Kilala.nl - Personal website of Tess Sluijter

Unimportant background
Login
  RSS feed

About me

Blog archives

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

> Weblog

> Sysadmin articles

> Maths teaching

Automatically integrate Vagrant-built VMs into VMWare ESXi and Active Directory

2021-08-05 15:49:00

I've been using Vagrant to build new VMs in my homelab, which saves me a boat-load of time. Afterwards I still needed to do a few manual tasks, to make sure the VMs integrate nicely into my Active Directory and my VMWare ESXi server. 

With a bit of fiddling, while setting up the Kubernetes cluster, I came to a pretty decent Vagrant provisioning script. It does the following:

The spots with ${MYUSER} and ${MYPASSWORD} are a privileged domain admin account. 


apt-get install -y open-vm-tools
systemctl enable open-vm-tools
systemctl start open-vm-tools

apt-get install -y oddjob oddjob-mkhomedir sssd sssd-tools realmd adcli \
samba-common-bin sssd-tools sssd libnss-sss libpam-sss adcli policykit-1 \
packagekit

cp /vagrant/realmd.conf /etc/realmd.conf
realm join --unattended --user ${MYUSER} corp.broehaha.nl <<< ${MYPASSWORD}

echo "sudoers: files sss" >> /etc/nsswitch.conf
cp /vagrant/sssd.conf /etc/sssd/sssd.conf

cat >> /etc/ssh/sshd_config << EOF
AllowGroups linux-login
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

systemctl enable sssd realmd ssh
systemctl restart sssd realmd

kilala.nl tags: , ,

View or add comments (curr. 0)

Is OSCP a good place to start pen-testing certification?

2021-08-05 07:46:00

Someone on Discord recently asked me: "Is OSCP a good first cert for someone who wants to go into pentesting?"

I thought I'd share the response I gave them. I hope it's still a valid viewpoint, what with my OSCP being a few years ago.

========================

Yes, but no.

OSCP is entry-level stuff when you look at it from a technical perspective. All the exploits and vulns we need to work with during the exam are relatively clear-cut and you don't have to do any development yourself. 

What makes OSCP a heavy-hitter is the non-technical aspects: you are under incredible pressure (X boxes in Y hours, plus a full report), you are given a black-box environment with targets that could be (almost) anything. OSCP is about research skills, about time management, about perseverance.

If you do the PWK class work before the exam, you are almost fully prepped for the technical aspects (vuln types, exploiting vulns, etc). Doing a large part of the PWK labs will prepare you for the research part of the exam. Which leaves time management and perseverance, which are personal skills that you need to bring yourself. 

If you were to ask me for a better place to start, I'd look at eJPT first. 

Get your feet wet with the basics and something that's also recognized as a solid first start. 

I personally think OSCP isn't a good first cert because, if you're still getting to know your way around the tech basics, then you won't have enough time to learn-on-the-job during the exam. 

If you have a good background on Linux/Unix and Windows, knowing how their services can be abused and how privesc can be done, and you've actually done it a few times, then you're on the way. Ditto for vulns and exploits in webapps or other network services: if you understand them and can apply them, then at least you have the basics out of the way.

With the OSCP exam, there's no telling what you're getting! It could be relatively new software on a new OS, or it could be an antique application in a weird old language. 

If you know the basics of vulns and exploits, then you at least know what you're looking for. You will only have to learn the actual target on-the-fly.


kilala.nl tags: ,

View or add comments (curr. 0)

Dick would have enjoyed this: new addition to the lab

2021-07-29 14:45:00

A stack of servers and a phone

Last week was awesome! It was the last Friday before summer break, so I decided to move the class on Vagrant and Docker forward. This would give my Linux+ students a few cool things to play with during their holiday!

Next to that very fun day, one of my colleagues at ITVitae also gifted me a piece of old gear: a lovely, 2009 Apple XServe 3.1. Dick would've loved that, what with us both being Apple-geeks.

The drives were wiped, so I've found a way to image the MacOS 10.11 installer onto one of them. Aside from that: it has dual Xeons like my R410 and R710, 3x2TB of disks (one of which will move to the R710 for my lab) and 24GB of RAM.

This baby might be noisy and a bit underpowered, but it'll make a great Docker-host to complete my lab. Awww yeah!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Not renewing my CEH

2021-06-23 15:27:00

Over the past decade or two, I've put in a lot of study-time to garner certificates for continued professionalization. Some of'm I'm really proud of, some were fun or cool, some were frustrating and some were just "meh".

EC Council's CEH (Certified Ethical Hacker) is one of those "meh" certificates, where my biggest motivation for continued renewal was the dreaded HR-checklist. EC Council have a great marketing department, that's ensured that "CEH" is on many corporate security job requirements.

That's the only reason why I kept paying my annual dues. Never because I'm proud of it, or because I feel it adds to my profession, always for the market value. 

Not any more. 

Between recent social media muck-ups, between debatable practices and mediocre professional value, I've decided to stop sending my money to ECC. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Failure is a great teacher

2021-06-20 21:19:00

A few weeks ago I noticed that my Win2012 trial licenses are no longer tennable: a big change to my homelab is needed! Since then I've worked dilligently on a few projects, all happening in parallel.

That's a lot of stuff going on!

As the title of this post says: failure is a great teacher and boy did I have a lot of failures! 😂

For now there's too much to sum up in great detail, so I'll get back to the deets later. For now, some stuff I ran into:

After a weekend with lots of hard work, my AD domain is stable and usable again. All GPOs work again, the syncing between DCs works, the DFSR for SYSVOL works again. And the migration of the issuing CA to 2019 has also completed, with hosts being able to auto-enroll and validate certs again. 

