Pwn.college (pwn.college)
339 points by throwaway_7718 on Feb 24, 2020 | 35 comments

Looks good, but if I may add a suggestion, it is to remove the slides from Google Docs. Maybe let us download them locally?

1. Corp VPNs will block Google Docs very regularly.
2. Some people refuse to use Google services.
3. It shouldn't take you to a different domain to read the learning material.

Great job getting this in front of people as soon as possible, this is a very polished product for a beta. Nothing worse than sitting on something waiting for it to be perfect or "complete". Excited to see where you go with this!

Another software exploit thing that appears to be entirely Linux-centered. Nothing against it, but this doesn't even touch "core cybersecurity concepts". As crappy as it is, a Security+ will teach you more infosec than knowing how to write kernel rootkits and create ROP gadgets in your sleep. Case in point: most "advanced" attackers (except the "Equation Group", lol) very, very rarely use a zero day; a majority of attacks by these guys do not even see new exploits outside of known public vulns. As easy and comfy as Linux is to a hacker, try doing this in Windows land. You will gain a broader perspective. Just my $0.02; I am still glad to see more content like this.

We must have a different definition of advanced attackers because I can think of numerous countries that use zero days. A handful more that use COTS malware (i.e. NSO) that employs zero days.

Yes, a few, very few compared to the rest. You will note I said most of them don't use 0-days and even 1-days. A lot attempt exploitation in some form or another, typically for vulns older than a few months.

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/


https://attack.mitre.org/techniques/T1190/ only has 5 examples for public-facing asset exploitation, mostly SQL injection.

MITRE is not a complete list, but they do a good job of keeping up with APT techniques. The most famous ones indeed use 0-days, and that is one of the reasons they're famous. But at the end of the day they should be noteworthy based on damage done, not "coolness" of the hack.

Software exploitation is a thing, but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.

I do not consider spear phishing an advanced attack (despite many governments doing it). Credential theft definitely is not. Malicious docs generally are not (as they are typically just macros that the user has to run).

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

I do agree that this is what most organizations face as threats though. Resources like these are for people who want to eventually sell exploits, hunt for bugs, or learn enough to analyze them effectively. I do not think these are for teaching someone to teach corp users to not run docms.

No no no...

It is the threat that is advanced not the technique. That was my whole point. If corp users with all their security teams are still victims how much more are individuals. Or does the world outside of tech bubbles not exist?

Also, macros and docm are only a small vector; most non-technical people, for example, would open, say, a jar file with a PDF icon that came from an email from a compromised account of someone they know, and trust me, I've seen plenty of non-corp users without the typical mandatory phishing training fall victim, lose large sums of money, etc...

I have no clue why you don't think spear phishing is an advanced technique. Just recently I stumbled upon a Word exploit being used, and it was not "spear" phishing, just normal stuff. Does it have to be sophisticated and impressive to be advanced? Often, the most damaging exploits are the ones with minimal attack complexity (a CVE vector that adversely affects the score, mind you). Regardless of your opinion, the offensive way is to use the easiest and quietest method.

As to my comment, the author stating the material teaches people "core cybersecurity concepts" is what I disagreed with. Memory-safe languages and exploit mitigation solutions make these software exploit techniques very difficult to pull off. Plus, any decent EDR solution easily detects and blocks exploitation of browsers, productivity apps and other well-known initial access vectors, so you're basically left with mostly Linux that is not hardened, and even then only on servers and network devices, since most people don't run Linux desktop (and to my point, the post does not even touch Windows).

Essentially, my point is that any infosec education that is not informed by current practical threats and attacks, while very fun to go through, may not provide as much value as you think.

Even in a tech company/startup where everyone uses Linux and Mac, it is much more important to have good security architecture and hygiene, do authentication properly (you're exploit-proof, but someone exposed their SSH private key and got you pwned), knowing risk analysis, threat modeling, incident response, etc. is much more "core", while exploitation of software and even spear phishing are "edge" concepts.
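The comment above mentions non-technical users opening a jar file carrying a PDF icon. The check below is an added example written for this thread, not code from pwn.college or from anyone in the discussion: it compares what an attachment's name claims (including decoy double extensions such as invoice.pdf.jar) against the file's magic bytes, and recognises a jar by its META-INF/MANIFEST.MF member regardless of the name. The sample attachments are constructed in memory for the demo (the "jar" holds only a manifest and a four-byte class-file header and runs nothing).

```python
import io
import os
import zipfile

# Real file-format headers (magic bytes) for the formats this check cares about.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),   # jar, docx, docm, xlsm are all zip containers
    "pe":  (b"MZ",),           # Windows executables
    "elf": (b"\x7fELF",),
}
# Container a file must have for its extension to be what it claims.
EXPECTED_KIND = {".pdf": "pdf", ".jar": "zip", ".docx": "zip", ".docm": "zip", ".exe": "pe"}
# Extensions that execute code when double-clicked (the payload side of a decoy name).
EXECUTABLE_EXT = {".jar", ".exe", ".scr", ".js", ".vbs", ".hta"}
# Extensions used as the "harmless-looking" inner part of a double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def sniff_kind(data: bytes) -> str:
    """Identify the container from its leading bytes, not from the name."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def looks_like_jar(data: bytes) -> bool:
    """A jar is a zip whose members include META-INF/MANIFEST.MF."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def analyse(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(stem)   # 'invoice.pdf.jar' -> inner '.pdf', outer '.jar'
    kind = sniff_kind(data)

    if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
        findings.append(f"extension {ext} claims {EXPECTED_KIND[ext]} but content is {kind}")
    if inner_ext in DECOY_EXT and ext in EXECUTABLE_EXT:
        findings.append(f"decoy double extension {inner_ext}{ext}")
    if looks_like_jar(data) and ext != ".jar":
        findings.append(f"jar archive disguised as {ext or 'no extension'}")
    if kind == "pe" and ext not in {".exe", ".dll", ".scr"}:
        findings.append(f"Windows executable disguised as {ext or 'no extension'}")
    return findings


def make_jar() -> bytes:
    """Build a minimal constructed jar in memory (manifest plus a class-file magic stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed samples for the demo, not real attachments.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "invoice.pdf.jar": make_jar(),   # decoy name, genuine jar content
    "statement.pdf": make_jar(),     # jar renamed to .pdf (icon spoof relies on this)
    "setup.exe": b"MZ" + b"\x00" * 62,
    "photo.jpg.exe": b"MZ" + b"\x00" * 62,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} -> {analyse(name, blob) or ['ok']}")
```

The point of sniffing the container is that the icon and the displayed name are both attacker-controlled, while the first bytes and the zip member list are not; a mail gateway or EDR rule that only keys on the final extension misses the renamed jar entirely.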

>Does it have to be sophisticated and impressive to be advanced?

Yes. I think this is where our opinions differ. It is always a joke to be reading a blog post about an advanced attacker and the exploit is, as you say, the user clicked a jar with a pdf icon.

I agree completely about things that add value to corporations. This is why I am not working corporate security at a startup. I do not care so much about implementing U2F policies or server authentication methods, even though these are much more impactful for the business. I work for a small company, work on less impactful things (in regards to corporate security), and enjoy myself considerably more. If I could stomach the other stuff I would make more money, but I prefer to enjoy my work and hack on obscure things.

Your namesake with eternalblue is quite advanced (even though it was n-day). That stuff is interesting. Reverse engineering that stuff is interesting. I think these things prepare people to do that sort of work.

That's fine, having a specialized interest is ok, just don't say that is a "core concept of cybersecurity".

You like impressive exploits and vulnerability research, which is good; that upstream work is useful in downstream "core" security, whether it be for corporations (a 2-person startup is one) or consumers.

There are far more advanced hacking groups than there are nation states. There are likely more criminal hacking groups in each individual country than there are nation states.

There are many criminal groups, but few are advanced. It takes investment and large teams to get full chain zero days. Most criminal groups will implement n days, but they are not coming up with Eternal Blue, you know? They are just grabbing it and hitting unpatched machines. It is skilled for sure, but it is not my definition of advanced threats.

If you have some examples of criminal groups using zero days in hard targets, I'm very interested. From what I see, no one's mobile phones are getting hit with ransomware via fresh vulns. That behavior is generally reserved for nation states with the ability (financial and legal) to purchase the exploits.

Spot on!!

Check out:

https://blog.ret2.io/2018/09/11/scalable-security-education/ These guys have built an epic b0f research education platform - it could also be sold as a cloud-based research platform for vuln developers.

Another one is https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/vid... for mostly C/C++ overflow type education

> could be also sold as a cloud-based research platform for vuln developers

You'd have a tough time getting any public cloud provider to allow you to run known vulnerable software, on purpose, on their network and then expose it to the Internet.

If you kept it under a decent amount of network security and heavily restricted access it might work.

I would suspect you'd need permission to set this up, though.

True. I think the biggest buyer of this would be gov institutions that are constantly looking for building their offensive capabilities (mainly around exploit dev) but find it hard to get new recruits trained up. The alternatives are mostly instructor-led training which is good but combined with this type of platform + remote assistance via chat etc could scale things up.


I'm just in the beginning phases of learning pen testing. I want to move from DevOps to DevSecOps to PT.

I'm keen to see what labs exist out there already and how I can build my own complex labs (consisting of complete virtual networks) that I can hack against. A real wargame.

See also:

- Wechall

- OverTheWire

- SmashTheStack.org

- CryptoPals.com

- Google Gruyere appspot

I've been working through https://guyinatuxedo.github.io/ while reading "The Shellcoder's Handbook" and Sam Bowne's class notes (https://samsclass.info/127/127_F19.shtml). Highly recommended

https://microcorruption.com/ is also quite fun!

In my youth I learnt a thing or two from hackthissite.org.

Great work, Yan and Connor! It's interesting that the solutions are not made publicly available. Is this intended towards educators to use in their cybersecurity classes?

Looking forward to the collection of modules. Right now I'd say it's a bit too Linux-centric. Especially when it comes to bringing cybersecurity concepts to new people, I think it's usually better to start with basic stuff like SQL injection ('Bobby Tables') or ARP spoofing. They even state it's aimed at white belts, yet have slides about the different rings in a Linux kernel. But maybe that's just my perception. Great anyway!

CTF exploiting challenges tend to be overwhelmingly biased towards Linux, so I'm sure this is just a reflection of that.

A beginner in offensive cyber security/infosec is better off learning Burp and common web app vulnerabilities.

In my opinion that is.

That's exactly my point, yes.

Cannot connect to https://pwn.college/ (only works on HTTPS with www subdomain) - somewhat of a problem for sharing this website.
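The comment above reports that the site answered only on the www host over HTTPS. The script below is an added example, not the site's own code or anything posted in the thread: it shows the check a practitioner would run before sharing a link, namely whether the apex and the www host both resolve, whether each completes a verified TLS handshake, and whether the certificate served on www actually names the apex. `san_matches` implements the RFC 6125 rule that a wildcard occupies only the left-most label and matches exactly one label, which is why a `*.example.org` certificate does not cover `example.org`. The SAN list and host names in `EXAMPLE_SANS` are constructed for the demo; `probe` does live network I/O and is only called from `main`, with a hypothetical default target.

```python
import socket
import ssl
import sys


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: exact match, or '*' as the entire left-most
    label matching exactly one label. Partial or nested wildcards are rejected,
    and '*.example.org' deliberately does NOT cover the apex 'example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False                      # 'w*.example.org' or '*.*.example.org'
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                      # '*.org' is too broad; label count must agree
    return p_labels[1:] == h_labels[1:]


def covered_hosts(sans, hosts) -> dict:
    """Map each host to whether at least one SAN entry covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


def fetch_sans(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Live: perform a verified TLS handshake (SNI = host) and return the leaf
    certificate's DNS SAN entries. A name mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe(site: str) -> dict:
    """Live: check DNS and TLS for the apex and www, then ask whether the www
    certificate would also have been valid for the apex."""
    results = {}
    for host in (site, "www." + site):
        try:
            infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
            addrs = sorted({ai[4][0] for ai in infos})
        except socket.gaierror:
            addrs = []
        results[host] = {"resolves": bool(addrs), "addrs": addrs}
        if not addrs:
            continue
        try:
            results[host]["sans"] = fetch_sans(host)
            results[host]["tls"] = "ok"
        except (ssl.SSLError, OSError) as exc:
            results[host]["tls"] = f"failed: {exc.__class__.__name__}"
    www = results.get("www." + site, {})
    if "sans" in www:
        results["apex_covered_by_www_cert"] = covered_hosts(www["sans"], [site])[site]
    return results


# Constructed SAN list for the offline demo (not any real site's certificate).
EXAMPLE_SANS = ["www.example.org", "*.example.org"]


def main() -> None:
    print(covered_hosts(EXAMPLE_SANS, ["example.org", "www.example.org", "a.b.example.org"]))
    site = sys.argv[1] if len(sys.argv) > 1 else "example.org"   # hypothetical target
    for key, value in probe(site).items():
        print(key, value)


if __name__ == "__main__":
    main()
```

A negative result on the apex can come from either layer: no A/AAAA record at all (the `resolves` field), or a record that points at a server whose certificate only lists the www name (the `tls` field on the apex fails while `apex_covered_by_www_cert` is False). Fixing it means adding the apex to the certificate's SANs and redirecting it to www, not just adding a DNS record.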

Ironically, a website centred around security doesn't support ed25519 ssh keys.

Cool stuff. Does anyone know of a similar program for web security?

Not exactly the same but https://portswigger.net/web-security has several good lessons and labs about specific attacks.

This is awesome. I’d definitely watch the videos!!

Gotta be a bit less cheap and solve your ssl problems if you want people to take you seriously when it comes to security... Use cloudflare or routepath.app.
