Hey, kid! Good, you’re here!
Not sure if you’ve seen the news, but an employee from the IT department of one of our clients (CyberT) got arrested by the police. The guy was running a successful phishing operation as a side gig.
CyberT wants us to check if this person has done anything malicious to any of their assets. Get set up, grab a cup of coffee, and meet me in the conference room.
Here’s the machine our disgruntled IT user last worked on. Check if there’s anything our client needs to be worried about.
My advice: Look at the privileged commands that were run. That should get you started.
The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?
grep "sudo" /var/log/auth.log  # read auth.log and keep only the lines mentioning "sudo"

What was the present working directory (PWD) when the previous command was run?

Keep going. Our disgruntled IT user was supposed to install only a service on this computer, so look for commands that are unrelated to that.
Which user was created after the package from the previous task was installed?
grep "adduser" /var/log/auth.log  # account creation shows up as an adduser command run through sudo

A user was then later given sudo privileges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)
grep "visudo" /var/log/auth.log  # the timestamp of the visudo run is when the sudoers file was edited

A script file was opened using the "vi" text editor. What is the name of this file?
grep "vi " /var/log/auth.log  # trailing space so the pattern matches "vi <file>" but not visudo or "service"
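Instead of running a separate grep per question, the sudo lines in auth.log can be parsed once and the privileged commands triaged together. This is an added example, not part of the original walkthrough; the log lines, host name, account name and package name in it are constructed in the layout sudo writes to syslog, and the list of commands treated as unrelated to a service install is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the syslog layout sudo uses; not taken from the real machine.
SAMPLE_AUTH_LOG = """\
Dec 28 06:17:31 host sudo:   cybert : TTY=pts/1 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install examplepkg
Dec 28 06:17:32 host sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:17:40 host sudo: pam_unix(sudo:session): session closed for user root
Dec 28 06:18:01 host sudo:   cybert : TTY=pts/1 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:19:10 host sudo:   cybert : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:20:05 host sudo:   cybert : TTY=pts/1 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
"""

# One sudo command line: "<Mon Day HH:MM:SS> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_commands(log_text: str) -> List[Dict[str, str]]:
    """Return one record per privileged command; pam_unix session lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

# Assumed set of commands that have nothing to do with installing a service.
SUSPICIOUS = {
    "adduser": "new account created",
    "useradd": "new account created",
    "visudo": "sudoers edited",
    "usermod": "group or privilege change",
}

def flag_unrelated(records: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Tag each record with why it stands out, or None if it looks like routine package work."""
    flagged = []
    for r in records:
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]  # /usr/sbin/adduser -> adduser
        reason = SUSPICIOUS.get(binary)
        if reason is None and binary in ("vi", "vim", "nano") and r["cmd"].endswith(".sh"):
            reason = "shell script edited as root"
        flagged.append({**r, "reason": reason})
    return flagged

if __name__ == "__main__":
    for r in flag_unrelated(parse_sudo_commands(SAMPLE_AUTH_LOG)):
        print(f'{r["ts"]}  PWD={r["pwd"]}  {r["cmd"]}  ->  {r["reason"] or "routine"}')
```

On a real host, read /var/log/auth.log (and its rotated copies) into `parse_sudo_commands` instead of the constructed sample; the PWD field answers the working-directory question and the timestamp of the visudo record answers the sudoers question.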

That bomb.sh file is a huge red flag! While the file is already incriminating in itself, we still need to find out where it came from and what it contains. The problem is that the file no longer exists.