Building the BoKS Puppet module

2016-04-20 20:35:00

Yesterday I published the BoKS Puppet module on Puppet Forge! So far I've sunk sixty hours into making a functional PoC, which installs and configures a properly running BoKS client. I would like to thank Mark Lambiase for offering me the chance to work on this project as a research consultant for FoxT. I'd also like to thank Ger Apeldoorn for his coaching and Ken Deschene for sparring with me. 

BoKS Puppet module at the Forge.

In case anyone is curious about my own build process for the Puppet module, I've kept a detailed journal over the past few months which has now been published as a paper on our website -> Building the BoKS Puppet module.pdf

I'm very curious about your thoughts on it all. I reckon it'll make clear that I went into this project with only limited experience, learning as I went :)

kilala.nl tags: work, sysadmin,

View or add comments (curr. 0)

A very productive week: BoKS, Puppet and security

2016-04-17 00:28:00

I have had a wonderfully productive week! Next to my daily gig at $CLIENT, I have rebuilt my burner laptop with Kali 2016 (after the recent CTF event) and I have put eight hours into the BoKS Puppet module I'm building for Fox Technologies.  

The latter has been a great learning experience, building on the training that Ger Apeldoorn gave me last year. I've had a few successes this week, by migrating the module to Hiera and by resolving a concurrency issue I was having.

With regards to running Kali 2016 on the Lenovo s21e? I've learned that the ISO for Kali 2016 does not include the old installer application in the live environment. Thus it was impossible to boot from a USB live environment to install Kali on /dev/mmcblk1pX. Instead, I opted to reinstall Kali 2, after which I performed an "apt-get dist-upgrade" to upgrade to Kali 2016. Worked very well once I put that puzzle together.

kilala.nl tags: work, sysadmin,

View or add comments (curr. 0)

CTF036 security event in Almere

2016-04-01 19:01:00

A few weeks ago Almere-local consulting firm Ultimum posted on LinkedIn about their upcoming capture the flag event CTF036. Having had my first taste of CTF at last fall's PvIB event, I was eager to jump in again! 

The morning's three lectures were awesome!

• Neelen & van Duijn's talk on boobytrapping your network was fun to theorycraft new ideas, while it also gave me a blast of nostalgia: their three ideas of making attrictive fake hosts, fake admin-users and fake files all reminded me of Clifford Stoll's "The Cuckoo's Egg" where the exact same ideas were applied to catch a CCC-hacker in the early eighties. 
• Tong Sang's talk on bruteforcing RFID badges might not have resulted in a practical attack vector, but it still gave a nice look into the workings of RFID access systems.
• Schuijlenburg gave an interesting look into "mobile forensics" as performed by the dutch, military police. Good stuff!

The afternoon's CTF provided the following case (summarized): "De Kiespijn Praktijk is a healthcare provider whom you are hired to attack. Your goal is to grab as many of their medical record identifiers as you can. Based on an email that you intercepted you know that they have 5 externally hosted servers, 2 of which are accessible through the Internet. They also have wifi at their offices, with Windows PCs." The maximum score would be achieved by grabbing 24 records, for 240 points. 

I didn't have any illusions of scoring any points at all, because I still don't have any PenTesting experience. For starters, I decided to start reconnaissance through two paths: the Internet and the wifi. 

As you can see from my notes it was easy to find the DKP-WIFI-D (as I was on the D-block) MAC address, for use with Reaver to crack the wifi password. Unfortunately my burner laptop lacks both the processing power and a properly sniffing wlan adapter, so I couldn't get in that way. 

I was luckier going at their servers:

• Their website was found at www.dekiespijnpraktijk.nl, at 172.20.16.15. It runs on Drupal, which included a forum (which in turn allowed HTML comments). 
• Digging the DNS server for dekiespijnpraktijk.nl found aliases like ns1 and mta for that IP. An nmap scan showed ssh, dns, http, squid and webmin.
• A ping sweep across that IP range also found 172.20.16.25 which apparently didn't have DNS records, but turned out to be running their IMAP and POP, as well as Squirrelmail webmail. 
• The second server ran ssh, ftp, www, imap and pop.
• From their forums I ascertained that there were at least four verified user accounts: Sanne (an employee) and patients Remon, Barry and Marijke. I couldn't register a new account. 
• Firing up Metasploit allowed me to use an exploit on the .25 hosts's ProFTPd, to immediately get root access. BAM! GREAT!
• On the .25 host I found:

1. Sanne's home directory, which actually contained a text file with "important patients". BAM! Three medical records!!
2. The /etc/shadow file had an easily crackable password for user Henk. Unfortunately that username+password did not let me access the .15 server through SSH or Webmin.
3. Sanne has a mailbox! In /home/vmail I found her mailbox and it was receiving email! I used the Drupal site's password recovery to access her Drupal account. 

I didn't find anything using Sanne's account on the Drupal site. But boy was I wrong! 16:00 had come and gone, when my neighbor informed me that I simply should have added q=admin to Sanne's session's URL. Her admin section would have given me access to six more patient records! Six! 

Today was a well-spent day! My first time using Metasploit! My first time trying WPA2 hacking! Putting together a great puzzle to get more and more access :) Thanks Ultimum! I'm very much looking forward to next year's CTF!

kilala.nl tags: work, sysadmin, ctf, security,

View or add comments (curr. 1)