Cowrie
Files password: tamuctf
Warning: this challenge contains some malware samples.
1. What was the most common src ip (telnet & ssh)?
2. What was the most common telnet username?
3. What was the most common ssh username?
4. What is the url and channel of the IRC server that the one downloaded script tried to connect to? (url, channel)
2/22 10:27 CST: updated solutions for 2 and 3
We are given the log files of a honeypot. Let's look at the Cowrie logs.
$ ls
cowrie.json             cowrie.json.2018-11-14  cowrie-textlog.log       cowrie-textlog.log.4.gz  tty               ttylogs.tgz.3.gz
cowrie.json.1.gz        cowrie.json.2.gz        cowrie-textlog.log.1.gz  lastlog.txt              ttylogs.tgz
cowrie.json.2018-11-12  cowrie.json.3.gz        cowrie-textlog.log.2.gz  lastlog.txt.1.gz         ttylogs.tgz.1.gz
cowrie.json.2018-11-13  cowrie.json.4.gz        cowrie-textlog.log.3.gz  lastlog.txt.2.gz         ttylogs.tgz.2.gz
To search every log at once, decompress the rotated cowrie.json.*.gz files and concatenate all of the JSON logs into one file (each line is one JSON event, so plain concatenation is safe).
$ gunzip cowrie.json.*.gz
$ cat cowrie.json* > log.json
1. What was the most common src ip (telnet & ssh)?
Use jq to pull out the src_ip field, then count with sort | uniq -c and find the most frequent source IP. This counts over cowrie.login.failed events only, so an IP that tries many passwords per session is weighted by its number of guesses; counting cowrie.session.connect events instead would give one entry per session, but the leader here is so far ahead that it makes no difference to the answer.
$ cat log.json | grep 'cowrie.login.failed' | jq '.src_ip' | sort | uniq -c | sort -nr
  20592 "211.143.198.161"
   1939 "110.52.28.54"
    684 "5.188.86.173"
    680 "5.188.86.172"
    680 "41.230.64.46"
    679 "5.188.86.212"
    380 "5.188.86.216"
    291 "119.67.210.71"
    272 "37.79.118.232"
    271 "178.47.162.131"
    182 "90.150.200.255"
    182 "188.18.181.98"
    182 "188.16.39.27"
    182 "188.16.30.118"
    181 "213.100.205.249"
    150 "41.38.245.28"
    139 "62.45.211.218"
    119 "203.129.248.10"
    107 "120.72.20.86"
     90 "171.229.193.189"
(snip)
FLAG1 : 211.143.198.161
2. What was the most common telnet username?
3. What was the most common ssh username?
Aggregate the cowrie.login.failed events (failed login attempts), print the username field with jq, and count. Note that this counts both protocols together: the login events themselves do not record the protocol, so splitting telnet from ssh would require mapping each event's session id back to its cowrie.session.connect event, which does carry the protocol. The ranking is clear enough here: root first, then admin. The entries ending in \u0000, such as "shell\u0000" and "enable\u0000", are a telnet-bot artifact: Mirai-style bots send "enable", "shell" and "sh" at the login prompt, and the NUL terminator ends up in the captured username.
$ cat log.json | grep 'cowrie.login.failed' | jq '.username' | sort | uniq -c | sort -nr
  12958 "root"
   7798 "admin"
   1388 ""
   1224 "shell\u0000"
   1203 "enable\u0000"
    441 "guest"
    397 "user"
    350 "Administrator"
    291 "sh\u0000"
    274 "superuser"
    274 "super"
    263 "tech"
    254 "default"
    249 "supervisor"
    234 "support"
    213 "service"
    186 "operator"
    185 "diag"
What was the most common telnet username?
FLAG2 : root
What was the most common ssh username?
FLAG3 : admin
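As an added example (not part of the original writeup and not Cowrie's own tooling), here is a Python script that answers questions 1 to 3 over the same JSON logs without the grep/jq pipeline, and that attributes each login attempt to telnet or ssh by joining on the session id. It assumes that cowrie.session.connect events carry a "protocol" field and that later events of the same session reuse its "session" id; the sample log embedded below is constructed, not taken from the challenge files. It reads rotated .gz files directly, so no gunzip step is needed, and it counts source IPs per session (one connect event each) rather than per password guess.

```python
import gzip
import json
import sys
from collections import Counter, defaultdict

# Constructed sample of Cowrie JSON-lines events (not from the challenge logs;
# RFC 5737 addresses). Field names follow Cowrie's JSON output. The assumption
# this script relies on: cowrie.session.connect carries "protocol", and later
# events of that session reuse its "session" id.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"xc3511"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"enable\u0000","password":"system"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a2","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a2","username":"root","password":"vizxv"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b1","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b1","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.9","session":"b1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"zz","username":"pi","password":"raspberry"}
not json: a half-written line at a log rotation boundary
"""


def iter_events(lines):
    """Parse JSON-lines text, skipping blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def events_from_files(paths):
    """Read plain and gzip-rotated cowrie.json files, in the order given."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8") as fh:
            yield from iter_events(fh)


def summarize(events):
    """Return (Counter of src_ip per session, {protocol: Counter of usernames})."""
    proto_by_session = {}
    src_ips = Counter()
    usernames = defaultdict(Counter)
    for ev in events:
        eid = ev.get("eventid")
        if eid == "cowrie.session.connect":
            proto_by_session[ev["session"]] = ev.get("protocol", "unknown")
            src_ips[ev["src_ip"]] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            # A session whose connect event lives in a file we were not given
            # (or that was rotated away) lands in "unknown" instead of being
            # silently mis-attributed to one protocol.
            proto = proto_by_session.get(ev.get("session"), "unknown")
            usernames[proto][ev.get("username", "")] += 1
    return src_ips, usernames


def printable(name):
    """Show NUL and other control characters in usernames instead of hiding them."""
    return name.encode("unicode_escape").decode("ascii")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ips, users = summarize(events_from_files(sys.argv[1:]))
    else:
        ips, users = summarize(iter_events(SAMPLE_LOG.splitlines()))
    print("top src_ip (by session):", ips.most_common(3))
    for proto in sorted(users):
        shown = [(printable(u), n) for u, n in users[proto].most_common(3)]
        print(f"top {proto} usernames:", shown)
```

Feed the rotated files in chronological order (oldest first) so that a session's connect event is seen before its login events; anything left in the "unknown" bucket tells you how much of the data could not be attributed, which the grep/jq pipeline hides.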
4. What is the url and channel of the IRC server that the one downloaded script tried to connect to? (url, channel)
The downloaded script is in honeypot2\data\cowrie\downloads. It trips antivirus software, so do this work inside a virtual machine. The file is written in Perl, so first tidy it up for reading; it turns out to be a Perl IRC bot. Read it rather than run it: even `perl -c` executes BEGIN and use blocks, so a syntax check is not a safe way to inspect a sample.
#!/usr/bin/perl
(snip)
chop( my $ircname = `whoami ` );
chop( my $realname = `whoami ` );
my $nick = $rircname[ rand scalar @rircname ];
$server = 'irc.quakenet.org' unless $server;
my $port = '6667';
my $linas_max = '8';
my $sleep = '5';
my $homedir = "/tmp";
my $version = 'Undernet Perl Bot v1.0';
my @admins = ( "gov", "gov-", "fucker-", "fucker", "op" );
my @hostauth = ( "fucker.users.quakenet.org", "gov.users.quakenet.org", "cker.pro" );
my @channels = ("#bookz");
my $pacotes = 1;
(snip)
The two lines that matter are the server default and the channel list. Note the `unless $server` form: the hardcoded host is only a fallback used when $server was not already set, so this is the server the script falls back to rather than necessarily the only one it can be pointed at.
$server = 'irc.quakenet.org' unless $server;
my @channels = ("#bookz");
FLAG4 : irc.quakenet.org, bookz
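As an added example (not part of the original writeup, and not something the bot itself contains), here is a small static extractor that pulls the IRC server, port, channel list and admin/host lists out of Perl IRC-bot source by pattern matching, so the sample never has to be executed. The embedded excerpt is a few configuration lines retyped from the snippet above, labelled as constructed; the variable names it looks for ($server, $port, @channels, @hostauth, @admins) are the ones this sample uses, and other bot families will need their own patterns.

```python
import re

# Constructed excerpt modelled on the bot's configuration block above
# (a handful of lines retyped for the example; not the full sample).
SAMPLE_BOT = r"""
#!/usr/bin/perl
my $nick = $rircname[ rand scalar @rircname ];
$server = 'irc.quakenet.org' unless $server;
my $port = '6667';
my @admins = ( "gov", "gov-", "fucker-", "fucker", "op" );
my @channels = ("#bookz");
my $pacotes = 1;
"""

# $server = '...' / $port = '...' (with or without "my", "unless" tails ignored)
SCALAR_RE = re.compile(r"\$(?P<name>server|port)\s*=\s*['\"](?P<value>[^'\"]+)['\"]")
# @channels = ( "...", "..." ) and the other list-valued settings
LIST_RE = re.compile(r"@(?P<name>channels|hostauth|admins)\s*=\s*\((?P<body>[^)]*)\)")
QUOTED_RE = re.compile(r"['\"]([^'\"]*)['\"]")


def extract_irc_config(source):
    """Return the C2 settings found in Perl IRC-bot source, without running it."""
    cfg = {}
    for m in SCALAR_RE.finditer(source):
        # Keep the first assignment: that is the default the bot falls back to.
        cfg.setdefault(m.group("name"), m.group("value"))
    for m in LIST_RE.finditer(source):
        cfg[m.group("name")] = QUOTED_RE.findall(m.group("body"))
    return cfg


def answer(cfg):
    """Format the (url, channel) pair the way the challenge asks for it."""
    channels = [c.lstrip("#") for c in cfg.get("channels", [])]
    return f"{cfg.get('server', '?')}, {', '.join(channels)}"


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_BOT
    cfg = extract_irc_config(source)
    print(cfg)
    print(answer(cfg))
```

Run it against the real download inside the analysis VM; because it only reads the file, it is safe to use on a sample that antivirus flags, and the extracted server, port and nick/host lists are exactly the indicators worth recording for the incident.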