· 6 min read

Advent of C and C

A Decorative Image

And then, the funniest thing happened…

Bo Burnham, All Eyes On Me

Preamble

2023 is a gift that keeps on giving. Forget whatever difficulties I’ve had at my (prior) job and the slight embarrasment of being laid off - I’ve made as much lemonade as I could with them lemons. No, this yeah has had a couple of parting gifts, to make sure I’m not too complacent. A “this isn’t even my final form!” boss fight, if you will.

A Decorative Image

October 7th, The Black Shabbat, needs no elaboration. I never thought I’d have to teach my toddler what to do in case of an air raid siren, and we didn’t even bother explaining that the reason we now have friends in a nearby kibbutz is that they have lost everything and had to evacuate.

With all that going on, it wasn’t until December that I found the time and the motivation to boot my mac (and my brain), just in time for the TryHackMe Advent of Cyber 2023 challenge.

In a nutshell, this is a beginner-friendly CTF-like advent calendar, meant to introduce various subjects, techniques and tools relevant to the broad field of cyber security. Each task comes with a step-by-step guide, as well as a handy virtual environment, saving you hours of setups and installations. I didn’t see a point in making a traditional writeup, seeing as the step-by-step guides were very good. Instead, I thought I’d extract all the terminology, tools and #TILs from the various challenges into a lexically ordered list, and hopefully someone will find it useful (I know I will).

Unfortunately, I only made it to day 8 of the advent calendar, thanks to that pesky second C, the second form of that boss fight. But more on that later.

Terms, Tools and TILs

A Decorative Image

Prompt Injection

Language models are trained on data, which basically means they detect patterns of which words tend to follow which words in the data, and then use these patterns to complete sentences and parse questions. Any sensitive data in the training set is a part of the possible patterns, and can be yielded by using the right prompt. For instance, if a model was trained on internal code, it might contain credentials or API keys; a model trained on logs can learn IPs, domains and various PIIs. Presenting the language model with the right question can fetch the sensitive data, as well as circumvent various methods to defend that data.

As a developer, this mostly tells me to keep my code sanitized even if it isn’t public, and especially if it is. The emergence of various copilots in public source control repositories means anything you commit & push can end up in a dataset. And remember, even if you’ve removed data from the code, GIT has a long memory.

SIEM

Security Information and Event Management, a tool that aggregates logs, alerts and events into one real-time system.

When dealing with large enterprise environments, the amount of noise generated by monitoring systems can be staggering. In my days as a QA, I often spend hours trying to correlate events from like 6 different logging systems and event monitors to pinpoint the exact cause of some obscure bug. Having one centralized system, and knowing how to query its contents to highlight suspicious or malicious behavior, is invaluable.

Brute-Forcing

In the context of the challenge - trying to figure out sensitive data (i.e. a password) by trying all possible combinations. Some tools used for brute-forcing:

  • Crunch: A command-line tool that generates a list of all possible combinations based on a set of characters and min/max length limits. The list can then be fed into a brute-forcing tool when attempting to crack a password.

    Combinatorics plays an important role in determining password complexity (in addition to it being one of my favorite branches of discrete maths). Essentially, the larger the charset and longer the password, the more combinations there are for the brute-force to try.

    You can calculate the average time to crack a password by dividing the total number of combinations by the number of guesses per second your tool can make.

  • CeWL: A web crawler that generates a wordlist for a site. Since the time it takes to brute-force credentials is dependent on the total amount of passwords, shortening that amount can save time.

    For instance, if you’re trying to find a username to log into some company’s system, and that company has a “Meet our Team!” page on their site, you can use that to generate a list of potential usernames.

  • Hydra: A command-line tool for brute-forcing passwords over HTTP, using a pre-generated list of possible passwords.

  • Wfuzz: A command-line tool for brute-forcing web apps.

Magic Bytes/File Signature

The first bytes of a binary file are indicators of the type of that file. They are used, for instance, when a computer decides which app to use to open a particular file. A file signature can be faked to make a file seem like something else, for instance, make an executable look like a picture.

Log Analysis

When you need to crunch some data but you have no cool SIEM system, not even a BI tool with a proprietary querying language, what do you do? Who do you call? Well, it so happens Linux has you sorted with a bunch of command-line tools that honestly work amazingly well, enough to stop me from reaching for my old faithful spreadsheet. Pipe these commands into one another for best results!

  • grep search for a term (or a regex) in a file\folder. Comes with a truckload of useful flags.
  • cut slice a file into columns by a given delimeter, and show the desired columns.
  • sort sort the results of a list of strings.
  • uniq remove duplicates from a given list of strings (works best if the list came pre-sorted).
FTK Imager

A forensics tool that allows forensic specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity for presentation during a trial in a court of law.

The tool also allows to analyze hardware contents in a safe environment, for instance, if you want to look at the contents of a USB you found on the floor.

The Second C

In the backround, between adventing, parenting and monitoring the hostage situation, I was also casually checking a suspicious lump I’ve encountered during a routine mammary gland inspection. One lab led to another, and before long we’ve realized this is not a drill, I repeat, THIS IS NOT A DRILL. The boss made his final transformation. The big C has arrived.

So what happens next?

A Decorative Image

Honestly, by this point I’m not sure making plans is even worth it. On the other hand, I am facing prolonged combat, months of unemployment, hours in an armchair strapped to an IV; I might as well do something productive with that time. Find things I can gain, to balance out everything I’m about to lose (some hair, some soft tissue, possibly several meals). Let 2024 be the year of C&C, Cyber and Cancer, and may the former grow as the latter shrinks.

Squeeze your titties, friends, and may none of you join the C&C club this year!