https://tryhackme.com/room/linuxthreatdetection1
Created by: tryhackme, TactfulTurtle


“When did the ubuntu user log in via SSH for the first time?
Answer Example: 2023-09-16.”

“Did the ubuntu user use SSH keys instead of a password for the above found date? (Yea/Nay)”
Yea!

On to Task 3, Detecting SSH Attacks!

“When did the SSH password brute force start?
Answer Format: 2023-09-15.”

“Which four users did the botnet attempt to breach?
Answer Format: Separate by a comma, in alphabetical order.”


“Finally, which IP managed to breach the root user?”
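The questions in Tasks 2 and 3 all come down to the same three sshd message families in auth.log: "Accepted publickey"/"Accepted password" for successful logins, "Failed password" for attempts, and "Invalid user" for names that don't exist. As an added example (not part of the room or this write-up), the script below runs grep/awk over a constructed auth.log in the traditional rsyslog format and pulls out the first login for a user and its auth method, the source IPs with enough failures to count as a brute force (with their first-seen timestamp), the usernames one source tried, and the IP that eventually got in as root. Hostname, PIDs, usernames and IPs (RFC 5737 documentation ranges) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room or this post. Parses a constructed
# auth.log (traditional rsyslog format: "Mon DD HH:MM:SS host sshd[pid]: ...",
# no year in the timestamp) with grep/awk. IPs are RFC 5737 documentation addresses.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sep 14 08:02:11 web01 sshd[1201]: Accepted publickey for ubuntu from 192.0.2.10 port 51022 ssh2: RSA SHA256:examplefingerprintnotreal
Sep 14 09:15:40 web01 sshd[1300]: Failed password for ubuntu from 192.0.2.10 port 51100 ssh2
Sep 14 09:15:47 web01 sshd[1300]: Accepted password for ubuntu from 192.0.2.10 port 51100 ssh2
Sep 15 02:00:01 web01 sshd[2001]: Invalid user admin from 198.51.100.7 port 40001
Sep 15 02:00:01 web01 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Sep 15 02:00:03 web01 sshd[2003]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 15 02:00:04 web01 sshd[2005]: Invalid user oracle from 198.51.100.7 port 40003
Sep 15 02:00:04 web01 sshd[2005]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Sep 15 02:00:06 web01 sshd[2007]: Invalid user test from 198.51.100.7 port 40004
Sep 15 02:00:06 web01 sshd[2007]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Sep 15 02:00:09 web01 sshd[2009]: Failed password for root from 198.51.100.7 port 40005 ssh2
Sep 15 02:04:30 web01 sshd[2050]: Accepted password for root from 198.51.100.7 port 40090 ssh2
EOF

# Peer IP = the word after "from". Looked up by keyword rather than a fixed field
# number because "Accepted publickey" lines carry a key-fingerprint suffix.
peer_ip() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }'
}

# First successful login for a user: timestamp plus method ("publickey" or "password").
first_login() {  # $1 = user, $2 = log file
    grep "sshd\[[0-9]*\]: Accepted [a-z]* for $1 from " "$2" | head -n 1 \
        | awk '{ print $1, $2, $3, $7 }'
}

# Source IPs with at least $2 failed password attempts: ip, count, first-seen time.
bruteforce_sources() {  # $1 = log file, $2 = minimum failures
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" \
        | awk -v min="$2" '{
              for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
              if (!(ip in first)) first[ip] = $1 " " $2 " " $3
              count[ip]++
          }
          END { for (ip in count) if (count[ip] >= min) print ip, count[ip], first[ip] }'
}

# Distinct usernames one IP tried passwords for, alphabetical, comma separated.
# The word before "from" is the user in both "for root from" and "for invalid user X from".
targeted_users() {  # $1 = log file, $2 = source IP (dots are unescaped, fine for ad hoc use)
    grep "sshd\[[0-9]*\]: Failed password for .* from $2 port " "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i - 1) }' \
        | sort -u | paste -s -d ',' -
}

# IPs that obtained a session as root by any method.
root_breach_sources() {  # $1 = log file
    grep 'sshd\[[0-9]*\]: Accepted [a-z]* for root from ' "$1" | peer_ip | sort -u
}

printf 'first ubuntu login : %s\n' "$(first_login ubuntu "$LOG")"
printf 'brute-force sources: %s\n' "$(bruteforce_sources "$LOG" 3)"
printf 'users targeted     : %s\n' "$(targeted_users "$LOG" 198.51.100.7)"
printf 'root breached from : %s\n' "$(root_breach_sources "$LOG")"
```

Two things to watch when doing this on the room's VM: the traditional syslog timestamp has no year, so the YYYY-MM-DD answer format means filling the year in from context (the file's modification time, or a `date` line elsewhere in the log), and the legitimate user's one failed password on Sep 14 stays under the threshold, which is why counting failures per source IP beats grepping for "Failed password" alone.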

On to Task 4, Initial Access via Services!


Thanks to THM, we know that the IP address 10.14.105.255 is likely the attacker's. We can confirm that by looking at the log.

“What is the path to the Python file the attacker attempted to open?”
I used grep to help with this. If you didn't know, Python files end in .py, so grepping the log for that extension narrows things down fast.

“Looking inside the opened file, what’s the flag you see there?”

On to Task 5, Building Process Tree!

“What is the PPID of the suspicious whoami command?”

“Moving up the tree, what is the PID of the TryPingMe app?”

“Which program did the attacker use to open a reverse shell?”
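All three Task 5 questions are the same operation: start at the suspicious whoami and follow PPID links upward until you hit the service that was exploited. As an added example (not the room's tree or this post's own code), the script below walks a constructed `ps -eo pid,ppid,comm` snapshot; the PIDs and the TryPingMe -> sh -> nc -> bash -> whoami chain are hypothetical and only illustrate the shape such a tree takes.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room or this post. Walks a process
# snapshot in `ps -eo pid,ppid,comm` format from a PID up to init. The snapshot
# below is constructed; PIDs and the reverse-shell chain are hypothetical.

PS_SNAPSHOT='    PID    PPID COMMAND
      1       0 systemd
    820       1 sshd
   1402       1 TryPingMe
   1455    1402 sh
   1460    1455 nc
   1461    1460 bash
   1470    1461 whoami'

# Print "pid ppid comm" for $1 and each ancestor, nearest first. Reads the
# snapshot from file $2 when given, so saved `ps -eo pid,ppid,comm` output works too.
ancestry() {
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$PS_SNAPSHOT"; fi; } \
        | awk -v start="$1" '
              NR > 1 { ppid[$1] = $2; comm[$1] = $3 }
              END {
                  pid = start
                  while (pid in comm) {      # stops at PPID 0, which has no row
                      print pid, ppid[pid], comm[pid]
                      pid = ppid[pid]
                  }
              }'
}

ppid_of() {  # parent PID of $1 (optional $2 = snapshot file)
    ancestry "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

ancestor_pid() {  # PID of the nearest ancestor of $1 whose command name is $2
    ancestry "$1" "$3" | awk -v name="$2" '$3 == name { print $1; exit }'
}

# Command name of whatever spawned the nearest shell ancestor of $1: for a
# reverse shell that is the tool (nc, socat, python, ...) that opened the socket.
shell_parent() {
    ancestry "$1" "$2" \
        | awk '$3 ~ /^(sh|bash|dash|zsh)$/ && !found { found = 1; next } found { print $3; exit }'
}

ancestry 1470
printf 'PPID of whoami      : %s\n' "$(ppid_of 1470)"
printf 'PID of TryPingMe    : %s\n' "$(ancestor_pid 1470 TryPingMe)"
printf 'shell spawned by    : %s\n' "$(shell_parent 1470)"
```

On a live box the same walk is `pstree -ps <pid>` (shows the ancestors with PIDs) or `ps -ef --forest`; if the processes are gone, the PPid line in a saved `/proc/<pid>/status` or the room's provided snapshot is what you have left. `comm` is truncated to 15 characters, so match on a prefix if the binary name is long.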

On to Task 6, Advanced Initial Access! We are done with the VM tasks (good job!), and THM now covers Human-Led Attacks. Initially, you would think of USB and phishing, but as they point out, Linux is primarily a server OS run by technical people (humble brag). Below are examples, and they also bring up supply chain compromises.


