Hello everybody, my name is John Hammond. Welcome back to another All Army Cyber Stakes, or ACICTF, video. In this case I want to be showcasing a different challenge. I'm still trying to climb up the ones that I've covered so far and was able to solve, starting at the harder-point ones, so we don't burn out when I'm trying to record all these, or as many as I can anyway. This challenge is called ICU. It's worth 200 points in the miscellaneous category; at the time of recording it has 168 solves. It's Friday right now as I'm recording and the game ends on Sunday, so we might get a few more. It says: "We think someone has been attacking our web server. Can you help us by finding the IP address of the attacker in our logs?" I just want to double-check the hints here, because they will tell you the flag itself is the IP address of the attacker without any prefixes or braces around it, and that audit logs can be read via the ausearch command. So let's grab this file that they're providing for us and let's go make a directory over here in the current ACI folder that we have. I'll call it ICU, as that is the name of the challenge. So let's hop in there and wget this guy. It is a .gz file, so I'll go ahead and gunzip it. There we go. Now I have an audit log, so I will just cat this thing out so you can get an idea of what it is. It is a bunch of audit log messages. You could solve this in a lot of different ways. As far as I know, they do tell you about the ausearch command; I had poked around with it and used it a little bit. Truth be told, I didn't have a whole lot of success with it. Maybe that's just because I'm bad at looking at logs. I'm a bad blue teamer, I've got to say, but I don't know.
I just didn't... I couldn't figure out what to search for; I didn't know what to deal with. But I was like, man, this is all plain text, whatever. So maybe I solved this in a dirty way, but I want to show it to you. I actually opened up the whole audit log in Sublime Text so I could really look at everything, because it was kind of overwhelming in the command line. Immediately, I kind of thought, well, if it's looking for an IP address, what I could do is just search for IP addresses. Like, if I were to cat that audit log out and grep for things like... oh, let's get 0 through 9, like one to three times, and then we'd have one octet built out. I could do that for a couple of other octets; let's get four of them in there, and that would give me a lot of stuff. I need to verify that with an actual period that is escaped, so regex doesn't think that means any character but a literal period. So I would go ahead and sort that, sort -u, and that would give me three IP addresses, and I'd try to submit each of these. But man, they did not take; those were the incorrect flags. And I'm like, I don't know what the heck it is then. What am I missing? If it's plain text and it's asking me for an IP address, it's got to be in there somewhere, right? Then I got to thinking, well, maybe it's just base64. If some attacker is calling back out to an IP address, maybe it's encoded in some way. So I went ahead and just looked at the thing as plain text. There are a lot of messages in here, right?
I actually even searched for... catting this stuff out, a lot of output. It looked like there seemed to be a lot of lines that had python3.6 in them, and I was like, maybe they're doing something, but that's a lot of stuff. Like, if I just simply ran that cat audit.log and grepped for that python3.6 (typing, typing), there are all of these lines, and I was like, let's go ahead and get those out of there, because maybe that's just making some noise for me with fields that I can't read or understand. Then when I looked at this output, I was thinking, wait a second, some of these entries have some cmd property in them, and they seem to be including something that looks like hex, right? I can see numbers 0 through 9 and the occasional D or F, or A through F, like the letters C, B, etc., etc. And there were a lot of these, so I was like, well, okay, maybe they're actually including the commands in here as hexadecimal. So I did something, again, stupid and dirty, because I just like to be on the command line. I would grep for those cmd things; I would grep for anything that just looked like hex, right? So I'll look for grep -oE on A through F (that was all caps in my case) and 0 through 9, and let's get like three or more of them, right? So there's a lot of stuff in here, a lot of output, a lot of nonsense. I thought, great, let's take this, let's, uh, redirect it to just hex.txt. Give that a little bit of breathing time to actually spit that all in there. And if I were to look at all of that hex, I was like, well, I only care about stuff that's, again, unique, so we'll sort -u and then just get maybe the worthwhile things. So I'll again redirect that to something new, newhex.txt. And now I'll start to carve through all that hex and see what it really is. So let me do that.
I'll create a Python script just to be able to read through all of that: /usr/bin/env python, and let's just import binascii, because I'll use that to decode all that hex. So I'll do a little with open on newhex.txt (I'll make it in read mode) as handle. I can do, uh, lines... I don't know what to call this variable; I don't know why I do this off the top of my head. Let's go ahead and do our handle.readlines(), and let me split that. So I'll go for each l.strip(), sorry, for l in handle.readlines(), so I remove all those newlines. So now I just have a giant long list of lines. So let me go ahead and try that out: python3 that script. Now I have all of those hexadecimal values out and available for me, so I could loop through, let's say, for l in lines. Now let's go ahead and print out what binascii.unhexlify of that hexadecimal line might be, so I'll pass in that l, um, and let's print this out. You can probably assume, well, we're going to have some odd-length string stuff in there, so that will go ahead and error for us. Let's go ahead and do a little try/except on that binascii.Error, that is, uh, yep, capital-E Error. So let's just pass on those, because I don't care. Just extract the things that you can get, right? If we were to do that in Python 2 it might not show all those bytes for us, or it's going to whine even more, so let's not care about that. Let's go ahead and just decode these so they're actual strings. That'll Python 3 all that, and it's also getting a Unicode error, so let's except on that as well. Don't care about all those. Now I can run strings on some stuff and get some potentially interesting information. There are a lot of ones that seem to be nonsense, so let's remove those, like -n 5, maybe. There we go. Now we can see a little server.py that might be running, SSH that might be running, and catting /etc/shadow into a netcat call to an IP address on a seemingly strange port. That's it. That was the flag in my case.
It was this 4 4 6 8 1 3 9 2 4 1 IP address, so I would go ahead and just submit that guy and it would say, great, that's it, you solved it. It probably could be done in a little bit of a cleaner way. I think an a-search command would do it also really well, not just ausearch, but I think there's an a-search. Is that a thing? Maybe. Maybe I'm just wrong. But that's how I solved that: the dirty method of, hey, carving out the stuff that I care about, getting all those commands that are represented in hex out, and being able to just dart through it. That's the benefit, I guess, of Python and bash, some dirty command-line stuff, but that gave me the command that they ran, trying to exfiltrate the shadow file over to an attacker IP address, and that one looks definitely dangerous compared to all the others. So that's that. Thank you guys so much for watching. I hope you guys enjoyed this video. If you did, please do press that like button; if you didn't like the video, press the dislike button twice so I know how much you hated it. Uh, leave a comment, do the whole YouTube algorithm stuff, subscribe, please. I appreciate all your guys' support. Thank you so much for anything that you offer. If you're willing, jump over to Patreon or PayPal for some support. I'm so, so thankful, I can't say it enough. But, uh, I've also got LinkedIn, also got Facebook for some reason, also have the Discord server link in the description, so if you want to track me down you can totally find me there. Instagram, Twitter, all that good stuff. Love to see you there. Thanks so much for watching guys. I'll see you in the next one. Take care.
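As an added example (not from the video or from the challenge's files), here is the same carve-and-decode idea written as one Python script over a few constructed auditd records: it pulls the hex-encoded cmd= fields, decodes them while skipping the odd-length and non-UTF-8 failures described above, and reports which IPv4 addresses appear only inside the decoded commands, which is why a grep for dotted quads over the raw log never finds them. The records, the 203.0.113.5 address and the port are constructed sample values, not anything from the real log.

```python
import binascii
import re

# Constructed auditd records for this demonstration; they are NOT taken from the
# challenge's audit.log. auditd hex-encodes a USER_CMD cmd= value when the
# command contains spaces, so a plain grep for dotted quads cannot see it.
AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1590000000.001:200): pid=1100 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=/dev/pts/0 res=success'
type=USER_CMD msg=audit(1590000000.101:201): pid=1201 uid=1000 auid=1000 ses=3 msg='cwd="/home/dev" cmd="ls" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1590000000.202:202): pid=1202 uid=1000 auid=1000 ses=3 msg='cwd="/home/dev" cmd=7461696C202D66202F7661722F6C6F672F7379736C6F67 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1590000000.303:203): pid=1203 uid=1000 auid=1000 ses=3 msg='cwd="/home/dev" cmd=ABC terminal=pts/0 res=failed'
type=USER_CMD msg=audit(1590000000.404:204): pid=1204 uid=1000 auid=1000 ses=3 msg='cwd="/home/dev" cmd=FF00FF terminal=pts/0 res=failed'
type=USER_CMD msg=audit(1590000000.505:205): pid=1205 uid=33 auid=4294967295 ses=4294967295 msg='cwd="/var/www" cmd=636174202F6574632F736861646F77207C206E63203230332E302E3131332E352034343434 terminal=? res=success'
"""

HEX_CMD = re.compile(r"\bcmd=([0-9A-Fa-f]+)\b")      # hex-encoded cmd= field
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # dotted-quad candidates


def decode_hex_commands(log_text):
    """Decode every hex-encoded cmd= field; skip odd-length hex (binascii.Error)
    and non-UTF-8 bytes (UnicodeDecodeError), the two errors the video hit."""
    commands = []
    for match in HEX_CMD.finditer(log_text):
        try:
            commands.append(binascii.unhexlify(match.group(1)).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return commands


def ipv4_in(text):
    """Unique dotted quads in the text, in first-seen order."""
    return list(dict.fromkeys(IPV4.findall(text)))


def hidden_ipv4s(log_text):
    """Addresses that occur only inside decoded commands, not in the raw log."""
    visible = set(ipv4_in(log_text))
    decoded = ipv4_in("\n".join(decode_hex_commands(log_text)))
    return [ip for ip in decoded if ip not in visible]


if __name__ == "__main__":
    for cmd in decode_hex_commands(AUDIT_LOG):
        print("decoded cmd:", cmd)
    print("raw-grep IPs:", ipv4_in(AUDIT_LOG))        # ['10.0.0.7']
    print("hex-only IPs:", hidden_ipv4s(AUDIT_LOG))   # ['203.0.113.5']
```

The ausearch tool with its -i (interpret) switch performs the same hex-to-text conversion for real logs; the script just makes visible what that flag does and why the raw-text grep missed the address.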