From f1c40c14370aba51f25eead5e71e0336e5dbf6d5 Mon Sep 17 00:00:00 2001 From: KinJih Date: Mon, 10 Jun 2024 22:30:30 +0800 Subject: [PATCH] Update the post content of HTB Sherlock Brutus Writeup --- content/posts/HTB+Sherlock+Brutus/index.md | 35 ++++++++++++++-------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/content/posts/HTB+Sherlock+Brutus/index.md b/content/posts/HTB+Sherlock+Brutus/index.md index 062c6f7..e93d019 100644 --- a/content/posts/HTB+Sherlock+Brutus/index.md +++ b/content/posts/HTB+Sherlock+Brutus/index.md @@ -10,10 +10,18 @@ tags: ["HackTheBox", "HTB", "Sherlock", "Brutus"] ## Sherlock Scenario In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution. -## 題目素材 -壓縮檔中有兩個檔案 -- auth.log -- wtmp +## Evidences Overview +```bash +┌──(kali㉿kali)-[~/Desktop/HTB/Brutus] +└─$ unzip -l Brutus.zip +Archive: Brutus.zip + Length Date Time Name +--------- ---------- ----- ---- + 43911 03-06-2024 11:47 auth.log + 11136 03-06-2024 11:47 wtmp +--------- ------- + 55047 2 files +``` ### auth.log 問 ChatGPT: @@ -59,10 +67,10 @@ user2 pts/1 192.168.1.101 Sun May 8 08:00 - 10:15 (02:15) 要讀取 `wtmp` 檔案的二進制格式需要一些特殊的工具或程式庫來解析。可以自行編寫程式來讀取,或在 Unix 和 Linux 系統中使用 `utmpdump`。 -## 問題 +## Questions ### Question 1 -Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack? +> Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack? `grep` 一下 `auth.log` 中 `sshd` 一直登入失敗的紀錄,看是哪個 IP 被攻擊者使用。只有 65.2.161.68 這一個 IP 有失敗多次的紀錄。 @@ -118,10 +126,11 @@ sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2 sshd[2423]: Failed password for backup from 65.2.161.68 port 34834 ssh2 sshd[2424]: Failed password for backup from 65.2.161.68 port 34856 ssh2 ``` + **Ans: 51.2.161.68** ### Question 2 -The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account? +> The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account? 一樣 `grep` 一下 `auth.log`,這次要找的是成功登入的紀錄,關鍵字是 Accepted。攻擊者的 IP 成功登入的使用者是 `root`。 @@ -137,7 +146,7 @@ sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2 **Ans: root** ### Question 3 -Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives? +> Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives? 暴力破解僅嘗試密碼是否可以登入,成功登入就會馬上登出。後續待攻擊者自行登入利用。一開始先回答了 `auth.log` 的時間戳,結果是錯誤的答案,確認一下提示得知要參考的是 `wtmp` 的時間。 @@ -192,7 +201,7 @@ Can you identify the timestamp when the attacker manually logged in to the serve **Ans: 2024-03-06 06:32:45** ### Question 4 -SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2? +> SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2? `grep` 一下 `auth.log` 中 New session 的紀錄,對應時間建立的工作階段編號是 37。 @@ -208,7 +217,7 @@ Mar 6 06:37:34 ip-172-31-35-28 systemd-logind[411]: New session 49 of user cybe **Ans: 37** ### Question 5 -The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account? +> The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account? 攻擊者新增了一個使用者,並賦予他更高的權限,相關的指令是 `groupadd`,所以 `grep` 一下 add 看看。攻擊者新增了一個叫 `cyberjunkie` 的使用者,並把它加進 `sudo` 群組。 @@ -226,7 +235,7 @@ Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group **Ans: cyberjunkie** ### Question 6 -What is the MITRE ATT&CK sub-technique ID used for persistence? +> What is the MITRE ATT&CK sub-technique ID used for persistence? 攻擊者新建了一個本地使用者。 @@ -236,7 +245,7 @@ What is the MITRE ATT&CK sub-technique ID used for persistence? **Ans: T1136.001** ### Question 7 -How long did the attacker's first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds) +> How long did the attacker's first SSH session last based on the previously confirmed authentication time and session ending within the auth.log? (seconds) 從 `auth.log` 尋找 session 37 的相關紀錄,然後計算開始到結束的時間差。結果送出答案後是錯的,所以改用 `wtmp` 的時間試試看,Bingo! @@ -252,7 +261,7 @@ Mar 6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Removed session 37. **Ans: 279** ### Question 8 -The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo? +> The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo? 攻擊者新建的後門帳戶使用高權限去下載惡意腳本,前面提到該帳戶被加入 `sudo` 群組,所以 `grep` 字串 `sudo` 發現有兩個命令被執行,其中一個正是透過 `curl` 下載腳本。