Ciphers Security THM Walkthrough TryHackMe Walkthrough: Linux System Hardening
THM Walkthrough

TryHackMe Walkthrough: Linux System Hardening

Linux systems provide a reliable and robust alternative to closed-source systems, such as MS Windows Server and UNIX. Moreover, choosing Linux can help cut down licensing costs dramatically.

If you are not convinced, compare the cost of hosting a web server using Debian 11 with the cost of hosting a web server using MS Windows Server 2022.

When we compare the combined costs of licensing and the minimum required hardware for each of these modern releases, we will have a strong case for Linux.

Of course, we cannot claim that Linux is always the best choice; however, Linux is the best choice for many scenarios. Before using this option, we must focus on securing our Linux systems, also known as Linux hardening.

linux

Task 2 Physical Security

root@AttackBox# grub2-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.534B77859C13DCF094E90B926E26C586F5DC9D00687853487C4BB1500D57EC29E2D6D07A586262E093DCBDFF4B3552742A25700BAB6B76A8206B3BFCB273EEB4.4BA1447590EA8451CD224AA1C5F8623FE85D23F6D34E2026E3F08C5AA79282DB65B330BAB4944E9374EC51BF11EFF418EDA5D66FF4D7AAA86F662F793B92DA61

It is important to note that adding a password for GRUB is not available for systems deployed using cloud service providers (such as our Linux VM); a GRUB password does not make sense as you don’t have access to the physical terminal.

Ensuring proper physical security is a must considering how easy it is for an attacker with physical access to wreak havoc. Adding a password to GRUB is a reasonable measure to block users with physical access to a system’s keyboard from gaining access.

However, we need a plan in case an attacker finds a way to steal the disk drives.

Answer the questions below

Question: What command can you use to create a password for the GRUB bootloader?

Answer: grub2-mkpasswd-pbkdf2

Question: What does PBKDF2 stand for?

Hint: You should visit your favorite search engine.

Answer: Password-Based Key Derivation Function 2

Task 3 Filesystem Partitioning and Encryption

root@AttackBox# user@TryHackMe$ sudo lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sdb           8:16   1  14.3G  0 disk 
└─sdb1        8:17   1  14.3G  0 part /run/media/strategos/Strategos
[...]

user@TryHackMe$ sudo blkid
[...]
/dev/sdb1: LABEL="Strategos" BLOCK_SIZE="512" UUID="59402B4A4E12CD06" TYPE="ntfs"

user@TryHackMe$ sudo cryptsetup -y -v luksFormat /dev/sdb1
WARNING: Device /dev/sdb1 already contains a 'ntfs' superblock signature.

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sdb1: 
Verify passphrase: 
Existing 'ntfs' superblock signature on device /dev/sdb1 will be wiped.
Existing 'dos' partition signature on device /dev/sdb1 will be wiped.
Key slot 0 created.
Command successful.

user@TryHackMe$ sudo cryptsetup luksOpen /dev/sdb1 EDCdrive

user@TryHackMe$ sudo mkfs.ext4 /dev/mapper/EDCdrive -L "Strategos USB"
mke2fs 1.46.5 (30-Dec-2021)
[...]
Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

user@TryHackMe$ sudo mount /dev/mapper/EDCdrive /media/secure-USB

Linux linux

If you want to check the LUKS setting, you can issue the command cryptsetup luksDump /dev/sdb1. In the terminal output below, we can see the UUID of the encrypted disk. We can also see that the cipher used is aes-xts-plain64. As for the key, PBKDF2 used SHA256 with the provided salt for 194180 iterations.

root@AttackBox# sudo cryptsetup luksDump /dev/sdb1
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           41199bad-d753-4dce-9284-0a81d27acc95
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 512 [bytes]

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     965922
    Threads:    4
    Salt:       bd 45 40 96 27 93 cd fa 50 60 f4 28 d4 d8 b2 bd 
                58 69 72 72 35 2f 26 9c a8 14 ef 91 04 b2 dc cd 
    AF stripes: 4000
    AF hash:    sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 194180
    Salt:       6e e1 70 a4 3f d6 71 44 c8 e6 84 4d 99 51 7d c9 
                49 66 bf 37 61 b8 c3 d2 4e aa f7 25 27 e2 b3 8a 
    Digest:     c1 87 99 a1 d1 7a 05 8a ca cd 13 74 f0 33 ef 3a 
                98 c9 d7 a8 70 93 e2 ac 07 0f 2a 5c 89 f1 18 1d 

