Sunday, July 5, 2020

Openfaas and infosec uses

OpenFaaS:

OpenFaaS is a function as a service project that can be self-hosted, much like AWS Lambda or Google Functions. Essentially, instead of writing a full project that does various things, you write and maintain functions instead. OpenFaaS can be deployed with Docker Swarm, Kubernetes, and OpenShift.

OpenFaaS documentation is pretty clean and easy to understand. To use it, you need either Docker Swarm, Kubernetes, or OpenShift. Once you deploy OpenFaaS, you need to create a function and deploy it. There are several ways to supply data to the function, one of them is via http requests.

You can use function in sync or async way, without modifying any code at all. You just modify the URL you're sending the http requests too. In addition to that, OpenFaaS will do scaling on its own. If you're using a function a lot and OpenFaaS will spin up containers for that specific function automatically. It's also possible to utilize ci/cd with OpenFaaS to ensure that deploying changes to functions is easy and quick.

I've been mainly experimenting with OpenFaaS on Vultr but it's also possible to play with it in Docker Playground.

Infosec use cases:

I looked through some of my past projects and I can see myself using OpenFaaS if I were to rewrite them. For example, file analysis. It is possible to combine OpenFaaS with other technologies such as Redis (to keep track of operations) and Minio (to allow download/upload of files/artifacts inside of functions) to analyze malicious files or extract metadata from files. In addition to this, you can also implement machine learning and analyze features of a bunch of PE files in a function and return info about if they are malicious or not.

Another use case is analyzing phishing links. I wrote a golang project that takes links from phishtank and splits them into more URLs recursively and checks each URL to see if there is an open directory. It's possible to completely implement this with OpenFaaS. For example, you can send phishtank data to OpenFaaS function every 8 hours and split each link into multiple URLs, send URLs to another function to detect open directory, finally send the URLs that have open directory to another function that downloads files (this would be phishing kit zip files in most cases) from the open directory.

Log analysis or enrichment is another use case. For example, if you were receiving logs about remote sign-ins, you could send the logs in batches or individually to a function or functions to extract IP and do log enrichment based on API lookups for the IP or finding geolocation.

OpenFaaS can be useful for doing analysis of forensic artifacts. If you're working an incident and need to analyze artifacts from hundreds of computers, you can collect the evidence, throw it in Minio, have a bunch of functions to analyze the evidence, maybe even send the output to another set of functions for enrichment before sending the final evidence to storage or SIEM.



I discovered the OpenFaaS project earlier this month and it has been fun to play with and I can see myself using it a lot. Being able to deploy and maintain specific functions instead of a huge application is much easier for me. Also not having to write code that's threaded and OpenFaaS doing automated scaling is very nice.

Links:

https://www.openfaas.com/
https://docs.openfaas.com/deployment/
https://docs.openfaas.com/reference/triggers/
https://docs.openfaas.com/reference/async/
https://docs.openfaas.com/reference/cicd/intro/
https://www.vultr.com/docs/deploying-openfaas-using-docker-swarm
https://docs.openfaas.com/deployment/play-with-docker/
https://redis.io/
https://min.io/
https://www.phishtank.com/
https://blog.alexellis.io/openfaas-storage-for-your-functions/
https://youtu.be/XiagsmRVoNY

https://www.vultr.com/?ref=7127410 (Affiliate link...)

Saturday, April 25, 2020

Vulnhub VMs and guide/hints

I released some VM's on Vulnhub almost a month ago.


This post has guide/hints for those VM's.

Cloud Antivirus/Cloud AV:
1. Start by port scanning your network and locate the Easy Cloud AV VM’s IP address.
a. Port 22 and 8080 should be open and the MAC address should be: 08:00:27:BA:A5:BA
2. Do an Aggressive nmap scan on the target IP address and find out what services are running.
3. Visit the web server running on the target IP
4. You were not provided an Invite code. Bypass the Invite code page.
a. Input data in the invite form field to cause an error on the web server
b. Read the error messages and craft input to bypass the invite code page
5. Get command line injection on the scanner page
a. Based on scanner output, determine what the input could have been
b. Inject your own commands
c. To make sure command execution works, cat /etc/hostname
i. Output from it will be “cloudav”
6. Gather information about the users
a. View linux files that could contain user information
7. Brute force port 22/SSH
a. Use the gathered usernames to build a list of usernames and passwords
b. Use the list for brute forcing port 22/SSH
8. Examine home directory of users and exploit vulnerable application to get root
a. Examine the left behind source code
b. Determine how to inject commands
c. Inject commands to gain root privileges!

