Hacking Metasploitable Enumeration & vsFTPd vulnerability


In this series, I plan to show how I owned Rapid7’s vulnerable Virtual Machine, Metasploitable2.

When hacking computer systems, it is essential to know which systems are on your network, but also know which IP or IPs you are attempting to penetrate. In Metasploitable that can be done in two ways, first, you can quickly run the ifconfig command in the terminal and find the IP address of the machine or you can run a Nmap scan in Kali. I will attempt to find the Metasploitable machine by inputting the following stealth scan.

The SYN scan is the default scan in Nmap. It is also a quick scan and stealthy because it never completes TCP connections. This scan specifically searched all 256 possible IP addresses in the range, therefore, giving me the open machines. In my test lab, I had four computers running, one being my Kali box, I was able to find the Metasploitable2 box and all of the open ports.

The next step thing I want to do is find each of the services and the version of each service running on the open ports. Again I will use Nmap for this by issuing the following command.

This scan is again doing the Stealth Scan, but also the -sV flag is verifying the versions of the services, and the -O flag is verifying the operating system running on the machine.

So, what type of information can I find from this scan?

Now I know the operating system s Linux version 2.6.9-2.6.33, the host is running Telnet, which is vulnerable. Also older versions of Apache web server, which I should be able to find a vulnerability for, I see that port 445 is open, this is the SMB or server message block port, I know these are typically vulnerable and can allow you to enumerate the system reasonably easy using Nmap. These are the ones that jump out at me first. I know these will likely give me some vulnerabilities when searching CVE lists.

Next, since I saw port 445 open, I will use a Nmap script to enumerate users on the system.

I decided it would be best to save the results to a file to review later as well. I receive a list of user accounts. Here is where I should stop and say something. You should never name your administrator accounts anything like admin, It is easy for an attacker to determine which username is the administrator and then brute force that password and gain administrator access to that computer.

We found a user names msfadmin, which we can assume is the administrator.

Next, I am going to run another Nmap script that will list vulnerabilities in the system.

Using this script we can gain a lot of information. I saved the results to a text document to review later, and I’m delighted I did. I knew the system was vulnerable, but I was not expecting the amount of information I got back from the script. The script gives a lot of great information, below I am showing the first line I was able to retrieve.

As you can see, the script gives me a lot of information. It tells me that the service running on port 21 is Vulnerable, it also gives me the OSVBD id and the CVE id, as well as the type of exploit. This is very useful when finding vulnerabilities because I can plan an attack, but also, I can see the exact issue that was not patched and how to exploit it.

I decided to go with the first vulnerable port. As the information tells us from the Nmap vulnerability scan, by exploiting the vulnerability, we can gain access to the server by creating a backdoor. I decided to find details on the vulnerability before exploiting it. I followed the blog link in the Nmap results for scarybeastsecurity and was able to find some information about the vulnerability. From reading the documentation, I learned that vsFTPd server is written in the C programming language, also that the server can be exploited by entering a : ) smiley face in the username section, and a TCP callback shell is attempted.

I used Metasploit to exploit the system. The first step was to find the exploit for the vulnerability. I did this by searching vsFTPd in Metasploit.

Searching for the exploit returned the above exploit for the service, so the next steps were pretty simple. In Metasploit, I typed the use command and chose the exploit. Next, I ran the command show options, which told me I needed to provide the remote hosts (RHOSTS) IP address; this is the target machine’s IP address. After that, I just had to set the RHOSTS value to the IP address and type exploit in the command prompt.

From there, a remote shell was created and I was able to run commands.

Next, I wanted to set up proof that I had access. So I decided to write a file to the root directory called pwnd.txt.

I went to the Metasploitable server and changed my directory to the root directory; from there, I was able to see the pwnd.txt file and read the data.

I was left with one more thing. I wanted to learn how to exploit this vulnerability manually. So I tried it, and I sort of failed. First, I decided to use telnet to enter into the system which worked fine, but then I ran into some issues. I assumed that the username could be a smiley face; however, after searching on the web, I found out I needed to have a smiley face after the user parameter.

I did a Nmap scan before trying the manual exploit and found that the port at 6200, which was supposed to open was closed, after running the manual exploit the port is open.

