TryHackMe: Advent of Cyber 2023 (Day 19) CrypTOYminers Sing Volala-lala-latility
“The elves are hard at work inside Santa’s Security Operations Centre (SSOC), looking into more information about the insider threat. While analysing the network traffic, Log McBlue discovers some suspicious traffic coming from one of the Linux database servers.
Quick to act, Forensic McBlue creates a memory dump of the Linux server along with a Linux profile in order to start the investigation.”
Q1: What is the exposed password that we find from the bash history output?
To start out, I loaded the memory image and confirmed that Volatility had a matching Ubuntu profile to use.
Next, I checked the bash history on the device and noticed someone typing a password on the command line.
It also looks like they downloaded something called toy_miner and then ran it.
Q2: What is the PID of the miner process that we find?
Next, I took a look at the running processes to get the PID of toy_miner.
Also of interest is the “mysqlserver” process just below it, because the real MySQL server daemon is normally named “mysqld”.
Q3: What is the MD5 hash of the miner process?
In order to get the MD5 hash, I extracted the binaries of those two processes into a dedicated directory.
Then I computed the hashes of the dumped files.
Q4: What is the MD5 hash of the mysqlserver process?
Q5: Use the command `strings extracted/miner.<PID from question 2>.0x400000 | grep http://`. What is the suspicious URL? (Fully defang the URL using CyberChef)
I was able to find the URL below:
And then defang using CyberChef.
Q6: After reading the elfie file, what location is the mysqlserver process dropped in on the file system?
In order to search for persistence mechanisms, we can check the cron jobs. The analyst named elfie mentioned that they have no cron jobs on this server, so finding one is suspicious.
I extracted that cron file to my dedicated directory so I could examine it.
After that I could read the file to see where the mysqlserver binary was placed on the system.
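The steps above (spotting the lookalike process in the process list, hashing the dumped binaries, pulling and defanging the URL from the miner's strings, and reading the dropped cron entry) can be scripted once the Volatility output and dumped files are on disk. The following is an added example, not code from the walkthrough or from TryHackMe; it works on constructed sample data shaped like Volatility 2 `linux_pslist` output, a constructed ELF-like byte string and a constructed crontab, since the real memory image and profile are not available here. The list of expected daemon names, the lookalike threshold, the `example.invalid` URL and the `/var/tmp/.cache/` path are all assumptions, and the defang rules mirror what CyberChef's "Defang URL" produces with every option enabled.

```python
"""Triage helpers for the Linux memory-forensics steps in this walkthrough (added example)."""
import hashlib
import re
from difflib import SequenceMatcher

# Daemon names a defender expects on a database host (assumption: short illustrative list).
KNOWN_DAEMONS = {"mysqld", "sshd", "cron", "systemd", "rsyslogd"}

# Constructed sample shaped like Volatility 2 linux_pslist output (not the challenge data).
SAMPLE_PSLIST = """\
Offset             Name                 Pid             PPid            Uid             Gid
------------------ -------------------- --------------- --------------- --------------- ------
0xffff88003c1e0000 systemd              1               0               0               0
0xffff88003c2a0000 mysqld               812             1               113             118
0xffff88003d3b0000 mysqlserver          2451            1               0               0
0xffff88003d4c0000 miner                2460            2451            0               0
"""

# Constructed bytes standing in for a dumped process image (not the real miner).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                 + b"/usr/bin/curl\x00"
                 + b"http://example.invalid/toy_miner.sh\x00"
                 + b"\x90" * 8)

# Constructed crontab; the path is an assumption, not the challenge's answer.
SAMPLE_CRONTAB = """\
# constructed crontab, not the challenge's elfie file
PATH=/usr/local/bin:/usr/bin:/bin
*/5 * * * * /var/tmp/.cache/mysqlserver >/dev/null 2>&1
@reboot /usr/bin/backup.sh
"""


def parse_pslist(text):
    """Turn linux_pslist text into dicts; the first two lines are the header and rule."""
    procs = []
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        procs.append({"name": fields[1], "pid": int(fields[2]),
                      "ppid": int(fields[3]), "uid": int(fields[4])})
    return procs


def lookalike_processes(procs, known=KNOWN_DAEMONS, threshold=0.5):
    """Flag process names that resemble, but are not, an expected daemon name.

    A name is flagged when it shares its first four characters with a known
    daemon or when its similarity ratio to one is at least `threshold`.
    """
    flagged = []
    for p in procs:
        if p["name"] in known:
            continue
        for legit in sorted(known):
            ratio = SequenceMatcher(None, p["name"], legit).ratio()
            if p["name"][:4] == legit[:4] or ratio >= threshold:
                flagged.append((p["name"], p["pid"], legit))
                break
    return flagged


def md5_of(data: bytes) -> str:
    """MD5 of a dumped binary, the same value `md5sum` prints for the file."""
    return hashlib.md5(data).hexdigest()


def printable_strings(data: bytes):
    """Equivalent of `strings`: runs of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", data)]


def extract_urls(data: bytes):
    """Equivalent of `strings ... | grep http://`, returning just the URLs."""
    urls = []
    for s in printable_strings(data):
        urls.extend(re.findall(r"https?://[^\s\"'<>]+", s))
    return urls


def defang_url(url: str) -> str:
    """Fully defang a URL: http -> hxxp, :// -> [://], . -> [.] (CyberChef-style, all options)."""
    out = re.sub(r"^http", "hxxp", url)
    out = out.replace("://", "[://]")
    return out.replace(".", "[.]")


def cron_commands(text):
    """Parse crontab lines into schedule and binary path, marking paths in scratch or hidden dirs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment
        if line.startswith("@"):
            schedule, cmd = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, cmd = " ".join(parts[:5]), parts[5]
        binary = cmd.split()[0]
        suspicious = binary.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in binary
        entries.append({"schedule": schedule, "binary": binary, "suspicious": suspicious})
    return entries


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("lookalike processes:", lookalike_processes(procs))
    print("md5 of sample dump:", md5_of(SAMPLE_BINARY))
    print("defanged URLs:", [defang_url(u) for u in extract_urls(SAMPLE_BINARY)])
    print("cron entries:", cron_commands(SAMPLE_CRONTAB))
```

On the real case you would feed `parse_pslist` the saved output of `linux_pslist`, `md5_of` and `extract_urls` the files written by `linux_procdump`, and `cron_commands` the crontab recovered with `linux_find_file`; the lookalike check is what turns the "mysqlserver versus mysqld" observation into something you can run over every process rather than eyeball.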