AngelMascaro / broscience_htb_hackingoldschool


Deleting clues #1 - Erasing the trail #27

Closed cpratlao closed 1 year ago

cpratlao commented 1 year ago

Person --> Cristian Temps --> 02/03/2023 18:00 - 20:00h
Action --> Connect to the server as root and remove our trail
Endpoint --> 10.10.11.195
Result --> We successfully erased our trail.
Output:

In this section we erase our trail on the attacked machine so that it is not detected that we gained access.

1-Erase the trail of the SSH access with the user Bill

bill@broscience $ cat auth.log | grep 10.10.14.74
Feb  28 20:23:23 broscience sshd[24828]: Accepted password for bill from 10.10.14.74 port 43164 ssh2
bill@broscience $ sed -i '/10.10.14.74/d' auth.log
bill@broscience $ cat auth.log | grep 10.10.14.74
bill@broscience $
bill@broscience $ sed -i '/10.10.14.123/d' auth.log
bill@broscience $ cat auth.log | grep 10.10.14.123
bill@broscience $

2-Erase the requests made to the website from our IPs

bill@broscience $ cat access.log | grep 10.10.14.74
10.10.14.74 - - [02/Mar/2023:12:21:00 -0500] "GET / HTTP/1.1" 200 4708 "-" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:03 -0500] "GET /includes/img.php?path=bench.png HTTP/1.1" 200 31435 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:03 -0500] "GET /includes/img.php?path=barbell_squats.jpeg HTTP/1.1" 200 112050 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:03 -0500] "GET /includes/img.php?path=seated_rows.png HTTP/1.1" 200 46659 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:04 -0500] "GET /includes/img.php?path=deadlift.png HTTP/1.1" 200 1012876 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:04 -0500] "GET /includes/img.php?path=tricep_extensions.jpeg HTTP/1.1" 200 298570 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:04 -0500] "GET /includes/img.php?path=dumbell_curls.jpeg HTTP/1.1" 200 327576 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:04 -0500] "GET /includes/img.php?path=reverse_butterfly.jpeg HTTP/1.1" 200 69254 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.74 - - [27/Feb/2023:17:41:04 -0500] "GET /includes/img.php?path=shoulder_press.jpeg HTTP/1.1" 200 599102 "https://broscience.htb/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
...
bill@broscience $ sed -i '/10.10.14.74/d' access.log 
bill@broscience $ cat access.log | grep 10.10.14.74
bill@broscience $
bill@broscience $ sed -i '/10.10.14.123/d' access.log 
bill@broscience $ cat access.log | grep 10.10.14.123
bill@broscience $

3-Erase the database access

bill@broscience $ cat postgresql.conf | grep log_connections
# "postgres -c log_connections=on".  Some parameters can be changed at run time
#log_connections = off
bill@broscience $

As we can see, the directive that records connections in the logs (log_connections) is not enabled.
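From a defender's point of view, the `sed -i '/IP/d'` step shown above only removes the auth.log lines that mention the client IP. sshd writes more than one line per login under the same `sshd[PID]` prefix, and the PAM "session opened" record does not contain the IP, so it survives and becomes an orphan with no matching "Accepted" line. The following detector is an added example (it is not part of this issue or of the HTB box) that runs over a constructed auth.log sample; the IPs, PIDs and usernames in the sample are made up, and it assumes the standard Debian syslog-style auth.log format.

```python
"""Flag sshd sessions in auth.log whose authentication record is missing.

Added example, not code from the original issue. Assumption: syslog-style
auth.log where the "Accepted ..." line and the
"pam_unix(sshd:session): session opened" line for one login share the same
sshd[PID]. Deleting lines by client IP leaves the session-opened line behind.
"""
import re
from typing import Dict, List

# "Accepted password for bill from 10.10.14.74 port 43164 ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "pam_unix(sshd:session): session opened for user bill by (uid=0)"
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)

# Constructed sample: one intact login (PID 24700) and one login whose
# "Accepted" line was deleted by IP (PID 24901), plus noise that must not match.
SAMPLE_AUTH_LOG = [
    "Feb 28 20:10:01 broscience sshd[24650]: Failed password for invalid user admin from 192.0.2.50 port 40001 ssh2",
    "Feb 28 20:15:10 broscience sshd[24700]: Accepted password for alice from 192.0.2.10 port 40120 ssh2",
    "Feb 28 20:15:10 broscience sshd[24700]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Feb 28 20:18:42 broscience sshd[24700]: pam_unix(sshd:session): session closed for user alice",
    # The "Accepted password for bill from <ip> ..." line for PID 24901 is gone.
    "Feb 28 20:23:23 broscience sshd[24901]: pam_unix(sshd:session): session opened for user bill by (uid=0)",
    "Feb 28 20:23:23 broscience systemd-logind[512]: New session 7 of user bill.",
]


def find_orphaned_sessions(lines: List[str]) -> List[Dict[str, str]]:
    """Return session-opened records with no preceding Accepted line for the same PID.

    Correlation is by sshd PID: the sshd process that logs "Accepted" is the
    one that later logs the PAM session open, so a session with no Accepted
    record for its PID indicates a deleted (or never written) auth line.
    """
    accepted: Dict[str, Dict[str, str]] = {}
    orphans: List[Dict[str, str]] = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["pid"]] = {"user": m["user"], "ip": m["ip"]}
            continue
        m = SESSION_RE.search(line)
        if m and m["pid"] not in accepted:
            orphans.append({"pid": m["pid"], "user": m["user"], "line": line.strip()})
    return orphans


def report(lines: List[str]) -> str:
    """Human-readable summary, one line per suspicious session."""
    orphans = find_orphaned_sessions(lines)
    if not orphans:
        return "no orphaned sshd sessions found"
    return "\n".join(
        f"orphaned session: pid={o['pid']} user={o['user']} :: {o['line']}" for o in orphans
    )


if __name__ == "__main__":
    # Usage with the constructed sample; point this at a real auth.log to run it for real.
    print(report(SAMPLE_AUTH_LOG))
```

The check is only a tripwire: a more thorough cleanup could remove the PAM and systemd-logind lines too, which is why the usual mitigation is to ship auth.log and the web server access log to a remote collector in real time, so that the copy on the compromised host is not the only record. For the PostgreSQL point in step 3, enabling `log_connections = on` in postgresql.conf would have produced a connection record for the database access in the first place.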