TryHackMe | Linux Forensics
A write up of Linux Forensics room of TryHackMe. https://tryhackme.com/room/linuxforensics
Task 1: Introduction
(1). Go through the Learning Objectives
Answer:
Learning Objectives:
After completing this room, we will have learned:
- An introduction to Linux and its different flavours.
- Finding OS, account, and system information on a Linux machine
- Finding information about running processes, executed processes, and processes that are scheduled to run
- Finding system log files and identifying information from them
- Common third-party applications used in Linux and their logs
Task 2: Linux Forensics
(1). Can you tell which distribution is represented by which logo in the image?
Answer:
Yes, we can tell which distribution is represented by which logo in the image.
Task 3: OS and account information
Let's start the machine.
(1). In the attached VM, there is a user account named tryhackme. What is the uid of this account?
Answer:
We can simply use cat /etc/passwd to see the uid of every account, but to make the output a bit clearer we will use cat /etc/passwd | column -t -s :
(2). Which two users are the members of the group audio?
Answer:
We will grep for the audio entry in /etc/group
(3). A session was started on this machine on Sat Apr 16 20:10. How long did this session last?
Answer:
To answer this question, we can grep the last login entries for "Sat Apr 16 20:10" with last | grep "Sat Apr 16 20:10"
Task 4: System Configuration
(1). What is the hostname of the attached VM?
Answer:
To find the hostname, you can simply run cat /etc/hostname
(2). What is the timezone of the attached VM?
Answer:
To find the timezone, you can run cat /etc/timezone
(3). What program is listening on the address 127.0.0.1:5901?
Answer:
I used netstat -natp | grep ":5901" for this question
(4). What is the full path of this program?
Answer:
I used grep with ps aux to find the complete path of the program found in the question above.
(5). Read about the flags used above with the netstat and ps commands in their respective man pages.
Answer:
You can read the manuals with man netstat and man ps respectively for both commands.
Task 5: Persistence mechanisms
(1). In the bashrc file, the size of the history file is defined. What is the size of the history file that is set for the user Ubuntu in the attached machine?
Answer:
We can grep for HISTFILESIZE in the .bashrc of the ubuntu user for this question.
Task 6: Evidence of Execution
(1). The user tryhackme used apt-get to install a package. What was the command that was issued?
Answer:
I used grep "apt-get" against the .bash_history file of the user tryhackme
(2). What was the current working directory when the command to install net-tools was issued?
Answer:
This question took some of my time, but eventually I figured something out.
I used grep "net-tools" against the files in /var/log/auth* and was able to find the PWD for that command
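As an added example (not part of the original write-up or the room), here is a small parser for the sudo records that auth.log holds: sudo logs the invoking user, TTY, PWD and COMMAND on one line, so the working directory of an apt-get invocation can be pulled out without eyeballing grep output. The log lines below are constructed to match the Ubuntu sudo format and are not from the room's VM.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /var/log/auth.log lines (not taken from the room's VM).
# sudo records the invoking user's working directory in the PWD= field.
SAMPLE_AUTH_LOG = """\
Apr 16 20:05:01 ubuntu CRON[1208]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 16 20:10:44 ubuntu sudo: tryhackme : TTY=pts/0 ; PWD=/home/tryhackme ; USER=root ; COMMAND=/usr/bin/apt-get install net-tools
Apr 16 20:10:44 ubuntu sudo: pam_unix(sudo:session): session opened for user root by tryhackme(uid=1000)
Apr 16 20:12:03 ubuntu sudo: tryhackme : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Matches the "sudo: <user> : KEY=value ; KEY=value ..." form of a sudo command record.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>[^\s:]+) : (?P<fields>.+)$"
)


def parse_sudo_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one sudo command record, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    entry = {"timestamp": m.group("ts"), "host": m.group("host"), "user": m.group("user")}
    parts = m.group("fields").split(" ; ")
    for i, part in enumerate(parts):
        key, _, value = part.partition("=")
        if key == "COMMAND":
            # COMMAND is always last and may itself contain " ; ", so keep the remainder intact.
            entry[key] = " ; ".join([value] + parts[i + 1:])
            break
        entry[key] = value
    return entry


def find_commands(log_text: str, needle: str) -> List[Dict[str, str]]:
    """All sudo records whose COMMAND contains `needle`, e.g. a package name."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_entry(line)
        if entry and needle in entry.get("COMMAND", ""):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_commands(SAMPLE_AUTH_LOG, "net-tools"):
        print(f"{hit['timestamp']} user={hit['user']} pwd={hit['PWD']} cmd={hit['COMMAND']}")
```

Run it against a real file with find_commands(open("/var/log/auth.log").read(), "net-tools"); rotated logs (auth.log.1, auth.log.*.gz) have to be read and concatenated the same way.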
Task 7: Log files
(1). Though the machine's current hostname is the one we identified in Task 4, the machine earlier had a different hostname. What was the previous hostname of the machine?
Answer:
I ran the cat command against the files in /var/log/syslog* and piped it into grep "hostname:".
Task 8: Conclusion
(1). Check out the cheat sheet and social links
Linux Forensics cheat sheet:
TryHackMe Twitter:
TryHackMe Discord:
___________________________________________________________________
This is all for this room, hope you enjoyed it and learned something new.😇
___________________________Happy Hacking_________________________