Preface
Thank you, Xuanji, for saving us from setting up the range locally (downloading Xshell 7 for the connection is recommended).
Range Introduction

Server scenario operating system: Linux
Server account / password: root / Vulntarget@123
Question source (WeChat official account): Crow Security
https://mp.weixin.qq.com/s/ZO-SXw5rvpLrjmcjcN9_6w
Task Environment Description:
Today the customer's business environment, deployed on Aliyun, suddenly showed a ransomware page in place of the homepage, demanding that users pay a ransom to decrypt their data. The customer found that some important files had been encrypted and renamed with a .vulntarget extension. The customer then asked you to carry out emergency response and forensic analysis.
Specific requirements are as follows:
Analyze how the attack event occurred and provide an attack portrait
Decrypt Ransomware
Restore the original index.jsp page and restore the normal web service
Find 3 hidden flags in it
Forensic Analysis
flag1
- First, for an emergency-response question like this, run the history command to see whether the attacker left any traces behind.
flag1 appears directly in the history output.
flag2
I. Continuing through the history output, we find that the attacker generated the RSA public and private keys used for the encryption and never deleted them.
II. Ransomware Decryption
Locate the public and private keys with the find command: find . -name pubkey.pem (if nothing is found, the current directory is not the root directory; running cd / first is all that is needed).
Since the previous command located the public key, and the private key sits in the same directory as the public key, simply cd into that directory and cat both files to read the public and private keys.
From history it is known that the public key, the encryption script, and other files are in the /opt/tomcat/webapps/ROOT/ directory. (The public and private keys are already known from the previous step, so at this point we only need to look at the encrypted flag file, flag.jsp.vulntarget.)
Paste the public key, the private key, and the content of the encrypted flag file into an online RSA decryption tool to obtain flag2.
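The same recovery step can be done offline with openssl, so the recovered private key never has to be pasted into a web tool. The script below is an added example and is not part of the original write-up: it generates a throwaway key pair standing in for the pair the attacker left on the host, encrypts a constructed sample file the way the write-up describes (public key, original file replaced by a .vulntarget copy), and then decrypts it with the private key. The file names pubkey.pem, privkey.pem and flag.jsp.vulntarget, the 2048-bit key size, and the PKCS#1 v1.5 padding that openssl pkeyutl uses by default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up: redo the recovered-key decryption
# offline with openssl. File names (pubkey.pem, privkey.pem, flag.jsp.vulntarget)
# and the 2048-bit key size are assumptions; the sample plaintext is constructed.
set -e

WORK="$(mktemp -d)"

# Stand-in for the key pair the attacker generated on the host and left behind.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/privkey.pem" 2>/dev/null
    openssl pkey -in "$WORK/privkey.pem" -pubout -out "$WORK/pubkey.pem"
}

# Reproduce what the write-up describes: the original file is encrypted with the
# public key and only a .vulntarget copy is left behind.
encrypt_sample() {
    printf 'flag{constructed-sample-value}' > "$WORK/flag.jsp"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pubkey.pem" \
        -in "$WORK/flag.jsp" -out "$WORK/flag.jsp.vulntarget"
    rm "$WORK/flag.jsp"
}

# Recovery step: decrypt one .vulntarget file with the private key, print plaintext.
decrypt_file() {
    openssl pkeyutl -decrypt -inkey "$WORK/privkey.pem" -in "$1"
}

# Write the plaintext back under the original name (strip the .vulntarget suffix)
# and print the restored path.
restore_file() {
    decrypt_file "$1" > "${1%.vulntarget}"
    printf '%s\n' "${1%.vulntarget}"
}

make_keys
encrypt_sample
restore_file "$WORK/flag.jsp.vulntarget"
cat "$WORK/flag.jsp"
```

On the real host, point decrypt_file at the attacker's privkey.pem and loop restore_file over every *.vulntarget file; keep the encrypted copies until the restored files have been checked.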
flag3
History also shows that the website runs on Tomcat, whose logs are normally located in /opt/Tomcat/logs. Since the incident occurred on 2024.06.04, we only need to check localhost_access_log.2024-06-04.txt.
The log is large, so just pipe it through | grep flag.
That concludes the process of obtaining the flags.
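Beyond the single grep for "flag", the same access log supports the attack portrait asked for in the task: which client issued the PUT that created the JSP file, and everything that client did afterwards. The script below is an added example, not part of the original write-up; the five log lines are constructed in Tomcat's default common log format, and the addresses, timestamps and request paths are sample values rather than data from the incident.

```shell
#!/bin/sh
# Added example, not from the original write-up: triage of a Tomcat access log.
# The log lines below are constructed (Tomcat's default common log format);
# the IPs, times and paths are sample values, not taken from the incident.
set -e

LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [04/Jun/2024:09:58:01 +0800] "GET /index.jsp HTTP/1.1" 200 1532
198.51.100.7 - - [04/Jun/2024:10:02:17 +0800] "PUT /404.jsp HTTP/1.1" 201 -
198.51.100.7 - - [04/Jun/2024:10:02:40 +0800] "GET /404.jsp?cmd=id HTTP/1.1" 200 87
198.51.100.7 - - [04/Jun/2024:10:05:03 +0800] "GET /404.jsp?cmd=cat+flag.jsp HTTP/1.1" 200 64
192.0.2.11 - - [04/Jun/2024:10:07:55 +0800] "GET /index.jsp HTTP/1.1" 200 1532
EOF

# The write-up's own step: grep the log for "flag".
find_flag_hits() { grep -i 'flag' "$1"; }

# PUT requests that created a JSP resource: the upload the write-up attributes to
# the Tomcat PUT vulnerability. Status 201 means the file was actually written.
find_jsp_uploads() { grep -E '"PUT [^" ]*\.jsp[^"]* HTTP/[0-9.]+" 201 ' "$1"; }

# Distinct client addresses behind those uploads, for the attack portrait.
put_sources() { find_jsp_uploads "$1" | awk '{print $1}' | sort -u; }

# Every request from one client, in log order: that client's timeline.
client_timeline() { grep "^$2 " "$1"; }

# Requests to each freshly uploaded JSP path: evidence the shell was actually used.
shell_hits() {
    for path in $(find_jsp_uploads "$1" | awk '{print $7}'); do
        grep -F "\"GET $path" "$1" || true
    done
}

for ip in $(put_sources "$LOG"); do
    echo "== timeline for $ip =="
    client_timeline "$LOG" "$ip"
done
```

On the real host, replace the constructed file with localhost_access_log.2024-06-04.txt; the same functions also apply to the other daily logs to check whether the upload was preceded by earlier probing from the same address.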
Extension
- From the logs and history we can see that the attacker uploaded a webshell (trojan) and renamed it to 404.jsp; on inspection it turned out to be a small webshell.
So the attack path was:
1. The attacker uploaded a shell through the Tomcat PUT vulnerability
2. The attacker executed commands through the shell
3. The attacker obtained privileges through the shell (evidence for this step is missing for now; no reverse shell was found)
4. The attacker generated an RSA public and private key pair on the victim's machine through commands
5. The attacker encrypted the key data with the public key
6. The attacker forgot to delete the generated public and private keys
7. The attacker replaced the index.jsp file with the ransomware page by executing commands
- Introduction to the Tomcat vulnerability: if the PUT method is enabled on Apache Tomcat on Windows (it is disabled by default), this vulnerability exists. An attacker can use it to upload JSP files, resulting in remote code execution.
- One last point: red team members must not forget to clean up their traces
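In Tomcat the switch behind "PUT enabled" is the DefaultServlet's readonly init-param in conf/web.xml: when it is set to false, the servlet accepts PUT and DELETE. The script below is an added example, not part of the original write-up: it builds two constructed web.xml fragments, the weak setting next to the corrected one, and a check that a hardening review can run against a real $CATALINA_HOME/conf/web.xml. The fragment layout and the tmp paths are assumptions; the readonly parameter and the org.apache.catalina.servlets.DefaultServlet class are real Tomcat names.

```shell
#!/bin/sh
# Added example, not from the original write-up: detect whether a Tomcat web.xml
# lets the DefaultServlet accept PUT (init-param "readonly" set to false).
# Both web.xml fragments are constructed; real files live at $CATALINA_HOME/conf/web.xml.
set -e

WORK="$(mktemp -d)"

# Weak setting: DefaultServlet writable, which is what makes PUT uploads possible.
cat > "$WORK/web-weak.xml" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF

# Corrected setting: readonly true, which is also the value Tomcat uses when the
# parameter is absent.
cat > "$WORK/web-safe.xml" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
EOF

# Returns 0 (true) when the file sets a readonly init-param to false.
# Whitespace is collapsed first so the name and value elements match on one line.
default_servlet_writable() {
    tr -s '[:space:]' ' ' < "$1" |
        grep -q '<param-name>readonly</param-name> *<param-value>false</param-value>'
}

# One verdict line per file, for use in a post-incident hardening review.
report() {
    if default_servlet_writable "$1"; then
        echo "WRITABLE: $1 sets readonly=false (PUT uploads allowed)"
    else
        echo "ok: $1 does not enable PUT on the DefaultServlet"
    fi
}

report "$WORK/web-weak.xml"
report "$WORK/web-safe.xml"
```

Run report against conf/web.xml and against any per-application WEB-INF/web.xml that redefines the default servlet; a WRITABLE verdict means the upload path described in the write-up is open regardless of which host OS Tomcat runs on.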