Lockpicking zen and webapps

In this blogpost, I will once again try to recapitulate my findings from this month. If you’re too busy to read, webapps are not as shit as previously believed and lockpicking is similar to buffer overflows. This sentiment is subject to change.

Chugging the Ports

I am happy to announce that Portswigger is starting to click for me. I cracked my 100th lab a few days ago, and it’s making sense now! The vulnerabilities are starting to show patterns, and I will use some of my writeups on these labs in another blog post for sure!

In short, they are not as shit as I always thought. Yes, I disliked web apps for a long while, since I thought they were not as cool as all the CLI stuff. GUI and Burp Suite were a pet peeve, a thing to overcome between two CLI-focused hacking runs, but it’s getting nicer and nicer now! I still remember wondering how IppSec or Tib3rius did what they do, but now it’s clear: tons of training and awareness of the vulnerabilities.

Tips for Swigging Ports

If you want to follow in my footsteps (and quickly overtake me), I will share a secret recipe my colleagues shared with me:

  1. Create an account on Portswigger.net
  2. Enroll in the Academy (all free). Be prepared that some labs cannot be completed without Burp Suite Pro, but that’s not the majority.
  3. Read up on a topic of your choosing
  4. As you go along, do the labs. They usually fit the topic quite well, although you may need to google for a while.
  5. If you’re stuck, ask online first, then go to community solutions, then go to the Portswigger solution. Z3nsh3ll has good Portswigger lab videos, mostly because the videos start with an explanation, not with “PUT THIS IN AND PWN THE THING.” If you watch the first 30 seconds, you get a nudge (or confirmation you were right.)
  6. Writeups, writeups, writeups. If you learn something, it’s good to have notes to come back to when you get stuck on a similar issue. Many of the payloads can be reused in different scenarios, and sometimes one payload can get you through several labs with minimal editing.

The last point is, as with anything you want to get good at, practice, practice, practice. If you’re losing your mind on one lab for hours, fear not! Go for a lab you know you will be able to do; it will contain challenges you already know from other topics. For me, these labs are auth bypasses or anything involving brute force.

Once you get a few dozen labs done and want to review, Portswigger has mystery labs as well. These work the same as normal labs, but they don’t tell you what you’re supposed to exploit. This trains your recon skills, but in my case, the training was more about memory. Once I saw a specific function, the lab walkthrough popped up in my brain and the hardest thing was remembering the payload.

Picking the Locks

In other news, I have a bad and a good piece of news. Firstly, my lockpicking is not as good as I thought. This is not good, but by realizing this, I now don’t have to spend as much on locks.

The picking issue

As the very famous LockPickingLawyer said:

“There is a difference between learning how to pick a lock, and learning how to pick locks.”

And I can now see what it’s about. I can open many locks in my possession, many in several seconds to a minute. However, if you show me a new lock, I can be lost for hours before finally popping it the first time. There was one lock I managed to “first-pick” in less than 5 minutes, but that one was on a door I had permission to pick, and it was for a bet. Furthermore, I raked it open, so it doesn’t really count in my mind.

What I kept forgetting is that simple difference: picking a lock versus picking locks. It’s basically the same as with webapps. If you can run through one lab and practice the same thing over and over, you will run through the lab with your eyes closed. The same goes for locks: if you open one lock a thousand times, you will inevitably know how and where to push. I picked one lock so many times that my homemade pick basically turned into a key for that lock. It was the school elevator, and I made it pop faster than the teachers could get their keys out.

If I want to get good at picking locks, the answer is simple: more locks. I found places that sell brand new locks that are not that expensive, and I can amass a nice collection in a few months. They will all look the same, so I will not be able to remember which lock has which quirks. Same lock, different pins. Once the collection is large enough, I can pick a lock at random, pick it, move to the next, and so on until I have exhausted my collection. After that, I can pick the other side (the locks here are usually double-sided), or just shuffle them up in a bag and take a new one at random.

To illustrate my expenses: one lock costs ~$8 and gets me a very small door cylinder; the FAB 50D is a good example. Since each cylinder is double-sided, that comes out to $4 per keyway. It is enough to put into a door in a pinch, but once I collect 20-30 of these, I will have 40-60 pin-tumbler sequences to play with!

If I want to learn another lock type in the future, I will do the same thing, practice to my heart’s content, and then I can sell/gift them to other lockpickers!

One day, if I keep this up, I’ll get better, and I’m scared of that. The better the picker, the more expensive the locks they need tend to be, and those will be a pain to collect! Especially the padlocks, as they rarely feature double-sided locks!

The ending

This month was good, if I say so myself. All is going well, I’m getting better at being dangerous, and I found a place where people smarter than I am can help. I chose a good trade for myself, I get to be a huge dick to anyone and they thank me for it!