https://app.hackthebox.com/sherlocks/OpTinselTrace-2
Hack The Box Sherlocksã¨ã¯
Sherlock Scenario
It seems our precious technology has been leaked to the threat actor. Our head Elf, PixelPepermint, seems to think that there were some hard-coded sensitive URLs within the technology sent. Please audit our Sparky Cloud logs and confirm if anything was stolen! PS - Santa likes his answers in UTC...
ç§ãŸã¡ã®è²´é‡ãªæŠ€è¡“ãŒæ”»æ’ƒè€…ã«æµå‡ºã—ãŸã‚ˆã†ã§ã™ã€‚ç§ãŸã¡ã®é ã®ã‚¨ãƒ«ãƒ•ã§ã‚ã‚‹ PixelPepermint ã¯ã€é€ä¿¡ã•ã‚ŒãŸãƒ†ã‚¯ãƒŽãƒã‚¸ãƒ¼å†…ã«ãƒãƒ¼ãƒ‰ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã•ã‚ŒãŸæ©Ÿå¯† URL ãŒã„ãã¤ã‹ã‚ã£ãŸã¨è€ƒãˆã¦ã„るよã†ã§ã™ã€‚ Sparky Cloud ã®ãƒã‚°ã‚’監査ã—ã¦ã€ä½•ã‹ãŒç›—ã¾ã‚ŒãŸã‹ã©ã†ã‹ã‚’確èªã—ã¦ãã ã•ã„。 PS - サンタã•ã‚“㯠UTC ã§ã®ç”ãˆã‚’好ã¿ã¾ã™...
2023å¹´ã®Sherlocksクリスマスイベントå•é¡Œã®2å•ç›®ã€‚
AWSã®CloudTrailã®ãƒã‚°ãƒ‡ãƒ¼ã‚¿ãŒä¸Žãˆã‚‰ã‚Œã‚‹ã®ã§ã‚¯ãƒ©ã‚¦ãƒ‰ã®ãƒ•ã‚©ãƒ¬ãƒ³ã‚¸ãƒƒã‚¯ã‚’進ã‚ã¦ã„ã。
Tasks
Task 1
What is the MD5 sum of the binary the Threat Actor found the S3 bucket location in?
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ãŒ S3 ãƒã‚±ãƒƒãƒˆã®å ´æ‰€ã‚’見ã¤ã‘ãŸãƒã‚¤ãƒŠãƒªã® MD5 åˆè¨ˆã¯ã„ãらã§ã™ã‹?
ä»–ã®Taskを全部解ã„ã¦ã€ä¸€ç•ªæœ€å¾Œã«è§£ã‘ãŸã€‚
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ã¯ã©ã“ã‹ã‹ã‚‰S3ãƒã‚±ãƒƒãƒˆã®å ´æ‰€ã‚’見ã¤ã‘ãŸã‚ˆã†ã§ã€S3ãƒã‚±ãƒƒãƒˆã®å ´æ‰€ã¨ã¯å¾Œè¿°ã™ã‚‹papa-noel.s3.eu-west-3.amazonaws.comã®ã“ã¨ã€‚
VirusTotalã§papa-noel.s3.eu-west-3.amazonaws.comを検索ã—ã¦ã¿ã‚‹ã€‚
https://www.virustotal.com/gui/domain/papa-noel.s3.eu-west-3.amazonaws.com/relations
ã‚ã‚Šã¾ã™ã。ã“ã“ã®Relationsを見ã¦ã¿ã‚‹ã¨é–¢é€£ã¥ã‘られã¦ã„ã‚‹ELFファイルãŒã‚ã£ãŸï¼
ã»ãƒ¼ã€ã‚ˆãã§ãã¦ã‚‹ã€‚
ã“ã“ã®MD5ãƒãƒƒã‚·ãƒ¥ã‚’é€ã‚‹ã¨æ£ç”。
62d5c1f1f9020c98f97d8085b9456b05
Task 2
What time did the Threat Actor begin their automated retrieval of the contents of our exposed S3 bucket?
