Fedora - CyberDiscord Open

In this post, I will walk you through my experience with a 2023 CyberDiscord Open competition involving a Fedora image. I will explain the steps I took and the solutions I found along the way.

To begin, I carefully read through the lengthy readme file, investing a good 20 minutes to grasp the details. Then I moved into the forensics

WARNING:

The content below is full of grammatical errors, read it at your own risk hehehe~

Forensics 1 - Incomplete

NOTE: This is a 3 part question with 3 answers. You must correctly answer all parts in order to get credit.

Powder has gone missing. You have discovered a computer that contains a clue to her location within a picture. You were able to image two of the computer's hard drives in the files named sda and sdc on your Desktop.

What is the name of the recovered picture?

There were two image in the Desktop (sda and sdc):

These files were type of “Linux Software Raid”. I wanted to load the SDA and look at it’s content. But I did not know how to do it.

I tried to use mount command, but it did not work for some reason.

If anyone knows how we were suppose to do this challenge, please let me know!

Forensics 2 - Completed

FYI: I used an OCR for the description below, so the regex is probably incorrect. To find the actual question/answer, go here: https://i.imgur.com/MO60plI.png

NOTE: This is a 2 part question with 2 answers. You must correctly answer all parts in order to get credit.  

The Council wishes to know how many files ending in .txt inside the directory '/srv/archives' contain text matching the following regular expression:  

^[A-z]+c[a-z1-8LS]{3,}(!|g|1|a|[A-z] |)+\s*[^aem]\S{}, }[^\n]*({[:\[\]\@\#\$\%] | [^\d\w]+)  

(EXAMPLE: 29 )  

ANSWER: 15

Which of the above files (that contain text matching the above regular expression) has an absolute path that matches the following regular expression: 

^[^\w\d]*\s*[A-z]{2,} [u-w]?[\S]*\s? [w]k#F%e0\-1@lske] [^\n]*I{1,3} [^\w\d] [A-E] [T-Z] [^\n#2f]*$  

( EXAMPLE: /srv/archives/journal/secret.txt)

ANSWER: /srv/archives/records/03 - Inmate #516/III/EXTERNAL CORRESPONDENCE.txt|

For this challenge, I think I used grep -rlE '<THE REGEX>' /srv/archives 2>/dev/null >> output.txt command to grep recursively using the regex and only get file name/path, and then save it in a file called output.txt

Then I used wc -l output.txt to get the number of files

For the second question, I could not get the regex to work using grep, so I used an online website https://regex101.com to find the answer. It worked perfectly

Forensic 3 - Completed

Instructions/Answer: https://imgur.com/wrVxhdl.png

HINT: This was NOT provided to you in the README.

(EXAMPLE: username ) (EXAMPLE: P@ssword! )

ANSWER: presta
ANSWER: Pr3st@shop

The "ps_info" table in PrestaShop is a database table that st about the current state of the PrestaShop installation, inclu number, database revision, and the installed modules.

what is the absolute path of the file that stores the "ps_info" table in PrestaShop database?
(EXAMPLE: /path/to/file)
ANSWER: /var/lib/mysql/prestashop/ps_info.ibd

This is incomplete instructions. By the time of writing, I don’t have the question with me however, I believe the first question was something regarding finding user and password for an web application.

For this question, I logged in as root (the password was given in the ReadMe):

sudo mysql -u root -p

I went through the basic SQL recon step to understand the database. In couple of minutes, I was able to find an suspicious user. Just by looking at the username, I knew this is the user that the question wanted.

Now, that I have the username, I needed to find the password. However, the password was encrypted.

Since, I could not decode this password, I did the next best thing: search for the password/username in running web application.

I assumed that you will need to login to the SQL database for the web application (running in port 80). Therefore, I used grep in /var/www/html (I honestly forgot the actual location, but the actual location was what ever folder/file that port 80 was using).

I used grep using the username, and found the password in couple of minutes.

The next question was “what is the absolute path of the file that stores the ‘ps_info’ table in PrestaShop database?”

In MySQL, the actual storage location of table data in Linux depends on the underlying storage engine used by the table. By default, InnoDB and MyISAM are two commonly used storage engines in MySQL.

