本文档深入探讨了漏洞研究的基础知识,包括权限升级、应用逻辑漏洞等类型。介绍了CVSS和VPR两种漏洞评分系统,并通过实例展示了如何发现和利用漏洞。此外,提到了NVD中2021年7月的CVE提交数量以及Exploit-DB的作者。最后,鼓励读者继续学习相关领域的更多内容。
Vulnerability Research
文章目录
Vulnerabilities 101
Task1 Introduction
Read this task!
Task2 Introduction to Vulnerabilities
1.An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this?
Operating System
2.You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this?
Application Logic
Task3 Scoring Vulnerabilities (CVSS & VPR)
1.What year was the first iteration of CVSS published?
2005
2.If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use?
Note: We are looking for the acronym here.
VPR
3.If you wanted to use a framework that was free and open-source, what framework would that be?
Note: We are looking for the acronym here.
CVSS
Task4 Vulnerability Databases
1.Using NVD, how many CVEs were submitted in July 2021?
1585
2.Who is the author of Exploit-DB?
Task5 An Example of Finding a Vulnerability
What type of vulnerability did we use to find the name and version of the application in this example?
Version Disclosure
Task6 Showcase: Exploiting Ackme’s Application
Follow along with the showcase of exploiting ACKme’s application to the end to retrieve a flag. What is this flag?
THM{ACKME_ENGAGEMENT}
Task7 Conclusion
Continue on your learning with the additional rooms in this module.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