Answer The Questions Below

Question: What does LUKS stand for?
Answer: Linux Unified Key Setup

Question: We cannot attach external storage to the VM, so we have created a /home/tryhackme/secretvault.img file instead. It is encrypted with the password 2N9EdZYNkszEE3Ad. To access it, you need to open it using cryptsetup and then mount it to an empty directory, such as myvault. What is the flag in the secret vault?
Hint: sudo cryptsetup open –type luks secretvault.img myvault && sudo mount /dev/mapper/myvault myvault/

Run the following command in the terminal

tryhackme@ip-10-10-9-110:~$ sudo cryptsetup open --type luks secretvault.img myvault && sudo mount /dev/mapper/myvault myvault/
Enter passphrase for secretvault.img: 
tryhackme@ip-10-10-9-110:~$ ls
myvault  secretvault.img
tryhackme@ip-10-10-9-110:~$ cd myvault/
tryhackme@ip-10-10-9-110:~/myvault$ ls
lost+found  task3_flag.txt
tryhackme@ip-10-10-9-110:~/myvault$ cat task3_flag.txt 
THM{LUKS_not_LUX}
tryhackme@ip-10-10-9-110:~/myvault$ 

Answer: THM{LUKS_not_LUX}

Task 4 Firewall

root@AttackBox# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

In practice, you should flush (delete) previous rules before applying new ones. This action can be achieved using iptables -F.

root@AttackBox# sudo nft list table fwfilter
table ip fwfilter {
    chain fwinput {
        type filter hook input priority filter;
        tcp dport 22 accept
    }

    chain fwoutput {
        type filter hook output priority filter;
        tcp sport 22 accept
    }
}

We hope the above example gave you a general overview of how nftables work.

Answer The Questions Below

Question: There is a firewall running on the Linux VM. It is allowing port 22 TCP as we can ssh into the machine. It is allowing another TCP port; what is it?

for the answer of this question type the following command in the ssh console

tryhackme@ip-10-10-9-110:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
14298/udp                  ALLOW       Anywhere                  
12526/tcp                  ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
14298/udp (v6)             ALLOW       Anywhere (v6)             
12526/tcp (v6)             ALLOW       Anywhere (v6) 

Answer: 12526

Question: What is the allowed UDP port?

Answer: 14298

Task 5 Remote Access

Answer The Questions Below

Question: What flag is hidden in the sshd_config file?

you need to do cat the following file in ssh console

tryhackme@ip-10-10-9-110:~$ cat /etc/ssh/sshd_config
# THM{secure_SEA_shell}

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Answer: THM{secure_SEA_shell}

Task 6 Securing User Accounts

Answer The Questions Below

Question: One way to disable an account is to edit the passwd file and change the account’s shell. What is the suggested value to use for the shell?
Answer: /sbin/nologin

Question: What is the name of the RedHat and Fedora systems sudoers group?
Answer: wheel

Question: What is the name of the sudoers group on Debian and Ubuntu systems?
Answer: sudo

Question: Other than tryhackme and ubuntu, what is the username that belongs to the sudoers group?
Hint: One way is to check the /etc/group file.

so we need to do cat group file and see the other users attached to sudo group

tryhackme@ip-10-10-9-110:~$ sudo cat /etc/group | grep sudo
sudo:x:27:ubuntu,tryhackme,blacksmith
tryhackme@ip-10-10-9-110:~$ 

Answer: blacksmith

Task 7 Software and Services

Answer The Questions Below

Question: Besides FTPS, what is another secure replacement for TFTP and FTP?
Answer: SFTP

Task 8 Update and Upgrade Policies

Answer The Questions Below

Question: What command would you use to update an older Red Hat system?
Answer: yum update

Question: What command would you use to update a modern Fedora system?
Answer: dnf update

Question: What two commands are required to update a Debian system? (Connect the two commands with &&.)
Answer: apt update && apt upgrade

Question: What does yum stand for?
Answer: Yellowdog Updater, Modified

Question: What does dnf stand for?
Answer: Dandified Yum

Question: What flag is hidden in the sources.list file?
Answer: THM{not_Advanced_Persistent_Threat}

tryhackme@ip-10-10-9-110:~$ cat /etc/apt/sources.list
# THM{not_Advanced_Persistent_Threat}

## Note, this file is written by cloud-init on first boot of an instance
## modifications made here will not survive a re-bundle.
## if you wish to make changes you can:
## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
##     or do the same in user-data
## b.) add sources in /etc/apt/sources.list.d
## c.) make changes to template file /etc/cloud/templates/sources.list.tmpl

Task 9 Audit and Log Configuration

Answer The Questions Below

Question: What command can you use to display the last 15 lines of kern.log?
Answer: tail -n 15 kern.log

Question: What command can you use to display the lines containing the word denied in the file secure?
Answer: grep denied secure

Task 10 Conclusion and Final Notes

If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.

Connect with us on these platforms

Exit mobile version