SUPPLY CHAIN ATTACKS – THE DREAD OF BUSINESSES

Cyber world trending VSEC - BLOG

A supply chain attack is a cyber attack that targets an organization through its providers/vendors.

 

Current situation of supply chain attacks

A recent study shows that the supply chain attracts cyberattacks like a magnet. A whopping 97% of companies have been affected by supply chain attacks, with 93% of them admitting that they have been directly attacked due to vulnerabilities within the supply chain. According to an analysis by security provider Sonatype, these software supply chain attacks saw a staggering 650% increase in 2021, with Sonatype recording 12,000 incidents in the same year

“Supply chain attacks are terrifying because they are exceptionally challenging to deal with and because they demonstrate that you are placing your trust in the entire ecosystem,” said Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute.

With a well-planned attack, they can disrupt a provider’s consumer network, resulting in hundreds or even thousands of victims. In addition, any firm that develops software or hardware for other organizations might be a potential target for these attackers.

 

Common supply chain attacks

  • SolarWinds SUNBURST backdoor: On December 13, 2020, the SUNBURST backdoor was first revealed. The attack leveraged the widely used SolarWinds Orion IT management and monitoring software to develop a malicious trojan update. Its targets included services running Orion software and the U.S. Department of Commerce. Fortune 500 companies, telecommunications firms, other government agencies, and universities are also likely to be affected. Of particular concern within the SUNBURST backdoor was the targeting of dedicated servers, which are typically less frequently monitored. Preventing attacks like the SUNBURST backdoor requires constant monitoring at all levels of the corporate network.
  • Exploiting vulnerabilities in Log4j: Another way of implementing a supply chain attack is by exploiting vulnerabilities in open source software. Notably, there was an attack where hackers exploited vulnerabilities in Log4j. This attack allows hackers to execute code remotely, including the ability to take full control of the server. Log4j is a zero-day vulnerability that was discovered by hackers before the software provider became aware of it. Since this vulnerability is associated with a part of the open-source library, it could potentially impact any of the 3 billion devices running Java.
  • Attacks on Kaseya VSA Software: The primary goal of a supply chain assault is to exploit the weaknesses of suppliers in order to launch attacks on customers. That’s the method the Revil hacking collective employed when they targeted Kaseya VSA, a customer-facing remote monitoring and management service platform for IT infrastructure. By exploiting a vulnerability in the Kaseya VSA, REvil was able to send ransomware to 1,500 companies that are customers of Kaseya VSA.

 

 

  • Capital One attack and cloud infrastructure security flaws: Not all cyberattacks originate from highly organized groups of hackers; in the case of Capital One (USA), a former Amazon employee used his insider knowledge of Amazon Web Services (AWS) to fraudulently charge $100 million to customer credit cards. The attack demonstrated the risks associated with cloud computing.
  • Vulnerabilities on Personal and Third-Party Devices: In March 2022, American cybersecurity firm Okta disclosed that one of its vendors, Sitel, had been infected by a virus. via an employee using a laptop to perform customer service. Fortunately, the extent of the breach was limited, only two of Okta’s authentication systems were compromised, and no client data or settings were altered. However, through this incident, there is a risk that hackers would target devices belonging to subcontractors or employees who carry their own devices to launch more extensive attacks.

 

How to reduce the risk of cyberattacks on supply chains?

Cyber attacks are a constant threat, and every company and organization in the supply chain needs to be prepared for them. That’s why it’s so important for businesses to strengthen their network security defenses. Listed below is a remedy that institutions can do to shield themselves from and reduce the impact of cyber threats.

Carefully select your suppliers: It is imperative for businesses to verify that their vendors use certified security policies and infrastructure. This should be expressed explicitly in any cooperation agreement between the two parties.

Keep a close eye on software vendors: This is especially important for software with access privileges to company assets.

Restrict access to your data from third parties such as vendors and partners: Having fewer people with access to the data will make it easier to manage and prevent security breaches.

Safeguard the devices used by developers: Set up an endpoint protection platform and endpoint detection and response technologies to see any unusual activity and troubleshoot appropriately if necessary.

Education of staff, vendors, and associates: Organize training seminars to instruct workers on how to properly implement all of the company’s security measures, from password protection to technical assaults. All important matters should not be overlooked.

Always have a backup plan in unexpected cases: While no strategy can guarantee that a crisis won’t occur, you can prepare for it by having an event response plan ready to implement.

To ensure your clients’ faith and patronage of your services, VSEC is present 24/7 to improve the security of the IT infrastructure.

Source: ictvietnam, computerweekly, helpnetsecurity, gep.com

5 subdomain scanners to assist the pentest process

For pentester VSEC - BLOG

In recent years, finding subdomains has become an important part of the pentest process. This mission usually takes time and effort. However, the development of digital technology platforms has provided us with effective tools. This article will outline 5 subdomain scanners to assist in the pentest process.

Outstanding methods for finding subdomains

The finding of subdomains helps in analyzing the domain infrastructure of any company. Let’s find out the most common uses of these tools.

DNS audit

DNS attacks are becoming more and more common, however, most companies are not aware of this threat. Very few companies perform DNS audit regularly although it brings more good things than bad ones. DNS audit can help find DNS vulnerabilities, and update and patch them. In addition, this process can find unused subdomains or potentially vulnerable ones.

 

Domain Intelligence

Red teams often use subdomain discovery took kit in their infosec investigations, which frequently include a number of OSINT techniques. These subdomain enumeration tools detect information exposed to the public such as information about users, apps, or technologies being used in the system.

 

Vulnerability scanning

An extensive list of domain names along with their subdomains can bring a lot of benefits to the process of vulnerability scanning

 

How subdomain scanners work  

Querying search engines

We can use Google to search for subdomains of any domain. Just use the simple command line below:

site:vsec.com.vn -www

This command line will return all the domains indexed by Google.

Most of today’s tools use Google or Bing as built-in modules to assist in searching.

Performing brute force discovery

Some discovery tools use this method for improving search results. While it isn’t the quickest way to find subdomains, it can be one of the most accurate

TLS/SSL information

SSl/TLS certificates are not only useful for encrypting data sent and received between browsers and servers, but it’s also helpful for pentester.

