
Friday, March 11, 2022

MY JOURNEY!!!! A RANT lol. (My Struggles & Inspirations) [Wed, March 9, 2022 : 14:00:16]

As much as I aspire to have this blog be a centralized space where people in the Infosec community can reference my work and learn from it, I also want to be transparent and document my struggles and the topics I find challenging to learn.

To date, I have successfully managed to teach myself the core fundamentals of cybersecurity and how to be proficient in the different skill sets required of a cybersecurity professional, with knowledge of both defensive and offensive techniques to apply in the real world. Over time, my aspirations have broadened and deepened as I've come to see the more advanced subjects within the field. At the core, I've always wanted to be able to find 0-day vulnerabilities in commonly used technologies as well as create programs that can be used within the Infosec community. However, I'd be lying if I said that the journey has been easy. As much as I have created this blog for public and personal documentation, I study cybersecurity and software development professionally, so the struggle of coming to grips with the topics literally follows me everywhere. But knowing me, I hardly ever give up. From the time I decided to learn hacking, I decided that I would be diving into uncharted territory, embracing the discomfort of the process. Sometimes, however, I ask myself why the hell I chose such a profession. But I find myself answering with one word: PASSION. It's simply passion and vision that drive me to continue forward. One thing I can definitely reiterate is: hacking is definitely not the way it looks on Hollywood screens. It takes a lot of time and brain power. It's one of those professions that require creativity, because creativity has been the very element driving the progression of information security. Seeing professionals thrive in this profession is definitely eye candy, seems cool and all, but once you see the process of what it takes to get there LOLLL. Crazy. I spend weeks and weeks trying to solve a particular problem, with dozens of files and books and notes I've taken over time. The knowledge sometimes doesn't seem to stick. It gets real frustrating. Headaches on headaches on headaches.

The topics I'm currently struggling with are:

1. The intermediate and advanced analysis of assembly language for Reverse Engineering and Exploit Development.

2. Analyzing intermediate-level assembly code on the stack and C code, and finding vulnerabilities like format string vulns, etc. (especially within CTFs)

3. Understanding socket programming both in C & Python

4. Understanding kernel level security.

5. OWASP Top 10 client-side and server-side vulnerabilities (especially SSTI, CSRF and the like)

6. Understanding cryptography and reverse engineering cryptographic algorithms (like RSA, XOR, etc.)

What's with the rant, bruv?

As much as this blog is meant to document my progress with CTFs, it is also meant to educate myself in the long run, a means of reinforcing the knowledge acquired, drilling it into my brain so I don't forget lol. I intend to be transparent about the process of learning the craft I've dedicated myself to. A lot of security-focused blogs out there are fantastic to learn from. Many of them actually inspired me to create my blog and share my work with the world. However, it helps to have rants like these because most of the time the content focuses on the end result, which in this instance is the demonstration of the knowledge acquired. Sometimes it helps to see the struggles you face with a certain topic being faced by someone else. It confirms that you aren't necessarily the only one who struggles with learning that topic. So in my defense, the rant was necessary to offload all the frustration trapped within. Also to show the people that read this that... yeah... hacking is not for the faint-hearted. WILL and PURPOSE MUST BE YOUR FRIENDS, otherwise you'll hardly get through it all. Below is an episode of Pwny-racing, a hacker race in which 4 challengers are given a problem, in this case either code or binaries with hidden vulnerabilities. These vulnerabilities are to be found and exploited. Keep in mind that these are gamified to a certain degree, but a professional hacker or security analyst typically goes exactly the same route in real life. It's content like this that really keeps me on my toes and shows me just how security is a myth. Everything in software or hardware has a flaw. One just needs to have the knowledge to find it.

With the little knowledge I've acquired, I'm definitely grateful to myself for pushing through and keeping a higher view of what I want to achieve within the cybersecurity industry. Secondly, I'm grateful to the many people within the Infosec industry who continue to release infosec content and writeups that help script kiddies like me learn as easily as possible. Below are YouTubers (and a blog) that I appreciate and that have helped me, aside from practice and crazy amounts of reading.

JohnHammond

CryptoCat

LiveOverflow

Ippsec

Purple F0x Security (Blog)

KindredSec

I didn't want to go all out. I just want this to serve as a reminder that one must pass through the fire to get to the fountain. Often we get discouraged by learning blocks, but we have to persevere and be more resilient. If you're in information security, be sure to keep moving forward and work towards your goals.


Tuesday, March 8, 2022

ELF x86 - Stack buffer overflow basic 2 | Pwn Challenge Documentation #3

Back again with another walkthrough from the Root-Me Hacking & Information Security Platform. Straight into it. We're provided with the challenge source code as well as the binary protections.

Among the binary protections, NX is enabled, immediately indicating that any code we place on the stack won't be executed. The source code is provided, so we can read through it and analyze it.

The source code of the challenge shows 3 functions within the binary. The main function, the most important function in a C program (its entry point), declares an integer variable called 'var', a function pointer pointing to the function 'sup' and, interestingly, a character buffer of 128 bytes. From that alone, we can see that this will be a classic buffer overflow challenge. The next line introduces the fgets function, which is told it may read up to 133 bytes in total from standard input (stdin) into the buf variable, more than the 128-byte buffer can hold.

Executing this binary will only run the main function. We see from the source that there is a shell function which gives us a shell (/bin/bash) so that we can get the flag. The goal is to use a buffer overflow to overwrite the function pointer stored just past the buffer with the address of the shell function, so that the next call through it lands in shell, essentially redirecting the instruction pointer to get a shell.

Note: The memory address of the shell function can be found by loading the binary into GDB and typing 'p shell' to print the address.

I copied the source code and compiled the binary on my local machine; alternatively, Root-Me provides SSH credentials for the remote server where you can connect and complete the challenge.


To exploit this binary and get a root shell, we can use the Python interpreter on the remote server to write 128 bytes of junk followed by the address of the shell function, and pipe that output into the binary. The 'cat' at the end simply keeps stdin open once we get a shell, so that the shell can receive and execute our commands.

Exploit Code: (python -c 'print "A"*128 + "\x16\x85\x04\x08"';cat) | ./ch15

Flag: B33r1sSoG00D4y0urBr4iN
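To make the 128-versus-133 mismatch concrete, here is an added example (not the Root-Me source) that models main()'s frame as the post describes it, with the function-pointer slot right after buf, and reads a constructed 132-character line through fgets with both the challenge's size argument and the corrected sizeof buf. The slot value, the line contents and the 32-bit layout (matching the original ELF x86) are all assumptions of this model.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  128u             /* char buf[128] in the challenge      */
#define SUP_ADDR 0x08048500u      /* constructed stand-in for &sup        */

/* Models main()'s frame as a flat byte array so the overwrite is
 * well-defined on any host: buf | 4-byte func slot | 4-byte var slot. */
static uint32_t read_name(size_t fgets_n, const char *line)
{
    unsigned char frame[BUF_LEN + 8];
    uint32_t func = SUP_ADDR, var = 0;
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &func, sizeof func);
    memcpy(frame + BUF_LEN + 4, &var, sizeof var);

    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return 0;
    /* fgets writes up to fgets_n - 1 chars plus a NUL starting at buf;
     * anything past byte 127 lands on the slot main() calls next. */
    fgets((char *)frame, (int)fgets_n, in);
    fclose(in);

    memcpy(&func, frame + BUF_LEN, sizeof func);
    return func;                  /* what main() would now call */
}

/* The challenge's call: fgets(buf, 133, stdin) on a 128-byte buffer. */
uint32_t vulnerable_read(const char *line) { return read_name(133, line); }

/* Hardened call: the size argument is the buffer's real size, sizeof buf. */
uint32_t hardened_read(const char *line) { return read_name(BUF_LEN, line); }

/* Constructed input in the shape of the post's payload: 128 filler bytes,
 * 4 bytes standing in for a chosen address, and the newline print adds. */
const char *long_line(void)
{
    static char line[BUF_LEN + 6];
    memset(line, 'A', BUF_LEN);
    memcpy(line + BUF_LEN, "BCDE\n", 6);
    return line;
}

int main(void)
{
    printf("fgets(buf, 133): func slot = 0x%08x\n", vulnerable_read(long_line()));
    printf("fgets(buf, 128): func slot = 0x%08x\n", hardened_read(long_line()));
    return 0;
}
```

With 133, the four bytes after the filler replace the pointer main() calls next; with sizeof buf, fgets stops after 127 characters and the pointer is untouched.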

Tuesday, March 1, 2022

Nmap For Network Reconnaissance

Most of the time, especially as a hacker, you need a means to identify and investigate the target network, whether it is one you have been assigned by a company or one you operate against in the shadows (which I recommend you don't lol). Aside from passively gathering publicly accessible information from the internet, a method called passive reconnaissance, it is possible to actively gather quite useful information about a specific target or the target network, which is called active reconnaissance.

Nmap, a network auditing and reconnaissance tool used by network engineers and system administrators, can also be used by hackers to find a way into uncontrolled parts of a system. Nmap can identify active hosts on a target network, their open TCP ports and the services running on them, and, with the NSE scripts that ship with the suite, perform a more detailed analysis of the target network. Nmap can be installed on Windows and on the majority of Linux distributions, and comes pre-installed in Kali Linux, a penetration testing and information security Linux distribution. To follow along, you can download Nmap here.

Basics of Networking (enough to get the point across)

A network is essentially a bunch of devices connected together with the ability to transfer information and/or data between them. However, for this to occur, these devices need a way to be identified, and this is done using IP addresses. Every device, including the one you are using to view this, has been assigned an IP address by your Internet Service Provider. That IP address is essentially your identifier on the internet. The Internet itself, which in full is 'International Network', is a plethora of computers, servers and devices connected with each other, with the ability to transfer all this information. There is so much more to networking, but this is the surface-level information you need to understand how useful Nmap is.

Consider the following:

Nmap "Aggressive Scan"

Above is an Nmap scan: an "Aggressive" scan (indicated by the "-A" flag) was conducted against the target domain "scanme.nmap.org". This scan uncovered a lot of information about the remote target, such as its IP address (45.33.32.156) as well as the open ports found on that IP address/domain. Within a target host, there are various services listening in order to process information. For example, the file-sharing service FTP (File Transfer Protocol) is usually configured on port 21, and SSH, which provides encrypted remote access to a server or computer, is usually configured on port 22. So for every open port there is a respective service, some piece of software, that runs on that port.

Above, we found the following:

PORT 22, which is SSH and the software version running on this port is OpenSSH 6.6.1p1 Ubuntu

PORT 80, which is HTTP and the software version running on this port is Apache httpd 2.4.7 (Ubuntu Web Server)

As well as other ports, which would need more extensive research. Already from this Nmap scan we have enumerated the open ports, the services running on them, the versions of those services, and even the operating system of the web server. This information can be VERY useful, as a hacker can search for vulnerabilities in these services, exploit them and gain remote access to the host or the network. Aside from performing recon on a local network, you can also conduct recon on a remote network.

The NSE scripts can perform more advanced reconnaissance, automate brute-force attacks, detect CVEs, detect Web Application Firewalls that block malicious network traffic to and from the web server they protect, and many other useful tasks. Nmap has proven itself within the security industry, to malicious attackers, security researchers, system administrators, network engineers and ethical hackers alike, as a tool that is effective and accurate in auditing and fingerprinting systems and networks. This post has outlined the basic functionality of Nmap. In future posts, I will show how the NSE scripts can detect vulnerabilities, automate brute-force attacks and perform other useful reconnaissance techniques.