Raided

medium | forensics | 482 points

The police raided a server belonging to a very 1337 hax0r that was used to stage attacks. Upon further investigation, this server turned out to be a jump server for the attacker to access more infrastructure. A memory snapshot was taken of the machine. See if you can figure out what the attacker was doing and what other systems the hacker was accessing.

First Impressions

The challenge comes with a ZIP file containing a memory image, raided-challenge-dump-vmem. It is a Kali Linux memory image, as detected by volatility3.

$ volatility3 -f raided-challenge-dump-vmem banners.Banners
Volatility 3 Framework 2.4.2
Progress:  100.00		PDB scanning finished
Offset	Banner

0x7144cd0	Linux version 6.1.0-kali9-amd64 (devel@kali.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1kali1 (2023-05-12)

Create a Volatility Profile

To analyze Linux images, Volatility requires a custom profile. This process took ages, as I attempted to create profiles for both Volatility 2 and 3, and both kept returning errors, one error even breaking my VM. However, I'll save you the trouble and provide a gist of what worked.

Volatility 3 requires a symbol table, which can be generated from a DWARF file using a tool called dwarf2json. The symbol table differs depending on the kernel version.

The DWARF file for Kali Linux can be installed the debug symbols using apt. The version number is taken from the banner.

$ sudo apt upgrade
$ sudo apt install linux-image-6.1.0-kali9-amd64-dbg

Then I generated the symbol table with the DWARF file, located in /usr/lib/debug/boot. This may take some time.

$ git clone https://github.com/volatilityfoundation/dwarf2json
$ cd dwarf2json/
$ go build
$ ./dwarf2json linux --elf /lib/debug/boot/vmlinux-6.1.0-kali9-amd64 > linux-image-6.1.0-kali9-amd64.json

Once completed, I moved the table to volatility's symbols directory.

$ sudo mv linux-image-6.1.0-kali9-amd64.json > /opt/volatility3/volatility3/symbols

Initial Analysis

The first thing I checked after setting up the profile was the list of running processes, using the PsAux plugin.

$ volatility3 -f raided-challenge-dump-vmem linux.psaux.PsAux
Volatility 3 Framework 2.4.2
Progress:  100.00		Stacking attempts finished
PID		PPID	COMM		ARGS

1		0		systemd		/sbin/init splash
2		0		kthreadd	[kthreadd]
3		2		rcu_gp		[rcu_gp]
...
1266	1		qterminal	/usr/bin/qterminal
1365	1266	zsh			/usr/bin/zsh
1398	759		obexd		/usr/libexec/bluetooth/obexd
1690	1365	ssh			ssh -i /home/l33t/.ssh/id_ed25519 l33t@167.172.12.154

Based on the output, it seems like the user, l33t started a terminal session using qterminal, with zsh as the shell, and logged in to another server via ssh using a private key, id_ed25519.

At this point, my brain was pretty fried, and I was looking for attempts to extract interesting files, not realizing that an interesting file was right in front of my eyes. I followed another rabbit hole extracting SSH session keys, and that didn't lead anywhere.

And finally, it clicked. I checked if the host 167.172.12.154 was actually live, and it was. So all I needed was the private key to access this server.

Extract the SSH Private Key

I'd been used to extracting files using the dump_file plugin from volatility2, and volatility3 doesn't have that plugin.

I sat confused for a while, but soon remembered that SSH private keys start with the phrase -----BEGIN OPENSSH PRIVATE KEY----- which can be easily found through grep.

$ cat raided-challenge-dump-vmem | grep -A 20 -a 'BEGIN OPENSSH PRIVATE KEY'
...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDx5+PcHHdCbysQVTdmPbKyd1qZBRe4OEhD0YoBDH2IKgAAAJBE81SyRPNU
sgAAAAtzc2gtZWQyNTUxOQAAACDx5+PcHHdCbysQVTdmPbKyd1qZBRe4OEhD0YoBDH2IKg
AAAEBFmHMBRmsUnpUBeiO91vIYYjICQHypyprNdh9IoONK3fHn49wcd0JvKxBVN2Y9srJ3
WpkFF7g4SEPRigEMfYgqAAAACmwzM3RAaDR4MHIBAgM=
-----END OPENSSH PRIVATE KEY-----
...

I saved the key to a file, changed its permissions, logged in, and got the flag.

$ chmod 600 raided_id_ed25519
$ ssh -i raided_id_ed25519 l33t@167.172.12.154
flag{654e9dc4c424e25423c19c5e64fffb27}
Connection to 167.172.12.154 closed.

Well, that was easier than I thought.

Flag: flag{654e9dc4c424e25423c19c5e64fffb27}

More writeups from NahamCon CTF 2023