Walkthrough of Linux File System Analysis

Introduction:

In this room, you will explore the Linux file system to understand its structure, examine various files, and perform analysis to uncover potential vulnerabilities and misconfigurations.

Task 1: Connect to TryHackMe VPN

  1. Access the TryHackMe website (https://tryhackme.com) and log in to your account.

  2. Navigate to the Linux File System Analysis room (https://tryhackme.com/r/room/linuxfilesystemanalysis).

  3. Click on the "Start Machine" button to deploy the virtual machine (VM) for this room.

  4. Connect to the TryHackMe VPN using OpenVPN or the web terminal provided on the room page.

Task 2: Explore the Linux File System

  1. Once connected to the VPN, access the deployed VM using SSH. Use the provided credentials (username and password) to log in.

     ssh <username>@<IP_address>
    
  2. Begin exploring the Linux file system. Start by navigating to the root directory:

     cd /
    
  3. Use commands like ls, cd, and pwd to navigate through directories and examine files and directories.

  4. Look for important system directories such as /bin, /etc, /var, /home, etc.

  5. Take note of any interesting files or directories that may contain valuable information, such as configuration files, executables, or user directories.

Task 3: Files, Permissions, and Timestamps

  1. Identifying the Foothold
  • Explore web directories to find potential clues of exploitation.

    • Main Command: ls -al /var/www/html/
  • Review uploaded files in the web server's directory.

    • Main Command: ls -al /var/www/html/uploads
  • Focus on non-image files for further investigation.

    • Main Command: ls -al /var/www/html/uploads | grep -v ".jpeg"
  2. Ownership and Permissions
  • Check file ownership and permissions to identify potential malicious files.

    • Main Command: ls -al /var/www/html/assets/reverse.elf
  • Investigate files owned by a specific user for suspicious activity.

    • Main Command: find / -user www-data -type f 2>/dev/null | less
  3. Timestamps
  • Use timestamps to track file modifications and access times.

    • Main Commands:

      • View Modify Timestamp: ls -l /var/www/html/assets/reverse.elf

      • View Change Timestamp: ls -lc /var/www/html/assets/reverse.elf

      • View Access Timestamp: ls -lu /var/www/html/assets/reverse.elf

      • View all timestamps at once: stat /var/www/html/assets/reverse.elf

  4. Metadata
  • Analyze metadata to understand file characteristics and origins.

    • Main Command: exiftool /var/www/html/assets/reverse.elf
  5. Checksums
  • Calculate checksums to identify known signatures of malicious files.

    • Main Commands:

      • MD5 Checksum: md5sum /var/www/html/assets/reverse.elf

      • SHA-256 Checksum: sha256sum /var/www/html/assets/reverse.elf
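
The ls/stat/sha256sum steps above can be combined into one triage pass over an upload directory. This is an added example, not part of the room: it lists every non-image file with its owner, all three timestamps and a SHA-256 sum, and flags files whose ctime is newer than their mtime, which is the trace a backdated `touch -d` leaves because ctime cannot be set from user space. It assumes GNU coreutils (`stat -c`, `date -d`) and builds its own constructed sample directory.

```shell
#!/bin/sh
# Added example (not the room's own material): triage a web upload directory.
# For every regular file that is not a JPEG, print owner, the three timestamps
# (mtime, ctime, atime) and a SHA-256 sum, and flag files whose ctime is newer
# than their mtime, the mark left by a backdated `touch -d`.
# Assumes GNU coreutils (stat -c, date -d, sha256sum).

# triage_uploads DIR -> path|owner|mtime|ctime|atime|sha256|flag, one line per file
triage_uploads() {
    find "$1" -type f ! -name '*.jpeg' ! -name '*.jpg' | sort | while read -r f; do
        owner=$(stat -c '%U' "$f")
        mtime=$(stat -c '%Y' "$f"); ctime=$(stat -c '%Z' "$f"); atime=$(stat -c '%X' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        flag=ok
        [ "$ctime" -gt "$mtime" ] && flag=BACKDATED
        printf '%s|%s|%s|%s|%s|%s|%s\n' "$f" "$owner" \
            "$(date -u -d "@$mtime" '+%F %T')" "$(date -u -d "@$ctime" '+%F %T')" \
            "$(date -u -d "@$atime" '+%F %T')" "$sum" "$flag"
    done
}

# Constructed sample directory (not the room's VM): a benign image, a stray
# script, and an ELF stub whose modify time was backdated with touch.
make_sample_uploads() {
    d=$(mktemp -d)
    printf 'JFIF' > "$d/cat.jpeg"
    printf '#!/bin/sh\necho placeholder\n' > "$d/upload.sh"
    printf '\177ELF' > "$d/reverse.elf"
    touch -d '2020-10-26 21:10:44 UTC' "$d/reverse.elf"   # forge the modify time
    printf '%s\n' "$d"
}

d=$(make_sample_uploads)
triage_uploads "$d"
```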

Question and Answer

  1. To practice your skills with the find command, locate all the files that the user bob created in the past 1 minute. Once found, review its contents. What is the flag you receive?

THM{0b1313afd2136ca0faafb2daa2b430f3}

  2. Extract the metadata from the reverse.elf file. What is the file's MIME type?

application/octet-stream

  3. Run the stat command against the /etc/hosts file on the compromised web server. What is the full Modify Timestamp (mtime) value?

2020-10-26 21:10:44.000000000 +0000

Task 4: Users and Groups

  1. Identifying User Accounts
  • Explore /etc/passwd to view system accounts and their attributes.

    • Main Command: cat /etc/passwd
  • Use cut and grep to quickly identify potential backdoor accounts, i.e. any account other than root whose UID is 0.

    • Main Command: cat /etc/passwd | cut -d: -f1,3 | grep ':0$'
  2. Identifying Groups
  • Investigate /etc/group to understand group memberships and privileges.

    • Main Command: cat /etc/group
  • Check a specific user's group memberships.

    • Main Command: groups [username]
  • View members of a specific group.

    • Main Command: getent group [groupname]
  3. User Logins and Activity
  • Analyze user login history using last and lastlog.

    • Main Commands:

      • last

      • lastlog

  • View failed login attempts from authentication logs.

    • Main Command: cat /var/log/auth.log or cat /var/log/secure
  • Check currently logged-in users with who.

    • Main Command: who
  4. Sudo Configuration
  • Investigate /etc/sudoers for sudo privileges.

    • Main Command: sudo cat /etc/sudoers

Understanding these concepts and commands will help in investigating users and groups on a system, aiding in the detection of suspicious activity and potential backdoors.
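
The cut/grep one-liner and the getent lookups above can be expressed as small awk functions that take the passwd and group files as parameters, so the same checks run against a mounted disk image (for example /mnt/evidence/etc/passwd) rather than only the live host. This is an added example, not the room's own material; the sample files are constructed, modelled on the room's findings rather than copied from the VM.

```shell
#!/bin/sh
# Added example (not from the room): parse passwd/group files with awk so the
# account name, UID and shell are reported together. File paths are parameters
# so the checks can run against a mounted image instead of the live system.

# uid0_accounts PASSWD -> every account with UID 0 other than "root", as name:shell
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $7 }' "$1"
}

# shell_accounts PASSWD -> accounts with a real login shell (not nologin/false),
# useful for spotting a service account that has been given a shell.
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 }' "$1"
}

# group_members GROUP GROUPNAME -> gid:member,member for one group
group_members() {
    awk -F: -v g="$2" '$1 == g { print $3 ":" $4 }' "$1"
}

# Constructed sample files modelled on the room's findings (not copied from the VM).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jane:x:1000:1000:Jane:/home/jane:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
b4ckd00r3d:x:0:0::/home/b4ckd00r3d:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:jane
plugdev:x:46:jane,bob
www-data:x:33:
EOF
    printf '%s\n' "$d"
}

d=$(make_samples)
echo "UID 0 accounts besides root:"; uid0_accounts "$d/passwd"
echo "Members of sudo:";              group_members "$d/group" sudo
```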

Question and Answer

  1. Investigate the user accounts on the system. What is the name of the backdoor account that the attacker created?

b4ckd00r3d

  2. What is the name of the group with the group ID of 46?

plugdev

  3. View the /etc/sudoers file on the compromised system. What is the full path of the binary that Jane can run as sudo?

/usr/bin/pstree

Task 5: User Directories and Files

  1. User Home Directories
  • User home directories store personalized settings and data.

    • Main Command: ls -l /home
  2. Hidden Files
  • Hidden files store sensitive configurations within user directories.

    • Main Command: ls -a /home/[username]
  • Common hidden files include .bash_history, .bashrc, and .profile.

  3. SSH and Backdoors
  • The .ssh directory contains SSH configuration and key files.

    • Main Command: ls -al /home/[username]/.ssh
  • Check authorized_keys for authorized SSH keys.

    • Main Command: cat /home/[username]/.ssh/authorized_keys
  • Ensure proper permissions on .ssh (0700) and authorized_keys (0600), owned by the account itself, so that no other user can add a key.

    • Main Command: ls -al /home/[username]/.ssh/authorized_keys
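
The authorized_keys review above can be scripted so that one call reports both the keys present and any permission or ownership problem. This is an added example, not the room's own material: `audit_ssh` takes a home directory, prints each key's type and comment, reports .ssh not being 0700 or authorized_keys not being 0600 (or owned by someone other than the home's owner), and returns non-zero if anything is wrong. It assumes GNU `stat -c` and builds a constructed sample home with deliberately loose permissions.

```shell
#!/bin/sh
# Added example (not from the room): audit a home directory's .ssh setup.
# Reports each key in authorized_keys (type and comment) and flags .ssh not
# 0700, authorized_keys not 0600, or either owned by someone other than the
# home's owner. Assumes GNU stat (-c).

# audit_ssh HOME -> prints findings; returns 1 if any permission/owner issue found
audit_ssh() {
    home=$1; rc=0
    owner=$(stat -c '%U' "$home")
    ak="$home/.ssh/authorized_keys"
    for p in "$home/.ssh" "$ak"; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p"); pown=$(stat -c '%U' "$p")
        case "$p" in *authorized_keys) want=600 ;; *) want=700 ;; esac
        if [ "$mode" != "$want" ]; then echo "PERM $p mode=$mode want=$want"; rc=1; fi
        if [ "$pown" != "$owner" ]; then echo "OWNER $p owner=$pown home=$owner"; rc=1; fi
    done
    if [ -f "$ak" ]; then
        # Key lines look like: [options] type base64 [comment]; skip blanks/comments.
        awk '!/^[[:space:]]*(#|$)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = $i; break }
            c = ""; for (j = i + 2; j <= NF; j++) c = c (c ? " " : "") $j
            print "KEY " t " " (c ? c : "(no comment)")
        }' "$ak"
    fi
    return $rc
}

# Constructed sample home (not the room's VM): two keys, loose permissions.
make_sample_home() {
    d=$(mktemp -d); mkdir -p "$d/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyData jane@laptop\n' \
        > "$d/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3NzaC1yc2EConstructedKeyData\n' >> "$d/.ssh/authorized_keys"
    chmod 755 "$d/.ssh"; chmod 644 "$d/.ssh/authorized_keys"   # deliberately loose
    printf '%s\n' "$d"
}

d=$(make_sample_home)
audit_ssh "$d" || echo "issues found in $d"
```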

Question and Answer

  1. View Jane's .bash_history file. What flag do you see in the output?

THM{f38279ab9c6af1215815e5f7bbad891b}

  2. What is the hidden flag in Bob's home directory?

THM{6ed90e00e4fb7945bead8cd59e9fcd7f}

  3. Run the stat command on Jane's authorized_keys file. What is the full timestamp of the most recent modification?

2024-02-13 00:34:16.005897449 +0000

Task 6: Binaries and Executables

  1. Identifying Suspicious Binaries
  • Use the find command to discover all executable files within the filesystem.

    • Main Command: find / -type f -executable 2> /dev/null
  • Analyze executable files for potential malicious activity.

    • Tools: Metadata analysis, checksum verification, inspecting human-readable strings.
  2. Strings
  • Extract human-readable strings from binary files to identify potential malicious activity.

    • Main Command: strings [binary_file]
  3. Debsums
  • Verify the integrity of installed package files on Debian-based Linux systems.

    • Main Command: sudo debsums -e -s
  4. Binary Permissions
  • SetUID (SUID) and SetGID (SGID) are special permission bits in Unix systems: a file with the bit set runs with the privileges of its owner or group rather than those of the user who launched it.

  • Check for SUID binaries to identify potential privilege escalation vectors.

    • Main Command: find / -perm -u=s -type f 2>/dev/null
  • Investigate suspicious commands in user history files.

    • Main Command: sudo cat /home/[username]/.bash_history | grep -B 2 -A 2 "[command]"
  • Perform integrity checks on suspicious binaries.

    • Main Command: md5sum [binary_file]
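
The SUID search and the checksum step above are more useful together: every SUID file is hashed and compared against a baseline of known-good hashes, so an attacker's extra SUID binary shows up as NEW and a tampered system binary as MODIFIED. This is an added example, not the room's own material; the baseline format (`path  md5` per line) and the sample tree are constructed, and the script assumes `md5sum` and a filesystem that honours the setuid bit.

```shell
#!/bin/sh
# Added example (not from the room): combine the SUID search with checksums.
# Every SUID file under ROOT is hashed and compared with a baseline of
# "path  md5" lines (e.g. taken from a clean build of the same image):
# a SUID file absent from the baseline is NEW, a differing hash is MODIFIED.
# Assumes md5sum and a filesystem that honours the setuid bit.

# suid_check ROOT BASELINE -> one line "STATUS /relative/path" per SUID file
suid_check() {
    root=$1; base=$2
    find "$root" -perm -4000 -type f 2>/dev/null | sort | while read -r f; do
        rel=${f#"$root"}                      # path relative to ROOT, as in baseline
        sum=$(md5sum "$f" | cut -d' ' -f1)
        known=$(awk -v p="$rel" '$1 == p { print $2 }' "$base")
        if [ -z "$known" ]; then echo "NEW $rel"
        elif [ "$known" != "$sum" ]; then echo "MODIFIED $rel"
        else echo "OK $rel"; fi
    done
}

# Constructed sample tree (not the room's VM): su matches the baseline, passwd
# was replaced, and a hidden SUID file in /tmp has no baseline entry at all.
make_sample_root() {
    d=$(mktemp -d); mkdir -p "$d/usr/bin" "$d/tmp"
    printf 'passwd-binary-v1' > "$d/usr/bin/passwd"
    printf 'su-binary-v1'     > "$d/usr/bin/su"
    printf 'copy-of-a-shell'  > "$d/tmp/.bash"
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/bin/su" "$d/tmp/.bash"
    printf '/usr/bin/passwd  %s\n' "$(printf 'passwd-binary-v0' | md5sum | cut -d' ' -f1)" > "$d/baseline"
    printf '/usr/bin/su  %s\n' "$(md5sum "$d/usr/bin/su" | cut -d' ' -f1)" >> "$d/baseline"
    printf '%s\n' "$d"
}

d=$(make_sample_root)
suid_check "$d" "$d/baseline"
```

Anything reported as NEW or MODIFIED is a candidate for the strings, metadata and debsums checks described above.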

Question and Answer

  1. Run the debsums utility on the compromised host to check only configuration files. Which file came back as altered?

/etc/sudoers

  2. What is the md5sum of the binary that the attacker created to escalate privileges to root?

7063c3930affe123baecd3b340f1ad2c

Task 7: Rootkits

  1. Rootkits Overview
  • Rootkits are malicious tools designed to gain administrator-level control of a system while remaining undetected.

  • They can hide their presence, allowing attackers to maintain long-term access without detection.

  2. Chkrootkit
  • Function: Examines the filesystem for rootkits using common Linux binaries like grep and strings.

  • Usage: Good for a first-pass check to identify potential compromise, but may not catch all types of rootkits.

  • Example Command: sudo chkrootkit

  3. RKHunter (Rootkit Hunter)
  • Function: Detects and removes rootkits on Unix-like operating systems.

  • Features: Offers a more comprehensive rootkit detection check compared to chkrootkit.

  • Checks: Compares SHA-1 hashes of core system files with known good ones, searches for common rootkit locations, wrong permissions, hidden files, and suspicious strings in kernel modules.

  • Usage: Recommended for a more thorough assessment of the affected system.

  • Example Command: sudo rkhunter -c -sk

Question and Answer

  1. Run chkrootkit on the affected system. What is the full path of the .sh file that was detected?

/var/tmp/findme.sh

  2. Run rkhunter on the affected system. What is the result of the (UID 0) accounts check?

warning