There's so much more to do though! Thank ${Deity} for my Jira boards!


kilala.nl tags: , , ,

View or add comments (curr. 0)

CompTIA Pentest+: objectives comparison between PT0-001 and PT0-002

2021-06-01 19:08:00

It's a bit late, but people studying for the Pentest+ PT0-002 beta exam can probably use a list of all the differences between versions 001 and 002 of the objectives. I reckon the list could also be useful for students who want to give it a shot in October / November, because very few study materials will be available. 

I've done a quick cross-reference of the objectives documents (also linked below), to make an Excel / CSV with the differences between the objectives. Careful, they're probably not 100% on the money.

CompTIA trainers get a licensed document that does a better job at explaining the differences, but we can hardly share that, right? My comparison document was made the hard way, literally cross-matching both objective documents. Hence why I may have made a few mistakes.

The official objective documents:

And here's CompTIA's official blog about the two exam versions.


kilala.nl tags: ,

View or add comments (curr. 0)

Dynamic DNS and a discovery about Unifi equipment

2021-05-29 21:07:00

It's odd that I've never had much of a use for dynamic DNS solutions, but now that I'm testing VPN to my homelab I've also taken a look at AFraid's FreeDNS

So far I'm enjoying the late 90s, early 2000s look-and-feel of their management interface. It's endearing!


kilala.nl tags: ,

View or add comments (curr. 0)

Homelab rebuild needed

2021-05-29 20:39:00

Well darn. The "slmgr -rearm" trick will no longer work, after renewing the trial licenses on my WinSrv 2012 boxen a few times. This means I'll have to rebuild my Active Directory and Certificate Services infrastructure on short notice. Better yet, it's time to do something with my/our partnership contract with Microsoft, to get official licenses for Win2016. 

Oddly, Nicola's instructions on making the iDRAC6 remote console work on MacOS now fail for me. The connection that worked a month ago now reliably fails as "Connection failed". 

Luckily, Github user DomiStyle is awesome! They've prepared a Docker container that runs the iDRAC connection software and makes two local ports available: 5900 for VNC and 5800 for the web interface. It's excellent!


kilala.nl tags: , ,

View or add comments (curr. 0)

Know your limitations, even if it's "too late"

2021-05-27 10:55:00

I don't know if my old classmate René is still reading along. If he is, he'll nod approvingly and think to himself: "told you so". :)

I feel very heavy-hearted, because I feel that I’m letting a few awesome people (Stephen, Thomasina, Rick B. at CompTIA) down. 

I'm backing down from teaching the Pentest+ TTT. It seems that I’ve been harboring a lot of stress, piling on way too much for myself, without really noticing it. To make sure that I can still pay full attention to my family, my primary customer, my students at IT Vitae and my own studies, I have to drop this responsibility.

I was very much looking forward to helping CompTIA with Pentest+, but right now it would not be a smart thing to continue with.


kilala.nl tags: , ,

View or add comments (curr. 0)

DevChamps "Extreme Automation" training

2021-05-17 06:56:00

After completing PDSO's CDP (Certified DevSecOps Professional) two months ago, I was left wanting more. More CI/CD, more pipelines, more automation. That's when, via-via, I met Andrey Adamovich via LinkedIn. Andrey works with a collective of DevOps trainers, to teach his XA: Extreme Automation training.

To sum it up: I was looking for a little extra fun, to expand upon what I'd learned in the past two years and the price was right at €700 for a three-day training with all the labs neatly arranged for students. 

To summarize my impressions:

Would I recommend Andreys class? Yes, especially to folks in my shoes (security engineer) who need a quick introduction to modern-day IT infrastructure.

As to what I've learned during class? Well, Ansible and Docker weren't new to me, but that's perfectly okay. Terraform was very nice to get to know better, while Packer and Kubernetes were eye-opening. 

My biggest take-away is that I'm behind the times on modern-day infrastructure. This class has helped me recognize some of my bigger knowledge-gaps, which means I can now address them. 

My first order of business in my homelab should be to attempt a complete rebuild, using Packer to create golden images and using Terraform to drive VMWare ESXi, instead of using Vagrant. From there on out, I should try to use my Gitlab instance together with K8s and Docker to run many of my services. Luckily I have two Dell servers for my lab, so I can repurpose an old laptop as Terraform+Packer box while using the smaller Dell to first test-run my configs. 

The sad part is, as Andrey mentioned halfway through day 3: he expects that within a few years many apps and services will move to a server-less model, like Lambda or Azure Functions. That means that >60% of what we learned in XA will become much less useful. 


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA closed beta for CASP+ CAS-004

2021-05-13 10:33:00

CompTIA often have beta releases for new versions of their exams. You'll notice my blog has articles dating back a few years, where I keep doing these beta tests, "for fun and profit". Most betas are open to all takers, but the CASP+ (advanced security practitioner) is "closed". With thanks to some very nice people at CompTIA I managed to get accepted into the closed beta. 

Took the test this morning, at home via the OnVue testing solution. As before my experiences with OnVue were decent. 

However! In a not-so-fun move, PearsonVue decided to do a big and unannounced IAM change! Anyone who's testing via PearsonVue for CompTIA, whom also has tested for other companies (such as Microsoft) has now been forced to take a new username. They literally changed everybody's login names, without warning them up front. And no, you also don't get an email. Now they have a warning on their login page, but last night I got a big fright because there was zero information!

Here's a few things I took away from the CAS-004 beta.

The exam gave me three hours time and took me between a bit less than two hours to power through without going back to any questions. There were plenty "bad" questions in there (see above) and a few where I honestly would not know the answer. Since this is a beta I decided to pludge it without studying any of the books or materials.


kilala.nl tags: ,

View or add comments (curr. 0)

A short review of CompTIA Security+

2021-04-30 09:41:00

Earlier this year I completed CIN's TTT (train-the-trainer) for Security+, CompTIA's entry-evel InfoSec certification. I hope to teach the subject matter at ITVitae or elsewhere in the near future, so I'd better prepare myself on the exam objectives. 

