The HackingDept Beginner's Path environment is dedicated to students of full-time and postgraduate studies in IT and cybersecurity. It enables the development of practical skills as part of laboratory and workshop classes. During the course, students will learn from scratch how to conduct penetration tests of networks and of services hosted on Linux machines.
The range of topics available is comparable to the knowledge required in recognized international, industry, and practical cybersecOSCP).
The HackingDept Beginner's Path environment is installed on the HackingDept BOX BP platform.
BEGINNER'S PATH ENVIRONMENT
The laboratory configured on the HackingDept BOX BP platform has over 2,500 virtual machines. Students can access 5 networks and 42 virtual machines with progressive difficulty levels. Since each virtual machine always contains two separate exercises (user and root) and sometimes a foothold, over 80 tasks are spread across all virtual machines.
The machines are connected in pairs: gaining access to the resources of one machine makes it possible to attempt to compromise the other. The environment has been divided into the "LEARN" part, where the student learns new offensive security techniques, and the "PRACTICE" part, where the student independently verifies the acquired skills.
ISSUES DISCUSSED USING THE BEGINNER'S PATH ENVIRONMENT
Level 1
White
HTML code analysis,
Locating hidden endpoints,
Popular passwords in login systems,
Remote Command Execution (RCE),
Confidential data in hidden files,
Enumeration of network services,
Detection of hidden backdoors,
Fuzzing program arguments.
Level 2
Yellow
Default passwords in login systems,
Security of cookies,
Command Injection vulnerability class,
Privilege escalation via restricted sudo,
Reusing the same password,
Buffer Overflow vulnerability class.
Level 3
Orange
Enumeration of files and directories,
Dirbuster class tools,
Whitebox analysis,
HTTP requests and responses,
Common programming errors,
"Burp Suite" HTTP proxy server,
Recovering simple passwords using a dictionary attack,
Reusing the same password in multiple places,
Abuse of relative paths in applications with the SetUID attribute.
Level 4
Green
Enumeration of network services and web resources,
Deobfuscation of JavaScript code,
Bypassing Frontend Security,
Enumeration of users and passwords using a dictionary attack.
Enumeration of local network services,
Executing commands using custom applications,
File transfer using limited tools,
Reading "hardcoded" data in binary files.
Level 5
Blue
SSL certificates,
Virtual hosts,
File upload security,
Path Traversal Vulnerability Class,
Port knocking,
Side-channel attack.
Level 6
Purple
Enumeration of subdomains and virtual hosts,
SQL Injection vulnerability class,
Privilege escalation via containers (docker, lxd),
Remote execution of PHP code via SQL,
Signals in Linux systems,
Ignoring signals.
Level 7
Red
WordPress application enumeration,
Using ready-made exploits for reported CVE vulnerabilities,
Metasploit Framework,
Exploitation of old versions of the Debian Linux kernel,
Incorrectly configured FTP server,
Exploitation of old versions of the FreeBSD kernel.
Level 8
Brown
"data" URL scheme,
Template Injection vulnerability class,
Incorrect file permissions,
Incorrect Cron job configuration,
XML External Entities vulnerability class,
Manipulation of reading data from a relative path.
Level 9
Gray
Cross-site Scripting vulnerability class,
Enumeration of processes running in the background,
Privilege escalation via symbolic links,
Cross-site Request Forgery vulnerability class,
File descriptors and their inheritance,
Scrolling and reading unclosed file descriptors.
Level 10
Black
An exam to test the knowledge acquired.
USING HACKINGDEPT BEGINNER'S PATH
The range of topics available on HackingDept Beginner's Path has been planned for 2 semesters (8 teaching hours x 20 days of training).
In the proposed implementation of the HackingDept Beginner's Path environment, each student has the entire environment (HackingDept stack) at their own and exclusive disposal. Due to the configuration of the HackingDept BOX BP server, the minimum number of purchased licenses is 60.
Currently, laboratory and workshop classes end with solving tasks that test the student's practical skills in accordance with the University's requirements.