Security Labs
Below you'll find a few personal labs, projects, and random GitHub repos that I've enjoyed managing in my spare time.
About my Experience
Below I list a mix of my professional and private experience within the realm of Cyber and Information Security. This experience was gained over the course of the past few years.
These labs were performed with permission, on permitted devices, in permitted environments, with ethics in mind.
Projects
There are various projects that I have participated in, and solely conducted, over the course of my student and professional career. These projects aimed to expand my experience and knowledge in Cyber Security; in my professional line of work, the projects were oriented around business needs and the value I could return to the company.
Capture the Flag - College
During my college education, I performed CTF competitions within my class geared specifically around the use of various operating systems, so that we could get a feel for a broad range of tools.
Metasploitable 2
In college, one of the specific goals of my ethical hacking course was to use Kali Linux in order to quickly penetrate the public VM, Metasploitable 2. The goal was to exploit the intentionally vulnerable OS and gain access, capturing all the placed flags. Our instructor took the base Metasploitable 2 VM image and injected various "flags" in the form of txt files. We had to capture them in order, as each flag gave a riddle with a clue to the whereabouts of the next flag. If a flag was missed, we had to retrace our steps, starting at Recon, and attempt to find it. Once a flag was found, we had to figure out a way to decode the small message. Sometimes this was accomplished using basic, well-known ciphers; other times it involved looking at the path we took from the previous flag to this one and finding clues that way. Once all flags were found and we had root access, we had to provide evidence to our instructor along with a written report of the steps we took to accomplish our goal, including screenshots. The task itself was super fun.
Windows 7
Another VM we needed to take control of was a Windows 7 box. The guise was that it had been a popular webapp for an enterprise, recently taken out of production and now in the process of being decommissioned by multiple siloed IT departments. The instructor informed us that it was not enough to take control of the app; we had to take control of the entire box. The flags were the hashes that would be contained in the LSASS memory dump.
I used Kali Linux in order to establish a connection to a vulnerable Windows 7 VM. Upon scanning the local IP address of the VM, I found it was still running a vulnerable webapp; it must not have been disabled yet. After a very quick glance at the page, it was easy to tell that the app was solely just a login page against a local database and didn't connect to AD at that point. I attempted some manual SQLi which, after a few attempts, allowed access to the app. From there, I found two things: a grayed-out admin dashboard that I couldn't get to load no matter what I tried, and an enumeration issue in the app, since I was able to navigate to a "/users/<username>" URL with information about other users, from which I learned that the application admin had a particular ID and a unique username. I set up a password spray for the admin account and let it run, but the account immediately locked and errored out. After about an hour of trial and error with the timing, I made a script to delay the password spray by 10-second intervals and let it run overnight since it was late. By the time I woke up, the script had found a match to the application admin.
I logged in and found that the account had access to the admin dashboard, which was actually more than just a dashboard: it was also a browser-based CLI for the admin, for the sake of "convenience", in order to access files stored locally on the system. I ran a quick query to see what context it was being run in and got back the generic name "user". After pilfering around a bit without seeing anything worthwhile, I queried other users. With the latest information, I set up a remote password spray against the local device's admin account via RDP. It wasn't working, but eventually I found a shared file containing an old admin password. I was able to tailor the password spray to this format/word selection, which led to the discovery of the current admin password. Once I logged in with the current admin credentials, I set the execution policy to allow for remotely signed scripts and loaded up PowerSploit. A few clicks later, with the help of mimikatz, I had the hashes of the last 14 people, including IT admins, who had signed into this "retired" webapp and server.