Overall I'm pleased with the body of knowledge covered by Security+; there's a reason why I frequently recommend the learning path to colleagues starting out in IT security. The BoK covers security fundamentals which I feel should be understood by anyone in IT: developer, engineer, risk management, I don't care. Everybody in IT should know this stuff. :)

Paul Jerimy's excellent security certification roadmap places Sec+ at the foundational level. There's no shortness of comparisons between Security+, SSCP, CISSP, GSEC, CEH and others on the Internet, for example this one. Most of us agree: Sec+ is foundational knowledge for those starting in IT. 

I sat the exam this morning, version 601, and I passed. Would've been worrisome if I hadn't! ;) 

I'm pretty happy with the exam's contents: there's a decent spread of topics covered and only two out of my 82 questions were worded sub-optimally. The PBQs actually were pretty good!


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA PT1-002 Pentest+ beta

2021-04-23 09:45:00

A little under three years have passed since I last took the CompTIA Pentest+ exam. Like last time, I took the beta-version of the exam. Just like last time, I decided to go into the exam completely blank, only taking a glance at the official objectives beforehand.

The OnVue at-home testing experience offered by PearsonVue, like always, was decent. The tooling works well enough, the proctor was communicative, waiting times weren't too bad. The software feels kind of intrusive, as to what it wants to do on your laptop, but at least it didn't want me to install anything, nor does it require admin-level rights. 

As to the exam itself, my experiences mirror what I felt back in 2018: 

I feel that the PT1-002 exam needs some polishing and a few corrections, but overall the level of difficulty and the type of questions asked do in fact do a fairly good job at testing someone with 2-3 years of pentesting experience.

I'm curious whether I've passed! As was said: I went in without preparation and there's definitely a number of objective areas where I don't have experience. 

EDIT:

A forum acquaintance reminded me of the following:

"You see a preponderance of exam items referring the same concept because the vendor is attempting to determine which of those (experimental) items to include in the (production) exam item pool. ... When taking a beta exam, you are helping to create the exam item pool for the initial public release of the exam, not taking the initial public release of the exam itself."


kilala.nl tags: , ,

View or add comments (curr. 1)

Finished a lot of hard work: the CDP exam, Certified DevSecOps Professional

2021-03-04 10:10:00

I know, I know: the past weeks it's been nothing but Gitlab over here :D That's going to quiet down now. How did all of that get started though?

Back in January, I posted the following question on the BHIS Discord:

"When it comes to CICD, microservices and the whole modern API reality I'm quite out of my depth. I never was a developer, can't code my way out of a wet paper bag; was always on the sysadmin and secops side. 

Are you guys aware of any trainings or bootcamps that are squarely aimed at grabbing my demography (sysadmin, secops) by the scruff of their neck and dumping them through the whole process of building a sample API, automated building and testing and then ramming it onto something like Azure of CloudFoundry? 

I've been on the sidelines of plenty CICD, helping DevOps teams with their Linux and security troubles... but now I really need to know what they do all day.

Anything commercial, that lasts multiple days and is from a reputable vendor would be absolutely great. I don't care too much about which solutions are used in said training. Key words may include: Spring.boot, Maven, Git, Azure DevOps, Github Actions, Fortify. Just an all-in-one "journey" would be lovely."

I asked around with friends and colleagues. Most folks weren't aware of any such trainings, though one pointed me at Kode Kloud, another suggested Dev Champs and two of them suggested Practical DevSecOps.

PDSO's CDP course, Certified DevSecOps Professional, listed selling points that matched what I wanted:

Having now completed the whole course and having passed the exam, here's my impressions about PDSO's CDP course:

My overall verdict, was the CDP course worth it? Yes, it was. I learned a lot, I got to mess around with a lot of cool tools and the exam was challenging.

One tip that I'd give students is to also run a CI/CD environment of their own, with more projects than the one or two in the labs. I have gained so much extra knowledge from running Gitlab in my homelab, with 6-7 vulnerable apps! It's been awesome and educational. 

A few of my fellow students asked for pointers on the exam. I wouldn't want to give anything away that's covered by the NDAs, but I can tell you this much:

Basically, be ready to do high-paced learning and studying on-the-fly. In that regards, this exam isn't too different from the OSCP pen-testing exam: the concepts are the same, but you will need to do research on the job :)

Most importantly:

  1. As John Strand always says: "Document as you go!" Take notes all the way through your work, don't put that off until the end.
  2. Clone your exam repository to your local computer and pull updates regularly! I lost 11 hours of work on my exam, because my Gitlab got reprovisioned.

kilala.nl tags: , ,

View or add comments (curr. 0)

Quick notes: script to setup Gitlab runners and run as Ansible

2021-02-26 10:55:00

Just some quick notes I've been making on how to quickly get gitlab-runner up on a Linux box. I still feel very yucky about curl-in a file into sudo bash, so I'll probs grab the file locally instead and make sure it doesn't do anything nasty.

The following example was used on my Ansible host, to install gitlab-runner and to have it run as the local "ansible" user account instead of root. It registers and starts two runners.

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
 
export GITLAB_RUNNER_DISABLE_SKEL=true; sudo -E yum install -y gitlab-runner
 
sudo gitlab-runner uninstall
 
sudo mkdir /etc/systemd/system/gitlab-runner.service.d/
cat > /tmp/exec_start.conf << EOF
 
[Service]
ExecStart=
ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "/home/ansible/gitlab" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--user" "ansible"
EOF
 
sudo mv /tmp/exec_start.conf /etc/systemd/system/gitlab-runner.service.d/exec_start.conf
 
sudo systemctl daemon-reload
sudo systemctl enable gitlab-runner
sudo systemctl start gitlab-runner
 
sudo cp /tmp/broehaha-cachain.pem /etc/gitlab-runner/cachain.pem
 
read -p "gitlab reg token: " GITLAB_TOKEN
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false

kilala.nl tags: , ,

View or add comments (curr. 0)

Security testing OWASP Juice Shop in Gitlab CI/CD

2021-02-20 16:10:00

Gitlab pipeline

After finishing the awesome BHIS "Modern Webapp Pen-testing" class (January), I immediately rolled into the "Certified DevSecOps Professional" course. I am lacking in experience with CI/CD, while having to support DevOps engineers every day.

