So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.
A few small things I also did as a standard operating procedure (SOP).
1) I changed the passwords on the VM. Obvious.
2) I changed the background image on my host and on the VM. Might sound silly, but having a different color theme actually helps to tell the machines apart. While working I found it helpful to know which server I was connected to. Machine Red, Blue etc.
3) I worked a little bit on the post exploitation phase. Might seem silly, but I have a forensic background, so normally I don’t work on exploits. But I think I can look through files 😉 And I don’t want to look like these stupid criminals.
I mean there will be a situation where I will break into a server during this course. That is the whole goal in that lab. So my list for after the fact is so far:
SOP: “GRAB AND RUN”
Of course I have to make this list for each OS I will encounter.
Assuming I have a root shell, what should I do?
1) The stay phase. I want to stay .. so persistence is needed. Basically it is an admin task: adding a new user with root, maybe installing some new programs or services. Basic admin stuff. I need to look up some of the commands. OS X etc …
2) The grab phase. What do I want? Let’s start from my normal forensic checklist.
- user list and hashes
- a list of all running processes, written into a file
- a list of all open network connections
- all important config files, especially for all the running services
- a look around for other interesting files, especially ssh keys or stuff left behind by an attacker
- a timeline. Well, I will likely not need a timeline of my attack for a judge .. WELL I HOPE SO 😉
So that seems like a nice start. Okay, I will not upload a bunch of forensic tools to the “victim”, so I will have to think about how to exfiltrate the files. But the basic procedure is clear.
1) create a folder for each host
2) copy the files into their “normal folders”
3) Look through them, or just run a diff against the “normal” config files to find the interesting parts.
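As an added example (not code from the original post), a small POSIX shell sketch of steps 1 to 3: it copies a fixed list of config files from a host’s filesystem root into a per-host folder that mirrors the original paths, then reports which collected files differ from, or are missing in, a known-good baseline tree. The file list, the host name and every directory path are assumptions for the demo.

```shell
#!/bin/sh
# Added example: per-host config collection plus diff against a baseline.
# CONFIG_FILES and all paths are assumptions, not values from the post.

# Files worth comparing on a Unix-like host (constructed list for the demo)
CONFIG_FILES="etc/passwd etc/group etc/ssh/sshd_config etc/crontab"

# Steps 1 and 2: create a folder for the host and copy each file into its
# "normal" folder, e.g. $out/<host>/etc/ssh/sshd_config
collect_host() {
    host="$1"; src_root="$2"; out="$3"
    for f in $CONFIG_FILES; do
        if [ -f "$src_root/$f" ]; then
            mkdir -p "$out/$host/$(dirname "$f")"
            cp -p "$src_root/$f" "$out/$host/$f"   # -p keeps timestamps/mode
        fi
    done
}

# Step 3: compare the collected copies with a known-good baseline tree.
# Prints "CHANGED <path>" when the content differs and "NEW <path>" when
# the baseline has no such file; unchanged files print nothing.
diff_against_baseline() {
    host="$1"; out="$2"; baseline="$3"
    for f in $CONFIG_FILES; do
        collected="$out/$host/$f"
        [ -f "$collected" ] || continue
        if [ ! -f "$baseline/$f" ]; then
            echo "NEW $f"
        elif ! cmp -s "$collected" "$baseline/$f"; then
            echo "CHANGED $f"
        fi
    done
}

# Usage (paths are placeholders):
#   collect_host red /mnt/red ./collected
#   diff_against_baseline red ./collected ./baseline
```

Run `diff -u "$baseline/$f" "$out/$host/$f"` on each reported file afterwards to see the actual changed lines.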