Challenge Name:
Det store nissehack: Ondsindede Loginforsøg (The Great Elf Hack: Malicious Login Attempts)
Category:
Det store nissehack
Challenge Description:
Santa's main server has been compromised, and we strongly suspect that the malicious gnomes are behind the attack.
The Christmas police have launched an investigation, but they need your help to identify the culprit gnome and uncover the criminal acts that have been carried out. Can you help restore the Christmas peace and get the stolen data under control?
The Christmas police have secured a log file from the server that contains details of several login attempts. They suspect that a culprit gnome has gained remote access, but since Santa's own elves also have access to the server, it is hard to distinguish legitimate from suspicious login attempts.
The culprit gnome seems to have taken care to hide their tracks, but that can slip! Can you identify a login attempt with a particularly interesting IP address that can put the investigation on the trail of the guilty party?
The flag is formatted NC3{tidsstempel}, where tidsstempel (the timestamp) corresponds to the time of the login attempt you find, formatted as it appears in the log.
Example: NC3{Jan 18 13:55:02}
Attached: Auth.log
Approach
We were provided with a substantial auth.log file from a Linux server. Analyzing logs is a critical step in cybersecurity challenges, as they often reveal patterns or anomalies that point to unauthorized access or malicious activity. Given the size of the file, manual inspection wasn’t feasible. Therefore, I focused on automating my analysis using scripts (mostly generated by ChatGPT, then modified to my liking).
Initial Attempts: Searching for Patterns
I tried the following automated approaches to identify anomalies:
1. Grouping Log Lines by Function
Using a script to categorize and count log entries, I found the data suspiciously uniform, which suggested it was fabricated for the challenge:
Log Categories and Counts:
Crea sudo: 834
Stopped OpenBDS: 834
Started OpenBDS: 834
Check pass, user unknown: 829
Authentication failure without user: 829
Invalid user: 829
Failed password: 829
Authentication failure with user: 834
Failed password user known: 834
Disconnected (preauth): 834
Received disconnect: 834
Although this confirmed the log’s artificial nature, I needed to explore other methods to uncover the anomaly.
2. Grouping Logins by IP
Next, I analyzed logins grouped by IP addresses. Surprisingly, every login attempt originated from a unique IP. This again indicated fabricated data, as no patterns emerged.
3. Inspecting Sudo Commands
I then used a script to extract the executed sudo commands:
/bin/scp
/bin/cat
/bin/cp
/bin/chmod
/bin/ls
/bin/zip
/bin/mount
Each user appeared to have run the same set of commands, which was too uniform to be significant.
I also explored other areas.
Although I detected blocks of misplaced lines, they didn’t lead to a conclusive result.
Final Breakthrough: Inspecting IP Addresses
Revisiting the challenge description, I focused on the phrase “an especially interesting IP address.” This clue prompted me to analyze the IP addresses in more detail:
- I filtered out internal IPs (RFC1918).
- I checked the remaining public IPs on https://www.abuseipdb.com/ to identify suspicious activity.
After running the first few and manually inspecting them, I noticed all of them were TOR exit nodes. I added a filter to remove those and ran again.
Only one IP was left:
...
Checking IP: 93.95.228.125
Checking IP: 209.38.243.124
{'ipAddress': '209.38.243.124', 'isPublic': True, 'ipVersion': 4, 'isWhitelisted': None, 'abuseConfidenceScore': 0, 'countryCode': 'DE', 'usageType': 'Data Center/Web Hosting/Transit', 'isp': 'DigitalOcean, LLC', 'domain': 'digitalocean.com', 'hostnames': [], 'isTor': False, 'totalReports': 0, 'numDistinctUsers': 0, 'lastReportedAt': None}
IP: 209.38.243.124
Abuse Confidence Score: 0
countryCode: DE
ISP: DigitalOcean, LLC
Domain: digitalocean.com
Total Reports: 0
Last Reported At: None
----------------------------------------
Checking IP: 47.243.99.161
Checking IP: 185.67.82.114
...
This was the only non-TOR, public IP address with no suspicious history. According to the log, the login time associated with this IP was: Aug 09 11:41:09
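The filtering pipeline described above, written out as an added example (not the writeup's own script): it parses sshd login lines, drops RFC1918 sources, and applies the "public, not Tor, no reports" rule to reputation records shaped like the AbuseIPDB response shown earlier. The log lines and the reputation records are constructed here; in practice the records would be fetched per IP from the AbuseIPDB API, which is why the lookup is passed in as a dictionary.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sshd lines in standard auth.log format (not from the challenge file).
# The 209.38.243.124 line reuses the IP and timestamp reported in the writeup.
SAMPLE_LOG = """\
Aug 09 11:40:51 santa-srv sshd[2311]: Failed password for invalid user elf7 from 192.168.1.20 port 51022 ssh2
Aug 09 11:41:09 santa-srv sshd[2312]: Accepted password for nisse from 209.38.243.124 port 50114 ssh2
Aug 09 11:41:30 santa-srv sshd[2313]: Accepted password for nisse from 198.51.100.7 port 50120 ssh2
Aug 09 11:42:02 santa-srv sshd[2314]: Failed password for root from 10.0.0.7 port 50211 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_logins(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, result, user, ip) for every sshd login line."""
    rows = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            rows.append((m["ts"], m["result"], m["user"], m["ip"]))
    return rows


def is_internal(ip: str) -> bool:
    """True for RFC1918 addresses, which need no reputation lookup."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_candidate(info: Dict) -> bool:
    """The writeup's rule on an AbuseIPDB-style record: public, not Tor, clean history."""
    return (info.get("isPublic", False) and not info.get("isTor", False)
            and info.get("abuseConfidenceScore", 0) == 0 and info.get("totalReports", 0) == 0)


def find_interesting_logins(log_text: str, reputation: Dict[str, Dict]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, ip) for logins from public, non-Tor, unreported IPs."""
    hits = []
    for ts, _result, user, ip in parse_logins(log_text):
        if is_internal(ip):
            continue
        info = reputation.get(ip)  # constructed here; normally one API call per IP
        if info is not None and is_candidate(info):
            hits.append((ts, user, ip))
    return hits


# Constructed reputation records in the shape of the AbuseIPDB response above.
# 198.51.100.7 (RFC 5737 documentation range) stands in for a Tor exit node.
REPUTATION = {
    "209.38.243.124": {"isPublic": True, "isTor": False, "abuseConfidenceScore": 0, "totalReports": 0},
    "198.51.100.7": {"isPublic": True, "isTor": True, "abuseConfidenceScore": 100, "totalReports": 40},
}
```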
Flag
NC3{Aug 09 11:41:09}
Reflections and Learnings
This challenge highlighted the importance of careful reading and attention to detail. In real-world cybersecurity scenarios, such skills are crucial for identifying anomalies hidden in large datasets or logs. This experience reinforced the value of combining automation with critical thinking, which can also be applied to other challenges, such as incident response, penetration testing, or forensic analysis. My initial focus on exhaustive analysis through scripting delayed progress. Revisiting the challenge description led me directly to the critical hint about the “interesting IP address.”
Key Learnings:
- Efficiency over Exhaustion: While scripting helps automate tedious tasks, overanalyzing can obscure simple solutions.
- Follow the Challenge Hints: The phrase “especially interesting IP address” was a vital clue. Always cross-reference hints with findings.
- Use of External Tools: AbuseIPDB proved invaluable in narrowing down suspicious IPs.
- Logical Filtering: Removing TOR nodes and internal IPs quickly reduced noise in the data.
In future challenges, I will focus on balancing thorough automation with targeted analysis. This approach will save time and improve efficiency in identifying critical data.