Purple 1: Drupal, Splunk, and Suricata (35 pts extra credit)

What You Need for This Project

Flag and Scoreboard

When you find a flag, enter it into the Scoring Engine

The scoreboard is here: Scoreboard

WARNING

Don't leave your Drupal cloud running when the project is over or it will get hacked.

CCSF blocks outgoing connections to port 8000, so you won't be able to connect to your Drupal cloud server unless you use another network, such as "Danger Zone".

Turning In Your Project

Take a screenshot of the scoreboard with your points.

Save the image with the filename "YOUR NAME Purple 1", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.50sam@gmail.com with the subject line: Purple 1 from YOUR NAME.

Task 1: Create Cloud Servers (10 pts)

Make two Google Cloud machines, allowing HTTP and HTTPS traffic, as shown below.

One machine is the attacker running Debian 9, and the other is the target running Ubuntu 18.04.

Creating an Account

Start at

https://cloud.google.com/free/

Click "TRY IT FREE".

On the next page, fill out the form, as shown below, and click "AGREE AND CONTINUE".

Fill in the next page. You must enter a credit card number, but it says you won't be charged without agreeing to that later.

Click "START MY FREE TRIAL"

A box says you have $300 in free trial credit, as shown below.

On the next pge, click "Compute Engine", as shown below.

The "VM instances" page appears, as shown below.

Wait while it gets ready.

When it's ready, you see the screen shown below. Click Create.

Creating a Linux Cloud Server

In the "VM instances" screen, click "CREATE INSTANCE", as shown below.

Debian Attack Server

Name the first machine debian and check both boxes in the "Firewall" section, as shown below.

Ubuntu Drupal Server

Create another Linux server, using Ubuntu. Name it drupal and check both boxes in the "Firewall" section, as shown below.

1.1: Record Your Success (5 pts)

On the Debian server, execute the lshw command. The text covered by the green box in the image below is the flag.

1.2: Record Your Success (5 pts)

On the Ubuntu server, execute these commands:
sudo apt update
sudo apt install hwinfo
sudo hwinfo
Find the portion of the output shown below. The text covered by the green box in the image below is the flag.


Task 2: Install Drupal 7.20 (5 pts)

Install Apache and MySQL

On the Ubuntu server, execute these commands, one at a time, entering reasonable answers to all the questions that appear.
sudo apt-get install apache2
sudo apt-get install mysql-server mysql-client
sudo mysql_secure_installation
sudo systemctl start mysql.service
sudo mysql -u root -p

Create the Drupal Database

At the mysql> prompt, execute these commands:
CREATE DATABASE drupal;
CREATE USER drupaluser@localhost IDENTIFIED BY 'password';

GRANT ALL ON drupal.* TO drupaluser@localhost;

FLUSH PRIVILEGES;
exit

Install PHP

On the Ubuntu server, execute these commands.
sudo apt-get install php 
sudo apt-get install libapache2-mod-php php-mysql php-xml 
sudo apt-get install php-curl php-gd 
sudo apt-get install imagemagick 
sudo apt-get install php-recode php-tidy php-xmlrpc

Install Drupal

On the Ubuntu server, execute these commands.
cd /tmp && wget ftp.drupal.org/files/projects/drupal-7.26.tar.gz
tar xzvf drupal*
sudo mv drupal-7.26/* /var/www/html

cp /var/www/html/sites/default/default.settings.php /var/www/html/sites/default/settings.php

sudo rm /var/www/html/index.html

sudo chmod -R 755 /var/www/html/*
sudo chown -R www-data:www-data /var/www/html/*

sudo a2enmod rewrite
sudo a2enmod env
sudo a2enmod dir
sudo a2enmod mime
On the Ubuntu server, execute this command:
sudo nano /etc/apache2/sites-enabled/000-default.conf
Remove all the contents and insert the code shown below.
<VirtualHost *:80>

     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

      <Directory /var/www/html/>
           Options FollowSymlinks
           AllowOverride All
           Require all granted
      </Directory>
      <Directory /var/www/html/>
           RewriteEngine on
           RewriteBase /
           RewriteCond %{REQUEST_FILENAME} !-f
           RewriteCond %{REQUEST_FILENAME} !-d
           RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
      </Directory>

</VirtualHost>
Savee the file with Ctrl+X, Y, Enter.

Execute this command to restart Apache2:

sudo systemctl restart apache2

Set Up Drupal

In the Google Cloud Platform console, find the external IP address of your Drupal server, as shown below.

In a Web browser, open this URL, adjusting the IP address as necessary:

http://34.73.73.12
The Drupal installation page opens, as shown below.

Install Drupal with the default options. You chose the Drupal database name, username, and password earlier, after installing "MySQL".

DON'T ALLOW UPDATES!

We need to use an old, vulnerable version of Drupal.

Your Drupal page appears, as shown below.

2: Record Your Success (5 pts)

At the top right of this page, click Reports, "Status report". The text covered by the green box in the image below is the flag.


Task 3: Install Splunk

Getting the Download Link

In a Web browser, go to

https://www.splunk.com

At the top right, click the tiny head-and-shoulders icon, outlined in aqua in the image below.

If you have a Splunk account, log in. Otherwise create one now.

At the top right, click the green "Free Splunk" button.

At the lower left of the next page, in the "Splunk Enterprise" sectin, click "Download Free 60-Day Trial", as shown below.

On the next page, click the Linux tab, and, in the ".deb" line, click the "Download Now" button, as shown below.

On the next page, accept the agreement and click the "Start Your Download Now" button, as shown below.

When the download starts, cancel it. At the top right of the next page, click "Command Line (wget)".

Highlight the command in the pop-up box and copy it, as shown below.

Installing the Software

On your Target Linux machine, in a terminal window, execute the command you just copied. The file downloads, as shown below.

