Hurricanelabs.com



Roxy (00:00): So, what I have done so far is I have gone to and I downloaded the VirtualBox image. Um, now there's also a VMware image. There are several tutorials out there on setting up a Kali Linux VM. Um, so I am not going to go over that part. And I initially started it up, and I got an error that said, you know, something about disable USB 2.0. So that is something that you'll have to do to start up the VM. We're going to go to, you're going to select the VM and go to settings and then go to ports. And that's where you can, um, disable USB 2.0. Um, the next thing you want to do is update, uh, the box. So after, um, so this year, um, for Kali Linux, uh, the default user is actually not the root user. So you'll log in as Kali, um, as the user, it's a password Kali.

Roxy (01:19): So, uh, you'll have to run sudo when you do update. Um, and then upgrade. Um, PIP is a Python manager, so I've already done it, but I'll just show you sudo apt-get install. Um, the package is Python dash PIP, and then Python three dash PIP. So if you need to download any Python packages, um, you're going to use PIP install and then the name of the package. So now I'm going to show you some ways you can prepare the VM for CTF. Um, this is not an extensive list. This is just from the past three or four CTFs I've done. You could download all of the packages and the Kali repo, but, um, you probably don't need a majority of them. Kali Linux does come with a lot of tools as you can see here. So we're going to start with web exploitation. Um, those packages, those are the ones or those tools–

Roxy (02:37): Those are the ones you're probably going to use the most. Let's go ahead and install WebScarab. So right now on here, we have, um, perhaps a Burp Suite. There is a version that has more features that you have to pay for. WebScarab is pretty much just like Burp Suite. There's not a whole lot of difference. sudo apt-get install WebScarab. And so I'm going to show you, um, I'll open it up for you and show you how similar it is to Burp Suite. All right. Oh, it is purpose opening. Alright, I accept. All right. So let's look at these two tools. Um, this is WebScarab. So what it does is it intercepts web traffic and you can view it, or you can modify traffic, you can inject headers. Um, you can make HTTP requests like, see, you can do a GET request.

Roxy (03:49): Um, it's, it's probably the web application tool that you're going to use the most. Now Burp, if we look at Burp can make requests, you can capture requests. WebScarab, I think is what I would go with over Burp Suite, just because you have all the features right away. And it does pretty much the same thing. I have not come in, come across the situation yet where I'm using WebScarab and I need to stop using it so that I can open up Burp Suite and do what I need to do in Burp Suite. There is a new tool that I just discovered. Um, I have not tried this tool yet, so don't take my word for it, but it looks pretty cool. So what EyeWitness does is it takes screenshots of websites and it also provides with it, um, some header info. Um, it also does a little bit of scanning as well for, um, default, uh, credentials. Okay. This is what it is right here. So we can just install it when you do sudo. I would, yes.

Roxy (05:20): Okay. So it's just a command line tool, which is great. I'm going to move on to steganography. Steganography is, um, hiding and it's when you hide information in images and you can actually hide entire files in images as well. So there is a tool called, it's either Steg Snow or Stegsnow. I don't know which one it is. It can hide and it can detect steganography in white space. And I'll have to show you on, um, on another stream. One of the challenges, uh, if I still haven't, but it was a regular text file that had white space in it. And there was, um, a hidden message in the white space, which I had no idea you could do. Um, something else for steganography is Stegosuite. Stegosuite will, uh, hide and detect steganography in images. One of the tools that I've seen in several writeups, um, recently is called Sherlock.

Roxy (06:31): I'll show you how to use Sherlock. What you do is if you have just a username and that's all you have, you can put it into Sherlock and it will check several–I mean, it checks a whole bunch of websites. Okay. So now it's going to check all of these websites for, um, for my username. There was a writeup that I just, that was just actually published today in the Hurricane Labs blog, where, um, I could have, uh, used Sherlock and it would have been really an easy challenge for me to solve. The only account that's actually mine that it found is my Twitch account, I think. I would've just, I would've been able to solve that, um, that challenge. Um, and I wrote about that in the blog post that was just posted on the Hurricane Labs blog. The next thing we're gonna do is install ExifTool, just go back home. Alright.

Roxy (07:40): So what this does is it looks at the Exif data and photos. Um, a lot of times the OSINT challenges, um, this is what you'll need to do to find the location of where a photo was taken. Yeah. Let's put it in downloads. What was the name of that thing we just downloaded? Alright, so here it gives you, um, all of the Exif data. This is what it looks like. Of course there's no location because it's not a photo. I'm kind of a newb at Ghidra.

Roxy (08:18): So I'm going to want to learn more about it before I show it to you. I'm going to show you a few websites that you're going to want to bookmark. CyberChef: it does a lot of things that you do in CTFs. Um, it can even, like I was telling you, sometimes images, um, have files in them and you can extract files from images with it, um, compress or decompress or deflate or inflate, hashing. It even, uh, takes code and makes it look nicer for you.

Roxy (08:58): The most useful thing for me is the decoders. Um, like it has a hex decoder and you just double click it to use the recipe. And there was a website about Enigma that I used to know how, you know, what to put in here. You can create a whole recipe that will do that will have multiple steps to it. I can't imagine a CTF where I wouldn't use it at least once. There's also, um, the OWASP, um, project Web Security Testing Guide. I'm going to give you a lot of info on different web application attacks and how to perform them.

Speaker 2 (09:53): Let me find the actual website

Roxy (09:56): Here it is. This is in website format.

Roxy (10:03): So as you can see, it covers a lot. So this is great, cause you can actually just copy and paste. Um, it gives you exactly what you need to do, um, for each situation. And there's a lot here. There's a whole lot here. Um, now I'm going to recommend though, instead of just copying and pasting, actually look at, um, like if it's an Nmap thing, actually do man nmap and look at what the options that you're using actually mean. Even if you don't memorize them, I'm looking at them over and over. Eventually you'll get used to it. The other thing that I recommend you bookmark is PayloadsAllTheThings. So Kali Linux does come with some lists, um, but they aren't, they aren't as extensive as this repo. Um, so one of the ones I've used, for example, in directory traversal, you'll see, they have a list and,

Speaker 2 (11:27): And

Roxy (11:31): It's got a lot of different, um,

Speaker 2 (11:35): Things to try.

Roxy (11:38): So you're not going to want to type out all of these, right. Depends on what the challenge is. It's going to be different tools for these lists. Okay. So one of the challenges that CTF seemed to want to do recently is, um, are involves RSA encryption. There's also a YouTube video by John Hammond, which you'll need to watch before you use the tool, just so that you–why isn't it opening a new tab?–Just so that you understand it more, but this gives you exactly step by step, what you need to do to solve, um, an RSA encryption challenge. This is the video that you're going to want to watch.

Roxy (12:20): Okay. So that was really all they had to show you today. I just wanted to give you, um, something to get started because I didn't want to start diving into CTFs and such and CTF challenges without giving you an opportunity to set up your Kali Linux VM.

In order to avoid copyright disputes, this page is only a partial summary.