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ã¯ã€å…¬é–‹ã•ã‚ŒãŸ S3 ãƒã‚±ãƒƒãƒˆã®å†…容ã®è‡ªå‹•å–得を開始ã—ãŸã®ã¯ã„ã¤ã§ã™ã‹?
papa-noel.s3.eu-west-3.amazonaws.comã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚¢ã‚¯ã‚»ã‚¹ã‚’å…ƒã«åˆ¤å®šã™ã‚‹ã€‚
ブラウザã‹ã‚‰ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸå ´åˆã¯ favicon.icoã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’ä¼´ã†ã®ã§ãã‚ŒãŒç„¡ã‘ã‚Œã°è‡ªå‹•ã§å–å¾—ã•ã‚Œã¦ã„ã‚‹ã¨åˆ¤æ–ã§ãる。
時間差も考慮ã™ã‚‹ã¨.gitフォルダã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’ダウンãƒãƒ¼ãƒ‰ã—始ã‚ãŸã‚¿ã‚¤ãƒŸãƒ³ã‚°ãŒç”ãˆã€‚
2023-11-29T08:24:07Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/COMMIT_EDITMSG'}
2023-11-29T08:24:07Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/config'}
2023-11-29T08:24:07Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/description'}
2023-11-29T08:24:07Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/HEAD'}
2023-11-29T08:24:07Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/applypatch-msg.sample'}
2023-11-29T08:24:08Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/commit-msg.sample'}
2023-11-29T08:24:08Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/fsmonitor-watchman.sample'}
2023-11-29T08:24:08Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/post-update.sample'}
2023-11-29T08:24:08Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-applypatch.sample'}
2023-11-29T08:24:09Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-commit.sample'}
2023-11-29T08:24:09Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-merge-commit.sample'}
2023-11-29T08:24:09Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-push.sample'}
2023-11-29T08:24:09Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-rebase.sample'}
2023-11-29T08:24:09Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/pre-receive.sample'}
2023-11-29T08:24:10Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/prepare-commit-msg.sample'}
2023-11-29T08:24:10Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/push-to-checkout.sample'}
2023-11-29T08:24:10Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/hooks/update.sample'}
2023-11-29T08:24:10Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/index'}
2023-11-29T08:24:10Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/info/exclude'}
2023-11-29T08:24:11Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/logs/HEAD'}
2023-11-29T08:24:11Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/logs/refs/heads/master'}
2023-11-29T08:24:11Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/38/938fa8723c40cedfb7819340563c81961d7712'}
2023-11-29T08:24:11Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/5d/24a8f411fc931b54fb9a4b58b6b55f1016c34d'}
2023-11-29T08:24:12Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/62/13ad5b238260339ce346bf8f9063a8559c538a'}
2023-11-29T08:24:12Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/69/a6bf0c5763a8cfc8d52d123e29986441869eab'}
2023-11-29T08:24:12Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/6e/e67e3c147c7b310ea95271f07165056a84a1aa'}
2023-11-29T08:24:12Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/8f/3ebb72ee80ee21f35e64ff2040ffbfb8d78d90'}
2023-11-29T08:24:13Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/99/9775de5661604d8b3e7b5929d1fd1818db40ac'}
2023-11-29T08:24:13Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/99/dbe4b3d52641ecb95dc3361bc7c324ba20f8e1'}
2023-11-29T08:24:13Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/a9/2e975c8c52221d5c1c371d5595f65eb13f8be5'}
2023-11-29T08:24:13Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/d5/4035991ea077b39062f858dfab56ea4fc1eb32'}
2023-11-29T08:24:13Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/da/4d9a7c2824a50b8615b0149da53df83e812529'}
2023-11-29T08:24:14Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/backup.py'}
2023-11-29T08:24:14Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/check.js'}
2023-11-29T08:24:14Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/f1/3ae004942c081e8a345a35bc4c1a006fb9a9d6'}
2023-11-29T08:24:14Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/objects/ff/46564b94ef03aca8f76224d3286e7e608276e4'}
2023-11-29T08:24:14Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/refs/heads/master'}
2023-11-29T08:24:15Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/claus.py'}
2023-11-29T08:24:15Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/disk.ps'}
2023-11-29T08:24:15Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/organise.rb'}
2023-11-29T08:24:15Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/santa_journey_log.csv'}
2023-11-29T08:24:16Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/update.sh'}
2023-11-29T08:24:16Z | {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'santa-list.csv'}
より2023-11-29 08:24:07ãŒç”ãˆã€‚
Task 3
What time did the Threat Actor complete their automated retrieval of the contents of our exposed S3 bucket?