Subject Alternate name (SAN) of SSL/TLS certificate can be used to extract domain and subdomain names

 

Top 5 subdomain scanners (terminal-based)

  1. AMASS

Developed on the Go lang platform, it’s one of the most effective tools in discovering large numbers of subdomain

AMASS uses a variety of subdomain mapping techniques including scraping, recursive brute force, reverse DNS sweeping, and Machine Learning to get the best result. Installing AMASS is quite easy. Installation instructions and manual are available at:  https://github.com/OWASP/Amass

Or can install by using snap (on Kali Linux and other Linux distros), by a command line: snap install amass

After installing, you can use the simple command below to search subdomain: amass enum -d example.com

Result:

User manual: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md

 

  1. SubBrute

This is one of the fastest subdomain discovery tools. One of its coolest features is the ability to conceal the origin of the subdomain scanning itself, by using open resolvers as proxy to DNS rate-limit. 

It can also work as a DNS spider that recursively crawls enumerated DNS records.

SubBrute supports filtering DNS records. For example, if you need to get only TXT records from any given domain name, you can use the –type option:

./subbrute.py -s google.names google.com –type TXT

Another great thing about SubBrute is the fact that it can be integrated into your own python scripts by using the subbrute.run() function. For example:

import subbrute

for d in subbrute.run (“yahoo.com”):

print(d)

For advanced usage, simply run: ./subbrute -h

 

  1. Sublist3r

Sublist3r is another Python-based tool that can be used as a massive subdomain scanner. It’s widely used by bug bounty hunters, as well as blue and red teams across the globe for subdomain data collection.

By querying search engines such as Bing, Yahoo, Google, Baidu, and other 3rd party sources like Netcraft or VirusTotal subdomain database, it can be one of the most effective and fastest tools around when you want to find subdomains.

Sublist3r minimum requirements are Python2 or Python3 versions.

Python 2 recommended version: 2.7.x

Python 3 recommended version: 3.4.x

To get started, you’ll need to clone the Git repo, and then run the installation for some of the dependencies with pip:

pip install -r requirements.txt

That’s it. Now you can perform subdomain scanning tasks:

./sublist3r.py -d securitytrails.com

Expected output:

Github: https://github.com/aboul3la/Sublist3r

 

4. DNSRecon

DNSRecon is one of the most well-known domain reconnaissance scripts. As with almost every other one on this list, it’s written in Python.

It works by checking all NS records for AXFR zone transfers and can be very useful in DNS enumeration for almost any type of record, including MX, SOA, NS, TXT, SPF, and SRV.

It also supports wildcard resolution checking and brute force-based discovery for A and AAAA type-records with wordlists. It can also query Google Dorks to fetch indexed subdomains by GoogleBot.

After downloading the DNSRecon package, you’ll need to install a few required packages with pip:

pip install -r requirements.txt

Then you are ready to test it: :

./dnsrecon.py -d securitytrails.com

Result

Github: https://github.com/darkoperator/dnsrecon

 

5. AltDNS

AltDNS is a subdomain discovery tool based on work with alterations and permutations.

By setting your own wordlist (or using the default wordlist at default altdns/words.tx), as well as using a list of confirmed subdomains, you can run the script to generate both altered or mutated results that may be present in the domain name.

It includes a dataset of 200+ subdomains that can be used to churn out valid subdomains.

After cloning the git project, install requested packages through pip:

pip install -r request.txt

Then you are ready to start using AltDNS:

./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

Note: subdomains.txt is the actual subdomain list you know already exists, and words.txt is AltDNS’s own wordlist.

You can expect the output to look like this:

MIPS Assembly Language (P2)

Security for Newbie VSEC - BLOG

Gone is the one… the autumn coat is folded

Still hiding a bit of golden sunlight in the flap

My sorrow growing on branches as leaves

Not fall off quickly but wait for another autumn

Hello everyone, it’s me again, an amateur entering the field. Lately, due to being swamped with company projects, I haven’t had the time to explore and write blog anymore . But today, on the occasion of a leisurely day, just like my single status during the winter season – I take some time to continue this ongoing series, hoping you’ll continue reading?).

Arithmetic Computational Instructions.

Addition Instruction.

As far as I know, it includes:

Instruction Example Meaning
add add $1,$2,$3 $1=$2+$3
add immediate addi $1,$2,100 $1=$2+100 It means addition with constant numbers
add unsigned addu $1,$2,$3 $1=$2+$3 Unsigned integer addition,
add immediate unsigned addiu $1,$2,100 $1=$2+100 Unsigned integer addition,

 

Syntax:

For add, addu: <instruction name> <destination register>, <source register 1>, <source register 2>

For addi, addiu: <instruction name> <destination register>, <source register 1>, <constant number>

Specific example:

Compiling the above .c file with the MIPS architecture as follows:

mips-linux-gnu-gcc -O3 -S -mfp32 -march=mips32 Sum.c

Image when compiled to MIPS Assembly.

Why do I declare a signed int, but the assembly output uses addiu? From what I’ve briefly researched online, most compilers tend to use addu and addiu to avoid “overflow” traps. The add and addi instructions seem to be used only when manually coding or in ISAs like x86, ARM…

Subtraction Instruction.

Instruction Example Meaning
subtract sub $1,$2,$3 $1=$2-$3
subtract unsigned subu $1,$2,$3 $1=$2-$3 Unsigned integer subtraction

Syntax:

sub,subu: <instruction name > <destination register> , <register 1>, < register 2>

Specific example: 

Image when compiled to MIPS Assembly.

Multiplication Instruction.

Instruction Example Meaning
Multiply (withoutoverflow) mul $1,$2,$3 $1=$2*$3 Result fits in 32 bits.
Multiply mult $2,$3 $hi,$low=$2*$3 High 32-bit overflow multiplication saved in hi register

Low 32 bits stored in low register.

Specific example:

Division Instruction

Lệnh Ví dụ Ý nghĩa
Divide div $2,$3 $hi,$low=$2/$3 Kết quả được lưu trong thanh ghi hi

Thươn số được lưu trong thanh ghi low

 

Alright, I’m too lazy to capture images for this part 😄. This is similar to the previous images anyway.

Logic Computational Instructions.

Instruction Example Meaning
and and $1,$2,$3 $1=$2&$3 Bitwise AND
or or $1,$2,$3 $1=$2|$3 Bitwise OR
xor xor $1,$2,$3 $1 = $2 ??$3 Bitwise XOR
nor nor $1,$2,$3 $1 = ~($2 | $3) not of OR Bitwise NOR
and immediate andi $1,$2,100 $1=$2&100 Bitwise AND register, constant number
or immediate or $1,$2,100 $1=$2|100 Bitwise OR register, constant number
xor immediate xori $1, $2,10 $1 = ~$2 &~10 Bitwise XOR register, constant number
shift left logical sll $1,$2,10 $1=$2<<10 Left shift
shift right logical srl $1,$2,10 $1=$2>>10 Right shift

Specific example.