The next step was to telnet into port 6200, where the remote shell was running and run commands.

In conclusion, I was able to exploit one of the vulnerabilities in Metasploitable2. Next, I will look at some of the websites offered by Metasploitable, and look at other vulnerabilities in the server.

Post Shmoocon 2020


                Over the last weekend, I was able to go to Shmoocon for the third year in a row. This year, however, I decided not to work on CTF challenges the whole time while “Listening” to talks. Instead, I was present at the talks, and it turns out, Shmoocon has some great discussions. While most people at Shmoocon typically try to take a lot of technical advice and come back in full force ready to tackle new exploits or something of that nature, this year I left in a more inquisitive than fired up ready to “pwn.” In this post, I hope to explain four topics that have made me think a lot since the weekend and things that maybe we don’t think of enough in the security community or the dev community.

The user isn’t stupid

Every year at Shmoo, one of the founders of Shmoocon, Bruce Potter, gives a rant about the industry and changes he wishes to make in the industry. Every year, I think I have heard Bruce talk about the same thing the users aren’t stupid. We need to start building better tools to protect the user. This got me thinking a lot about what we do in the security industry, I see this done in many areas of business, but we often call those who use bad passwords dumb, or we think someone is stupid because they can’t figure out things in our programs that we wrote. Often the user is not actually at fault. It is our fault for not educating the masses.

This includes any area of business really, I have seen people call clients stupid for not being able to do the work the company does, although if they did know how to do it, we wouldn’t have jobs. I remember a talk with a friend of mine recently who is in User Experience, and he said: “Developers and IT People are not great at designing tools, they work great usually, but internal tools are always a pain to work in.” And if we are honest, it is true. While some tools that we design function great for our needs, 80% of the staff is going to be confused by the buttons or naming convention or something else. We think differently than most. That is why your CEO doesn’t have 2FA and uses the same password for Facebook as they use for their corporate email. They haven’t been trained to think like a hacker, but they have been trained to make deals and sell an organization.

This talk made me think more about why I want to be in this industry. I think most people want to be in the industry for one of two reasons, they want to break stuff and not get arrested, or they want to break things and protect users. I hold firm that my purpose is to protect others, breaking stuff is fun, I find trying to figure out solutions to challenges exciting, but at the end of the day, I work in this industry to help others know how to protect themselves from people like me, who want to harm them.

Bruce ended by encouraging us to get better at what we are currently doing, instead of trying to learn everything, which leads to the next takeaway.

I need to stop working more and start working smarter

                Bruce also noted that the security industry has a hard time selling our industry because we also tell everyone they must work off the clock consistently to learn. This leads to a massive amount of burnout and fatigue and makes us irritable with future generations. The security community prides itself on people who work 60 hours a week, with at least 20 of that being off the clock on our own time. As a leader, it made me think more about learning opportunities for the employees around me. What can I do as a leader to provide more learning opportunities for the staff at my organization without forcing them to learn on their dime?

                I must admit this is a challenging endeavor, first because I must practice what I preach. I am the master of always working on something or some goal. Secondly, because I work for a small organization and it feels like there is always too much work to do. Four years ago, when I started in IT, I learned a lot of things by doing, I was pushed to learn new things because if I didn’t learn it, it would not get done. Luckily, my bosses gave me the time I needed. Maybe that is where it starts, giving others small projects that they can learn on, and that pushes them to do better. Training sessions and mentoring from the leadership will also help mold employees. The security community is small, and sometimes it seems that it is difficult to learn. Leaders need to start mentoring those under us (and I am still very new to the field also, I need mentoring myself) and give them the chance to learn when they are on the clock, not off the clock.

What was a great feature, could turn into a bug

                During the opening day, I got to see a talk by Jonathan Leitschuh, who is mostly known for finding the Zoom Zero-day in 2019. What I found most interesting about Jonathan’s speech was his interaction with Zoom developers. They insisted that the vulnerabilities that Jonathan found were features that made Zoom attractive to their clients. While the webserver was a feature in the Zoom product that made it easier and more efficient to use the product, it was creating a backdoor that put customers at risk.

