
Detecting privilege escalation, incident response and mitigation, Splunk

For example, a sensitive file is configured in Splunk in such a way that any change to that file raises an alert.

You now know that your /etc/passwd file has been changed, that the user who did this has uid 1002, and that the user used the /bin/cp executable to do it.

From the victim server, auditd and sshd logs are forwarded to Splunk. Our task is to find out the user's name.

Query in Splunk:

source="/var/log/victim-server/audit.log" uid=1002 /Home

From the results we learn that uid 1002 belongs to the user victor.

This user victor may also try to ssh into the victim server. We want to know the IP address of the system from which victor is trying to ssh.

source="/var/log/victim-server/sshd.log" "failed password for victor"

Now we get the IP address of victor's machine.

There is another way to get the username for uid 1002; for that you need to know what the acct and auid fields mean in auditd logs. acct is the account name and auid is the audit uid, the uid of the original login session, which is kept even after su or sudo.

source="/var/log/victim-server/audit.log" auid=1002 AND acct=* AND exe="*sshd" | top 0 acct

or 

source="/var/log/victim-server/audit.log" auid=1002 AND acct=* | top acct


Next, still investigating the audit logs, how do we find which tool the attacker downloaded over https after getting access to the system?

source="/var/log/victim-server/audit.log" https   (we could also use the .com keyword)

 

Now suppose the attacker switched user accounts using the su command. How do you find that?

source="/var/log/victim-server/audit.log" uid="1002" exe="/bin/su" | top 0 acct

or

source="/var/log/victim-server/audit.log" uid="1002" exe="/bin/su"

Now we get the name of the user account that was switched to.
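The auid/acct lookup and the su query above are field searches over auditd records. The following is an added example, not code from the original post, that parses a few constructed auditd lines and answers the same questions offline: which account auid 1002 logged in as through sshd, which account it switched to with su, and which uid/exe touched the watched /etc/passwd. The sample records, addresses and the "passwd-watch" audit key are constructed for the example.

```python
import re
from collections import Counter

# Constructed auditd records (not from the original post): an sshd login for auid 1002,
# a SUID cp writing the watched /etc/passwd, and an su from that session to "scanner".
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1700000000.050:198): pid=1380 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="victor" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1700000000.060:199): pid=1380 uid=0 auid=1002 ses=5 msg='op=PAM:session_open grantors=pam_unix acct="victor" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=1400 pid=1401 auid=1002 uid=1002 gid=1002 euid=0 comm="cp" exe="/bin/cp" key="passwd-watch"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" mode=0100644 ouid=0 ogid=0
type=USER_START msg=audit(1700000000.200:205): pid=1450 uid=1002 auid=1002 ses=5 msg='op=PAM:session_open grantors=pam_unix acct="scanner" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Flatten one auditd line into a dict. Keys inside the nested msg='...' payload
    (acct, exe, addr) are picked up too; the event serial joins SYSCALL with PATH."""
    fields = {k: (q if q else b.strip("'")) for k, q, b in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def accounts_for_auid(records, auid, exe_suffix=None):
    """Same question as: auid=<n> AND acct=* [AND exe="*<suffix>"] | top acct"""
    hits = Counter(r["acct"] for r in records
                   if r.get("auid") == str(auid) and "acct" in r
                   and (exe_suffix is None or r.get("exe", "").endswith(exe_suffix)))
    return hits.most_common()

def su_targets(records, uid):
    """Same question as: uid="<n>" exe="/bin/su" | top 0 acct"""
    return sorted({r["acct"] for r in records
                   if r.get("uid") == str(uid) and r.get("exe") == "/bin/su" and "acct" in r})

def writers_of(records, path):
    """Which (uid, exe) pairs touched the watched file: join SYSCALL and PATH on event id."""
    events = {r["event"] for r in records if r.get("type") == "PATH" and r.get("name") == path}
    return [(r["uid"], r["exe"]) for r in records
            if r.get("type") == "SYSCALL" and r["event"] in events]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print(accounts_for_auid(recs, 1002, "sshd"))   # [('victor', 1)]
    print(su_targets(recs, 1002))                  # ['scanner']
    print(writers_of(recs, "/etc/passwd"))         # [('1002', '/bin/cp')]
```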


Now access the server to investigate further:

After accessing the server, issue the sudo -i command to get root access.

Now type the history command or cat /root/.bash_history to see which commands the attacker previously ran.

Check the /root/.ssh/authorized_keys file.

In this case the vulnerability lies in the /bin/cp utility, because the SUID permission is set on /bin/cp. When this bit is set the command executes with root privileges, so any unprivileged user can use cp to write to any file on the system, which is how /etc/passwd was modified.

So, to find that tool:

find / -perm -u=s -type f 2>/dev/null

After finding that tool, issue the command below.

chmod u-s /bin/cp


Now remove the scanner user from the /etc/passwd file. You can use vim, nano, mousepad or pluma to do that, or you can use the command below (it deletes the last line of the file, so check first that the attacker's entry is the last one).

sed -i "$ d" /etc/passwd

Also remove the entry from the /root/.ssh/authorized_keys file.

sed -i "$ d" /root/.ssh/authorized_keys
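The find, chmod u-s and sed steps above can be turned into a repeatable check. The following is an added example, not code from the original post: it lists SUID files under a root, reports those not on an allowlist, clears the setuid bit, and removes a passwd entry by user name rather than by deleting the last line. The allowlist EXPECTED_SUID is a hypothetical baseline and build_demo_tree() creates a constructed sample tree so the code runs without touching the real filesystem.

```python
import os
import stat
import tempfile

# Hypothetical allowlist of binaries expected to carry the setuid bit on this host
# (adjust to the distribution's baseline); /bin/cp is deliberately absent.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp"}

def find_suid_files(root):
    """Python equivalent of: find <root> -perm -u=s -type f 2>/dev/null"""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def unexpected_suid(root, expected=EXPECTED_SUID):
    """Root-relative paths of SUID files that are not on the allowlist."""
    return ["/" + os.path.relpath(p, root) for p in find_suid_files(root)
            if "/" + os.path.relpath(p, root) not in expected]

def drop_suid(path):
    """chmod u-s <path>: clear only the setuid bit; returns the new permission bits."""
    new_mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_ISUID
    os.chmod(path, new_mode)
    return new_mode

def remove_passwd_entry(text, user):
    """Drop the entry for `user` from /etc/passwd content by name, wherever it sits,
    instead of deleting the last line blindly the way sed -i "$ d" does."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if line.split(":", 1)[0] != user)

def build_demo_tree():
    """Constructed sample filesystem: a SUID cp next to an expected SUID passwd."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    for rel, suid in (("bin/cp", True), ("usr/bin/passwd", True), ("bin/ls", False)):
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o4755 if suid else 0o755)
    return root
```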

Avi


