In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of Advent of Cyber, in which a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we play McSkidy, an elf trying to save Christmas.
In our twenty-fourth challenge, we’re presented with a scenario where McSkidy wants to replay the same attacks Grinch Enterprises used against the elves’ network in order to learn more about them. McSkidy will use the same machine that Grinch Enterprises compromised to understand the Grinch better.
The topics explored in this challenge are post-exploitation, hashing, how passwords are stored in the Windows operating system, the mimikatz tool, and how to crack a password hash with John the Ripper. A hash function is a one-way function that maps input of any length to a fixed-length digest: cheap to compute forwards, infeasible to reverse, which is why systems store hashes rather than the passwords themselves. Common hashing algorithms include MD5, SHA-1, and SHA-256.
Post-exploitation is everything the attacker does after gaining access to a system. In this stage, the attacker wants persistence on the machine, meaning they do not want to lose their access, and they want to escalate privileges from a standard user to an Administrator or root user.
Hashing matters here because it leads into the next topic: how Windows stores passwords. Local account passwords are stored as hashes in the Security Account Manager (SAM) database. The stored value is the NT hash, an unsalted MD4 digest of the UTF-16LE-encoded password. When a user types in a password, the Local Security Authority Subsystem Service (LSASS) hashes it and compares the result to the hash held in the SAM. If the hashes match, the user logs in successfully; if they do not, the user receives an “incorrect password” error. Because the NT hash is unsalted, two users with the same password have the same hash, and one wordlist pass tests every dumped hash at once.
Now that we know how passwords are stored and checked in Windows, we can dump them with mimikatz. Mimikatz can pull credential material out of the memory of the LSASS process (sekurlsa::logonpasswords) or read the hashes straight from the SAM (lsadump::sam); both require administrative or SYSTEM privileges, which is why this step belongs to post-exploitation. Once we have an NT hash, we can crack it with John the Ripper, telling John the hash type with --format=NT so that it hashes each wordlist candidate the same way Windows does and compares the results.
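To make the storage-and-cracking chain concrete, here is an added example (written for this write-up, not code from the challenge, TryHackMe, mimikatz or John): it computes the NT hash exactly as Windows does, formats it as the pwdump-style line John’s NT format accepts, and runs the same hash-and-compare loop a wordlist attack performs. MD4 is implemented by hand because OpenSSL 3 ships it only as a legacy algorithm, so hashlib.new("md4") fails on many current systems. The user name, RID and wordlist are constructed for the demo.

```python
"""Added example: NT hash (unsalted MD4 over UTF-16LE) and a wordlist attack on it.
Not from the original post; names, RID and wordlist below are made up for the demo."""
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: a single 1 bit, then zeros ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # ... then the bit length, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        # Each round applies 16 steps; rotating the registers after each step
        # reproduces the A/D/C/B ordering of the specification.
        for i in range(16):                                   # round 1
            A = _lrot((A + f(B, C, D) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4                          # 0,4,8,12,1,5,...
            A = _lrot((A + g(B, C, D) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A = _lrot((A + h(B, C, D) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK32, (b + B) & MASK32, (c + C) & MASK32, (d + D) & MASK32

    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """What the SAM stores: hex MD4 of the UTF-16LE password, with no salt."""
    return md4(password.encode("utf-16-le")).hex()


def pwdump_line(user: str, rid: int, password: str) -> str:
    """pwdump-style line (user:RID:LM:NT:::) that `john --format=NT` accepts."""
    return f"{user}:{rid}:{EMPTY_LM}:{nt_hash(password)}:::"


def crack_nt_hash(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """The wordlist attack: hash every candidate the way Windows does and compare.
    With no salt, one hash per candidate is enough to test every user's hash."""
    target = target_hex.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed demo wordlist (a real run would use rockyou or similar).
WORDLIST = ["letmein", "123456", "Password1", "password", "winter2021"]

if __name__ == "__main__":
    line = pwdump_line("grinch", 1001, "password")
    print(line)
    print("cracked:", crack_nt_hash(line.split(":")[3], WORDLIST))
```

The loop in crack_nt_hash is all John does for this format, just without the SIMD and candidate-generation rules that make it fast; the important point is that nothing per-user (no salt) enters the computation, so dumping the whole SAM costs no more to crack than a single hash.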
Can McSkidy use the Grinch’s nefarious activities to learn more about his attacks? Find out below!
In our thirteenth challenge, we’re presented with a scenario where the Grinch has downgraded the permissions for the rough draft of the disaster recovery plan that McSkidy was working on. Oh no!
The topic explored in this challenge is privilege escalation. There are two types: horizontal and vertical. Horizontal escalation moves from one user to another user with the same level of permissions, for example from one standard account to another. Vertical escalation starts from a standard user and elevates to an administrator (Windows) or root (Linux). The second type, vertical escalation, is the one we need for this challenge.
Can McSkidy escalate her privileges to retrieve the disaster recovery plan? Find out below!
In our twentieth challenge, we’re presented with a scenario where McPayroll is processing bonuses. An elf sends McPayroll a file claiming it’s their new payment information. There’s one problem. McPayroll doesn’t recognize the elf. Uh oh…
The topic explored in this challenge is malware. Malware, or malicious software, is code built to do harm, and it usually hides inside a file that looks harmless. It can live in executables (files that run code directly, usually with a .exe extension), in scripts, and in Word or Excel documents that carry macros, for example. In this challenge two commands are used to assess whether a file is malware. The first, file, reports the file type from the bytes at the start of the file (its magic number) regardless of the extension, so a renamed executable cannot hide behind a .pdf or .docx name. The second, strings, prints the runs of printable characters in a file, which often exposes embedded command lines, URLs or other clues about what the file does.
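As an added example (written for this write-up, not the challenge’s own tooling or the real file and strings utilities), the block below re-implements the two checks in miniature: classification by magic number with the extension ignored, a look inside ZIP-based Office files for a vbaProject.bin (where VBA macros live), and extraction of printable runs. Both sample “attachments” are constructed in code, and the embedded command line is a typical indicator, not a real sample.

```python
"""Added example: what `file` and `strings` see in an attachment whose name lies.
Not from the original post; sample files and the magic table below are constructed."""
import io
import zipfile
from typing import List

# Magic numbers for the formats most relevant to a "payment information" attachment.
MAGIC = [
    (b"MZ", "PE executable (MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Legacy Office/OLE2 document (.doc/.xls, may carry VBA)"),
    (b"{\\rtf", "RTF document"),
    (b"PK\x03\x04", "ZIP archive"),
]


def identify(data: bytes) -> str:
    """Classify by leading bytes only, as `file` does; the file name is never consulted."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return _classify_zip(data) if magic == b"PK\x03\x04" else label
    return "data"


def _classify_zip(data: bytes) -> str:
    """Office 2007+ files are ZIP containers; a vbaProject.bin entry means macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "ZIP archive (corrupt)"
    if "word/vbaProject.bin" in names or "xl/vbaProject.bin" in names:
        return "Office 2007+ document with VBA macros"
    if "word/document.xml" in names:
        return "Microsoft Word 2007+ document"
    if "xl/workbook.xml" in names:
        return "Microsoft Excel 2007+ workbook"
    return "ZIP archive"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII (0x20-0x7E) of at least min_len bytes, the `strings` default."""
    out, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def build_fake_pe() -> bytes:
    """Constructed sample: an MZ header followed by a suspicious command line."""
    return (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
            + b"This program cannot be run in DOS mode.\r\n"
            + b"\x00" * 4 + b"cmd.exe /c powershell -enc AAAA\x00")


def build_docm() -> bytes:
    """Constructed sample: a minimal OOXML container that carries a vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("payment_info.pdf", build_fake_pe()), ("payment_info.docx", build_docm())]
    for name, blob in samples:
        print(f"{name}: {identify(blob)}")
        print("  strings:", extract_strings(blob))
```

Running it shows "payment_info.pdf" reported as a PE executable and "payment_info.docx" as macro-enabled, which is the whole lesson: the extension is attacker-controlled, the leading bytes and the container contents are not.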
Can McSkidy determine if the elves new payment information is really malware? Find out below!
In today’s blog post we’re going to solve the “A Thing Called A Stack” challenge from PicoCTF.
Let’s get started.
Clicking on the challenge, we see the following:
OK, so we’re given a file, and we need to determine the difference between the value of esp at the end of the code and the location of the saved return address.
Looking at the hints we see the following:
The hints raise two different questions: where the return address is saved, and which instructions actually affect the stack (and therefore esp).
DISCLAIMER: I haven’t worked with assembly in probably 8 years. So, what did I do? Go to YouTube.
Entering “Assembly tutorial”, I found a GREAT crash course explaining assembly.
I’ll start this post by being truthful… I honestly forgot about this blog post. At the time I was an application developer looking to transfer into the Information Security field. This was about 5 years ago. So where am I today? I’m currently in the Information Security field as an Application Security Tester working on a DevOps pipeline. As the tagline of this blog states I still want to become a penetration tester.
You, the reader might be wondering – why? I look at penetration testing as a game (I’m a gamer at heart). I have this console, and I know what I need to do (gain r00t), but the process of doing it is left up to the penetration tester.
I still love web application penetration testing – but I would also love to get into mobile penetration testing since EVERYONE has a mobile phone.
So… how do I want to revamp this site? I want to show my skills. I will start with showing my solutions to vulnerable virtual machines. My first would be the OWASP Hackademic Challenge. This challenge happened about 4 years ago, but each challenge illustrates the OWASP Top Ten, and I think this will be a good introduction to show how an application developer is STILL making the transition to a penetration tester. 🙂
I guess I should get the formalities out of the way.
I started this blog to discuss my journey of transitioning over to the Information Security field. I see my end goal as becoming a Penetration Tester. At this time, I have the education (Masters in Computer Science, graduate certificate in Information Security and Privacy) but even with the education, I do not have the practical knowledge at this time (that’s changing though).
Now to begin the formalities:
I’ve been trying to enter the Information Security field for the past 8 years. I can remember like it was yesterday how I became interested in the topic. I stumbled into a Yahoo! Group post on Cryptography. I remember spending 2 hours looking at all the posts and becoming intrigued by how messages were scrambled and, to the naked (untrained) eye, looked like gibberish. At that time I said, “I want to do cryptography.” After doing more research, I realized that while cryptography is interesting, the field is narrow. I wanted my career to give me options; I didn’t want to do the same thing every day. Next, I decided that I wanted to look at authentication protocols after reading Michelle Brown’s speech to Congress about Identity Theft. Again, after doing more research into authentication protocols, I had the same problem as with Cryptography: the field was narrow.
Before my Computer Forensics final (May 2011), I was talking with one of my classmates, where he brought up Penetration Testing. I was skeptical about the field because I thought it was going to be like the last two I researched (cryptography and authentication protocols), but as I started doing more research I found myself to be even more intrigued. The field of penetration testing seemed to fit me perfectly. The field is not so narrow, meaning that if I wanted to change my scope of penetration testing it wouldn’t be a problem since there are many flavors of the field.
What I see this blog becoming:
My plan for the next couple of posts will be discussing tools I am playing with, would like to play with, and other general topics that deal with information security/penetration testing. By all means I would like this to be interactive. If anyone knows of tools/certifications that I need to successfully transition over to the field, please let me know.