Image when compiled to MIPS Assembly.

Ending Part 2 for the chilly winter here. See you in the next parts ^^.

Vu Van Tien ( aka n0_be3r )

MIPS Assembly Language (P1)

Security for Newbie VSEC - BLOG

First of all, I’d like to warmly welcome all of you who found out about my blog to read what I write here         ()ノシ. You might wonder why I’m writing about this MIPS assembly language, as it’s not exactly a new topic and I’m writing about it again 🙁. The reason here is that I’m currently interested in researching and exploring the intricacies of IoT devices (especially Wi-Fi routers). So, as you might already know, IoT devices often use the MIPS architecture for their RISC instruction set.

Speaking of instruction sets, there are two types: CISC and RISC.

  • CISC is mainly used in personal computers and servers because its instruction set is extensive and quite complex, leading to resource and power consumption. That’s why IoT devices aren’t so exciting?)
  • In contrast, RISC is less and simpler, consuming fewer resources and less power, making it suitable for IoT devices or mobile devices.

Enough of that babble, let’s dive into today’s main topic.

MIPS assembly language.

After several upgrades, MIPS now has two versions: 32-bit and 64-bit. However, this article and later I will concentrate solely on the 32-bit version because of the simplicity, and I’m also learning about it, so please understand ^^.

MIPS has a total of 32 registers for storing values, numbered from 0 to 31, along with a common convention when used. Among them, register 0 is always hard-assigned with the value 0.

Register Common Name Meaning
$0 $zero The registers always contain the value 0
$1 $at Reserved for assembler
$2 – $3 $v0,$v1 Saves the return values of a function
$4 – $7 $a0-$a3 Saves arguments passed to functions
$8 – $15 $t0 – $t7 Saves temporary variables
$16 – $23 $s0 – $s7 Saves register values
$24 – $25 $t8 – $t9 Similar to registers $8 – $15
$$26 -$27 $k0 – $k1 Reserved for kernel. Not for general use.
$28 $gp Points to the global area (Global Area Pointer)
$29 $sp Stack Pointer
$30 $fp Frame Pointer
$31 $rp Return Address

MIPS Instruction Format:

In some processors, particularly CISC processors, the size of an instruction varies based on the instruction itself and its operands.

However, MIPS, like most RISC processors, employs fixed-length instruction formats. All MIPS instructions are precisely 32 bits long. The fixed-length instructions provide the advantage of simpler instruction fetching, which translates to smaller and cheaper processors. Simpler and smaller leads to faster performance, lower power consumption, and reduced production costs.

Register Instructions:

Register instructions involve two source registers and one destination register.

Register Instruction Format.

Opcode Source 1 Source 2 Destination Shift Amount Function
000000 5 bits 5 bits 5 bits 5 bits 6 bits

 

Explanation:

Opcode (6 bits): This register contains 6 bits set to 0, indicating that this is a register instruction (RI).

Function (6 bits): This register uses 6 bits to differentiate between different instruction types.

Source 1, Source 2 (10 bits): These two registers, each consisting of 10 bits, represent the source registers used for performing computations.

Destination (5 bits): This field stores the computed result.

Shift Amount (5 bits): The number of bits to shift left or right when there’s a bit shift instruction

Example: add $t3, $t4, $t1

Where: $t3 = 11, $t4 = 12, $t1 = 9

000000 01100 01001 01011 00000 10000
RI $t4 $t1 $t3 unused add

 

Jump Instructions

Opcode Target Offset
0001xx 26 bits

 

In the case if the leftmost 6 bits are 00001x, then this is an unconditional jump instruction.

Example:

000010 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ j label

000011 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ jal label

 

Looking at this, you might wonder how, with 26 bits, it’s possible to jump to the 32-bit destination address. The target address expansion to 32 bits occurs dynamically at runtime when the jump instruction is executed. The destination address field converts to a 32-bit address, be occurs at runtime when the jump instruction is executed.

Coprocessor Instructions

If the leftmost 6 bits are 0100xx, the instruction is processed by the coprocessor (an extension for the basic MIPS CPU). The last two bits represent the coprocessor.

Opcode Source 1 Source 2 Destination Shift Amount Function
0100xx 5 bits 5 bits 5 bits 5 bits 6 bits

 

 

Immediate Instructions

If the leftmost 6 bits differ from all above, the instruction is used for the immediate format.

Immediate instructions use one source register, one destination register, and a 16-bit immediate operand.

The immediate operand is limited to 16 bits, allowing unsigned values from 0 to 65535 or signed values from -32768 to 32767 (MIPS processors use two’s complement for signed operands).

Opcode Source Destination Immediate Operand
0100xx 5 bits 5 bits 16 bits

 

For example: addi $t1, $t5, 7

Opcode Source Destination Immediate Operand
001000 sssss ttttt 0000000000000111
addi $t1 $t5 7

 

And that concludes the article. The main purpose of this piece was to provide a brief and general introduction to the MIPS assembly language. In the upcoming articles, I will explai the details of the instructions that I consider crucial within MIPS :D. This will be a long-term series, so if you find it informative, please giving me a like and subscribe ^^.

Reference link:

https://chortle.ccsu.edu/AssemblyTutorial/index.html

https://en.wikipedia.org/wiki/MIPS_architecture

The path from zero to a skilled pentester (part 1)

For pentester VSEC - BLOG

Perhaps this topic is the one that really impresses me. It’s October, the month that I feel warm and ambitious.

This is the sharing of my personal opinion, so if you have different ideas, please feel welcome to email me to discuss

I started as an IT specialist but security is my passion. I used to be a professional programmer and perhaps, my close friends and teachers at Ha Noi University of Science and Technology encouraged me to this field. It’s true that I hadn’t known anything about security before. So in my third year of university, as the requirement of my major, I joined a company for an internship and met my instructor there. This company specialized in information security, but in a short period of three months, I just got some basic stuff about DVWA (Damn Vulnerable Web App) from my instructor to study and attack. By chance, the company Director let me take a field trip for experience. There, I got acquainted with SIEM, to manage events by QRADA, … for a bank. Every day, I came to check the events and emailed my senior to notify me of any abnormalities. It might be a little boring that I decided to resign, frankly speaking, it was the end of my internship and I resigned. Realizing that it was time for further studying and practicing, I decided to pursue Information Security despite not being so sure of what this field was for.

After reading and researching, I found that IT is the broadest field. Information Security is narrower but still quite wide. Information Security is also divided into many areas. When I applied for an internship at the company where I’m working, I was oriented to Pentest (Penetration testing), and deeper into the website Pentest.

