We ran into a few issues with flight delays and technology – unfortunately our streaming and recording failed to save audio for this event so we do not have a video available. But RISE attendees pulled together to make this a great interactive meeting covering Hack the Box. If you weren’t able to make the event, keep reading for notes from the demonstrations. Special thanks to R&K Solutions for hosting this event.

Full house for a discussion of penetration testing

Tyler Booth suffered flight delays, but RISE member Aaron McPhall started us off with his walk-through of the Hack the Box registration and one of the machines. The site terms of service prohibit posting solutions to the challenges, but who wants to see solutions? We’re here for the challenge! Aaron described his thought process, trying to exploit basic vulnerabilities and exploring all of the information available to him on the registration challenge page. Once Aaron demonstrated his solution, other attendees described their process to reach the goal of obtaining a registration code. This was a fantastic intro, as each solution used different methods but achieved the same result. An excellent demonstration of hacking: most often there are multiple avenues to reach a goal. Aaron then presented his solution of challenge “DigitalCube”. This gave attendees an idea of how the challenges work, and the goal of obtaining “user” and “superuser” tokens as the solution. It also introduced the variety of tools, techniques, and information that users would learn through this system. Aaron’s solution covered foundations such as base-64 encoding, image formats, and some impressive vim skills.

Aaron McPhall explores code for the Registration challenge

Tyler arrived with plenty of time to spare and walked through Hack the Box challenge “Haystack”. First – expect lots of failure. Failure is simply a path to the solution and should be embraced for the learning achieved even if it didn’t result in a solution. Tyler starts with information gathering. Penetration testing involves heavy research of the site or system being evaluated and the technologies in use. Be prepared to read – lots of reading about unfamiliar applications and how they operate or communicate. Tools such as nmap ease enumeration of services on the target VM and are a great starting point for understanding the technical environment. But tools alone cannot replace fundamental knowledge of how protocols and applications function.

Next steps will be dictated by the environment – what applications or protocols are discovered? You’ll need to rely on your knowledge and experience as well as a dose of research to fill in information gaps. A career in red teaming is one of constant learning. Tyler showed how he used tools and techniques already at his disposal along with foundational knowledge and research of new applications to solve the user token challenge of this machine.

Tyler Booth introduces the Haystack challenge

What did we learn? Penetration testing is about failure and tenacity. Failure as in not every technique will work, even if previously successful. Tenacity in that there is always a way in and it’s just a matter of finding the vulnerability in the app under test. The career is about learning, constant research, and adapting techniques and foundational knowledge to new situations. Its non-linear: oftentimes there is more than one solution to the challenge. And it’s exciting – Everyone in the room certainly felt the thrill when an exploit resulted in privilege escalation or uncovered a clue to the next step.

Hack the Box terms of use prohibit sharing steps to solutions for active machines, so we are unable to post Tyler’s detailed notes for the challenge. However we can list some of the tools and techniques discussed that will be of interest to those those wishing to try other Hack the Box challenges or pursue a career in red teaming.

This list referenced items discussed during the meeting and is provided so that attendees can reference for more information. It is not an exhaustive list of security tools and does not represent endorsement of any tool over another.

• nmap – Network Mapper for host and service enumeration
• DirBuster – Now part of OWASP Zed Attack Proxy
• Cyberchef – Multi-use toolkit including decoding, formats, and data operations
• Gobuster – Brute-force tool for URIs, DNS, and virtual hosts on web servers
• Burpsuite – Popular tool kit for web vulnerability testing
• SecLists – Repository of useful lists for security testers for thing such as usernames, passwords, sensitive data patterns, URLs, etc.
• Elasticdump – Tools for moving and saving indices
• ProxyChains – Unix tool for redirecting application network traffic through a SOCKS or HTTP proxy
• FoxyProxy (Firefox | Chrome) – Browser add-on that features advanced proxy settings

The Open Web Application Security Project (OWASP) Foundation page holds many great resources for those wishing to learn more. One related to this event is the page on Attack categories, which defines many common application attacks.

Interested in learning more about RISE or attending a meeting? Reach us at roanokeinfosec@gmail.com to get on our mailing list for meeting reminders and upcoming events!