Blog ini non-partisan dan terbuka kepada semua tanpa mengira fahaman politik. Emel atau MMS ucapan / rayuan / keluhan / pengumuman anda ke tamanperpaduan.terusblog@blogger.com untuk tulisan anda tersiar di blog ini serta merta. Gambar juga boleh disertakan dan tertakluk kepada syarat.
Posting tidak sepatutnya akan dinyahsiarkan.

Jumaat, 12 Jun 2020

WHAT IS ETHICAL HACKING

What is ethical hacking?

Ethical hacking is identifying weakness in computer system and/or computer networks and coming with countermeasures that protect the weakness.

Ethical hackers must abide by the following rules-
1-Get written permission from the owner of the computer system and/or computer network before  hacking.
2-Protect the privacy of the organisation been hacked etc.

Ethical Hacking and Ethical Hacker are terms used to describe hacking performed by a company or individual to help identity potential threats on a computer or network.
 

An Ethical Hacker attempts to byepass system security and search for any weak point that could be exploited by Malicious Hackers.
More information

Security Onion - Linux Distro For IDS, NSM, And Log Management


Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security-onion project
This repo contains the ISO image, Wiki, and Roadmap for Security Onion.

Looking for documentation?
Please proceed to the Wiki.

Screenshots








Related posts

  1. Pentest Keys
  2. Pentest Free
  3. Pentest Vpn
  4. Pentest Practice Sites
  5. Pentest Vs Red Team
  6. Pentest Bootcamp
  7. Hacking Groups
  8. Pentest Methodology
  9. Pentest Book

Khamis, 11 Jun 2020

How To Hack Any Whatsapp Account In 2020

The article will also be broken down into different subtopics and subcategories. This to make it easy for those who are just interested in skimming through the article to pick the part of WhatsApp hack they are most interested in. Just incase you don't have enough time to go through the entire article.

Search queries like these are a common place; Can WhatsApp be hacked? Can you read WhatsApp messages? How safe is the most popular trade fair in the world? This article gives you all the solution you need to hack any WhatsApp account, as well as how to protect yourself from a WhatsApp hack attack.

Although the messenger is now on an end-to-end encryption, WhatsApp is still not totally safe from espionage. WhatsApp chats and messages can still be accessed and read remotely, and old &deleted WhatsApp chats and messages retrieved.

WhatsApp Spy: Hack WhatsApp Chats and Messages

A very simple solution is to use a software that can hack WhatsApp remotely. All manufacturers offer to read the WhatsApp messages an extra web portal. In addition to the Whatsapp messages but can also spy on other messengers. So you can also have access to social media accounts.

The software may only be installed on a smartphone. If the user of the smartphone has been informed about the installation and effects.

WhatsApp Hacker: 3 Steps to Hack WhatsApp in 2020

You can hack Whatsapp using a second cell phone. No extra SIM card is necessary for this. The guide also works with a tablet. With this method, the other phone only needs to clone WhatsApp messages is internet connection.

The trick to hack Whatsapp successfully is not a software bug. It's the way WhatsApp has developed the setup wizard. Since there are no user accounts with passwords and you log in via the mobile number, here lies the vulnerability. But you can also protect yourself from the Whatsapp hack.

Hack WhatsApp Chat with the Best WhatsApp Hacking Tool

To read Whatsapp messages, the mobile phone number of the target must be known. The cell phone can remain locked. There is no need to install software to hack and read Whatsapp messages. Even with the PIN or fingerprint, the Whatsapp account can be hacked.

STEP 1: Create a New WhatsApp Account

To hack an account from Whatsapp, the app from the App Store must be installed on the second cell phone. After the installation of Whatsapp, target's phone number is entered. A confirmation request must be waited until access to the smartphone of the victim exists.

STEP 2: WhatsApp Account Confirmation

The confirmation of the Whatsapp account is the actual security risk of the messenger. Whatsapp usually confirms the registration via SMS. Occasionally the confirmation will also be sent by automated phone call via a phone call.

Calls and text messages can be read and taken by anyone even when the screen is locked. So that the WhatsApp hack does not stand out, the SMS must be removed from the start screen by swiping.

STEP 3: Enter Confirmation

The stolen verification PIN is now entered on the second smartphone. As a result, the WhatsApp account has been taken over by you. You can read the WhatsApp messages, which respond to this mobile phone number.

