The Holiday Season, How It Affects Cybersecurity and What You Should Do About It.

Hello once again internet, it's me, your favorite (and only) Script Kitty, here to wish you some holiday cheer as we talk about the holidays and what they mean for cybersecurity.

Every year during the holiday season huge numbers of people go online to buy Christmas gifts for their families, and this influx of activity carries some risk. Always practice good internet hygiene: holiday-themed phishing attacks are a common occurrence, as are less-than-reputable sellers hawking counterfeit goods. Just because the Amazon listing has good reviews or shows a name-brand product doesn't mean it is genuine, and Amazon knows that but doesn't care. Pro tip: always make sure you know exactly what you're buying, or at least have a look at the seller page to see if it's shady.

I have 2 related articles coming out soon exposing how companies pay Facebook users to leave fake Amazon reviews and how Etsy is knowingly selling fake "Handmade" goods, with the proof I collected and their refusal to remove these products. In the meantime, if something seems too good to be true it probably is; don't risk it.

But what about once all the shopping is over? Does the risk stop once you gather with your loved ones to exchange gifts? No. Sadly, one big thing to be on the lookout for this holiday season, as someone who is informed about cybersecurity, is the configuration of new devices. It happens after someone unwraps their new smart toaster, VR headset that makes maps of your house, RGB-enabled smart face mask, or something less cyberpunk like a new laptop or smartphone. Every Christmas there is a large influx of new, poorly secured devices coming online, and the attackers know it. Many people rush to set up these devices as fast as possible and overlook important security controls, creating an attack surface that shows the true spirit of Christmas by gifting cyber criminals the gift that keeps on giving. This year, if you know tech gifts are coming, take the time to talk with the gift giver beforehand and the recipient afterwards and make sure the basics are followed: change every default password, install the firmware update that is almost certainly waiting, turn off remote-access features (and UPnP on the router) that nobody asked for, review what the device's app is allowed to collect, and keep smart gadgets on a separate guest or IoT network so a compromised toaster can't reach the family laptops. That way everyone stays safe this Christmas.

And of course no December would be complete without the annual SANS Holiday Hack. As they say on their website:

Join the global cybersecurity community in its most festive cyber security challenge and virtual conference of the year. The SANS Holiday Hack Challenge is a FREE series of super fun, high-quality, hands-on cybersecurity challenges where you learn new skills, help Santa defeat cybersecurity villains, and save the whole holiday season from treachery. The SANS Holiday Hack Challenge is for all skill levels, with a stellar prize at the end for the best of the best entries.

I would highly recommend everyone check it out. Even if you're new to the infosec community there are lots of great talks by people in the industry; last year I watched a great talk by Josh Wright about open S3 buckets which I highly recommend, as cloud security is as relevant as ever, perhaps even more so with more web devs using cloud-based tools. Click this hyperlink to get more information or to start playing, and a big thank you to SANS for hosting this event every year. I hope to see you there this year, readers; if you see me feel free to say hello.

And with that it's Killer Kat signing off until next time. Happy holidays, stay safe out there and stay tuned for those articles exposing Amazon and Etsy for knowingly allowing fraud on their platforms.


Why I chose Infotainment, and how I think it could help shape our future.

Hello Internet! Once again it's me, your resident script kitty, here to talk about something meta.

As you are aware I chose to run my InfoSec blog as an infotainment platform, and you may be wondering why. I would like to share my thoughts on the matter and on how more infotainment could help the industry as a whole.

Now right off the bat I would like to acknowledge some inspirations of mine. The SANS Holiday Hack Challenge is probably the best example of infotainment in the cyber security sphere at the time of writing. I personally enjoy it every year, and I know that when I was first starting out it helped make many of the complex ideas and discussions around infosec less intimidating.

I would also like to spotlight some excellent infosec YouTubers; LiveOverflow and PwnFunction come straight to mind as excellent examples. YouTube as a platform has really brought infotainment into the mainstream as a medium, and as someone who loves a lot of what these YouTubers are doing, the ways they make complex topics easy to understand and engage with while also providing free access to educational content, I think they deserve respect.

PBS Digital Studios, Game Theory and other independent creators have really spearheaded this trend, and what we have seen is a massive increase in both interest and engagement in many topics often considered difficult or dry. I think the infosec community could benefit greatly from a similar culture. How many times have you had someone say they "just can't understand all this computer stuff" or "I don't need to worry about my password or account security, that's what we have you for!" because they don't understand and/or don't want to learn even the fundamentals of cyber security, viewing it as complex or uninteresting?

I think we all know the human layer is the weakest part of security. This is why user awareness training is so important and why we as an industry invest so heavily in it. If you look around the modern organization, everyone is blue team: each employee has the potential either to cause a security incident or to strengthen the overall security landscape through their actions and knowledge. The future of blue team is going to involve making sure every person on board is aware of the nature of cyber security and of the risks and warning signs they may encounter.

I feel the next logical step is to move from user awareness training (which often falls into the infotainment category itself) into a larger infotainment environment. While it may not appeal to everyone, creating this media will bring these topics into conversation and provide an easy entry point for anyone who is interested in learning more about InfoSec but may not have the resources or prior knowledge to learn through more traditional means.

By taking something important and making it fun we can create a culture of learning and knowledge that will provide benefits to everyone involved. I truly believe that humanity is on the precipice of a new era and that educating people so they are better prepared to face the challenges of our ever evolving digital world is more important than ever.

And that is why I say: Until next time, this is your resident Script Kitty signing off!


HackTheBox Delivery User own Write-up.

Hello Internet, it's your resident script kitty here to talk about how I got my first own on a HTB machine. Now that Delivery is retired I can share with you exactly how I got user and the interesting process it involved.

Interestingly, the largest challenge for me to overcome was that I did not initially realize I would have to add the server to my hosts file manually because of the architecture of the lab environment. For those who are confused like I was, allow me to explain: the HTB boxes are not connected to the internet and nothing serves DNS for the lab hostnames, so to resolve a name like the help desk subdomain your machine needs a manual mapping of the box's IP to that hostname in its hosts file. On Linux it's as simple as sudo nano /etc/hosts and adding a line of the form "IP hostname subdomain.hostname"; without this you may repeat my mistake of getting stuck because the subdomain won't load and going down a rabbit hole looking for the solution.
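As an added example (not part of the original write-up), here is a small Python helper that does the hosts-file edit safely so the same mistake can't come back later: it adds the mapping, and it also strips any stale line that still maps the lab hostnames to a previous session's IP, which is the usual reason the subdomain "won't load" even after you think you fixed the file. The IP 10.10.10.222 and the hostnames delivery.htb and helpdesk.delivery.htb are placeholders I assumed for the demo, not values taken from the post.

```python
import ipaddress
import tempfile
from pathlib import Path

# Placeholder values assumed for this demo (not from the original write-up):
# the box IP changes between lab sessions, which is what makes stale entries a problem.
LAB_IP = "10.10.10.222"
LAB_NAMES = ["delivery.htb", "helpdesk.delivery.htb"]


def upsert_hosts_entry(hosts_path, ip, names):
    """Make every hostname in `names` resolve to `ip` via the hosts file.

    Idempotent: running it twice leaves exactly one line for these names.
    Any existing line that still maps one of the names (e.g. to last
    session's IP) has those names stripped, because the resolver takes the
    first matching line and a stale entry above ours would silently win.
    """
    ip = str(ipaddress.ip_address(ip))                      # ValueError on junk input
    wanted = list(dict.fromkeys(n.lower() for n in names))  # dedupe, keep order
    path = Path(hosts_path)
    kept = []
    for line in (path.read_text().splitlines() if path.exists() else []):
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) > 1:
            remaining = [h for h in fields[1:] if h.lower() not in wanted]
            if len(remaining) != len(fields) - 1:   # this line mentioned our names
                if not remaining:
                    continue                        # it mapped only our names: drop it
                line = " ".join([fields[0], *remaining])
                if sep:
                    line += "  " + sep + comment
        kept.append(line)
    kept.append(f"{ip} {' '.join(wanted)}  # added for HTB lab")
    path.write_text("\n".join(kept) + "\n")
    return kept[-1]


def resolve(hosts_path, name):
    """Mimic the resolver's hosts lookup: the first line naming the host wins."""
    for line in Path(hosts_path).read_text().splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) > 1 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def demo():
    """Constructed sample hosts file with a stale mapping from an earlier session."""
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        hosts.write_text(
            "127.0.0.1 localhost\n"
            "10.10.10.1 delivery.htb other.htb  # old session\n"
        )
        upsert_hosts_entry(hosts, LAB_IP, LAB_NAMES)
        upsert_hosts_entry(hosts, LAB_IP, LAB_NAMES)   # second run must not duplicate
        return {
            "delivery": resolve(hosts, "delivery.htb"),
            "helpdesk": resolve(hosts, "HELPDESK.delivery.htb"),  # case-insensitive
            "other": resolve(hosts, "other.htb"),                  # untouched neighbour
            "localhost": resolve(hosts, "localhost"),
            "lab_ip_lines": hosts.read_text().count(LAB_IP),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as root against /etc/hosts when you use it for real (the demo() function only touches a temporary file). The resolver takes the first matching line, so a leftover entry above yours silently wins; that is why the helper rewrites existing lines instead of just appending a new one.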

Now with that out of the way let's begin our examination. When first scanning with Nmap we see that only a few ports are open: 22, 80 and 8065. With port 80 open our first move is obvious: we connect to the server with our web browser and sure enough it's a website (pictures not included sadly, as I forgot to take them at the time and I don't have the premium subscription so I can't get back into retired machines). A cursory examination of the landing page reveals a help desk page on its own subdomain; this is where adding the subdomain to your hosts file is important. But perhaps more interesting is that they have a Mattermost server (8065 is Mattermost's default port) that only requires an @delivery.htb email address to register, but how would we get one?

Now this next step took me a while because, as previously mentioned, I was unaware of the need to add the subdomain to the hosts file. Once you check out the help desk site you notice 2 things right away: the first is that it generates you an email address based on your ticket number, which you can email to update the ticket, and the second is that you don't need any authentication to submit a ticket.

From here the solution is pretty obvious; however I did get stuck for a second because when viewing the ticket you have to use the exact same email address you used to submit it, otherwise it wants you to create an account and verify your email address, which is impossible because the server is isolated from the internet. I don't know if this is a quirk of Firefox or if I just didn't see a space or something, but when it auto-filled for me the site would reject the email; I had to manually copy-paste the email in.

Now that we have a ticket we can open a new tab, point our browser at port 8065 and see the Mattermost page. When creating a new account it sends an email with a link that validates your account, but how can we view the email? Simply have it send the email to the ticket-updating address we got in the last step; once sent, you can see it updates the ticket and you are able to click the link and log in.

Now that we are in the Mattermost server we can see that the admin has left a few messages that give us exactly what we need: the login for a user with standard privileges and instructions for what we need to do if we want to get root on the box.

The next step is as simple as logging into the server via SSH on port 22 with those credentials, doing cat user.txt and submitting the flag. Now I won't be covering root here today as I don't currently have access to the retired machines, but if you're interested the official walkthrough has been posted now that the machine is retired.

That's all I have for you in this one, but if you liked this write-up please consider subscribing so you can get even more infosec content like this, and if you have any thoughts or questions you can leave them in the comments below. Until next time, this is your resident script kitty signing off.


Windows Physical Access Vulnerability, Intentional Backdoor or Gross Incompetence?

Hello once again internet, today I wanted to talk about a pretty old hack that I'm sure most of you are already familiar with: using a Windows install USB stick to gain a privileged command line.

Now if you were like me then this hack might have been one of the first you performed on an actual production system, whether it was your own system and you were just curious to see if it would work, or, like me, you had a friend who forgot their password after changing it and said "Hey, you're a hacker right? Can you help me get back into my laptop?".

The simplicity of this exploit allows even script kiddies to gain control over a Windows system provided they have physical access, which raises the question: why hasn't Microsoft patched this exploit? Today I seek to answer that question. First we are going to look at just how this vulnerability can be exploited, then we are going to look at how it can be prevented, and then I'll share my thoughts on why I think Microsoft hasn't patched it.

Where this vulnerability really shines is in how simple it is to use. You need 2 things: a Windows install loaded onto a USB flash drive and physical access to the target machine. Once you boot to the flash drive you can use a keyboard shortcut (Shift+F10 in Windows Setup) to bring up a command line. Next you replace one of the accessibility executables in the System32 folder on the installed system's disk (sethc.exe for Sticky Keys, utilman.exe for the Ease of Access button, magnify.exe, osk.exe and so on) with a copy of cmd.exe or ftp.exe, restart the computer and boot into the OS, and then launch that helper from the logon screen, either via its keyboard shortcut or through the GUI. Because the logon screen runs these helpers as SYSTEM before anyone has authenticated, this brings up a privileged command line and then you own the system (from ftp.exe, a command prefixed with ! is run by a shell, so ! cmd gets you there). For an in-depth guide I recommend checking out this guide from TrustedSec.

Now let's talk about prevention. This is a relatively easy attack to prevent, the obvious solution being to secure the machine against physical access. Where that is infeasible the next step is to disable booting from USB (and set a firmware password so the boot order can't simply be changed back) and to turn on full-disk encryption with BitLocker; if the attacker can't boot from the USB drive, or can't read and modify the encrypted system volume to swap the executables, they can't exploit this vulnerability. The third option is antivirus signatures/definitions; tellingly, Windows even has signatures that allow Windows Defender to block certain renamed executables, preventing this Trojan from running, however not all combinations are blocked.
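Since Defender's signatures only cover some filename/executable pairs, a defender can do the dumb-but-reliable check themselves: compare each accessibility helper's hash with the hashes of cmd.exe, ftp.exe and powershell.exe, because a swapped magnify.exe is byte-for-byte a copy of ftp.exe. The Python below is an added example, not code from the original post or from Microsoft. The demo() function builds a fake System32 directory with made-up file contents (constructed sample data) in which magnify.exe has been replaced by ftp.exe; find_swapped_binaries() is what you would point at the real C:\Windows\System32.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Accessibility helpers the Windows logon screen can launch as SYSTEM before
# anyone authenticates; each is a classic target for the swap described above.
ACCESSIBILITY_BINARIES = [
    "sethc.exe",         # Sticky Keys (Shift five times)
    "utilman.exe",       # Ease of Access button / Win+U
    "osk.exe",           # On-Screen Keyboard
    "magnify.exe",       # Magnifier (Win+Plus)
    "narrator.exe",      # Narrator (Win+Enter)
    "displayswitch.exe", # Win+P
]
# Binaries an attacker typically copies over them.
SHELL_BINARIES = ["cmd.exe", "ftp.exe", "powershell.exe"]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries don't hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32):
    """Return {accessibility_name: shell_name} for every accessibility helper
    whose content is byte-identical to one of the shell binaries.

    Identical hashes are the tell: a genuine magnify.exe never hashes to ftp.exe.
    Helpers that are absent are skipped (a missing helper is a separate concern).
    """
    system32 = Path(system32)
    shell_hashes = {}
    for name in SHELL_BINARIES:
        p = system32 / name
        if p.is_file():
            shell_hashes[sha256_of(p)] = name
    findings = {}
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if not p.is_file():
            continue
        match = shell_hashes.get(sha256_of(p))
        if match:
            findings[name] = match
    return findings


def demo():
    """Constructed stand-in for System32 (fake byte contents, not real PE files)
    in which magnify.exe has been overwritten with a copy of ftp.exe."""
    with tempfile.TemporaryDirectory() as d:
        s32 = Path(d)
        (s32 / "cmd.exe").write_bytes(b"MZ fake cmd")
        (s32 / "ftp.exe").write_bytes(b"MZ fake ftp")
        (s32 / "sethc.exe").write_bytes(b"MZ fake sethc")
        (s32 / "utilman.exe").write_bytes(b"MZ fake utilman")
        (s32 / "magnify.exe").write_bytes(b"MZ fake ftp")   # the swap
        return find_swapped_binaries(s32)


if __name__ == "__main__":
    # With a path argument, scan that directory; otherwise run the constructed demo.
    print(find_swapped_binaries(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it on the live system as python detect_swap.py C:\Windows\System32, or against a mounted disk image from a forensic workstation. The caveat: this only catches a verbatim copy. An attacker who drops a modified cmd.exe, or who points the helper at a different program through an Image File Execution Options debugger entry instead of overwriting the file, needs a different check, such as verifying each helper's Authenticode signature and comparing its hash against a known-good baseline.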

Building on that last point let's talk about why this still works: although some combinations of filename/executable are blocked from running, Microsoft has allowed some to still function, including my personal favorite, replacing magnify.exe with ftp.exe. Personally I believe this was intentional on Microsoft's part, as there are advantages to leaving a backdoor in Windows.

My reasoning is twofold. First, because of the numerous ways to prevent such an attack and the fact that it requires physical access, I doubt that large organizations are putting pressure on Microsoft for a fix, as this will mainly affect end users and personal systems. This allows legitimate technicians and state-sponsored intelligence agencies/law enforcement access into these personal devices. And second, because this is a well-known vulnerability, threat actors are more likely to attempt this attack instead of looking for other vulnerabilities that leverage physical access; this gives Microsoft and security researchers time to find and address those vulnerabilities before they can be exploited in the wild.

Now I should state that I currently have no affiliation with Microsoft and that I would personally disagree that the vulnerability should be intentionally allowed to remain; however, I do feel that Microsoft's actions, or rather inaction, in this case are not an example of ignorance but instead a strategic move on the part of Microsoft.

Let me know your thoughts in the comments down below, and until next time this is your resident Script Kitty signing off.


Digital Wildfire, How to Hack Facebook’s Algorithm to Spread Your Message.

Hello fellow hackers, it's your resident script kitty here to talk about some of my recent research: how to use Facebook's algorithm to spread your message by increasing the visibility of posts.

Despite what Hollywood may have you think, hacking isn't always breaking into mainframes by typing binary into a phosphor monitor; if it were, all you would need to do is type color 0a, echo 01110100 01101000 01100101 00100000 01101101 01100001 01110100 01110010 01101001 01111000, and boom, you're Kevin Mitnick. Hacking in its essence is using a system in a way that was unintended to produce a result that favors you; that can be exploiting a system process to gain a root shell, or it could be wearing a phone company uniform to gain access to a restricted area.

When it comes to hacking the Facebook algorithm we are going to focus on the second form: how do we make it work for us simply by using its core functions in a way that was unintended? Simple, we do what marketing teams have already been doing, but in a more deliberate manner. Facebook's post algorithm takes in a number of factors before showing a user a post in their News Feed; many of these factors are out of our control, such as who the user is friends with, the time of day, what geographical area they live in, etc.

What we can control, however, is one of the most important factors: user engagement. Facebook has gone on record that reactions weigh more heavily in the algorithm than Likes; in a 2017 statement Facebook said the following:

“So we are updating News Feed to weigh reactions a little more than Likes when taking into account how relevant the story is to each person.” (Source)

In 2018 Facebook made the next important change, prioritizing "meaningful conversations". In their official statement they said the following:

“Page posts that generate conversation between people will show higher in News Feed. For example, live videos often lead to discussion among viewers on Facebook – in fact, live videos on average get six times as many interactions as regular videos. Many creators who post videos on Facebook prompt discussion among their followers, as do posts from celebrities. In Groups, people often interact around public content. Local businesses connect with their communities by posting relevant updates and creating events. And news can help start conversations on important issues.”(Source)

This caused the perfect storm: due to these algorithm changes users were more engaged than ever, but what they were engaging with was extremist content, due to its natural ability to gather large amounts of reactions and comments. This brought a lot of scrutiny onto Facebook and now they are doing damage control, adding fact checks to misinformation and, more importantly, changing the algorithm once again.

The more recent change was to give positive reactions more weight than negative reactions: Like remains rather neutral, while Love and Wow give positive weight and Angry and Sad give negative weight. Even in my own testing I have been unable to figure out how the Laugh react influences posts; it seems to be positive when it's only Laughs, but when Laugh is used on a post with other reacts its influence is unknown (probably due to sarcasm). If anyone knows more about how Laugh influences the algorithm please let me know in the comments below!

So how do we use this to our advantage? Let's say that hypothetically we had a group of individuals with a message they wanted to spread, something really important like "Subscribe to the Buf-fur Overflow blog for topical Cyber Security discussion!" What is the best way to get this to as many people as possible? We use the tools we have just defined.

We know that positive reacts carry greater weight, so we make a coordinated effort to Love every post, even if the content of the post is negative, like "The Buf-fur Overflow blog is down for maintenance". Despite the tragedy in the post prompting a natural urge to react with Sad or Angry, the Love and Wow reacts will spread the message further.

The next is to exploit the comments. A large number of comments with no replies will get flagged by the algorithm as engagement bait, so the way around this is to comment and to reply to others in the comments, for example to spread more information like so:

Commenter 1: The site may be down for maintenance but I know with our support it can be back up and running soon.

Commenter 2: That's right! Once it's back up remember we still have to subscribe to get the latest content!

Commenter 3: Here is a link with some more information on server maintenance:

This way Facebook will flag it as an active discussion, thus pushing it back into News Feeds even for users who have already seen it. It also helps spread it to users who have not seen it by giving the post more weight.

The third and final strategy is to exploit media types. Some of you might remember the arms race between pages posting images and the Facebook algorithm trying to push video (Source). Well, we are going to do the same here: videos, especially live videos, are highly favored by the algorithm. So instead of text posts we use live videos showing people how to subscribe to the Buf-fur Overflow blog or discussing server maintenance; this gives our message the final push.

With all these tricks combined the whole world will know that the Buf-fur Overflow blog is the best Cyber Security blog on the net! And hopefully you will too, thanks to my not-so-subtle hinting. Now that you have read this I hope you keep it in mind next time you are scrolling through your News Feed, and at the very least I hope you learned something interesting about how the Facebook algorithm works.

That’s all for now but stay tuned for more Cyber Security discussion!

Signed: Your resident Script Kitty,

~Killer Kat