Security Engineer with a focus on Cloud Security and Penetration Testing.

This is the final part of my SANS Holiday Hack write-up covering Objectives 9–11.

Part 1 / Part 2


(Santa) Objective 9 — ARP Shenanigans

Objective: Go to the NetWars room on the roof and help Alabaster Snowball get access back to a host using ARP. Retrieve the document at /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt. Who recused herself from the vote described on the document?

1. The overall goal here is to perform a combined ARP and DNS spoof so that the host's HTTP traffic is sent to your machine, then use that traffic to deliver a malicious .deb file and retrieve a file from the victim's computer.

Both the ARP and DNS spoofs used Scapy to intercept and adjust the incoming…


This is part 2 of my SANS Holiday Hack write-up covering Objectives 5–8 and the related smaller trials in the following rooms: KringleCon Talks, Speaker UnPrepared Room, Workshop, and Roof.

Part 1


KringleCon Talks

This floor contained 3 side objectives that are similar in nature.

Speaker UNPrep

Access to the Speaker UnPrepared Room is gated behind a side objective to locate a password inside a binary. Two more similar objectives turn on the lights and the vending machine inside the room. …


This is part 1 of my SANS Holiday Hack write-up covering Objectives 1–4 and the related smaller trials in the following rooms: Entryway, Dining Room, Courtyard, and Kitchen.


I had the pleasure of participating in the SANS Holiday Hack Challenge, affectionately called KringleCon this year, and like years before, it was a blast. KringleCon is one of my favorite online CTFs, combining educational videos and talks with fun technical challenges. …


Utilizing a cloud Command and Control (C2) server, along with various endpoint configurations, you can easily set up a full WireGuard network that allows direct access to private internal networks, or even routes all traffic through one IP for easy auditing. This blog and project were born out of a penetration testing need, but the concept can easily be applied to home and enterprise use elsewhere.

One of my recent challenges for my job was the creation of a way to allow internal penetration testers to securely access a company’s on-site internal network. …


Taking Privacy Back

Photo by Emiel Maters on Unsplash

Github Repo here!

With everything happening in the world, many people are spending a lot more time at home, myself included. Because of that, I got to spend the last few weeks upgrading my home lab, starting with a project I've been wanting to do for a while: self-hosting a password vault! Specifically Bitwarden, an open-source vault that boasts comparable or better features than commercial ones like LastPass.

The official Bitwarden self-hosted server is located at https://github.com/bitwarden/server. However, I chose not to use this version, mainly because it requires a large MSSQL database and locks some additional features behind a paywall. Instead I chose to use https://github.com/dani-garcia/bitwarden_rs, which at the time of writing had been updated 5 days ago. …


A little while back I was tasked with figuring out how to automatically deploy security tooling and specific IAM functionality across an AWS Organization whenever a new account was created. To solve this problem I created a CloudFormation StackSet that had new Stacks added to it via a Lambda, triggered by CloudWatch events. It worked, but I never felt super comfortable with it. Luckily AWS has just released CloudFormation improvements that allow a StackSet targeting an AWS Organization OU to deploy automatically to new accounts added to that OU.

The specific blog post can be found here and I recommend reading through it if the below is confusing at all. …


I have long been a fan of Hack the Box and the wide variety of machines it lets you try to break into in fun and creative ways. That being said, some machines can 'feel' like they were designed for a site like this, with steps that don't always flow naturally or represent what you might find in the real world.

This is not the case with Craft. The exploitation path for this machine is entirely realistic, and I wouldn't be surprised if most professional pentesters have faced something similar before.

Let’s dive in!

Breakdown of Craft Machine

Initial recon/enumeration:

Like most machines, the first step to take is a simple nmap…


Over the weekend I had the pleasure of being able to participate in the annual Google CTF, or more specifically the Beginner’s Quest portion of the CTF. For the most part I was able to figure out the challenges myself, but I do have to say that a few of them were tricky. The residents of John Hammond’s Discord server (https://discord.gg/Gw9gSMV) were of great help in figuring out some of the more puzzling challenges.

Speaking of puzzling, today I want to dive into one of the challenges I thought was both one of the toughest and most interesting challenges in the Beginner's Quest. This challenge was called FriendSpaceBookPlusAllAccessRedPremium.com and was classified as a Reversing challenge. Honestly, most people just called it the Emoji Reverser, for reasons you will see in a minute. …


How to have AWS metrics displayed in Slack with a simple Slack Command

Requirements:

  • AWS console access
  • AWS IAM user with Cloudwatch read access
  • AWS IAM user with read/write access to S3, Lambda, and API Gateway
  • Admin access to Slack workspace

Basic steps:

  • Create a Lambda with a Flask backend that handles the Slack POST requests and pulls metric images from CloudWatch
  • Deploy Lambda using Zappa to automatically create Lambda and API Gateway
  • Hook API Gateway into Slack slash command

Background

My work in production support involves a lot more staring at AWS CloudWatch graphs than I would have thought. As anyone who has worked with AWS knows, it can be a pain to constantly open the AWS console, especially if you just want to check something simple like the current number of instances online. The more I logged into AWS, the more I thought there had to be a better way to get simple information out of it, especially one that could automatically share updated data with others who may not have access to AWS. …