The downside to this trick is that the victim immediately notices the Whatsapp hack as soon as Whatsapp is opened. If the victim goes through the sign-in process again. The attacker loses access to the messages and no Whatsapp messages can be read.

How to Hack Someone's WhatsApp in 2020

A good way to hack a WhatsApp account is to hack whatsapp online. Here you can read WhatsApp messages via a browser and also write. The target user can continue to use his cell phone (works for iOS, Android phone etc) and does not notice the WhatsApp hack.

STEP 1: Access the Cell Phone

In order to be able to read WhatsApp messages by installing software. Access to the unlocked smartphone is required for a short time. In addition, cell phone, a computer or laptop is necessary. On this the Whatsapp messages will be read later.

STEP 2: Access WhatsApp Web

If you have access to the unlocked smartphone, Whatsapp must be started there. The Whatsapp settings include Whatsapp Web . If this is selected, Whatsapp opens a QR code scanner with the hint to open WhatsApp Web in the browser.

If the QR code is scanned in the browser with the smartphone. There is a permanent connection and Whatsapp messages can be read. If you want to hack Whatsapp in this way. You have full access to all incoming messages and you can even write messages yourself.

STEP 3: Read WhatsApp Messages

The target usually sees this Whatsapp hack only when the settings are invoked to Whatsapp Web in the app. Whatsapp messages can be read via the browser. Regardless of whether the smartphone is on home Wi-Fi or on the move. You can also hack group chats admin by just having any of the contact details.

WhatsApp Hack: How to Hack any WhatsApp account

Which is the most popular messaging app globally? Of course, you can use different apps from Android or iOS to send and receive messages. But Whatsapp remains everyone's favorite globally!

Whatsapp is one of the popular apps in the world. There are more than 2 billion active users on Whatsapp, messaging daily with the app. Why do people love WhatsApp? Whatsapp is very convenient and easy to use.

Other messaging apps like Facebook Messenger, still needs a special account to sign up for this app. If you change a new app, you'll need to add another account. This can be stressful, as you have to remember a lot of new passwords and usernames.

HACKER NT

Related news


How To Build A "Burner Device" For DEF CON In One Easy Step

TL;DR: Don't build a burner device. Probably this is not the risk you are looking for.

Introduction

Every year before DEF CON people starts to give advice to attendees to bring "burner devices" to DEF CON. Some people also start to create long lists on how to build burner devices, especially laptops. But the deeper we look into the topic, the more confusing it gets. Why are we doing this? Why are we recommending this? Are we focusing on the right things?

What is a "burner device" used for?

For starters, the whole "burner device" concept is totally misunderstood, even within the ITSEC community. A "burner device" is used for non-attribution. You know, for example, you are a spy and you don't want the country where you live to know that you are communicating with someone else. I believe this is not the situation for most attendees at DEF CON. More info about the meaning of "burner" https://twitter.com/Viss/status/877400669669306369

Burner phone means it has a throwaway SIM card with a throwaway phone, used for one specific operation only. You don't use the "burner device" to log in to your e-mail account or to VPN to your work or home.
But let's forget this word misuse issue for a moment, and focus on the real problem.

The bad advice

The Internet is full of articles focusing on the wrong things, especially when it comes to "burner devices". Like how to build a burner laptop, without explaining why you need it or how to use it.
The problem with this approach is that people end up "burning" (lame wordplay, sorry) significant resources for building a secure "burner device". But people are not educated about how they should use these devices.

The threats

I believe the followings are some real threats which are higher when you travel:
1. The laptop getting lost or stolen.
2. The laptop getting inspected/copied at the border.

These two risks have nothing to do with DEF CON, this is true for every travel.

Some other risks which are usually mentioned when it comes to "burner devices" and DEF CON:
3. Device getting owned via physical access while in a hotel room.
4. Network traffic Man-in-the-middle attacked. Your password displayed on a Wall of Sheep. Or having fun with Shellshock with DHCP. Information leak of NTLM hashes or similar.
5. Pwning the device via some nasty things like WiFi/TCP/Bluetooth/LTE/3G/GSM stack. These are unicorn attacks.

6. Pwning your device by pwning a service on your device. Like leaving your upload.php file in the root folder you use at CTFs and Nginx is set to autostart. The author of this article cannot comment on this incident whether it happened in real life or is just an imaginary example. 

