ITPro.TV: CompTIA Security+ (SY0-601) & TryHackMe: Jr. Penetration Tester

author: Nathan Acks
date: 2022-04-20

ITPro.TV: CompTIA Security+ (SY0-601)

Incident Response Process

Event = Something that raises a potential security flag.

Incident = A violation of some security process or policy.

Phases:

Part of recovery is ascertaining how the incident occurred and remediating the associated vulnerability/vulnerabilities.

A good distinction: A “runbook” is an automated playbook.

Things to have in your after action report:

Incident Response Plans

BCDRP = Business Continuity and Disaster Recovery Plan

Exercises, in order of how closely they mimic/interrogate the IRP:

There’s actually a tabletop game created by Black Hills Information Security that’s designed to help with tabletop exercises.

Attack Frameworks

An “attack framework” is just a way to describe an attack in a standardized fashion.

The diamond model can be summarized as, “for every intrusion, there exists an adversary who is using their capabilities over/with some kind of infrastructure infrastructure to attack a victim.”

MITRE ATT&CK is really the gold standard though.

TryHackMe: Jr. Penetration Tester

Enumeration

Useful Linux post-exploit enumeration commands

Instead of u, j can be used with ps to get a slightly different column output format. This is mostly useful for finding out numeric user IDs and parent process IDs.

The netstat command supports the -t and -u flags to limit returned ports to TCP and UDP, respectively. Note that by default netstat will try to resolve hostnames, which can cause hangs; use -n to skip this (and only display IP addresses).

Automated Enumeration Tools

Of these, only LES is available in the Kali Linux repos (sudo apt install linux-exploit-suggester).

Privilege Escalation: Sudo

Basically: GTFOBins!

Sometimes, you can also get applications to leak information about sensitive files (such as /etc/shadow by passing these as if they were configuration files. Apache is one app that does this.

Also, exploiting LD_PRELOAD.

Exploiting sudo nano:

Exploiting sudo less is as simple as !/bin/sh.

If find can be run with sudo, then try sudo find . -exec /bin/sh \; -quit.

Privilege Escalation: SUID

Find (not always so quickly) SUID and SGID files:

find / -type f -perm -04000 -ls 2>/dev/null

Note that Linux systems still fall back to password hashes in /etc/passwd if an entry in /etc/shadow isn’t present. This means that we can just directly add root-equivalent users directly here (remember that the UID and primary GID can be duplicated!).

To generate a password acceptable for inclusion in /etc/passwd:

openssl passwd -1 -salt $SALT $PASSWORD

Privilege Escalation: Capabilities

“Capabilities” are finer-grained permissions that can be assigned to a binary. Think of them as a kind of granular SUID/SGID.

The getcap command displays a binary’s capabilities (if there are any), and can even be used to perform a search for such binaries using getcap -r $PATH 2> /dev/null.

Privilege Escalation: Cron Jobs

Basically, check to see if any scripts run by a privileged user can be written to by an unprivileged user.

Also look for “zombie” cron jobs that are still running but refer to a non-existent file in a writable location.

Bash as a reverse proxy makes an appearance again here.

Privilege Escalation: NFS

NFS exports are listed in /etc/exports; if an export is configured with no_root_squash, then root permissions won’t be stripped from created files and it’s possible to create root-owned SUID/SGID binaries on the mount. (Remember that files on NFS mounts are created using the UID/GID values of the local user!)