Hacked

You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utiliz

Q1 What is the system timezone?

To find the time zone, look under the /etc directory of the mounted image.

The relevant file is root/etc/timezone.

Answer: Europe/Brussels

Q2 Who was the last user to log in to the system?

Look in the auth.log file, which is at the path root/var/auth.log; the most recent accepted login is the last user to log in.

Answer: mail

Q3 What was the source port the user 'mail' connected from?

The same auth.log line that records the accepted login for 'mail' also records the source IP and source port.

Answer: 57708

Q4 How long was the last session for user 'mail'? (Minutes only)

Again from the same file: calculate the time between the "session opened" and "session closed" lines for user 'mail'.

Answer: 1

Q5 Which server service did the last user use to log in to the system?

In the same auth.log view, the "session opened" / "session closed" line is prefixed with the name of the service that handled the session.

Answer: sshd

Q6 What type of authentication attack was performed against the target machine?

If you scroll further down in auth.log you will find many failed login attempts in quick succession, which indicates a brute-force attack.

Answer: brute-force
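The steps for Q2 through Q6 can be scripted. The following is an added example, not part of the original writeup: it parses a constructed auth.log excerpt in the standard Ubuntu sshd/pam_unix syslog format and reports the last accepted login with its source port and service, the length of each completed session in whole minutes, and the source addresses with repeated failed attempts (the sample lines, the year and the failure threshold are assumptions).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth.log excerpt (not copied from the lab image); the layout is
# the standard Ubuntu sshd / pam_unix syslog format.
AUTH_LOG = """\
Mar 23 14:01:02 hacked sshd[1420]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Mar 23 14:01:03 hacked sshd[1421]: Failed password for invalid user test from 192.0.2.10 port 51001 ssh2
Mar 23 14:01:04 hacked sshd[1422]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar 23 14:01:05 hacked sshd[1423]: Failed password for mail from 192.0.2.10 port 51003 ssh2
Mar 23 14:05:10 hacked sshd[1500]: Accepted password for mail from 192.0.2.10 port 57708 ssh2
Mar 23 14:05:10 hacked sshd[1500]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Mar 23 14:06:40 hacked sshd[1500]: pam_unix(sshd:session): session closed for user mail
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
ACCEPT = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
OPENED = re.compile(r"session opened for user (\S+)")
CLOSED = re.compile(r"session closed for user (\S+)")

def parse_ts(stamp, year):
    # syslog timestamps carry no year; the analyst supplies it from the image
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyze(text, year=2024, threshold=3):
    failed = Counter()          # failed attempts per source IP
    last_login = None           # most recent accepted login (user, src, port, service)
    opened, sessions = {}, []   # open-session timestamps and completed sessions
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, service, msg = m.groups()
        if a := ACCEPT.search(msg):
            user, src, port = a.groups()
            last_login = {"user": user, "src": src, "port": int(port), "service": service}
        elif f := FAILED.search(msg):
            failed[f.group(1)] += 1
        elif o := OPENED.search(msg):
            opened[o.group(1)] = parse_ts(stamp, year)
        elif (c := CLOSED.search(msg)) and c.group(1) in opened:
            secs = (parse_ts(stamp, year) - opened.pop(c.group(1))).total_seconds()
            sessions.append((c.group(1), service, int(secs // 60)))  # whole minutes
    return {"last_login": last_login, "failed_by_src": dict(failed), "sessions": sessions,
            "brute_force_sources": [s for s, n in failed.items() if n >= threshold]}
```

Run `analyze(AUTH_LOG)` on the sample, or on the real file with `analyze(open("auth.log").read(), year=...)`, to get the same facts the questions ask for in one pass.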

Q7 How many IP addresses are listed in the '/var/log/lastlog' file?

The file lists two addresses: 192.168.56.101 and 192.168.210.131.

Answer: 2

Q8 How many users have a login shell?

To count these users, look at the passwd file: every entry whose last field is /bin/bash gets a login shell.

The file is at the path root/etc/passwd.

Answer: 5

Q9 What is the password of the mail user?

Combine the password hash with its passwd entry using the command:

unshadow passwd shadow

and filter for the user 'mail' with grep:

unshadow passwd shadow | grep 'mail'

Note: the shadow and passwd files are in the path root/etc/.

Finally, feed the resulting hash to John the Ripper.

Answer: forensics

Q10 Which user account was created by the attacker?

Searching auth.log for new-user entries shows that the attacker, logged in as 'mail', created a user named php.

Answer: Php

Q11 How many user groups exist on the machine?

Open the group file at the path root/etc/group and count the groups listed there.

Answer: 58

Q12 How many users have sudo access?

From the same file, the members listed in the sudo group are the users with sudo access.

Answer: 2

Q13 What is the home directory of the PHP user?

Answer: /usr/php

Q14 What command did the attacker use to gain root privilege? (Answer contains two spaces).

Look at the commands this user typed; go to root/var/mail.

Answer: sudo su -

Q15 Which file did the user 'root' delete?

Look at root/root/.bash_history.

Answer: 37292.c

Q16 What is the content management system (CMS) installed on the machine?

Go to the path root/var/www/html/jabc; the files there name the CMS.

Answer: drupal

Q17 What is the version of the CMS installed on the machine?

Go to the path root/var/www/html/jabc/includes/bootstrap, which declares the CMS version.

Answer: 7.26

Q18 Which port was listening to receive the attacker's reverse shell?

From Q7 we know the attacker's IP is 192.168.210.131, so search for the requests made from this IP.

Go to the path root/var/log/apache2/access.log.

While reading the requested URL you will notice base64 in the text, so decode it from base64 using CyberChef.

Paste the URL text into CyberChef; the decoded command reveals the port the attacker's listener was waiting on.

Answer: 4444
