Linux

avatar
Created by
GiganticAngonoka72710

Cards (74)

  • Linux Analysis:
    • From the above analysis, it appears the attacker uploaded a .phtml document to execute PHP code on the server. Due to the unsafe system() call in the PHP code, this file allows the execution of arbitrary commands on the system remotely. The attacker likely exploited this to establish a more stable connection from the web server to their system.
  • Linux Analysis
    • After identifying the uploaded file that led to the foothold, it is now a good idea to look into the web server logs to correlate the request and gain more insights into the attack. Web server logs, such as Apache or Nginx logs, can provide valuable information about the attacker's activities, request patterns, and origin.
  • Linux Analysis:
    Attackers often target directories with write permissions to upload malicious files. Common writable directories include:
    • /tmp: The temporary directory is writable by all users, making it a common choice.
    • /var/tmp: Another temporary directory commonly with world write permissions.
    • /dev/shm: The shared memory file system, which is also normally writable by all users.
  • Linux Analysis: Metadata
    • Metadata refers to the embedded information that describes files, which provides insights into a file's characteristics, origins, and attributes. It can include various types of information, such as file creation dates, author details, composition, and file types.
    • When performing live analysis on a system, metadata can be highly useful in determining the origin and modification timestamps and, in some cases, author details of specific files.
  • Analysing Checksums
    • Checksums are unique values generated from data using cryptographic hash functions (such as MD5 or SHA-256). These functions produce fixed-size strings of characters representing the data so that even a minor change in the data will result in a significantly different checksum.
    • Checksums are often used for data integrity verification, ensuring that data has not been altered or corrupted. For an incident responder, they can also be used to identify malicious files and executables based on known signatures
  • Linux Analysis: Checksum
    • Once we have obtained the hash values, we can submit them to a malware detection service like VirusTotal for further analysis. Upon doing so, we will find evidence of various vendors flagging this file as a Meterpreter reverse shell payload.
    • This quick analysis suggests that the attacker placed and executed the reverse.elf file using their initial RCE to achieve an interactive reverse shell connection to the web server.
  • Linux Analysis: Timestamps
    • Timestamps are additional pieces of metadata associated with files or events that indicate when a particular action occurred.
    • Timestamps are one of the most essential aspects for tracking the creation, modification, and access times of files and directories in incident response and forensic activities.
    • These timestamps are invaluable in forensic investigations as they provide essential clues about the sequence of events and the actions performed on a system and help establish a timeline.
  • Linux Timestamps
    In Unix-based systems, three main timestamps are commonly recorded:
    • Modify Timestamp (mtime): This timestamp reflects the last time the contents of a file were modified or altered. Whenever a file is written to or changed, its mtime is updated.
    • Change Timestamp (ctime): This timestamp indicates the last time a file's metadata was changed. Metadata includes attributes like permissions, ownership, or the filename itself. Whenever any metadata associated with a file changes, its ctime is updated.
  • Linux Timestamps
    In Unix-based systems, three main timestamps are commonly recorded:
    • Access Timestamp (atime): This timestamp indicates the last time a file was accessed or read. Whenever a file is opened, its atime is updated.
  • Linux Analysis: Timestamps
    • As mentioned, a file's Access Timestamp (atime) can be easily and inadvertently updated as we perform investigative actions. When we viewed the metadata using ExifTool or analysed its checksums with md5sum or sha256sum, we performed read actions on reverse.elf, thus altering its access time.
    • This is an important concept to consider with live forensic analysis, which is why it's crucial to obtain forensically sound backups and copies of the affected system beforehand. Because of this, the atime will not be a reliable metric for us.
  • Identifying User Accounts
    • Within UNIX-like systems, the /etc/ directory is a central location that stores configuration files and system-wide settings.
    • Specifically, when investigating user accounts, /etc/passwd is a colon-separated plaintext file that contains a list of the system's accounts and their attributes, such as the user ID (UID), group ID (GID), home directory location, and the login shell defined for the user.
    • Attackers can maintain access to a system by creating a backdoor user with root permissions
  • Identifying Groups
    In Linux systems, certain groups grant specific privileges that attackers may target to escalate their privileges. Some important Linux groups that might be of interest to an attacker include:
    • sudo or wheel: Members of the sudo (or wheel) group have the authority to execute commands with elevated privileges using sudo.
