Xtreme Web Hacking with Akash and Riyaz

All set to take you through the journey of one of the best hacking times I have had, with two of the most prestigious hackers. Before I start, everyone must know these two wonders of the cyber world: Akash Mahajan (aka @makash) and Riyaz Walikar (aka @riyazwalikar). As the title of the course suggests, they are “Xtreme Web Hackers”. I will be referring to them as “Masters” from here on, as that is what they are. They are the ones who know how to break web applications in the most efficient manner because they know how to build one. Once you know the fundamentals of building things, you can easily find the ways of breaking them. And that’s their secret, in my view. Sorry, but I have to stop here; otherwise I would need to write another blog just to describe these two legends of the cyber world.
Coming back to the course, it was not just a normal 2-day workshop with a bunch of slides to go through and forget about. It all started with building up a war room to embark on the journey towards Xtreme web hacking. When I say war room, it was not just machines but men as well, and supermen at that 😉, with their strategy to break in.

Training Motto: As they say, “War games are the best way to learn hacking” and “A story can put the whole brain to work”. This is reflected in their 2-day workshop.
Xtreme Web Hacking

Lab setup:
1) Target web app Machine
2) Intermediate target for lateral movement
3) Offender’s League setup
4) And of course, most important of all, the offensive strategy

XWH journey:

Day I: It all started with setting up the lab infrastructure, which was the most important part of the journey: installing virtual machines, configuring the virtual network, testing connectivity, and being ready with your observation book to make a note of each and every observation during this journey.
The whole 2-day journey went by the words, or we can say the strategy, of our Masters: to put our brains on wheels by narrating, executing and involving everyone in the story woven by them.
It all starts with the target given to you for penetration, which is of course a web application. It was our turn now to wear the devil’s hat and start breaking into the application, but remember we had 2 Masters along, directing our force to where exactly we should go. We started by performing DNS recon on our target domain to get an idea of the different web applications it was running. We proceeded with finding a SQL injection vulnerability on our target for hunting sensitive data in the database, but this was done manually and not with any automated tool, particularly to make you understand the basics of hacking along with the behavior of the application. The next step was to get admin access to the web application and try to execute arbitrary code on the server to achieve our goal. Moving forward, we started on another target which we had found during the initial DNS recon. Through the next course of actions we learned abusing PHP wrappers, using LFI, attacking serialization, using hash functions, bit padding, and executing the final exploit. We reached our final target for Day 1, where we learnt more on XSS, SOP, CORS headers, setting up an XSS payload, hosting your payload, uploading the payload, tricking the admin user into executing the payload, cookie stealing, binary stuffing and finally uploading and executing your payload using LFI. So much offensive security stuff was loaded into our minds by the end of day one. In our Masters’ language, we were drunk with hacking at the end of Day I.

Day II:
We started with our focus on moving laterally within the network to find other hidden servers which were serving internally. We used the previously collected information to hunt the internal target, with the plan of tunneling traffic into the internal network using pivoting. We tried 2 methods for pivoting: the pwfd script and Socat. Then we created our PHP shell using meterpreter and hosted it on a Python HTTP server, followed by uploading the shell to our target using LFI. Our shell had reached the target; now it was our turn to ready our Metasploit and run the shell on the target. Bingo! We had an active meterpreter connection. Using this connection we started moving further into the network by tunneling traffic using pivoting. Lastly, we learnt Server Side Request Forgery (SSRF) / Cross Site Port Attack (XSPA) and also learnt how Riyaz earned a bug bounty using this 😉
We declared an overflow of knowledge, but our Masters were wearing the devil’s hat and decided to take our exam in the form of a CTF where we needed to apply the knowledge of the 2 days. This CTF helped us in understanding web application security and the methodological sequence to apply while performing any application security assessment.

Key Learnings: As I always say, what matters is strategy rather than tools. You might know hundreds of tools, but if you don’t know when and where to apply them, then everything fails.

To conclude, we learnt:
  • How to identify a vulnerable application
  • How to identify the exact vulnerability
  • How to use the identified vulnerabilities to exploit and gain system access
  • How to escalate privileges and move laterally to other systems

The Nullcon Social Engineering CTF and Team Hackster

Finally the Nullcon fever is over and I am back to the pavilion. Everyone must be settled by now into their day-to-day corporate routine. Here I take the chance to write down my first ever experience of a Social Engineering Capture the Flag event, hosted at Nullcon 2016, Goa. This is not just about participating in such an event for the first time, but winning it as well.

