Get in the spirit of the holidays with some hacking!
If you’re like me, you probably have a number of projects that you’re working on and tracking at any one time. It’s important to keep your skills fresh, and, if you can have a little fun while you’re at it, it doesn’t have to feel like work or a huge time sink. I’ve shared some resources for red-team (or hacking) exercises in the past, but if you’re still intimidated or need slightly more guidance than simply downloading a vulnerable VM and not knowing what to do next, I have a great resource for you today.
TryHackMe is an online service that has all sorts of cybersecurity exercises that you can do right in your browser — no huge downloads required. Many of these exercises include guides or explainers to help beginners or experts in their hacking journey. There’s a free version and a paid-for version of TryHackMe, but the main difference is a matter of how much time you’re given or how many resources to which you have access. I’ve started several “rooms” on TryHackMe and enjoyed my time with them.
To celebrate the holidays, TryHackMe has started a campaign for the second year in a row called “Advent of Cyber.” These are daily, holiday-themed security exercises meant for anybody to participate in — you don’t need to pay for it or be a “hacking expert” to do these; you just need a little basic computer/web knowledge and a desire to learn. Every day, a new task is revealed, accompanied by a story and enough light tech explanations to complete each requirement. I’m not a particularly competitive person, so, if you’re like me and maybe a little intimidated by the idea of competing in a CTF exercise against other people, this is a fantastic opportunity that allows you to participate in an ongoing security campaign without feeling like you have to constantly compare yourself to others.
I’m writing this on December 3rd, but, to kickstart things, I’ve written a walkthrough for the first two days to show you the kind of exercises you’ll be performing.
Day 1 — A Christmas Crisis
To start with, we need to deploy both the “AttackBox” (the Linux VM we’ll be using to hack with) and the target VM.
It may take several minutes to boot both VMs (site traffic was pretty high when I did these exercises), but, once they’re up, both IP addresses will be displayed on the webpage.
From there, we need to use FireFox to navigate to the target VM’s IP address.
Create an account and login.
Today’s exercise is all about cookie manipulation and logging in without having to authenticate with a user’s password. As a refresher, a cookie is a bit of information stored on your host computer when you visit a website. The website uses this cookie to verify who you are and “remember” your settings when you visit that website again (how this works is a bit more complicated than that, but this is all the info you need to do this exercise).
To view the cookie that was created when we made an account and logged in, we need to go to FireFox’s “Web Developer” tools.
Remember, cookies are stored locally, so from Web Developer, we navigate to “Storage Inspector.” On a typical browser and website, you may find that a whole number of cookies have been stored, but, with this simple exercise, there should be only one.
There’s actually a decent amount of info here, such as the name of the cookie, whether it’s secure, when it expires, etc., but the important thing we want to look at in this example is the “value” of the cookie, or the actual information contained in it.
The cookie value is stored in hexadecimal, otherwise known as Base16. “Hex,” as it’s often called, is a very common standard used in encoding because of how easily it can convert to both binary and human readable plaintext. If you spend enough time working with computers, you’ll probably learn to recognize hexadecimal on sight, just because of how ubiquitous it is, but there are a couple ways to “cheat” and figure out what it is. The simplest way is looking at the characters — if you have nine numbers as well as letters through A through F represented (but nothing after F), you’re looking at hexadecimal.
The second method is using a highly valuable tool called “CyberChef.” CyberChef can auto-detect what encoding is being used when you click on the “wand” symbol and convert it to plaintext. We can do that now, since the next step will involve decoding the cookie value to see the info contained inside.
If you haven’t used it before, I strongly recommend bookmarking (or downloading) CyberChef, as it is a great way to quickly perform encoding/decoding operations for whatever purpose you may have.
Now comes the fun part. Given the information in the setup for this exercise, we can reasonably intuit that the admin for this service is most likely “santa.” Let’s reverse the process of decoding the cookie value and change the username to “santa,” after which, we convert the JSON text back to hexadecimal.
From there, let’s log out of the service, and create a new cookie. It will contain all of the same information as our original cookie, except the new value with “santa” as the username.
Refresh the page, and voila! We have managed to log in as the admin without even needing the password. The service sees our cookie and thinks we are “santa,” returning to use the program. Turning all of the services back on gives us the flag for this exercise.
(Random aside — I actually couldn’t get the buttons to show up the first time I did this exercise. I don’t know if was because of some security tools in my browser or because the TryHackMe server was swamped with users, but, when I tuned the security tools in my browser and returned to the exercise later in the day, it all worked as it was supposed to.)
Day 2 — The Elf Strikes Back!
The goal for this exercise is to initiate a reverse shell by uploading some php script to a server that’s meant to store images. While this may sound more complicated than Day 1, this is actually a pretty straightforward, but fun, exercise that takes advantage of some scripts that have already been written for us.
First, we need to connect to the vulnerable VM’s upload page, which we can use by applying the assigned ID we’re given earlier in the exercise and applying it in our URL:
By going through the dialog box, we can see that this server only accepts images, but, as described in our explainer at the start of the exercise, we can bypass the filter and trick the server into accepting a php script.
First, we take the php script used for establishing a reverse shell and make a copy, being sure to change the IP address and port number to the relevant info necessary for communicating with the AttackBox.
After that, we change the filetype to include a dot and jpeg (or whatever image type that will be accepted) to essentially “trick” the service into thinking it is accepting an image file.
Next, we need to figure out where in the directory that file has been placed so we can call on it to establish a reverse shell. There are a number of tools to do this (I even talked about it in a previous post on this blog), but some of the most common ones in a Kali Linux setup are DirBuster and MetaSploit. Rather than spend any time on that for this exercise, however, I decided to try entering the typical default URL for /uploads/ which, in this case actually works!
This should be a good example for why you should never go with default settings when setting up your stack or your online devices— they are rarely very secure.
Before we activate our php script, we need to use netcat on our AttackBox to “listen” for the shell connection request from our script. Once we do that, we simply click the php script to activate it, and then we’re in!
As you can see (ignore my spelling errors in the screenshot), we can now use our reverse shell to navigate around inside the vulnerable server and find the flag for this exercise!
And that’s the first two days of TryHackMe’s “Advent of Cyber 2.” Every day at 11am EST, they will be adding one new, holiday-themed exercise, and I highly recommend checking back often to complete them: they’re a lot of fun and very newcomer-friendly (there’s also prizes, if you’re in to that sort of thing).