IronShade Write-up - TryHackMe

Performing a compromise assessment on a Linux host and identifying the attack footprints.

Incident Scenario

Based on the threat intel report we received, an infamous hacking group, IronShade, has been observed targeting Linux servers across the region. Our team set up a honeypot with weak SSH credentials and exposed ports so that the APT group would attack it and we could study their attack patterns.

You are provided with one of the compromised Linux servers. Your task as a Security Analyst is to perform a thorough compromise assessment on the Linux server and identify the attack footprints. Some threat reports indicate that one indicator of their attack is creating a backdoor account for persistence.

Tasks

Here are the tasks and their solutions.

Task 1

What is the Machine ID of the machine we are investigating?

We can find the machine ID by running the hostnamectl command, which reads the value from /etc/machine-id.

ubuntu@cybertees:~$ hostnamectl
   Static hostname: cybertees
         Icon name: computer-vm
           Chassis: vm
        Machine ID: dc7c8ac5c09a4bbfaf3d09d399f10d96
           Boot ID: efc07646572148a7a7d953f05e4943c1
    Virtualization: xen
  Operating System: Ubuntu 20.04.6 LTS
            Kernel: Linux 5.15.0-1066-aws
      Architecture: x86-64

Answer: dc7c8ac5c09a4bbfaf3d09d399f10d96

Task 2

What backdoor user account was created on the server?

The /etc/passwd file lists every account on the system; filtering for entries with a bash login shell narrows it down to the interactive users.

ubuntu@cybertees:~$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mircoservice:x:1001:1001:,,,:/home/mircoservice:/bin/bash

Answer: mircoservice

Task 3

What is the cronjob that was set up by the attacker for persistence?

I ran crontab -l as root and found the cronjob set up by the attacker.

root@cybertees:/home/mircoservice# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
[...]
# 
# m h  dom mon dow   command

@reboot /home/mircoservice/printer_app

Answer: @reboot /home/mircoservice/printer_app

Task 4

Examine the running processes on the machine. Can you identify the suspicious-looking hidden process from the backdoor account?

I ran ps aux to list all running processes and grepped for the backdoor account mircoservice.

root@cybertees:/home/mircoservice# ps aux | grep mircoservice
root         570  0.0  0.0   2364   516 ?        Ss   09:17   0:00 /home/mircoservice/.tmp/.strokes
root         879  0.0  0.0   2496    72 ?        S    09:17   0:00 /home/mircoservice/printer_app
root       16184  0.0  0.0   8172  2464 pts/3    S+   11:02   0:00 grep --color=auto mircoservice

Answer: .strokes

Task 5

How many processes are found to be running from the backdoor account’s directory?

From the previous output, we can see that there are two processes running from the backdoor account’s directory.

Answer: 2

Task 6

What is the name of the hidden file in memory from the root directory?

I checked the root directory for hidden files.

root@cybertees:/# ls -lahp | grep -v /
total 100K
-rwxr-xr-x   1 root root  17K Jul  2 22:35 .systmd

Answer: .systmd

Task 7

What suspicious services were installed on the server? Format is service a, service b in alphabetical order.

I went to the /etc/systemd/system directory and grepped for files that contain the word mircoservice.

root@cybertees:/etc/systemd/system# grep -r mircoservice
strokes.service:ExecStart=/home/mircoservice/.tmp/.strokes
backup.service.save:/home/mircoservice/backup
backup.service:ExecStart=/home/mircoservice/backup/sys_backup

Answer: backup.service, strokes.service
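Tasks 4 to 7 all come down to the same triage question: does a root-run process or service execute from somewhere it has no business being (a user's home directory, a temp directory) or from a dot-prefixed "hidden" path? The script below is an added example of that check and is not part of the original write-up or of the TryHackMe room; the ps aux lines and unit-file contents it works on are constructed samples modelled on the output shown above, and the list of user-writable prefixes is my own assumption about what counts as out of place.

```python
import re
from typing import Dict, List, Tuple

# Constructed `ps aux` sample modelled on the write-up's output; not a live capture.
PS_AUX_SAMPLE = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 167000 11000 ?        Ss   09:17   0:02 /sbin/init
root         570  0.0  0.0   2364   516 ?        Ss   09:17   0:00 /home/mircoservice/.tmp/.strokes
root         879  0.0  0.0   2496    72 ?        S    09:17   0:00 /home/mircoservice/printer_app
root         901  0.0  0.1  12000  4000 ?        Ss   09:17   0:00 /usr/sbin/cron -f
"""

# Constructed unit-file contents keyed by file name, modelled on the write-up's grep hits.
UNIT_FILES: Dict[str, str] = {
    "strokes.service": "[Service]\nExecStart=/home/mircoservice/.tmp/.strokes\n",
    "backup.service": "[Service]\nExecStart=/home/mircoservice/backup/sys_backup\n",
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
}

# Assumption: locations a root-run service or daemon normally has no business executing from.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_reasons(path: str) -> List[str]:
    """Return why an executable path looks out of place (empty list means nothing flagged)."""
    reasons: List[str] = []
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden (dot-prefixed) path component")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("runs from a user-writable directory")
    return reasons


def triage_ps(ps_output: str) -> List[Tuple[int, str, str, List[str]]]:
    """Parse `ps aux` text and return (pid, user, exe_path, reasons) for flagged processes."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)               # 11 columns; COMMAND keeps its spaces
        if len(fields) < 11:
            continue
        user, pid, command = fields[0], int(fields[1]), fields[10]
        exe_path = command.split()[0]
        reasons = suspicious_reasons(exe_path)
        if reasons:
            hits.append((pid, user, exe_path, reasons))
    return hits


# systemd allows prefix characters such as '-', '@', ':', '+', '!' before the executable.
EXEC_START_RE = re.compile(r"^ExecStart=[-@:+!]*(\S+)", re.MULTILINE)


def triage_units(units: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (unit_name, exe_path, reasons) for units whose ExecStart looks suspicious, sorted by name."""
    hits = []
    for name, text in units.items():
        for exe_path in EXEC_START_RE.findall(text):
            reasons = suspicious_reasons(exe_path)
            if reasons:
                hits.append((name, exe_path, reasons))
    return sorted(hits)


if __name__ == "__main__":
    for pid, user, path, why in triage_ps(PS_AUX_SAMPLE):
        print(f"PID {pid} ({user}): {path} -> {', '.join(why)}")
    for name, path, why in triage_units(UNIT_FILES):
        print(f"{name}: {path} -> {', '.join(why)}")
```

On the samples, the two flagged processes are PIDs 570 and 879 (the answer to Task 5), only .strokes carries the hidden-path reason (Task 4), and the sorted unit list comes out as backup.service, strokes.service, which is the alphabetical order Task 7 asks for. On a live box you would feed it `ps aux` output and the contents of /etc/systemd/system/*.service instead of the constructed strings.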

Task 8

Examine the logs; when was the backdoor account created on this infected system?

To solve this question, I checked the /var/log/auth.log file.

root@cybertees://etc/systemd/system# cat /var/log/auth.log | grep -a mircoservice
Aug  5 22:05:33 cybertees groupadd[2061]: group added to /etc/group: name=mircoservice, GID=1001
Aug  5 22:05:33 cybertees groupadd[2061]: group added to /etc/gshadow: name=mircoservice
Aug  5 22:05:33 cybertees groupadd[2061]: new group: name=mircoservice, GID=1001
Aug  5 22:05:33 cybertees useradd[2067]: new user: name=mircoservice, UID=1001, GID=1001, home=/home/mircoservice, shell=/bin/bash, from=/dev/pts/0
[...]

Answer: Aug 5 22:05:33

Task 9

From which IP address were multiple SSH connections observed against the suspicious backdoor account?

We can use previous logs to find the IP address that made multiple SSH connections.

root@cybertees://etc/systemd/system# cat /var/log/auth.log | grep -a mircoservice | grep -a sshd
Aug  5 22:10:40 cybertees sshd[2115]: Accepted password for mircoservice from 10.11.75.247 port 56660 ssh2
Aug  5 22:10:40 cybertees sshd[2115]: pam_unix(sshd:session): session opened for user mircoservice by (uid=0)
Aug  5 23:54:31 cybertees sshd[3117]: Accepted password for mircoservice from 10.11.75.247 port 62606 ssh2
[...]

Answer: 10.11.75.247

Task 10

How many failed SSH login attempts were observed on the backdoor account?

Again, we can use the auth.log file to find the number of failed SSH login attempts.

root@cybertees://etc/systemd/system# cat /var/log/auth.log | grep -a mircoservice | grep -a sshd | grep -a Failed
Aug  6 01:16:43 cybertees sshd[2256]: Failed password for mircoservice from 10.11.75.247 port 54649 ssh2
Aug  6 01:17:14 cybertees sshd[2256]: Failed password for mircoservice from 10.11.75.247 port 54649 ssh2
Aug 13 22:15:08 cybertees sshd[2385]: Failed password for mircoservice from 10.11.75.247 port 64855 ssh2
Aug 13 22:15:16 cybertees sshd[2385]: message repeated 2 times: [ Failed password for mircoservice from 10.11.75.247 port 64855 ssh2]
Aug 13 22:15:44 cybertees sshd[2388]: Failed password for mircoservice from 10.11.75.247 port 64871 ssh2
Aug 13 22:16:12 cybertees sshd[2388]: message repeated 2 times: [ Failed password for mircoservice from 10.11.75.247 port 64871 ssh2]

Answer: 8
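Counting by eye works for a handful of lines, but the "message repeated N times" lines rsyslog folds in are easy to miss, and that is exactly where the count for Task 10 goes from 6 visible lines to 8 attempts. The parser below is an added example (not from the original write-up or the room) that answers Tasks 8, 9 and 10 from the same auth.log excerpt: it unfolds the repeat lines, finds the useradd event, and tallies accepted and failed SSH logins per source IP. The log text is a constructed sample modelled on the lines shown above; the regexes are my own.

```python
import re
from collections import Counter
from typing import Dict, Iterator, Optional, Tuple

# Constructed auth.log excerpt modelled on the write-up's grep output; not the full log.
AUTH_LOG_SAMPLE = """\
Aug  5 22:05:33 cybertees groupadd[2061]: new group: name=mircoservice, GID=1001
Aug  5 22:05:33 cybertees useradd[2067]: new user: name=mircoservice, UID=1001, GID=1001, home=/home/mircoservice, shell=/bin/bash, from=/dev/pts/0
Aug  5 22:10:40 cybertees sshd[2115]: Accepted password for mircoservice from 10.11.75.247 port 56660 ssh2
Aug  5 22:10:40 cybertees sshd[2115]: pam_unix(sshd:session): session opened for user mircoservice by (uid=0)
Aug  5 23:54:31 cybertees sshd[3117]: Accepted password for mircoservice from 10.11.75.247 port 62606 ssh2
Aug  6 01:16:43 cybertees sshd[2256]: Failed password for mircoservice from 10.11.75.247 port 54649 ssh2
Aug  6 01:17:14 cybertees sshd[2256]: Failed password for mircoservice from 10.11.75.247 port 54649 ssh2
Aug 13 22:15:08 cybertees sshd[2385]: Failed password for mircoservice from 10.11.75.247 port 64855 ssh2
Aug 13 22:15:16 cybertees sshd[2385]: message repeated 2 times: [ Failed password for mircoservice from 10.11.75.247 port 64855 ssh2]
Aug 13 22:15:44 cybertees sshd[2388]: Failed password for mircoservice from 10.11.75.247 port 64871 ssh2
Aug 13 22:16:12 cybertees sshd[2388]: message repeated 2 times: [ Failed password for mircoservice from 10.11.75.247 port 64871 ssh2]
"""

# Classic syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# rsyslog's duplicate suppression: the original message is wrapped in "[ ... ]"
REPEAT_RE = re.compile(r"^message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")
SSH_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def iter_events(log: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (timestamp, program, message, count), unfolding 'message repeated N times' lines."""
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse the padding space in e.g. 'Aug  5'
        msg, count = m["msg"], 1
        rep = REPEAT_RE.match(msg)
        if rep:
            msg, count = rep["inner"].strip(), int(rep["n"])
        yield ts, m["prog"], msg, count


def account_creation_time(log: str, user: str) -> Optional[str]:
    """Timestamp of the useradd event that created `user`, or None if it is not in the log."""
    for ts, prog, msg, _ in iter_events(log):
        if prog == "useradd" and msg.startswith("new user:") and f"name={user}," in msg:
            return ts
    return None


def ssh_auth_summary(log: str, user: str) -> Dict[str, Counter]:
    """Accepted and failed SSH authentications for `user`, counted per source IP."""
    summary: Dict[str, Counter] = {"accepted": Counter(), "failed": Counter()}
    for _, prog, msg, count in iter_events(log):
        if prog != "sshd":
            continue
        a = SSH_AUTH_RE.match(msg)
        if a is None or a["user"] != user:
            continue
        summary[a["result"].lower()][a["ip"]] += count  # repeats add their full count
    return summary


def failed_attempts(log: str, user: str) -> int:
    """Total failed SSH password/key attempts against `user`, repeats included."""
    return sum(ssh_auth_summary(log, user)["failed"].values())


def top_source_ip(log: str, user: str) -> Optional[str]:
    """Source IP with the most successful SSH logins for `user`."""
    accepted = ssh_auth_summary(log, user)["accepted"]
    return accepted.most_common(1)[0][0] if accepted else None


if __name__ == "__main__":
    user = "mircoservice"
    print("created:", account_creation_time(AUTH_LOG_SAMPLE, user))
    print("top source:", top_source_ip(AUTH_LOG_SAMPLE, user))
    print("failed attempts:", failed_attempts(AUTH_LOG_SAMPLE, user))
```

Against the sample this gives Aug 5 22:05:33 for the account creation, 10.11.75.247 as the source of both successful logins, and 8 failed attempts: the three single lines plus two repeat lines worth two each. The same parser runs over the real file with `open("/var/log/auth.log", errors="replace").read()`; the `errors="replace"` matters because, as the `grep -a` above hints, the log on this box contains non-text bytes.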

Task 11

Which malicious package was installed on the host?

I checked the /var/log/dpkg.log file to find the malicious package installed on the host.

root@cybertees://etc/systemd/system# grep " install " /var/log/dpkg.log
2024-06-26 17:50:09 install mlocate:amd64 <none> 0.26-3ubuntu3
2024-08-04 20:40:52 install linux-modules-5.15.0-1064-aws:amd64 <none> 5.15.0-1064.70~20.04.1
2024-08-04 20:41:01 install linux-image-5.15.0-1064-aws:amd64 <none> 5.15.0-1064.70~20.04.1
2024-08-04 20:41:03 install linux-aws-5.15-headers-5.15.0-1064:all <none> 5.15.0-1064.70~20.04.1
2024-08-04 20:41:18 install linux-headers-5.15.0-1064-aws:amd64 <none> 5.15.0-1064.70~20.04.1
2024-08-06 01:10:20 install pscanner:amd64 <none> 1.5

Answer: pscanner

Task 12

What is the secret code found in the metadata of the suspicious package?

I checked the metadata of the pscanner package.

ubuntu@cybertees:/home/mircoservice$ apt-cache show pscanner
Package: pscanner
Status: install ok installed
Priority: optional
Section: base
Maintainer: johnnyEng
Architecture: amd64
Version: 1.5
Description: Secret_code{_tRy_Hack_ME_}
Description-md5: ae666e4b1d47c1dcbf1858be7023e709

Answer: {_tRy_Hack_ME_}
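Tasks 11 and 12 become much quicker if you pivot on the timeline you already have: anything dpkg installed after the backdoor account appeared (Aug 5 22:05:33) deserves a look, and the package metadata is a plain Debian control stanza that a few lines of Python can parse. The script below is an added example, not code from the write-up or the room. The dpkg.log lines and the control stanza are constructed samples modelled on the output above, and the year in the pivot timestamp is an assumption taken from the dpkg.log dates, since auth.log does not record it.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the write-up's /var/log/dpkg.log output.
DPKG_LOG_SAMPLE = """\
2024-06-26 17:50:09 install mlocate:amd64 <none> 0.26-3ubuntu3
2024-08-04 20:41:01 install linux-image-5.15.0-1064-aws:amd64 <none> 5.15.0-1064.70~20.04.1
2024-08-04 20:41:02 status half-installed linux-image-5.15.0-1064-aws:amd64 5.15.0-1064.70~20.04.1
2024-08-06 01:10:20 install pscanner:amd64 <none> 1.5
"""

# Constructed control stanza modelled on the write-up's `apt-cache show pscanner` output.
CONTROL_SAMPLE = """\
Package: pscanner
Status: install ok installed
Priority: optional
Section: base
Maintainer: johnnyEng
Architecture: amd64
Version: 1.5
Description: Secret_code{_tRy_Hack_ME_}
Description-md5: ae666e4b1d47c1dcbf1858be7023e709
"""

# Assumption: the year is not in auth.log, so it is taken from the dpkg.log entries.
BACKDOOR_CREATED = datetime(2024, 8, 5, 22, 5, 33)


def installs_after(dpkg_log: str, pivot: datetime) -> List[Tuple[datetime, str, str]]:
    """Return (time, package, version) for dpkg 'install' entries at or after `pivot`."""
    hits = []
    for line in dpkg_log.splitlines():
        parts = line.split()
        # dpkg.log install lines: "<date> <time> install <pkg>:<arch> <old-version> <new-version>"
        if len(parts) < 6 or parts[2] != "install":
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        if ts >= pivot:
            hits.append((ts, parts[3].split(":")[0], parts[5]))
    return hits


def parse_control(text: str) -> List[Dict[str, str]]:
    """Parse Debian control stanzas ("Field: value", continuation lines indented, stanzas blank-separated)."""
    stanzas: List[Dict[str, str]] = []
    fields: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                stanzas.append(fields)
                fields, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()  # continuation of the previous field
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
    if fields:
        stanzas.append(fields)
    return stanzas


def find_braced_token(fields: Dict[str, str]) -> Optional[str]:
    """Return the first {...} token found in any field value, or None."""
    for value in fields.values():
        m = re.search(r"\{[^}]*\}", value)
        if m:
            return m.group(0)
    return None


if __name__ == "__main__":
    for ts, pkg, ver in installs_after(DPKG_LOG_SAMPLE, BACKDOOR_CREATED):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {pkg} {ver}")
    meta = parse_control(CONTROL_SAMPLE)[0]
    print("maintainer:", meta["Maintainer"], "| token:", find_braced_token(meta))
```

On the samples, pscanner 1.5 is the only package installed after the backdoor account was created, and the braced token pulled out of the control stanza is {_tRy_Hack_ME_}. For a real host, the control data for an installed package can be read from /var/lib/dpkg/status as well as from apt-cache show; both are in the same stanza format this parser handles.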

Conclusion

Nice! We have successfully completed the room. That was a great exercise for understanding the attack patterns. Feel free to reach out to me if you have any questions or feedback. Twitter: @sarperavci

This post is licensed under CC BY 4.0 by the author.