                This could be true about just about any application. Most developers did not learn security, and honestly don’t think like hackers most of the time. Their jobs, in most cases, are to get a product out as fast as possible that meets the needs of the organization. Many of these developers are being pushed to do things much quicker. I have been pushed to get products out the door in my organization very quickly, and it has prevented me from doing the job that I would have liked. I’m sure most penetration testers could tell you that they wish they had longer to poke around for holes in a network as well. The point is, in the security community, as well as in all industries, we need to learn to adapt and understand that many of the “features” few are looking for in things, can create opportunities for holes that we weren’t expecting. As a security person, I need to understand that not everyone will think the way I think and that I need to be understanding of that and use it as a learning experience and not as a whipping stick. As a developer, I need to understand the scope of a program I am writing and think about the holes that could be opened because of a feature that makes things convenient.

Security isn’t just CVEs it’s also misconfigurations

                Lastly, I enjoyed a talk by Mark Manning on Kubernetes security for Pentesters. This was an excellent talk primarily because Mark notes that his talk was not on Zero Days in Kubernetes, but it was on misconfigurations. This is something I struggle with myself; I think we often focus on zero-day attacks or CVEs, but we don’t focus enough on proper configuration. Every conference seems to be focused on zero-days or new vulnerabilities. I rarely ever see a talk where a person shows how they pwned a system because it was not correctly configured, yet that seems to be the nature of a large number of attacks. The Capital One data breach did not happen because of a vulnerability that was disclosed and unpatched, or some new zero-day that was dropped. It happened because one of Capital One’s databases were left exposed to the internet. It has shifted my train of thought. There are likely three times as many systems that are vulnerable to attack over the internet because of misconfigurations as there are those that are vulnerable because of a zero-day.

Bandit Walk Through 4


Bandit Level 9

This challenge wanted us to read the file data.txt and find the human readable strings beginning with several equal signs. Since there was non-human readable code in there, I knew that I could use the strings command to get the readable code. I also used grep to find only the lines that matched the === pattern.

Password = truKLdjsbJ5g7yyJ2X2Ro3a5HQJFuLK

Bandit Level 10

This time the flag is again stored in a data.txt file, but the data is encoded using base64. For this challenge I need to read the data using echo and pipe it to decode using base64 decoder.

Password = IFukwKGsFW8M0q3IRFqrxE1hxTNEbUPR

Bandit Level 11

This time the flag is again stored in a data.txt file, but this time the encoding method is ROT13. I looked up how to encode ROT13 in linux and found a command using the translate command. I echoed the data from the file and piped the translate code.

Password = 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12

This one was very tedious. I am sure there was a much simpler way than the way I did, it but I will have to find out later. Essentially this time the data.txt file has been compressed several times. The objective is to decompress the file every time by determining the name of the file, renaming it, then decompressing the file. This was done in several steps so I will not explain how I did it but will show it all below.

Password = 8ZjyCRiBWFYkneahHwxCv3wb2a10RpYL

Bandit Level 13

This time the challenge required us to use ssh from the level 13 server and log on as the level14 user using a private key. I had to look up how to use private keys in ssh and was able to find ample information. I’m becoming a Google Fu blackbelt!  I used the below command to do so.

Then it was as simple as reading the etc/bandit_pass/bandit14 file to get the flag.

Password = 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit Level 14

For level 14 the requirement was to send the password for level 14 to port 30000 to retrieve the next flag. I used netcat and then put the current password in. That gave me the next flag

Password = BfMYroe26WYalil77FoDi9qh59ek5xNr

PicoCTF 2019 Part 2

This flag gives a weird Text File that has the flag hidden inside. At first glimpse, without downloading the file, I figure it must be hidden as a txt file, but it is another file type. After downloading the file, I use the file command to read the kind of file it is. Upon reading the output, I notice that flag.txt is a PNG image file, so I changed the extension to png and used eye of gnome to view the png file and get the flag.

Flag = picoCTF{now_you_know_about_extensions}

First Grep
The title of this challenge gives an obvious hint as to what the command we are going to use is. Grep is going to be piped into the reading the file to find an expression that is being passed. I am going to use the cat command to read the file, then pipe grep and search the file for anything that begins with pico. So the command would look like this “cat file | grep pico”. Which gives the flag.

