HA: Forensics: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called HA: Forensics. This is a Capture the Flag type of challenge. It contains four flags that become accessible as you progress through the lab, following the hints it gives. It is a forensics-focused machine.

Download Lab from here.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Flag #1
    • Browsing the HTTP service
    • Directory Bruteforce using dirb
    • Enumerating an Image file
    • Extracting Metadata of Image file
    • Reading Flag #1
  • Flag #2
    • Directory Bruteforce using dirb
    • Decrypting PGP Encryption
    • Creating a Dictionary using crunch
    • Performing a Dictionary Attack on the ZIP file
    • Reading Flag #2
  • Flag #3
    • Enumerating DMP file using pypykatz
    • Extracting an NT hash
    • Cracking Hash using John the Ripper
    • SSH login using Metasploit
    • Convert SSH to Meterpreter
    • Enumerating Network Interfaces
    • AutoRoute an internal docker instance
    • Perform a ping sweep scan internally
    • Connect to the FTP service as Anonymous
    • Downloading the Image file
    • Transferring the Image file to the local machine
    • Analyze the image file using Autopsy
    • Reading Flag #3
  • Flag #4
    • Decoding the Base64 Encoding
    • Enumerating for Sudo permission
    • Exploiting the Sudo permissions on ALL
    • Reading Flag #4

Walkthrough

Network Scanning

To attack any machine, we first need its IP address. This can be done using the netdiscover command. To identify the right machine, we correlate the MAC address shown by netdiscover with the one in the virtual machine's configuration settings. The IP address of the machine was found to be 192.168.0.174.

Following the netdiscover scan, we run an nmap scan to get information about the services running on the virtual machine. An aggressive nmap scan reveals that two services are running on the machine: SSH (22) and HTTP (80).

Enumeration

Since the HTTP service is running on the virtual machine, let's take a look at the webpage it hosts:

The webpage has a button that says “Click here to get flag!”. Make sure to click it.

FLAG #1

We see that the webpage is a simple page with some forensics images. Nothing special. Next on the enumeration list was directory bruteforce. We used our reliable dirb tool for it.

This gave us an image directory. We looked into it through the web browser and found two images called DNA and fingerprint. We checked DNA; it was just a rabbit hole. Then we downloaded the fingerprint.jpg file to the local system to analyze it further.

This machine is based on forensics and we have an image in our hands, so Exiftool seems the right tool to use. A simple look at the metadata of the image using Exiftool shows that we have our first flag!
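As an added example (not part of the original walkthrough, and not the lab's fingerprint.jpg), here is a small stdlib-only Python parser that does what Exiftool does for the two places a note is usually planted in a JPEG: the COM comment segment and the text tags of Exif IFD0. The sample image is constructed inline, and the comment and flag strings in it are placeholders.

```python
import struct

SOS, COM, APP1 = 0xDA, 0xFE, 0xE1  # start of scan, comment, APP1 (Exif) markers
ASCII_TAGS = {0x010E: "ImageDescription", 0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:  # entropy-coded image data follows; stop walking
            return
        pos += 2 + length

def exif_ascii_tags(tiff):
    """Return IFD0 ASCII entries from a TIFF block (the bytes after 'Exif\\0\\0')."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(order + "HHI", entry[:8])
        if typ != 2 or tag not in ASCII_TAGS:
            continue
        if n <= 4:  # values of four bytes or fewer are stored inline
            raw = entry[8:8 + n]
        else:  # longer values sit at an offset from the TIFF header
            (off,) = struct.unpack(order + "I", entry[8:12])
            raw = tiff[off:off + n]
        found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def jpeg_metadata(data):
    """Collect COM comments and Exif IFD0 text fields, the places a hidden note would sit."""
    meta = {"comments": [], "exif": {}}
    for marker, payload in jpeg_segments(data):
        if marker == COM:
            meta["comments"].append(payload.decode("latin-1"))
        elif marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            meta["exif"].update(exif_ascii_tags(payload[6:]))
    return meta

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def _tiff_with_artist(text):  # big-endian TIFF: header, IFD0 with one Artist entry, value at offset 26
    value = text.encode() + b"\x00"
    entry = struct.pack(">HHII", 0x013B, 2, len(value), 26)
    return b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1) + entry + b"\x00" * 4 + value

# Constructed sample image (not the lab's fingerprint.jpg): JFIF, comment, Exif, then SOS.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(COM, b"constructed comment")
               + _segment(APP1, b"Exif\x00\x00" + _tiff_with_artist("flag{constructed-example}"))
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Run `jpeg_metadata(open("fingerprint.jpg", "rb").read())` on the downloaded file to see the same fields Exiftool reports; anything in the Exif sub-IFD (such as UserComment) is outside what this short parser reads.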

Flag #2

Now, enumeration doesn't always end with one pass of directory bruteforce. When in doubt, always use the extension filter in dirb. We got a hit with the txt filter: a file with some tips.

Looking at tips.txt, we see that it is a kind of robots.txt file, just named tips. As we are on the hunt for flags, we choose to browse to the flag.zip file first.

It gave us an option to save the file. Let’s do it.

Now that we have the zip file on our local system, it's time to extract its contents. We use the unzip command to extract the files inside flag.zip. It requires a password. We don't have one!!

We go back to the web browser and the tips file. There is a folder named igolder. It shares its name with a website that encrypts and decrypts messages with PGP public and private keys. We browse the folder and see that there is another text file called clue.txt. Upon reading the file we see that it contains a private key and an encrypted message.

To decrypt the message, we went to the igolder website and pasted the PGP private key and the encrypted message from the clue.txt file. After clicking the Decrypt Message button, we have the secret message. It tells us that the password is 6 characters long, with the first 3 being the letters “for” and the last 3 being numeric characters.

Whenever we have a partial hint about a password, we use crunch to create a dictionary fitting that pattern. We used crunch to create a dictionary named dict.txt for cracking the password. Using fcrackzip we cracked the password: for007.

We unzip the file and get a PDF file labelled flag. We also get a DMP file, but more on that later.

Let’s open the PDF file and take a look at our second flag.

Flag #3

Now we have two flags, two more to go. We received a DMP file in the previous section. In forensics, a memory dump file can be inspected using pypykatz, so we will use it to check for hints inside.

Looking through the DMP file more thoroughly, we find an NT hash for a user called jasoos. The name means detective in Hindi. That might be a clue.

We copy the hash and paste it into a file named hash. Now we have a hash file, and to crack the hash we use John the Ripper. After churning through it, John the Ripper gave us the password. It was “[email protected]”. That’s not super secure, is it?

Now, here we could connect directly via SSH, but logging in through Metasploit is better as it has a ton of post-exploitation modules that can be used afterwards. Using the ssh_login module we get an SSH session on the machine as user jasoos. Using the shell_to_meterpreter module we turn it into a meterpreter session on the target machine.

Using the ifconfig command, we see that there is a docker interface on the machine with the IP address 172.17.0.1.

It is an internal IP address, which means we cannot reach it from outside normally.

No need to panic. Metasploit has our back here. It has an autoroute module that routes traffic for the internal network through our existing session, so that internal IP addresses become reachable from Metasploit. But autoroute doesn’t tell us the IP address of the internal host, so we perform a ping sweep to find the address that we can then target. The ping sweep gives us the IP address: 172.17.0.2. Now that we know the target IP address, let’s see exactly what kind of service this docker instance is running. A port scan reveals an FTP service. We don’t have any credentials for it. However, FTP has a feature that lets an anonymous user log in and access files. To confirm whether this FTP server is configured that way, we use the ftp anonymous scanner in Metasploit.

It says that the FTP server allows anonymous login. So, let’s enumerate the FTP service by connecting to it as anonymous. We have a directory called pub. Inside that directory, we have a file with a 001 extension. It seems to be a disk image file of the kind usually used in forensic investigation. It is labeled saboot (sabot), which means evidence in Hindi.

Now, using the Python one-liner HTTP server, we transfer the file from the target machine to our local machine.

As the Python one-liner runs and serves files on port 8000, we browse to that port and download our saboot file.

We decided to use the Autopsy forensic investigation tool to inspect the captured image. It can be started using the following command. It tells us that Autopsy is accessible on localhost port 9999. Let’s open it.

Here we have the web interface of Autopsy. We click on the New Case button.

We name the case, provide a description, and give the investigator name for documentation purposes. Then we click on the New Case button again.

Now it creates the case. After creating a case, Autopsy requires a host for that particular case and asks for the name of the host. After providing the name, click on the Add Host button to continue.

After the creation of the host, it asks us to add an image file. This is the step where we add the image file we acquired from the target machine.

It asks for the location of the image file. Since we downloaded it from our web browser, it must be in the Downloads folder. We provide the path as shown in the image below. Also, choose Partition in the Type option, since the .001 file is a partition image rather than a whole-disk image (a disk contains one or more partitions, so a disk image would be considerably bigger). After completing this, click on the Next button to continue.

Here it asks for further options. Leave them at the defaults and click on the Add button.

Now that our image has been added, it is time to analyze it. This can be done as shown in the image below.

We see that we have a bunch of files. Among those files are two text files: a flag file and a creds file. Let’s take a look at our third flag.

Flag #4

Now we have a creds.txt file. We take a look at it and find some encoded text inside.

It looks like Base64 encoding. We use the echo command piped to the base64 decoder as shown in the image below. This might be the password for another user.

We enumerate the home directory and find that there is another user by the name of forensics. The password must be for this user. We use the su command to log in as forensics with the password we found. Now we use the sudo -l command to find out which binaries we can run with sudo to elevate privileges. We find that ALL is permitted. So, we just use the sudo bash command and get root. Then we look for the final flag in the root directory and we have our fourth and final flag.

This concludes this vulnerable machine.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. He can be contacted on Twitter and LinkedIn.

AlienVault: OSSEC (IDS) Deployment

In this article, we will discuss the deployment of OSSEC (IDS) agents to an AlienVault server.

OSSEC is an open-source, host-based intrusion detection system (commonly called an IDS) that markets itself as the world’s most widely used intrusion detection system. It performs, or helps us perform, monitoring of:

  • Network Anomalies
  • Log analysis
  • Integrity Checking
  • Windows registry monitoring
  • Rootkit detection
  • Process monitoring
  • Real-time alerting
  • Active response
  • Policy monitoring

Intrusion detection systems are customizable like a firewall, and they can also be configured to send alert messages, or to respond automatically to a threat or warning, according to the rules you define for your network or device.

OSSEC (IDS) can warn us about DDoS, brute force, exploits, data leaks, and other external attacks. It monitors our network in real time and interacts with us and with our system as we decide. It can be used to monitor one server or thousands of servers in server/agent mode.

Table of Contents

For Linux

  • Prerequisites
  • Required dependencies
  • Download OSSEC source code
  • Extract & install OSSEC agent from source code
  • Installation of OSSEC HIDS Agent
  • Deploying OSSEC Agent to OSSEC server
  • Running OSSEC Agent

For Windows

  • Download OSSEC agent for Windows
  • Install OSSEC agent
  • Generate OSSEC key for the agent
  • Run and verify OSSEC agent is connected or running

Prerequisites

  • Ubuntu 20.04.1
  • Windows 10
  • Root or Admin privileges

For Ubuntu 20.04.1

Required Dependencies

To install the OSSEC agent on Ubuntu 20.04.1, some requirements need to be installed before the agent installation, as listed below:

  • GCC
  • Make
  • Libevent-dev
  • Zlib-dev
  • Libssl-dev
  • Libpcre2-dev
  • Wget
  • Tar

You can install all of these requirements by simply running the following command:

Download OSSEC source code

You can download the latest OSSEC source code from the official release page on GitHub, or by simply running the following command:

Extract & install OSSEC agent from source code

Once the source download completes, you can extract it by simply running the following command:

To install the OSSEC agent, navigate to the source code directory and run the installation script as shown below.

Then select your installation language, or press ENTER to accept the default installation options, and follow the steps described below:

  • Specify the type of installation. In our case we are installing an OSSEC-HIDS agent, so we go with the agent option.
  • Choose the installation path. By default it is /var/ossec, or you can define a path as per your environment.
  • Enter the OSSEC-HIDS server IP or AlienVault server IP.
  • Enable the system integrity check.
  • Enable rootkit detection.
  • Enable or disable active response.
  • Once you are done defining the options, proceed to install the OSSEC agent by pressing ENTER.
  • Then press ENTER again to close the installer, as shown below.


Deploying OSSEC agent to AlienVault server

For the agent to communicate with the server:

  • You first need to add it to the HIDS server or AlienVault server.
  • After that, extract the agent authentication key from the AlienVault server.

To extract the agent key from the server, go to the AlienVault Web UI and navigate to Environment > Detection, as shown below:

Then select or add the agent entry for the machine on which you installed the OSSEC agent, and extract or copy the key as shown below.

Once you have extracted the key, import it on the agent simply by running the following command:

Enter I, paste the key that you copied from the AlienVault Web UI, confirm adding the key, and then exit by pressing Q, as shown below.
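An added check, not from the original article: before pasting the exported key into manage_agents, decode it and confirm it belongs to this host, since a key copied for the wrong agent entry imports without complaint and the agent then never connects. The script assumes the export is the base64 of the client.keys line `ID NAME IP KEY`; the agent name, IP and shared key in the sample are constructed.

```python
import base64
import ipaddress
import re

def decode_agent_key(exported):
    """Decode an agent key as exported by manage_agents or the AlienVault HIDS page.

    Assumption: the export is the base64 of the client.keys line 'ID NAME IP KEY'.
    Raises ValueError with a precise reason instead of letting a bad paste reach manage_agents.
    """
    try:
        line = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64-encoded key: {exc}") from None
    fields = line.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(fields)} field(s)")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError(f"bad agent id {agent_id!r}")
    if ip != "any":  # 'any' lets the agent connect from any address
        ipaddress.ip_network(ip, strict=False)  # accepts a single address or a CIDR block
    if not re.fullmatch(r"[0-9a-fA-F]+", secret):
        raise ValueError("shared key is not hexadecimal")
    return {"id": agent_id, "name": name, "ip": ip, "key": secret}

def key_mismatches(exported, expected_name, host_ip):
    """List the ways a pasted key disagrees with the agent it is being imported on."""
    info = decode_agent_key(exported)
    problems = []
    if info["name"] != expected_name:
        problems.append(f"key is for agent {info['name']!r}, this host is {expected_name!r}")
    net = ipaddress.ip_network(info["ip"], strict=False) if info["ip"] != "any" else None
    if net is not None and ipaddress.ip_address(host_ip) not in net:
        problems.append(f"key is bound to {info['ip']}, this host is {host_ip}")
    return problems

# Constructed sample: what the server would export for agent 001 'ubuntu-agent' at 192.168.1.10.
SAMPLE_SECRET = "0123456789abcdef" * 4  # placeholder; real keys are generated by the server
SAMPLE_KEY = base64.b64encode(f"001 ubuntu-agent 192.168.1.10 {SAMPLE_SECRET}".encode()).decode()
```

An empty list from `key_mismatches(pasted, this_agent_name, this_host_ip)` means the key is safe to import with manage_agents.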

Running OSSEC agent

Once the installation completes, start the OSSEC agent simply by running the following command:

Or

To stop the agent, run the command below.

Other service control commands are described below.

To check the status:

Check the logs to see if the agent has connected to the server.

As you can see, the agent is successfully connected to the AlienVault server.

Congratulations !!! you have successfully deployed the OSSEC agent on your Ubuntu machine to the AlienVault server.

For Windows Machine

Download OSSEC agent for Windows

You can download the OSSEC agent for Windows from the OSSEC official page.

Locate and select package Agent Windows ossec-agent-win-32-3.6.exe or the latest one as shown below:

Install OSSEC Agent

Go to the Downloads folder, run the OSSEC agent installer, and hit Next as shown below.

Choose the path where you want to install the OSSEC agent and hit Install.

Then wait for the setup to complete and hit Next.

Select Finish and exit the installer.

Generate OSSEC key for the agent

Follow the steps as described below:

  • At AlienVault Web UI go to “Environment > Detection > HIDS”
  • Go to Agents (top right corner)
  • Add a new agent
  • Copy the key and use it at the agent as shown below

Come back to the Windows machine.

Enter the AlienVault server IP and paste the key as shown below.

After that, confirm the agent deployment by pressing OK.

Run and verify OSSEC agent is connected or running

After a successful deployment of the OSSEC agent, start the OSSEC agent service by navigating to “Manage > Start OSSEC” as shown below.

As you can see, the service has started successfully.

The new Windows agent can be found in the OSSIM Web UI as shown below.

Congratulations !!! you have successfully deployed your Windows agent to the AlienVault server.

Hmm…

Let’s verify that the logs of the Windows machine are being processed by navigating to “Analysis > Security Events (SIEM)”.

Here 192.168.1.7 is my Windows machine’s IP.

As we can see, the Windows machine has started sending logs and they are being processed.

Hold tight! this is not enough…..

Have patience …

In this article, we explained the deployment of the OSSEC agent to AlienVault OSSIM.

In the next article, our focus will be on threat hunting, malware analysis, network traffic monitoring, and much more…

Author – Vijay is a Certified Ethical Hacker, Technical Writer and Penetration Tester at Hacking Articles. Technology and gadget freak. Contact here.

Forensic Investigation: Pagefile.sys

In this article, we will learn how to perform a forensic investigation on a page file. A lot of information can be extracted from valuable artifacts in a memory dump. Yet there is more: you can perform memory forensics even without a memory dump, by analyzing virtual memory.

There are files on the drive that contain pieces of memory. These files are pagefile.sys, swapfile.sys, and hiberfil.sys. We will be moving forward with pagefile.sys.

Table of Contents

  • Introduction
  • Capturing the memory and pagefile using FTK imager
  • Analyzing using Belkasoft Evidence Centre

Introduction

Pagefile.sys, also referred to as the swap file or virtual memory file, is used by Windows operating systems to store data from RAM when RAM becomes full. On Windows it is located at C:\pagefile.sys. Windows supports up to 16 paging files; usually only one is in use.

Whenever you open an application in Windows, your PC consumes RAM. When you have more applications open than the RAM on your PC can handle, data of programs already running in RAM is moved to the page file. This is known as paging, and it means the page file acts as backup RAM, also known as virtual memory.

Capturing the memory and pagefile using FTK Imager

We will use FTK Imager to capture the memory along with the pagefile.sys.

FTK® Imager is a tool for imaging and data preview. FTK Imager creates exact copies (forensic images) of computer data without making changes to the original evidence. You can download FTK Imager from here.

Click on Capture Memory to create a memory dump.


The next step is to browse to a destination path of your choice, select the option “Include pagefile” and click on Capture Memory.

The memory capture process begins once you click on Capture Memory.

After the process completes, the memory dump and the page file will be saved in the destination folder selected earlier.

Analyzing using Belkasoft Evidence Centre

Now, to analyze the captured file, we will be using Belkasoft Evidence Centre to examine pagefile.sys. Belkasoft Evidence Centre is an all-in-one forensic tool for acquiring, analyzing and carving digital evidence. You can download the free trial of the tool from here.

First of all, let’s create a new case. Fill in the case information, select the root folder and, if you want, add a case description as well. Click on Create and Open to proceed with the analysis.

To analyze the captured memory (pagefile), select the option RAM Image and add the pagefile.sys you captured earlier with FTK Imager as the evidence source.

Choose the data types you would like to search for. The tool supports a whole lot of data types. Click Finish afterward.

Here is the dashboard for the case after completion of the above steps. It shows the information carved from the pagefile, properly segregated. A total of 1097 files have been carved, including URLs, pictures, and other artifacts.

The Case Explorer tab, right next to the Dashboard tab, allows expanding and viewing each profile column. Data has been carved from browsers, pictures, system files, and other files as well.

Let’s expand and analyze the Browsers profile. It has carved the Chrome history, which consists of URLs; let’s check the Chrome (carved) section for more details. It consists of the URLs of the sites visited, one of which is highlighted in the following screenshot.

Another entry in the Browsers profile is Opera. Analyzing the Opera (carved) profile similarly shows details about the URLs visited.

The data carved from the pagefile also includes some images. These images can come from the sites I have visited, as well as thumbnails.

A great feature of Belkasoft Evidence Center is that it allows you to simply right-click on a picture and analyze it for various aspects, such as skin detection, detection of pornographic content, text detection, and face detection. All these aspects are useful during live analysis.

Some system files are also carved from the captured virtual memory, showing the NetBIOS name, file path, and size.

The Timeline tab shows an overall view of the carved data for easy analysis, along with the time and URL of each search site visited.

A Search Results tab is also there in the tool, which shows predefined search results. The following screenshot shows the search engine results along with the link and profile name.
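An added example, not part of the original article and not Belkasoft's own carving: a stdlib-only Python scanner that recovers URLs from a pagefile.sys-style blob. It searches for both ASCII and UTF-16LE strings (most Windows text is UTF-16LE, so an ASCII-only strings pass misses much of it) and reads the file in overlapping chunks so a multi-gigabyte pagefile never has to fit in memory. The sample bytes are constructed; the chunk sizes in the usage call are deliberately tiny to exercise the boundary handling.

```python
import io
import re

URL_CHARS = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"
ASCII_URL = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
# Windows keeps much of its text as UTF-16LE, so every ASCII character is followed by a NUL.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+")

def carve_urls(blob):
    """Return (offset, encoding, url) for every ASCII or UTF-16LE URL in a byte string."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_URL.finditer(blob)]
    hits += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in UTF16_URL.finditer(blob)]
    return sorted(hits)

def carve_stream(fp, chunk_size=64 << 20, overlap=4096):
    """Carve a file too large to load at once, keeping 'overlap' bytes between chunks.

    A URL that straddles a chunk boundary is seen truncated in one chunk and whole in the
    next; both land on the same absolute offset, so the later (complete) match wins.
    The overlap must be longer than the longest string you expect to recover.
    """
    results, consumed, carry = {}, 0, b""
    while True:
        data = fp.read(chunk_size)
        if not data:
            break
        buf = carry + data
        buf_start = consumed - len(carry)  # absolute offset of buf[0]
        for off, enc, url in carve_urls(buf):
            results[buf_start + off] = (enc, url)
        consumed += len(data)
        carry = buf[-overlap:]
    return [(off, enc, url) for off, (enc, url) in sorted(results.items())]

def carve_bytes_chunked(blob, chunk_size, overlap):
    """Convenience wrapper: run the chunked carver over an in-memory blob."""
    return carve_stream(io.BytesIO(blob), chunk_size, overlap)

# Constructed stand-in for a pagefile.sys: binary noise, one ASCII URL, one UTF-16LE URL.
SAMPLE_PAGEFILE = (b"\x00" * 40 + b"MZ\x90\x00\x03\x00"
                   + b"https://example.com/search?q=evidence" + b"\x00" * 30
                   + "http://intranet.local/login".encode("utf-16-le") + b"\x00\x00" + b"\xff" * 20)

if __name__ == "__main__":
    for off, enc, url in carve_bytes_chunked(SAMPLE_PAGEFILE, chunk_size=64, overlap=64):
        print(f"0x{off:08x} {enc:8s} {url}")
```

With `overlap=16` the same input returns the first URL cut off at the chunk boundary, which is why the overlap must exceed the longest string you expect; on a real pagefile use `carve_stream(open(path, "rb"))` with the defaults.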

Similarly, you can perform a forensic investigation of the hibernation file. Export hiberfil.sys (which stores the contents of memory while the Windows system is in hibernation), located at C:\hiberfil.sys, using FTK Imager, and analyze it with Belkasoft Evidence Centre.

The analysis of virtual memory files serves a great purpose in web browser forensics.

Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her here.