TryHackMe : Linux Server Forensics
Intro : It is not a type of CTF but it is about investigating a breached Linux server. You have been hired to investigate a data breach at ACME web design. All we have to do is grab the credentials and dive into the machine. There are 3 machines to solve. It is a part of Blue Teaming. So let's start.
Apache Log Analysis I :
Credentials are following:
MACHINE_IP
Username — ‘fred’
Password — ‘FredRules!’
1> Navigate to /var/log/apache2 → cd /var/log/apache2
Here you find 3 log files, but we have to investigate only the 'access.log' file.
2> How many different tools made requests to the server?
If you cat out the file you can't find it, because the output is too long to read through. So let's use some bash skills as a solution.
Tip : cat access.log | grep -oi 'nmap\|nikto\|gobuster\|dirbuster\|dirb' | sort -u
Here you will find 2 tools were used.
3> Name a path requested by Nmap.
To find the path, type the following command :
Tip : cat access.log | grep -i 'nmap'
The last one [GET request] is the answer : /nmaplower**********
Web Server Analysis :
Web scanners are run against servers pretty much all the time, so this traffic is not out of the ordinary.
Have a look around the site for potential attack vectors.
1> What page allows users to upload files?
After visiting the web page in a browser I found a few tabs, and among them 'contact.php' is where you find the upload functionality.
Ans : contact.php
2> What IP uploaded files to the server?
Tip : cat access.log | grep -i 'contact'
Because whenever an attacker tries to upload something on that page, the log stores his IP. So they would have to clear the log file. :)
Ans : 192.168.56.24
3> Who left an exposed security notice on the server?
Tip : cat access.log | grep -i 'security'
Paste the path into the browser and it will download a 'SECURITY.md' file; then view the file content.
Ans : Fred
Persistence Mechanisms I :
1> What command and option did the attacker use to establish a backdoor?
As hinted by TryHackMe, let's view the crontab for anything interesting.
Tip : cat /etc/crontab
See that the last one is executing a shell script.
Ans : sh -i
User Accounts :
1> What is the password of the second root account?
Tip : cat /etc/passwd
Here is a root2 account. The hint tells us we can find the password on 'Google'. So let's search.
Ans : mrcake
Apache Log Analysis II :
Same credentials; the IP is different.
1> Name one of the non-standard HTTP Requests.
Non-standard means anything other than the common HTTP methods like GET, POST, TRACE etc.
Ans : GXWR
2> At what time was the Nmap scan performed? (format: HH:MM:SS)
It is the time of the last non-standard request.
Ans : 13:30:15
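The grep one-liners in Apache Log Analysis I and II can be bundled into a small triage script. This is an added example, not part of the TryHackMe room; the log lines it parses are constructed sample data in Apache combined format (the date and the Nmap path are placeholders, the IP, method and time reuse values quoted above):

```shell
#!/bin/sh
# Added example: quick triage of an Apache access.log for scanner activity.
# Sample log below is CONSTRUCTED; only the IP, GXWR and 13:30:15 come from the writeup.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.168.56.24 - - [01/Jan/2021:13:29:58 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.24 - - [01/Jan/2021:13:30:10 +0000] "GET /nmaplowerCONSTRUCTED HTTP/1.1" 404 275 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.56.24 - - [01/Jan/2021:13:30:15 +0000] "GXWR / HTTP/1.1" 400 300 "-" "-"
192.168.56.24 - - [01/Jan/2021:13:31:01 +0000] "GET /admin/ HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.168.56.24 - - [01/Jan/2021:13:32:40 +0000] "POST /contact.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
EOF

# Distinct scanner names seen anywhere on a line (same idea as the grep | sort -u tip).
scanner_tools() {
    grep -oiE 'nmap|nikto|gobuster|dirbuster|dirb' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Paths requested on lines whose User-Agent (6th "-delimited field) names the tool.
paths_by_tool() {
    awk -F'"' -v tool="$2" 'tolower($6) ~ tolower(tool) { split($2, r, " "); print r[2] }' "$1"
}

# Request methods that are not one of the standard HTTP verbs.
nonstandard_methods() {
    awk -F'"' '{ split($2, r, " "); print r[1] }' "$1" \
        | grep -vxE 'GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH' | sort -u
}

# HH:MM:SS and method of every request using a non-standard verb.
nonstandard_times() {
    awk -F'"' '{
        split($2, r, " "); m = r[1]
        if (m !~ /^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH)$/) {
            match($1, /:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/)
            print substr($1, RSTART + 1, 8), m
        }
    }' "$1"
}

echo "Tools seen:";          scanner_tools "$LOG"
echo "Paths hit by Nmap:";   paths_by_tool "$LOG" nmap
echo "Non-standard methods:"; nonstandard_methods "$LOG"
echo "When they happened:";  nonstandard_times "$LOG"
```

Point LOG at the real /var/log/apache2/access.log (skipping the heredoc) to run the same checks on the box.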
Persistence Mechanisms II :
1> What username and hostname combination can be found in one of the authorized_keys files? (format: username@hostname)
We can find it in the root folder. For that you have to switch to the root user using the given password of 'fred'.
Tip : sudo su (Use Password), cd /root, cd .ssh, cat authorized_keys
Ans : kali@kali
Program Execution History :
1> What is the first command present in root’s bash_history file?
Tip : cat .bash_history
Ans : nano /etc/passwd
Persistence Mechanisms III :
1> Figure out what’s going on and find the flag.
Here you have to solve 1 question. You have to play with the 'systemctl' command to list all services and find the 1 service that contains the flag.
But when you first log in with ssh you will find that some sentences, shells and commands pop up and disturb you while typing your commands. You have to ignore all of that and type the proper command to find the running services.
Tip : systemctl --type=service --state=active [ignoring all the sentences]
Here I found so many services running, and among them I found an interesting one.
Tip : systemctl status IpManager.service
See that, ignoring the disturbance, I typed the proper command.
The service is Running.
I found there is a script running with that service, and I think this is the script that causes the disturbance. I cat out that script.
In the first line I found the Flag.
Ans : gh0st_1n_the_machine
And if you stop that service you will find everything is fine.
Tip : systemctl stop IpManager.service
It is a huge ghost script. Yes, the script is acting like a ghost :)
Hope you learned something new here. It is all about investigation skills.
THANKS FOR READING!!
Happy Hacking~