MicroServices - 4_Persistence

TamuCTF 2019 - Forensic (100 pts).

Challenge details

Event: TamuCTF 2019
Challenge: MicroServices - 4_Persistence
Category: Forensic
Points: 100
Solves: 42

Download: filesystem.image - md5: 490c78e249177e6478539f459ca14e87

Description

Thanks for that information. We are working on how to recover from this breach. One of the things we need to do is remove any backdoors placed by the attacker. Can you identify what the attacker left behind?

  1. What is the new user that was created?
  2. What is the full name of the new docker image that was pulled down?

Methodology

This challenge was rather simple given the information found earlier. In step 2 (2_Analysis), I saw that the $HOME of the dev user is /root, which is why we suspected it to be the newly created user:

Flag 1: dev

Then, when I investigated the Docker containers (cf. 3_Forensics), I saw a Kali image named tamuctf/kaliimage.

Flag 2: tamuctf/kaliimage
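
As an added example (not part of the original writeup), a small triage script that automates the two checks behind these flags on constructed sample data: it flags /etc/passwd entries whose home directory is /root, or whose uid is 0, without being the root account, and lists the image references recorded in Docker's image/<driver>/repositories.json (the sample below assumes the overlay2 storage driver layout).

```python
"""Triage helpers for a mounted Linux filesystem image: flag suspicious
accounts in /etc/passwd and list Docker images recorded by the daemon."""
import json

# Constructed sample /etc/passwd content (not taken from the challenge image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:1001:1001::/root:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
"""

# Constructed sample of image/overlay2/repositories.json as Docker writes it.
SAMPLE_REPOSITORIES_JSON = json.dumps({
    "Repositories": {
        "nginx": {"nginx:latest": "sha256:" + "a" * 64},
        "tamuctf/kaliimage": {"tamuctf/kaliimage:latest": "sha256:" + "b" * 64},
    }
})


def suspicious_accounts(passwd_text):
    """Return (username, reason) pairs for accounts that look like persistence."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:           # malformed line, skip rather than crash
            continue
        name, _, uid, _, _, home, _shell = fields
        if name != "root" and home == "/root":
            findings.append((name, "home directory is /root"))
        if name != "root" and uid == "0":
            findings.append((name, "uid 0 (root-equivalent)"))
    return findings


def docker_images(repositories_json):
    """Return sorted repo:tag references known to the Docker daemon."""
    data = json.loads(repositories_json)
    refs = []
    for tags in data.get("Repositories", {}).values():
        # digest-pinned entries (repo@sha256:...) duplicate the tag entries
        refs.extend(tag for tag in tags if "@sha256:" not in tag)
    return sorted(refs)


if __name__ == "__main__":
    for user, reason in suspicious_accounts(SAMPLE_PASSWD):
        print(f"[passwd] {user}: {reason}")
    for ref in docker_images(SAMPLE_REPOSITORIES_JSON):
        print(f"[docker] {ref}")
```

On a real image, read /etc/passwd and var/lib/docker/image/overlay2/repositories.json from the mount point and pass their contents to the two functions.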

Flag

dev
tamuctf/kaliimage

Maki