Persistence Pays Off

Challenge:

Luciafer might have just bitten off more than she can chew! She has encountered an adversary that is counter-attacking her system!

Luciafer's Lytton Labs adversary executed a command to attain persistence on her computer. This command will allow the adversary to regain a connection to her computer later, even if she reboots it.

What is the packet number where this command is executed? For example: flag{93721}.

Use the PCAP file from Monstrum ex Machina.

Solution:

We sort of stumbled upon this solution while completing the A Warning challenge. When searching the PCAP for the string "you have been warned", the first result is packet #160789. Following that TCP stream (#73228), we observed the command whoami being executed. From there we simply decremented the stream number and reviewed the activity in each stream. In stream #73225 we identified a cron job being created:

sudo /bin/bash -c "echo '*/5 * * * * root /usr/bin/ll-connect.bin' > /etc/cron.d/da-ll-backup-job"

It was then a simple task of identifying the specific packet in the stream by changing the search term to "cron".

The accepted flag was flag{160468}.
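As an added example (not part of the original writeup), the following Python walks a reassembled TCP stream of packet records, flags any command that writes an entry into cron, and pulls out the schedule, user and binary so the persistence mechanism is visible at a glance. The packet records are constructed: only packet 160468, stream 73225 and the cron command come from the writeup; the other packet numbers and payloads are made up for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for the reassembled reverse-shell traffic:
# (packet number, TCP stream index, payload). Packet 160468 / stream 73225
# and the cron line are from the writeup; the rest is invented filler.
SAMPLE_PACKETS = [
    (160460, 73225, "whoami\n"),
    (160462, 73225, "root\n"),
    (160468, 73225, "sudo /bin/bash -c \"echo '*/5 * * * * root /usr/bin/ll-connect.bin'"
                    " > /etc/cron.d/da-ll-backup-job\"\n"),
    (160789, 73228, "you have been warned\n"),
]

# A shell redirect of a single-quoted echo into one of the cron drop locations.
CRON_WRITE = re.compile(
    r"echo\s+'(?P<entry>[^']*)'\s*>>?\s*"
    r"(?P<path>(?:/etc/cron\.d/|/var/spool/cron/)[^\s\"']+|/etc/crontab)"
)


@dataclass
class CronPersistence:
    packet: int
    stream: int
    path: str
    schedule: str
    user: str
    command: str


def stream_packets(packets, stream):
    """Return the packets of one TCP stream, mirroring 'follow stream' in Wireshark."""
    return [p for p in packets if p[1] == stream]


def find_cron_persistence(packets):
    """Scan payloads for cron entries being written and parse each hit."""
    hits = []
    for number, stream, payload in packets:
        m = CRON_WRITE.search(payload)
        if not m:
            continue
        fields = m.group("entry").split()
        # System cron files carry a user field: 5 schedule fields, user, command.
        if len(fields) < 7:
            continue
        hits.append(CronPersistence(number, stream, m.group("path"),
                                    " ".join(fields[:5]), fields[5], " ".join(fields[6:])))
    return hits
```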
