-->

A Brief Summary of Primary Interview of Security Engineer


Pre-Knowledge

  • Server-related information (real IP, system type, version open port, WAF, etc.)
  • Website fingerprint recognition (CMS, CDN, certificate, DNS record, etc.)
  • Whois information, name, filing, email, telephone contrast (the mailbox is lost to the social work library, social work preparation, etc.)
  • Collection of subdomains, side stations, section C, etc.
  • Google hacking targeted search, PDF files, middleware versions, weak password scanning, etc.
  • Scan the website directory structure, explode the background, website banner, test files, backups and other sensitive files leaks, etc.
  • Protocol, common vulnerabilities, GitHub source code, etc.

Vulnerability Mining

  • Browse the website, check the scale, function points, and characteristics of the website.
  • Ports, weak passwords, directory scanning, vulnerability detection on response ports, weak passwords for MySQL, FTP, ssh, etc.
  • Start to detect vulnerabilities, such as XSS, SSRF, SQL injection, code execution, command execution, unauthorized access, arbitrary file reading, downloading, file inclusion, remote command execution, weak password, editor vulnerability, brute force cracking, replay attack, server Vulnerability detection, and finally use missing scanning tools, etc.
  • CMS: Content management system, located in the front-end and back-end office systems, generally you can search for the corresponding source code or version vulnerabilities.
  • CDN: An intelligent virtual network built on the basis of the existing network, relying on edge servers deployed in various places, through the load balancing, content distribution, scheduling, and other functional modules of the central platform, so that users can obtain the required content nearby and reduce network congestion. Improve user access response speed and hit rate.
  • Use Google search to find information such as background, user information leakage, source code leakage, unauthorized access, MDB file download, website configuration password, php remote file containing vulnerabilities, and other information.
  • Middleware: It is an independent system software or service program that connects applications or systems, and can still exchange information even with different interfaces

Vulnerability & Privilege Escalation

  • MySQL escalation, serv-u escalation, oracle escalation
  • Linux kernel vulnerability escalation
  • Windows overflow privilege escalation

Summary of questions that may be interviewed

  • Emergency thinking: first intercept the attack package body and log analysis through the security equipment to understand what kind of attack the attacker has carried out, and further judge the attacker's attack method through the combination of black and white simulation methods. After recurrence, the vulnerabilities are repaired and the attacker can be traced back to the source.
  • The idea of ​​tracing the source: first analyze the attacker’s IP and attack method through system logs, security equipment intercepted attack packets, etc., use web shell or Trojan to perform micro-step analysis, or go to the Anheng Threat Intelligence Center for IP detection and analysis. Is it a cloud server? , Base station, etc., if it is a cloud server, you can directly reverse osmosis, look at the open ports, domain names, whois, etc. to judge, get the name and phone number, etc., lose the social work database to see if you can find more information and then call it a day
  • What projects have been done: After receiving some projects, you can use Mizusawa to collect information on target assets or lighthouses. Do a good job of collecting information to determine whether the framework has Shiro deserialization and struct command execution. The framework cannot be tested one by one. Then there are several kinds of weak passwords, entering the background, template injection, uploading loopholes, and getting shell permissions. What I think is more interesting is that the machine I encountered this time, the normal rotten potatoes cannot be elevated. Finally found that he has a 3306 MySQL service, and found the password in the website source code and has root privileges, and then used the MySQL UDF to increase the privilege, directly upload the UDF file that comes with sqlmap, use the hexadecimal transmission, and finally increase the privilege, To execute the anti-virus system, immediately call Cs, obtain the account and password of the current server, and use the hash to pass the horizontal direction. It is found that it is a large network segment. Scan the code on the IP segment of the intranet to check the website, and collect information again. For ssh, MySQL, SQL Server, 3389, horizontal movement can basically get a large number of machines. The domain controller uses the captured domain controller login account and password, and finally, the gold and silver receipts, to get the domain controller. In the case of the intranet, I think it is a weak password blasting, escalation of rights after obtaining the password, etc.
  • Equipment: Wireshark will automatically match the data packet that may be an attack, and then judge whether it is an attack based on the data packet. Burp Suite will extract the URLs. The request modifying, payloads inserted brute-forcing webserver to extract data.
  • How to troubleshoot memory horses: If you find some traces of memory web shell, you need to have a troubleshooting idea to track and analyze, and also list a troubleshooting idea based on the principles of each type
    • If it is jsp injection, in the log Troubleshoot access requests that can be jsp. 
    • If it is a code execution vulnerability, check the error.log of the middleware to see if there is a suspicious error, and determine the injection time and method. 
    • Check for possible java code execution vulnerabilities according to the components used in the business. If the spring controller is of the type, look up the log according to the URL reported to the web shell, filter, or listener type, there may be more than 404 requests with parameters.
  • Honeypot phishing: usually deploy a middleware page or background page, once it is attacked, it will obtain part of the attacker's information.
  • How to analyze the message: According to the data packet, use the platform or Wireshark to analyze which attack payload is the attack path or where is the interface?
  • Process investigation ideas:
    • Process without signature verification information
    • Process without description information
    • The user who started the process
    • Is the path of the process legal
    • Processes that consume too much CPU or memory resources for a long time

