Defense while attacking with Hackthebox and Wazuh

Hello blue team,

Today I am going to share on how to make your pentesting activites on hackthebox even exciting. I would like to bring you to the different side of world when you are doing a pentesting activities such as nmap, web crawling, exploitation and lateral movement from the eyes of defender.

Why i am doing this, because i like to be the purple team which sitting on the middle of Red and Blue team. I managed to install wazuh client on one of hack the box machine. Don’t worry about the other HTB member. It will not disturb them as my membership is VIP+, this box is fully dedicated for me.

So with the WAZUH agent installed, I can see what alerts are triggered and what not so that I know which activities of my pentesting activities is quite safe (default setup). In the other hand, I also know which alert that are not triggered that requires creating new rules or finetuning the existing one.

Web Dir Forced Browsing (Feroxbuster)

I tested to do directory finding using feroxbuster to do a forced browsing with the setup like below image

We can see that Wazuh gives us highglight of some activities are actually happening at the backend and show them in the beautiful chart in the dashboard like below. It detect that there are few activities which related to web, recon and web_scan

We can also drill down into some categories of the event. We can see that our feroxbuster cause alot of web server error 400

Running Linpeas.sh

If we run linpeas.sh on the server then we can see that there are new category event are shown to the dashboard which related to authentication_failed, pam and sudo

We can see that default Wazuh setup is quite OK, eventhough there are more things can be finedtuned to have a better detection. I will post some of my finetuning in order to detect my activities with Wazuh

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s