Hammered Blue Team Challenge Write-Up
Category: Endpoint Forensics
Level: Medium
Challenge download link: https://cyberdefenders.org/blueteam-ctf-challenges/enroll/42
Instructions:
Unzip the challenge (pass: cyberdefenders.org), analyze the logs, and find the answers.
Challenge files:
- kern.log
- auth.log
- daemon.log
- dmesg
- apache2
Q1-Which service did the attackers use to gain access to the system?
- Open auth.log and grep for "failed". You will notice a huge number of failed SSH login attempts, so the service is SSH:
└─$ cat auth.log | grep -i "failed"
THE Answer : SSH
Q2-What is the operating system version of the targeted system? (one word)
- Open kern.log and search for the name of a standard Linux distro (Ubuntu, Debian, etc.).
- So I grep the log file for "ubuntu":
└─$ cat kern.log | grep -i "ubuntu"
THE Answer : 4.2.4-1ubuntu3
Q3-What is the name of the compromised account?
- Open auth.log and grep for "Accepted password" to find the successful login attempts:
└─$ cat auth.log | grep -i "Accepted password"
THE Answer : Root
Q4-Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?
- We need to extract IPs from auth.log, so I used this command to list the IPs that successfully logged in to the root account (sort before uniq, otherwise only adjacent duplicates are collapsed):
└─$ cat auth.log | grep -i "accepted password" | grep root | cut -d " " -f 11 | sort | uniq
- But some of those IPs are good (they do not belong to the attackers), so I grep each IP and count its failed attempts to tell the bad IPs apart (grep -F makes the dots in the address match literally). Run this command for each IP:
└─$ cat auth.log | grep -i "failed password" | grep root | grep -F "THE IP-addr" | wc -l
- So we have 6 bad IPs:
219.150.161.20
222.66.204.246
121.11.66.70
222.169.224.197
122.226.202.12
61.168.227.12
THE Answer : 6
Q5-Which attacker's IP address successfully logged into the system the most number of times?
- Just grep each bad IP from the list above together with "accepted password" and count the lines:
└─$ cat auth.log | grep -i "accepted password" | grep root | grep -F "BAD-IP" | wc -l
- Now we know 219.150.161.20 has the most successful logins.
THE Answer : 219.150.161.20
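The grep-and-count procedure of Q3 to Q5, plus the last-login lookup of Q9, as an added example that is not part of the original write-up. It is written as POSIX shell functions over a constructed auth.log sample (the hostname app-1, the process IDs and the 10.0.0.5 address are made up; the lines are not the challenge data). Instead of `cut -d " " -f 11` it takes the token after "from", because the field position shifts on "invalid user" lines and on single-digit days, which syslog pads with two spaces.

```shell
#!/bin/sh
# Added example, not from the original write-up. The auth.log lines below are
# constructed to mimic the Ubuntu sshd format; they are not the challenge data.
AUTH_LOG="$(mktemp)"
cat > "$AUTH_LOG" <<'EOF'
Apr  9 09:15:02 app-1 sshd[1107]: Accepted password for root from 10.0.0.5 port 51022 ssh2
Apr 19 05:40:01 app-1 sshd[2201]: Failed password for root from 219.150.161.20 port 53301 ssh2
Apr 19 05:40:03 app-1 sshd[2201]: Failed password for root from 219.150.161.20 port 53301 ssh2
Apr 19 05:41:10 app-1 sshd[2210]: Accepted password for root from 219.150.161.20 port 53344 ssh2
Apr 19 05:56:05 app-1 sshd[2290]: Accepted password for root from 219.150.161.20 port 53441 ssh2
Apr 19 06:02:17 app-1 sshd[2301]: Failed password for invalid user admin from 222.66.204.246 port 40112 ssh2
Apr 19 06:02:40 app-1 sshd[2305]: Accepted password for root from 222.66.204.246 port 40130 ssh2
EOF

# Print the address that follows the "from" token on every line matching
# regex $2 in log file $1. Works regardless of the field position.
ips_matching() {
  awk -v pat="$2" '$0 ~ pat { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1"
}

# Unique IPs that logged in as root with a password (first step of Q3/Q4).
root_login_ips() {
  ips_matching "$1" 'Accepted password for root' | sort -u
}

# Number of failed password attempts from IP $2, against any account.
failed_count() {
  ips_matching "$1" 'Failed password' | grep -c -x -F "$2" || true
}

# Number of successful root logins from IP $2.
accepted_count() {
  ips_matching "$1" 'Accepted password for root' | grep -c -x -F "$2" || true
}

# Attackers: IPs that got in as root AND had failed attempts before (Q4).
attacker_ips() {
  for ip in $(root_login_ips "$1"); do
    if [ "$(failed_count "$1" "$ip")" -gt 0 ]; then
      echo "$ip"
    fi
  done
}

# Attacker IP with the most successful logins (Q5).
top_attacker() {
  for ip in $(attacker_ips "$1"); do
    echo "$(accepted_count "$1" "$ip") $ip"
  done | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Timestamp of the last successful root login from IP $2 (Q9). syslog lines
# carry no year, which is why the write-up reads it from the file date.
last_login() {
  awk -v ip="$2" '/Accepted password for root/ {
    for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) last = $1 " " $2 " " $3
  } END { print last }' "$1"
}

echo "attackers: $(attacker_ips "$AUTH_LOG" | wc -l | tr -d ' ')"
echo "most logins: $(top_attacker "$AUTH_LOG")"
echo "last login of 219.150.161.20: $(last_login "$AUTH_LOG" 219.150.161.20)"
```

On the sample, 10.0.0.5 is excluded from the attacker list because it never failed a login, which is exactly the "good IP" filter the write-up applies by hand. Point AUTH_LOG at the real auth.log to reuse the functions.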
Q6-How many requests were sent to the Apache Server?
- Easy one: just count the lines in the www.access.log file, since each request is logged on its own line:
THE Answer : 365
Q7-How many rules have been added to the firewall?
- I used Google to search for firewall logs on Ubuntu systems and found that I need to look in auth.log for iptables commands that append a rule (-A):
└─$ cat auth.log | grep -i "iptables"
THE Answer : 6
Q8-One of the downloaded files to the target system is a scanning tool. Provide the tool name.
- You can search in dpkg.log or in term.log (term.log records the output of apt-get and apt-cache commands run in a terminal).
- The question asks about a scanning tool, so I guessed nmap, opened dpkg.log and grepped for nmap. The same entry shows up in term.log:
THE Answer : Nmap
Q9-When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM
- Open auth.log and grep for the IP address together with "accepted password":
└─$ cat auth.log | grep -i "accepted" | grep "219.150.161.20"
- The answer isn't complete: syslog timestamps carry no year, so we need the year of the login attempt.
- So just use "ls -lha" to list the challenge files with their dates; the year comes from the file's modification date:
THE Answer : 04/19/2010 05:56:05 AM
Q10-The database displayed two warning messages, provide the most important and dangerous one.
- Just open daemon.log and grep for "warning":
└─$ cat daemon.log | grep -i "warning"
THE Answer : mysql.user contains 2 root accounts without password!
Q11-Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
- Open auth.log, search for the "useradd" keyword and grep for the time given in the question:
└─$ cat auth.log | grep -i useradd
THE Answer : wind3str0y
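The two auth.log lookups of Q7 and Q11, as an added example that is not part of the original write-up. It assumes the firewall rules were added through sudo, which is what puts them in auth.log, and it counts both -A (append) and -I (insert) invocations, whereas the write-up counts only -A. The sudo and useradd lines below are constructed (user1, svc_backup and tmpadmin are made-up names), not the challenge data.

```shell
#!/bin/sh
# Added example, not from the original write-up. Constructed auth.log lines in
# the sudo and useradd formats; they are not the challenge data.
AUTH_LOG="$(mktemp)"
cat > "$AUTH_LOG" <<'EOF'
Apr 24 19:44:07 app-1 sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Apr 24 19:44:20 app-1 sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Apr 24 19:44:31 app-1 sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/iptables -L -n
Apr 24 19:45:02 app-1 sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/iptables -I INPUT 1 -s 10.0.0.0/8 -j DROP
Apr 26 04:43:15 app-1 useradd[3012]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Apr 26 04:50:02 app-1 useradd[3020]: new user: name=tmpadmin, UID=1002, GID=1002, home=/home/tmpadmin, shell=/bin/bash
EOF

# iptables invocations run through sudo, reduced to the COMMAND= part.
iptables_commands() {
  grep 'sudo:' "$1" | grep 'COMMAND=' | sed 's/.*COMMAND=//' | grep -F iptables
}

# Rule additions: -A (append) or -I (insert). Listing (-L) is not a change.
rule_add_count() {
  iptables_commands "$1" | grep -c -E '(^| )-(A|I) ' || true
}

# Every account creation as "Mon DD HH:MM:SS name", for a quick overview.
new_users() {
  awk '/useradd\[[0-9]+\]: new user:/ {
    if (match($0, /name=[^,]+/)) print $1, $2, $3, substr($0, RSTART + 5, RLENGTH - 5)
  }' "$1"
}

# Name of the account created at the exact timestamp $2 ("Mon DD HH:MM:SS",
# the first 15 characters of the line; single-digit days are "Mon  D").
user_created_at() {
  awk -v ts="$2" '/useradd\[[0-9]+\]: new user:/ && substr($0, 1, 15) == ts {
    if (match($0, /name=[^,]+/)) print substr($0, RSTART + 5, RLENGTH - 5)
  }' "$1"
}

echo "rules added: $(rule_add_count "$AUTH_LOG")"
new_users "$AUTH_LOG"
echo "created at Apr 26 04:43:15: $(user_created_at "$AUTH_LOG" 'Apr 26 04:43:15')"
```

Reducing each line to its COMMAND= part first keeps the count honest: a plain `grep -c iptables` would also count the listing command and any sudo line whose working directory happens to mention iptables.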
Q12-Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
- Open www.access.log and look at the user agents (the last quoted field of each line); you will find the answer easily:
THE Answer : pxyscand/2.1
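The two Apache questions (the request count of Q6 and the user-agent review of Q12), as an added example that is not part of the original write-up. It parses constructed combined-format lines (the 10.0.0.7, 203.0.113.9 and 198.51.100.4 addresses and the request paths are made up, not the challenge's www.access.log) and ranks user agents that do not present as a browser by how many distinct sources sent them, which is a quick way to surface a shared scanning proxy in a large log rather than reading every line.

```shell
#!/bin/sh
# Added example, not from the original write-up. Constructed Apache combined
# log lines; they are not the challenge's www.access.log.
ACCESS_LOG="$(mktemp)"
cat > "$ACCESS_LOG" <<'EOF'
10.0.0.7 - - [19/Apr/2010:05:12:01 +0000] "GET / HTTP/1.1" 200 1245 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
10.0.0.7 - - [19/Apr/2010:05:12:03 +0000] "GET /style.css HTTP/1.1" 200 310 "http://app-1/" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6"
203.0.113.9 - - [19/Apr/2010:05:30:44 +0000] "GET / HTTP/1.0" 200 1245 "-" "pxyscand/2.1"
203.0.113.9 - - [19/Apr/2010:05:30:45 +0000] "GET /admin/ HTTP/1.0" 404 286 "-" "pxyscand/2.1"
198.51.100.4 - - [19/Apr/2010:05:31:02 +0000] "GET / HTTP/1.0" 200 1245 "-" "pxyscand/2.1"
198.51.100.4 - - [19/Apr/2010:05:40:10 +0000] "GET /login HTTP/1.1" 400 0 "-" "-"
EOF

# Q6: one request per line, so the line count is the request count.
request_count() {
  wc -l < "$1" | tr -d ' '
}

# The user agent is the 6th double-quote-delimited field of a combined line:
# 1 = "ip - - [time] ", 2 = request, 3 = status/bytes, 4 = referer, 6 = UA.
user_agent_of() {
  awk -F'"' '{ print $6 }' "$1"
}

# Q12 helper: user agents by request count, most frequent first.
user_agent_tally() {
  user_agent_of "$1" | sort | uniq -c | sort -rn
}

# User agents not starting with "Mozilla/" (so not a normal browser string),
# printed as "<distinct source IPs> <requests> <user agent>", most sources first.
non_browser_agents() {
  awk -F'"' '$6 !~ /^Mozilla\// {
    split($1, a, " "); key = $6 SUBSEP a[1]
    reqs[$6]++
    if (!(key in seen)) { seen[key] = 1; srcs[$6]++ }
  } END { for (ua in reqs) printf "%d %d %s\n", srcs[ua], reqs[ua], ua }' "$1" | sort -rn
}

echo "requests: $(request_count "$ACCESS_LOG")"
echo "user agents by request count:"
user_agent_tally "$ACCESS_LOG"
echo "non-browser user agents (sources requests agent):"
non_browser_agents "$ACCESS_LOG"
```

A user agent seen from several unrelated source addresses, yet absent from the browser-looking strings, is the pattern that points at a shared proxy or scanning tool; an empty agent ("-") is listed too, since it is equally worth a look.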
THE END
BY : Ahmed Nasser