
Pwn.college - throwaway_7718
https://www.pwn.college/
======
fybe
Looks good, but if I may add a suggestion, it is to remove the slides from Google
Docs. Maybe let us download them locally?

1. Corp VPNs will block Google Docs very regularly
2. Some people refuse to use Google services
3. It shouldn't take you to a different domain to read the learning material

------
deevnullx
Great job getting this in front of people as soon as possible, this is a very
polished product for a beta. Nothing worse than sitting on something waiting
for it to be perfect or "complete". Excited to see where you go with this!

------
badrabbit
Another software exploit thing that appears to be entirely Linux centered.
Nothing against it, but this doesn't even touch "core cybersecurity concepts".
As crappy as it is, a Security+ will teach you more infosec than knowing how
to write kernel rootkits and create ROP gadgets in your sleep. Case in point:
most "advanced" attackers (except the "Equation Group" lol) very, very rarely
use a zero day. A majority of attacks by these guys do not even see new
exploits out of known public vulns. As easy and comfy as Linux is to a hacker,
try doing this in Windows land. You will gain a broader perspective. Just my
$0.02c, I am still glad to see more content like this.

~~~
TACIXAT
We must have a different definition of advanced attackers because I can think
of numerous countries that use zero days. A handful more that use COTS malware
(i.e. NSO) that employs zero days.

~~~
badrabbit
Yes, a few, very few compared to the rest. You will note I said most of them
don't use 0-days and even 1-days. A lot attempt exploitation in some form or
another, typically for vulns older than a few months.

It's simply too easy to use other means of delivery.

Look at drive by:
[https://attack.mitre.org/techniques/T1189/](https://attack.mitre.org/techniques/T1189/)

In most cases the only thing exploited is the sites hosting their malware
(typical joomla/wp sites).

Spear phishing attachment:
[https://attack.mitre.org/techniques/T1193](https://attack.mitre.org/techniques/T1193)

I see about 3 examples out of 40 that use exploits.

Spearphishing link:
[https://attack.mitre.org/techniques/T1192/](https://attack.mitre.org/techniques/T1192/)

2/20

[https://attack.mitre.org/techniques/T1190/](https://attack.mitre.org/techniques/T1190/)
Only 5 examples for public facing asset exploitation, mostly SQL injection.

MITRE is not a complete list, but they do a good job of keeping up with APT
techniques. The most famous ones indeed use 0-days, and that is one of the
reasons they're famous. But at the end of the day they should be noteworthy based
on damage done, not "coolness" of the hack.

Software exploitation is a thing, but not only is it seen less and less, modern
mitigations are making a lot of the techniques obsolete. Look at the fall of
exploit kits as an example.

~~~
TACIXAT
I do not consider spear phishing an advanced attack (despite many governments
doing it). Credential theft definitely is not. Malicious docs generally are
not (as they are typically just macros that the user has to run).

Watering holes can be depending on how the malware is delivered once the user
visits the site. If it just tries to download it and hope they click, that is
not advanced IMO.

I do agree that this is what most organizations face as threats though.
Resources like these are for people who want to eventually sell exploits, hunt
for bugs, or learn enough to analyze them effectively. I do not think these
are for teaching someone to teach corp users to not run docms.

~~~
badrabbit
No no no...

It is the threat that is advanced not the technique. That was my whole point.
If corp users with all their security teams are still victims how much more
are individuals. Or does the world outside of tech bubbles not exist?

Also, macros and docm are only a small vector. Most non-technical people, for
example, would open, say, a jar file with a PDF icon that came from an email
from a compromised account of someone they know, and trust me, I've seen plenty
of non-corp users without the typical mandatory phishing training fall
victim, lose large sums of money, etc.

I have no clue why you don't think spear phishing is an advanced technique.
Just recently I stumbled upon a Word exploit being used, and it was not "spear"
phishing, just normal stuff. Does it have to be sophisticated and impressive to
be advanced? Often, the most damaging exploits are the ones with minimal
attack complexity (a CVE vector that adversely affects the score, mind you).
Regardless of your opinion, the offensive way is to use the easiest and
quietest method.

As to my comment, the author stating the material teaches people "core
cybersecurity concepts" is what I disagreed with. Memory-safe languages and
exploit mitigation solutions make these software exploit techniques very
difficult to pull off. Plus, any decent EDR solution easily detects and blocks
exploitation of browsers, productivity apps and other well-known initial access
vectors, so you're basically left with mostly Linux that is not hardened, and
even then only on servers and network devices, since most people don't run
Linux desktop (and, to my point, the post does not even touch Windows).

Essentially, my point is that any infosec education that is not informed by
current practical threats and attacks, while very fun to go through, may not
provide as much value as you think.

