| TamuCTF 2019 | MicroServices - 1_Logs | Forensic | 100 | 228 |
Download: filesystem.image - md5: 490c78e249177e6478539f459ca14e87
Thanks for discovering the malicious IP. We will add it to our block list. We also got a disk image of the web server while you were working. Can you dig a little deeper for us?
- What user was the attacker able to login as?
- What is the date & time that the attacker logged in? (MM/DD:HH:MM:SS)
Mount image and read /var/log/auth.log
Once the image has finished downloading, we mount it read-only so that nothing inside it gets modified while we work:

```
▶ mkdir aaa
▶ sudo mount -o ro filesystem.image aaa
```
We know the attacker's IP (10.91.9.93) and are looking for a successful login from it. Let's see what the auth.log file says about that address:

```
➜ microservices cat aaa/var/log/auth.log | grep '10.91.9.93'
Feb 17 00:06:04 ubuntu-xenial sshd: Accepted publickey for root from 10.91.9.93 port 41592 ssh2: RSA SHA256:lR4653Hv/Y9QthWvXFB2KkNPzQ1r8mItv83OgiCAR4g
```
Both flags come straight out of that one line: sshd accepted a public-key login for root from the attacker's IP at 00:06:04 on Feb 17.

Flag 1: root
Flag 2: 02/17:00:06:04
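The grep above is enough for a CTF, but a plain substring match on an IP is loose: the dots in '10.91.9.93' are regex wildcards and the pattern is unanchored, so it would also match an address such as 110.91.9.93. As an added example (not part of the writeup), the following Python parses sshd "Accepted" lines from an auth.log, compares the source IP as a parsed field rather than a substring, and renders the timestamp in the MM/DD:HH:MM:SS form the challenge asks for. The sample log is constructed; only the third line is the real one quoted in the writeup, and the `Login`, `parse_accepted`, `logins_from` and `challenge_answers` names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Syslog-style sshd "Accepted" line, as found in /var/log/auth.log on Ubuntu.
# The line quoted in the writeup has "sshd:" with no PID; real sshd normally
# writes "sshd[1234]:", so the PID part is optional here.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd(?:\[\d+\])?:\s+Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)"
)

MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


@dataclass
class Login:
    user: str
    method: str   # "publickey", "password", ...
    ip: str
    port: int
    host: str
    when: str     # MM/DD:HH:MM:SS, the format the challenge asks for


def parse_accepted(line: str) -> Optional[Login]:
    """Return a Login for an sshd 'Accepted ...' line, or None for anything else."""
    m = ACCEPTED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # syslog timestamps carry no year, so MM/DD:HH:MM:SS is all the line itself gives us.
    when = "%02d/%02d:%s" % (MONTHS[m.group("mon")], int(m.group("day")), m.group("time"))
    return Login(user=m.group("user"), method=m.group("method"), ip=m.group("ip"),
                 port=int(m.group("port")), host=m.group("host"), when=when)


def logins_from(lines: Iterable[str], ip: str) -> List[Login]:
    """All successful logins from exactly `ip`.

    The comparison is on the parsed field, not a substring search, so
    '10.91.9.93' does not also pull in '110.91.9.93' the way an
    unanchored grep '10.91.9.93' would.
    """
    return [login for login in map(parse_accepted, lines)
            if login is not None and login.ip == ip]


def challenge_answers(lines: Iterable[str], ip: str) -> Optional[Tuple[str, str]]:
    """(user, MM/DD:HH:MM:SS) of the first accepted login from `ip`, or None."""
    hits = logins_from(lines, ip)
    return (hits[0].user, hits[0].when) if hits else None


# Constructed sample of auth.log. Only the third line is the real one quoted
# in the writeup; the others are made up to exercise the filter.
SAMPLE_AUTH_LOG = """\
Feb 17 00:05:51 ubuntu-xenial sshd[1201]: Failed password for invalid user admin from 10.91.9.93 port 41580 ssh2
Feb 17 00:05:58 ubuntu-xenial sshd[1207]: Accepted password for vagrant from 10.0.2.2 port 53102 ssh2
Feb 17 00:06:04 ubuntu-xenial sshd: Accepted publickey for root from 10.91.9.93 port 41592 ssh2: RSA SHA256:lR4653Hv/Y9QthWvXFB2KkNPzQ1r8mItv83OgiCAR4g
Feb 17 00:07:12 ubuntu-xenial sshd[1230]: Accepted publickey for deploy from 110.91.9.93 port 40001 ssh2: RSA SHA256:CONSTRUCTED_FINGERPRINT
"""

if __name__ == "__main__":
    # Against the mounted image, read the lines from aaa/var/log/auth.log instead.
    for login in logins_from(SAMPLE_AUTH_LOG.splitlines(), "10.91.9.93"):
        print(login)
    print(challenge_answers(SAMPLE_AUTH_LOG.splitlines(), "10.91.9.93"))
```

On the sample above the failed password attempt from the attacker's IP is ignored, the vagrant login from another host is ignored, and the deploy login from 110.91.9.93 (which a bare grep would have shown) is kept out, leaving the single root publickey login at 02/17:00:06:04.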