
HackTheBox An unusual sighting Writeup

Explore the basics of cybersecurity in the An unusual sighting Challenge on Hack The Box. This very-easy-level Challenge introduces log analysis and basic forensic concepts (reading SSH daemon logs and a timestamped Bash history) in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/673

Description

As the preparations come to an end, and The Fray draws near each day, our newly established team has started work on refactoring the new CMS application for the competition. However, after some time we noticed that a lot of our work mysteriously has been disappearing! We managed to extract the SSH Logs and the Bash History from our dev server in question. The faction that manages to uncover the perpetrator will have a massive bonus come the competition! Note: Operating Hours of Korp: 0900 - 1900

Solutions

What is the IP Address and Port of the SSH Server (IP:PORT)

100.107.36.130:2221
This is confirmed from the SSH logs, where the "from" clause is the client and the "on" clause is the local address and port the SSH daemon was listening on:
Connection from 101.111.18.92 port 44711 on 100.107.36.130 port 2221

What time is the first successful Login

2024-02-13 11:29:50

What is the time of the unusual Login

2024-02-19 04:00:14
The login at 04:00 AM is suspicious, as Korp's operating hours are 09:00 to 19:00; every other login in the log falls inside that window.

What is the Fingerprint of the attacker’s public key

OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
The log line for the 04:00:14 login records the key that was accepted as an ECDSA key with the SHA256 fingerprint:
ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

What is the first command the attacker executed after logging in

whoami
This is recorded in the bash history, a few seconds after the unusual login:
[2024-02-19 04:00:18] whoami

What is the final command the attacker executed before logging out

./setup
This is the last entry in the bash history before the session ends:
[2024-02-19 04:14:02] ./setup
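The whole procedure above (find the listening endpoint, the first accepted login, the login outside operating hours and its key fingerprint, then the commands run during that session) can be scripted rather than done by eye. The following is an added example written for this writeup, not part of the original post or of the challenge files. It assumes the "[YYYY-MM-DD HH:MM:SS] message" line layout that the quoted fragments suggest, for both the sshd log and the Bash history; the sample lines are constructed (the attacker IP 203.0.113.7 is a documentation-range placeholder and the dev-team fingerprints are made up), with the server endpoint, the two login times, the attacker fingerprint and the two commands taken from the answers above.

```python
import re
from datetime import datetime, time

# Constructed sample input (not the challenge's files). The line layout is
# assumed from the fragments quoted in the writeup; 203.0.113.7 and the
# "Placeholder" fingerprints are invented, the rest matches the answers.
SSH_LOG = """\
[2024-02-13 11:29:47] Connection from 101.111.18.92 port 44711 on 100.107.36.130 port 2221
[2024-02-13 11:29:50] Accepted publickey for root from 101.111.18.92 port 44711 ssh2: ECDSA SHA256:devTeamKeyPlaceholder000000000000000000000000
[2024-02-13 11:41:09] Disconnected from user root 101.111.18.92 port 44711
[2024-02-14 09:12:03] Connection from 101.111.18.92 port 50012 on 100.107.36.130 port 2221
[2024-02-14 09:12:05] Failed publickey for root from 101.111.18.92 port 50012 ssh2: ECDSA SHA256:wrongKeyPlaceholder00000000000000000000000000
[2024-02-14 09:12:06] Accepted publickey for root from 101.111.18.92 port 50012 ssh2: ECDSA SHA256:devTeamKeyPlaceholder000000000000000000000000
[2024-02-14 10:03:44] Disconnected from user root 101.111.18.92 port 50012
[2024-02-19 04:00:11] Connection from 203.0.113.7 port 60112 on 100.107.36.130 port 2221
[2024-02-19 04:00:14] Accepted publickey for root from 203.0.113.7 port 60112 ssh2: ECDSA SHA256:OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4
[2024-02-19 04:14:09] Disconnected from user root 203.0.113.7 port 60112
"""

BASH_HISTORY = """\
[2024-02-13 11:30:02] cd /srv/cms
[2024-02-13 11:30:10] git status
[2024-02-14 09:13:01] git pull
[2024-02-19 04:00:18] whoami
[2024-02-19 04:00:31] id
[2024-02-19 04:01:05] ls -la
[2024-02-19 04:14:02] ./setup
[2024-02-19 09:31:40] git log --oneline
"""

TS = r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
CONN_RE = re.compile(TS + r"Connection from (\S+) port (\d+) on (\S+) port (\d+)")
AUTH_RE = re.compile(TS + r"(Accepted|Failed) (\w+) for (\S+) from (\S+) port (\d+) ssh2"
                     r"(?:: (\w+) (SHA256:\S+))?")
DISC_RE = re.compile(TS + r"Disconnected from user (\S+) (\S+) port (\d+)")
HIST_RE = re.compile(TS + r"(.*)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_ssh_log(text):
    """Turn sshd lines into event dicts; lines that match no pattern are skipped."""
    events = []
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            events.append({"ts": _ts(m[1]), "kind": "connection", "client": m[2],
                           "cport": int(m[3]), "server": m[4], "sport": int(m[5])})
        elif m := AUTH_RE.match(line):
            events.append({"ts": _ts(m[1]), "kind": m[2].lower(), "method": m[3],
                           "user": m[4], "client": m[5], "cport": int(m[6]),
                           "keytype": m[7], "fingerprint": m[8]})
        elif m := DISC_RE.match(line):
            events.append({"ts": _ts(m[1]), "kind": "disconnected", "user": m[2],
                           "client": m[3], "cport": int(m[4])})
    return events


def server_endpoint(events):
    """IP:PORT the daemon listened on, from the 'on ... port ...' clause."""
    ev = next(e for e in events if e["kind"] == "connection")
    return f'{ev["server"]}:{ev["sport"]}'


def first_successful_login(events):
    return min(e["ts"] for e in events if e["kind"] == "accepted")


def logins_outside_hours(events, start=time(9, 0), end=time(19, 0)):
    """Accepted logins whose wall-clock time is outside [start, end)."""
    return [e for e in events
            if e["kind"] == "accepted" and not (start <= e["ts"].time() < end)]


def session_window(events, login):
    """(login time, time of the matching Disconnected line, or None if absent)."""
    for e in events:
        if (e["kind"] == "disconnected" and e["ts"] >= login["ts"]
                and e["client"] == login["client"] and e["cport"] == login["cport"]):
            return login["ts"], e["ts"]
    return login["ts"], None


def commands_in_window(history_text, start, end=None):
    """(timestamp, command) pairs from a HISTTIMEFORMAT-style history inside the window."""
    cmds = []
    for line in history_text.splitlines():
        if m := HIST_RE.match(line):
            ts = _ts(m[1])
            if ts >= start and (end is None or ts <= end):
                cmds.append((ts, m[2]))
    return cmds


def investigate(ssh_log=SSH_LOG, history=BASH_HISTORY):
    """Answer the six challenge questions from the two artefacts."""
    events = parse_ssh_log(ssh_log)
    login = logins_outside_hours(events)[0]
    start, end = session_window(events, login)
    cmds = commands_in_window(history, start, end)
    return {"server": server_endpoint(events),
            "first_login": first_successful_login(events),
            "unusual_login": login["ts"], "fingerprint": login["fingerprint"],
            "first_command": cmds[0][1], "last_command": cmds[-1][1]}


if __name__ == "__main__":
    for k, v in investigate().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would keep in mind. The operating-hours check compares wall-clock times in whatever timezone the logs were written in, so confirm the server's timezone before trusting a 04:00 verdict. And the Bash history is only evidence of what the intruder left behind: it is a file in the user's home directory that a logged-in attacker can edit or truncate, so the "first" and "last" commands it shows are a lower bound on what actually ran, which is why the session is bracketed here by the sshd Accepted and Disconnected lines rather than by the history alone.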

Summary

The An Unusual Sighting Challenge on Hack The Box is a very-easy-level forensic exercise that involves investigating suspicious activity on a development server. Participants analyze SSH logs and Bash history to trace unauthorized access and the actions that followed it. Key findings are the SSH server's IP and port (100.107.36.130:2221), a login (2024-02-19 04:00:14) outside Korp's 09:00 to 19:00 operating hours, and the fingerprint of the public key that login was accepted with (OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4). Participants also recover the first (whoami) and final (./setup) commands the intruder ran during that session, completing the timeline of the intrusion. This challenge serves as an introductory task for learners to apply log-based forensic analysis in a controlled environment.

This post is licensed under CC BY 4.0 by the author.