Elementary Interview Questions

Get a station to be tested, what do you think should be done first

Collect Message

Get the whois information of the domain name, and then get the registrant's email name, phone number, etc., go to the social work database to see if there is any information leakage, and then try to use the leaked information to log in or blast the background. Use mail as an index to search for associated social accounts, social workers find out the passwords of associated accounts, etc., and use existing information to generate a dedicated dictionary

Vulnerability scan

Start to detect vulnerabilities, such as XSS, SSRF, SQL injection, code execution, command execution, unauthorized access, arbitrary file reading, downloading, file inclusion, remote command execution, weak passwords, editor vulnerabilities, brute force cracking, etc.

Exploit

    • Use the above methods to get web shell
    • Privilege escalation
    • Log cleanup
    • Summary report and repair plan

The Significance of CMS to Penetration

  • Look for vulnerabilities that have been exposed.
  • If open-source, you can also download the corresponding source code for audit

Common web server containers

  • IIS, Apache, Nginx, Lighttpd, Tomcat

Which versions of containers are currently known to have parsing vulnerabilities?

  • IIS 6.0-/xx.asp/xx.jpg
  • IIS 7.0-Fast-cgi is enabled by default, and input /.php directly after the image address will parse the image as php
  • Nginx-version less than 0.8.37 The use method is the same as IIS7.0
  • Apache-The uploaded file name is test.php.x1.x2.x3, Apache is judged from right to left
  • Lighttpd-XX.jpg/xx.php

How to quickly judge the target manually

  • Linux is case sensitive, windows are not case sensitive

Does the security dog ​​track variables and find out that it is a Trojan horse?

  • No, it is based on the feature code

SQL injection protection method

  • Use safe APIs
  • Escape the input special characters
  • Use whitelists to standardize input verification methods
  • Control the client input and do not allow the input of special characters related to SQL injection
  • The server-side filters, escapes, replaces, and deletes special characters before submitting to the database for SQL injection query
  • Precompiled

How to use XSS to achieve long-term control of the target station when there is a shell

  • Add a section of js to record the login account password at the back-end login, and judge whether the login is successful, then record the account and password in a rare path file or send it directly to your website

SQL Injection Prevention

  • Precompiled
  • PDO
  • Regular expression filtering

The difference between serialization and deserialization

  • Serialization: The process of converting an object into a sequence of bytes that can be transmitted is called serialization
  • Deserialization: The process of restoring a byte sequence to an object is called deserialization

Common middleware vulnerabilities

IIS (Internet Information Services)

PUT vulnerability, short file name guessing, remote code execution, parsing vulnerability

Apache

Parsing loopholes, directory traversal

Nginx

File analysis, directory traversal, CRLF injection, directory traversal

JBoss


Deserialization vulnerability, war backdoor file deployment

WebLogic

Deserialization vulnerability SSRF arbitrary file upload war backdoor file deployment

Apache Shiro Deserialization

Shiro rememberMe (Shiro-550) Shiro Padding Oracle Attack(Shiro-721)

What are the vulnerabilities of OWASP Top10?

  • SQL injection
  • Invalid authentication
  • Leakage of sensitive data
  • XML external entity (XXE)
  • Invalid access control
  • Security configuration error
  • Cross-site scripting (XSS)
  • Insufficient logging and monitoring
  • Unsafe deserialization
  • Use components with known vulnerabilities

The difference between forwarding SHELL and reverse SHELL

  • Forward shell, the attacker connects to the attacked machine
  • Reverse shell, the attacker actively connects to the attacker
  • Forward proxy, client proxy, the server does not know the client that actually initiated the request
  • A reverse proxy, server proxy, the client does not know the server that actually provides the service

The difference between TCP and UDP protocols

TCP is connection-oriented, UDP is message-oriented, TCP guarantees integrity and order, udp does not guarantee

Flow Analysis

  • Filter IP:
    • Filter source IP address:; ip.src==1.1.1.1Filter destination ip address: ip.dst==1.1.1.1
  • Through the port:
    • Filter 80 port:, tcp.port==80 source port:, tcp.srcport=80 destination port: tcp.dsttport==80
  • Protocol filtering:
    • Just enter the protocol name directly, http or https
  • http mode filtering:
    • Filter get/post package http.request.mothod== "GET/POST"