Pham Tung Duong duongkai

## compromised_debian.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                duongkai
                / compromised_debian.md
            
            
              Created
              November 1, 2022 06:50
            
              
                Compromised debian.
              
          
    One server has been compromised. The Incident Response team has acquired its image for further forensics.
So, your task is reviewing this server image and develop a investigation report to answer what hacker had done on this server.
Image download link: https://drive.google.com/file/d/1DAJ0F8IbaTQQ_pqG73mE1qsJ5-ng0DCi/view?usp=sharing
Access credential:

rc3user:toor
root:toor

When review a Linux server, an investigator often reviews these places

bashrc


## cloud_metadata.txt
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

## links.txt
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-4.14.18-300.fc27.aarch64.rpm
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-core-4.14.18-300.fc27.aarch64.rpm
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-devel-4.14.18-300.fc27.aarch64.rpm
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-headers-4.14.18-300.fc27.aarch64.rpm
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-4.14.18-300.fc27.aarch64.rpm
https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-extra-4.14.18-300.fc27.aarch64.rpm

## modsec_error.log
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "44"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.0.4"] [uri "/identity-authorization-service/api/v1/authorization"] [unique_id "15158061678.717189"] [ref "v699,1"]

ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "118"] [id "920130"] [rev "1"] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"

## modsecurity.conf
# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly


# -- Request body handling ---------------------------------------------------

## iops.txt


1x 256GB  a single drive  232 gigabytes ( w= 441MB/s , rw=224MB/s , r= 506MB/s )

2x 256GB  raid0 striped   464 gigabytes ( w= 933MB/s , rw=457MB/s , r=1020MB/s )
2x 256GB  raid1 mirror    232 terabytes ( w= 430MB/s , rw=300MB/s , r= 990MB/s )

3x 256GB  raid5, raidz1   466 gigabytes ( w= 751MB/s , rw=485MB/s , r=1427MB/s )

4x 256GB  raid6, raidz2   462 gigabytes ( w= 565MB/s , rw=442MB/s , r=1925MB/s )

## note.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                duongkai
                / note.md
            
            
              Last active
              December 20, 2016 13:18
            
              
                Surface linux installation
              
          
    Install Linux


Disable TPM, it also disables SecureBoot.


Boot from USB.


Fedora 25: keyboard, touch screen does not work


Mint: add PPA https://launchpad.net/~tigerite/+archive/ubuntu/kernel
sudo add-apt-repository ppa:tigerite/kernel
sudo apt-get update


## lecture_note.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              1 star
            
          
                duongkai
                / lecture_note.md
            
            
              Last active
              July 30, 2018 05:57
            
              
                CISSP lectures note
              
          
    Day 2

Chapter 2. Asset

Change management


Change Management

Create Change Request
Submit to CAB (Change advisory board)
Review the CR and impact
Create rollback plan


Hacking lifecycle


## System Design.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                duongkai
                / System Design.md
            
            
              Created
              April 20, 2016 06:51
                — forked from vasanthk/System Design.md
            
              
                System Design Cheatsheet
              
          
    #System Design Cheatsheet

Picking the right architecture = Picking the right battles + Managing trade-offs

##Basic Steps

Clarify and agree on the scope of the system


User cases (description of sequences of events that, taken together, lead to a system doing something useful)

Who is going to use it?
How are they going to use it?


## Ajnomoto - TVC
Vì cuộc sống Việt
https://www.youtube.com/watch?v=_OGr1MB9bVs

https://www.youtube.com/watch?v=RNbh2exZHdY

Mái ấm gia đình
https://www.youtube.com/watch?v=0d5hk_aKfLg

Vị ngon gắn kết
https://www.youtube.com/watch?v=37lQWkD4dfc
	## AWS
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/ami-id
	http://169.254.169.254/latest/meta-data/reservation-id
	http://169.254.169.254/latest/meta-data/hostname
	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-4.14.18-300.fc27.aarch64.rpm
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-core-4.14.18-300.fc27.aarch64.rpm
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-devel-4.14.18-300.fc27.aarch64.rpm
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-headers-4.14.18-300.fc27.aarch64.rpm
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-4.14.18-300.fc27.aarch64.rpm
	https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-extra-4.14.18-300.fc27.aarch64.rpm
	ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "44"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.0.4"] [uri "/identity-authorization-service/api/v1/authorization"] [unique_id "15158061678.717189"] [ref "v699,1"]

	ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "118"] [id "920130"] [rev "1"] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"
	# -- Rule engine initialization ----------------------------------------------

	# Enable ModSecurity, attaching it to every transaction. Use detection
	# only to start with, because that minimises the chances of post-installation
	# disruption.
	#
	SecRuleEngine DetectionOnly


	# -- Request body handling ---------------------------------------------------


	1x 256GB a single drive 232 gigabytes ( w= 441MB/s , rw=224MB/s , r= 506MB/s )

	2x 256GB raid0 striped 464 gigabytes ( w= 933MB/s , rw=457MB/s , r=1020MB/s )
	2x 256GB raid1 mirror 232 terabytes ( w= 430MB/s , rw=300MB/s , r= 990MB/s )

	3x 256GB raid5, raidz1 466 gigabytes ( w= 751MB/s , rw=485MB/s , r=1427MB/s )

	4x 256GB raid6, raidz2 462 gigabytes ( w= 565MB/s , rw=442MB/s , r=1925MB/s )
	Vì cuộc sống Việt
	https://www.youtube.com/watch?v=_OGr1MB9bVs

	https://www.youtube.com/watch?v=RNbh2exZHdY

	Mái ấm gia đình
	https://www.youtube.com/watch?v=0d5hk_aKfLg

	Vị ngon gắn kết
	https://www.youtube.com/watch?v=37lQWkD4dfc