RedTrails
Description
Our SOC team detected suspicious activity on one of our Redis instances. Despite the fact that it was password protected, it seems that the attacker still obtained access to it. We need to put in place a remediation strategy as soon as possible; to do that it's necessary to gather more information about the attack used. NOTE: the flag is composed of three parts.
Solution
We are given a single capture.pcap file; the whole conversation is TCP, and Redis makes up most of it.

Following TCP stream 0, at the end we get information about what the attacker did:
First, FLAG_PART:_c0uld_0p3n_n3w will be useful for us.
Second, the attacker set up cron jobs to download some package and execute it every minute, every 5 minutes and every 7 minutes.
The next stream shows the request going to that endpoint:
Replace eval with echo
I commented out the commands piping to bash to avoid trouble; after running it:
Flag chunk: HTB{r3d15_1n574nc35
Now the flag is HTB{r3d15_1n574nc35_c0uld_0p3n_n3w; looks like we still need the 3rd part....
The next stream contains a wget command, but it must have failed, because the traffic doesn't contain this request.

Communication to the revshell must have also failed?

Going back to Stream 2, it's using system.exec, and after a quick Google search: https://github.com/jas502n/Redis-RCE
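The attacker's Redis session in streams 0 and 2 is just RESP on the wire (an array of bulk strings per command, or a plain inline line when sent by hand), so the commands can be pulled out of the exported TCP stream bytes without a Redis dissector. The following is an added example, not code from the original write-up: a small RESP parser plus a triage pass that flags configuration and module-loading commands and any module-provided command such as system.exec, and redacts the AUTH secret so the report can be shared. The byte string SAMPLE_STREAM is constructed here and is not data from the challenge's capture.pcap.

```python
"""Reconstruct Redis commands from a captured client->server TCP stream.

Added example for the RedTrails write-up; not part of the original page.
RESP encodes a command as "*<argc>\r\n" followed by argc bulk strings
"$<len>\r\n<bytes>\r\n". Redis also accepts "inline" commands, a single
space-separated line ending in \r\n, which tools like netcat produce.
"""
from typing import List, Tuple

# Constructed sample stream (assumed shape, NOT from the real capture.pcap):
# a RESP AUTH, an inline PING, then CONFIG SET, MODULE LOAD and a
# module-provided command, mirroring the kind of session the page describes.
SAMPLE_STREAM = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\npassword\r\n"
    b"PING\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$3\r\ndir\r\n$4\r\n/tmp\r\n"
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$14\r\n/tmp/module.so\r\n"
    b"*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n"
)

# Built-in commands that change persistence, replication or loaded code.
RISKY_COMMANDS = {
    "CONFIG", "MODULE", "EVAL", "EVALSHA", "SLAVEOF", "REPLICAOF",
    "DEBUG", "SAVE", "BGSAVE", "SCRIPT",
}


def parse_resp_commands(stream: bytes) -> List[List[str]]:
    """Split a raw client stream into argv lists (RESP arrays or inline lines)."""
    commands: List[List[str]] = []
    pos = 0
    while pos < len(stream):
        line_end = stream.index(b"\r\n", pos)
        if stream[pos:pos + 1] != b"*":
            # Inline command: whitespace-separated tokens on one line.
            # (Redis also accepts quoted tokens inline; a plain split is
            # enough for triage of a captured session.)
            commands.append(stream[pos:line_end].decode("utf-8", "replace").split())
            pos = line_end + 2
            continue
        argc = int(stream[pos + 1:line_end])
        pos = line_end + 2
        argv: List[str] = []
        for _ in range(argc):
            if stream[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            len_end = stream.index(b"\r\n", pos)
            length = int(stream[pos + 1:len_end])
            pos = len_end + 2
            argv.append(stream[pos:pos + length].decode("utf-8", "replace"))
            pos += length + 2  # skip payload and its trailing CRLF
        commands.append(argv)
    return commands


def redact(argv: List[str]) -> str:
    """Render a command for a report without leaking the AUTH secret."""
    if argv and argv[0].upper() == "AUTH":
        return "AUTH <redacted>"
    return " ".join(argv)


def flag_suspicious(commands: List[List[str]]) -> List[Tuple[str, str]]:
    """Return (category, redacted command) for commands worth an analyst's eye.

    A dotted command name (e.g. system.exec) is only available when a
    module has been loaded, which on a stock deployment is itself a finding.
    """
    findings: List[Tuple[str, str]] = []
    for argv in commands:
        if not argv:
            continue
        name = argv[0].upper()
        if name in RISKY_COMMANDS:
            findings.append((name, redact(argv)))
        elif "." in name:
            findings.append(("MODULE_CMD", redact(argv)))
    return findings


if __name__ == "__main__":
    for argv in parse_resp_commands(SAMPLE_STREAM):
        print(redact(argv))
    print("--- findings ---")
    for category, cmd in flag_suspicious(parse_resp_commands(SAMPLE_STREAM)):
        print(f"[{category}] {cmd}")
```

Feed it the raw bytes of the client side of a stream (Wireshark's "Follow TCP Stream", one direction, saved as raw) and the output is the attacker's command sequence in order; on a real capture the MODULE LOAD path and the module command arguments are the items to pivot on when hunting for the dropped binary.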

The exported file had a first line which shouldn't have belonged to the binary, so I just removed it via vim.
This ain't gonna be fun 😢

Well, the struggle wasn't that hard. It's doing AES encryption, and the Key/IV is stored in plaintext.

Decode with

Flag: HTB{r3d15_1n574nc35_c0uld_0p3n_n3w_un3xp3c73d_7r41l5!}