Flag = picoCTF{grep_is_good_to_find_things_eda8911c}

In this challenge, we are being challenged to use Netcat to comment to the shell server on port 32225 to get the flag. Netcat is used to read and write to TCP and UDP listening ports. When using the command, I am given the correct flag.

Flag= picoCTF{nEtCat_Mast3ry_b1d25ece}

This challenge required me to connect to the shell server using SSH and then to run a program. The knowledge necessary to run this challenge is how to run a program on a Linux environment. First, I connected using ssh to the shell server. Then I used the listing command ls to view the files in the directory. I noticed that a file named run_this is in the directory, so I ran the program using the command “./run_this.” Running that command returned the flag.

Flag = picoCTF{g3t_r3adY_2_r3v3r53}

This challenge required me to find a site that is not allowed to be seen by web scrapers. This challenge was named aptly for the type of file we are looking. When someone does not want google or other scrapers to find a site they may be hosting on their servers they use a file called robots.txt. This file is typically found by inputting the directory of the website and appending robots.txt at the end. I tried this and was given the robots.txt file. From there, we can view the file that is not allowed. As seen in the picture below, a file named 0194a.html is being disallowed.

When going to the file in question, the flag is seen.

Flag = picoCTF{calculating_Mach1n3s_0194a}

So Meta
In this challenge, we are given an image file that contains the flag. According to the name of the challenge, it is safe to assume that the flag is hidden in the metadata. I used a tool called exfiltool to extract the metadata out of the image file, and from there was able to see the flag under the artist’s header.

Flag = picoCTF{s0_m3ta_dc38ce45}

Strings it
In this file, we are given a program that has the flag hidden inside. The object is not to run the file, but to find it in the source code. Because the challenge is called strings it, I assume that I must have to use the strings command to find the data. The strings command shows the human-readable content within a file. What I decide to do is use strings to copy the information to another file that I can use grep. I use the strings command and the > operator to move all human-readable characters to a text document. This allows me to use grep to read anything that starts with pico from the text file.

Flag = picoCTF{5tRIng5_1T_d5b86184}

Vault Door Training
This challenge gives us a java program that is hiding the password. The java file is supposed to be used to determine if the user has input the correct password. If they have not, they are denied access. The password is hardcoded into the program, and the program is attempting to determine if the user input matches the hardcoded password. For this file, it is simple, read the source code and find the hardcoded password.

Flag = picoCTF{w4rm1ng_Up_w1tH_jAv4_3b50073Bc12}

This challenge is very similar to the vault door Training challenge; however, the programmer thinks they have hidden the password much better in the program. They have used the java charAt() command to hid the password. The charAt() command specifies the location of the character. If I wanted to construct the word pizza and I were to use the function charAt() with a parameter of 0, charAt(0) == ‘p’ && charAt(1) = ‘I’ and so forth I could spell out pizza. The developer has tried to use these out of order. The first thing I did was I used grep to find all of the lines that start with password.charAt. Then moved that to a file called vault.txt.

Next, I want to cut the file so that I can sort it. I use the bash command cut to cut out anything before the opening parenthesis.

Next. I use the bash command sort to sort the contents by number, and I have to write out the flag

Flag = picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_03f841}

Changing Threats in Healthcare

                October is cybersecurity awareness month. All month long, many organizations have made it a priority to spread awareness to the members of their organization as well as disseminating information to the public on how to protect themselves.

                Over the last decade, I am sure you have heard about your healthcare data and the importance of HIPPA to healthcare organizations. Healthcare data is essential to protect; every person reading this article right now plays an integral part in securing this type of data. As a consumer of healthcare products and apps, it is necessary to focus on protecting your data. Working in a healthcare company puts a unique amount of risk to threats we face. 

