TryHackMe – IronShade

Walkthrough of the IronShade TryHackMe challenge. https://tryhackme.com/room/ironshade

Linux Challenge

Incident Scenario

Based on the threat intel report received, an infamous hacking group, IronShade, has been observed targeting Linux servers across the region. Our team had set up a honeypot and exposed weak SSH and ports to get attacked by the APT group and understand their attack patterns.

You are provided with one of the compromised Linux servers. Your task as a Security Analyst is to perform a thorough compromise assessment on the Linux server and identify the attack footprints. Some threat reports indicate that one indicator of their attack is creating a backdoor account for persistence.

Challenge

Investigate the server and identify the footprints left behind after the exploitation.

What is the Machine ID of the machine we are investigating?

What backdoor user account was created on the server?
root@cybertees:/home/ubuntu# cat /etc/shadow
root::18561:0:99999:7::: daemon::18561:0:99999:7:::
bin::18561:0:99999:7::: sys::18561:0:99999:7:::
sync::18561:0:99999:7::: games::18561:0:99999:7:::
man::18561:0:99999:7::: lp::18561:0:99999:7:::
mail::18561:0:99999:7::: news::18561:0:99999:7:::
uucp::18561:0:99999:7::: proxy::18561:0:99999:7:::
www-data::18561:0:99999:7::: backup::18561:0:99999:7:::
list::18561:0:99999:7::: irc::18561:0:99999:7:::
gnats::18561:0:99999:7::: nobody::18561:0:99999:7:::
systemd-network::18561:0:99999:7::: systemd-resolve::18561:0:99999:7:::
systemd-timesync::18561:0:99999:7::: messagebus::18561:0:99999:7:::
syslog::18561:0:99999:7::: _apt::18561:0:99999:7:::
tss::18561:0:99999:7::: uuidd::18561:0:99999:7:::
tcpdump::18561:0:99999:7::: sshd::18561:0:99999:7:::
landscape::18561:0:99999:7::: pollinate::18561:0:99999:7:::
ec2-instance-connect:!:18561:0:99999:7:::
systemd-coredump:!!:19050::::::
ubuntu:!$6$dLobQ2F0caobSv1W$xeAAh1v5GE7irQ3fFFMjZtV.P83VQL0yiJKLkebZ63hUqs2dVJF6ub35xNDjG08Aq6f3MPxH7lnuCpc.gQBxb.:19769:0:99999:7:::
lxd:!:19050::::::
kernoops::19050:0:99999:7::: lightdm::19050:0:99999:7:::
whoopsie::19050:0:99999:7::: dnsmasq::19050:0:99999:7:::
avahi-autoipd::19050:0:99999:7::: usbmux::19050:0:99999:7:::
rtkit::19050:0:99999:7::: avahi::19050:0:99999:7:::
cups-pk-helper::19050:0:99999:7::: geoclue::19050:0:99999:7:::
pulse::19050:0:99999:7::: speech-dispatcher:!:19050:0:99999:7::: saned::19050:0:99999:7:::
nm-openvpn::19050:0:99999:7::: colord::19050:0:99999:7:::
hplip::19050:0:99999:7::: gdm::19050:0:99999:7:::
fwupd-refresh:*:19769:0:99999:7:::
mircoservice:$6$mEUXWPTdSz8Epwbf$aNeUyqOBPXuhkIx50hPMA3q07kjnZh8g7jcwxt2KR/IBEmMaGgxBFc8DLH2DIkgSqAWTAmAKLYOh.AotTTrP7.:19940:0:99999:7::: <— Correct answer

3. What is the cronjob that was set up by the attacker for persistence?

Examine the running processes on the machine. Can you identify the suspicious-looking hidden process from the backdoor account?

How many processes are found to be running from the backdoor account’s directory?

If you count the running processes in the figure above, we see 2 running processes.

What is the name of the hidden file in memory from the root directory?

What suspicious services were installed on the server? Format is service a, service b in alphabetical order.

Examine the logs; when was the backdoor account created on this infected system?

There’s also a new user named “badactor” that seems suspicious.

From which IP address were multiple SSH connections observed against the suspicious backdoor account?

How many failed SSH login attempts were observed on the backdoor account?

Which malicious package was installed on the host?

What is the secret code found in the metadata of the suspicious package?