Secure Universal Cyber Kittens (S.U.C.K)

 Quick update on my status               I've been taking the  OSCP  PWK  course, kinda crazy how fast things move. This was a good experience that I honestly did not believe I was capable of. It's interesting that the course was in a lot of way easier than I expected, that being said, it is in no way easy. I likely wont pass my first time and the 60 day mark (about two weeks from today) is coming up quick! I'll update this blog and probably do a few walk throughs and work on build an OS from BIOS when I'm done with this.  BROUGHT TO YOU BY YOUR FAVORITE... Peace out for now homies!!!

Bandit 16 Level Goal The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000 . First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it. Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap Helpful Reading Material Port scanner on Wikipedia Okay so per our instructions it seems we need to use a port scanner here. I used nmap here last time and am fairly familiar with it, bandit16@bandit:~$ nmap -sV -p 31000-32000 localhost Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-27 20:04 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.00063s latency). Other addresses for localhost (not scanned): 127.0.0.1 Not shown: 996 closed ports PORT STATE SE

Bandit 15 Level Goal The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command… Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap Helpful Reading Material Secure Socket Layer/Transport Layer Security on Wikipedia OpenSSL Cookbook - Testing with OpenSSL Last time on bandit! : BfMYroe26WYalil77FoDi9qh59eK5xNr So our next thing, we need to read two things, it's pretty obviously hinting that we should use ssl, and by luck! We've got a command called "openssl" lets look at that first, which I found here . So first of all the synopsis: openssl command [ command_opts ] [ command_args ] openssl [ list-standard-comman

Bandit 14 Level Goal The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost . Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap Helpful Reading Material How the Internet works in 5 minutes (YouTube) (Not completely accurate, but good enough for beginners) IP Addresses IP Address on Wikipedia Localhost on Wikipedia Ports Port (computer networking) on Wikipedia Okay so I know telnet doesn't have authentication. I know I'm probably using that so I check the man page. Synopsis telnet [ -8EFKLacdfrx ] [ -X authtype ] [ -b hostalias ] [ -e escapechar ] [ -k realm ] [ -l user ] [ -n tracefile ] [ host [ port ]] Okay so the command will be "telnet localhost 30000", remember those instructions from the previous level on where that password was? Neither do , lets read it again! "The pa

Bandit 13 The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14 . For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap Helpful Reading Material SSH/OpenSSH/Keys So the link provided kind of sucked for telling us what we need here, if you don't know already, RTFM. Looking at the man page we see a switch for ssh. ... SYNOPSIS ssh [ -1246AaCfGgKkMNnqsTtVvXxYy ] [ -b bind _ address ] [ -c cipher _ spec ] [ -D [ bind _ address :] port ] [ -E log _ file ] [ -e escape _ char ] [ -F configfile ] [ -I pkcs11 ] [ -i identity _ file ] [ -L address ] [ -l login _ name ] [ -m mac _ spec ] [ -O ctl _ cmd ] [ -o option ] [ -p port ] [ -Q query _ option ] [ -R

Bandit 12 bandit12@bandit:~$ ls data.txt bandit12@bandit:~$ mkdir data bandit12@bandit:~$ cp data.txt ./data bandit12@bandit:~$ cd data bandit12@bandit:~/data$ ls data.txt bandit12@bandit:~/data$ file data.txt data.txt: ASCII text 0000000: 1f8b 0808 4572 4259 0203 6461 7461 322e ....ErBY..data2. 0000010: 6269 6e00 0143 02bc fd42 5a68 3931 4159 bin..C...BZh91AY 0000020: 2653 59a3 fd61 8800 0019 ffff dffb 1ff5 &SY..a.......... 0000030: f7d7 dfdb fe4f ffb3 b5f7 ffdf b2d8 fefb .....O.......... 0000040: e7dd fffa fefd 7f7b d1fb fe3f b001 3b56 .......{...?..;V 0000050: a106 81a0 1a00 07a8 0068 01a1 a69a 0000 .........h...... 0000060: d1a0 d034 6868 34f5 0641 a000 000d 000f ...4hh4..A...... 0000070: 5064 00d0 321a 69e9 0323 1a27 a883 4003 Pd..2.i..#.'..@. 0000080: 41a0 01ea 0000 0003 4000 0068 7a4f 4800 A.......@..hzOH. 0000090: 0c8c 803d 41a0 64d1 a3d4 d1a3 6a68 01a0 ...=A.d.....jh.. 00000a0: 34da 8340 003d 4347 a83a 69a6 8699 0034 4..@.=CG.:i....4 00000b0: 3203 4610 3