Even in a tech company/startup where everyone uses Linux and Mac, it is much
more important to have good security architecture and hygiene, do
authentication properly (you're exploit proof, but someone exposed their SSH
private key and got you pwned), knowing risk analysis, threat modeling, incident
response, etc. is much more "core", while exploitation of software and even
spear phishing are "edge" concepts.

~~~
TACIXAT
>Does it have to be sophisticated and impressive to be advanced?

Yes. I think this is where our opinions differ. It is always a joke to be
reading a blog post about an advanced attacker and the exploit is, as you say,
the user clicked a jar with a PDF icon.

I agree completely about things that add value to corporations. This is why I
am not working corporate security at a startup. I do not care so much about
implementing U2F policies or server authentication methods, even though these
are much more impactful for the business. I work for a small company, work on
less impactful things (in regards to corporate security), and enjoy myself
considerably more. If I could stomach the other stuff I would make more money,
but I prefer to enjoy my work and hack on obscure things.

Your namesake with EternalBlue is quite advanced (even though it was n-day).
That stuff is interesting. Reverse engineering that stuff is interesting. I
think these things prepare people to do that sort of work.

~~~
badrabbit
That's fine, having a specialized interest is ok, just don't say that is a "core
concept of cybersecurity".

You like impressive exploits and vulnerability research, which is good; that
upstream work is useful in downstream "core" security, whether it be for
corporations (a 2-person startup is one) or consumers.

------
gyanchawdhary
Check out:

[https://blog.ret2.io/2018/09/11/scalable-security-education/](https://blog.ret2.io/2018/09/11/scalable-security-education/)

These guys have built an epic b0f research education platform - could be also
sold as a cloud-based research platform for vuln developers.

Another one is [https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/vid...](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/videos) for mostly C/C++ overflow type education.

~~~
movedx
> could be also sold as a cloud-based research platform for vuln developers

You'd have a tough time getting any public cloud provider to allow you to run
known vulnerable software, on purpose, on their network and then expose it
to the Internet.

If you kept it under a decent amount of network security and heavily
restricted access it might work.

I would suspect you'd need permission to set this up, though.

~~~
gyanchawdhary
True. I think the biggest buyer of this would be gov institutions that are
constantly looking to build their offensive capabilities (mainly around
exploit dev) but find it hard to get new recruits trained up. The alternatives
are mostly instructor-led training, which is good, but combined with this type
of platform plus remote assistance via chat, etc., it could scale things up.

~~~
movedx
Yeah.

I'm just in the beginning phases of learning pen testing. I want to move from
DevOps to DevSecOps to PT.

I'm keen to see what labs exist out there already and how I can build my own
complex labs (consisting of complete virtual networks) that I can hack
against. A real wargame.

------
joshschreuder
See also:

- Wechall
- OverTheWire
- SmashTheStack.org
- CryptoPals.com
- Google Gruyere appspot

~~~
cjbprime
And:

- [https://pwnable.tw](https://pwnable.tw)
- [https://pwnable.xyz](https://pwnable.xyz)

~~~
saagarjha
[https://microcorruption.com/](https://microcorruption.com/) is also quite
fun!

------
saagarjha
Great work, Yan and Connor! It's interesting that the solutions are not made
publicly available. Is this intended towards educators to use in their
cybersecurity classes?

------
numlock86
Looking forward to the collection of modules. Right now I'd say it's a bit too
Linux centric. Especially when it comes to bringing cybersecurity concepts to
new people, I think it's usually better to start with basic stuff like SQL
injection ('bobby tables') or ARP spoofing. They even state it's aimed at
white belts, yet have slides about the different rings in a Linux kernel. But
maybe that's just my perception. Great anyway!

~~~
bashwizard
A beginner in offensive cyber security/infosec is better off learning Burp and
common web app vulnerabilities.

In my opinion that is.

~~~
numlock86
That's exactly my point, yes.

------
thenewnewguy
Cannot connect to [https://pwn.college/](https://pwn.college/) (only works on
HTTPS with www subdomain) - somewhat of a problem for sharing this website.

------
earenndil
Ironically, a website centred around security doesn't support ed25519 ssh
keys.

------
_JC_Denton
Cool stuff. Does anyone know of a similar program for web security?

~~~
kdbg
Not exactly the same, but [https://portswigger.net/web-security](https://portswigger.net/web-security) has several good lessons and
labs about specific attacks.

------
timwis
This is awesome. I’d definitely watch the videos!!

------
toyg
Gotta be a bit less cheap and solve your SSL problems if you want people to
take you seriously when it comes to security... Use Cloudflare or
routepath.app.

