A freshly belligerent China is flexing its muscles in ways not seen since the USSR during the Cold War, forging a new illiberal alliance with Russia and North Korea. But the latent battlefield is farther reaching and more dangerous in the information age.
As we now know, over “a years long, coordinated assault,” China has stolen personal data from nearly every single American. This data lets them read our text messages, listen to our phone calls, and track our movements anywhere in the United States and around the world — allowing China to build a nearly perfect intelligence picture of the American population, including our armed forces and elected officials.
This state of affairs leaves corporate leaders, democracy advocates and other private citizens vulnerable to blackmail, cyber attacks and other harassment. Even our national leaders are not immune.
Last year, China targeted the phones of President Donald Trump and Vice President JD Vance in the course of the presidential campaign, reminding us that vulnerabilities in the network can affect even those at the highest levels of government. The dangers were drawn into stark relief earlier this year when Secretary of Defense Pete Hegseth used his personal phone to pass sensitive war plans to his colleagues, along with a high-profile journalist. That incident underscored what we’ve seen in Russia’s invasion of Ukraine, Ukraine’s Operation Spiderweb drone attacks on Russia, and on front lines the world over: Modern wars are run on commercial cellular networks, despite their vulnerabilities.
Many Americans would be surprised to learn that there is no impenetrable, classified military cellular network guiding the top-flight soldiers and weapons we trust to keep us safe. The cellular networks that Lindsay Lohan and Billy Bob Thornton sell us during NFL games are the same networks our troops and national security professionals use to do their jobs. These carriers have a long, shockingly consistent history of losing our personal data via breaches and hacks — as well as selling it outright, including to foreign governments. So it’s no wonder that, when the Pentagon asked carriers to share their security audits, every single one of them refused.
This isn’t a new revelation. Twenty years ago, I served as a Special Forces communications sergeant in Iraq. There, U.S. soldiers regularly used commercial BlackBerries — not because the network was secure, but because they knew their calls would connect. It’s surreal that two decades later, our troops are still relying on commercial phones, even though the security posture has not meaningfully improved.
A big part of the reason why this challenge persists stems from an all-too-familiar issue in our government: a wall of red tape that keeps innovative answers from reaching public-sector problems.
In this case, a solution to the Pentagon’s cell network challenge already exists. The Army requested it, and our soldiers need it. But when they tried to acquire this technology, they were immediately thwarted. Not by China or Russia — but by the United States government’s own bureaucracy.
It turns out that the Defense Department is required to purchase cellular service on a blanket, ten-year contract called Spiral 4. The contract was last renewed in early 2024 to AT&T, Verizon, T-Mobile and a few others, about a year before a solution existed. Yet despite this, rigid procurement rules dictate that the Pentagon will have to wait … presumably another eight years until the contract re-opens for competition.
The FCC recently eliminated regulations calling on telecoms to meet minimum cybersecurity standards, noting that the focus should instead be collaboration with the private sector. I agree. But to harness the full ingenuity of our private sector, our government should not be locking out startups. From Palantir to Starlink to Oura, startups have proven that they can deliver critical national security technologies, out-innovating entrenched incumbents and offering people services they need.
The Pentagon has made real, top-level policy changes to encourage innovation. But it must do more to ensure that our soldiers are equipped with the very best of what they need and deserve, and find and root out these pockets of stalled bureaucratic inertia. Because America’s enemies are real enough – our own red tape should not be one of them.
John Doyle is the founder and CEO of Cape. He previously worked at Palantir and as a Staff Sergeant in the Special Forces.
Google Chrome 144 and Firefox 147 patch 26 security flaws, including high-severity bugs and sandbox escapes. Here’s what’s fixed and why updates matter.
Google Chrome 144 and Firefox 147 patch 26 security flaws, including high-severity bugs and sandbox escapes. Here’s what’s fixed and why updates matter.
Cybersecurity researchers from Huntress detail a major VM Escape attack where hackers took over host servers. Using a secret toolkit called MAESTRO, the attackers stayed hidden for over a year. Read the exclusive details on how this breach was stopped and how to protect your network.
In this write-up, we will explore the “Planning” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Planning” machine from Hack The Box by achieving the following objectives:
User Flag:
During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264—a critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user “enzo,” which granted SSH access to the host system.
Root Flag:
Once on the host, I discovered the Crontab-UI service—a web-based tool for managing cron jobs—running on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the “enzo” user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Port 22 (SSH): Secure Shell service for remote access.
Port 80 (HTTP): Web server running Apache.
Web Application Exploration:
The website for Edukate appears to be a standard educational platform.
What is Edukate?
Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.
Gobuster found a valid virtual host: grafana.planning.htb.
This is likely an internal service meant for the organization’s team, not a public endpoint.
Since it contains grafana, it strongly suggests it is a Grafana dashboard instance.
Grafana Application
The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.
We should be able to log in using the credentials provided by Hack The Box.
Username: admin
Password: 0D5oT70Fq13EvB5r
We need to inspect the traffic using Burp Suite.
First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.
We successfully gained access to the Grafana dashboard.
We also confirmed that the Grafana instance is running version 11.0.0
There are numerous tokens being rotated here.
This is what the response looks like in Burp Suite.
Critical SQL Expression Vulnerability in Grafana Enabling Authenticated LFI/RCE
This vulnerability targets Grafana 11’s experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isn’t properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).
Grafana doesn’t include DuckDB by default. For exploitation, DuckDB must be installed on the server and accessible in Grafana’s PATH. If it’s absent, the system is safe.
Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.
Let’s search Google for potential exploits targeting Grafana v11.0.0
This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nollium’s GitHub repository.
We successfully retrieved the /etc/passwd file.
When we ran the whoami command, it returned root, which is unexpected.
Let’s set up our listener.
Unfortunately, we were unable to execute the command due to an error.
As suspected, this is running inside a Docker container.
The environment variables reveal the Grafana admin credentials:
GF_SECURITY_ADMIN_USER=enzo
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.
Exploit CVE-2024-9264 using Burp Suite.
The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.
If the full path is not specified, it responds with a “Not Found” message.
However, attempting to execute the full path results in an “Unauthorized” response.
It’s still the same; we need to send the JSON data here.
This JSON payload is a crafted query sent to Grafana’s api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.
Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.
Let’s set up our listener to catch the reverse shell.
Use this SQL command to execute the bash script.
It’s hanging, which is a good sign that the payload is executing.
We successfully received a reverse shell connection.
We attempted to switch to the enzo user with su enzo, but it didn’t work.
SSH worked perfectly and allowed us to log in successfully.
We were able to read the user flag by running cat user.txt.
Escalate To Root Privileges Access
Privilege Escalation:
Locate the database file.
We discovered /opt/crrontabs/crontab.db.
The password for root_grafana is P4ssw0rdS0pRi0T3c.
Port 8000 is open here, which is unusual.
Let’s set up port forwarding for port 8000.
We need to provide the credentials to log in.
We need to use the credentials we discovered earlier to log in.
It turned out to be a cron jobs management interface.
What is Cronjob-UI?
Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.
We need to create a new cron job command.
The shell.sh file contains the reverse shell that will connect back to us.
We will use curl to fetch the file, as demonstrated earlier.
The file was transferred successfully, as expected.
We were able to access the root shell and read the root flag by running cat root.txt.
Continuous Vulnerability Management: The New Cybersecurity Imperative Security leaders are drowning in data but starving for actionable insights. Traditional penetration testing has become a snapshot of vulnerability that expires faster...
The AI Threat Landscape: How Adaptive Security is Redefining Cyber Defense Cybersecurity professionals are facing an unprecedented challenge. The rise of generative AI has transformed attack vectors from theoretical risks...
As winter approaches, it’s tempting just to sit back and put your feet up and not have to think about the garden until springtime. However, just a bit of extra work at this time of the year can save you a whole lot of hassle come planting time. Garden clean-up, the last big chore for gardeners, is often overlooked, especially […]
Winter Ornamentals – Bark Book Excerpt by Dan Hinkley Like the last and messy hours of a party gone on too long, the soggy, cool days of late autumn cast about the garden a mood of the season’s demise. Yet as the last colored leaves, varnished with the first rains of winter, fall earthward, the deciduous trees bare their sinewy […]
Penetration Testing and Formula One Racing – Preparation is Key
By Nathan JonesDirector, Customer Success, Synack
In Formula One, the most prepared teams have the best chances of success. Yet, preparation alone isn’t going to clinch a victory. Many factors contribute to crossing the finish line first: track conditions, weather, car setup, strategy changes and updates, as well as driver skill and decision making.
At Synack, we’ve got you covered throughout the entire engagement on our Crowdsourced Penetration Testing Platform before and after our trusted network of security researchers go to work hunting for your vulnerabilities.
Here’s what to expect throughout the Synack engagement:
It starts with high-quality, trusted researchers
Your pit team: Researchers’ skills are critically important to the success of any pentest. Because the vulnerability landscape is so broad and diverse, a single researcher — or even a small number of researchers — won’t have expertise across all vulnerability categories to fully test the assets in question.
