Over a year has passed since I’ve last done anything related to penetration testing. I decided to tackle the SwagShop machine on HackTheBox to ease back into things since it has a nice friendly green “Easy” rating. Note: This post is hidden until the machine is “Retired” to avoid spoilers to the community.
The explosion of cryptocurrency in recent years spurred a wave of exploits targeting unsuspecting machines to mine cryptocurrency for the attackers. Earlier in the year, the JW Player DevOps team discovered one of the aforementioned miners running on our development and staging Kubernetes clusters.
To be clear, our production cluster was not affected, no JW Player customer data was accessed or exposed, and service was uninterrupted. Malicious actors are not always intent on stealing information or taking a website down, they can be just as content (or more so) in stealing your compute power. We take any intrusion very seriously though, and wanted to share our findings to help other DevOps teams harden their systems.
This blog post is broken up into several parts detailing — discovery and diagnosis, our immediate response, discovering and replicating the attack vector, damage assessment, and plans for preventative measures to further protect our systems.
When using VMWare to do work on my virtual machines, I came across an annoying bug where all my SSH connections failed:
$ ssh firstname.lastname@example.org
packet_write_wait: Connection to 22.214.171.124 port 22: Broken pipe
Following up on my Bandit post, OverTheWire Natas teaches the basics of serverside web-security. These are quick notes for my solutions to level 0-10. I’ll be doing these in preperation for the OSCP pentesting course I plan on taking.
The password to this level is listed on the natas game description: