An Unusual Sighting

Personal Rating: Medium

We are given a bash history, an sshd log and a service we connect to with netcat that asks questions about the incident; the answers come from correlating the two log files.

What is the IP Address and Port of the SSH Server (IP:PORT)

100.107.36.130:2221

  • Can be seen in the sshd log

  • [2024-01-28 15:24:23] Connection from 100.72.1.95 port 47721 on 100.107.36.130 port 2221 rdomain ""

What time is the first successful login

2024-02-13 11:29:50

  • Can be seen in the sshd log

  • [2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0

What is the time of the unusual login

2024-02-19 04:00:14

  • Can be seen in the sshd log: it is the first login that falls outside office hours

  • [2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0

What is the Fingerprint of the attacker's public key

OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

  • Can be seen in the sshd log, on the publickey line logged for the suspicious login (sshd records the SHA256 fingerprint of the key offered by the client)

  • [2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

What is the first command the attacker executed after logging in

whoami

  • Can be seen in the bash history, as the first command timestamped just after the suspicious login

  • [2024-02-19 04:00:18] whoami

What is the final command the attacker executed before logging out

./setup

  • Can be seen in the bash history, as the last command of the session before a large gap in the timestamps

  • [2024-02-19 04:14:02] ./setup
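As an added example (not part of the writeup or the challenge files), the same triage steps done programmatically over the "[YYYY-MM-DD HH:MM:SS] message" lines the challenge uses. The sample input is constructed from the lines quoted above, and the 09:00 to 18:00 office-hours window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the sshd and bash-history lines quoted in the
# writeup, in the "[YYYY-MM-DD HH:MM:SS] message" layout the challenge uses.
SSHD_LOG = """\
[2024-01-28 15:24:23] Connection from 100.72.1.95 port 47721 on 100.107.36.130 port 2221 rdomain ""
[2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0
[2024-02-19 04:00:14] Failed publickey for root from 2.67.182.119 port 60071 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0
"""
BASH_HISTORY = """\
[2024-02-13 11:30:02] ls -la
[2024-02-19 04:00:18] whoami
[2024-02-19 04:14:02] ./setup
"""
LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] (.*)$")

def parse(text):  # [(datetime, message)] for every timestamped line, in file order
    rows = (LINE.match(raw) for raw in text.splitlines())
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)) for m in rows if m]

def first_match(entries, pattern):  # first (timestamp, re.Match) whose message matches
    for ts, msg in entries:
        m = re.search(pattern, msg)
        if m:
            return ts, m
    return None

def server_endpoint(entries):  # IP:PORT the daemon accepted the connection on
    hit = first_match(entries, r"Connection from \S+ port \d+ on (\S+) port (\d+)")
    return f"{hit[1].group(1)}:{hit[1].group(2)}" if hit else None

def sessions(entries):  # (timestamp, user, source ip) for each successful shell login
    pat = r"Starting session: shell on \S+ for (\S+) from (\S+) port"
    return [(ts, m.group(1), m.group(2)) for ts, m in ((ts, re.search(pat, msg)) for ts, msg in entries) if m]

def first_outside_office_hours(entries, start=9, end=18):  # assumed 09:00-18:00 window
    return next((s for s in sessions(entries) if not start <= s[0].hour < end), None)

def key_fingerprint(entries, source_ip):  # SHA256 fingerprint sshd logged for that peer
    hit = first_match(entries, rf"publickey for \S+ from {re.escape(source_ip)} .*SHA256:(\S+)")
    return hit[1].group(1) if hit else None

def commands_since(history, since):  # bash history commands at or after `since`, in order
    return [cmd for ts, cmd in parse(history) if ts >= since]
```

The first element of commands_since() is the attacker's first command and the last element is the final one before the session ended.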

HTB{B3sT_0f_luck_1n_th3_Fr4y!!}