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ãŒå…¬é–‹ã•ã‚ŒãŸ S3 ãƒã‚±ãƒƒãƒˆã®å†…容ã®è‡ªå‹•å–得を完了ã—ãŸã®ã¯ä½•æ™‚ã§ã™ã‹?
Task 2ã‹ã‚‰åˆ†ã‹ã‚‹ã€‚2023-11-29 08:24:16ãŒç”ãˆã€‚
Task 4
Based on the Threat Actor's user agent - what scripting language did the TA likely utilise to retrieve the files?
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ エージェントã«åŸºã¥ã„ã¦ã€TA ã¯ãƒ•ã‚¡ã‚¤ãƒ«ã‚’å–å¾—ã™ã‚‹ãŸã‚ã«ã©ã®ã‚ˆã†ãªã‚¹ã‚¯ãƒªãƒ—ト言語を使用ã—ãŸã¨è€ƒãˆã‚‰ã‚Œã¾ã™ã‹?
Task 2ã®æœ€åˆã®é€šä¿¡ã®ç”Ÿãƒã‚°ã‚’見ã¦ã¿ã‚ˆã†ã€‚
{'eventVersion': '1.09', 'userIdentity': {'type': 'AWSAccount', 'principalId': '', 'accountId': 'anonymous'}, 'eventTime': '2023-11-29T08:24:07Z', 'eventSource': 's3.amazonaws.com', 'eventName': 'GetObject', 'awsRegion': 'eu-west-3', 'sourceIPAddress': '191.101.31.57', 'userAgent': '[python-requests/2.25.1]', 'requestParameters': {'bucketName': 'papa-noel', 'Host': 'papa-noel.s3.eu-west-3.amazonaws.com', 'key': 'NPoleScripts/.git/COMMIT_EDITMSG'}, 'responseElements': None, 'additionalEventData': {'aclRequired': 'Yes', 'CipherSuite': 'ECDHE-RSA-AES128-GCM-SHA256', 'bytesTransferredIn': 0, 'x-amz-id-2': 'EsErRevx2JN0jURB8pmZvZjvJyuO/JbQ+BowMNaus+9jaxwOH3jzC47Js5RRvdaNAbEn0G9Gqws=', 'bytesTransferredOut': 397}, 'requestID': 'CJECCNWQM7CK7DMX', 'eventID': '8510333e-e806-4548-bb4a-a5458d2a6743', 'readOnly': True, 'resources': [{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::papa-noel/NPoleScripts/.git/COMMIT_EDITMSG'}, {'accountId': '949622803460', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::papa-noel'}], 'eventType': 'AwsApiCall', 'managementEvent': False, 'recipientAccountId': '949622803460', 'sharedEventID': 'da15e9f6-0264-4ba6-88f6-2030701bcb3c', 'eventCategory': 'Data', 'tlsDetails': {'tlsVersion': 'TLSv1.2', 'cipherSuite': 'ECDHE-RSA-AES128-GCM-SHA256', 'clientProvidedHostHeader': 'papa-noel.s3.eu-west-3.amazonaws.com'}}
User-Agentã«python-requests/2.25.1ãŒä½¿ã‚ã‚Œã¦ã„ã‚‹ã®ã§pythonã§ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã•ã‚ŒãŸã“ã¨ãŒåˆ†ã‹ã‚‹ã€‚pythonãŒæ£ç”。
Task 5
Which file did the Threat Actor locate some hard coded credentials within?
è„…å¨ã‚¢ã‚¯ã‚¿ãƒ¼ã¯ã©ã®ãƒ•ã‚¡ã‚¤ãƒ«å†…ã§ãƒãƒ¼ãƒ‰ã‚³ãƒ¼ãƒ‰ã•ã‚ŒãŸèªè¨¼æƒ…å ±ã‚’è¦‹ã¤ã‘ã¾ã—ãŸã‹?
