We covered three of the most common Linux persistence techniques such as writing commands in .bashrc file, scheduled tasks in crontab and adding a user in /etc/passwd file. This was part of TryHackMe Tardigrade.
A server has been compromised, and the security team has decided to isolate the machine until it’s been thoroughly cleaned up. Initial checks by the Incident Response team revealed that there are five different backdoors. It’s your job to find and remediate them before giving the signal to bring the server back to production.
A dirty wordlist is essentially raw documentation of the investigation from the investigator’s perspective. It may contain everything that would help lead the investigation forward, from actual IOCs to random notes. Keeping a dirty wordlist assures the investigator that a specific IOC has already been recorded, helping keep the investigation on track and preventing getting stuck in a closed loop of used leads.
It also helps the investigator remember the mindset that they had during the course of the investigation. The importance of taking note of one’s mindset during different points of an investigation is usually given less importance in favour of focusing on the more exciting atomic indicators; however, recording it provides further context on why a specific bit is recorded in the first place. This is how pivot points are decided and further leads, born and pursued.
The advantages of a dirty wordlist don’t end here. A quick way to formally document findings at the end of the investigation is to clean them up. It is recommended to put in every sort of detail that may help during the course of the investigation. So, in the end, it would be easy to remove all the unneeded details and false leads, enrich actual IOCs, and establish points of emphasis. The flag for this task is: THM{d1rty_w0rdl1st}
Room Answers
What’s the most interesting file you found in giorgio’s home directory?
In every investigation, it’s important to keep a dirty wordlist to keep track of all your findings, no matter how small. It’s also a way to prevent going back in circles and starting from scratch again. As such, now’s a good time to create one and put the previous answer as an entry so we can go back to it later.
Another file that can be found in every user’s home directory is the .bashrc file. Can you check if you can find something interesting in giorgio’s .bashrc?
It seems we’ve covered the usual bases in giorgio’s home directory, so it’s time to check the scheduled tasks that he owns.
Did you find anything interesting about scheduled tasks?
This section is a bonus discussion on the importance of a dirty wordlist. Accept the extra point and happy hunting!
What is the flag?
A few moments after logging on to the root account, you find an error message in your terminal.
What does it say?
After moving forward with the error message, a suspicious command appears in the terminal as part of the error message.
What command was displayed?
You might wonder, “how did that happen? I didn’t even do anything? I just logged as root, and it happened.”
Can you find out how the suspicious command has been implemented?
There’s one more persistence mechanism in the system.
A good way to systematically dissect the system is to look for “usuals” and “unusuals”. For example, you can check for commonly abused or unusual files and directories.
This specific persistence mechanism is directly tied to something (or someone?) already present in fresh Linux installs and may be abused and/or manipulated to fit an adversary’s goals. What’s its name?
What is the last persistence mechanism?
Finally, as you’ve already found the final persistence mechanism, there’s value in going all the way through to the end.
The adversary left a golden nugget of “advise” somewhere.
What is the nugget?
Video Walkthrough
