Linux systems provide a reliable and robust alternative to closed-source systems, such as MS Windows Server and UNIX. Moreover, choosing Linux can help cut down licensing costs dramatically.
If you are not convinced, compare the cost of hosting a web server using Debian 11 with the cost of hosting a web server using MS Windows Server 2022.
When we compare the combined costs of licensing and the minimum required hardware for each of these modern releases, we will have a strong case for Linux.
Of course, we cannot claim that Linux is always the best choice; however, Linux is the best choice for many scenarios. Before using this option, we must focus on securing our Linux systems, also known as Linux hardening.
Task 2 Physical Security
root@AttackBox# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.534B77859C13DCF094E90B926E26C586F5DC9D00687853487C4BB1500D57EC29E2D6D07A586262E093DCBDFF4B3552742A25700BAB6B76A8206B3BFCB273EEB4.4BA1447590EA8451CD224AA1C5F8623FE85D23F6D34E2026E3F08C5AA79282DB65B330BAB4944E9374EC51BF11EFF418EDA5D66FF4D7AAA86F662F793B92DA61It is important to note that adding a password for GRUB is not available for systems deployed using cloud service providers (such as our Linux VM); a GRUB password does not make sense as you don’t have access to the physical terminal.
Ensuring proper physical security is a must considering how easy it is for an attacker with physical access to wreak havoc. Adding a password to GRUB is a reasonable measure to block users with physical access to a system’s keyboard from gaining access.
However, we need a plan in case an attacker finds a way to steal the disk drives.
Answer the questions below
Question: What command can you use to create a password for the GRUB bootloader?
Answer: grub2-mkpasswd-pbkdf2
Question: What does PBKDF2 stand for?
Hint: You should visit your favorite search engine.
Answer: Password-Based Key Derivation Function 2
Task 3 Filesystem Partitioning and Encryption
root@AttackBox# user@TryHackMe$ sudo lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sdb 8:16 1 14.3G 0 disk
└─sdb1 8:17 1 14.3G 0 part /run/media/strategos/Strategos
[...]
user@TryHackMe$ sudo blkid
[...]
/dev/sdb1: LABEL="Strategos" BLOCK_SIZE="512" UUID="59402B4A4E12CD06" TYPE="ntfs"
user@TryHackMe$ sudo cryptsetup -y -v luksFormat /dev/sdb1
WARNING: Device /dev/sdb1 already contains a 'ntfs' superblock signature.
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
Existing 'ntfs' superblock signature on device /dev/sdb1 will be wiped.
Existing 'dos' partition signature on device /dev/sdb1 will be wiped.
Key slot 0 created.
Command successful.
user@TryHackMe$ sudo cryptsetup luksOpen /dev/sdb1 EDCdrive
user@TryHackMe$ sudo mkfs.ext4 /dev/mapper/EDCdrive -L "Strategos USB"
mke2fs 1.46.5 (30-Dec-2021)
[...]
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
user@TryHackMe$ sudo mount /dev/mapper/EDCdrive /media/secure-USBLinux linux
If you want to check the LUKS setting, you can issue the command cryptsetup luksDump /dev/sdb1. In the terminal output below, we can see the UUID of the encrypted disk. We can also see that the cipher used is aes-xts-plain64. As for the key, PBKDF2 used SHA256 with the provided salt for 194180 iterations.
root@AttackBox# sudo cryptsetup luksDump /dev/sdb1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 41199bad-d753-4dce-9284-0a81d27acc95
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 965922
Threads: 4
Salt: bd 45 40 96 27 93 cd fa 50 60 f4 28 d4 d8 b2 bd
58 69 72 72 35 2f 26 9c a8 14 ef 91 04 b2 dc cd
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 194180
Salt: 6e e1 70 a4 3f d6 71 44 c8 e6 84 4d 99 51 7d c9
49 66 bf 37 61 b8 c3 d2 4e aa f7 25 27 e2 b3 8a
Digest: c1 87 99 a1 d1 7a 05 8a ca cd 13 74 f0 33 ef 3a
98 c9 d7 a8 70 93 e2 ac 07 0f 2a 5c 89 f1 18 1d Answer The Questions Below
Question: What does LUKS stand for?
Answer: Linux Unified Key Setup
Question: We cannot attach external storage to the VM, so we have created a /home/tryhackme/secretvault.img file instead. It is encrypted with the password 2N9EdZYNkszEE3Ad. To access it, you need to open it using cryptsetup and then mount it to an empty directory, such as myvault. What is the flag in the secret vault?