 

First, we need to understand what pentest is. Pentest stands for Penetration Testing, which means “An authorized simulated attack performed on a computer system to evaluate its security”. More simply, pen-testers can be considered as the hackers in black, wearing masks to attack the system. Such an explanation makes it easier to imagine. As far as my knowledge, pentest can be divided into 3 following areas:

  • Evaluation of network infrastructure: network structure, policies (firewall), logging, VPN, Router, Switch,…
  • Evaluation of servers system: Configuration, services update, patches, account and password policies, logging policies, authorization review, reserved capacity, load balancing, distributed database.
  • Evaluation of website apps: evaluation of vulnerabilities such as buffer overflow, SQL injection attack, and XSS,… evaluation of the checking of web source codes in order to identify problems on authentication, authorization, data verification, session management, and encryption. In my opinion, we should call this “apps evaluation” because, besides web apps, there are other ones such as mobile,… 

 

There are 2 concepts that many people may still be confused about vulnerability and threat.

  • Vulnerability: weak points in the system that can be exploited and manipulated to cause damage to the system
  • Threat: behaviors that are potentially harmful to the system,

So, What are the types of pentest?

  • Black box pentest: This is a kind of evaluation from the outside to the inside. Pentesters have no information about the target system other than what has been publicized. This is the most common type of attack.
  • Gray box pentest: Pentesters will be provided some or limited information about the target system
  • White box pentest: Evaluation from inside to the outside, Pentesters will be provided all system and network information such as: network infrastructure, source code, IP address details, OS, and policies,…

 

Next, I will discuss the procedure of an attack which can be summarized in three stages:

Prepare for attack:

  • Reconnaissance/Footprinting
  • Scanning

Conduct the attack

  • Gaining access
  • Maintaining access

Clearing tracks

In details:

Reconnaissance/Footprinting
  • Actions of the attacker to gather information about the system: users, customers, business activities, organizational information…
  • Can be repeated periodically until there is an easier chance to attack
  • Active reconnaissance: Interact with the target
  • Passive reconnaissance: not interact with the target: Social Engineering
  • Search engine: Google, Shodan, Censys
  • Information from social networks: Facebook, Twitter, Linkedin
  • Email reconnaissance: whois/smartphones, Email Extractor
  • Internet connection reconnaissance: traceroute
  • DNS information: dnsenum / nslookup, dnswatch.info
  • File robots.txt: This is the file for… Google
  • What web
  • DNS-enum
  • The harvester: gathering emails, names, subdomains, Ips, and ULRs
  • Email extractor

 

Scanning
  • Scanning to identify information of the system based on information gathered from the reconnaissance stage
  • The attacker will get an in-depth and more detailed view of the system: services provided, open service ports, IPs, OS, and software.
  • Extraction information from this stage allows the attackers to plan details for the attack.

 

Gaining Access
  • The attackers with information gathered from the previous stage will conduct the attack on the system to gain access using web security gaps such as SQLi, RCE,…

 

Maintaining Access
  • Once access has been gained, the attacker will use some techniques to maintain access without relaunching the attack such as creating a back door, opening a network connection,…

 

Clearing Tracks 
  • This is an important stage to clear tracks of your penetration into the system so that no one can detect it. It will be very difficult for the investigator to identify who you are or what you have done as you have deleted the system logs,…

 

Seem like a lot of theories, but it’s the door to Pentester

For myself, first, I did a thorough research about the above contents. Next is to choose the way and I have chosen the mobile and website application Pentest.

In this section, my presentation about the path focuses on the evaluation of website applications.

During the internship at the company, I first learned about the network starting with OSI and TCP/IP reference model, the TCP three-way handshake process, using Wireshark, nmap, hping.

This is the introduction step about the network. Going deeper into the website, you need to understand website technology, Client, Server, HTTP protocol, URL, URI, and what headers in HTTP protocol are used for.

The first book I came across was:

“The Web Application Hacker’s Handbook”.

Theory should be combined with practice to study and install environments such as DVWA, BWAPP (I found it far more interesting and difficult than DVWA),… Finishing BWAPP, you will have the background knowledge because BWAPP follows the OWASP assessment standard, the famous name is OWASP Top Ten. By trying to study these labs and always asking “Why”, you will get a better understanding.

If you don’t want to build a lab, you can learn here, There’s a lab and tutorial, and I think they are quite good:  

https://portswigger.net/web-security

After gaining enough background knowledge, you can take CTF tests to improve your skills.

I personally go straight forward to bug bounty programs instead of taking CTF. These programs offer rewards when you find bugs and report to them. The most important thing here is “money”- which motivated me to fight. Right, when you have high motivation, you will try and fight with all your best. When first joining such programs,  you should choose easy targets for gradual learning. In my case, the company had this kind of program in private form for people to participate. In addition, there are public programs in Vietnam that you can find out for yourself, In the world, some famous programs are:

https://hackerone.com/

https://www.bugcrowd.com/

One more thing, You guys who have been reading my blog can see that I always talk about CVE, right? CVE seemed too luxurious for me before, but I have overcome myself and improved my knowledge to look for it and find open sources to install and run it. The most important thing is to choose my favorite language. I personally prefer PHP,… with CMS like WorldPress, Joomla!, Drupal,…

In addition to CVE, you can pursue more advanced education for such certificates as OSCP, OSCE, AWAE,… or learn about other certificates like GPEN,…

There is a very valuable information source on GitHub:

https://github.com/swisskyrepo/PayloadsAllTheThings

Maybe, it is mind

https://github.com/HoangKien1020/pentest

TOP 4 RANSOMWARE VULNERABILITIES EXPOSING YOUR COMPANY AT RISK

Cyber world trending VSEC - BLOG

In 2023, there are two organization groups: those having been attacked by ransomware and those that will shortly be targeted. The current state of cybersecurity resembles an ongoing cyber arms race between ransomware groups and cybersecurity professionals. Experts in cybersecurity have developed the necessary tools and strategies to combat ransomware groups. This cat-and-mouse game is an endless war of attrition with no distinct victor. While in some aspects the situations are probably out of the IT team’s control, there are a number of measures that can be taken to reduce the risks of successful ransomware attacks.

According to research from Securin, hundreds of organizations’ security vulnerabilities are asserted to be exposed. A brief overview of the four most prevalent categories that should be well aware of is listed as follows.

