Capstone-Engagement-Project-Red-Team-v.-Blue-Team
As the Red Team, attack a vulnerable VM within the environment, ultimately gaining root access to the machine. As Blue Team, use Kibana to review logs taken during Day 1 engagement of Red Team’s attack. Use the logs to extract hard data and visualizations for a detailed report of findings.
This document serves as an outline for the Presentation of the Capstone Engagement Project.
Network Topology
The following machines live on the network:
| Name | IP Address |
|---|---|
| Kali | 192.168.1.90 |
| Target | 192.168.1.105 |
| ELK | 192.168.1.100 |
| Azure Hyper-V | 192.168.1.1 |
Red Team
While the web server suffers from several vulnerabilities, here are three that were initially discovered:
| Vulnerability | Description | Impact | |
|---|---|---|---|
| 1 | Sensitive Data Exposure (A02:2021 OWASP Top 10) Critical | The secret_folder is publicly accessible, but contains sensitive data intended only for authorized personnel. | The exposure compromises credentials that attackers can use to break into the web server. |
| 2 | Brute Force Vulnerability | An attack method where login information, passwords and encryption keys are attempted until there is a successful login. | This type of attack can have a significant impact because the attacker can cause loss of data, identity theft, and unauthorized access to confidential data. |
| 3 | Remote Code Execution via Command Injection (A03:2021 OWASP Top 10) Critical | Code injection, also called Remote Code Execution (RCE), occurs when an attacker exploits an input validation flaw in software to introduce and execute malicious code. | Malicious code can be injected to possibly gain access to sensitive data and compromise the confidentiality and integrity of the information. |
Exploits
-
Explotation: Sensitive Data Exposure
-
Tools & Processes
nmapcommand to determine open ports and IP addresses accepting connections.dirbcommand that is used to find existing and/or hidden web objects, which are the elements of a web page.- Explore different avenues of the web page.
-
Achievements
- The exploit revealed a
secret_folderdirectory - Folder says for Asthon’s eyes only, leading the direction of the login efforts.
- This directory is password protected, but susceptible to brute-force.
- The exploit revealed a
-
Aftermath
- The login prompt reveals that the user is
Ashton - This information is used to run a brute force attack and steal the data that is needed for the Remote Code Injection.
- The login prompt reveals that the user is
-
-
Explotation: Brute Force Vulnerability
-
Tools & Processes
gunziprockyou.gz file to unzip the file to be used later in the password cracking step.- Run
hydra -l ashton -P /usr/share/wordlists/rockyou.txt -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder. Running this command with hydra (built into the Kali Linux OS) with the username Ashton, against the rockyou.txt is the process for obtaining Ashton's password. Hydra is a common login cracker.
-
Achievements
- Brute force attack gaining access to log into the browser to gain access to Ryan’s hashed password, which later leads to access to the webdav browser.
-
Aftermath
- Crack hash and proceed with brute force attack, logging into the web browser, then receiving further instruction on how to connect to the webdav server, which is used in the remote code injection.
-
-
Explotation: Remote Code Injection
-
Tools & Processes
- Use Meterpreter to connect to uploaded web shell
- Use shell to explore and compromise target.
-
Achievements
- Deploying the remote code injection allows up to open the Meterpreter shell into the target.
- Once this shell is opened, this opens the door to access the full database.
-
Aftermath
- Having access to the full database, provided the opportunity to find the flag, demonstrating the ability to access sensitive data.
-
Blue Team
A considerable amount of data is available in the logs. Specifically, evidence of the following was obtained upon inspection:
- Traffic from attack VM to target, including unusually high volume of requests
- Access to sensitive data in the secret_folder directory
- Brute-force attack against the HTTP server
- POST request corresponding to upload of shell.php
Unusual Request Volume: Logs indicate an unusual number of requests and failed responses between the Kali VM and the target. Note that 401, 301, 200, 207, and 404 are the top responses.
| HTTP Status Code | Meaning | Count |
|---|---|---|
| 401 | Unauthorized | 16,067 |
| 301 | Moved Permanently | 2 |
| 200 | OK | 536 |
| 207 | Multi-Status(WebDAV; RFC 4918) | 10 |
| 404 | Not Found | 4 |
In addition, note the connection spike in the Connections over time, which indicates the time the spike occurred at 2:46PM (1446 hours).
This shows the Top Hosts Creating Traffic, which indicates the Kali-Linux Machine have the most traffic at 2:46PM.
Access to Sensitive Data in secret_folder: On the dashboard, a look at the Top 10 HTTP requests panel shows that the /company_folders/secret_folder was requested 16,071.
HTTP Brute Force Attack: Searching for url.path: /company_folders/secret_folder/ shows conversations involving the sensitive data. Specifically, the results contain requests from the brute-forcing tool Hydra, identified under the user_agent.original section.
In addition, the logs contain evidence of a large number of requests for the sensitive data, of which only 2 were successful. This is a telltale signature of a brute-force attack.
WebDAV Connection & Upload of shell.php: The logs also indicate that an unauthorized actor was able to access protected data in the webdav directory. This image shows that the /webdav/shell.php has a count of 10 with a http status 207, meaning that there are several different responses based on the sub-requests that were made.
Mitigation steps are provided below.
-
Blocking the Port Scan
- The local firewall can be used to throttle incoming connections
- ICMP traffic can be filtered
- An IP allowed list can be enabled
- Regularly run port scans to detect and audit any open ports
-
High Volume of Traffic from Single Endpoint
- Rate-limiting traffic from a specific IP address would reduce the web server's susceptibility to DoS conditions, as well as provide a hook against which to trigger alerts against suspiciously suspiciously fast series of requests that may be indicative of scanning.
-
Access to sensitive data in the secret_folder directory
- The secret_folder directory should be protected with stronger authentication.
- Data inside of secret_folder should be encrypted at rest.
- Filebeat should be configured to monitor access to the secret_folder directory and its contents.
- Access to secret_folder should be whitelisted, and access from IPs not on this whitelist, logged.
-
Brute-force attack against the HTTP server
- The fail2ban utility can be enabled to protect against brute force attacks.
- Create a policy that locks out accounts after 10 failed attempts
- Create a policy that increases password complexity (requirements)
- Enable MFA
-
Identifying reverse shell uploads
- Write permissions can be restricted on the host.
- Uploads can be isolated into a dedicated storage partition.
- Filebeat should be enabled and configured.
- Write permissions can be restricted on the host.
Assessment Summary
| Red Team | Blue Team |
|---|---|
| Accessed the system via HTTP Port 80 CVE-2019-6579 | Confirmed that a port scan occurred |
| Found Root accessibility | Found requests for a hidden directory |
| Found the occurrence of simplistic usernames and weak passwords | Found evidence of a brute force attack |
| Brute forced passwords to gain system access CVE-2019-3746 | Found requests to access critical system folders and files |
| Cracked a hashed password to gain system access and use a shell script | Identified a WebDAV vulnerability |
| Identified Directory Indexing Vulnerability CWE-548 | Recommended alarms |
| Recommended system hardening |
Group
- Laura Pratt
- Josh Black
- Courtney Templeton
- Robbie Drescher
- Julian Baker