                Over the last four years, the threats have changed significantly. According to Steve Mansfield-
Devine (2017), the threat landscape has changed from stealing and selling patient data to attacking healthcare organizations using ransomware techniques. Ransomware is a malware type that takes over a computer’s records and holds it ransom until the owner of the data pays the ransom. Most of the time, this type of attack uses encryption and encrypts the files of the computer and will not release the decryption key until the ransom is paid. You may have heard of this in the news recently. Personal Identifiable Information or PII is not worth as much as it used to be because of the massive amounts of data breaches that have occurred over the last few years. Stolen health data was worth $75.00 – $100.00 per patient in 2015, now that price has dipped to $25.00 to $50.00 per patient record on the dark web (Mansfield-Devine, 2017).  Ransomware attack averages are much higher. Healthcare organizations cannot afford to have downtime for patient safety and financial reasons, which means they are twice as likely to pay the ransom. The Crytpolocker attack that happened in 2013 made the attackers $30,000,000 in 3 months (Slayton, 2018). 

 Attackers are financially motivated to attack healthcare organizations, who cannot afford downtime. Many small healthcare organizations could not afford to pay the ransoms that the attackers are requesting. Even if they were able to, HIPPA regulators could fine the companies for each patient record that was attacked, which could bankrupt an organization. For most, this should be incentive enough to ensure the safety of files. Some of the ransomware attacks are linked to Nations such as North Korea or related to criminal and terrorist organizations. 

                Many of the ransomware attacks have stemmed from phishing and spamming campaigns (Mansfield-Devine, 2017). Weaknesses in protocols, such as the SMB protocol has led to ransomware spreading and infecting entire networks. It is crucial to understand how these types of infections spread and to be wary about clicking on links. Many of the attacks come from what is called spear-phishing. In spear phishing, the attacker crafts an email from a client or member of the organization, and requests that the user opens a malicious pdf or click a link that downloads a malicious file onto their computer. The malicious file allows the attacker to control the victim’s computer. As healthcare professionals, we are all responsible for protecting the data integrity of our clients as well as protecting our data. Ensure you are not clicking on any links that are being sent to your email unless you can confirm the validity of the email. If you are unsure, do not hesitate to ask, no one will be angry with you for ensuring the security of the organization. It is the responsibility of everyone to protect company assets as well as protecting your data.

Works Cited.

Mansfield-Devine, S. (2017). Leaks and Ransoms- The Key threats to Healthcare Organisations. Network Security. June(2017).

Slayton, T. (2018). Ransomware: The Virus Attacking the Healthcare Industry. Journal of Legal Medicine. Doi: 10.1080/01947648.2018.1473186

picoCTF 2019 part 1


In the 2warm challenge, we are given a base 10 number, 42, and we have to change it to a binary base 2 number. I decided to use a python script to complete this challenge. Created an input that saves the number, converted the number to binary, and took out the leading two characters. Then I printed that to the command line, and it gave us the solutions.

Flag = picoCTF{101010}


This next challenge gives the flag encoded using ROT13 encryption. I decided to use python again for this operation. I created an input for the flag that stored the encrypted flag in a variable called rottenCode. Then decoded rottenCode using the codecs library in python and stored that in a variable called ripecode. I added a new step here where I added pyperclip to copy the code straight to the clipboard so that I could paste it much easier.

Flag = picoCTF{not too bad of a problem}

Glory of the Garden

At first, I tried to use hexedit to view the file. However, the file was too large to look through and view the flag. Even when I moved it to a text document it was not easy to grep. Instead I used Strings, and I pasted placed the output into a text file so that I could grep the output. I then grepped the output looking for the line that started with pico, which gave me the flag.

Flag = picoCTF{more_than)m33ts_the_3y31e0af5C7}

Lets Warm Up

This challenge requirement is that a hexadecimal value is converted to ASCII. This is another challenge that is great to solve with python. I imported codecs, saved the hex value into a variable called hexInput. Then decoded the hexInput using codecs. The string needs to be converted from bytes to UTF-8. Then printed the flag.