 

1- Vulnerability allowing intruders to enter the network

According to the research conducted by Securin, external tele services, VPNs, and public apps contain 133 ransomware-related vulnerabilities that can be exploited for initial access.

External tele services including Windows Server Message Block (SMB) and Microsoft Remote Desktop Protocol, since the pandemic’s outbreak and the evolution of work-from-home (WFH), have become more common. Some of them with misconfigurations or popular exploited technology, are easily attacked. For instance, one of the largest ransomware attacks in history, WannaCry in 2017, exploited the SMB vulnerability. In addition to the Log4Shell vulnerability affecting 176 products from 21 vendors and having been exploited by six ransomware groups, including Conti and AvosLocker, there are many other unpatched ones.

 

2- Vulnerability requiring user’s action

It is noted that “vulnerability” not only relates to software or hardware problems but also to user mistakes. In fact, a significant proportion of ransomware attacks result from this factor. By acting as a friend, colleague, or supervisor of the victim for example, ransomware groups are able to achieve their objectives. Users may inadvertently enter malicious code when accessing email attachments, links, or files. Unfortunately, users become more observant. Now it is the turn of the thief to modify their tools.

The human problem requires human solution response: intensive face-to-face proper training in which IT team members instruct employees from other departments on how to identify potential threats (and what to do if they accidentally allow someone into the system). It is imperative that IT departments stay social-technology-trend-updated and routinely inform the company of what to be cautious.

 

3- Vulnerability allowing advanced access

The vulnerabilities that have been discussed thus far mention methods hackers attempt to breach into your network. Sadly, it is usually the first step only. Once hackers have exploited vulnerabilities to gain access to your system, they can exploit additional vulnerabilities— those permit privilege escalations—to execute malicious software and take deeper control of the network. In other words, if the hackers have enough understanding of active vulnerabilities in your system, they can approach a restricted account and become an admin whose access to more sensitive data.

According to Securin’s research mentioned above, there are 75 ransomware-related vulnerabilities that could allow ransomware groups to escalate privileges and facilitate movement across organizational domains, including the Privilege Escalation attack of Windows CLFS and Microsoft Exchange Server.

 

4- Vulnerability allowing stealthy access

Hackers have been employing techniques such as disabling security software or preventing script execution from breaking into vulnerable networks without being detected. Mark-of-the-web bypass (T1553.005), is a typical example that ransomware groups apply to exploit certain file formats and override controls.

Or, BlackByte, a new ransomware group about which the FBI issued a warning last year, according to ZDNet, is famous for a technique “allowing attacks to bypass security products’ detection by exploiting vulnerabilities in more than 1,000 drivers of anti-virus software.” This issue, considered as “Bring your own drivers”, shows a significant and alarming aspect during the war against ransomware attacks.

Ransomware considerably increases and every organization, regardless of field or size, may face such attacks as no system could guarantee to be completely protected. What organizations can do is avoid simple errors through appropriate employee training, a deeper understanding of their systems’ vulnerabilities, and appropriate solutions. The war against ransomware may not end soon, but we can take measures to limit the losses.

According to Cyber Security

$4,000 salary is not difficult if you have these 5 important cybersecurity certifications

Outstanding Security for Newbie VSEC - BLOG

Up to now, cybersecurity has been globally recognized as a “hot” major in the field of information technology and has attracted a lot of attention from youngsters as well as domestic and international corporations. Besides, the salary of a cybersecurity staff can rise up to tens of thousands of dollars. Having certified can contribute to enhancing both your skillset and earning.

At the global workshop and exhibition on the safety of cyberspace (Vietnam Security Summit 2021), cybersecurity experts see that Vietnam belongs to a group that has a high rate of malware infection and cyberbullying suffering. Criminal activities in cyberspace also tend to increase. 

However, these days, human resources for the need of cybersecurity seem to be in contrast to the risks of information security and safety. The lack of human resources mostly comes from a group of those who are high-qualified information safety experts. So, what is crucial to becoming a Vietnamese cybersecurity engineer and professor?

In order to make a more clear-cut vision and be well-prepared for the future, VSEC specialists suggest 5 “must-have” fundamental certifications for a cyber safety professor:

1. Offensive Security Certified Professional (OSCP)

OSCP Certification

White hat hackers all rate OSCP as the most difficult cybersecurity certification exam. OSCP is a rigorous, real-world test for penetration testers who want to seek promotions for their careers. To join OSCP, you must have extensive experience in cybersecurity. Sure, you need knowledge of a programming language like Python as well as basic Linux skills. You also need to know about TCP/IP networking.

VSEC Specialist Comments on OSCP Certification

2. Certified Information Systems Security Professional (CISSP)

Even though the OSCP exam is the hardest due to time limitations and practical approaches, CISSP is regarded as the best of cybersecurity certification. CISSP is for those who want to examine the intruding ability and cyber safety experts who crave to keep the gold standard of the excellence of cybersecurity certification. 

The CISSP exam has 100-150 multiple-choice and “advanced” questions, lasting 3 hours. 

The passing score is 700 out of 1000.

CISSP Certification

3. Offensive Security Web Expert (OSWE)

The OSWE certification is one of the security certifications of Offensive Security – an American international company operating in the fields of information security, penetration testing, and digital forensics. The OSWE certification is invaluable to any individual pursuing a career in web application security.

OSWE Certification

4. Certified Ethical Hacker (CEH)

The CEH is an intermediate-level certification issued by the International Council of Electronic Commerce Consultants (EC-Council) that any IT professional who wants to pursue a career in security needs to equip themselves. CEH-certified professionals have knowledge and skills in areas such as network exploratory testing, investigations, Trojans, viruses, system attack prevention, home page attacks, wireless and other web applications, SQL penetration, cryptography, penetration testing, IDS evasion, firewalls, etc.

In order to sit on this exam, you need to be CEH trained first. The exam also includes 125 questions and lasts for 4 hours.

CEH Certification

5. Computer Hacking Forensics Investigator (CHFI)

CHFI is a professional security certification with the skills and knowledge to detect and analyze complex digital evidence. This is a difficult exam, but the time is shorter and less intense than the above exams.