How to mitigate these risks? 

Laptop getting stolen/lost/inspected at the border?
1. Bring a cheap, empty device with you. Or set up a fake OS/fake account to log in if you really need your day-to-day laptop. This dummy account should not decrypt the real files in the real account.

Device getting owned while in a hotel room with physical access

1. Don't bring any device with you.
2. If you bring any, make it tamper-resistant. How to do that depends on your enemy, but you can start by using nail glitter and Full Disk Encryption. Tools like Do Not Disturb help. It also helps if your OS supports suspending DMA devices before the user logs in.
3. If you can't make the device tamper-resistant, use a device that has a good defense against physical attackers, like iOS.
4. Probably you are not that important anyway that anyone will spend time and resources on you. If they do, probably you will only make your life miserable with all the hardening, but still, get pwned.

Network traffic Man-in-the-middle attacked

1. Don't bring any device with you.
2. Use services that are protected against MiTM. Like TLS.
3. Update your OS to the latest and greatest versions. Not everyone at DEF CON has a 0dayz worth of 100K USD, and even the ones who have won't waste it on you. 
4. Use fail-safe VPN. Unfortunately, not many people talk about this or have proper solutions for the most popular operating systems.
5. For specific attacks like Responder, disable LLMNR, NBT-NS, WPAD, and IPv6 and use a non-work account on the machine. If you don't have the privileges to do so on your machine, you probably should not bring this device with you. Or ask your local IT to disable these services and set up a new account for you.

Pwning the device via some nasty thing like WiFi/TCP/Bluetooth/LTE/3G/GSM stack

1. Don't bring any device with you.
2. If you bring any, do not use this device to log in to work, personal email, social media, etc.
3. Don't worry, these things don't happen very often. 

Pwning your device by pwning a service on your device

Just set up a firewall profile where all services are hidden from the outside. You rarely need any service accessible on your device at a hacker conference.

Conclusion

If you are still so afraid to go there, just don't go there. Watch the talks at home. But how is the hotel WiFi at a random place different from a hacker conference? Turns out, it is not much different, so you better spend time and resources on hardening your daily work devices for 365 days, instead of building a "burner device".

You probably need a "burner device" if you are a spy for a foreign government. Or you are the head of a criminal organization. Otherwise, you don't need a burner device. Maybe you need to bring a cheap replacement device.
Continue reading

Selasa, 9 Jun 2020

Printer Security


Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medical, or education institution.

From a security point of view, these machines are quite interesting since they are located in internal networks and have direct access to sensitive information like confidential reports, contracts or patient recipes.


TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET
Full results are available in the master thesis of Jens Müller and our paper.
Furthermore, we have set up a wiki (http://hacking-printers.net/) to share knowledge on printer (in)security.
The highlights of the entire survey will be presented by Jens Müller for the first time at RuhrSec in Bochum.

Background


There are many cool protocols and languages you can use to control your printer or your print jobs. We assume you have never heard of at least half of them. An overview is depicted in the following figure and described below.

 

Device control

This set of languages is used to control the printer device. With a device control language it is possible to retrieve the printer name or status. One of the most common languages is the Simple Network Management Protocol (SNMP). SNMP is a UDP based protocol designed to manage various network components beyond printers as well, e.g. routers and servers.

Printing channel

The most common network printing protocols supported by printer devices are the Internet Printing Protocol (IPP), Line Printer Daemon (LPD), Server Message Block (SMB), and raw port 9100 printing. Each protocol has specific features like print job queue management or accounting. In our work, we used these protocols to transport malicious documents to the printers.

 

Job control language

This is where it gets very interesting (for our attacks). A job control language manages printer settings like output trays or paper size. A de-facto standard for print job control is PJL. From a security perspective it is very useful that PJL is not limited to the current print job as some settings can be made permanent. It can further be used to change the printer's display or read/write files on the device.

 

Page description language

A page description language specifies the appearance of the actual document. One of the most common 'standard' page description languages is PostScript. While PostScript has lost popularity in desktop publishing and as a document exchange format (we use PDF now), it is still the preferred page description language for laser printers. PostScript is a stack-based, Turing-complete programming language consisting of about 400 instructions/operators. As a security aware researcher you probable know that some of them could be useful. Technically spoken, access to a PostScript interpreter can already be classified as code execution.

