Third Step to Become a Hacker - Haaga-Helia Assignment

Assignment 3

The questions for the assignment are here

Task X

Mitre 2022: ATT&CK Enterprise Matrix

Source

1. Reconnaissance

The adversary is trying to gather information they can use to plan future operations

Active Scanning
  • Executing active reconnaissance scans to gather information that can be used during targeting.
  • Opposed to the others since it doesn’t involve direct interaction
  • Subtechniques:
    • Scanning IP Blocks - scanning victim IP blocks to gather information
    • Vulnerability Scanning - scanning victims for vulnerabilities
    • Wordlist Scanning - probing infrastructure using brute-forcing and crawling techniques
  • Example: the hacker gathers the target machine’s information using port scanning and ping probes –> learns which ports are open and vulnerable, and the target machine’s IP address

2. Resource Development

Involving adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting

Establish Accounts
  • Creating and cultivating accounts with services
  • Building a persona to further operations
  • Subtechniques:
    • Social Media accounts
    • Email Accounts
  • Example: the hacker spends time creating a Facebook account packed with posts and pictures so that the profile and its timeline look realistic –> later uses this account to perform phishing attacks

3. Initial Access

Consists of techniques that use various entry vectors to gain their initial foothold within a network

Phishing
  • Sending phishing messages to gain access to victim systems
  • Subtechniques:
    • Spearphishing Attachment - sending spearphishing emails with a malicious attachment
    • Spearphishing Link - sending spearphishing emails with a malicious link
    • Spearphishing via Service - sending spearphishing messages via third-party services
  • Example: the hacker builds automated software that gathers people’s emails and sends them different kinds of malicious emails that fit their usual habits. The emails contain phishing links; if the receivers click on them, their information is gathered

4. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system

User Execution
  • Rely upon specific actions by a user in order to gain execution
  • Users may be subjected to social engineering to get them to execute malicious code
  • Subtechniques:
    • Malicious Link
    • Malicious file
    • Malicious Image
  • Example: hacker attempts to get victim to launch malicious docx attachment from a phishing email

5. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access

Browser Extensions
  • Abusing Internet browser extensions to establish persistent access to victim systems
  • Example: the hacker builds a Chrome extension and lures users into adding it to their browsers –> the extension steals cookies and user information.

6. Privilege Escalation

Consists of techniques that adversaries use to gain higher-level permissions on a system or network

Valid Accounts
  • Obtaining and abusing credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion
  • Subtechniques:
    • Default Accounts - obtaining and abusing credentials of accounts that are built into an OS, such as the Guest or Administrator accounts on Windows systems
    • Domain Accounts - obtaining and abusing credentials of accounts that are managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain
    • Local Accounts - obtaining and abusing credentials of accounts that are configured by an organization for use by users, remote support, services, or for administration on a single system or service
    • Cloud Accounts - obtaining and abusing credentials of accounts that are created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application
  • Example: the hacker has legitimate credentials stolen from a user and uses them to log into Azure Active Directory to steal the user’s information and data.

7. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise

File and Directory Permissions Modification
  • Modifying file or directory permissions/attributes to evade access control lists (ACLs) and access protected files
  • Subtechniques:
    • Windows File and Directory Permissions Modification
    • Linux and Mac File and Directory Permissions Modification
  • Example: the hacker somehow gains remote access to the target’s machine –> takes ownership of a file and resets its ACL permissions using the takeown.exe /F filepath command

8. Credential Access

Consists of techniques for stealing credentials like account names and passwords

Steal Web Session Cookie
  • Stealing web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials
  • Example: the hacker steals a web session cookie from the Chrome browser using XSS

9. Discovery

Consists of techniques an adversary may use to gain knowledge about the system and internal network

Network Sniffing
  • Sniffing network traffic to capture information about an environment, including authentication material passed over the network.
  • Example: the hacker uses malicious network-sniffing software to look for unencrypted login credentials on a network.

OWASP: Cross Site Scripting (XSS)

Source

Cross Site Scripting (XSS) is a type of injection, but instead of SQL injection as in the previous tasks, it is script injection. An attacker can perform an XSS attack by sending malicious scripts through a web application. Inputs are vulnerable if their values aren’t validated or encoded, and hence can be used to perform an XSS attack. This kind of attack is pretty dangerous because it allows the attacker to access cookies, session tokens or sensitive data, and even rewrite the content of the HTML page.

There are 3 categories of XSS attacks:

  • Stored
  • Reflected
  • DOM Based XSS

To determine if the webpage is vulnerable, perform a security review of the code and search for unprotected inputs and other possibly unguarded HTML tags as well.

These are some examples of XSS attack syntax:

  • Using Script in Attributes
    <img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
  • Using Script Via Encoded URI Schemes
    <img src=j&#X41vascript:alert('test2')>
  • Using Code Encoding
    <META HTTP-EQUIV="refresh"
    CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">
  • Using Javascript script
    <script type="text/javascript">
    var adr = '../evil.php?cakemonster=' + escape(document.cookie);
    </script>
  • Using Error page
    <html>
      <body>
        <?php
          print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
        ?>
      </body>
    </html>
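The OWASP payloads above only work because the input is written into the page unencoded. The following is an added example, not code from the OWASP page or from the assignment: a Python comparison of a vulnerable template against one that HTML-encodes the value for an element-body context, with a small check run over the payloads quoted above (reused here as constructed sample input) to confirm that the encoded version introduces no new tag or event handler. The function names and the regular expressions are my own choices.

```python
import html
import re

# Constructed sample input: the OWASP-style payloads quoted above, plus one
# harmless value, as a defender would see them arriving in a form field.
SAMPLE_INPUTS = [
    "hello world",
    '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>',
    "<img src=j&#X41vascript:alert('test2')>",
    '<META HTTP-EQUIV="refresh" '
    'CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">',
    "<script>console.log()</script>",
]


def render_comment_vulnerable(user_input: str) -> str:
    """Vulnerable template: the value is concatenated into the page as-is."""
    return f'<p class="comment">{user_input}</p>'


def render_comment_safe(user_input: str) -> str:
    """Hardened template: the value is HTML-encoded for an element-body
    context, so '<', '>', '&' and quotes can no longer form markup."""
    return f'<p class="comment">{html.escape(user_input, quote=True)}</p>'


# An opening tag, or an on*= event handler that sits inside an open tag.
TAG_RE = re.compile(r"<\s*[a-z][a-z0-9]*", re.I)
HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)


def introduces_active_markup(renderer, user_input: str) -> bool:
    """True if rendering user_input adds a tag or event handler beyond the
    ones the template itself contributes (measured by rendering '')."""
    baseline = renderer("")
    rendered = renderer(user_input)
    extra_tags = len(TAG_RE.findall(rendered)) - len(TAG_RE.findall(baseline))
    extra_handlers = len(HANDLER_RE.findall(rendered)) - len(HANDLER_RE.findall(baseline))
    return extra_tags > 0 or extra_handlers > 0


def audit(renderer, inputs=SAMPLE_INPUTS) -> dict:
    """Map each sample input to whether the renderer lets it inject markup."""
    return {value: introduces_active_markup(renderer, value) for value in inputs}


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_comment_vulnerable),
                           ("safe", render_comment_safe)):
        print(name)
        for value, injected in audit(renderer).items():
            print(f"  {'INJECTED' if injected else 'inert   '}  {value[:60]}")
```

Note that `html.escape` is the right encoder only for text placed between tags or inside a quoted attribute; a value written into a JavaScript string, a URL or a CSS rule needs the encoder for that context, which is why the review step above looks at every place an input lands, not only at form fields.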

Task Y - Cross Site Story

(Please note that the following story is totally fictional and there are many flaws for sure so please read with a relaxed and non-judgemental mind. Thank you! 🙂)

Mr.Hacker is a sort of IT genius whose life is unfortunately not going in the direction he wants it to go. He doesn’t want to do any manual labour and thinks maybe it’s time to put his IT skills to use. Mr.Hacker is a hateful person, so he decides to make the person he holds a grudge against pay for what he deserves.

Mr.Hacker knows that Mr.Douche is a hardcore gambler who visits Gambling Paradise - not the most famous gambling website in the country but attracting many gamblers nowadays - on a daily basis. Mr.Douche has done something really bad to Mr.Hacker here and he is going to pay for his nasty behavior really soon.

Mr.Hacker plots a good plan to steal Mr.Douche’s money without laying a finger on him. He has spent quite some time checking the Gambling Paradise website www.gambling-paradise.io for flaws, and he finds out that the game runs on sessions. He also stalks Mr.Douche sometimes and knows that Mr.Douche has the habit of going to a small pub nearby to have a drink and gamble at the same time. Since Mr.Douche is a careless person, he uses the pub’s public wifi to access the internet.

Here are the steps that Mr.Hacker does to steal money from Mr.Douche:

Mr.Hacker Hacking Process
  1. Mr.Hacker has a packet sniffing program, so he uses it to sniff out the session ID that Mr.Douche is playing in from the public wifi. He knows the pub’s router’s IP address, which looks like 192.168.1.23. The program starts to sniff out information from this particular IP address.
  2. He can see that the session Mr.Douche is in has an ID of 38458D984KLEJ9339996
  3. He then accesses the session using a URL quite like this: http://gambling-paradise.io/38458D984KLEJ9339996. You might see here that John from Gambling Paradise’s IT department has been slacking off. He forgot one crucial thing, which is using HTTPS for the site. Since the site runs on HTTP, there is no TLS (SSL) to encrypt the data, so anything can be sniffed from this website.
  4. After successfully hijacking the session, he checks the browser’s Network tab and realizes that the session contains crucial information username: typicalguy, and password: learntobeabetterguy
  5. Obviously, now Mr.Hacker has all of the information he needs to steal money from Mr.Douche. He uses Mr.Douche’s account and bank information to do a lot of evil stuff from here.
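The two weaknesses the story turns on, plain HTTP and a session identifier that travels in the clear, are things a defender can check for mechanically. What follows is an added example, not part of the original story and not code from any real site: a small Python checker that audits a Set-Cookie header for the Secure, HttpOnly and SameSite attributes, and flags a URL that is not served over HTTPS or that carries a session-like token in its path or query. The cookie name, the sample URLs and header values, and the token heuristic are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A long run of URL-safe characters standing alone in a path segment or query
# value is treated as a session-like token (heuristic, constructed for this example).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> list:
    """Return findings for a session cookie that lacks the protective attributes."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so the browser also sends it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so script can read it via document.cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict, so cross-site requests carry it")
    return findings


def audit_session_url(url: str) -> list:
    """Return findings for a URL that is not HTTPS or carries a session-like token."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme is not https: no TLS, so the session is visible on the network")
    candidates = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    for segment in candidates:
        if TOKEN_RE.match(segment):
            findings.append(f"session-like token exposed in the URL: {segment}")
    return findings


def audit_login_response(url: str, set_cookie_headers) -> list:
    """Audit one response: the URL it came from plus every Set-Cookie it returned."""
    findings = audit_session_url(url)
    for header in set_cookie_headers:
        findings += audit_set_cookie(header)
    return findings


# Constructed sample modelled on the story: the session id travels in the URL
# over plain HTTP, and the cookie is set without any protective attribute.
STORY_URL = "http://gambling-paradise.io/38458D984KLEJ9339996"
STORY_COOKIE = "sessionid=38458D984KLEJ9339996; Path=/"

# The same site after the fix John should have made.
FIXED_URL = "https://gambling-paradise.io/play"
FIXED_COOKIE = "sessionid=38458D984KLEJ9339996; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, url, cookie in (("story", STORY_URL, STORY_COOKIE),
                               ("fixed", FIXED_URL, FIXED_COOKIE)):
        print(label, audit_login_response(url, [cookie]) or ["no findings"])
```

Run against the story's setup it reports five findings; against the fixed configuration it reports none. The Secure attribute is the one that directly addresses the sniffing in step 1, since the browser then refuses to send the cookie over HTTP at all, even if a user types the http:// address.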

Task A - WebGoat: A3 Sensitive Data Exposure

Following the instruction, I clicked the Log in button. To check the request we just sent, right click, choose Inspect and find the Network tab as in the below image.

WebGoat

We can see that there is one request that seems not to be successful. If you know REST APIs, you would know that status 200 means a successful request and the status range from 400 to 499 means an unsuccessful request. The request we just sent has a 405 status code, which means Method Not Allowed: the method is known by the server but has been disabled and can’t be used.

This is understandable because we used the login function without providing a username and password. To inspect further, we can click on the unsuccessful request and check the Request tab as in the following image.

WebGoat

It seems to me that when we clicked the Login button, we sent a request that contains the credentials of another user. Lucky us, the credentials are not encrypted, so we can just copy and paste them into the inputs and the task is done!

Task B - WebGoat: A7 Cross Site Scripting (XSS)

2. What Is XSS

Just as the task suggests, I opened the browser’s developer tools and typed in the console:

    alert(document.cookie);
WebGoat

The browser alerts the session ID. I opened a couple more tabs to check the session ID of other pages and they were the same.

WebGoat

7. Try It! Reflected XSS

This task is not so hard to figure out. The first 4 inputs accept only numbers, so it’s understandable that I shouldn’t try those.

Then I tried the credit card number input with this code

    <script>console.log()</script>

The input isn’t safeguarded on the server side, so I had found the unsafe input.

WebGoat

Bonus - Darknet Diaries

This week’s assignment is rather short, so I decided to write a bonus task for myself, which is summarizing another Darknet Diaries episode. I’m quite excited to summarize this episode because it’s just amazing.

Lottería

Source

The story is basically about a guy who goes by the name OS, who used to be in the Marine Corps and later joined a consulting company to work on cybersecurity and digital forensics. Then one day, the government of Puerto Rico hired his agency to do some work for them.

OS didn’t know that he would stay in Puerto Rico longer than a few weeks. He thought he was there only to analyze and improve their network, but they told him to investigate their lottery system because they were losing millions of dollars a month and had no clue why. They were confident that their lottery system only generated profits, not losses, so even the governor was involved in this investigation.

Since the governor was involved, they had all the clearances and permissions they needed. They first investigated the physical security side of the lottery system, such as checking the lottery balls, how a lottery session was conducted, the employees who were there, etc. Unfortunately, no flaws were found in the process. This is when they shifted the investigation from the physical security side to the digital one.

The process from drawing the lottery to cashing out the winning money went like this:

Steps
  1. The winning numbers were drawn out
  2. The drawing department entered the numbers into the system
  3. The database got updated. All of the tickets that had the winning numbers were updated to indicate that those were the winning tickets and the amount of payout money.
  4. The payout department checked this database and paid out the indicated money to the winners.

They then went to investigate the department that monitored this database. They checked the database system itself and it was a solid financial database. They analyzed the transactions, all of the numbers and nothing was wrong. Because of this, the government gave OS indemnity and permission to hack into their system to investigate even further. The process of OS becoming a real hacker, sneaking and working undercover was described vividly in the episode so if you want you could check it out but I have to skip the details here.

So in the process of finding out what was really going on, OS got himself into a room that had a suspicious computer running the Windows 98 operating system. He did pen testing, hacked into the computer successfully, and saw something very weird. I have outlined the lottery process above; OS found out that there was an extra step between steps 3 and 4 and another one after step 4.

These are the new steps:

New Steps
  1. Somebody updated the amount of winning money to something much more than that
  2. After the winner cashed out the money, the same person updated the database back to the original figure

So the mystery was solved; this was how they cheated the system. They took a few extra steps to figure out that a guy from the IT team was involved in this fraud. I had goosebumps at the end of the story knowing that this lottery fraud was not just what it seemed to be. It was part of a cartel operation that laundered money and whatnot. This OS guy was amazing; he cracked a big case for the FBI without knowing it from the start.

My reflection
Listening to this story, I had a question in my mind. Usually in any database, the developer would add these 2 columns to every row: created_at and updated_at. Every time a transaction is done, the created_at column is set with a timestamp, and the same is done with the updated_at column when a row gets updated. Is this enough information to secure the data of a transaction, after listening to this story? I think not. From my point of view, there should be 2 more columns, maybe last_updated_at and cashed_out_at, or at least last_updated_at should be included. The value of last_updated_at should be either null or the previous value of the updated_at column in the previous row. If it’s updated twice, there should be a reason for that. I’m not sure if this is redundant or not, but this is just my opinion after hearing this story.
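The reflection above asks whether created_at and updated_at are enough to reconstruct what happened to a row. The following is an added example, not the lottery system from the episode and not the columns proposed above: a SQLite demonstration in Python of the general approach those extra columns point toward, an append-only event table filled by triggers, so that an update that is later reverted still leaves two records, together with a detection query that flags a payout raised and then lowered, or changed after the ticket was cashed out. The schema, the ticket rows and the actor names are constructed for this example.

```python
import sqlite3

NOW = "strftime('%Y-%m-%dT%H:%M:%fZ', 'now')"

SCHEMA = f"""
CREATE TABLE tickets (
    id              INTEGER PRIMARY KEY,
    numbers         TEXT    NOT NULL,
    payout_cents    INTEGER NOT NULL DEFAULT 0,
    cashed_out_at   TEXT,
    last_changed_by TEXT    NOT NULL DEFAULT 'system',
    created_at      TEXT    NOT NULL DEFAULT ({NOW}),
    updated_at      TEXT    NOT NULL DEFAULT ({NOW})
);
-- Append-only history: rows are only ever INSERTed here, by the triggers below.
CREATE TABLE ticket_events (
    event_id         INTEGER PRIMARY KEY,
    ticket_id        INTEGER NOT NULL,
    event            TEXT    NOT NULL,       -- 'payout_change' or 'cash_out'
    old_payout_cents INTEGER,
    new_payout_cents INTEGER,
    actor            TEXT    NOT NULL,
    recorded_at      TEXT    NOT NULL DEFAULT ({NOW})
);
CREATE TRIGGER audit_payout AFTER UPDATE OF payout_cents ON tickets
WHEN OLD.payout_cents <> NEW.payout_cents
BEGIN
    INSERT INTO ticket_events (ticket_id, event, old_payout_cents, new_payout_cents, actor)
    VALUES (NEW.id, 'payout_change', OLD.payout_cents, NEW.payout_cents, NEW.last_changed_by);
END;
CREATE TRIGGER audit_cash_out AFTER UPDATE OF cashed_out_at ON tickets
WHEN NEW.cashed_out_at IS NOT NULL
BEGIN
    INSERT INTO ticket_events (ticket_id, event, actor)
    VALUES (NEW.id, 'cash_out', NEW.last_changed_by);
END;
"""


def set_payout(conn, ticket_id, payout_cents, actor):
    conn.execute(f"UPDATE tickets SET payout_cents = ?, last_changed_by = ?, updated_at = {NOW} WHERE id = ?",
                 (payout_cents, actor, ticket_id))


def cash_out(conn, ticket_id, actor):
    conn.execute(f"UPDATE tickets SET cashed_out_at = {NOW}, last_changed_by = ?, updated_at = {NOW} WHERE id = ?",
                 (actor, ticket_id))


def final_payouts(conn):
    """What the live table shows: only the latest value per ticket, as in the episode."""
    return dict(conn.execute("SELECT id, payout_cents FROM tickets ORDER BY id").fetchall())


def find_suspicious_tickets(conn):
    """Detection over the event history, which the live table alone cannot support."""
    raised_then_lowered = conn.execute("""
        SELECT DISTINCT up.ticket_id
        FROM ticket_events up
        JOIN ticket_events down
          ON down.ticket_id = up.ticket_id AND down.event_id > up.event_id
         AND down.event = 'payout_change'
        WHERE up.event = 'payout_change'
          AND up.new_payout_cents > up.old_payout_cents
          AND down.new_payout_cents < up.new_payout_cents
    """).fetchall()
    changed_after_cash_out = conn.execute("""
        SELECT DISTINCT p.ticket_id
        FROM ticket_events p
        JOIN ticket_events c
          ON c.ticket_id = p.ticket_id AND c.event = 'cash_out' AND p.event_id > c.event_id
        WHERE p.event = 'payout_change'
    """).fetchall()
    findings = [(row[0], "payout raised then lowered") for row in raised_then_lowered]
    findings += [(row[0], "payout changed after cash-out") for row in changed_after_cash_out]
    return sorted(findings)


def build_demo_db():
    """Constructed scenario: one honest winner and one ticket handled as in the episode."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tickets (id, numbers) VALUES (?, ?)",
                     [(1, "04 11 19 23 42"), (2, "07 08 15 31 40"), (3, "01 02 03 04 05")])
    set_payout(conn, 1, 250_000, "drawing_dept")       # honest winner, paid once
    cash_out(conn, 1, "payout_dept")
    set_payout(conn, 2, 1_000, "drawing_dept")         # small honest win ...
    set_payout(conn, 2, 25_000_000, "it_insider")      # ... inflated before payout
    cash_out(conn, 2, "payout_dept")
    set_payout(conn, 2, 1_000, "it_insider")           # ... and put back afterwards
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("live table:", final_payouts(db))
    print("suspicious:", find_suspicious_tickets(db))
```

After the demo runs, the live table shows ticket 2 with its original 1,000 cents and a fresh updated_at, which is exactly the view the investigators had; only the event table still holds the inflated value, the actor who set it and the fact that it changed after the cash-out. In a real deployment the application's database role would have INSERT-only rights on the event table, so the person editing tickets cannot also tidy up the history.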