Thomas was alone

Well, not him. In fact it was me, alone in my boredom. (But check the game about Thomas, it’s a life changing experience).

Then I realized, that it was more than a year that I haven’t studied anything new or even remotely exciting. How come? Good old routine. And a lack of practice doesn’t make anyone better. Plus I have a lot of CPE to grab and blogging is an easy way.

In the following articles I’ll get a random machine from and describe a process of hacking it. I’ll start from easy ones to see how things are going and then will get to more advanced boxes.

On your trail

This post is also available in Russian

My dad always says that there are two types of malfunction in any electronic device – presence of contact where it should not be and absence where it must be. I think it summarizes pretty much all the cybersec in the first place because it also applies to privileges. Our goal in general is to make sure that people with right privileges were able to access data and others were not.

Privileges management is not an easy task, although it may look straight forward at first. You start with list of resources and list of accounts, you match them and get some sort of access matrix. When it grows, and grows, and changes and in a couple of years no one remembers what privileges were given and why. Sad but true, no one documents anything. And it’s no surprise that fired employee still has access to some resource, and group for remote access is filled with accounts no one knows where came from.


Continue reading “On your trail”

По твоему следу

Мой отец всегда говорит, что в электронике всего два типа проблем: наличие контакта, где его быть не должно, и отсутствие там, где надо. По большому счету, это полностью описывает ситуацию с привилегиями в информационной безопасности. От специалистов зачастую и требуется обеспечить доступ к ресурсам легитимным пользователям и запретить тем, кому не положено такого доступа иметь.

Задача, к сожалению, не такая простая, как это кажется на первый взгляд. Обычно все начинается с перечня ресурсов и списка учетных записей. Мы назначаем учетные записи ресурсам и формируем таким образом матрицу доступа. Затем она растет, меняется, еще растет и через пару лет уже никто не помнит, кому и зачем выдали те или иные права. Это печально, но это так – никто ничего толком не документирует. И абсолютно не удивительно, что мы регулярно видим уволенных сотрудников с сохранившимся доступом к корпоративным ресурсам, и какие-то загадочные временные аккаунты в ACL для удаленного доступа.


Continue reading “По твоему следу”

So you want to be a pentester

In previous article we’ve learned about owasp 10, basic attack techniques and overall idea of penetration testing. And you might ask, what should I do next? Am I a pentester now? Well, you’re not. But it’s only a matter of time when you will.jedi
Continue reading “So you want to be a pentester”

A10 2017 – Insufficient Logging and Monitoring

How do you know that your site works as it supposed to? How do you know if it’s down? I was thrilled to realize that most of admins say – well, if nobody calls me on the phone, then it’s fine. But what if you’re in charge of a web hosting platform with thousands of web sites? And let’s say one-minute downtime costs a million? You’d better start planning some monitoring solution before it’s too late.


Continue reading “A10 2017 – Insufficient Logging and Monitoring”

A9 2017 – Using Components with Known Vulnerabilities

You’ve done it! Congratulations! Your code is nearly perfect and secure, it was tested by a dozen pairs of eyes and money spent on code analyzing software was not in vain. It’s just one final step – let DevOps deploy it and let your customers work with the amazing web site you’ve made.

Next morning you’ve got an email from your boss and he’s not angry. He’s in rage! He’s not impressed with progress you made, but asks a single burning question – what’s that huge white face with stupid mustache he sees instead of a web site?

Your site was defaced overnight. You call DevOps and now it’s your turn to ask questions – guys, what web server do you deploy it on? Is it secure? Do you update it from time to time? Never? Oh …
Continue reading “A9 2017 – Using Components with Known Vulnerabilities”