The it-admin user saved the file with ":saveas /bin/os-update.sh" instead of using ":wq!" or "^zZ".
Taking the previous entries into account, the user it-admin edited the file /home/it-admin/bomb.sh using the vi editor and saved it as /bin/os-update.sh using the command ":saveas /bin/os-update.sh".
When was the file from the previous question last modified? (Format: Month Day HH:MM)
What is the name of the file that will get created when the file from the first question executes?
root@ip-10-10-177-249:~# cat /bin/os-update.sh
# 2022-06-05 - Initial version
# 2022-10-11 - Fixed bug
# 2022-10-15 - Changed from 30 days to 90 days
OUTPUT=`last -n 1 it-admin -s "-90days" | head -n 1`
if [ -z "$OUTPUT" ]; then
rm -r /var/lib/dokuwiki
echo -e "I TOLD YOU YOU'LL REGRET THIS!!! GOOD RIDDANCE!!! HAHAHAHA\n-mistermeist3r" > /goodbye.txt
fi
A: goodbye.txt
Following the fuse
At what time will the malicious file trigger? (Format: HH:MM AM/PM)
root@ip-10-10-177-249:~# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
0 8 * * * root /bin/os-update.sh
#
A cron job added by the attacker and assigned to the root user executes /bin/os-update.sh every day at 08:00 AM. You can use Crontab.guru to convert the schedule expression.
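Rather than reading the schedule by eye or pasting it into Crontab.guru, the same triage can be scripted. The following is an added example written for this writeup, not code from the room or from the writeup's author: it parses the system crontab format shown above (note the extra user field that per-user crontabs lack), renders the fixed-time schedules in the HH:MM AM/PM form the question asks for, and reports every job that is not one of the four stock run-parts dispatcher lines. The crontab text is embedded as sample input copied from the listing above.

```python
import re

# Sample input: the /etc/crontab listing from the page, embedded so this runs offline.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
0 8 * * * root /bin/os-update.sh
"""

# cron accepts both 0 and 7 for Sunday.
DOW = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# The dispatcher lines a stock Debian/Ubuntu /etc/crontab ships with.
STOCK_DISPATCHER = re.compile(r"run-parts --report /etc/cron\.(hourly|daily|weekly|monthly)")


def parse_system_crontab(text):
    """Return (minute, hour, dom, mon, dow, user, command) tuples.
    /etc/crontab and /etc/cron.d/* carry a user field before the command,
    unlike per-user crontabs edited with `crontab -e`."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append(tuple(parts))
    return jobs


def to_12h(hour, minute):
    """Render numeric hour/minute fields as HH:MM AM/PM."""
    h, m = int(hour), int(minute)
    h12 = h % 12 or 12
    return f"{h12:02d}:{m:02d} {'AM' if h < 12 else 'PM'}"


def describe(minute, hour, dom, mon, dow):
    """Plain-English rendering of the fixed-time schedules found in a stock
    /etc/crontab. Lists, ranges and steps are returned as the raw fields."""
    if not all(re.fullmatch(r"\*|\d+", f) for f in (minute, hour, dom, mon, dow)):
        return f"complex schedule: {minute} {hour} {dom} {mon} {dow}"
    if hour == "*":
        return "every minute" if minute == "*" else f"every hour at minute {int(minute):02d}"
    if minute == "*":
        return f"every minute of hour {int(hour):02d}"
    when = to_12h(hour, minute)
    if dow != "*":
        return f"every {DOW[int(dow)]} at {when}"
    if dom != "*":
        month = "every month" if mon == "*" else f"month {int(mon)}"
        return f"on day {int(dom)} of {month} at {when}"
    return f"every day at {when}"


def triage(jobs):
    """One finding per job that is not the distribution's run-parts dispatcher.
    Anything else in /etc/crontab, especially a lone script run as root,
    deserves a look at the script body and its mtime (stat on the file)."""
    findings = []
    for minute, hour, dom, mon, dow, user, command in jobs:
        if STOCK_DISPATCHER.search(command):
            continue
        findings.append({
            "user": user,
            "command": command,
            "schedule": describe(minute, hour, dom, mon, dow),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_system_crontab(CRONTAB)):
        print(f"{finding['user']}: {finding['command']} runs {finding['schedule']}")
```

On a live host, read /etc/crontab and each file under /etc/cron.d with the same parser; per-user crontabs under /var/spool/cron/crontabs have no user field and are not covered by this example.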
Medium
Disgruntled
Nothing suspicious... So far
The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?
A:
/usr/bin/apt install dokuwiki
What was the present working directory (PWD) when the previous command was run?
A:
/home/cybert
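Both answers above come from sudo's records in /var/log/auth.log, which log the invoking user, the working directory (PWD) and the full COMMAND for each elevated run. The following is an added example, not code from the room or the writeup's author, that parses that record format and pulls out the same fields, then flags the account-creation, sudoers-edit and root file-edit events the next tasks look for. The log lines are constructed for this example (timestamps and TTYs are made up); only the command strings mirror the events the writeup reconstructs.

```python
import re

# Constructed sample in the format sudo writes to /var/log/auth.log on Ubuntu.
# Timestamps and TTYs are invented; the commands mirror the writeup's events.
SAMPLE_AUTH_LOG = """\
Dec 28 06:10:01 ip-10-10-177-249 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:10:01 ip-10-10-177-249 sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:12:44 ip-10-10-177-249 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:13:02 ip-10-10-177-249 sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:20:31 ip-10-10-177-249 sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
"""

# One sudo command record: "<ts> <host> sudo: <user> : K=V ; K=V ; ... ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.+)$"
)


def parse_sudo_events(text):
    """Return one dict per sudo command record; pam_unix session lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        fields = {}
        for part in m.group("fields").split(" ; "):
            key, _, value = part.partition("=")
            fields[key] = value
        if "COMMAND" not in fields:
            continue
        events.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "tty": fields.get("TTY", ""),
            "pwd": fields.get("PWD", ""),
            "runas": fields.get("USER", ""),
            "command": fields["COMMAND"],
        })
    return events


def find_command(events, needle):
    """First sudo event whose COMMAND contains needle (e.g. 'apt install'), else None."""
    for ev in events:
        if needle in ev["command"]:
            return ev
    return None


# Programs whose use under sudo changes who can log in, who can escalate,
# or which files root edits: the three steps the writeup traces next.
WATCHED = {
    "adduser": "account created",
    "useradd": "account created",
    "usermod": "account modified",
    "visudo": "sudoers edited",
    "vi": "file edited as root",
    "vim": "file edited as root",
}


def flag_events(events):
    """Return (ts, invoking user, reason, command, pwd) for each watched command."""
    findings = []
    for ev in events:
        prog = ev["command"].split()[0].rsplit("/", 1)[-1]
        if prog in WATCHED:
            findings.append((ev["ts"], ev["user"], WATCHED[prog], ev["command"], ev["pwd"]))
    return findings


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_AUTH_LOG)
    hit = find_command(evs, "apt install")
    print("install:", hit["command"], "from PWD", hit["pwd"])
    for f in flag_events(evs):
        print(*f, sep=" | ")
```

To run it against a real host, feed the contents of /var/log/auth.log (and its rotated copies) into parse_sudo_events; on journald-only systems, `journalctl _COMM=sudo` yields the same records.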
Let’s see if you did anything bad
Which user was created after the package from the previous task was installed?
The cybert user executed the "adduser" command to create a user named it-admin.
A user was then later given sudo privileges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)
The cybert user executed "visudo" to configure the /etc/sudoers file and give sudo permissions to the it-admin user.
A script file was opened using the "vi" text editor. What is the name of this file?
The it-admin user executed "vi bomb.sh" in /home/it-admin to edit the file /home/it-admin/bomb.sh.
Bomb has been planted. But when and where?
What is the command used that created the file bomb.sh?
The it-admin user saved the file with ":saveas /bin/os-update.sh" instead of using ":wq!" or "^zZ". Taking the previous entries into account, the user it-admin edited the file /home/it-admin/bomb.sh using the vi editor and saved it as /bin/os-update.sh using the command ":saveas /bin/os-update.sh".
When was the file from the previous question last modified? (Format: Month Day HH:MM)
A:
Dec 28 06:29