capture the flag, hacking

@RealTryHackMe #AdventOfCyber Series: Challenge 6 – Patch Management Is Hard #TisTheSeasonForHacking

Another day, another challenge…

In this post, we’re starting a new series, the Advent of Cyber series hosted by TryHackMe. This is the third year of Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy, an elf trying to save Christmas.

In our sixth challenge, we’re presented with a scenario where McSkidy discovered some recovery keys on a web application on a server that needed to be decommissioned. The elf in charge of decommissioning the server never got around to doing the task. McSkidy realizes that the recovery keys found can be used to save other systems.

The topics explored in this challenge are Local File Inclusion (LFI) and Remote Command Execution (RCE). LFI is a vulnerability where files on the server can be read through the web application. This is bad, as ANY file the web server has read permission for can be accessed. LFI happens when user input is not sanitized or validated: the application accepts any path the user supplies. The other topic explored is RCE. RCE happens when the user can inject into, or write to, a specific file that the server then executes. When a user finds LFI, it’s a good idea to check whether RCE is also possible. This will be helpful for our challenge.
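To make the LFI point concrete, here is an added example (my code, not TryHackMe’s or the challenge’s): a naive page-include handler beside a hardened one. The web root, the page and the "secret" file outside the root are all constructed in a temporary directory so the block runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox: a tiny "web root" with one legitimate page, plus a
# pretend secret one level above it (standing in for a key file on the host).
ROOT = Path(tempfile.mkdtemp()) / "webroot"
(ROOT / "pages").mkdir(parents=True)
(ROOT / "pages" / "home.html").write_text("<h1>home</h1>")
(ROOT.parent / "secret.txt").write_text("constructed-recovery-key")


def include_vulnerable(page: str) -> str:
    """Vulnerable pattern: the user-supplied name is appended to the pages
    directory with no validation, so '../' sequences walk out of it and any
    readable file on the box can be returned."""
    return (ROOT / "pages" / page).read_text()


def include_hardened(page: str) -> Optional[str]:
    """Hardened: accept only a bare .html file name, resolve the final path,
    and require it to sit directly inside the pages directory. Returns None
    for anything else (a real handler would answer 404 and log the attempt)."""
    if os.path.basename(page) != page or not page.endswith(".html"):
        return None                      # contains a separator or wrong extension
    base = (ROOT / "pages").resolve()
    target = (base / page).resolve()     # collapses any '..' and symlinks
    if target.parent != base or not target.is_file():
        return None                      # escaped the directory or missing
    return target.read_text()
```

The hardened version applies two independent controls (an allow-list on the name and a check on the resolved path); either alone would stop the simple traversal, but keeping both means a bypass of one still meets the other.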

Can McSkidy use the recovery keys to log into other systems? Find out below!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007


@RealTryHackMe #AdventOfCyber Series: Challenge 24 – Learning From The Grinch #TisTheSeasonForHacking

Another day, another challenge…


In our twenty-fourth challenge, we’re presented with a scenario where McSkidy wants to perform the same attacks Grinch Enterprises employed on the elves network to learn more about the attack. McSkidy will use the same machine that Grinch Enterprises compromised to understand the Grinch better.

The topics explored in this challenge are post-exploitation, hashing, how passwords are stored in the Windows operating system, the mimikatz tool, and how to crack a password hash with the tool John the Ripper. Hashing is a one-way function that turns text into an unrecognizable form. There are many hashing algorithms, such as MD5, SHA1, SHA256, etc.

Post-exploitation is the phase after the attacker has gained access to the system. In this stage, the attacker wants to maintain persistence on the machine, meaning they do not want to lose their connection, and they also want to escalate their privileges from a standard user to an Administrator/root user.

Hashing is important as it leads into the next topic: how passwords are stored in the Windows operating system. Windows passwords are stored as hashes in the Security Account Manager (SAM) database. When a user types in a password, the hash of that password is compared to the hash in the SAM database by the Local Security Authority Subsystem Service (LSASS). If the hashes match, the user successfully logs in. If they do not match, the user receives an “incorrect password” error message.

Now that we know how passwords are stored and checked in Windows, we can dump them using the mimikatz tool. This tool allows us to dump password hashes from the memory of the LSASS process. Finally, once we have a password hash, we can use the tool John the Ripper to crack it. With John the Ripper, we can specify the hashing algorithm to use in the process.

Can McSkidy use the Grinch’s nefarious activities to learn more about his attacks? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 23 – PowershELlF Magic #TisTheSeasonForHacking

Another day, another challenge…


In our twenty-third challenge, we’re presented with a scenario where one of the admins from Elf Dome Enterprises realizes his password file is missing from his desktop. McSkidy suspects that a previous phishing attempt was successful and is on the hunt to figure out what happened.

The topics explored in this challenge are PowerShell and Event Viewer. PowerShell is used to automate day-to-day tasks, but it can also be used for nefarious activity. PowerShell is available on Windows, Linux, and macOS. The last concept, Event Viewer, is a logging system. Every action in Windows is recorded as an event with a specific event ID and record ID. Event Viewer is helpful because we can filter events by a particular day, activity/action, and/or provider (such as PowerShell). This will be helpful for the challenge.

Can McSkidy figure out how the admin from Elf Dome Enterprises lost his password file? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 25 – Feedback #TisTheSeasonForHacking

Another day, another challenge…


In our twenty-fifth (and final) challenge, we’re presented with a survey link to give feedback on how we felt about the Advent of Cyber challenges! Completing the survey provides the final flag of Advent of Cyber, so make sure to do it. Whew, that was a rough/fun 25 days of learning.

Also, if you want to delve deeper into a particular topic there are three additional links to the learning paths of Pre-Security, Junior Penetration Tester, and Defensive Security. Check those links out to pick your flavor of InfoSec!

If you want to hear my hilarious commentary on this challenge, click the video below!



@RealTryHackMe #AdventOfCyber Series: Challenge 22 – How It Happened #TisTheSeasonForHacking

Another day, another challenge…


In our twenty-second challenge, we’re presented with a scenario where McSkidy has identified the first trace of Grinch Enterprises in their network. Now, McSkidy needs to find out what they did when they entered the network. Hmm… I wonder what that could be.

The topics explored in this challenge are encoding, ciphers, and the oledump tool. In particular, we read about base64 encoding and how it’s still used to evade antivirus detection even though it’s not super effective. The next topic was ciphers. In particular, we read about XOR ciphers, which are built on the exclusive-or operation: the output is true when exactly one of the two inputs is true, meaning you can pick one option but not both. The final topic is the oledump tool. This tool is used to analyze OLE files, which you can think of as mini file systems. These files can hide macros, which are executable code in Word and Excel documents. Bad actors can use macros to add malicious code. This will be helpful in this challenge.
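An added example (my code, not from the challenge) of why base64 plus XOR gives an analyst little trouble: base64 is reversible with no key at all, and XOR with a key is its own inverse, so a single-byte key can be recovered by trying all 256 values and keeping the output that looks most like text. The plaintext and key below are constructed for the demonstration.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key. (p ^ k) ^ k == p, so the same
    routine both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(text: str, key: bytes) -> str:
    """The layering seen in the wild: XOR first, then base64 so the result is
    plain ASCII. The base64 layer hides nothing; it only changes the alphabet."""
    return base64.b64encode(xor_bytes(text.encode(), key)).decode()


def _text_score(candidate: bytes) -> int:
    """Crude 'does this look like English text' score used to rank keys."""
    score = 0
    for b in candidate:
        if b >= 0x80 or b == 0x7F or (b < 0x20 and b not in (9, 10, 13)):
            score -= 10                 # control / non-ASCII byte: unlikely in text
        elif b == 0x20:
            score += 3                  # spaces are the strongest signal
        elif chr(b).isalpha():
            score += 2
        else:
            score += 1                  # digits and punctuation
    return score


def recover_single_byte_key(blob_b64: str):
    """Strip the base64 layer, then brute-force the one-byte XOR key.
    Returns (key, plaintext)."""
    raw = base64.b64decode(blob_b64)
    best_key, best_plain, best_score = None, None, None
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        s = _text_score(candidate)
        if best_score is None or s > best_score:
            best_key, best_plain, best_score = k, candidate, s
    return best_key, best_plain.decode("latin-1")


# Constructed sample: a harmless sentence obfuscated with key 0x42.
SAMPLE_KEY = bytes([0x42])
SAMPLE_PLAINTEXT = "Grinch Enterprises connected to the elf network on 22 December 2021"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```

The scoring is deliberately simple; a longer repeating key is handled the same way once the key length is known, by solving each key position as its own single-byte problem.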

Can McSkidy figure out what the Grinch did after gaining initial access to the system? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 17 – Elf Leaks #TisTheSeasonForHacking

Another day, another challenge…


In our seventeenth challenge, we’re presented with a scenario where the Grinch has posted an email to everyone at the Best Festival Company detailing everyone’s name and date of birth. McSkidy talks with McInfra to determine the origin of the breach.

The topics explored in this challenge are AWS S3 (Simple Storage Service) and AWS IAM (Identity and Access Management). S3 is one of AWS’s oldest services and stores files in buckets. Buckets can be configured as public or private (this will be useful in our challenge). For AWS IAM, there are two different kinds of keys that matter for this service: long-term access key IDs, which start with AKIA, and short-term credentials, whose access key IDs start with ASIA. This will also be helpful in our challenge.

Can McSkidy find the origin of the breach? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 21 – Needles In Computer Stacks #TisTheSeasonForHacking

Another day, another challenge…


In our twenty-first challenge, we’re presented with a scenario where McBlue wants to use automation to detect malicious files on the network. Great idea!

The topic explored in this challenge is the tool YARA. YARA is used to match patterns in potentially malicious files and serves as a detection aid for malware analysis, which will be helpful in our challenge.
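To show what "matching patterns" means in practice, here is an added example (my code, not YARA itself and not the challenge’s rules): a miniature matcher with the same shape as a YARA rule, a set of named strings (literal text or hex with wildcard bytes) and a condition over them, run across a few constructed files.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict      # identifier -> bytes (literal) or str (hex pattern like "4D 5A ?? 00")
    condition: str     # "any of them" or "all of them"


def _to_regex(pattern):
    """Literal bytes match exactly; a hex pattern allows '??' wildcard bytes,
    mirroring YARA's hex string syntax."""
    if isinstance(pattern, bytes):
        return re.compile(re.escape(pattern), re.DOTALL)
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def match_rule(rule: Rule, data: bytes) -> bool:
    hits = [bool(_to_regex(p).search(data)) for p in rule.strings.values()]
    if rule.condition == "all of them":
        return all(hits)
    if rule.condition == "any of them":
        return any(hits)
    raise ValueError("unsupported condition: " + rule.condition)


def scan(rules, files: dict) -> dict:
    """Return {filename: [matching rule names]} for every file with a hit."""
    results = {}
    for fname, data in files.items():
        matched = [r.name for r in rules if match_rule(r, data)]
        if matched:
            results[fname] = matched
    return results


# Constructed rules and files for the demonstration.
RULES = [
    # An MZ header (Windows executable) together with a campaign marker string.
    Rule("pe_with_grinch_marker", {"$mz": "4D 5A ?? 00", "$marker": b"GrinchEnterprises"}, "all of them"),
    # The marker string anywhere, regardless of file type.
    Rule("grinch_marker_anywhere", {"$marker": b"GrinchEnterprises"}, "any of them"),
]
SAMPLE_FILES = {
    "bonus_details.exe": b"MZ\x90\x00\x03\x00constructed PE bytes ... GrinchEnterprises",
    "notes.txt": b"constructed text that mentions GrinchEnterprises in passing",
    "readme.txt": b"constructed benign text",
}
```

The two rules show the usual trade-off: the stricter "all of them" rule produces fewer false positives, while the looser one catches the marker in documents too and is better suited to hunting than to blocking.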

Can McSkidy find the malicious file(s) in the network? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 13 – They Lost The Plan! #TisTheSeasonForHacking

Another day, another challenge…


In our thirteenth challenge, we’re presented with a scenario where the Grinch has downgraded the permissions for the rough draft of the disaster recovery plan that McSkidy was working on. Oh no!

The topic explored in this challenge is elevation of privileges. There are two types: vertical and horizontal. Horizontal privilege escalation is where we move from one user to another user with the same level of permissions. Vertical privilege escalation is where we start as a standard user and elevate to an administrator (Windows) or root (Linux). The second type, vertical escalation, will be useful for this challenge.

Can McSkidy escalate her privileges to retrieve the disaster recovery plan? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 20 – What’s The Worst That Can Happen? #TisTheSeasonForHacking

Another day, another challenge…


In our twentieth challenge, we’re presented with a scenario where McPayroll is processing bonuses. An elf sends McPayroll a file claiming it’s their new payment information. There’s one problem. McPayroll doesn’t recognize the elf. Uh oh…

The topic explored in this challenge is malware. Malware, or malicious software, is hidden malicious code inside a file. Malware can live in executables (files that run code, which usually have the .exe extension) and in Word/Excel documents if macros are enabled, for example. In this challenge, two commands are used to determine whether a file is malware: file, which reports the file type regardless of the extension, and strings, which outputs the runs of printable characters in a file.
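An added example (my code, not the challenge’s files and not the real file or strings programs) of what those two commands do underneath: a type check on the leading "magic" bytes, which ignores the file name entirely, and an extractor for printable runs. The sample file is constructed to look like the scenario, a document extension on executable content.

```python
import re

# Leading byte signatures, the same idea the file command's magic database uses.
MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also .docx/.xlsx)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (.doc/.xls)"),
]

# What the extension claims the content should be.
EXPECTED_BY_EXT = {
    "exe": "PE/DOS executable",
    "dll": "PE/DOS executable",
    "pdf": "PDF document",
    "docx": "ZIP archive (also .docx/.xlsx)",
    "xlsx": "ZIP archive (also .docx/.xlsx)",
    "doc": "OLE compound document (.doc/.xls)",
    "xls": "OLE compound document (.doc/.xls)",
}


def identify(data: bytes) -> str:
    """Classify by magic bytes only; the file name is never consulted."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "data"


def strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes (the strings default)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(name: str, data: bytes) -> dict:
    """Combine both checks and flag a file whose extension disagrees with
    its content, the classic sign of a disguised executable."""
    kind = identify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mismatch = ext in EXPECTED_BY_EXT and EXPECTED_BY_EXT[ext] != kind
    return {"type": kind, "extension_mismatch": mismatch, "strings": strings(data)}


# Constructed sample: a "PDF" that is really a PE stub with a marker string.
SAMPLE_NAME = "new_payment_info.pdf"
SAMPLE_BYTES = (b"MZ\x90\x00\x03\x00\x00\x00"
                + b"This program cannot be run in DOS mode"
                + b"\x00\x01\x02ab\x00constructed-marker-string")
```

The mismatch flag is the cheap, high-value check: content that identifies as an executable while the name promises a document deserves a closer look before anyone opens it.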

Can McSkidy determine whether the elf’s new payment information is really malware? Find out below!



@RealTryHackMe #AdventOfCyber Series: Challenge 8 – Santa’s Bag of Toys #TisTheSeasonForHacking

Another day, another challenge…


In our eighth challenge, we’re presented with a scenario where Santa’s laptop, which is used to prepare his bag of toys, is missing. Oh no! It’s alleged that a minion from Grinch Enterprises has stolen it, and we need to make sure that is the case. Besides being stolen, the laptop was also compromised. While we don’t have the physical laptop, we do have logs that we can review.

The topic explored in this challenge is PowerShell transcription logs. These transcription logs record which PowerShell commands were executed, so they can be reviewed to see what happened on a server or laptop *hint, hint*.

Can McSkidy find who stole the laptop and recover Santa’s bag of toys? Find out below!
