Get your forensics gloves out.
We’ve managed to exploit a network service running on a C2 server used for orchestrating a large botnet. From there we were able to escalate our privileges and use that server as a proxy to pivot to other machines in the network.
It’s quite fascinating: based on the machines we have found, we think that these guys are a known bad actor, responsible for leaking private documents and data from corporate and government targets. That changes our current focus from a reconnaissance mission to a criminal investigation, which involves gathering evidence on them so we can attribute names to actions for further prosecution in the courts.
Thus, we’ve started to image the disks of all the machines we have managed to pivot on. These are not the most ideal circumstances for admissibility of evidence, but we do have a warrant on the guys involved and we can let our lawyers do the rest.
Anyway, I’ve attached a disk image of a small Linux server which we believe they’re using for temporarily keeping exfiltrated files.
Can you take a look and see what you find?
We are given an image.E01 file and are asked to investigate it. E01 is the EnCase Evidence File format (Expert Witness Format): a container for a disk image that also carries case metadata, a CRC per data chunk and an MD5 (optionally SHA-1) hash of the acquired data, which is what lets you verify the image has not changed since acquisition.
I opened the file in Autopsy. It contains a small Linux system:
Looking closely at the main directories, /home and /root, I found a PGP message along with a PGP public and private key pair:
To decrypt it, I exported the PGP message and the private key and used gpg.
This manual page is helpful for decrypting a PGP message with a private key: https://www.gnupg.org/gph/en/manual/x110.html
Initially I wrote the output to a file called doc, but on closer inspection doc contained HTML (running file on the output would have shown this straight away). So I ran the decryption again with the output written to doc.html.
Opening doc.html in a browser, we see a rather creepy picture:
The values in the picture look like hex-encoded ASCII, so I copied them out and decoded them from hex, which reveals our flag at the bottom:
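The steps above (verify the image, import the exported private key, decrypt the exported message, then pull the hex out of the decrypted HTML and decode it) as a small POSIX sh toolkit. This is an added example, not code from the original writeup: the file names image.E01, privkey.asc, message.asc and doc.html are assumptions, as is the use of ewfverify from libewf for the hash check. The hex decoder uses only printf, so it works on a minimal analysis box without xxd.

```shell
#!/bin/sh
# Added example (not part of the original writeup). File names are assumptions.

# Check the E01 container's stored hash against the data before working on it.
# ewfverify ships with libewf; a mismatch means the image is not what was acquired.
verify_image() {
    ewfverify "$1"
}

# Import the exported private key and decrypt the exported message to a file.
# --batch suppresses interactive prompts; if the key had a passphrase you would
# add --pinentry-mode loopback --passphrase-file <file>.
decrypt_message() {
    key=$1 msg=$2 out=$3
    gpg --batch --import "$key" &&
    gpg --batch --yes --output "$out" --decrypt "$msg" &&
    file "$out"            # identifies the plaintext type (e.g. HTML) immediately
}

# Print every run of 8 or more hex digits with even length found in a file,
# one per line. The 8-digit minimum skips short tokens such as CSS colour codes;
# the even-length filter drops runs that cannot be whole bytes.
extract_hex_tokens() {
    grep -oE '[0-9a-fA-F]{8,}' "$1" | awk 'length($0) % 2 == 0'
}

# Decode a hex string to raw bytes using only POSIX sh and printf.
decode_hex() {
    hex=$1
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")       # first two hex digits
        hex=${hex#??}                      # drop them from the remainder
        printf "\\$(printf '%03o' "0x$pair")"   # byte as an octal escape
    done
}

# Decode every hex token in a file, one decoded string per line.
decode_hex_tokens() {
    extract_hex_tokens "$1" | while IFS= read -r token; do
        decode_hex "$token"
        printf '\n'
    done
}

# Usage, following the writeup's steps:
#   verify_image image.E01
#   decrypt_message privkey.asc message.asc doc.html
#   decode_hex_tokens doc.html
```

If the HTML embeds the values inside the image itself rather than as text, extract_hex_tokens will find nothing; in that case the hex has to be read off the picture by hand and fed to decode_hex directly.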