Splunk Boss of the SOCs (BOTS) V3 — Part 1

Ellis S
5 min read · Sep 28, 2020


A few weeks back, it occurred to me that I've never actually participated in a live CTF. With Boss of the SOCs EMEA Virtual Edition coming on 30th September, I thought it rude not to partake without first having a crack at the BOTSV3 challenges from last year.

For those using this as a guide, the BOTSV3 dataset can be found here.

  1. Sample Question — What is the name of the company that makes the software that you are using for this competition?

A: Splunk — Cheers

200. List out the IAM users that accessed an AWS service (successfully or unsuccessfully) in Frothly’s AWS environment?

index=botsv3 sourcetype=aws*

From here we can see the only account_id is 622676721278.

Pretty useless. Looking through the additional fields, there are some of interest if we type 'user' into the field filter. Extracting the UserName field with the following search, we get the solution:

index=botsv3 sourcetype=aws* earliest=0 account_id
| stats count by UserName, sourcetype
| sort + UserName

A: bstoll,btun,splunk_access,web_admin

201. What field would you use to alert that AWS API activity has occurred without MFA (multi-factor authentication)?

A google of MFA detection in AWS environments brings me here. Looking at how to create a CloudWatch metric filter, we see:

{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

The field 'additionalEventData.MFAUsed' looks useful. Back in Search & Reporting:

index=botsv3 sourcetype=aws* earliest=0 *mfa*

Searching through the additional fields, we find that one there. Bob's your uncle.

A: additionalEventData.MFAUsed
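As an added illustration (not code from the post or data from BOTSv3), here is a small Python check that flags CloudTrail records reporting no MFA. It reads additionalEventData.MFAUsed for console logins and, for API calls made with temporary credentials, userIdentity.sessionContext.attributes.mfaAuthenticated; the sample records are constructed.

```python
import json

# Constructed sample CloudTrail records (not from the BOTSv3 dataset); only the
# fields needed for the MFA check are present. Console logins carry
# additionalEventData.MFAUsed; API calls made with temporary credentials carry
# userIdentity.sessionContext.attributes.mfaAuthenticated instead.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "bstoll"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "btun"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventName": "PutBucketAcl", "userIdentity": {"userName": "bstoll",
                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}),
    json.dumps({"eventName": "DescribeInstances", "userIdentity": {"userName": "web_admin",
                "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}),
    # A long-lived access key has no session context at all: MFA status is unknown.
    json.dumps({"eventName": "ListBuckets", "userIdentity": {"userName": "splunk_access"}}),
]


def mfa_used(event):
    """True/False when the record says whether MFA was used, None when it cannot say."""
    console = event.get("additionalEventData", {}).get("MFAUsed")
    if console is not None:
        return console == "Yes"
    api = (event.get("userIdentity", {}).get("sessionContext", {})
           .get("attributes", {}).get("mfaAuthenticated"))
    if api is not None:
        return api == "true"
    return None


def events_without_mfa(lines):
    """Return (userName, eventName) for every record that explicitly reports no MFA."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if mfa_used(ev) is False:  # None (unknown) is deliberately not alerted on here
            hits.append((ev["userIdentity"].get("userName"), ev["eventName"]))
    return hits


def unknown_mfa(lines):
    """Records where MFA status is not recorded at all; worth a separate, lower-severity review."""
    return [json.loads(l)["eventName"] for l in lines if mfa_used(json.loads(l)) is None]
```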

202. What is the processor number used on the web servers?

index=botsv3 | stats count by sourcetype

From here we can see various source types; one that looks interesting is 'hardware'.

Looking at the CPU types here, we can see one value:

Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz

A: E5-2676

203. Bud accidentally makes an S3 bucket publicly accessible. What is the event ID of the API call that enabled public access?

A quick google helps to confirm CloudTrail is the sourcetype here.

A quick search on CloudTrail logs for publicly accessible buckets shows the event names to look out for are "PutBucketAcl" or "PutBucketPolicy". With this in mind we search:

index=botsv3 sourcetype="aws:cloudtrail" (eventName="PutBucketAcl" OR eventName="PutBucketPolicy")

This provides 2 results; it’s important to note that user bstoll is also Bud…

The answer is the earliest event; presumably Bud made the bucket private again in the later one. We want the eventID, not the eventName, obviously.

A: ab45689d-69cd-41e7-8705-5350402cf7ac

204. What is the name of the S3 bucket that was made publicly accessible?

Well, we have the search up already so it’s just a case of finding the right field…

Another quick google of field names within CloudTrail logging shows there should be a field 'bucketName'.

Searching all parameters finds us ‘requestParameters.bucketName’ and the result frothlywebcode. Done and dusted.

A: frothlywebcode

205. What is the name of the text file that was successfully uploaded into the S3 bucket while it was publicly accessible?

Well, we have an open and close time from the same search in Q203 and Q204. If memory serves, the most efficient way to filter according to Splunk (which I disagree with, because you can get the result quicker with wildcard inclusion) is through time frames.

Timeframes for Search

Let's search between 14:01:46 and 14:57:54 on 20/08/2018 and see what we get, with *.txt* included in the search:

index=botsv3 *.txt* bucket_name=frothlywebcode 200

A: OPEN_BUCKET_PLEASE_FIX.txt

206. What is the size (in megabytes) of the .tar.gz file that was successfully uploaded into the S3 bucket while it was publicly accessible? Answer guidance: Round to two decimal places without the unit of measure. Use 1024 for the byte conversion. Use a period (not a comma) as the radix character.

Same principles, different file type:

index=botsv3 *.tar.gz* bucket_name=frothlywebcode 200

We have multiple results with a filename of 'frothly_html_memcached.tar.gz'. Looking at all fields we find 'object_size', which has two values of interest. Let's use eval and stats. The size is in bytes and we need to convert to megabytes, which is 1024x1024 bytes in binary:

index=botsv3 *.tar.gz* bucket_name=frothlywebcode 200
| eval objectsize=(object_size/(1024*1024))
| stats count by objectsize

This provides two values; checking both gives:

A: 2.93
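Tying Q203 to Q206 together, here is an added Python example (not the post's own code): following the post's reasoning, it takes the first ACL or policy change on the bucket as the start of the exposure window and the next one as its end, then lists the successful uploads into the bucket during that window with their sizes in MiB, rounded as the question guidance asks. The CloudTrail and S3 access-log records are constructed; bucket_name and object_size are the fields used in the searches above, and the other access-log field names (operation, key, http_status) are assumptions.

```python
from datetime import datetime

# Constructed CloudTrail records for the bucket's ACL changes (not BOTSv3 data).
ACL_EVENTS = [
    {"eventTime": "2018-08-20T14:57:54Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "frothlywebcode"}},
    {"eventTime": "2018-08-20T14:01:46Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "frothlywebcode"}},
]

# Constructed S3 access-log records. bucket_name and object_size are the fields
# used in the searches above; the remaining field names are assumed.
S3_ACCESS = [
    {"time": "2018-08-20T14:20:10Z", "bucket_name": "frothlywebcode", "operation": "REST.PUT.OBJECT",
     "key": "OPEN_BUCKET_PLEASE_FIX.txt", "http_status": 200, "object_size": 20480},
    {"time": "2018-08-20T14:30:00Z", "bucket_name": "frothlywebcode", "operation": "REST.PUT.OBJECT",
     "key": "frothly_html_memcached.tar.gz", "http_status": 403, "object_size": 3072000},
    {"time": "2018-08-20T14:31:00Z", "bucket_name": "frothlywebcode", "operation": "REST.PUT.OBJECT",
     "key": "frothly_html_memcached.tar.gz", "http_status": 200, "object_size": 3072000},
    {"time": "2018-08-20T15:10:00Z", "bucket_name": "frothlywebcode", "operation": "REST.PUT.OBJECT",
     "key": "late.txt", "http_status": 200, "object_size": 10},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def exposure_window(events, bucket):
    """(start, end): the first ACL/policy change opens the bucket, the next one closes it."""
    times = sorted(parse_ts(e["eventTime"]) for e in events
                   if e["eventName"] in ("PutBucketAcl", "PutBucketPolicy")
                   and e["requestParameters"].get("bucketName") == bucket)
    if len(times) < 2:
        raise ValueError("bucket was never opened, or never closed again")
    return times[0], times[1]


def to_mib(size_bytes):
    """Bytes to MiB (1024*1024), rounded to two decimals as the question guidance asks."""
    return round(size_bytes / (1024 * 1024), 2)


def uploads_while_public(events, access, bucket):
    """Successful (HTTP 200) object uploads into the bucket inside the exposure window."""
    start, end = exposure_window(events, bucket)
    return [(r["key"], to_mib(r["object_size"])) for r in access
            if r["bucket_name"] == bucket and r["operation"] == "REST.PUT.OBJECT"
            and r["http_status"] == 200 and start <= parse_ts(r["time"]) <= end]
```

The 403 upload and the upload after the bucket was closed are both dropped, which is what the "200" term and the time range in the searches above achieve in Splunk.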

Weirdly, they have no question 207…

208. A Frothly endpoint exhibits signs of coin mining activity. What is the name of the first process to reach 100 percent CPU processor utilization time from this activity on this endpoint?

Looking at the sourcetypes we can potentially use, Perfmon types of logs seem to give a lot of statistical information on the performance of endpoints.

Searching the sourcetypes turns up 'PerfmonMk:Process':

index=botsv3 sourcetype="PerfmonMk:Process" process_cpu_used_percent="100" | reverse
| table _time process_id

Weirdly, the first process seen is 'MicrosoftEdgeCP#2'. I believe the way this question has been asked is a bit off, and so this should actually be the answer. In actual fact it is the second point in time, at 14:37:50, for 100% usage, which is…

A: chrome#5

209. When a Frothly web server EC2 instance is launched via auto scaling, it performs automated configuration tasks after the instance starts. How many packages and dependent packages are installed by the cloud initialization script?

A quick google of log types for cloud initialisation scripts highlights cloud-init. As it turns out, there is also a cloud-init-output sourcetype. Looking through here:

index=botsv3 sourcetype=*cloud-init* sourcetype="cloud-init-output"

This returns 23 results. Refining with 'dependencies':

index=botsv3 sourcetype=*cloud-init* sourcetype="cloud-init-output" dependencies

Looking through the logs we see:

A: 7 packages and 13 dependent packages

210. What is the short hostname of the only Frothly endpoint to actually mine Monero cryptocurrency?

Q208 showed that BSTOLL-L was the one being crypto-mined.

But let’s confirm.

index=botsv3 earliest=0 (*coin* OR *monero*)

Looking at source="stream:DNS" we see coinhive; in this instance the host of interest is the endpoint making the DNS query.

index=botsv3 earliest=0 (*coin* OR *monero*) source="stream:DNS" "message_type{}"=QUERY

From this we see the host is…

A: BSTOLL-L

Part 2 will be up soon, as always stay safe!
