Innocent : linux forensic challenge

Description#

zohir wanted to learn hacking, like REAL hacking, so he installed kali and joined a russian hacking telegram group, and started chatting with one of the group members, after 2 days he came to me saying that suspicious files are appearing on his machine can you help him find out what is going on?
files provided :here

Author : L4Z3X

we have three artifacts the log folder, the pcap file and the home dir of the victim.
First, we take a look at the auth.log file located in the log folder, there we can see that there are a lot of failed ssh attampts from 192.168.56.5 which means there was a ssh bruteforce attack and after that we can see that the attacker succesfully logged via ssh:

1
2025-10-13T05:25:23.462609-04:00 kali sshd-session[227351]: Accepted password for zohir from 192.168.56.5 port 39866 ssh2

from here we then proceed to the /home/zohir dir and take a look at the .bash_history file,

1
   23  ls
2
   30  git clone https://github.com/l4z3x/better-prompt/
3
   33  rm -rf better-prompt
4
   36  ls

Investigating the better-prompt repo#

the file was intentioally tempered with some commands removed, but we can see that the attacker cloned the repo better-prompt from github, so we go ahead and take a look at the repo here. reading the code we can’t find anything suspicious, so let’s inspect the previous commits.
the commit with the message “bp2” has a suspicious script that listens (on port 1337) for commands from a remote server and decrypts them with aes 128 cbc with the key from an ENV variable named KEY and the iv hardcoded with the value 0123456789abcdef and then it executs the command and encrypts the output with same parameters and finally sends it back to the server, the commit also contained the executable version of the script under dist folder

Investigating the `.bashrc` and `.bash_aliases` files#

now let’s look for the KEY variable and where the script is being executed, going back to zohir folder, we see a file named .prompt, it’s likely related to the better-prompt repo, running file cmd on it we can see that it’s a ELF 64-bit executable,this confirms that it’s the malicious program.
inspecting the .bashrc file we can see at the end the key used for aes encryption which is oushou_n_tkhsayt, we know that .profile and .bash_aliases are often sourced in .bashrc, in our case we only have .bash_aliases sourced, so we go ahead and inspect the .bash_aliases file:

1
./.prompt > /dev/null 2>/dev/null &

basically what this line does is that it runs the malicious .prompt file (from the better-promt repo) in the background and redirects both stdout and stderr to /dev/null, so we can conclude that the .prompt file is being executed every time zohir open the terminal, now to the last part is extracting the communication between the attacker and the victim.

Analyzing the pcapng file#

we open the pcapng file in wireshark and filter the traffic with tcp.port == 1337 since it’s the port used in the script, then we can see the communication between the attacker and the victim, from there we can follow the tcp stream and extract the commands and the output, run it on the decryptor script and get the flag. NOTE: you have the install the required libraries

1
python -m venv env
2
source env/bin/activate
3
pip install pycryptodome

and then

1
import base64
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import unpad
4

5
KEY = b"oushou_n_tkhsayt"
6
IV = b"0123456789abcdef"
7

8
def aes_decrypt_b64(ciphertext_b64: str) -> str:
9
    try:
10
        ciphertext = base64.b64decode(ciphertext_b64)
11
        cipher = AES.new(KEY, AES.MODE_CBC, IV)
12
        plaintext_padded = cipher.decrypt(ciphertext)
13
        plaintext = unpad(plaintext_padded, AES.block_size)
14
        return plaintext.decode("utf-8", errors="replace")
15
    except Exception as e:
16
        return f"<decrypt error: {e}>"

using scapy#

scapy is a powerful python library used for packet manipulation, we can use it to extract the commands and the output from the pcapng file, we can use the following script to do that:

1
import json
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import unpad
4
import base64
5
try:
6
    from scapy.all import rdpcap, TCP
7
except ImportError:
8
    print("Scapy is not installed. Please install it using 'pip install scapy'")
9
    print("use .env")
10
    print("Exiting...")
11
    exit(1)
12
packet = rdpcap("../../Innocent/traffic.pcapng")
13

14
filtered_packets = [
15
    pkt
16
    for pkt in packet
17
    if TCP in pkt and (pkt[TCP].dport == 1337 or pkt[TCP].sport == 1337)
18
]
19
payloads = []
20
for pkt in filtered_packets:
21
    if pkt[TCP].payload:
22
        payloads.append(bytes(pkt[TCP].payload).decode(errors="ignore"))
23

24
ouput = []
25
commands = []
26
for payload in payloads:
27
    if "payload" in payload:
28
        j = json.loads(payload)
29
        commands.append(j["payload"])
30
    else:
31
        ouput.append(payload)
32

33

34
# decrypt the commincations
35

36
KEY = b"oushou_n_tkhsayt"
37

38
IV = b"0123456789abcdef"
39

40

41

42

43

44
def aes_decrypt(ciphertext_b64):
45
    try:
46
        ciphertext = base64.b64decode(ciphertext_b64)
47
        cipher = AES.new(KEY, AES.MODE_CBC, IV)
48
        padded_plaintext = cipher.decrypt(ciphertext)
49
        plaintext = unpad(padded_plaintext, 16)
50
        return plaintext.decode("utf-8", errors="replace")
51

52
    except Exception as e:
53
        print("AES decryption error: ", e)
54
        return ""
55

56

57
for i in range(len(commands)):
58
    print(f"> {aes_decrypt(commands[i])}")
59
    print(f"{aes_decrypt(ouput[i])}")
60
    print("-----")

1
source "you env folder"
2
pip install scapy
3
python solve.py

output:

1
> id
2
uid=1001(zohir) gid=1001(zohir) groups=1001(zohir),27(sudo),100(users)
3

4
-----
5
> ls
6
Desktop
7
Documents
8
Downloads
9
Music
10
Pictures
11
Public
12
zohir
13
zohir.tar
14
Templates
15
Videos
16

17
-----
18
> echo "you found meee"
19
you found meee
20

21
-----
22
> echo "good boooooy"
23
good boooooy
24

25
-----
26
> echo "don't ever contact a russion hacker"
27
don't ever contact a russion hacker
28

29
-----
30
> echo "i hope you learned your lesson"
31
i hope you learned your lesson
32

33
-----
34
> echo "bmV4dXN7YzJfZXhmMWx0cjR0MTBuX3ZpYV9iNHNoX2FsMTRzM3N9Cg=="
35
bmV4dXN7YzJfZXhmMWx0cjR0MTBuX3ZpYV9iNHNoX2FsMTRzM3N9Cg==
36

37
-----
38
> echo "see you next time ;)"
39
see you next time ;)
40

41
-----
42
> exit

base64-decode command and you’ll get the flag.

1
base64 -d <<< "bmV4dXN7YzJfZXhmMWx0cjR0MTBuX3ZpYV9iNHNoX2FsMTRzM3N9Cg=="
2
nexus{c2_exf1ltr4t10n_via_b4sh_al14s3s}

Summary#

an SSH brute-force attack from 192.168.56.5 resulted in a successful login to user zohir. The attacker deployed a backdoor by cloning a repository (better-prompt), running a local ELF named .prompt at shell startup, and used AES-encrypted TCP communications on port 1337 to receive commands and return results. We extracted the network traffic from the provided pcapng and decrypted the command/response exchange to recover the flag.

Flag#

nexus{c2_exf1ltr4t10n_via_b4sh_al14s3s}