# Red Team Activity 1

- 84 Points / 199 Solves

## Background

Q1: what was the script name that was dropped?

Note: Flag format is `RS{MD5sum(<answer string>)}`

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/RITSEC-CTF-2023/images/Pasted%20image%2020230401175355.png)

## Find the flag

**In this challenge, we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1)-[2023.04.01|17:54:12(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```

As you can see, it's `auth.log`, the Linux log file that records **system authorization events, including user logins and the authentication mechanisms that were used.** On this box it also carries command-execution records from `snoopy`, which will turn out to be the useful part.

**Since the challenge question asks about a "script", we can search for `.sh` file names with `grep` (the dot is escaped so it matches a literal `.` rather than any character):**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1)-[2023.04.01|17:55:28(HKT)]
└> grep '\.sh' auth.log
Mar 25 20:10:40 ctf-1 sudo: root : (command continued) # sha256sum is installed by default in some other distros#012 elif check_exists sha256sum; then#012 SHA_COMMAND="sha256sum"#012 fi#012 if [[ "${SHA_COMMAND}" != "" ]]; then#012 log "Will use ${SHA_COMMAND} to validate the checksum of the downloaded file"#012 SHA_URL="${URL}.sha256"#012 SHA_PATH="${OUTPUT_PATH}.sha256"#012 ${CURL_COMMAND} -o "${SHA_PATH}" "${SHA_URL}"#012 if ${SHA_COMMAND} --status -c "${SHA_PATH}"; then#012 log "The downloaded file's checksum validated correctly"#012 else#012 SHA_EXPECTED=$(cat "${SHA_PATH}")#012 SHA_ACTUAL=$(${SHA_COMMAND} "${OUTPUT_PATH}")#012 if check_exists awk; then#012 SHA_EXPECTED=$(echo "${SHA_EXPECTED}" | awk '{print $1}')#012 SHA_ACTUAL=$(echo "${SHA_ACTUAL}" | awk '{print $1}')#012 fi#012 log_important "Checksum of the downloaded file did not validate correctly"#012
Mar 25 20:49:58 ctf-1 snoopy[2515]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: vim /dev/shm/_script2980.sh
[...]
```

Found it! The first hit is a false positive: it is a multi-line installer script that `sudo` logged, and `.sh` only matches the `.sha256` inside it (the `#012` sequences are rsyslog's escaped newlines). The second hit is the real one: a `snoopy` record of `root` opening `/dev/shm/_script2980.sh` in `vim` from an SSH session, with `/root/.ssh` as the working directory. A script written into the memory-backed, world-writable `/dev/shm` by an interactive root session looks suspicious.

**MD5 the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1)-[2023.04.01|17:54:13(HKT)]
└> echo -n '_script2980.sh' | md5sum
5d8b854103d79677b911a1a316284128 -
```

> Note: The `-n` flag stops `echo` from appending a newline. Without it you would be hashing `_script2980.sh\n`, which gives a different MD5 hash.
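As an added example (not part of the original writeup), here is the same hunt and the flag step done in Python instead of with a bare `grep`. It parses the `snoopy` fields (login, uid, cwd, command), keeps only commands that name a script under a world-writable drop directory, decodes rsyslog's `#012`-style control-character escapes, and formats the flag from an answer string. The sample log is constructed here from the two grep hits quoted above (the `sudo` line shortened) plus three made-up `snoopy` lines; the drop-directory list, the extension list and all function names are my own choices, not anything the challenge defines.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the sudo line and the "vim" line are the two grep
# hits quoted in the writeup (sudo line shortened); the chmod, ls and python3
# lines are made up here to show what the parser keeps and what it drops.
SAMPLE_AUTH_LOG = r"""Mar 25 20:10:40 ctf-1 sudo: root : (command continued) # sha256sum is installed by default in some other distros#012 elif check_exists sha256sum; then#012 SHA_COMMAND="sha256sum"#012 fi
Mar 25 20:49:58 ctf-1 snoopy[2515]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: vim /dev/shm/_script2980.sh
Mar 25 20:50:03 ctf-1 snoopy[2520]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: chmod +x /dev/shm/_script2980.sh
Mar 25 20:51:10 ctf-1 snoopy[2531]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root]: ls -la /etc/ssh
Mar 25 20:52:41 ctf-1 snoopy[2544]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root]: python3 /tmp/.cache.py
"""

# Assumed drop locations: world-writable, and /dev/shm is memory-backed so a
# script there vanishes on reboot. Trailing slash avoids matching "/tmpfoo".
DROP_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
SCRIPT_EXTS = (".sh", ".py", ".pl")

# snoopy line: "<ts> <host> snoopy[<pid>]: [<key:value fields>]: <command>"
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<fields>[^\]]*)\]: (?P<cmd>.*)$"
)
FIELD_RE = re.compile(r"(\w+):(\S+)")  # "(0/root)" has no colon and is skipped


@dataclass
class SnoopyEvent:
    timestamp: str
    host: str
    pid: int
    login: str
    uid: str
    cwd: str
    command: str


def decode_rsyslog_escapes(text: str) -> str:
    """rsyslog stores control characters as '#' plus three octal digits, which is
    why the multi-line sudo entry shows '#012' (LF) at every line break."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_snoopy(line: str) -> Optional[SnoopyEvent]:
    """Return a SnoopyEvent for a snoopy record, or None for any other auth.log line."""
    m = SNOOPY_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return SnoopyEvent(
        timestamp=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
        login=fields.get("login", "?"), uid=fields.get("uid", "?"),
        cwd=fields.get("cwd", "?"), command=m.group("cmd"),
    )


def script_args(command: str) -> List[str]:
    """Arguments of a command that are script paths inside a drop directory."""
    return [a for a in command.split() if a.startswith(DROP_DIRS) and a.endswith(SCRIPT_EXTS)]


def dropped_scripts(log_text: str) -> List[Tuple[SnoopyEvent, str]]:
    """Every (event, script path) pair where a logged command touched a dropped script."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_snoopy(line)
        if ev is None:  # sudo, sshd, PAM lines etc. are not command records
            continue
        for path in script_args(ev.command):
            hits.append((ev, path))
    return hits


def script_names(log_text: str) -> List[str]:
    """Distinct dropped-script file names in first-seen order (the answer wanted here)."""
    names: List[str] = []
    for _, path in dropped_scripts(log_text):
        name = path.rsplit("/", 1)[-1]
        if name not in names:
            names.append(name)
    return names


def flag_for(answer: str) -> str:
    """RS{md5(answer)}: hash the bare string, never a trailing newline (echo -n)."""
    return "RS{" + hashlib.md5(answer.encode()).hexdigest() + "}"


if __name__ == "__main__":
    for ev, path in dropped_scripts(SAMPLE_AUTH_LOG):
        print(f"{ev.timestamp} login={ev.login} uid={ev.uid} cwd={ev.cwd} :: {ev.command} -> {path}")
    print(flag_for(script_names(SAMPLE_AUTH_LOG)[0]))
```

The parser deliberately ignores the `sudo` entry that `grep '\.sh'` also returned: its `.sha256` is data inside a logged script, not a command argument, and `ls -la /etc/ssh` is skipped too because `ssh` is not a script extension. Run it as a script to see the hits and the flag for the first name it finds.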

- **Flag: `RS{5d8b854103d79677b911a1a316284128}`**

Original writeup (https://siunam321.github.io/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1-4/#red-team-activity-1).