- Personal website of Tess Sluijter

Unimportant background
  RSS feed

About me

Blog archives

















> Weblog

> Sysadmin articles

> Maths teaching

CTF036 2019, the Secured By Design CTF

2019-04-05 09:10:00

Me, on stage

The photograph on the left was provided by Secured By Design.

I love CTFs and though I can't take part in a lot of them, I make it a point to always play in Secured By Design's CTF036. Four years in a row now and the events just keep getting better! 

I was invited to give a small talk again, this time covering the basics of PKI: public key infrastructure. In short, PKI is one of the ways to solve the challenge of "trust" in an environment: how can you trust that someone or something really is whom they claim to be? We were very much cramped for time, so I had to try and smush everything into half an hour! While the talk went smoothly, I'm not entirely happy: there was just too much info in too little time. And I didn't even cover it all! 

My slide deck for "When Alice met Bob..." is over here. 

The CTF itself was, as always, a blast! Roughly a hundred participants, attacking six copies of the same target environment: three servers and two desktop systems, part of a fake school's infrastructure. Our goal was to grab as many student IDs as possible. 

The usual suspects were there yet again: weak passwords on mailboxes, SMB shares without proper ACLs, simulated end-users and a rudimentary daemon which you could try a buffer overflow on.

I spent most of my time on attacking one of the end users: a professor. The school's website featured an open forum, with sections dedicated to each of the classes taught. One professor warned his students that their final presentations were due any day now and that they should be submitted "through the usual share". This refers to the aforementioned, open SMB share which had a subfolder "Presentations". 

I recalled that SETookit and Metasploit offered options to create Word/Powerpoint/Office payloads, but had forgotten how to. I'm rusty, it's been a while since I've done this :) After a bit of research, I turned to exploit/windows/fileformat/office_OLE*. When configuring the exploit I simply chose to target all possible options, which generated roughly twenty files with shellcode. In real life this would obviously not work, because who would fall for that?! Twenty files without content, clicking through all of them? Nope :) But in this case the script set up on the workstation (to simulate the professor) was greedy and simply went through all of them. 

Using this method I got a nice and shell_reverse_tcp to my port 443. Looking to escalate my privileges on the workstation I tried to get a Meterpreter payload to run in the same way, but failed. I guess the payload was too tricky for the target. 

I explained this particular attack vector to two teams (ex-colleagues to my right, the team in #1 slot to my left), which was a fun exercise. I love explaining stuff like this to people who're just getting their feet wet (my ex-colleagues). The #1 team quickly latched onto the idea and offered an improvement to the attack: use the reverse shell to download a Meterpreter payload .EXE file. Duh! I should've thought of that! 

Anyway: a wonderful day with fun hacking and meeting cool people! Heartily recommended :) tags: , ,

View or add comments (curr. 1)

PKI: using a private versus a public ca

2019-04-05 06:17:00

This morning an interesting question passed through the SANS Advisory Board mailing list:

"Looking for anyone that has done a cost benefit analysis, or just general consideration, of using a Public CA vs. a Private CA for a PKI deployment. Some vendors are becoming very competitive in this space and the arguments are all one-sided. So aside from cost, I’m looking for potential pitfalls using a public CA might create down the road."

My reply:

My previous assignment started out with building a PKI from scratch. I’d never done this before, so the customer took a gamble on me. I’m very grateful that they did, I learned a huge amount of cool stuff and the final setup turned out pretty nicely! I’ll try and tackle this in four categories.








If your infrastructure needs to be cut off from the outside world, you will HAVE to run your own, private PKI. 

I’ve recently presented on the basics of PKI and on building your own PKI, be it for fun, for testing or production use. The most important take-away was: “If you’re going to do it, do it right!”. You do NOT simply fire up a Linux box with OpenSSL, or a single instance Windows Server box with ADCS and that’s that. If you’re going to do it right, you will define policy documents, processes and work instructions that are to be strictly followed, you’ll consider HA and DR and you’ll include HSMs (Hardware Security Modules). The latter are awesomely cool tech to work with, but they can get pricy depending on your wants and needs. 

