Detecting and Investigating an SSH Attack from 192.168.75.129: An In-depth Analysis


1. IP Address of the SSH Attacker

Using the command `cat /var/log/secure | grep Failed | cut -d ' ' -f 11 | sort | uniq -c | sort -nr`, it was found that 192.168.75.129 attempted an SSH brute-force attack, failing the SSH password 91 times. The command `cat /var/log/secure | grep Accepted` revealed that 192.168.75.129 eventually succeeded in logging in to the SSH service.


The `lastb` command showed a large number of failed login attempts from 192.168.75.129.


Thus, it is determined that the hacker’s IP address is 192.168.75.129.
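The same triage as the `grep Failed | cut -f 11` pipeline above, as an added Python example that is not part of the original writeup. It parses a constructed sample of `/var/log/secure` lines, counts failed password attempts per source IP, and flags any `Accepted` login from an IP that had already failed earlier in the log (brute force followed by success). It uses a regex rather than a fixed field number, because lines of the form `Failed password for invalid user X` shift the IP to a later field and would be miscounted by `cut -f 11`.

```python
import re
from collections import Counter

# Constructed sample log lines in /var/log/secure format (not from the original post).
SAMPLE_LOG = """\
Mar 18 20:21:01 victim sshd[1201]: Failed password for root from 192.168.75.129 port 51234 ssh2
Mar 18 20:21:03 victim sshd[1201]: Failed password for root from 192.168.75.129 port 51236 ssh2
Mar 18 20:21:05 victim sshd[1203]: Failed password for invalid user admin from 192.168.75.129 port 51240 ssh2
Mar 18 20:21:09 victim sshd[1207]: Accepted password for root from 192.168.75.129 port 51250 ssh2
Mar 18 20:25:44 victim sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
"""

# "invalid user" is optional so both failure line shapes yield (user, ip).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Accepted lines yield (auth method, user, ip).
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def failed_attempts_by_ip(log_text):
    """Count failed password attempts per source IP (the grep/cut/sort/uniq pipeline)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def successful_logins_after_failures(log_text, threshold=1):
    """Return (ip, user, method) for each Accepted login whose source IP had at
    least `threshold` failures earlier in the log: the brute-force-then-success pattern."""
    failures = Counter()
    hits = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            failures[f.group(2)] += 1
            continue
        a = ACCEPTED_RE.search(line)
        if a and failures[a.group(3)] >= threshold:
            hits.append((a.group(3), a.group(2), a.group(1)))
    return hits


if __name__ == "__main__":
    for ip, n in failed_attempts_by_ip(SAMPLE_LOG).most_common():
        print(f"{n:6d} {ip}")
    for ip, user, method in successful_logins_after_failures(SAMPLE_LOG):
        print(f"suspicious login: {user}@{ip} via {method} after prior failures")
```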

2. The Three Remaining Flags in an SSH Attack

First Flag

Start with a backdoor investigation. Using `cat /etc/passwd` and `cat /etc/passwd | grep -v nologin`, no hacker-created backdoor accounts were found.

The commands `find /var/spool/cron -type f -exec ls -lctr --full-time {} \+ 2>/dev/null` and `find /etc/*cron* -type f -exec ls -lctr --full-time {} \+ 2>/dev/null` showed no scheduled tasks created by the attacker.

Using the command `find /etc/rc*d -type f -exec ls -lctr --full-time {} \+ 2>/dev/null`, a startup item created by the hacker at /etc/rc.d/rc.local was found, which includes the flag: flag{kfcvme50}.

Second Flag

Checking the command history with `history`, it was found that the hacker had once printed the flag: flag{thisismybaby}.

Third Flag

Using the command `find / -newerct '2024-03-18 20:20:00' ! -newerct '2024-03-18 20:30:00' ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/private/*" -type f 2>/dev/null | sort`, files uploaded or modified during the attack window were listed. This revealed an SSH key in /var/lib/redis/dump.rdb, suspected to have been written there by the attacker through a Redis weak-password vulnerability.

Checking the Redis log with `cat /var/log/redis/redis.log` again showed the hacker's IP as 192.168.75.129.

The `cat /etc/redis.conf` command revealed the Redis configuration, containing the flag: flag{P@ssW0rd_redis}.
