Trent Walraven

A 2024 Cyber Security Engineering Student at Iowa State University

CYBE230 Lab 12 - Capstone

3 minute read


Our final lab, was less a lab and more like a final project. For this project we were given a virtual machine that was running many services with many of them being poorly configured. We were given a username and password to login. At the first login there was a message that there was new mail for the user. I went to go find the mail in the /var/mail/ directory. If you open up the email and read it, it describes some of the services that are running on the systems, and that are poorly configured and need redone.

The first major issue is that there is an FTP server running on the default port without a password. If you login anonymously, you can read and write all the contents of the / directory. This is a major issue, if anyone can change any file in any directory, they can just give themselves access.

After that section of the email there was a talk about a cron job that would copy shadow, group, and passwd files from a backup directory to /etc/ directory. This was to “prevent” the issues that came up with the FTP server being used for access, and anyone else getting on the system. Pulling security based files from a local backup as a remediation to intrusion, is a bad idea, as when an attacker has gotten onto the system. They can just modify that backup to allow them back into the system whenever they want.

After seeing that the cron job trusts the files in this backup directory, I went to take a look at the files that are being copied. Taking a look at these, I found the files had been tampered with, and had a new user added to them. This added user was a user with a username backdoor, and without a password. I decided to try login as this user, and it worked, alongside dropping into a root shell. A backdoor user without a password dropping to a root shell, is extraordinarily dangerous. Anyone who knows that user exists on the system can easily get full access.

Continuing in the email there were a list of web vulnerabilities that were found on the system. Being all done in virtual machines, I did not want to spend a bunch of time on these websites, so I just picked a single vulnerability. I decided to take a look at SQL injection issues on the login page. After finding the login page, there was a basic login page that had the same issue as Lab 8. Using this with the username admin allows anyone to login as an admin to the website and make modifications to the database.

After getting most of the information from the email that was sent, I decided to used netstat -tulpn to show all the processes that are maintaining control of a port on the system. This showed a few interesting things with a netcat process running on port 1337, a sshd server on port 14580 when there was also one running on port 22, and a finger server on port 79.

I started by taking a look at the netcat process that was running on port 1337. I decided to just connect to it with my own instance of netcat. When connecting it takes a second or two, but then drops you into a root shell. To me, this seems like a malicious reverse shell that had been planted on the machine. Obviously having a root shell open to anyone on the system is always a bad idea.

The next running service I thought to look at was the second ssh server. When visiting this ssh server it would ask for a password, but with just pressing enter it would log you in anyway. This is most likely a rouge ssh server that was added to be able to login to the backdoor user. A good way to stop this would be having a firewall set up to default deny incoming connections, as this would prevent that SSH server from being used from an outside network. It should then be removed as soon as possible.

The final thing that I looked at was the finger server. This is server that has will give system information when probed, both on physical things like CPU and memory usage. It also gives information like the users who have a shell, and what process they are running. This would allow the person who created the backdoor to see when they could get on the system when nobody else was on. While this could be used for something locally, it is not a good idea to leave that open to the internet.

Categories:

Updated:

You may also enjoy

Cyber Tractor Challenge

3 minute read

My experience with the John Deere event that brought in students from around the country to test the security of John Deere equipment

CYBE231 Lab 12 - Final Project Part 3

4 minute read

The last part of the final project where we had to attack other networks and get into the systems that had been secured by other students