lab updates, fixes #338

This commit is contained in:
Z. Cliffe Schreuders
2024-11-16 16:28:21 +00:00
parent c04230c44c
commit a4d831b831
2 changed files with 7 additions and 7 deletions

@@ -120,7 +120,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<quiz>
<question>What was the full command that was used to start nc listening on the compromised server?</question>
<answer>.*ncat -l -p <%= $hidden_port %> -e /bin/bash</answer>
<answer>.*ncat -l -p <%= $hidden_port %> -e /bin/bash.*</answer>
<correct_answer_response>:) <%= $flags.pop %></correct_answer_response>
<trigger_next_attack />
</quiz>
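Review bot: the trailing `.*` on the second `<answer>` pattern fixes answers that carry text after `/bin/bash` (a trailing `&`, a redirect, the rest of a copied line), but both patterns still require this exact option order and single spacing (`-l -p PORT -e`), so an answer copied from the evidence with doubled spaces or a different option layout will still be rejected; if the first `<answer>` line is not the removed line of this hunk, it is now redundant with the second and should be dropped. Consider collapsing whitespace in the pattern (e.g. `\s+` between tokens) or documenting in the lab notes which spellings of the command are accepted.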

@@ -131,9 +131,9 @@ Run the command:
ssh <%= $compromised_server_ip %> "/media/cdrom0/statbins/linux2.2_x86/ls /proc" | tee evidence/proc_ls_static
```
**On your Desktop VM**, find the newly created files and ==compare the list of pids (numbers representing processes) output from the previous commands==. This is the second column of output in the ps\_out, with the numbers in proc\_ls\_static.
**On your Desktop VM**, find the newly created files and ==compare the list of pids (numbers representing processes) output from the previous commands==. This is the second column of output in the local\_ps\_output, with the numbers in proc\_ls\_static.
Hint: you can do the comparison manually, or using commands such as "cut" (or [*awk*](http://lmgtfy.com/?q=use+awk+to+print+column)), "sort", and "diff". For example, `cat ps_out | awk '{ print $4 }'` will pipe the contents of the file ps\_out into the awk command, which will split on spaces, and only display the fourth field. Ensure this is displaying the list of pids, if not try selecting a different field. You could pipe this through to "sort". Then save that to a file (by appending " &gt; pids\_ps\_out"). Remember "man awk", "man sort", and "man diff" will tell you about how to use the commands (and Google may also come in handy).
Hint: you can do the comparison manually, or using commands such as "cut" (or [*awk*](http://lmgtfy.com/?q=use+awk+to+print+column)), "sort", and "diff". For example, `cat local_ps_output | awk '{ print $2 }'` will pipe the contents of the file local\_ps\_output into the awk command, which will split on spaces, and only display the second field. Ensure this is displaying the list of pids, if not try selecting a different field. You could pipe this through to "sort". Then save that to a file (by appending " &gt; pids\_ps\_out"). Remember "man awk", "man sort", and "man diff" will tell you about how to use the commands (and Google may also come in handy).
Are the same processes shown each time? Can you explain why the outputs from different tools are giving you a different picture of the system? If not, that is very suspicious, and likely indicates a break-in, and that we probably shouldn't trust the output of local commands.
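Review bot: the awk field index and input file in the example now agree with the prose (`$2` is the second column of `local_ps_output`), but the save step later in the same hint still says to append ` > pids\_ps\_out`, so the suggested output name no longer matches the renamed input; `pids_local_ps_output` would keep the naming consistent. Minor: `cat local_ps_output | awk '{ print $2 }'` reads better as `awk '{ print $2 }' local_ps_output`, and the `&gt;` entity in the hint should be a literal `>` unless the renderer is known to decode it. In the closing paragraph, "If not, that is very suspicious" follows "Can you explain why..." rather than "Are the same processes shown each time?", so the "If not" answers the wrong question; swapping the two sentences would fix it.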
@@ -222,12 +222,12 @@ Note that on this system the root partition (mounted on "/"), is /dev/sda1.
> Help: on some VMs, you may need to replace "sda1" with "hda1".
Then **you could** (see the tip below) copy byte-for-byte the contents of the entire root ("/") partition over the network (where /dev/sda1 was identified from the previous command):
Then **you could** copy byte-for-byte the contents of the entire root ("/") partition over the network (where /dev/sda1 was identified from the previous command):
```bash
ssh -t <%= $compromised_server_ip %> "/media/cdrom0/statbins/linux2.2_x86/dd if=/dev/sda1 conv=noerror,sync" | tee evidence/sda1.img
ssh -t <%= $compromised_server_ip %> "/media/cdrom0/statbins/linux2.2_x86/dd if=/dev/sda1 bs=1M count=5 conv=noerror,sync" | tee evidence/sda1.img
```
> Tip: Feel free to ==skip this step==. Running this will take some time, so if you do run this, you may wish to continue with the next steps while the copying runs.
> Tip: Doing a full copy of the disk would take quite some time, so for demonstration purposes we are only copying 5MB of the disk.
This command could be repeated for each partition including swap partitions. For now, let's accept that we have all we need.
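Review bot: `ssh -t` on the dd line is a problem for a byte-for-byte image. The `-t` allocates a remote pseudo-terminal, so the remote side may translate newlines in the binary stream, and dd's own `records in/out` summary (normally stderr) is merged into the pty output and lands inside `evidence/sda1.img`. Drop `-t` for this command, since no password prompt is expected here, e.g. `ssh <%= $compromised_server_ip %> "/media/cdrom0/statbins/linux2.2_x86/dd if=/dev/sda1 bs=1M count=5 conv=noerror,sync" > evidence/sda1.img`, and consider adding a `sha256sum evidence/sda1.img` step straight after so the lab models recording evidence integrity. The new `bs=1M count=5` limit is well explained by the updated tip.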
@@ -317,7 +317,7 @@ It is now safe to run chkrootkit[^1]:
**On your Desktop VM**, run:
```bash
ssh -t <%= $compromised_server_ip %> "PATH=/media/cdrom0/statbins:$PATH sudo /media/cdrom0/statbins/chkrootkit-linux/chkrootkit" | tee evidence/chkrootkit_out
ssh -t <%= $compromised_server_ip %> 'sudo bash -c "export PATH=/media/cdrom0/statbins/linux2.2_x86:$PATH; /media/cdrom0/statbins/chkrootkit-linux/chkrootkit"' | tee evidence/chkrootkit_out
```
> Help: you may get a message in the terminal before you type the password. You should still type the password for the script to run. The script should not take long to run.
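Review bot: moving the PATH assignment inside `sudo bash -c` is the right fix for the previous line, where `PATH=... sudo ...` set PATH only in sudo's own environment and sudo's default `env_reset`/`secure_path` handling would discard it before chkrootkit ran, so the trusted static binaries were likely never used. Two points on the new line: `$PATH` sits inside double quotes within the single-quoted ssh argument, so it is expanded by the remote login shell before `sudo`, meaning the appended tail is the unprivileged user's PATH rather than root's (harmless, but worth a comment in the lab text); and because the system directories remain in PATH after the static directory, any helper chkrootkit needs that is missing from `/media/cdrom0/statbins/linux2.2_x86` silently falls back to the possibly compromised system binary. Consider checking that every command chkrootkit invokes is present in the static directory, or passing chkrootkit's own `-p` path option, which exists for exactly this purpose.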