# Hammered Cyberdefenders

* [Details](https://cyberdefenders.org/blueteam-ctf-challenges/42#nav-overview)

This challenge takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to this webserver honeypot using the logs from a possibly compromised server.

Challenge files:

* kern.log

* auth.log

* daemon.log

* dmesg

* apache2

* [Questions](https://cyberdefenders.org/blueteam-ctf-challenges/42#nav-questions)

#### Q1 Which service did the attackers use to gain access to the system?

Let's investigate the <mark style="color:blue;">auth.log</mark> file to see the authentication activity of the accounts.

```bash
grep -F 'Failed' auth.log
```

<figure><img src="/files/9WuWxX22J6UNmfcNxBTK" alt=""><figcaption><p>sshd</p></figcaption></figure>

By grepping for failed authentication attempts we can see that there are many attempts to log in through <mark style="color:blue;">sshd</mark>, so the service is SSH.

**Ans : ssh**

#### Q2 What is the operating system version of the targeted system? (one word)

we can look in the <mark style="color:blue;">kern.log</mark> file, as it contains information logged by the kernel

```bash
head kern.log
```

<figure><img src="/files/PakCOiOuEhZ7vahlTH6m" alt=""><figcaption><p>(Ubuntu 4.2.4-1ubuntu3)</p></figcaption></figure>

**Ans : 4.2.4-1ubuntu3**

#### Q3 What is the name of the compromised account?

Let's go back to the <mark style="color:blue;">auth.log</mark> file to see which account logged in successfully.

```bash
grep -F 'Accepted password' auth.log
```

<figure><img src="/files/HbnKED9HplrmjzYhJEou" alt=""><figcaption><p>root</p></figcaption></figure>

**Ans : root**

#### Q4 Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?

Let's grep the source IPs of the failed authentications

```bash
# field 14 of the PAM failure line is the "rhost=<ip>" token
grep sshd auth.log | grep "authentication failure" | awk '{print $14}' | sort | uniq -c | sort -n
```

<figure><img src="/files/3mlboIletaHgG6E2jGMA" alt=""><figcaption></figcaption></figure>

and the source IPs of the successful logins

```bash
# field 11 is the source IP in "Accepted password for <user> from <ip>"
grep "Accepted" auth.log | awk '{print $11}' | sort | uniq -c | sort -n
```

<figure><img src="/files/kidoZuKfhzA7TFRVWwB2" alt=""><figcaption></figcaption></figure>

By comparing them we find 6 IPs that logged in to the system:

219.150.161.20, 222.66.204.246, 121.11.66.70, 222.169.224.197, 122.226.202.12, 61.168.227.12

**Ans : 6**

#### Q5 Which attacker's IP address successfully logged into the system the most number of times?

The two IP addresses 188.131.23.37 and 219.150.161.20 have the highest counts, but 188.131.23.37 appears only six times in auth.log, while 219.150.161.20 appears many times.

```bash
grep "Accepted" auth.log | grep root | awk '{print $11}' | sort | uniq -c | sort -n
```

<figure><img src="/files/pR8X1yN7pMZTs2q0ZzTh" alt=""><figcaption></figcaption></figure>

**Ans : 219.150.161.20**

#### Q6 How many requests were sent to the Apache Server?

The requests are stored in <mark style="color:blue;">www-access.log</mark>

<figure><img src="/files/qTFA0Rr9qGEO1rdZPsAv" alt=""><figcaption></figcaption></figure>

**Ans : 365**

#### Q7 How many rules have been added to the firewall?

<figure><img src="/files/pAjLbJ1sjfSKpCvpetQt" alt=""><figcaption><p>There are 6 rules that have been added.</p></figcaption></figure>

**Ans : 6**

#### Q8 One of the downloaded files to the target system is a scanning tool. Provide the tool name.

We can look for installed packages in the <mark style="color:blue;">dpkg.log</mark> file

<figure><img src="/files/qO52EowLhgvhRF5kLet7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VxkjD4ScF611mVd5nflh" alt=""><figcaption></figcaption></figure>

**Ans : nmap**

#### Q9 When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM

Back to the auth.log file: grep the successful logins from the attacker's IP address

```bash
grep "Accepted password" auth.log | grep "219.150.161.20"
```

<figure><img src="/files/SMqHBwv7MYwOAi7uS4gQ" alt=""><figcaption></figcaption></figure>

The last login is on Apr 19 05:56:05

**Ans : 04/19/2010 05:56:05 AM**
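The three auth.log questions above (Q4, Q5 and Q9) can be answered with one small parser instead of separate grep/awk pipelines. The following is an added example, not code from the original writeup; it runs on a constructed auth.log excerpt and assumes the year 2010, as the writeup does, because syslog timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log excerpt (not taken from the challenge files).
SAMPLE_AUTH_LOG = """\
Apr 19 05:41:44 app-1 sshd[4309]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.150.161.20  user=root
Apr 19 05:41:46 app-1 sshd[4309]: Failed password for root from 219.150.161.20 port 1262 ssh2
Apr 19 05:42:01 app-1 sshd[4315]: Accepted password for root from 219.150.161.20 port 1265 ssh2
Apr 19 05:56:05 app-1 sshd[4401]: Accepted password for root from 219.150.161.20 port 1301 ssh2
Apr 19 06:10:12 app-1 sshd[4450]: Accepted password for root from 222.66.204.246 port 4412 ssh2
Apr 19 06:11:03 app-1 sshd[4452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.131.23.37  user=root
"""

# Syslog timestamp, host, sshd[pid], then "Accepted <method> for <user> from <ip>".
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# PAM failure lines carry the source address as rhost=<ip> (the later
# "Failed password" line for the same attempt is ignored to avoid double counting).
FAILED_RE = re.compile(r"authentication failure;.*\brhost=(?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_auth_log(text):
    """Return (event, ip, user, ts) tuples for sshd accepted/failed logins."""
    events = []
    for line in text.splitlines():
        if m := ACCEPTED_RE.match(line):
            events.append(("accepted", m["ip"], m["user"], m["ts"]))
        elif m := FAILED_RE.search(line):
            # line[:15] is the fixed-width syslog timestamp "Mon DD HH:MM:SS"
            events.append(("failed", m["ip"], None, line[:15]))
    return events

def successful_ips(events):
    """Distinct source IPs with at least one accepted login (Q4)."""
    return {ip for ev, ip, _, _ in events if ev == "accepted"}

def accepted_counts(events):
    """Accepted logins per source IP, to see who logged in most (Q5)."""
    return Counter(ip for ev, ip, _, _ in events if ev == "accepted")

def last_login(events, ip, year=2010):
    """Latest accepted login from ip as MM/DD/YYYY HH:MM:SS AM (Q9).
    syslog omits the year, so it is passed in; 2010 is the writeup's assumption."""
    stamps = [datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
              for ev, src, _, ts in events if ev == "accepted" and src == ip]
    return max(stamps).strftime("%m/%d/%Y %I:%M:%S %p") if stamps else None
```

Feed the real file in with `parse_auth_log(open("auth.log").read())`; `len(successful_ips(events))` gives the Q4 count and `accepted_counts(events).most_common(1)` the Q5 address.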

#### Q10 The database displayed two warning messages, provide the most important and dangerous one.

Database information is stored in <mark style="color:blue;">daemon.log</mark>

<figure><img src="/files/IuPuOntrgdhlI6r4M3D7" alt=""><figcaption></figcaption></figure>

The most dangerous one is that root accounts exist **without passwords**

**Ans : mysql.user contains 2 root accounts without password!**

#### Q11 Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?

Grep for the timestamp given in the question

<figure><img src="/files/oZ2o69jaqN4rJ4jIhPIa" alt=""><figcaption><p>name=wind3str0y</p></figcaption></figure>

**Ans : wind3str0y**

#### Q12 Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?

Grep the User-Agent value from the <mark style="color:blue;">www-access.log</mark> file

```bash
# field 12 is the first token of the quoted User-Agent in the combined log format
cut -d ' ' -f 12 apache2/www-access.log | sort | uniq
```

<figure><img src="/files/SwIxNy1IvhLJoNnfpwT3" alt=""><figcaption><p>pxyscand/2.1</p></figcaption></figure>

**Ans : pxyscand/2.1**
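An added example (not code from the original writeup) that parses Apache combined-format lines on a constructed sample. Unlike `cut -d ' ' -f 12`, which returns only the first whitespace-separated token of the quoted User-Agent, it keeps the whole string, and it also gives the request total asked for in Q6.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (not the challenge's www-access.log).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [19/Apr/2010:06:12:01 +0000] "GET / HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
10.0.0.9 - - [19/Apr/2010:06:12:44 +0000] "GET /index.html HTTP/1.0" 200 1023 "-" "pxyscand/2.1"
10.0.0.9 - - [19/Apr/2010:06:12:45 +0000] "CONNECT example.com:443 HTTP/1.0" 405 0 "-" "pxyscand/2.1"
10.0.0.7 - - [19/Apr/2010:06:13:10 +0000] "GET /admin HTTP/1.1" 404 287 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
garbage line that does not match the format
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_access_log(text):
    """Return (entries, skipped): one dict per well-formed line, plus how many lines did not parse."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return entries, skipped

def request_count(entries):
    """Total requests (Q6): every parsed line is one request."""
    return len(entries)

def user_agent_counts(entries):
    """Requests per full User-Agent string (Q12). The whole quoted value is kept,
    so multi-word agents are not truncated to their first token."""
    return Counter(e["ua"] for e in entries)

def ips_for_user_agent(entries, ua):
    """Source IPs that sent a given User-Agent, to tie an agent back to its hosts."""
    return sorted({e["ip"] for e in entries if e["ua"] == ua})
```

A non-zero `skipped` count is worth checking on the real file, since lines that do not match the format would otherwise silently drop out of the Q6 total.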
Thanks UUUUUUUUUUUUUUUUUU 🥰
