Backdoored Splunk

Hit Start.

So we’ve got a URL and a specific port. Firefox web browser yields…

So we need an Authorization header. 🤔

Time to look at the provided files. It looks to be the export of a Splunk application.

Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this.

The Silver Searcher is a command line tool I picked up during the CTF and I love it. It’s like Grep on PCP.

Once installed, the base command is ag, followed by what you’re searching for, and where. So let’s do a quick search for Authorization on all the contents of this directory.

That looks interesting. A clue? One of the PowerShell scripts has Authorization and what looks to be Base64 code.

We also see a comment about the $PORT being dynamic based on the Start button. Decoding the string in CyberChef…
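The search-and-decode steps above, combined into one script as an added example (not code from the challenge or the original post): it walks an app export, finds Authorization headers carrying Basic tokens, including in UTF-16 PowerShell files, and decodes them. The sample tree, file names and credential are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# "Authorization", then "Basic <token>" on the same line (header or PowerShell hashtable form)
BASIC_RE = re.compile(rb"Authorization[^\r\n]{0,40}?Basic\s+([A-Za-z0-9+/]{8,}={0,2})", re.I)


def decode_basic(token):
    """Return (user, secret) if token is Base64 of 'user:secret', else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    user, sep, secret = raw.partition(b":")
    return (user.decode(errors="replace"), secret.decode(errors="replace")) if sep else None


def scan_tree(root):
    """Return [(relative path, line, user, secret)] for every decodable Basic token."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # PowerShell files are often UTF-16
            data = data.decode("utf-16", errors="replace").encode()
        for m in BASIC_RE.finditer(data):
            creds = decode_basic(m.group(1))
            if creds:
                line = data.count(b"\n", 0, m.start()) + 1
                hits.append((path.relative_to(root).as_posix(), line, *creds))
    return hits


def build_sample(root):
    """Constructed sample tree; file names and the credential are made up."""
    bin_dir = Path(root) / "sample_app" / "bin"
    bin_dir.mkdir(parents=True)
    token = base64.b64encode(b"svc_example:NotARealPassword").decode()
    script = f'# constructed sample\n$headers = @{{ Authorization = "Basic {token}" }}\n'
    for name, enc in (("utf8.ps1", "utf-8"), ("utf16.ps1", "utf-16")):
        (bin_dir / name).write_text(script, encoding=enc)
    (bin_dir / "readme.txt").write_text("Authorization: Basic placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, line, user, secret in scan_tree(tmp):
            print(f"{rel}:{line}: user={user!r} secret_length={len(secret)}")
```

The same scan works as a review step before installing a third-party Splunk app: any hit is a credential shipped inside the package.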

At this point we have all the pieces; we just need to put them together. I started to look at different ways to pass an Authorization header to a web server. There are proxy tools galore. And then there are the basics like curl. After a bit of brushing up on my syntax I had:

curl -H "Authorization: Basic [longStringFromThePowershell]" http://site:$PORT

Yay, what looks like more Base64. Once more with our Chef’s hat and…


Traffic

RITA was a tool I hadn’t used before but it was very easy to use. I installed it on my REMnux box and then ran it against the dataset.

I then used the command to generate an HTML report.

Looking through the DNS requests, there’s something sketchy indeed.

Let’s go take a look at that.


Dumpster Fire

Let’s start with the_silver_searcher again and see if we have any luck with “Password”.

There are a number of hits, including references to an encryptedUsername and encryptedPassword in the logins.json file. So we’ve got some encrypted Firefox user passwords. If only there were a utility that could decrypt those. Enter firepwd.py, an open source tool to decrypt Mozilla protected passwords.

Run the script in Python and point it to the directory for the user profile (where the logins.json file is).

That’s a pretty LEET password ;)


Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.