I'm writing a sample report of an internal network pen test, but to keep it short and anonymous, I'm using a TryHackMe box as the target of the report. It's an easy box since I don't want to go crazy, but it is relatively realistic in terms of showing how some poor choices can add up to a complete machine compromise. This is the "Startup" machine for those interested.
I'm struggling as I am only showing one machine on the network, but I can cover the main points: unintended services being exposed, outdated software (not relevant to the challenge, but a fact nonetheless), security misconfigurations, poor file management, "hidden" directories, and some sweet privilege escalation. The point of these reports is to show what the reports I write look like, and what the customer can expect. I have one for web applications (think SaaS) that is based off of OWASP's Juice Box, but only a few vulnerabilities there.
People may hate on CTF-style machines, but I find them very helpful, not just in training for a particular attack technique, but also for projects like this one, where they save me from having to set up a whole new network environment to create a sample report.