The CDP labs by Practical SecDevOps are okay, but only testing Django.NV got stale.

What better way to learn about SAST, DAST, SCA and more than by running our beloved Juice Shop webapp through my own CI/CD pipeline?! :D 

Not only does this give me a private Juice Shop in a safe environment (my homelab), but it got me more familiar with Gitlab and all the things that come with DevSecOps / SecDevOps / Security in DevOps / however you wanna call it. 

The image above shows the Juice Shop project in my Gitlab, with its security testing and deployment stages. The last "Compliance" stage (with Inspec) didn't fit into the pic.

Running the pipeline builds a Docker image for Juice Shop, runs SAST, SCA, secret scanning and linters, then runs the Docker image on my testbox and runs Nikto, ZAP and SSLyze against it as DAST. All very much default/basic, but it's a start!


kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps and their CDP training

2021-02-19 07:42:00

I've been mentioning Gitlab for a while now and you might wonder why the sudden change. :D I'm working my way through the CDP training from Practical DevSecOps.

I needed a crash course that took me through a practical example of CI/CD pipelines, from A to Z, in a hurry. I'm in security and I need to advise DevOps engineers who work on those pipelines every day. I found it harder and harder to relate to them without having gone through their journey myself. Intellectually I understood most of the concepts, but everything stayed very vauge without me actually doing it hands-on.

So far the course is a resounding "okay". It's not wonderful, it's not bad, it's just that: pretty good. The slide decks are decent, the trainer narrating the videos has a nice voice, but the narration is quite literally reading from the text book. Some of the text on slides and in the labs was lifted directly from third party sources such as projects' Github pages or from articles like Annie Hedgpeth's series on running Inspec

They have a huge amount of online labs, which is good, even if they get repetitive. So what I've done is setup Gitlab in my homelab as well, and apply all the things the course teaches me to multiple intentionally-vulnerable web apps.

So I've got Git repos for Juice Shop (Node.JS and Angular), django.nv (Python and JS), Webgoat (Java), GoVWA (Go) and others, which I'm treating like they were projects for my simulated company. Each of these gets its own CI/CD pipeline to run code quality checks, SAST, DAST and automated build + deploy through Docker.

It's been one heck of a learning experience and I'm looking forward to the closing exam, which is another 24h practical exam. I love those!


kilala.nl tags: , ,

View or add comments (curr. 0)

Challenges running "owasp/zap2docker-stable" without docker:dind

2021-02-17 19:35:00

As part of the CDP course we're running unattended ZAP scans as part of integration testing, using the "owasp/zap2docker-stable" Docker container. The course materials tell you to run the CI/CD task using "docker:dind", a Docker-in-Docker solution. For some reason my Docker boxen aren't a fan of that; I'll have to debug that later.

Trying to run the ZAP container with a simple "shell" executor through gitlab-runner led to some fun challenges though! The course material suggests the following Docker run command:

docker run --user $(id -u):$(id -g) -w /zap -v $(pwd):/zap/wrk:rw --rm owasp/zap2docker-stable zap-baseline.py -t https://target:port -J zap-output.json

To sum it up: start the ZAP container, run the ZAP baseline script using your current UID and GID, mount your local directory as /zap/wrk and then write the results as a JSON file onto the mounted local directory.

This approach fails in two ways if you're not doing the fastest, dirty approach: running as the "root" user account.

Either you use it with "--user $(id -u):$(id -g)" and then you get the error message "Failed to start ZAP :(". Or you run it without that setting, then ZAP runs but it cannot save the output file, with a "permission denied: /zap/wrk/zap-output.json" message.

The issue here is that container has a very limited setup of users (as it should) and your uid+gid are most likely not in there. Under normal conditions, the ZAP scripts inside the container run as "zap:1000:1000" but that user doesn't have write access to your user's directory on the Docker host.

So... If you're running the ZAP container directly on your host and not as DinD, then you'll need to setup a temporary directory and setup write access for either uid:1000 or gid:1000 to it. The latter feels "better" to me. Then we'll end up with this (assuming Gitlab):

zap-baseline:
    stage: integration
    dependencies: []
    allow_failure: true
    tags:
        - shell
    before_script:
        - docker pull owasp/zap2docker-stable
        - mkdir output; chgrp -f 1000 output; chmod 770 output; cd output
    script: 
        - docker run --rm -v $(pwd):/zap/wrk owasp/zap2docker-stable zap-baseline.py -t http://target:port -J zap-output.json
    artifacts:
        paths: [output/zap-output.json]
        when: always 

kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps: CDP labs example pipeline

2021-02-07 22:08:00

A pipeline in Gitlab

I'll talk about it in more detail at a later point in time, but I'm about a week's worth into the Certified DevSecOps Professional training by Practical DevSecOps. So far my impressions are moderately positive, more about that later. 

In the labs we'll go through a whole bunch of exercises, applying a multitude of security tests to a Gitlab repository with a vulnerable application. Most of the labs involve nVisium's sample webapp django.nV.

Having reached the half-way point after that one week, I had not encountered two crucial parts of the DevOps / CICD pipeline which I'm not at all familiar with. We're applying all kinds of tests, but we never did the steps you'd expect before or after: creating the artifacts, deploying and running them. As I've said before, I'm #NotACoder.

Instead of focusing on one of the next chapters, today I spent all day improving my Gitlab and Docker install by applying all the required trusts and TLS certificates. This, in the end, enabled me to create, push, pull and run a Docker image with the django.nV web app. 