Hint: sudo cryptsetup open –type luks secretvault.img myvault && sudo mount /dev/mapper/myvault myvault/
Run the following command in the terminal
tryhackme@ip-10-10-9-110:~$ sudo cryptsetup open --type luks secretvault.img myvault && sudo mount /dev/mapper/myvault myvault/
Enter passphrase for secretvault.img:
tryhackme@ip-10-10-9-110:~$ ls
myvault secretvault.img
tryhackme@ip-10-10-9-110:~$ cd myvault/
tryhackme@ip-10-10-9-110:~/myvault$ ls
lost+found task3_flag.txt
tryhackme@ip-10-10-9-110:~/myvault$ cat task3_flag.txt
THM{LUKS_not_LUX}
tryhackme@ip-10-10-9-110:~/myvault$ Answer: THM{LUKS_not_LUX}
Task 4 Firewall
root@AttackBox# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROPIn practice, you should flush (delete) previous rules before applying new ones. This action can be achieved using iptables -F.
root@AttackBox# sudo nft list table fwfilter
table ip fwfilter {
chain fwinput {
type filter hook input priority filter;
tcp dport 22 accept
}
chain fwoutput {
type filter hook output priority filter;
tcp sport 22 accept
}
}We hope the above example gave you a general overview of how nftables work.
Answer The Questions Below
Question: There is a firewall running on the Linux VM. It is allowing port 22 TCP as we can ssh into the machine. It is allowing another TCP port; what is it?
for the answer of this question type the following command in the ssh console
tryhackme@ip-10-10-9-110:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
14298/udp ALLOW Anywhere
12526/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
14298/udp (v6) ALLOW Anywhere (v6)
12526/tcp (v6) ALLOW Anywhere (v6) Answer: 12526
Question: What is the allowed UDP port?
Answer: 14298
Task 5 Remote Access
Answer The Questions Below
Question: What flag is hidden in the sshd_config file?
you need to do cat the following file in ssh console
tryhackme@ip-10-10-9-110:~$ cat /etc/ssh/sshd_config
# THM{secure_SEA_shell}
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Answer: THM{secure_SEA_shell}
Task 6 Securing User Accounts
Answer The Questions Below
Question: One way to disable an account is to edit the passwd file and change the account’s shell. What is the suggested value to use for the shell?
Answer: /sbin/nologin
Question: What is the name of the RedHat and Fedora systems sudoers group?
Answer: wheel
Question: What is the name of the sudoers group on Debian and Ubuntu systems?
Answer: sudo
Question: Other than tryhackme and ubuntu, what is the username that belongs to the sudoers group?
Hint: One way is to check the /etc/group file.
so we need to do cat group file and see the other users attached to sudo group
tryhackme@ip-10-10-9-110:~$ sudo cat /etc/group | grep sudo
sudo:x:27:ubuntu,tryhackme,blacksmith
tryhackme@ip-10-10-9-110:~$ Answer: blacksmith
Task 7 Software and Services
Answer The Questions Below
Question: Besides FTPS, what is another secure replacement for TFTP and FTP?
Answer: SFTP
Task 8 Update and Upgrade Policies
Answer The Questions Below
Question: What command would you use to update an older Red Hat system?
Answer: yum update
Question: What command would you use to update a modern Fedora system?
Answer: dnf update
Question: What two commands are required to update a Debian system? (Connect the two commands with &&.)
Answer: apt update && apt upgrade
Question: What does yum stand for?
Answer: Yellowdog Updater, Modified
Question: What does dnf stand for?
Answer: Dandified Yum
Question: What flag is hidden in the sources.list file?
Answer: THM{not_Advanced_Persistent_Threat}
tryhackme@ip-10-10-9-110:~$ cat /etc/apt/sources.list
# THM{not_Advanced_Persistent_Threat}
## Note, this file is written by cloud-init on first boot of an instance
## modifications made here will not survive a re-bundle.
## if you wish to make changes you can:
## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
## or do the same in user-data
## b.) add sources in /etc/apt/sources.list.d
## c.) make changes to template file /etc/cloud/templates/sources.list.tmpl
Task 9 Audit and Log Configuration
Answer The Questions Below
Question: What command can you use to display the last 15 lines of kern.log?
Answer: tail -n 15 kern.log
Question: What command can you use to display the lines containing the word denied in the file secure?
Answer: grep denied secure
Task 10 Conclusion and Final Notes
