It’s Maruf Murtuza here, back again with a write-up from RCTS CTF.
The CTF was really really awesome! I’ve learned a lot from this CTF.
So, I want to share my experiences with you (especially beginners) by sharing write-ups of various challenges from RCTS CTF.
In that CTF there were all kinds of challenges, from easy to advanced. But as I want to inspire beginners, I’m writing this write-up for the challenge “Something Suspicious”, as it was a beginner-friendly challenge.
So, let’s get started.
As you can see in the picture, we were provided with two log files and asked to investigate the hack and figure out if there was any compromised host.
(I’m providing the files here as well.)
To figure this out, we must go through the log files very carefully. So, I started by reading the “ftp.log” file.
In that file, I noticed that the hacker was trying to log into the FTP server using the username “anon” and the password “IEUser@”.
Actually, this "IEUser@" string was not entered by the attacker; it was filled in automatically. The reason for this auto-filling is that FTP servers are designed to accept "anonymous" or "ftp" as the username and an email address as the password. So, whenever someone tried to log in as an anonymous user leaving the password empty, it was automatically replaced with "IEUser@" by the server.
He made 12 attempts, but all of them were in vain.
So, he started trying some random passwords with the username “anon”. He tried 44 different passwords that didn’t work. But on the 45th attempt, the hacker used the password “123456”.
And guess what?
That was the password. 😑
System administrators should never use such easily guessed, weak passwords.
Okay, let’s get back to our game.
The hacker logged into the FTP server with the username “anon” and the password “123456”, and finally he downloaded a file named “note.txt”.
And here’s where the “ftp.log” file ends.
But there’s something that I didn’t tell you about this ftp log file.
I noticed something suspicious while reading the logs.
Do you remember that the hacker attempted 44 passwords after he failed to log in with the empty password?
Among those 44 passwords, I found one that was a bit suspicious.
That suspicious password is “ZmxhZ3tzMG0zdGgxbmc=”.
It’s base64. So, I tried to decode it. And here is the result:
So, I moved on to the second file, which was “ssh.log”
In that file, I found that
the hacker was trying to log into the SSH server with the username “root”.
But that didn’t help him at all.
So, he started trying to log in with the username “X3N1c3AxYzEwdXN9”.
And that username is very suspicious, because no one would ever use such gibberish as a username, and it was base64 as well.
So, I tried to decode it and got the following output:
So, I concatenated the outputs of both base64 strings and found the flag.
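As an added example (not part of the original write-up or the CTF files), the following Python script automates the same triage over a few constructed log lines in a simplified key=value format: it counts failed logins per username as a brute-force indicator, flags credential fields that decode as printable base64, and joins the decoded pieces.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample logs (simplified key=value format, not the CTF's real files).
FTP_LOG = """\
2023-10-01 10:00:01 ftp LOGIN FAIL user=anon pass=IEUser@ src=10.0.0.5
2023-10-01 10:00:09 ftp LOGIN FAIL user=anon pass=password src=10.0.0.5
2023-10-01 10:00:10 ftp LOGIN FAIL user=anon pass=ZmxhZ3tzMG0zdGgxbmc= src=10.0.0.5
2023-10-01 10:00:11 ftp LOGIN OK user=anon pass=123456 src=10.0.0.5
"""
SSH_LOG = """\
2023-10-01 10:05:01 sshd LOGIN FAIL user=root src=10.0.0.5
2023-10-01 10:05:02 sshd LOGIN FAIL user=X3N1c3AxYzEwdXN9 src=10.0.0.5
"""

LINE_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<svc>\S+) LOGIN (?P<result>OK|FAIL) (?P<kv>.*)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # ignore short tokens like "root"

def parse(log):
    """Yield one dict per parseable line: ts, svc, result plus the key=value fields."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(kv.split("=", 1) for kv in rec.pop("kv").split() if "=" in kv)
        yield rec

def decode_if_base64(value):
    """Return the decoded text if value is valid base64 for printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def failed_logins_per_user(log):
    """Count failed logins per username; a high count for one user suggests brute force."""
    return Counter(r["user"] for r in parse(log) if r["result"] == "FAIL")

def encoded_credentials(log):
    """Return (field, raw, decoded) for every user/pass field that is printable base64."""
    return [(f, r[f], d) for r in parse(log) for f in ("user", "pass")
            if (d := decode_if_base64(r.get(f, "")))]

def assemble(*logs):
    """Concatenate the decoded fragments across logs, in log order."""
    return "".join(d for log in logs for _, _, d in encoded_credentials(log))
```

Random-looking passwords like "password" pass the alphabet check but decode to non-ASCII bytes, so only genuinely encoded text is reported.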
This challenge was really very easy.
Hope you enjoyed!
If you have any questions, please leave them in the comment section below. We will get back to you soon.
Thanks for your support!
See you soon, in another write up.
Till then, take care.