# Red Team Activity 2
- 90 Points / 161 Solves
## Background
Q2: Name of the malicious service?
Note: Flag format is `RS{MD5sum(<answer string>)}`
## Find the flag
**In this challenge we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|17:59:09(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```
As you can see, it's `auth.log`, the Linux log file that stores **system authorization information, including user logins and the authentication mechanisms that were used.**
**Since the challenge's question asks for a "service", we can `grep` for `.service` references, narrowed to lines where a unit gets enabled:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|18:03:05(HKT)]
└> grep '\.service' auth.log | grep 'systemctl enable'
Mar 25 20:10:40 ctf-1 sudo: root : (command continued) launchd (after installing config)#012start_teleport_launchd() {#012 log "Starting Teleport via launchctl. It will automatically be started whenever the system reboots."#012 launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist#012 sleep ${ALIVE_CHECK_DELAY}#012}#012# start teleport via systemd (after installing unit)#012start_teleport_systemd() {#012 log "Starting Teleport via systemd. It will automatically be started whenever the system reboots."#012 systemctl enable teleport.service#012 systemctl start teleport.service#012 sleep ${ALIVE_CHECK_DELAY}#012}#012# checks whether teleport binaries exist on the host#012teleport_binaries_exist() {#012 for BINARY_NAME in teleport tctl tsh; do#012 if [ -f ${TELEPORT_BINARY_DIR}/${BINARY_NAME} ]; then return 0; else return 1; fi#012 done#012}#012# checks whether a teleport config exists on the host#012teleport_config_exists() { if [ -f ${TELEPORT_CONFIG_PATH} ]; then return 0; else return
Mar 25 20:51:39 ctf-1 snoopy[2530]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: systemctl enable bluetoothd.service
```
Found it! The `bluetoothd.service` looks sussy!
**MD5 hash the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|17:59:10(HKT)]
└> echo -n 'bluetoothd.service' | md5sum
a9f8f8a0abe37193f5b136a0d9c3d869 -
```
> Note: The `-n` flag suppresses the trailing newline. Otherwise the hash would cover `bluetoothd.service\n` and come out different.
- Flag: `RS{a9f8f8a0abe37193f5b136a0d9c3d869}`
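The two steps above (pulling `systemctl enable` events out of `auth.log`, then hashing the answer) can be done in one small script. This is an added example, not part of the original writeup; the sample log lines are constructed, modelled on the snoopy and sudo entries shown above, and the `#012` sequence is rsyslog's escape for an embedded newline. It also separates a unit name that snoopy recorded being enabled directly from one that merely appears inside sudo-logged script text (the Teleport installer), which is what makes `bluetoothd.service` stand out.

```python
import hashlib
import re

# Constructed sample, modelled on the auth.log entries in the writeup (the sudo
# line is abbreviated; "#012" is how rsyslog escapes an embedded newline).
SAMPLE_AUTH_LOG = """\
Mar 25 20:10:40 ctf-1 sudo: root : (command continued) start_teleport_systemd() {#012 systemctl enable teleport.service#012 systemctl start teleport.service#012}
Mar 25 20:45:02 ctf-1 snoopy[2401]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root]: apt install bluez
Mar 25 20:51:39 ctf-1 snoopy[2530]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: systemctl enable bluetoothd.service
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SNOOPY_RE = re.compile(SYSLOG_PREFIX + r"snoopy\[\d+\]: \[login:(?P<login>\S+) .*?"
                       r"cwd:(?P<cwd>[^\]]+)\]: (?P<cmd>.*)$")
SUDO_RE = re.compile(SYSLOG_PREFIX + r"sudo: +(?P<user>\S+) : (?P<text>.*)$")
ENABLE_RE = re.compile(r"systemctl enable (?P<unit>\S+)")


def enabled_units(log_text):
    """Return (unit, source, cwd) for each `systemctl enable` in the log.

    source is "exec" when snoopy logged the command actually being run, and
    "script" when the unit only appears inside text that sudo recorded (an
    installer script body, for example); cwd is None if the log has none."""
    found = []
    for line in log_text.splitlines():
        if m := SNOOPY_RE.match(line):
            for e in ENABLE_RE.finditer(m["cmd"]):
                found.append((e["unit"], "exec", m["cwd"]))
        elif m := SUDO_RE.match(line):
            # Decode the escaped newlines so a unit name is not glued to "#012".
            for e in ENABLE_RE.finditer(m["text"].replace("#012", "\n")):
                found.append((e["unit"], "script", None))
    return found


def suspicious_enables(log_text, allowlist=frozenset()):
    """Units enabled by a directly executed command and not on the allowlist."""
    return [(u, cwd) for u, src, cwd in enabled_units(log_text)
            if src == "exec" and u not in allowlist]


def flag(answer):
    """Challenge flag format RS{MD5sum(<answer string>)}; no trailing newline."""
    return "RS{" + hashlib.md5(answer.encode()).hexdigest() + "}"


if __name__ == "__main__":
    for unit, cwd in suspicious_enables(SAMPLE_AUTH_LOG, {"teleport.service"}):
        print(f"enabled directly: {unit} (cwd {cwd}) -> {flag(unit)}")
```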