That’s the value of the Synack crowdsourced testing platform because we attract the best researchers with a wide variety of skills and backgrounds. This allows large numbers of researchers to bring their experience to bear across the range of vulnerability categories, enabling the most thorough test of the assets in scope.
Results get collected in a well-designed platform
Right car, right tools: A top-quality vulnerability management platform should underpin any pentest initiative, allowing customers to manage the full vulnerability lifecycle from initial reports, to analyst review, and then onto remediation. At Synack, the customer portal lets your team view vulnerabilities flow through a logical, easy-to-use workflow from discovery to patch to patch verification.
In addition, our triage process ensures that vulnerability findings passed to the customer are valid, reproducible, high quality and actionable. This allows the customer to focus efforts on understanding the issues and taking appropriate action, saving considerable time and effort.
Control the testing environment and parameters
Know the course: Some penetration tests can be intrusive and noisy. The Synack experience has been designed to make the process as simple and seamless as possible. It is carried out in a controlled manner to mitigate any sort of impact to client’s everyday business operations. Researchers work from a known source IP to ensure proper monitoring. Customers are encouraged to monitor activity and traffic during the test but we recommend waiting for a formal vulnerability report before any patching. Patching during a test limits researchers’ ability to validate the finding and reward the researcher.
Engage with researchers before and after the test
Connected to the pit crew: A testing engagement should not be a fire-and-forget activity. Customers should be looking to provide regular feedback, including information about new releases or changes, areas of scope on which researchers should focus and updates on any customer actions.
Scope changes are a critical area of communication. A class of vulnerabilities caused by the same underlying issue should be temporarily removed from scope to prevent inundating the client with repetitive findings. We do this at Synack because it reduces noise as well as shifts the focus of researchers to other areas, thus ensuring better coverage.
Augment manual testing with smart automation
Change out the equipment when needed: Penetration testing harnesses human creativity to create value, but automated scanners are an important tool, as well, to help augment human efforts. Too often, however, security teams have had to accept trade offs, investing in cheap self-service scanning solutions to get broad attack surface coverage. There’s a better way. Smarter technologies built on machine learning principles can make a difference and help scale the testing effort. At Synack, SmartScan®, our vulnerability assessment solution, enables, rather than burdens, security teams by scaling security testing and accelerating their vulnerability remediation processes. SmartScan® combines industry-best scanning technology, proprietary risk identification technology, and a crowd of the world’s best security researchers, the Synack Red Team (SRT) for noiseless scanning and high-quality triage.
Recognize the possibility of unintended consequences
Expect the unexpected: Every pentester and testing company seeks to avoid unwanted impact to the customer. Most issues can be avoided by having an accurate scope and researcher guidelines agreed ahead of testing. On the rare occasion that there is an incident, we have a process in place to deal with it immediately.
Act on the results
Celebrate your wins, learn from your mistakes: It’s essential that clients act on findings. Just discovering vulnerabilities does not improve an organization’s risk posture. The vulnerabilities should be patched and remediated as soon as possible. Clients should look to monitor and track their risk posture over time using a risk metric such as Synack’s Attacker Resistance Score to chart improvements.
For long-term testing engagements, clients should not wait until the pentest has completed, but should fix issues and receive confirmation from the pentester that the mitigation was successful throughout the test.
Verifying compliance with necessary regulations is also a key part of using the results of a penetration test. Synack strongly recommends that clients opt for a testing package that includes checking compliance, including either relevant OWASP categories, PCI DSS 11.3, and NIST SP 800-53. A testing checklist provides auditable documentation for compliance-driven penetration testing requirements.
Keep on testing
Always winning: In Formula One, when the race ends, the work isn’t’ over. There are always more races to run and further developments and improvements to make to stay ahead of the pack.
The same is true in pentesting. As adversaries get more advanced, staying one step ahead in their cybersecurity is more important than ever. Regular pentesting is a key component of this. A client is only as strong as their weakest link, making appropriate pentesting against their entire attack surface critical to remaining cyber secure.
Winning looks like an overall reduction in vulnerability risk. While it’s impossible to eliminate all vulnerabilities, a healthy pentesting cadence will strengthen your security posture over time.
Nathan Jones is Director of Client Operations at Synack. He’s also a huge racing fan.
While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations.
Shedding light on the “cracked doors” that cybercriminals are using to compromise cloud environments, the 2022 X-Force Cloud Threat Landscape Report uncovers that vulnerability exploitation, a tried-and-true infection method, remains the most common way to achieve cloud compromise. Gathering insights from X-Force Threat Intelligence data, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements and data provided by report contributor Intezer, between July 2021 and June 2022, some of the key highlights stemming from the report include:
Cloud Vulnerabilities are on the Rise — Amid a sixfold increase in new cloud vulnerabilities over the past six years, 26% of cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, becoming the most common entry point observed.
