IrisCTF Tracem 1 Write up
===

# Initial Analysis

## Description

*Here at EI Corp, ethics are our top priority! That's why our IT team was shocked when we got a knock from our ISP informing us that someone on our computer network was involved in some illegitimate activity. Who would do that? Don't they know that's illegal? Our ISP's knocking (and so is HR), and we need someone to hold accountable. Can you find out who committed this violation?*

The challenge asks us to find the username of the person who carried out the illegal activity; the flag format is `irisctf{username}`.

## Artifact file

The challenge gives us a log file:

![{E60BAED9-507F-4A45-92DA-9097D21FB830}](https://hackmd.io/_uploads/BJLdJwWPJx.png)

![{96CD12A6-A9A1-4132-86E7-F943C2CE03FB}](https://hackmd.io/_uploads/r1xi1PWvJg.png)

I can view it with LogViewPlus, since it parses the format up front and makes the evidence easier to find:

![{C5D62CBB-CFDB-4BBA-A43F-F1EE58DD1E7C}](https://hackmd.io/_uploads/Bk979wbDke.png)

# Solution

```
cat logs.json | jq -c '. | select(.source == "stream:dns")' > stream_dns_logs.json
```

I will filter the DNS logs down to their unique query names:

```python
import json

file_path = "stream_dns_logs.json"
unique_names = set()

with open(file_path, "r", encoding="utf-8") as file:
    for line in file:  # Read the file line by line (one JSON object per line)
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)  # Parse the JSON line into a dict
        queries = record.get("data", {}).get("queries", [])  # Get the list of queries
        for query in queries:
            name = query.get("name")
            if name:
                unique_names.add(name)  # Add the name to the set

print("Các tên duy nhất:")
for name in sorted(unique_names):
    print(name)

# Write the unique names to a file
output_file_path = "ten_duy_nhat.txt"
with open(output_file_path, "w", encoding="utf-8") as output_file:
    for name in sorted(unique_names):
        output_file.write(name + "\n")

print(f"Danh sách các tên duy nhất đã được lưu vào {output_file_path}")
```

After filtering, I noticed one suspicious query: `copious-amounts-of-illicit-substances-marketplace.com`
![{54B043D0-3635-4AA9-BC9A-F727283DF6BC}](https://hackmd.io/_uploads/S1y7AwWDyl.png)

![{C2092264-9F72-435F-887D-1E27343B0384}](https://hackmd.io/_uploads/SkYC6wWP1g.png)

The suspicious query:

```json
{
  "host": "primary",
  "source": "stream:dns",
  "sourcetype": "stream:dns",
  "_time": "2024-12-04 06:30:18.99",
  "data": {
    "timestamp": "2024-12-04 06:30:18.347812",
    "protocol_stack": "ip:udp:dns",
    "transport": "udp",
    "src_ip": "10.33.18.209",
    "src_port": 7419,
    "dest_ip": "10.33.0.2",
    "dest_port": 53,
    "transaction_id": 45042,
    "queries": [
      {
        "type": "A",
        "class": "IN",
        "name": "copious-amounts-of-illicit-substances-marketplace.com"
      }
    ]
  }
}
```

The IP of the user who made the DNS request is 10.33.18.209. Checking the other logs for entries with IP 10.33.18.209 reveals the username: the SSO (SAML) audit record for that address carries the user `llloyd`.

![{0F231405-D684-4E0C-88AF-51CFD6DB52BF}](https://hackmd.io/_uploads/HJDLbdZPke.png)

```
"data": {
  "_raw": "2024-12-04 04:58:35.622504||https://sso.evil-insurance.corp/idp/profile/SAML2/Redirect/SSO|/idp/profile/SAML2/Redirect/SSO|5b52053ac1ab1f4935a3d7d6c6aa4ff0|authn/MFA|10.33.18.209|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3 Edge/16.16299|https://sso.evil-insurance.corp/ns/profiles/saml2/sso/browser|llloyd||uid|service.evil-insurance.corp|https://sso.evil-insurance.corp/idp/sso|url:oasis:names:tc:SAML:2.0:protocol|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|kzYQV+Jk2w3KkwmRjR+HK4QWVQ3qzLPLgA5klV2b8bQT+NLYLeqCZw5xUGKbx1U1158jlnUYRrILtVTtMkMdbA==|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_60b0fd4b0ed5bba3474faeb85b3944e|2024-12-04 04:58:35.622504|_c4b56d58-625b-49aa-b859-4a2068422979||||urn:oasis:names:tc:SAML:2.0:status:Success|||false|false|true",
  "timestamp": "2024-12-04 04:58:35.622504",
  "NLYLeqCZw5xUGKbx1U1158jlnUYRrILtVTtMkMdbA": "=|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_60b0fd4b0ed5bba3474faeb85b3944e|2024-12-04"
}
```

=> flag: irisctf{llloyd}
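The pivot done by hand above (suspicious DNS name, then its `src_ip`, then the SSO audit line for that IP) as one script, added here as an example and not part of the original write-up. The records are constructed in the shape of the challenge's logs; the SSO `source` value and the field positions in the pipe-separated `_raw` line (client IP at index 6, username at index 9) are assumptions read off the single audit line shown above. It goes one step beyond the write-up: when more than one user authenticated from the same IP, it keeps only the latest login before the query, since a DHCP address can change hands.

```python
import json
from datetime import datetime

SUSPICIOUS = {"copious-amounts-of-illicit-substances-marketplace.com"}
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample in the shape of logs.json (one JSON object per line); hostnames,
# ids and the "sso:audit" source value are made up. The second SSO line is a later
# login by another user from the same IP, which a naive IP match would also return.
SAMPLE = r'''
{"source": "stream:dns", "data": {"timestamp": "2024-12-04 06:30:18.347812", "src_ip": "10.33.18.209", "queries": [{"type": "A", "class": "IN", "name": "copious-amounts-of-illicit-substances-marketplace.com"}]}}
{"source": "stream:dns", "data": {"timestamp": "2024-12-04 06:31:00.000000", "src_ip": "10.33.18.210", "queries": [{"type": "A", "class": "IN", "name": "example.com"}]}}
{"source": "sso:audit", "data": {"timestamp": "2024-12-04 04:58:35.622504", "_raw": "2024-12-04 04:58:35.622504||https://sso.example/idp/profile/SAML2/Redirect/SSO|/idp/profile/SAML2/Redirect/SSO|5b52053a|authn/MFA|10.33.18.209|Mozilla/5.0|https://sso.example/ns|llloyd||uid|svc"}}
{"source": "sso:audit", "data": {"timestamp": "2024-12-04 07:10:00.000000", "_raw": "2024-12-04 07:10:00.000000||https://sso.example/idp/profile/SAML2/Redirect/SSO|/idp/profile/SAML2/Redirect/SSO|9a1b2c3d|authn/MFA|10.33.18.209|Mozilla/5.0|https://sso.example/ns|someone.else||uid|svc"}}
'''

def parse_records(text):
    return [json.loads(l) for l in text.splitlines() if l.strip()]

def sso_logins(records):
    """(client_ip, login_time, username) for every SSO audit line.
    Field positions are assumed from the audit line in the write-up."""
    out = []
    for r in records:
        raw = r.get("data", {}).get("_raw")
        if not raw:
            continue
        f = raw.split("|")
        if len(f) < 10:  # not an audit line we know how to read
            continue
        out.append((f[6], datetime.strptime(f[0], TS_FMT), f[9]))
    return out

def attribute_dns(records, suspicious=SUSPICIOUS):
    """Map each suspicious DNS query to the user who most recently
    authenticated from its src_ip before the query was made."""
    logins = sso_logins(records)
    hits = []
    for r in records:
        if r.get("source") != "stream:dns":
            continue
        d = r["data"]
        qtime = datetime.strptime(d["timestamp"], TS_FMT)
        for q in d.get("queries", []):
            if q.get("name") not in suspicious:
                continue
            prior = [(t, u) for ip, t, u in logins if ip == d["src_ip"] and t <= qtime]
            user = max(prior)[1] if prior else None  # latest login before the query wins
            hits.append((q["name"], d["src_ip"], user))
    return hits
```

Run `attribute_dns(parse_records(SAMPLE))` to get `[(domain, "10.33.18.209", "llloyd")]`; the 07:10 login by `someone.else` is ignored because it postdates the query.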