If anyone's interested: here's my Dockerfile and gitlab-ci.yml that I'd used in my homelab. You cannot just throw them into your own env, without at least changing username, passwords and URLs. You'll of course also need a Docker host with a gitlab-runner for deployment.

Note: The Docker deploy and execute steps show a bad practice, hard-coded credentials in a pipeline configuration. Ideally this challenge should be solved with variables or even better: integration with a vault like Azure Vault, PasswordState or CyberArk PasswordVault. For now, since this is my homelab, I'll leave them in there as a test for Trufflehog and the other scanners ;)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Integrating Gitlab into your lab with private PKI

2021-02-07 19:45:00

My homelab runs its own PKI and most servers and services are provided with correct and trusted certificates. It's a matter of discipline and of testing as close to production as possible. 

Getting Gitlab on board is a fairly okay process, but takes a bit to figure out. 

So my quick and dirty way of getting things set up:

  1. On ADCS generate a new, exportable key pair with the right settings. 
  2. Run this keypair through a locally created .inf request file with an extension for the subject alt. name (see example).
  3. Issue the requested cert and import it.
  4. Export the full keypair plus cert as a PKCS12 / .pfx file.
  5. Transfer the .pfx to the Gitlab server and store safely in "/etc/gitlab/ssl/". Set to ownership by root, and only readable by root. 
  6. Use "openssl" to extract the private key and certificate from the .pfx file. Then use it as well to decrypt the private key. 
  7. Replace the pre-existing gitlabhostname.crt and gitlabhostname.key files with the newly extracted files.

Now, you also want Gitlab and your runners to trust your internal PKI! So you will need to ask your PKI admin (myself in this case) for the CA certificate chain. You will also need the individual certificates for the root and intermediary PKI servers. 

  1. In your Gitlab host, copy the individual PKI certificates into "/etc/gitlab/trusted-certs". 
  2. On your Gitlab runner hosts, copy the CA chain into "/etc/gitlab-runner" and reconfigure "/etc/gitlab-runner/config.toml" so each runner has a line for "tls-ca-file". 
  3. If you haven't done so already, make sure the rest of your Linux host also trusts your PKI by importing the certs.
  4. According to the Docker manuals, Docker uses both its own config file and the Linux/Windows central trust store. So completing step #3 is good enough. But, Docker will only pick up new certs after you restart the engine!

Don't forget to restart Gitlab itself, the runners and Docker after making these config changes!

You can then perform the following tests, to make sure everything's up and running with the right certs.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Debugging: Trufflehog reports no secrets in Gitlab CICD

2021-02-06 21:59:00

Durning the CDP class, one of the tools that gets discussed is Trufflehog. TLDR: yet another secrets scanner, this one built in Python. 

I ran into an odd situation running Trufflehog on my internal Gitlab CICD pipelines: despite running it against the intentionally vulnerable project Django.nv, it would come back with exit code 0 and no output at all. 

Why is this odd? Because it would report a large list of findings:

But whenever I let Gitlab do it all automated, it would always come up blank. So strange! All the troubleshooting I did confirmed that it should have worked: the files were all there, the location was recognized as a Git repository, Trufflehog itself runs perfectly. But it just wouldn't go...

I still don't know why it's not working, but I did find a filthy workaround:

trufflehog:
  stage: build
  allow_failure: true
  image: python:latest
  before_script:
    - pip3 install trufflehog
- git branch trufflehog
  script:
    - trufflehog --branch trufflehog --json . | tee trufflehog-output.json
  artifacts:
    paths: [ "trufflehog-output.json" ]
    when: always

If I first make a new branch and then hard-force Trufflehog to look at that branch locally, it will work as expected. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Gitlab-runner not picking up jobs after reboot

2021-02-06 19:35:00

As part of my studying for the CDP course, I've expanded my homelab with a private instance of Gitlab. I've got to say: I like it! A lot. It's good software! 

To accomodate my builds I expanded the RAM on my Docker host VM and set up three "gitlab-runners" to pick up jobs from Gitlab CICD pipelines. Microsoft's documentation is outstanding: the runners were installed and configured within minutes.

The only thing I really disliked was their instructions to "wget https://some-url | bash -". That always feels so fscking scary. 

As part of my change management process the Docker host of course needed a reboot, to see if things some up correctly. They did and the "gitlab-runner" process was there as well. But it wasn't picking up any jobs! Only when I SSHd into the host and ran "sudo gitlab-runner run" would jobs start flowing. 

At first I thought I just didn't understand the concept of the runner process well enough. Maybe I hadn't set them up correctly? Then I decided to do the logical thing: check the logs. I've been teaching my students to do so, so why didn't I? :D

"sudo systemctl status gitlab-runner -l" showed me the following:

$ sudo systemctl status gitlab-runner -l
● gitlab-runner.service - GitLab Runner
   Loaded: loaded
   Active: active

...
Feb 06 19:24:37 gitlab-runner[20361]: WARNING: Checking for jobs... failed
runner=REDACTED status=couldn't execute POST against https://REDACTED/api/v4/jobs/request: 
Post https://REDACTED/api/v4/jobs/request: x509: certificate signed by unknown authority

The self-signed cert isn't too surprising, since I still have a backlog item to get that fixed. I wanted to first get the basics right before getting a proper cert from my PKI. But I thought I had dealt with that by registering the runner with a CA cert override. 

Checking "/etc/gitlab-runner/config.toml" showed me where I had gone wrong: the CA cert override path was relative, not exact.

[[runners]]
  name = "REDACTED"
  url = "https://REDACTED"
  token = "REDACTED"
  tls-ca-file = "./gitlab.pem"
  executor = "docker"

I had assumed that the cert would be picked up by the runner config and stored elsewhere, instead of being referenced from the file system. Wrong! I made sure to copy the self-signed cert to "/etc/gitlab-runner/gitlab.pem" after which I corrected the "config.toml" file to use the correct path. 

