RESSI 2016

For the second edition of the RESSI, the challenge was a forensic one. It was rather short but enjoyable. However, it seems that we were the only team (cheers Thibault Soubiran <3) to find all the planned answers. Winners two years in a row!

I translated the scenario (you can find it below). The required files are:

Thanks François Lesueur from INSA Lyon for creating this challenge :-)

Scenario

TFTE (Toulouse From / To Everywhere) is a travel agency specializing in Toulouse tourism. In recent days, accounting errors were detected. After suspecting some errors, employees kept a paper record of payments and compared the balance on that paper record with the sum of all transfers from the bank account. The two amounts did not match. You have been called in to find the problem. Here is some information about the events:

  • The period of interest begins April 15 and ends April 28,
  • On Monday, April 25, suspected payment errors appear,
  • Since April 25, employees have kept a written record of transactions, in addition to the IT workflow described later in this document,
  • The next day, they found that the amounts actually paid exceed the legitimate transactions,
  • They have investigated but have not found the cause,
  • On Thursday, April 28, in the morning, your company is contacted,
  • You arrive on April 28 at 15:00 to investigate.

For reasons of confidentiality and continuity of service, TFTE does not wish to provide administrator access to the workstations and corporate servers. However, they provide:

  • The workflow of a legitimate transaction
  • The internal reference document describing the network topology and the associated flow matrix
  • The logs of each machine of the company (an archive of the /var/log folder)

Moreover, it is a small company: employees have been there for a long time and know each other well, so they are not suspects. No employee or student has left the company recently.

Workflow of a legit transaction

The workflow of a legit transaction is the following. The secretary, Julien Lepont (jlepont@tfte.com), meets clients and saves the orders in a file. The salesman, Frédérique Durand (fdurand@tfte.com), periodically retrieves the file stored on the secretary's computer via a network share. Frédérique then executes the transactions from his machine, using the payment server, which runs a dedicated application that performs the banking transactions. Gaëlle Friuli (gfrioul@tfte.com) is the administrator of the information system.

Rules

You must trace the problem back to its origin and submit each step on the scoring site to validate the path followed (you have to create an account first). While following the trail back to the problem, you must always describe the problem found and propose appropriate recommendations to prevent it from recurring. You only have the logs, so you have an incomplete view of the system (no access to machines, no network captures, etc.); certain stages of the attack will thus be inferred from visible traces, without formal proof. The period of interest is between April 15 and April 28. Older logs that may be present are not relevant for the challenge. Note also that you have all the logs of the IS machines, and all of them are useful for the challenge.