Tevora & Immersive Labs CTF 2021

I recently took part in the Tevora & Immersive Labs CTF. I was surprised by the content: rather than a ‘standard’ CTF, it had a lot of focus on analysis of compromise and OSINT tasks.

The process for submitting flags was a little different too. For most tasks you had multiple questions to complete the task – it guided you through what the learning was intended to be, so you couldn’t just get the root flag and complete the task.

My favourite task was the OSINT leading to compromise of a corporate environment because of a ‘noisy’ CISO. I also liked the emphasis on Wireshark pcap investigation alongside the Windows event logs.

It was fun & I learned a new trick or two! I also won.

Security+

After procrastinating for a couple of months, I set a date and sat the Security+ exam. I didn’t do too much revision for this; I skimmed an old Sybex ebook that I had on the Kindle app from back when I couldn’t afford the exam, and I thought this would be enough alongside my real-world experience. Happily, I passed the exam with 822.

I was impressed by the configuration-type questions; they caught me out a little, but I think I managed to get these correct. I was owned on a couple of risk-related questions, which I assume I got wrong, and I don’t recall seeing anything around this in the old ebook I had – I’ll blame the book. Other than that I felt like I had it covered.

It is definitely an entry-level examination, but nice to have.

Next up: CASP+!

HTB Cyber Apocalypse CTF

After seeing some interesting updates from Hack The Box about funding on LinkedIn, I found a very exciting post about a CTF they were running called Cyber Apocalypse. I left it pretty late to sign up as I didn’t think I’d get a lot of time: our baby needs a lot of attention & I have only a few hours in the evening where I can spend time hacking. I considered asking some of the team at work whether they’d be interested in playing but thought better of it; at this point I wasn’t sure what type of CTF this would be. Some CTFs are ‘realistic’ and some are just troll-level pain and really not very fun.

I decided to focus on the web challenges as that’s something I’m OK at. Some were very simple; some were not so simple and were actually pretty scary in what could be achieved once the exploit path was understood. I managed to complete 12 challenges: 10 web challenges, one ‘misc’ challenge exploiting input() in Python, and the warm-up challenge. The warm-up challenge brought the most laughs… endless individuals writing flag++ in the Discord chat, not reading the announcements, and mods getting very upset.

I liked the format, but the infrastructure hit a hurdle a couple of times when I went to try to play. I really liked that challenges were worth 1000 points when released and, as people solved them, dropped down to a minimum of 300 points: like a bounty for being quick or for solving harder challenges. I managed to get a few solves worth over 500 points along the way, which felt like a mini victory. I really liked the variety of challenges; I definitely wasn’t equipped to handle the forensics tasks as quickly as I’d have liked, and consequently I parked these. I will definitely be reading the writeups and playing with the challenge materials at a later stage. Some areas like hardware & crypto were way out of my current skillset; I’ll also be looking into those released challenges when time permits.

It would’ve been good to know where I ranked as a one-player team; I didn’t expect to compete with any of the 10-player teams! I managed to place 617/4740 as a single pringle, with a grand total of 3400/19650 points. I will definitely be inviting my work colleagues along for the next one; it wasn’t a trollfest of insanely unfun machines, and it was really good learning.

Business Email Compromise: Spam to misdirected payments.

One of my domains that I used for consulting received a bunch of spam this weekend. It wasn’t targeted at all but it’s easy to see how people fall for it.

The first e-mail was a “confirm your credentials” type phish; the link led to a hosted page that took the e-mail address as a parameter to populate the page, so it would show your own e-mail address to make it a bit more believable. It was hosted on a compromised domain. It might look quite realistic if you aren’t IT savvy, but the domain wasn’t particularly sneaky to someone with a bit of experience.

The second e-mail was an “email access will be deactivated” type e-mail; the site was hosted on Google Firebase storage.

This wasn’t particularly smart, but it looked realistic-ish: the URL had mentions of Microsoft-like services, and the login page looked very much like an O365 login page. It didn’t show a phishing warning; people would easily fall for it.

The last attempt was a little more interesting. It was a keylogger sent in a zip. When extracted, the exe had a PDF icon and was named “URGENT: INVOICE <DESC> <date>.pdf.exe”. This isn’t new, but how it progressed was – it wasn’t someone just after my Netflix password.

I stood up my sandbox and let the ‘invoice’ do its work. I captured it sending traffic over port 587 in cleartext; the credentials were base64-encoded. To my horror it was sending my saved passwords from my browser. Luckily the sandbox only had my router credentials saved in the browser, and that was the default password. The tool did the standard kind of crypted-malware thing… it waited, prompted an error, appeared to have stopped Windows Defender, added something to startup, and ran in the background as something that looked half legit, in this case WSUSS.EXE (like Windows Update). Looking at the format of the e-mail, it appeared to be a variant of Origin keylogger – but they’re likely all pretty similar.

Spammers don’t have great opsec.

Things got a little more interesting when I checked the SMTP conversation. When these details are sent in cleartext, they are giving you the credentials to the sender e-mail account. Sometimes these are compromised accounts acting as a forwarder to an external account, sometimes they’re on a domain purchased by the spammer but sending to another mailbox, but in this case the sender e-mail was also the recipient e-mail. With a bit of guesswork against the domain I found the webmail panel and could log in.

An example which was similar to what was seen.
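To make the ‘cleartext over 587’ point concrete, here is an added example of my own (not code from the original post) that recovers the credentials from a captured SMTP session. The transcript, the mail host mail.badboy.example, the mailbox and the password are all constructed; the base64 tokens are what a Wireshark ‘Follow TCP Stream’ on port 587 shows when the stealer never issues STARTTLS. It handles both AUTH LOGIN (two 334 prompts, each a base64 ‘Username:’/‘Password:’) and AUTH PLAIN (one NUL-separated token), and records whether the server accepted the attempt.

```python
import base64

# Constructed sample transcript (not from the original post) of an SMTP
# submission session on port 587 with no STARTTLS, which is what a stealer
# configured to mail its logs looks like in "Follow TCP Stream" in Wireshark.
# Hostnames, mailbox and password are made up. "C:" is client, "S:" is server.
SAMPLE_AUTH_LOGIN = """\
S: 220 mail.badboy.example ESMTP ready
C: EHLO DESKTOP-VICTIM
S: 250-mail.badboy.example
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bG9nc0BiYWRib3kuZXhhbXBsZQ==
S: 334 UGFzc3dvcmQ6
C: SHVudGVyMiE=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<logs@badboy.example>
C: RCPT TO:<logs@badboy.example>
"""

# Same (constructed) credentials sent with AUTH PLAIN and an inline initial
# response (RFC 4616: NUL authzid NUL authcid NUL password, base64-encoded).
# Built with b64encode so the token is guaranteed well-formed.
_PLAIN_TOKEN = base64.b64encode(b"\x00logs@badboy.example\x00Hunter2!").decode()
SAMPLE_AUTH_PLAIN = f"""\
C: EHLO DESKTOP-VICTIM
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH PLAIN {_PLAIN_TOKEN}
S: 535 5.7.8 Authentication credentials invalid
"""


def _b64(token: str) -> str:
    """Decode one base64 SMTP token; malformed input raises rather than hiding."""
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def _decode_plain(token: str) -> dict:
    """Split an AUTH PLAIN token into authzid / username / password."""
    parts = _b64(token).split("\x00")
    if len(parts) != 3:
        return {"mechanism": "PLAIN", "raw": parts}
    authzid, username, password = parts
    return {"mechanism": "PLAIN", "authzid": authzid,
            "username": username, "password": password}


def extract_smtp_credentials(transcript: str) -> list:
    """Walk a C:/S: transcript and recover every AUTH LOGIN or AUTH PLAIN
    attempt. Each result records the mechanism, username, password and,
    if the server answered 235 or 535, whether the attempt was accepted."""
    creds, state, current = [], None, {}
    for raw in transcript.splitlines():
        if raw[:3] not in ("C: ", "S: "):
            continue                            # not part of the dialogue
        side, line = raw[0], raw[3:].strip()
        if side == "S":
            if creds and line.startswith("235"):
                creds[-1]["accepted"] = True
            elif creds and line.startswith("535"):
                creds[-1]["accepted"] = False
            continue
        parts = line.split(None, 2)
        verb = " ".join(parts[:2]).upper()
        if verb == "AUTH PLAIN":
            if len(parts) == 3:                 # initial response on the AUTH line
                creds.append(_decode_plain(parts[2]))
                state = None
            else:
                state = "plain"                 # token follows the 334 prompt
        elif verb == "AUTH LOGIN":
            current = {"mechanism": "LOGIN"}
            if len(parts) == 3:                 # username may be sent inline too
                current["username"] = _b64(parts[2])
                state = "login-pass"
            else:
                state = "login-user"
        elif state == "plain":
            creds.append(_decode_plain(line))
            state = None
        elif state == "login-user":             # reply to the 334 "Username:" prompt
            current["username"] = _b64(line)
            state = "login-pass"
        elif state == "login-pass":             # reply to the 334 "Password:" prompt
            current["password"] = _b64(line)
            creds.append(current)
            current, state = {}, None
    return creds


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_LOGIN, SAMPLE_AUTH_PLAIN):
        for attempt in extract_smtp_credentials(sample):
            print(attempt)
```

The two 334 prompts are the tell: VXNlcm5hbWU6 and UGFzc3dvcmQ6 are just ‘Username:’ and ‘Password:’, so the two client lines that follow are the account. Had the session negotiated STARTTLS you would see only a TLS handshake after the EHLO reply and none of this would be readable; skipping it is the opsec failure that hands over the mailbox.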

This spammer had tested the crypted ‘tool’ on his own server/laptop, so the captured info was being sent back to this same mailbox that I had access to; this gave me some insight into exactly what he was doing. He was kind enough to capture the keylogging and screenshots to build the full picture.

This spammer left his Instagram, Facebook and other identifiable details available in his logs inbox. I’ve tried to send this to the Enugu police in Nigeria, where I think he’s located, but I doubt a lot will happen from it. I also contacted the businesses I found to be compromised in the Yandex account.

This was his process:

  • He bought a spam list from a site that sells “leads”, paying with a currency perceived as anonymous that isn’t crypto.
  • He purchased a domain and an e-mail service from a provider that only accepts cryptocurrency; let’s call the purchased domain “badboy.com”.
  • He bought an RDP for SMTP from the site he’d purchased the “leads” from; the mail server was set up with DKIM – this guaranteed it’d hit the inbox of most providers for a while, particularly if he avoided Hotmail and Gmail recipients.
  • He downloaded a cracked version of a spam tool on the RDP he’d purchased and set up the spam tool.
  • He configured the keylogger to send to his logs@badboy.com address; the sender and recipient were the same.
  • He tried to use an online crypter service, but this failed to make it “FUD” (fully undetectable).
  • He went and purchased another crypter and crypted his binary. I guess this was FUD or had better results.
  • He sent this out as an attachment with an e-mail titled “URGENT: INVOICE <DESC> <date>” to his “leads” list.
  • Once results filtered in, he would log in to the victims’ inboxes and forward all the mail received to a Yandex account.
  • At some point he had purchased another domain that was very similar to the compromised business’s, with a typo in the domain name (qroup vs group), and he used this to reply to the business’s customers to try to get them to pay by bank transfer to a BOA account in America. A case of business e-mail compromise.
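As an added example (my own, not the spammer’s tooling or anything from the original post), here is a small Python check for the lookalike-domain step above; it goes a little beyond the single q/g swap and also catches rn/m style confusables, inserted hyphens and one- or two-character edits. The business domain examplegroup.com and the From: addresses in SAMPLE_SENDERS are constructed.

```python
# Added example: flag sender domains that impersonate a business domain the
# way the "qroup"/"group" domain did. The trusted domain and the From:
# addresses below are constructed for the example.

TRUSTED_DOMAINS = {"examplegroup.com"}

SAMPLE_SENDERS = [
    "accounts@examplegroup.com",     # the real domain
    "accounts@exampleqroup.com",     # q swapped for g, the trick described above
    "accounts@exarnplegroup.com",    # rn for m
    "billing@example-group.com",     # inserted hyphen
    "accounts@examplegroup.co",      # dropped TLD character
    "newsletter@unrelated.example",  # nothing to do with the business
]

# Character sequences that render almost identically in common fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "q": "g"}


def normalise(domain: str) -> str:
    """Collapse visually confusable sequences so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a typo-squat is usually within one or two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return "trusted", "lookalike" or "unrelated" for one From: address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalise(domain) == normalise(t):              # confusable characters
            return "lookalike"
        if domain.replace("-", "") == t.replace("-", ""):   # hyphen games
            return "lookalike"
        if levenshtein(domain, t) <= max_distance:          # typo-squats
            return "lookalike"
    return "unrelated"


def triage(senders=SAMPLE_SENDERS) -> dict:
    """Classify every sample address; returns {address: verdict}."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for address, verdict in triage().items():
        print(f"{verdict:9s} {address}")
```

Run as a script it prints one verdict per address. The hyphen and edit-distance rules will also flag some legitimate sister brands, so treat ‘lookalike’ as a reason to route the message to a reviewer, and to require an out-of-band callback before any change of bank details, rather than as an automatic block.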

BEC is a big deal in countries where law enforcement can be bought. With a small upfront cost to setup, some basic IT ability and persistence, the return can be massive.

secureCodeBox, it really whips the llama’s ass.

If you get the Winamp reference, +1 old points to you.

As part of my role I conduct vulnerability scans against environments on a quarterly basis. It’s not massively taxing, and I’ve documented it so somebody else could do it… but it’s definitely something that could be automated. This is where secureCodeBox comes in!

At the moment I am playing with the features to automate what already exists with ZAP, SSLyze, Nikto & Nmap. I am looking at the effort required to include other tools in custom scans, since it’d be nice if GVM could be usable in a similar manner.

The nice thing with secureCodeBox is that it can happily output to an S3-compatible service, so that includes S3, Vultr block storage & its own in-built MinIO. It does have some potential to integrate with ES, and it looks to be only a matter of time for DefectDojo, which is what I’m waiting for.

Looking forward to playing with this more, it is really a great idea.

OSCP vs OSWE

In late 2019 I completed the requirements for the Offensive Security Certified Professional certification. It was challenging and a bit more stressful than the eCPPT examination I’d passed before it. It was 24 hours of trying to break into systems that sometimes led you down a wrong path and ate into your examination hours. The OSCP certification is difficult, but it’s really aimed at using the tools of the trade, following a process they provide you, and just understanding the scripts and tools you are running. There may be an element of changing scripts to fit your needs; it needs that basic understanding of reading code, what some might call script-kiddie level.

In October 2020 I decided to take on the OSWE after going through the AWAE materials that I’d had since the beginning of the year (minus the online boxes to attack). It was genuinely a different level of difficulty, and it relies on a lot of self-learning. It was the closest I have been to not completing an examination, as it was just so hard to make progress at times. The goal here is very much reading code, understanding what it’s doing and why it might not be doing it in the best way. It also involves encryption, hashing and encoding, which you need when automating the scripts you write. It’s necessary to make use of Burp Suite on this and then convert web requests into something you use in your code. I can’t give too much away, but suffice to say it’s not easy. After handing in I genuinely thought I’d failed… but I was delighted to see a few days later that I’d passed!

OSCP and OSWE are different beasts in terms of expectations and level. OSWE really does require an understanding of code, injection and encryption, writing these into scripts and, most importantly, automating the full exploit process – end to end, to pop a shell. If you do anything developer-related then OSWE would be good to have; it covers a lot of the OWASP Top Ten throughout the course.

I am delighted with passing both, but I definitely value the OSWE more as it’s an advanced-level certification. Because of the cost, the time investment required & having a little baby to entertain, there will be no more Offensive Security certifications for a while!

AWS: Security – Specialty vs Azure Security Engineer Associate (AZ-500)

Until late 2018 my interactions with both AWS and Azure were pretty limited; even after this they were limited in a working capacity, and it was mainly hobbyist work with the products on the cheap.

After completing what I call “hands-on” exams with OSCP & OSWE, which are Offensive Security certifications that require breaking into systems, I wanted to show I knew how to set up securely. Most of the types of technology on both AWS and Azure have been around for a while, but it used to be the case that you’d need to stitch several things together to make a solution for your needs – it wasn’t all in one place, with a few clicks making it all play nicely together. AWS and Azure offer this now with relative ease.

I took AWS: Security in October, and this is really what I’d call a solutions-type exam: the goal was to provide answers to specific scenarios where you could technically do it a few ways, but the aim would be either cost, scalability or something else they wanted you to factor in. It did have a lot of core information security and basic networking questions that anyone with a few years of that domain knowledge would find fairly straightforward. It was challenging because sometimes a right answer can be a wrong answer, and it’s a word or two in the requirements that makes that difference. It had a lot of emphasis on availability, monitoring, IAM, alerting and KMS. I definitely felt like I’d gone through an exam with this, and it genuinely hurt my head.

I took the Azure Security Engineer Associate (AZ-500) at the end of November after managing to snaffle another 30-day free trial to play with. The Azure exam is a lot simpler, and the scenarios are simpler to determine the right answer for. There was some emphasis on IAM, monitoring, alerting and Vault, but not so much on availability. I felt like the exam wasn’t too hard on the brain, but some things you just couldn’t know without exposure to premium licensing and products, which isn’t easy to achieve on a budget. Any Udemy videos around these features were generally outdated; in some cases nothing existed.

Each certification has its own merits, but the AWS: Security – Specialty exam is definitely aimed at people with a bit more real-world experience, and this shows in the scenarios, troubleshooting and depth of questions. The Azure exam is entry-level and focuses on best practices with their products, very basic networking, basic troubleshooting, security fundamentals and common uses.

Very pleased to have completed both this year!