Introduction:
In this room, you will explore the Linux file system to understand its structure, examine various files, and perform analysis to uncover potential vulnerabilities and misconfigurations.
Task 1: Connect to TryHackMe VPN
Access the TryHackMe website (https://tryhackme.com) and log in to your account.
Navigate to the Linux File System Analysis room (https://tryhackme.com/r/room/linuxfilesystemanalysis).
Click on the "Start Machine" button to deploy the virtual machine (VM) for this room.
Connect to the TryHackMe VPN using OpenVPN or the web terminal provided on the room page.
Task 2: Explore the Linux File System
Once connected to the VPN, access the deployed VM using SSH. Use the provided credentials (username and password) to log in.
ssh <username>@<IP_address>
Begin exploring the Linux file system. Start by navigating to the root directory:
cd /
Use commands like ls, cd, and pwd to navigate through directories and examine files and directories. Look for important system directories such as /bin, /etc, /var, /home, etc. Take note of any interesting files or directories that may contain valuable information, such as configuration files, executables, or user directories.
Task 3: Files, Permissions, and Timestamps
- Identifying the Foothold
Explore web directories to find potential clues of exploitation.
- Main Command:
ls -al /var/www/html/
Review uploaded files in the web server's directory.
- Main Command:
ls -al /var/www/html/uploads
Focus on non-image files for further investigation.
- Main Command:
ls -al /var/www/html/uploads | grep -v ".jpeg"
- Ownership and Permissions
Check file ownership and permissions to identify potential malicious files.
- Main Command:
ls -al /var/www/html/assets/reverse.elf
Investigate files owned by a specific user for suspicious activity.
- Main Command:
find / -user www-data -type f 2>/dev/null | less
- Timestamps
Use timestamps to track file modifications and access times.
Main Commands:
View Modify Timestamp:
ls -l /var/www/html/assets/reverse.elf
View Change Timestamp:
ls -lc /var/www/html/assets/reverse.elf
View Access Timestamp:
ls -lu /var/www/html/assets/reverse.elf
View all timestamps at once:
stat /var/www/html/assets/reverse.elf
- Metadata
Analyze metadata to understand file characteristics and origins.
- Main Command:
exiftool /var/www/html/assets/reverse.elf
- Checksums
Calculate checksums to identify known signatures of malicious files.
Main Commands:
MD5 Checksum:
md5sum /var/www/html/assets/reverse.elf
SHA-256 Checksum:
sha256sum /var/www/html/assets/reverse.elf
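The timestamp, ownership and checksum checks above, combined into one triage pass over a web directory (an added example, not part of the room or this writeup). It assumes GNU coreutils (stat -c, find -mmin, sha256sum) as found on the room's Linux VM; the directory and look-back window are arguments.

```sh
#!/bin/sh
# Added example (not the room's own code): list files under a directory that
# changed within the last N minutes and print owner, permissions, all three
# timestamps and a SHA-256, so each finding can be matched against known-bad
# hashes. Assumes GNU coreutils as on the room's Linux VM.

# $1 = directory to inspect (e.g. /var/www/html/uploads), $2 = minutes back
triage_recent() {
    dir=$1
    minutes=$2
    find "$dir" -type f -mmin "-$minutes" 2>/dev/null | sort | while IFS= read -r f; do
        # %y = modify (mtime), %z = change (ctime), %x = access (atime)
        stat -c 'file=%n owner=%U perms=%A mtime=%y ctime=%z atime=%x' "$f"
        printf 'sha256=%s\n' "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# The room's `grep -v ".jpeg"` idea, generalised to several image extensions:
# list non-image files directly inside a directory.
non_image_files() {
    find "$1" -maxdepth 1 -type f \
        ! -iname '*.jpeg' ! -iname '*.jpg' ! -iname '*.png' ! -iname '*.gif'
}
```

Run it as `triage_recent /var/www/html/uploads 60` to see everything touched in the last hour together with its hash.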
Question and Answer
- To practice your skills with the find command, locate all the files that the user bob created in the past 1 minute. Once found, review its contents. What is the flag you receive?
THM{0b1313afd2136ca0faafb2daa2b430f3}
- Extract the metadata from the reverse.elf file. What is the file's MIME type?
application/octet-stream
- Run the stat command against the /etc/hosts file on the compromised web server. What is the full Modify Timestamp (mtime) value?
2020-10-26 21:10:44.000000000 +0000
Task 4: Users and Groups
- Identifying User Accounts
Explore /etc/passwd to view system accounts and their attributes.
- Main Command:
cat /etc/passwd
Use cut and grep to quickly identify potential backdoor accounts.
- Main Command:
cat /etc/passwd | cut -d: -f1,3 | grep ':0$'
- Identifying Groups
Investigate /etc/group to understand group memberships and privileges.
- Main Command:
cat /etc/group
Check a specific user's group memberships.
- Main Command:
groups [username]
View members of a specific group.
- Main Command:
getent group [groupname]
- User Logins and Activity
Analyze user login history using last and lastlog.
Main Commands:
last
lastlog
View failed login attempts from authentication logs.
- Main Command:
cat /var/log/auth.log
or
cat /var/log/secure
Check currently logged-in users with who.
- Main Command:
who
- Sudo Configuration
Investigate /etc/sudoers for sudo privileges.
- Main Command:
sudo cat /etc/sudoers
Understanding these concepts and commands will help in investigating users and groups on a system, aiding in the detection of suspicious activity and potential backdoors.
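The backdoor-account check from this task, written as reusable functions over a passwd-format file (an added example, not the room's own code). The cut/grep pipeline above also lists root itself, so these functions exclude root and additionally report UIDs shared by more than one login name; the sample passwd content is constructed and the file is passed as an argument so the same functions run against /etc/passwd or a copy taken from the host.

```sh
#!/bin/sh
# Added example (not the room's own code): audit a passwd-format file for the
# signs of a planted account the room points at. Takes the file as $1 so it
# works on /etc/passwd or on a copy collected from the compromised host.

# Constructed sample resembling /etc/passwd, with one planted UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jane:x:1000:1000:Jane:/home/jane:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:0:0::/var/tmp:/bin/bash'

# Every login with UID 0 other than root (the room's cut/grep pipeline with
# root filtered out, since it always matches and hides the real finding).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs that appear on more than one line, with the names sharing them
# (output: "<uid>:<name1>,<name2>").
duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] (names[$3] ? "," : "") $1; n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

# Accounts with a real login shell whose home is outside /home; on a server
# where only people should have shells, each of these deserves a look.
shell_accounts_outside_home() {
    awk -F: '$7 ~ /(ba)?sh$/ && $6 !~ /^\/home\// { print $1 ":" $6 ":" $7 }' "$1"
}
```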
Question and Answer
- Investigate the user accounts on the system. What is the name of the backdoor account that the attacker created?
b4ckd00r3d
- What is the name of the group with the group ID of 46?
plugdev
- View the /etc/sudoers file on the compromised system. What is the full path of the binary that Jane can run as sudo?
/usr/bin/pstree
Task 5: User Directories and Files
- User Home Directories
User home directories store personalized settings and data.
- Main Command:
ls -l /home
- Hidden Files
Hidden files store sensitive configurations within user directories.
- Main Command:
ls -a /home/[username]
Common hidden files include .bash_history, .bashrc, and .profile.
- SSH and Backdoors
The .ssh directory contains SSH configuration and key files.
- Main Command:
ls -al /home/[username]/.ssh
Check authorized_keys for authorized SSH keys.
- Main Command:
cat /home/[username]/.ssh/authorized_keys
Ensure proper permissions on authorized_keys to prevent unauthorized access.
- Main Command:
ls -al /home/[username]/.ssh/authorized_keys
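An added example (not the room's own code) that turns the .ssh checks above into one audit of a user's home directory: it flags group- or world-writable permissions on .ssh and authorized_keys, which sshd's StrictModes rejects, and lists each key's type and comment so an unexpected key stands out. It assumes GNU stat (-c) as on the room's Linux VM; the home directory is an argument.

```sh
#!/bin/sh
# Added example (not the room's own code): audit one user's ~/.ssh.
# Prints "WEAK_PERMS <path> mode=<octal>" for group/world-writable entries and
# "KEY <type> comment='<comment>'" for each key in authorized_keys.
# Assumes GNU stat (-c %a) as on the room's Linux VM.

audit_ssh_dir() {
    home=$1
    sshdir=$home/.ssh
    keys=$sshdir/authorized_keys
    [ -d "$sshdir" ] || { echo "no .ssh directory in $home"; return 0; }
    # %a gives the octal mode; masking with 022 keeps only the group and
    # other write bits, which are the ones StrictModes refuses.
    for p in "$sshdir" "$keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WEAK_PERMS $p mode=$mode"
        fi
    done
    [ -f "$keys" ] || return 0
    # Skip blank and comment lines. A key line may start with options such as
    # from="..." or command="..." before the key type, so walk the fields
    # until the type is found, then drop the type and the base64 blob.
    grep -Ev '^[[:space:]]*(#|$)' "$keys" | while IFS= read -r line; do
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in ssh-*|ecdsa-*|sk-*) break ;; esac
            shift
        done
        if [ $# -lt 2 ]; then echo "UNPARSED $line"; continue; fi
        type=$1
        shift 2
        echo "KEY $type comment='$*'"
    done
}
```

Run it as `audit_ssh_dir /home/jane`; a key whose comment names no known device, or an options prefix nobody added on purpose, is what to follow up with stat and the user's history.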
Question and Answer
- View Jane's .bash_history file. What flag do you see in the output?
THM{f38279ab9c6af1215815e5f7bbad891b}
- What is the hidden flag in Bob's home directory?
THM{6ed90e00e4fb7945bead8cd59e9fcd7f}
- Run the stat command on Jane's authorized_keys file. What is the full timestamp of the most recent modification?
2024-02-13 00:34:16.005897449 +0000
Task 6: Binaries and Executables
- Identifying Suspicious Binaries
Use the find command to discover all executable files within the filesystem.
- Main Command:
find / -type f -executable 2> /dev/null
Analyze executable files for potential malicious activity.
- Tools: Metadata analysis, checksum verification, inspecting human-readable strings.
- Strings
Extract human-readable strings from binary files to identify potential malicious activity.
- Main Command:
strings [binary_file]
- Debsums
Verify the integrity of installed package files on Debian-based Linux systems.
- Main Command:
sudo debsums -e -s
- Binary Permissions
SetUID (SUID) and SetGID (SGID) are special permission bits in Unix systems.
Check for SUID binaries to identify potential privilege escalation vectors.
- Main Command:
find / -perm -u=s -type f 2>/dev/null
Investigate suspicious commands in user history files.
- Main Command:
sudo cat /home/[username]/.bash_history | grep -B 2 -A 2 "[command]"
Perform integrity checks on suspicious binaries.
- Main Command:
md5sum [binary_file]
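Two checks from this task as reusable functions (an added example, not the room's own code): one lists SUID/SGID files under a directory that are absent from a known-good list captured on a clean build, so a freshly planted binary shows up without reading the whole find output; the other reports files whose SHA-256 no longer matches a manifest in sha256sum format, the same idea debsums applies to package files. It assumes GNU find and sha256sum as on the room's Linux VM.

```sh
#!/bin/sh
# Added example (not the room's own code): SUID/SGID baseline comparison and
# hash-manifest drift detection. Assumes GNU find/sha256sum as on the room VM.

# $1 = directory to scan, $2 = file with one known-good SUID/SGID path per line.
# Prints every SUID or SGID file under $1 that is not listed in $2.
suid_not_in_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sort | grep -vxF -f "$2" || true
}

# $1 = manifest produced earlier with `sha256sum <files> > manifest`.
# Prints "ALTERED <path>" when the current hash differs and "MISSING <path>"
# when the file is gone; unchanged files produce no output.
hash_drift() {
    while read -r hash path; do
        [ -n "$hash" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "ALTERED $path"
        fi
    done < "$1"
}
```

Capture the baseline with `find / -type f -perm -4000 2>/dev/null | sort > suid-baseline.txt` on a known-clean host of the same build; anything the comparison prints is what to feed to strings and md5sum next.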
Question and Answer
- Run the debsums utility on the compromised host to check only configuration files. Which file came back as altered?
/etc/sudoers
- What is the md5sum of the binary that the attacker created to escalate privileges to root?
7063c3930affe123baecd3b340f1ad2c
Task 7: Rootkits
- Rootkits Overview
Rootkits are malicious tools designed to gain administrator-level control of a system while remaining undetected.
They can hide their presence, allowing attackers to maintain long-term access without detection.
- Chkrootkit
Function: Examines the filesystem for rootkits using common Linux binaries like grep and strings.
Usage: Good for a first-pass check to identify potential compromise, but may not catch all types of rootkits.
Example Command:
sudo chkrootkit
- RKHunter (Rootkit Hunter)
Function: Detects and removes rootkits on Unix-like operating systems.
Features: Offers a more comprehensive rootkit detection check compared to chkrootkit.
Checks: Compares SHA-1 hashes of core system files with known good ones, searches for common rootkit locations, wrong permissions, hidden files, and suspicious strings in kernel modules.
Usage: Recommended for a more thorough assessment of the affected system.
Example Command:
sudo rkhunter -c -sk
Question and Answer
- Run chkrootkit on the affected system. What is the full path of the .sh file that was detected?
/var/tmp/findme.sh
- Run rkhunter on the affected system. What is the result of the (UID 0) accounts check?
warning