
PSA: A Safety Lesson about Team Servers

April 21, 2013

Here’s a fun anecdote for you. I usually run a Cobalt Strike team server at the CCDC events and other exercises I go to. No problem. I have a virtual machine I use as the team server. There are no sensitive files on it and, fortunately, it’s a virtual machine. I don’t care what happens to it.

At the end of the National CCDC event, our team captain announced that if we have access, we’re wrong… burn it! So, in a maniacal way, all of us jumped on sessions and destroyed system after system. All well and good, this is standard operating procedure for most exercise red teams… at the very end of an event.

In our maniacal zeal to take these actions, we sometimes make mistakes; it happens.

Anyways, let me relay a little factoid.

The Metasploit Framework has a console. Any input the console does not recognize as one of its own commands is immediately passed to the operating system, for your convenience. This input is run on the system hosting the console and its output is presented to you, the user. In classes, I’ve seen many people think they have a shell when they type whoami in a Metasploit Console and learn that they’re root. They’re root, but it’s on their own system.

So, in the zeal at the end of the National CCDC event, someone issued an rm -rf / command to my team server. I lost data that would later become a large generated report I could provide to the teams (next year!). I’m not too worried about that. I wanted to speak to the safety lesson, one I discovered later.

I told VMware to share folders with my host operating system. Fortunately, I was sharing just a Dropbox folder with several tools that I keep around. I have a backup of all this stuff, no big deal.

These folders were gone!


If I had shared my home folder… oh boy! That was a close call, pretty funny since no harm came of it. Pretty scary otherwise.

If you’re going to host infrastructure for an event, do it on a separate server. If you’re crazy enough to use your laptop, like I am, make sure there’s isolation between your virtual machine and your host operating system: no shared folders, no mounted host filesystems.

🙂
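A quick check for the isolation the post asks for, added here as an example and not code from the original post: it scans a mount table in /proc/mounts format for filesystems that reach back into the host (VMware’s vmhgfs and fuse.vmhgfs-fuse, VirtualBox’s vboxsf, QEMU’s 9p and virtiofs) so you can see a shared folder before a team server goes live in the guest. It assumes a Linux guest; the sample mount table below is constructed for the demo.

```shell
#!/bin/sh
# Lists host-shared filesystems found in a mounts table (default: /proc/mounts).
# Returns 0 when the guest is isolated, 1 when at least one shared mount exists,
# 2 when the table cannot be read. /proc/mounts octal-escapes whitespace in
# paths, so splitting on blanks is safe.
host_shared_mounts() {
  mounts_file="${1:-/proc/mounts}"
  [ -r "$mounts_file" ] || { echo "cannot read $mounts_file" >&2; return 2; }
  found=0
  while read -r _dev mountpoint fstype _rest; do
    case "$fstype" in
      vmhgfs|fuse.vmhgfs-fuse|vboxsf|9p|virtiofs)
        printf 'host-shared mount: %s (%s)\n' "$mountpoint" "$fstype"
        found=1 ;;
    esac
  done < "$mounts_file"
  return $found
}

# Constructed sample tables for the demo (not taken from a real system).
SAMPLE_SHARED="$(mktemp)"
cat > "$SAMPLE_SHARED" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
.host:/dropbox /mnt/hgfs/dropbox fuse.vmhgfs-fuse rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF

SAMPLE_CLEAN="$(mktemp)"
cat > "$SAMPLE_CLEAN" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF

# Stand-alone demo: the shared table trips the check, the clean one passes.
if host_shared_mounts "$SAMPLE_SHARED"; then
  echo "sample guest looks isolated (unexpected)"
else
  echo "sample guest shares folders with its host; fix before going live"
fi
```

Run it with no argument inside the team server VM to check the real /proc/mounts.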

2 comments

  1. Glad to hear you didn’t have anything major destroyed, and yet I have to say perhaps it’s time for Metasploit to institute some additional protection measures. I mean, what if you were at a client site, mounted a remote file system of theirs after hacking in, and then that command was issued? Well, I bet you’re never working for that company again.
    Regardless, tell the team members next time the faster way and more forgiving way is to use fdisk. That way, if he realizes his mistake before he runs a reboot, the system isn’t completely screwed. And if I am not mistaken, because it’s just the partition table, it should still be recoverable with a boot disk, allowing you to recover the system.


    • This blog post was written because it was a funny side effect and I really wanted to show a different side of the exercise red team. I strongly disagree with your statement about safety features in the Metasploit Framework. It’s like asking for a child safety lock on a tank.

      We do not need a forgiving way to destroy systems. We only destroy systems in an exercise environment. We destroy them because it is funny. We do not want you to recover them.

      Penetration testers do not destroy systems during their engagements.

      I appreciate your speculation about all of the things that could go wrong, but I really feel it’s misplaced. Please, take this blog post for what it was meant to be: “haha, the (National CCDC) red team got a taste of their own medicine”.


