Hackzone VIII CTF- the monitoring task

Amine Ben Asker
Published in Hackzone
Apr 12, 2020
docker run yurilz/hackzone-ctf-task-monitoring

This task was solved less than an hour after its publication, which forced us not to reveal any additional hint.

Let’s begin from the beginning:
A sysadmin asked you to double-check the docker image. He said it might be vulnerable due to suspicious behaviour.

First, download the image as specified in the task description.

docker pull yurilz/hackzone-ctf-task-monitoring

Create a container from this image and export its filesystem:

$ container_id=$(docker create --name mycontainer yurilz/hackzone-ctf-task-monitoring)
$ mkdir /tmp/monitoring
$ cd /tmp/monitoring
$ docker export $container_id > fs.tgz
$ tar -xvf fs.tgz

Locate the entry-point binary in the exported filesystem; it is a stripped Go ELF:

$ file app/entrypoint
app/entrypoint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, Go BuildID=7Da067kyHh6W43Jc54ti/-kPrUTVHazwaHnpoTpio/q0ynSOANe3Zgi6juDZT7/omroKl06lyt8O0RpQs7u, stripped

Most of the CTF hunters extracted a hardcoded endpoint by running strings on the binary and grepping for my name as a keyword.
In general, dealing with malware is not that easy: command and control server DNS names and IPs are not usually embedded in cleartext in the binary.

$ strings app/entrypoint | grep -i yuri
networkyurilz.com:4242
=> yurilz.com:4242

The service accepts both TCP and UDP communication. This suggests that the attacker fetches two classes of data from the infected machine, let's say important and less important, like metrics, behaviour, resource consumption and so on.

The first and only hint is "netstat/ss".
It means: investigate the network traffic. By the way, this is the better approach to detecting attacks. A professional intrusion detection system logs every piece of data in motion to large databases for later analysis.

So we steered you towards analysing the image's behaviour rather than reversing the binary stored in it.
For your sake, there is no real malware bundled in it. But never run binaries unless you trust their origin.

Let's mount the /app directory and run the binary inside a tiny alpine container; you may customise your image with different hacking tools for further tasks. I installed tmux and bash for easier debugging.

$ docker run -v /tmp/monitoring/app:/app --rm -it alpine /bin/sh
container$ apk add bash tmux && tmux

Now run the binary.

Hmm, (Monitoring 100% Halal & Gratos.), the author is making fun of an entire community, shame on him lol.

The program hangs and prints “Please wait”. Shall we?

Create a new tmux window and inspect the process with the top and lsof commands.

The program opens only the /etc/passwd file and consumes a reasonable amount of memory and CPU.

Delete the file to verify whether the program crashes. Please confirm that you are inside a temporary container. DO NOT DELETE THE /etc/passwd FILE OF YOUR OWN MACHINE.

Return to the previous tmux window with (Ctrl+b p) and rerun the program.

Well done: the program exits with no error.

Add a few characters to /etc/passwd and rerun the program. It ends after a few seconds.
Keep adding characters and track the running time.

Bingo => it takes 1 second per character.

Note: in practice, malware operates on the data available on disk, and its behaviour depends on how much data there is to leak and on the network bandwidth.

It is clear now that the program is leaking the content of /etc/passwd.

Let's create enough fake data for it to operate on.

Use your favourite network tracing tool to analyse the traffic; you should find the IP and port of the service endpoint retrieved by the strings command. You may also notice that the binary does not keep a single TCP connection open: it closes the connection as soon as it has sent a small bunch of data!

You will find a Wireshark cheat sheet below:
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/

I will skip the network tracing technique itself because it needs more ink to explain clearly. Reach me on Twitter if you are interested in a step-by-step Wireshark tutorial.

$ tshark -Y "(ip.addr == 46.105.30.138) && (tcp.port == 4242)" -T fields -e data

Decoding a bunch of the captured communication shows that the data is base64 encoded, with no known encryption header. And you are almost tired by now, yes I know: dealing with an undocumented, non-standard protocol is hard. Pirates design and implement malware with strange logic, and sometimes they try to pass along a political message, as Stuxnet showed. If you are interested in malware hunting, I recommend the Stuxnet analysis dossier to you. It is thorough and intense content written by Symantec.

https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Run the following command to decode the stream sent to the C&C and filter it for frequent and known keywords such as the author's name, the flag prefix or the event name (Hackzone).

# Pipe the trace to a file
$ tshark -Y "(ip.dst == 46.105.30.138) && (tcp.port == 4242)" -T fields -e data >> /tmp/pipe

Then filter the stream in another terminal window. Don't forget to decode the base64 line by line:

$ while true; do
    while IFS= read -r line; do
      # tshark prints the data field as hex: undo the hex, then the base64
      echo "$line" | xxd -r -p | base64 -d 2>/dev/null | grep -Ei "HZVII|yuri|flag"
      echo -n "."
    done <<< "$(tail -n 50 /tmp/pipe)"
    sleep 5
  done
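The shell loop above decodes each tshark line on its own, which drops a base64 record that straddles two of the binary's short connections. As an added example, not part of the original write-up, this Python version reassembles the per-segment hex blobs before decoding and keeps the trailing, still-incomplete record for the next poll. The tshark lines are constructed inline, not captured, and the flag value is a placeholder.

```python
import base64
import binascii
import re

KEYWORDS = re.compile(rb"HZVII|yuri|flag", re.IGNORECASE)


def reassemble_stream(hex_lines):
    """Join the hex blobs printed by `tshark -T fields -e data`.

    The entrypoint opens a fresh TCP connection for every small chunk, so one
    base64 record can span several tshark lines; tshark may also join several
    data fields on one line with commas.
    """
    raw = bytearray()
    for line in hex_lines:
        for field in line.strip().split(","):
            if field:
                raw += binascii.unhexlify(field)
    return bytes(raw)


def decode_records(stream):
    """Split the stream on newlines and base64-decode each complete record.

    Returns (records, leftover); leftover is the trailing record with no
    newline yet, to be retried once more segments arrive.
    """
    records = []
    *complete, leftover = stream.split(b"\n")
    for rec in complete:
        rec = rec.strip()
        if not rec:
            continue
        try:
            records.append(base64.b64decode(rec, validate=True))
        except binascii.Error:
            records.append(b"<undecodable> " + rec)
    return records, leftover


def find_hits(hex_lines):
    """Decoded records that contain one of the CTF keywords."""
    records, _ = decode_records(reassemble_stream(hex_lines))
    return [r.decode("utf-8", "replace") for r in records if KEYWORDS.search(r)]


def build_sample(lines, chunk=8):
    """Constructed sample: base64 each leaked line, chop the stream into
    8-byte chunks (one per connection) and hex-encode each as tshark would."""
    stream = b"".join(base64.b64encode(l) + b"\n" for l in lines)
    stream += base64.b64encode(b"nobody:x:65534:")  # record still arriving
    return [binascii.hexlify(stream[i:i + chunk]).decode() for i in range(0, len(stream), chunk)]


SAMPLE_TSHARK_LINES = build_sample([b"root:x:0:0:root:/root:/bin/ash",
                                    b"yuri:x:1000:1000:HZVII{fake_flag}:/home/yuri:/bin/sh"])
```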

I salute those who found the flag. I know this challenge is not obvious and it involves many tricks.
I tend to build CTF challenges based on real-world cases. Do not expect forensics and malware hunting to be as straightforward as CTFs.
The Hackzone event aims to be a hub for exchanging knowledge and guiding the community on different topics and domains. All members are expected to give feedback by sharing what they have learnt in the IT industry, so please don't hesitate to comment on this.

Finally, container technologies such as Docker and orchestrators such as Kubernetes unlock new security challenges, and the majority of both developers and administrators ignore basic Linux containerisation hygiene.
So hackers, pentesters and bug-bounty seekers have a new opening to crack systems.

Don't forget to follow me on both Medium and Twitter for further exciting content.
