CBD: Hacked
CyberDefenders: Hacked
You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).
Tools:
Download the challenge file by clicking the download challenge button. Unzip the file as follows:
unzip c53-Hacked.zip
What is the .E01 file format?:
Developed by ASR Data, the Expert Witness file format (aka E01 format aka EnCase file format) is an industry standard format for storing "forensic" images. The format allows a user to access arbitrary offsets in the uncompressed data without requiring decompression of the entire data stream. The specification does NOT provide for quantifiable assurance of integrity; it is up to the implementation to provide meaningful authentication for any data contained in an "evidence file". - .E01 format
I work as root in my Linux VMs. If you don't, add sudo before the commands.
To mount the .E01 image I followed the guide provided above in the tools section:
Install the required tools:
apt install ewf-tools sleuthkit kpartx
Create a mountpoint and mount the .E01 image:
mkdir image
ewfmount Webserver.E01 image
ls -la image
mmls - Display the partition layout of a volume system (partition tables)
mmls image/ewf1
Create a mountpoint for the partition:
mkdir hacked.dsk
ls -la
kpartx - Create device maps from partition tables
lvscan - List all logical volumes in all volume groups
kpartx -a -v image/ewf1
lvscan
Mount the partition to the mountpoint in read-only mode:
mount -o ro,noload /dev/VulnOSv2-vg/root hacked.dsk
ls -la hacked.dsk
We can check the mount as follows:
mount | grep hacked.dsk
All set, now we can get to work:
Questions
1. What is the system timezone?
cd hacked.dsk
cat etc/timezone
2. Who was the last user to log in to the system?
tail -20 var/log/auth.log
Answer: mail
3. What was the source port the user 'mail' connected from?
tail -20 var/log/auth.log | grep sshd | grep -i accepted
Answer: 57708
4. How long was the last session for user 'mail'? (Minutes only)
Answer: 1
5. Which server service did the last user use to log in to the system?
Answer: sshd
6. What type of authentication attack was performed against the target machine?
Answer: bruteforce
We can see loads of authentication failures in var/log/auth.log for the username root, indicating the attacker attempted a bruteforce attack against SSH.
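Questions 2 to 6 are all answered by the same sshd lines in auth.log. The script below is an added example (not part of the original writeup) that automates that triage over constructed sample lines in auth.log format: it counts failed passwords per user and source, records the last accepted login with its source port, and computes the session length from the pam_unix open/close lines. The hostname, IPs and timestamps are made up; the log carries no year, so one is assumed when parsing timestamps.

```python
import re
from datetime import datetime

# Constructed sample in var/log/auth.log style (not the challenge's real log).
AUTH_LOG = """\
Oct 15 15:29:57 VulnOSv2 sshd[1804]: Failed password for root from 192.0.2.25 port 55128 ssh2
Oct 15 15:29:58 VulnOSv2 sshd[1806]: Failed password for root from 192.0.2.25 port 55130 ssh2
Oct 15 15:29:58 VulnOSv2 sshd[1808]: Failed password for root from 192.0.2.25 port 55132 ssh2
Oct 15 15:31:03 VulnOSv2 sshd[1861]: Accepted password for mail from 192.0.2.25 port 57708 ssh2
Oct 15 15:31:03 VulnOSv2 sshd[1861]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Oct 15 15:32:31 VulnOSv2 sshd[1861]: pam_unix(sshd:session): session closed for user mail
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")
OPENED = re.compile(r"session opened for user (\S+)")
CLOSED = re.compile(r"session closed for user (\S+)")

def stamp(line, year=2019):
    """Parse the syslog timestamp; the log has no year, so one is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def triage(log):
    """Summarise sshd activity: failures per (user, ip), last accepted login, session minutes."""
    failures = {}          # (user, src_ip) -> number of failed passwords
    last_accepted = None   # (user, src_ip, src_port) of the most recent accepted login
    opened = {}            # user -> datetime the most recent session was opened
    minutes = {}           # user -> whole minutes of the most recent closed session
    for line in log.splitlines():
        if m := FAILED.search(line):
            key = (m[1], m[2])
            failures[key] = failures.get(key, 0) + 1
        elif m := ACCEPTED.search(line):
            last_accepted = (m[1], m[2], int(m[3]))
        elif m := OPENED.search(line):
            opened[m[1]] = stamp(line)
        elif (m := CLOSED.search(line)) and m[1] in opened:
            minutes[m[1]] = int((stamp(line) - opened[m[1]]).total_seconds() // 60)
    return {"failures": failures, "last_accepted": last_accepted, "session_minutes": minutes}

def bruteforce_sources(summary, threshold=3):
    """Source IPs whose total failed-password count reaches the threshold."""
    per_ip = {}
    for (_user, ip), n in summary["failures"].items():
        per_ip[ip] = per_ip.get(ip, 0) + n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Run it against the real log with triage(open("var/log/auth.log").read()); raise the threshold for a production host, where a handful of failures is normal.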
7. How many IP addresses are listed in the '/var/log/lastlog' file?
cat var/log/lastlog
or
strings var/log/lastlog
Answer: 2
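strings only shows printable text, so it also prints the tty names and leaves the counting to you. As an added example (not from the original writeup), the parser below reads lastlog by its binary layout instead. It assumes the x86 Linux struct lastlog layout of a 32-bit timestamp, a 32-byte tty field and a 256-byte host field, one record per UID; other architectures may differ. The sample file is constructed inline.

```python
import struct
from datetime import datetime, timezone

# Assumed x86 Linux layout: int32 ll_time, char ll_line[32], char ll_host[256] = 292 bytes,
# indexed by UID (record for UID n starts at offset n * 292).
RECORD = struct.Struct("<i32s256s")

def parse_lastlog(data):
    """Yield (uid, last_login_utc, tty, host) for every UID that has ever logged in."""
    for uid in range(len(data) // RECORD.size):
        t, line, host = RECORD.unpack_from(data, uid * RECORD.size)
        if t == 0:  # all-zero record: this UID has never logged in
            continue
        yield (uid,
               datetime.fromtimestamp(t, tz=timezone.utc),
               line.split(b"\0", 1)[0].decode(errors="replace"),
               host.split(b"\0", 1)[0].decode(errors="replace"))

def distinct_hosts(data):
    """Distinct source hosts/IPs recorded in lastlog; question 7 asks for their count."""
    return {host for _, _, _, host in parse_lastlog(data) if host}

def make_record(t, line, host):
    """Build one record; used only to construct the sample below."""
    return RECORD.pack(t, line.encode(), host.encode())

# Constructed sample: 10 UIDs, of which only root (0) and mail (8) have logged in,
# each from a different (documentation-range) address.
SAMPLE = b"".join(
    make_record(1570286063, "pts/0", "198.51.100.7") if uid == 0
    else make_record(1570289463, "pts/1", "192.0.2.25") if uid == 8
    else bytes(RECORD.size)
    for uid in range(10))
```

On the real image, run distinct_hosts(open("var/log/lastlog", "rb").read()); a file whose length is not a multiple of 292 is a sign the layout assumption does not hold for that system.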
8. How many users have a login shell?
cat etc/passwd
At first glance it looks like only /bin/bash is used
cat etc/passwd | grep /bin/bash
If you don't want to count yourself:
cat etc/passwd | grep /bin/bash | wc -l
Answer: 5
9. What is the password of the mail user?
For this we need to extract the mail user's entries from etc/passwd and etc/shadow, combine them with the unshadow tool and crack the resulting hash file with John the Ripper:
cat hacked.dsk/etc/passwd > passwd
cat hacked.dsk/etc/shadow > shadow
unshadow passwd shadow > unshadowed
cat unshadowed | grep mail > mail.hash
The path of the wordlist will most likely be different, so change it accordingly:
john --wordlist=/usr/share/wordlists/rockyou.txt mail.hash
Answer: forensics
10. Which user account was created by the attacker?
cd hacked.dsk
cat var/log/auth.log | grep useradd
Answer: php
11. How many user groups exist on the machine?
cat etc/group | wc -l
Answer: 58
12. How many users have sudo access?
First let's check etc/sudoers to see who and which groups can elevate privileges:
cat etc/sudoers
Members of the admin and sudo group can elevate privileges. There are no specific usernames mentioned in the sudoers file. So let's check which users are in the admin and sudo groups:
grep --color "^admin:\|^sudo:" etc/group
Only the sudo group exists on this system, and it has 2 members: php and mail.
Answer: 2
13. What is the home directory of the PHP user?
grep php etc/passwd
or
grep useradd var/log/auth.log | grep php
The -d option of the useradd command specifies the home directory.
Answer: /usr/php
14. What command did the attacker use to gain root privilege? (Answer contains two spaces).
grep -B 10 "Successful" var/log/auth.log
Answer: sudo /bin/su -
15. Which file did the user 'root' delete?
grep rm root/.bash_history
Answer: 37292.c
This however doesn't tell us where the file was deleted from, so we also look at a few lines before this command in .bash_history:
grep -B 5 "rm" root/.bash_history
The file was deleted from the /tmp/ directory.
16. Recover the deleted file, open it and extract the exploit author name.
R-Studio for Linux Demo Mode allows you to evaluate R-Studio for Linux for free. R-Studio Demo Mode is limited to files smaller than 256 KB in Demo Mode. You can, however, preview supported files that are larger than 256 KB by double-clicking it. This allows you to predict your chances for successful recovery before purchasing an R-Studio for Linux license. - R-Studio
Download the appropriate version for your system and install it:
wget https://www.r-studio.com/downloads/RStudio4_x64.deb
dpkg -i RStudio4_x64.deb
rstudio
Click on Demo
Locate the hacked.dsk Volume and click Show Files
Browse to the /tmp directory and select the file you want to restore. Then click Recover
We can't recover to hacked.dsk because it is mounted as read-only. So select one directory up and click Ok. Close rstudio.
Check the recovered file to retrieve the Author:
ls -la
cat 37292.c | less
Answer: rebel
17. What is the content management system (CMS) installed on the machine?
First let's see what we should be looking for on google:
Configuration files are in the /etc/ directory on Linux so that is a good place to start looking:
Answer: drupal
18. What is the version of the CMS installed on the machine?
Now we have an easy search in the log files:
grep -i drupal var/log/apt/history.log
Answer: 7.26
19. Which port was listening to receive the attacker's reverse shell?
From the recovered file we know the owner is www-data, the user that web servers (apache, nginx, ...) run as. We also know Drupal 7 is running on the system. A quick search leads us to:
Let's check if we have log files for webservers on our system:
cat var/log/apache2/access.log
Some entries don't seem normal in this log file:
It looks like POST requests were made with a base64-encoded payload.
Right after base64_decode we see %28, which is a urlencoded opening parenthesis "(". If we search for the closing ")" in urlencoded form, %29, we can locate the end of the base64 string and then decode it:
grep -i "base64" var/log/apache2/access.log | grep "%29"
Decoding the base64 string:
echo "base64string" | base64 -d
The listening port used for the reverse shell is:
Answer: 4444
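The manual grep-and-decode step above can be scripted. This is an added example, not from the original writeup: it url-decodes each request line so %28 and %29 become parentheses, pulls out whatever sits inside base64_decode(...), base64-decodes it and looks for a port number in the result. The access.log lines are constructed, and the decoded text is a stand-in that only names a host and port rather than the real payload.

```python
import base64
import re
from urllib.parse import unquote

# Constructed stand-in for the decoded payload: just a host and port assignment.
PAYLOAD = base64.b64encode(b'$host="192.0.2.25";$port=4444;').decode()

# Constructed access.log sample in Apache combined format (not the challenge's real log).
ACCESS_LOG = f"""\
192.0.2.25 - - [05/Oct/2019:15:20:10 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.25 - - [05/Oct/2019:15:21:42 +0200] "POST /?q=base64_decode%28{PAYLOAD}%29 HTTP/1.1" 200 312 "-" "python-requests/2.22"
"""

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ENCODED = re.compile(r"base64_decode\(([A-Za-z0-9+/=]+)\)")

def decoded_payloads(log):
    """Return (source_ip, decoded_text) for every request carrying base64_decode(...)."""
    found = []
    for line in log.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = unquote(m[1])  # %28 -> "(", %29 -> ")", and any %XX inside the blob
        for blob in ENCODED.findall(url):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # not valid base64 after all: skip it
                continue
            found.append((line.split()[0], text))
    return found

def listening_port(text):
    """First port number named in a decoded payload (heuristic), or None."""
    m = re.search(r"port\W*(\d{1,5})", text, re.I)
    return int(m[1]) if m else None
```

Point it at the real file with decoded_payloads(open("var/log/apache2/access.log", errors="replace").read()); each decoded payload should be read in full, since the port heuristic is only a shortcut to the answer.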
Conclusion
The threat actors gained access through a vulnerability in Drupal 7 allowing remote code execution.
Searchsploit has the following Metasploit modules for Drupal:
searchsploit drupal | grep -i metasploit
The first one requires authentication, so let's take a look at php/remote/44482.rb:
cat /usr/share/exploitdb/exploits/php/remote/44482.rb | less
That looks very familiar from the apache2 access logs
From here the attackers had a foothold as user www-data and escalated their privileges to root with the 37292.c exploit, which they deleted as seen in the .bash_history.
They added a new user php that has sudo access.
They changed the password and shell of the user mail and added it to the sudo group.
They created a PHP webshell in
var/www/html/jabc/scripts/update.php
and made sure it works correctly:
Really enjoyed this challenge. Solving the questions went pretty fast, but writing it all out and really figuring out what happened took some more time.
If I got something wrong, missed something or you know an easier way of doing things, don't hesitate to contact me.