Extraterrestrial Persistence - Forensics Challenge

Summary

Analyzing a bash script that creates a malicious service!

Challenge Description

There is a rumor that aliens have developed a persistence mechanism that is impossible to detect. After investigating her recently compromised Linux server, Pandora found a possible sample of this mechanism. Can you analyze it and find out how they install their persistence?

Solving the Challenge

First, you will need to unzip the challenge .zip file and provide the password from the HacktheBox platform. When we unzip the archive, we find a script called persistence.sh which appears to create some sort of service and enable it. Looking at the script, we can see that base64 output is being decoded and used to create the service.

On the system that we are using to investigate, we can run the first part of line 10 above, up through piping it to `base64 --decode`, in order to see exactly what it is writing to /usr/lib/systemd/system/service.service. Note that line 8 makes it executable and line 12 enables the service to autostart.

And when we do this, we get the flag from the service description:
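Decoding the payload by hand works for one script. As an added example (not part of the original write-up), the Python below does the same triage statically, without executing anything from the script: it finds base64 blobs piped into `base64 --decode`, decodes them, and summarizes the Description, ExecStart and WantedBy of each embedded unit file. The sample script and unit text are constructed placeholders, not the challenge's real content.

```python
import base64
import re

# Constructed sample standing in for persistence.sh; the unit text and the
# flag are placeholders, not the challenge's real content.
SAMPLE_UNIT = """[Unit]
Description=PLACEHOLDER_FLAG_GOES_HERE
[Service]
ExecStart=/bin/sh -c 'echo placeholder'
[Install]
WantedBy=multi-user.target
"""
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "path=/usr/lib/systemd/system/service.service\n"
    "echo '" + base64.b64encode(SAMPLE_UNIT.encode()).decode() + "'"
    " | base64 --decode > $path\n"
    "chmod +x $path\n"
    "systemctl enable service.service\n"
)

# A base64 blob (quoted or bare) echoed into `base64 -d` / `base64 --decode`.
B64_PIPE = re.compile(
    r"""echo\s+(?:-n\s+)?["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64\s+(?:-d|--decode)"""
)

def extract_decoded_payloads(script_text):
    """Decode each blob the script pipes through base64 --decode; nothing is executed."""
    payloads = []
    for match in B64_PIPE.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64: skip it rather than guess
        payloads.append(raw.decode("utf-8", "replace"))
    return payloads

UNIT_KEYS = ("Description", "ExecStart", "WantedBy")

def summarize_unit(unit_text):
    # Pull the fields an analyst checks first out of a systemd unit file.
    summary = {}
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in UNIT_KEYS:
            summary[key.strip()] = value.strip()
    return summary

def analyze_script(script_text):  # one summary dict per embedded unit file
    return [summarize_unit(p) for p in extract_decoded_payloads(script_text)]
```

Running `analyze_script` over the real persistence.sh text shows the unit's Description (where the challenge hides the flag) and its ExecStart without ever creating or enabling the service.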

Conclusion

That’s it! From there, you can submit the flag. In the real world, you can disable this service, remove it, and remove associated files.