BTLO: Log Analysis — Privilege Escalation

Fahri Korkmaz
Jan 8, 2022

This challenge is from Blue Team Labs Online and is rated Easy. You are given a bash_history file and have to analyse what the attacker did.

What user (other than ‘root’) is present on the server?

The attacker tried to navigate to Daniel’s home folder, so there is another user called “daniel” on the machine.

What script did the attacker try to download to the server?

Inside the bash_history file we can spot a wget command. Wget can be used to download files. In this case the attacker tried to download the linux-exploit-suggester.sh script from GitHub.

What packet analyzer tool did the attacker try to use?

We can see that the attacker called the command “tcpdump”. Tcpdump is a tool which can be used to capture network packets.

What file extension did the attacker use to bypass the file upload filter implemented by the developer?

At the end, the attacker tried to delete a file inside the uploads directory. We can conclude that this might be the web shell used during the attack. The web shell has the extension .phtml.

Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access?

Inside the logs we can see that the attacker tried to find binaries with the SUID bit set. This permission allows a file to be executed with the effective permissions of the owner of that file. After that the attacker executed “sh” with the “-p” parameter. This indicates that the sh file had the SUID bit set and, because sh is owned by root, the attacker was able to escalate his privileges to root.

So the correct answer is 4, because the attacker used SUID to escalate permissions.
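The manual review above can be repeated over any bash_history with a small triage script. The Python below is an added example, not part of the original write-up or the challenge files: it tags the kinds of commands this walkthrough picks out. The sample history, the placeholder URL and paths, the rule names and the list of alternate PHP extensions are assumptions, and the SUID rule goes slightly beyond the challenge by also accepting octal `-perm` forms.

```python
import re

# Constructed sample, not the challenge's bash_history; the URL and paths are placeholders.
SAMPLE_HISTORY = """\
ls -la
cd /home/daniel
wget https://example.invalid/linux-exploit-suggester.sh
ssh -p 2222 backup@example.invalid
tcpdump -i eth0
find / -perm -u=s -type f 2>/dev/null
sh -p
rm /var/www/html/uploads/x.phtml
"""

# (tag, pattern); group 1 is the detail worth reporting for that rule.
RULES = [
    ("home-dir-access", re.compile(r"^\s*(?:cd|ls|cat)\b.*?/home/([\w.-]+)")),
    ("tool-download", re.compile(r"^\s*(?:sudo\s+)?(?:wget|curl)\b.*?(\S+://\S+)")),
    ("packet-capture", re.compile(r"^\s*(?:sudo\s+)?(tcpdump|tshark)\b")),
    # find -perm with the setuid bit: octal (-4000, /6000) or symbolic (-u=s)
    ("suid-enumeration", re.compile(
        r"\bfind\b.*-perm\s+([-/]?(?:0?[4-7][0-7]{3}\b|\S*u[=+]\w*s))")),
    # a shell started with -p keeps the effective UID it inherited;
    # the word boundary keeps "ssh -p <port>" from matching
    ("shell-keeps-euid", re.compile(r"\b((?:ba|da)?sh)\b[\"',\s]+-p\b")),
    # extensions a PHP handler may also execute (assumed list, depends on server config)
    ("alt-php-extension", re.compile(r"(\S+\.(?:phtml|pht|phar|php[3-7]))\b")),
]


def triage(history_text):
    """Return (line_number, tag, detail) for every rule hit, in file order."""
    hits = []
    for number, line in enumerate(history_text.splitlines(), start=1):
        if line.startswith("#"):  # HISTTIMEFORMAT timestamp lines such as "#1641600000"
            continue
        for tag, pattern in RULES:
            match = pattern.search(line)
            if match:
                hits.append((number, tag, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, tag, detail in triage(SAMPLE_HISTORY):
        print(f"line {number}: {tag}: {detail}")
```

A hit is a lead for the analyst, not a verdict: each tagged line still has to be read in the context of the commands around it.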
