After completing my last book, I decided to go for another Sparc Flow book. Full disclosure, it had been in my partial-read pile for some time (don't let that reflect on the quality of the book, that's totally on me). This review is for the book How to Hack Like a GHOST by Sparc Flow. It was published in May 2021 by No Starch Press. I got it as part of a No Starch Press Humble Bundle.
This is another "not your typical tech book" from Sparc Flow (check this post to understand the full context of this quote). It reads like a novel. This book narrates the story of a hacker who wants to unearth the shady dealings of a political consultancy firm, Gretsch Politico (this is the same approach that has been demonstrated in my course Red Team Adversary Emulation, where students set out to breach a fintech firm, Tax First Labz). It is primarily focused on exploiting DevOps and cloud technologies. In the book, the hacker sets out to identify an exploitable vulnerability in the Gretsch Politico network. This is when they land upon some ads being run by MXR Ads on Gretsch Politico's behalf, which leads them to MXR Ads' doors. What happens next? You will need to read the book to find out.
The book is divided into four parts:
- Catch Me If You Can – This section encompasses the first three chapters. The first chapter covers tools and techniques to hide an attacker's identity and fingerprints before launching an attack. It also provides a glimpse of the attack infrastructure architecture that is used throughout the book. The next chapter covers various Command and Control (C2) frameworks. This chapter discusses Merlin, Koadic and SILENTTRINITY and demonstrates how to set up each of them. The third chapter covers setting up the attacker infrastructure explained in the first chapter. It demonstrates the infrastructure setup using a traditional approach (VMs) and a more modern one (containers). It also covers deploying Metasploit and SILENTTRINITY on this infrastructure. Finally, it closes out by showing how to automate the infrastructure setup using Terraform.
- Try Harder – This section encompasses chapters four and five. In this section the attacker uses OSINT tools and techniques to gain a better understanding of the target organization, Gretsch Politico. Soon they discover a relationship between Gretsch Politico and MXR Ads. Once again, they leverage OSINT techniques to understand MXR Ads and find a vulnerability in its network. This leads them to a vulnerable AWS S3 bucket and, following that, a Server-Side Request Forgery (SSRF) vulnerability.
- Total Immersion – This section encompasses chapters six to nine. In this section the attacker leverages a Server-Side Template Injection (SSTI) vulnerability to get code execution in the MXR Ads AWS infrastructure. This section also has a refresher chapter on Kubernetes. Following this, it demonstrates how to exploit Kubernetes, datastores and Redis. It closes out with the attacker installing a stealthy backdoor for persistent access.
- The Enemy Inside – This section encompasses chapters ten to thirteen. In this section, the attacker finally gets access to Gretsch Politico's AWS account and infiltrates further until their objective is achieved.
Salient Features
- It covers exploiting DevOps and cloud (AWS, to be precise) technologies (a nice deviation from other books on the topic).
- It contains a lot of useful security insights about technologies covered in the book.
- It gives a brief theoretical primer on almost every technology it covers.
- Technologies covered (a non-exhaustive list) – AWS IAM, EC2, Lambda, EKS, Redshift, Redis, Apache Spark, Terraform, Jenkins, Google Workspace, etc.
- Explains briefly how ad networks work and the privacy nightmare they can create.
- Though it doesn't explicitly cover topics such as red teaming or adversary emulation, it demonstrates them practically.
- It is good for experienced penetration testers and red teams.
- If you are curious about how real-world breaches happen, go for this book.
Not So Salient Features
- Throughout all the theory and explanations it is easy to lose track of the larger plot of the book. It would be nice if the author had included an attack path map at the end of each chapter or major section.
- The author has covered too many technologies for a relatively compact book like this. It is difficult to wrap your head around some of the text if you don't have prior knowledge of the topic. I would recommend reading Container Security by Liz Rice before diving into this book.
- A mapping of the hacker’s TTPs to the MITRE ATT&CK Framework would have been nice (this is more of a suggestion to the author for the next edition of this book).
- I would have loved a self-hosted hands-on lab to practice the techniques demonstrated in the book.
My rating: 4.3 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).
Other book reviews
- Ethical Hacking by Daniel G. Graham
- How to Hack Like a LEGEND by Sparc Flow
- CCSP for dummies by Arthur J. Deane
- Cyber Warfare – Truth, Tactics, and Strategies by Dr. Chase Cunningham
- Practical Threat Intelligence and Data-driven threat hunting by Valentina Costa-Gazcón
- Hacking APIs by Corey Ball
- Pentesting Azure Applications by Matt Burrough
- Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
- Red Team Development and Operations by Joe Vest and James Tubberville
- Container Security by Liz Rice
- Web Application Security by Andrew Hoffman
Uday Mittal is a cybersecurity professional with rich experience working across various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research, etc., and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.