On the Ubuntu server, execute these commands.

sudo dpkg -i splunk-7.2.5-088f49762779-linux-2.6-amd64.deb
cd /opt/splunk/bin
sudo ./splunk start
A license agreement fills the screen. Press Q to close it.

Enter y to agree to the license. Enter a username and password for Splunk.

Splunk installs, as shown below.

Viewing the Splunk Page

Open this URL, replacing the IP address with the public IP address of your Drupal server:
http://34.73.73.12:8000
The page won't open, because the Google Cloud firewall is blocking it.

Opening Port 8000

In the Google Cloud Platform page, in the line for your Drupal server, on the right side, click the three-dot icon, and click "View network details", as shown below.

On the next page, on the left side, click "Firewall rules".

At the top center, click "CREATE FIREWALL RULE", as shown below.

Add a new "ingress" rule allowing port 8000, as shown below.

Open the Splunk management page again. It appears, as shown below.

Log in with the administrator credentials you specified when installing Splunk, as shown below.

3: Record Your Success (15 pts)

In the Splunk management page, at the too, click Settings, "Server settings", "General settings".

The text covered by the green box in the image below is the flag.


Task 4: Monitoring the Logs

In the Splunk administration page, click "Add Data", as shown below.

If a box pops up asking you to take a tour, click Skip.

In the next page, scroll down to the "Or get data in with the following methods" section, and click Monitor, as shown below.

In the "Add Data" screen, on the left side, click "Files & Directories".

On the right side, enter a "File or Directory" of

/var/log
as shown below.

At the top right, click the green Next button.

Click Review. Click Submit.

Click "Start Searching".

If a box pops up asking you to take a tour, click Skip.

Splunk shows log entries, as shown below.

Finding Private IP Address

On your Drupal target server, execute this command:
ip a
Find your server's private IP address, as highlighted in the image below.

Enabling Password Authentication

On your Drupal target server, execute this command:
sudo nano /etc/ssh/sshd_config
Enable password authentication, as shown below.

Save the file with Ctrl+X, Y, Enter.

Execute this command to restart SSH:

sudo systemctl restart ssh

Making Login Attempts

On your attacker server, execute this command, replacing the IP address with the private IP address of your Drupal server.
ssh fred@10.142.0.4
Enter incorrect passwords several times, as shown below.

Viewing Recent Events

In the Splunk management page, at the top left, click splunk. The main Splunk page appears, as shown below.

On the left side, click "Search & Reporting".

In the Search page, in the lower right, click the "Data Summary" button, as shown below.

A "Data Summary" box pops up, as shown below.

Click the hostname of your server, which appears in blue letters.

4: Record Your Success (10 pts)

In Splunk, find a "Failed password" event for "fred", as shown below.

The text covered by the green box in the image below is the flag.


Task 5: Install Suricata

Installing Suricata from a PPA Repository

On your Drupal target server, execute these commands:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt-get install suricata 

Configuring a Test Rule

On your Drupal target server, execute this command:
sudo nano /etc/suricata/rules/test-ddos.rules
Paste in the code below. This rule fires when there are more than 10 attempted connections within one second.
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 20, seconds 1; sid:1000001; rev:1;)
Save the file with Ctrl+X, Y, Enter.

On your Drupal target server, execute this command:

sudo nano /etc/suricata/suricata.yaml
Press Ctrl+W and search for "rule-files".

Adjust the "default-rule-path" and insert a "Custom Test Rule", as shown below.

Use Ctrl+W to find all references to "eth0" and change them to "ens4"

Save the file with Ctrl+X, Y, Enter.

Start Suricata

On your Drupal target server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Monitor the Suricata Log

On your Drupal target server, execute this command:
tail -f /var/log/suricata/fast.log

Perform a SYN FLOOD Attack

On the attack server, execute these commands, replacing the IP address in the second command with the address of your Drupal server.
sudo apt install hping3
sudo hping3 -c 20 -S -p 80 -i u10000  10.142.0.4
The packet flood runs, as shown below.

5: Record Your Success (15 pts)

An alert appears on the target server.

The text covered by the green box in the image below is the flag.


Task 6: Updating Suricata Rules

Getting the Rules

On your Drupal target server, execute this command:
sudo suricata-update
This places a ruleset into the directory highlighted in the image below:

Configurting Suricata to Use the New Rules

On your Drupal target server, execute this command:
sudo nano /etc/suricata/suricata.yaml
Press Ctrl+W and search for "rule-files".

Adjust the "default-rule-path" and comment out the "Custom Test Rule", as shown below.

Save the file with Ctrl+X, Y, Enter.

Restarting Suricata

On your Drupal target server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Viewing Suricata Alerts in Splunk

In your Splunk page, at the top left, click splunk>

On the left side, click "Search & Reporting".

In the lower center, click the "Data Summary" button.

In the "Data Summary" box, click the Sources tab. Several source files appear, as shown below.

In the "filter" box, enter sur

Several Suricata files appear, as shown below.

Click /var/log/suricata/fast.log.

The alert you saw previously appears in Splunk, as shown below.

Perform Another SYN FLOOD Attack

On the attack server, execute this command, replacing the IP address in the second command with the address of your Drupal server.
sudo hping3 -c 20 -S -p 80 -i u10000 10.142.0.4

Viewing the Suricata Alert in Splunk

In Splunk, at the top right, click the green magnifying glass button.

6: Record Your Success (10 pts)

An alert appears, as shown below.

The text covered by the green box in the image below is the flag.


References

How to Install Drupal CMS on Ubuntu 17.04 / 17.10
MKorostoff/drupalgeddon
Install and Setup Suricata on Ubuntu 18.04

Posted 3-21-19
Log entry image fixed 4-11-19