An unusual sighting

Category: Forensics Difficulty: very-easy Flag: HTB{B3sT_0f_luck_1n_th3_Fr4y!!}

Challenge

Description


As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work mysteriously has been disappearing! We managed to extract the SSH Logs and the Bash History from our dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come the competition! Note: Operating Hours of Korp: 0900 - 1900

Log analysis

We are given two files:

  • sshd.log : every SSH connection, successful and failed, as logged by the daemon

  • bash_history.txt : the history of commands executed on the dev server

The answers come from reading those two files. We then connect to the challenge instance (a plain raw socket) and answer its questions:

What is the IP Address and Port of the SSH Server (IP:PORT)

What time is the first successful Login ?

What is the time of the unusual Login

A login at 4 AM is suspicious: the description says Korp only operates between 0900 and 1900, so any session opened outside that window is the one to look at.

What is the Fingerprint of the attacker's public key

What is the first command the attacker executed after logging in

This comes from bash_history.txt: look at the commands run right after the unusual login time.

What is the final command the attacker executed before logging out

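Answering the questions by hand works for a log this small, but the same triage can be scripted: parse the daemon's "Accepted" lines, flag the login that falls outside the 0900-1900 operating hours, pull the key fingerprint from that line, and slice the bash history to that session's window. The script below is an added example written for this writeup, not code from the challenge. Its input is constructed: the sshd lines follow the standard OpenSSH syslog wording with a "YYYY-MM-DD HH:MM:SS" prefix and the bash history carries a bracketed timestamp per command, which may not be the exact layout of the challenge files (adjust TS_RE and HIST_RE if it differs). The server IP:port, the two login times, the attacker fingerprint and the first/last commands reuse the answers above; the source addresses, PIDs, the other fingerprints and the remaining commands are made up.

```python
import re
from datetime import datetime, time

# Constructed sample input (see lead-in): OpenSSH-style sshd log lines.
SSHD_LOG = """\
2024-02-13 11:29:50 sshd[1201]: Connection from 100.72.1.95 port 47721 on 100.107.36.130 port 2221 rdomain ""
2024-02-13 11:29:50 sshd[1201]: Accepted publickey for root from 100.72.1.95 port 47721 ssh2: ED25519 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2024-02-13 11:29:50 sshd[1201]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
2024-02-13 16:41:09 sshd[1201]: pam_unix(sshd:session): session closed for user root
2024-02-14 10:05:33 sshd[1402]: Failed publickey for root from 100.81.51.199 port 39810 ssh2: RSA SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2024-02-14 10:05:40 sshd[1402]: Accepted publickey for root from 100.81.51.199 port 39810 ssh2: ED25519 SHA256:ccccccccccccccccccccccccccccccccccccccccccc
2024-02-14 18:20:17 sshd[1402]: pam_unix(sshd:session): session closed for user root
2024-02-19 04:00:14 sshd[2215]: Accepted publickey for root from 2.67.182.119 port 60022 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
2024-02-19 04:38:01 sshd[2215]: pam_unix(sshd:session): session closed for user root
"""

# Constructed sample input: a bash history with one bracketed timestamp per command (assumed layout).
BASH_HISTORY = """\
[2024-02-13 11:29:53] ls -la
[2024-02-13 11:30:10] git status
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:25] cat /etc/passwd
[2024-02-19 04:37:50] ./setup
[2024-02-19 09:02:11] git pull
"""

TS = "%Y-%m-%d %H:%M:%S"
TS_RE = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
CONN_RE = re.compile(TS_RE + r" sshd\[\d+\]: Connection from \S+ port \d+ on (?P<ip>\S+) port (?P<port>\d+)")
LOGIN_RE = re.compile(TS_RE + r" sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) "
                      r"port \d+ ssh2(?:: (?P<keytype>\S+) SHA256:(?P<fp>\S+))?")
CLOSE_RE = re.compile(TS_RE + r" sshd\[(?P<pid>\d+)\]: .*session closed")
HIST_RE = re.compile(r"^\[" + TS_RE + r"\] (?P<cmd>.*)$")

WORK_START, WORK_END = time(9, 0), time(19, 0)  # Korp's operating hours from the description


def server_endpoint(log):
    """IP:PORT of the listener, taken from the daemon's 'Connection from ... on IP port N' line."""
    m = CONN_RE.search(log)
    return f"{m['ip']}:{m['port']}" if m else None


def successful_logins(log):
    """Every 'Accepted' login, with its end time taken from the later 'session closed' line of the same PID."""
    lines = log.splitlines()
    logins = []
    for i, line in enumerate(lines):
        m = LOGIN_RE.match(line)
        if not m:
            continue
        login = m.groupdict()
        login["start"] = datetime.strptime(login.pop("ts"), TS)
        login["end"] = None
        for later in lines[i + 1:]:
            c = CLOSE_RE.match(later)
            if c and c["pid"] == login["pid"]:
                login["end"] = datetime.strptime(c["ts"], TS)
                break
        logins.append(login)
    return logins


def is_off_hours(dt):
    """True when the timestamp falls outside the 0900-1900 window."""
    return not (WORK_START <= dt.time() < WORK_END)


def commands_between(history, start, end):
    """Commands from the timestamped history that fall inside [start, end]; an open session has end=None."""
    cmds = []
    for line in history.splitlines():
        m = HIST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS)
        if start <= ts and (end is None or ts <= end):
            cmds.append(m["cmd"])
    return cmds


def triage(sshd_log, history):
    """Answer the six challenge questions from the two files."""
    logins = successful_logins(sshd_log)
    first = min(logins, key=lambda lg: lg["start"])
    unusual = [lg for lg in logins if is_off_hours(lg["start"])]
    if len(unusual) != 1:
        raise ValueError(f"expected exactly one off-hours login, found {len(unusual)}")
    attacker = unusual[0]
    cmds = commands_between(history, attacker["start"], attacker["end"])
    return {
        "server": server_endpoint(sshd_log),
        "first_login": first["start"].strftime(TS),
        "unusual_login": attacker["start"].strftime(TS),
        "fingerprint": attacker["fp"],  # submitted without the "SHA256:" prefix, as in the answers above
        "first_command": cmds[0] if cmds else None,
        "last_command": cmds[-1] if cmds else None,
    }


if __name__ == "__main__":
    for key, value in triage(SSHD_LOG, BASH_HISTORY).items():
        print(f"{key}: {value}")
```

Two things worth keeping in mind when reusing this on a real log: the off-hours rule is only a heuristic (a legitimate admin can work at night, and an attacker can log in at noon), so the fingerprint is the stronger pivot, since a key that never appears in any earlier "Accepted" line is new to the box regardless of the hour; and bounding the bash history by the session's open/close times avoids attributing a colleague's later commands to the intruder.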

Solve script

from pwnlib.tubes.remote import remote

def solve(host, port):
    # Answers in the order the instance asks its questions.
    # The fingerprint is submitted without the "SHA256:" prefix.
    answers = [
        '100.107.36.130:2221',                          # IP:PORT of the SSH server
        '2024-02-13 11:29:50',                          # first successful login
        '2024-02-19 04:00:14',                          # the unusual (off-hours) login
        'OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4',  # attacker's public key fingerprint
        'whoami',                                       # first command after logging in
        './setup'                                       # last command before logging out
    ]
    client = remote(host, port)
    for answer in answers:
        client.recvuntil(b'> ')            # wait for the question prompt
        client.sendline(answer.encode())
    # After the last answer the service prints a line of the form "...: HTB{...}".
    flag = client.recvall(timeout=1).decode().split(': ')[1].strip()
    client.close()
    print(f'Flag: {flag}')

if __name__ == '__main__':
    # Host and port of the spawned challenge instance; they change with every spawn.
    solve('94.237.62.149', 44625)