 

Attacks


Even though printers are an important attack target, security threats and scenarios for printers are discussed in very few research papers or technical reports. Our first step was therefore to perform a comprehensive analysis of all reported and published attacks in CVEs and security blogs. We then used this summary to systematize the known issues, to develop new attacks and to find a generic approach to apply them to different printers. We estimated that the best targets are the PostScript and PJL interpreters processing the actual print jobs since they can be exploited by a remote attacker with only the ability to 'print' documents, independent of the printing channel supported by the device.
We put the printer attacks into four categories.

 

Denial-of-service (DoS)

Executing a DoS attack is as simple as sending these two lines of PostScript code to the printer which lead to the execution of an infinite loop:

Denial-of-service%!
{} loop


Other attacks include:
  • Offline mode. The PJL standard defines the OPMSG command which 'prompts the printer to display a specified message and go offline'.
  • Physical damage. By continuously setting the long-term values for PJL variables, it is possible to physically destroy the printer's NVRAM which only survives a limited number of write cycles.
  • Showpage redefinition. The PostScript 'showpage' operator is used in every document to print the page. An attacker can simply redefine this operator to do nothing.

Protection Bypass

Resetting a printer device to factory defaults is the best method to bypass protection mechanisms. This task is trivial for an attacker with local access to the printer, since all tested devices have documented procedures to perform a cold reset by pressing certain key combinations.
However, a factory reset can be performed also by a remote attacker, for example using SNMP if the device complies with RFC1759 (Printer MIB):

Protection Bypass# snmpset -v1 -c public [printer] 1.3.6.1.2.1.43.5.1.1.3.1 i 6
Other languages like HP's PML, Kyocera's PRESCRIBE or even PostScript offer similar functionalities.

Furthermore, our work shows techniques to bypass print job accounting on popular print servers like CUPS or LPRng.

Print Job Manipulation

Some page description languages allow permanent modifications of themselves which leads to interesting attacks, like manipulating other users' print jobs. For example, it is possible to overlay arbitrary graphics on all further documents to be printed or even to replace text in them by redefining the 'showpage' and 'show' PostScript operators.

Information Disclosure

Printing over port 9100 provides a bidirectional channel, which can be used to leak sensitive information. For example, Brother based printers have a documented feature to read from or write to a certain NVRAM address using PJL:

Information Disclosure@PJL RNVRAM ADDRESS = X
Our prototype implementation simply increments this value to dump the whole NVRAM, which contains passwords for the printer itself but also for user-defined POP3/SMTP as well as for FTP and Active Directory profiles. This way an attacker can escalate her way into a network, using the printer device as a starting point.
Other attacks include:
  • File system access. Both, the standards for PostScript and PJL specify functionality to access the printers file system. As it seems, some manufacturers have not limited this feature to a certain directory, which leads to the disclosure of sensitive information like passwords.
  • Print job capture. If PostScript is used as a printer driver, printed documents can be captured. This is made possible by two interesting features of the PostScript language: First, permanently redefining operators allows an attacker to 'hook' into other users' print jobs and secondly, PostScript's capability to read its own code as data allows to easily store documents instead of executing them.

  • Credential disclosure. PJL passwords, if set, can easily retrieved through brute-force attacks due to their limited key space (1..65535). PostScript passwords, on the other hand, can be cracked extremely fast (up to 100,000 password verifications per second) thanks to the performant PostScript interpreters.

PRET

To automate the introduced attacks, we wrote a prototype software entitled PRET. The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, by entering a UNIX-like command PRET translates it to PostScript or PJL, sends it to the printer, and evaluates the result. For example, PRET converts a UNIX command ls to the following PJL request:


Information Disclosure@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535
It then collects the printer output and translates it to a user friendly output.

