Today I felt my head was in the right place, but I did have to make an effort for it to happen. I focused on the material and I got to do some CTF challenges with the CTF gang.
I got to use the Elastic Stack again today and I was surprised because now I feel like I actually prefer using it over Splunk. The Kibana dashboard felt cleaner and more straightforward to me.
This lab was about getting intel about an attacker: its IP address, what recon the hacker used, and how he got access to the database.
One really good trick I found using Kibana was just setting the timeline from old to new and then just looking at the events. I saw every step the hacker took, from an Nmap scan and a gobuster scan to hydra brute forcing and how he used Local File Inclusion.
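As an added illustration (this script is not from the post or the lab), the same old-to-new timeline trick can be applied to plain web-server logs: sort the events, keep the ones that evidence a known tool or technique, and read off the attacker's stages in order. The log lines, the client IPs and the tool User-Agent strings below are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample web-server log lines (not from the lab), deliberately out
# of order. Fields: ISO time, client IP, "METHOD PATH", status, "User-Agent".
SAMPLE_LOGS = [
    '2023-03-01T10:12:41 10.10.14.5 "GET /index.php?page=../../../../etc/passwd" 200 "Mozilla/5.0"',
    '2023-03-01T10:02:03 10.10.14.5 "GET /robots.txt" 404 "gobuster/3.1.0"',
    '2023-03-01T10:00:17 10.10.14.5 "GET /" 200 "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '2023-03-01T10:07:30 10.10.14.5 "POST /login.php" 401 "Mozilla/5.0 (Hydra)"',
    '2023-03-01T10:07:31 10.10.14.5 "POST /login.php" 401 "Mozilla/5.0 (Hydra)"',
    '2023-03-01T10:07:33 10.10.14.5 "POST /login.php" 302 "Mozilla/5.0 (Hydra)"',
    '2023-03-01T10:03:00 192.168.1.20 "GET /index.php?page=home" 200 "Mozilla/5.0"',
]
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) ([^"]+)" (\d{3}) "([^"]*)"$')

def parse(line):
    m = LINE_RE.match(line)
    if m:
        ts, ip, method, path, status, ua = m.groups()
        return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}
    return None

def classify(ev):
    # Map one event to the attack stage it evidences; None means nothing suspicious.
    ua = ev["ua"].lower()
    if "nmap scripting engine" in ua:          # NSE http scripts announce themselves
        return "nmap scan"
    if ua.startswith("gobuster/"):             # gobuster-style default User-Agent
        return "gobuster scan"
    if "hydra" in ua or (ev["method"] == "POST" and ev["status"] == 401):
        return "hydra brute force"             # tool User-Agent or a failed login POST
    if "../" in ev["path"] or "/etc/passwd" in ev["path"]:
        return "local file inclusion"          # traversal in a page= style parameter
    return None

def noisiest_source(lines):
    # Candidate attacker IP: the client producing the most suspicious events.
    counts = Counter(e["ip"] for e in map(parse, lines) if e and classify(e))
    return counts.most_common(1)[0][0] if counts else None

def attack_timeline(lines, src_ip):
    # The Kibana trick in code: sort old-to-new (ISO timestamps sort as text),
    # then list the distinct stages in the order they first appear for one source.
    events = sorted((e for e in map(parse, lines) if e and e["ip"] == src_ip), key=lambda e: e["ts"])
    stages = []
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages:
            stages.append(stage)
    return stages
```

Running `attack_timeline(SAMPLE_LOGS, noisiest_source(SAMPLE_LOGS))` yields the four stages in the order the lab describes: nmap scan, gobuster scan, hydra brute force, local file inclusion.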
After a couple of days of theory it was refreshing to have some practical exercises.
After that I got together with the CTF gang and we started one about DNS enumeration tools. It was supposed to be a 20-minute CTF, but as soon as I read the description: “If we could dig into it, I am sure we could find some interesting records! But… it seems weird, this only responds to a special type of request for a givemetheflag.com domain?”
So I knew I had to use the dig command, but I had to do some research on how to use it. So I got these commands:
nmap -sU -p 53 -sV -Pn 10.10.243.157
dig @10.10.243.157 givemetheflag.com TXT
dnsrecon -d givemetheflag.com -n 10.10.243.157 -t std
The second command was all it took to get the flag. I was very surprised at how fast it was to get it. It took me about 2 minutes.
After that we had to dive into another one. This one was called Res.
In this one I learned about Redis, which is a database, and that it is possible, if it is not configured, to just log in without authentication. I realised that I could write inside the database, so all I needed was a payload with a reverse shell.
After that I took advantage of GTFOBins to read /etc/shadow using:
LFILE=/etc/shadow
xxd "$LFILE" | xxd -r
Then I had a hash. I just had to brute force it using my best friend, John the Ripper.
I escalated to root and that was it. Last flag obtained.
I felt good today. I tried to focus on just learning and on doing CTFs. These last few days we didn’t get to do much of those, so it was nice to get back to it.
