PSA: A Safety Lesson about Team ServersApril 21, 2013
Here’s a fun anecdote for you. I usually run a Cobalt Strike team server the CCDC events and other exercises I go to. No problem. I have a virtual machine I use as the team server. There are no sensitive files on it and fortunately, it’s a virtual machine. I don’t care what happens to it.
At the end of the National CCDC event, our team captain announced that if we have access, we’re wrong… burn it! So, in a maniacal way, all of us jumped on sessions and destroyed system after system. All well and good, this is standard operating procedure for most exercise red teams… at the very end of an event.
In our maniacal zeal to take these actions, we sometimes make mistakes, it happens.
Anyways, let me relay a little factoid.
The Metasploit Framework has a console. Any input the console does not understand is immediately passed to the operating system, for your convenience. This input is run and its output is presented to you, the user. In classes, I’ve seen many people think they have shell when they type whoami in a Metasploit Console and learn that they’re root. They’re root, but it’s on their own system.
So, in the zeal at the end of the National CCDC event, someone issued an rm -rf / command to my team server. I lost data that would later become a large generated report I could provide to the teams (next year!). I’m not too worried about that. I wanted to speak to the safety lesson, one I discovered later.
I told VMWare to share folders with my host operating system. Fortunately, I was sharing just a dropbox folder with several tools that I keep around. I have a backup of all this stuff, no big deal.
These folders were gone!
If I had shared my home folder… oh boy! That was a close call, pretty funny since no harm came of it. Pretty scary otherwise.
If you’re going to host infrastructure for an event, do it on a separate server. If you’re crazy enough to use your laptop, like I am, make sure there’s isolation between your virtual machine and your operating system.