TAMUctf 18 Writeup: HSO

Scenario - HSO

I really enjoyed this whole CTF. While I solved a few other challenges with my team, I liked these particular writeups because I feel they told a good, complete story with technical lessons. This was a neat scenario that described a breach and provided evidence to recreate the intrusion. This scenario focuses on network traffic, log analysis and Linux file system forensics. I also found the multiple-choice questions interesting (suggested answers), as it made it easier to brute force / guess solutions to save time.

00_Intrusion

Q 1: Are there any signs of an attack (yes/no)?
A 1: yes

Q 2: If so, what was the IP address of the attacker?
A 2: 10.0.0.44

Q 3: If so, what service was targeted?
A 3: ssh

The following statistics on the provided traffic show what looks like a brute-force attack on ssh.

01_Logs

Q 1: Was ssh used to compromise the server (yes/no)?
A 1: yes

Q 2: If so, what type of attack was used (zero-day, backdoor, brute-force, phishing)?
A 2: brute-force

Q 3: If so, what user was compromised?
A 3: ftp

Q 4: If so, what time did the compromise happen (MM/DD-HH:MM:SS)?
A 4: 11/04-10:43:00

Here we are provided auth logs that show exactly when the ssh brute force succeeded.
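As an added example (my own code, not part of the original writeup or the challenge files), this is the detection logic behind the 00_Intrusion and 01_Logs questions: parse sshd auth-log lines, count failures per source IP, and report the first login accepted after a burst of failures, giving the attacker IP, the compromised user and the compromise time in the challenge's MM/DD-HH:MM:SS format. The log lines are constructed to mirror the scenario, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not the CTF's evidence): a burst of
# failed logins from one source, then one success for the ftp user, then unrelated noise.
SAMPLE_AUTH_LOG = """\
Nov  4 10:42:55 web sshd[1820]: Failed password for invalid user admin from 10.0.0.44 port 51012 ssh2
Nov  4 10:42:56 web sshd[1821]: Failed password for root from 10.0.0.44 port 51013 ssh2
Nov  4 10:42:57 web sshd[1822]: Failed password for ftp from 10.0.0.44 port 51014 ssh2
Nov  4 10:42:58 web sshd[1823]: Failed password for ftp from 10.0.0.44 port 51015 ssh2
Nov  4 10:42:59 web sshd[1824]: Failed password for ftp from 10.0.0.44 port 51016 ssh2
Nov  4 10:43:00 web sshd[1825]: Accepted password for ftp from 10.0.0.44 port 51017 ssh2
Nov  4 10:43:00 web sshd[1825]: pam_unix(sshd:session): session opened for user ftp by (uid=0)
Nov  4 10:45:12 web sshd[1840]: Accepted publickey for alice from 192.168.1.5 port 40022 ssh2
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Traditional syslog timestamp, host, sshd[pid], then the Failed/Accepted line sshd writes on auth.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_auth_log(text):
    """Yield (timestamp as MM/DD-HH:MM:SS, result, user, ip) for each sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = f"{MONTHS[m['mon']]:02d}/{int(m['day']):02d}-{m['time']}"
            yield ts, m["result"], m["user"], m["ip"]

def find_brute_force_success(text, threshold=3):
    """Return the first successful login preceded by >= threshold failures from the same IP.

    The dict holds the attacker IP, the compromised user, the compromise time in the
    challenge's MM/DD-HH:MM:SS format and the failure count; None if no such login exists.
    """
    failures = defaultdict(int)          # failed attempts seen so far, keyed by source IP
    for ts, result, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:  # an Accepted login from an IP that was failing
            return {"ip": ip, "user": user, "time": ts, "failures": failures[ip]}
    return None

if __name__ == "__main__":
    print(find_brute_force_success(SAMPLE_AUTH_LOG))
```

On real evidence, feed the whole auth.log through the same functions; the publickey login from a different host at the end of the sample shows why the failure count must be tracked per source IP rather than globally.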

02_Analysis

Q 1: What is the password to the ftp user?
A 1: ftp

For this challenge, we are given a hash to crack, but I ended up guessing it, as it was simple.

03_Forensics

Q 1: List the series that were exfiltrated in alphabetical order, comma separated with no spaces, ex: (series_name_a,series_name_b,...).
A 1: game_of_chairs,golfers

For this challenge we are given a disk image to do file system forensics on. It's an LVM2 image containing two logical volumes. After we mount the LVM2 image, we can start to look at the logical volumes contained inside.
Now that I can look at the file system, I decided to pull the .bash_history files to get a quick list of the commands that were run. This shows a bunch of the attacker's post-exploitation actions.

04_Privilege_Escalation

Q 1: What was the highest level of access the attacker was able to obtain (ftp, root)?
A 1: root

Q 2: If the attacker was able to escalate privileges, list the sha1 hash of any files that may have been used to gain the higher level of access (hash0,hash1,hash2,...).
A 2: edb1b9f3a55ca63e32bbcd332e9b45dc17bfde43

Q 3: If the attacker was able to escalate privileges, what CVE was used (CVE-YYYY-NUMBER OR MSYY-NUMBER)?
A 3: CVE-2016-5195

The attacker used Dirty Cow (CVE-2016-5195) to escalate privileges.

05_Backdoor

Q 1: Are there any indications of an active compromise (yes/no)?
A 1: yes

Q 2: If so, is it a reverse shell (yes/no)?
A 2: yes

Q 3: If so, what IP address is the backdoor using?
A 3: 10.0.0.44

Q 4: If so, what port is the backdoor using?
A 4: 4444

Q 5: If so, what is the filename of the backdoor?
A 5: rs

Q 6: If so, what is the PID of the backdoor?
A 6: 1963

The provided netstat output shows a connection to port 4444, the default Metasploit listener port, being used as a callback to the attacker's server.

06_Persistence

Q 1: What method(s) is the attacker using for persistence, in alphabetical order, comma separated with no spaces (cron, rc.local, LD_PRELOAD, backdoored-system-binaries)?
A 1: backdoored-system-binaries,cron

Q 2: List the full path(s) to any file(s) connected to the persistence in alphabetical order, comma separated with no spaces (/dir/file0,/dir/file1,...).
A 2: /bin/...,/bin/cat,/bin/ls

We can recover the cron temp file here and see how ls was used, along with the backdoored system binaries (from the previous bash history screenshot), to achieve persistence.

07_Lateral_Movement

Q 1: What are the IP address(es) of the attacked machines (sorted by last octet, comma separated, no spaces)?
A 1: 192.168.1.20

Q 2: What attack may have been used (CVE-YYYY-NUMBER OR MSYY-NUMBER, comma separated no spaces)?
A 2: MS08-067

Here we go back to the pcap from before and look at the SMB traffic this time. The attacker used SMB to move laterally.