Target1: a One-Vulnerability VM
Now that you're in your subteams for the rest of the term, you're going to get started researching, imagining, designing, and building your final vulnerable virtual machines.
What you need to do
- Pick a team name. (See below for what we'll use it for.) Be nice, and at least make sure your team name has a 1-2 word nickname.
- Using VMware or UTM, create a new Linux virtual machine. You can either copy the one on the USB drive you got from Mike or build one from scratch. We'll call this VM the Target.
- Decide on a vulnerability you want to install on the Target. This should be a vulnerability that lets an attacker on the same network as the Target port-scan the Target with nmap, locate the problematic service one way or another, and exploit it to execute Unix commands on the Target.
- Implement the vulnerability.
- Test the vulnerability by attacking from your host machine.
- Export your VM to .vmdk format.
- Share your VM with the whole comps group (see the next section for details).
- Be prepared to offer a short verbal teaser/description of your VM for the class, to entice people to try to crack it.
How to share your VM
Once you have figured out how to export your VM and share it within your team (by physically passing your USB drives around), I would like you to share your VMs with the whole comps group.
To do this, Mike has created local accounts for you on the iMac Olin302-52 located, shockingly, in Olin 302. Paula has asked the OneCard people to give you access to that room, so you should be able to get in soon.
So, to share your VM export:
- Sit down at the iMac Olin302-52 and log in using your usual Carleton credentials
- Attach your USB drive to the iMac; note that Mike has placed a USB-A-to-USB-C adapter near that computer. Please leave the adapter there.
- If it doesn't already exist, create a folder /Users/Shared/SecurityComps/YOUR_TEAM_SHORT_NAME
- Copy your VM, named Target1.vmdk, to your folder. The "1" refers to this being the first VM you're going to share with the whole group.
Notes and references
- Want to use one of the web vulnerabilities from this week? That's fine. You could also try creating a vulnerability in the form of an unpatched server with a known public exploit. (I'll give you more info about how this looks on Friday in class.) Or, you know, whatever.
- Importing a VM from .ovf to Windows with VMware
- Importing a VM from .vmdk to Windows with VMware
- Importing a VM from .ovf or .vmdk to macOS with UTM
- Exporting a VMware VM to .vmdk
- Exporting a UTM VM and converting it to .vmdk
What's next?
- You'll deliver your first VMs by Monday, Jan 22
- You'll try to break into other people's VMs by Wednesday, Jan 24
We'll use class time and some of your study time over the next couple of weeks to explore a wider variety of vulnerability and attack types. Our first few topics along these lines will be:
- general pentesting methodologies
- reverse shells
- publicly available exploits, and how to find and use them
- users and groups
- sudo, sudoers, and gtfobins.github.io
- setuid and its many friends (seteuid, setreuid, setgid, the sticky bit, ...)
- Linux capabilities
- more about SQL injection
- is there a way to incorporate vulnerabilities that depend on human action, like phishing, cross-site scripting, etc.?
- is there a way to create a (small) vulnerable network of VMs instead of just one vulnerable VM?
- ...