During this intensive live project with The Tech Academy, I participated in a two-week Agile-based cybersecurity simulation. The project involved executing a series of "Sprint Stories" that alternated between offensive and defensive operations.
| Category | Tools Utilized |
|---|---|
| OS / Environment | Kali Linux, VirtualBox, VMware |
| Traffic Analysis | Wireshark, PCAP Forensics |
| Offensive Security | Burp Suite, Chromium Proxy |
| Threat Intelligence | VirusTotal, Exploit-DB, Rapid7 (CVE) |
| Malware Analysis | ANY.RUN (Interactive Sandbox) |
- Packet Analysis: Used Wireshark to conduct deep-packet inspection of PCAP files to identify network breaches and potential data exfiltration.
- Threat Identification: Leveraged VirusTotal and ANY.RUN to perform hash lookups and dynamic analysis of suspicious files.
- Web Penetration Testing: Employed Burp Suite to intercept and analyze HTTP/S traffic, identifying vulnerabilities within web applications.
- Exploit Research: Utilized Exploit-DB and GTFOBins to research privilege escalation paths.
- Developed a deep understanding of the Cyber Attack Lifecycle.
- Gained hands-on experience in Incident Response and Threat Hunting.
Vulnerability Type: Improper Input Validation / Local File Inclusion (LFI)
Target: OWASP Juice Shop (Restricted /ftp/ Directory)
Identified a critical security flaw allowing unauthorized access to restricted server configuration files. By utilizing Double Encoding and Null Byte Injection, I successfully bypassed server-side file extension filters to exfiltrate sensitive metadata.
- The Restriction: The application employs a whitelist filter that only permits downloads for "safe" extensions like .md or .pdf.
- The Exploit: By appending a double-encoded null byte (%2500) followed by a valid extension, I deceived the validation logic.
- The Payload: http://localhost:3000/ftp/package.json.bak%2500.md
- The Result: The web filter validated the .md suffix as safe, but the backend server terminated the string at the null byte, serving the restricted package.json.bak file instead.

Figure 1: Screenshot demonstrates the successful download of package.json.bak by poisoning the URL string to bypass the server's file-type validation logic.
The exposure of package.json.bak reveals internal application architecture, dependencies, and configuration. This metadata provides an attacker with a roadmap for further targeted attacks, significantly increasing the risk of a full system compromise.