Hey you😅! Welcome to my blog. Today i will take you through my thought process on how i was able to solve the “Paranoid” Challenge on BTLO. This is an Incident Response kinda challenge where we are presented with an auditd.log file for analysis and recommended to use tools like aureport to answer the questions as follows.
Ok…wait..So what’s aureport?🤔
Simply put, aureport - a tool that produces summary reports of audit daemonlogs
From the linux man page, aureport is a tool that produces summary reports of the audit system logs. The aureport utility can also take input from stdin as long as the input is the raw log data. The reports have a column label at the top to help with interpretation of the various fields.
This is a command line tool in linux. If your system doesnt have it installed by default, you can install it as follows:
1
sudo apt install auditd
Someone might ask, what is auditd?
Well, Auditd or audit daemon, is a userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk.
Once it finishes it will install some tools related to auditd tool. Here are the tools :
auditctl; is a tool to control the behaviour of the daemon on the fly, adding rules, etc/etc/audit/audit.rules; is the file that contains audit rulesaureport; is tool to generate and view the audit reportausearch; is a tool to search various eventsauditspd; is a tool which can be used to relay event notifications to other applications instead of writing them to disk in the audit logautrace; is a command that can be used to trace a process- /etc/audit/auditd.conf ; is the configuration file of auditd tool
- When the first time we install auditd, there will be no rules available yet.
If all goes well, you should be able to run aureport --help to see all the available options we can use to parse this log file as shown below:😁
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
usage: aureport [options]
-a,--avc Avc report
-au,--auth Authentication report
--comm Commands run report
-c,--config Config change report
-cr,--crypto Crypto report
--debug Write malformed events that are skipped to stderr
--eoe-timeout secs End of Event Timeout
-e,--event Event report
--escape option Escape output
-f,--file File name report
--failed only failed events in report
-h,--host Remote Host name report
--help help
-i,--interpret Interpretive mode
-if,<Input File name> use this file as input
--input-logs Use the logs even if stdin is a pipe
--integrity Integrity event report
-k,--key Key report
-l,--login Login report
-m,--mods Modification to accounts report
-ma,--mac Mandatory Access Control (MAC) report
-n,--anomaly aNomaly report
-nc,--no-config Don't include config events
--node <node name> Only events from a specific node
-p,--pid Pid report
-r,--response Response to anomaly report
-s,--syscall Syscall report
--success only success events in report
--summary sorted totals for main object in report
-t,--log Log time range report
-te,[end date/time] ending date & time for reports
-tm,--terminal TerMinal name report
-ts,[start date/time] starting data & time for reports
--tty Report about tty keystrokes
-u,--user User name report
-v,--version Version
--virt Virtualization report
-x,--executable eXecutable name report
If no report is given, the summary report will be displayed
To get a general overview of the provided log file, we can use the --summary flag and specify the input file by -if.
What account was compromised? (2 points)
In order to solve this question we can use -au parameter to get all the authentication attempts. Simply run
aureport -au -if audit.log
Third row displays the account info
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Authentication Report
============================================
# date time acct host term exe success event
//redacted
64. 10/05/2021 03:22:49 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465736
65. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465803
66. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465808
67. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465811
68. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465813
69. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465815
70. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465819
71. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465823
72. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465829
73. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465831
74. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465832
75. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465836
76. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465838
77. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465841
78. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465843
79. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465845
80. 10/05/2021 03:22:52 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465848
81. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465916
82. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465920
83. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465924
84. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465925
85. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd yes 465936
86. 10/05/2021 03:22:55 btlo 192.168.4.155 ssh /usr/sbin/sshd no 465962
87. 10/05/2021 03:22:56 btlo 192.168.4.155 ssh /usr/sbin/sshd no 466002
88. 10/05/2021 03:23:05 btlo 192.168.4.155 ssh /usr/sbin/sshd no 467227
89. 10/05/2021 03:23:13 btlo 192.168.4.155 ssh /usr/sbin/sshd yes 467550
90. 10/05/2021 03:23:34 btlo ? /dev/pts/1 /usr/bin/sudo yes 468442
91. 10/05/2021 03:25:40 btlo ? /dev/pts/1 /usr/bin/sudo no 473858
92. 10/05/2021 03:25:41 btlo ? /dev/pts/1 /usr/bin/sudo no 473860
btlo
What attack type was used to gain initial access? (2 points)
From the timestamps in the output above, we can be able to tell the number of authentication attempts in a span of 1 second are almost 16 times, this definately should be the attacker bruteforcing. He actually got lucky at 10/05/2021 03:22:55 where we see a yes in the success row.(Ok, was that last sentence even grammatically correct🤔😂?) Anyway 17 seconds later, he used the username and password to login and got a pseudo-terminal.
