Scenario:

  • You belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.

This challenge is a combination of several entry- to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography. Participants will benefit from entry-level knowledge in these fields, as well as knowledge of general Linux operations, kernel modules, a scripting language, and reverse engineering. Not everything may be as it seems: innocuous files may turn out to be malicious, so take precautions when dealing with any files from this challenge.

Supportive Resources:

Helpful Tools:

Questions (the weight and solved figures from the original table are shown in brackets after each question):

1. What service did the attacker use to gain access to the system? [Weight: 50, Solved: 112]

2. What attack type was used to gain access to the system? [Weight: 50, Solved: 103]

3. What tool did the attacker possibly use to perform this attack? [Weight: 50, Solved: 94]

4. How many failed attempts were there? [Weight: 50, Solved: 75]

5. What credentials (username and password) were used to gain access? Refer to shadow.log and sudoers.log. [Weight: 100, Solved: 50]

6. What other credentials (username and password) that could have been used to gain access also have SUDO privileges? Refer to shadow.log and sudoers.log. [Weight: 100, Solved: 49]

7. What tool was used to download malicious files onto the system? [Weight: 50, Solved: 85]

8. How many files did the attacker download to perform the malware installation? [Weight: 50, Solved: 84]

9. What is the MD5 hash of the main malware file? [Weight: 100, Solved: 73]

10. Which file did the script modify so that the malware starts upon reboot? [Weight: 150, Solved: 64]

11. Where did the malware keep its local files? [Weight: 150, Solved: 64]

12. What is missing from ps.log? [Weight: 150, Solved: 64]

13. What is the main file that was used to remove this information from ps.log? [Weight: 200, Solved: 61]

14. Which IPs did the malware connect to? [Weight: 200, Solved: 73]

15. Inside the main function, which function causes the requests to those servers? [Weight: 200, Solved: 38]

16. How many files did the malware request from those servers? [Weight: 100, Solved: 64]

17. What commands was the malware receiving from the attacker's servers? [Weight: 200, Solved: 22]

18. The image files are important because they contain the RSA-encrypted payload(s). Find the private key decryption exponent for the first file. "The public RSA key given in the HTTP request must be factored, but note that Fermat’s factorization method is very effective." [Weight: 300, Solved: 6]

19. The final payload is a binary aimed at escaping the Qemu/KVM virtualization and running code on the host operating system. What is the PoC command that was executed? [Weight: 200, Solved: 13]

20. This attack was not successful because there was a bug in the malware. What is the error message that accompanies this fault? [Weight: 150, Solved: 20]
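The hint in question 18 refers to a well-known RSA weakness: Fermat's method factors a modulus n = p·q quickly whenever p and q lie close together, because n = a² − b² with a = (p+q)/2 and b = (q−p)/2 and the search for a starts at ⌈√n⌉. The block below is an added worked example, not code from the challenge or from the malware, and it uses a small constructed modulus (two adjacent primes, 10⁹+7 and 10⁹+9) rather than the key from the challenge's HTTP request. It factors the modulus, derives the private exponent d from e and φ(n), and, as a contrast, shows that the same routine gives up within its iteration budget on a modulus whose primes are far apart, which is also how a defender would audit a key set for this weakness.

```python
import math


def fermat_factor(n, max_iterations=100_000):
    """Fermat's factorization.

    Searches for a with a*a - n a perfect square b*b, which gives
    n = (a - b) * (a + b). Converges in few steps when the two prime
    factors are close; returns None if the iteration budget runs out,
    so callers can treat "not factored quickly" as "not obviously weak".
    """
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:          # start at the ceiling of sqrt(n)
        a += 1
    for _ in range(max_iterations):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:    # a^2 - n is a perfect square: done
            return a - b, a + b
        a += 1
    return None


def rsa_private_exponent(n, e, max_iterations=100_000):
    """Recover d = e^-1 mod phi(n) once n has been factored.

    Returns None when Fermat's method does not factor n within the
    budget (the key is not weak in this particular way).
    """
    factors = fermat_factor(n, max_iterations)
    if factors is None:
        return None
    p, q = factors
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def key_is_fermat_weak(n, max_iterations=100_000):
    """Audit helper: True if the modulus factors quickly by Fermat's method."""
    return fermat_factor(n, max_iterations) is not None


if __name__ == "__main__":
    # Constructed weak modulus: p = 10**9 + 7 and q = 10**9 + 9 are both prime
    # and only 2 apart, so Fermat's method needs a single step.
    weak_n = (10**9 + 7) * (10**9 + 9)
    e = 65537
    print("factors:", fermat_factor(weak_n))
    d = rsa_private_exponent(weak_n, e)
    print("private exponent:", d)
    m = 42
    c = pow(m, e, weak_n)
    print("round trip ok:", pow(c, d, weak_n) == m)

    # Constructed contrast: primes far apart; Fermat's method does not
    # finish inside a 10,000-step budget, so the audit reports "not weak".
    strong_n = 10007 * 1000003
    print("far-apart primes flagged weak:", key_is_fermat_weak(strong_n, 10_000))
```

The iteration budget matters in practice: without it, Fermat's method on a modulus with well-separated primes runs for roughly (√q − √p)²/2 steps, which for real key sizes is hopeless, so an audit should treat "no result within the budget" as the normal case and only flag keys that fall out immediately.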