    • adm: The adm group typically has read access to system log files.
  • Identifying Groups
    • shadow: The shadow group is related to managing user authentication and password information. With this membership, a user can read the /etc/shadow file, which contains the password hashes of all us
    • disk: Members of the disk group have almost unrestricted read and limited write access inside the system.
  • User Logins and Activity
    • Checking user logins and activity is valuable for performing a real-time analysis of a compromised system. Fortunately, a couple of useful utilities and logs can assist us.
  • Last and lastb
    • The last command is an excellent tool for examining user logins and sessions. It is used to display the history of the last logged-in users. It works by reading the /var/log/wtmp file, which is a file that contains every login and logout activity on the system.
    • Similarly, lastb specifically tracks failed login attempts by reading the contents of /var/log/btmp, which can help identify login and password attacks.
  • Sudoers File
    • As a result, it can be a target for attackers seeking persistence. For instance, if an attacker can find a way to insert their user account (or one that they control) into the sudoers file, they could grant themselves elevated privileges without requiring authentication. Alternatively, they may alter existing entries to broaden their access.
  • Sudo
    • richard is the username being granted sudo privileges.
    • ALL indicates that the privilege applies to all hosts.
    • (ALL) specifies that the user can run the command as any user.
    • /sbin/ifconfig is the path to the specific binary, in this case, the ifconfig utility.
    With this configuration, Richard can execute ifconfig with elevated sudo privileges to manage network interfaces as necessary.
  • Hidden Files
    • Hidden files, identified by a leading dot in their filenames, often store sensitive configurations and information within a user's home directory. By default, we cannot list out these hidden files using ls. To view them, we need to provide the -a argument, which will include all entries starting with a dot. E.g. .bash_history
  • Hidden Files
    • Some common files that would be of interest during an investigation include:
    • .bash_history: This file contains a user's command history and can be used to show previous commands executed by the user.
    Additionally, we can look at other files and directories of interest, like browser profiles and the .ssh directory.
    • .bashrc and .profile: These are configuration files used to customise a user's Bash shell sessions and login environment, respectively.
  • SSH and Backdoors
    • The .ssh directory is a susceptible area containing configuration and key files related to SSH connections. The authorized_keys file within the directory is critical because it lists public keys allowed to connect to a user's account over SSH.
    • If a malicious user gains unauthorised access to a system and wants to persistently access another user's account (for example, Jane's account) by adding their public key to the authorized_keys file, we can potentially uncover artefacts that hint at these actions.
  • Linux Analysis
    • Another area to look at within our compromised host's file system is identifying binaries and executables that the attacker may have created, altered, or exploited through permission misconfigurations.
    Once we identify an executable or binary that we want to investigate further, we can perform metadata analysis as we have done previously, performing integrity checking on it using checksums or inspecting its human-readable strings and raw content.
  • Strings
    • The strings command is valuable for extracting human-readable strings from binary files. These strings can sometimes include function names, variable names, and even plain text messages embedded within the binary. Analysing this information can help responders determine what the binary is used for and if there is any potential malicious activity involved.
  • Debsums
    • Like the integrity checking we performed earlier, debsums is a command-line utility for Debian-based Linux systems that verifies the integrity of installed package files. debsums automatically compares the MD5 checksums of files installed from Debian packages against the known checksums stored in the package's metadata.
    • If any files have been modified or corrupted, debsums will report them, citing potential issues with the package's integrity. This can be useful in detecting malicious modifications and integrity issues within the system's packages.
  • Binary Permissions
    • SetUID (SUID) and SetGID (SGID) are special permission bits in Unix operating systems. These permission bits change the behaviour of executable files, allowing them to run with the privileges of the file owner or group rather than the privileges of the user who executes the file.
  • Binary Permissions
    • If a binary or executable on the system is misconfigured with an SUID or SGID permission set, an attacker may abuse the binary to break out of a restricted (unprivileged) shell through legitimate but unintended use of that binary.
    • For example, if the PHP binary contained a SUID bit to run as root, it's trivial for an attacker to abuse it to run system commands through PHP's system exec functions as root.
