Hack The Box: Ore Sherlock Walkthrough – Medium Difficulty

In this post, I would like to share some walkthroughs on the Sherlock Challenges such as Ore which can be considered a medium Difficulty

Introduction of Ore Challenge

In this challenge, You’ll grapple with an anomaly in Forela’s AWS infrastructure, managed by a technical partner. After deploying an EC2 instance to host the Grafana application, the CPU usage unexpectedly soared to a constant 98%+ due to a process named “xmrig”. This task calls on the you to probe into this anomalous behavior, leveraging your understanding of cloud infrastructure, EC2 instances, and system processes. You’ll need to identify what “xmrig” is, why it’s consuming so much CPU power, and if it poses a threat to the organization’s operations.

Case Scenario on Ore Challenge

One of our technical partners are currently managing our AWS infrastructure. We requested the deployment of some technology into the cloud. The solution proposed was an EC2 instance hosting the Grafana application. Not too long after the EC2 was deployed the CPU usage ended up sitting at a continuous 98%+ for a process named "xmrig". Important Information: Our organisation's office public facing IP is 86.5.206.121, upon the deployment of the application we carried out some basic vulnerability testing and maintenance.

Firstly, we are required to download the log file into our machine for further investigation.

We will be presented with those files which are shown in the screenshot above.

We also need to extract another compressed file which might lead to more files for us.

Sadly, we cannot investigate the catscale_out directory because of the error “Permission denied” to us.

I’m not sure why the directory cannot be accessed but my guts said to me to permit the file

The permission would look something as shown in the screenshot above.

At last, we managed to access the catscale_out directory for further investigation on the Ore Challenge.

We need to extract all the log files inside the Logs Directory

We require more information on what we will be facing here. After i have to analyze one of the log files that are stored in the Persistence Directory. To be frankly honest, i have no idea what is xmrig that mentioned in the log

After doing some research, XMrig is normally used for mining cryptocurrencies like Monero and Bitcoin

The information can be found here

For my curiosity, let’s investigate the Process_and_Network and analyze each log file that is stored in the directory.

We managed to find some logs that related to xmrig in the Process_and_Network directory

Question on Ore Challange

1. Which CVE lead to the initial compromise of the EC2?

When i look carefully, i notice that there’s a plugins/alertlist request which could be an attempt for the vulnerability.

Let’s do some research and find the CVE version such as CVE-2021-43798 which might be the answer to this question

2. Please detail all malicious IP addresses used by the threat actor (TA) targeting our organization.

To answer this question, we need to execute the command “cat syslog”

We managed to find some Remote IP addresses that look suspicious that mentioned inside the log

3. Which account to the TA utilize to authenticate to the host OS?

We can find the answer by looking into the crontab log which provides Grafana

4. Which file did the TA modify to escalate privileges and run the mining service as “root”?

The evidence for the question is been mentioned within the previous screenshot on question 3

5. Which program did the TA utilise to download the injector.sh script?

We need to analyze further the syslog which i noticed the command to download for injector.sh would be the wget command

6. Where was the crypto mining binary & config file initially downloaded to?

I also noticed the xmrig is been stored inside the /opt/automation

7. Which program did the TA utilise to download both the crypto mining binary & configuration file?

The command that has been used to download the mining binary is curl

8. We need to confirm the exact time the SOC team began artefact collection as this was not included in the report. They utilise the same public facing IP address as our system administrators in our Lincoln. Please confirm the date time in UTC

From the screenshot shown above, we can confirm the time for the SOC team to begin the artifact would be Nov 24 at 15:01:37

9. We believe the system administrators who setup Grafana may have left some hardcoded credentials in one of the files. Please confirm the file path, name & credentials

We can see the admin_password which could be the password required to answer this question.

10. What was the mining threads value set to when xmrig was initiated?

The threads value set is been mentioned when we analyze the log saved in the Process_and_Network Directory

11. Our CISO is requesting additional details surrounding which mining pool this may have been utilising. Please confirm which (if any) mining pool this the TA utilised

We also found the URL that can be potential for a mining pool has been utilized.

12. We couldn’t locate the crypto mining binary and configuration file in the original download location. Where did the TA move them to on the file system?

From the log shown in the screenshot above, we are aware of the location that TA moves on the file system.

13. We have been unable to forensically recover the “injector.sh” script for analysis. We believe the TA may have ran a command to prevent us doing recovering the file. What command did the TA run?

We also noticed a command that could be used to prevent from recovering the file

14 . How often does the cronjob created by our IT admins run for the script modified by the TA?

I also noticed that the cronjob that shows at the 08:30 on two days which i assume will be done on daily process