In a previous post, I wrote about how to get a reverse shell on Drupal 7 (and possibly earlier).  I'm currently working on a project involving Drupal and I'm also teaching a class this weekend -- I thought... why not pair the two together.  I figured if I built something for the class with Drupal, that would lend a hand with my project.  Familiarity and such.  I "thought" I was going to recycle my knowledge from the previous post but it turns out in Drupal 8, they removed the filter function which allows you to insert PHP into the posts.  After some reading, it turns out their reasoning was due to the fact that hackers can exploit this functionality. 

"Cymmetria’s MazeRunner platform lets you dominate an attacker’s movements from the very beginning and lead them to a monitored deception network."

Let me start off by saying that this is a wicked cool product!  It was really well thought out and it shows when you're bolting on each of the pieces to build your puzzle maze.  Despite this being the community version, it is very functional and gives you a really good idea as to how it can help protect your network.

The community version comes as an OVA.  After you spin it up, you are presented with the login page:

I've been thinking about honeypots for the last few weeks and as I've been playing around with the various products, I wondered what it would take to write something up in Python.  Initially, I had these grand ideas but then it sort of dawned on me that a lot of what I'd been conjuring up would be a reinvention of the wheel.

With a honeypot, what do we really need?  If we're building a web server, we need to answer HTTP requests, we need some sort of logging, and we need some method to alert.  I could build something from scratch or I could leverage some existing tools.  Rather than alerting, I'm going with an IP ban by using Fail2Ban, but it can also trigger emails, which is something I might add later.

The description states:  "nightfall is a born2root VM designed for beginners."

I have to say that I was sort of disappointed at the direction this went because I thought it was going one way and then it ended up going another.  I guess if I had given some attention to the description, I would have realized my direction is a little more than beginner, but I guess that's also in the eye of the beholder.  Anyway, let's get after it...

If it seems like I'm on some sort of Wile E. Coyote quest to build the perfect booby trap, that is actually not the case despite how things look.  Canaries, mazes, honeypots, there's definitely a recent theme and it's all related to a current project.  The Pentbox honeypot doesn't actually fit my need but I saw it, downloaded it, and I thought it was an interesting idea.  Pentbox is actually an enumeration toolkit of sorts, but the honeypot feature is based on a question -- what happens if someone tries to hack the penetration tester?

I think the assumption is that you need to have something watching your back when you're working, and that's where the honeypot feature comes into play.  After playing around with it for a minute or two, the most obvious setup is that you pop open a tab, launch the honeypot, and just leave that tab open.  Not to spoil, but there's an advanced section where you can configure the system to beep on an alert.

Disclosure date:  9/23/19

Grav CMS v1.6.16 and possibly earlier versions are affected by numerous Cross Site Scripting vulnerabilities.  This vulnerability can be exploited with or without an authenticated account.

All things considered, this is fairly benign as far as I can tell.  There are a number of built-in protections and I think this is just a small hole that would be difficult (for me) to exploit.  That said, I like the exercise.

© 2020