timb-machine

$ python3 PiKC.py

=== System Parameters Summary ===
System Role: web server
Open Ports: [80, 443, 8080]
IP Addresses: ['203.0.113.50']
Software: Apache httpd 2.4.54
Interactive User: False
Critical Asset: False
Virtualized: False

timb-machine

If you don't need persistence, why work so hard?

$ rm /foo; xmldbc -t "test:10:touch /foo"; ls -la /foo; xmldbc -D /tmp/config.xml; sleep 20; ls -la /foo
ls: /foo: No such file or directory
-rw-r--r--    1 root     root             0 Jun  5 22:11 /foo

timb-machine

Say for exmaple, you wanted a cron entry that would run persist.sh every 5 minutes...

$ xmldbc -s /system_mgr/crond/list/count "9"
$ xmldbc -s /system_mgr/crond/list/name:9 "persist"
$ xmldbc -s /system_mgr/crond/persist/count "1"
$ xmldbc -s /system_mgr/crond/persist/item:1/method "3"
$ xmldbc -s /system_mgr/crond/persist/item:1/1 "*/5"
$ xmldbc -s /system_mgr/crond/persist/item:1/2 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/3 "*"
$ xmldbc -s /system_mgr/crond/persist/item:1/4 "*"

timb-machine

Falcon-sensor strace:

1185 init_module(0x556ce33f8b00, 204357, "") = 0
1185 init_module(0x556ce3430940, 122757, "") = 0
1185 init_module(0x556ce342a950, 24541, "") = 0
1185 init_module(0x7f33243be010, 1718317, "configbuild=1007.8.0012905.1") = 0 

(gdb) catch syscall init_module
(gdb) run
…

timb-machine

$ ssh sshgw.stromberg.org The authenticity of host ‘sshgw.stromberg.org (136.47.201.206)’ can’t be established. RSA key fingerprint is SHA256:VqUUSiSuOQhm+3vrJG9VDb4fWa2dM23Th23T9D88+L4. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added ‘sshgw.stromberg.org’ (RSA) to the list of known hosts. OpenBSD 7.3 (GENERIC.MP) #0: Thu May 18 19:05:43 MDT 2023

Welcome to OpenBSD: The proactively secure Unix-like operating system.

timb-machine

<?php
if (password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "test", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"]) === password_hash("123567890123567890123567890123567890123567890123567890123567890123456789" . "hell", PASSWORD_BCRYPT, ["salt" => "1234567890123456789012"])) {
	print "matches\n";
}
?>

timb-machine

platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""

timb-machine

Recent:

$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64 
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)

timb-machine

NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074

timb-machine

$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151