Check In!
Announcements
Bsides Tampa CTF is THIS SATURDAY on campus!
EventsMeeting Content
Connect to VPN
curl -fsSL https://pkgs.netbird.io/install.sh | sh && netbird up -k 3FFED112-D505-4AF1-959A-F345D5891063Check if Netbird is running
# check if Netbird is running
ip add
# If it is running, but you don't have IP address for wt0:
netbird down; sudo systemctl stop netbird; sudo apt remove netbird -y; slHere are some commands to get you started, it is your job to understand them and apply them appropriately
Machine Context
cat /etc/os-releaseuname -aneofetchip asudo apt install net toolsnetstat -tulpnss -blunt -pps auxcat /etc/passwd | grep /*.shsudo systemctl --type=service | grep activeServices
ssh
-rw-r--r-- 1 root root 3206 Apr 1 00:56 /etc/ssh/sshd_config
Disable:
* PermitRootLogin
* PubkeyAuthentication
* PermitEmptyPasswords
Enable:
* PasswordAuthentication
systemctl restart sshdvsftpd
-rw-r--r-- 1 root root 3206 Apr 1 00:56 /etc/vsftpd.conf
Disable:
* anonymous access
* write_enable
* anon_upload_enable
* anon_mkdir_write_enable
* chown_uploads
* chown_username
Enable:
* xferlog_enable
systemctl restart vsftpd
# Logs
/var/log/vsftpd.logproftpd
-rw-r--r-- 1 root root 5822 Apr 1 01:13 /etc/proftpd/proftpd.conf
# remove anon configuration
rm /etc/proftpd/enabled_mod/anonymous.conf
# syntax check
sudo proftpd -td5
systemctl restart proftpd.serviceapache2
-rw-r--r-- 1 root root 438 Apr 12 2023 /lib/systemd/system/apache2.service
systemctl enable apache2.service
systemctl start apache2.serviceThreat Hunting
find / -perm -u=s -type f 2>/dev/nullchmod -s binarycat /etc/sudoerscat /etc/group | grep sudocat /etc/group | grep wheelgpasswd --delete user groupdeluser user groupls -la /etc/cron.*tail /etc/crontabcrontab -ecrontab -e -u userThe Phatty: (try to understand this one before running it)
echo "" && sudo find /etc/cron* -type f -exec grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}|nc|netcat|bash -i|/bin/bash|python|perl|ruby|wget|curl' {} \; -exec stat -c "%A %y %n" {} \; && sudo find /var/spool/cron/crontabs -type f -exec grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}|nc|netcat|bash -i|/bin/bash|python|perl|ruby|wget|curl' {} \; -exec stat -c "%A %y %n" {} \; | grep -v '^\s*#'ls -la /home/*/ | grep ".bashrc"echo "" && sudo find / -name '*bashrc' -exec grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}|netcat|bash -i|/bin/bash|python|perl|ruby|wget|curl' {} \; -exec stat -c "%A %y %n" {} \;ps aux | grep -E "nc|netcat|bash -i|/bin/sh|python|perl|ruby|wget|curl|bash"ls -la /etc/systemd/systemjournalctl -xewwhokill -9 <PID>pkill <proc name>passwd <USER>Kick everyone out using bash (won’t work if they’re using other shells, potentially dangerous)
pkill bashThis might help you at some point
ssh user@ip -t /bin/shTools
‣
‣
‣
Slides
add slides here