Hero Image of content
Is Linux Secure ? - Part 2
Lab Author
TheDeadThinker
DFIR | Security Researcher

Lab Description:

A developer linux server has been compromised, and you have been assigned as the forensic investigator to determine exactly what happened. You have access to the both Linux machine developer & vpn linux servers that may reveal how the attacker accessed the environment. Your goal is to analyze the available evidence, reconstruct the attack timeline, identify the attacker’s actions after gaining access, and determine how they maintained control of the system. Throughout the investigation, correlate artifacts from the Linux system and VPN logs to uncover the complete attack chain.

Lab Objectives:

  • Initial Access : Discover how the attacker initially compromised the server through misconfigurations.

  • Persistence : Discover how the attacker maintained access to the compromised system.

  • Privilege Escalation: Identify the techniques used by the attacker to escalate privileges on the Linux system.

  • Discovery : Identify how the attacker gathered information about the system and environment.

  • Lateral Movement : Investigate whether the attacker used remote access to move within the environment.

  • Collection : Determine what information or files were collected by the attacker.

  • Command and Control : Identify how the compromised system communicated with the attacker’s infrastructure.

  • Exfiltration : Determine whether any data was transferred outside the environment.

  • Malware Analysis: Examine how the malware was deployed by the attacker on the system.

  • Log Analysis: Analyze system logs to trace the attacker’s actions and timeline.

  • Remediation: Learn best practices to secure the system and prevent similar breaches in the future.

Tools and Techniques:

  • Disk Forensic: FTK Imager, Sleuth Kit
  • Log Analysis : Any Preferred Tool or SIEM
  • Network Forensic: Zeek, Suricata, Wireshark, Network Miner
  • Database Analysis: sqlitebrowser

Lab Evidence:

You will get access to all the evidence collected from the breached servers.

Password: threatbreach.io

Link To Evidence SHA256
🔗 Developer-machine.tar 9d0f00ce6ec63b478333cfd6fdf9bc320449f1ebf84b503c3ec953ad2863861b
🔗 Developer-machine-tcpdump.pcap 21b331c4f5fe40924ae7994f428c575e2b60c423fab9849aa402e467fe406621
🔗 VPN-Server.tar b3be75dfec6b0e5ad4323f98192fd9e9ed84f62d52e3cdaace0bc5f68a674972
🔗 VPN-Server-tcpdump.pcap 968b200b134f041a8fe7683ce6f848d49872f5aaa89eaffcb940a35c576d2f3e

Writeup

Writeup will be published soon, If you want to send your writeup to be evaluated share it on labs[@]threatbreach.io