Hey, cyber enthusiasts! How are you doing, guys?
I’m great and ready to solve the challenges of the Advent of Cyber 2023. TryHackMe has released the task for day 12 of the Advent of Cyber 2023, so here I am with its walkthrough.
In this walkthrough, you’ll learn about intrusion detection and prevention, the Diamond Model, threat hunting, vulnerability access management, firewalls, and honeypots.
This room is straightforward, with only theoretical challenges. If you grasp the concepts, answering the questions will be easy for you.
I kindly request everyone to review their documentation. They have condensed these concepts into an easy-to-learn format that you can follow step by step.
Let’s directly move on to their challenges.
Which security model is being used to analyse the breach and defence strategies?
Diamond Model
The Diamond Model is a framework used to analyze and understand cyber threats, unravel the mysteries of adversary operations, and identify the elements used in an intrusion.
It consists of four key elements: adversaries, infrastructure, capabilities, and victims.
1. Adversary: This represents the attacker, their motivations, capabilities, and resources. Understanding the adversary helps predict their potential attack methods and target selection.
2. Infrastructure: This refers to the tools and resources used by the attacker, such as malware, hacking tools, and compromised systems. Analyzing the infrastructure helps identify the attack vectors and propagation paths.
3. Capability: This represents the specific actions and techniques the attacker employs to achieve their goals, such as deploying malware, exploiting vulnerabilities, or stealing data. Understanding the capabilities helps prioritize mitigation efforts and detect specific attack patterns.
4. Victim: This represents the target of the attack, including their systems, data, and vulnerabilities. Understanding the victim helps assess the potential impact of the attack and prioritize risk mitigation efforts.
Which defence capability is used to actively search for signs of malicious activity?
Threat hunting
Threat hunting is when computer security experts actively look for and root out cyber threats that have secretly penetrated their computer network. It involves looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities.
What are our main two infrastructure focuses? (Answer format: answer1 and answer2)
Firewall and Honeypot
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
A firewall can be hardware, software, software-as-a-service (SaaS), public cloud, or private cloud (virtual).
A honeypot is a network-attached system used as a trap for cyber-attackers, so that defenders can detect and study the tricks and types of attacks used by hackers.
It acts as a potential target on the internet and informs the defenders about any unauthorized attempt to access the information system.
Honeypots are mostly used by large companies and organizations involved in cybersecurity. They help cybersecurity researchers learn about the different types of attacks used by attackers. Honeypots come in various forms: software applications, servers, or entire networks.
Which firewall command is used to block traffic?
Deny
Enable firewall: sudo ufw enable
Allow incoming traffic on a specific port: sudo ufw allow [PORT]
Deny incoming traffic on a specific port: sudo ufw deny [PORT]
There is a flag in one of the stories. Can you find it?
It’s very easy to find the flag. First, perform a port scan using nmap.
nmap -A 10.10.176.122
We have two ports open.
Visit this link http://10.10.176.122:8090/ in your browser, and you’ll see that the page can’t be loaded. You have been given a username and password for the SSH login, so let’s use them.
ssh -l vantwinkle 10.10.176.122
Let’s explore the available files.
Let’s review the permissions granted to the user vantwinkle. All commands can be executed by the user vantwinkle.
To view the content of Van_Twinkle_rules.sh, first change the user to root by executing the command.
sudo su
We can see that the script is denying traffic on port 8090 with the command sudo ufw deny 8090/tcp.
Let’s change this command and allow port 8090 with the command
sudo ufw allow 8090/tcp
Now let’s visit this link http://10.10.176.122:8090/ again.
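The ufw commands above and the rules-script edit both come down to one question for a defender: which action does the firewall currently apply to a given port? The following added example (my own, not TryHackMe’s or the room’s code) parses the text that `sudo ufw status` prints and checks it against an expected state; the status output below is constructed, not captured from the room’s machine.

```sh
#!/bin/sh
# Constructed sample of `sudo ufw status` output. On a real host, replace with:
#   UFW_STATUS=$(sudo ufw status)
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8090/tcp                   DENY        Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8090/tcp (v6)              DENY        Anywhere (v6)'

# port_action RULE [v4|v6]: print the action (ALLOW/DENY/REJECT/LIMIT) ufw applies
# to RULE (e.g. 8090/tcp), or NONE if no such rule exists.
# The "To" column is "PORT/PROTO" for IPv4 and "PORT/PROTO (v6)" for IPv6,
# so the action sits in field 2 or field 3 respectively.
port_action() {
  fam=${2:-v4}
  printf '%s\n' "$UFW_STATUS" | awk -v rule="$1" -v fam="$fam" '
    $1 == rule && $2 == "(v6)" && fam == "v6" { print $3; found = 1; exit }
    $1 == rule && $2 != "(v6)" && fam == "v4" { print $2; found = 1; exit }
    END { if (!found) print "NONE" }'
}

# denied_rules: list every IPv4 rule ufw denies, one per line, for review.
denied_rules() {
  printf '%s\n' "$UFW_STATUS" | awk '$2 == "DENY" { print $1 }'
}

# expect_action RULE ACTION: exit non-zero when the live rule does not match the
# expected action, so a deploy script can stop after editing a rules file such as
# Van_Twinkle_rules.sh instead of silently leaving a port in the wrong state.
expect_action() {
  got=$(port_action "$1")
  [ "$got" = "$2" ] && return 0
  printf 'rule %s: expected %s, got %s\n' "$1" "$2" "$got" >&2
  return 1
}
```

With the sample above, `port_action 8090/tcp` prints DENY, matching the deny rule the walkthrough finds in the script.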
That’s it; we’re done. I kept this walkthrough straight to the point. I hope you guys find it useful. If you have any doubts, please connect with me on LinkedIn and feel free to ask. And stay tuned for each day’s challenges and walkthroughs.
Check out our YouTube channel, Ethical Empire. If you’re preparing for the CEH Practical Exam, don’t forget to check out our playlist, ‘CEH Practical Exam Preparation’.
Until next time, stay secure, stay curious, and keep exploring the fascinating world of cyber security.