As you should know, life in MINAF (Ministry of Joy and Happiness, Ministerio de la Alegria y la Felicidad in Spanish) is always interesting! The SOC team escalates an interesting alert: one webserver is connecting to a malicious domain, so further investigation is required.

This webserver is quite interesting, because it is part of the PORTA project, part of a MINAF initiative to change its IT to be modular, more scalable and resilient. PORTA hosts several Docker containers:

  • Container1: Apache1 (prod)
  • Container2: Apache2 (prod)
  • Container3: Apache3 (prod)
  • Container4: Apache4 (dev)
  • Container5: Jenkins
  • Container6: Jira/Confluence

PORTA is still considered a "baby project", and has its critics among MINAF IT (who defend the old motto "If it works, do not touch it"). A severe security incident could undermine the project's credibility and could lead to its early demise.

Evidence

The MINAF CISO gives you this evidence:

MINAF-PORTA_RAM.dmp : PORTA RAM dump
MINAF-PORTA_disk.zip : PORTA full disk

Here you have the hashes for all the collected evidence: hashes.txt

[Note0]: The flags are all case-insensitive and must be answered in plaintext (oldschool guy here).
[Note1]: Any evidence you find before XXX UTC must be discarded because it's not related to our case.

Your mission

... should you choose to accept it, is to answer all the challenges and find the truth about this incident. Have the attackers compromised just one misconfigured container, or do they have control over all the container infrastructure? Help MINAF figure out how the attackers compromised this container so they can solve the incident and save its whole container initiative!

Made by

This challenge has been made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at University of Zaragoza. Extra large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical devices security guy), professors from DIEC/Unizar for their support. Play, learn, share & have fun!