
forens/An unusual sighting (? solves)

As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work mysteriously has been disappearing! We managed to extract the SSH Logs and the Bash History from our dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come competition!

We start this challenge with two files: bash_history.txt and sshd.log.

Question 1

What is the IP Address and Port of the SSH Server (IP:PORT)

Looking inside the sshd.log, line 3 says the following:

[2024-01-28 15:24:23] Connection from port 47721 on port 2221 rdomain ""

The address and port after on are the server side (port 2221 here); the address and port after from belong to the connecting client.


Question 2

What time is the first successful Login

Reading the sshd.log, the lines containing Accepted are the successful logins, so what's the earliest instance?

[2024-02-13 11:29:50] Accepted password for root from port 63172 ssh2

Answer: 2024-02-13 11:29:50

Question 3

What is the time of the unusual Login

Reading the sshd.log, there is a login to the root account at an odd hour, 4 am:

[2024-02-19 04:00:14] Connection from port 60071 on port 2221 rdomain ""
[2024-02-19 04:00:14] Failed publickey for root from port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from port 60071 ssh2
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from port 60071 id 0
[2024-02-19 04:38:17] syslogin_perform_logout: logout() returned an error
[2024-02-19 04:38:17] Received disconnect from port 60071:11: disconnected by user
[2024-02-19 04:38:17] Disconnected from user root port 60071

Every other login falls between roughly 09:00 and 19:00, so a root session opened at 04:00 (and held for 38 minutes) is highly suspicious.

Answer: 2024-02-19 04:00:14

Question 4

What is the Fingerprint of the attacker's public key

Looking again at the suspicious block from question 3, the second line shows the attacker first offering a public key, which the server rejects (Failed publickey) before they fall back to the root password. sshd logs the fingerprint of the offered key, so that line gives us the answer.

Answer: OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

Question 5

What is the first command the attacker executed after logging in

This time we read bash_history.txt and jump to the suspicious time (04:00 on 2024-02-19); the first command executed is whoami:

[2024-02-16 12:38:11] python ./server.py --tests
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:20] uname -a

Answer: whoami

Question 6

What is the final command the attacker executed before logging out

Reading the same log segment, the last command before the 04:38:17 disconnect is ./setup; the next entry is from the following day:

[2024-02-19 04:12:02] shred -zu latest.tar.gz
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py

Answer: ./setup
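The steps for questions 2 through 6 are the same correlation every time: pull successful logins out of sshd.log, reconstruct sessions by source port, flag the ones outside working hours, attach any rejected key fingerprint to them, and then pick the bash_history entries that fall inside the session window. The script below is an added example that does this end to end; it is not part of the original writeup or the challenge files. The sample log and history text are constructed here to mirror the formats shown above (the page's sshd.log excerpts have the addresses stripped, so the parser treats the client address as optional), and the 09:00-19:00 working window is an assumption taken from the observation in question 3.

```python
import re
from datetime import datetime, time

# Constructed sample input modelled on the two challenge files (not the real artefacts).
SSHD_LOG = """\
[2024-02-13 11:29:50] Accepted password for root from port 63172 ssh2
[2024-02-13 11:29:50] Starting session: shell on pts/1 for root from port 63172 id 0
[2024-02-13 18:02:11] Disconnected from user root port 63172
[2024-02-19 04:00:14] Connection from port 60071 on port 2221 rdomain ""
[2024-02-19 04:00:14] Failed publickey for root from port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from port 60071 ssh2
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from port 60071 id 0
[2024-02-19 04:38:17] Received disconnect from port 60071:11: disconnected by user
[2024-02-19 04:38:17] Disconnected from user root port 60071
[2024-02-20 09:15:40] Accepted password for root from port 50112 ssh2
"""
BASH_HISTORY = """\
[2024-02-16 12:38:11] python ./server.py --tests
[2024-02-16 14:40:47] python ./server.py --tests
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:20] uname -a
[2024-02-19 04:12:02] shred -zu latest.tar.gz
[2024-02-19 04:14:02] ./setup
[2024-02-20 11:11:14] nvim server.py
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
# The client address is optional because the excerpts on this page have it stripped.
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from(?: (\S+))? port (\d+)")
FAILED_KEY_RE = re.compile(r"Failed publickey for (\S+) from(?: (\S+))? port (\d+) ssh2: (\S+) (SHA256:\S+)")
DISCONNECT_RE = re.compile(r"Disconnected from user (\S+)(?: \S+)? port (\d+)")


def parse_timestamped(text):
    """Yield (datetime, message) for every '[YYYY-MM-DD HH:MM:SS] ...' line."""
    for line in text.splitlines():
        if m := TS_RE.match(line):
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def first_successful_login(sshd_text):
    """Q2: timestamp of the earliest 'Accepted ...' line, formatted like the log."""
    for ts, msg in parse_timestamped(sshd_text):
        if ACCEPTED_RE.search(msg):
            return ts.strftime("%Y-%m-%d %H:%M:%S")
    return None


def build_sessions(sshd_text):
    """Reconstruct sessions keyed by client source port.

    A 'Failed publickey' on the same source port just before an 'Accepted' is the
    same client falling back to another method, so the rejected key's fingerprint
    is attached to the session that follows (Q4).
    """
    offered = {}        # source port -> fingerprint of a rejected key
    open_sessions = {}  # source port -> session still logged in
    sessions = []
    for ts, msg in parse_timestamped(sshd_text):
        if m := FAILED_KEY_RE.search(msg):
            offered[m.group(3)] = m.group(5)
        elif m := ACCEPTED_RE.search(msg):
            method, user, addr, port = m.groups()
            open_sessions[port] = {"user": user, "addr": addr, "port": port, "method": method,
                                   "login": ts, "logout": None,
                                   "offered_key": offered.pop(port, None)}
        elif m := DISCONNECT_RE.search(msg):
            if sess := open_sessions.pop(m.group(2), None):
                sess["logout"] = ts
                sessions.append(sess)
    sessions.extend(open_sessions.values())  # sessions with no logout line yet
    return sessions


def off_hours_sessions(sessions, start=time(9, 0), end=time(19, 0)):
    """Q3: sessions whose login falls outside the assumed 09:00-19:00 working window."""
    return [s for s in sessions if not (start <= s["login"].time() < end)]


def commands_in_window(history_text, login, logout):
    """Q5/Q6: history entries timestamped between login and logout (open-ended if no logout)."""
    return [cmd for ts, cmd in parse_timestamped(history_text)
            if login <= ts <= (logout or datetime.max)]


def analyse(sshd_text=SSHD_LOG, history_text=BASH_HISTORY):
    """Answer Q2-Q6 for every off-hours session found in the logs."""
    result = {"first_login": first_successful_login(sshd_text), "suspicious": []}
    for s in off_hours_sessions(build_sessions(sshd_text)):
        cmds = commands_in_window(history_text, s["login"], s["logout"])
        result["suspicious"].append({"login": s["login"].strftime("%Y-%m-%d %H:%M:%S"),
                                     "user": s["user"], "fingerprint": s["offered_key"],
                                     "first_command": cmds[0] if cmds else None,
                                     "last_command": cmds[-1] if cmds else None})
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

The correlation relies on the history carrying per-command timestamps (the challenge file does; a stock .bash_history without HISTTIMEFORMAT would only give you ordering, and a session that ends with shred or history -c would leave no entries at all). Matching on the client source port rather than on the username matters because every session here is root; the port is what ties the rejected key, the accepted password and the disconnect to one connection.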

And in return, we are given our flag: HTB{B3sT_0f_luck_1n_th3_Fr4y!!}

Original writeup (https://seall.dev/posts/htbcyberapocalypsectf2024#forensan-unusual-sighting--solves).