Rangeforce -Identifying Linux IOCs-
Author: Stefan Waldvogel
Use a RangeForce lab to brush up your blue skills
Introduction
Many people are moving into Cybersecurity or think about it. I am writing this article for people without blue knowledge but interested in Cybersecurity. I will show you one small part of doing a job as a Security Analyst (SOC) with a RangeForce lab. It is not a classic review.
What do you need to follow:
If you are a student, you can spend $150 (pricing is constantly changing) to sign-up for all RangeForce modules or purchase the SOC 2 battle path. The $150 looks pretty expensive, but you get access to over 420 similar modules and labs.
Free alternative:
free RangeForce Community Edition
This edition offers 21 free labs. I recommend to do these free modules first if you like the style; great. If not, pick an alternative like INE or Security Blue Team (Junior Analyst / BTL1).
Additional resources:
If you have questions about the module or RangeForce, you can find me here:
Unofficial RangeForce discord
Matching module name:
SOC 2 path – Identifying Linux IOCs
This module is part of the SOC 2 battle path.
The goal:
This article is an alternative to the official solution and shows advanced tools to get the most out of a Linux system. I have the skills to work as pentester; therefore, you see tools that I would use on the offensive side to find exciting things. On the blue side, you can use the same tools to reach your goal.
This is an important lesson. If you want to work in Cybersecurity, you can quickly transfer your knowledge between the red and the blue side. People are hyped about the red side, but switching is straightforward. If you have OSCP, eCPPT or you played with tryhack.me, HTB, etc.; this gives you an advantage on the blue side, too.
Hunting for IOCs (indication of compromise)
Task 1:
The CrypominerA Crypominer needs many CPU power, and the system is low. This kind of “malware” is easy to find.
sudo su
My favorite tool is HTOP, because I like colors. I can sort via a mouse click and see the full path.
Many people are moving into Cybersecurity or think about it. I am writing this article for people without blue knowledge but interested in Cybersecurity. I will show you one small part of doing a job as a Security Analyst (SOC) with a RangeForce lab. It is not a classic review.
What do you need to follow:
If you are a student, you can spend $150 (pricing is constantly changing) to sign-up for all RangeForce modules or purchase the SOC 2 battle path. The $150 looks pretty expensive, but you get access to over 420 similar modules and labs.
Free alternative:
free RangeForce Community Edition
This edition offers 21 free labs. I recommend to do these free modules first if you like the style; great. If not, pick an alternative like INE or Security Blue Team (Junior Analyst / BTL1).
Additional resources:
If you have questions about the module or RangeForce, you can find me here:
Unofficial RangeForce discord
Matching module name:
SOC 2 path – Identifying Linux IOCs
This module is part of the SOC 2 battle path.
The goal:
This article is an alternative to the official solution and shows advanced tools to get the most out of a Linux system. I have the skills to work as pentester; therefore, you see tools that I would use on the offensive side to find exciting things. On the blue side, you can use the same tools to reach your goal.
This is an important lesson. If you want to work in Cybersecurity, you can quickly transfer your knowledge between the red and the blue side. People are hyped about the red side, but switching is straightforward. If you have OSCP, eCPPT or you played with tryhack.me, HTB, etc.; this gives you an advantage on the blue side, too.
Hunting for IOCs (indication of compromise)
Task 1:
The CrypominerA Crypominer needs many CPU power, and the system is low. This kind of “malware” is easy to find.
- ssh student@server
- where is it,
- can we stop it and
- why is this miner on this machine?
sudo su
My favorite tool is HTOP, because I like colors. I can sort via a mouse click and see the full path.
We have “two” miners with two different PIDs on this machine. We have to write down both PIDs and the path. If the VTA does not give you a green flag, try the second option.
HTOP allows you to kill the process right away, but that might not always work as expected. An intelligent hacker will restart the service. For this reason, we follow the official guide.
The VTA will ask you for the md5 hash. You can use VirusTotal to find out more about the file.
In this case, this will not work because the md5 hash is not known. With could work in a natural environment, you get more information about the software.
Task 2: The backdoor
The machine has a miner, and therefore an attacker had access to the machine. A miner is a big problem, but a backdoor is a bigger problem.
Bonus task, enumeration with LinEnum:
As a pentester, you start with enumeration, and the blue side is not very different. We are sitting on a machine, and we have no idea about it. We can use linenum to get more details about the system.
We can use the commands:
The script does not give you the things that we are looking for, but it is easy to see we have a vulnerable machine. We have access to ssh keys, the shadow file (stored password hashes), and much more.
