HTB Sherlock - Ore Writeup

Sherlock Scenario

One of our technical partners is currently managing our AWS infrastructure. We requested the deployment of some technology into the cloud. The solution proposed was an EC2 instance hosting the Grafana application. Not too long after the EC2 was deployed the CPU usage ended up sitting at a continuous 98%+ for a process named “xmrig”.

Important Information

Our organisation’s office public facing IP is 86.5.206.121, upon the deployment of the application we carried out some basic vulnerability testing and maintenance.

Artefacts

After extracting the downloaded ZIP file, we get another archive file catscale_ip-172-31-13-147-20221124-1501.tar.gz and the usr directory (Fig. 1).

Fig. 1. Content of the extracted ZIP file.

In the usr directory, there is a subdirectory share, followed by the home directory of the user grafana containing Grafana application files (configuration files, logs, bin directory, and data directory) (Fig. 2).

Fig. 2. Content of the usr directory.

The archive catscale_ip-172-31-13-147-20221124-1501.tar.gz contains additional system logs, home directories of other users, a list of processes, open ports, etc. In total, we received about 5,578 files to solve the task (Fig. 3).
Fig. 3. Content of the archive catscale_ip-172-31-13-147-20221124-1501.tar.gz.

Solution

Task 1

Which CVE led to the initial compromise of the EC2?

Initially, I examined the home directory of the Grafana user located in the usr/share/grafana subdirectory. There, I found a file containing information about the Grafana version 8.0.2 (Fig. 4).

Fig. 4. Detected Grafana version.

Next, I conducted a quick search on Google and found an exploit for vulnerability CVE-2021-43798, which corresponds to the detected Grafana version, thus providing the correct answer (Fig. 5).

Fig. 5. Found CVE and exploit for the detected Grafana version (source: https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798).

Answer: CVE-2021-43798

Task 2

Please detail all malicious IP addresses used by the threat actor (TA) targeting our organisation.

To find the IP addresses used by the attacker during the initial phase of the attack, I first analyzed what exactly the exploit I found does (Fig. 6). From the exploit’s code, I deduced two values I focused on in the first phase. The first was the User-Agent header, but I did not find any log entries for the specified value (Fig. 7). Next, I decided to search for the first request made by the exploit. The exploit, to check for Grafana’s vulnerability, tries to fetch the /etc/passwd file. I thought it would be a good idea to start by finding all occurrences of passwd in the logs. This time I was successful and got results (Fig. 7).

Fig. 6. CVE-2021-43798 exploit code.

Fig. 7. Logs indicating the use of the exploit.

In the next step, I extracted all IP addresses that tried to fetch the passwd file, excluding the IP address 86.5.206.121 because, as we know from the task description, it belongs to the organization (Fig. 8). Three addresses remained. To determine which of these addresses belonged to the attacker, I had to analyze each case individually.

Fig. 8. IP addresses involved in the communication.

The address 89.247.167.247 did try to fetch passwd, but it failed and did not perform any other interesting interactions with the system, so I excluded it (Fig. 9).

Fig. 9. Communication analysis for IP address 89.247.167.247.

The next address I analyzed was 95.181.232.32, which managed to fetch the passwd file, sample.ini, and defaults.ini, so this is definitely an attacker’s address (Fig. 10).

Fig. 10. Communication analysis for IP address 95.181.232.32.

The address 195.80.150.137 also fetched the passwd file, so it can be assumed that it also belongs to the attacker (Fig. 11).

Fig. 11. Communication analysis for IP address 195.80.150.137.

However, these two addresses alone did not solve the task, so there had to be another one. I found the third IP address while solving task 5: it is the address from which the attacker downloaded a malicious script (Fig. 12).

Fig. 12. Found third IP address used by the attacker.
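As an added example (not part of the original writeup), the triage from this task in script form: it parses Grafana-style request log lines, keeps only requests that traverse out of /public/plugins/ (the CVE-2021-43798 pattern), drops the organisation's own IP, and separates addresses whose traversal succeeded from those whose attempt failed. The log lines are constructed in Grafana's logfmt layout, not taken from the Sherlock's artefacts.

```python
import re
from collections import defaultdict

ORG_IP = "86.5.206.121"  # the organisation's office IP given in the scenario

# Constructed sample lines in Grafana's logfmt layout (not the real Sherlock logs).
SAMPLE_LOG = """\
t=2022-11-24T10:02:11+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../../../../../etc/passwd status=200 remote_addr=86.5.206.121 time_ms=2 size=1780
t=2022-11-24T10:15:40+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/nonexistent/../../../../../../../../etc/passwd status=404 remote_addr=89.247.167.247 time_ms=1 size=20
t=2022-11-24T11:03:05+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../../../../../etc/passwd status=200 remote_addr=95.181.232.32 time_ms=1 size=1780
t=2022-11-24T11:03:09+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../../../../../usr/share/grafana/conf/defaults.ini status=200 remote_addr=95.181.232.32 time_ms=1 size=51237
t=2022-11-24T11:03:12+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../../../../../usr/share/grafana/conf/sample.ini status=200 remote_addr=95.181.232.32 time_ms=1 size=50117
t=2022-11-24T12:40:51+0000 lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/../../../../../../../../etc/passwd status=200 remote_addr=195.80.150.137 time_ms=1 size=1780
t=2022-11-24T12:45:00+0000 lvl=info msg="Request Completed" method=GET path=/api/health status=200 remote_addr=10.0.0.5 time_ms=0 size=60
"""

# Pull the three logfmt fields the triage needs from each "Request Completed" line.
LOG_RE = re.compile(r"path=(?P<path>\S+) status=(?P<status>\d+) remote_addr=(?P<ip>\S+)")
# CVE-2021-43798 shape: a plugin asset path followed by a parent-directory hop (plain or URL-encoded).
TRAVERSAL_RE = re.compile(r"^/public/plugins/[^/]+/(?:\.\.|%2e%2e)(?:/|%2f)", re.IGNORECASE)

def parse_line(line):
    """Return (path, status, remote_ip) for a request line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("path"), int(m.group("status")), m.group("ip")

def traversal_attempts(log_text, exclude=(ORG_IP,)):
    """Map each remote IP that sent a traversal request to the files it asked for and
    whether any of those requests returned 200. IPs in `exclude` (known-good testers) are dropped."""
    seen = defaultdict(lambda: {"files": set(), "succeeded": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, status, ip = parsed
        if ip in exclude or not TRAVERSAL_RE.match(path):
            continue
        seen[ip]["files"].add(path.rsplit("/", 1)[-1])  # the target file name, e.g. passwd
        if status == 200:
            seen[ip]["succeeded"] = True
    return dict(seen)

def attacker_ips(log_text, exclude=(ORG_IP,)):
    """IPs whose traversal actually read a file (status 200), sorted for stable output."""
    return sorted(ip for ip, info in traversal_attempts(log_text, exclude).items() if info["succeeded"])
```

On the constructed sample this reproduces the task's reasoning: 89.247.167.247 appears only as a failed attempt, while 95.181.232.32 and 195.80.150.137 are reported as successful readers (the third address from task 5 is not a Grafana request and cannot come from this log).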

Answer: 44.204.18.94, 95.181.232.32, 195.80.150.137

Task 3

Which account did the TA utilize to authenticate to the host OS?

I found the answer to this question by reviewing the collected logs in the Logs directory and the file ip-172-31-13-147-20221124-1501-lastlog.txt, which contains information about the last user logins. It shows the attacker’s IP address and the username grafana (Fig. 13).

Fig. 13. Information in the file ip-172-31-13-147-20221124-1501-lastlog.txt.

Answer: grafana

Task 4

Which file did the TA modify in order to escalate privileges and run the mining service as “root”?

From the previous task, I knew that the attacker logged into the grafana user account. I checked the contents of this user’s home directory and noticed a .bash_history file, which in Linux systems contains the history of commands executed by the user (Fig. 14).

Fig. 14. Found .bash_history file in the home directory of the user grafana.

At the end of the .bash_history file, I found information that the user (attacker) edited the updater.sh file located in the /opt/automation/ directory (Fig. 15).

Fig. 15. File modified by the attacker.

Answer: /opt/automation/updater.sh

Task 5

Which program did the TA utilize to download the injector.sh script?

After extracting all the files located in the catscale_out directory, I used the command grep -r "injector.sh", which allowed me to find the answer almost immediately, in the first result (Fig. 16).

Fig. 16. Command used by the attacker to download the injector.sh script.

Answer: wget

Task 6

Where was the crypto mining binary & config file initially downloaded to?

From the task description, I learned that the attacker downloaded additional software. Therefore, I decided to search for what else was downloaded from IP address 44.204.18.94. I filtered out all results related to the injector.sh script and wget, because as the next task indicates, the attacker used something else to download these two files. In the next step, many entries related to the use of nc appeared, but they also did not contribute to the search, so I filtered them out as well. Ultimately, I obtained six entries, with the first one containing the answer to the question (Fig. 17).

Fig. 17. Initial directory containing the crypto mining binary.

Answer: /opt/automation/

Task 7

Which program did the TA utilize to download both the crypto mining binary & configuration file?

The same log entry found while solving the previous task shows, besides the directory, the command that was executed (Fig. 18).

Fig. 18. Command used to download the binary and configuration file.

Answer: curl

Task 8

We need to confirm the exact time the SOC team began artefact collection as this was not included in the report. They utilize the same public-facing IP address as our system administrators in Lincoln.

I must admit, I puzzled over this task for a while. It turned out that the hint about what to look for is in the name of the archive we receive at the beginning of the task (catscale_ip-172-31-13-147-20221124-1501.tar.gz). Catscale, specifically Cat-Scale.sh, is a bash script from WithSecure used to collect artifacts for later analysis. I must admit I was not aware of this. However, once I knew what I was looking for, finding it was very simple. Using the command grep -r "Cat-Scale.sh" . executed in the main directory, I obtained information from the syslog, which contained the date of the script’s first run (Fig. 19).

Fig. 19. Detected time the SOC team began collecting artifacts.

Answer: 2022-11-24 15:01:00

Task 9

Please confirm the password left by the system administrator in some Grafana configuration files.

The hint to solve this task was already in the text. Since the administrator left a password in the configuration files, it is highly probable that in the configuration file, it would look like this: password=<some password>. Using the command grep -r password, I quickly located the password left by the administrator (Fig. 20).

Fig. 20. Password left by the administrator.

Answer: f0rela96789!

Task 10

What was the mining threads value set to when xmrig was initiated?

Using the command grep -r "xmrig", I searched for everything that might be related to the execution of xmrig. Reviewing the obtained results, I found the answer to the question (Fig. 21).

Fig. 21. The number of threads set in xmrig.

Answer: 0

Task 11

Our CISO is requesting additional details surrounding which mining pool this may have been utilizing. Please confirm which (if any) mining pool the TA utilized.

From the results obtained in the previous task, I also found the DNS address to which the mentioned software connected (Fig. 22).

Fig. 22. Detected DNS address used by xmrig.

Answer: monero.herominers.com

Task 12

We couldn’t locate the crypto mining binary and configuration file in the original download location. Where did the TA move them to on the file system?

The answer is visible in the same results obtained in the previous task (Fig. 23).

Fig. 23. New location.

Answer: /usr/share/.logstxt/

Task 13

We have been unable to forensically recover the “injector.sh” script for analysis. We believe the TA may have run a command to prevent us from recovering the file. What command did the TA run?

I executed the command grep -r "./injector.sh" again. At the very end of the six results obtained, there was the answer to the question (Fig. 24).

Fig. 24. Command executed by the attacker to delete the injector.sh file.

Answer: shred -u ./injector.sh

Task 14

How often does the cronjob created by our IT admins run for the script modified by the TA?

The answer to this question is located in the Persistence/var/spool/cron/crontabs/ directory, in the root file. The script is executed daily at 8:30 AM (Fig. 25).

Fig. 25. Cron configuration for the root user.

Answer: daily - 08:30