Shells

Challenge:

We know now that the attacker uploaded a file called info.php to gain access to the web server backend. What is the name of the tool/shell that gave the attacker a web shell?

Submit the flag as flag{tool_name}. For example: flag{psexec}.

Use the file from Scans.

Solution:

We began this challenge like most others involving a PCAP: we ran Zeek over the capture together with our custom CTF-centric script. It immediately flagged possible remote shell activity on multiple connections, based on artifacts that triggered our Zeek signatures. Note the "bash: no job control in this shell" line, which is what bash prints when started interactively (bash -i) without a controlling terminal, a classic reverse shell tell:

$ zeek -Cr ../capture_20220727141254.pcap ~/Tools/ctf_pcaps.zeek

Signature Match: Possible remote shell detected! [whoami]
Signature Match: Possible remote shell detected! [bash: no job control in this shell\x0aroot@esu-web-7734:~#]
Signature Match: Possible remote shell detected! [bash: no job control in this shell\x0aroot@esu-web-7734:~#]
Signature Match: Possible remote shell detected! [bash: no job control in this shell\x0aroot@esu-web-7734:~#]
Signature Match: Possible remote shell detected! [bash: no job control in this shell\x0aroot@esu-web-7734:~#]
Signature Match: Possible remote shell detected! [bash: no job control in this shell\x0aroot@esu-web-7734:~#]

Based on the whoami alert we jumped back into Wireshark and performed a string search for "whoami" (Edit > Find Packet, searching packet bytes as a string):

This search produced two matching streams, 4999 and 5054. Choosing Follow TCP Stream on the first displays the initial activity that occurred over the remote shell and, more importantly for this challenge, the name of the tool used to establish the remote connection.
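As an added example (this is not the authors' ctf_pcaps.zeek, whose signatures are not published on this page), the following Zeek script reproduces the detection step described above: it delivers raw TCP payload from every connection to script-land and reports the three artifacts that gave the shell away, in the same output shape as the alerts shown. The file name, the pattern names and the per-connection deduplication are our own choices.

```zeek
# remote_shell.zeek -- constructed example, not the authors' script.
# Run with:  zeek -Cr capture.pcap remote_shell.zeek

# Deliver every TCP segment's payload to script-land so we can match on raw
# stream contents regardless of port or protocol analyzer.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Artifacts of an interactive shell riding on a TCP connection (assumed set).
const shell_patterns: table[string] of pattern = {
    ["no job control"] = /bash: no job control in this shell/,
    ["whoami"]         = /whoami/,
    ["root prompt"]    = /root@[A-Za-z0-9._-]+:[^ \n]*#/
};

# Report each (connection, pattern) pair only once to keep output readable.
global seen: set[string, string];

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    for ( name, pat in shell_patterns )
        {
        if ( pat in contents && [c$uid, name] !in seen )
            {
            add seen[c$uid, name];
            local m = match_pattern(contents, pat);
            print fmt("Signature Match: Possible remote shell detected! [%s] %s %s:%s -> %s:%s",
                      m$str, c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
            }
        }
    }
```

Because tcp_contents fires per segment, a string split across two segments is missed; for production use the same patterns belong in a .sig file loaded with @load-sigs, where the signature framework matches on the reassembled stream. The connection UID printed here is what you carry over to conn.log, or to Wireshark's stream filter, to follow the shell.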

The accepted flag was: flag{b374k} (b374k is a PHP web shell, consistent with the uploaded info.php).
