Profiles

No profile? No problem.

medium | 120 min | 4,143
The incident response team has alerted you that there was some suspicious activity on one of the database servers.

A memory dump of the server was taken and provided to you for analysis. You advise the team that you are missing crucial information from the server, but it has already been taken offline. They just made your job a little harder, but not impossible.

Click on the Download Task Files button at the top of this task. You will be provided with an evidence.zip file.

Extract the zip file's contents and begin your analysis in order to answer the questions.

Note: The challenge is best done using your own environment. I recommend using Volatility 2.6.1 to handle this task and strongly advise using this article by Sean Whalen to aid you with the Volatility installation.

Answer the questions below
What is the exposed root password?

And what time was the users.db file approximately accessed? Format is YYYY-MM-DD HH:MM:SS

What is the MD5 hash of the malicious file found?

What is the IP address and port of the malicious actor? Format is IP:Port

What is the full path of the cronjob file and its inode number? Format is filename:inode number

What command is found inside the cronjob file?
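The note above recommends Volatility 2.6.1, and the questions all concern things a Linux memory image records: shell history, processes and sockets, and the cached file system with its inode numbers. The script below is an added triage wrapper, not part of the room or of Volatility itself. It assumes `vol.py` (Volatility 2.6.1) is on `PATH` and that a Linux profile matching the dump has already been built and installed under a name you pass in; the `linux_*` plugin names and options are Volatility 2's own, and the sample `linux_enumerate_files` listing used by `inode_for_path` in the test is constructed.

```shell
#!/usr/bin/env bash
# Volatility 2.6.1 Linux triage helper (added example; assumes vol.py on PATH
# and a matching --profile already installed).
set -euo pipefail

VOL="${VOL:-vol.py}"

# Run one Volatility 2 plugin against the dump and keep its output for review.
vol_plugin() {
  local dump="$1" profile="$2" plugin="$3" outdir="$4"
  shift 4
  "$VOL" -f "$dump" --profile="$profile" "$plugin" "$@" | tee "$outdir/$plugin.txt"
}

# MD5 of a file recovered from the image (or of any file on disk).
md5_of_file() {
  md5sum "$1" | cut -d' ' -f1
}

# Look up the inode number of a path in saved linux_enumerate_files output.
# Volatility 2 prints three columns: Inode Address, Inode Number, Path.
inode_for_path() {
  local listing="$1" path="$2"
  awk -v p="$path" '$3 == p { print $2; exit }' "$listing"
}

# Look up the kernel inode address for a path (needed by linux_find_file -i).
inode_addr_for_path() {
  local listing="$1" path="$2"
  awk -v p="$path" '$3 == p { print $1; exit }' "$listing"
}

# Collect the plugins whose output answers the usual "what happened" questions:
# shell history with timestamps, process list, sockets, and the cached file tree.
triage() {
  local dump="$1" profile="$2" outdir="${3:-vol_out}"
  mkdir -p "$outdir"
  vol_plugin "$dump" "$profile" linux_bash "$outdir"            # commands typed, with times
  vol_plugin "$dump" "$profile" linux_pslist "$outdir"          # running processes
  vol_plugin "$dump" "$profile" linux_netstat "$outdir"         # remote endpoints per process
  vol_plugin "$dump" "$profile" linux_enumerate_files "$outdir" # paths + inode numbers
}

# Carve a file out of the image by its inode address and hash the result.
recover_and_hash() {
  local dump="$1" profile="$2" inode_addr="$3" out="$4"
  "$VOL" -f "$dump" --profile="$profile" linux_find_file -i "$inode_addr" -O "$out"
  md5_of_file "$out"
}

# Usage: ./triage.sh run <dump> <profile> [outdir]
if [ "${1:-}" = "run" ]; then
  triage "$2" "$3" "${4:-vol_out}"
fi
```

Run `triage` first, then grep the saved `linux_enumerate_files.txt` for the directories you care about (cron spool, database paths); `inode_addr_for_path` hands the address straight to `recover_and_hash`, which writes the carved file and prints its MD5. Keeping every plugin's output on disk matters here because the server is already offline: the dump is the only evidence, and re-running plugins against it is slow.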
