You belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.
This challenge is a combination of several entry- to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography. Participants will benefit from entry-level knowledge in these fields, as well as knowledge of general Linux operations, kernel modules, a scripting language, and reverse engineering. Not everything may be as it seems. Innocuous-looking files may turn out to be malicious, so take precautions when handling any files from this challenge.
What service did the attacker use to gain access to the system?
What attack type was used to gain access to the system?
What was the tool the attacker possibly used to perform this attack?
How many failed attempts were there?
What credentials (username and password) were used to gain access? Refer to shadow.log and sudoers.log.
What other credentials (username and password) that could have been used to gain access also have sudo privileges? Refer to shadow.log and sudoers.log.
What is the tool used to download malicious files on the system?
How many files did the attacker download to perform the malware installation?
What is the MD5 hash of the main malware file?
Which file did the script modify so that the malware starts on reboot?
Where did the malware keep local files?
What is missing from ps.log?
What is the main file used to remove this information from ps.log?
Which IPs did the malware connect to?
Inside the Main function, what is the function that causes requests to those servers?
How many files did the malware request from those servers?
What are the commands that the malware was receiving from attacker servers?
The image files are important because they contain the RSA-encrypted payload(s). Find the private key decryption exponent for the first file.
"The public RSA key given in the HTTP request must be factored, but note that Fermat’s factorization method is very effective."
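Fermat's method works when the two primes are close together, because n = a^2 - b^2 = (a - b)(a + b) is then found after very few steps starting from a = ceil(sqrt(n)). The script below is an added example, not part of the challenge files: it builds a constructed weak key (two adjacent primes, so this is not the modulus from the HTTP request), factors it with Fermat's method, derives the private exponent d, and checks it by a round trip. The helper names (fermat_factor, recover_private_exponent, build_weak_key) are this example's own.

```python
import math

E = 65537  # common public exponent; assumed here, read it from the real key in the challenge


def is_prime(n: int) -> bool:
    """Trial division: adequate for the small constructed primes used below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def fermat_factor(n: int, max_iter: int = 1_000_000) -> tuple[int, int]:
    """Fermat's factorization: find a, b with n = a^2 - b^2, then n = (a-b)(a+b).

    Each iteration increases a by one; the number of iterations grows roughly
    with (q-p)^2 / (8*sqrt(n)), so this is only practical when p and q are close.
    """
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:          # start at ceil(sqrt(n))
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:    # b2 is a perfect square: done
            return a - b, a + b
        a += 1
    raise ValueError("Fermat's method gave up: the factors are probably not close")


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n, then d = e^-1 mod phi(n). pow(..., -1, m) needs Python 3.8+."""
    p, q = fermat_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def build_weak_key(start: int = 10**9) -> dict:
    """Constructed key with adjacent primes so that Fermat's method succeeds quickly."""
    p = next_prime(start)
    q = next_prime(p)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:   # keep e invertible mod phi
        q = next_prime(q)
    phi = (p - 1) * (q - 1)
    return {"n": p * q, "e": E, "p": p, "q": q, "d": pow(E, -1, phi)}


def roundtrip(n: int, e: int, d: int, m: int) -> int:
    """Encrypt m with the public key, decrypt with the recovered d (textbook RSA)."""
    c = pow(m, e, n)
    return pow(c, d, n)


if __name__ == "__main__":
    key = build_weak_key()
    d = recover_private_exponent(key["n"], key["e"])
    p, q = fermat_factor(key["n"])
    print(f"n = {key['n']}  ->  p = {p}, q = {q}")
    print(f"recovered d = {d}, matches generated d: {d == key['d']}")
    print(f"round trip ok: {roundtrip(key['n'], key['e'], d, 0xC0FFEE) == 0xC0FFEE}")
```

For the real key, parse n and e out of the public key captured in the HTTP request and call recover_private_exponent(n, e); if the loop hits the iteration cap, the primes are not close enough and Fermat's method is the wrong tool. The encrypted payload is then recovered with pow(c, d, n) on the integer form of the ciphertext, respecting whatever padding the malware used.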
The final payload is a binary that attempts to escape QEMU/KVM virtualization and run code on the host operating system. What PoC command was executed?
This attack was not successful because there was a bug in the malware. What is the error message that comes with this fault?