Let me start by introducing our “Team Hackster”. We are a 2-member team participating in the SECTF (Social Engineering CTF) at the Nullcon Hacker Village: myself, “Avkash Kathiriya”, and my friend “Hemang Soni” (@Galactic_Master, as he loves to call himself). We are definitely not professional penetration testers, nor are we social engineering champions. We are just infosec professionals with a few years of experience.

Coming back to the SECTF, it was all about expecting the unexpected. The contest was well conceptualized to be a realistic con event that makes you think like a conman and brings out every little devil inside you. All kudos to Neelu Tripathy (aka br3ckp0int), the mastermind of the SECTF. Rules were explained, targets were given, and each team was eagerly waiting to hunt their target with their social engineering skills. Each team was given 30 minutes for capturing the flags with all possible tools, but without launching any offensive test against the target company. A team could collect phone numbers for their social engineering target within the given time, but we were not supposed to place the calls ourselves. Instead, each team had to call the target in the presence of a SECTF volunteer, in a separate soundproof room, using voice-over-internet callers.


Targets:

We were really surprised when handed the target details. The targets were good choices for the CTF, being no dummy targets to hunt; all teams were given unique, real companies to target.

Flags:

There were 20 flags which needed to be captured. The flags were mainly categorized as below.

  • TECH
  • General
  • Physical pen-test

Each flag had a unique id for reporting. As one can figure out from the type of information we needed to gather, each flag was a valuable information asset for any company. Looking at the flags, I was of the opinion that if one got hold of this information it could fetch a lot of value. In my view the flags were designed to collect information from the targeted company that would be linked to each phase of the Cyber Kill Chain, and which could be used to launch targeted attacks. Everything from techie stuff like operating system details, PDF reader version details and mail client details to general details like domain names and email ids was covered.

Here we go hunting!

OK, now it was time to get our hands dirty.

As a team our strategy was clear: break the flag list into 2 parts -> Man vs Machine. One team member would focus on using machine tools to capture technical details, and the other member would focus on the available social media platforms to target humans with social engineering tactics. We went ahead with DNS dumping to capture all domain details and the public IP range, and then identifying company-owned domains. Getting valid company email ids was easy with the help of information-rich social platforms and hunting for employees of the targeted company. Job postings by the company were the richest information source in terms of the technologies being used by the company and the people structure within it. Our efforts with techie tools to sift through the company details helped us in capturing most of the flags. Now the time had come to use humans to get our remaining flags and confirm the information we had already got online. Our simple hunt was to identify the technical staff of the company and get their contact details to call upon. Thanks to social networking sites like LinkedIn, Facebook, and Google, which helped us in getting the contact details of our target, background research on the target company and background research on our target human. We had planned to target human ambition by offering a more lucrative and more ambitious job to the human target we had identified, in exchange for giving us back the flags we were hunting for. The call placed to our identified target was live and was relayed to the main room for all the other audience to listen to. Care was taken not to disclose the real targets to ensure the safety of the person receiving the call and of the company itself. Bang on, social engineering one more time proved its mettle. All your technology investment is tossed away in a matter of time if the people behind it are not security aware. Before securing any technology, one must secure human knowledge.

Tools Used:

  • Google Dorks
  • Social Engineering platforms like Facebook, LinkedIn, Twitter
  • Job portals
  • DNS dumping tools
  • OSINT

The conclusion we were able to draw was that the information we found through passive searching was the actual information the company leaks, which builds an easy case for an attacker to make a targeted attack. Finally, we documented all the flags along with all the required evidence collected, attached screenshots wherever required, and submitted in the format shared by the CTF team. Mainly we were able to get details like the operating system, antivirus, security technologies being implemented, headquarters landmark, etc. of the target company through the call. Although the targets were real, all rounds were carried out in a controlled environment to ensure safety.

Overall it was fun, along with some scary truths about social engineering. I hope to see many such events happening in India in the near future. And special thanks to Nullcon for encouraging such events.