Flag = picoCTF{p}


This challenge offers a picture that has a bunch of numbers that needs to be converted to letters to find the flag. First look I noticed that it had the curly braces that are typical of the picoCTF flag, so I noted that it was likely the entire flag. Since each of the numbers was under 23 I figured it must be the location of the letter in an alphabet array. I used python to convert this one, as well. Using python I started by placing the alphabet into the variable alphabet. I set up two arrays, one to start the first half of the flag before the curly braces and the second array for the second half of the array. I iterated through the alphabet variable to find the letter that was at each spot in the alphabet variable. I realized that the variable would start at the location of zero, so I had to subtract one from each number in the arrays. Then I concatenated the values of the flag with the curly braces and printed the value of the variable picoFlag.



This was an easy flag that I was able to do in the terminal. First, I used wget to download the zipped file into my folder. I Unzipped the folder, then noticed there was a png file inside the zipped folder. Sometimes the file may be a png file, but upon further inspection you can notice that the file is something different. So I checked the file to ensure it was a png file, which was then used Eye of Gnut to open the image, which gave me the flag.

Flag = picoCTF{unz1pp1ng-1s3a5y}

Warmed up

In this challenge, the flag is a base 16 converted to a base 10. In other words a hexadecimal value needs to be converted into a decimal. I used python to find this flag, as well. I stored the value in a hexstring variable. Converted the hexstring to an integer, then printed the concatenated the flag wrappers with the value of the hexString variable and printed that to the command line, and copied it using pyperclip.

Flag = picoCTF{61}


This flag gives a website that you need to inspect to find the flag. The first thing I noticed was that the website mentioned HTML, CSS, and JS. This made me automatically think that the flags were going to be hidden in all three of the files in the source code.

I first checked the HTML source code and found the first 1/3 of the flag.

Next I viewed the CSS file and found the middle section of the flag.

Lastly, I found the last portion of the flag in the JavaScript file.

Flag = picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?1638abde7}


One of the most frustrating things to me is that the easiest way to secure yourself and your data is to not use the same incredibly insecure password for every account you have. No matter the amount of information on the web informing users to use different passwords for every account, or the password complexity rules that organizations use on their websites, users do not seem to understand the importance of proper password hygiene. Do users take all the blame, though? Have we as security professionals made password security too complicated, and failed to teach appropriate password security?

Users will inherently use the same password over, and over again because, quite frankly, there are too many passwords to remember for all the accounts we have access. When an organization is breached, and usernames and passwords are stolen, the combinations are sold on the dark web. When users are alerted that their information is taken in that breach, they may change their password on the site that was breached, but most of the time they do not change their passwords for other sites as well. When a user buys this information on the dark web, they can use these lists to attack other sites and find matches. This is called a credential stuffing attack. The Open Web Application Security Project defines credential stuffing as “the automated injection of breached username/password pairs to fraudulently gain access to user accounts” (OWASP, n.d.). When the username and password pair is compromised, and an attacker has access to another account they can take over the account, the user was not aware was compromised. The attacker then can drain stolen account of credit card numbers, personally identifiable information, or use the account to send spam, or make other transactions (OWASP, n.d.). If a user uses the same password for a corporate account that they use for breached accounts, corporate networks can be exploited. Need more proof of their popularity? Research a couple of breaches such as the Yahoo and Sony breaches in 2011 and 2012, both of which were the result of credential stuffing.

This is a prevalent type of attack, and many users are vulnerable to this type of attack, but how do users protect themselves from attacks? The most important way is to use a different password for every account, and keep them 24 characters in length and keep them as random characters. It’s that simple… Many users, dare I say all regular users, would have a challenging time remembering all of these random passwords. This is where technology can benefit the user.

First, multifactor authentication should be used on all accounts that prohibit it. While text messaging the password is not secure to sim swapping, it will help secure the average user. Applications such as Google Authenticator are much more secure, but it is not widely adopted currently. Other authenticators are physical authenticators such as YubiKey. These are USB devices that are plugged into phones or computers to authenticate the user. If the user does not have the device, then they are not able to access accounts. However, a targeted attack could leave a user vulnerable in this type of attack if they were to leave the Yubikey in their computer and walk away.

Another option for securing information is to use a password vault, such as LastPass. When using this type of program, a user only has to remember their password to the vault, which should be a very secure passphrase that is 16-24 characters in length, using substituted characters. The password vault can create randomized strings as passwords for each account. The user only has to remember the one password to vault. Both of these measures should be used together to secure accounts. However, there is not a foolproof method to secure an account.

