my friend gave me a hella cool offensive security challenge
#1
Hey everyone,

The former president of the cyber security club gave me an excellent challenge. He gave me a vulnerable virtual machine of Windows he needed feedback on before he publishes it officially both to the club and hopefully to other places as well.

It's basically a vulnerable 7 that is meant to be hacked with Kali. I tried it out and gave him some good feedback.

Don't want help with it as it's not the kind of thing that you're supposed to get help on. It is a challenge after all.

I think that it's hella cool as a VM.

Haven't been able to get the flag though. I did manage to break into the VM using Kali.

Today I had a hard time working on it because of daylight savings. He told me to let him know when I finally get the flag.

It's definitely an interesting challenge. Very CTF-ish.
#2
What exactly is a "cyber security club" ?
#3
(03-12-2018, 07:15 AM)paran0id1 Wrote: What exactly is a "cyber security club" ?

We do a number of things:

1. We get sponsored IT certifications in regular IT and CyberSecurity areas ranging from ethical hacking to defensive computer security, as well as Cisco, Linux, networking, and Windows certs, etc. for free, although our school legally can't hand out certs themselves.
2. We get weekly lectures about CyberSec, hacking, defensive security, or even occasionally the business side of security.
3. We get to compete in CTFs as a club, like NCL or PicoCTF; no tryouts are required.
4. We get to compete in the annual cyber-collegiate defense competition where each team has to defend its stations from real hackers. To do this competition specifically, they only let people who have some basic certs + training on actual equipment they have on premises into the team. In this case, to try out, shortly after CCDC ends for the year, all one has to do to try and join is ask to start helping the team on premises. The people who show themselves to be the best at their jobs get to be on the team. They only accept the best, although they believe I am smart enough to make the team. Different certifications get different positions. To even begin, one must have basic IT skills of some kind and a certification to prove it before they can start working on the team, although that by itself won't guarantee a position and one member thinks certifications shouldn't be a requirement.
#4
(03-12-2018, 06:44 AM)fogbright Wrote: -Snip-

Vulnerable VMs are always good fun breaking into, and I've always learned a lot from them. If you're interested, there's a whole slew of CTF-like VMs over at Vulnhub that are worth taking a look at (though they're mostly Linux machines) if you weren't already aware. Just download, spin them up, and take a crack at them :)
#5
Once you can hack without Kali, you’ll be a hacker. Until then, you’re just a kid that knows how to use Kali.
#6
Good luck with the challenge OP. Please consider posting a write-up.
#7
(03-12-2018, 12:38 PM)ekultek Wrote: Once you can hack without Kali, you’ll be a hacker. Until then, you’re just a kid that knows how to use Kali.

Good advice. So you would say regular Ubuntu? Obviously, I would start with Kali for learning but I understand what you're saying 100%. Maybe Debian is better? Obviously, what I would do is download the programs on a normal Linux OS.
#8
(03-14-2018, 12:27 AM)fogbright Wrote:
(03-12-2018, 12:38 PM)ekultek Wrote: Once you can hack without Kali, you’ll be a hacker. Until then, you’re just a kid that knows how to use Kali.

Good advice. So you would say regular Ubuntu? Obviously, I would start with Kali for learning but I understand what you're saying 100%. Maybe Debian is better? Obviously, what I would do is download the programs on a normal Linux OS.

I think he's trying to say that to be a real haxor you shouldn't need to use tools, whether it's on Kali Linux, or not. I also believe Kali runs on Debian, it's just a modification of Debian with tools added.
#9
(03-14-2018, 12:36 AM)Lunar Wrote: I think he's trying to say that to be a real haxor you shouldn't need to use tools, whether it's on Kali Linux, or not. I also believe Kali runs on Debian, it's just a modification of Debian with tools added.

One thing maybe I should add. It's important to know how and why your tools work! As a hacker, tools will save you a lot of time. So even if you can do your attacks manually, I wouldn't hold it against you to use tools as it will be a quick way to save you some time.

That being said. Learn how and why your tools work. If you're doing SQL injection, start doing your own manual SQL injections every now and then, at least until you understand how and why it works. Then you can go back to using tools whenever needed.

I think it's easy to misunderstand: Hackers usually do use tools in some way or another. Coding your own scripts is great too. But the difference between hackers and script kiddies, from my point of view, is that a script kiddie pushes a button and he has no idea what is happening or what the operations are doing.

To the script kiddie, your Kali Linux is just a magic box that gives you things.

Although in my opinion, sometimes using manual attacks is of course quite necessary if you want to be silent. As many, many tools are very noisy and leave a big footprint in the webserver logs.
#10
(03-14-2018, 12:36 AM)Lunar Wrote:
(03-14-2018, 12:27 AM)fogbright Wrote:
(03-12-2018, 12:38 PM)ekultek Wrote: Once you can hack without Kali, you’ll be a hacker. Until then, you’re just a kid that knows how to use Kali.

Good advice. So you would say regular Ubuntu? Obviously, I would start with Kali for learning but I understand what you're saying 100%. Maybe Debian is better? Obviously, what I would do is download the programs on a normal Linux OS.

I think he's trying to say that to be a real haxor you shouldn't need to use tools, whether it's on Kali Linux, or not. I also believe Kali runs on Debian, it's just a modification of Debian with tools added.

I think Ubuntu is a derivative of Debian and Kali is the successor to BackTrack which is the result of modifying Ubuntu.

Good advice though.

(03-14-2018, 12:44 AM)Insider Wrote:
(03-14-2018, 12:36 AM)Lunar Wrote: I think he's trying to say that to be a real haxor you shouldn't need to use tools, whether it's on Kali Linux, or not. I also believe Kali runs on Debian, it's just a modification of Debian with tools added.

One thing maybe I should add. It's important to know how and why your tools work! As a hacker, tools will save you a lot of time. So even if you can do your attacks manually, I wouldn't hold it against you to use tools as it will be a quick way to save you some time.

That being said. Learn how and why your tools work. If you're doing SQL injection, start doing your own manual SQL injections every now and then, at least until you understand how and why it works. Then you can go back to using tools whenever needed.

I think it's easy to misunderstand: Hackers usually do use tools in some way or another. Coding your own scripts is great too. But the difference between hackers and script kiddies, from my point of view, is that a script kiddie pushes a button and he has no idea what is happening or what the operations are doing.

To the script kiddie, your Kali Linux is just a magic box that gives you things.

Although in my opinion, sometimes using manual attacks is of course quite necessary if you want to be silent. As many, many tools are very noisy and leave a big footprint in the webserver logs.

Also good advice. I have heard that before. I wouldn't stop using Kali for hacking, but I would want to know how the tools I'm using on Kali actually work. Lol, I actually do want to be able to make my own tools one day.

That's actually why I made an equipment to learn CCENT, Linux+, and Sec+ before I started learning hacking. Not just to be employable but also because I asked around at my school and on other forums and it appears that the prerequisite knowledge to start learning hacking and using tools on Kali is there. The answer I get if I ask about learning a specific kind of hacking, i.e. web exploitation, Wi-Fi hacking, etc., is almost always something like:

"you can learn the basics of web development as you learn web hacking if you do it right but to use Kali and know what you're doing you need basic networking, Linux, and computer security knowledge" and the people at my school even recommended the knowledge behind those certs first before learning Kali in order to not start off as a complete script kiddy.

Obviously, that doesn't teach me to program my own tools. But I've been told multiple times that I will understand how to use the tools better when I do learn them, as well as a good amount about how they work, once I can master the basic knowledge from those certs.

I don't know if you agree with that or not. Maybe?