Paranoid
- What account was compromised? (2 points)
btlo
- What attack type was used to gain initial access? (2 points)
brute force
- What is the attacker's IP address? (2 points)
192.168.4.155
- What tool was used to perform system enumeration? (2 points)
linpeas
- What is the name of the binary and pid used to gain root? (3 points)
evil, 829992
- What CVE was exploited to gain root access? (Do your research!) (3 points)
CVE-2021-3156
The following line gave me the crucial information I needed to track down the exploit:
type=EXECVE msg=audit(1633393630.049:481001): argc=20 a0="/usr/lib/gcc/x86_64-linux-gnu/9/cc1" a1="-quiet" a2="-imultiarch" a3="x86_64-linux-gnu" a4="hax.c" a5="-quiet" a6="-dumpbase" a7="hax.c" a8="-mtune=generic" a9="-march=x86-64" a10="-auxbase" a11="hax" a12="-fasynchronous-unwind-tables" a13="-fstack-protector-strong" a14="-Wformat" a15="-Wformat-security" a16="-fstack-clash-protection" a17="-fcf-protection" a18="-o" a19="/tmp/ccXFk5Iz.s"
Searching up "hax.c" led me to the actual file, which was actually created by a guy I've run across a few times on Twitter for making a super neat Pwn2Own entry for a printer display.
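The EXECVE record above is far easier to read once its numbered a0..aN fields are rebuilt into an argv. The Python below is an added example, not part of the original write-up: it parses auditd EXECVE records (both the quoted form and the hex-encoded form auditd uses for arguments containing spaces or quotes), rebuilds argv, and flags compiler invocations together with the source files they compile, which is exactly how a name like "hax.c" stands out in a log. The sample log is constructed: the first record is the line quoted above, the other two are made up to exercise the hex-encoded argument and a non-compiler process. The compiler name list and source suffixes are assumptions chosen for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log: record 481001 is the line from the write-up; the two
# records after it are made up (one hex-encoded argument, one harmless process).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1633393630.049:481001): argc=20 a0="/usr/lib/gcc/x86_64-linux-gnu/9/cc1" a1="-quiet" a2="-imultiarch" a3="x86_64-linux-gnu" a4="hax.c" a5="-quiet" a6="-dumpbase" a7="hax.c" a8="-mtune=generic" a9="-march=x86-64" a10="-auxbase" a11="hax" a12="-fasynchronous-unwind-tables" a13="-fstack-protector-strong" a14="-Wformat" a15="-Wformat-security" a16="-fstack-clash-protection" a17="-fcf-protection" a18="-o" a19="/tmp/ccXFk5Iz.s"
type=EXECVE msg=audit(1633393631.500:481002): argc=3 a0="/usr/bin/gcc" a1=2F746D702F7820792E63 a2="-o"
type=EXECVE msg=audit(1633393632.000:481003): argc=2 a0="/usr/bin/ls" a1="-la"
"""

# Header: type, epoch timestamp, serial number and argc.
AUDIT_HDR = re.compile(r"^type=EXECVE\s+msg=audit\((\d+\.\d+):(\d+)\):\s+argc=(\d+)")
# One argument: either aN="quoted text" or aN=HEXSTRING (auditd hex-encodes
# arguments that contain spaces, quotes or non-printable bytes).
AUDIT_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Assumed lists for the example: what counts as a compiler and as a source file.
COMPILERS = {"cc1", "cc1plus", "gcc", "cc", "clang", "tcc"}
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".cxx")


def parse_execve(line):
    """Parse one EXECVE record into a dict with ts, when, serial, argc and argv.

    Returns None for any line that is not an EXECVE record. Very long
    arguments that auditd splits into aN[0], aN[1] chunks are not handled.
    """
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    ts, serial, argc = float(m.group(1)), int(m.group(2)), int(m.group(3))
    argv = ["<missing>"] * argc
    for am in AUDIT_ARG.finditer(line):
        idx = int(am.group(1))
        if idx >= argc:
            continue
        if am.group(2) is not None:
            argv[idx] = am.group(2)
        else:
            argv[idx] = bytes.fromhex(am.group(3)).decode("utf-8", "replace")
    return {
        "ts": ts,
        "when": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "serial": serial,
        "argc": argc,
        "argv": argv,
    }


def compiled_sources(rec):
    """Return the source files named on the command line if argv[0] is a compiler."""
    if not rec or not rec["argv"]:
        return []
    prog = rec["argv"][0].rsplit("/", 1)[-1]
    if prog not in COMPILERS:
        return []
    seen = []
    for arg in rec["argv"][1:]:
        if arg.endswith(SOURCE_SUFFIXES) and arg not in seen:
            seen.append(arg)
    return seen


def scan(log_text):
    """Return (serial, program, sources) for every compiler invocation in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        srcs = compiled_sources(rec)
        if srcs:
            hits.append((rec["serial"], rec["argv"][0], srcs))
    return hits


if __name__ == "__main__":
    for serial, prog, srcs in scan(SAMPLE_LOG):
        print(f"{serial}: {prog} compiled {', '.join(srcs)}")
```

On the sample log this reports record 481001 compiling hax.c and record 481002 compiling the hex-encoded "/tmp/x y.c", and ignores the ls invocation. On a real host the same scan over ausearch output gives a short list of on-box compilations to check against the SYSCALL records that follow them (uid, cwd, exe), which is where the account and the resulting binary come from.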
- What type of vulnerability is this? (3 points)
heap-based buffer overflow
- What file was exfiltrated once root was gained? (3 points)
/etc/shadow