ディレクトリリスティングã•ã‚Œã¦ã„ã‚‹S3ã‹ã‚‰ãƒ•ã‚¡ã‚¤ãƒ«ã‚’全部ダウンãƒãƒ¼ãƒ‰ã—ã¦ãる。
.gitフォルダãŒå†æ§‹ç¯‰ã§ãã‚‹ã®ã§ã€git log -pã§ãƒã‚°ã‚’見ã¦ã¿ã‚ˆã†ã€‚
commit a92e975c8c52221d5c1c371d5595f65eb13f8be5 (HEAD -> master) Author: Author Name <[email protected]> Date: Tue Nov 28 09:42:16 2023 +0000 Removed the sparkly creds from the script! How silly of me! Sometimes I'm about as useful as a screen saver on Santa's Sleigh!!!!!! diff --git a/claus.py b/claus.py index 6ee67e3..38938fa 100644 --- a/claus.py +++ b/claus.py @@ -5,9 +5,7 @@ import csv import boto3 from botocore.exceptions import NoCredentialsError, ClientError -# AWS Credentials - Should probably come up with a safer way to store these elf lolz! -AWS_ACCESS_KEY = 'â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– ' -AWS_SECRET_KEY = 'â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– â– ' +# Removed keys for safer method BUCKET_NAME = 'north-pole-private' REGION_NAME = 'eu-west-2'
èªè¨¼æƒ…å ±ãŒæ¶ˆã•ã‚Œã¦ã„ãŸã€‚ã“ã‚Œã§ã™ã。claus.py
Task 6
Please detail all confirmed malicious IP addresses. (Ascending Order)
確èªã•ã‚ŒãŸã™ã¹ã¦ã®æ‚ªæ„ã®ã‚ã‚‹ IP アドレスã®è©³ç´°ã‚’記載ã—ã¦ãã ã•ã„。 ï¼ˆæ˜‡é †ï¼‰
ã¨ã‚Šã‚ãˆãšIPアドレスを列挙ã—ã¦ã¿ã¦ã€ã©ã†ã„ã†ã‚¢ã‚¯ã‚»ã‚¹ãŒã‚ã‚‹ã‹è¦‹ã¦ã¿ã‚ˆã†ã€‚
109.205.185.126 golangã‹ã‚‰arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ã‚¤ãƒ™ãƒ³ãƒˆãŒ1ã¤ã ã‘残ã£ã¦ã„る。æ„図ä¸æ˜Ž 138.199.59.46 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž 191.101.31.26 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž 191.101.31.57 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªãƒªã‚¹ãƒ†ã‚£ãƒ³ã‚°ã¨ã€ãƒ•ã‚¡ã‚¤ãƒ«å–å¾—ã‚’ã—ã¦ã„る。悪性有り 195.181.170.226 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž 3.236.115.9 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž(slackã«ãƒªãƒ³ã‚¯ã‚’å¼µã£ãŸï¼Ÿ) 3.236.226.247 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž(slackã«ãƒªãƒ³ã‚¯ã‚’å¼µã£ãŸï¼Ÿ) 45.133.193.41 arn:aws:s3:::north-pole-privateã«å¯¾ã—ã¦ã‚¢ã‚¯ã‚»ã‚¹ãŒã‚る。Task 7以é™ã®è¨å•ã‹ã‚‰æ‚ªæ€§æœ‰ã‚Šã¨åˆ†ã‹ã‚‹ 45.148.104.164 arn:aws:s3:::papa-noelã«å¯¾ã—ã¦ä½•ã‹ã—ã¦ã„ã‚‹ãŒæ„図ä¸æ˜Ž 86.5.206.121 大é‡ã«ãƒã‚°ãŒæ®‹ã£ã¦ã„ã‚‹ãŒã€2023-11-28以å‰ã®æ“作ã§ã‚ã‚Šã€ãƒã‚°ã®é‡ã‹ã‚‰ã—ã¦ã‚‚所有者ã®IPアドレスã¨æŽ¨å¯Ÿã§ãã‚‹
ã¨ã„ã†ã“ã¨ã§45.133.193.41, 191.101.31.57ãŒç”ãˆã€‚
Task 7
We are extremely concerned the TA managed to compromise our private S3 bucket, which contains an important VPN file. Please confirm the name of this VPN file and the time it was retrieved by the TA.
