BTLO: Log Analysis — Privilege Escalation

This challenge is from Blue Team Labs Online. The challenge has Easy difficulty. In this challenge you get a bash_history file and have to analyse what the attacker has done.

What user (other than ‘root’) is present on the server?

The attacker tried to navigate to Daniel’s home folder. Hence there is another user called “daniel” on the machine

What script did the attacker try to download to the server?

Inside the bash_history file we can spot a wget command. Wget can be used to download files. In this case the attacker tried to download the Script from GitHub

What packet analyzer tool did the attacker try to use?

We can see that the attacker called the command “tcpdump”. Tcpdump is a tool which can be used to capture network packets.

What file extension did the attacker use to bypass the file upload filter implemented by the developer?

In the end the attacker tried to delete a file inside the uploads directory. We can conclude, this might be the web shell used during the attack. The web shell has the extension .phtml

Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access?

Inside the logs we can see that the attacker tried to find binaries with SUID bit set. This permissions allows to execute a file with the effective permissions of the owner of that file. After that the attacker executed “sh” with the “-p” Parameter. This indicates that the sh file had the SUID bit set and the attacker was able to escalate his privileges to root. Because sh is owned by root

So the correct answer is 4, because the attacker used SUID to escalate permissions.




Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Showcase $SHO utility overview

Unikname C.A.R.E™, a protocol for a successful end to the coronavirus lockdown

The Real Life National Treasure Hunt — The Beale Papers | Adhocra

UFOs — Documenting The Evidence

The Current State of Cybersecurity Performance

Bypassing Linux Firewalls with IPv6

Apple’s War for Digital Marketing Privacy — The Dawn of Blockchain Marketing?

[RedDev Series #1] PE Injection Trick

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

More from Medium

[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator

Boss of the SOC v1

Malware Analysis —Banking Trojan: Dyre

Threat Intelligence on Sentinel (Anomali & IBM X-Force)