Bandit 11 The transformation can be done using a lookup table, such as the following: Input ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz Output NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm But we do not actually need to know this, head to that wiki link. It will give you the answer in an example The ROT13 and ROT47 are fairly easy to implement using the Unix terminal application tr; to encrypt the string "The Quick Brown Fox Jumps Over The Lazy Dog" in ROT13: $ # Map upper case A-Z to N-ZA-M and lower case a-z to n-za-m $ echo "The Quick Brown Fox Jumps Over The Lazy Dog" | tr 'A-Za-z' 'N-ZA-Mn-za-m' Gur Dhvpx Oebja Sbk Whzcf Bire Gur Ynml Qb So this has an echo command, I don't know why, and even though knowing everything can help, doesn't mean we need to. I tried tr 'A-Za-z' 'N-ZA-Mn-za-m' data.txt This didn't work, "tr" seems to rotate the characters in context of the exa

bandit 10 bandit10@bandit:~$ ls data.txt bandit10@bandit:~$ cat data.txt VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== bandit10@bandit:~$ base64 -d data.txt The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR Nice "base64 -d" is the command we need. "-d" here obviously stands for 'decode'

Bandit 9 bandit9@bandit:~$ ls data.txt bandit9@bandit:~$ grep data.txt '===' grep: ===: No such file or directory bandit9@bandit:~$ strings data.txt | grep '===' J========== the ========== password ========== is W========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk bandit9@bandit:~$ DONE, READ THOSE INSTRUCTIONS FOR HINTS, INFORMATION IS VALUABLE Glowfish Contrast

Bandit 8 bandit8@bandit:~$ ls data.txt bandit8@bandit:~$ sort data.txt | uniq -u UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR bandit8@bandit:~$ Glowfish Contrast

Bandit 7 I wish I didnt feel so cruddy bandit7@bandit:~$ ls data.txt bandit7@bandit:~$ cat data.txt cardinals CAw2INEcfQXgeU9pJo2sblodpZAlJPFc intending Qr2KViD9ulk1UJuPwi1OQ0XwFLSNjWi1 absorbs 2e4afAv6hGQenW7fhqJrIB1u7txUJQ5k ... enumerable 3cNAcvD2jNnnHtlHuADdjcCl9lEpUQre nonfatal bjxaP056aQtdfFofagtsYNuYu1E2Cdzf vicinity's iR6NdwRFD9hQsFTHLDDpnqMbeT5yP4Rn rosin DyinTKcvwMTLQNEn5dWEir2chv29CS9g bandit7@bandit:~$ that is a lot to search through and I am lazy, but I want to do a lot. Being efficient is the best way to be lazy and accomplish your goals, remember, get what you need done but don't try to hard! bandit7@bandit:~$ cat data.txt | grep millionth millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV bandit7@bandit:~$ Glowfish Contrast

Bandit 6 Level Goal The password for the next level is stored somewhere on the server and has all of the following properties: owned by user bandit7 owned by group bandit6 33 bytes in size Commands you may need to solve this level ls, cd, cat, file, du, find, grep Somewhere on the server? I didn't read the instructions all that well, I knew the user and the group switch before this for the find command but forgot what the size switch for bytes was. Now if I didn't write this blog and have that documentation, I would have had to read the man page for "find" again! bandit6@bandit:~$ ls bandit6@bandit:~$ find ./* -user bandit7 -group bandit6 -size 33c find: `./*': No such file or directory Weird it's not in our current directory,after realizing there was nothing in the directory and looking at the instructions about being somewhere on the server I tried this. bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c find: `/var/log&

Bandit 5 Level Goal The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable 1033 bytes in size not executable Commands you may need to solve this level ls, cd, cat, file, du, find If you happen to be solving this one on your own, we need to check the man page for it. We need to find the file that has a size of 1033 bytes. We need to indicate it with the size switch and use the 1033c in which the c indicates the number of bytes bandit5@bandit:~$ ls inhere bandit5@bandit:~$ cd ./inhere bandit5@bandit:~/inhere$ ls maybehere00 maybehere04 maybehere08 maybehere12 maybehere16 maybehere01 maybehere05 maybehere09 maybehere13 maybehere17 maybehere02 maybehere06 maybehere10 maybehere14 maybehere18 maybehere03 maybehere07 maybehere11 maybehere15 maybehere19 bandit5@bandit:~/inhere$ find -size 1033c ./maybehere07/.file2 bandit5@bandit:~/inhere$ cat ./maybehere07/.

Bandit 4 Level Goal The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command. Commands you may need to solve this level ls, cd, cat, file, du, find bandit4@bandit:~$ ls inhere bandit4@bandit:~$ cd ./inhere bandit4@bandit:~/inhere$ ls -file00 -file02 -file04 -file06 -file08 -file01 -file03 -file05 -file07 -file09 bandit4@bandit:~/inhere$ file ./* ./-file00: data ./-file01: data ./-file02: data ./-file03: data ./-file04: data ./-file05: data ./-file06: data ./-file07: ASCII text ./-file08: data ./-file09: data bandit4@bandit:~/inhere$ cat ./-file07 koReBOKuIDDepwhWk7jZC0RTdopnAYKh Glowfish Contrast

