Purple Team 2: Metasploit & Drupalgeddon


What You Need for This Project

Purpose

Practice using Google Cloud, Suricata, Splunk, Metasploit, and custom exploits in Python and Ruby.

Task 1: Creating Cloud Servers

Creating a Google Cloud Debian Server

If you made a Google Cloud Debian server previously, use that.

If you did not, follow these instructions:

Google Cloud Preparation

Creating an Image

First, you need to create a disk image from my public image, which is stored on the Google Cloud.

In Google Cloud Platform, on the left side, click "Compute Engine", Images, as shown below.

At the top center of the next page, click "CREATE IMAGE", as shown below.

As shown below, create an image using a Source of "Cloud Storage file" and a Cloud Storage file of:

gs://sams-images/purple1.tar.gz
Click Create. This took 5 minutes when I did it.

When the process finishes, your image appears in the Images list, as shown below.

Creating the Target Server

At the top left, click "VM instances".

In the top center, click "CREATE INSTANCE".

In the "Boot disk" section, click the Change button, as shown below.

In the "Boot disk" box, on the "Custom images" tab, select purple1, as shown below.

Click Select.

In the Firewall section, allow both HTTP and HTTPS traffic, as shown below.

Click Create.

When your server is created, it appears in the "VM instances" list, as shown below.

Testing Drupal

Find the "External IP" of your target server, as shown in the image above.

In a Web browser, open this URL, replacing the IP address with the correct address of your target server.

http://35.236.41.106
You should see a Drupal page, as shown below.

Starting Splunk

In the "VM instances" list, on the right side, on the line for your target server, click SSH to open a Terminal.

In the Terminal, execute this command to start Splunk:

sudo /opt/splunk/bin/splunk start
Splunk starts, as shown below.

Starting Suricata

On your Drupal target server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Testing Splunk

In a Web browser, open this URL, replacing the IP address with the correct address of your target server.

Note that this page uses port 443, but it does NOT use HTTPS.

http://35.236.41.106:443
You see the Splunk login page, as shown below.

Log in with these credentials:

If you see a message saying your license has expired, log out, log in again, and choose the "Free" license.

You see the Splunk home page, as shown below.

Testing Connectivity

In the "VM instances" list, on the right side, on the line for your Debian attack server, click SSH to open a Terminal.

In the Terminal, execute this command, replacing the IP address with the IP address of your target Drupal server:

ping -c 2 35.236.41.106
You should see replies, as shown below.

Sending Suspicious Traffic

In the "VM instances" list, on the right side, on the line for your Debian attack server, click SSH to open a Terminal.

In the Terminal, execute this command, replacing the IP address with the IP address of your target Drupal server:

curl -A "Hentai" 35.236.41.106
The source code for the main Web page loads, beginning with the HTML code shown below, and scrolling down for a few screens.

Viewing the Suricata Alert in Splunk

In your Splunk page, at the top left, click splunk>

On the left side, click "Search & Reporting".

In the lower center, click the "Data Summary" button.

In the "Data Summary" box, click the Sources tab. Several source files appear, as shown below.

In the "filter" box, enter sur

Several Suricata files appear, as shown below.

Click /var/log/suricata/fast.log.

You see an alert containing "Hentai", as shown below.
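Clicking through Splunk's Data Summary is one way to find the alert; the other is to read the file Suricata writes directly. The following added Python example (not part of the lab page, and not Suricata's or Splunk's own code) parses `fast.log` lines in the format Suricata writes by default, filters them by a search term the way the "Hentai" search above does, and counts alerts per source address. The sample log lines, addresses, SIDs and rule messages are constructed for the example, not taken from the lab's real sensor.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One Suricata fast.log line, in the stock fast.log format. Assumption: the lab's
# suricata.yaml keeps that output enabled, which the Splunk source list implies.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast.log line, else None."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], sid=int(m["sid"]), msg=m["msg"],
        classification=m["cls"] or "", priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def parse_fast_log(lines: Iterable[str]) -> List[Alert]:
    """Parse every line, skipping blanks and anything that is not an alert."""
    alerts = []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            alerts.append(a)
    return alerts


def find_alerts(alerts: Iterable[Alert], term: str) -> List[Alert]:
    """Case-insensitive substring search over the rule message, like the
    Splunk search for "Hentai" in the lab."""
    needle = term.lower()
    return [a for a in alerts if needle in a.msg.lower()]


def alerts_by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per source address: the first pivot when triaging a noisy sensor."""
    return dict(Counter(a.src for a in alerts))


# Constructed sample of what /var/log/suricata/fast.log could look like after the
# curl -A "Hentai" request and a later web probe. Addresses are documentation
# ranges, and the SIDs and rule messages are invented for this example.
SAMPLE_FAST_LOG = """\
04/13/2019-18:22:10.123456  [**] [1:1000001:1] LOCAL Suspicious User-Agent Hentai [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:43210 -> 10.128.0.2:80
04/13/2019-18:22:10.654321  [**] [1:1000001:1] LOCAL Suspicious User-Agent Hentai [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51000 -> 10.128.0.2:80
this line is not an alert and is skipped
04/13/2019-18:25:42.555555  [**] [1:1000002:1] LOCAL Drupal login form probe [**] [Priority: 1] {TCP} 203.0.113.10:43300 -> 10.128.0.2:80
"""


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG.splitlines())
    for a in find_alerts(alerts, "hentai"):
        print(f"{a.timestamp} sid={a.sid} {a.src}:{a.sport} -> {a.dst}:{a.dport} {a.msg}")
    print(alerts_by_source(alerts))
```

To run it against the real file on the target server, replace `SAMPLE_FAST_LOG.splitlines()` with the lines of `/var/log/suricata/fast.log`; the regex tolerates alerts whose rule has no `classtype`, which is why the Classification bracket is optional.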

Flag P2 1: "Hentai" Alert (20 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 2: Protecting Your Server

The vulnerable Drupal server will get hacked before long by automated attacks.

To prevent that, we'll configure the Google Cloud firewall to restrict access to only trusted IP addresses.

Finding your Public IP Address

In Google, search for

whats my ip

Your public IP appears, as shown below.

Make a note of it.

Adjusting the Firewall

In the Google Cloud Platform page, in the line for your Drupal server, on the right side, click the three-dot icon, and click "View network details", as shown below.

On the next page, on the left side, click "Firewall rules".

In the list of rules, click default-allow-http, as shown below.

In the "Firewall rule details" page, at the top center, click EDIT.

Adjust the Source IP range to only include the IP of your Debian attack server, and the public IP of your own computer, as shown below.

At the bottom of the page, click Save.
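Once the rule is saved, it is worth having a repeatable check that it really is narrow, because the same rule can be widened again later by anyone with console access. The following added Python example is not from the lab page or from Google's tooling: it audits a firewall rule expressed as a dictionary. The field names (`sourceRanges`, `allowed`, `IPProtocol`, `ports`) are an assumption modelled on what `gcloud compute firewall-rules describe --format=json` prints, and the addresses are documentation ranges standing in for the attack server and your own public IP.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed rule dictionaries, before and after the edit in the lab. The shape is an
# assumption based on gcloud's JSON output; only the idea (a name, a list of source
# CIDRs, a list of allowed protocol/port entries) matters for the audit.
BEFORE_RULE = {
    "name": "default-allow-http",
    "sourceRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
}
AFTER_RULE = {
    "name": "default-allow-http",
    "sourceRanges": ["203.0.113.10/32", "198.51.100.7/32"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
}
# Hosts that should reach the Drupal server: the attack VM and your own public IP
# (constructed values; substitute the addresses you noted earlier).
TRUSTED = ["203.0.113.10/32", "198.51.100.7/32"]


def _net(cidr: str) -> Network:
    # strict=False tolerates host bits set, e.g. "203.0.113.10/24" -> 203.0.113.0/24
    return ipaddress.ip_network(cidr, strict=False)


def is_within_trusted(cidr: str, trusted: List[str]) -> bool:
    """True if every address in cidr falls inside at least one trusted network."""
    net = _net(cidr)
    for t in trusted:
        tnet = _net(t)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def audit_rule(rule: Dict, trusted: List[str], max_v4_prefix: int = 24) -> List[str]:
    """Return a list of findings for an ingress rule; an empty list means it passes."""
    findings = []
    name = rule.get("name", "<unnamed>")
    ranges = rule.get("sourceRanges", [])
    if not ranges:
        findings.append(f"{name}: no sourceRanges set")
    for cidr in ranges:
        net = _net(cidr)
        if net.prefixlen == 0:
            findings.append(f"{name}: {cidr} allows the whole Internet")
        elif net.version == 4 and net.prefixlen < max_v4_prefix:
            findings.append(f"{name}: {cidr} is broader than /{max_v4_prefix}")
        if not is_within_trusted(cidr, trusted):
            findings.append(f"{name}: {cidr} is not inside any trusted range")
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "")
        # A tcp/udp entry with no port list means every port is open to the sources.
        if proto in ("tcp", "udp") and not entry.get("ports"):
            findings.append(f"{name}: {proto} allowed on all ports")
    return findings


if __name__ == "__main__":
    for label, rule in (("before", BEFORE_RULE), ("after", AFTER_RULE)):
        findings = audit_rule(rule, TRUSTED)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The same change can be made without the console with `gcloud compute firewall-rules update default-allow-http --source-ranges=...` (a real gcloud command, not shown in the lab); piping `gcloud compute firewall-rules describe default-allow-http --format=json` into `audit_rule` gives you a check you can rerun after every edit.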

Flag P2 2: Firewall Rule (5 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 3: Drupalgeddon Attack

On your Debian attack server, copy code from this page into a file named "dru":

https://github.com/kenorb/drupageddon/blob/master/drupal_7.x_sql_injection_sa-core-2014-005.py

Then copy code from this page into a file named "drupalpass.py":

https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

Use chmod to make "dru" executable and send some attacks to your target server, as shown below.

Detecting the Attack

In Splunk, find the Suricata alert shown below.

Flag P2 3: Drupalgeddon Alert (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 4: Drupalgeddon 2 Attack

On your Debian attack server, use this attack to exploit your target:

https://github.com/dreadlocked/Drupalgeddon2

You will have to install Ruby and resolve a missing dependency.

Attack your target server, as shown below.

Recording Your Success

In Splunk, find the Suricata alert shown below. The flag is the text covered by a green box. Enter that flag into the scoring engine to record your success.

Flag P2 4: Drupalgeddon 2 Alert (20 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 5: Resizing your Disk

To add more Splunk modules, we'll need a larger hard disk.

On the purple1 machine, in an SSH session, execute these commands to see the current disk space and begin a proper shutdown:

df -h
sudo halt

If it's taking too long, which it did for me, force a shutdown from the "VM instances" page.

In Google Cloud Platform, on the left side, click "Compute Engine", Disks.

Click on the purple1 disk, and then, at the top, on EDIT.

Change the disk size from 10 to 20 GB, as shown below.

Flag P2 5: Disk Type (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Restarting your Server

In Google Cloud Platform, start the purple1 server.

Run the df -h command and verify that the disk has more space, as shown below.

Restarting Suricata and Splunk

Restart Suricata and Splunk.

Task 6: Adding Splunk Stream

Go here:

https://splunkbase.splunk.com/app/1809/

Log in to a Splunk account. Download the splunk-stream_712.tgz file.

At the top left of Splunk, click "splunk>"

At the top left, click the gear icon. The Apps page opens, as shown below.

At the top right, click "Install app from file".

Click "Choose File" and browse to the splunk-stream_712.tgz file.

Click Upload.

After a few minutes, you are prompted to restart Splunk. Do that.

Now Splunk has stream data, as shown below.

Flag P2 6: Splunk Stream (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 7: Installing Metasploit

Install Metasploit on your Debian attack server, as explained here:

https://computingforgeeks.com/how-to-install-metasploit-framework-on-ubuntu-18-04-debian-9/

Execute these commands to start Metasploit and search for drupal attacks:

msfconsole
search drupal
Drupalgeddon and drupalgeddon2 are both available, as shown below.

Flag P2 7: Metasploit (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 8: Drupalgeddon via Metasploit

Use Metasploit to perform a Drupalgeddon attack, as shown below.

In the meterpreter session, execute these commands:

shell
curl http://ad.samsclass.info
In Splunk, search for
ad.samsclass.info
as shown below.

Flag P2 8: Source (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Posted 4-13-19
Switched to Sam's scoring engine 4-14-19
Scoring engine removed for WCIL 5-20-19
Flag labels improved 8-8-19
Search term for task 7 corrected to "drupal" 8-8-19
Free Splunk license process added 8-8-19