Log Analysis - Privilege Escalation

What user (other than ‘root’) is present on the server?

We can see the user move to a directory called /home/daniel/.

Answer

daniel

What script did the attacker try to download to the server?

The attacker used the wget utility to download a Github script.

Answer

linux-exploit-suggester.sh

What packet analyzer tool did the attacker try to use?

We can see the command tcpdump which is used for packet analysis on the command line.

Answer

tcpdump

What file extension did the attacker use to bypass the file upload filter implemented by the developer?

The attacker tried to delete a file named x.phtml.

The PHTML files contain PHP code that is parsed by a PHP engine which allows the web server to generate dynamic HTML that is displayed in a web browser.

Answer

.phtml

Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load

We can see that the attacker tried to find binaries with the SUID bit set.

On executing a binary with the SUID bit set, the file executes with the effective permissions of the owner of the file instead of the person executing. This allows for temporary privilege escalation.

Then the attacker executes sh.

Answer

4