ç§ãŸã¡ã¯ã€TA ãŒé‡è¦ãª VPN ファイルをå«ã‚€ç§ãŸã¡ã®ãƒ—ライベート S3 ãƒã‚±ãƒƒãƒˆã‚’侵害ã—ãŸã“ã¨ã‚’éžå¸¸ã«æ‡¸å¿µã—ã¦ã„ã¾ã™ã€‚ã“ã® VPN ファイルã®åå‰ã¨ã€TA ã«ã‚ˆã£ã¦å–å¾—ã•ã‚ŒãŸæ™‚刻を確èªã—ã¦ãã ã•ã„。
eventSource == "s3.amazonaws.com" and eventName == "GetObject"ã®æ¡ä»¶ã§ãƒã‚°ã‚’æ¼ã‚‹ã¨bytesparkle.ovpnã¨ã„ã†ã®ãŒè¦‹ã¤ã‹ã‚‹ã€‚
{'eventVersion': '1.09', 'userIdentity': {'type': 'IAMUser', 'principalId': 'AIDA52GPOBQCODESVPGAQ', 'arn': 'arn:aws:iam::949622803460:user/elfadmin', 'accountId': '949622803460', 'accessKeyId': 'AKIA52GPOBQCBTZ6NJXM', 'userName': 'elfadmin'}, 'eventTime': '2023-11-29T10:16:53Z', 'eventSource': 's3.amazonaws.com', 'eventName': 'GetObject', 'awsRegion': 'eu-west-2', 'sourceIPAddress': '45.133.193.41', 'userAgent': '[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]', 'requestParameters': {'bucketName': 'north-pole-private', 'Host': 'north-pole-private.s3.eu-west-2.amazonaws.com', 'key': 'bytesparkle.ovpn'}, 'responseElements': None, 'additionalEventData': {'SignatureVersion': 'SigV4', 'CipherSuite': 'ECDHE-RSA-AES128-GCM-SHA256', 'bytesTransferredIn': 0, 'AuthenticationMethod': 'AuthHeader', 'x-amz-id-2': 'bW43GrgXgIHi7X277fPbnOt7T/eahMosjOIYUlJISlJyNMOUR8WJKQJX3rzps55aZ3sdek7gNX4=', 'bytesTransferredOut': 273}, 'requestID': 'DGARSWVSE9EAKMA7', 'eventID': '34e39afe-659e-438f-831c-ea354a4c19ea', 'readOnly': True, 'resources': [{'type': 'AWS::S3::Object', 'ARN': 'arn:aws:s3:::north-pole-private/bytesparkle.ovpn'}, {'accountId': '949622803460', 'type': 'AWS::S3::Bucket', 'ARN': 'arn:aws:s3:::north-pole-private'}], 'eventType': 'AwsApiCall', 'managementEvent': False, 'recipientAccountId': '949622803460', 'eventCategory': 'Data', 'tlsDetails': {'tlsVersion': 'TLSv1.2', 'cipherSuite': 'ECDHE-RSA-AES128-GCM-SHA256', 'clientProvidedHostHeader': 'north-pole-private.s3.eu-west-2.amazonaws.com'}}
bytesparkle.ovpn, 2023-11-29 10:16:53ãŒæ£è§£ã€‚
Task 8
Please confirm the username of the compromised AWS account?
侵害ã•ã‚ŒãŸ AWS アカウントã®ãƒ¦ãƒ¼ã‚¶ãƒ¼åを確èªã—ã¦ãã ã•ã„?
Task 7ã§ä½¿ã‚ã‚ŒãŸãƒ¦ãƒ¼ã‚¶ãƒ¼åã‚’ç”ãˆã‚‹ã€‚
elfadmin
Task 9
Based on the analysis completed Santa Claus has asked for some advice. What is the ARN of the S3 Bucket that requires locking down?
完了ã—ãŸåˆ†æžã«åŸºã¥ã„ã¦ã€ã‚µãƒ³ã‚¿ã‚¯ãƒãƒ¼ã‚¹ã¯ã„ãã¤ã‹ã®ã‚¢ãƒ‰ãƒã‚¤ã‚¹ã‚’求ã‚ã¾ã—ãŸã€‚ãƒãƒƒã‚¯ãƒ€ã‚¦ãƒ³ãŒå¿…è¦ãª S3 ãƒã‚±ãƒƒãƒˆã® ARN ã¯ä½•ã§ã™ã‹?
ディレクトリリスティングã•ã‚Œã¦ã„ãŸS3ãƒã‚±ãƒƒãƒˆã®ARNã‚’ç”ãˆã‚‹ã¨æ£ç”。
arn:aws:s3:::papa-noel
