Hacked - CyberDefenders
Category: Digital Forensics, Medium. Tags: Linux, FTK, Disk
You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).
Q1 What is the system timezone?
We can find it in the /etc/timezone file.

Ans : Europe/Brussels
Q2 Who was the last user to log in to the system?
We can find it in the authentication log at /var/log/auth.log.

Ans : mail
Q3 What was the source port the user 'mail' connected from?
From the previous screenshot we can find the answer: "57708".
Ans : 57708
Q4 How long was the last session for user 'mail'? (Minutes only)

The last session started at 13:23:34 and finished at 13:24:11, so it lasted just 1 minute.
Ans : 1
Q5 Which server service did the last user use to log in to the system?
In the same screenshot we can see sshd.
Ans : sshd
Q6 What type of authentication attack was performed against the target machine?

In the same file we find many failed login attempts, so it was a brute-force attack.
Ans : brute-force
Q7 How many IP addresses are listed in the '/var/log/lastlog' file?

Ans : 2
Q8 How many users have a login shell?
Count the users whose login shell is /bin/bash.

Ans : 5
Q9 What is the password of the mail user?
The password hash of the mail user is in /etc/shadow; crack it with John the Ripper:

sudo john --wordlist=/usr/share/rockyou.txt passwd.txt

Ans : forensics
Q10 Which user account was created by the attacker?
Back in auth.log, searching for the useradd command reveals it.

Ans : php
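The checks behind Q2 to Q6 and Q10 (last accepted login and its source port, session length, failed-attempt count per source IP, and useradd events) can be automated instead of read off screenshots. This is an added example, not part of the original writeup; the auth.log lines are constructed to mirror the writeup's answers, and the helper names (analyze_auth_log, session_minutes) are my own.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log lines (not the challenge's actual log); the user,
# port, timestamps and source IP mirror the answers given in this writeup.
SAMPLE_AUTH_LOG = """\
Mar 28 13:20:01 web sshd[1401]: Failed password for invalid user admin from 192.168.210.131 port 57601 ssh2
Mar 28 13:20:03 web sshd[1401]: Failed password for root from 192.168.210.131 port 57602 ssh2
Mar 28 13:20:05 web sshd[1403]: Failed password for mail from 192.168.210.131 port 57605 ssh2
Mar 28 13:23:34 web sshd[1410]: Accepted password for mail from 192.168.210.131 port 57708 ssh2
Mar 28 13:23:34 web sshd[1410]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Mar 28 13:23:50 web useradd[1420]: new user: name=php, UID=1001, GID=1001, home=/usr/php, shell=/bin/bash
Mar 28 13:24:11 web sshd[1410]: pam_unix(sshd:session): session closed for user mail
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
ACCEPTED = re.compile(TS + r"(\w+)\[\d+\]: Accepted \w+ for (\S+) from (\S+) port (\d+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
SESSION = re.compile(TS + r"sshd\[\d+\]: pam_unix\(sshd:session\): session (opened|closed) for user (\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), .*home=([^,]+)")

def analyze_auth_log(text, bruteforce_threshold=3):
    last_login, failed_by_ip, opened, sessions, created = None, Counter(), {}, {}, []
    for line in text.splitlines():
        if m := ACCEPTED.search(line):
            last_login = {"service": m[2], "user": m[3], "ip": m[4], "port": int(m[5])}
        elif m := FAILED.search(line):
            failed_by_ip[m[1]] += 1
        elif m := SESSION.search(line):
            # auth.log carries no year; only the difference between timestamps is used
            ts, state, user = datetime.strptime(m[1], "%b %d %H:%M:%S"), m[2], m[3]
            if state == "opened":
                opened[user] = ts
            elif user in opened:
                # keep the most recent completed session per user, in seconds
                sessions[user] = int((ts - opened.pop(user)).total_seconds())
        elif m := USERADD.search(line):
            created.append({"name": m[1], "home": m[2]})
    # a source IP with repeated failures before a success is the brute-force signal
    suspects = [ip for ip, n in failed_by_ip.items() if n >= bruteforce_threshold]
    return {"last_login": last_login, "failed_by_ip": dict(failed_by_ip),
            "bruteforce_ips": suspects, "session_seconds": sessions, "created_users": created}

def session_minutes(seconds):
    # whole minutes rounded up, matching how the writeup counts the 37-second session as 1
    return math.ceil(seconds / 60)
```

Run it against the real /var/log/auth.log from the disk image by passing the file contents to analyze_auth_log.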
Q11 How many user groups exist on the machine?
Groups are listed in /etc/group; open it and count them.

Ans : 58
Q12 How many users have sudo access?
In the same file, search for the sudo group.

Ans : 2
Q13 What is the home directory of the PHP user?
From Q10: when the attacker created the user php, its home directory was set to /usr/php.
Ans : /usr/php
Q14 What command did the attacker use to gain root privilege? (Answer contains two spaces).
We know from the previous questions that the attacker logged in as the user mail, whose home directory is /var/mail.
Let's investigate its bash history.

Ans : sudo su -
Q15 Which file did the user 'root' delete?
Let's check root's bash history file.

Ans : 37292.c
Q16 Recover the deleted file, open it and extract the exploit author name.
After some minutes of searching in /tmp, I found it.
After I clicked on it, Windows Defender started running :)

After that, search for the CVE on exploit-db:

Ans : rebel
Q17 What is the content management system (CMS) installed on the machine?
It can be found under /etc.

Ans : drupal
Q18 What is the version of the CMS installed on the machine?
With some help from ChatGPT, we can find the Drupal CMS version in the info files under /var/www/html/.


Ans : 7.26
Q19 Which port was listening to receive the attacker's reverse shell?
From question 6 we know the attacker's IP, 192.168.210.131.
Go to access.log and grep for it; we find a POST request with an encoded payload.

Let's decode it in CyberChef:

Ans : 4444
We finished. Thank you for reading ❤🥰