Magnet Weekly CTF Challenge Week 8 Writeup

This week's Magnet Weekly CTF Challenge is once again another two-parter. Part I of the challenge asked the following:

What package(s) were installed by the threat actor? Select the most correct answer!

From the user hadoop's .bash_history file, there was an entry that indicated hadoop used ll command to list out the details of a /usr/local/hadoop/bin/cluster.php file. Since Hadoop does not run on PHP, why on Earth would there be a cluster.php file inside the Hadoop binary folder?

Moreover, from either /var/log/apt/history.log or /var/log/apt/term.log, it was shown that the php package was installed on 2019-10-17 and most of the packages were installed on 2017.


Therefore, it was highly likely that the threat actor installed the php package on the HDFS primary node and it turned out to be correct.

After that, Part II of the challenge was released and it asked the following:
Why?
  •  hosting a database
  •  serving a webpage
  •  to run a php webshell
  •  create a fake systemd service

 As the cluster.php file was found earlier, the contents of cluster.php file should be inspected and there was some intriguing PHP code:


This piece of PHP code would bind a socket on all IP addresses on the local machine on TCP port 17001. Then it would continuously receive incoming remote commands and execute them. Upon remote command execution, the command execution output would be returned to the command issuer. 
Thus, this cluster.php should be a PHP webshell and the answer to this part should be to run a php webshell.




Comments

Post a Comment

Popular posts from this blog

Dumpster Diving in Google Photos Android App: "local_trash.db"

Image
  This article will explore the Trash within the Google Photos Android App. If you delete any media file from Google Photos on your mobile device, the deleted media file would then be relocated to the Trash within Google Photos. All items inside Trash will be permanently deleted after 60 days in Trash. In fact, the information of the Google Photos Trash items will be stored inside the " local_trash.db " under " /data/com.google.android.apps.photos/databases/ ": The " local " table of  " local_trash.db " contains most of the useful information, including " local_path " ( the original path of the deleted media file ), " trash_file_name " ( a UUID value that becomes the new name of the deleted media file ), " deleted_time " ( a Unix timestamp in milliseconds that recorded the delete time ), " is_video " ( where "0" = "no", "1" = "yes" ), etc. As soon as a media file was ...
Read more

Hexordia Weekly CTF Challenge 2024 - Week 1 Writeup

Image
 Recently, Hexordia has started a new weekly CTF challenge and I have signed up to join the challenge. The following is my writeup for the week 1 challenges: iOS - Crewmates are Sus (15 marks) What is Chad's user ID for the multiplayer social game? The terms "Crewmates" and "Sus" used in the question name suggests to the popular multiplayer social game "Among Us" From iLEAPP "Application State report" page, Among Us ( com.innersloth.amongus ) was installed and the sandbox path for Among Us can be found at  /private/var/mobile/Containers/Data/Application/AE23352D-C47B-43D9-87A7-6141653955A2 Using FTK Imager, the sandbox file path could be navigated to and I have decided to inspect iOS app Preferences related files first as we are looking for a gaming user ID: Using plistEditor Pro, the plist files could be opened and one of them ( com.innersloth.amongus.plist ) has a userid key with value 001381.5ced44f175f640fb9264ce19cc43683f.2043 which wa...
Read more

Hexordia Weekly CTF Challenge 2024 - Week 2 Writeup

Image
Following the 1st week of the Hexordia Weekly CTF Challenge 2024, we are now into week 2 of this CTF. The challenges of this week consisted of Android-related challenges only: Android -  Total Freedom (10 marks) What URL was opened after pasting language from ONeal's gist? After reading the question, we would be most likely looking for web browsing history on the Android image since we were after a certain opened URL. At the same time, the term "gist" used here had immediately reminded me of GitHub Gists. In case you have not heard of GitHub gists before, ' Gists are one feature of GitHub, which defines them as "a simple way to share snippets and pastes with others." ', according to the research article " What is the Gist?: understanding the use of public Gists on GitHub " available on ACM digital library. After running a quick search of the term " gist " in Magnet AXIOM Examine, only Google Chrome had web visit hits against GitHub Gi...
Read more