Bulletproof Penguin Writeup

Date: 20-10-2025 | Platform: TryHackMe | Difficulty: Medium

Overview

Can you harden this Linux server? Bulletproof Penguin is a comprehensive TryHackMe room focused on system hardening and security best practices. You'll work through multiple security tasks to secure various services and configurations, earning flags for each successfully hardened component.

Room Objectives

This room covers system hardening concepts including:

1. Redis Authentication

What is the redis_nopass flag?

Redis was running without authentication, allowing unauthorized access. To secure Redis, we need to enable authentication.

sudo systemctl edit redis

Add authentication configuration to Redis. The correct documentation link for Redis authentication is:

https://redis.io/docs/latest/operate/oss_and_stack/management/security/#authentication

Flag: THM{ae4e5bb7aac2c2252363ca466f10ffd0}

2. SNMP Configuration

What is the snmp_public flag?

SNMP was configured with the default "public" community string, which lets anyone who can reach the service read system information. We need to configure proper SNMP security.

sudo nano /etc/snmp/snmpd.conf

Update SNMP configuration with secure community strings and proper access controls, then restart the service:

sudo systemctl restart snmpd

Flag: THM{aa397a808d527fd71f023c78d3c04591}
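The following script is an added example for this section, not code from the room or the writeup: it flags the default community strings that the snmpd.conf edit removes and writes an SNMPv3-only replacement, which goes one step beyond renaming the community. The user name "thmmonitor", the view OIDs and the passphrase placeholders are constructed for the demo; the sample configs are temp files, not the VM's own.

```shell
#!/bin/sh
# Added example, not from the room: flag the default community strings that
# section 2 removes from /etc/snmp/snmpd.conf and write an SNMPv3-only
# replacement. The user name "thmmonitor", the view OIDs and the passphrase
# placeholders are constructed for this demo; nothing here restarts snmpd.

# Return 0 when an uncommented line grants v1/v2c access with the default
# "public" or "private" community, in rocommunity/rwcommunity or the older
# com2sec syntax; return 1 otherwise.
snmp_has_default_community() {
    grep -vE '^[[:space:]]*#' "$1" | grep -qiE \
      '^[[:space:]]*((ro|rw)community6?[[:space:]]+(public|private)([[:space:]]|$)|com2sec6?[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+(public|private)([[:space:]]|$))'
}

# Return 0 when any v1/v2c community is still configured at all. A renamed
# community is still sent in cleartext, so the target is SNMPv3 only.
snmp_has_any_community() {
    grep -vE '^[[:space:]]*#' "$1" | grep -qiE '^[[:space:]]*((ro|rw)community6?|com2sec6?)[[:space:]]'
}

# write_hardened_snmpd FILE USER AUTHPASS PRIVPASS
# One SNMPv3 user at security level authPriv (SHA auth, AES privacy), read-only,
# limited to the system and host-resources subtrees, agent bound to loopback.
write_hardened_snmpd() {
    cat >"$1" <<EOF
# Listen on loopback only; widen this if a monitoring host must poll the agent
agentaddress 127.0.0.1,[::1]
# Views: expose only what monitoring needs
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# SNMPv3 user; snmpd moves createUser into its persistent store on startup
createUser $2 SHA "$3" AES "$4"
rouser $2 priv -V systemonly
sysLocation lab
sysContact admin@example.invalid
EOF
    chmod 600 "$1"   # the file carries passphrases until snmpd consumes createUser
}

# Constructed sample configs for the demo (not files from the room's VM).
WEAK_SNMPD=$(mktemp); HARD_SNMPD=$(mktemp)
trap 'rm -f "$WEAK_SNMPD" "$HARD_SNMPD"' EXIT
cat >"$WEAK_SNMPD" <<'EOF'
# stock-style snmpd.conf: world-readable with the default community
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rwcommunity  private 127.0.0.1
EOF
write_hardened_snmpd "$HARD_SNMPD" thmmonitor 'REPLACE_WITH_AUTH_PASSPHRASE' 'REPLACE_WITH_PRIV_PASSPHRASE'

for f in "$WEAK_SNMPD" "$HARD_SNMPD"; do
    if snmp_has_default_community "$f"; then
        echo "$f: default community string present (fix required)"
    elif snmp_has_any_community "$f"; then
        echo "$f: custom v1/v2c community (still cleartext, prefer SNMPv3)"
    else
        echo "$f: SNMVv3 only" | sed 's/SNMVv3/SNMPv3/'
    fi
done
```

After installing the hardened file and running `sudo systemctl restart snmpd`, a v2c query such as `snmpwalk -v2c -c public 127.0.0.1 system` should time out, while `snmpwalk -v3 -l authPriv -u thmmonitor -a SHA -A '<auth>' -x AES -X '<priv>' 127.0.0.1 system` should answer.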

3. Nginx Privilege Management

What is the nginx_asroot flag?

Nginx was running as root, presenting a significant security risk. We need to configure Nginx to run as a dedicated non-privileged user.

sudo nano /etc/nginx/nginx.conf

Modify the user directive to use a non-privileged account, then restart the service:

sudo systemctl restart nginx

Flag: THM{bebb02b22bb56b2f79ba706975714ee2}

4. Cleartext Services

4.1 What other cleartext service is running on port 69/udp?

TFTP (Trivial File Transfer Protocol) was running on UDP port 69, transmitting data without encryption.

Answer: TFTP

4.2 What is the cleartext_services flag?

To secure TFTP, we disable it or configure proper access controls:

sudo nano /etc/inetd.conf

Comment out or remove the TFTP service entry, then restart inetd:

sudo systemctl restart inetd.service

Flag: THM{33704d74ec53c8cf50daf817bea836a1}

5. SSH Cryptographic Hardening

5.1 What is the ssh_weak_macs flag?

SSH was configured with weak Message Authentication Code (MAC) algorithms. We need to disable insecure MAC algorithms.

sudo nano /etc/ssh/sshd_config

Update the MAC configuration to use only secure algorithms, then restart SSH:

sudo systemctl restart sshd

Flag: THM{e3d6b82f291b64f95213583dcd89b659}

5.2 What is the ssh_weak_kex flag?

SSH was using weak Key Exchange (KEX) algorithms. Secure key exchange algorithms must be enforced.

sudo nano /etc/ssh/sshd_config

Configure only modern, secure key exchange methods, then restart SSH:

sudo systemctl restart sshd

Flag: THM{d9baf598ee934d79346f425a81bd693a}

5.3 What is the ssh_weak_ciphers flag?

SSH was configured with weak encryption ciphers. Only strong encryption ciphers should be allowed.

sudo nano /etc/ssh/sshd_config

Update ciphers configuration to use only secure algorithms, then restart SSH:

sudo systemctl restart sshd

Flag: THM{9ff9c182cad601291d45951c01d0b2c7}
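As an added example for sections 5.1 to 5.3 (not part of the original writeup), the script below audits an sshd_config for the weak MAC, KEX and cipher names the three edits remove, and prints a hardened replacement block. The weak-name lists and the hardened lists are my own choices for OpenSSH 8.x/9.x, so check `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on the host before pasting; the sample configs are constructed temp files. It also goes beyond the page in one respect: fed the output of `sshd -T`, it audits the effective configuration, which covers keywords left at their defaults.

```shell
#!/bin/sh
# Added example, not from the room: audit an sshd_config for the weak MAC, KEX
# and cipher names that sections 5.1-5.3 remove, and print a hardened block.
# The weak and hardened lists are my choices for OpenSSH 8.x/9.x; verify with
# `ssh -Q cipher|mac|kex` on the host.

WEAK_CIPHERS='arcfour|3des-cbc|blowfish-cbc|cast128-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc'
WEAK_MACS='hmac-md5|hmac-sha1|umac-64|hmac-ripemd160'
WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1'

# sshd_option CONF KEYWORD: print the effective value of KEYWORD. sshd uses the
# FIRST uncommented occurrence of a keyword, so later duplicates are ignored.
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# sshd_weak_algorithms CONF: print "Keyword: weak1 weak2 ..." for each list that
# still carries a weak entry; return 0 if anything weak was found, 1 if clean.
# Works on /etc/ssh/sshd_config or on a saved copy of `sshd -T` output.
sshd_weak_algorithms() {
    conf="$1"; found=0
    for key in Ciphers MACs KexAlgorithms; do
        case $key in
            Ciphers)       weak=$WEAK_CIPHERS ;;
            MACs)          weak=$WEAK_MACS ;;
            KexAlgorithms) weak=$WEAK_KEX ;;
        esac
        value=$(sshd_option "$conf" "$key")
        [ -n "$value" ] || continue          # not set explicitly: default applies
        hits=$(printf '%s\n' "$value" | tr ',' '\n' | grep -iE "^($weak)" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$key" "$hits"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Hardened lists: AEAD/CTR ciphers, encrypt-then-MAC SHA-2 MACs, curve25519 and
# large-group SHA-2 key exchange. Paste into sshd_config, then `sshd -t`.
sshd_hardened_block() {
    cat <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
EOF
}

# Constructed sample configs (not the room's files).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
Port 22
# weak lists, mirroring the misconfiguration the room has you fix
Ciphers aes128-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-sha1,hmac-md5-96
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
EOF
{ echo 'Port 22'; sshd_hardened_block; } >"$HARD_CONF"

echo "== weak config =="
sshd_weak_algorithms "$WEAK_CONF" || echo "(clean)"
echo "== hardened config =="
sshd_weak_algorithms "$HARD_CONF" || echo "(clean)"
# On the VM, after editing: sudo sshd -t && sudo systemctl restart sshd
# then re-audit the effective config:
#   sudo sshd -T >/tmp/sshd-effective.conf && sshd_weak_algorithms /tmp/sshd-effective.conf
```

Running `sshd -t` before the restart matters: a typo in an algorithm name makes sshd refuse to start, and on a remote box that locks you out of the session you would use to fix it.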

6. Anonymous FTP

What is the anon_ftp flag?

vsFTPd was configured to allow anonymous FTP access, exposing the system to unauthorized file access. We need to disable anonymous access.

sudo nano /etc/vsftpd.conf

Set anonymous_enable=NO to disable anonymous FTP, then restart the service:

sudo systemctl restart vsftpd

Flag: THM{f20b5ff5a3d4c779e99c3a93d1f68c6d}
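The script below is an added example covering sections 3, 4 and 6 together (nginx running as root, TFTP served by inetd, anonymous vsftpd); it is not code from the room. Each check parses the relevant config file the way the service does, and the sample fragments are constructed temp files, so the script runs offline and never touches /etc or restarts anything.

```shell
#!/bin/sh
# Added example, not the room's own code: checks for the misconfigurations in
# sections 3 (nginx running as root), 4 (TFTP via inetd) and 6 (anonymous
# vsftpd), run against constructed config fragments so it works offline.

# nginx_worker_user NGINX_CONF: print the account named by the "user"
# directive (nginx's built-in default is "nobody" when it is absent). The
# master process still runs as root to bind 80/443; the workers must not.
nginx_worker_user() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "user" { sub(/;.*/, "", $2); u = $2 }
        END { print (u == "" ? "nobody" : u) }
    ' "$1"
}

# inetd_tftp_enabled INETD_CONF: return 0 if an uncommented tftp entry is
# present (fields: service socktype proto wait user server args).
inetd_tftp_enabled() {
    grep -vE '^[[:space:]]*#' "$1" | grep -qE '^[[:space:]]*tftp[[:space:]]'
}

# vsftpd_anon_enabled VSFTPD_CONF: return 0 if anonymous_enable is on. vsftpd's
# compiled-in default is YES, so a config that never sets it counts as enabled;
# booleans accept YES/NO, TRUE/FALSE and 1/0 case-insensitively.
vsftpd_anon_enabled() {
    v=$(awk -F= '/^[[:space:]]*#/ { next } $1 == "anonymous_enable" { v = $2 } END { print v }' "$1")
    case "$(printf '%s' "$v" | tr 'a-z' 'A-Z')" in
        NO|FALSE|0) return 1 ;;
        *)          return 0 ;;
    esac
}

# audit_services NGINX_CONF INETD_CONF VSFTPD_CONF: print one finding per
# problem and return the number of findings (0 = clean).
audit_services() {
    n=0
    u=$(nginx_worker_user "$1")
    [ "$u" = root ] && { echo "nginx workers run as root (user $u;)"; n=$((n+1)); }
    inetd_tftp_enabled "$2" && { echo "tftp enabled in inetd.conf (cleartext, 69/udp)"; n=$((n+1)); }
    vsftpd_anon_enabled "$3" && { echo "vsftpd anonymous_enable is on"; n=$((n+1)); }
    return $n
}

# Constructed samples: a weak and a fixed fragment per service (not VM files).
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf '%s\n' '# constructed nginx.conf fragment' 'user root;' 'worker_processes auto;' >"$D/nginx-weak.conf"
printf '%s\n' 'user www-data;' 'worker_processes auto;' >"$D/nginx-fixed.conf"
printf '%s\n' 'tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd -s /srv/tftp' >"$D/inetd-weak.conf"
printf '%s\n' '#tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd -s /srv/tftp' >"$D/inetd-fixed.conf"
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' >"$D/vsftpd-weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' >"$D/vsftpd-fixed.conf"

echo "== weak =="; audit_services "$D/nginx-weak.conf" "$D/inetd-weak.conf" "$D/vsftpd-weak.conf" || true
echo "== fixed =="; audit_services "$D/nginx-fixed.conf" "$D/inetd-fixed.conf" "$D/vsftpd-fixed.conf" || true
# Live-host counterparts after the restarts: ps -o user,pid,comm -C nginx
#   ss -ulnp | grep ':69 '     (nothing should listen on 69/udp)
#   grep '^anonymous_enable' /etc/vsftpd.conf
```

The vsftpd check is the one with a trap: commenting out `anonymous_enable=YES` does not disable anonymous access, because the compiled-in default is YES; the line must be present and set to NO, which is what the writeup's edit does.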

7. Password Policy

7.1 What is the change_pass flag?

User passwords were weak or default. We need to enforce strong password policies and change default passwords.

sudo passwd [username]

Change weak passwords to strong, complex passwords following security best practices.

Flag 1: THM{be74a521c3982298d2e9b0e347a3807d}

7.2 What is the change_pass flag?

Additional password changes were required for different user accounts to ensure all default/weak passwords are secured.

Flag 2: THM{1b354db0e71f75057abe69de26a637ab}

8. Sudoers Configuration

8.1 What is the sudoers_munra flag?

User 'munra' had excessive sudo privileges. We need to properly configure sudo access according to the principle of least privilege.

sudo visudo

Modify sudoers file to revoke unnecessary privileges for the munra user account.

Flag: THM{1e9ee13fb42fea2a9eb2730c51448241}

8.2 What is the sudoers_mary flag?

User 'mary' also had inappropriate sudo permissions. Proper access controls must be enforced.

sudo visudo

Configure appropriate sudo permissions for user mary following security best practices.

Flag: THM{a0bcb9b72fd26d0ad55cdcdcd21698f1}
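The script below is an added example for sections 8.1 and 8.2, not code from the room: it flags sudoers entries that hand a user unrestricted or passwordless root and builds a least-privilege replacement. The user names munra and mary come from the writeup; the commands granted in the replacement entries are my own illustration of the principle, not what the room expects you to grant, and the sudoers fragment is a constructed temp file.

```shell
#!/bin/sh
# Added example, not from the room: flag sudoers entries that hand a user
# unrestricted or passwordless root, the kind of grant sections 8.1 and 8.2
# remove, and build a least-privilege replacement. munra and mary are the
# writeup's users; the commands granted below are my own illustration.

# sudoers_overprivileged SUDOERS USER: print USER's active entries that grant
# ALL commands or carry NOPASSWD; return 0 if any were found. This reads one
# file only and does not follow @includedir /etc/sudoers.d or group grants
# (%sudo); on a live host audit the merged policy with `sudo -l -U USER`.
sudoers_overprivileged() {
    awk -v u="$2" '
        /^[[:space:]]*#/ { next }
        $1 == u && ($0 ~ /[[:space:]]ALL[[:space:]]*$/ || $0 ~ /NOPASSWD:/)
    ' "$1" | grep .
}

# least_privilege_entry USER CMD...: print one sudoers line that limits USER to
# the given absolute command paths, run as root, password still required.
least_privilege_entry() {
    u="$1"; shift; cmds=""
    for c in "$@"; do
        case "$c" in
            /*) ;;
            *) echo "refusing non-absolute command: $c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(root) %s\n' "$u" "$cmds"
}

# replace_user_entries SUDOERS USER NEWLINE: copy SUDOERS to a temp file with
# USER's active entries removed and NEWLINE appended; print the temp path so
# the caller can run `visudo -cf` on it before installing (or paste into visudo).
replace_user_entries() {
    tmp=$(mktemp)
    awk -v u="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == u { next }
        { print }
    ' "$1" >"$tmp"
    printf '%s\n' "$3" >>"$tmp"
    printf '%s\n' "$tmp"
}

# Constructed sudoers fragment mirroring the over-privilege described in 8.1/8.2.
SUDOERS=$(mktemp); trap 'rm -f "$SUDOERS" "$PROPOSED"' EXIT
cat >"$SUDOERS" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
munra   ALL=(ALL:ALL) ALL
mary    ALL=(ALL) NOPASSWD: ALL
EOF

for u in munra mary; do
    echo "== $u =="; sudoers_overprivileged "$SUDOERS" "$u" || echo "(no blanket grant)"
done

PROPOSED=$(replace_user_entries "$SUDOERS" munra "$(least_privilege_entry munra '/usr/bin/systemctl restart nginx')")
echo "== after replacing munra's entry =="; cat "$PROPOSED"
# On the VM: sudo visudo -cf "$PROPOSED" to syntax-check, then apply through
# `sudo visudo` as the writeup does; never copy a file over /etc/sudoers unchecked.
```

Why the absolute-path check: sudoers matches commands by path, and a bare name like `journalctl` is a syntax error that visudo would reject anyway; the function refuses it early so the proposed entry is always something `visudo -cf` can accept.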

9. Database Service Exposure

9.1 What is the mysql_port_public flag?

MySQL was publicly accessible on default port 3306. Database services should not be exposed to the public internet.

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

Configure MySQL to bind only to localhost (127.0.0.1), then restart the service:

sudo systemctl restart mysql

Flag: THM{526e33142b54e13bb47b17056823ab60}

9.2 What is the redis_port_public flag?

Redis was publicly accessible on default port 6379. We need to configure Redis to only accept local connections.

sudo nano /etc/redis/redis.conf

Set Redis to bind only to localhost (127.0.0.1), then restart the service:

sudo systemctl restart redis

Flag: THM{20a809866dbcf94109189c5bafabc5c2}
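The script below is an added example serving sections 1, 9.1 and 9.2 together, not code from the room: one idempotent set_directive helper applied to the three settings those sections change, requirepass and bind in /etc/redis/redis.conf and bind-address in /etc/mysql/mysql.conf.d/mysqld.cnf. It runs here on constructed temp-file fragments; the password value is a placeholder, and on the VM you would point it at the real files as root and then restart the services as the writeup does.

```shell
#!/bin/sh
# Added example, not from the room: an idempotent set_directive helper applied
# to the settings that sections 1, 9.1 and 9.2 change (requirepass and bind in
# redis.conf, bind-address in mysqld.cnf). Runs on constructed fragments here.

# set_directive FILE KEY VALUE [SEP]
# Comment out every active KEY line, then append "KEY VALUE" (or "KEY = VALUE"
# when SEP is "="), so running it twice never leaves duplicate directives.
set_directive() {
    file="$1"; key="$2"; value="$3"; sep="${4:-}"
    tmp=$(mktemp)
    awk -v k="$key" '
        $0 ~ ("^[[:space:]]*" k "([[:space:]]|=|$)") { print "# " $0; next }
        { print }
    ' "$file" >"$tmp"
    if [ "$sep" = "=" ]; then printf '%s = %s\n' "$key" "$value" >>"$tmp"
    else printf '%s %s\n' "$key" "$value" >>"$tmp"; fi
    cat "$tmp" >"$file" && rm -f "$tmp"   # cat keeps the target's owner and mode
}

# get_directive FILE KEY: print the first token of the last active KEY line,
# accepting both "KEY VALUE" and "KEY = VALUE" forms.
get_directive() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/=/, " "); if ($1 == k) v = $2 }
        END { print v }
    ' "$1"
}

# harden_redis REDIS_CONF PASSWORD: loopback only, protected mode, auth required.
# Generate PASSWORD with e.g. `openssl rand -base64 32`; never reuse "foobared".
harden_redis() {
    set_directive "$1" bind "127.0.0.1 -::1"
    set_directive "$1" protected-mode yes
    set_directive "$1" requirepass "$2"
}

# harden_mysql MYSQLD_CNF: bind to loopback. Appending is correct only when the
# last section of the file is [mysqld], as in Ubuntu's mysqld.cnf.
harden_mysql() {
    set_directive "$1" bind-address 127.0.0.1 =
}

# Constructed fragments standing in for the real config files.
REDIS_CONF=$(mktemp); MYSQLD_CNF=$(mktemp)
trap 'rm -f "$REDIS_CONF" "$MYSQLD_CNF"' EXIT
printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' 'port 6379' '# requirepass foobared' >"$REDIS_CONF"
printf '%s\n' '[mysqld]' 'user = mysql' 'bind-address = 0.0.0.0' 'port = 3306' >"$MYSQLD_CNF"

harden_redis "$REDIS_CONF" 'REPLACE_WITH_LONG_RANDOM_SECRET'
harden_mysql "$MYSQLD_CNF"
echo "== redis.conf =="; cat "$REDIS_CONF"
echo "== mysqld.cnf =="; cat "$MYSQLD_CNF"
# On the VM, after `sudo systemctl restart redis mysql`, confirm with:
#   ss -tlnp | grep -E ':(6379|3306) '   # both should show 127.0.0.1 only
#   redis-cli ping                       # expect: (error) NOAUTH Authentication required.
```

Binding to loopback and requiring a password are independent controls: the bind line stops remote connections, requirepass stops any local process (or an SSRF-style pivot through a web app on the same host) from issuing commands unauthenticated, and protected-mode is Redis's own safety net for the case where bind is accidentally widened again.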

Linux Hardening Best Practices

Core Security Principles

Common Hardening Areas

Hardening Automation

System hardening can be automated using tools like:

Lessons Learned

Useful Commands

# Check running services
sudo systemctl list-units --type=service

# Check listening ports
sudo ss -tuln

# Check file permissions
ls -la /etc/passwd

# Edit configuration files
sudo nano /etc/ssh/sshd_config

# Restart services
sudo systemctl restart sshd

# Check user privileges
sudo -l

# Audit system logs
sudo journalctl -u sshd