One quick restart of the runner service and now jobs are automatically picked up!


kilala.nl tags: , , ,

View or add comments (curr. 3)

Updating my pen-testing experience: "Modern Webapp Pen-testing" by BHIS and WWHF

2021-01-29 16:14:00

I've been dabbling in pen-testing for a few years now; it's never been my main gig and I wonder whether it'll ever be. For now it's a wonderful challenge which makes its way into my work assignments. 

Case in point: at my new customer I'll be performing pen-tests on contemporary applications and services. Java backends, Javascript frontends and lots of APIs! It's in that area that I feel I need additional development: I've learned and practiced with a lot of vulnerabilities and software stacks, but not these. 

Which is why I yet again turned to Black Hills InfoSec and WWHF, for another training! This time around, it's "Modern webapp pen-testing with B.B. King".

Where the "Applied Purple Teaming" class I recently took was okay, B.B.'s class was excellent! All the labs use OWASP's Juice Shop project, which combines NodeJS on the backend (with REST APIs!) with AngularJS on the frontend. Throw in MongoDB for some NoSQL and you've got a party going!

All in all, B.B.'s teaching style is great and his interactions with us students were pure gold. In general, the Discord chat was lively and had great contributions from people all over the world. I'd highly recommend this class! I'll defo learn more with Juice Shop and other vulnerable apps in the upcoming months. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

"Applied Purple Teaming" training, by BHIS and Defensive Origins

2021-01-08 15:19:00

I fear that I may have been over-doing it a little bit the past few weeks. 

December 21st was my last day at my previous assignment, with my new assignment starting January 11th. The three weeks inbetween were spent on the holidays and on studying. I pushed through:

The latter two are both advertised as 16 hour trainings, but I've easily spent upwards of 20-25 hours on each to go through the labs and to research side quests. A few hours more on improvements to the labs for the latter, since I ran into many problems with their Terraforming scripts for Azure Cloud. Huzzah for cooperation through Github. 

While I found the APT class very educational, I can't shake the feeling that it could have been better. In some cases K&J skipped through a number of topics relatively quickly, as "these are basics, etc" and at some points there was rapid back-and-forth between slides. Granted, I did watch the VoD-recordings of their July session and I expect their more recent classes to have been more fluent. 

Thanks to K&J's class my todo list has grown tremendously. Between trainings and certifications added to my wishlist, I've also added a number of improvements that I would like to apply to my homelab. First and foremost: right-sizing my network segments and properly applying all local firewalls. This is a best-practice that will hinder lateral movement in simulations or real-world scenarios.


kilala.nl tags: , ,

View or add comments (curr. 0)

Powershell auditing: easy bypasses

2021-01-05 15:44:00

While I'm making my way through lab L1120 of BHIS' "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite me having enabled Powershell logging through a GPO.

In this lab, we're grabbing Sharphound.ps1 from the Bloodhound project, and either download and run it, or just load it into memory using Invoke-Expression. But none of that stuff was showing up in my Kibana dashboard, despite a "whoami" run from Powershell appearing correctly.

That's when I learned that A) downgrading your session to Powershell 2 kills all your logging, B) most of what you run in Powershell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks.

See also this excellent blog post from 2018.

Luckily you can disable Powershell 2 with a GPO (which could end up breaking older scripts). But with regards to ISE: you'll have to completely uninstall, or deny-list it... if possible.

EDIT:

Based on this article by Microsoft themselves, it seems that turning on transcription will also work on Powershell ISE. I'll need to investigate a bit deeper... See if I haven't misconfigured my setup.

EDIT 2:

Yeah. The Powershell 2 logging bypass is valid, but the lack of logging through Powershell ISE was a case of #PEBCAK. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed AZ-900; experiences with OnVue exam at home

2021-01-02 14:48:00

It's nice when sidetracks during learning lead to measurable results. Case in point: while setting up the labs for the BHIS "Applied PurpleTeaming" training, I needed to quickly learn about Azure Cloud. ... And now I've passed the AZ-900 exam! :D

Microsoft offers (most of) their exams to take at-home remotely, through Pearson Vue's "OnVue" service. I already worked with OnVue back in August, when taking the Cloud+ beta exam. My experience this time around was very similar: the tooling works well, as long as you make sure to turn off your local outbound firewall like Little Snitch

As to the AZ-900 exam: it was a nice motivator (the proverbial carrot on the stick) for me to go through the six Azure Fundamentals modules on Microsoft Learn. I'm happy to have finally gotten some hands-on experience with Azure Cloud, or basically any cloud provider beyond running a shortlived VM on AWS.

After completing the BHIS APT training I intend to play around with Azure a bit more... Maybe I'll even rebuild this website on there!


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed RedHat EX407V27K, experiences with remote Kiosk exams

2020-12-23 23:06:00

As I mentioned earlier this week, I've been studying for RedHat's EX407 exam. Looking back at my CPE records / bookkeeping I've been at it an embarassingly long time: I started studying back in March of 2019. Almost two years ago! Just too many fun and interesting things kept coming in the way!

Between teaching Linux+ to a group of students, with passing CTT+, Linux+, CySA+ and CRTP, as well as classes on DFIR and PKI it was just tooooo tempting! And Ansible was just a little too boring! So as I said before: "booo!" to my lack of discipline! Dragging my feet on EX407 caused me to almost lose my RHCSA/RHCE certifications, because they needed to be renewed. 

But enough about that! Let's talk some interesting points!

All those study materials I linked to, especially Tomas' practice exam, proved to be absolute gold. Without them I wouldn't have passed, because pass I did! Out of a max of 300 (I think?) and with a passing grade of 210 I scored 239 points.

I dropped points mostly due to inexperience with Jinja2 templating and its logic (tests, loops) and with Ansible Galaxy and requirements-files. Out of 16 tasks I knew up front that I'd fail 3 of them because I couldn't get the playbooks to work correctly. Lessons learned and I'll definitely try to practice more in my homelab!

