Skip to content

Cyber Security Learnings

These are my notes on the challenges from blue team perspective on what detection/prevention measures could be taken to prevent exploitation/compromise involved in the challenges.

 

Wireshark Practice

The host got infected because the user clicked on a link an email to download a zip file.
Below measures could help in preventing this :

1)     Email Monitoring to detect and potentially quarantine emails from suspicious senders.

2)     Network monitoring and prevention on which external domains/IP user can go to.

3)     EDR on workstations to block executions on suspicious files.

4)     Phishing simulations on uses with the intent to educate them to not click on arbitrary links.

 

Windows Events Logs

- Enable PowerShell Auditing

- EDR on hosts to block execution of suspicious executables based on behavior (keylogging)

 

Prison Escape

The user in the container was a privileged user and that allowed them to mount the host drives and then access them.

- Dont assign root privileges to the users in a container.

 

Jolly CI/CD

The developer checked in their SSH private key in the GitLab repo.

- The GitLab repos should be monitored for hard coded SSH keys or any sensitive information relevant to the organization

- Upon detection of sensitive keys [e.g., SSH private key] in the repo, the keys should be rotated immediately.

 

Naughty IP & Credential Mining

That one IP address 18.222.86.32 sent >900 POST requests to /login.html within the same minute 10/05/2022 16:46 a clear case of brute force attempt.

- Implement strong passwords and for the compromised logins, reset passwords.

- Implement rate limiting so we dont see so many attempts in a short time

- Implement MFA to stop the attacker if the password is compromised.

- Implement BOT protection/Captcha to prevent automated attempts.

 

IMDS, XXE and other abbreviations

In this case AWS EC2 Instance Metadata Service version 1 was used which allows programmatic access to metadata about the EC2 instance, its network and Its storage and that would include security credentials too.
- Use
IMDSv2 instead which makes it harder for an attacker to exploit than IMDSv1.

 

Open Boria Mine Door

We can send the inline Javascript as input because of the insecure content security policy unsafe-inline'

- Implement strict content security policy depending upon the architecture of the app.

- Implement output encoding of HTML and Javascript on the server side using corresponding standard framework libraries.

This illustrates usage of a Node.js library to encode Javascript.

 

Glamtariels fountain

This leveraged XXE (XML External Entity) injection to retrieve arbitrary files from the host system.

XXE injection leverages DTD (Document Type Definition) processing which we should disable altogether when loading the input XML on the backend. Here is an example .NET framework property which can be used to totally prohibit DTD processing which will prevent XXE injection.

 

Exploit a smart contract

I think if the root hex value was not hardcoded in the request payload and visible for every request, we would not have been able to inject our own Merkle tree. If It was not hardcoded and our wallet/proof values were checked with the root hex of the Merkle tree on the server side, It would have been difficult to exploit this.

- Never hardcode any input.

- Any artifact which is needed to make a logical/business decision, have a server side check on them to prevent any security issue with the business logic.

- Include manual code review of the application in the SDLC.

- Implement Automated static code analysis in the CI/CD pipeline. This may few false positives but may show some glaring hard-coded values