|TamuCTF 2019||MicroServices - 4_Persistence||Forensic||100||42|
Download: filesystem.image - md5: 490c78e249177e6478539f459ca14e87
Thanks for that information. We are working on how to recover from this breach. One of the things we need to do is remove any backdoors placed by the attacker. Can you identify what the attacker left behind?
- What is the new user that was created?
- What is the full name of the new docker image that was pulled down?
filesystem.image - md5: 490c78e249177e6478539f459ca14e87
This challenge was rather simple given the information found earlier. In step 2 (2_Analysis), I saw that the $HOME of the
dev user is
/root, so we suspect that it is the new user :
Flag 1: dev
Then, when I started investigating on docker containers (cf. 3_Forensics), I saw an image Kali named:
Flag 2: tamuctf/kaliimage