CHFI Certification

 

The Vietnamese Security Company Network” (VSEC) with 20 years of experience is a member of the G-Group technology group (which was voted to be the best place to work in Asia for 2 years consecutively by HR Asia magazine). VSEC has a team of leading experts and has achieved many achievements in the international market–leading innovation in the field of investigation and analysis of information security threats. VSEC is also the first unit to conduct information security assessment in Vietnam, and the first Vietnamese security service provider who obtain CREST certification for security assessment services – Pentest and Supervisor. information security monitoring – SOC. VSEC has cooperated to organize Training – Rehearsals for many large domestic units such as Electricity of Vietnam and its member units, the Ministry of Health, the State Bank, Ministries and departments of provinces and cities,…”

Cloud Data Security – Not the responsibility of any individual

Outstanding Security on Cloud VSEC - BLOG

On May 13th, The Vietnamese Security Network Joint Stock Company (VSEC), in collaboration with CIO Vietnam community and Noventiq, organized a sharing and practical session on solving cybersecurity incidents in the Azure cloud computing platform. The event was attended by representatives from the Department of Information Security, Ministry of Information and Communications, who shared about security policies in cloud computing environment for businesses.

In addition to providing general updates on global security trends and emphasizing the importance of digital transformation to the cloud computing environment, participants also gained a clearer insight into the community activities of CIO Vietnam, policies and regulations ensuring Information Security when using cloud, and NIST framework aiding organizations in arranging security operations, and the tools that Microsoft equips in Azure environment.

On May 13th, 2023, the “Cyber Security in the Cloud” Boot Camps were held in Ho Chi Minh City.

Regarding the issue of many participants was interested in during the process of digital transformation to the cloud environment, such as regulations on data management in the cloud environment. Mr. Tran Nguyen Chung, the Head of Information System Security Department at the Department of Information Security, shared insights from the perspective of the regulatory agency, the information security is a core issue for successful digital transformation, it is as the brake that facilitates the achievement of digital transformation, rather than being an obstacle. He also recommended that businesses ensure various considerations while utilizing the cloud, such as: Assessing the current situation – actual needs to choose the appropriate cloud model, adhering to regulations and documents issued by Government Authorities, following data center standards, complying with the 4-layer management regulations to enhance the capabilities of organizations, agencies, organizations, etc. and adhering to data sovereignty regulations to promote transparency in data and safeguard the interests of businesses.

With the two documents that the Department of Information Security has advised the Ministry of Information and Communications for issuance, namely Document No. 1145/BTTTT-CATTT dated April 3rd, 2020, regarding guidelines for criteria and technical indicators to assess and select cloud computing platform solutions for E-Government/E-Administration, and Document No. 2612/BTTTT-CATTT dated July 17th, 2021, concerning the supplementation of criteria and indicators to assess and select cloud computing platform solutions for E-Government/E-Administration, these two documents assist enterprises in ensuring network information security issues during the digital transformation process, up to the present time.

Mr. Tran Nguyen Chung, Head of the Information System Security Department, Department of Information Security, shared his insights at Boot Camps.

In response to questions regarding data security in the cloud environment, both Mr. Chung and Mr. Huan Tran – Chairman of CIO Vietnam, emphasized that whether the data on the cloud is the original or backup version, it’s essential to consider whether the data is usable or not. The responsibility for data storage is not solely assumed by the cloud computing service provider; rather, enterprises and their IT teams also must actively backup and safeguard their own data systems.

From another perspective, the responsibility for the exploitation of user data originating from any business lies primarily with the entity that owns the customer data rather than solely attributing the responsibility to the unit entrusted with storage. Mr. Huan Tran shared, “As time goes by, the act of collecting data for competitive advantage will progressively tighten; this is no longer a new concept worldwide. Customer data ownership belongs to the customers. When customers entrust us with their data in exchange for enhanced services, the responsibility of the exploiting entity is to ensure proper and secure usage in order to retain the trust of users.” Therefore, proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during the safe digital transformation process.

Proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during the safe digital transformation process” – Mr. Huan Tran – Chairman of CIO Vietnam stated.

In the role of an information security management service provider, Mr. Le Minh Quy  – Senior solution consultant, raises the question about the awareness of information security within businesses. With 20 years of conducting security audits in various companies of both large and small scales, VSEC has observed that sometimes the most unforeseeable vulnerabilities are located in what appears to be the most secure positions, which might not be apparent without scanning thoroughly. It could be the network system, misconfigurations during cloud migration, etc. or simply due to the lack of information and knowledge, practical drills related to information security for the “human” aspect – the employees in the organization.

“In a cybersecurity survey conducted among end users, despite having awareness of information security issues, up to 45% of respondents still clicked on phishing links. In many cases, ransomware doesn’t directly come from hackers, but hackers will attack a specific object or employee, thereby infiltrate the company’s systems from there. Humans are considered the “weakest link” in information security management.” Mr. Le Minh Quy from VSEC said.

Mr. Le Minh Quy – VSEC Security Solution Consultant shared about information security issues during the digital transformation process at Boot Camps

Despite significant investments in information technology systems with substantial costs, neglecting the human factor could pose hidden risks that businesses should not overlook. Therefore, equipping businesses with information security training and drills is a necessary proactive measure, depending on each enterprise’s scale. Similar to the challenges that startups in Vietnam currently face, which involve reducing or even cutting costs for security audits and enhancing security features in applications to ensure solution, application delivery time and optimize operating costs. Mr. Tran Thanh Long, CEO of VSEC, and Mr. Huan Tran both agree that opting for cloud environments to expedite development while disregarding cybersecurity is a difficult dilemma for startups.

However, startups or businesses investing in cloud-based services can consider the option of investing each step or each important segment in high-security measures. Moreover, the crucial aspect is that when startups complete their offering service to Big ENT, the question these enterprises raise revolves around whether the product adheres to specific security standards, whether there are any cybersecurity risks, and so on, rather than solely focusing on the product’s features. Thus, it can be acknowledged that network security and information safety will remain the foremost concerns that businesses need to carefully consider during the service development and cloud transformation process.

Mr. Pham Minh Sang – Representative of Novetiq

Mr. Vu The Hai – Head of VSEC Security Monitoring Center  – guiding the participating units before participating in the Practical Training Session.

During the final session of the event, representatives from both Noventiq and VSEC also shared about the security tools equipped in the Azure system – Microsoft 365 Defender, which is developed based on the core value of the Zero Trust model. Participants gained detailed information about the operational model of the service and, in particular, had the opportunity to directly experience practicing malware scanning, detecting, and handling malicious code in the cloud environment.

The participating units engaged in practical drills on the training field

According to VSEC

Which type of Network Security Operation and Monitoring Center is suitable for the Banking – Finance sector?

Outstanding Security for Newbie VSEC - BLOG

The Security Operations Center – SOC – assumes the role of detecting and handling attacks in the fastest way to reduce risks to the enterprise’s information technology system. Especially for Banking and Finance units, which are the top targets of hackers. Depending on the size of the IT system, and human resources, which models of SOC centers will be reviewed for use by these units?

