search
TryHackMeHackTheBoxLinkedIn

IronShade

Perform a compromise assessment on a Linux host and identify the attack footprints. - by Dex01

LogoIronShadeTryHackMechevron-right

The following post by 0xb0b is licensed under CC BY 4.0arrow-up-right

The following challenge recreates an incident scenario, where a honeypot got attacked by an APT Group called IronShade. Our task is now to investigate on one of those compromised linux servers. We need to perform a thorough compromise assessment on the Linux server and identify the attack footprints. Below I provide the commands to answer the individual questions of the challenge. This is a somewhat challenging to write, as a lot is revealed with each answer to the question. I hope you like it anyway.

hashtag
Retrieving The Machine ID

To get the unique identifier of the machine, we issue the following command: cat /etc/machine-id. This ID is typically used for system identification, software licensing, and other purposes requiring a unique machine identifier.

hashtag
Backdoor User Account Created on the Server

To check for a backdoor user account created on the server, we issue the following command: cat /etc/passwd. This command lists all user accounts on the system, allowing you to review and identify any unauthorized or suspicious accounts that may have been added.

hashtag
Cronjob Set Up by Attacker for Persistence

To check if an attacker has set up a cron job for persistence, we issue the following command: sudo crontab -l. This command lists all scheduled tasks for the root user, allowing you to identify any unauthorized or suspicious cron jobs that may have been added by an attacker.

hashtag
Suspicious Hidden Process Identified from Backdoor Account

To identify a suspicious hidden process associated with a backdoor account, we issue the following command: ps aux | grep "home/m**********e". This command searches for processes related to the specified path, helping to detect any potentially malicious processes running under the backdoor account.

hashtag
Number of Processes Running from Backdoor Account's Directory

To determine the number of processes running from a backdoor account's directory, we issue the following command: ps aux | grep "home/m**********e". This command lists all processes associated with the specified directory, allowing you to count how many are currently active.

hashtag
Hidden File in Memory Found in the Root Directory

To identify a hidden file in memory located in the root directory, we issue the following command: ls -lah /. This command lists all files and directories in the root directory, including hidden ones, along with their sizes and other attributes, helping to spot any suspicious or hidden files that might be present.

hashtag
Suspicious Services Installed on the Server

To identify suspicious services installed on the server, we issue the following command: systemctl list-units --type=service --all. This command lists all services on the system, including active, inactive, and disabled ones, allowing you to review and spot any unauthorized or suspicious services that may have been installed. Here we find two services with a very short description. We have already found one of them in the home directory under the running processes. For validation, the services have the following names b*****.******e and s******.******e.

hashtag
Backdoor Account Created on the Infected System

To check if a backdoor account was created on the infected system, we issue the following command: grep -a 'useradd' /var/log/auth.log. This command searches the authentication log for any instances of the useradd command being executed, helping to identify unauthorized user accounts that may have been added.

hashtag
Multiple SSH Connections to Backdoor Account Originated from IP Address

To identify multiple SSH connections to a backdoor account originating from an IP address, we issue the following command: grep -a 'sshd' /var/log/auth.log.

hashtag
Number of Failed SSH Login Attempts on the Backdoor Account

To determine the number of failed SSH login attempts on the backdoor account, we issue the following command: grep -a 'Failed password for microservice' /var/log/auth.log. This command searches the authentication log for entries related to failed password attempts for the specified user, allowing you to count the number of failed login attempts on the backdoor account. Some log entries indicate "message repeated 2 times," totaling 3 failed attempts, keep that in mind.

hashtag
Malicious Package Installed on the Host

To identify a malicious package installed on the host, we issue the following command: grep 'install ' /var/log/dpkg.log. This command searches the package manager's log for entries related to package installations, helping to spot any potentially unauthorized or malicious packages that were installed on the system. One installation stands out clearly with its time of correlation. The previous events also occurred at approximately the same time.

hashtag
Secret Code Found in the Metadata of the Suspicious Package

To find the secret code or other metadata of a suspicious package, we issue the following command: apt show pscanner. This command displays detailed information about the package p*******, including its description, version, dependencies, and metadata, where a hidden or suspicious code might be found.

PreviousU.A. High SchoolNextBlock

Last updated

Was this helpful?