{"id":168,"date":"2024-01-24T19:14:56","date_gmt":"2024-01-24T19:14:56","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=168"},"modified":"2024-04-16T20:55:27","modified_gmt":"2024-04-17T01:55:27","slug":"tryhackme-bulletproof-penguin","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-bulletproof-penguin\/","title":{"rendered":"TryHackMe: Bulletproof Penguin"},"content":{"rendered":"\n

Bulletproof plugin<\/a>\u00a0is an easy room that deals with hardening security on the common services that run on a Linux machine. This room covers services such as FTP, MySQL, Redis, SSH, etc., and how their configurations can be changed to secure them from unauthorized access.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Our goal in each task is to make appropriate changes to the services running to get flags. To get a flag after each task is completed, we need to run the command \u2018get-flags\u2019 as shown below.<\/p>\n\n\n\n

First, we need to connect to the machine via SSH using the credentials provided to us:<\/p>\n\n\n\n

username: thm password: p3ngu1n<\/code><\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Task 1: Redis Server No Password<\/mark><\/h2>\n\n\n\n

By running NMAP, we need to find out if Redis is running on the machine.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n

We can now try to connect to the Redis <\/em><\/strong><\/mark>server. We are being instructed that\u00a0redis<\/em>\u00a0can be accessed without authentication.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

As we can see, the\u00a0requirepass<\/em>\u00a0<\/strong><\/mark>field is blank. Our task is to assign a password to avoid unauthorized access<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

After changing the password, we are asked to authenticate.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\n

For some reason, I was not able to retrieve the flag after making this change. So I decided to change the config file.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n

<\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

We need to restart the service for the changes to take effect.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Task 2: Report Default Community Names of the SNMP Agent<\/mark><\/h2>\n\n\n\n

Our task here is to change the community name for the SNMP. Let\u2019s run\u00a0snmpwalk<\/em><\/strong>\u00a0<\/mark>with using the string\u00a0public.<\/em><\/strong><\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n

Let\u2019s change the string to something hard to guess.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n

Now, we need to restart the service and get our flag.<\/p>\n\n\n\n

<\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Task 3: Nginx Running as Root<\/mark><\/h2>\n\n\n\n

Nginx should not be running as root. An attacker can compromise the web server and gain root privileges. The existing www-data account must be used instead which has low privileges.<\/p>\n\n\n\n

Our task here is to change the user account from root to www-data<\/em><\/strong><\/mark>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n

We will replace the user root with www-data and restart the service.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Task 4: Cleartext Protocols<\/mark><\/h2>\n\n\n\n

For this task, we are required to:<\/p>\n

    \n
  • Take down the telnet service<\/li>\n
  • Take down the service in port 69\/udp<\/li>\n<\/ul>\n<\/div>\n\n\n\n

    Let\u2019s check what is running on port 69.<\/p>\n\n\n\n

    <\/div>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/div>\n\n\n\n

    Now we need to disable the\u00a0telnet<\/em><\/strong>\u00a0<\/mark>and\u00a0tftp<\/em><\/strong>\u00a0<\/mark>on the server. As can be seen from the below output, we need to make changes to the\u00a0inetd<\/em><\/strong>\u00a0<\/mark>config file.<\/p>\n\n\n\n

    <\/div>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/div>\n\n\n\n

    We will just comment on the lines highlighted in the below screenshot<\/p>\n\n\n\n

    <\/div>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/div>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/div>\n\n\n\n

    Task 5: Weak SSH Crypto<\/mark><\/h2>\n\n\n\n

    Our task is to disable all of the reported weak algorithms currently available to the SSH service<\/p>\n\n\n\n

