Starting Out
If you aren’t sure how to start or you’ve gotten some challenges but you’re stuck and aren’t sure what to try next, it can seem overwhelming to try to think of things to do - that’s totally normal! Hacking requires thinking like an attacker, or thinking about tinkering with the functionality before you to see what holes there might be in an application or environment, and then using those findings to gain some benefit. Here are some tips on how to move forward:
To start off, check out this video:
Thinking Like an Attacker – an introduction to the CMD+CTRL Cyber-range video to get you in the right mind-set
https://securityinnovation.hubs.vidyard.com/watch/Kd2w4C366VJce6rcY25LEh?
Now take a look at our platform overview and get familiar with the CMD+CTRL Cyber-range
https://securityinnovation.hubs.vidyard.com/watch/wmojAbzJRcRXSNbki7cCbs?
No matter what level you are at, we always recommend spending some time on “reconnaissance” first. This entails using the site or environment as it was meant to be used, making sure to try to test all the functionality that you can and look at every page you have access to. Look at the pages on the site, look through the HTML source by using the developer tools in your browser, and keep an eye on the URL. Take notes if you have questions or ideas about things that seem interesting or places that you want to test for vulnerabilities.
If you are playing a non-cloud range:
Web application ranges include Shadow Bank, Shred, AccountAll, The Gold Standard, LetSee, InstaFriends, and DigiExchange. If you are playing one of these ranges, read this Cheat Sheet that is available once you’re logged into the CMD+CTRL platform.
If you haven’t already, go to https://cmdnctrl.net and log into your account, and hit the “Start Site” or “Play” button and go to your site. Start exploring. Figure out how the site works and what it is supposed to do. Maybe try some attacks you learned about on the Cheat Sheet.
The goal of this exercise is to get some experience in penetration testing an application. You will need to think about what the developer expected the site to do, and what they did not expect the site to do. You will score points automatically for finding and using vulnerabilities on the site. Vulnerabilities will fall into a number of categories; you can check out what kinds of challenges you have left by visiting your challenges page once you are logged into the platform. You will not get points for simply finding something that makes the site insecure; you will have to use it to your advantage somehow to score a challenge. Keep in mind that these sites are designed to be vulnerable and to not have a lot of resources, so challenges will generally not include denial of service attacks.
All your attacks will come from input you give to the site. When you look at or think of a process on the site that could potentially have some benefit to you, look for hidden fields there and imagine what kind of input you could provide that is the opposite of what is expected. Pay special attention to places that accept user input, whether they are obvious to a regular user or not. Notice the HTML source, the URL, and the functionality on every page. Your notes will help you keep track of what you have found and used already, and what you are still working on.
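The note-taking described above, as an added example (not part of the original article or the CMD+CTRL platform): a short Python script that lists every place a page accepts input, including hidden fields and URL parameters, so nothing is missed in your notes. The sample URL, the sample HTML and the function name `inventory` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample URL and page for illustration; not taken from any range.
SAMPLE_URL = "https://range.example/transfer?account=1001&view=summary"
SAMPLE_HTML = """
<form action="/transfer" method="post">
  <input type="text" name="amount">
  <input type="hidden" name="from_account" value="1001">
  <input type="hidden" name="fee" value="2.50">
  <select name="currency"><option>USD</option></select>
  <textarea name="memo"></textarea>
  <input type="submit" value="Send">
</form>
"""

class InputInventory(HTMLParser):
    """Collects forms and named input fields, visible or hidden."""
    def __init__(self):
        super().__init__()
        self.forms, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag in ("input", "select", "textarea") and a.get("name"):
            kind = (a.get("type") or "text").lower() if tag == "input" else tag
            self.fields.append({"name": a["name"], "kind": kind,
                                "value": a.get("value"), "hidden": kind == "hidden"})

def inventory(url, html):
    """Return reconnaissance notes: URL parameters, forms, and named fields."""
    parser = InputInventory()
    parser.feed(html)
    parser.close()
    return {"url_params": parse_qsl(urlsplit(url).query, keep_blank_values=True),
            "forms": parser.forms, "fields": parser.fields,
            "hidden": [f["name"] for f in parser.fields if f["hidden"]]}

if __name__ == "__main__":
    # Print one line per category so it can be pasted into your notes.
    for section, items in inventory(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{section}: {items}")
```
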
If you are playing a cloud range:
Cloud ranges include Forescient, Infinicrate, and MailJay. If you are playing one of these ranges, read through this Cheat Sheet that is available on the platform once you log in. It is written specifically for Forescient, but it is useful for tips on the other cloud ranges as well.
Be careful not to delete or destroy anything in your environment unless you are explicitly asked to do so.
The goal of this exercise is to understand how hackers exploit large enterprise systems that have cloud resources. You will be guided through what challenges you need to complete to score points. If you are stuck, reread the challenges that were given to you and pay attention to the information in those tasks. Make sure to follow the guidelines for completing the tasks. You will get points automatically for completing them, whether they are asking you to deliver a resource or complete an action. The tasks will be based on vulnerabilities that fall into a number of categories - you can check out what kinds of challenges you have left by visiting your challenges page once you are logged into the platform. You will not get points for exploiting vulnerabilities that you aren’t specifically asked to exploit, or for delivering resources that weren’t requested.
Keep in mind that these sites are designed to be vulnerable and to not have a lot of resources, so challenges will generally not include denial of service attacks. Use your resources and be thorough, patient and evil - and have some fun as well!