Magnet Weekly CTF (Week 8) - PHP Cluster

The last week of Linux month is complete, and I'm glad it was somewhat of a breeze to answer again. We got another two-parter this week with a focus on installed packages and an insider attacker use case.

Challenge 8 (Nov. 23-30) Part 1 (20)

What package(s) were installed by the threat actor? Select the most correct answer!

Knowing nothing about where to look, a quick Google search for "linux installed packages" gave me some clues about where to start after reading this article from It's FOSS. The file of interest, where we can see what packages were installed on the system, can be found at:

/var/log/dpkg.log

Opening the log in Notepad++ and doing a keyword search for "install", whole word only (there is some noise), will help narrow things down a bit. I figured I would start at the end of the file and work backwards, as the threat actor most likely had access to the box after default installation. The last package that I see that was installed, on 2019-10-07, was "php", which was the answer.
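The same whole-word "install" search can be scripted. The Python below is an added example, not part of the original write-up: it keeps only dpkg.log `install` action lines, drops the `status installed` / `half-installed` noise, and groups packages by day so the most recent install day stands out. The sample log is constructed (its versions and times are made up), and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# dpkg.log action lines look like:
#   YYYY-MM-DD HH:MM:SS install <package>:<arch> <old-version> <new-version>
# "status half-installed ..." and "status installed ..." lines are the noise
# that a whole-word match on "install" filters out.
INSTALL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"install (?P<pkg>[^\s:]+)(?::(?P<arch>\S+))? (?P<old>\S+) (?P<new>\S+)$"
)

# Constructed sample, NOT taken from the challenge image; versions are made up.
SAMPLE_LOG = """\
2019-10-05 10:00:01 startup archives unpack
2019-10-05 10:00:02 install base-files:amd64 <none> 0.0-sample1
2019-10-05 10:00:02 status half-installed base-files:amd64 0.0-sample1
2019-10-05 10:00:03 status installed base-files:amd64 0.0-sample1
2019-10-05 10:00:04 install openssh-server:amd64 <none> 0.0-sample2
2019-10-05 10:00:05 configure openssh-server:amd64 0.0-sample2 <none>
2019-10-06 09:00:00 upgrade base-files:amd64 0.0-sample1 0.0-sample1b
2019-10-07 01:00:01 startup archives unpack
2019-10-07 01:00:02 install php:all <none> 0.0-sample3
2019-10-07 01:00:03 status half-installed php:all 0.0-sample3
2019-10-07 01:00:04 status installed php:all 0.0-sample3
"""

def installs_by_day(log_text):
    """Return {date: [package, ...]} for 'install' actions only, in log order."""
    days = OrderedDict()
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line.strip())
        if m:
            days.setdefault(m.group("date"), []).append(m.group("pkg"))
    return days

def latest_installs(log_text):
    """Return (date, packages) for the most recent day with an install action."""
    days = installs_by_day(log_text)
    if not days:
        return None
    date = max(days)  # ISO dates sort chronologically as plain strings
    return date, days[date]

if __name__ == "__main__":
    # Newest day first, mirroring the "start at the end and work backwards" approach.
    for day in sorted(installs_by_day(SAMPLE_LOG), reverse=True):
        print(day, ", ".join(installs_by_day(SAMPLE_LOG)[day]))
```

To use it on a real image, pass the contents of the extracted `/var/log/dpkg.log` (and any rotated copies) to `installs_by_day()` instead of the sample.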


Challenge 8 (Nov. 23-30) Part 2 (20)

Why?

    • hosting a database
    • serving a webpage
    • to run a php webshell
    • create a fake systemd service

Part 2 asks why the php package was installed on the system. Across the image there was only one .php file available, called "cluster.php". Knowing php is generally related to webpage items and knowing the attacker installed the package made me believe that the first two options were too general as answers; there's got to be more to the story! Tracking down another file for package installation led me to:

/var/log/apt/term.log

Looking for the installation of the php package I saw a quick line reference to "systemd".

An educated guess led me to pick "create a fake systemd service", and it ended up being the correct answer.

Ali Hadi's OSDFCon talk from 2019 broke down the case of these images and also references the systemd service.