Playing with Boto3 (Python) and AWS

One of my current roles is being part of the security architecture team, reviewing many architectures and defining our own cloud security framework. As in other companies, one of the most important issues when IT teams work with cloud architectures here is the possibility that sensitive data could be stored and managed in the cloud. To prevent this, there are some services in the cloud providers' catalogues that help with this task, but many times these services are not deployed in our region or do not work well with Spanish words (for example, AWS Macie). With this scenario, and with the main goal of improving my knowledge of AWS, I've developed a very simple script that reviews the objects stored in S3 buckets and analyzes their content to detect sensitive data (real names, DNI, NIE, licence plates, etc.). The script is only a proof of concept and does not work perfectly, but it shows the potential of this kind of tool.


Vulnhub Node 1

Happily, I've had enough time to do another Vulnhub boot2root challenge, in this case a medium-level machine originally created for the HackTheBox platform called Node 1. One of the reasons for choosing this machine was that it could let me improve my knowledge of the NodeJS platform; unfortunately, I was only able to achieve this goal partially. But let's go with the assessment!

Information Gathering and Penetration Steps

In the port scan only two services were listening on the host: an SSH service on port 22/TCP and a web app on 3000/TCP. I didn't retrieve any results with the UDP port scan.


Playing with the Nessus REST API

In addition to hacking challenges and other cybersecurity stuff, I really enjoy hardening new developments. As Head of New Initiatives at MAPFRE, one of my main tasks is to secure software development in the company, in both waterfall and Agile projects. So, one of the concepts we as security members have to know is DevOps (or DevSecOps for us). There are many definitions of that term, but for me it means securing the developers' pipeline and offering them cybersecurity services they can use to improve the security of their projects.


Vulnhub Toppo1

It has been a very long time since I wrote my last post. This has been due to a hard first half of the year, but I hope to fix that in the next one. Anyway, now I'm on vacation so I have more free time to enjoy my "cyber-hobby", and I decided to do another Vulnhub machine as practice, in this case Toppo1 (really easy). Furthermore, in this case I took the opportunity to use this assessment as the "pentest" practice for a security certification I'm currently studying for, the CHEE of Security Sentinel.


Malware Analysis Spyware 1

This week I've had to do another malware analysis, again with a phishing email as the entry vector. Since my personal malware analysis lab doesn't have Outlook and the malware was attached as a .msg file, first of all I had to look for a way to extract it. To do that, I found the msg-extractor script, which I was able to use on the Windows machine. The extracted files were two .ace compressed files containing two identical PE Windows executables with different names. Despite the depth of the analysis, I was not able to determine exactly what the malware does, but several things could be determined:


Vulnhub Zico 2

This week I've done another Vulnhub machine, in this case Zico2. In my opinion, it was easier than previous machines, in both the intrusion and privilege escalation steps. As shown below, the host has two main services running, an SSH service and a web application:


Malware Analysis SAT_Documento778288

Today I want to post a real malware analysis which I've done at my current company. A project manager contacted me and sent me a suspicious email which seemed to be a typical phishing attack. For people who don't speak Spanish, the body of the email accuses us of tax evasion:


Vulnhub LazySysAdmin 1

This is intended to be a walkthrough of the LazySysAdmin: 1 Vulnhub machine. As in every penetration test, the first step was port and service discovery in order to detect misconfigured or vulnerable applications running on the server. As shown below, a web application is running on port 80/tcp which seems to have been generated using the Silex CMS generator.
