During a hackathon organised by GlobalKnowledge, the pen testers had to attempt to breach the security of The Clerks Collecting Office. Niels Gilis and Benjamin Eygenraam, working at Axxes as System Engineers, were two of the participants.
There is no chance that you have heard about The Clerks Collecting Office before, as the company, fortunately, does not exist. However, everything you need to bring the company to life was created in TryHackMe, a platform on which you can create virtual machines. There was a website, for example, and ‘employees’ had social media accounts. Just like real life.
Over the course of five days, Niels, Benjamin, and hundreds of others from the Netherlands and abroad tried to access the back-end of the virtual company to score points using the principle of capture the flag. They spent at least one hour every day completing assignments. Whoever found the first flag just after midnight received extra points, which led to numerous nightly escapades. The plan devised by Niels and Benjamin consisted of three major phases.
PHASE 1: EXPLORATION
‘First, it is important to become thoroughly acquainted with the company’, says Niels. ‘You do this by properly categorising all information you can find online.’ This is information anyone can obtain legally, such as whatever can be found on a website or on social media. According to Niels, it may always come in useful at a later time.
For example, there was a picture of a dog on an Instagram profile, whose name was used as a password. It may seem obvious, but this is the reality in a world in which 1234 is still the most popular password. ‘We were also able to extract some data through social engineering, just like in real hacks. I was able to discover the telephone number of the CEO, for example, by pretending I was someone else on Instagram.’
Each relevant tip led to points, which differed based on the way in which you discovered them. Anyone who found the same phone number on a hidden page of the website received a slightly lower score. ‘The great thing about hacking is that you can approach matters like this in a variety of ways. You can scrape a section automatically, but there is often still a human factor’, says Benjamin.
PHASE 2: OPENING THE DOOR
Once all legal means were exhausted, Benjamin, Niels, and their competitors pulled out their fiercer tools to “take a look at what could be behind the door”. One of the most important tools in this respect was Kali Linux, a Linux distribution that bundles numerous tools used in penetration tests.
Niels: ‘You can use these, for example, to check the system on which a website operates and what you are looking at precisely. The software offers a lot more information than shown in a regular browser.’
Two tools stand out. The first is DirBuster, which reveals hidden web pages and directories when you feed it the right word list; this is how a hidden folder was discovered, for example. The second is Nmap, which shows you, among other things, which services are running and their versions.
‘The most important thing,’ says Benjamin, ‘is to be able to place yourself in someone else’s shoes. People who develop websites often create test pages or leave files at places from which they should have been removed after launching the site. Examples are folders with test files. As a tester, you can use a retroactive approach to find these.’
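The leftover test folders and backup files Benjamin describes are exactly what a directory brute-forcer finds from the outside. The following pre-launch hygiene scan is an added example, not a tool from the hackathon or from Axxes: it walks a web root and lists, as the URL paths an outside scanner would request, anything that looks like a forgotten artifact. The suspect name and suffix lists are assumptions for this example, and the sample site is constructed inline.

```python
"""Pre-launch hygiene scan: flag leftover test pages, backups and VCS
metadata in a web root before the site goes live (constructed example)."""
import os
import tempfile

# Names and suffixes that usually mean "should have been removed after launch".
# These lists are an assumption for this example, not an exhaustive standard.
SUSPECT_NAMES = {"test", "tests", "backup", "backups", "old", ".git", ".svn",
                 ".env", "phpinfo.php", "install.php"}
SUSPECT_SUFFIXES = (".bak", ".old", ".orig", ".zip", ".tar.gz", ".sql", ".swp", "~")


def find_leftovers(webroot):
    """Return sorted URL-style paths (relative to webroot) of suspect dirs and files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        prefix = "" if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/"
        for d in dirnames:
            if d.lower() in SUSPECT_NAMES:
                findings.append("/" + prefix + d + "/")
        for f in filenames:
            low = f.lower()
            if low in SUSPECT_NAMES or low.endswith(SUSPECT_SUFFIXES):
                findings.append("/" + prefix + f)
    return sorted(findings)


def build_demo_site(root):
    """Create a constructed web root with a few deliberate leftovers."""
    layout = {
        "index.html": "<h1>Clerks Collecting Office</h1>",
        "css/site.css": "body{}",
        "backup/site-2019.zip": "placeholder, not a real archive",
        "test/index.php": "<?php echo 'test page'; ?>",
        "config.php.bak": "<?php /* placeholder config */ ?>",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build the constructed site in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return find_leftovers(root)


if __name__ == "__main__":
    for path in demo():
        print("leftover:", path)
```

Run it against a real deployment directory by calling `find_leftovers("/path/to/webroot")`; anything it lists is a candidate for deletion before launch.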
PHASE 3: BREAKING THE CODES
The next step? Breaking certain encrypted files. Niels: ‘You will often find files you cannot open immediately, such as old backups, when conducting scans. In this case, you could use the name of the dog as a password, for example. The final step was finding the user name to log in to the back end. You had to place yourself in the shoes of the developer who created the system again. Once you took a deep look at the situation, you discovered that he or she was not very experienced and followed the manual of the hosting company. This manual recommended using the IP address in combination with the domain name of the website as the user name. This discovery enabled us to access the back end.’
The more than one hundred tools in Kali Linux also proved to be useful here but can be overwhelming. Niels: ‘You can waste a lot of time if you don't know what you are doing. It is better to think about what you want to do first and then look for the tool. You can often find tools online that you can use without any technical knowledge. An example is CrackStation, which can read encrypted information and tell you more about what the file could be. Cryptii converts binary codes into legible language, and CyberChef goes one step further and can actually tell you which encryption is used by the code, and already break the lock of weaker forms of encryption and recognisable passwords for you.’
Ultimately, Niels ended up in the global top 50 of the hackathon, and Benjamin even ranked in the top 20. ‘I notice that I am quite good at this, and want to focus on it more. Competitions like this one help me expand or refresh my knowledge’, says Benjamin. Niels confirms this: ‘One of the most important things I learnt is that it is important for a developer to properly check what you need for your finished product after a launch. When you are a programmer, don't leave any unused code; don’t leave any unused gates if you are a network engineer; and don't leave any unused accounts if you are a system administrator. Unfinished work offers hackers an easy way in! You can close many open doors by removing superfluous files. Humans will always remain the weakest link: do not only secure your systems but especially your people.’
By Niels Gillis & Benjamin Eygenraam