In developed countries, SOC (Security Operations Center) is very familiar to government agencies, large enterprises, banks, and financial institutions. Since the early years of the 21st century, Asian businesses have tended to use SOC as an indispensable part of their information technology system. However, this model has not been applied much in Vietnam due to cost and lack of specialized personnel

Each unit can develop a different SOC model; however, it is aimed at meeting the security needs of enterprises in general. Thanks to large transaction volume, multi-point connection, and rapid development of digital banking, mobile banking, virtual payment, etc., the SOC model for the financial and banking sector has to be designed to be better suitable to the system scale

5 levels of SOC center

  • Level 1: Basic Detection & Prevention
  • Level 2: Context, Control & Coverage,
  • Level 3: Basic Hunting & APT,
  • Level 4: Remediation
  • Level 5: Deep Hunting

For each of these levels, the business operator will need a team of staff with similar levels of expertise; namely warning and monitoring, prevention staff, and staff with more complex levels of analysts, other than threat researchers and threat hunters

On average, a SOC center will need a minimum of 10 to 20 personnel to undertake specialized work. The more complex the SOC model, the larger the number of employees, and the more challenging the cost for managers. Because the payment is not only salaries for the expert but also the cost of recruiting and hiring people from the initial stage of SOC development. As a result, the world has divided into 3 SOC models that according to Gartner, businesses can choose, namely: fully insourced, fully outsourced, and Hybrid/co-managed SOC

Whether it is fully insourced or hybrid/co-managed SOC, business managers must also pay attention to the costs of maintaining personnel and investing in equipment and technology. Even though a new SOC system is being planned, the business has to pay the cost of designers and developing the operating model before it can achieve measurable effects. Therefore, banks and financial institutions do not always build a fully insourced or hybrid/co-managed SOC even with large capital.

Fully outsourced model – VSEC

“In 20 years of providing security services in Vietnam, serving more than 50% of banks and financial institutions, we believe that fully outsourced SCO can satisfy the story of optimizing financial resources and investment for businesses. We can spend thousands of hours to save technology systems after an attack, but it only takes less than 4 hours to find and stop threats through the SOC center” – Mr. Vu The Hai, SOC Manager of VSEC shared.

VSEC – Vietnamese Security Network Joint Stock Company expands the scope of service provision in accordance with the criteria of MSSP – Managed Security Service Provider – A comprehensive security service provider in Vietnam. VSEC’s SOC Center is also the first SOC center in Vietnam to receive a CREST certificate – meeting international standards in terms of expert competence, professional experience, technological capabilities, policies, and procedures. Processes and professional ethics related to the provision of SOC center services. Not only providing a complete solution of SOC, but VSEC can also consult, train, and test international standard SOC model in accordance with the needs of each business.

Security Operations Center – SOC -VSEC

According to ictnews: https://ictnews.vietnamnet.vn/cuoc-song-so/loai-hinh-trung-tam-van-hanh-va-giam-sat-an-ninh-mang-nao-phu-hop-voi-doanh-nghiep-tai-chinh-ngan-hang-418237.html

 

SOC Intern (HN)

Tech Job EN
  1. Job description:
  • Learn and perform analysis and handling of cyber attacks such as web application attacks, account attacks, malware, etc.
  • Learn and participate in the research of new attack techniques, develop a code of detecting attack techniques.
  • Learn and participate in the administration of SOC’s technology systems and solutions: SIEM, SOAR, TIP,….

 

  1. Job requirements:
  • Senior students majoring in Information Security/IT; Having a certificate or having completed a CEH course is an advantage.
  • Have basic knowledge of operating systems, Windows and Linux operating systems administration.
  • Have basic knowledge about network: OSI model, TCP/IP, IP protocols.
  • Learn and have basic programming ability in any language: C/C++, C#, Python, Java,…

 

  1. Benefits:
  • Internship certificate and wages.
  • Participating in real projects, professional working process and clear and methodical training route.
  • Opportunity to become a full-time employee with competitive salary and good benefits.
  • Professional, modern and dynamic working environment; Friendly, open-minded colleagues.
  • Opportunity to become a member of VSEC’s successor team project with attractive remuneration and the company creates all resources to develop.
  • Enjoy other benefits according to the company’s regulations.

 

  1. Contact:
  • Human Resources Department – hr@vsec.com.vn
  • Address: Hanoi: M Floor, N01A Golden land Building, 275 Nguyen Trai, Thanh Xuan Trung Ward, Thanh Xuan District, Hanoi City.

How did I pass the OSCP certificate?

Security for Newbie VSEC - BLOG

Hi, it’s time we meet again, I make a new blog at the end of the month. This time the theme will be a little different. Basically at the beginning of this June, after a year of so-called temporary graduation, I took the first security exam in my life, which was OSCP, and fortunately, without humiliating myself, I passed:’ >. So this post will be about my recent OSCP experience and the takeaways from it. Hope this information is useful

 

OSCP Examination

First of all, what is OSCP? Offensive Security Certified Professional (OSCP) is a certification program that focuses on security testing and attack skills. It consists of 2 parts: a pentest lasts within 23 hours and 45 minutes and a report submitted within 24 hours after that. OSCP is a very practical test.

So why should you take the OSCP test? I have 2 main reasons:

  • To learn and improve knowledge and skills about security testing. As mentioned in the previous post, I just switched to Pentest recently, so I need something more oriented about this area. When you register for the test, you will be able to experience more than 54 very practical labs and have a very clear and specific set of instructions.
  • To increase salary (of course). Last time, there was an article from Cyradar that said that OSCP certification helps increase salary by 200%. OSCP is now a rising certificate, because of its practicality and difficulty. It is ranked in the TOP 5 desirable and necessary pentest certificates for pentester. It will greatly increase your self-worth because besides CEH, this is a required certificate for many contractors.

The skills you will acquire through the OSCP course:

– Passive Information Gathering

– Active Information Gathering

– Vulnerability Scanning

– Buffer Overflows

– Working with Exploits

– File Transfers

– Privilege Escalation

– Client-Side Attack

– Web Application Attacks

– Password Attacks

– Port Redirection and Tunneling

– The Metasploit Framework

– Bypassing Antivirus

My OSCP journey

Let’s go into the main part of this article. I will cover what I went through in the OSCP course and what I learned (experience and advice).

Because the company requires a certain employee to have an OSCP certificate, and if that employee has one, they will get a salary raise =))) and I feel that I am quite predestined with all kinds of tests, so I accept it :v

The journey will be divided into 3 main stages:

Preparation stage:

There are a few things you need to prepare before you register for the test.