PRET implements the following list of commands for file system access on a printer device:

Evaluation

As a highly motivated security researcher with a deep understanding of systematic analysis, you would probably obtain a list of about 20 - 30 well-used printers from the most important manufacturers, and perform an extensive security analysis using these printers.
However, this was not our case. To overcome the financial obstacles, we collected printers from various university chairs and facilities. While our actual goal was to assemble a pool of printers containing at least one model for each of the top ten manufacturers, we practically took what we could get. The result is depicted in the following figure:
The assembled devices were not brand-new anymore and some of them were not even completely functional. Three printers had physically broken printing functionality so it was not possible to evaluate all the presented attacks. Nevertheless, these devices represent a good mix of printers used in a typical university or office environment.
Before performing the attacks, we of course installed the newest firmware on each of the devices. The results of our evaluation show that we could find multiple attacks against each printer. For example, simple DoS attacks with malicious PostScript files containing infinite loops are applicable to each printer. Only the HP LaserJet M2727nf had a watchdog mechanism and restarted itself after about ten minutes. Physical damage could be caused to about half of the tested device within 24 hours of NVRAM stressing. For a majority of devices, print jobs could be manipulated or captured.
PostScript, PJL and PML based attacks can even be exploited by a web attacker using advanced cross-site printing techniques. In the scope of our research, we discovered a novel approach – 'CORS spoofing' – to leak information like captured print jobs from a printer device given only a victim's browser as carrier.
A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at http://hacking-printers.net/xsp/.

Our next post will be on adapting PostScript based attacks to websites.

Authors of this Post

Jens Müller
Juraj Somorovsky
Vladislav Mladenov

Continue reading
  1. Pentest Devices
  2. Pentest Owasp Top 10
  3. Hacking Forums
  4. Hacker Anonymous
  5. Hacking Programs
  6. Pentest Process
  7. Pentest Tools For Windows
  8. Hacker Attack

The RastaLabs Experience

Introduction


It was 20 November, and I was just starting to wonder what I would do during the next month. I had already left my previous job, and the new one would only start in January. Playing with PS4 all month might sound fun for some people, but I knew I would get bored quickly.

Even though I have some limited red teaming experience, I always felt that I wanted to explore the excitement of getting Domain Admin – again. I got my first DA in ˜2010 using pass-the-hash, but that was a loooong time ago, and things change quickly.
While reading the backlogs of one of the many Slack rooms, I noticed that certain chat rooms were praising RastaLabs. Looking at the lab description, I felt "this is it, this is exactly what I need." How hard could it be, I have a whole month ahead of me, surely I will finish it before Christmas. Boy, was I wrong.



The one-time fee of starting the lab is 90 GBP which includes the first month, then every additional month costs 20 GBP. I felt like I was stealing money from Rastamouse and Hackthebox... How can it be so cheap? Sometimes cheap indicates low quality, but not in this case.



My experience


Regarding my previous experience, I already took OSCP, OSCE, SLAE (Securitytube Linux Assembly Expert), and PSP (Powershell for Pentesters), all of which helped me a lot during the lab. I also had some limited red teaming experience. I had more-than-average experience with AV evasion, and I already had experience with the new post-exploit frameworks like Covenant and Powershell Empire. As for writing exploits, I knew how a buffer overflow or a format string attack worked, but I lacked practice in bypassing ASLR and NX. I basically had zero experience with Mimikatz on Windows 10. I used Mimikatz back in 2012, but probably not since. I also had a lot of knowledge on how to do X and Y, on useful tools and hot techniques, but I lacked recent experience with them. Finally, I am usually the last when it comes to speed in hacking, but I have always balanced my lack of speed with perseverance.

RastaLabs starts in 3,2,1 ...


So I paid the initial entry fee, got the VPN connection pack, connected to the lab, and got my first flag after ... 4 days. And there were 17 of them in total. This was the first time I started to worry. I did everything to keep myself on the wrong track, stupid things like assuming incorrect lab network addresses, scanning too few machines, finding the incorrect breadcrumbs via OSINT, trying to exploit a patched web service (as most OSCPers would do), etc. I was also continually struggling with the tools I was using, as I never knew whether they were buggy, or I was misusing them, or this is just not the way to get the flag. I am sure someone with luck and experience could have done this stage in 2-3 hours, but hey, I was there to gain experience.

During the lab, whenever I got stuck with the same problem for more than 30-40 hours and my frustration was running high, I pinged Rastamouse on the official RastaLabs support channel on https://mm.netsecfocus.com/. I usually approached him like "Hi, I tried X, Y, and Z but no luck", then he replied "yeah, try Y harder". This kind of information was usually all I needed, and 2-3 hours later I was back on track again. His help was always enough, but never too much to spoil the fun. The availability and professionalism of Rastamouse was 10/10. Huge multi-billion dollar companies fail to provide good enough support, this one guy here was always there to help. Amazing. I highly recommend joining the Mattermost channel – it will help you a lot to see that you are not the only one stuck with problems. But please do not DM him or the channel if you have not already tried harder.

