Reverse Shell Cleanup

In this lab, you’ll face a live incident response scenario. A production Ubuntu server has been compromised, and it is suspected that the attackers have left behind persistent access mechanisms.

Your role as a Blue Team analyst is to inspect the environment, identify all malicious access points, and help restore control of the server.

In this lab, you will practice:

• Post-exploitation behavior analysis
• Using Linux commands to trace processes and files

🌱 How to start this lab

👉 This challenge uses a virtual machine designed for post-exploitation scenarios.

1. If you don't have it yet, download the virtual machine from this link:

1https://storage.googleapis.com/cybersecurity-machines/emergency-lab.ova

1. Import the virtual machine into VirtualBox or VMware.
2. Start the VM and log in as the default user analyst:4geeks-lab. The terminal will already be active at the beginning of the exercise.

Your Mission

You have logged into a production Ubuntu server after the monitoring team detected suspicious outbound traffic. All signs suggest that the attacker has established persistence mechanisms that remain active.

Your task is to thoroughly inspect the system, identify any malicious artifacts that keep the attacker in control, and neutralize them. Evidence indicates that the access points are carefully hidden.

Validation

Once you believe you’ve identified all four persistence mechanisms, run the following command in the terminal:

1validate_lab

The system will prompt you to enter the absolute paths of the malicious files, one by one. If all paths are correct, you’ll get what you’re looking for.

Now it's your turn to think like a true Blue Team analyst. Recovering the server depends on you!

Good luck, Analyst!