LetsDefend: Linux Memory Forensics

Overview

We’ve been tasked with analyzing the memory capture of a compromised device to find various IOCs and pieces of evidence, including the attacker’s reverse shell, IP address, and location.


Scenario

Ghazy, my friend, is new to web development and started his website, but it seems that the website was vulnerable and one of the attackers was able to get root access. Could you examine this memory dump for us?


Q1

What is the Linux kernel version of this memory dump?

We’ll start by running the imageinfo command in Volatility 2 to determine which profile we will use to analyze the memory dump.

Note: imageinfo can take quite some time to complete, especially in the lab environment.

The imageinfo command fails to suggest a profile, but all is not lost. Next to “No suggestion”, in parentheses, is the profile Volatility was instantiated with, and we can use it to examine this memory capture. This is expected: imageinfo can only auto-detect Windows profiles. A Linux profile has to be built from the target kernel’s System.map and a DWARF module and dropped into volatility/plugins/overlays/linux/, which the lab environment has already done for us.

imageinfo output

If we set Volatility to use the instantiated profile with --profile=LinuxUbuntu_5_4_0-150-generic_profilex64, we can start examining the data.

The profile name suggests that this is the 5.4.0-150-generic kernel, but we’ll run Volatility’s linux_banners command, which reads the kernel’s version string out of the dump, to confirm.

linux_banners output

Answer 5.4.0-150-generic

Q2

What was the command that our friend Ghazy used to run his website?

To recover the commands typed on this system we use the linux_bash command in Volatility 2. It carves history entries from the memory of each bash process, so it does not depend on ~/.bash_history ever having been written to disk.

This memory dump only contains a few commands so we won’t have to do much digging.

The first command, systemctl start apache2, starts the Apache2 service.

The second command, sudo docker run -dp 8001:80 ghazy, starts a container from the image named ghazy in the background and publishes the container’s port 80 on host port 8001.

You can check out this link for a quick cheat sheet on docker CLI.

linux_bash output

We’re looking for a command used to run a website. Although the Apache2 service serves webpages and performs other web server tasks, the question is expecting the docker command as the answer.

As we touched on earlier, the docker command is doing a couple of notable things. It maps host port 8001 to the container’s port 80 (-p 8001:80), the port HTTP is served on, it runs the container detached in the background (-d), and the image is named ghazy. Given the port mapping, we can assume it is running a website, and the name indicates it is being used by our friend Ghazy.

Answer sudo docker run -dp 8001:80 ghazy

Q3

We are sure that the attacker has uploaded a shell to the site. Can you get the Inode address?

We can use the linux_enumerate_files command and grep for paths containing /var/www/, the default web root on Debian-based systems (Apache’s DocumentRoot is /var/www/html). If we wanted to cast a smaller net, we could search for the uploads directory first, since a web application should only ever write data files there, never executable code.

linux_enumerate_files, grepped for /var/www/

As we can see in the output, there is a file plainly labeled shell.php sitting in the uploads directory.

We’ll copy down the inode address, listed in the leftmost column (Inode Address, not the Inode Number next to it), for this file.

Answer 0xffff9c4fdee03448

Q4

What is the attacker’s IP address and port?

With the inode address in hand, we can dump the file using the linux_find_file command.

Documentation for the linux_find_file command: https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference#linux_find_file

The syntax for linux_find_file is python vol.py -f <memory.dump> --profile=<profile> linux_find_file -i <inode address> -O <path/to/output/file>. The -i argument takes the kernel inode address (the 0xffff… value from linux_enumerate_files), not the inode number.

linux_find_file dumps the file, cat reads the file

With the file extracted, we can start digging into its contents to learn how it works.

We can read the file with the less command in Linux.

We can determine a number of things from scrolling through this file. The script is pentestmonkey’s php-reverse-shell, and links, instructions, and disclaimers are provided within the header of the file.

Below the usage instructions, several variables are set. Among them are $ip and $port, which the attacker has changed from the template’s placeholder values (pentestmonkey ships the file with 127.0.0.1 and 1234, each marked CHANGE THIS). If you ever find those defaults in a dumped shell, it was uploaded unmodified and the real C2 is somewhere else.

contents of the shell.php script

Answer 89.187.162.105:3351
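The two steps above (pick out scripts under the web root from linux_enumerate_files output, then pull the callback address out of the dumped PHP) are easy to automate for the next case. The following is an added example written for this walkthrough; it is not code from LetsDefend, Volatility, or pentestmonkey. The enumerate_files listing and the PHP header are constructed stand-ins with made-up inode addresses and a private callback IP, and the web root, upload directory name and script extensions are assumptions you can tune.

```python
import ipaddress
import re

# Constructed sample of `linux_enumerate_files` output (not the lab's real listing).
# Columns are Inode Address, Inode Number, Path.
ENUMERATE_FILES_SAMPLE = """\
Inode Address      Inode Number Path
------------------ ------------ ----
0x0000000000000000            2 /var/www/html
0x0000000000000001           17 /var/www/html/index.php
0x0000000000000002           18 /var/www/html/uploads
0x0000000000000003           19 /var/www/html/uploads/avatar.png
0x0000000000000004           20 /var/www/html/uploads/shell.php
0x0000000000000005           21 /etc/passwd
"""

# Constructed stand-in for the top of a pentestmonkey-style PHP reverse shell.
PHP_SHELL_SAMPLE = """<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.0.0.5';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
"""

ENUM_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\S.*)$")
# Assumed set of server-side script extensions worth looking at under a web root.
SUSPICIOUS_EXT = (".php", ".phtml", ".phar", ".php5", ".jsp", ".aspx")


def parse_enumerate_files(text):
    """Yield (inode_address, inode_number, path) tuples, skipping the header lines."""
    for line in text.splitlines():
        m = ENUM_LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def find_webroot_scripts(text, webroot="/var/www/", upload_dirs=("uploads",)):
    """Map each script path under the web root to (inode_address, inside_upload_dir).

    Scripts inside an upload directory are the first thing to dump: a web app
    should only ever store data there, so executable code is a red flag."""
    hits = {}
    for addr, _num, path in parse_enumerate_files(text):
        if not path.startswith(webroot) or not path.lower().endswith(SUSPICIOUS_EXT):
            continue
        in_upload = any(f"/{d}/" in path for d in upload_dirs)
        hits[path] = (addr, in_upload)
    return hits


def dump_file_cmd(dump, profile, inode_addr, out_path):
    """Build the argv for the Volatility 2 command that extracts one inode."""
    return ["python", "vol.py", "-f", dump, f"--profile={profile}",
            "linux_find_file", "-i", inode_addr, "-O", out_path]


C2_IP = re.compile(r"\$ip\s*=\s*['\"]([^'\"]+)['\"]")
C2_PORT = re.compile(r"\$port\s*=\s*['\"]?(\d{1,5})['\"]?")


def extract_c2(php_source):
    """Pull the $ip / $port assignments out of a PHP reverse shell and sanity-check them.

    Returns None when the file does not carry both variables, raises ValueError
    when a value is not a usable IP or port, and flags pentestmonkey's shipped
    placeholders (127.0.0.1:1234) so an unmodified upload is not reported as C2."""
    ip_m, port_m = C2_IP.search(php_source), C2_PORT.search(php_source)
    if not ip_m or not port_m:
        return None
    ip = ipaddress.ip_address(ip_m.group(1))  # ValueError on garbage
    port = int(port_m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "ip": str(ip),
        "port": port,
        "public": ip.is_global,  # a private/loopback callback means pivot host or template
        "default_template": str(ip) == "127.0.0.1" and port == 1234,
    }


if __name__ == "__main__":
    for path, (addr, in_upload) in find_webroot_scripts(ENUMERATE_FILES_SAMPLE).items():
        tag = "UPLOAD DIR" if in_upload else "web root"
        print(f"{addr}  {path}  [{tag}]")
        print("  ", " ".join(dump_file_cmd("mem.dump", "LinuxUbuntu_5_4_0-150-generic_profilex64", addr, path.rsplit('/', 1)[-1])))
    print(extract_c2(PHP_SHELL_SAMPLE))
```

On real output, feed the saved linux_enumerate_files listing to find_webroot_scripts, run the printed linux_find_file command for each upload-directory hit, and pass the dumped file to extract_c2; a result with public set to False tells you the callback goes to an internal host rather than straight to the internet.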

Q5

According to the IP address you got, what is the country of the attacker?

We can use any number of tools to look up the IP address and its reputation.

AbuseIPDB is one such freely available site.

Searching the IP address on AbuseIPDB shows that it has a questionable reputation and is geolocated to Singapore. Keep in mind that IP geolocation reports where the address is registered or hosted; for a VPS or VPN exit node that is not necessarily where the attacker physically sits, but the reported country is what the question is asking for.

abuseipdb results for the malicious ip address

Answer Singapore

Q6

What is the name of the user with UID value 1000?

To get the usernames and UIDs we can check the /etc/passwd file.

Of course, we’ll need to extract it from the memory capture.

As before, we’ll use the linux_find_file command to extract it. It can also locate the file for us: linux_find_file -F /etc/passwd prints the inode address, so we don’t need to grep through linux_enumerate_files output this time.

locating the file with linux_find_file

dumping the file with linux_find_file

reading the passwd file with cat

Thanks to the passwd file we can see that the UID 1000 belongs to user kirito.

Answer kirito
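Since the scenario says the attacker got root, the dumped passwd file is worth more than a single UID lookup: an extra UID 0 account or a service account given a login shell is a common persistence trick. The following is an added example for this walkthrough, not code from LetsDefend or Volatility. The passwd content is a constructed stand-in (the kirito line mirrors the lab answer, the support line is made up), and the UID 1000 cut-off for regular users and the list of no-login shells are Debian/Ubuntu assumptions.

```python
# Constructed /etc/passwd stand-in (not the lab's real file).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kirito:x:1000:1000:kirito,,,:/home/kirito:/bin/bash
support:x:0:0::/home/support:/bin/bash
"""

# Assumed: Debian/Ubuntu UID_MIN for human accounts, and the usual non-interactive shells.
UID_MIN = 1000
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; fail loudly on a line that is not 7 fields."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def users_for_uid(entries, uid):
    """Return every name carrying the UID; passwd does not force UIDs to be unique."""
    return [e["name"] for e in entries if e["uid"] == uid]


def suspicious_accounts(entries):
    """Flag what an analyst checks first after a root compromise:
    a second UID 0 account, or a system account that can log in interactively."""
    flagged = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            flagged.append((e["name"], "uid 0 but not root"))
        elif e["uid"] < UID_MIN and e["name"] != "root" and e["shell"] not in NOLOGIN_SHELLS:
            flagged.append((e["name"], f"system account with login shell {e['shell']}"))
    return flagged


if __name__ == "__main__":
    entries = parse_passwd(PASSWD_SAMPLE)
    print("UID 1000:", users_for_uid(entries, 1000))
    for name, reason in suspicious_accounts(entries):
        print(f"SUSPICIOUS {name}: {reason}")
```

Run it against the passwd file you dumped with linux_find_file; the shell check will also flag legitimate oddities such as sync (/bin/sync), so treat the output as a review list rather than a verdict.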

Q7

What is the IP address of the victim?

Volatility comes prepared for this task and provides the linux_ifconfig command.

This command returns the IP address, MAC address, and Promiscuous Mode for each interface on the endpoint.

linux_ifconfig output

Answer 192.168.245.129