29th February 2024 / Document No. D24.102.XX
Prepared By: c4n0pus
Challenge Author(s): c4n0pus
Difficulty: Very Easy
Classification: Official
A very easy challenge around SSH logs and Bash history
- As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work has mysteriously been disappearing! We managed to extract the SSH logs and the Bash history from the dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come the competition! Note: Operating Hours of Korp: 0900 - 1900
- Linux basics
- SSH Logs
- Bash History
From the SSH logs, we pick out every line that refers to an inbound connection, for example:
Connection from 101.111.18.92 port 44711 on 100.107.36.130 port 2221
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0
We know Korp's hours of operation are 0900 - 1900, so an SSH login at 0400 in the morning is suspicious:
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0
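To turn the "outside operating hours" check into something repeatable, here is an added example (not part of the original writeup) that parses sshd lines in the timestamped format shown above and flags logins and session starts that fall outside Korp's 0900 - 1900 window. The sample lines are copied from the log excerpts in this writeup; the regex and the 9/19 hour boundaries are assumptions based on those excerpts and the challenge note.

```python
import re
from datetime import datetime

# Matches the timestamped sshd lines quoted in this writeup, e.g.
# "[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2"
# "[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0"
LOGIN_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?:Accepted (?P<method>\w+) for|Starting session: shell on \S+ for) "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Korp's operating hours from the challenge note: 0900 - 1900 (assumed half-open: 09:00 <= t < 19:00).
OPEN_HOUR, CLOSE_HOUR = 9, 19


def parse_logins(lines):
    """Return (timestamp, user, ip, port) for every accepted login or session start."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # not an authentication/session line; ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def outside_hours(events, open_hour=OPEN_HOUR, close_hour=CLOSE_HOUR):
    """Keep only events whose hour lies outside [open_hour, close_hour)."""
    return [e for e in events if not (open_hour <= e[0].hour < close_hour)]


# Sample input: lines copied from the log excerpts in this writeup.
SAMPLE_LOG = """\
[2024-02-13 11:29:50] Accepted password for root from 100.81.51.199 port 63172 ssh2
[2024-02-13 11:29:50] Starting session: shell on pts/2 for root from 100.81.51.199 port 63172 id 0
[2024-02-19 04:00:14] Starting session: shell on pts/2 for root from 2.67.182.119 port 60071 id 0
""".splitlines()

if __name__ == "__main__":
    for ts, user, ip, port in outside_hours(parse_logins(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} off-hours login: {user} from {ip}:{port}")
```

Timestamps are taken exactly as written in the log; if the server clock is not in Korp's local time, shift the hour window accordingly before trusting the result.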
The ECDSA key fingerprint taken from the logs: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1
From the bash history file:
[2024-02-19 04:00:18] whoami
[2024-02-19 04:14:02] ./setup