-
As the Red Team, you will attack a vulnerable VM within your environment, ultimately gaining root access to the machine.
-
As the Blue Team, you will use Kibana to review logs taken during the Day 1 engagement to extract hard data and visualizations for an assessment report.
This will serve as an outline to the version of this project.
The following machines live on the network: Kali: 192.168.1.90 ELK: 192.168.1.100 Target: 192.168.1.105
See
The webserver suffers from several vulnerabilities but outlined below are the top three:
| Vulnerability | Description | Impact |
|---|---|---|
| Sensitive Data Exposure | The secrect_folder directory and connect_to_corp_server files were exposed compromising the credentials of the Web DAV folder. | Malicious actors can now gain access to company servers and files. |
| Unauthorized File Upload | Users are able to upload payloads to the web server. | This vulnerability allows attackers to upload scripts such as PHP to the server exposing the machine to a number of attacks enabled by malicious files. |
| Remote Code Execution | As a consequence of the file upload vulnerability, attackers can upload web shells. | Malicious code can be injected and executed to gain access to critical data, root access, and compromise any sensitive data to include theft or deletion. |
-
Exploitation: Sensitive Data Exposure
- Tools & Processes
- nmap command to determine IP address of machine and open ports.
- dirb command is used to find existing and/or hidden web objects.
- Achievements
- The secret_folder directory was discovered through this exploited vulnerability.
- Login prompt reveals that authorized user is Ashton.
- Directory is password protected however susceptible to a brute-force attack.
- Impact
- Obtaining username helps enable a brute force attack which leads to access and potential theft of data.
- Tools & Processes
-
Exploitation: Brute Force Attack
- Tools & Processes
- gunzip rockyou.gz to unzip wordlist for use during password cracking.
- Utilizing a Hydra attack we will run: hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder. This command will be executed using the rockyou.txt file previously unzipped.
- Achievements
- Once the attack is complete the username ashton and password leopoldo are returned.
- Impact
- Credentials for login access to the WebDAV server have been obtained and data is now at risk.
- Tools & Processes
-
Exploitation: Password Hash Crack
- Tools & Processes
- Using login credentials, access to the WebDAV folder was obtained and a hashed password found within the folder
- https://crackstation.net for cracking the password hash.
- Achievements
- Password is revealed to be: linux4u
- Impact
- Full user credentials were obtained to gain access to company folders and files.
- Tools & Processes
A considerable amount of data is available in the logs. Specifically, evidence of the following was obtained upon inspection:
- Traffic from attack VM to target, including unusually high volume of requests
- Access to sensitive data in the secret_folder directory
- Brute-force attack against the HTTP server
- POST request corresponding to upload of shell.php
Unusual Request Volume: Logs indicate an unusual number of requests and failed responses between the Kali VM and the target. Note that 401, 301, 200, 207, and 404 are the top responses.
| HTTP Status Code | Meaning | Count |
|---|---|---|
| 401 | Unauthorized | 16,067 |
| 301 | Moved Permanently | 2 |
| 200 | OK | 536 |
| 207 | Multi-Status(WebDAV;RFC 4918) | 10 |
| 404 | Not Found | 4 |
Also important to note the connection spike in the Connections over time [Packetbeat Flows] ECS, as well as the spike in errors in the Errors vs successful transactions [Packetbeat] ECS
On the dashboard, a look at the Top 10 HTTP requests panel shows that the /company_folders/secret_folder was requested 31,430.
The logs also indicate that an unauthorized actor was able to access protected data in the webdav directory. A graphing of the status codes and HTTP queries below can identify the increase in requests.
-
Blocking the Port Scan
- The local firewall can be used to throttle incoming connections
- ICMP traffic can be filtered
- An IP allowed list can be enabled
- Regularly run port scans to detect and audit any open ports
-
High Volume of Traffic from Single Endpoint
- Rate-limiting traffic from a specific IP address would reduce the web server's susceptibility to DoS conditions, as well as provide a hook against which to trigger alerts against suspiciously suspiciously fast series of requests that may be indicative of scanning.
-
Access to sensitive data in the secret_folder directory
- The secret_folder directory should be protected with stronger authentication.
- Data inside of secret_folder should be encrypted at rest.
- Filebeat should be configured to monitor access to the secret_folder directory and its contents
- Access to secret_folder should be whitelisted, and access from IPs not on this whitelist, logged.
-
Brute-Force attack against the HTTP server
- The fail2ban utility can be enabled to protect against brute force attacks.
- Create a policy that locks out accounts after 10 failed attempts
- Create a policy that increases password complexity (requirements)
-
Identifying Reverse Shell Uploads
- Set write permissions to read only on webdav to prevent payload deliveries.
- Isolation of uploads to a dedicated storage partition.
- Installation and configuration of Filebeat.
**Group
- Laura Pratt
- Josh Black
- Courtney Templeton
- Robbie Drescher
- Julian Baker**