Linux Server Forensics
Contents
- Linux Server Forensics
- task1 Deploy the first VM
- task2 Apache Log Analysis I
- task3 Web Server Analysis
- task4 Persistence Mechanisms I
- task5 User Accounts
- task6 Deploy the second VM
- task7 Apache Log Analysis II
- task8 Persistence Mechanisms II
- task9 Program Execution History
- task10 Deploy The Final VM
- task11 Persistence Mechanisms III
- Username - ‘fred’
- Password - ‘FredRules!’
task1 Deploy the first VM
Q1 Deploy the machine and log in to the VM using the provided credentials.
task2 Apache Log Analysis I
1. Navigate to /var/log/apache2
2. How many different tools made requests to the server?
2
3. Name a path requested by Nmap.
/nmaplowercheck1618912425
task3 Web Server Analysis
1. What page allows users to upload files?
contact.php
2. What IP uploaded files to the server?
192.168.56.24
3. Who left an exposed security notice on the server?
Fred
task4 Persistence Mechanisms I
- cron
- Services/systemd
- bashrc
- Kernel modules
- SSH keys
What command and option did the attacker use to establish a backdoor?
sh -i
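The locations listed above are the ones to sweep first on a compromised host. The script below is an added example (not part of the original write-up) that greps the cron directories, systemd unit directory, shell rc files and module autoload lists under a given root for interactive-shell style commands such as the `sh -i` found here. `ROOT` is assumed to be the mount point of the disk image under analysis (`/` on a live system); the directory tree and the crontab entry it builds are constructed samples.

```shell
#!/bin/sh
# Added example, not from the write-up: scan common persistence locations for
# interactive / reverse-shell style commands. The tree built here is a
# CONSTRUCTED sample; in real use pass the mount point of the image as ROOT.
PATTERN='sh -i|/dev/tcp/|nc -e|ncat |socat |mkfifo'

ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/cron.d" "$ROOT/etc/systemd/system" "$ROOT/home/fred" "$ROOT/etc/modules-load.d"
printf '0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$ROOT/etc/crontab"   # benign entry
printf '* * * * * root sh -i >/dev/null 2>&1\n' > "$ROOT/etc/cron.d/update"                # constructed backdoor-style entry
printf 'alias ls="ls --color=auto"\n' > "$ROOT/home/fred/.bashrc"
printf '# local modules\nloop\nexample_mod\n' > "$ROOT/etc/modules-load.d/local.conf"     # example_mod is invented

# Print file:line:content for every match in cron, systemd, rc.local, profile.d and shell rc files
scan_persistence() {
    root="$1"
    for d in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly var/spool/cron \
             etc/systemd/system etc/rc.local etc/bash.bashrc etc/profile.d; do
        [ -e "$root/$d" ] || continue
        grep -rEn "$PATTERN" "$root/$d" 2>/dev/null
    done
    # per-user rc files: only the dotfiles, not whole home directories
    find "$root/home" "$root/root" -maxdepth 2 \( -name .bashrc -o -name .profile -o -name .bash_profile \) 2>/dev/null \
      | while read -r f; do grep -HEn "$PATTERN" "$f"; done
    return 0
}

# Kernel modules configured to load at boot (comment and blank lines dropped)
list_autoload_modules() {
    cat "$1/etc/modules" "$1"/etc/modules-load.d/*.conf 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)'
}

scan_persistence "$ROOT"
list_autoload_modules "$ROOT"
```

Each hit from `scan_persistence` should then be compared with the file's modification time (`stat`) against the attack window seen in the Apache and auth logs; a module name from `list_autoload_modules` that is not shipped by the distribution is checked with `modinfo` and a package query before anything is removed.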
task5 User Accounts
What is the password of the second root account?
mrcake
Reason for the privilege escalation:
Privilege escalation method:
echo "root3:Vh7tgs3zHGuMA:0:0:root:root:/bin/bash" >> /etc/passwd
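The appended line gives a second account UID 0 and puts a password hash straight into the second field of /etc/passwd instead of the `x` that defers to /etc/shadow. Both properties are easy to audit. The script below is an added example, not from the write-up; the passwd content is a constructed sample that reuses the hash string from the line above, with the other rows invented.

```shell
#!/bin/sh
# Added example, not from the write-up: find extra UID-0 accounts and entries
# carrying an inline password hash in /etc/passwd. The file content is a
# CONSTRUCTED sample; point the functions at /etc/passwd (or the image's copy).
PASSWD=$(mktemp); trap 'rm -f "$PASSWD"' EXIT
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fred:x:1000:1000:Fred:/home/fred:/bin/bash
root3:Vh7tgs3zHGuMA:0:0:root:root:/bin/bash
EOF

# Every account with UID 0 other than root itself
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Entries whose password field is neither "x" (shadowed) nor locked ("*" or "!...")
inline_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Accounts whose home directory is not a normal absolute path under /home or /root
odd_home_accounts() {
    awk -F: '$7 !~ /nologin|false$/ && $6 !~ /^\/(home\/|root$)/ { print $1 ":" $6 }' "$1"
}

extra_uid0_accounts "$PASSWD"
inline_hash_accounts "$PASSWD"
odd_home_accounts "$PASSWD"
```

On a live system the same three checks can be cross-referenced with `pwck -r` and with the modification time of /etc/passwd, which places the account creation on the timeline.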
task6 Deploy the second VM
Deploy the second machine and log in to the VM using the provided credentials.
task7 Apache Log Analysis II
1. Name one of the non-standard HTTP Requests.
GXWR
2. At what time was the Nmap scan performed? (format: HH:MM:SS)
13:30:15
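The questions in task2 and task7 all come down to splitting Apache's combined log format into method, path, timestamp and User-Agent. The script below is an added example (not code from the write-up) that does this for both tasks with awk: it counts distinct tool User-Agents, lists the paths requested by Nmap, flags request methods that are not standard HTTP verbs, and extracts the time of the first Nmap request. The log lines are constructed samples in the same format as /var/log/apache2/access.log; the IPs, paths and timestamps in them are invented, and the tool-name regex is an assumption you should extend for your own environment.

```shell
#!/bin/sh
# Added example, not from the write-up: answer the log-analysis questions from a
# combined-format Apache access log. The log below is a CONSTRUCTED sample.
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [20/Apr/2021:13:30:15 +0000] "GET /nmaplowercheck1618912425 HTTP/1.1" 404 456 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.10 - - [20/Apr/2021:13:30:15 +0000] "GXWR / HTTP/1.1" 400 301 "-" "-"
192.0.2.10 - - [20/Apr/2021:13:33:05 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "curl/7.74.0"
192.0.2.10 - - [20/Apr/2021:13:33:09 +0000] "GET /robots.txt HTTP/1.1" 404 455 "-" "curl/7.74.0"
203.0.113.5 - - [20/Apr/2021:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0"
EOF

# Splitting on double quotes gives: $1 = client and timestamp, $2 = request line,
# $3 = status and size, $4 = referer, $6 = User-Agent.

# Distinct User-Agents that belong to scanners/tools rather than browsers (regex is an assumption)
tool_user_agents() {
    awk -F'"' '{ print $6 }' "$1" | grep -Ei 'nmap|nikto|curl|sqlmap|gobuster|dirb|wfuzz|python-requests' | sort -u
}
count_tools() { tool_user_agents "$1" | wc -l | tr -d ' '; }

# Paths requested with an Nmap User-Agent
nmap_paths() {
    awk -F'"' 'tolower($6) ~ /nmap/ { split($2, r, " "); print r[2] }' "$1" | sort -u
}

# Request methods outside the standard HTTP verbs (Nmap sends junk verbs to fingerprint the server)
nonstandard_methods() {
    awk -F'"' '{ split($2, r, " "); print r[1] }' "$1" \
      | grep -Ev '^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE)$' | sort -u
}

# HH:MM:SS of the first request carrying an Nmap User-Agent
first_nmap_time() {
    awk -F'"' 'tolower($6) ~ /nmap/ {
        match($1, /:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/); print substr($1, RSTART + 1, 8); exit }' "$1"
}

echo "tools: $(count_tools "$SAMPLE_LOG")"
nmap_paths "$SAMPLE_LOG"
nonstandard_methods "$SAMPLE_LOG"
first_nmap_time "$SAMPLE_LOG"
```

On the VM, run the functions against `/var/log/apache2/access.log` and the rotated `access.log.1` / `access.log.*.gz` copies (`zcat` them first), since a scan that happened days earlier is often only in the rotated files.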
task8 Persistence Mechanisms II
What username and hostname combination can be found in one of the authorized_keys files? (format: username@hostname)
kali@kali
The .ssh files were modified on the date of the attack recorded in the logs.
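The key comment at the end of an authorized_keys line (normally `user@host` of the machine that generated the key) and the file's modification time are the two facts worth pulling from every .ssh directory on the box. The script below is an added example, not from the write-up; it walks a mounted root and prints both. The directory tree is a constructed sample, and the key strings in it are placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the write-up: list every authorized_keys entry under
# a root directory with its file mtime and key comment. The tree is a
# CONSTRUCTED sample; pass "/" or the image mount point in real use.
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/root/.ssh" "$ROOT/home/fred/.ssh"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEY fred@server\n' > "$ROOT/home/fred/.ssh/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY kali@kali\n' > "$ROOT/root/.ssh/authorized_keys"

# Print "file<TAB>mtime<TAB>comment" for each non-comment key line.
# $NF is the trailing comment when one exists; a key with no comment prints its
# base64 body instead, which is itself worth a look.
audit_authorized_keys() {
    find "$1/root/.ssh" "$1/home" -maxdepth 3 -name authorized_keys 2>/dev/null | sort |
    while read -r f; do
        mtime=$(stat -c %y "$f" 2>/dev/null || stat -f %Sm "$f")   # GNU stat, BSD fallback
        grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v f="$f" -v m="$mtime" '{ print f "\t" m "\t" $NF }'
    done
}

# Just the distinct user@host comments, for a quick answer to "who planted a key"
key_comments() { audit_authorized_keys "$1" | cut -f3 | sort -u; }

audit_authorized_keys "$ROOT"
```

Compare each mtime with the timestamps from the Apache and auth logs; an authorized_keys file written minutes after the upload to contact.php is the persistence step of the same intrusion.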
task9 Program Execution History
What is the first command present in root’s bash_history file?
nano /etc/passwd
1. bash_history - record of the commands run in bash
2. auth.log - /var/log/auth.log, history of commands run with sudo
3. history.log - /var/log/apt/history.log, history of all tasks executed with apt
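The three sources have different formats and different strengths: bash_history carries no timestamps unless HISTTIMEFORMAT was set, auth.log records every sudo invocation with a time and the target user, and apt's history.log records package operations with start and end times. The script below is an added example, not from the write-up, that extracts a command list from each. All three inputs are constructed samples written in the real file formats; the commands in them are invented.

```shell
#!/bin/sh
# Added example, not from the write-up: pull executed commands out of
# .bash_history, auth.log (sudo) and apt/history.log. All inputs are
# CONSTRUCTED samples in the genuine file formats.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/.bash_history" <<'EOF'
nano /etc/passwd
systemctl status ssh
EOF
cat > "$WORK/auth.log" <<'EOF'
Apr 20 13:35:02 server sudo:     fred : TTY=pts/0 ; PWD=/home/fred ; USER=root ; COMMAND=/usr/bin/nano /etc/passwd
Apr 20 13:35:02 server sudo: pam_unix(sudo:session): session opened for user root by fred(uid=0)
Apr 20 13:36:10 server sudo:     fred : TTY=pts/0 ; PWD=/home/fred ; USER=root ; COMMAND=/usr/bin/systemctl start IpManager
EOF
cat > "$WORK/history.log" <<'EOF'

Start-Date: 2021-04-20  13:40:21
Commandline: apt install net-tools
Requested-By: fred (1000)
Install: net-tools:amd64 (1.60+git20181103.0eebece-1)
End-Date: 2021-04-20  13:40:30
EOF

# First line of a history file (no timestamp available in the default format)
first_history_command() { sed -n '1p' "$1"; }

# auth.log: one line per sudo invocation; print "timestamp invoker->target command"
sudo_commands() {
    grep 'sudo:' "$1" | grep 'COMMAND=' \
      | sed -E 's/^(.{15}) [^ ]+ sudo: +([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1 \2->\3 \4/'
}

# apt history.log: pair each Commandline with the Start-Date of its block
apt_commands() {
    awk '/^Start-Date:/ { d = $2 " " $3 }
         /^Commandline:/ { sub(/^Commandline: /, ""); print d " " $0 }' "$1"
}

first_history_command "$WORK/.bash_history"
sudo_commands "$WORK/auth.log"
apt_commands "$WORK/history.log"
```

Because bash_history is written only when the shell exits and is trivially editable, treat auth.log as the authoritative source for anything run through sudo and use the history file mainly to recover commands that never went through sudo.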
task10 Deploy The Final VM
Deploy the final machine and log in to the VM using the provided credentials.
task11 Persistence Mechanisms III
Figure out what’s going on and find the flag.
gh0st_1n_the_machine
systemctl --type=service --state=active
systemctl status IpManager
ps -aux
How to stop it?
systemctl stop IpManager
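Once a service name stands out in `systemctl --type=service`, the unit file tells you what it actually runs; a planted service usually points ExecStart at a script in /tmp, /dev/shm or a home directory rather than at a packaged binary. The script below is an added example, not from the write-up: it extracts the ExecStart target from a unit file and classifies its location. The unit file is a constructed sample that borrows only the service name from the write-up; its contents are invented.

```shell
#!/bin/sh
# Added example, not from the write-up: triage a systemd unit file by pulling
# out the ExecStart program and checking where it lives. The unit file here is
# a CONSTRUCTED sample; on a live host use the path shown by `systemctl cat`.
UNITDIR=$(mktemp -d); trap 'rm -rf "$UNITDIR"' EXIT
cat > "$UNITDIR/IpManager.service" <<'EOF'
[Unit]
Description=IP Manager

[Service]
ExecStart=/tmp/.ipmanager/run.sh
Restart=always

[Install]
WantedBy=multi-user.target
EOF

# The program a unit starts: first word of the first ExecStart=, with systemd's
# optional "-", "@", "+" and "!" prefixes stripped
unit_exec_path() {
    sed -n 's/^ExecStart=[-@+!]*//p' "$1" | awk 'NR == 1 { print $1 }'
}

# "expected" when the program sits in a normal system directory, otherwise "suspicious"
classify_exec_path() {
    case "$1" in
        /usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*|/usr/lib/*|/usr/libexec/*|/lib/*) echo "expected" ;;
        *) echo "suspicious" ;;
    esac
}

# One tab-separated line: unit name, ExecStart target, verdict
triage_unit() {
    p=$(unit_exec_path "$1")
    printf '%s\t%s\t%s\n' "$(basename "$1")" "$p" "$(classify_exec_path "$p")"
}

triage_unit "$UNITDIR/IpManager.service"
```

On the VM, `systemctl cat IpManager` prints the unit's path and contents, and `systemctl disable --now IpManager` both stops it and removes the symlink that starts it at boot; copy the unit file and the script it points at before deleting them so the evidence survives the cleanup.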