What’s new with Hacking-Lab?
1) New LiveCD
Please note, we have uploaded the new Hacking-Lab LiveCD v5.83 to
2) New Video Tutorial
Watch this short tutorial and learn how to use multiple firefox profiles with your new LiveCD
3) OWASP AppSec EU
OWASP rocks!!! Join the University Challenge in Athens this year and test your security skills in the University Challenge discipline provided by Hacking-Lab.
4) Hacking-Lab Magazine
The first release 0x01 will be released within the next 7 days!!! Register a Hacking-Lab account and make sure you receive a copy.
5) IRC service in vulnerable server network
Since a couple of days, we have an IRC service up and running within the vulnerable server network. Please join #hackinglab once you are vpn connected. (chat.hacking-lab.com)
* TUTORIAL VIDEO HERE: http://media.hacking-lab.com/movies/chat/
That’s it. Have a safe day
Don’t miss our tech/geek research talk series; mark the next Beer-Talk that will be held next June 7th, 2012 in Jona Switzerland in your agenda. As we have multiple research topics you can choose, please mark your favorite in the survey below:
Survey – http://www.csnc.ch/de/calendar/NextBeerTalk/
Did you miss the last Beer-Talk about Advanced Web Security by Philipp Oesch? Don’t worry; get the PDF from here: FileBox DownloadLink
Do you feel like gambling/testing with the Apache Struts2 vulnerability by yourself? Join the free Hacking-Lab event here: Hacking Challenge in Hacking-Lab
Watch this Apache Struts2 intro movie, to get familiar with the shown issue
As you might know, Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of GEC (Global Education Commitee) and as part of the Academy Portal project.
Vulnerabilities within used frameworks and libraries, like the Apache Struts vulnerability do not have a prominent place with the OWASP TOP 10 list, but very important because of it’s remote code execution characteristic. Hacking-Lab has written a vulnerable Apache Struts service and a tutorial video. Check it out.
I think it is important to discuss library and dependency risks.
Please watch the tutorial here:
Please read more about the Apache vulnerability here
Please try it our, mess around in Hacking-Lab (if you like, it’s free!)
Looking forward to hearing from you
Ivan Buetler, Switzerland
Fridays, I was approaching a win32 reversing challenge. So I transferred the binary into my Windows XP virtual box and fired-up OllyDbg. The goal was to bypass the username and password prompt that occurred on application startup. Hilariously, I was just providing a dummy name and password to the app…. “asdf” “asdf” as probably most penetration testers have done so, over and over to test logon prompt behavior.
BANG… the app is telling me: “Correct, le clef est Le saucisson vaudois ca rapicole.!”
The force was with me and actually, only Chuck Norris could have topped that :). Was I in god mode? Probably not. Later analysis just revealed that the application required the password to be equal to the username and had some minimal restrictions on the credentials length.
All in all, a 30 seconds exercise.
– Implement strong password policies
– Give it a try before you hurry to launch Olly.