If you would like to know if your account has been breached Troy Hunt’s website Have I been Pwned is a great resource to see which accounts have been breached. The website can be viewed here https://haveibeenpwned.com/

Security professionals should ensure that usernames and passwords do not show up on password lists when a user sets up a password for an organization. Have I been Pwned can help in securing corporate networks by ensuring breached passwords have not been used.

Works Cited

Credential Stuffing. (n.d.) Retrieved on July 8, 2019 from https://www.owasp.org/index.php/Credential_stuffing

Baltimore Encoded: RobbinHood

For the last month, the city of Baltimore has been dealing with a ransomware variant called Robbinhood. The ransomware author is asking for 100,000 dollars to decrypt the city’s files. As has been explained previously in my blog, Ransomware is a type of malware that infects systems and encrypts each file on the infected endpoint. Once it has completed the encryption process, a ransom note is left to instruct the user how to decrypt their files. If a company has not followed proper security controls and created offline backups of critical systems, all of their information could have been lost if they do not pay the ransom. Unfortunately, many targets of this type of malware have learned this the hard way.

Baltimore is not the first city to deal with this type of attack. Atlanta had a similar incident happen by the Iranian malware Sam Sam ransomware in 2018. The Baltimore attack does not appear to be from the Iranian Sam Sam group.

A recent media article insisted that Robbinhood made use of the NSA developed exploit Eternal Blue that was used in the Stuxnet attack against Iran, and to some is considered the first Cyber Weapon (More to come on this in a later blog post). Brian Krebs of “Krebs on Security” has reported that it is not likely that it uses the Eternal Blue exploit (Krebs, 2019). Because of the Media report that this exploit was used, some have argued that this attack is the fault of the NSA and the Federal Government is held responsible for the attack.

I’m going to stray away from the explanation of the ransomware for a second because I think something needs to be discussed. The eternal blue exploit was leaked by the Shadow Brokers in 2017, from there the WannaCry, and NotPetya cyberattacks were developed, and a subsequent patch was released. While the exploit was developed by discovering a vulnerability in the SMB protocol and held by the NSA for use did create the opportunity for these types of attacks to occur, it is in no way the NSA’s responsibility that a municipality would allow their systems to go unpatched from a very well-known vulnerability. We can argue the ethicality of the NSA stockpiling exploits, but that does not change the fact that Baltimore did not patch a well-known vulnerability. –End rant

Bleeping computer has a great article that I would suggest everyone if they are interested in how this ransomware works. The article is located here https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/.

Essentially the tl;dr is that Robbinhood disconnects network shares upon execution and then is likely pushed through a domain controller. The ransomware looks for an RSA encryption key in the C:\\windows\temp directory. If the key is present, it will then shut off services, such as antivirus, database, mail server, and so forth that would prevent encryption. During its preparation stage, it clears shadow copies, event logs, and disables automatic repair. Once preparation is complete, the malware begins encrypting the files on the endpoint. Once complete a message appears that explains to the user how to decrypt their data. The surprising thing to me is that the message explains Asymmetric encryption to the user.

Brian Krebs reports that this is vanilla ransomware; it is not highly sophisticated and does not seem to use any lateral movement (Krebs, 2019). Something interesting in this attack is that the code uses a text string that says Valery, which shows similarity with the GanCrab ransomware strain that the developers had just announced they had retired (Krebs, 2019). This would make me think that either one of the developers from that attack decided to start their new strain or someone is trying to frame the GanCrab developers. Krebs and other security researchers believe that the author may be marketing their malware (Krebs, 2019). If this is a marketing campaign, which would make sense with the tweets targeted toward the Mayor of Baltimore, this could mean a bigger target, or more targets are possibly next by other adversaries who will rent it out. Municipalities are known for not paying the ransoms, so it would not have been a great target except for the marketing purposes. This attack is expected to cost Baltimore, an already fledgling financially city, 18 million dollars in recovery and lost revenues.

