Linux Forensics Investigation | TryHackMe Linux Forensics

Captions
What's going on YouTube, today we're doing the room Linux Forensics from TryHackMe. I'm going to show you guys the various system commands that are used to perform Linux forensics. Of course the commands that will be shown in this video are not the only exhaustive list of all the commands; Linux forensics is much bigger than only performing a couple commands, right? So basically in this video we're going to go over a couple of command categories and take specific examples to show how to do Linux forensics as part of this room. So let's get started.

Now this one contains a couple questions, as you can see. For every task we're gonna answer the questions after we show the related commands that help you find the answers. So deploy the machine and access the machine using the attached terminal; as you can see you can click on Split View and you will be able to interact with the machine Linux4n6. Okay then, all right.

Some commands that we perform or execute during Linux forensics are actually the same ones we run when we conduct manual privilege escalation. For example, if we want to learn information about the system installed, there are a couple commands that we issue that are actually the same when we perform Linux privilege escalation. To understand what I mean let's take an example. So if you want to see system and kernel information: uname -a, or we can cat the version, or we can issue this command, /etc/os-release. There are multiple commands that achieve the same objective. So we can use the following command to get information about the system and the kernel: cat /etc/os-release. You see we now have release information or system information; as you can see, the Ubuntu version and other information about the operating system installed. So these are what we call OS release information. Now if we use uname -a, again we see similar but of course shorter content than the content released by /etc/os-release. We can also use cat /proc/version. Now the above two commands are to get the version, the type and the version of the current system installed; os-release gets information about the system release and other useful information such as the version, the name and other details about the system installed.

Now after learning information about the system, we aim to learn what users are installed, or what users were added on the system. So viewing the users isn't that difficult, we just use cat /etc/passwd. Okay, so this file contains information about user accounts that exist on the Linux system. Okay, now the output, as you can see, contains entries separated by colons; as you can see the colon separates the items on every line. So basically what do these represent? Let's take an example. So this is the username, tryhackme, right? And then we have the x. The x means that the password information for the user tryhackme exists in a file called /etc/shadow. And then we have the UID which is 1001, and we have again the GID 1001, the description of the account, and lastly, not lastly actually, the item before the last item is /home/tryhackme which is the home path of the user tryhackme, and then we have the default shell. So when you see /bin/bash it means that we can SSH or log in as tryhackme. But if you take the case, for example, of gdm, you see the default shell is set to /bin/false, which means that you cannot log in using gdm, it doesn't have a shell. So why do some accounts have /bin/false and some other accounts like tryhackme have /bin/bash? Simply because some accounts are configured so that you can log in with them, such as tryhackme; gdm is an account that's configured so you cannot log in as gdm, right? So this is useful, right, for security purposes. For example when a WordPress website is compromised, after compromising the control panel you seek to get a limited shell on the system. Most of the time the limited shell is achieved as www-data which is the web server user. Now why are you able to log in as www-data? This is because the user is configured to have a shell. You should set www-data and other service accounts to have /bin/false so someone cannot log in as these accounts if a system is compromised or a vulnerability is exploited.

Nevertheless, now let's see how we can view information about the groups: cat /etc/group. Okay, so you can see information about the groups. For example let's take an example here, okay, take this one, netdev. So netdev is a group where ubuntu is part of it, right? And we see again plugdev, a group where ubuntu is part of it. So ubuntu is the user and plugdev is the group. So we see the group and the users that are part of it. As you can see this one, adm: adm is a group where the syslog and ubuntu users are part of it. Now sometimes we want to issue a command as sudo, in elevated mode, but we can't. Why? Because the current user doesn't exist in the sudoers list. Viewing the sudoers list means we need to view who are the users that can issue a command as sudo: cat /etc/sudoers. You see it's permission denied. Let's try this, okay. Let's go over the file. As you can see, root is configured as a sudo user, admin as well. So here we see all of the users that can issue commands as sudo. If you want a user to be able to issue a command as sudo, or in elevated mode, you can add them to this sudoers list. Okay, let's see here.

Now let's go and answer a couple questions. The first task is the introduction, the next one doesn't have questions. The third one, okay: "In the attached VM, there is an account named tryhackme. What's the UID of this account?" Let's take a look. So cat, so tryhackme, the UID of the account comes after the x, which is 1001. "Which users are the members of the group audio?" Okay, now we go back and cat /etc/group | grep audio. Oh, so the s here you have to remove it. So the audio group contains ubuntu and pulse, so ubuntu and pulse are part of it. "A session was started on this machine on Saturday, April 16. How long did this session last?" Now this question is related to viewing the logs. We're gonna view the logs, or we're gonna deal with the logs, at the very end of the video. I'm gonna put this at the very last.

So let's go now to task two and see what kind of questions we have to answer. "What's the hostname of the attached VM?" Okay, so cat /etc/hostname, so it is Linux4n6. "What is the time zone of the attached VM?" Now viewing the time zone is very important guys, especially if you're performing forensics: cat /etc/timezone, so it is Asia/Karachi. Okay, "What program is listening on the address 127.0.0.1:5901?" Okay, so now we need to view the network information, or we need to view the active network connections. We can achieve that using the netstat utility, so netstat -antp. Okay, as you can see now, the current machine is listening on port 5901 and the service that is using that port is Xtigervnc. So this is the answer for your question. Okay, "What is the full path of this program?" Okay, so the full path can be found by typing which and the program name, Xtigervnc, so it is /usr/bin/Xtigervnc. "Read about the flags used above with the netstat and the ps commands in their respective man pages."

Now apart from the questions, let's go over a couple other commands used as part of Linux forensics. Okay then, so we know how to view the hostname, the time zone; let's see how we can view the network information of a host. Apart from that, let's see how we can list information about the IP of the machine, the current network interfaces it's connected to. So we can do that using ifconfig, okay, or we can say ip address show. So we see we have two interfaces, the loopback and eth0; eth0 has the IP 10.10.29.129. Viewing network interfaces and being able to view the IP addresses connected to them is tremendously important while conducting privilege escalation as well, since sometimes we may intend to pivot from one machine into another. So if you want to pivot into another machine you have to be able to view its IP address, or at least the network that it's part of. So sometimes this machine is connected to another machine on an entirely different subnet or different network, so you can find that by using ip address show or ifconfig; you'll be able to see the network interfaces and the associated IP addresses.

Okay, now let's see how we can view the running processes. I think all of you know that with ps aux you will be able to see all the running processes, the PID of each process, the full path of it; tremendously important information. Now about DNS information: cat /etc/hosts. Here we see all the DNS assignments. For example, as you can see, the loopback address is assigned to localhost, that's it. Now sometimes when you do CTF machines you may need to assign the IP address a name, so you can put the IP address of the machine here and the DNS name. Also if you want to configure a specific name or a specific match for a specific host or IP address, you can just set the IP address here and the corresponding name which you will use for accessing that service or that page. Okay then, now let's go over the other task and see what kind of questions we have to answer. So task 3 is done for now.

Task 5: "In the .bashrc file the size of the history file is defined. What is the size of the history file that is set for the user ubuntu in the attached VM?" Okay, now here we go over the history of commands executed, and also cron jobs as well as startup services. So if we clear this, the first thing that we will do, guys, is viewing the cron jobs: cat /etc/crontab. As can be seen, guys, this file contains information about the time interval after which the specified command has to run. So we see the username that runs the command and we see the command itself, for example this one. Sometimes in a fully configured, or in a fully productive, system we see several other entries for other cron jobs. It also contains scripts, right, to run, where the script that needs to be run will be placed on the disk and the command to run it will be added to this file. So you specify the files or the scripts and the commands that will run after a specific time or during each interval, for example commands that will be run on a daily basis at a specific time, midnight or midday, whatever, and we specify the user that will run the command. Okay, now let's scroll down. Log files will be postponed to the very end of the video. Network interfaces, startup commands, okay, startup services. What about startup services? So ls /etc/init.d. Okay, so here, like in Windows guys, services can be set up in Linux that will start and run in the background after every system boot, just like in Windows. We can find the list of services that run once the system boots up under /etc/init.d. Very important during forensics. So you got the startup services, you got the cron jobs, and another important piece of information is the commands that run after the system starts up. So in Linux we can also configure commands to run in the background when the shell is spawned. So what we can do, guys, we can go to cd /home, cd ubuntu. This changes for every user profile. For ubuntu we can see the .bashrc file, so cat .bashrc. Here we are able to see the configurations and the commands that will run in the background after the shell is spawned for the user ubuntu. Of course we're talking about user ubuntu; this changes for every single user. So in the question that we saw, let's go back to the question: "In the .bashrc file the size of the history file is defined. What's the size of the history file that's set for the user ubuntu in the attached VM?" To view that you need to view the value of the variable HISTFILE or HISTFILESIZE, something like that. So cat .bashrc and grep, okay, so we see HISTFILESIZE is set to 2000, which marks the answer for this question.

Okay, next task: "The user tryhackme used apt-get to install a package. What was the command that was issued?" and "What was the current working directory when the command to install net-tools was issued?" So here again we need to view the history of commands executed, but in the first question we have to see the privileged commands, where sudo was used in the command. On the other hand, in the next question, "What was the current working directory when the command to install net-tools was issued?", this one could be elevated, where sudo was used, or could be non-elevated. So in the first question, to answer the question we have to find out the history of the elevated commands. Okay, cat /var/log, so we can view the cat /var/log and the file will be auth.log; this is where we see the history of the elevated commands. grep -i, let's say the command is apt-get. It says "Binary file (standard input) matches", okay, we change this to -a. Okay, so we see the command /usr/bin/apt-get install net-tools was issued as root, and the current working directory was /home/ubuntu. So this is one of the commands that were issued with sudo, and the command actually contains the answer to the question that we have here. So if we go to "What was the current working directory when the command to install net-tools was issued?", it is /home/ubuntu, as shown here. But we can't see the command sudo apt-get install apache2, although it is an elevated command; I cannot see it here. No, it is actually here: /usr/bin/apt-get install apache2. This also contains the answer for the first question, so here, the apt-get install apache2, you can find it here.

Okay, now to the log files. Okay, so for the log files, all the log files are stored under cd /var/log. Here you see all kinds of logs: system logs, authentication logs, failed logins, successful logins, service logs. For example, let's take an example: btmp contains the failed logins; we have also wtmp which contains the history of logins; auth.log contains the history of all of the authentication operations, SSH authentications, FTP authentication, system authentication; we have also syslog which contains information about the system activity. So when it comes to logs you can find all the logs under /var/log. Some of these logs can be viewed with the cat utility or vi, but some of them need to be viewed using other utilities. For example btmp and wtmp, these both files cannot be viewed with cat, so you have to use them with a tool called last. So if we go to the log section of this file, okay, so btmp can be viewed with the command last. Let's take an example: last -f /var/log/btmp. Yep, we will have to use it; as you can see it's opened. If we try with wtmp you will see all of the successful logins, or the history of the logins, along with the time. These are very important when performing forensics, as you know. Okay, so let's go to the log files here and answer the last question. I think we have other questions here: evidence of execution, okay, log files. Oh okay, I remembered, so it is in task three we had a couple questions about the logs we didn't answer. Okay, it's here: "A session was started on this machine on Saturday, April 16, 2010. How long did this session last?" So here we want to take a look at the history of the sessions, right? It means successful logins. So to view successful logins or sessions we go to wtmp, and we already viewed this file. So we're looking to find out the entry at April 16, Saturday. So April 16, Saturday, 2010, and it lasted for one minute and 32 seconds.

Okay, now task 7: "Though the machine's current hostname is the one we identified in task 4, the machine earlier had a different hostname. What was the previous hostname of the machine?" And this one could be confusing. So you might be telling me that, yep, we can find the hostname, or the old hostname, by viewing the system commands, or the history of the commands that were executed, in the .bashrc file or the .bash_history file, and this could be the answer to the question as well. Or we can view the syslog; syslog contains all of the activity that happened on the system. So we can go this path or the other path. Let's first go with the syslog, by viewing the syslog: cat /var/log/syslog and then we grep hostname. Okay, let's see here. So hostname changed from "none" to Linux4n6, other than that. So it isn't clear here whether the old hostname is found, so let's try with the bash history file: cd /home, cd ubuntu, .bash_history. Let's see if it's here, so .bash_history, nope, nothing. Going back, okay, permission denied. So in the command history we haven't found anything. Let's go back to the syslog then, and we may need to look at other syslog files, the rotated ones such as syslog.1. So cat, now we're talking, let's see. So from "none" to tryhackme, that was the first assigned hostname, as you can see, and then it was changed again. Let's see, go back, go down. So from "none" to tryhackme and then from tryhackme to Linux4n6. So that was the old hostname of the machine, which marks the answer for this question.

So this way, guys, we finished the room. I hope you liked that and I will definitely see you in the next video.
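The video walks through reading /etc/passwd and /etc/group by eye and explains why service accounts such as www-data should not keep an interactive shell. The following Python script, added here and not part of the video or the TryHackMe room, parses both files in the same seven-field and four-field formats and reports (a) the members of a group and (b) system accounts that can still log in; the passwd and group lines are constructed samples, not the room's VM contents.

```python
"""Parse /etc/passwd and /etc/group records and flag service accounts
that still have an interactive login shell (a quick forensic triage check)."""
from dataclasses import dataclass

# Constructed sample in /etc/passwd format (not taken from the room's VM).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
tryhackme:x:1001:1001::/home/tryhackme:/bin/bash
"""

# Constructed sample in /etc/group format.
SAMPLE_GROUP = """\
adm:x:4:syslog,ubuntu
audio:x:29:ubuntu,pulse
netdev:x:108:ubuntu
"""

# Shells that deny interactive login; anything else is treated as loginable.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

@dataclass
class Account:
    name: str
    uid: int
    gid: int
    comment: str
    home: str
    shell: str

def parse_passwd(text):
    """Return Account records; the 'x' field means the hash lives in /etc/shadow."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, comment, home, shell = line.split(":", 6)
        accounts.append(Account(name, int(uid), int(gid), comment, home, shell))
    return accounts

def group_members(text, group):
    """Members listed in the fourth field of the matching /etc/group line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []

def service_accounts_with_shell(accounts, min_user_uid=1000):
    """System accounts (uid below the human range, root excluded) that can
    still log in; each one should be reviewed and switched to /bin/false."""
    return [a.name for a in accounts
            if 0 < a.uid < min_user_uid and a.shell not in NOLOGIN_SHELLS]

if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print(service_accounts_with_shell(accts))    # ['www-data']
    print(group_members(SAMPLE_GROUP, "audio"))  # ['ubuntu', 'pulse']
```

Point it at a real system by reading /etc/passwd and /etc/group instead of the sample strings; the functions accept any text in those formats.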
Info
Channel: Motasem Hamdan
Views: 6,227
Keywords: Linux, Forensics
Id: gOg_h9fdgZE
Length: 28min 18sec (1698 seconds)
Published: Fri Jun 24 2022