Thursday, December 28, 2023

MY EXPERIENCE ON ADVENT OF CYBER 2023


TryHackMe’s Advent of Cyber 2023 was a great experience. It was very beginner friendly, and they provided well-set-up labs with a storyline to make the challenge interesting. It was quite interactive and very informative from a beginner’s point of view; the challenges brushed through many of the concepts used in different areas of cybersecurity job roles. The attack labs were well set up and I didn’t face many issues, and the Discord community was very active in resolving issues and supporting others. In fact, the storyline with the comics made it very interesting by building curiosity within the players, and at the end there was a game where we had to submit the evidence in court, which was fun. After this we also received a certificate. Overall it was a great initiative, collaborating with many YouTubers in the security field, and I felt it was worth the time.

TRYHACKME’S ADVENT OF CYBER 2023 ( DAY 24 )


Day 24 - "You Are on the Naughty List, McGreedy"

The learning objectives for day 24 were:

  • Static acquisition: A bit-by-bit image of the disk is created while the device is turned off.
  • Live acquisition: A bit-by-bit image of the disk is created while the device is turned on.
  • Logical acquisition: A select list of files is copied from the seized device.
  • Sparse acquisition: Select fragments of unallocated data are copied. The unallocated areas of the disk might contain deleted data; however, this approach is limited compared to static and live acquisition because it doesn’t cover the whole disk.

In this task we learned about acquiring digital forensic evidence to present in court, how to acquire a smartphone image, and how to use the Autopsy tool.

We had to use Autopsy to analyse the smartphone image and find data confirming his involvement in the crime.

Click here to see the tutorial.

TRYHACKME'S ADVENT OF CYBER 2023 ( DAY 23 )


Day 23 - "Relay All the Way"

The learning objectives for day 23 were:

  • The basics of network file shares
  • Understanding NTLM authentication
  • How NTLM authentication coercion attacks work
  • How Responder works for authentication coercion attacks
  • Forcing authentication coercion using lnk files

In this task we learned what NTLM authentication is, how coercion attacks work, and how to perform this attack.

First we created an .lnk file and uploaded it, opened up Responder and waited for an interaction; once we received the hash we used the John the Ripper tool to crack it.

Click here to see the tutorial.

TRYHACKME’S ADVENT OF CYBER 2023 ( DAY 22 )


Day 22 - "Jingle Your SSRF Bells: A Merry Command & Control Hackventure"

The learning objectives for day 22 were:

  • Understanding server-side request forgery (SSRF)
  • Which different types of SSRF are used to exploit the vulnerability
  • Prerequisites for exploiting the vulnerability
  • How the attack works
  • How to exploit the vulnerability
  • Mitigation measures for protection

In this task we learned what server-side request forgery is, what the different types of SSRF attacks are, how it works, how to hack the C2 server using SSRF, and the mitigation measures.

We found a link to an endpoint in the login page and used SSRF to gain access.

Click here to see the tutorial.


TRYHACKME'S ADVENT OF CYBER 2023 ( DAY 21 )


Day 21 - "Yule be Poisoned: A Pipeline of Insecure Code!"

The learning objectives for day 21 were:

  • Understand how a larger CI/CD environment operates.
  • Explore indirect poisoned pipeline execution (PPE) and how it can be used to exploit Git.
  • Apply CI/CD exploitation knowledge to the larger CI/CD environment.

In this task we poisoned the pipeline and had to find certain information. We did this by cloning the repository and, since the repository containing the source was not write-protected, modifying the pipeline file to execute the commands that gave us the required information.

Click here to see the tutorial.


TRYHACKME'S ADVENT OF CYBER 2023 ( DAY 20 )

Day 20 - "Advent of Frostlings"


The learning objectives for day 20 were:

  • Learn about poisoned pipeline execution.
  • Understand how to secure CI/CD pipelines.
  • Get an introduction to secure software development lifecycles (SSDLC) & DevSecOps.
  • Learn about CI/CD best practices.

In this task we were briefed on topics like GitLab, SDLC concepts, DevSecOps and CI/CD. On exploring we found an endpoint that was defaced; we identified who did this, found the original merge for the endpoint and restored it.

Click here to see the tutorial.

TRYHACKME'S ADVENT OF CYBER 2023 ( DAY 19 )

Day 19 — “CrypTOYminers Sing Volala-lala-latility”

The learning objectives for day 19 were:

  • Understand what memory forensics is and how to use it in a digital forensics investigation
  • Understand what volatile data and memory dumps are
  • Learn about Volatility and how it can be used to analyse a memory dump
  • Learn about Volatility profiles

In this task we learned to use a forensic command-line tool called Volatility, which lets digital forensics and incident response teams analyse a memory dump in order to perform memory analysis. Volatility is written in Python. We created a profile and performed memory analysis; in the process we also learned to use some plugins to find the running processes, extract a binary for examination of the process, and extract files.

Click here to see the tutorial.

TRYHACKME'S ADVENT OF CYBER 2023 ( DAY 18 )


Day 18 - "A Gift That Keeps on Giving"

The learning objectives for day 18 were:

  • Identify the CPU and memory usage of processes in Linux.
  • Kill unwanted processes in Linux.
  • Find ways a process can persist beyond termination.
  • Remove persistent processes permanently.

We were provided with a machine that had a malicious process running; our task was to identify and kill this process.

We used the top command to check the system processes and noticed there was one process using 100% of the CPU. We killed the malicious process, but it somehow managed to respawn on a different PID. Then we checked the cron jobs of the user and the root user, but we couldn't find anything there. So we used the systemctl command to see all the running services; here we found a suspicious service, and on further investigation we confirmed it was the malicious process. We then stopped the service using the systemctl command, disabled the service and deleted it from the file system.

Click here to see the tutorial.

Sunday, December 17, 2023

TRYHACKME'S ADVENT OF CYBER 2023 (Day 17)


Day 17 — “I Tawt I Taw A C2 Tat!”

The learning objectives for day 17 were:

  • Gain knowledge of the network traffic data format
  • Understand the differences between full packet captures and network flows
  • Learn how to process network flow data
  • Discover the SiLK tool suite
  • Gain hands-on experience in network flow analysis with SiLK

In this task we had to find the attacker’s IP address by analysing the network traffic using the SiLK suite. While analysing we noticed that there was a high traffic volume on port 53; using the stats we found out where the majority of the traffic came from, then we filtered all records that use port 53 and found that 99% of the traffic was coming from just 2 IPs. Then we saw there were over 10 DNS requests in less than a second. On further investigation we found that the IP was sending a series of SYN packets but did not respond with an ACK packet when a SYN-ACK packet was sent. So we concluded this was a DoS attack.
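The three checks described above (top talkers on port 53, a burst of DNS requests within one second, and TCP flows that carry SYN but never ACK) can be expressed as plain Python over flow records. This is an added example, not part of the original post or of the SiLK suite; the flow tuples are constructed here in the spirit of rwcut output, not real capture data.

```python
from collections import Counter

# Constructed flow records (not real capture data), one tuple per flow:
# (src_ip, dst_ip, dst_port, proto, tcp_flags, start_time_seconds)
FLOWS = []
# 40 DNS queries from one host, all within the same second (burst)
FLOWS += [("10.0.0.5", "192.168.1.10", 53, "udp", "", 100.0 + i / 100) for i in range(40)]
# a normal DNS client: two queries several seconds apart
FLOWS += [("10.0.0.7", "192.168.1.10", 53, "udp", "", 100.0),
          ("10.0.0.7", "192.168.1.10", 53, "udp", "", 105.0)]
# SYN-only TCP flows from the same noisy host: SYN sent, handshake never completed
FLOWS += [("10.0.0.5", "192.168.1.20", 80, "tcp", "S", 110.0 + i) for i in range(5)]
# an ordinary completed connection (SYN, ACK, PSH, FIN all seen)
FLOWS += [("10.0.0.9", "192.168.1.20", 80, "tcp", "SAPF", 112.0)]


def top_talkers(flows, port):
    """Share of flows to `port` per source IP, like rwstats grouped by sIP."""
    hits = Counter(f[0] for f in flows if f[2] == port)
    total = sum(hits.values())
    return {ip: n / total for ip, n in hits.items()} if total else {}


def burst_sources(flows, port, max_per_second):
    """Source IPs that send more than `max_per_second` flows to `port` inside one second."""
    buckets = Counter((f[0], int(f[5])) for f in flows if f[2] == port)
    return sorted({ip for (ip, _sec), n in buckets.items() if n > max_per_second})


def half_open_sources(flows, min_syn_only):
    """Sources with at least `min_syn_only` TCP flows that carry SYN but no ACK:
    the half-open pattern left behind by a SYN flood."""
    syn_only = Counter(f[0] for f in flows
                       if f[3] == "tcp" and "S" in f[4] and "A" not in f[4])
    return sorted(ip for ip, n in syn_only.items() if n >= min_syn_only)


if __name__ == "__main__":
    for ip, share in sorted(top_talkers(FLOWS, 53).items(), key=lambda kv: -kv[1]):
        print(f"port 53 share {ip}: {share:.1%}")
    print("DNS burst sources:", burst_sources(FLOWS, 53, 10))
    print("half-open (SYN without ACK) sources:", half_open_sources(FLOWS, 3))
```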

Click here to see the walkthrough.

TRYHACKME'S ADVENT OF CYBER 2023 (Day 16)


Day 16 — “Can’t CAPTCHA this Machine!”

The learning objectives for day 16 were:

  • Complex neural network structures
  • How do convolutional neural networks function?
  • Using neural networks for optical character recognition
  • Integrating neural networks into red team tooling

In this task we learned to build a custom brute-force script that makes use of ML to solve the CAPTCHA and continue a brute-force attack. We were provided with a script to perform the brute force and a trained CNN model.

Convolutional Neural Networks are incredible ML structures that have the ability to extract features that can be used to train a neural network. In the previous task, we used the garbage-in, garbage-out principle to explain the importance of our inputs having good features. This ensures that the output from the neural network is accurate. But what if we could actually have the neural network select the important features itself? This is where CNNs come into play!

In essence, CNNs are normal neural networks that simply have the feature-extraction process as part of the network itself. This time, we’re not just using maths but combining it with linear algebra. Again, we won’t dive too deep into the maths here to keep things simple.

We can divide our CNN into three main components:

  • Feature extraction
  • Fully connected layers
  • Classification

In order to crack CAPTCHAs, we will have to go through the following steps:

  • Gather CAPTCHAs so we can create labelled data
  • Label the CAPTCHAs to use in a supervised learning model
  • Train our CAPTCHA-cracking CNN
  • Verify and test our CAPTCHA-cracking CNN
  • Export and host the trained model so we can feed it CAPTCHAs to solve
  • Create and execute a brute force script that will receive the CAPTCHA, pass it on to be solved, and then run the brute force attack

Click here to see the walkthrough.

TRYHACKME'S ADVENT OF CYBER 2023 (Day 15)


Day 15 - "Jingle Bell SPAM: Machine Learning Saves the Day!"

The learning objectives for day 15 were:

  • Different steps in a generic Machine Learning pipeline
  • Machine Learning classification and training models
  • How to split the dataset into training and testing data
  • How to prepare the Machine Learning model
  • How to evaluate the model’s effectiveness

In this task we were tasked with building a spam email detector using machine learning, and we were provided with a dataset. We used Jupyter Notebook; first we started by importing the required libraries and reading our dataset as a dataframe using the pandas library. Since ML models understand numbers, not text, we used the CountVectorizer class from the scikit-learn library in Python, then we split the given dataset into training and testing data. After training our model we used Naive Bayes classification to evaluate our model.
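The same pipeline (text to word counts, train/test split, Naive Bayes, accuracy) written out by hand so each step is visible; this is an added example, not the post’s notebook or the TryHackMe dataset, and it stands in for CountVectorizer and MultinomialNB with a small pure-Python implementation over a constructed set of labelled messages.

```python
import math
import random
import re
from collections import Counter

# Constructed labelled messages (not the TryHackMe dataset)
DATA = [
    ("win a free prize now click here", "spam"),
    ("free cash offer claim your prize today", "spam"),
    ("urgent winner claim free gift card", "spam"),
    ("click here for free money now", "spam"),
    ("congratulations you won a prize claim now", "spam"),
    ("free ringtone offer text win now", "spam"),
    ("are we still meeting for lunch tomorrow", "ham"),
    ("can you send me the report before the meeting", "ham"),
    ("thanks for the update see you at the office", "ham"),
    ("the project deadline moved to friday", "ham"),
    ("let me know when you get home", "ham"),
    ("meeting notes attached please review", "ham"),
]

def tokenize(text):
    """Lower-case word tokens: the bag-of-words step CountVectorizer performs."""
    return re.findall(r"[a-z0-9]+", text.lower())

def split(rows, test_ratio=0.25, seed=1):
    """Shuffle with a fixed seed and cut into (train, test), like train_test_split."""
    rows = rows[:]
    random.Random(seed).shuffle(rows)
    cut = int(len(rows) * (1 - test_ratio))
    return rows[:cut], rows[cut:]

def train(rows):
    """Multinomial Naive Bayes: per-label word counts plus label priors."""
    labels = Counter(label for _, label in rows)
    words = {label: Counter() for label in labels}
    for text, label in rows:
        words[label].update(tokenize(text))
    vocab = {w for c in words.values() for w in c}
    return {"labels": labels, "words": words, "vocab": vocab, "n": len(rows)}

def predict(model, text):
    """Label with the highest log posterior; add-one smoothing handles unseen words."""
    best, best_score = None, -math.inf
    for label, n_label in model["labels"].items():
        score = math.log(n_label / model["n"])
        total = sum(model["words"][label].values())
        for w in tokenize(text):
            score += math.log((model["words"][label][w] + 1) / (total + len(model["vocab"])))
        if score > best_score:
            best, best_score = label, score
    return best

def accuracy(model, rows):
    """Fraction of rows whose predicted label matches the given label."""
    return sum(predict(model, t) == label for t, label in rows) / len(rows)
```

Calling `split(DATA)` followed by `train` on the first part and `accuracy` on the second reproduces the notebook’s hold-out evaluation.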

Click here to see the walkthrough.

TRYHACKME'S ADVENT OF CYBER 2023 (Day 14)


Day 14 — “The Little Machine That Wanted to Learn”

The learning objectives for day 14 were:

  • What is machine learning?
  • Basic machine learning structures and algorithms
  • Using neural networks to predict defective toys

This time we had to make our own neural network that could be used to detect defective toys. For this task we were provided with a script to build our neural network, and training and testing datasets.

We started by learning about genetic algorithms, particle swarm, neural networks, and then we moved on to the machine learning styles: supervised and unsupervised. Then we were taught about the basic structure of neural networks, the feed-forward loop, back-propagation and dataset splits: how to create the training and testing datasets from a given dataset, normalising the data, training the neural network and validating it.

We also learned about the cybersecurity applications of machine learning, and the importance of taking caution.

Click here to see the walkthrough.

TRYHACKME'S ADVENT OF CYBER 2023 (Day 13)


Day 13 — “To the Pots, Through the Walls”

The learning objectives for day 13 were:

  • Learn to understand incident analysis through the Diamond Model.
  • Identify defensive strategies that can be applied to the Diamond Model.
  • Learn to set up firewall rules and a honeypot as defensive strategies.

In this task we had to change the firewall rules to expose the website to the public and obtain the flag. Here we learned about the default firewall configuration tool available on Ubuntu hosts; we had to enable ufw and configure it to allow and deny traffic from ports and IPs as per the requirements. Later, we were also tasked with creating our very own honeypot using the PenTbox tool.

Earlier we were briefed about types of attacks, firewalls, types of firewalls, the defensive Diamond Model, honeypots and their importance.

Two key elements of the defensive Diamond Model are threat hunting and vulnerability management.

A honeypot is a cyber security mechanism — a masterful deception. It presents itself as an alluring target to the adversaries, drawing them away from the true prizes. Honeypots come in various forms: software applications, servers, or entire networks. They are designed to mimic legitimate targets, yet they are under the watchful control of the defender. For the Best Festival Company, envision a honeypot masquerading as Santa’s website — a perfect replica of the real one.

Click here to see the walkthrough.

TRYHACKME'S ADVENT OF CYBER 2023 (Day 12)


Day 12 — “Sleighing Threats, One Layer at a Time”

The learning objectives for day 12 were:

  • Defence in Depth
  • Basic Endpoint Hardening
  • Simple Boot2Root Methodology

In this task we were provided with a vulnerable web server which contained misconfigurations and poorly implemented security practices; we had to figure out the vulnerable areas and harden the web server.

We found a place in the website where we could execute commands. Making use of this, we executed a script to get a reverse shell connection to our attack machine. Once we got in we noticed that there was a user who had complete access, so with this account we got root access. Then we removed the user from the sudoers group, went to the SSH config file and disabled it. Then we found the original backup configuration file the administrator had left before implementing this one, and we replaced the original backup file with the vulnerable one. By doing this we got a login page, and we had to answer a few questions about it.

Click here to see the walkthrough.

Tuesday, December 12, 2023

TRYHACKME'S ADVENT OF CYBER 2023 (Day 11)

Day 11 - "Jingle Bells, Shadow Spells"


The learning objectives of day 11 were:

  • Understanding Active Directory
  • Introduction to Windows Hello for Business
  • Prerequisites for exploiting GenericWrite privilege
  • How the Shadow Credentials attack works
  • How to exploit the vulnerability

In this task we were provided with access to a user account on AD and we had to answer the questions after exploiting the vulnerability found.

We were briefed on Active Directory, Windows Hello for Business and the authentication process, how to enumerate for misconfigurations, how to abuse the vulnerable privilege, how to generate the certificate required for impersonation, and the pass-the-hash attack.

So we started by enumerating the privileges for our user and found that our user had GenericWrite access over another user. Then we used a tool called Whisker to get the certificate for impersonating the vulnerable user. After getting the certificate we used another tool called Rubeus to get the TGT by providing the certificate we generated earlier. This gave us the NTLM hash, and we performed a pass-the-hash attack using Evil-WinRM.

Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

Whisker, a C# utility created by Elad Shamir, is one helpful tool for abusing the vulnerable privilege.

Rubeus is a C# toolset designed for direct Kerberos interaction and exploitation, developed by SpecterOps.

Evil-WinRM is a tool for remotely managing Windows systems that abuses the Windows Remote Management (WinRM) protocol.

Click here to see the walkthrough.
