Roten

The iMoS is responsible for collecting and analyzing targeting data across various galaxies. The data is collected through their webserver, which is accessible to authorized personnel only. However, the iMoS suspects that their webserver has been compromised, and they are unable to locate the source of the breach. They suspect that some kind of shell has been uploaded, but they are unable to find it. The iMoS have provided you with some network data to analyze, its up to you to save us.

---

Overview

Our main objective is to analyze the given network data in a pcap file and locate the file suspected to contain the uploaded shell responsible for the security breach. By finding and examining this file, we can gather crucial information to understand the nature of the attack and prevent any further damage.

Analyzing the Network Data

To begin our investigation, we need to analyze the provided pcap file. A pcap (Packet Capture) file contains network traffic data captured during a specific period. In our case, it holds valuable information about the security breach and the potential shell uploaded to the iMoS webserver.

To examine the pcap file, we can use tools like Wireshark, which allows us to inspect network packets and extract relevant data. By carefully inspecting each packet, we can look for any clues or files that might be of interest to our investigation.

Searching for the shell

To kickstart our analysis in Wireshark, let us begin by examining the various protocols present in the network data. Our focus narrows down to the HTTP protocol since it is commonly used to upload files through web interfaces. Consequently, we filter the captured packets to exclusively display HTTP requests.

By utilizing the Wireshark filter http, we isolate the HTTP traffic and expose a subset of packets relevant to our investigation. This initial filtering step helps us narrow our search and concentrate on HTTP-related activities.

To further refine our search, we direct our attention towards HTTP POST requests, as they often serve as the means for uploading files to web servers. By applying the Wireshark filter http.request.method == "POST", we isolate only those packets that capture POST requests.

http.request.method == "POST"

With this filter in place, the vast amount of captured data is significantly reduced to a more manageable number of approximately 9 or 10 entries. This refined dataset provides a focused view of potential upload activities.

Unveiling the Suspicious Request

Among the filtered POST requests, one specific packet captures my attention due to its distinct characteristics. This particular request contains the Content-Type: application/x-php header, setting it apart from the rest of the packets, which mainly involve form submissions or PDF uploads.

To gain deeper insights into this intriguing request, we employ the “Follow > HTTP Stream” feature in Wireshark. By doing so, we reconstruct the HTTP stream related to this packet, allowing us to inspect its contents more comprehensively.

Decoding the Obfuscated PHP Code

The reconstructed HTTP stream reveals a PHP code snippet that appears to be obfuscated. Despite the obfuscation, I realized that this code is the key to unlocking the solution to the challenge. For the purpose of readability, I have omitted the obfuscated content from this write-up.

-----------------------------310973569542634246533468492466
Content-Disposition: form-data; name="uploaded_file"; filename="galacticmap.php"
Content-Type: application/x-php

<?php 
$pPziZoJiMpcu = 82; 
$liGBOKxsOGMz = array(); 
$iyzQ5h8qf6 = "" ; 
$iyzQ5h8qf6 .= "<nnyo ea\$px-aloerl0=e r\$0' weme Su rgsr s\"eu>\"e'Er= elmi)y ]_'t>bde e e  =p   xt\" ?ltps vdfic-xetrmsx'l0em0  o\"oc&'t [r\"e _e;eV.ncxm'vToil   ,F y"; 
...
eval( $bhrTeZXazQ ); 
?>
-----------------------------310973569542634246533468492466--

By leveraging a PHP malware decoder tool or replacing the eval function with echo and executing the code in a PHP sandbox, I decoded the obfuscated PHP code, exposing its true nature.

HTB{W0w_ROt_A_DaY}

Conclusion

The “Roten” forensics challenge showcased the importance of meticulous analysis, effective filtering, and tenacity in unraveling security breaches.

By combining network analysis techniques with knowledge of common attack vectors, we successfully located the uploaded shell within the provided pcap file and deciphered its obfuscated PHP code.

The challenge not only tested our technical skills but also emphasized the significance of attention to detail in forensic investigations.