
An Unusual Sighting

CTF writeup for An Unusual Sighting from HTB CTF TRY OUT

//HTB Forensics Challenge Writeup: An Unusual Sighting

Category: Forensic

Challenge Name: An unusual sighting

Flag: HTB{4n_unusual_s1ght1ng_1n_SSH_l0gs!}


>Challenge Description

As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work mysteriously has been disappearing! We managed to extract the SSH Logs and the Bash History from our dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come competition!

Remote Server: nc 94.237.121.49 34887


>Initial Analysis

The provided archive forensics_an_unusual_sighting.zip contains:

  • sshd.log — SSH daemon logs

  • bash_history.txt — Bash history

Extracted to 001.extracted/forensics_an_unusual_sighting/.

```bash
unzip forensics_an_unusual_sighting.zip -d 001.extracted
ls -la 001.extracted/forensics_an_unusual_sighting
```

>Artifact Review

1. SSH Log Analysis (sshd.log)

Look for successful logins, failed publickey attempts, and logins outside normal hours (09:00–19:00).

First Successful Login

```text
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
```

Unusual Login (Outside Operating Hours)

```text
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
```

Attacker's Public Key Fingerprint

Immediately before the unusual login (same second, same source port 60071) the client first offered a public key, which was rejected; sshd still logged its fingerprint, which ties the key to that session:

```text
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
```

2. Bash History Analysis (bash_history.txt)

Find commands executed by the attacker during the session:

First Command After Login

```text
[2024-02-19 04:00:18] whoami
```

Final Command Before Logout

```text
[2024-02-19 04:14:02] ./setup
```
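The triage the two sections above do by eye, as an added example that is not part of the original writeup: it parses the challenge's `[timestamp] message` line format, flags accepted logins outside 09:00–19:00, maps the fingerprint from a `Failed publickey` line to the same `ip:port`, and cuts `bash_history.txt` down to the commands between the unusual login and the next accepted login. The regexes are assumed from the lines quoted above, and the sample data is constructed around those lines.

```python
import re
from datetime import datetime, time

LINE_RE = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$')
ACCEPT_RE = re.compile(r'Accepted \w+ for (\S+) from (\S+) port (\d+)')
FAILKEY_RE = re.compile(r'Failed publickey for \S+ from (\S+) port (\d+) ssh2: \S+ SHA256:(\S+)')
WORK_START, WORK_END = time(9, 0), time(19, 0)  # operating hours stated in the challenge

def parse(lines):
    # Yield (datetime, message) for every '[YYYY-MM-DD HH:MM:SS] message' line, skip the rest
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'), m.group(2)

def accepted_logins(sshd_lines):
    # Every accepted login in file order; 'outside_hours' flags the anomaly the quiz asks about
    return [{'ts': ts, 'user': m.group(1), 'src': f'{m.group(2)}:{m.group(3)}',
             'outside_hours': not WORK_START <= ts.time() <= WORK_END}
            for ts, msg in parse(sshd_lines) for m in [ACCEPT_RE.search(msg)] if m]

def offered_key_fingerprints(sshd_lines):
    # 'ip:port' -> fingerprint of the key a client offered before falling back to a password;
    # sshd logs it although the key was rejected, so it still identifies the client
    return {f'{m.group(1)}:{m.group(2)}': m.group(3)
            for _, msg in parse(sshd_lines) for m in [FAILKEY_RE.search(msg)] if m}

def triage(sshd_lines, bash_lines):
    # First login, first out-of-hours login, the key its client offered, and the first and
    # last bash_history commands between that login and the next accepted login (if any)
    logins = accepted_logins(sshd_lines)
    unusual = [l for l in logins if l['outside_hours']]
    if not unusual:
        return {'first_login': logins[0] if logins else None, 'unusual': None}
    u = unusual[0]
    end = min((l['ts'] for l in logins if l['ts'] > u['ts']), default=datetime.max)
    cmds = [cmd for ts, cmd in parse(bash_lines) if u['ts'] <= ts <= end]
    return {'first_login': logins[0], 'unusual': u,
            'fingerprint': offered_key_fingerprints(sshd_lines).get(u['src']),
            'first_cmd': cmds[0] if cmds else None, 'last_cmd': cmds[-1] if cmds else None}

# Constructed sample: the quoted sshd lines and whoami / ./setup are from the writeup, rest is filler
SSHD_LOG = """\
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Accepted password for root from 2.67.182.119 port 60071 ssh2
[2024-02-19 10:02:41] Accepted publickey for root from 100.81.51.199 port 51022 ssh2""".splitlines()
BASH_HISTORY = """\
[2024-02-19 04:00:18] whoami
[2024-02-19 04:14:02] ./setup
[2024-02-19 10:03:00] git status""".splitlines()
```

Running `triage(SSHD_LOG, BASH_HISTORY)` yields the login times, fingerprint and first/last commands that the quiz answers below are built from; the later `git status` is excluded because it falls after the next accepted login.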

>Automating the Solution

To answer the interactive remote quiz, I wrote a Python script:

001.interactive_client.py

```python
#!/usr/bin/env python3
# Interactive client for the challenge quiz: reads the server's prompts, matches each one
# against a list of known question fragments, and sends the pre-computed answers in order.
import re
import socket
import sys
import time

HOST = '94.237.121.49'
PORT = 34887

# Answers in the order the quiz asks them
answers = [
    '100.107.36.130:2221',       # SSH server IP:PORT
    '2024-02-13 11:29:50',       # First successful login time
    '2024-02-19 04:00:14',       # Unusual login time
    'OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4',  # Attacker fingerprint
    'whoami',                    # First command after login
    './setup',                   # Final command before logout
    'root',                      # First logged-in user
    '100.81.51.199:63172',       # Source IP:PORT of first login
]

# Fragments of the server's question text; any match means a question is waiting,
# and answers are always sent in list order
prompt_triggers = [
    r'IP Address and Port of the SSH Server',
    r'first successful Login',
    r'time of the unusual Login',
    r'Fingerprint of the attacker',
    r'first command',
    r'final command',
    r'Which user logged in first',
    r'IP address and port did they connect from',
]

s = socket.create_connection((HOST, PORT), timeout=10)
s.settimeout(2.0)   # short read timeout so the loop can re-check the buffer

ai = 0              # index of the next answer to send
try:
    buffer_str = ''
    while True:
        try:
            data = s.recv(4096)
            if not data:        # server closed the connection
                break
            decoded = data.decode('utf-8', errors='ignore')
            sys.stdout.write(decoded)
            sys.stdout.flush()
            buffer_str += decoded
        except socket.timeout:
            pass                # nothing new; fall through and check what we already have

        if ai < len(answers):
            for trig in prompt_triggers:
                if re.search(trig, buffer_str, re.IGNORECASE):
                    tosend = answers[ai] + '\n'
                    sys.stdout.write(f"\n[--> Sending answer #{ai+1}: {answers[ai]}]\n")
                    sys.stdout.flush()
                    s.sendall(tosend.encode())
                    ai += 1
                    buffer_str = ''     # discard the prompt that was just answered
                    time.sleep(0.2)
                    break

        if 'HTB{' in buffer_str:
            # Flag has arrived; drain anything the server still has to say, then stop
            try:
                time.sleep(0.3)
                more = s.recv(4096)
                if more:
                    sys.stdout.write(more.decode('utf-8', errors='ignore'))
                    sys.stdout.flush()
            except (socket.timeout, OSError):
                pass
            break
except KeyboardInterrupt:
    pass
finally:
    s.close()

print('\n[Done]')
```

>Running the Script

```bash
python3 001.interactive_client.py
```

Output (Flag)

```text
[+] Here is the flag: HTB{4n_unusual_s1ght1ng_1n_SSH_l0gs!}
```

>Summary of Steps

  1. Extracted and reviewed SSH and bash logs for evidence.

  2. Identified key events: first login, unusual login, attacker fingerprint, commands.

  3. Automated answering the remote quiz using a Python script.

  4. Captured the flag.


>Lessons Learned

  • Always check for logins outside normal hours.

  • Failed publickey attempts can reveal attacker fingerprints.

  • Bash history is crucial for reconstructing attacker actions.

  • Automating CTF quiz solving saves time and avoids manual errors.


>Flag

HTB{4n_unusual_s1ght1ng_1n_SSH_l0gs!}