Face Your Fears this Halloween and Return to Haunted Hollow
Brace yourselves, brave souls! The haunted season has returned, and with it, an all-new cybersecurity adventure, Halloween 2024: Return to Haunted Hollow. The sinister spirits of cyberspace await you in this terrifying sequel to our 2023 Halloween collection, The Haunted Hollow. This is no mere challenge; it's an eerie expedition through 9 haunted labs designed to test your skills and sanity alike. Whether you're a seasoned crypt keeper of the cybersecurity world or a curious newcomer, there's a fright waiting for everyone in this immersive capture-the-flag experience!

From unraveling encrypted secrets to hunting ghosts in packet captures, every lab holds the key to defeating the horrors lurking within. Can you escape the Haunted Helpdesk, break the Encryption Enigma, or uncover the Spooky, Scary, Silly Snaps? Each step you take deeper into this digital graveyard will challenge your mind and test your courage, until you can break out of the park through the Emergency Exit!

With a difficulty ranging from approachable to spine-chillingly tough, it's not about conquering all the horrors, just enough to emerge from the shadows with your sanity intact. Gather your wits, grab your digital lantern, and get ready to explore the most terrifying corners of cyber horror!

Release Date: October 16th
Estimated Time to Complete: 5 hours
Labs: 9, each more terrifying than the last
Difficulty Range: 2-6
Collection Type: Challenge

Lab details

Note: These labs can be completed in any order, but we have ordered them from most accessible to most challenging. The final lab can only be completed after the other labs have been completed. The prequel collection doesn't need to be completed before you can dive into these labs, but if you're craving some extra chills and thrills, feel free to haunt them first!
Phishing for Treats
Difficulty: 2
Skills required: None; this lab should be accessible to all audiences.
What's involved: This lab is a new phishing emails lab, with Halloween-themed emails. Users have to identify whether each email is 'safe' or 'spam' based on indicators within the email.

PCAP Pandemonium
Difficulty: 4
Skills required: Packet capture analysis (Wireshark)
What's involved: In this lab, users will need to analyse multiple packet captures using Wireshark to identify answers to the questions from the network traffic.

Delving Deeper
Difficulty: 4
Skills required: Web application enumeration
What's involved: Users will need to explore a web application in order to gain access to a computer terminal within the application. From there, they'll need to interact with a simple API.

Encryption Enigma
Difficulty: 5
Skills required: Modern encryption/encoding techniques (knowledge of how to use CyberChef will be useful)
What's involved: Users will need to identify the correct encoding and encryption technique used to obfuscate each message in an application, before decrypting/decoding each message.

Confusing Code
Difficulty: 5
Skills required: Linux enumeration techniques, reverse engineering (particularly using Ghidra)
What's involved: Users will need to use Linux enumeration techniques to identify a binary, before reverse engineering that binary to figure out how to exploit it.

Haunted Helpdesk
Difficulty: 5
Skills required: Linux enumeration and privilege escalation techniques
What's involved: Users will be dropped into a restricted environment. From there, they'll need to figure out how to escape, and escalate their privileges to root.

Fearsome Forensics
Difficulty: 6
Skills required: OSINT, web application enumeration, modern encryption techniques, steganography
What's involved: In this lab, the user will need to explore the web application and discover clues using OSINT techniques. These clues will then be used to decipher encrypted messages, finally revealing how to extract a message hidden inside an image.

Spooky, Scary, Silly Snaps
Difficulty: 6
Skills required: AWS capabilities (particularly S3 and AWS permissions), Python scripting
What's involved: Users will need to enumerate public S3 resources to identify credentials for an AWS account. From here, they'll need to interact with the AWS console, and identify a way of escalating their privileges on AWS.

Emergency Exit
Difficulty: 1
Skills required: None; this lab is a culmination of the preceding labs within the collection, but no specific skills are required to complete it.
What's involved: In each of the labs in this collection, users will have been asked to make a note of a code. In this lab, they need to submit each of these codes.

Share Your Thoughts

Did you escape the Haunted Hollow? We'd love to hear from you! Remember you can post in our Help & Support Forum for hints, tips and collaboration from your fellow community of experts.

Cozy Bear? Not So Cozy...
When you think of a "cozy bear", you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that's been active since 2008.

There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia's Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you'd expect from a cozy bear, right?

The Cozy Bear group has been observed using tools and techniques that target groups like government, healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It's also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It's safe to say this bear isn't hibernating, it's on the prowl.

All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetrated by this malicious threat group. Ensure your teams aren't caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group:

APT29: Threat Hunting with Elasticsearch
Successful cyber threat hunting relies on a combination of information, from cyber threat intelligence to detailed event logs from endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario.

APT29: Threat Hunting with Splunk
These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk.

Brute Ratel: Extracting Indicators of Compromise
Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29.

The following labs are also based on this threat group's known tactics, techniques, and procedures (TTPs) and exploits. Check them out:

CVE-2019-19781 (Citrix RCE) - Defensive
CVE-2019-19781 (Citrix RCE) - Offensive
CVE-2020-5902 (F5 BIG-IP) - Defensive
CVE-2020-5902 (F5 BIG-IP) - Offensive

We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they're well versed on established threat actors and attack vectors, so your organization stays out of the news.

Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We're beary eager for your feedback in the comments below!

How Swisscom Emphasizes Cybersecurity Through Engaging and Meaningful Learning Experience
In 2023, Swisscom's Hacktober event brought together colleagues and partners from across Switzerland in a fun, engaging, and meaningful month-long learning experience that emphasized cybersecurity.

Where to Start? How Assess and Recommend can Unlock your Potential
What is Assess and Recommend?

The Assess and Recommend feature was created with the end user in mind and helps determine the most appropriate content based on a learner's knowledge and experience. The assessment leverages computer adaptive testing (CAT), a computer-based assessment that adjusts the difficulty of questions based on how a test taker answered previous questions. CAT is also known as tailored testing because it personalizes the test to the test taker's ability level. A more personalized assessment allows for a more personalized recommendation.

Customized learning paths: NICE Framework

One of the best things about the Assess and Recommend feature is that it creates personalized learning paths aligned to NIST's Workforce Framework for Cybersecurity (NICE Framework). The NIST NICE Framework, or NIST Special Publication 800-181, provides a structured guideline for defining and categorizing cybersecurity work roles, knowledge, skills, and abilities (KSAs). It aims to standardize the language around cybersecurity tasks and roles, enhancing workforce development, training, and alignment between job requirements and individual qualifications.

Unlike traditional training programs, which tend to be the same for everyone, Immersive Labs uses assessment data to identify which roles in the NICE Framework are most applicable to you. This means users focus on what they need to learn, rather than wasting time on topics they already know. As users upskill, they can retake assessments to receive new recommendations that match their evolving skill level, keeping training relevant and engaging. This dynamic approach is essential in a field where staying current is critical. By aligning with the NIST NICE Framework, the learning paths are tailored to specific roles, such as SOC analyst, pentester, or cyber professional, making the training even more effective.

Benefits for organizations and users

For organizations, the Assess and Recommend feature is incredibly valuable. It gives a clear picture of the team's overall skills, strengths, and weaknesses. This information is crucial for planning targeted training, using resources wisely, and strengthening the organization's cybersecurity defenses. Additionally, by promoting continuous learning and development, organizations can improve employee satisfaction and retention. Employees are more likely to stay with a company that invests in their growth, recognizing the importance of updated skills for job security and career advancement.

Where can I find this feature?

To find this feature, click the Upskill drop-down and navigate to Recommended Activities. Here, you'll see a growing list of the assessments currently available in the platform.

Share your thoughts

After completing your first assessment, tell us what you got as a recommendation in the comments below and share how your upskilling journey is going!

Introducing The Human Connection Challenge: Season 1
Starting today we will begin releasing a series of all-new Challenge Labs. Each month you'll be given the chance to showcase your cybersecurity skills across a range of topics and climb the Season 1 Leaderboard, with the chance to win kudos and rewards along the way.

A Step-by-Step Guide to Hosting Your Own Hacktober Event
Organizing engaging, informative, and enjoyable cybersecurity events like Swisscom's Hacktober event doesn't have to be daunting. With strategic groundwork and relevant, interactive challenges, you can create a cybersecurity event that is both fun and educational. Are you considering hosting a similar cybersecurity event? This blog provides a step-by-step guide to creating an impactful event, resulting in a more skilled and prepared workforce.

New CTI Labs: Palo Alto Expedition Critical Vulnerabilities
CVE-2024-5910 (Palo Alto Expedition) - Defensive: Identify signs of exploitation in event logs and extract indicators of compromise.
CVE-2024-5910 (Palo Alto Expedition) - Offensive: Use publicly available Proof of Concept code to exploit the vulnerabilities, gaining access to sensitive data.

What is Expedition and why should you care?

The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Check Point, Cisco, or other supported vendors. This application can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts, significantly impacting the security of an organisation's network. These labs provide steps to identify any potential signs of exploitation and detail how the exploit functions.

Who is it for?

Incident responders
SOC analysts
CTI analysts
Threat hunters
Red teams
Pen testers
Offensive security professionals

Complete CVE-2024-5910 (Palo Alto Expedition) - Defensive here
Complete CVE-2024-5910 (Palo Alto Expedition) - Offensive here

Human Connection Challenge: Season 1 - Scanning Walkthrough Guide (Official Version)
Time's Up! Congratulations to everyone who completed Lab 2: Scanning from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab, based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine! The goal is to learn, and I hope these notes help clarify any steps and reinforce key concepts for the next challenge.

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

I've also used placeholders in some of the commands that would give away an answer directly, so if you see anything enclosed in angle brackets, such as <name server>, please make sure you replace it with the actual value, such as nameserver. With all that considered, let's get started.

Overview

Task: Identify the name server records of tinytown.bitnet.

1. What is the IP of the first name server for tinytown.bitnet?

You'll first need to open a Terminal on the Kali desktop. Next, you'll need to query the DNS Server IP (found in the Machines panel) about the tinytown.bitnet domain using the nslookup (Name Server Lookup) tool. You're specifically looking for NS (Name Server) records, so you can use the -type=ns parameter with nslookup to specify this:

nslookup -type=ns tinytown.bitnet [DNS Server IP]

The output of this command will return two name servers for the domain, labelled 1 and 2. Your next step is to identify what IP address is associated with the first name server (1). To do this, you can use nslookup along with the name server, domain, and DNS Server IP:

nslookup <name server>1.tinytown.bitnet [DNS Server IP]

This command will then return an IP address for the name server.

2. What is the IP of the second name server for tinytown.bitnet?

As you've already identified both name servers, you'll just need to run the previous command, except with the second (2) name server:

nslookup <name server>2.tinytown.bitnet [DNS Server IP]

You'll then find the IP address associated with it.

Task: Identify port service information for Target 1.

3. What service version is running on port 53?

A network scanning tool like Nmap can help you identify the service version running on a specific port. To do this with Nmap, you can use the -sV option for service detection:

nmap -sV [Target 1 IP Address]

The output will show what service version is running on port 53.

4. What is the full service banner of port 22?

There are a couple of ways to find the full service banner of port 22, such as with Nmap or Netcat. If you're using Nmap, you can modify the previous command to include the "banner" script along with the port number:

nmap -sV --script=banner [Target 1 IP Address] -p22

The command line will then display the service banner from port 22.

You can alternatively use Netcat to manually connect to the SSH server. When a client connects, the SSH server sends an identification banner that contains version information, which Netcat prints. To use Netcat, you'll need the nc command along with the Target 1 IP address, and specify that you want to connect to port 22:

nc [Target 1 IP Address] 22

When you run this command, the banner appears before the terminal hangs.

Task: Identify a token on one of the ports.

5. What is the token?

With the previous Nmap command, you initially found that three ports were open on Target 1. However, you'll need to do a more thorough network scan to find another open port, one not found by the previous scans. To do this, you can expand your port scan to cover a much wider range by using Netcat to scan for open ports from 1 through 9000:

nc -zvn <Target 1 IP Address> 1-9000

Here, -z will scan for listening services but won't send any data, -v is verbose mode, which provides more detailed information, and -n tells Netcat not to resolve hostnames via DNS. This command will reveal a fourth open port. Now, you can use Netcat to connect to this port:

nc <Target 1 IP Address> <open port>

The token will then be displayed in the terminal.

Task: Scan the TLS configuration on Target 2.

6. How many protocols are enabled?

To scan for SSL/TLS configurations, you can use the sslscan tool. By default, sslscan scans port 443 and will return supported server ciphers, certificate details, and more. You can use sslscan like this:

sslscan <Target 2 IP Address>

The returned output will be verbose, but you can find and count the number of enabled protocols under the SSL/TLS Protocols subheading.

7. Name an enabled protocol.

Using the previous output, name one of the enabled protocols.

8. What exploit are the protocols NOT vulnerable to?

Using the same output, scroll down through the results until you find a subheading that's named after a vulnerability and contains a string similar to:

<Protocol> not vulnerable to <vulnerability name>

The vulnerability has the same name as the subheading.

Task: Identify and extract information from an SMB share on Target 3.

9. What Disk shared directory can you access?

To extract information from an SMB (Server Message Block) share, you can use the smbclient tool. First, you'll need to list the SMB shares on the target using the -L flag (the list/lookup option):

smbclient -L //<Target 3 IP>

You'll then be prompted for a password, but you can press Enter to skip this. A list of SMB shares will then be displayed, three of which are shown to be a Disk type, so you know the answer will be one of these. You can now begin to go through the list and try to connect to the shares with:

smbclient //<Target 3 IP>/<Sharename>

However, this time when you're prompted for a password and you press Enter, you might encounter a message when you try to connect to a share:

NT_STATUS_ACCESS_DENIED

If you attempt to connect to all shares, you'll find you can connect to one share without a password. You'll then be greeted with the following prompt to show the successful connection:

smb: \>

10. What is the token stored in the directory?

Now that you're connected, you can execute commands to interact with the SMB share. If you run ls, you'll find a token.txt file in the current directory. You can then download the file from the share onto your local machine with:

get token.txt

On the Kali desktop, open the Home folder and the token.txt will be inside. Open this file and find the token.

11. What is the username stored in the directory?

After you've run ls in the SMB share, you'll find not only token.txt but also a file named creds.txt. Use the same command as before to download the file onto your machine:

get creds.txt

This file will also be downloaded to the Home folder, where you can find a username and password.

Task: Identify open services on Target 3.
Task: Connect to Target 3 with the previously found credentials.

12. What is the token stored in the user's /Documents directory?

For this final task, you first need to scan the target using Nmap. You'll find that if you attempt to scan the target without using the -Pn flag, you'll get a response saying that the host seems down. However, if you run Nmap with -Pn (which skips host discovery and treats the host as up), you'll find some ports are open:

nmap -Pn <Target 3 IP Address>

However, the ports returned from this command don't offer a way to connect to the target. You'll also need to scan the 6000 most popular ports:

nmap -Pn --top-ports 6000 <Target 3 IP Address>

These results will now show two additional open ports belonging to the Web Services-Management (WS-Man) protocol, which is used to communicate with remote machines and execute commands. One of the tools that implements this protocol is Windows Remote Management (WinRM), Microsoft's implementation of WS-Man. Knowing this, you can now use Metasploit to interact with the target. In your terminal, run:

msfconsole

Once loaded, you can use the auxiliary module that connects to a system with WinRM enabled and executes a command. You'll need to set the following options, using the credentials you found in the creds.txt file:

set username <username>
set password <password>
set rhosts <Target 3 IP Address>

Next, you need to set the cmd option with the command you want to run. If you use the ls command, you'll be able to find out what files are in the directory you connect to:

set cmd ls

With all the options set, you can now run the module:

run

The results of the executed command will be printed on the screen and also saved to a directory, but both show the existence of a token.txt file in the current directory. You can now set the cmd option to type token.txt in Metasploit:

set cmd type token.txt

Once set, use the run command to send the updated command:

run

The contents of token.txt will then be displayed on the screen and written to a file.

Tools

For this challenge, you'll use a range of tools including:

Nslookup
Nmap
Netcat
Sslscan
Smbclient
Metasploit

Tips

You can use different tools and parameters within those tools to scan for and find information, so don't be afraid to try out a few different things!

If you want to learn more about some of the tools within this lab, take a look at the following collections:

Reconnaissance
Nmap
Infrastructure Hacking
Introduction to Metasploit
Post Exploitation with Metasploit

Conclusion

The steps I've laid out here aren't the only way to find the answers to the questions; as long as you find the answer, you did it, well done! If you found another way to find some of these answers and think there's a better way to do it, please post them in the comments below! I hope you enjoyed the challenge and I'll see you for the next one.
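For the TLS task (questions 6 to 8), the sslscan output has to be read by eye. The following added example, which is not part of the original walkthrough, parses that output offline so the enabled-protocol count, an enabled protocol name and the "not vulnerable to" verdicts fall out programmatically, and it additionally flags enabled protocol versions that a hardened server should have disabled. It assumes the text layout of sslscan 2.x; the sample output embedded below is constructed, not captured from the lab.

```python
"""Offline parser for sslscan text output (added example, not from the post).

Assumes the line layout printed by sslscan 2.x. The sample below is a
constructed excerpt, not a capture from the lab target.
"""
import re

# Constructed sample of sslscan output, trimmed to the relevant sections.
SAMPLE_SSLSCAN_OUTPUT = """\
Testing SSL server 10.0.0.5 on port 443 using SNI name 10.0.0.5

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
"""

# Versions a defender should expect to see disabled: SSLv2/SSLv3 are
# prohibited (RFC 6176, RFC 7568) and TLS 1.0/1.1 are deprecated (RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# One line per protocol under "SSL/TLS Protocols:", e.g. "TLSv1.2   enabled".
PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3])\s+(enabled|disabled)\s*$", re.M)
# Per-check verdict lines, e.g. "TLSv1.2 not vulnerable to heartbleed".
VULN_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3])\s+(not vulnerable|vulnerable) to (\w+)", re.M)


def parse_protocols(output):
    """Map each protocol listed in the Protocols section to True if enabled."""
    return {proto: state == "enabled" for proto, state in PROTO_RE.findall(output)}


def enabled_protocols(output):
    """Sorted list of enabled protocol names (question 6 asks for the count)."""
    return sorted(p for p, on in parse_protocols(output).items() if on)


def deprecated_enabled(output):
    """Enabled protocols that a hardened configuration should have disabled."""
    return sorted(p for p in enabled_protocols(output) if p in DEPRECATED)


def vulnerability_results(output):
    """Map check name -> {protocol: vulnerable?} from the per-check sections."""
    results = {}
    for proto, verdict, name in VULN_RE.findall(output):
        results.setdefault(name, {})[proto] = verdict == "vulnerable"
    return results


def not_vulnerable_to(output):
    """Checks where no tested protocol was flagged vulnerable (question 8)."""
    return sorted(n for n, per in vulnerability_results(output).items()
                  if not any(per.values()))


if __name__ == "__main__":
    out = SAMPLE_SSLSCAN_OUTPUT
    print("enabled:", enabled_protocols(out), "count:", len(enabled_protocols(out)))
    print("deprecated but enabled:", deprecated_enabled(out))
    print("not vulnerable to:", not_vulnerable_to(out))
```

Feed it a real capture with `sslscan <host> > out.txt` and `parse_protocols(open("out.txt").read())`; any entry returned by `deprecated_enabled` is a finding to raise with whoever owns the server.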