What's really lovely in the lab is that you can expect real-world scenarios with "RastaLabs employees" working on their computer, reading emails, browsing the web, etc. I believe it is not a spoiler here that at some point in time you have to deliver malware that evades the MS Defender AV on the machine. Yes, there is a real working Defender on the machines, and although it is a bit out of date, it might catch your default payload very quickly. As I previously mentioned, luckily I had recent experience with AV evasion, so this part was not new to me. I highly recommend setting up your own Win10 with the latest Defender updates and testing your payload on it first. If it works there, it will work in the lab. This part can be especially frustrating, because the only feedback you get from the lab is that nothing is happening, and there is no way to debug it. Test your solution locally first.

Powershell Empire turned out to be an excellent solution for me, the only functionality it lacked was Port Forwarding. But you can drop other tools to do this job efficiently.

A little help: even if you manage to deliver your payload and you have a working C&C, it does not mean your task with AV evasion is over. It is highly probable that Defender will block your post-exploit codes. To bypass this, read all the blog posts from Rastamouse about AMSI bypass. This is important.

Lateral movement


When you finally get your first shell back ...



A whole new world starts. From now on, you will spend significant time on password cracking, lateral movement, persistence, and figuring out how Windows AD works.
In the past, I played a lot of CTF, and from time to time I got the feeling "yeah, even though this challenge was fun, it was not realistic". This never happened during RastaLabs. All the challenges and solutions were 100% realistic, and as the "Ars poetica" of RastaLabs states:



...which is sooooo true. None of the tasks involve any exploit of any CVE. You need a different mindset for this lab. You need to think about misconfigurations, crackable passwords, privilege abuse, and similar issues. But I believe this lab is still harder to own than 90% of the organizations out there. The only help is that there are no blue-teamers killing our shells.

About the architecture of the lab: When connecting to the lab with VPN, you basically found yourself in a network you might label as "Internet", with your target network being behind a firewall, just as a proper corporate network should be.
There are a bunch of workstations – Win10 only, and some servers like fileserver, exchange, DC, SQL server, etc. The majority of servers are Windows Server 2016, and there is one Linux server. The two sites are adequately separated and firewalled.

As time passed, I was getting more and more flags, and I started to feel the power. Then the rollercoaster experience started. I was useless, I knew nothing. Getting the flag, I was god. One hour later, I was useless.



For example, I spent a significant amount of time trying to get GUI access to the workstations. In the end, I managed to get that, just to find out I did not achieve anything with it. For unknown reasons, none of the frameworks I tried had a working VNC, so I set up my own, and it was pain.

On December 18, I finally got Domain Admin privileges. So my estimation to "finish the lab" in one month was not that far off. Except that I was far from finishing it, as I still had to find five other flags I was missing. You might ask "you already have DA, how hard could it be to find the remaining five?". Spoiler alert, it was hard. Or to be more precise, not hard, just challenging, and time-consuming. This was also a time when connections on Mattermost RastaLabs channel helped me a lot. Hints like "flag X is on machine Y" helped me keep motivated, yet it did not spoil the fun. Without hints like this, I would not have written this post but would have been stuck with multiple flags.

About exploitation


And there was the infamous challenge, "ROP the night away." This was totally different from the other 16. I believe this image explains it all:


If you are not friends with GDB, well, you will have a hard time. If you don't have lots of hands-on experience with NX bypass - a.k.a ROP - like me, you will have a hard time with this challenge. The binary exploit challenges during OSCP and OSCE exams are nowhere near as complex as this one. If you have OSEE, you will be fine. For this challenge, I used GDB-Peda and Python pwntools – check them out in case you are not familiar with them. For me, solving this challenge took about 40 hours. Experienced CTF people could probably solve it in 4 hours or less.

Conclusion


I would not recommend taking this lab for total beginners *. I also do not recommend doing the lab if you only have limited time per day, which is especially true if you are working on your home computer. I probably would have saved hours or even days if I had set up a dedicated server in the cloud for this lab. The issue was that the lab workstations were rebooted every day, which meant that I always lost my shells. "Persistence FTW", you might say, but if your C&C is down when the workstation reboots, you are screwed. "Scheduled tasks FTW", you might say, but unless you have a strict schedule on when you start your computer, you will end up with a bunch of scheduled tasks just to get back the shell whenever you start your computer. Day after day I spent the first hour getting back to where I had been the day before. And I just figured out at the end of the lab why some of my scheduled tasks were not working ...

