PwnDiary

9 August 2021

UIUCTF 2021 / Simply Perfect

by umutoztunc

Last week, I played UIUCTF 2021 with my friends as BreakPoint. After the CTF ended, there were three challenges with zero solves and the organizers put bounties on those challenges. Two of them got solved and I decided to challenge myself with the last one remaining, which was Simply Perfect. Fortunately, I managed to solve it before DEF CON 2021 Finals began.

0x00 Overview

This challenge is about cleaning up a process accounting log (Linux struct acct_v3 records, shown below in the column layout dump-acct prints). The clean log is what the file would contain had the attacker never infiltrated the server, and the flag is the md5 hash of that clean log file.

According to the story we are given, the attacker sneaks into a building and sets up remote access before he leaves. He then accesses the server remotely to investigate it further and adds a technique to securely perform collection before he leaves. Later on, he realizes that his usual remote access is no longer available. Suspecting he has been detected, he connects with a different access and removes his collection task.

We are also told that the entries to clean fall into three groups: those associated with a tty session, those with no session at all, and those from a pty session.

The expected size of the clean log file is 4618880 bytes. Each struct acct_v3 record is 64 bytes, so the clean log holds 4618880 / 64 = 72170 entries; comparing that with the size of the log we were given shows that exactly 230 entries have to be removed, which is a useful sanity check to keep in mind while cleaning.

Keep in mind that all timestamps are based on my local timezone, which is UTC+3.
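As an added example (not part of the original write-up), here is a small Python reader for the binary acct_v3 format that does the size arithmetic above, decodes the fields dump-acct prints (flags, tty, exit status, comp_t times and memory), drops records matching a predicate and hashes the result. The field layout is that of struct acct_v3 in <linux/acct.h> on a little-endian host; the sample log is constructed here from five entries shown later in the post and is not the challenge file, and the tty mapping only covers the virtual consoles (dump-acct resolves the device through /dev).

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# struct acct_v3 from <linux/acct.h>: 64 bytes in host (here little-endian) order.
#   ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
#   ac_btime, ac_etime (float), utime, stime, mem, io, rw, minflt, majflt,
#   swaps (eight comp_t = u16 fields), ac_comm[16]
ACCT_V3 = struct.Struct("<BBH" + "I" * 6 + "f" + "H" * 8 + "16s")
assert ACCT_V3.size == 64
AHZ = 100                                  # accounting clock ticks per second
LOCAL_TZ = timezone(timedelta(hours=3))    # the write-up renders btime in UTC+3
TTY1 = (4 << 8) | 1                        # old 16-bit dev_t: major 4, minor 1
# ac_flag bits in the order dump-acct prints them: ASU AFORK ACOMPAT ACORE AXSIG
FLAG_LETTERS = ((0x02, "S"), (0x01, "F"), (0x04, "C"), (0x08, "D"), (0x10, "X"))


def decode_comp_t(c):
    """comp_t is a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t (truncating, unlike the kernel's rounding)."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def tty_name(ac_tty):
    """dump-acct resolves ac_tty through /dev; offline, only map the VT consoles."""
    if ac_tty == 0:
        return "__"
    major, minor = ac_tty >> 8, ac_tty & 0xFF
    return f"tty{minor}" if major == 4 and minor < 64 else f"{major}:{minor}"


def parse_acct_v3(data):
    """Yield one dict per record, refusing truncated files and non-v3 records."""
    if len(data) % ACCT_V3.size:
        raise ValueError("size is not a multiple of 64 bytes: truncated or not acct_v3")
    for off in range(0, len(data), ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, *_rest, comm) = ACCT_V3.unpack_from(data, off)
        if version != 3:
            raise ValueError(f"record at offset {off}: ac_version is {version}, not 3")
        yield {
            "offset": off,
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(letter for bit, letter in FLAG_LETTERS if flag & bit),
            "tty": tty_name(tty),
            # ac_exitcode is the wait(2)-style status: exit code in bits 8..15,
            # terminating signal in the low 7 bits.
            "exit_status": (exitcode >> 8) & 0xFF,
            "signal": exitcode & 0x7F,
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "btime": datetime.fromtimestamp(btime, tz=LOCAL_TZ),
            "etime_s": etime / AHZ,
            "utime_s": decode_comp_t(utime) / AHZ,
            "stime_s": decode_comp_t(stime) / AHZ,
            "mem_kb": decode_comp_t(mem),
        }


def make_record(comm, pid, ppid, btime, *, tty=0, flags=0, exit_status=0,
                etime_s=0.0, mem_kb=0):
    """Pack a constructed record (uid/gid 0); used only to build the sample log."""
    return ACCT_V3.pack(flags, 3, tty, exit_status << 8, 0, 0, pid, ppid,
                        int(btime.timestamp()), etime_s * AHZ,
                        0, 0, encode_comp_t(mem_kb), 0, 0, 0, 0, 0,
                        comm.encode("ascii"))


def _t(month, day, h, m, s):
    return datetime(2021, month, day, h, m, s, tzinfo=LOCAL_TZ)


# Constructed sample log mirroring five entries from the dump (not the challenge file).
SAMPLE_LOG = b"".join([
    make_record("login", 17839, 1, _t(7, 29, 1, 30, 57), flags=0x02, etime_s=18035.58, mem_kb=26032),
    make_record("bash", 29330, 17839, _t(7, 29, 6, 28, 57), tty=TTY1, flags=0x02, etime_s=155.90, mem_kb=115520),
    make_record("vi", 29644, 29330, _t(7, 29, 6, 30, 17), tty=TTY1, etime_s=2.35, mem_kb=126464),
    make_record("crond", 31902, 1889, _t(7, 30, 1, 0, 1), flags=0x03, etime_s=0.21, mem_kb=128512),
    make_record("scp", 31904, 31902, _t(7, 30, 1, 0, 1), exit_status=1, etime_s=0.02, mem_kb=176000),
])


def records_to_remove(log_size, expected_size, record_size=ACCT_V3.size):
    """Whole records separating the given log from the expected clean log."""
    if log_size % record_size or expected_size % record_size:
        raise ValueError("sizes must be multiples of the record size")
    return (log_size - expected_size) // record_size


def remove_records(data, drop):
    """Return a new log with every record for which drop(record) is true removed."""
    keep = [data[r["offset"]:r["offset"] + ACCT_V3.size]
            for r in parse_acct_v3(data) if not drop(r)]
    return b"".join(keep)


def clean_md5(data):
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    for r in parse_acct_v3(SAMPLE_LOG):
        print(f'{r["comm"]:<16}|{r["flags"]:<5}|{r["exit_status"]:>3}|{r["pid"]:>6}|'
              f'{r["ppid"]:>6}|{r["tty"]:<8}|{r["btime"]:%a %b %d %H:%M:%S %Y}')
    clean = remove_records(SAMPLE_LOG, lambda r: r["tty"] == "tty1" or r["pid"] == 17839)
    print("clean md5:", clean_md5(clean))
```

Run it to print the sample records in a dump-acct-like layout; for the real challenge the same remove_records call, fed the predicates worked out in the following sections, produces the file whose md5 is the flag. Note that the kernel fills ac_btime at exit time from the elapsed time, so it can be a second off the real start, which matters when matching children to parents by timestamp.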

0x01 First Access

Since the attacker had physical access to the server, I assumed he would start with a tty session, so once I noticed entries on tty1 I filtered the log by that tty. There was a session on Jul 24 where someone cats a file and pipes it to less, which looked innocent, and another on Jul 26 that looked like an automated system monitoring script. Finally, there was the following session on Jul 29, which looked suspicious:

 60332	id              |v3|     0.00|     0.00|     0.00|     0|     0| 15368.00|     0.00|   29332|   29331|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60333	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|   29331|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60334	hostname        |v3|     0.00|     0.00|     0.00|     0|     0|  6508.00|     0.00|   29334|   29333|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60335	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|   29333|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60336	grep            |v3|     0.00|     0.00|     0.00|     0|     0|  9096.00|     0.00|   29336|   29335|     |       1|tty1    |Thu Jul 29 06:28:56 2021
 60337	grepconf.sh     |v3|     0.00|     0.00|     0.00|     0|     0|  9568.00|     0.00|   29335|   29330|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60338	tty             |v3|     0.00|     0.00|     0.00|     0|     0|  4364.00|     0.00|   29338|   29337|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60339	tput            |v3|     0.00|     0.00|     0.00|     0|     0|  6572.00|     0.00|   29339|   29337|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60340	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|   29337|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60341	dircolors       |v3|     0.00|     0.00|     0.00|     0|     0|  4372.00|     0.00|   29341|   29340|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60342	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|   29340|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60343	grep            |v3|     0.00|     0.00|     0.00|     0|     0|  9096.00|     0.00|   29342|   29330|     |       1|tty1    |Thu Jul 29 06:28:56 2021
 60344	consoletype     |v3|     0.00|     0.00|     0.00|     0|     0|  4216.00|     0.00|   29344|   29343|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60345	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115392.00|     0.00|   29343|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60395	ps              |v3|     0.00|     3.00|     5.00|     0|     0|155584.00|     0.00|   29395|   29330|     |       0|tty1    |Thu Jul 29 06:29:27 2021
 60426	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29427|   29426|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60427	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29426|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60428	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29429|   29428|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60429	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29428|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60430	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29431|   29430|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60431	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29430|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60432	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29433|   29432|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60433	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29432|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60434	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29435|   29434|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60435	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29434|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60436	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29437|   29436|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60437	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29436|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60438	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29439|   29438|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60439	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29438|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60440	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29441|   29440|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60441	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29440|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60442	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29443|   29442|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60443	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29442|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60444	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29445|   29444|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60445	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29444|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60446	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29447|   29446|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60447	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29446|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60448	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29449|   29448|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60449	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29448|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60450	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29451|   29450|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60451	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29450|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60452	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29453|   29452|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60453	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29452|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60454	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29455|   29454|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60455	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29454|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60456	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29457|   29456|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60457	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29456|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60458	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29459|   29458|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60459	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29458|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60460	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29461|   29460|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60461	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29460|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60462	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29463|   29462|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60463	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29462|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60464	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29465|   29464|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60465	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29464|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60466	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29467|   29466|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60467	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29466|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60468	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29469|   29468|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60469	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29468|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60470	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29471|   29470|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60471	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29470|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60472	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29473|   29472|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60473	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29472|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60474	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29475|   29474|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60475	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29474|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60476	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29477|   29476|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60477	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29476|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60478	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29479|   29478|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60479	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29478|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60480	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29481|   29480|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60481	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29480|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60482	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29483|   29482|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60483	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29482|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60484	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29485|   29484|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60485	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29484|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60486	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29487|   29486|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60487	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29486|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60488	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29489|   29488|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60489	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29488|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60490	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29491|   29490|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60491	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29490|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60492	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29493|   29492|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60493	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29492|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60494	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29495|   29494|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60495	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29494|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60496	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29497|   29496|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60497	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29496|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60498	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29499|   29498|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60499	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29498|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60500	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29501|   29500|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60501	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29500|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60502	tr              |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   29503|   29502|     |       0|tty1    |Thu Jul 29 06:29:36 2021
 60503	bash            |v3|     0.00|     0.00|     0.00|     0|     0|115520.00|     0.00|   29502|   29330| F   |       0|tty1    |Thu Jul 29 06:29:36 2021
 60524	ps              |v3|     0.00|     4.00|    14.00|     0|     0|155584.00|     0.00|   29524|   29330|     |       0|tty1    |Thu Jul 29 06:29:44 2021
 60545	netstat         |v3|     0.00|     2.00|     8.00|     0|     0|117056.00|     0.00|   29545|   29330|S    |       0|tty1    |Thu Jul 29 06:29:49 2021
 60606	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|   29607|   29330|     |       0|tty1    |Thu Jul 29 06:30:08 2021
 60607	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|   29608|   29330|     |       0|tty1    |Thu Jul 29 06:30:08 2021
 60608	ls              |v3|     0.00|    31.00|    47.00|     0|     0|125696.00|     0.00|   29609|   29330|     |       0|tty1    |Thu Jul 29 06:30:09 2021
 60609	ls              |v3|     1.00|    17.00|    24.00|     0|     0|125696.00|     0.00|   29610|   29330|     |       0|tty1    |Thu Jul 29 06:30:09 2021
 60610	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|   29611|   29330|     |       0|tty1    |Thu Jul 29 06:30:09 2021
 60611	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|   29612|   29330|     |       0|tty1    |Thu Jul 29 06:30:09 2021
 60632	hostname        |v3|     0.00|     0.00|     0.00|     0|     0|  6508.00|     0.00|   29633|   29330|     |       0|tty1    |Thu Jul 29 06:30:14 2021
 60643	vi              |v3|     0.00|     0.00|   235.00|     0|     0|126464.00|     0.00|   29644|   29330|     |       0|tty1    |Thu Jul 29 06:30:17 2021
 60664	w               |v3|     0.00|     0.00|     1.00|     0|     0|155264.00|     0.00|   29665|   29330|     |       0|tty1    |Thu Jul 29 06:30:25 2021
 60715	cat             |v3|     0.00|     1.00|     1.00|     0|     0|108096.00|     0.00|   29716|   29330|     |       0|tty1    |Thu Jul 29 06:30:40 2021
 60736	cat             |v3|     0.00|     1.00|     2.00|     0|     0|108096.00|     0.00|   29737|   29330|S    |       0|tty1    |Thu Jul 29 06:30:44 2021
 60747	cat             |v3|     0.00|     1.00|     2.00|     0|     0|108096.00|     0.00|   29748|   29330|     |       0|tty1    |Thu Jul 29 06:30:49 2021
 60768	cat             |v3|     0.00|     1.00|     2.00|     0|     0|108096.00|     0.00|   29769|   29330|S    |       0|tty1    |Thu Jul 29 06:30:53 2021
 60890	bash            |v3|     1.00|    10.00| 15590.00|     0|     0|115520.00|     0.00|   29330|   17839|S    |       0|tty1    |Thu Jul 29 06:28:57 2021

Near the end he runs vi, quite possibly to plant the backdoor. The long run of bash/tr pairs at 06:29:36 is a series of bash subshells (the F flag marks a fork that never exec'd) each running one tr, which is what a shell loop or pipeline produces. To catch every entry that belongs to this session we also have to follow parent PIDs and timestamps instead of filtering on tty1 alone. The login shell (pid 29330) has parent pid 17839, a login process with no tty that had been waiting at the console since 01:30:57; the unix_chkpwd helpers it spawned at 06:28:44 and 06:28:56 are the password checks (the first exits with status 7, PAM_AUTH_ERR, i.e. a failed attempt, the later ones succeed), and login itself exits together with the session around 06:31:32. Looking at processes created by the same parent and checking the timestamps, the following lines need to be removed as well:

 60328	unix_chkpwd     |v3|     1.00|     0.00|     2.00|     0|     0| 26800.00|     0.00|   29326|   17839|S    |       7|__      |Thu Jul 29 06:28:44 2021
 60329	unix_chkpwd     |v3|     2.00|     0.00|     2.00|     0|     0| 26800.00|     0.00|   29327|   17839|S    |       0|__      |Thu Jul 29 06:28:56 2021
 60330	unix_chkpwd     |v3|     0.00|     0.00|     0.00|     0|     0| 24024.00|     0.00|   29328|   17839|S    |       0|__      |Thu Jul 29 06:28:56 2021
 60331  systemd-cgroups |v3|     0.00|     0.00|     3.00|     0|     0|  8672.00|     0.00|   29329|     804|S    |       0|__      |Thu Jul 29 06:28:56 2021
 60891	login           |v3|     0.00|    20.00|1803558.00|     0|     0| 26032.00|     0.00|   17839|       1|S    |       0|__      |Thu Jul 29 01:30:57 2021
 60892  systemd-cgroups |v3|     0.00|     0.00|     1.00|     0|     0|  8672.00|     0.00|   29891|     804|S    |       0|__      |Thu Jul 29 06:31:32 2021

0x02 Second Access

We know that the attacker set up his backdoor around Jul 29 06:28-06:31, so the next step is to find a suspicious connection after that time.

I counted how often each command appears and noticed that crontab was run only three times. Filtering for entries with no tty and the crontab command showed that all three ran at Jul 30 00:47, which looked interesting. After analyzing the log around them, I decided that the following entries needed to be removed:

 62380  cat             |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   31417|   29566|     |       0|__      |Fri Jul 30 00:40:53 2021
 62384  crontab         |v3|     0.00|     0.00|     1.00|     0|     0|126016.00|     0.00|   31424|   31422|     |       1|__      |Fri Jul 30 00:47:39 2021
 62385  bash            |v3|     0.00|     0.00|     1.00|     0|     0|113280.00|     0.00|   31422|   29566| F   |       0|__      |Fri Jul 30 00:47:39 2021
 62386  crontab         |v3|     0.00|     0.00|     1.00|     0|     0|126400.00|     0.00|   31423|   29566|     |       0|__      |Fri Jul 30 00:47:39 2021
 62387  crontab         |v3|     0.00|     0.00|     0.00|     0|     0|126016.00|     0.00|   31425|   29566|     |       0|__      |Fri Jul 30 00:47:46 2021
 62412  systemctl       |v3|     0.00|     0.00|     1.00|     0|     0|134912.00|     0.00|   31454|   29566|S    |       0|__      |Fri Jul 30 00:51:31 2021
 62417  iptables        |v3|     0.00|     0.00|     0.00|     0|     0| 20384.00|     0.00|   31459|   29566|S    |       0|__      |Fri Jul 30 00:52:04 2021
 62459  cat             |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   31549|   29566|     |       0|__      |Fri Jul 30 00:53:08 2021
 62460  cat             |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|   31597|   29566|     |       0|__      |Fri Jul 30 00:54:07 2021
 62468  last            |v3|     0.00|     0.00|     0.00|     0|     0| 10776.00|     0.00|   31670|   29566|     |       0|__      |Fri Jul 30 00:55:28 2021
 62470  ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|   31763|   29566|     |       0|__      |Fri Jul 30 00:57:23 2021
 62472  bash            |v3|     0.00|     2.00|6656244.00|     0|     0|113280.00|     0.00|   29566|       1|     |       0|__      |Thu Jul 29 06:29:58 2021

To pick the right entries I started from the bash process with pid 29566: it has no tty, its parent is pid 1, and it was started at Jul 29 06:29:58, i.e. during the attacker's session at the console. A shell reparented to init and detached from any terminal is exactly what a backdoor launched from that session and left running in the background looks like, and its elapsed time (6656244 ticks, roughly 18.5 hours) puts its exit at about Jul 30 00:59, just after the last command above. So I simply selected the entries whose parent is that bash process. The first crontab exits with status 1 (consistent with crontab -l reporting that no crontab exists yet), the next two succeed.
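The two steps used for the first access (following the login shell's descendants by ppid, then collecting what the shell's parent ran around the same time) and the same technique used here for the detached backdoor shell can be automated. The following is an added example, not code from the write-up: it parses dump-acct lines as excerpted in this post (the leading index column is dropped), rebuilds one session from its shell pid, and uses each process's lifetime to avoid pulling in unrelated later processes that happen to reuse a parent PID. The sample lines are copied from the excerpts above except for the last one, a constructed entry with a recycled parent PID that the filter must ignore; the lookback and slack windows are assumptions.

```python
import re
from datetime import datetime, timedelta

AHZ = 100  # dump-acct prints etime in accounting ticks (1/100 s)
COLUMNS = ("comm", "version", "utime", "stime", "etime", "uid", "gid", "mem", "io",
           "pid", "ppid", "flags", "exitcode", "tty", "btime")


def parse_dump_line(line):
    """Parse one dump-acct line; a leading index column like the excerpts' is dropped."""
    body = re.sub(r"^\s*\d+\s+", "", line.strip())
    parts = [p.strip() for p in body.split("|")]
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(COLUMNS, parts))
    for key in ("pid", "ppid", "exitcode"):
        rec[key] = int(rec[key])
    rec["btime"] = datetime.strptime(rec["btime"], "%a %b %d %H:%M:%S %Y")
    # The kernel derives btime at exit from the elapsed time, so the end is exact
    # and btime may be a second early or late.
    rec["end"] = rec["btime"] + timedelta(seconds=float(rec["etime"]) / AHZ)
    return rec


def parse_dump(text):
    return [parse_dump_line(l) for l in text.splitlines() if l.strip()]


def login_session(records, shell_pid, lookback=timedelta(seconds=30),
                  slack=timedelta(seconds=2)):
    """Rebuild one interactive session from its login shell: the shell, every
    descendant that started while its parent was alive, whatever the shell's
    parent (login/sshd) ran shortly before the shell appeared, and that parent
    itself if it exited with the session. The lifetime checks matter because
    PIDs get recycled: ppid alone would also match later, unrelated processes."""
    by_pid = {r["pid"]: r for r in records}      # last record wins on a recycled pid
    children = {}
    for r in records:
        children.setdefault(r["ppid"], []).append(r)

    def during(rec, parent):
        return parent["btime"] - slack <= rec["btime"] <= parent["end"] + slack

    shell = by_pid[shell_pid]
    found, stack = {id(shell): shell}, [shell]
    while stack:
        parent = stack.pop()
        for child in children.get(parent["pid"], []):
            if id(child) not in found and during(child, parent):
                found[id(child)] = child
                stack.append(child)

    parent = by_pid.get(shell["ppid"])
    if parent is not None:
        for sibling in children.get(parent["pid"], []):
            if shell["btime"] - lookback <= sibling["btime"] <= shell["end"] + slack:
                found.setdefault(id(sibling), sibling)
        if shell["btime"] <= parent["end"] <= shell["end"] + lookback:
            found.setdefault(id(parent), parent)
    return sorted(found.values(), key=lambda r: (r["btime"], r["pid"]))


# Lines from the dump excerpts above; the last one is constructed (pid 1203 with
# the shell's pid 29330 recycled as its parent, a day later) and must be ignored.
SAMPLE_DUMP = """\
 60328\tunix_chkpwd     |v3|     1.00|     0.00|     2.00|     0|     0| 26800.00|     0.00|   29326|   17839|S    |       7|__      |Thu Jul 29 06:28:44 2021
 60332\tid              |v3|     0.00|     0.00|     0.00|     0|     0| 15368.00|     0.00|   29332|   29331|     |       0|tty1    |Thu Jul 29 06:28:56 2021
 60333\tbash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|   29331|   29330| F   |       0|tty1    |Thu Jul 29 06:28:56 2021
 60643\tvi              |v3|     0.00|     0.00|   235.00|     0|     0|126464.00|     0.00|   29644|   29330|     |       0|tty1    |Thu Jul 29 06:30:17 2021
 60890\tbash            |v3|     1.00|    10.00| 15590.00|     0|     0|115520.00|     0.00|   29330|   17839|S    |       0|tty1    |Thu Jul 29 06:28:57 2021
 60891\tlogin           |v3|     0.00|    20.00|1803558.00|     0|     0| 26032.00|     0.00|   17839|       1|S    |       0|__      |Thu Jul 29 01:30:57 2021
 99999\tls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|    1203|   29330|     |       0|pts/0   |Fri Jul 30 09:00:00 2021
"""

if __name__ == "__main__":
    for r in login_session(parse_dump(SAMPLE_DUMP), 29330):
        print(f'{r["btime"]:%b %d %H:%M:%S}  {r["pid"]:>6} {r["ppid"]:>6}  {r["comm"]}')
```

login_session(recs, 29566) produces the second-access list the same way, since that shell's parent is pid 1 and has no siblings of interest. Entries related to the session only by time, like the systemd-cgroups helpers with ppid 804 above, are not children of it and still need a separate time-based pass.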

Now, we know that the attacker probably set up some cron jobs to collect data.

0x03 Collection Task

Since the crontab was modified at Jul 30 00:47, we should look for processes launched by crond after that time. The following group repeats every 20 minutes, starting at Jul 30 01:00:01: crond forks (flags SF), runs scp, and then hands the job's output to sendmail/postdrop, which is cron mailing the output to the job's owner. Every scp entry carries exit code 1, so the copies apparently failed, which would also explain why there was output to mail:

 62483  scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   31904|   31902|     |       1|__      |Fri Jul 30 01:00:01 2021
 62484  postdrop        |v3|     0.00|     0.00|     2.00|     0|     0| 89792.00|     0.00|   31907|   31906|     |       0|__      |Fri Jul 30 01:00:01 2021
 62485  sendmail        |v3|     0.00|     1.00|     5.00|     0|     0| 89792.00|     0.00|   31906|   31902|     |       0|__      |Fri Jul 30 01:00:01 2021
 62486  crond           |v3|     0.00|     1.00|    21.00|     0|     0|128512.00|     0.00|   31902|    1889|SF   |       0|__      |Fri Jul 30 01:00:01 2021

However, the challenge description says explicitly that only entries run directly by the collection task itself should be removed, so only the scp entries go; the crond, sendmail and postdrop entries stay in the log.
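As an added example (not from the write-up), the schedule hunt above as code: find the records that crond launched directly, detect commands whose start times repeat at a fixed period, and keep only the scp runs that satisfy both, as the description demands. The records are constructed from the pids and times shown in the dump above plus one hypothetical manual scp run from the backdoor shell; the period, tolerance and minimum run count are assumptions.

```python
from datetime import datetime, timedelta
from itertools import groupby

PERIOD = timedelta(minutes=20)      # cadence observed in the dump above
JITTER = timedelta(seconds=2)       # btime is derived at exit and can be a second off


def rec(comm, pid, ppid, day, hh, mm, ss):
    """Minimal record as the dump shows it: command, pid, ppid, start time (Jul 2021)."""
    return {"comm": comm, "pid": pid, "ppid": ppid, "btime": datetime(2021, 7, day, hh, mm, ss)}


# Constructed sample: the first three cron rounds with the pids from the dump above,
# plus a hypothetical one-off scp from the backdoor shell (pid 29566) that a
# correct filter must leave alone.
SAMPLE = [
    rec("crond", 31902, 1889, 30, 1, 0, 1),
    rec("scp", 31904, 31902, 30, 1, 0, 1),
    rec("sendmail", 31906, 31902, 30, 1, 0, 1),
    rec("postdrop", 31907, 31906, 30, 1, 0, 1),
    rec("crond", 522, 1889, 30, 1, 20, 1),
    rec("scp", 524, 522, 30, 1, 20, 1),
    rec("crond", 1519, 1889, 30, 1, 40, 1),
    rec("scp", 1522, 1519, 30, 1, 40, 1),
    rec("scp", 31550, 29566, 30, 0, 53, 30),   # hypothetical manual run
]


def launched_by(records, parent_comm):
    """Records whose parent entry has the given command name (crond here).
    PIDs are recycled, so a parent only counts if it started no later than the
    child (allowing for btime jitter)."""
    parents = {}
    for r in records:
        if r["comm"] == parent_comm:
            parents.setdefault(r["pid"], []).append(r["btime"])
    return [r for r in records
            if any(t <= r["btime"] + JITTER for t in parents.get(r["ppid"], []))]


def periodic_chains(records, period, tolerance=timedelta(seconds=5), min_runs=3):
    """Runs of the same command whose consecutive start times are `period` apart
    (within `tolerance`): the fingerprint of a cron schedule. Returns chains,
    ordered by command name."""
    chains = []
    keyed = sorted(records, key=lambda r: (r["comm"], r["btime"]))
    for _comm, group in groupby(keyed, key=lambda r: r["comm"]):
        chain = []
        for r in group:
            if chain and abs(r["btime"] - chain[-1]["btime"] - period) <= tolerance:
                chain.append(r)
            else:
                if len(chain) >= min_runs:
                    chains.append(chain)
                chain = [r]
        if len(chain) >= min_runs:
            chains.append(chain)
    return chains


def collection_entries(records, comm="scp", period=PERIOD):
    """Entries to remove for the collection task: runs of `comm` that crond
    launched directly and that sit on the periodic schedule. sendmail/postdrop
    (cron mailing the job's output) and crond itself are not the task's own
    commands and stay in the log."""
    cron_kids = {id(r) for r in launched_by(records, "crond")}
    out = []
    for chain in periodic_chains(records, period):
        out.extend(r for r in chain if r["comm"] == comm and id(r) in cron_kids)
    return sorted(out, key=lambda r: r["btime"])


if __name__ == "__main__":
    for r in collection_entries(SAMPLE):
        print(f'{r["btime"]:%b %d %H:%M:%S}  {r["pid"]:>6} {r["ppid"]:>6}  {r["comm"]}')
```

On the full dump the same call yields the whole list below, and the manual-run guard is what keeps any scp the attacker typed himself, or a legitimate administrator's copy, out of the removal set.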

Here is a list of entries we need to remove from this part:

 62483	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   31904|   31902|     |       1|__      |Fri Jul 30 01:00:01 2021
 62610	scp             |v3|     0.00|     0.00|     1.00|     0|     0|176000.00|     0.00|     524|     522|     |       1|__      |Fri Jul 30 01:20:01 2021
 62627	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    1522|    1519|     |       1|__      |Fri Jul 30 01:40:01 2021
 62646	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|    2511|    2508|     |       1|__      |Fri Jul 30 02:00:01 2021
 62687	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    3518|    3516|     |       1|__      |Fri Jul 30 02:20:01 2021
 62712	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|    4505|    4503|     |       1|__      |Fri Jul 30 02:40:01 2021
 62735	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|    5490|    5488|     |       1|__      |Fri Jul 30 03:00:01 2021
 62775	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|    6487|    6484|     |       1|__      |Fri Jul 30 03:20:01 2021
 62795	scp             |v3|     0.00|     0.00|     3.00|     0|     0|176000.00|     0.00|    7468|    7465|     |       1|__      |Fri Jul 30 03:40:01 2021
 62820	scp             |v3|     0.00|     0.00|     1.00|     0|     0|176000.00|     0.00|    8458|    8455|     |       1|__      |Fri Jul 30 04:00:01 2021
 62856	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|    9464|    9461|     |       1|__      |Fri Jul 30 04:20:01 2021
 62871	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   10439|   10437|     |       1|__      |Fri Jul 30 04:40:01 2021
 62930	scp             |v3|     0.00|     0.00|     1.00|     0|     0|176000.00|     0.00|   11460|   11457|     |       1|__      |Fri Jul 30 05:00:01 2021
 63010	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   12501|   12499|     |       1|__      |Fri Jul 30 05:20:01 2021
 63097	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   13550|   13548|     |       1|__      |Fri Jul 30 05:40:01 2021
 63208	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   14623|   14621|     |       1|__      |Fri Jul 30 06:00:01 2021
 63292	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   15704|   15702|     |       1|__      |Fri Jul 30 06:20:01 2021
 63451	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   16823|   16820|     |       1|__      |Fri Jul 30 06:40:01 2021
 63475	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   17808|   17805|     |       1|__      |Fri Jul 30 07:00:01 2021
 63502	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   18795|   18793|     |       1|__      |Fri Jul 30 07:20:01 2021
 63529	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   19784|   19782|     |       1|__      |Fri Jul 30 07:40:01 2021
 63561	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   20777|   20775|     |       1|__      |Fri Jul 30 08:00:01 2021
 63595	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   21773|   21771|     |       1|__      |Fri Jul 30 08:20:01 2021
 63617	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   22753|   22751|     |       1|__      |Fri Jul 30 08:40:01 2021
 63637	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   23736|   23733|     |       1|__      |Fri Jul 30 09:00:01 2021
 63670	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   24730|   24728|     |       1|__      |Fri Jul 30 09:20:01 2021
 63728	scp             |v3|     0.00|     1.00|     4.00|     0|     0|176000.00|     0.00|   25750|   25747|     |       1|__      |Fri Jul 30 09:40:02 2021
 63748	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   26729|   26726|     |       1|__      |Fri Jul 30 10:00:01 2021
 63784	scp             |v3|     0.00|     1.00|     6.00|     0|     0|176000.00|     0.00|   27728|   27726|     |       1|__      |Fri Jul 30 10:20:01 2021
 63799	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   28702|   28700|     |       1|__      |Fri Jul 30 10:40:01 2021
 63826	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   29690|   29688|     |       1|__      |Fri Jul 30 11:00:02 2021
 63883	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   30710|   30708|     |       1|__      |Fri Jul 30 11:20:01 2021
 63906	scp             |v3|     0.00|     0.00|     4.00|     0|     0|176000.00|     0.00|   31692|   31690|     |       1|__      |Fri Jul 30 11:40:01 2021
 63927	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   32675|   32673|     |       1|__      |Fri Jul 30 12:00:01 2021
 63954	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    1219|    1216|     |       1|__      |Fri Jul 30 12:20:01 2021
 63975	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    2208|    2206|     |       1|__      |Fri Jul 30 12:40:01 2021
 63991	scp             |v3|     0.00|     0.00|     3.00|     0|     0|176000.00|     0.00|    3191|    3189|     |       1|__      |Fri Jul 30 13:00:01 2021
 64037	scp             |v3|     0.00|     2.00|     8.00|     0|     0|176000.00|     0.00|    4199|    4196|     |       1|__      |Fri Jul 30 13:20:02 2021
 64070	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    5193|    5191|     |       1|__      |Fri Jul 30 13:40:01 2021
 64092	scp             |v3|     0.00|     0.00|     5.00|     0|     0|176000.00|     0.00|    6176|    6173|     |       1|__      |Fri Jul 30 14:00:01 2021
 64123	scp             |v3|     0.00|     1.00|     4.00|     0|     0|176000.00|     0.00|    7168|    7165|     |       1|__      |Fri Jul 30 14:20:01 2021
 64150	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|    8155|    8153|     |       1|__      |Fri Jul 30 14:40:01 2021
 64174	scp             |v3|     0.00|     0.00|     5.00|     0|     0|176000.00|     0.00|    9154|    9152|     |       1|__      |Fri Jul 30 15:00:01 2021
 64215	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   10156|   10154|     |       1|__      |Fri Jul 30 15:20:01 2021
 64237	scp             |v3|     0.00|     1.00|     3.00|     0|     0|176000.00|     0.00|   11139|   11136|     |       1|__      |Fri Jul 30 15:40:01 2021
 64266	scp             |v3|     0.00|     1.00|     5.00|     0|     0|176000.00|     0.00|   12129|   12126|     |       1|__      |Fri Jul 30 16:00:02 2021
 64299	scp             |v3|     0.00|     0.00|     3.00|     0|     0|176000.00|     0.00|   13122|   13120|     |       1|__      |Fri Jul 30 16:20:01 2021
 64366	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   14150|   14148|     |       1|__      |Fri Jul 30 16:40:01 2021
 64390	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   15135|   15133|     |       1|__      |Fri Jul 30 17:00:01 2021
 64425	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|   16130|   16128|     |       1|__      |Fri Jul 30 17:20:01 2021
 64444	scp             |v3|     0.00|     0.00|     4.00|     0|     0|176000.00|     0.00|   17109|   17106|     |       1|__      |Fri Jul 30 17:40:01 2021
 64482	scp             |v3|     0.00|     0.00|     5.00|     0|     0|176000.00|     0.00|   18109|   18107|     |       1|__      |Fri Jul 30 18:00:01 2021
 64527	scp             |v3|     0.00|     1.00|     5.00|     0|     0|176000.00|     0.00|   19115|   19113|     |       1|__      |Fri Jul 30 18:20:02 2021
 64565	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   20114|   20112|     |       1|__      |Fri Jul 30 18:40:01 2021
 64593	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   21103|   21100|     |       1|__      |Fri Jul 30 19:00:01 2021
 64629	scp             |v3|     0.00|     0.00|     3.00|     0|     0|176000.00|     0.00|   22100|   22098|     |       1|__      |Fri Jul 30 19:20:01 2021
 64661	scp             |v3|     0.00|     1.00|     1.00|     0|     0|176000.00|     0.00|   23091|   23088|     |       1|__      |Fri Jul 30 19:40:01 2021
 64684	scp             |v3|     0.00|     1.00|     3.00|     0|     0|176000.00|     0.00|   24077|   24075|     |       1|__      |Fri Jul 30 20:00:01 2021
 64716	scp             |v3|     0.00|     0.00|     3.00|     0|     0|176000.00|     0.00|   25070|   25068|     |       1|__      |Fri Jul 30 20:20:01 2021
 64739	scp             |v3|     0.00|     1.00|     6.00|     0|     0|176000.00|     0.00|   26056|   26054|     |       1|__      |Fri Jul 30 20:40:02 2021
 64777	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   27052|   27050|     |       1|__      |Fri Jul 30 21:00:01 2021
 64828	scp             |v3|     0.00|     1.00|     3.00|     0|     0|176000.00|     0.00|   28065|   28062|     |       1|__      |Fri Jul 30 21:20:01 2021
 64856	scp             |v3|     0.00|     0.00|     5.00|     0|     0|176000.00|     0.00|   29054|   29051|     |       1|__      |Fri Jul 30 21:40:01 2021
 64889	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   30050|   30047|     |       1|__      |Fri Jul 30 22:00:02 2021
 64922	scp             |v3|     0.00|     1.00|     5.00|     0|     0|176000.00|     0.00|   31043|   31040|     |       1|__      |Fri Jul 30 22:20:01 2021
 64981	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|   32063|   32061|     |       1|__      |Fri Jul 30 22:40:01 2021
 65034	scp             |v3|     0.00|     0.00|     1.00|     0|     0|176000.00|     0.00|     628|     626|     |       1|__      |Fri Jul 30 23:00:01 2021
 68231	scp             |v3|     0.00|     0.00|     2.00|     0|     0|176000.00|     0.00|    4808|    4806|     |       1|__      |Fri Jul 30 23:20:01 2021
 68282	scp             |v3|     0.00|     1.00|     2.00|     0|     0|176000.00|     0.00|    5826|    5824|     |       1|__      |Fri Jul 30 23:40:01 2021

0x04 Last Access

At this point, the attacker realizes that his backdoor is no longer available. However, he has another way of accessing the server: we know that he knows the root password, since he managed to log in while he was in the building. The description also says that there are logs we need to remove that are associated with a pty session. This suggests that the attacker used ssh to connect again and ran some commands to clear the crontab.

We also know that the last cron job ran at Jul 30 23:40:01, so the crontab must have been cleared after that timestamp and before Jul 31 00:00. That bounds the command that cleared it, not the login itself: the connection could have been opened a little earlier, and the entries below show that it was (23:37:34).

This was the hardest part for me, but by correlating timestamps, PIDs and PPIDs, and the commands that were executed, I concluded that the last access consists of the following entries:

 68255  unix_chkpwd     |v3|     0.00|     0.00|     0.00|     0|     0| 24024.00|     0.00|    5678|    5674|S    |       0|__      |Fri Jul 30 23:37:34 2021
 68256  sshd            |v3|     0.00|     0.00|    53.00|    74|    74|117632.00|     0.00|    5675|    5674|SF   |       0|__      |Fri Jul 30 23:37:34 2021
 68257  unix_chkpwd     |v3|     0.00|     0.00|     2.00|     0|     0| 24024.00|     0.00|    5679|    5676|S    |       0|__      |Fri Jul 30 23:37:34 2021
 68258  sshd            |v3|     0.00|     0.00|    38.00|    74|    74|117312.00|     0.00|    5677|    5676|SF   |       0|__      |Fri Jul 30 23:37:34 2021
 68259  id              |v3|     0.00|     0.00|     0.00|     0|     0| 15368.00|     0.00|    5683|    5682|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68260	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|    5682|    5681| F   |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68261	hostname        |v3|     0.00|     0.00|     0.00|     0|     0|  6508.00|     0.00|    5685|    5684|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68262	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|    5684|    5681| F   |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68263	grep            |v3|     0.00|     0.00|     0.00|     0|     0|  9096.00|     0.00|    5687|    5686|     |       1|pts/0   |Fri Jul 30 23:37:35 2021
 68264	grepconf.sh     |v3|     0.00|     0.00|     0.00|     0|     0|  9568.00|     0.00|    5686|    5681|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68265	tty             |v3|     0.00|     0.00|     0.00|     0|     0|  4364.00|     0.00|    5689|    5688|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68266	tput            |v3|     0.00|     0.00|     0.00|     0|     0|  6572.00|     0.00|    5690|    5688|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68267	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|    5688|    5681| F   |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68268	dircolors       |v3|     0.00|     0.00|     0.00|     0|     0|  4372.00|     0.00|    5692|    5691|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68269	bash            |v3|     0.00|     0.00|     0.00|     0|     0| 11688.00|     0.00|    5691|    5681| F   |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68270	grep            |v3|     0.00|     0.00|     0.00|     0|     0|  9096.00|     0.00|    5693|    5681|     |       1|pts/0   |Fri Jul 30 23:37:35 2021
 68271	consoletype     |v3|     0.00|     0.00|     0.00|     0|     0|  4216.00|     0.00|    5696|    5694|     |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68272	bash            |v3|     0.00|     0.00|     1.00|     0|     0|115392.00|     0.00|    5694|    5681| F   |       0|pts/0   |Fri Jul 30 23:37:35 2021
 68273  grep            |v3|     0.00|     0.00|     0.00|     0|     0|  9096.00|     0.00|    5698|    5697|     |       1|__      |Fri Jul 30 23:37:35 2021
 68274  grepconf.sh     |v3|     0.00|     0.00|     1.00|     0|     0|  9568.00|     0.00|    5697|    5695|     |       0|__      |Fri Jul 30 23:37:35 2021
 68275  consoletype     |v3|     0.00|     0.00|     0.00|     0|     0|  4216.00|     0.00|    5700|    5699|     |       0|__      |Fri Jul 30 23:37:35 2021
 68276  bash            |v3|     0.00|     0.00|     0.00|     0|     0|113280.00|     0.00|    5699|    5695| F   |       0|__      |Fri Jul 30 23:37:35 2021
 68277	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|    5705|    5681|     |       0|pts/0   |Fri Jul 30 23:37:40 2021
 68294	cat             |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|    6017|    5681|     |       0|pts/0   |Fri Jul 30 23:43:48 2021
 68299	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|    6080|    5681|     |       0|pts/0   |Fri Jul 30 23:45:00 2021
 68300	cat             |v3|     0.00|     0.00|     0.00|     0|     0|108096.00|     0.00|    6083|    5681|     |       0|pts/0   |Fri Jul 30 23:45:03 2021
 68301	ls              |v3|     0.00|     0.00|     0.00|     0|     0|125376.00|     0.00|    6097|    5681|     |       0|pts/0   |Fri Jul 30 23:45:20 2021
 68307	bash            |v3|     0.00|     3.00| 63163.00|     0|     0|115520.00|     0.00|    5681|    5674|S    |       0|pts/0   |Fri Jul 30 23:37:36 2021
 68308  sshd            |v3|     2.00|    22.00| 63306.00|     0|     0|115392.00|     0.00|    5674|    1250|S    |       0|__      |Fri Jul 30 23:37:34 2021
 68309  systemd-cgroups |v3|     0.00|     0.00|     2.00|     0|     0|  8672.00|     0.00|    6237|     804|S    |       0|__      |Fri Jul 30 23:48:07 2021
 68310  sftp-server     |v3|     0.00|     0.00| 63175.00|     0|     0| 72320.00|     0.00|    5695|    5676|S    |       0|__      |Fri Jul 30 23:37:36 2021
 68311  sshd            |v3|     1.00|    11.00| 63272.00|     0|     0|119488.00|     0.00|    5676|    1250|S    |       0|__      |Fri Jul 30 23:37:35 2021
 68312  systemd-cgroups |v3|     0.00|     0.00|     2.00|     0|     0|  8672.00|     0.00|    6238|     804|S    |       0|__      |Fri Jul 30 23:48:07 2021
 68313  systemd-cgroups |v3|     0.00|     0.00|     0.00|     0|     0|  8672.00|     0.00|    6239|     804|S    |       0|__      |Fri Jul 30 23:48:07 2021

Here we see that the attacker uses cat to clear the crontab (the cat entries at 23:43:48 and 23:45:03, both after the last job at 23:40). Two properties of the listing matter when grouping entries into a session. First, an accounting record is written when the process exits but carries the process's start time, which is why the long-lived bash (PID 5681) and the two sshd connections (PIDs 5674 and 5676) appear near the end of the listing even though they started at 23:37; everything in between with PPID 5681 belongs to the interactive pts/0 shell. Second, the burst of bash, grep, grepconf.sh, tty, tput, dircolors and consoletype entries at 23:37:35 is the login shell running its startup scripts (the F flag marks a fork that never exec'd, i.e. a subshell), so it is part of the session even though the attacker had not typed anything yet; the second connection (sshd 5676) ran sftp-server (PID 5695) rather than an interactive shell, which is why its startup-script children carry no tty. If we count all the entries we found, we verify that there are 230 entries in total.
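The grouping above (walk each record's PPID back to the per-connection sshd, considering only processes that started while that sshd was alive) can be done mechanically on the raw file instead of by eye. The following Python is an added example, not the author's tooling: it parses struct acct_v3 records straight from the binary log (layout and field sizes from linux/acct.h; the little-endian byte order and the 1/100 s accounting tick are assumptions about the box that produced this log) and then collects every record that descends from a chosen sshd record. The sample records are constructed here to mimic the 23:37 session, including a recycled PID, and are not from the challenge file. Records that belong to the session only indirectly, such as the three systemd-cgroups entries at 23:48:07 whose parent is PID 804, are not descendants and still have to be added by hand.

```python
#!/usr/bin/env python3
"""Rebuild one ssh session from raw acct_v3 records (added example).

Process accounting writes one 64-byte struct acct_v3 per process *at exit*,
stamped with the process's start time (ac_btime).  To attribute records to
a pty session, walk ac_ppid back to the session's sshd, but only among
processes started while that sshd was alive: PIDs are recycled, so a
PID-to-record map over a multi-day log is ambiguous.
"""
import math
import struct
from collections import defaultdict

RECORD_SIZE = 64
# struct acct_v3 from linux/acct.h; little-endian is an assumption (x86 host):
#   ac_flag(b) ac_version(B) ac_tty(H) ac_exitcode(I) ac_uid(I) ac_gid(I)
#   ac_pid(I) ac_ppid(I) ac_btime(I) ac_etime(f, in AHZ ticks)
#   ac_utime ac_stime ac_mem ac_io ac_rw ac_minflt ac_majflt ac_swaps (comp_t)
#   ac_comm(16s)
ACCT_V3 = struct.Struct("<bBHIIIIIIf8H16s")
assert ACCT_V3.size == RECORD_SIZE
AHZ = 100                  # accounting tick assumed to be 1/100 s
AFORK, ASU = 0x01, 0x02    # printed by lastcomm as F (fork, no exec) and S (root)


def comp_t(c):
    """Decode a comp_t: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def parse_records(data):
    """Split a raw accounting file into dicts, one per 64-byte record."""
    if len(data) % RECORD_SIZE:
        raise ValueError("file is not a whole number of acct_v3 records")
    records = []
    for index, off in enumerate(range(0, len(data), RECORD_SIZE)):
        f = ACCT_V3.unpack_from(data, off)
        records.append({
            "index": index, "flag": f[0], "tty": f[2], "uid": f[4],
            "pid": f[6], "ppid": f[7], "btime": f[8], "etime": f[9],
            "utime": comp_t(f[10]), "stime": comp_t(f[11]),
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records


def find_roots(records, listener_pid, comm="sshd"):
    """Indices of per-connection sshd records: sshd children of the listener."""
    return [r["index"] for r in records
            if r["comm"] == comm and r["ppid"] == listener_pid]


def session_records(records, root_index):
    """Indices of every record descending from records[root_index] via ac_ppid,
    restricted to processes started while the root was alive.
    Caveat: a child that outlives its parent is reparented before it exits,
    so its record carries ppid 1 and must be attributed by hand."""
    root = records[root_index]
    start = root["btime"]
    end = start + math.ceil(root["etime"] / AHZ)
    by_ppid = defaultdict(list)
    for r in records:
        if start <= r["btime"] <= end:       # drops stale owners of recycled PIDs
            by_ppid[r["ppid"]].append(r)
    found, todo = {root_index}, [root["pid"]]
    while todo:
        for child in by_ppid.get(todo.pop(), []):
            if child["index"] not in found:
                found.add(child["index"])
                todo.append(child["pid"])
    return sorted(found)


def make_record(comm, pid, ppid, btime, etime_ticks, tty=0, flag=0, uid=0):
    """Pack a synthetic acct_v3 record (only used for the constructed sample)."""
    return ACCT_V3.pack(flag, 3, tty, 0, uid, uid, pid, ppid, btime,
                        float(etime_ticks), 0, 0, 0, 0, 0, 0, 0, 0,
                        comm.encode().ljust(16, b"\0"))


# Constructed sample in exit order, modelled on the 23:37 session above.
# T is an arbitrary epoch; PTS0 is the old dev number of pts/0 (136 << 8).
T, PTS0 = 1627677454, 0x8800
SAMPLE = b"".join([
    make_record("cron", 4000, 1, T - 3700, 100),
    make_record("cp", 4100, 5681, T - 3590, 50),          # child of the OLD 5681
    make_record("scp", 5681, 4000, T - 3600, 6000),       # earlier owner of PID 5681
    make_record("unix_chkpwd", 5678, 5674, T, 0, flag=ASU),
    make_record("sshd", 5675, 5674, T, 53, flag=ASU | AFORK),
    make_record("ls", 5705, 5681, T + 6, 0, tty=PTS0),
    make_record("cat", 6017, 5681, T + 374, 0, tty=PTS0),
    make_record("scp", 5826, 5824, T + 126, 2),           # unrelated cron job
    make_record("bash", 5681, 5674, T + 2, 63163, tty=PTS0, flag=ASU),
    make_record("sshd", 5674, 1250, T, 63306, flag=ASU),
    make_record("systemd-cgroups", 6237, 804, T + 633, 2),  # not a descendant
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for root in find_roots(recs, 1250):
        for i in session_records(recs, root):
            r = recs[i]
            flags = ("F" if r["flag"] & AFORK else " ") + ("S" if r["flag"] & ASU else " ")
            print(f'{i:>3} {r["comm"]:<16} pid={r["pid"]:<6} ppid={r["ppid"]:<6} {flags}')
```

On the real file you would replace SAMPLE with the bytes of the log, call find_roots with the listener's PID (1250 in the listing) and union the results for both connections (5674 and 5676). The window check is not academic here: the scp PIDs in the cron listing above wrap from 32063 to 628 around 23:00, so without it an old process that happened to own PID 5681 would be pulled into the session, as the constructed cp record shows.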

0x05 Cleaning up

In order to clean up the log file, I put the indexes of these entries (the leading numbers in the listings above, one per line) into a file named blacklist and wrote the following script to generate the clean log file:

#!/usr/bin/env python3
# The accounting log is a flat array of 64-byte struct acct_v3 records, so
# record i occupies bytes [64*i, 64*i + 64).  Drop every record whose index
# is listed in 'blacklist' and write the rest back unchanged.

RECORD_SIZE = 64

with open('blacklist', 'r') as f:
    blacklist = set(map(int, f.read().split()))

with open('log', 'rb') as f:
    data = f.read()

# A size that is not a multiple of 64 means this is not a plain acct_v3 file.
assert len(data) % RECORD_SIZE == 0, 'log is not a whole number of records'

original_commands = [data[i:i + RECORD_SIZE] for i in range(0, len(data), RECORD_SIZE)]

cleaned_commands = [command for i, command in enumerate(original_commands)
                    if i not in blacklist]

with open('clean_log', 'wb') as f:
    for command in cleaned_commands:
        f.write(command)

# Sanity check: exactly the blacklisted records (230 of them) should be gone.
assert len(original_commands) - len(cleaned_commands) == len(blacklist)

0x06 Conclusion

This was a really different and unusual challenge for me, but it was also a lot of fun. I learned a lot while solving it and talking to the challenge author, and I'm happy to have claimed both the challenge bounty and the write-up bounty for this amazing challenge!