copy Copy chevron-down
CTF walkthrough Hacked You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utiliz
Q1 What is the system timezone?
to find the time zone we need to search in /etc files
we will find the mentioned file is root/etc/timezone
Answer: Europe/Brussels
Q2 Who was the last user to log in to the system?
let us find it in the auth.log file , will find it at the path: root/var/auth.log
Answer: mail
Q3 What was the source port the user 'mail' connected from?
from the same file.
Answer: 57708
Q4 How long was the last session for user 'mail'? (Minutes only)
again from the same file, we have to calculate the time between the "opened" and "Closed" session time
Answer: 1
Q5 Which server service did the last user use to log in to the system?
from the previous screen, look at the session opened or closed line.
will know what is the session service.
Answer: sshd
if u scroll down at the auth.log file u would find many trying to log in, so that is a brute force attack
Answer: brute-force
Q7 How many IP addresses are listed in the '/var/log/lastlog' file?
192.168.56.101 192.168.210.131
Answer: 2
Q8 How many users have a login shell?
to find the users number we need to search at passwd file so any password put in /bin/bash leads to opening a login shell
the file will be at the path: root/etc/passwd
Answer: 5
Q9 What is the password of the mail user?
we would find the password hash by using the command :
and make a filter for the user: mail, by a grep command
note: shadow file & passwd in the path: root/etc/
finally, take the hash to john the Ripper.
Answer: forensics
Q10 Which user account was created by the attacker?
by searching for new users in auth.log we find that 'mail' who is the attacker-created user in name of php
Answer: Php
Q11 How many user groups exist on the machine?
let us go to the groups name, search for the group file in path root/etc/group
Answer: 58
Q12 How many users have sudo access?
from the previous screen sudo members located on sudo group
Answer: 2
Q13 What is the home directory of the PHP user?
Answer: /usr/php
Q14 What command did the attacker use to gain root privilege? (Answer contains two spaces).
let us look at the commands this user has written,go to root/var/mail
Answer: sudo su -
Q15 Which file did the user 'root' delete?
Search for root/root/.bash_history
Answer: 37292.c
Q16 What is the content management system (CMS) installed on the machine?
go to the path: root/var/www/html/jabc and find any file containing a cmd command targeted to the cms
Answer: drupal
Q17 What is the version of the CMS installed on the machine?
go to the path: root/var/www/html/jabc/includes/bootstrap
Answer:7.26
Q18 Which port was listening to receive the attacker's reverse shell?
From Q7 we knew that the IP is 192.168.210.131 so let us search for the connection made from this IP
go to the path: root/var/log/apatche2/access.log
while reading the URL there is base64 in the text, so we have to convert the text from base 64 using cyberchef.
try to take the URL text link and use cyberchef
Answer : 4444