Remember: PKI might be cool tech, but the point of it all is TRUST. And if trust is damaged, your whole infrastructure can go tits-up. tags: , , ,

View or add comments (curr. 0)

Solved: Citrix Receiver - Cannot create connection file CitrixID

2019-03-24 14:12:00

Error message and creation

Earlier this week I had a need to use Citrix Receiver on MacOS, to connect to a remote desktop environment. That's a pretty normal use-case :) Unfortunately it kept throwing me an error: "Cannot create connection file CitrixID". 

Looking around the web it seems that plenty of people run into this issue, with plenty of hokey "fixes" going around. None of them got to the root of the issue. But here you are: the root cause!

When installing Citrix Receiver, the installation script uses your admin-rights to run a few commands using the actual root-account. Kind of yucky, but not very abnormal. The problem is that the scripts also creates configuration directories in your personal homedirectory. For example in "/Users/tess/Library/Application Support/Citrix Receiver". As you can see from the screenshot above, these directories and files are assigned root ownership, meaning that your normal user account cannot access or overwrite these files. 

The solution consists of either A) changing the ownership to your account and group, or B) just hard-removing these directories and re-creating them. Option A is neater and either requires use of the Terminal (sudo chown -R tess:tess "/Users/tess/Library/Application Support/Citrix Receiver"), or you can try with with the Info-view of the directory and changing the permissions from there. tags: ,

View or add comments (curr. 0)

Adding your own, trusted CA certificates in RedHat and Debian derivatives

2019-03-12 20:02:00

The past week I've gotten my start in an Ansible course and a book, starting my work towards RedHat's EX407 Ansible exam. I've been wanting to get a start in Ansible, after learning a lot about Puppet a few years back. And if I manage to pass EX407 it'll renew my previous RedHat certs, which is great. 

Anywho! The online course has its own lab environment, but I'm also applying all that I learn to my homelab. So far Ansible managed the NTP settings, local breakglass accounts and some systems hardening. Next stop was to ensure that my internal PKI's certificates get added to the trust stores of my Linux hosts. I've done this before on RedHat derivatives (CentOS, Fedora, etc), but hadn't done the trick on Debian-alikes (Ubuntu, Kali, etc) yet. 

First stop, this great blog post by Confirm IT Solutions. They've provided an example Ansible playbook for doing exactly what I want to do. :) I've taken their example and I'm now refactoring it into an Ansible role, which will also work for Kali (which unfortunately has unwieldy ansible_os_family and ansible_distribution values).

To summarize the differences between the two distributions:

RedHat expects:

Debian expects: tags: , ,

View or add comments (curr. 1)

Network segmentation in the homelab

2019-03-01 22:36:00

My network layout

Continuing where I left off a few weeks ago, I've redone the network design for my homelab. When we last looked at the network, it was all flat with all VMs tucked in a single subnet behind a pfSense router. Because I want to work towards implementing the CSC in my lab, I've moved everything about quite a lot. tags: , ,

View or add comments (curr. 0)

GCCC certification achieved

2019-02-28 14:39:00

It's been two weeks since finishing my index of the SEC566 course materials. This morning, I took the GCCC certification exam and passed with a 93% score! Yay!

On to the next big thing: RedHat's EX407 Ansible exam :) tags: ,

View or add comments (curr. 2)

Be a good netizen: enable SPF to prevent email spoofing for your domain

2019-02-25 09:57:00

Continuing with security improvements all site and domain admins can apply: everybody that runs their own domain can and should implement SPF: Sender Policy Framework.

What it does, is explicitly tell the whole Internet which email servers are allowed to send email on behalf of your domain(s). Like many similar advertisements, this is achieved through DNS records. You can handcraft one, but if things get a bit too complicated, you can also use the handy-dandy SPF Wizard. tags: , ,

View or add comments (curr. 0)

GIAC GCCC index and studying

2019-02-18 20:29:00

a stack of books

Ooofff!! I've spent the past three weeks building my personal index for the SANS SEC566 course books. It was quite a slog because the books are monotonous (twenty chapters with the exact same layout and structure), but I've made it through! 29 pages with 2030 keywords.

The index was built using the tried and true method made famous by Hacks4Pancakes and other InfoSec veterans.

Right after finishing the index I took my first practice exam and scored a 90%. That's a good start! tags: , ,

View or add comments (curr. 2)

Older blog posts