Deep root is a challenge on h4k-it that is categorised under "IncidentResponse". Incident Response (IR) is a structured, systematic approach an organisation takes to detect, contain, eradicate and recover from cyber incidents. So, as the incident responders this time round, let's see what we can recover.

Let's get started with our challenge by reading the description.

(Screenshot: Description)

Let's open the website provided in the challenge and see what we need to recover.

On opening the website, it shows us that the Umoja microfinance website was hacked and defaced by hackers called "shadow unit 9".

(Screenshot: Defaced website)

Where can we start from??? Can we check the source code???

(Screenshot: Source code)

Nothing much is there apart from links that lead nowhere other than a 404 page.

It's good practice to check whether a site has a robots.txt file before brute-forcing its directories…

So can we check if our site has the robots.txt file???

(Screenshot: robots.txt)

Luckily we find two entries that look fishy: "internal" and "files"… Can we traverse to "/internal/" to see what it contains???

(Screenshot: /internal)

Well, it shows us another Umoja page.. So can we also check its source code to see how it works, or whether we can find something important???

(Screenshot: Comments)

Well we see something commented out… What could it be???

<!-- cache_ref: .sys_update_cache -->
<!-- module_ver: 1.4 -->

On taking a deeper look at this comment, we realise that ".sys_update_cache" is actually a file. So how can we access it???

Remember, in our robots.txt we had found two directories, and "/files" was among them. So can we access it???

(Screenshot: Bad request)

It displays a bad request, but remember that 400 (Bad Request) is different from 404 (Not Found): the endpoint exists, it just expects something we didn't supply. Are we missing something in the URL??? Let's see… could we edit the URL, adding the file name we got from the source code???

http://209.38.92.205:33307/files?name=.sys_update_cache
(Screenshot: Python code)

Well, it looks like we have landed on a Python script; you can copy it and paste it into any preferred IDE.

(Screenshot: Py code)

On reading and understanding the code, we find that the build_rev variable that has to be decoded is missing, but we had seen it in the "/internal" source code, so we go and copy and paste it into our Python script.


We uncomment the build_rev line and the decoded line, then print the decoded variable to see its output.

(Screenshot: flag)

Hooray!!!! We can see our flag in auth_key, so this is the one we submit.

But if you read the whole code carefully, you realise it is a reverse shell that connects to a c2_host of "https://185.220.101.45". So we can use this information for further investigation if this were a real incident.
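As a responder you would rather not run a recovered reverse shell in your IDE to read its settings. The added example below (not part of the challenge or the write-up) shows the static alternative: pull the hidden-file references out of the page's HTML comments and the c2_host/build_rev constants out of the script with Python's ast module, which parses without executing. The HTML fragment and the script text are constructed stand-ins with placeholder values; the real build_rev blob and decoder are not reproduced.

```python
import ast
import json
import re

# Constructed HTML fragment carrying the two comments seen on /internal.
SAMPLE_HTML = """
<html><body><h1>Umoja</h1>
<!-- cache_ref: .sys_update_cache -->
<!-- module_ver: 1.4 -->
</body></html>
"""

# Constructed stand-in for the recovered script; all values are placeholders.
SAMPLE_SCRIPT = """
import socket
c2_host = "https://C2-HOST-PLACEHOLDER"
c2_port = 4444
build_rev = "QkFTRTY0LVBMQUNFSE9MREVS"
def connect():
    return socket.create_connection((c2_host, c2_port))
"""

# key: value pairs left in HTML comments, e.g. "cache_ref: .sys_update_cache"
COMMENT_RE = re.compile(r"<!--\s*([A-Za-z_][\w-]*)\s*:\s*(.*?)\s*-->", re.S)

def html_comment_refs(html: str) -> dict:
    """Return the key/value pairs an attacker (or developer) left in comments."""
    return {key: value for key, value in COMMENT_RE.findall(html)}

def script_indicators(source: str) -> dict:
    """Collect top-level `name = <literal>` assignments from a recovered script.
    ast.parse only builds a syntax tree, so the reverse shell never runs."""
    found = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    found[target.id] = node.value.value
    return found

def triage(html: str, source: str) -> dict:
    """Summarise what matters for the IR timeline: hidden files, C2 settings, blobs."""
    refs = html_comment_refs(html)
    consts = script_indicators(source)
    return {
        "hidden_files": [v for v in refs.values() if v.startswith(".")],
        "module_ver": refs.get("module_ver"),
        "c2": {k: v for k, v in consts.items() if k.startswith("c2_")},
        "blobs": {k: v for k, v in consts.items() if k == "build_rev"},
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HTML, SAMPLE_SCRIPT), indent=2))
```

The c2 entries feed straight into network log searches and blocklists, while the build_rev blob can be decoded offline once you know the encoding the script uses.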

#Happy hacking