First is the information about the certification, You must know what you are taking and what the test format is, right? It will be located here https://support.offensive-security.com/oscp-exam-guide/.

Second is the necessary knowledge and skills. When you register for the test, you will have to buy a package that includes the exam fee, Penetration Pentesting with Kali Course includes an 800+ page PDF and over 8 hours of video tutorials, and a VPN to connect you to the lab environment (the most valuable in the package). For Lab, you can buy 30-day, 60-day, or 90-day types depending on your intentions. I chose 60 days. Because time is money, before you buy this package, you need to prepare the right knowledge and spirit, otherwise, you will be overwhelmed (like me) in terms of knowledge and skills, and in those 60 days, I’m sure you will not have enough time to practice enough for the test. Because at school, I have been taught and practiced these things, I am quite familiar so I am not surprised.

 

So what you need to prepare in terms of knowledge is:

  • Linux and Windows environments. This is what I consider the most important. You need to have knowledge and familiarity when working with both Windows and Linux environments, especially Command Line Interface on Linux because that’s where you work the most, especially Kali. If you are new, this book may come in handy: Kali Linux Revealed.
  • Basic programming skills. This includes reading, understanding, and being able to modify Python, Bash, Perl code, etc. You won’t need to write a complete exploit, but you should at least understand how it works. There are millions of websites out there that can help you get familiar with Python. Before I jumped straight into it, I didn’t have a very useful method :v
  • Web Application Attacks (SQLi, Local File Inclusion, Remote File Inclusion, Command Injection, …), In the labs you will have to exploit mainly Web Applications, so you need to have a certain understanding of these types of attacks. Web Application Hackers Handbook, this book is very useful for those who are new to this problem.
  • Tools that run on Kali/Linux: The last thing is that you need to be familiar with or at least know how the tools work – which you need to rely on to be able to complete the test. Some tools you need to know are Metasploit, Nmap, and Netcat.
  • Get familiar with the lab environment: To avoid being surprised when attacking a computer. You can familiarize yourself with the labs similar to OSCP on Hack The Box, or refer to the link here OSCP Like Vulnerable Machines List by abatchy.

 

Before taking the test stage:

Once you’re confident and mentally prepared, you can register to get started on the Offensive Security homepage. After you sign up for the lab term, on the day you sign up, you’ll receive an email with course materials and instructions for connecting to the lab environment.

I don’t know about you, but I always have the habit of having basic knowledge first, knowing what I have to do before I start doing it. So I divided this stage into 2 parts, theory and practice.

 

Theory:

I spent almost the first month just reading and studying the material provided. It includes an 800+ page PDF book and a set of accompanying visual videos. There are also Exercises in the book at the end of each section, if you do all the work and submit the reports you will get 5 extra points of attendance on the final test result. My opinion about the document is that it is very complete, it is designed so that a complete beginner can get the most basic knowledge, and it is also very broad and comprehensive in all areas. If there is no preparatory stage, you will really be overwhelmed by the amount of information it brings.

My advice and experience is that you may not need to see and know the whole thing, but you should read it once. You can skip the parts you think you already know, and read the parts that feel new to you. Because there are information and tools in the material that are very good and useful, which will directly help you do the lab exercises and tests easier.

 

Practice:

This is the most valuable part of the whole package, according to the comments of most people. Because this is what helps you prepare for your test, it can also serve as a sample question.

There are a total of 57 public servers for you to attack, and in addition, there are 3 internal servers that you can pivot to when you get the keys from a certain public computer. During the lab time, I was able to root about 52/57 computers.

 

My learned experience is that:

  • You should start with Alpha and Beta machines first, with IPs of .71 and .72. Because these are samples, there are sample reports on the student’s forum that are very detailed on the approach and methodology to attack and gain permission to a server.
  • There are 2 keywords you always need to remember which are “Enumerate more” and “Try Harder”. Really after you finish this one, you’ll definitely stick to these two phrases, because they’re the keywords every time you get stuck somewhere. Sometimes it’s only a hidden port away before you find the answer or sub-directories that you haven’t enumerated yet. Regarding enumerations, I found a pretty good and detailed tool that helped me with one computer for the final test: https://github.com/Tib3rius/AutoRecon.
  • Always take note of what you find and achieve. I have an Excel file to record what I enumerated, as well as the exploit code I used to exploit and gain permission. Because there are some computers that require you to hack into another machine in order for you to access it. This will make it easier to go back to that computer and know the link between each computer to go back to.
  • You can refer to the student’s forum for instructions if you are stuck somewhere for too long. There are posts to discuss each computer, or you can also inbox your fellow test takers for more approaches. However, you should not abuse it, because you will not have it when you take the test.
  • Always revert a computer before doing it. Because you are not the only one accessing that lab environment. You should revert to what others have done on it before to make sure the environment is as clean as possible.

 

On the test day:

Before the test day, you should prepare very carefully, both physically and mentally. Because it’s a 24-hour test. No help, no suggestions, just you and your supervisor.

Prepare your health, food, and drink plan you need to complete the test. Get enough sleep. For the duration of the test, you are allowed to leave your seat, move around, and rest. Don’t stress when you’re stuck somewhere, stop, pause, or switch to another computer. Never let stress, panic, and anxiety take over your mind. On the test day, during the first 12 hours, I didn’t have a shell on a single computer, everything was missing a tiny bit, and I swear you don’t know how much I swear on this question. After 3/4 of the time, it improved a bit when I finished each Buffer Overflow exercise (similar to drawing a function graph in the university entrance exam). But after I went out to breathe for about 20 minutes, I came back and suddenly I saw something I hadn’t seen before, and I found my reel again. As a result, I finished the test with only 1 computer that could not be rooted. One result I know is more than enough to pass. From there, I understood the two spells “Enumerate more” and “Try Harder”.

Within the next 24 hours, you must complete and submit a report, about the enumeration process as well as how you exploit and gain permission. The report requires specific screenshots and instructions to reproduce, so you must make sure to take pictures of the steps during the test, because when you finish the test, the VPN connection will be disconnected, and no there will be no chance for you to connect to the server to do it again.

And finally, after submitting the reports, the results will be available within 10 working days. And when the results come, yayyy, I finally have a chance to get a salary raise =))))

 

Conclusion

And in both the study and test process, always find enjoyment. There’s always a certain happiness either small or big when you learn something new, something that makes you surprised, or when you successfully root a computer that took you days to do. :’> So have fun.

Be Duy ( aka chalizard )