Medhat Fathy
Hacked Cyberdefenders

Category : Digital Forensics Medium " Linux FTK Disk"


Last updated 1 year ago

You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).

Q1 What is the system timezone?

We can find it in the /etc/timezone file.

Ans : Europe/Brussels

Q2 Who was the last user to log in to the system?

We can find it in the auth log at /var/log/auth.log.

Ans : mail

Q3 What was the source port the user 'mail' connected from?

From the previous screenshot we can find the answer: the "Accepted password" line shows port 57708.

Ans : 57708

Q4 How long was the last session for user 'mail'? (Minutes only)

We can see that the last session started at 13:23:34 and finished at 13:24:11, so it lasted just 1 minute.

Ans : 1

Q5 Which server service did the last user use to log in to the system?

In the same screenshot we can see the service was sshd.

Ans : sshd

Q6 What type of authentication attack was performed against the target machine?

In the same file we find many failed login attempts from the same source before the successful one, so it's a brute-force attack.

Ans : brute-force
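The auth.log questions (Q2 to Q6) are all answered by the same three line types: "Failed password", "Accepted password" and the pam_unix "session opened/closed" pair. The script below is an added example (not part of the original writeup) that parses those lines and answers each question programmatically; the log lines are constructed, modelled on the values reported above (user mail, port 57708, session 13:23:34 to 13:24:11), and the year is an assumption because syslog timestamps carry none.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/auth.log lines. The accepted login, source port
# and session times mirror the writeup; the failed attempts are invented to show
# what the brute-force phase looks like in the log.
SAMPLE_AUTH_LOG = """\
Oct  5 13:21:02 web sshd[1402]: Failed password for invalid user admin from 192.168.210.131 port 57690 ssh2
Oct  5 13:21:04 web sshd[1402]: Failed password for invalid user admin from 192.168.210.131 port 57690 ssh2
Oct  5 13:21:07 web sshd[1405]: Failed password for mail from 192.168.210.131 port 57701 ssh2
Oct  5 13:21:09 web sshd[1405]: Failed password for mail from 192.168.210.131 port 57701 ssh2
Oct  5 13:21:11 web sshd[1405]: Failed password for mail from 192.168.210.131 port 57701 ssh2
Oct  5 13:23:34 web sshd[1410]: Accepted password for mail from 192.168.210.131 port 57708 ssh2
Oct  5 13:23:34 web sshd[1410]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Oct  5 13:24:11 web sshd[1410]: pam_unix(sshd:session): session closed for user mail
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_auth_log(text, year=2020):
    """Turn auth.log text into a list of event dicts. syslog lines carry no year,
    so one is assumed; it only matters for sessions that span New Year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        base = {"ts": ts, "service": m["svc"], "pid": int(m["pid"])}
        msg = m["msg"]
        if (f := FAILED_RE.search(msg)):
            events.append({**base, "kind": "failed", "user": f["user"], "ip": f["ip"], "port": int(f["port"])})
        elif (a := ACCEPTED_RE.search(msg)):
            events.append({**base, "kind": "accepted", "method": a["method"], "user": a["user"],
                           "ip": a["ip"], "port": int(a["port"])})
        elif (s := SESSION_RE.search(msg)):
            events.append({**base, "kind": f"session_{s['state']}", "user": s["user"]})
    return events


def last_login(events):
    """Q2/Q3/Q5: the last successful authentication (who, from where, via which service)."""
    accepted = [e for e in events if e["kind"] == "accepted"]
    return accepted[-1] if accepted else None


def failed_attempts(events):
    """Failed logins per (source ip, target user)."""
    return Counter((e["ip"], e["user"]) for e in events if e["kind"] == "failed")


def bruteforce_sources(events, threshold=5):
    """Q6: source IPs whose failed-attempt count reaches the threshold."""
    per_ip = Counter(e["ip"] for e in events if e["kind"] == "failed")
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def session_seconds(events, user):
    """Q4: duration of the user's last PAM session, matching open/close on the sshd pid."""
    opened, durations = {}, []
    for e in events:
        if e["kind"] == "session_opened" and e["user"] == user:
            opened[e["pid"]] = e["ts"]
        elif e["kind"] == "session_closed" and e["user"] == user and e["pid"] in opened:
            durations.append(int((e["ts"] - opened.pop(e["pid"])).total_seconds()))
    return durations[-1] if durations else None


def session_minutes(events, user):
    """Whole minutes rounded up, which is how a 37-second session counts as 1 minute."""
    secs = session_seconds(events, user)
    return None if secs is None else max(1, math.ceil(secs / 60))


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("last login:", last_login(ev))
    print("failed attempts:", failed_attempts(ev))
    print("brute-force sources:", bruteforce_sources(ev))
    print("mail session:", session_seconds(ev, "mail"), "s ->", session_minutes(ev, "mail"), "minute(s)")
```

Matching session open/close on the sshd pid rather than on the username matters when the same user has several concurrent sessions; a username-only match would pair the wrong open and close lines.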

Q7 How many IP addresses are listed in the '/var/log/lastlog' file?

Ans : 2

Q8 How many users have a login shell?

Count the users whose shell is /bin/bash.

Ans : 5

Q9 What is the password of the mail user?

We can find the password hash of the mail user in

/etc/shadow

and crack it with John the Ripper:

sudo john --wordlist=/usr/share/rockyou.txt passwd.txt

Ans : forensics

Q10 Which user account was created by the attacker?

Back in auth.log, searching for the useradd command, we can find it.

Ans : php

Q11 How many user groups exist on the machine?

We can find the groups in /etc/group; open it and count them.

Ans : 58

Q12 How many users have sudo access?

In the same file, search for sudo.

Ans : 2

Q13 What is the home directory of the PHP user?

From Q10, when the attacker created the user php, its home directory was set to /usr/php.

Ans : /usr/php
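Q8, Q11, Q12 and Q13 are all answered from /etc/passwd and /etc/group. The following is an added example (not the writeup's own code) that parses both files and also runs the kind of account hunt a responder would do on a compromised host: login-capable accounts with a home outside /home, system-range UIDs with a real shell, and extra uid-0 accounts. The file contents are constructed; only the php account with home /usr/php and the mail account follow the writeup, the rest is invented. The set of shells treated as "login shells" is an assumption (a real triage would read /etc/shells).

```python
# Constructed sample of /etc/passwd and /etc/group. The attacker-created 'php'
# account with home /usr/php follows the writeup; everything else is invented.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
php:x:1001:1001::/usr/php:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
sudo:x:27:ubuntu,mail
www-data:x:33:
mail:x:8:
php:x:1001:
"""

# Assumed set of interactive shells; nologin, false and sync are not login shells.
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}
ADMIN_GROUPS = {"sudo", "wheel", "admin"}


def parse_passwd(text):
    """Seven colon-separated fields per line: name, password, uid, gid, gecos, home, shell."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """Four fields per line: name, password, gid, comma-separated members."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append({"name": name, "gid": int(gid), "members": [m for m in members.split(",") if m]})
    return groups


def login_shell_users(users):
    """Q8: accounts that can get an interactive shell."""
    return [u["name"] for u in users if u["shell"] in LOGIN_SHELLS]


def sudo_users(users, groups):
    """Q12: members of the admin groups, plus any extra uid-0 account (a classic backdoor)."""
    names = set()
    for g in groups:
        if g["name"] in ADMIN_GROUPS:
            names.update(g["members"])
    names.update(u["name"] for u in users if u["uid"] == 0 and u["name"] != "root")
    return sorted(names)


def home_dir(users, name):
    """Q13: home directory of a given account, or None if it does not exist."""
    return next((u["home"] for u in users if u["name"] == name), None)


def suspicious_accounts(users):
    """Hunt: login-capable accounts whose home is outside /home, or system-range
    UIDs (below 1000 on Debian/Ubuntu) that have a real shell. Returns (name, reason)."""
    findings = []
    for u in users:
        if u["shell"] not in LOGIN_SHELLS or u["name"] == "root":
            continue
        if not u["home"].startswith("/home/"):
            findings.append((u["name"], f"home {u['home']} outside /home"))
        if u["uid"] < 1000:
            findings.append((u["name"], f"system uid {u['uid']} with login shell"))
    return findings


if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    print("login shells:", login_shell_users(users))
    print("groups:", len(groups))
    print("sudo:", sudo_users(users, groups))
    print("php home:", home_dir(users, "php"))
    for name, reason in suspicious_accounts(users):
        print(f"suspicious: {name}: {reason}")
```

On the sample data the hunt flags both accounts the writeup ends up caring about: mail (a system account that should not have a shell, and the one the attacker brute-forced) and php (home outside /home, the account the attacker created).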

Q14 What command did the attacker use to gain root privilege? (Answer contains two spaces).

We know from the previous questions that the attacker logged in as the user mail, whose home directory is /var/mail.

Let's investigate its bash history.

Ans : sudo su -

Q15 Which file did the user 'root' delete?

Let's check root's bash history file.

Ans : 37292.c

Q16 Recover the deleted file, open it and extract the exploit author name.

After a few minutes of searching in /tmp I found it.

When I opened it, Windows Defender fired :)

After that, search for the exploit on exploit-db to get the author name:

Ans : rebel

Q17 What is the content management system (CMS) installed on the machine?

It can be found under /etc.

Ans : drupal

Q18 What is the version of the CMS installed on the machine?

With the help of ChatGPT, we can find the version of the Drupal CMS in the info files under /var/www/html/.

Ans : 7.26

Q19 Which port was listening to receive the attacker's reverse shell?

We can go to access.log and grep it.

We find a base64-encoded POST request.

Let's decode it in CyberChef.

Ans : 4444
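The CyberChef step above can be automated for a whole access.log: walk the POST requests, URL-decode the request target, try to base64-decode any long base64-looking token, and pull the listener address out of whatever decodes to readable text. The script below is an added example, not part of the original writeup. The log lines are constructed, and the "payload" embedded in them is a placeholder containing only the $ip and $port variables, not a working reverse shell; the base64 blob is built by the script itself so the sample stays consistent.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed placeholder for the decoded payload: only the two variables this
# question cares about, not a real reverse shell.
_PLACEHOLDER_PAYLOAD = b'$ip = "192.168.210.131"; $port = 4444; # constructed placeholder, not a real payload'
_B64 = base64.b64encode(_PLACEHOLDER_PAYLOAD).decode()

# Constructed Apache combined-format access.log lines. The POST carries the
# base64 blob percent-encoded in the query string.
SAMPLE_ACCESS_LOG = (
    '192.168.210.131 - - [05/Oct/2020:13:18:40 +0200] "GET /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    f'192.168.210.131 - - [05/Oct/2020:13:19:02 +0200] "POST /index.php?q=node&c={quote(_B64, safe="")} HTTP/1.1" 200 0 "-" "python-requests/2.24"\n'
    '10.0.0.7 - - [05/Oct/2020:13:19:30 +0200] "GET /sites/all/modules/x.info HTTP/1.1" 404 200 "-" "curl/7.68"\n'
)

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# 24+ base64 alphabet characters with optional padding; short tokens are skipped to limit false positives.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PORT_RE = re.compile(r"\$port\s*=\s*(\d+)")
IP_RE = re.compile(r'\$ip\s*=\s*"([\d.]+)"')


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            reqs.append({k: m[k] for k in ("ip", "ts", "method", "target", "status")})
    return reqs


def decode_base64_blobs(s):
    """Return (token, decoded_text) for every base64-looking token in the
    URL-decoded string that strictly decodes to printable UTF-8 text."""
    out = []
    for tok in B64_TOKEN_RE.findall(unquote(s)):
        try:
            txt = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if txt.isprintable():
            out.append((tok, txt))
    return out


def reverse_shell_indicators(text):
    """Q19: for each POST with an embedded base64 payload, report the source of the
    request and the listener ip/port found in the decoded text (None if absent)."""
    hits = []
    for r in parse_access_log(text):
        if r["method"] != "POST":
            continue
        for _tok, decoded in decode_base64_blobs(r["target"]):
            port = PORT_RE.search(decoded)
            ip = IP_RE.search(decoded)
            hits.append({
                "src": r["ip"],
                "ts": r["ts"],
                "listener_ip": ip[1] if ip else None,
                "listener_port": int(port[1]) if port else None,
                "decoded": decoded,
            })
    return hits


if __name__ == "__main__":
    for h in reverse_shell_indicators(SAMPLE_ACCESS_LOG):
        print(f"{h['ts']} POST from {h['src']} -> listener {h['listener_ip']}:{h['listener_port']}")
        print("  decoded:", h["decoded"])
```

Strict decoding (validate=True plus a UTF-8 and isprintable check) is what keeps the token regex from flooding the output with session IDs and hashes that happen to look like base64; if the decoded payload were a script rather than plain assignments, the same loop would simply hand you its text for manual review.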

We finished, thank you for reading ❤🥰

From question 6 we can also find the attacker IP:

192.168.210.131
[Screenshots from the walkthrough, with the recoverable values: auth.log line "Accepted password for mail from 192.168.210.131 port 57708 ssh2"; useradd php; 58 lines in /etc/group; sudo members php and mail; bash history "sudo su -" and "rm 37292.c"; "Exploit Author: rebel"; Drupal open-source CMS version 7.26; base64-decoded POST body containing "$port = 4444"]