Socnet/social network:
Goal: Get root privilege on the machine (hostname: socnet)
1. Start by port scanning. Locate socnet VM’s IP address.
a. Port 22 and 5000 should be open. Mac address should be: 08:00:27:A6:E2:EC
2. Do an aggressive nmap scan on the target IP and find out which services are running
3. Visit the webpage on the target IP
a. Examine it for any vulnerabilities
4. Use dirb to scan the website for hidden pages
5. Use the input on the hidden page to test code
a. https://www.geeksforgeeks.org/exec-in-python/
b. Try Python’s time.sleep module and see if website will take sleep and take longer to
respond. Try 5 second sleep then 10 second sleep to observe different response times.
6. Abuse to the code testing functionality to get a reverse shell
a. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
7. Setup a more stable reverse shell with meterpreter
a. https://netsec.ws/?p=331
b. Create the reverse shell binary
c. Transfer the binary to target machine using a webserver on the attacker machine and
running wget on the target machine
d. Use metasploit to handle meterpreter reverse shell
8. Utilize the ‘arp’ command in meterpreter to look for other machines on the target network
9. Utilize the ‘ifconfig’ command in meterpreter to get targets network information
10. Using metasploit, setup a route via meterpreter session
11. Utilize auxiliary/scanner/portscan/tcp to scan other machines on the target network
12. Google open ports and find out what they’re used for
13. Utilize meterpreter session to do port forwarding from your local machine to the machine with
port 9200 open
14. Utilize curl and query machine with port 9200 open and find what’s running on it, including any
version numbers
15. Exploit the service running on port 9200
a. Search for an exploit that works against version of service running on 9200
b. Utilize the exploit and gain shell access
c. Examine / directory for interesting files
16. Utilize passwords file collected from machine with port 9200 open, crack the passwords, and
build a username and password list
a. https://crackstation.net/
17. Attack SSH running on the target machine with the username and password list
18. After logging in successfully on the target machine via SSH, gather machine information
a. Get OS info
b. Get kernel info
c. Arch info (64bit or 32bit)
19. Use privesc exploit to get root privs
a. Utilize collected info to search for privesc exploits
b. Compile the privesc exploits and transfer the compiled files to target system using SCP
c. Execute the exploits to finally get root privs

Socnet2/social network 2:
Goal: Get root privilege on the machine
1. Start by port scanning and locating socnet2 VM.
a. Port 22, 80, and 8000 should be open. Mac address should be: 08:00:27:e9:e5:e6
2. Do an aggressive nmap scan and find more information about the services running
3. Visit webservers
4. Visit webserver on port 80 and examine it
a. Sign up
b. Explore the site
c. Look for any issues
5. Get a backdoor on the webserver
a. Utilize file upload functionality to get a backdoor on the webserver
b. Run the backdoor
6. Utilized the backdoor to find more information about whats running on port 8000
a. Examine the file system, processes
b. Be sure to read social network posts as well
7. Abuse the service running on port 8000 to get another shell
a. Examine the source code for the service running on port 8000
b. Write a custom tool/script to gain shell through service running on port 8000
i. https://docs.python.org/2/library/xmlrpclib.html
8. Load a meterpreter backdoor on the victim machine and utilize it to examine files in the users
directory
9. Write an exploit for SUID binary
a. Find the SUID binary in the user folder
b. Binary includes a backdoor function
i. https://github.com/radareorg/cutter
c. Download the binary, use a debugger, and different inputs to trigger a crash and control
the EIP
d. Create a working exploit that launches backdoor function
10. Put the exploit on victim machine and exploit the SUID binary to get root

Moriarty Corp:
Goal: Get all the flags

No guide or hints. Sorry.