IronShade

Perform a compromise assessment on a Linux host and identify the attack footprints. - by Dex01


Last updated 9 months ago


The following post by 0xb0b is licensed under CC BY 4.0.

The following challenge recreates an incident scenario in which a honeypot was attacked by an APT group called IronShade. Our task is to investigate one of the compromised Linux servers: perform a thorough compromise assessment and identify the attack footprints. Below I provide the commands used to answer the individual questions of the challenge. This one is somewhat hard to write up, since each answer reveals a lot about the next question. I hope you like it anyway.

Retrieving The Machine ID

To get the unique identifier of the machine, we read /etc/machine-id. systemd creates this ID at installation or first boot, and it is used for system identification, software licensing and other purposes that require a stable, unique machine identifier. It is also a good way to document which host the evidence below was collected from.

cat /etc/machine-id

Backdoor User Account Created on the Server

To check for a backdoor user account created on the server, we list /etc/passwd. Every local account appears there with its UID, GID, home directory and login shell, so unauthorized additions stand out: a second account with UID 0, an account in the system UID range (below 1000) that nevertheless has an interactive shell, or a recently appended account whose home directory or shell does not fit the rest. useradd appends new entries, so the newest accounts are usually the last lines of the file.

cat /etc/passwd
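As an added example (not part of the original writeup), the following shell functions apply the checks just described to a passwd file given as an argument, so they can run on the live host, on a copy pulled from it, or on a mounted image. The passwd content at the bottom is constructed for the example; the account names dbadmin and svcbackup are invented and are not the answer to the challenge.

```shell
#!/bin/sh
# Added example: triage a passwd file for accounts a compromise assessment
# should look at. The file is passed as $1 so the functions also work on a copy.

# Every account with UID 0. Anything besides "root" is a root-equivalent backdoor.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Interactive accounts in the normal user range (UID >= 1000, not nobody)
# that have a real login shell: the place an added human-style account lands.
interactive_accounts() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ {
        print $1 ":" $3 ":" $6 ":" $7 }' "$1"
}

# Accounts in the system range (0 < UID < 1000) that nevertheless have a login
# shell: a common way to hide a backdoor among service accounts.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
        print $1 ":" $3 ":" $7 }' "$1"
}

# Constructed sample passwd file (invented accounts, not the challenge's data).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
dbadmin:x:0:0::/home/dbadmin:/bin/bash
svcbackup:x:998:998::/var/backups:/bin/sh
EOF

echo "UID 0 accounts:";             uid0_accounts "$SAMPLE_PASSWD"
echo "interactive accounts:";       interactive_accounts "$SAMPLE_PASSWD"
echo "system accounts with shell:"; system_accounts_with_shell "$SAMPLE_PASSWD"
```

On the live host, pass /etc/passwd instead of the sample file; the checks are read-only and need no privileges. Compare any hit with the creation time recorded in /var/log/auth.log later in this writeup.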

Cronjob Set Up by Attacker for Persistence

To check whether the attacker set up a cron job for persistence, we list root's crontab with sudo crontab -l. Note that this shows only the root user's crontab (the file /var/spool/cron/crontabs/root on Debian and Ubuntu). Other users' crontabs are listed with crontab -l -u USER, and the system-wide locations /etc/crontab, /etc/cron.d/ and the /etc/cron.hourly, daily, weekly and monthly directories should be reviewed as well, together with systemd timers (systemctl list-timers --all), which attackers use for the same purpose.

sudo crontab -l 
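Since sudo crontab -l covers only one of the cron locations, here is an added example (not from the original writeup) that walks all of them and flags the usual persistence tells. It takes a root prefix so it can run on a mounted image; the directory tree it builds and the crontab lines in it are constructed for the example and are not the challenge's data.

```shell
#!/bin/sh
# Added example: enumerate every cron persistence location, not only root's
# crontab. A root prefix ($1) lets the functions run against a mounted image
# or, as here, a constructed directory tree. Pass "" for the live host.

# Print each active (non-comment, non-empty) line from /etc/crontab, /etc/cron.d/
# and every per-user crontab spool, prefixed with the file it came from.
list_cron_sources() {
    root="${1:-}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
            | sed "s|^|${f#$root}: |"
    done
}

# Flag entries with classic persistence tells: world-writable or memory-backed
# paths, hidden (dot) path components, download-and-run helpers.
flag_suspicious_cron() {
    list_cron_sources "$1" \
        | grep -E '/tmp/|/dev/shm/|/var/tmp/|/\.[^/]|curl |wget |base64|bash -i'
}

# Constructed tree: a stock /etc/crontab, a distribution cron.d file and a
# per-user root crontab with an invented malicious entry.
CRON_ROOT=$(mktemp -d)
mkdir -p "$CRON_ROOT/etc/cron.d" "$CRON_ROOT/var/spool/cron/crontabs"
cat > "$CRON_ROOT/etc/crontab" <<'EOF'
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
cat > "$CRON_ROOT/etc/cron.d/sysstat" <<'EOF'
5-55/10 * * * * root /usr/lib/sysstat/debian-sa1 1 1
EOF
cat > "$CRON_ROOT/var/spool/cron/crontabs/root" <<'EOF'
# m h dom mon dow command
*/5 * * * * /dev/shm/.x/update.sh >/dev/null 2>&1
EOF

list_cron_sources "$CRON_ROOT"
echo "--- flagged:"
flag_suspicious_cron "$CRON_ROOT"
```

The scripts dropped into /etc/cron.hourly and its siblings are plain executables rather than crontab lines, so list those directories separately and read anything that is not owned by a package (dpkg -S FILE tells you).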

Suspicious Hidden Process Identified from Backdoor Account

To identify a suspicious hidden process associated with the backdoor account, we search the process list for the path of its home directory: ps aux | grep "home/m**********e". This matches every process whose command line contains that path, which catches binaries started from the user's home directory even when they carry a harmless-looking name. Remember that the grep command itself contains the pattern and therefore appears in the output; pgrep -af "home/m**********e" gives the same result without that self-match.

ps aux |grep "home/m**********e"

Number of Processes Running from Backdoor Account's Directory

To determine the number of processes running from the backdoor account's directory, we use the same command and count the matching lines, excluding the grep process itself. Note the PIDs and binary names; they come up again when we look at the installed services.

ps aux |grep "home/m**********e"
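For both of the process questions above, here is an added example (not from the original writeup) that answers them from /proc instead of from ps output. It reads each process's real executable and working directory, so it neither matches its own grep nor misses a binary that was started through a relative path; the directory argument is the one from the writeup, masked.

```shell
#!/bin/sh
# Added example: find processes tied to a directory by reading /proc directly
# instead of "ps aux | grep PATH". That grep matches its own command line and
# misses a binary started via a relative path or a renamed copy, whereas
# /proc/PID/exe and /proc/PID/cwd record the real executable and working
# directory. A "(deleted)" suffix on EXE means the binary was removed after
# it started, itself a red flag.

# Print "PID EXE CWD CMDLINE" for every process whose executable or working
# directory lies under DIR ($1). Needs Linux /proc; other users' processes are
# only fully visible when run as root. Your own shell is listed too if you
# cd'd into DIR before running this.
procs_under_dir() {
    dir="${1%/}"
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        exe=$(readlink "$p/exe" 2>/dev/null || echo "?")
        cwd=$(readlink "$p/cwd" 2>/dev/null || echo "?")
        case "$exe $cwd" in
            *"$dir/"*|*"$dir") ;;   # exe or cwd under DIR, or cwd equal to DIR
            *) continue ;;
        esac
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        printf '%s %s %s %s\n' "$pid" "$exe" "$cwd" "$cmd"
    done
}

# Number of such processes: the figure the challenge asks for, without the
# extra grep line that "ps aux | grep" would add.
count_procs_under_dir() {
    procs_under_dir "$1" | wc -l | tr -d ' '
}

# Usage on the host (path as in the writeup, masked here):
#   procs_under_dir /home/m**********e
#   count_procs_under_dir /home/m**********e
```

If the two approaches disagree, that is itself a finding: a process visible in /proc but absent from ps points at a replaced ps binary or a userland rootkit, and the reverse points at a process that has changed its cwd away from the directory.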

Hidden File in Memory Found in the Root Directory

To identify a hidden file in the root directory, we issue ls -lah /. The -a flag includes dotfiles (names beginning with a dot, which ls hides by default) and -l shows owner, size and modification time, so a dotfile that does not belong to a standard installation, or whose timestamp falls into the attack window, stands out. The same listing is worth repeating on memory-backed filesystems such as /dev/shm and /run, which are popular drop locations precisely because their contents do not survive a reboot.

ls -lah /

Suspicious Services Installed on the Server

To identify suspicious services installed on the server, we issue systemctl list-units --type=service --all. This lists all service units, including inactive and failed ones, with their load state, activity and description. Here we find two services with a very short description, which is unusual for distribution-provided units. One of them we have already seen in the process list, running from the backdoor account's home directory. For validation, the services have the following names: b*****.******e and s******.******e. systemctl cat UNIT prints the unit file with its ExecStart line, which tells you which binary the service actually runs.

systemctl list-units --type=service --all
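Here is an added example (not from the original writeup) that audits the unit files on disk rather than trusting the description column. It takes a root prefix so it also works on a mounted image; the two unit files it creates are constructed, and the name updater.service and its paths are invented placeholders, not the challenge's services.

```shell
#!/bin/sh
# Added example: audit systemd unit files from disk rather than trusting the
# description shown by systemctl. A root prefix ($1) lets this run on a mounted
# image or on the constructed tree below. Pass "" for the live host.

# One line per service unit: path, Description=, ExecStart= (tab separated).
audit_unit_files() {
    root="${1:-}"
    for u in "$root"/etc/systemd/system/*.service \
             "$root"/lib/systemd/system/*.service \
             "$root"/usr/lib/systemd/system/*.service; do
        [ -f "$u" ] || continue
        desc=$(sed -n 's/^Description=//p' "$u" | head -n 1)
        cmd=$(sed -n 's/^ExecStart=//p' "$u" | head -n 1)
        printf '%s\t%s\t%s\n' "${u#$root}" "${desc:-<none>}" "${cmd:-<none>}"
    done
}

# Units whose ExecStart touches a home, temp or memory-backed directory, or that
# carry no Description at all: distribution units essentially never do either.
suspicious_units() {
    audit_unit_files "$1" | awk -F '\t' '
        $3 ~ /\/(home|tmp|dev\/shm|var\/tmp)\// || $2 == "<none>"'
}

# Constructed unit files: one stock-looking unit and one invented attacker unit.
UNIT_ROOT=$(mktemp -d)
mkdir -p "$UNIT_ROOT/etc/systemd/system" "$UNIT_ROOT/lib/systemd/system"
cat > "$UNIT_ROOT/lib/systemd/system/ssh.service" <<'EOF'
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
EOF
cat > "$UNIT_ROOT/etc/systemd/system/updater.service" <<'EOF'
[Unit]
Description=updater
[Service]
ExecStart=/bin/bash /home/svc/.cache/updater.sh
Restart=always
[Install]
WantedBy=multi-user.target
EOF

audit_unit_files "$UNIT_ROOT"
echo "--- suspicious:"
suspicious_units "$UNIT_ROOT"
```

Units an attacker adds by hand land in /etc/systemd/system (the admin-owned directory) rather than under /lib or /usr/lib, so a unit there that no package owns (dpkg -S on the file returns nothing) deserves a close look even when its ExecStart looks clean.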

Backdoor Account Created on the Infected System

To check when and how the backdoor account was created on the infected system, we search the authentication log: grep -a 'useradd' /var/log/auth.log. useradd logs a "new user: name=..., UID=..., GID=..., home=..., shell=..." line for every account it creates, so this gives the account name and the creation time, and if the command was run through sudo, the adjacent sudo entries show who ran it. The -a flag makes grep treat the file as text even if it contains stray binary bytes, which would otherwise make grep print only "Binary file matches".

grep -a 'useradd' /var/log/auth.log

Multiple SSH Connections to Backdoor Account Originated from IP Address

To identify the IP address from which multiple SSH connections to the backdoor account originated, we search the authentication log for sshd entries: grep -a 'sshd' /var/log/auth.log. Successful logins appear as "Accepted password for USER from IP port PORT ssh2" (or "Accepted publickey ..." for key-based logins); counting those lines per source address for the backdoor account gives the answer.

grep -a 'sshd' /var/log/auth.log

Number of Failed SSH Login Attempts on the Backdoor Account

To determine the number of failed SSH login attempts on the backdoor account, we issue grep -a 'Failed password for microservice' /var/log/auth.log. Some of the matching lines are of the form "message repeated 2 times: [ Failed password for ... ]": the syslog daemon suppresses consecutive identical messages and reports them as a single line with a repeat count, so the first line plus a "repeated 2 times" line stand for 3 failed attempts. Keep that in mind when counting.

grep -a 'Failed password for microservice' /var/log/auth.log
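The three auth.log questions above (account creation, connections per source address, failed attempts including the repeat lines) can be answered with one small function each. This is an added example, not the writeup's own code; the log lines it builds are constructed, and their hostname, timestamps, UID and IP addresses are invented. Only the account name microservice is taken from the writeup.

```shell
#!/bin/sh
# Added example: pull the three auth.log answers (account creation, SSH source
# addresses, failed attempts) out of a log file with one function each. The log
# lines below are constructed: hostname, timestamps and IP addresses are invented.

# Account-management events: useradd writes one "new user:" record per account.
account_creations() {
    grep -aE '(useradd|adduser|usermod|groupadd)\[[0-9]+\]:' "$1"
}

# Successful SSH logins for user $2, counted per source IP, most frequent first.
ssh_accepted_by_ip() {
    grep -a "sshd\[[0-9]*]: Accepted .* for $2 from " "$1" \
        | sed -n "s/.* for $2 from \([0-9.]*\) port .*/\1/p" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Failed password attempts for user $2. rsyslog collapses consecutive identical
# lines into "message repeated N times: [ ... ]", so N is added instead of 1.
ssh_failed_count() {
    awk -v u="$2" '
        /sshd\[/ && $0 ~ ("Failed password for " u " from ") {
            if (match($0, /message repeated [0-9]+ times/)) {
                n = substr($0, RSTART, RLENGTH)
                sub(/message repeated /, "", n); sub(/ times/, "", n)
                total += n
            } else {
                total += 1
            }
        }
        END { print total + 0 }' "$1"
}

# Constructed auth.log excerpt (invented host, times, UID and addresses).
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Mar  3 10:14:01 host useradd[2011]: new user: name=microservice, UID=1001, GID=1001, home=/home/microservice, shell=/bin/bash, from=/dev/pts/0
Mar  3 10:15:12 host sshd[2044]: Failed password for microservice from 192.0.2.10 port 51000 ssh2
Mar  3 10:15:20 host sshd[2044]: message repeated 2 times: [ Failed password for microservice from 192.0.2.10 port 51000 ssh2]
Mar  3 10:15:31 host sshd[2044]: Accepted password for microservice from 192.0.2.10 port 51000 ssh2
Mar  3 10:15:31 host sshd[2044]: pam_unix(sshd:session): session opened for user microservice by (uid=0)
Mar  3 11:02:44 host sshd[2190]: Accepted password for microservice from 192.0.2.10 port 51322 ssh2
Mar  3 11:40:09 host sshd[2301]: Failed password for microservice from 198.51.100.7 port 40022 ssh2
Mar  3 11:41:00 host sshd[2301]: Accepted publickey for microservice from 198.51.100.7 port 40022 ssh2: RSA SHA256:AAAA
Mar  3 12:00:00 host sshd[2400]: Accepted password for ubuntu from 192.0.2.50 port 3000 ssh2
EOF

account_creations "$AUTH_LOG"
ssh_accepted_by_ip "$AUTH_LOG" microservice
ssh_failed_count "$AUTH_LOG" microservice
```

On the host, point the functions at /var/log/auth.log and remember the rotated files (auth.log.1, auth.log.2.gz via zcat) when the attack window is older than the current log.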

Malicious Package Installed on the Host

To identify a malicious package installed on the host, we search the package manager's log: grep 'install ' /var/log/dpkg.log. Each matching line records the timestamp, the package name with its architecture, and the old and new version. One installation stands out clearly by its timestamp, which falls at approximately the same time as the earlier events (account creation, cron job and service installation).

grep 'install ' /var/log/dpkg.log
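The time correlation just described can be automated: take the creation timestamp from auth.log as a reference and print the dpkg installations within a window around it. This is an added example, not the writeup's own code; the dpkg.log excerpt is constructed, and its dates and version strings are invented. It uses a pure-awk date conversion so it works without GNU date or gawk's mktime.

```shell
#!/bin/sh
# Added example: correlate dpkg.log installations with a reference timestamp
# taken from the other evidence (e.g. the useradd entry in auth.log). Log
# content below is constructed; dates and versions are invented.

# Print install events within WINDOW seconds (default 600) of REF, given as
# "YYYY-MM-DD HH:MM:SS" in the same local-time convention dpkg.log uses.
dpkg_installs_near() {
    awk -v ref="$2" -v win="${3:-600}" '
        # Civil date to seconds since the epoch (days_from_civil algorithm),
        # so the check does not depend on GNU date or gawk mktime.
        function epoch(d, t,   a, b, y, m, dd, era, yoe, doy, doe) {
            split(d, a, "-"); split(t, b, ":")
            y = a[1] + 0; m = a[2] + 0; dd = a[3] + 0
            if (m <= 2) y--
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + dd - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return (era * 146097 + doe - 719468) * 86400 + b[1] * 3600 + b[2] * 60 + b[3]
        }
        BEGIN { split(ref, r, " "); ref_s = epoch(r[1], r[2]) }
        # dpkg.log install lines: DATE TIME install PKG:ARCH OLDVER NEWVER
        $3 == "install" {
            delta = epoch($1, $2) - ref_s
            if (delta < 0) delta = -delta
            if (delta <= win) print $1, $2, $4, $6
        }' "$1"
}

# Constructed dpkg.log excerpt (invented dates and versions).
DPKG_LOG=$(mktemp)
cat > "$DPKG_LOG" <<'EOF'
2024-02-20 08:01:12 install vim:amd64 <none> 2:8.2.3995-1ubuntu2
2024-02-20 08:01:12 status installed vim:amd64 2:8.2.3995-1ubuntu2
2024-03-03 10:13:50 install pscanner:amd64 <none> 1.0.0
2024-03-03 10:13:50 status installed pscanner:amd64 1.0.0
2024-03-03 10:35:02 install net-tools:amd64 <none> 1.60+git20181103.0eebece-1ubuntu5
2024-03-04 02:30:00 install curl:amd64 <none> 7.81.0-1ubuntu1.15
EOF

# Reference: the (constructed) account creation time from auth.log, 10 minute window.
dpkg_installs_near "$DPKG_LOG" "2024-03-03 10:14:01"
```

dpkg.log timestamps are local time, while auth.log lines carry no year; take the year from the dpkg entries themselves or from the file's modification time before forming the reference string.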

Secret Code Found in the Metadata of the Suspicious Package

To find the secret code in the metadata of the suspicious package, we issue apt show pscanner. This prints the package's control fields, including description, version, dependencies and maintainer, together with any non-standard fields the packager added, which is where a hidden value would sit. dpkg -s PACKAGE reads the same information directly from /var/lib/dpkg/status, and the package's maintainer scripts in /var/lib/dpkg/info/ (preinst, postinst, prerm, postrm) are worth reading too, since they run as root at installation time.

apt show p*******
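As an added example (not from the original writeup), the following functions read the same metadata from dpkg's own database, which is what dpkg -s prints and what apt show merges with the repository lists, and separate the custom fields from the standard control set. The status file and the postinst script are constructed; the field name X-Secret-Code and its value EXAMPLE-ONLY are invented placeholders, not the challenge's answer.

```shell
#!/bin/sh
# Added example: read package metadata straight from dpkg's database and list
# the maintainer scripts that ran as root during installation. A root prefix
# ($1) allows use on a mounted image; pass "" for the live host. The status
# file below is constructed and the X-Secret-Code field is an invented placeholder.

# All control fields of package $2 from $1/var/lib/dpkg/status.
dpkg_status_fields() {
    awk -v pkg="$2" 'BEGIN { RS = ""; FS = "\n" }
        $1 == ("Package: " pkg) { for (i = 1; i <= NF; i++) print $i }' "$1/var/lib/dpkg/status"
}

# Fields outside the usual control set: custom "X-" fields or anything else a
# packager slipped in is where hidden metadata would sit.
nonstandard_fields() {
    dpkg_status_fields "$1" "$2" | awk -F ': ' '
        BEGIN {
            n = split("Package Status Priority Section Installed-Size Maintainer Original-Maintainer Architecture Multi-Arch Source Version Replaces Provides Depends Pre-Depends Recommends Suggests Breaks Conflicts Conffiles Description Homepage Essential", k, " ")
            for (i = 1; i <= n; i++) known[k[i]] = 1
        }
        /^[A-Za-z-]+: / && !($1 in known)'
}

# Maintainer scripts of package $2 (run as root at install and remove time).
maintainer_scripts() {
    for s in preinst postinst prerm postrm; do
        f="$1/var/lib/dpkg/info/$2.$s"
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

PKG_ROOT=$(mktemp -d)
mkdir -p "$PKG_ROOT/var/lib/dpkg/info"
cat > "$PKG_ROOT/var/lib/dpkg/status" <<'EOF'
Package: pscanner
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 24
Maintainer: unknown <noreply@example.invalid>
Architecture: amd64
Version: 1.0.0
Description: port scanner helper
 Constructed sample entry.
X-Secret-Code: EXAMPLE-ONLY

Package: vim
Status: install ok installed
Priority: optional
Section: editors
Architecture: amd64
Version: 2:8.2.3995-1ubuntu2
Description: Vi IMproved - enhanced vi editor
EOF
printf '#!/bin/sh\n# constructed postinst placeholder\nexit 0\n' \
    > "$PKG_ROOT/var/lib/dpkg/info/pscanner.postinst"

dpkg_status_fields "$PKG_ROOT" pscanner
echo "--- non-standard fields:"
nonstandard_fields "$PKG_ROOT" pscanner
echo "--- maintainer scripts:"
maintainer_scripts "$PKG_ROOT" pscanner
```

On the host, dpkg_status_fields "" pscanner reads /var/lib/dpkg/status directly, which still works when apt's cache is stale or the package came from a local .deb that no repository knows about.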