Hivestorm 2021 Writeup

posted 2021-10-09 · partial walkthrough of Hivestorm 2021 boxes

Overview

Hivestorm is a collegiate-focused cyber defense competition. Teams compete by securing provided Windows and Linux based virtual machines – removing malware and other infections, correcting misconfigurations, mitigating vulnerabilities, disabling vulnerable services, and so on. Teams accumulate points for addressing each scored issue and must race against the clock to accumulate as many points as they can before time expires. (via hivestorm.org)

We were team208 for Hivestorm 2021. We placed 2nd, which takes away a lot of my ability to be smug in this writeup. Nonetheless, I'll be doing a partial walkthrough of how we approached the images, because someone on the Discord asked.


General Advice

Categories

Hivestorm images (especially newer ones) seem to fall into a couple of predictable categories.

Time Usage

You only have four hours for Hivestorm, so you may want to establish a gameplan and make sure you're on the same page as your teammates.

The optimal strategy really depends on your team composition and your confidence. If you want to win, then you should spend a lot of time on forensic questions, preferably until you solve all of them, because those are guaranteed points.

A basic gameplan is:

  1. Forensic Questions for about an hour or until finished
  2. Run scripts
  3. Manually do things that the script didn't cover or didn't do correctly
  4. Manually scrounge and check obscure things and bad files

Remember that you often can't answer the Forensic Questions once you start securing an image, since you might destroy the data you need.

Scripting

Scripting is great, and you should really do it, if only to learn {bash,powershell}. You can read my last writeup if you'd like more information on that.


Images

Debian 9

Forensic Question 1 correct
Forensic Question 2 correct
Forensic Question 3 correct
Forensic Question 4 correct

The forensic questions on Debian revolved around gathering info from the PostgreSQL database running on the box (which was its only critical service!). They gave some example commands on how to use the proper database/view; all you had to do was log in as the proper user (psql apache from the main user, or su postgres; psql) and run the commands from the forensic questions (slightly modified for the new table they wanted you to retrieve). Otherwise, you had to check the command history with \s and the users with \du.

Note: If you put your answer in the Forensic Question file, and it says it's not right, and you didn't mess with the file or the scoring engine... 99.99999% of the time, the engine is right. Try other stuff.

Removed unauthorized user bahamut
Removed hidden user sephiroth
User jessie is not an administrator

These three are literally a sed 's/olduser/newuser/g' from last year, which is to be expected with user auditing.

User rtuesti has a maximum password age
Password for zfair is hashed with a secure algorithm
A minimum password length is required
Extra dictionary based password strength checks enabled

These are the standard /etc/pam.d/common-auth and /etc/pam.d/common-password configurations. Make sure to change your users' passwords after requiring a different hashing algorithm.
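
As an added example (not from the original writeup), here is how those two checks look when scripted. The functions take file paths, so you can run them on a copy first; the PAM line layout assumed is Debian's stock common-password, and the login.defs keys are the standard ones:

```sh
#!/bin/sh
# Added example, not from the writeup: harden copies of the Debian/Ubuntu
# password-policy files. Every function takes the file path as an argument so
# it can be run against a scratch copy before /etc/pam.d/common-password and
# /etc/login.defs (assumed locations; PAM line layout is Debian's).

# Make pam_unix hash with sha512 and enforce a minimum length. Debian's stock
# line is "password [success=1 default=ignore] pam_unix.so obscure sha512";
# existing algorithm/minlen tokens are stripped first so the call is idempotent.
harden_common_password() {
    f="$1"
    sed -i -E '/pam_unix\.so/{s/ (md5|sha256|sha512|bigcrypt|blowfish|minlen=[0-9]+)//g;s/$/ sha512 minlen=12/;}' "$f"
    # Dictionary/complexity checks come from pam_pwquality (package
    # libpam-pwquality). Insert it ahead of pam_unix only if absent.
    if ! grep -q 'pam_pwquality\.so' "$f"; then
        sed -i '/pam_unix\.so/i password requisite pam_pwquality.so retry=3 minlen=12 difok=3' "$f"
    fi
}

# set_login_defs FILE KEY VALUE: replace an active KEY line or append one.
set_login_defs() {
    f="$1"; key="$2"; val="$3"
    if grep -qE "^$key[[:space:]]" "$f"; then
        sed -i -E "s/^$key[[:space:]].*/$key $val/" "$f"
    else
        printf '%s %s\n' "$key" "$val" >> "$f"
    fi
}

# get_login_defs FILE KEY: print the active value (commented lines ignored).
get_login_defs() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Aging policy. login.defs only affects accounts created afterwards; existing
# users need chage (e.g. "chage -M 90 -m 7 USER"), which this script does not run.
harden_login_defs() {
    set_login_defs "$1" PASS_MAX_DAYS 90
    set_login_defs "$1" PASS_MIN_DAYS 7
    set_login_defs "$1" PASS_WARN_AGE 14
}
```

Run both functions on copies under a scratch directory, diff against the originals, then copy them into place. The chage note matters in competition: switching the hash algorithm or the max age does nothing for existing accounts until their passwords are changed or chage is run.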

IPv4 TIME-WAIT assassination protection enabled
Logging of martian packets enabled
Restricted unprivileged access to kernel syslog enabled

/etc/sysctl.conf configuration options.
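
An added example (my own, not code from the writeup) of scripting those keys, plus the two kernel settings scored on the Ubuntu image later on (SYN cookies and ignoring broadcast ICMP echo), since the mechanism is identical. The setter replaces a commented-out or stale entry instead of appending a duplicate, which is what makes it safe to run more than once; the drop-in path is an assumption:

```sh
#!/bin/sh
# Added example, not from the writeup: write kernel hardening keys into a
# sysctl file (e.g. /etc/sysctl.d/99-hardening.conf, assumed) idempotently.

# set_sysctl FILE KEY VALUE: replace an existing (possibly commented) line for
# KEY in FILE, or append one if it is missing.
set_sysctl() {
    f="$1"; key="$2"; val="$3"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metachars
    if grep -qE "^[#[:space:]]*$esc[[:space:]]*=" "$f" 2>/dev/null; then
        sed -i -E "s/^[#[:space:]]*$esc[[:space:]]*=.*/$key = $val/" "$f"
    else
        printf '%s = %s\n' "$key" "$val" >> "$f"
    fi
}

# get_sysctl FILE KEY: the value configured in FILE (not the live kernel value).
get_sysctl() {
    awk -F'=' -v k="$2" '
        $1 !~ /^[ \t]*#/ { gsub(/[ \t]/, "", $1); if ($1 == k) { gsub(/[ \t]/, "", $2); v = $2 } }
        END { print v }' "$1"
}

harden_sysctl_file() {
    f="$1"
    set_sysctl "$f" net.ipv4.tcp_rfc1337 1                 # TIME-WAIT assassination protection
    set_sysctl "$f" net.ipv4.conf.all.log_martians 1       # log packets with impossible addresses
    set_sysctl "$f" net.ipv4.conf.default.log_martians 1
    set_sysctl "$f" kernel.dmesg_restrict 1                # unprivileged users cannot read the kernel log
    set_sysctl "$f" net.ipv4.tcp_syncookies 1              # Ubuntu image: SYN cookies
    set_sysctl "$f" net.ipv4.icmp_echo_ignore_broadcasts 1 # Ubuntu image: ignore broadcast pings
}

# Load every sysctl file into the running kernel. Needs root; nothing else in
# this script calls it, so the functions above can be tested on a scratch file.
apply_sysctl() { sysctl --system >/dev/null; }
```

Verify with `sysctl net.ipv4.tcp_rfc1337` after `apply_sysctl`; the scoring engine reads the live value, not the file.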

Firewall protection has been enabled
GRUB configuration is not world readable
Insecure permissions on PostgreSQL configuration files fixed

ufw enable into getting points is a true combo. I would also recommend running a privesc script (like LinPEAS), since it's an easy way to find important world-writable and SUID/SGID files, and thus saves you from running two find commands.
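
If you would rather keep the two find commands than ship a privesc script onto a scored box, here they are as functions (an added example, not from the writeup or from LinPEAS), together with a baseline comparison so the stock SUID binaries don't drown out the one that shouldn't be there, and the permission check behind the GRUB finding. The search root and baseline file are arguments so it can be tried on a scratch tree:

```sh
#!/bin/sh
# Added example, not from the writeup: report-only file permission audits.
# Each function takes the directory to search; nothing here changes a file.

# Files carrying the SUID or SGID bit (one path per line).
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable files and directories that lack the sticky bit
# (a sticky /tmp is normal; a 777 script directory is not).
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# unexpected_suid ROOT BASELINE: SUID/SGID files not listed in BASELINE, a
# file with one absolute path per line taken from a clean install of the
# same release (constructed by you; there is no vendor list here).
unexpected_suid() {
    find_suid_sgid "$1" | grep -vxF -f "$2" || true
}

# is_world_readable FILE: true when "other" has the read bit. Used for
# /boot/grub/grub.cfg, which should be 0600 (chmod o-r fixes it).
is_world_readable() {
    [ $(( 0$(stat -c '%a' "$1") & 4 )) -ne 0 ]
}
```

Write the baseline on a clean image of the same release, since the exact set of SUID binaries differs between Debian and Ubuntu versions; whatever `unexpected_suid` prints is then the short list to look at.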

Install updates from important security updates
PostgreSQL has been updated
Firefox has been updated

Update!

Apache2 service has been disabled or removed
DNS service is disabled or removed

While apache2 and bind9 are not conventionally thought of as unwanted, since they're not critical services, we should remove them.

Prohibited software fcrackzip
Removed netcat backdoor
Removed python backdoor

Make sure to check crontab, and ps auxf for any funky binaries that take -lvnp 4444 -e /bin/bash as arguments. Also, remove hacking tools (as they request in the README).

PostgreSQL requires authentication for all connections
PostgreSQL does not map any user to the postgres account

Here's where the aforementioned service hardening vulns live. Make sure to do everything in the README: for example, the README also asked you to enable SSL connections to postgres, so that may be worth points.
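
The three PostgreSQL items above map to three files: pg_hba.conf (authentication method per connection type), pg_ident.conf (OS user to database role maps) and postgresql.conf (ssl). As an added example that is not from the writeup, here are audit and fix functions for copies of those files; the paths and the md5 choice are assumptions (md5 because Debian 9 ships PostgreSQL 9.6, where scram-sha-256 is not available; on 10+ use scram-sha-256 instead):

```sh
#!/bin/sh
# Added example, not from the writeup: audit/fix copies of PostgreSQL config.
# Files live under /etc/postgresql/<version>/main/ on Debian (assumed); reload
# with "systemctl reload postgresql" after copying them back.

# pg_hba lines that let anyone connect without authenticating. Layout is
# TYPE DATABASE USER [ADDRESS] METHOD, so the method is field 4 for "local"
# sockets and field 5 for host/hostssl/hostnossl lines.
pg_hba_unauthenticated() {
    awk '$1 !~ /^#/ && NF >= 4 { m = ($1 == "local") ? $4 : $5; if (m == "trust") print }' "$1"
}

# Replace every "trust" method with password auth (md5 on 9.6; prefer
# scram-sha-256 on PostgreSQL 10 and later). Comment lines are left alone.
pg_hba_require_auth() {
    sed -i -E '/^[[:space:]]*#/!s/[[:space:]]trust([[:space:]]|$)/ md5\1/' "$1"
}

# pg_ident lines (MAPNAME SYSTEM-USERNAME PG-USERNAME) mapping any OS user
# onto the postgres superuser role.
pg_ident_maps_to_postgres() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 == "postgres" { print }' "$1"
}

# Drop those maps. The OS "postgres" user still gets in through peer auth on
# the local socket without any map, so nothing legitimate is lost.
pg_ident_drop_postgres_maps() {
    awk '!($1 !~ /^#/ && NF >= 3 && $3 == "postgres")' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Turn "ssl = on" in postgresql.conf, whether the line is commented, off, or
# absent. The Debian package ships a snakeoil cert, so this is enough to start.
pg_conf_enable_ssl() {
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*ssl[[:space:]]*=.*/ssl = on/' "$1"
    grep -q '^ssl = on' "$1" || echo 'ssl = on' >> "$1"
}
```

Run the two audit functions before and after the fixes; an empty result from both is what you want. Confirm with `psql` afterwards that the apache user still authenticates, since the forensic questions depend on that login.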


Ubuntu 18

Many parts of this image are the same as the Debian image, and will go without commentary.

Forensic Question 1 correct
Forensic Question 2 correct
Forensic Question 3 correct

Unfortunately I don't remember what these forensic questions were. But, it seems in general that Linux forensic questions bottom out in difficulty much sooner than Windows forensic questions, at which point they become CTF challenges. This could be because Windows boasts many more forensic artifacts to look through (can't imagine why). So, to practice, it would behoove you to play some CTFs (try picoCTF, overthewire, or MetaCTF if you're a beginner).

Removed hidden user akatosh
Removed unauthorized admin alduin
User belethor is not an administrator
Disabled shell login for user irc
A default minimum password age is set
Null passwords do not authenticate
X Server does not allow TCP connections

The last scored vulnerability in this block is interesting, since it focuses on the display manager (LightDM in this case).

IPv4 TCP SYN cookies have been enabled
Ignore broadcast ICMP echo requests enabled
Uncomplicated Firewall (UFW) protection has been enabled
Insecure permissions on shadow file fixed
Insecure sudo configuration fixed

A quick way to check your sudo settings is to run sudo -l. Additionally, ensure you don't mangle your UFW rules such that it prevents CCSClient from reaching out to the scoreboard. I haven't seen any points from setting specific UFW rules in the past, but it's possible there could be in the future.
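
sudo -l only shows what the current user is allowed; to see every rule at once you read the files. Here is an added example (not from the writeup) that flags the shapes behind the "insecure sudo configuration" finding in a copy of /etc/sudoers and its drop-ins, and strips the passwordless ones. File paths and the list of expected principals are assumptions:

```sh
#!/bin/sh
# Added example, not from the writeup: offline sudoers audit. Reads copies of
# /etc/sudoers and /etc/sudoers.d/* (assumed paths); never edits live files.

# sudoers_audit FILE...: print flagged rules, one per line, with a tag.
sudoers_audit() {
    cat "$@" 2>/dev/null | grep -vE '^[[:space:]]*(#|$)' | awk '
        /NOPASSWD/ || /!authenticate/ { print "PASSWORDLESS: " $0; next }
        # anything other than root, the sudo/admin groups or a Defaults line
        # that grants commands is worth a look (aliases included)
        $0 ~ /=/ && $1 !~ /^(Defaults|root|%sudo|%admin)$/ { print "NONSTANDARD:  " $0 }'
}

# sudoers_strip_passwordless FILE...: drop NOPASSWD tags and any
# "Defaults !authenticate" line in place. Validate the result with
# "visudo -cf FILE" before copying it back; a syntax error in sudoers locks
# everyone out of sudo.
sudoers_strip_passwordless() {
    sed -i -E 's/NOPASSWD:[[:space:]]*//g; /^[[:space:]]*Defaults.*!authenticate/d' "$@"
}
```

NONSTANDARD hits are not automatically wrong (a scored service account might legitimately run one command), so read them rather than deleting them; the PASSWORDLESS ones are almost always the point.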

IRC daemon has been disabled or removed
APT has been updated
Samba has been updated
Firefox has been updated
Prohibited MP3 files are removed
Prohibited software dsniff removed
Prohibited software rfdump removed
Removed perl owl-shell backdoor

In regard to the backdoor, it's probably most productive to familiarize yourself with the default rc, crontab, service, and other autorun files for Debian and Ubuntu, which will make any backdoors stand out. Doing the same for the output of ps auxf also helps in being able to Know Good, Find Evil.

Samba SMB1 protocol is disabled
Samba encryption is required

Samba was a critical service for this box, so ensure that you configure it and disable/remove things that are "malicious." Do beware, if you take this mentality to CCDC or similar, you need to be extremely careful to not nuke something that looks "malicious," but is actually a scored component.
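
Both the Samba items and the LightDM one above are "set a key inside a section of an INI-style file", so here is one setter for both, as an added example that is not from the writeup. It replaces an existing or commented-out key inside the right section rather than appending a second copy at the end of the file (which Samba would silently attribute to the last share section). The section names and keys are the standard ones; the file paths are assumptions:

```sh
#!/bin/sh
# Added example, not from the writeup: one setter for INI-style config files,
# used on copies of /etc/samba/smb.conf and /etc/lightdm/lightdm.conf
# (assumed paths). Check smb.conf with "testparm" after copying it back.

# set_ini FILE SECTION KEY VALUE: write "KEY = VALUE" inside [SECTION],
# replacing an existing (even commented-out) KEY there, or creating the
# section at the end of the file if it does not exist.
set_ini() {
    f="$1"; sec="$2"; key="$3"; val="$4"
    [ -f "$f" ] || : > "$f"
    awk -v sec="$sec" -v key="$key" -v val="$val" '
        function emit() { if (!done) { print key " = " val; done = 1 } }
        /^[ \t]*\[/ {
            if (insec) emit()                      # leaving the section without a hit
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            insec = (s == sec); if (insec) seen = 1
        }
        insec && $0 ~ ("^[ \t]*[#;]?[ \t]*" key "[ \t]*=") { emit(); next }
        { print }
        END { if (insec) emit(); if (!seen) { print "[" sec "]"; emit() } }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# get_ini FILE SECTION KEY: print the active value of KEY in [SECTION].
get_ini() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s); insec = (s == sec); next }
        insec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }
        }
    ' "$1"
}

# Samba: refuse SMB1 and require encryption (Samba 4.7+, as on Ubuntu 18.04).
harden_smb() {
    set_ini "$1" global "server min protocol" SMB2
    set_ini "$1" global "smb encrypt" required
}

# LightDM: stop the X server from listening on TCP (goes in the [Seat:*] section).
disable_x_tcp() {
    set_ini "$1" "Seat:*" xserver-allow-tcp false
}
```

Restart smbd after the Samba change and check that the scored shares still mount, which is the CCDC caution above in practice: "smb encrypt = required" will break any client that cannot negotiate encryption.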


Windows 2019

Unfortunately for you, dear reader, our Windows 2019 performance could only be described as an otherworldly catastrophic choke. Due to this fact, I will not be covering it in detail.

Forensic Questions for this machine were pretty fierce, by Hivestorm standards. Of the hard ones, one was solvable through zsteg (the homemade Skyrim logo), for another you had to pore through the NTDATA files (this one was made easy since it was specified that the user in question was unauthorized: in this case, tolfdir, the only one), and for the last, you had to look through a ton of NTDATA files, or (ab)use a niche Windows cache.


Windows 10

People who specialize in Windows have my undying respect, since they are sacrificing fun for the greater good (of other people being saved from using it).

Forensic Question 1 correct
Forensic Question 2 correct
Forensic Question 3 correct

These FQs were apparently pretty doable, so unfortunately I didn't do them (and therefore don't remember them). My recommendation about getting some CTF experience applies for Windows challenges as well.

Removed unauthorized user brynjolf
Changed insecure password for delphine
User borri password expires
Passwords are not stored using reversible encryption
A secure maximum password age exists
Audit User Account Management [Success]
Audit System Integrity [Failure]
User irileth may not manage auditing and security log

Users, user rights assignments, and audit log are all pretty consistent appearances on images like this.

Firewall protection has been enabled
Validate heap integrity setting enabled
AutoPlay has been disabled [all users]

These are kind of weird, other than the firewall one. I would recommend looking through CIS handbooks and DoD STIGs, and adding everything useful that could be a vuln to a script.

Remote Registry service has been stopped and disabled
Windows updates installed
Firefox has been updated

Service management and updates. Services on Windows can be a huge pain, since there are so many of them, and they all sound stupid. Remote Registry is kind of a low hanging fruit, but who would think, "oh yeah, Xbox Live Game Save, that's gotta be big points"? In any case, this is easily scriptable if you have a list of bad services.

Remove Etherium cryptominer Geth

Look for standalone binaries, features, media files, and installed programs that shouldn't be there. It's a fair bet that there will be quite a few programs that you need to remove on a box with this many vulns, so keep looking if you only found one or two.

Removed phpinfo file
PHP display errors has been disabled
IIS server requires use of SSL connections

Finally, since this box was running IIS and PHP, you can pretty much guarantee that there will be multiple vulns for both of them. And as always, read the README.


Wrap up

Thank you to UTSA's CIAS for running this competition! I'd also like to thank my teammates and my other friends (among them, Altoid, Paradox, and Anub1s) for being cool people.

If you crave more of this type of content, for whatever reason, make sure you've read Dwayne's email sent out to competitors titled /2021 Hivestorm Image Hints/ (copy here). You can also read my writeup from last year. For real practice, there are some practice images in the CyberPatriot Discord, or you can make your own (we made an engine to help accomplish such a thing).

Finally, I'd like to put some respect on UCSD's Linux skills (writeup when, Josh?).

If you have any questions or feedback, please email my public inbox at ~sourque/public-inbox@lists.sr.ht.