Finally, after being one of the first 100 people to take a Red Hat Kiosk exam, I'll also weigh in on Red Hat's remote, at-home exams. RH had fallen behind to its competitors in that regard, still forcing students to come in to testing centers. What with Covid-19, that strategy needed to change, fast. So they did, in September of this year.

All in all I very much appreciate Red Hat's remote, at-home testing. To sum it up: you flash a RH-provided Linux image to a USB drive, plug that into your PC and boot it up. This turns your private PC into a RH Kiosk system, exactly like they use in their official testing centers! The only vexing part of the setup is that you need TWO functioning web cams, one of which MUST be cabled and pointed at you from the side. 

Overall, the bootable Kiosk Linux is great. It provides pre-exam setup testing to ensure you can actually take the exam. From there on out things work exactly like, or actually better than, the Kiosk at the testing center. Testing from home is absolutely great! After my bad experiences with EX413 I'd been turned off of RH's exams, but this has turned me around a bit. 

I'm happy to have passed EX407! Time to go over my plan for the next few months! I have a few pen-testing classes lined up and will also need to prepare for teaching my next group of students!


kilala.nl tags: , ,

View or add comments (curr. 0)

RedHat EX407 / EX294 study materials

2020-12-17 08:39:00

I've been studying on and off for the EX407 Ansible exam for ... lemme check... 1.8 years now. Started in March of 2019, hoping to renew my RHCE in time, but then I kept on getting distracted. Two certs and three other studies further, I still need to pass EX407 to renew my RHCE. Way to go on that discipline! ( ; ^_^)

Anywho, there's a few resources that proved to be helpful along the way; thought I'd share them here. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Finally! Red Hat offers at-home exams

2020-09-06 21:18:00

It's been a while in coming and I'm very happy they finally made it! Red Hat have joined the large number of companies who now offer at-home test taking for their professional certifications

I quite enjoyed the way CompTIA handled their at-home examinations, but it looks like Red Hat have taken a very different approach. I still need to take the EX407 exam, so I'd better take a quick look!

Back in 2013 I was one of the first hundred people to use the Red Hat Kiosk exams, still have the souvenir key chain on my laptop bag. Let's see if their at-home tests work better than the Kiosk ones. 


kilala.nl tags: , ,

View or add comments (curr. 1)

Taking the 2020 CompTIA Cloud+ beta

2020-08-13 11:35:00

It's become a bit of a hobby of mine, to take part in CompTIA's "beta" exams: upcoming versions of their certification tests, which are given a trial-run in a limited setting. I've gone through PenTest+, Linux+ and CySA+ so far :)

After failing to get through the payment process at PearsonVue a friendly acquaintaince at CompTIA helped me get access to the Cloud+ beta (whose new version will go live sometime early next year).

I sat the beta test this morning, using the new online, at-home testing provided by PearsonVue. Generally speaking I had the experiences as outlined in the big Reddit thread.

Most importantly, on MacOS the drag-n-drop on PBQs is really slow. You have to click and hold for three seconds before dragging something. Aside from that the experience was pleasurable and it all worked well enough.

I'm not as enthused about the Cloud+ beta as I was about Linux+ and PenTest+ at the time. The questions seemed very repetitive, sometimes very predictable (if "containers" was an option, two out of three times it'd be the correct answer) and some just unimaginative (just throw four abbreviations or acronyms at the test-taker, two or three of which are clearly unrelated). Knowing CompTIA I assume there will be plenty of fine-tuning happening in the next few months.

I'm pretty sure I didn't pass this one, but I'm happy to have had the chance to take a look :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Preparing for PearsonVue at home, online testing

2020-08-12 15:35:00

This Reddit thread offers a plethora of information on the at-home, online test taking offered by PearsonVue.

Big lesson I learned as MacOS user: disable Little Snitch and other filtering / security software while you're taking the test. It feels dirty, but to ensure the software does not encounter any hickups (which may result in you botching the test) you're going to have to. Better yet, don't disable, but quit the software because any popups on your screen will also alert the proctor.

Just to be safe, I made a dummy user account on my Macbook, so I can remove all trace of the software afterwards. Luckily it runs from your downloads folder and doesn't need any admin-level access.


kilala.nl tags: , ,

View or add comments (curr. 0)

Finding study goals

2019-12-27 13:52:00

2020's right around the corner and I've been poking colleagues, urging them to set study-goals for the upcoming year. In Dutch, we have saying equating a lack of progress to deterioration: "Stilstand is de dood" ("Stagnation is death"). I believe that this proverb applies very heavily to work in IT: if you're not keeping up with the times, you're going to get out-dated real quickly. 

A colleague asked for suggestions on how to set goals for yourself, to which I replied:

I'd suggest taking into account things like A) where do you want to be in 2-3 years? B) is your team or company lacking particular knowledge or experience? C) do you, or your team, have requirements that you need to fulfill through training? D) do you see any chances that will allow you to quickly up your perceived value?

Basically: train for the job you want, fill any gaps that your team has and make sure you're not dropping any balls.

For me, EX407 fills categories B and C (my current team has little Ansible experience and it will renew my RHCE which will lapse in 1.5 years). The Python for pen-testing course will help me with A (I want to move towards red-teaming and my current coding skills are almost nill).

This year's CySA+ was for category D (it was heavily discounted and I'm pretty sure I could pass it, thus adding a well-regarded cert to my name). Ditto for trying the SANS Work/Study programme, which gets me a heavy discount on a very big-name training and cert.

Finally: just keep a list of things that you want to investigate or work on. Maintain it throughout the year, add new things, remove unwanted things, change priorities. That way you're always set for A) next year's study plans and B) that all-time favorite interview question "Where do you see yourself in two years? What are your short-term development plans?"


