Magnet Weekly CTF Challenge Week #8

Part 1

What package(s) were installed by the threat actor? Select the most correct answer!

Part 2

Why?

- hosting a database

- serving a webpage

- to run a php webshell

- create a fake systemd service

Part 1

Especially considering last weeks question, we know where to look when we are investigating packages! Jumping into /var/log/apt/history.log there is an entry at the bottom for php. There is a significant jump in the timestamps so this potentially could be the attacker.

I tried php and it was correct!

Answer: php

Part 2

If I had to take a guess from the get go, the multiple choice answer for web shell makes the most sense, but I wanted to make sure.

In a previous week, I had noticed a suspicious service installed on the host that refered tp php in /etc/systemd/system/cluster.service

Here you can see the service is running php on a file called cluster.php

The file cluster.php does look like a reverse shell when inspecting it.

From the infomation we have discovered, it will be one of the bottom two answers

  • hosting a database
  • serving a webpage
  • to run a php webshell
  • create a fake systemd service

I first tried “to run a php webshell” because it was the end goal of the service but it was wrong. Luckily there were two chances!

Answer: create a fake systemd service