More Access, More Problems — In 99% of pentesting engagements, X-Force Red was able to compromise client cloud environments through users’ excess privileges and permissions. This type of access could allow attackers to pivot and move laterally across a victim environment, increasing the level of impact in the event of an attack.
Cloud Account Sales Gain Grounds in Dark Web Marketplaces — X-Force observed a 200% increase in cloud accounts now being advertised on the dark web, with remote desktop protocol and compromised credentials being the most popular cloud account sales making rounds on illicit marketplaces.
As the rise of IoT devices drives more and more connections to cloud environments, the larger the potential attack surface becomes introducing critical challenges that many businesses are experiencing like proper vulnerability management. Case in point — the report found that more than a quarter of studied cloud incidents were caused due to known, unpatched vulnerabilities being exploited. While the Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more commonly leveraged vulnerabilities observed in X-Force engagements, most vulnerabilities observed that were exploited primarily affected the on-premises version of applications, sparing the cloud instances.
As suspected, cloud-related vulnerabilities are increasing at a steady rate, with X-Force observing a 28% rise in new cloud vulnerabilities over the last year alone. With over 3,200 cloud-related vulnerabilities disclosed in total to date, businesses face an uphill battle when it comes to keeping up with the need to update and patch an increasing volume of vulnerable software. In addition to the growing number of cloud-related vulnerabilities, their severity is also rising, made apparent by the uptick in vulnerabilities capable of providing attackers with access to more sensitive and critical data as well as opportunities to carry out more damaging attacks.
These ongoing challenges point to the need for businesses to pressure test their environments and not only identify weaknesses in their environment, like unpatched, exploitable vulnerabilities, but prioritize them based on their severity, to ensure the most efficient risk mitigation.
Excessive Cloud Privileges Aid in Bad Actors’ Lateral Movement
The report also shines a light on another worrisome trend across cloud environments — poor access controls, with 99% of pentesting engagements that X-Force Red conducted succeeding due to users’ excess privileges and permissions. Businesses are allowing users unnecessary levels of access to various applications across their networks, inadvertently creating a stepping stone for attackers to gain a deeper foothold into the victim’s cloud environment.
The trend underlines the need for businesses to shift to zero trust strategies, further mitigating the risk that overly trusting user behaviors introduce. Zero trust strategies enable businesses to put in place appropriate policies and controls to scrutinize connections to the network, whether an application or a user, and iteratively verify their legitimacy. In addition, as organizations evolve their business models to innovate at speed and adapt with ease, it’s essential that they’re properly securing their hybrid, multi-cloud environments. Central to this is modernizing their architectures: not all data requires the same level of control and oversight, so determining the right workloads, to put in the right place for the right reason is important. Not only can this help businesses effectively manage their data, but it enables them to place efficient security controls around it, supported by proper security technologies and resources.
Dark Web Marketplaces Lean Heavier into Cloud Account Sales
With the rise of the cloud comes the rise of cloud accounts being sold on the Dark Web, verified by X-Force observing a 200% rise in the last year alone. Specifically, X-Force identified over 100,000 cloud account ads across Dark Web marketplaces, with some account types being more popular than others. Seventy-six percent of cloud account sales identified were Remote Desktop Protocol (RDP) access accounts, a slight uptick from the year prior. Compromised cloud credentials were also up for sale, accounting for 19% of cloud accounts advertised in the marketplaces X-Force analyzed.
The going price for this type of access is significantly low making these accounts easily attainable to the average bidder. The price for RDP access and compromised credentials average $7.98 and $11.74 respectively. Compromised credentials’ 47% higher selling price is likely due to their ease of use, as well as the fact that postings advertising credentials often include multiple sets of login data, potentially from other services that were stolen along with the cloud credentials, yielding a higher ROI for cybercriminals.
As more compromised cloud accounts pop up across these illicit marketplaces for malicious actors to exploit, it’s important that organizations work toward enforcing more stringent password policies by urging users to regularly update their passwords, as well as implement multifactor authentication (MFA). Businesses should also be leveraging Identity and Access Management tools to reduce reliance on username and password combinations and combat threat actor credential theft.
To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2022 X-Force Cloud Security Threat Landscape here.
If you’re interested in signing up for the “Step Inside a Cloud Breach: Threat Intelligence and Best Practices”webinar on Wednesday, September 21, 2022, at 11:00 a.m. ET you can register here.
Login
