Yesterday I failed to win an OSCP voucher (60 days of lab time plus the PWK, Pentesting With Kali, test), so I figured I would talk about it, show you my entry and share the experience, seeing as that was the reason I started this site.
It all started last month when I saw in one of the Discord servers I frequent that Rob Fuller (Mubix) was giving away 3 vouchers for PWK (60 days of labs + test), so I headed to the link, which took me to his GitHub with all the details.
I won’t share the full post, but there were three challenges to get through, after which Rob would choose the three winners. The fact he set this up alone is amazing and was such an opportunity for people trying to get the certificate. In general Rob is such a good dude; he really is one of the good people, and everyone agrees.
“Challenge 1: 2 (also known as “two”, or II, два, dos, दो, zwei, or اثنان) Twitter direct messages (DMs are open so no requirement to follow) from people you have worked with (be it a professional environment, a project or CTF, etc). They need to tell me about you and why they think you’d need the PWK voucher. This challenge is about humility (to ask people to do this for you), respect for people’s time (you need to let them know that you appreciate them taking the time out of their busy day to do this for you), and perseverance (finding two people to do this for you isn’t always easy). If the people you have worked with don’t have Twitter that’s fine. Email: (mubix at hak5.org with subject line of: PWK Voucher Contest) – Remember to have them mention your twitter handle or however you are contacting me so I can correlate who they are talking about.
Challenge 2: Email or DM me one infosec topic you are passionate about (no length requirement, but it needs to be long enough for me to understand that you have the drive and passion to complete the PWK/OSCP). Topics can be as broad or as specific as you want.
Challenge 3: If you complete Challenge 1 and 2, I will pose a technical question to you, one I would ask in an interview. No rules apply here (other than, you know, laws… and common decency but the questions shouldn’t steer you in that direction anyways)
Rule 1
If you have more than 2 endorsements sent to me I will assume you don’t respect my time and disqualify you due to the tenets of the contest. I am a single person looking through every person’s submissions in this contest. I don’t have infinite time to do so.
Rule 2
If you cannot seem to follow the directions as they are laid out in the above document, you will be disqualified. Read carefully.
Rule 3
Random mentions sent to me on Twitter are not Direct Messages, people vouching for you, or endorsements this way will be ignored and not count towards your contest submissions.”
Please go to https://gist.github.com/mubix/f14e3681df6aedd08394b71cfec6e49e and read the full post though, I am just sharing the challenges.
For challenge one I thought for a long time about who to ask and had about five people in mind, but I decided on two people who, like Rob, are good people in the InfoSec world that I talk to about this kind of stuff. The fact they both agreed was such a good feeling; as mentioned, they are both great people.
For challenge two I decided to write about what I was doing in my day job, so I wrote about ‘Data Security’.
“As for myself and my day job, I do in fact work in IT for a pretty big company but not in Security at all; my role is Desktop Support Specialist, which I have been doing for a few years, and before that I worked in Application Support supporting a Linux app on Red Hat 5, but I realised I much preferred the hardware, networking, security and server side to apps, and through doing Desktop I have now fallen in love with Security and Ethical Hacking, which is why I am desperate to make the jump to Information Security.
This has been so hard to choose because I love many topics and aspects of InfoSec, but I have decided to write about Data Security, probably the most boring one you will read about, as I imagine a lot of people will be writing about the hacking aspect of it. Don’t get me wrong, I adore the Pentesting side of things, but I am dumbfounded by how many times I have started a role at a company and seen the lack of proper, good backups and backup processes, encryption for important data that needs to be saved or sent, the crazy password management in place at these places, and the lack of any multi-factor authentication.
Again, I know this is possibly boring and I DO have Linux and Networking experience, but in my current role I am dealing with Data Security a lot, and where I can I control things like having the backup process sorted and making sure all data is backed up, and backed up regularly (which I do). We have implemented MFA and now have a stricter password policy in place. It baffles my mind when users come to the department because none of the passwords they are trying to change to work under the new company policy, or get furious because they need to wait for access to a folder that has a security group in place which we are waiting for approval to add them to.
I won’t go on too much, as I will allow you to read some of the other, more exciting messages.
Although user and staff security training and awareness is another topic I could go off on as my boss doesn’t believe like I do that everyone should have some but that’s for another time.”
After submitting this, the wait to hear back was on. I was surprised at how anxious and nervous I was about hearing back, and I believe this was because I was starting to realise the full extent of what the opportunity could mean for my working life and the chance to get over to the InfoSec world.
FINALLY, on Friday last week at 6AM, my alarm went off for work and my phone pinged with a Twitter DM alert. It was from Rob. I was fully expecting a “thank you for your time but it’s a no” type message, but it wasn’t; it was a GOOD message that ended by saying:
“Finally, the challenge:
I find it awesome that you are into data security and so many different topics of pentesting. Challenge 3 for you is to describe in as much detail as possible a privilege escalation attack, what protections can be applied to make sure it doesn’t work or doesn’t exist, and what effect it can have on an enterprise. Feel free to choose one or more points of view.”
Here are some tweets as well regarding the final.
And with that, I set to work on challenge three. Here it is for you to read or laugh at, whatever you choose; I was and still am really pleased with it. Here you go:
What is privilege escalation (elevation) and what protections can be applied to make sure it doesn’t work/exist, and what effect it can have on an enterprise?
What is privilege escalation?
“Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions”
(Wikipedia)
Privilege escalation is a significant threat to all organisations and should be considered when performing risk assessments or implementing new technologies, applications or infrastructure.
Microsoft has specifically listed Privilege Escalation within their STRIDE model as a specific threat that needs to be considered for remediation, the “E” within STRIDE stands for Elevation of Privilege.
As can be seen from the Wikipedia definition above, privilege escalation can arise from a wide range of sources. Consequently, organisations must implement a wide range of controls; a defence-in-depth strategy is commonly chosen by organisations trying to reduce their risk profile to an acceptable level, the intention being that only attacks able to circumvent all of the controls succeed.
Privilege escalation is a vulnerability you really don’t want to happen to you and your systems: it is when someone is able to gain a higher level of access to a system than they are legitimately allowed. It is usually achieved by exploiting a known vulnerability to escalate access, or by abusing a bug or design flaw in an application or operating system.
“Higher-level” access means they have more capabilities and access to places in the system they should not be. For instance, they could get access to Finance, Management and HR, but the most common target from their point of view would be an IT person whose account has administration privileges and therefore full access to everything, including the servers. In most privilege escalation attacks, the hacker first logs in with an ordinary end-user account, then searches for flaws in the system they can exploit to elevate their privileges in order to reach sensitive data they can steal.
When choosing how to defend against an attack, an organisation must first understand how the attack works. A useful model for researching attacks, used by many organisations, is the Lockheed Martin Cyber Kill Chain; its stages, with the controls I would recommend at each, are walked through below.
Current research indicates that somewhere in the region of 90% of all cyber-attacks begin with a phishing email. Gaining access to a network is the first part of performing an Elevation of Privilege attack.
Phishing is a technique where the attacker tries to con you into believing you are downloading something legitimate or entering details into an official site, when in fact you are giving the attacker access to your systems. From there they can install malware or create new user credentials for themselves.
They are essentially trying to make you believe you are dealing with an official company so that you provide sensitive information. This is usually done with a link, or an attachment containing a link, which they try to get you to use, giving them access to your account on the company network.
Below I will recommend controls that should be implemented to help reduce the risk of a Phishing attack precipitating an Elevation of Privilege.
Reconnaissance.
Organisations should have policies in place that outline the ways in which their staff use Social Media. Barring this, there is little that organisations can do to prevent threat actors from performing reconnaissance.
Weaponization.
Organisations should ensure that their infrastructure and applications are fully up to date with the latest patches available from the vendors. By doing so organisations protect themselves from most threats that leverage vulnerabilities which have been patched.
Organisations should ensure that their infrastructure is protected via an enterprise-level antivirus solution.
Delivery.
Organisations should provide users with extensive awareness training on:
- Acceptable use policies
- How to avoid being phished
- Safe use of removable media
If users are sufficiently trained and follow the guidelines and policies, the majority of attacks will not be successful.
Technical solutions that organisations may choose to employ also include:
- Antivirus solutions specifically designed for email servers.
- Email scanning services, blocking spam messages automatically.
- Blocking certain file types from being delivered via email E.g. executable code.
- Blocking access to USB ports and Optical disc drives.
Exploitation.
Organisations should ensure that their infrastructure and applications are fully up to date with the latest patches available from the vendors. By doing so organisations protect themselves from most threats that leverage vulnerabilities which have been patched.
Organisations should consider the use of Vulnerability scanners. These tools are designed to scan the organisation’s network and indicate where applications and infrastructure may be vulnerable to exploitation.
Organisations should ensure that standard user accounts do not have sufficient privileges to allow installations to take place.
Organisations should ensure that remote access is controlled via multi-factor authentication.
Organisations should ensure that Office 365 access is controlled via Multi-factor Authentication.
Organisations should ensure that all user accounts have passwords that are changed regularly and are sufficiently complex to avoid becoming a victim to a brute force attack.
Organisations should ensure that local accounts on both workstations and servers are removed. If these accounts are required by the organisation then the organisation should perform the following:
- The accounts should be renamed
- The accounts should have their passwords changed regularly
- The account password should be of sufficient complexity, ensuring that brute force attacks are ineffective.
Organisations should ensure that technology networks are segregated from normal user networks, ensuring that only authorised users can access the administration VLANs.
Installation.
Organisations should ensure that their infrastructure and applications are fully up to date with the latest patches available from the vendors. By doing so organisations protect themselves from most threats that leverage vulnerabilities which have been patched.
Organisations should ensure that their infrastructure is protected via an enterprise-level antivirus solution.
Organisations should ensure that traffic between sensitive sections of the network is encrypted.
Organisations should ensure that they have alerts set up for when membership of sensitive Active Directory groups changes, for example the Domain Admins group.
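As an added illustration of that alerting control (example code, not part of the original essay), the rule below runs over constructed Windows Security group-change events and flags additions to privileged groups. The line format (key="value" pairs, with the group name in TargetUserName) and the list of sensitive groups are assumptions for the demo; a real SIEM would feed it the parsed event fields instead.

```python
import re

# Windows Security event IDs for "a member was added to a security-enabled
# local / global / universal group" (4732 / 4728 / 4756).
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Groups whose membership changes should page someone. Assumed starting list;
# extend it with the domain's own privileged groups.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                    "administrators", "account operators"}
# Constructed line format: key="value" pairs as a log forwarder might emit from
# the event's EventData; in these events TargetUserName holds the group name.
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return the event's fields as a dict, or None if EventID is missing or non-numeric."""
    fields = dict(KV_PAIR.findall(line))
    if not fields.get("EventID", "").isdigit():
        return None
    fields["EventID"] = int(fields["EventID"])
    return fields


def check_event(fields):
    """Return (event_id, actor, member, group) for an addition to a sensitive group, else None."""
    if fields is None or fields["EventID"] not in GROUP_ADD_EVENTS:
        return None
    group = fields.get("TargetUserName", "")
    if group.lower() not in SENSITIVE_GROUPS:
        return None
    return (fields["EventID"], fields.get("SubjectUserName", "?"),
            fields.get("MemberName", "?"), group)


def scan(lines):
    """Run every line through the rule and collect the alerts."""
    return [a for a in (check_event(parse_event(ln)) for ln in lines) if a]


# Constructed sample events (not real logs): the 1st and 3rd should alert.
SAMPLE_LOG = [
    'EventID="4728" SubjectUserName="svc_helpdesk" MemberName="CN=Alex,CN=Users,DC=corp,DC=local" TargetUserName="Domain Admins"',
    'EventID="4728" SubjectUserName="hr_admin" MemberName="CN=Sam,CN=Users,DC=corp,DC=local" TargetUserName="Sales Staff"',
    'EventID="4732" SubjectUserName="alex" MemberName="CORP\\alex" TargetUserName="Administrators"',
    'EventID="4624" SubjectUserName="alex" TargetUserName="alex"',
]

if __name__ == "__main__":
    for event_id, actor, member, group in scan(SAMPLE_LOG):
        print(f"ALERT {event_id}: {actor} added {member} to {group}")
```

Removals (4729/4733/4757) are deliberately not alerted here; an attacker covering tracks would trigger those too, so a production rule should watch both directions.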
Organisations should ensure that standard user accounts do not have sufficient privileges to allow installations to take place.
Command & Control.
Organisations should consider the use of tools such as a SIEM solution to provide an overview of the traffic entering and leaving the network. This could be strengthened through the use of other technical solutions such as DarkTrace and FireEye.
Actions on Objective.
Organisations should ensure that network shares do not contain passwords in plain text files.
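To make that control checkable, here is an added audit script (not from the original essay) that walks a share and reports files whose name or contents suggest a stored credential; it is the defender's version of the clear-text password hunt described later in the essay. The patterns, the file-name list and the sample share it builds in a temporary directory are all constructed for the demo, and findings report only the location, never the secret itself.

```python
import os
import re
import tempfile

# Indicators of a stored credential. Assumed starting set; tune it to the environment.
CONTENT_PATTERNS = [
    ("password-assignment", re.compile(r"\b(pass(word|wd)?|pwd)\s*[:=]\s*\S+", re.I)),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
NAME_PATTERN = re.compile(r"(pass(word)?s?|creds?|credentials?|logins?)\.(txt|xlsx?|docx?|csv)$", re.I)
MAX_BYTES = 2 * 1024 * 1024  # only scan text-sized files, not archives or disk images


def audit_share(root):
    """Walk a share; return (path, reason, line_no) findings. The secret itself is never returned."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if NAME_PATTERN.search(name):
                findings.append((path, "suspicious filename", 0))
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    for reason, pattern in CONTENT_PATTERNS:
                        if pattern.search(line):
                            findings.append((path, reason, line_no))
                            break  # one finding per line is enough for triage
    return findings


def build_sample_share():
    # Constructed share for the demo (not a real share); returns its root path.
    root = tempfile.mkdtemp(prefix="share_audit_")
    samples = {
        ("IT", "passwords.txt"): "firewall admin password: Summer2019!\n",
        ("IT", "web.config"): 'connectionString="Server=sql1;User Id=app;Password=S3cret;"\n',
        ("IT", "backup.key"): "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n",
        ("HR", "notes.txt"): "Payroll cut-off is the 25th. Pass the memo on to the team.\n",
    }
    for parts, text in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, reason, line_no in audit_share(build_sample_share()):
        print(f"{reason}: {path}" + (f" (line {line_no})" if line_no else ""))
```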
Organisations should ensure that users’ access is based upon the least privilege model, this reduces the impact in the event that an account has become compromised.
How do they manage to escalate the account?
They can gain access in a few different ways: for instance, if the user can find a bug that allows them to gain access to the root account, which has full permissions, or by using a vulnerable application that is running as administrator and inheriting its permissions; there is also misconfiguration, and even on things like iPhones there is jailbreaking to allow the escalation.
Once the attacker is on the network they can use different tools to scan it and look for network shares holding passwords in clear text, look for administrator accounts with a stale password or one that is easy to guess like ADMIN, Adm1n or Root, and they even have the option of a man in the middle attack if they can find the password hash.
This is why, to me, privilege escalation is not just about changing your password every 60 days but a much more fundamental and important part of cyber-security that is often overlooked. I also believe that not enough companies are teaching their staff good protocol or basic cybersecurity training, like looking for and identifying the phishing email that will more than likely start the whole process.
Privilege Escalation is a large subject that could easily be treated to a much longer essay than this one. However, I believe that it essentially boils down to the points I have raised above.
Regards
Alex
NOW, the wait was on again to hear the results 🙂
When I found out yesterday that I had not got one of the vouchers I was absolutely devastated for most of the day, not because I thought I should have won or anything like that, more from possible imposter syndrome kicking in: I started to think, am I even good enough to hang in this company, is this site just a mistake, and at 41 years old had I maybe missed the bus on all of this? But today is a new day.
I woke up today in a totally different mindset. I am a naturally happy, chirpy dude and I am back to that today. I am seeing the competition as a great experience, one I really enjoyed being part of and one which has made me LOADS of new contacts on Twitter, all in the same boat as me.
Also, as I started to write this I was looking over my previous posts and realised how far I have come already in such a short space of time; I felt re-energised and refocused on my goals and back on my training plan.
Thanks for the opportunity Rob, greatly appreciate it.