Pentesting 101
Date: 2021-11-10
Difficulty: Beginner to Advanced
Delivered By: Jack Roberts and Joshua Wardle
Overview
You may have heard of "pentests" and "CTFs" before, but what are they?
- A penetration test, also known as a "pentest", is an authorized cyberattack on a computer system, performed to evaluate the security of the system. Such a test is performed to identify weaknesses and strengths, enabling a full risk assessment of the system to be completed, and remedial action to be taken.
- CTF stands for "Capture the Flag". The objective of a CTF is for participants to find flags in purposefully insecure applications/hardware, with the winner generally being the person/team who finds the most in the shortest amount of time. Sometimes, you may encounter an attack/defense style CTF, where the objective is to steal flags from your competitors while defending your system.
These may seem rather different, but in reality, the toolset and thought process required are somewhat similar. In this session, we will cover the pentesting methodology to solve these challenges, the tools you will often use, and what to look out for. In particular, if you are new to CTFs, this session will begin to give you the confidence to tackle the challenges on websites such as HackTheBox and TryHackMe.
To begin, Jack and Josh will explain the overarching structure of a pentest and how to use common tools (such as nmap and Hydra). Following that, we will release two CTFs for you to tackle, either individually or in groups.
The CTFs
Harrison's Blog (Beginner)
Harrison (a close associate of Dave) has written a blog about all the things he enjoys, but has left some crucial flaws and secrets scattered around his website. This is a beginner-friendly web-based CTF developed by Jack, with challenge areas including cryptography, source code analysis and basic web app security.
If you've never taken part in a CTF before, this is a good starting point to get a feel for the style of such challenges.
Blue Box (Advanced)
Blue Box is a CTF developed by Josh (and some friends - credit to Kieran) which is aimed at a more advanced difficulty. This CTF is a more traditional "pwn"-type CTF where the objective is to gain root access. Along the way, there are 5 flags which - when decoded - provide hints as to where to look next.
Incorporating elements of web app security, software security, OSINT, steganography and password cracking, Blue Box should be enjoyable for those who are looking to take on HackTheBox-style challenges in the future.
Prerequisites
Harrison's Blog doesn't require any virtual machines to run - you just need a web browser which has developer tools. This is a warmup for some skills you have learnt already.
For Blue Box, you will need a host powerful enough to virtualize two Linux machines - one for Blue Box itself, and one for you. If you can't, you will want to group up with others. You may wish to install Kali Linux (described here), but any Unix-based VM with the right tools will suffice. We recommend using VirtualBox to run the VMs.
To tackle Blue Box, you will need to be aware of the subject areas outlined earlier. However, don't panic if you aren't; help is always on hand! A bit of informed Googling will help as well.
Session Links
Harrison's Blog
You can attempt Harrison's Blog by navigating to http://harrison.sucss.org!
Please note this is not an HTTPS link, so if you receive an SSL/TLS or 403 error, make sure to check that your browser of choice did not change the URL by accident.
Uninformed brute forcing using tools such as Hydra is not allowed.
Blue Box
You can download Blue Box here.
The rules and setup guide for Blue Box are available here.