TAMUctf 19 Writeup Honeypot Cowrie

Cowrie

Files password: tamuctf

Warning: this challenge contains some malware samples.

What was the most common src ip (telnet & ssh)? What was the most common telnet username? What was the most common ssh username? What is the url and channel of the IRC server that the one downloaded script tried to connect to? (url, channel) 2/22 10:27 CST updated solutions for 2 and 3

We are given the honeypot's log files. Let's look at the Cowrie logs.

$ ls
cowrie.json             cowrie.json.2018-11-14  cowrie-textlog.log       cowrie-textlog.log.4.gz  tty               ttylogs.tgz.3.gz
cowrie.json.1.gz        cowrie.json.2.gz        cowrie-textlog.log.1.gz  lastlog.txt              ttylogs.tgz
cowrie.json.2018-11-12  cowrie.json.3.gz        cowrie-textlog.log.2.gz  lastlog.txt.1.gz         ttylogs.tgz.1.gz
cowrie.json.2018-11-13  cowrie.json.4.gz        cowrie-textlog.log.3.gz  lastlog.txt.2.gz         ttylogs.tgz.2.gz

To cover all of the logs, decompress the rotated cowrie.json.*.gz files first and then concatenate every cowrie.json* file (including the date-suffixed ones) into a single file. The rotated files are gzip-compressed, so they have to be unpacked before cat, otherwise the result is a mix of JSON and gzip bytes.

$ gunzip cowrie.json.*.gz
$ cat cowrie.json* > log.json

1.What was the most common src ip (telnet & ssh)?

Use jq to pull the source IP out of each cowrie.login.failed event, then count and sort to find the most frequent one. This ranks addresses by number of login attempts; counting cowrie.session.connect events instead would rank them by number of sessions.

$ cat log.json | grep 'cowrie.login.failed' | jq '.src_ip' | sort | uniq -c | sort -nr
  20592 "211.143.198.161"
   1939 "110.52.28.54"
    684 "5.188.86.173"
    680 "5.188.86.172"
    680 "41.230.64.46"
    679 "5.188.86.212"
    380 "5.188.86.216"
    291 "119.67.210.71"
    272 "37.79.118.232"
    271 "178.47.162.131"
    182 "90.150.200.255"
    182 "188.18.181.98"
    182 "188.16.39.27"
    182 "188.16.30.118"
    181 "213.100.205.249"
    150 "41.38.245.28"
    139 "62.45.211.218"
    119 "203.129.248.10"
    107 "120.72.20.86"
     90 "171.229.193.189"
(snip)

What was the most common src ip (telnet & ssh)?

FLAG1 : 211.143.198.161

What was the most common telnet username?

What was the most common ssh username?

Filter the failed-login events (cowrie.login.failed), print the username field with jq and count. Note that this pipeline counts telnet and ssh attempts together: the protocol is recorded on each session's cowrie.session.connect event, so separating the two properly means joining the login events to their connect event through the session id. The values ending in \u0000, such as shell\u0000 and enable\u0000, are NUL-terminated strings sent by telnet bots at the login prompt (shell and enable look like post-login commands that arrived early) rather than usernames a person would type.

$ cat log.json | grep 'cowrie.login.failed' | jq '.username' | sort | uniq -c | sort -nr
  12958 "root"
   7798 "admin"
   1388 ""
   1224 "shell\u0000"
   1203 "enable\u0000"
    441 "guest"
    397 "user"
    350 "Administrator"
    291 "sh\u0000"
    274 "superuser"
    274 "super"
    263 "tech"
    254 "default"
    249 "supervisor"
    234 "support"
    213 "service"
    186 "operator"
    185 "diag"

What was the most common telnet username?

FLAG2 : root

What was the most common ssh username?

FLAG3 : admin

What is the url and channel of the IRC server that the one downloaded script tried to connect to? (url, channel)

The downloaded script lives under honeypot2\data\cowrie\downloads. Antivirus flags it, so do this part inside a virtual machine. Cowrie names each file in downloads/ after its SHA-256, and the matching cowrie.session.file_download event in the JSON log records the URL it was fetched from and the same hash (shasum), which is how to tie the sample back to the session that dropped it. The file is Perl, so first tidy up the formatting. It turns out to be a Perl IRC bot.

#!/usr/bin/perl
(snip)
chop( my $ircname = `whoami ` );
chop( my $realname = `whoami ` );
my $nick = $rircname[ rand scalar @rircname ];
$server = 'irc.quakenet.org' unless $server;
my $port = '6667';
my $linas_max = '8';
my $sleep = '5';
my $homedir = "/tmp";
my $version = 'Undernet Perl Bot v1.0';
my @admins = ( "gov", "gov-", "fucker-", "fucker", "op" );
my @hostauth =
  ( "fucker.users.quakenet.org", "gov.users.quakenet.org", "cker.pro" );
my @channels = ("#bookz");
my $pacotes = 1;
(snip)

The two lines that answer the question are the default C2 server and the channel the bot joins:

$server = 'irc.quakenet.org' unless $server;
my @channels = ("#bookz");
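Reading the configuration block by hand works for one sample, but the honeypot keeps collecting. As an added example (not part of the original writeup or the bot), the Python below pulls the same indicators statically out of a Perl bot of this shape with regular expressions, never executing it: C2 host and port, channels, admin nicks, the hostmask allow-list, and the file hash. The SAMPLE_BOT text is a constructed excerpt modelled on the lines quoted above, not the actual challenge file, and the `$name = '...' unless $name;` and `my @name = ( ... );` patterns it matches are the ones visible in that excerpt.

```python
import hashlib
import re

# Constructed excerpt modelled on the bot quoted above (NOT the actual challenge
# sample): only the configuration lines an analyst cares about.
SAMPLE_BOT = r"""#!/usr/bin/perl
chop( my $ircname = `whoami ` );
my $nick = $rircname[ rand scalar @rircname ];
$server = 'irc.quakenet.org' unless $server;
my $port = '6667';
my $version = 'Undernet Perl Bot v1.0';
my @admins = ( "gov", "gov-", "op" );
my @hostauth =
  ( "gov.users.quakenet.org", "cker.pro" );
my @channels = ("#bookz");
"""

# One single- or double-quoted Perl string literal; group 1 is its contents.
STRING = r"['\"]([^'\"]*)['\"]"


def extract_scalar(script, name):
    """Value of the first `$name = '...'` / `my $name = "..."` assignment, or None."""
    pat = r"^\s*(?:my\s+)?\$" + re.escape(name) + r"\s*=\s*" + STRING
    m = re.search(pat, script, re.M)
    return m.group(1) if m else None


def extract_list(script, name):
    """All quoted strings in the first `my @name = ( ... );` list, even if it spans lines."""
    pat = r"(?:my\s+)?@" + re.escape(name) + r"\s*=\s*\((.*?)\)\s*;"
    m = re.search(pat, script, re.S)
    return re.findall(STRING, m.group(1)) if m else []


def extract_iocs(script):
    """Static IOC summary: C2 host/port, channels, admin nicks, hostmask allow-list, hash."""
    return {
        "server": extract_scalar(script, "server"),
        "port": extract_scalar(script, "port"),
        "channels": extract_list(script, "channels"),
        "admins": extract_list(script, "admins"),
        "hostauth": extract_list(script, "hostauth"),
        # Same digest Cowrie uses for the filename in downloads/.
        "sha256": hashlib.sha256(script.encode()).hexdigest(),
    }


def format_answer(iocs):
    """'(url, channel)' in the form the challenge asks for, channel without its leading '#'."""
    channel = iocs["channels"][0].lstrip("#") if iocs["channels"] else ""
    return f"{iocs['server']}, {channel}"


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_BOT)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("answer:", format_answer(iocs))
```

Point it at the real file with `extract_iocs(open(path, encoding="utf-8", errors="replace").read())` inside the VM; the hostauth list is worth keeping alongside the server and channel, since it tells you which IRC hostmasks the bot will accept commands from.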

What is the url and channel of the IRC server that the one downloaded script tried to connect to? (url, channel)

FLAG4 : irc.quakenet.org, bookz