Works Cited:

Abrams, L. (2019). A closer look at the Robbinhood Ransomware. Retrieved on June 5, 2019 from, https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

Krebs, B. (2019). Report No Eternal blue Exploit Found in Baltimore City Ransomware. Retrieved on June 5, 2019, from https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

Bandit Walk through 3

Level 5:

This level required me to find the password stored in the inhere directory that had three properties; it had to be human readable, 1033 bytes in size, and not an executable. For this, I decided to use the find command. I knew I would need to give it a few other flags, so I started by changing the directory to the inhere directory. I constructed the command to look for the size of 1033c ensure it was readable with the readable flag and not an executable by inputting the special character for not in front of the flag for executable. This returned a directory and file; I used the cat command to read the file, notice the file has a period in front of it, so I had to use an escape character to get to it.

The password for level 6: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level six’s password was stored somewhere on the server and had to be owned by the user bandit7 and the group bandit6 and had to be 33 bytes in size. Using the find command, I searched the entire server by inputting /. Then looked for a file type of f for file and inputted a couple of flags for size, the user and the group. Initially, when I did this it returned so much information, I got a headache. I wanted to figure out how to only return the one location that met all these parameters. I came across the Linux documentation and saw the final command in the string 2>/dev/null. This specific string returns only the correct location because it stores all the errors (stderr) I was seeing earlier into the dev/null file. Once I got that information, I was able to cat the file and receive the password.

Password for level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

I got Occupy the Web’s book “Linux Basics for Hackers” for Christmas, when reading that book I learned a lot about grep, I had used it previously but was not very familiar with it prior. As soon as I saw this challenge I knew how to figure this one out. Level 7 stores the password in a data.txt file next to the word millionth. I know I could pipe grep millionth into a cat command call and it would return the password.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8:

Level 8 had a password stored in the data.txt file, but it was the only line of text that was unique. I decided to read the file, sort it by piping the sort command, and then identify the unique line of text by using the uniq -u command. That inevitably returned the password.

Password for level 9: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The Art of Deceptive Magic

Recently I was listening to a podcast, Hacking Humans, by the team at the Cyberwire. Joe Carrigan was speaking about an article he had recently read. The article was about a study from eye movements in illusions. The specific illusion in question was an illusion where the magician throws the ball in the air several times, the last time the ball is thrown the magician catches the ball, yet pretends the ball is still being thrown. The person watching does not realize this then magically the ball disappears. When people are asked what happened to the ball or when the ball disappeared, they swear the ball was still in motion even after the ball has been laid in the lap of the magician.

Why does the audience still swear they see the ball even though it has disappeared? The article explains that the audience members are watching the eyes of the magician and not the ball, so when the magician’s eyes continue to show the movement of the ball, the audience is convinced that the ball is still in motion. However, when the audience members know the trick, they are no longer tricked.

At this point in this blog post, you, the reader, are probably wondering what this has to do with cybersecurity? Social engineering is a practice in information security in which a malicious actor uses psychology to manipulate and deceive users into revealing sensitive information. These types of attacks usually distribute malware. A social engineering attack can be carried out in multiple ways, and in many cases, have multiple layers. If you were to read Kevin Mitnick’s book, “The Art of Deception,” you would hear of many attacks that used many hacking attempts that use multiple layers of social engineering. It could be calling a company, pretending to be from another branch to get a company directory, then from there working up to get in touch with the CEO, and from there sending out an email with a malicious link and so forth. The point is there are many ways that social engineering attacks can be played out, but they all use deception.

The CIA had a guide for Trickery and Deception from the Cold-War that taught Agents how to deceive others in the field. One of the ways it taught to poison a drink was to light the other person’s cigarette and drop the poison in their drink. The reason this works is that the person will not take their eyes off of the fire. The social engineer would do the same thing; they deceive you by using fear of what is right in front of you, to exploit another hole. Social engineering attacks have the main purpose of taking your eyes off one thing, while a weak spot is exploited.

Social engineering awareness training is very important as can be seen from the example from the magician. Once the audience members understand the trick, they are never tricked again. A good trainer would know of many different ways in which social engineering attacks are carried out and would prevent them by giving explanations and testing employees. The training must be done in a way that the employees would understand the importance, and would be something that employees would want to do. Once they learn how to spot tricks, the company becomes safer.