Enumeration with linPEAS
To get more information, we can use LinPEAS. This tool is bigger and offers more data about the system and, most importantly, the network. Download LinPEAS to the server with:
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
Switch the folder with:
The relevant output looks like this:
HTOP allows you to kill the process right away, but that might not always work as expected. An intelligent hacker will restart the service. For this reason, we follow the official guide.
The VTA will ask you for the md5 hash. You can use VirusTotal to find out more about the file.
In this case, this will not work because the md5 hash is not known. With could work in a natural environment, you get more information about the software.
Task 2: The backdoor
The machine has a miner, and therefore an attacker had access to the machine. A miner is a big problem, but a backdoor is a bigger problem.
Bonus task, enumeration with LinEnum:
As a pentester, you start with enumeration, and the blue side is not very different. We are sitting on a machine, and we have no idea about it. We can use linenum to get more details about the system.
We can use the commands:
- git clone https://github.com/rebootuser/LinEnum.git
- cd LinEnum
- ./LinEnum.sh -s -k xmrig -r report -e /home/student/LinEnum/ -t
The script does not give you the things that we are looking for, but it is easy to see we have a vulnerable machine. We have access to ssh keys, the shadow file (stored password hashes), and much more.
Enumeration with linPEAS
To get more information, we can use LinPEAS. This tool is bigger and offers more data about the system and, most importantly, the network. Download LinPEAS to the server with:
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
Switch the folder with:
- cd privilege-escalation-awesome-scripts-suite/linPEAS
- ./linpeas.sh -a > /home/student/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.txt
- less -r linpeas.txt
The relevant output looks like this:
Here, we see a lot of exciting things. The red ones are usually problems, but it could be a unique lab configuration. We ignore it.
We know the miner’s name: xmrig
The line looks interesting:
With Nmap, we can confirm the open port on 10348. If you want to try Nmap, you can install it on the lab machine with:
sudo apt install nmap
We know the miner’s name: xmrig
The line looks interesting:
- 192.168.6.2:47496 54.37.7.208:3333 996/xmrig
With Nmap, we can confirm the open port on 10348. If you want to try Nmap, you can install it on the lab machine with:
sudo apt install nmap
Nmap is a very powerful scanner. Here we use the commands -p to set the ports, -T4 is fast speed, and -Pn gives us a better result if a port does not respond.
Investigation
We open port was connected to the PID 995, and linPEAS has some information about that:
Investigation
We open port was connected to the PID 995, and linPEAS has some information about that:
The attacker was lazy and put everything together. The first line gives us more details about a running bash script. If we deal with malware, we have to investigate everything:
You find more, and you can check the config file to see if you find more details about the malware. Here, it is a monero miner, and you see a username.
- /etc/rc.local
- /tmp/.junk
- /usr/share/.xmrabbit
You find more, and you can check the config file to see if you find more details about the malware. Here, it is a monero miner, and you see a username.
Finish the lab and if you do not get a green flag, make sure you removed the folders. Remove everything, but not too much.
Conclusion
You can do so much with the RangeForce labs. If you have access to the labs, do not rush. You will learn the most if you try new things and different paths. Technically, you can pick a random lab and try to get the most out of it. The labs are very open, and it is very convenient to use and practice new tools with internet access.
I am a massive fan of these labs, and to me, it is just fun.
If you do not have a job and access these labs, do the labs and write articles about them. The reason is simple. If you write a brief essay, you will remember things much better, and people see what you are doing. It is hard to get a job in Cybersecurity, but you have a higher chance of getting a job if you have hands-on.
Disclaimer:
RangeForce granted me free access to all modules, got the SOC 1 and the SOC 2 badge, and I did 112 modules so far.
Hint: You need permission to write such an article or a walk-through if you use RangeForce.
Conclusion
You can do so much with the RangeForce labs. If you have access to the labs, do not rush. You will learn the most if you try new things and different paths. Technically, you can pick a random lab and try to get the most out of it. The labs are very open, and it is very convenient to use and practice new tools with internet access.
I am a massive fan of these labs, and to me, it is just fun.
If you do not have a job and access these labs, do the labs and write articles about them. The reason is simple. If you write a brief essay, you will remember things much better, and people see what you are doing. It is hard to get a job in Cybersecurity, but you have a higher chance of getting a job if you have hands-on.
Disclaimer:
RangeForce granted me free access to all modules, got the SOC 1 and the SOC 2 badge, and I did 112 modules so far.
Hint: You need permission to write such an article or a walk-through if you use RangeForce.
© 2021. This work is licensed under a CC BY-SA 4.0 license