Description
This challenge is of medium difficulty. You have identified a malicious script that was executed before the computer shut down. A copy of the disk was made, and your task is to investigate the disk to understand the “extent of the damage” caused by the script.
Fingerprint (SHA256): eb135b3db3efe64220753c2b6495cc30bd51a1fa0268d1b7074323c91e872492
Format: HERO{flag}
Author: Mallon
Resolution
During the investigation, I used multiple tools to explore the disk image and uncover information regarding the malicious activities. Here is a step-by-step analysis:
Step 1: Mounting the Disk Image
To begin, we mounted the disk image using the following command to explore its contents:
sudo mount -o ro /path/to/disk/image /mnt/disk_image
Step 2: Analyzing Cron Jobs and Scheduled Tasks
One of the first areas we investigated was scheduled tasks such as cron jobs, which could have run malicious scripts before the shutdown. We listed them with the command:
sudo find /mnt/disk_image/etc/cron* /mnt/disk_image/var/spool/cron /mnt/disk_image/var/spool/cron/crontabs -type f -exec cat {} \;
We discovered a suspicious cron job scheduled to run every minute, which executed the following script:
* * * * * /tmp/.wrapper_script.sh
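To triage crontab entries like this one systematically rather than by eye, here is an added Python example (not part of the original writeup) that reads the crontab-format files under a mount point, parses both the system format (which has a user column) and the per-user spool format (which does not), and flags entries that run every minute, reference hidden dot-files, or point into world-writable directories such as /tmp. The SAMPLE_CRONTABS data is constructed for the example; only the /tmp/.wrapper_script.sh entry mirrors what was found on the image.

```python
"""Triage crontab entries copied from a mounted disk image.

Added example for this writeup; the sample data below is constructed.
"""
import re
import sys
from pathlib import Path

# Constructed sample: a system crontab (which has a user column) and a per-user
# crontab (which has none). The /tmp/.wrapper_script.sh entry is the one found
# on the image; the other entries are benign filler.
SAMPLE_CRONTABS = {
    "etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n"
    ),
    "var/spool/cron/crontabs/root": (
        "# m h dom mon dow command\n"
        "0 3 * * * /usr/local/bin/backup.sh\n"
        "* * * * * /tmp/.wrapper_script.sh\n"
    ),
}

# Five schedule fields, then the rest of the line (user + command, or command only).
SCHEDULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def has_user_column(relpath):
    """/etc/crontab and /etc/cron.d/* carry a user column; spool crontabs do not."""
    return relpath == "etc/crontab" or relpath.startswith("etc/cron.d/")


def parse_cron_line(line, user_column):
    """Return (schedule, user, command), or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):                      # @reboot, @daily, ...
        fields = line.split(None, 2 if user_column else 1)
        if len(fields) < (3 if user_column else 2):
            return None
        schedule, rest = fields[0], fields[1:]
    else:
        m = SCHEDULE_RE.match(line)
        if not m:
            return None
        schedule = " ".join(m.groups()[:5])
        rest = m.group(6).split(None, 1) if user_column else [m.group(6)]
        if user_column and len(rest) < 2:
            return None
    if user_column:
        return schedule, rest[0], rest[1]
    return schedule, "(file owner)", rest[0]


def suspicion_reasons(schedule, command):
    """Heuristics that would have flagged the entry from this writeup."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    if any(d in command for d in WORLD_WRITABLE_DIRS):
        reasons.append("command lives in a world-writable directory")
    if re.search(r"/\.[^/\s]+", command):
        reasons.append("hidden dot-file in command path")
    return reasons


def triage(crontabs):
    """crontabs maps relative path -> file text; returns entries worth a closer look."""
    findings = []
    for relpath, text in crontabs.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            parsed = parse_cron_line(raw, has_user_column(relpath))
            if parsed is None:
                continue
            schedule, user, command = parsed
            reasons = suspicion_reasons(schedule, command)
            if reasons:
                findings.append({"file": relpath, "line": lineno, "user": user,
                                 "schedule": schedule, "command": command,
                                 "reasons": reasons})
    return findings


def load_crontabs(mount_root):
    """Collect crontab-format files from a read-only mount such as /mnt/disk_image."""
    root = Path(mount_root)
    crontabs = {}
    for sub in ("etc/crontab", "etc/cron.d", "var/spool/cron"):
        p = root / sub
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [f for f in p.rglob("*") if f.is_file()]
        else:
            continue
        for f in files:
            crontabs[str(f.relative_to(root))] = f.read_text(errors="replace")
    return crontabs


if __name__ == "__main__":
    data = load_crontabs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CRONTABS
    for hit in triage(data):
        print(f"{hit['file']}:{hit['line']} [{hit['user']}] {hit['schedule']} {hit['command']}")
        print("    " + "; ".join(hit["reasons"]))
```

Run it as `python3 cron_triage.py /mnt/disk_image` against the mounted image; with no argument it runs on the constructed sample. The /etc/cron.hourly-style run-parts directories hold plain scripts rather than crontab lines, so they are listed separately (the writeup's find command already covers them).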
Step 3: Investigating the Wrapper Script
We navigated to /tmp/.wrapper_script.sh to examine the script. The wrapper script appeared to execute another script in a loop, with a 15-second delay between executions:
#!/bin/bash
while true; do
# Your main script code here
/tmp/.script.sh
# Wait for 15 seconds before running again
sleep 15
done
Step 4: Analyzing the Executed Script
The main script /tmp/.script.sh was found to have the following code:
#!/bin/bash
RANDOM_NUMBER=$(shuf -i 1-13 -n 1)
INSULTS=$(curl -s https://pastebin.com/raw/59mL2V9i)
temp=$(echo "$INSULTS" | sed -n "${RANDOM_NUMBER}p" )
# Decode the message and send it
temp= echo "$temp" | base64 -id
wall $temp
The script used curl to download data from a Pastebin link, selected a random line, decoded it from Base64, and sent it as a message to all logged-in users with wall. The downloaded Pastebin content consisted of Base64-encoded insults, as revealed during the investigation.
Step 5: Decoding the Base64 Data
We copied the Base64-encoded strings found on the Pastebin link and used an online Base64 decoder to reveal their contents. Here is an example of the decoded output:
You suck !
...
[Decoded string includes HERO{AlwaYs-Ch3ck_What_u-C0Py-P4ste}]
You suck !
The flag obtained from the decoded output was:
Flag: HERO{AlwaYs-Ch3ck_What_u-C0Py-P4ste}
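Decoding a saved copy of the paste offline avoids uploading evidence to a third-party decoder and also shows which lines the script could actually have broadcast. The Python below is an added example, not part of the original writeup: it decodes each line as leniently as `base64 -id` does (non-alphabet characters dropped, missing padding repaired), reports lines that fail to decode, searches the decoded text for the HERO{...} flag pattern, and narrows the list to the lines reachable through `shuf -i 1-13 -n 1`. The CONSTRUCTED_PASTE content is a stand-in built for the example; the live Pastebin content is not reproduced here.

```python
"""Decode a saved Base64 line list offline and extract the flag.

Added example for this writeup; CONSTRUCTED_PASTE is a stand-in, not the real paste.
"""
import base64
import binascii
import re
import sys
from pathlib import Path

FLAG_RE = re.compile(r"HERO\{[^}]*\}")

# Constructed stand-in for the Pastebin content. Line 1 is "You suck !" encoded
# by hand, line 2 is junk that cannot decode, line 3 carries the flag from the
# writeup (encoded at import time), line 4 is line 1 with its padding stripped.
CONSTRUCTED_PASTE = "\n".join([
    "WW91IHN1Y2sgIQ==",
    "-- not base64 --",
    base64.b64encode(b"HERO{AlwaYs-Ch3ck_What_u-C0Py-P4ste}").decode("ascii"),
    "WW91IHN1Y2sgIQ",
])


def decode_line(line):
    """Decode one line the way `base64 -id` would: ignore non-alphabet characters
    and tolerate missing '=' padding. Returns the text, or None if the remaining
    characters cannot form valid Base64 at all."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", line)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def decode_paste(text):
    """Decode every non-blank line; returns [(line_no, raw, decoded_or_None), ...]."""
    return [(n, raw, decode_line(raw))
            for n, raw in enumerate(text.splitlines(), 1) if raw.strip()]


def find_flags(rows, pattern=FLAG_RE):
    """Search decoded lines for the flag format; returns [(line_no, flag), ...]."""
    return [(n, m.group(0)) for n, _, decoded in rows if decoded
            for m in pattern.finditer(decoded)]


def reachable_by_script(rows, low=1, high=13):
    """`shuf -i 1-13 -n 1` followed by `sed -n "${N}p"` only ever selects lines
    1..13, so this is the subset of lines the script could have passed to wall."""
    return [row for row in rows if low <= row[0] <= high]


if __name__ == "__main__":
    # Pass the path of a saved copy of the paste; defaults to the constructed sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else CONSTRUCTED_PASTE
    rows = decode_paste(text)
    for n, raw, decoded in rows:
        if decoded is None:
            print(f"{n:3}: <undecodable> {raw!r}")
        else:
            print(f"{n:3}: {decoded!r}")
    for n, flag in find_flags(rows):
        print(f"flag on line {n}: {flag}")
    print(f"{len(reachable_by_script(rows))} of {len(rows)} lines reachable by the script")
```

Lines are reported with their line numbers so that a decoded line can be tied back to the RANDOM_NUMBER the script would have needed to pick it; any line beyond the 13th would never have reached wall even though it sits in the paste.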
Summary
The malicious script was set up to repeatedly send messages to all users using the wall command. The messages were pulled from a Pastebin link, which included both insults and the flag hidden in the content. The script was designed to run every minute, and the wrapper script ensured that it kept running in an endless loop. This was likely intended to frustrate users or administrators until the system was shut down.