I would be really interested to see how much time I spent connected to the lab. Probably it was around 200–250 hours in total, which I believe is more than I spent on OSCP and OSCE combined. But it was totally worth it. I really feel the power now that I learned so many useful things.

But if you consider that the price of the one-month lab is 20 GBP, it is still a very cheap option to practice your skills. 
* It is totally OK to do the lab in 6 months, in case you start as a beginner. That is still just 190 GBP for the months of lab access, and you will gain a lot of experience during this time. You will probably have a hard time reaching the point when you have a working shell, but it is OK. You can find every information on Google, you just need time, patience and willingness to get there.

Anyway, it is still an option not to aim to "get all the flags". Even just by getting the first two flags, you will gain significant experience in "getting a foothold". But for me, not getting all the flags was never an option.



If you are still unconvinced, check these other blog posts:

Or see what others wrote about RastaLabs.


Footnote


In case you start the lab, please, pretty please, follow the rules, and do not spoil the fun for others. Do not leave your tools around, do not keep shared drives open, do not leave FLAGs around. Leave the machine as it was. If you have to upload a file, put it in a folder others won't easily find. This is a necessary mindset when it comes to real-world red teaming. Don't forget to drop a party parrot into the chat whenever you or someone else gets a new flag. And don't forget:
OSCP has no power here. Cry harder!

I will probably keep my subscription to the lab and try new things, new post-exploit frameworks. I would like to thank @_rastamouse for this great experience, @superkojiman for the ROP challenge. Hackthebox for hosting the lab with excellent uptime.
As for @gentilkiwi and @harmj0y, these two guys probably advanced red-teaming more than everyone else combined together. pwntools from @gallopsled was also really helpful. And I will be forever grateful to Bradley from finance for his continuous support whenever I lost my shells.
Related news

Las 50 "Mejores" Conferencias De Chema Alonso @Chemaalonso

Ayer no llegué a publicar el post de El lado del mal, pero no es porque no estuviera trabajando. Estuve trabajando y mucho desde muy temprano, que es cuando más disfruto yo de ciclos de computación de calidad en mi CPU, pero cuando pude acabar con el trabajo que me había puesto se me había hecho muy tarde, así que decidí dejar para hoy la publicación del post.

Figura 1: Las 50 "mejores" conferencias de Chema Alonso

No llegué a tiempo a publicar el post, pero sí que hice el trabajo que me había propuesto, que no era otro que hacer una lista de "Las 50 mejores conferencias de Chema Alonso" en mi Canal Youtube, de esas que me gustan a mí y a mi mamá, y que dejé publicado.
No están todas las charlas, y alguna que he dejado fuera por ahora porque había decidido que solo fueran 40 los vídeos que tenían que estar, pero a lo mejor los cambio con el tiempo. Tampoco las he ordenado por ahora en un orden temático o especial, pero puede que lo haga en el futuro. Y también puede que luego haga una lista del Top 10, y lo mismo hago que esta lista de 50 acaba siendo de 10. Ya veremos. 

Figura 3: Las 50 mejores conferencias de Chema Alonso

Lo que sí es cierto es que ahora tienes esa lista con las 50 charlas que he elegido - y hay algunas de 3 minutos, otras de 5 minutos y otras de más de una hora -, pero si quieres verte "La Serie Completa", tienes temporada a temporada, todas las series ordenadas cronológicamente en listas. Los vídeos de charlas comienzan en el año 2007 - no he conseguido vídeos anteriores - donde está la primera charla de LDAP Injection & Blind LDAP Injection y un Webcast de ISA Server 2006.  Y así hasta 2020 con la charla de Gremlin Botnets y las que vaya a dar este año.















También tengo otras listas para entrevistas a cosas temáticas, y los vídeos que usamos en los artículos, y otros vídeos con explicaciones puntuales, pero subido al escenario dando charlas, tienes todo el material que he sido capaz de recuperar en esas listas, para que encuentres la charla que quieres ver.

Saludos Malignos!

Autor: Chema Alonso (Contactar con Chema Alonso)

Related news