 Bandit 3  The instructions: Level Goal The password for the next level is stored in a hidden file in the inhere directory. Commands you may need to solve this level ls, cd, cat, file, du, find bandit3@bandit:~$ bandit3@bandit:~$ ls inhere bandit3@bandit:~$ cd ./inhere bandit3@bandit:~/inhere$ ls bandit3@bandit:~/inhere$ ls -als total 12 4 drwxr-xr-x 2 root    root    4096 Jun 15 11:41 . 4 drwxr-xr-x 4 bandit3 bandit3 4096 Aug 19 23:32 .. 4 -rw-r----- 1 bandit4 bandit3   33 Jun 15 11:41 .hidden bandit3@bandit:~/inhere$ cat ./.hidden pIwrPrtPN36QITSp3EQaw936yaFoFgAB Okay so this all is pretty easy, we don't get our first taste of something interesting until a few levels in. So  we display the contents of our working directory. We see a folder called "inhere" and then use "cd" to change directories into that folder. Once inside we try to display the contents of that directory, which comes up with nothing. I add a couple of switches to our

Bandit 2 root@kali:~# ssh bandit2@bandit.labs.overthewire.org -p 2220 _ _ _ _ | |__ __ _ _ __ __| (_) |_ | '_ \ / _` | '_ \ / _` | | __| | |_) | (_| | | | | (_| | | |_ |_.__/ \__,_|_| |_|\__,_|_|\__| a http://www.overthewire.org wargame. bandit2@bandit.labs.overthewire.org's password: Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-71-generic x86_64) * Documentation: https://help.ubuntu.com/ The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. bandit2@bandit:~$ ls spaces in this filename bandit2@bandit:~$ cat ./'spaces in this filename' UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK This is the last time I'll leave in how to ssh into a device. The 'ls' command list the contents of our dire

Bandit 1  We just got the password for level one and are now logging in. I got sick of PuTTY and VM'ed kali really quickly. root@kali:~# ssh bandit1@bandit.labs.overthewire.org -p 2220 The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established. ECDSA key fingerprint is SHA256:SCySwNrZFEHArEX1cAlnnaJ5gz2O8VEigY9X80nFWUU. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[bandit.labs.overthewire.org]:2220,[176.9.9.172]:2220' (ECDSA) to the list of known hosts. _ _ _ _ | |__ __ _ _ __ __| (_) |_ | '_ \ / _` | '_ \ / _` | | __| | |_) | (_| | | | | (_| | | |_ |_.__/ \__,_|_| |_|\__,_|_|\__| a http://www.overthewire.org wargame. bandit1@bandit.labs.overthewire.org's password: Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-71-generic x86_64) * Documentation: https://help.ubuntu.com/ The programs included wi

Bandit 0 The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org , on port 2220. The username is bandit0 and the password is bandit0 . Once logged in, go to the Level 1 page to find out how to beat Level 1. I'm using PuTTY in windows while doing this, in linux you can just use your terminal, your command will be something like this magic@WhiteRabbit:~$ ssh bandit0@bandit.labs.overthewire.org -p 2220 Okay so simple stuff. We use the ssh command, to connect to this host name with the "-p" indicating the port. Instructions for level 1:` Level Goal The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game. Commands you may need to solve this level ls, cd, cat, file, du, find Using

60 seconds to what!? First and foremost, I should brush up on my basic linux skills. After all that time on networks it's time to kick the dust off my boots. Lets play the first CTF I ever completed. Bandit.

Alright so OSCP, this insane crazy test that sounds so difficult. When looking into what certifications I wanted to pursue, I found this quote "The CEH will get you an interview, the OSCP will get you the job" . I am by no means a pentester or even a cyber security analyst, my skills are not that strong and the force is definitely not with me otherwise I'd not apply to jobs at places like Walmart right now. I considered these other cerifications before settling on this.   Why I'm stupid and chose to try harder. -CISSP without 5 years experience in IT, I chose not to pursue this. Higher level blue teaming -CEH, while this is good, I do not feel I have the backend technical ability to justify taking this, first hand as an analyst, concepts and practice are two separate things. Entry level Red & Blue teaming CASP, Higher level blue teaming GIAC anything, I like SANS and all but it's expensive and I am not that rich homies CSA+, I considered this h

Okay, so I'm struggling financially due to some poor decisions on someone hopeless. Recently I lost my first IT job with IBM as an Level II analyst and since this is a personal blog I will be open about what happened. I did not like my job and felt much better after I was done with it, I had been working hard to be a top level analyst and was looking for a promotion to engineer. I was becoming foundational to my section for ticket resolutions I took  what was hard, easy, anything in front of me, often going beyond my scope to help resolve issues for the technicians I supported because I had the free time, helping them with their job was my job, and keeping future issues from arising. I made sure I was handling the most amount of tickets with as many difficult issues as I could get too and contributing as much knowledge and information as possible every week. I learned a couple valuable lessons from that job and only realized it when I started reflecting on it with other professiona