Challenge

PCAP analysis
The file 10.10.0.53_ns_capture.pcap has link-type DLT_IPV4 (228), so each frame starts directly with the IP header; there is no Ethernet header.
Looking through it, I noticed many queries for unusual names under hex.cloudflar3.com, all of the form:
p.<HEX>.hex.cloudflar3.com
f.<HEX>.hex.cloudflar3.com


I'll extract them in the order they were received so they are easier to read:
p.c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2.hex.cloudflar3.com
p.f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4.hex.cloudflar3.com
p.3dfec8a22cde4db4463db2c35742062a415441f526daecb59b.hex.cloudflar3.com
p.f6af1ecb8cc9827a259401e850e5e07fdc3c1137f1.hex.cloudflar3.com
f.6837abc6655c12c454abe0ca85a596e98473172829581235dd.hex.cloudflar3.com
f.95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3.hex.cloudflar3.com
I'll join the HEX labels in order of first appearance, split by the p and f prefixes:
- group p → 96 bytes after hex decoding
- group f → 48 bytes after hex decoding
144 bytes of data in total, with high entropy ⇒ ciphertext
After a while I felt the pcap had done its job, so I moved on to the log files.
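As an added example (my code, not the author's and not part of the challenge files), the Python script below automates the extraction just described: it builds a small DLT_IPV4 pcap from constructed DNS queries (the six names above plus a resolver retry and a benign lookup), parses the IPv4/UDP/DNS layers with no Ethernet offset, groups the hex labels by prefix in first-seen order while dropping repeats, and reports the size and Shannon entropy of each stream. The source/destination addresses, ports and timestamps in the constructed packets are assumptions.

```python
import math
import struct
from collections import OrderedDict

DLT_IPV4 = 228                       # pcap link-type 228: frames start at the IPv4 header
EXFIL_SUFFIX = "hex.cloudflar3.com"  # suffix seen in the capture

# Constructed sample: the six names from the capture plus a resolver retry and benign traffic
SAMPLE_QUERIES = [
    "p.c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2.hex.cloudflar3.com",
    "www.example.com",
    "p.f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4.hex.cloudflar3.com",
    "p.f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4.hex.cloudflar3.com",  # retry
    "p.3dfec8a22cde4db4463db2c35742062a415441f526daecb59b.hex.cloudflar3.com",
    "p.f6af1ecb8cc9827a259401e850e5e07fdc3c1137f1.hex.cloudflar3.com",
    "f.6837abc6655c12c454abe0ca85a596e98473172829581235dd.hex.cloudflar3.com",
    "f.95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3.hex.cloudflar3.com",
]

def encode_qname(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query_frame(qname, src="10.10.0.53", dst="10.10.0.1"):
    """One raw IPv4 + UDP + DNS A-query frame (checksums left at zero; constructed data)."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

def build_pcap(frames):
    """Little-endian pcap with link-type DLT_IPV4 wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IPV4)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1760000000 + i, 0, len(f), len(f)) + f
    return out

def decode_qname(data, off):
    """Read a wire-format name at offset off; return (dotted name, offset after it)."""
    labels = []
    while data[off]:
        n = data[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def iter_dns_qnames(pcap):
    """Yield every question name from UDP/53 packets in a DLT_IPV4 pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_IPV4:
        raise ValueError("expected a little-endian pcap with link-type 228 (DLT_IPV4)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[0] >> 4 != 4 or frame[9] != 17:      # IPv4 carrying UDP only
            continue
        udp = frame[(frame[0] & 0x0F) * 4:]            # skip IP header incl. options
        if struct.unpack("!H", udp[2:4])[0] != 53:
            continue
        dns, qoff = udp[8:], 12
        for _ in range(struct.unpack("!H", dns[4:6])[0]):   # QDCOUNT
            name, qoff = decode_qname(dns, qoff)
            qoff += 4                                   # skip QTYPE/QCLASS
            yield name

def reassemble_exfil(qnames, suffix=EXFIL_SUFFIX):
    """Group <prefix>.<HEX>.<suffix> names by prefix in first-seen order, dropping repeats."""
    streams = {}
    for name in qnames:
        if not name.endswith("." + suffix):
            continue
        parts = name[:-len(suffix) - 1].split(".")
        if len(parts) != 2:
            continue
        prefix, hexpart = parts
        try:
            raw = bytes.fromhex(hexpart)
        except ValueError:
            continue                                   # not a hex label, ignore
        streams.setdefault(prefix, OrderedDict()).setdefault(hexpart, raw)
    return {p: b"".join(chunks.values()) for p, chunks in streams.items()}

def shannon_entropy(data):
    """Bits per byte: close to the maximum for random/encrypted data, much lower for text."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

if __name__ == "__main__":
    pcap = build_pcap(build_query_frame(q) for q in SAMPLE_QUERIES)
    for prefix, blob in reassemble_exfil(iter_dns_qnames(pcap)).items():
        print(prefix, len(blob), "bytes, entropy %.2f bits/byte" % shannon_entropy(blob))
```

On the real capture you would pass the file's bytes to iter_dns_qnames instead of build_pcap. Dropping repeated labels matters: resolver retries would otherwise duplicate chunks and break the 16-byte block alignment the decryption step depends on.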
Log analysis
First I checked 10.10.5.80_access.log to see what requests it contained.
After a long search through 10.10.5.80_access.log I found that this is a File Upload Vulnerability combined with OS Command Injection in the web app, because of requests like the following:
192.168.13.37 - - [10/Oct/2025:09:21:00 +0700] "GET /media/image1.php?c=whoami HTTP/1.1" 200 249 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:02 +0700] "GET /media/image1.php?c=id HTTP/1.1" 200 271 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:04 +0700] "GET /media/image1.php?c=uname%20-a HTTP/1.1" 200 291 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:06 +0700] "GET /media/image1.php?c=ping%20-c%201%2010.10.10.53 HTTP/1.1" 200 284 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:08 +0700] "GET /media/image1.php?c=cat%20/etc/shadow HTTP/1.1" 403 131 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:10 +0700] "GET /media/image1.php?c=cat%20/flag HTTP/1.1" 403 284 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:12 +0700] "GET /media/image1.php?c=ls%20-la%20/var/www/html HTTP/1.1" 200 773 "-" "curl/7.88.1"
I also noticed the attacker probably abused a hidden parameter as well, since there are requests like these:
192.168.13.37 - - [10/Oct/2025:09:26:03 +0700] "GET /media/getfile.php?debug=true HTTP/1.1" 500 195 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:26:10 +0700] "GET /media/getfile.php?file=L2V0Yy9wYXNzd2Q%3D&prefix=p HTTP/1.1" 200 832 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:26:12 +0700] "GET /media/getfile.php?file=L2ZsYWc%3D&prefix=f HTTP/1.1" 200 118 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:26:14 +0700] "GET /media/getfile.php?file=L3Zhci93d3cvaHRtbC8uZW52&prefix=e HTTP/1.1" 404 651 "-" "curl/7.88.1"
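To show how the two request patterns above can be picked out of the access log mechanically, here is an added Python triage script (my example, not part of the challenge or the writeup's tooling). It parses combined-log-format lines, flags PHP executing from the /media upload directory, parameter values that look like shell commands, debug-style parameters and base64-encoded parameters, and decodes the base64 so the requested paths are visible. The sample lines are constructed from the entries quoted above plus one benign request; the keyword lists are assumptions you would tune for your own environment.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the same combined-log format as 10.10.5.80_access.log
SAMPLE_LOG = """\
192.168.13.37 - - [10/Oct/2025:09:21:00 +0700] "GET /media/image1.php?c=whoami HTTP/1.1" 200 249 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:21:08 +0700] "GET /media/image1.php?c=cat%20/etc/shadow HTTP/1.1" 403 131 "-" "curl/7.88.1"
10.10.5.20 - - [10/Oct/2025:09:22:00 +0700] "GET /media/image1.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.13.37 - - [10/Oct/2025:09:26:03 +0700] "GET /media/getfile.php?debug=true HTTP/1.1" 500 195 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:26:10 +0700] "GET /media/getfile.php?file=L2V0Yy9wYXNzd2Q%3D&prefix=p HTTP/1.1" 200 832 "-" "curl/7.88.1"
192.168.13.37 - - [10/Oct/2025:09:26:14 +0700] "GET /media/getfile.php?file=L3Zhci93d3cvaHRtbC8uZW52&prefix=e HTTP/1.1" 404 651 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')
PHP_IN_UPLOAD_DIR = re.compile(r"^/media/[^/]+\.php$")   # script executing from the upload directory
# Recon binaries at the start of a parameter value (assumed list; extend for your environment)
SHELL_COMMAND = re.compile(r"^(whoami|id|uname|cat|ls|ping|curl|wget|nc|sh|bash)(\s|$)")
DEBUG_PARAMS = {"debug", "test", "verbose"}              # assumed list of hidden/debug switches

def maybe_base64_text(value):
    """Decode value if it is strict base64 of printable ASCII text, else return None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def triage_line(line):
    """Parse one access-log line and return it together with the findings it triggers."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    findings, decoded = [], {}
    if PHP_IN_UPLOAD_DIR.match(url.path):
        findings.append("php executed from upload directory")
    for key, value in params.items():
        if SHELL_COMMAND.match(value):
            findings.append("command injection via %s=%s" % (key, value))
        if key in DEBUG_PARAMS:
            findings.append("debug/hidden parameter %s=%s" % (key, value))
        text = maybe_base64_text(value)
        if text is not None:
            decoded[key] = text
            findings.append("base64 parameter %s decodes to %s" % (key, text))
            if text.startswith("/") or ".." in text:
                findings.append("absolute path or traversal in %s" % key)
    return {"ip": rec["ip"], "ts": rec["ts"], "path": url.path, "status": int(rec["status"]),
            "params": params, "decoded": decoded, "findings": findings}

def triage_log(text):
    """Return only the records that raised at least one finding, in log order."""
    hits = []
    for line in text.splitlines():
        rec = triage_line(line) if line.strip() else None
        if rec and rec["findings"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["status"], rec["path"])
        for finding in rec["findings"]:
            print("   -", finding)
```

Strict base64 decoding (validate=True plus a printable-ASCII check) is what keeps short values such as prefix=p or debug=true from being misreported as encoded data, while still surfacing file=/etc/passwd and file=/var/www/html/.env without having to read each request by hand.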
Now I'll move from 10.10.5.80_access.log to 10.10.5.80_error.log to see what errors were returned; to speed things up I'll search by the requests and timestamps seen above.
After a while I found the following section:
2025/10/10 09:26:00 [notice] 1224#0: *5200 PHP Notice: upload-media.php: received file 'getfile.php' from 192.168.13.37, moving to /var/www/html/media/getfile.php, client: 192.168.13.37, server: portal.local, request: "POST /admin/upload-media.php HTTP/1.1", host: "intra.portal.local"
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Fatal error: Uncaught Exception: Debug mode enabled in /var/www/html/media/getfile.php:41\nStack trace:\n#0 /var/www/html/media/getfile.php(21): build_key()\n#1 {main}\n thrown" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: DEBUG VARS: APP_SECRET=F0r3ns1c-2025-CSCV; DATE_UTC=20251010" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:03 [error] 1224#0: *5210 FastCGI sent in stderr: "PHP Notice: H=SHA256(APP_SECRET); AES_KEY=H[0..15]; AES_IV=H[16..31]" while reading response header from upstream, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?debug=true HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:08 [warn] 1224#0: *5300 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.10, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:09 [warn] 1224#0: *5301 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.124, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:10 [notice] 1224#0: *5220 PHP Notice: getfile.php served "/etc/passwd" to 192.168.13.37, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?file=/etc/passwd HTTP/1.1", host: "intra.portal.local"
2025/10/10 09:26:10 [warn] 1224#0: *5302 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.154, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:11 [warn] 1224#0: *5303 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.239, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:12 [notice] 1224#0: *5221 PHP Notice: getfile.php served "/flag" to 192.168.13.37, client: 192.168.13.37, server: portal.local, request: "GET /media/getfile.php?file=/flag HTTP/1.1", host: "intra.portal.local"
2025/10/10 09:26:12 [warn] 1224#0: *5304 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.148, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
2025/10/10 09:26:13 [warn] 1224#0: *5305 FastCGI sent in stderr: "PHP Deprecated: Required parameter $request follows optional parameter $opts in /var/www/html/vendor/guzzlehttp/guzzle/src/Client.php on line 112" while reading response header from upstream, client: 172.20.9.8, server: portal.local, request: "GET /api/v1/messages HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "intra.portal.local"
In 10.10.5.80_error.log, at around 2025/10/10 09:26:
- upload-media.php receives the file getfile.php from 192.168.13.37 and moves it to /var/www/html/media/getfile.php
- calling GET /media/getfile.php?debug=true prints the secrets
- APP_SECRET = F0r3ns1c-2025-CSCV
- H = SHA256(APP_SECRET)
- AES_KEY = H[0..15] (first 16 bytes), AES_IV = H[16..31] (next 16 bytes)
- the helper then serves /etc/passwd, followed by /flag
⇒ This is the key to decrypting the payload exfiltrated over DNS
AES decryption
From the debug log:
- APP_SECRET = "F0r3ns1c-2025-CSCV"
- H = SHA256(APP_SECRET) ⇒ H = 5769179ccdf950443501d9978f52ddb51b70ca0d4f607a976c6639914af7c7a6
- AES_KEY = H[0..15] = 5769179ccdf950443501d9978f52ddb5 (16 bytes, AES-128)
- AES_IV = H[16..31] = 1b70ca0d4f607a976c6639914af7c7a6
Algorithm: AES-128-CBC with PKCS#7 padding
OpenSSL
Now I'll use OpenSSL to decrypt:
# Write the hex labels of each prefix (first-seen order) to p.hex and f.hex.
# The heredoc delimiter is quoted, so no trailing backslashes: xxd -r -p accepts
# whitespace and line breaks anywhere, but a literal backslash is not hex.
cat > p.hex <<'HEX'
c7aec5d0d81ba8748acac6931e5add6c24b635181443d0b9d2
f8aad90d5fc7774c1e7ee451e755831cd02bfaac3204aed8a4
3dfec8a22cde4db4463db2c35742062a415441f526daecb59b
f6af1ecb8cc9827a259401e850e5e07fdc3c1137f1
HEX
cat > f.hex <<'HEX'
6837abc6655c12c454abe0ca85a596e98473172829581235dd
95380b06bf6dd06b89118b0003ea044700a5f2c4c106c3
HEX
# Hex → raw ciphertext (96 and 48 bytes, both multiples of the 16-byte AES block)
xxd -r -p p.hex > p.bin
xxd -r -p f.hex > f.bin
# Decrypt "p" (yields part of /etc/passwd); -K and -iv take the raw hex values from the debug log
openssl enc -d -aes-128-cbc \
-K 5769179ccdf950443501d9978f52ddb5 \
-iv 1b70ca0d4f607a976c6639914af7c7a6 \
-in p.bin -out p_plain.bin
# Decrypt "f" (yields the full flag)
openssl enc -d -aes-128-cbc \
-K 5769179ccdf950443501d9978f52ddb5 \
-iv 1b70ca0d4f607a976c6639914af7c7a6 \
-in f.bin -out flag.bin
strings -a flag.bin
Result
- Block p decrypts to part of /etc/passwd
- Block f decrypts to the flag
Flag
Flag: CSCV2025{DnS_Exf1ltr4ti0nnnnnnnnnnNN!!}