  • Binary Permissions
    • Much of the output here is expected as these binaries require the SUID bit and are not vulnerable. However, two of these results stand out. Firstly, Python should never be given SUID permission, as it is trivial to escalate privileges to the owner.
    • Additionally, any SUID binaries in the /tmp or /var/tmp directory stand out as these directories are typically writable by all users, and unauthorised creation of SUID binaries in these directories poses a notable risk.
  • Rootkits
    • A rootkit is a type of malicious set of tools or software designed to gain administrator-level control of a system while remaining undetected by the system or user. The term "rootkit" derives from "root", the highest-level user in Unix-based systems, and "kit", which typically refers to a set of tools used to maintain this access.
  • Rootkits
    • Rootkits are particularly dangerous because they can hide their presence on a system and allow attackers to maintain long-term access without detection.
    • Attackers can also use them to stage other malicious activities on the target, exfiltrate sensitive information, or command and control the compromised system remotely.
  • Chkrootkit
    • Chkrootkit (Check Rootkit) is a popular Unix-based utility used to examine the filesystem for rootkits. It operates as a simple shell script, leveraging common Linux binaries like grep and strings to scan the core system programs to identify signatures.
    • It can use the signatures from files, directories, and processes to compare the data and identify common patterns of known rootkits. As it does not perform an in-depth analysis, it is an excellent tool for a first-pass check to identify potential compromise, but it may not catch all types of rootkits.
  • RKHunter
    • RKHunter (Rootkit Hunter) is another helpful tool designed to detect and remove rootkits on Unix-like operating systems. It offers a more comprehensive and feature-rich rootkit detection check compared to chkrootkit.
    • RKHunter can compare SHA-1 hashes of core system files with known good ones in its database to search for common rootkit locations, wrong permissions, hidden files, and suspicious strings in kernel modules. It is an excellent choice for a more comprehensive assessment of the affected system.
  • RKHunter
    • Because rkhunter leverages a live database of known rootkit signatures, checking for database updates (rkhunter --update) before running in the field is crucial. Because this system is isolated, we won't be able to run a database update here, but the latest version was acquired before mounting our tools to the system.
  • Redis Auth
    • Authentication method is enabled by editing the redis.conf file, and providing a database password using the requirepass setting. This password is then used by all clients.
    • When the requirepass setting is enabled, Redis will refuse any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.
  • SNMP: Default Community Names of SNMP Agent
    • Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).
    • If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, et
  • SNMP: Default Community Names of SNMP Agent
    • If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall' access), they will have the ability to change information on the remote machine.
    • This could be a huge security hole, enabling remote attackers to wreak complete havoc such as routing network traffic, initiating processes, etc. In essence, 'writeall' access will give the remote attacker full administrative rights over the remote machine.
  • Nginx Root
    • Nginx should not be ran as root. An attacker can compromise the web server and gain root privileges.
    • Go to /etc/nginx/nginx.conf and change user to non-privileged account
  • Vulnerability: Telnet Unencrypted Cleartext Login
    • The remote host is running a Telnet service that allows cleartext logins over unencrypted connections. An attacker can uncover login names and passwords by sniffing traffic to the Telnet service.
    • Replace Telnet with a protocol like SSH, which supports encrypted connections.
  • Vulnerabilities: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
    • The remote SSH server is configured to allow / support weak key exchange (KEX) algorithm(s). An attacker can quickly break individual connections.
    • Disable the reported weak KEX algorithm(s).
  • Processes:
    • In Linux, a process is a running instance of a program. When you execute a program or command in Linux, the operating system creates a process for running that program.
    • Each process has its unique identifier called a Process ID (PID), which helps the operating system to manage and track it.
  • Processes
    • Processes can have parent-child relationships, forming a hierarchical structure. When one process spawns another process (for example, when one shell session spawns an additional process in a subshell), the new process becomes the child of the process that created it, referred to as its parent.
    • This relationship is essential for managing processes and resource allocation within the operating system.
  • ps
    • The ps command is a versatile utility in UNIX-like operating systems that reports a snapshot of the active processes on the system. By default, it displays information about processes associated with the current (active running) console session, but it can also be used to gather system-wide and other user's process information
    • The utility retrieves this information by reading files in the /proc virtual filesystem, a hierarchical directory structure corresponding to each process on the running system.