For InnoDB tables, the table data is stored in the InnoDB tablespace files, usually located in the MySQL data directory. The specific file format used for InnoDB tables is .ibd. The default location for the data directory in MySQL on Linux is typically /var/lib/mysql/.

So I went to the /var/lib/mysql/ directory and searched for filename: ps_info.ibd

sudo find . -name *.ibd | grep "ps_info"

And here is the file:

/var/lib/mysql/prestashop/ps_info.ibd

Forensic 4 - Incomplete

This forensic looked really troublesome, so I did not even read it completely.

User/Group Management

Creating/Deleting Users

I got list of all the users with this bash command:

awk -F: '$7 ~ /(\/.*sh)/ { print $1 }' /etc/passwd | sort -o userlist.txt

This only checks for user with shell (or file that ends in sh . So I had to double check the /etc/passwd file)

Next I placed list of all the authorized user in authorized.txt (one per line)

Then I ran this command:

diff userlist.txt <(sort authorized.txt)

Output will list out all the users that are not in authorized.txt, but exist in userlist.txt

Once I got the list of all the users, I needed to delete. I double checked the output, and then started deleting the users. I remember deleting user being little bit awful/cumbersome. I think I had to manually edit the /etc/passwd file to changed the UID of certain user or even remove the user from passwd file.

PS: I also used the same concept (diff) to check if any users needed to be added.

Creating Groups

I listed out all the groups using getent group and made sure all the required groups exists.

User’s Group

I used this script to check for each user’s group. If a user needed to an part of the group I added them, otherwise I deleted them.

I could have probably done this faster, if I created an bash script, but I was too lazy that day and it might have taken more time to actually create one.

for user in $(cat authorized.txt);
do
 id $user;
 echo ""
 read -p "continue..."
 echo ""
done

Other than the required group names, I also checked is the user had admin group such as adm, wheel, sudo, etc.

Updating

Update/Upgrade got me couple of points.

I think this got me points for:

• Updating firewalld

• Updating systemd

• And removing shell backdoor (idk why though)

Non-work related media file

I also got some points for removing the mp3 files. This was mentioned in the ReadMe (Remove all non-work related media file).

To find the mp3 files, I used this command:

sudo find / -name *.mp3 2>/dev/null

Firewall Configuration

The ReadMe told us to enable firewall. The only default firewall that I know exists in the fedora is firewalld (I think the readme also told us that the default firewall application was firewalld).

First, I checked the status of the firewall application (make sure it actually exists). It did exist but the service was down

systemctl status firewalld

If I remember it correctly, when you tried to start this service, you got some error like this "failed to enable unit. *.service is masked". This basically meant that the service unit file is marked as “masked.” The “masked” state prevents the service from being started or enabled.

Masking a service is a deliberate action typically performed to prevent accidental starting or enabling of critical services. If you need to enable or start a masked service, you will need to unmask it first. Follow these steps to unmask a service:

To unmask the service, use the following command:

systemctl status firewalld

After unmasking the service, you can then enable and start it using the usual systemctl commands.

systemctl enable firewalld
systemctl start firewalld

You also need to set the zone of the firewalld to public

firewall-cmd --set-default-zone=public

Points Breakdown

Forensics Question -> 4pts Everything else -> 1pts

- [X] Forensics Question 2 correct

- [X] Forensics Question 3 correct

- [X] Removed user Tamara

- [X] Removed user Gysbert

- [X] Removed user Colette

- [X] Heimerdinger is not a councilor

- [X] Created and configured firelights group

- [X] All users cannot manage user settings

- [X] Group firelights does not have polkit privileges

- [X] Firewalld protection has been enabled

- [X] Systemd has been updated

- [X] Firewalld has been updated

- [X] Removed prohibited MP3 files

- [X] Removed shell backdoor

Conclusion

Overall, participating in the CyberDiscord Open 2023 competition was a rewarding and enjoyable experience.

Although we encountered some challenges along the way, we were able to overcome many of them and complete various tasks successfully. I hope this post provides some insight into our approach and the steps we took to address the challenges.

I look forward to participating in similar competitions in the future…