      \n
    • Disable the reported weak KEX algorithm(s)<\/li>\n\n\n\n
    • Disable the reported weak encryption algorithm(s)<\/li>\n\n\n\n
    • Disable the reported weak MAC algorithm(s)<\/li>\n<\/ul>\n\n\n\n
      <\/div>\n\n\n\n
      <\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
      diffie<\/span>-<\/span>hellman<\/span>-<\/span>group1<\/span>-<\/span>sha1<\/span><\/span>\n3des<\/span>-<\/span>cbc<\/span><\/span>\naes128<\/span>-<\/span>cbc<\/span><\/span>\naes256<\/span>-<\/span>cbc<\/span><\/span>\nhmac<\/span>-<\/span>md5\u2013<\/span>96<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
      <\/div>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      <\/div>\n\n\n\n
      After removing the highlighted items from the configuration file, we will restart the service.<\/p>\n\n\n\n
      <\/div>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      <\/div>\n\n\n\n
      Task 6: Anonymous FTP Logging<\/mark><\/h2>\n\n\n\n
      Our goal here is to disable Anonymous login via FTP on the machine. To do this we will need to edit the vsftpd <\/mark>configuration file. All we need to do is change the Value from\u00a0YES<\/em><\/strong>\u00a0<\/mark>to NO.<\/em><\/strong><\/p>\n\n\n\n
      <\/div>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      <\/div>\n\n\n\n
      Task 7: Weak Passwords<\/mark><\/h2>\n\n\n\n
      In this task, we need to make the following changes:<\/p>\n\n\n\n
        \n
      • Change passwords for users\u00a0mary<\/em><\/strong>\u00a0<\/mark>and\u00a0munra<\/em><\/strong>\u00a0<\/mark>to something complex so that it is hard to guess and not not easily brute-forced<\/li>\n\n\n\n
      • Remove accounts\u00a0joseph<\/em><\/strong>\u00a0<\/mark>and\u00a0test1<\/mark><\/em><\/strong><\/li>\n<\/ul>\n\n\n\n
        <\/div>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        <\/div>\n\n\n\n
        Next, we will delete the accounts from the machine<\/p>\n\n\n\n
        <\/div>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        <\/div>\n\n\n\n
        Task 8: Review SUDO Permissions<\/mark><\/h2>\n\n\n\n
        Here, we are required to do the following tasks:<\/p>\n\n\n\n
          \n
        1. Revoke all sudo privileges from user\u00a0munra<\/mark><\/em><\/strong>.<\/li>\n\n\n\n
        2. The user\u00a0mary<\/em><\/strong>\u00a0<\/mark>must be able to run the\u00a0\/usr\/bin\/ss<\/em><\/strong><\/mark>\u00a0command as root. When doing so, she must NOT be asked for her password. Assign the corresponding sudo privileges.<\/li>\n<\/ol>\n\n\n\n
          To revoke munra\u2019s SUDO privileges, we need to comment out the highlighted line. And add a line (see below screenshot) to give mary SUDO permissions on \/usr\/bin\/ss binary.<\/p>\n\n\n\n
          \n
          It is very important that we use the below command to make changes. Also, we need to make sure the syntax we are using to add anything to the file is correct otherwise it will break the file and can cause a lot of problems.<\/p>\n<\/blockquote>\n\n\n\n
          sudo visudo<\/strong><\/mark><\/h3>\n\n\n\n
          <\/div>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/div>\n\n\n\n
          To verify, you can try running the binary as sudo while logged in as mary.<\/p>\n\n\n\n
          <\/div>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/div>\n\n\n\n
          Task 9: Exposed Database Ports<\/mark><\/h2>\n\n\n\n
          In this task, we are required to:<\/p>\n\n\n\n
          1. Modify the MySQL\u2019s service configuration to bind port 3306 to 127.0.0.1 (localhost) only
          2. Modify the Redis\u2019 service configuration to bind port 6379 to 127.0.0.1 (localhost) only<\/p>\n\n\n\n
          First, let\u2019s change the bind-address in the MySQL config file to local host only.sudo nano \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/p>\n\n\n\n
          <\/div>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/div>\n\n\n\n
          Now, we can restart the sshd.service and fetch our flag<\/p>\n\n\n\n
          Next, we need to make the same change to the Redis configurationsudo nano \/etc\/redis\/redis.conf<\/p>\n\n\n\n
          <\/div>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/div>\n\n\n\n
          Restart the redis service to get the final flag<\/p>\n\n\n\n
          <\/div>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/div>\n\n\n\n
          We may know how to abuse these misconfiguration but at the same time, we also need to know how to fix them. This room clearly showcases how a simple misconfiguration can lead to the compromise of the machine, how a simple change can prevent unauthorized access, and why managing system user accounts regularly is so important.<\/p>\n\n\n\n
          Hope you liked this walkthrough. Thanks for reading \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
          Bulletproof plugin\u00a0is an easy room that deals with hardening security on the common services that run on a Linux machine. This room covers services such as FTP, MySQL, Redis, SSH, etc., and how their configurations can be changed to secure them from unauthorized access. Our goal in each task is to make appropriate changes to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,11,13,12],"tags":[],"class_list":["post-168","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-ctf-write-ups","category-linux","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":103,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/","url_meta":{"origin":168,"position":0},"title":"TryHackMe: Umbrella","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Umbrella from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":422,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/05\/tryhackme-kitty\/","url_meta":{"origin":168,"position":1},"title":"TryHackMe: Kitty","author":"ishsome","date":"February 5, 2024","format":false,"excerpt":"Kitty from TryHackMe is a Linux machine running a web application with security vulnerabilities. We are tasked with finding the vulnerabilities and exploiting them to gain root privileges on the machine. NMAP We have only two ports open 22 for SSH and HTTP port 80. \u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/Kitty] \u2514\u2500$ nmap -p22,80 10.10.113.181\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":447,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/","url_meta":{"origin":168,"position":2},"title":"TryHackMe: Red Team Capstone Challenge","author":"ishsome","date":"February 18, 2024","format":false,"excerpt":"The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact.\u2026","rel":"","context":"In "Active Directory"","block_context":{"text":"Active Directory","link":"https:\/\/blog.ishsome.com\/index.php\/category\/active-directory\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":359,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/28\/tryhackme-reset\/","url_meta":{"origin":168,"position":3},"title":"TryHackMe: Reset","author":"ishsome","date":"January 28, 2024","format":false,"excerpt":"Reset is a Windows machine that is part of a domain and consists of many misconfigurations. Our goal is to perform a Pentest as a Red Teamer and exploit the misconfigurations to become the Administrator on the machine. We will begin our enumeration with NMAP as usual. NMAP \u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Windows-Boxes\/Reset] \u2514\u2500$\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-51.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":625,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/05\/09\/cve-2023-33831\/","url_meta":{"origin":168,"position":4},"title":"CVE-2023-33831","author":"ishsome","date":"May 9, 2024","format":false,"excerpt":"This vulnerability allowed remote command execution (RCE) vulnerability in the \/api\/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. This is due to lack of control or sanitization on inputs that can be controlled by users, thus allowing the use of dangerous methods\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":638,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/06\/15\/palo-alto-firewall-initial-configuration\/","url_meta":{"origin":168,"position":5},"title":"Palo Alto Firewall: Initial Configuration","author":"ishsome","date":"June 15, 2024","format":false,"excerpt":"Embarking on the path to becoming a Network Security Engineer or already a seasoned Network Engineer interested in mastering Palo Alto firewalls? You've come to the right place. In this blog, we delve into the essential steps of configuring a Palo Alto firewall in EVE-NG, focusing on the initial setup.\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=700%2C400&ssl=1 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=168"}],"version-history":[{"count":6,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/168\/revisions"}],"predecessor-version":[{"id":207,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/168\/revisions\/207"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}