This CTF challenge is made by The Honeynet Project organization. This challenge is a combination of several entry to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography.
# Challenge Information
Description
You belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.
Challenge Link & Author
CyberDefenders - EscapeRoom
The Honeynet Project Twitter Profile
# Walkthrough
We start analyzing the pcap file, i open it with Brim Security and checking the alerts!! Oh god! A lot of ssh flows! mmm I guess the attacker try to gain access through the ssh service, he did a bruteforce attack !
1- What service did the attacker use to gain access to the system?
The attacker use ssh protocol to gain access to the system !
Answer: ssh
2- What attack type was used to gain access to the system?(one word)
We found a lot of ssh packets! I am sure this is a bruteforce attack
Answer: bruteforce
3- What was the tool the attacker possibly used to perform this attack?
One of the most famous tools that can do this type of attack is hydra
Hydra is an amazing tool for testing the strength of your SSH security. It is capable of running through massive lists of usernames, passwords, and targets to test if you or a user is using a potentially vulnerable password.
Answer: Hydra
4- How many failed attempts were there?
Let’s inspect the alert events in Brim Security and apply the count() by feature in the alert.signature
. We found 53 NetSSH Hardcoded in Metasploit
. We decrease by 1 the success one!
Answer: 52
We have the hashes of the passwords! We know that the hashes are SHA-512(UNIX). The black cat (oh means hashcat) will help us cracking these hashes!
ٍ
1 | hashcat -a 0 -m 1800 shadow.log rockyou.txt |
5- What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log.
Just wait for hashcat man!
manager:forgot
6- What other credentials (username:password) could have been used to gain access also have SUDO privileges? Refer to shadow.log and sudoers.log.
Hashcat will save you for sure !
sean:spectre
7- What is the tool used to download malicious files on the system?
Let’s check the user-agent
in brim security. you can do it with wireshark too!
Answer: wget
8- How many files the attacker download to perform malware installation?
Checking the non-media files in brim security will help us to know about the files
Answer: 3
9- What is the main malware MD5 hash?
The malware is an executable file for sure! let’s check it
Open the details about it and you’ll get the md5sum !
Answer: 772b620736b760c1d736b1e6ba2f885b
We found this bash script that rename the malware mail and hide it in /var/mail/ directory and make it executable at the startup!
1 |
|
10- What file has the script modified so the malware will start upon reboot?
The script /etc/rc.local is for use by the system administrator. It is traditionally executed after all the normal system services are started
Answer: /etc/rc.local
11- Where did the malware keep local files?
/var/mail/
12- What is missing from ps.log?
In the ps.log we don’t find the process related to the malware (the mail executable)
/var/mail/mail
13- What is the main file that used to remove this information from ps.log?
There is another binary that moved and renamed as sysmod.ko
Answer: sysmod.ko
14- Inside the Main function, what is the function that causes requests to those servers?
After unpacking the malware. I opened the binary with IDA Pro to decompile it. Check the main function and we found this !
Answer: requestFile
15- One of the IP’s the malware contacted starts with 17. Provide the full IP.
requestFile function use address array as parameters. let’s check it ! we found all the IP address. COOL !
Answer: 174.129.57.253
16- How many files the malware requested from external servers?
This is easy man ! just check the other downloaded files !
Answer: 9
17- What are the commands that the malware was receiving from attacker servers? Format: comma-separated in alphabetical order
After spending time on thinking and searching. We get the idea !
The malware will get message form attacker servers! So let’s check some functions call that related to something like messaging ! You’ll find these functions in main !
The function check if the parameter has these 2 values ! I want to check it
After using python to convert the numbers to text using long_to_bytes function i found that 2 values are instruction in the assembly , Bingo we get it !
Answer: nop,run