We think our system got compromised, our hosting company uses some strange logtool. Are you able to dig into the logfile and find out if we are compromised?

Challenge created by the Digital and Biometric Traces division of the Netherlands Forensic Institute.

Extracting the archive we got a FOR100.scap file. The .scap extension is the one used by sysdig, a system-call capture and analysis tool, for its capture files.

Using csysdig -r FOR100.scap we were able to browse the capture through a practical, interactive interface.

[screenshot: csysdig]

Looking through the files accessed in the capture, we found the execution of /tmp/challenge.py.

[screenshot: challenge]

Looking deeper we can see that it is called with a base64 string as its argument:

[screenshot: challenge_arg]

cnKlXI1pPEbuc1Av3eh9vxEpIzUCvQsQLKxKGrlpa8PvdkhfU5yyt9pJw43X9Mqe
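The same finding can be reproduced without the interactive csysdig views, which is handy when triaging a capture in a script. The example below is added here and is not part of the original write-up: it assumes the capture was dumped with sysdig's text mode, e.g. sysdig -r FOR100.scap -p "%evt.num %proc.name %proc.cmdline" evt.type=execve (field names and filter are sysdig's own, but the exact command is an assumption), and it parses a constructed sample of such lines, flagging any execution of a script from a world-writable directory that carries a base64 blob whose decoded length is a multiple of the AES block size.

```python
import base64
import binascii
import re

# Constructed sample in the shape of
#   sysdig -r FOR100.scap -p "%evt.num %proc.name %proc.cmdline" evt.type=execve
# Only the /tmp/challenge.py line mirrors the capture on the page; the rest is made up.
SAMPLE_EVENTS = """\
1042 bash bash
1107 ls ls --color=auto /var/log
1351 python python /tmp/challenge.py cnKlXI1pPEbuc1Av3eh9vxEpIzUCvQsQLKxKGrlpa8PvdkhfU5yyt9pJw43X9Mqe
1398 cat cat /etc/passwd
1402 python3 python3 /opt/app/worker.py --config /etc/app.conf
"""

# Directories where a dropped script is a classic post-compromise indicator.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Strict base64 alphabet, at least 16 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_events(text):
    """Split '%evt.num %proc.name %proc.cmdline' lines into (num, name, argv)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        events.append((int(parts[0]), parts[1], parts[2:]))
    return events


def decode_blob(token):
    """Return the decoded bytes if token is strict, block-aligned base64, else None."""
    if not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    # AES works on 16-byte blocks; an unpadded CBC ciphertext is block aligned.
    if len(raw) == 0 or len(raw) % 16 != 0:
        return None
    return raw


def find_suspicious_execs(text):
    """Flag execs of scripts from SUSPICIOUS_DIRS that carry a base64 argument."""
    hits = []
    for num, name, argv in parse_events(text):
        script = next((a for a in argv[1:] if a.startswith(SUSPICIOUS_DIRS)), None)
        if script is None:
            continue
        blobs = [a for a in argv[1:] if decode_blob(a) is not None]
        hits.append({"evt": num, "proc": name, "script": script, "blobs": blobs})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_execs(SAMPLE_EVENTS):
        size = len(decode_blob(hit["blobs"][0])) if hit["blobs"] else 0
        print(f"evt {hit['evt']}: {hit['proc']} ran {hit['script']} "
              f"with {len(hit['blobs'])} base64 arg(s), {size} bytes decoded")
```

For the argument on the page the decoded blob is 48 bytes, i.e. exactly three AES blocks, which is consistent with an unpadded CBC ciphertext and with the 48-character flag message recovered later.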

Using the Echo function of csysdig we were able to obtain the source of challenge.py:

[screenshot: source]

from Crypto.Cipher import AES
import base64
import sys

# AES-128-CBC with a hard-coded key and IV. The IV as shown here is 15
# characters; AES-CBC requires a 16-byte IV, so this line is likely missing a character.
obj = AES.new(b'n0t_just_t00ling', AES.MODE_CBC, b'7215fc61c2edd24')
ciphertext = sys.argv[1]  # base64 ciphertext passed on the command line
message = obj.decrypt(base64.b64decode(ciphertext))
print(message)

Executing the script with the previously found argument we got the flag:

b'Congrats! flag{1da3207f50d82e95c6c0eb803cdc5daf}'