Kernel Exploit

Level: Easy

Challenge: Kernel Exploit

Tool

Autospy

Q1: What is the name of the key file the intruder downloaded to elevate their privileges after gaining unauthorized access?

Image 1

Upon inspecting the /tmp directory, we discovered a suspicious file named exploit. Upon analyzing it using VirusTotal, it was confirmed to be a malicious executable file.

Image 2

Q2: When was the file used for privilege escalation first submitted on Virus Total?

Image 3

By reviewing the History section on VirusTotal, we identified the first submission date of this file.

Q3: What is the Process ID (PID) of the operation launched by the attacker?

Image 4

Using the Keyword Search, I found an interesting file named lsof_-nPl.txt, which corresponds to a Linux command. Upon opening it, we can see a list of files currently opened by Linux processes.

The lsof command, short for "List Open Files," is used in Linux to determine which files are currently open and which processes are accessing them.

Image 5

Q4: What username was the malicious process running under?

Image 6

Image 7

By examining the running_processes_full_paths.txt file, we can identify the username associated with the execution of this file.

Q5: What is the Parent Process ID (PPID) associated with the malicious process?

Image 8

By examining the pstree_-p_-n.txt file, we can identify the PID of the exploit file and the PPID of its parent process.

Q6: What are the operating system and its version on the compromised server?

Image 9

Image 10

By reviewing the lsb-release file, we can determine the operating system and its version. However, there seems to be a discrepancy because the release version in the uname output differs. This mismatch likely indicates that the kernel version reported by uname hasn't been updated to align with the OS version shown in lsb-release.

Image 11

This difference occurs because lsb-release reflects the OS distribution version, including updates and patches, while uname displays the kernel version, which may not always match the OS release version if the kernel has not been updated alongside the distribution. This suggests that the kernel might not have been updated to the latest version provided by the OS.

Q7 : What is the kernel version of the compromised system?

Image 12

Image 13

Another file worth checking is hostnamectl.txt. This file contains information about the operating system and the kernel version.

Q8: What is the most recent CVE number associated with the vulnerabilities exploited in this attack?

Image 14

By reviewing the Community section on VirusTotal, we can find reports and discussions, including references to CVEs related to the vulnerabilities exploited by this file.