SOC-website, some light C and what I thought of BTL2

by Joost Agterhoek


What have I been up to? If you're seeing this site, not much. But in fact I have been working and studying quite hard, over the last two to three months. In no particular order, I have kept busy with:

A Flask-powered SOC-website

One of the final assignments of the in-depth but sometimes difficult to follow book Learn Python 3 The Hard Way was to build an interactive text-based web game, using the Python module Flask. While I learned a lot from the book, I could not motivate myself to spend a lot of time building out the web game, as I could not relate what I was learning to my daily SOC job. I still, however, felt it was important to learn Flask, and possibly relate it to my actual work. One of my (almost) daily tasks is looking up IP addresses, domain names and URLs. Either on VirusTotal, AbuseIPDB, or the excellent Open Threat Exchange (OTX) from AlienVault, I check out how many vendors deem an online entity malicious (or did so in the past), and for which reasons. Along with looking up SPF and DMARC information about domains to rule out the possibility of email spoofing, I spend quite some time hopping around between various websites, doing basically the same thing.

So instead of jumping around browser tabs and waiting for Cloudflare checks and captchas, why not make my own SOC-website? This project (https://code.joostagterhoek.nl/ik/flask-soc-site/) is going to be: a simple (probably one-page) barebones website where I can type in an IP address, a domain or a URL and get any and all relevant information out. Because describing what a website does is probably one of the deeper layers of hell, here are a few screenshots:

Main webpage with two forms, one for typed hosts (IPs, URLs, domains) and one for uploading files with hosts (only CSV so far).

After submitting a host with the first form, you are presented with the lookup results from a whois, the VirusTotal API and the AbuseIPDB API.


The second form works, but I am still working on a way to present these lookups for multiple hosts extracted from files. Further TODOs are documented here.


What I learned in this project:

  • Flask in general (which teaches you about website routing, HTTP method handling, and HTML templating with Jinja)
  • Building API modules with libraries like requests and json
  • Proper HTML template nesting with Jinja and building dynamic HTML tables based on API responses (adding a table row for each element in the response, for example)
  • The beginnings of file handling (CSV), and uploading and reading binary files and their contents
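As an added example (my own standard-library-only code, not the flask-soc-site project's), here is the part of such a lookup page that sits behind the Flask and Jinja glue: deciding whether a submitted value is an IP, a URL or a domain, pulling hosts out of an uploaded CSV, and flattening a VirusTotal-style JSON reply into the rows a Jinja table loop would render. The response shape, the `host` column name and the sample reply are assumptions.

```python
import csv
import io
import ipaddress
from urllib.parse import urlparse

def classify_host(value: str) -> str:
    """Decide which lookups a submitted form value needs: 'ip', 'url' or 'domain'."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "domain"  # anything else is treated as a bare hostname

def hosts_from_csv(upload: bytes, column: str = "host") -> list:
    """Pull hosts out of an uploaded CSV, given as the raw bytes a file form field yields.
    Rows without a value in `column` are skipped; the column name is an assumption."""
    reader = csv.DictReader(io.StringIO(upload.decode("utf-8")))
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]

def vt_table_rows(response: dict) -> list:
    """Flatten a VirusTotal-style reply into one table row per engine verdict.
    Assumed shape: data.attributes.last_analysis_results[engine] = {category, result}."""
    results = response["data"]["attributes"]["last_analysis_results"]
    return [{"engine": name, "category": r["category"], "result": r.get("result") or "-"}
            for name, r in sorted(results.items())]

def vt_summary(response: dict) -> dict:
    """Headline numbers for the top of the result page: how many vendors flagged the host."""
    stats = response["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": stats.get("malicious", 0), "total": sum(stats.values())}

# Constructed sample reply (not real VirusTotal data) so the module runs offline.
SAMPLE_VT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 1, "suspicious": 0, "harmless": 2, "undetected": 1},
    "last_analysis_results": {
        "VendorB": {"category": "malicious", "result": "phishing"},
        "VendorA": {"category": "harmless", "result": "clean"},
        "VendorC": {"category": "undetected", "result": None},
        "VendorD": {"category": "harmless", "result": "clean"},
    }}}}

if __name__ == "__main__":
    for host in hosts_from_csv(b"host\n192.0.2.1\nexample.com\n\nhttps://example.com/login\n"):
        print(host, classify_host(host))
    print(vt_summary(SAMPLE_VT), vt_table_rows(SAMPLE_VT))
```

In the real page the rows returned by `vt_table_rows` are what a `{% for row in rows %}` loop in the Jinja template turns into `<tr>` elements.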

Entry-level C and way-too-hard debugging

Because I want to learn programming as a solid foundation for malware analysis and reverse engineering, Python alone would be too high-level to properly understand exploits, vulnerabilities, etcetera. So I also (re)started with C. A great book to learn C for hacking purposes is Hacking: The Art of Exploitation, where you first learn C basics and immediately jump into debugging, ways to exploit your own code, and common vulnerabilities. It has gotten me back into the habit of writing (basic) C while also debugging, which really helps to fundamentally understand what happens in memory and how a stack frame is laid out. It might be good to blog more about the debugging experience, as this work is kind of fleeting, as opposed to committed code.

Blue Team Level 2 exam

Last but definitely not least: I did the Blue Team Level 2 exam! Quite a while ago, at the end of February, I reserved three days to investigate an incident response lab and write a report. The main takeaway for me was: stick to your plan. Meaning: when you get stuck or get lost, start from the beginning. What is the scenario, what is the timeline, what are the assets, what does the report require? While it was definitely hard and stressful, I feel that I got a strong grip on the incident, managed to extract valuable evidence and wrote an understandable report. Someday soon I am expecting my exam to be marked. When I do, I will try to write a follow-up to this post.