TryHackMe | Linux Process Analysis | WriteUp | Q&A

Mohamed Ali
2 min read, Jul 14, 2024


Perform thorough process and application analysis to identify an attacker’s persistence methods.


Task 1 : Introduction

I’m ready to continue!

No Answer Needed

Task 2 : Investigation Setup

Q : After updating the PATH and LD_LIBRARY_PATH environment variables, run the command check-env. What is the flag that is returned in the output?

A : THM{8c860435f00c943c21f6b6e0f1b2f854}

Task 3 : Processes

Q : Which command lists all open files and the processes that opened them?

A : lsof

Q : Use pstree to list out the process hierarchies. What is the name of the nc process's parent?

A : abzkd83o4jakxld

Task 4 : Cronjobs

Q : Search around the system for suspicious system-level cronjob entries. What is the full URL of the C2 server?

A : http://c2.intelligent-software.thm:8310/beacon

Q : List the user-level cronjobs in the system. What is the hidden flag in one of the scripts?

A : THM{4682786cf2d92f01c4d30a2bbf4621f7}

Q : Use pspy64 to monitor executions occurring through the system. What is the decoded flag value that is echoed every 15 seconds?

A : THM{851a981445dbfb9485c3771510a53568}

Task 5 : Services

Q : List all running services on the system. What is the flag you discover in the backdoor service’s description?

A : THM{4922066dc6494e8d4d507eef2205c262}

Q : View the journalctl logs associated with the backdoor service. What is the flag you discover?

A : THM{053c12e620acea8a77b4bdcba578ca19}

Task 6 : Autostart Scripts

Q : Identify and investigate the remaining .desktop files on the system. What is the command that executes with the Show Network Interfaces autostart script?

A : http://aabab.best-it-services.thm/id_rsa

Q : Identify and investigate the remaining .desktop files on the system. What is the command that executes with the Show Network Interfaces autostart script?

A : ifconfig

Task 7 : Application Artefacts

Q : Analyse Janice’s .viminfo log. What flag do you find within the Vim search history?

A : THM{4a8fd984228d89999342d189e6b916de}

Q : Use DumpZilla to investigate Eduardo’s Firefox bookmarks. What flag do you find in one of the entries?

A : THM{5d5cb0ffe8369ab08f1e90aa9e9bc24e}

Task 8 : Conclusion

Click and continue learning!

No Answer Needed

