Magnet Weekly CTF — Week 8

This week was more centered around Incident Response, which isn’t normally in my wheelhouse, so I was excited to maybe learn a few tricks.

Part 1

The first part of the question was asking what package was installed by the attacker. Considering some of the previous questions, I immediately went to a previous file /var/log/apt/history.log and found the following:

So it looks like there’s a large gap in time between the latest upgrade and the php install. So I tried “php” and that was the answer!

Part 2

The question only said “Why?” with a multiple-choice answer. At this point I thought I was supposed to try and map the whole attack, which I was a little worried about, but based on the multiple-choice options I knew I only had to narrow my search to what they did with the PHP install. I tried a few things until I thought about doing some timeline analysis. Since the gap between what appeared to be the latest update and the PHP install was 2 years, it felt safe to look for any files modified after that log file was last modified. Using my trusty find command:

find ./ -type f -newercm ./var/log/apt/history.log

This command finds regular files whose change time (ctime) is newer than history.log’s last-modified time (-newercm compares each file’s ctime, the “c”, against the reference file’s mtime, the “m”).
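The same timeline trick as a small script, added here as an illustration and not part of the original writeup: it walks a mounted image root, keeps regular files whose ctime (or, optionally, mtime) is later than a reference file’s mtime, and prints them oldest-first so the gap before the attacker’s activity is easy to spot. The paths and timestamps are only placeholders; nothing here is from the CTF image.

```python
#!/usr/bin/env python3
"""List files changed after a reference file was last modified, as a timeline.

Mirrors:  find ./ -type f -newercm ./var/log/apt/history.log
(-newercm compares each file's ctime against the reference file's mtime).
"""
import os
import stat
import sys
from datetime import datetime, timezone


def files_newer_than(root, reference, field="ctime"):
    """Return [(timestamp, relative_path)] for every regular file under `root`
    whose `field` ("ctime" like find's -newercm, or "mtime") is later than the
    mtime of `reference`. Sorted ascending so it reads as a timeline."""
    if field not in ("ctime", "mtime"):
        raise ValueError("field must be 'ctime' or 'mtime'")
    cutoff = os.stat(reference).st_mtime
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the image
            except OSError:
                continue  # unreadable entries are skipped rather than aborting the sweep
            if not stat.S_ISREG(st.st_mode):
                continue  # matches find's -type f (symlinks and devices excluded)
            ts = st.st_ctime if field == "ctime" else st.st_mtime
            if ts > cutoff:
                hits.append((ts, os.path.relpath(path, root)))
    hits.sort()
    return hits


def format_timeline(hits):
    """Render hits as 'YYYY-MM-DD HH:MM:SS  path' lines in UTC."""
    return [
        datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S") + "  " + path
        for ts, path in hits
    ]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: newer_files.py <mounted_image_root> <reference_file>")
    for line in format_timeline(files_newer_than(sys.argv[1], sys.argv[2])):
        print(line)
```

Run it against the mount point of the image with `var/log/apt/history.log` as the reference; use `field="mtime"` when the image was copied in a way that reset ctimes.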

Since the previous question asked about php, the obvious culprit here was cluster.php

I’m not super well versed in websockets and this type of code, but the “shell_exec” function led me to believe this was a webshell.

So to answer the question, the answer was “To run a php webshell”.

An easier week this time round; I can’t decide if I was relieved that it was easier than I expected or disappointed that I didn’t learn any new IR skills.