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA CySA+ beta experience (CS1-002)

2019-12-09 12:53:00

Another day taken off from work for fun stuff! This time around I went in for yet another CompTIA beta exam, the new CS1-002 CySA+. Like before I sat the exam at my favorite testing center: IT Vitae in Amersfoort. The old Onze Lieve Vrouwe monastery and green surroundings make for a relaxing atmosphere! What was new this time, is that I sat the exam in tandem with my colleague D. She's great company, darn clever and she was looking to get back into the certification-game.

First up, let me point you at a great review of the CS1-002 beta exam, by u/blackvapt on Reddit. And here's the official thread on Reddit, inviting people to take part in the beta.

I will echo everything /u/blackvapt said. The new CySA+ exam is in fact good! The questions are in-depth and technical, without overly focusing on commandline options and flags. In that regard it matches my experience with the PenTest+ exam in 2018: the exam tests for insight and experience in the field of incident response. It's not something you can simply cram books for, you'll need to have experienced many of the situations discussed on the test. The thing is: it's nigh impossible to learn every log format and every OS out there, but if you can intuit the meaning of logs and commands based on your experience, you'll go a long way!

The PBQs (performance based questions) were great! I enjoyed most of them and thought them to be actually fun and a nice multi-layered puzzle. So much better than my experience with the Linux+ exam which only managed to frustrate me with its strict and limited PBQs. 

Preparation-wise I'll admit that I took it easy. I was relying mostly on A) my experience from the past 5-10 years, B) the Jason Dion practice exams for CS1-001 on Udemy and C) the Chapple & Seidl book from Sybase. I spent about twenty hours reviewing and researching, over a month's time.

I didn't spend more than $25 on the preparations, as the practice exams were on discount down to $10 and I got the C&S book through Humble Bundle in a large stack of awesome Sybex books. One note about Humble Bundle: I cannot recommend the Packt books or bundles! Skip those. But snag anything you can get from Sybex, NoStarch or O'Reilly!

Regarding the Dion practice tests: I was not passing any of these while preparing as I mentioned earlier this week. It was odd because I felt good on most of the answers I gave to Jason's questions, but I kept missing the passing grade by a fair margin. During the beta exam I felt great about ~85% of the questions, so it's really a crap-shoot on whether I passed the beta or not. :)

If I didn't pass, I wouldn't mind at all! This was a great exam, with solid challenging questions. If I don't make it, I will definitely take the exam again (at full price), now know what to expect.


kilala.nl tags: , ,

View or add comments (curr. 0)

Almost time for another Beta exam: CompTIA CySA+

2019-12-05 09:31:00

I've got my exam planned for Monday and I'm looking forward to it. I'll mostly treat it as a recon mission, doing it part for fun and part to see if I'd like to take the exam "for real" should I not pass.

I've got a sneaking suspicion I won't pass this time around though (unlike the Linux+, Pentest+ and CFR-310 betas) because my experience keeps tripping me up. Sounds like a #HumbleBrag, I know, sorry :D What I mean is that CompTIA mostly seems targeted at US-based SMB, while my experience comes from EU-based international enterprises. I've been doing a few of Jason Dion's test-exams for the previous version, to get into the right mindset, but I fail a lot of questions because of the aforementioned factors.

Well, let's see how it turns out. For now, I'll just go and have fun with it :)


kilala.nl tags: , ,

View or add comments (curr. 0)

In many cases, just cramming for an exam won't work

2019-11-18 20:44:00

Today, someone on Reddit posted the following question

"I have the [...] practice exams, I typed the entire [...] video course from YouTube and I just brought the exam cram book but no matter how much I study I don’t retain anything. Do you guys have tips?"

OP ran into the wall that is learning styles: cramming simply doesn't work for everybody! I'm no expert by any means, but I did explain the following:

It is entirely possible that your current method simply does not suit your personal learning style! If you start poking around the web a little bit, researching learning styles, you will find very quickly that there are many different methods!

You can try and keep brute-forcing your learning the way you have right now, but maybe that will simply not get the results you want. Why not have a think about your days in primary, middle and high school? What did the classes you did best in have in common?

Perhaps you're someone who simply needs something else than quiet self-study, taking notes while listening to a teacher.

Personally I have found that I put great importance on putting new information into context. I don't want to learn floating, individual topics, I want to put them into a context that I'm already familiar with, or build a context around them. This helps me better understand the new material's place. One thing that could help you with this is making mind maps.

Or perhaps you're someone who better learns by doing then by hearing. I understand that playing around with new tools and concepts in a lab can take a lot of time, but there's a reason why many books include lab exercises for the reader. It is often said that people learn <20% by hearing and >50% by doing.

Finally, it is also often said that one way to solidify and test your understanding of a subject, is to explain the topic to somebody else. If you can explain X or Y to a friend, your partner or a rubber ducky, then you can be sure that you've come to a proper understanding. Or perhaps you will find a few gaps in your knowledge that you need to fill out. Either way, it's a win-win.

 


kilala.nl tags: ,

View or add comments (curr. 0)

Network segmentation in the homelab

2019-03-01 22:36:00

My network layout

Continuing where I left off a few weeks ago, I've redone the network design for my homelab. When we last looked at the network, it was all flat with all VMs tucked in a single subnet behind a pfSense router. Because I want to work towards implementing the CSC in my lab, I've moved everything about quite a lot.


kilala.nl tags: , ,

View or add comments (curr. 0)

GIAC GCCC index and studying

2019-02-18 20:29:00

a stack of books

Ooofff!! I've spent the past three weeks building my personal index for the SANS SEC566 course books. It was quite a slog because the books are monotonous (twenty chapters with the exact same layout and structure), but I've made it through! 29 pages with 2030 keywords.

The index was built using the tried and true method made famous by Hacks4Pancakes and other InfoSec veterans.

Right after finishing the index I took my first practice exam and scored a 90%. That's a good start!


kilala.nl tags: , ,

View or add comments (curr. 2)

Older blog posts