brute force
What is the attacker’s IP address? (2 points)
From the output shown above, we can acertain that the IP address must be the attackers
192.168.4.155
What tool was used to perform system enumeration? (2 points)
We can use the --tty parameter to get a report on tty keystrokes. Now as shown in the screenshot attached, the attacker run commands like hostanme to obtain the DNS(Domain Name System) name and set the system’s hostname or NIS(Network Information System) domain name, whoami to displays the username of the current user and ls to list contents of the current directory. Looking at the wget command, we can tell the attacker tried getting linepeas script from his machine which he had hosted it on port 8000. (Now from a CTF POV, i kinda related to this whole scenario, whereby if i was solving a machine, lets say on HTB, and i’ve gotten a shell on the target system, i would start by performing some situational awareness to understand more about the system and potentially find ways i can potentially elevate my privileges to a root user.).
So in this scenario, we know that LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. . you can read more about some of the enumeration checks it does on book.hacktricks.xyz
linpeas
What is the name of the binary and pid used to gain root? (3 points)
If we go ahead and follow the output of the previous commamd, we saw that the attacker went ahead and run lsb_release -a which is a command to obtain information specific to your LSB (Linux Standard Base) and distribution- specific information. He then went ahead to run sudo -V command which basically Prints the sudo version string as well as the version string of the security policy plugin and any I/O plugins (If the invoking user is already root the -V option will display the arguments passed to configure when sudo was built and plugins may display more verbose information such as default options.). 5 Seconds after determining the sudo verison, the attacker downloaded a compressed file on the target’s machine which was still hosted on his machine. Run the ls command to confirm it was downloaded successfully then extracted it and navigated to the extracted directory and run the make command.
For those not familiar with the make commnd, i can quote IBM’s Blog on the same and state that it: “uses information from a description file, which you create, to build a file containing the completed program, which is then called a target file. The internal rules for the make command are located in a file that looks like a description file.”
With this in mind, we know that there might be some some sort of description file in the current extracted directory. Once the build process completes, he executes a binary called evil. With this in mind, we can use the -p parameter to list all process id’s. In this case we are particularly interested in any information related with "evil" binary, so we are going to use grep command to filter out uneccesary stuff that we dont really need. We get:
1
2
3
➜ aureport -p -if audit.log | grep "evil"
16156. 10/04/2021 20:27:17 829992 /home/btlo/evil/evil 59 1001 481021
➜ aureport -p -if audit.log | grep "evil"
We can be able to see the pid of the binary as 829992 running from /home/btlo/evil/evil path at 20:27:17. This is 7seconds after the attacker run the command .evil, in this case, he run the whoami command. If you are still following this, we can can assume that he was checking if he successfully attained root privileges. This brings us to the answer as:
evil, 829992
What CVE was exploited to gain root access? (Do your research!) (3 points)
From the analysis above, we can assume that after running version specific commands after enumeration such as sudo -V, he went ahead to search if there are publicly available vulnerability targeting the version he got. From my research, i tried looking for any "sudo vulnerabilities that you can build with the make command". Here is the output i got.
The first result i got was CVE-2021-3156 dubbed as Heap-Based Buffer Overflow in Sudo (Baron Samedit) discovered by the The Qualys Research Team. From the linked blog post, we can gain further understanding on what sudo versions are affected.
- All legacy versions from 1.8.2 to 1.8.31p2
- All stable versions from 1.9.0 to 1.9.5p1
With this in mind, i used a tool called searchsploit to get an exploit that the attacker potentially used.
CVE-2021-3156
What type of vulnerability is this? (3 points)
Heap-Based Buffer Overflow
What file was exfiltrated once root was gained? (3 points)
Still on the --tty output, we saw the attacker tried to clean up by deleting the zip file downloaded and the extracted directory. Assuming he now has root privileges after exploiting the Heap-Based Buffer Overflow in Sudo, he was trying to read contents of the shadow file located in /etc
A shadow password file also known as /etc/shadow, is a system file in Linux that stores encrypted user passwords and is accessible only to the root user, preventing unauthorized users or malicious actors from breaking into the system.
So we can be certain that it is the only file he exfiltrated
/etc/shadow
That was the end of my blog. Now
Just kidding…Hope you enjoyed my thought process. This was a fun challenge and educational as well. I’d like to thank my team mates:
for solving this with me. We definately learnt alot.
Until the next challenge, take care and keep safe.🙂✌🏼