
# OpTinselTrace24–2: Cookie Consumption Walk-through

We need to interpret the provided Kubernetes and web server logs and answer the following:

**How many replicas are configured for the flask-app deployment?**

Replicas are identical copies of a pod that a deployment keeps running so a service stays available even if one pod fails. Grep or search for `replica` in the terminal or in an IDE. You’ll see results from `deployments.log` and `pods.log`. The first file reveals that there are 3 replicas available, and in the second file we can find their respective IPs among other information.

*Answer: 3*


**What is the NodePort through which the flask-app is exposed?**

A NodePort is the port on every cluster node through which a service is exposed externally. As before, search for `NodePort`; the `services.log` file contains the answer.

*Answer: 30000/TCP*


**What time (UTC) did the attacker first initiate fuzzing on the /system/ endpoint?**

For this, we need to look at the web server logs. We know that 3 flask apps are running. Inside `system_logs` > `node_logs` there are web server logs for the `flask-app-77fbdcfcff` ReplicaSet. Checking these for the pod IPs we found in the first question (10.42.0.14, 10.42.0.16 and 10.42.0.17) leads us to the fuzzing logs. Fuzzing started at 22:02 on the .16 pod and at 22:06 on the .17 and .14 pods.

*Answer: 2024–11–08 22:02:48*


**Which endpoint did the attacker discover through fuzzing and subsequently exploit?**

Searching for `200 -\n` took me to the section of the logs where the attacker discovers the `/system/execute` endpoint and then exploits the `execute_command` function behind it, which was running OS commands.

*Answer: /system/execute*

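The two previous questions are answered by reading the access logs by hand. The following script does the same work programmatically: it parses werkzeug-style access lines, finds the start of the first 404 burst under a prefix (the fuzzing), lists the endpoints under that prefix that answered 200 afterwards (what the scanner found), and orders the pods by when they were first hit. This is an added example for this walk-through, not code from the Sherlock or the challenge author; the werkzeug development-server log format is an assumption about what the pod logs look like, and the sample lines are constructed (only the date, the pod IPs and the `/system/execute` path come from the write-up; the client IP, paths and seconds are made up).

```python
"""Spot fuzzing in Flask (werkzeug) access logs and list the endpoints the
scanner actually found.

Added example for this walk-through, not code from the Sherlock. The log line
layout is the werkzeug development-server format (an assumption about the pod
logs), and the sample lines below are constructed: only the date, the pod IPs
and the /system/execute path come from the write-up.
"""
import re
from datetime import datetime, timedelta

# werkzeug access line, e.g.:
#   10.42.0.1 - - [08/Nov/2024 22:02:48] "GET /system/admin HTTP/1.1" 404 -
WERKZEUG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_access_line(line):
    """Return a dict for one werkzeug access line, or None for anything else."""
    m = WERKZEUG_RE.match(line.strip())
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def first_fuzz_time(lines, prefix="/system/", min_misses=3, window=timedelta(seconds=60)):
    """Start of the first burst of 404s under `prefix`.

    A burst is `min_misses` or more 404 responses within `window`: an isolated
    typo does not qualify, a wordlist does.
    """
    misses = sorted(
        e["ts"] for e in map(parse_access_line, lines)
        if e and e["status"] == 404 and e["path"].startswith(prefix)
    )
    for i, start in enumerate(misses):
        if len(misses) - i >= min_misses and misses[i + min_misses - 1] - start <= window:
            return start
    return None


def discovered_endpoints(lines, prefix="/system/"):
    """Paths under `prefix` that answered 200 at or after the fuzzing started."""
    start = first_fuzz_time(lines, prefix)
    if start is None:
        return []
    return sorted({
        e["path"] for e in map(parse_access_line, lines)
        if e and e["ts"] >= start and e["status"] == 200 and e["path"].startswith(prefix)
    })


def fuzz_timeline(logs_by_pod, prefix="/system/"):
    """{pod_ip: first fuzz time} for every pod that saw a burst, earliest first."""
    found = {}
    for pod_ip, text in logs_by_pod.items():
        start = first_fuzz_time(text.splitlines(), prefix)
        if start is not None:
            found[pod_ip] = start
    return dict(sorted(found.items(), key=lambda kv: kv[1]))


# Constructed per-pod access logs (client IP, paths and seconds are made up).
POD_16_LOG = """\
10.42.0.1 - - [08/Nov/2024 21:55:10] "GET / HTTP/1.1" 200 -
10.42.0.1 - - [08/Nov/2024 21:55:11] "GET /static/style.css HTTP/1.1" 200 -
10.42.0.1 - - [08/Nov/2024 22:02:48] "GET /system/admin HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:02:48] "GET /system/backup HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:02:49] "GET /system/config HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:02:49] "GET /system/debug HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:03:05] "GET /system/execute HTTP/1.1" 200 -
10.42.0.1 - - [08/Nov/2024 22:10:31] "POST /system/execute HTTP/1.1" 200 -
"""
POD_17_LOG = """\
10.42.0.1 - - [08/Nov/2024 22:06:12] "GET /system/admin HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:06:12] "GET /system/backup HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:06:13] "GET /system/config HTTP/1.1" 404 -
"""
POD_14_LOG = """\
10.42.0.1 - - [08/Nov/2024 22:06:40] "GET /system/admin HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:06:40] "GET /system/backup HTTP/1.1" 404 -
10.42.0.1 - - [08/Nov/2024 22:06:41] "GET /system/config HTTP/1.1" 404 -
"""
LOGS_BY_POD = {"10.42.0.14": POD_14_LOG, "10.42.0.16": POD_16_LOG, "10.42.0.17": POD_17_LOG}

if __name__ == "__main__":
    for pod_ip, start in fuzz_timeline(LOGS_BY_POD).items():
        print(f"{pod_ip}: fuzzing began {start:%Y-%m-%d %H:%M:%S} UTC")
    print("discovered on .16:", discovered_endpoints(POD_16_LOG.splitlines()))
```

The burst threshold is what separates a scanner from a user mistyping a URL; on real logs, tune `min_misses` and `window` to the traffic volume of the service, and treat any 200 that follows the burst under the same prefix as the endpoint worth investigating first.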

**Which program did the attacker attempt to install to access their HTTP pages?**

Continuing through the same logs, the error messages referring to `/tmp/f`, `nc` and `sh` make it clear that the attacker is trying to obtain a reverse shell. By the end of the file we can observe that the attacker downloaded `curl` on the host machine to launch a reverse shell to their own machine.

*Answer: curl*


**What is the IP address of the attacker?**

This can be obtained from the process log, since we now know that the attacker used curl to establish a connection back to themselves.

*Answer: 10.129.231.112*


**What is the name of the pod that was compromised and used by the attacker as the initial foothold?**

The pod with IP 10.42.0.16 is the one the attacker gained access to. Its name can be obtained from the `pods.log` file.

*Answer: flask-app-77fbdcfcff-2tqgw*

**What is the name of the malicious pod created by the attacker?**

Looking carefully at the `pods.log` file, the first and most recent entry is for a container named `evil`, which is the pod created by the attacker.

*Answer: evil*

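The replica count, the IP-to-pod lookup and the spotting of `evil` all come from one table in `pods.log`. The script below answers those three questions from a `kubectl get pods -o wide`-style table: replicas per ReplicaSet (derived from the `<deployment>-<rs hash>-<suffix>` naming convention), the pod that owns a given IP, and pods whose name matches none of the expected workloads. This is an added example for this walk-through, not code from the Sherlock or the challenge author; the column layout is an assumption about `pods.log`, and the table is constructed, with the ReplicaSet name, the `2tqgw` pod, the three pod IPs and the `evil` pod taken from the write-up and the other pod suffixes, the `evil` pod's IP and the node name made up.

```python
"""Answer inventory questions from a `kubectl get pods -o wide`-style table:
how many replicas a ReplicaSet is running, which pod owns an IP, and which
pods belong to no expected workload.

Added example for this walk-through, not code from the Sherlock. The column
layout is an assumption about pods.log; the table below is constructed, with
the ReplicaSet name, the 2tqgw pod, the three pod IPs and the `evil` pod taken
from the write-up and the remaining pod suffixes, IP and node name made up.
"""
from collections import Counter

PODS_LOG = """\
NAME                         READY   STATUS    RESTARTS   AGE   IP           NODE    NOMINATED NODE   READINESS GATES
evil                         1/1     Running   0          2m    10.42.0.20   node1   <none>           <none>
flask-app-77fbdcfcff-2tqgw   1/1     Running   0          3h    10.42.0.16   node1   <none>           <none>
flask-app-77fbdcfcff-k9x2m   1/1     Running   0          3h    10.42.0.14   node1   <none>           <none>
flask-app-77fbdcfcff-q7z4p   1/1     Running   0          3h    10.42.0.17   node1   <none>           <none>
"""

# Leading columns of `kubectl get pods -o wide`; trailing columns are ignored.
COLUMNS = ("name", "ready", "status", "restarts", "age", "ip", "node")


def parse_pods(text):
    """Parse the table into dicts; the header row is skipped, spare columns ignored."""
    pods = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < len(COLUMNS):
            continue  # blank or truncated line
        pods.append(dict(zip(COLUMNS, fields)))
    return pods


def replicaset_of(pod_name):
    """ReplicaSet name for a Deployment-managed pod (`<deploy>-<rs hash>-<suffix>`),
    or None for a pod created directly, which carries no such lineage in its name."""
    parts = pod_name.rsplit("-", 2)
    return "-".join(parts[:2]) if len(parts) == 3 else None


def count_replicas(pods):
    """Pod count per ReplicaSet."""
    return Counter(rs for rs in (replicaset_of(p["name"]) for p in pods) if rs)


def pod_by_ip(pods, ip):
    """Name of the pod holding `ip`, or None."""
    return next((p["name"] for p in pods if p["ip"] == ip), None)


def unexpected_pods(pods, expected_prefixes):
    """Pods whose name matches none of the expected workload prefixes."""
    return sorted(
        p["name"] for p in pods
        if not any(p["name"].startswith(prefix + "-") for prefix in expected_prefixes)
    )


if __name__ == "__main__":
    pods = parse_pods(PODS_LOG)
    print("replicas per ReplicaSet:", dict(count_replicas(pods)))
    print("pod at 10.42.0.16:", pod_by_ip(pods, "10.42.0.16"))
    print("pods outside known workloads:", unexpected_pods(pods, ["flask-app"]))
```

In a real investigation `unexpected_pods` is the step worth automating: the inventory of workloads you deploy is short and known, so anything outside it, like a pod named `evil` with no ReplicaSet hash, stands out immediately.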

**What is the absolute path of the backdoor file left behind by the attacker?**

The most obvious way to leave a backdoor is through cron jobs. In `cron.txt` we’ll see the backdoor shell script, configured to run every 5 minutes.

*Answer: /opt/backdoor.sh*
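Reading `cron.txt` by eye works for one host; the script below turns the same check into something you can run across many crontab dumps. It parses the system crontab format, computes the run interval from the minute field, and flags jobs that fire frequently (or at boot) and execute something from a directory that package managers never populate. This is an added example for this walk-through, not code from the Sherlock or the challenge author; the `/etc/crontab` layout (schedule, user, command) is an assumption about `cron.txt`, and the dump below is constructed around the `/opt/backdoor.sh` entry from the write-up.

```python
"""Review a crontab dump for persistence: entries that fire on a tight
schedule and run something from a directory that normal packaging never
touches.

Added example for this walk-through, not code from the Sherlock. The
/etc/crontab system format (schedule, user, command) is an assumption about
cron.txt; the dump below is constructed around the /opt/backdoor.sh entry
from the write-up.
"""
import re

CRON_TXT = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /opt/backdoor.sh
"""

# Locations a package manager does not populate; scripts run from here deserve a look.
UNUSUAL_DIRS = ("/opt/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
ABS_PATH_RE = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_crontab(text):
    """Return {minute, hour, user, command} per job; skip comments, blanks and env lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ... shorthand schedules
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append({"minute": parts[0], "hour": "*", "user": parts[1], "command": parts[2]})
            continue
        if "=" in line.split()[0]:  # SHELL=..., PATH=... variable assignments
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # not a five-field schedule plus user plus command
        minute, hour, _dom, _mon, _dow, user, command = fields
        jobs.append({"minute": minute, "hour": hour, "user": user, "command": command})
    return jobs


def minute_interval(minute_field):
    """Minutes between runs for simple schedules: `*` -> 1, `*/N` -> N, `@reboot` -> 0;
    None for anything else (fixed minutes, lists, ranges, other @ shorthands)."""
    if minute_field == "*":
        return 1
    if minute_field == "@reboot":
        return 0
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_jobs(text, max_interval=10):
    """Absolute paths under UNUSUAL_DIRS run by jobs that fire at least every
    `max_interval` minutes, or at boot."""
    flagged = []
    for job in parse_crontab(text):
        interval = minute_interval(job["minute"])
        if interval is None or interval > max_interval:
            continue
        for path in ABS_PATH_RE.findall(job["command"]):
            if path.startswith(UNUSUAL_DIRS) and path not in flagged:
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in suspicious_jobs(CRON_TXT):
        print("review:", path)
```

The heuristic is deliberately coarse: `/opt` also hosts legitimate software, so the output is a review list rather than a verdict, and the next step on a real host is to hash and read each flagged script and compare it against the package database.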

*[Originally published on Jan 1, 2025]*
