CyberDefenders: “Ulysses” Walkthrough

SPOILER ALERT — A possible Solution to the Challenge

Scenario

Here is the challenge

A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened.

Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

  • victoria-v8.sda1.img: acquired disk image
  • victoria-v8.kcore.img: memory dump done by dd’ing /proc/kcore.
  • victoria-v8.memdump.img: memory dump done with memdump.
  • Debian5_26.zip: volatility custom Linux profile.
Ulysses

Preparation

Mounting the disk image

sudo mount victoria-v8.sda1.img /mnt/server/data

Dealing with Memory image using Volatility

For example, listing processes:

vol.py --profile LinuxDebian5_26x86 -f victoria-v8.memdump.img linux_pslist

Questions

1. The attacker was performing a Brute Force attack. What account triggered the alert?

Authentication logs are under /var/log/auth.log

2. How many failed attempts were there?

Grep for all failed authentication entries in auth.log and count the results.
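As an added example that is not part of the original walkthrough, the grep-and-count step behind questions 1 and 2 done in Python over a few constructed sshd auth.log lines: it tallies failed logins per account and per source address so the most-targeted account and the noisiest source stand out. The hostname, account names and addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log on Debian.
# Hostname, users and addresses are illustrative, not taken from the challenge image.
SAMPLE_AUTH_LOG = """\
Feb  6 15:12:01 debian sshd[2048]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2
Feb  6 15:12:03 debian sshd[2048]: Failed password for invalid user admin from 192.0.2.10 port 41023 ssh2
Feb  6 15:12:05 debian sshd[2050]: Failed password for root from 192.0.2.10 port 41030 ssh2
Feb  6 15:12:07 debian sshd[2052]: Failed password for backup from 192.0.2.10 port 41031 ssh2
Feb  6 15:12:09 debian sshd[2052]: Failed password for backup from 192.0.2.10 port 41032 ssh2
Feb  6 15:12:10 debian sshd[2052]: Failed password for backup from 192.0.2.10 port 41033 ssh2
Feb  6 15:13:00 debian sshd[2060]: Accepted password for backup from 198.51.100.7 port 5555 ssh2
Feb  6 15:13:02 debian CRON[2070]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Return (total, per_user, per_ip) for sshd 'Failed password' lines."""
    per_user = Counter()
    per_ip = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins, cron, and other daemons are ignored
        per_user[m.group("user")] += 1
        per_ip[m.group("ip")] += 1
    return sum(per_user.values()), per_user, per_ip


def brute_force_summary(log_text, threshold=3):
    """Accounts and source IPs with at least `threshold` failures, most hit first."""
    total, per_user, per_ip = failed_logins(log_text)
    users = [(u, n) for u, n in per_user.most_common() if n >= threshold]
    ips = [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]
    return {"total_failed": total, "targeted_accounts": users, "sources": ips}


if __name__ == "__main__":
    print(brute_force_summary(SAMPLE_AUTH_LOG))
```

Against a real image, read /var/log/auth.log (and the rotated auth.log.* files, which the challenge question may also count) from the mounted disk instead of the embedded sample.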

3. What kind of system runs on the targeted server?

/etc/issue.net is one of the files that holds the system type info.

4. What is the victim’s IP address?

On modern Linux distros:

look in /var/lib/NetworkManager for dhclient-<GUID>-<NIC>.lease files. These are text files containing details of DHCP leases acquired.

On older systems, look under /var/lib/dhc* for similar files.

Another way is to filter the logs for DHCP entries and identify the last IP address leased to the client.

5. What are the attacker’s two IP addresses? Format: comma-separated in ascending order.

One of the attacker IPs was the source of the brute-force attack.

The second IP was connecting to the mail service and testing the exploit.

The same address also shows up in the network connections recovered from the memory image, connecting to the mail service on port 25.

6. What is the “nc” service PID number that was running on the server?

Using the memory image we can see the process list and its PIDs.

7. What service was exploited to gain access to the system? (one word)

The email service, Exim4, was the exploited service.

8. What is the CVE number of exploited vulnerability?

From the logs, I noticed very large headers and what seem to be RCE (Remote Code Execution) attempts, where the attacker is trying to send a shell command to get executed.

Searching for Exim CVEs that mention headers and were registered before 2011, the date seen in the logs, we can easily find the correct CVE.

9. During this attack, the attacker downloaded two files to the server. Provide the name of the compressed file.

The dropper file name is visible in the logged headers.

10. Two ports were involved in the process of data exfiltration. Provide the port number of the highest one.

Using the network connections recovered from the memory image, we can identify the ports that the attacker used.

11. Which port did the attacker try to block on the firewall?

To identify what the attacker tried to run on the system, we can look in many places, such as the bash history, cron jobs, etc.

The only place that contained an iptables rule was the dropper the attacker downloaded into /tmp.

Uncompressing the dropped file and navigating through its code, we can identify the firewall rule the attacker tried to add.

Ahmed Elshaer

GIAC Advisory Board | DFIR | Purple/Blue Team | Detection Engineering