Threat Hunting – A Proactive Method to Identify Hidden Threats

According to ISO 27005, a threat is a potential cause of an incident that may result in harm to systems and the organization. Software attacks, theft of intellectual property, identity theft, sabotage and information extortion are examples of information security threats. As a result, many organizations have adopted an active threat hunting practice to defend themselves against unknown threats on their networks.

Table of Contents

What is Threat Hunting?

Why is threat hunting important?

Who is a threat hunter?

What Are the IOCs?

Threat Hunting Plan

  • Design Your Network for Hunting
  • Get your Team Ready
  • Know your Enterprise
  • Collect Hunt Data
  • Know Your Adversary TTP
  • Threat Intelligence Feeds
  • Create a Hypothesis
  • Hunt Cycle
  • Measuring Success
  • Resources

What is threat hunting?

Threat hunting is a proactive approach that security professionals use with the aid of threat intelligence. It consists of iteratively searching through networks to detect indicators of compromise (IoCs) and threats such as Advanced Persistent Threats (APTs) that bypass the existing security controls.

Analysts monitor, detect and remove active adversaries from a network. They do this as early as possible in order to minimize damage and to reduce the time needed to confirm a suspected threat.

Researchers use threat hunting tools and techniques to monitor and detect hidden activity. One example is a threat hunting framework implemented in an N-SOC (next-generation SOC) as part of a next-generation SIEM.

The SANS Institute authors expand on the cyber threat hunting process, calling it an active defense strategy consisting of:

Intelligence: The process of collecting data, turning the data into usable information, analyzing the potentially competing sources of that information to produce a tactical defense strategy.

Offense: The countermeasures organizations may take to defend against cyberattacks, in particular Advanced Persistent Threats (APT).

Why is threat hunting important?

The main purpose of threat hunting is to reduce the time needed to find signs of threats that have already breached the IT infrastructure. Since zero-day exploits and Advanced Persistent Threats (APTs) continue to challenge security staff, researchers are adopting threat analysis tools and approaches to discover threats more efficiently. Discovering these traces as early as possible reduces the enterprise's exposure to breaches.

Other benefits of threat hunting include:

  • Identification of gaps in the visibility needed to detect and respond to a specific attacker TTP.
  • Identification of gaps in detection.
  • Development of new monitoring use cases and detection analytics.
  • Exposure of new threats and TTPs that feed back into the threat intelligence process.
  • Recommendations for new preventive measures.

Who is a threat hunter?

A threat hunter is a security professional who is skilled at recognizing, isolating and defusing APTs using manual or AI-based techniques, since such threats are not detected by ordinary network monitoring tools. A hunter may look for insider threats or outside intruders, uncovering risks posed by malicious actors, whether employees or outsiders such as criminal organizations.

Threat hunting is mainly associated with the NSOC, the Next-Generation Security Operations Center. The threat hunter reports hidden threats to the threat hunting team manager, who reports to the Chief Information Security Officer (CISO); findings are also reported to the SOC manager for integration with the Security Operations Center (SOC).

What Are the IOCs?

Threat intelligence feeds can aid in this phase by identifying the common indicators of compromise (IOCs) tied to specific vulnerabilities and suggesting the measures needed to prevent a threat or breach.

Some of the most common indicators of compromise include:

  • Network indicators, such as the IP addresses, URLs and domain names to which a compromised organizational host establishes connections with the attacker.
  • Email indicators, such as the sender addresses, subjects, links and attachments of a phishing campaign that relies on an unwitting user clicking a link or attachment so that a malicious instruction is executed.
  • Host indicators, such as the registry keys, filenames, file hashes and DLLs left behind by an intrusion that has already been identified as malicious.
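As an added illustration (not part of the original article), the following Python script matches a small IOC feed of the three kinds just listed, network, email-style host names and file hashes, against constructed proxy log lines and a constructed file-hash inventory. All feed values, the log format, the log lines, the hash and the function names are invented for the example.

```python
"""Match a small indicator-of-compromise (IOC) feed against sample logs.

Added example, not part of the original article. All values are constructed:
the feed uses the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 and
reserved example domains, the hash is a made-up hex string, and the log lines
are invented. Function names are my own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed IOC feed: network indicators (IP, domain) and a host indicator (hash).
IOC_FEED = {
    "ip": {"203.0.113.5", "203.0.113.77"},
    "domain": {"bad.example", "c2.example.net"},
    "sha256": {"0123456789abcdef" * 4},   # placeholder digest, not a real sample
}


@dataclass(frozen=True)
class Hit:
    source: str      # which data source produced the hit
    ioc_type: str    # "ip", "domain" or "sha256"
    indicator: str   # the feed value that matched
    evidence: str    # the raw record that matched, for the analyst


# Constructed proxy log format: "<ts> <src> -> <dst> GET <url>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"GET https?://(?P<host>[^/\s:]+)"
)


def domain_matches(host: str, feed: Set[str]) -> Optional[str]:
    """Return the feed domain that `host` equals or is a subdomain of.

    Matching is case-insensitive and a trailing dot is ignored, so
    "WWW.bad.example." still matches the indicator "bad.example".
    """
    host = host.lower().rstrip(".")
    for dom in feed:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_proxy_log(lines: Iterable[str], feed=IOC_FEED) -> List[Hit]:
    """Check each proxy line's destination IP and requested host against the feed."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # unparseable line: skip, do not silently treat it as clean
        if m["dst"] in feed["ip"]:
            hits.append(Hit("proxy", "ip", m["dst"], line))
        dom = domain_matches(m["host"], feed["domain"])
        if dom is not None:
            hits.append(Hit("proxy", "domain", dom, line))
    return hits


def match_file_inventory(records: Iterable[Tuple[str, str]], feed=IOC_FEED) -> List[Hit]:
    """records are (path, sha256) pairs; digests are normalised to lower case."""
    hits = []
    for path, digest in records:
        digest = digest.strip().lower()
        if digest in feed["sha256"]:
            hits.append(Hit("files", "sha256", digest, path))
    return hits


# Constructed sample data.
SAMPLE_PROXY = [
    "2024-01-10T10:00:01Z 10.0.0.15 -> 198.51.100.9 GET http://intranet.example/index.html",
    "2024-01-10T10:00:07Z 10.0.0.15 -> 203.0.113.5 GET http://203.0.113.5/update.bin",
    "2024-01-10T10:01:12Z 10.0.0.22 -> 198.51.100.40 GET https://WWW.bad.example/a",
    "this line is corrupt and must not crash the matcher",
]
SAMPLE_FILES = [
    (r"C:\Users\alice\Downloads\setup.exe", "0123456789ABCDEF" * 4),  # matches, upper case
    (r"C:\Windows\System32\notepad.exe", "ffff" * 16),                # no match
]


def run_hunt() -> List[Hit]:
    """Run both matchers over the sample data and return all hits."""
    return match_proxy_log(SAMPLE_PROXY) + match_file_inventory(SAMPLE_FILES)


if __name__ == "__main__":
    for h in run_hunt():
        print(f"[{h.source}] {h.ioc_type}={h.indicator}: {h.evidence}")
```

The subdomain rule and the case normalisation matter in practice: a feed entry of `bad.example` should also catch `cdn.bad.example`, and hashes arrive in whatever case the source tool wrote them.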

Threat Hunting Plan

The cyber threat hunting team should be able to answer these questions before planning the operation.

  1. What are you hunting? Decide exactly which adversary activity you are chasing:
    • Exploitation?
    • Lateral movement?
    • Exfiltration?
  2. Where are you going to find the adversary or IOC?
  3. How will you recognize the adversary or IOC?
  4. When will you find it?

The Chief Information Security Officer (CISO) should prepare a complete checklist of what is required for effective threat hunting before the operation begins within the company. This helps the team define the resources and tools used in the project and create a parallel strategy as a backup plan in case the primary process fails.

1. Design Your Network for Hunting

It is important to consider that proactive threat hunting should be conducted in a well-secured environment where the Chief Information Security Officer arranges all the network equipment required for the activity, such as:

  • Segmentation: security zones
  • NTP: Network Time Protocol
  • Protection/Detection: FW/IDS/IPS/DLP/Proxy
  • Tapping: dump PCAP data
  • Visibility: enable logging as required

2. Get your Team Ready

The officer should build a team of professionals who act quickly as a situation requires and maintain situational awareness.

The skills of a threat hunter:

Proactively hunts for known adversaries: the hunter can identify the patterns of malicious code used by well-known attackers that match threat intel feeds or blacklists of known programs.

Prevents attacks by identifying unknown threats: threat hunters evaluate the computer systems through constant surveillance, using behavioural analysis to identify abnormalities that indicate a threat.

Implements the incident response plan: when hunters identify a threat, they collect as much information as possible before executing an incident response strategy to nullify it. This information can be used to refine the response plan and prevent future attacks.

3. Know your Enterprise

Team members should know the organization's crown jewels: the valuable assets and the threat vectors that might affect the company. They should be able to estimate the impact of risks by prioritizing the unknown threats within the network.

Hence, they should work through the following checklist for their organization:

  • Identify assets
  • Know the threats to your assets
  • Prioritize (high-value / critical assets first)
  • Baselining: know what is normal

4. Know Your Adversary TTP

The threat hunting team aims to evaluate the Tactics, Techniques, and Procedures (TTPs) learned from the indicators with the help of a process known as "Attack Tree Analysis", which involves defining the steps an attacker could take to break into an organization's networks (Schneier, 1999). The Lockheed Martin Cyber Kill Chain describes one way of determining where in the attack chain an adversary's actions occurred. Intruders follow these steps of the Cyber Kill Chain while trying to get into a network or web server.

The Cyber Kill Chain is a Lockheed Martin model that lays out the phases of a cyber-attack, from early reconnaissance to the objective of data exfiltration. Data sources that support this analysis include:

  • Flow data / NetFlow
  • PCAP
  • DNS
  • Proxy logs
  • FW/SW/Routers

5. Collect Hunt Data

When conducting the threat hunting task, collecting hunt data is a very valuable phase: one must collect the relevant data from the logs created by the security equipment installed in the network, which monitors and filters packets. Indeed, this phase is the major contribution to the threat intel feeds.

By analyzing logs at each level, the specialist may recognize unknown threat actors that have been active in the network over a long period and may represent a zero-day threat.

6. Threat Intelligence Feeds

Cyber threat intelligence (CTI) is focused on collecting and analyzing data to identify potential or current threats to an IT infrastructure. It helps organizations proactively defend critical infrastructure or intellectual property from cyber-attacks using open-source intelligence (OSINT), social media intelligence (SOCMINT), human intelligence (HUMINT), and technical intelligence from the deep and dark web. Security teams look for Indicators of Compromise (IoCs) of persistent threats and zero-day (recently discovered) exploits.

The cyber threat intel feeds fall into two broad categories:

Freely available: open source, OSINT, social listening

Paid: private, government, commercial vendors

Intelligence feeds are continual streams of credible information about existing or potential threats and bad actors. Researchers collect security data on IoCs such as abnormal behaviour and suspicious domains and IP addresses from several sources. They can then correlate and process the information to generate threat intelligence reports for management.

7. Create a Hypothesis

8. Hunting cycle

At the time of threat hunting, the team should follow a common framework that defines the threat hunting cycle. It is a closed loop that forms a model process for effective hunting and defines four vital stages.

Hypothesis: cyber threat hunting starts by forming informed assumptions about the different types of adversarial effects or behaviours that may exist in your business network.

Investigate via tools and techniques: hypotheses are examined via multiple tools and techniques to identify relationships between different data sets. An analyst can use these to discover new malicious patterns in the data and reconstruct complex attack paths to reveal an attacker's Tactics, Techniques, and Procedures (TTPs).

Uncover new patterns and TTPs: a hunter often uses manual methods, tool-based workflows or analytics to discover the specific patterns or anomalies that an investigation may detect. What you find in this phase is a critical part of a hunt's success criteria. Even if no anomaly or intruder is detected, you want to be able to rule out the existence of a particular strategy or compromise. Essentially, this step is where the hypothesis is proved or disproved.

Inform and enrich analytics: lastly, effective hunts form the basis for guiding and empowering predictive analytics. Do not waste time doing the same hunts over and over with your squad. If you discover an indicator or pattern that may recur in your system, automate its monitoring to keep your team focused on the next new hunt. Hunting information can be used to upgrade existing monitoring systems, which could include modifying SIEM rules or signatures.
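The four stages above, as an added Python example that is not from the original article: it tests one hypothesis (a host beaconing to a fixed destination at a regular interval) over constructed flow records, ranks what it uncovers, and turns a confirmed finding into a monitoring rule so the hunt does not have to be repeated by hand. The flow records, the thresholds and the function names are my own assumptions.

```python
"""One turn of the hunting cycle as code: hypothesis -> investigate -> uncover -> inform.

Added example, not from the original article. The flow records are constructed
(documentation address ranges) and the thresholds are my own assumptions.

Hypothesis: a compromised host beacons to an external address at a fixed
interval, so its connection inter-arrival times show very little jitter.
"""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed flow records: (epoch seconds, source IP, destination IP).
SAMPLE_FLOWS: List[Tuple[float, str, str]] = (
    # beacon-like: one connection roughly every 60 s
    [(t, "10.0.0.15", "203.0.113.5") for t in (0, 60, 121, 180, 241, 300, 361, 420)]
    # ordinary browsing: bursty, irregular
    + [(t, "10.0.0.22", "198.51.100.9") for t in (0, 5, 200, 210, 900, 905, 1500)]
    # too few connections to judge
    + [(t, "10.0.0.30", "198.51.100.40") for t in (10, 70)]
)


def interval_stats(timestamps: List[float]) -> Tuple[float, float]:
    """Return (mean, coefficient of variation) of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(flows: Iterable[Tuple[float, str, str]],
                 min_count: int = 6, max_cv: float = 0.1) -> List[Dict]:
    """Investigate: group flows per (src, dst) pair and test the hypothesis.

    A pair is reported when it has at least `min_count` connections and the
    gaps between them vary by less than `max_cv` (relative standard deviation).
    Pairs with too few connections are skipped rather than guessed at.
    """
    per_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, src, dst in flows:
        per_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in per_pair.items():
        if len(times) < min_count:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(times),
                "mean_interval_s": round(mean, 1), "jitter_cv": round(cv, 3),
            })
    # Uncover: rank the most regular pairs first.
    return sorted(findings, key=lambda f: f["jitter_cv"])


def to_monitoring_rule(finding: Dict) -> Dict:
    """Inform: turn a confirmed finding into a reusable monitoring rule.

    This is the 'automate its monitoring' step: the hunt ran once by hand, the
    rule keeps watching for the same pattern so the team can move on.
    """
    return {
        "name": f"periodic-connections-{finding['src']}-{finding['dst']}",
        "condition": {"src": finding["src"], "dst": finding["dst"]},
        "min_connections": finding["connections"],
        "max_jitter_cv": 0.1,
    }


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f)
        print(to_monitoring_rule(f))
```

Note that the pair with only two connections is deliberately not judged: ruling a hypothesis in or out needs enough observations, and a hunt that reports on thin data produces false positives that erode trust in the later automated rule.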

9. Measuring Success

Once the hunting cycle has been completed, it is important to evaluate the findings and assign key result areas (KRAs) against which success is measured, for example:

  • Number of incidents by severity
  • Number of compromised hosts
  • Dwell time of incidents discovered
  • Logging gaps identified and corrected
  • Vulnerabilities identified
  • Insecure practices identified and corrected
  • Hunts transitioned to analytics
  • New visibility gained

Resources:

TaHiTI-Threat-Hunting-Methodology-whitepaper.pdf

D2 BSIDES – Hunting Threats in Your Enterprise

Sqrrl: A Framework for Cyber Threat Hunting

Author: Nisha Sharma is trained in Certified Ethical Hacking and is a Bug Bounty Hunter.

Beginners Guide to TShark (Part 2)

In the previous article, we learned about the basic functionalities of this wonderful tool called TShark. If you haven't read it yet, start there.

TL;DR

In this part, we will cover the statistical functionalities of TShark. We will look at the different ways in which we can sort and summarize our traffic capture so that we can analyse it faster and more effectively.

Table of Contents

  • Statistical Options
  • Protocol Hierarchy Statistics
  • Read Filter Analysis
  • Endpoints Analysis
  • Conversation Analysis
  • Expert Mode Analysis
  • Packet Distribution Tree
  • Packet Length Tree
  • Color Based Output Analysis
  • Ring Buffer Analysis
  • Auto-Stop
    • Duration
    • File Size
  • Data-Link Types

Statistical Options

TShark collects different types of statistics and displays the results after it finishes reading the capture file. To accomplish this, we use the "-z" parameter. To learn about all the options available with "-z", run TShark with "-z" followed by the help keyword. This gives an exhaustive list of the supported formats, as shown in the image below.

Protocol Hierarchy Statistics

Using TShark we can create protocol-hierarchy statistics listing the number of packets and bytes with the "io,phs" option of the "-z" parameter. If no filter is given after "io,phs", the statistics are calculated for all packets in scope; if a filter is provided, TShark calculates statistics only for the packets matching it. For our demonstration, we first captured some traffic and wrote it to a pcap file using the techniques from part 1 of this series. We then read the traffic back from the file and sorted it into a protocol hierarchy. Here we can observe the frame count, the size of the packets in bytes and the protocol used for the transmission.

Read Filter Analysis

During the first-pass analysis of the packets, the specified filter (which uses the syntax of read/display filters rather than that of capture filters) is applied. Packets that do not match the filter are not considered for later passes. This parameter makes sense with multiple passes. Note that forward-looking fields such as 'response in frame #' cannot be used with this filter, since they will not have been calculated when the filter is applied. The "-2" parameter performs a two-pass analysis. This causes TShark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge; it also permits reassembly frame dependencies to be calculated correctly. Here we can see two different analyses: the first is a single-pass analysis and the second is a two-pass analysis.

Endpoints Analysis

The next option that helps us with statistics is "endpoints". It creates a table listing all the endpoints seen in the capture. The type given with the endpoints option specifies the endpoint type for which we want to generate the statistics.

The list of endpoint types supported by TShark is:

Sno.  Filter     Description
1     bluetooth  Bluetooth addresses
2     eth        Ethernet addresses
3     fc         Fibre Channel addresses
4     fddi       FDDI addresses
5     ip         IPv4 addresses
6     ipv6       IPv6 addresses
7     ipx        IPX addresses
8     jxta       JXTA addresses
9     ncp        NCP addresses
10    rsvp       RSVP addresses
11    sctp       SCTP addresses
12    tcp        TCP/IP socket pairs (both IPv4 and IPv6 supported)
13    tr         Token Ring addresses
14    usb        USB addresses
15    udp        UDP/IP socket pairs (both IPv4 and IPv6 supported)
16    wlan       IEEE 802.11 addresses

If we specify a filter, the statistics are calculated only for the packets matching it. The table, like the one in the image below, has one line per endpoint and shows the number of packets and bytes in each direction as well as the total number of packets and bytes. By default the table is sorted by the total number of frames.

Conversation Analysis

Let's move on to the next option, "conversation", which is quite similar to the previous one. It creates a table listing all the conversations seen in the capture. The type given with the conversation option specifies the conversation type for which we want to generate the statistics.

If we specify a filter, the statistics are calculated only for the packets matching it. The table has one line per conversation and shows the number of packets and bytes in each direction, the total number of packets and bytes, and the direction of the conversation. By default the table is sorted by the total number of frames.
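An added Python example (not part of the article, nor Wireshark code) that builds the tshark command line for the conversation table and parses the table into records sorted by total frames, as the text describes. The sample output is constructed to mimic the `tshark -q -z conv,tcp` layout with documentation-range addresses; the argv builder uses only the real -r, -q, -z, -2 and -R flags, and the function names are my own.

```python
"""Build a `tshark -z conv,<type>` invocation and parse its table.

Added example, not part of the original article or of Wireshark. The sample
output below is constructed to mimic the layout of `tshark -q -z conv,tcp`,
with documentation-range addresses; column order is the one the article
describes (frames/bytes in each direction, then totals, then relative start
and duration).
"""
import shlex
from typing import Dict, List, Optional

# A constructed TCP conversation table in the shape tshark prints.
SAMPLE_CONV_OUTPUT = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.15:49213        <-> 198.51.100.9:80           12      8123       10       1204       22      9327     0.000000000         1.2345
10.0.0.15:49214        <-> 203.0.113.5:443          140    120344      130      10456      270    130800     0.512000000        58.9010
10.0.0.22:51000        <-> 198.51.100.40:443          4       612        5        701        9      1313     3.100000000         0.4411
================================================================================
"""


def tshark_conv_argv(pcap: str, conv_type: str = "tcp",
                     read_filter: Optional[str] = None) -> List[str]:
    """Argument list for reading `pcap` and printing only the conversation table.

    -q suppresses per-packet output; -2 -R applies a read filter over two passes
    (the flags the article introduces under 'Read Filter Analysis').
    """
    argv = ["tshark", "-r", pcap, "-q", "-z", f"conv,{conv_type}"]
    if read_filter:
        argv += ["-2", "-R", read_filter]
    return argv


def _split_endpoint(token: str):
    """'10.0.0.15:49213' -> ('10.0.0.15', 49213); address-only types keep port None."""
    if ":" in token and not token.startswith("["):
        host, port = token.rsplit(":", 1)
        if port.isdigit():
            return host, int(port)
    return token, None


def parse_conversations(text: str) -> List[Dict]:
    """Parse conversation rows and return them sorted by total frames, descending.

    Only lines containing '<->' are rows; header, filter and '=' rule lines are
    skipped, so a table with zero conversations simply yields an empty list.
    """
    rows = []
    for line in text.splitlines():
        if "<->" not in line:
            continue
        parts = line.split()
        if len(parts) != 11:
            raise ValueError(f"unexpected column count in row: {line!r}")
        a, _, b, fa, ba, fb, bb, ft, bt, start, dur = parts
        src, sport = _split_endpoint(a)
        dst, dport = _split_endpoint(b)
        rows.append({
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "frames_in": int(fa), "bytes_in": int(ba),
            "frames_out": int(fb), "bytes_out": int(bb),
            "frames_total": int(ft), "bytes_total": int(bt),
            "rel_start": float(start), "duration": float(dur),
        })
    return sorted(rows, key=lambda r: r["frames_total"], reverse=True)


def top_talkers(text: str, n: int = 1) -> List[str]:
    """Destination addresses of the n busiest conversations, a common hunt pivot."""
    return [r["dst"] for r in parse_conversations(text)[:n]]


if __name__ == "__main__":
    print(shlex.join(tshark_conv_argv("capture.pcap", "tcp", "ip.addr == 10.0.0.15")))
    for row in parse_conversations(SAMPLE_CONV_OUTPUT):
        print(row)
```

Parsing the table into records is what makes the statistics reusable: the same rows can be joined against an IOC list or a baseline of expected destinations instead of being read by eye.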

Expert Mode Analysis

The TShark statistics module has an expert mode. It collects a large amount of data based on expert info and prints it in a specific order, grouped by severity (errors, warnings, and so on). We can use the expert mode with a particular protocol as well; in that case it displays all the expert items for that protocol.

Packet Distribution Tree

In this option, we take the traffic from a capture and drive it through the "http,tree" option of the "-z" parameter to count the number of HTTP requests, their methods and the status codes. This is a rather modular approach that is very easy to understand and analyse. In our case, we took the capture from earlier and ran it through the tree option, which told us that a total of 126 requests were generated, of which 14 returned "200 OK". This means that the rest either returned an error or were redirected to another server with a 3XX status code.

Packet Length Tree

While we are talking about the tree option, let's explore it a bit. There are many ways to combine the tree option with other options. To demonstrate, we used the packet length option with the tree option. This sorts the data by packet size and generates a table from it. The table contains not only the packet length ranges but also the count of packets in each range, the minimum length within the range, and the size and percentage of the packets that fall inside each length range.
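To make the packet-length tree concrete, here is an added Python example (my own code, not Wireshark's) that recomputes the same kind of table from a list of frame lengths, using the bin edges tshark prints for this statistic (0-19 up to 5120 and greater). The frame lengths are constructed.

```python
"""Recompute TShark's 'Packet Lengths' tree (`-z plen,tree`) from raw lengths.

Added example, not Wireshark code. The bin edges are the ones tshark prints
(0-19 ... 2560-5119, 5120 and greater); the packet lengths are constructed.
"""
from typing import Dict, List, Optional, Tuple

# (low, high) inclusive; None means open-ended.
PLEN_BINS: List[Tuple[int, Optional[int]]] = [
    (0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
    (640, 1279), (1280, 2559), (2560, 5119), (5120, None),
]


def bin_label(low: int, high: Optional[int]) -> str:
    return f"{low}-{high}" if high is not None else f"{low} and greater"


def packet_length_tree(lengths: List[int]) -> List[Dict]:
    """Return one row per bin: label, count, min, max, average and percent of all packets.

    Empty bins are kept (count 0, no min/max) so the table always has the same
    shape, as tshark's does; the percent column is relative to the total count.
    """
    total = len(lengths)
    rows = []
    for low, high in PLEN_BINS:
        members = [n for n in lengths if n >= low and (high is None or n <= high)]
        count = len(members)
        rows.append({
            "range": bin_label(low, high),
            "count": count,
            "min": min(members) if members else None,
            "max": max(members) if members else None,
            "average": round(sum(members) / count, 2) if members else 0.0,
            "percent": round(100.0 * count / total, 2) if total else 0.0,
        })
    return rows


def print_tree(rows: List[Dict]) -> None:
    print(f"{'Range':<18}{'Count':>6}{'Min':>8}{'Max':>8}{'Average':>10}{'Percent':>9}")
    for r in rows:
        print(f"{r['range']:<18}{r['count']:>6}{str(r['min']):>8}{str(r['max']):>8}"
              f"{r['average']:>10}{r['percent']:>9}")


# Constructed frame lengths: three small ACK-sized frames, a few mid-sized
# requests, two full-size Ethernet frames and two jumbo/reassembled ones.
SAMPLE_LENGTHS = [54, 60, 66, 100, 200, 400, 800, 1514, 1514, 3000, 6000]

if __name__ == "__main__":
    print_tree(packet_length_tree(SAMPLE_LENGTHS))
```

A length distribution is a quick baseline check: a capture from a host that normally shows mostly full-size frames and ACK-sized frames, and suddenly shows a large share in one odd bin, is worth a closer look.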

Color Based Output Analysis

Note: Your terminal must support color output in order for this option to work correctly.

We can enable coloring of packets according to the standard Wireshark color filters. On Windows, colors are limited to the standard console character attribute colors. With this option we can set colors according to the display filter, which helps in quickly locating a specific packet among many similar ones and in spotting handshakes in the traffic. This can be enabled using the following command.

Ring Buffer Analysis

By default, TShark runs in "multiple files" mode. In this mode, TShark writes into several capture files: when the first capture file fills up to a certain capacity, TShark switches to the next file, and so on. The base of the file names is given with the -w parameter; the file number, creation date and creation time are appended to the name provided with -w to form the complete file name.

With the files option, new files are filled until the specified number of files is reached; at that point TShark discards the data in the first file and starts writing to it again, and so on. If the files option is not set, new files are filled until one of the capture stop conditions matches or until the disk is full.

The ring buffer works on a number of criteria, but in our demonstration we used two of them: files and filesize.

files:value begins again with the first file after value files have been written (forming a ring buffer). This value must be less than 100000.

filesize:value switches to the next file after it reaches a size of value kB. Note that the file size is limited to a maximum of 2 GiB.

Auto-Stop

Among the huge array of options we have one called auto-stop. As the name suggests, it stops the capture after the given criterion is met.

Duration

There are a couple of criteria; in our demonstration we used duration. We set the duration to 10, a value in seconds. The capture shows that in 10 seconds we captured 9 packets.

File Size

Another criterion for auto-stop is the file size. TShark stops writing to the specified capture file after it reaches the size given by the user. In our demonstration, we set filesize to 1, a value in kB. We used a directory listing to show that the capture was terminated as soon as the file reached 1 kB.

Data-Link Types

Finally, we can also list the data-link types available for the captured traffic. For that we use a separate parameter, "-L". In our demonstration, the "-L" parameter showed data-link types such as EN10MB for Ethernet traffic, among others.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast.

Hack the Box: Networked Walkthrough

Today, we're sharing another Hack The Box challenge walkthrough: Networked, designed by Guly. The machine is part of the retired lab, so you can connect to it using your HTB VPN and start solving the CTF.

Level: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

Network Scanning

  • Nmap

Enumeration

  • Dirbuster

Exploiting

  • Malicious file upload

Privilege Escalation

  • Abusing Exec function via nohup
  • Abusing Sudo Right

Network Scanning

Since we know the victim machine's IP, we can start with an Nmap scan to identify the open ports and the services running on it.

From the scan result, we found that port 80 is open for HTTP; besides that, port 22 is also open for SSH.

Enumeration

So we opened the victim IP in the web browser, and the welcome page is shown in the image below.

I read the text on the web page, but I didn't find enough in the message to guess the next clue, so I decided to list the web directories.

Thus, I chose dirbuster for the directory brute-force attack and entered the target URL.

As a result, I found some PHP files and directories like /uploads and /backup, as shown in the image.

So, first I explored the /backup directory and found a backup.tar file on the website.

Without wasting time, we downloaded backup.tar to our local machine and extracted it to analyze its contents.

Basically, it holds some PHP files: index.php, lib.php, photos.php and upload.php. Then we explored the upload.php file, which is linked to the uploads directory and validates uploaded photos by extension (jpg, png, gif and jpeg).

Then I opened photos.php in the web browser and noted that it was the photo gallery where the uploaded photos are displayed.

And when I opened /upload.php in the web browser, I found an upload form that allows any image file to be uploaded.

It could be exploited by uploading a backdoor: injecting a malicious payload into an image. So, we took an image named "1.png" and injected a malicious payload into it.

After injecting the payload with the help of exiftool, I saved the image as shell.php.png.

When everything was set, I uploaded the file "shell.php.png"; as a result, the uploaded file appeared after refreshing the gallery.

So, again we browsed http://10.10.10.photos.php and found the link to the malicious file we had uploaded.

Now it was time to execute the backdoor, but before that we needed to start a netcat listener in the background.

Then finally, we obtained a reverse connection from the victim's machine in the netcat session and a bash shell. I found three files inside the /guly folder: "check attack.php", "user.txt" and "crontab.guly". I tried to read user.txt but couldn't, due to insufficient permissions. 😓

Privilege Escalation

Then I explored crontab.guly, where I found a cron job running in the background that runs the attack PHP file every three minutes; the attack.php file checks for malicious content inside /var/www/html/uploads and reports it by mail to guly. In addition, the "exec" function here is used with "nohup", which stands for "no hangup".

The nohup command runs the program given as its argument and ignores the SIGHUP (hangup) signal. The exec function, together with nohup, deletes files from the get namechecks function under $path = /var/www/html/uploads/ and $value.

Therefore, I decided to abuse the exec function by passing two arguments separated by a semicolon (;) under /var/www/html/uploads: I used the touch command to create a file whose name forms the first argument, followed by the second argument, separated by ";", for a netcat reverse connection, and waited three minutes to get the reverse connection in a new netcat session. 😇
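Seen from the defender's side, the two weaknesses used in this walkthrough are an extension check that trusts the last suffix and a cron job that builds a shell command from upload filenames. The added Python example below (my own code, not the lab's PHP) shows the weak check beside a hardened upload validator and a shell-free cleanup routine; the magic-byte table, the names and the constructed inputs are assumptions for the example.

```python
"""Two weak points the walkthrough exploits, beside hardened versions.

Added example, not the lab's PHP code: the checks and names here are my own.
(1) The gallery trusted the final file extension, so 'shell.php.png' passed.
(2) A cron job later built a shell command from upload names, so a name
    containing ';' could smuggle in a second command.
"""
import hashlib
import re
from pathlib import Path
from typing import Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the three image formats the allowlist accepts.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")          # no '.', ';', '/', spaces...
STORED_NAME = re.compile(r"^[0-9a-f]{16}\.(jpg|jpeg|png|gif)$")


def naive_extension_check(filename: str) -> bool:
    """The weak check: trust whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Hardened check. Returns (accepted, reason, server-chosen name).

    The client filename is never stored: the file is renamed to a digest plus the
    extension that its *content* proved, so double extensions and shell
    metacharacters never reach the filesystem or a later cron job.
    """
    stem, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXT:
        return False, "extension not allowed", None
    if not SAFE_STEM.match(stem):
        # Rejects 'shell.php' (double extension) and 'a;b' (metacharacters) alike.
        return False, "filename outside the allowed character set", None
    detected = next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)
    declared = "jpg" if ext == "jpeg" else ext
    if detected != declared:
        return False, "content does not match the declared image type", None
    server_name = hashlib.sha256(data).hexdigest()[:16] + "." + ext
    return True, "ok", server_name


def remove_upload(upload_dir: Path, server_name: str) -> bool:
    """Delete a stored upload without a shell.

    Replaces the exec()/nohup pattern: the name must be one we generated, and the
    resolved path must stay inside upload_dir (no traversal, no symlink escape).
    """
    if not STORED_NAME.match(server_name):
        return False
    upload_dir = upload_dir.resolve()
    target = (upload_dir / server_name).resolve()
    if target.parent != upload_dir or not target.is_file():
        return False
    target.unlink()
    return True


# Constructed inputs: a minimal PNG header and a text body pretending to be PNG.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
FAKE_PNG = b"plain text, not an image"

if __name__ == "__main__":
    for name, body in [("photo.png", PNG_BYTES), ("shell.php.png", PNG_BYTES),
                       ("photo.png", FAKE_PNG), ("a;b.png", PNG_BYTES)]:
        print(name, naive_extension_check(name), validate_upload(name, body))
```

The two fixes reinforce each other: because the stored name is generated by the server, the cleanup job has nothing attacker-controlled to interpolate even if someone later reintroduces a shell call.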

After three minutes we got a reverse connection from the host machine in a new terminal where netcat was listening, and captured the first flag by reading user.txt.

Now it's time to get the root flag too, but for that we need root privileges, so we checked the user's sudo permissions.

We found that user guly can run the program changename.sh from /user/local/sbin as root; filling in its input gives a root shell. Just move into the /root directory and capture the root flag.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

Tempus Fugit: 1: Vulnhub Walkthrough

In this article, we are going to crack the Tempus Fugit: 1 Capture the Flag challenge and present a detailed walkthrough. The machine is hosted on Vulnhub, where the lab can be downloaded. Credit for making this machine goes to 4nqr34z and DCAU.

Level: Hard/Insane

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover Scan
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service in Browser
    • User Enumeration using Command Injection
    • Getting netcat session using Command Injection
    • Enumerating Cgroup for Dockers
    • Enumerating FTP service for CMS Credentials
    • Installing Nmap On Target Machine
    • Nmap Scan
  • Exploitation
    • Crafting Payload using MSFvenom
    • Transferring Payload to Target Machine
    • Getting Meterpreter Session
  • Post Exploitation
    • Port Forwarding using portfwd
    • Enumeration of /etc/hosts on Target Machine
    • Installing Bind Tools
    • Enumerating using DiG
    • Adding CMS URL in attacker’s /etc/hosts
    • Accessing the CMS
    • Exploiting CMS using a Theme template
    • Getting Session for www-data
    • Getting Credentials using Responder
    • Enumerating the mails of the user
    • Getting credentials of another user
  • Privilege Escalation
    • Enumerating for Sudoers List
    • Escalating Privilege using nice
  • Reading Root Flag

Walkthrough

Network Scanning

We downloaded and imported the virtual machine (.ova) and ran it on VMware Workstation; the machine is automatically assigned an IP address by the network's DHCP. To begin, we find the IP address of our target machine with the following command, which lists all the IPs on the internal network:

We found the target's IP address, 192.168.43.100. The next step is to scan the target with Nmap to find its open ports and services, which will help us proceed further.

Enumeration

Here, we performed an Aggressive scan to gather maximum information in a single step. The scan revealed that we only have the TCP port 80 opened. It was running the Nginx server which is hosting the HTTP service. As for the lack of better option let’s get on to enumerate the port 80.

We have a very nice site, which looked like it is made of some popular CMS but, all my hard work exploring the webpage didn’t yield any benefit. But we did find this message.

It was in the About section, it tells us the meaning of the word Tempus Fugit which really translates to “Time Flies”. The message also informs that this webpage was designed to upload some scripts onto an internal FTP server. Now all we need to find that upload option. It was on the menu of the webpage. After enumerating for a while, it was clear that this upload option was white-listed. Only .txt and .rtf extensions were allowed. After an exhaustive list of ways to upload any kind of shell but we were unsuccessful. Now it hit us that we could try command injection through this upload option. We tried the very basic injection with “;whoami”. For this we intercepted the request on the “Upload!” and added the injection text in the filename field as shown in the image given below. After this, we forwarded the request to the Target Machine Server.

It’s good news! The injection was successful. We get a reply “root”. Now the next logical step is to enumerate around the application.

For enumeration, we thought that Directory Listing is a good way. So, we replaced “;whoami” injection to “;ls”. After performing the ls command injection, we see that we have all the files in the directory listed. This was a pretty consolidated format. But we clearly saw that there was a file named main.py. This must be important.

We tried to read the main.py file using the cat command. We get an error “Only RTF and TXT files are allowed”. We deduced from this is that the filter is not allowing “.py” in the injection as well. So, to work around this filter, we thought to try the wildcard option (*).

It worked! We were able to read the main.py file. It was the internal FTP server that is working on the backend. On taking a closer look we see that we have a username and a hash which looks like MD5.

Now, we cannot proceed further without a proper shell to work. But as we figured out earlier that the dot (.) is also blacklisted. We went on to the internet to find the representation of IP Address without the dot. We came across Long IP. So, we thought of trying to gain the session using the Long IP format of our attacker IP. The conversion to Long IP was not difficult, there were many converters available online.

Now using the command injection, we found earlier, we entered a netcat invocation shell command. This command invoked a shell on port 6666 on our attacker machine.

We started a Listener before executing the command to invoke a shell. After execution, we get the shell. But to convert the improper shell into TTY shell, we used the python one-liner. Now that we have the TTY shell, we ran the whoami command which told us that we are the root user.

Now we knew that this was not that easy. So, we went straight up to the root directory. Here we see that we have a text file named message.txt. We read the contents of the message.  As expected, it tells us that we are not done yet.

Now we started to enumerate the other directories that are available for us in search of some hint to move forward. We used the ls command in the root directory which revealed a folder named .ncftp. We decided to take a look at it. Inside it, we found some files, in which trace.234 file revealed some information that was worth looking into. We saw that there was an IP Address that didn’t seem to be part of our subnet. There were attempts to connect to that particular IP Address.

At this moment it hit us that, since we are root and multiple IP Addresses are involved, we might be in a Docker environment. To confirm this, we tried to read the proc cgroup file. As expected, we are indeed in a Docker environment. Since we knew netcat runs in this environment, and we had found a new IP Address inside the .ncftp directory, we had a hunch that this IP Address must be running an NcFTP service. To confirm, we ran a port scan using netcat on the IP Address we found, as shown in the image given below.
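The cgroup check above is worth having as a small, reusable parser, for incident responders landing on a box as much as for anyone else: it tells you whether the host you are looking at is really a container and, if so, which one. This is an added example, not code from the post; the two cgroup files below are constructed samples (cgroup v1 layout, a made-up 64-hex container id), and the path markers are my assumptions about what Docker, LXC and Kubernetes write there.

```python
import re

# Constructed sample of /proc/1/cgroup as seen inside a Docker container (cgroup v1).
SAMPLE_CGROUP_DOCKER = """\
12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
11:cpu,cpuacct:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed sample of the same file for PID 1 on an ordinary systemd host.
SAMPLE_CGROUP_HOST = """\
12:pids:/init.scope
1:name=systemd:/init.scope
0::/init.scope
"""

# Assumed path fragments that container runtimes place in the cgroup path.
CONTAINER_MARKERS = ("/docker/", "/lxc/", "/kubepods")
CONTAINER_ID = re.compile(r"([0-9a-f]{64})")


def parse_cgroup(text):
    """Yield (hierarchy_id, controllers, path) for each non-empty line of a
    /proc/<pid>/cgroup file. Lines have the form 'id:controllers:path'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        hid, controllers, path = line.split(":", 2)
        yield hid, controllers, path


def container_evidence(text):
    """Return (is_container, container_id). container_id is the first 64-hex
    id found in any cgroup path, or None if there is none."""
    ids = set()
    hit = False
    for _, _, path in parse_cgroup(text):
        if any(marker in path for marker in CONTAINER_MARKERS):
            hit = True
        match = CONTAINER_ID.search(path)
        if match:
            ids.add(match.group(1))
    return hit, (sorted(ids)[0] if ids else None)


def check_this_host(path="/proc/1/cgroup"):
    """Read the live file. Returns (False, None) where it is unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return container_evidence(fh.read())
    except OSError:
        return False, None


if __name__ == "__main__":
    print(container_evidence(SAMPLE_CGROUP_DOCKER))  # constructed sample
    print(check_this_host())
```

One caveat: on a cgroup v2 host the file inside a container often shows only `0::/`, so a negative result from this check alone is not conclusive; the presence of `/.dockerenv` and the PID 1 process name are the usual corroborating signals.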

Our port scan revealed that the IP Address we found is running an FTP service on port 21. We used the lftp command to log in to the FTP service with the credentials we had found in main.py earlier. We had found a hash in main.py; we decoded it and it came out to be “mofo”. We tried that as the password, but it wasn’t a success. So, we tried the hash itself as the password. That worked and we were inside the FTP server. In the FTP server, we found a cmscreds.txt file containing a set of credentials that would help us log in to a CMS, but the location of the CMS still remained a mystery.

We went back to the root directory where we had found the .ncftp directory. Here we found a file named .python_history. Anything that is hidden and named history is worth looking into. So, we dug in and found a set of credentials. But wait, there is more: an IP Address is mentioned inside the code. It seems to be on a different subnet, but it definitely requires investigation.

Now, although we have the standard netcat method to scan for active ports, we needed something more powerful: Nmap. We checked whether Nmap was installed on this machine, but it wasn’t. Then it hit us that we are root, so if something is not installed, we can install it. We tried apt install nmap, but that gave back an error, so we investigated which flavour of Linux we have here. While reviewing our steps, we saw that the trace.234 file we had read earlier tells us that our target is running Alpine Linux 3.7. That’s quite helpful: it means we have to use the apk add command to get Nmap installed. As we were surrounded by multiple IP Addresses that are only accessible through the target machine, we went on a mission to find all the IP Addresses in question by scanning the whole subnet for live hosts. This gave us a total of 4 IP Addresses.

We decided to start with 172.19.0.1 and saw that it has ports 22, 80 and 8080 open, with some sort of proxy running on the system. Whenever we come across a proxy, we know we have to use port forwarding to get through. There are multiple ways to do this, but we prefer Metasploit. For this, we have to gain a meterpreter session on the system.

Exploitation

To gain meterpreter, we first need to craft a payload. We used msfvenom for this task. As the target machine was running Alpine Linux, we crafted the payload in .elf format. After creating the payload, we used the Python one-liner to host it on port 80 in order to transfer it from our attacker machine to the target machine.

Now, back to the session we have on the target machine. We used wget to download the payload file to the target machine. Next we need to give the payload execute permission so that it can be run.

Post Exploitation

After setting the permissions, we executed the elf file. After execution, we see that we have a meterpreter session on our attacker machine. We then used the portfwd command to forward port 8080 of the internal IP to our attacker machine, i.e., Kali Linux.

We tried to access the CMS but were not successful, which means more enumeration was required. We went back to our shell on the target machine and started to look around. As the CMS was not accessible, we took a look at the etc directory for any host entries. Here we found “sid” mapped to the IP Address of the CMS. We looked inside resolv.conf and found “mofo.pwn” written there.

It was quite possible that this was the host that would lead us to the CMS. To confirm our suspicions, we decided to use the bind tools. As they were not installed, we used the apk add command to install them. After that, we ran the dig command and found the host we were looking for: ourcms.mofo.pwn seems to be the host that would take us to the CMS we need.

Since the original Tempus Fugit webpage was still running on the target IP Address, we needed to kill that process in order to access this CMS. We ran the netstat command and found Nginx running with PID 9, so we killed it.

Now, to access the CMS, we need to add the host we found to our own, i.e. Kali’s, /etc/hosts file.

Now all that is left is to access the CMS from our browser. As we forwarded the port, we access the webpage on port 8080.

Finding the admin login panel was quite easy and, if we remember correctly, we have the credentials for this CMS.

After logging in to the CMS, we went to the Themes section. Themes are mostly written in PHP, which makes them easy to edit to gain a shell. We edited the Innovation theme’s template file.

We replaced the contents of the template.php file with the PHP reverse shell payload and edited the IP Address and the port as shown in the image given below.

Before saving and accessing the template from the URL provided, we ran a netcat listener to receive the session that the reverse shell payload would generate upon execution. The shell popped up. We ran the whoami command and found that we are the www-data user. Now we need to escalate privileges from here.

Here we were stuck for a bit; there was almost no hint available and we were left with enumeration. We contacted the author and got the hint that Wireshark would be helpful. If Wireshark is helpful, there must be some queries on the network. We ran Wireshark and found some DNS queries on the network, but to get credentials we needed the Responder tool. We ran Responder and let it work for a while on the network. After a while, we got some credentials. They were for the user roxi.

We used the su command to log in as roxi.

We started our enumeration for the user roxi and saw that this user has some mail.

Let’s dig into that. There was an elaborate story in those emails, but in the end they contained some credentials. They were for the user dorelia.

Privilege Escalation

We again used the su command to log in as the newly found user, dorelia. Let’s use the sudo -l command to check whether this user can run some application with root privileges.

The dorelia user can run the “nice” command as the Nancy user, who we suppose has root access. We needed to find out more about this “nice”. We used the help parameter to get some information about the command. Finally, we checked GTFOBins for the nice command and found a way to escalate privileges using it. So, we ran the nice command through sudo to invoke the sh shell. This gave us root privileges.
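The lesson for whoever writes sudoers files is that nice, like any program whose only job is to run another program, is equivalent to granting every command as the target user. The following Python is an added example, not code from the post or from the lab: a small auditor that parses sudoers-style rule lines and flags wrappers of that kind and unrestricted `ALL` grants. The rule lines are constructed samples (the page does not show the lab’s actual sudoers entry), and the wrapper list is my own short selection of binaries documented on GTFOBins.

```python
import os
import re

# Constructed sudoers-style rules; the first mirrors the situation on the page.
SAMPLE_SUDO_RULES = """\
# user  host=(runas)  [tags:] commands
dorelia ALL=(nancy) NOPASSWD: /usr/bin/nice
backup ALL=(root) /usr/bin/rsync
webadmin ALL=(ALL) NOPASSWD: ALL
"""

# Assumed set: programs that execute a command given as their argument, so a
# sudo rule for them is effectively a rule for any command.
COMMAND_WRAPPERS = {"nice", "env", "nohup", "ionice"}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Parse 'user host=(runas) [TAG:] cmd, cmd' lines into dicts.
    Comments, blank lines and lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(text):
    """Return (user, runas, command, reason) for every rule that amounts to
    an unrestricted grant: ALL, or a command-wrapper binary."""
    findings = []
    for rule in parse_rules(text):
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                reason = "grants every command"
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary not in COMMAND_WRAPPERS:
                    continue
                reason = f"{binary} runs an arbitrary program given as its argument"
            findings.append((rule["user"], rule["runas"], cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_RULES):
        print(finding)
```

The fix on the sudoers side is to grant the specific command the user actually needs, with its arguments pinned, rather than a generic launcher; the audit flags the rsync rule as fine because rsync does not take a program to execute as its ordinary argument. Note that real `sudo -l` output omits the leading user and host fields, so the rule regex would need to be relaxed to read that format directly.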

Reading Root Flag

We traversed to the root directory to find the flag, and there is a script here named proof.sh. We ran the script and it gave us the final flag.

This was long and tiring, but a learning experience. I would like to thank the lab authors for creating a lab that helped me learn so much. I would also like to thank Erik for his help.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. He can be contacted on Twitter and LinkedIn.