# Red Team Activity 2

- 90 Points / 161 Solves

## Background

Q2: Name of the malicious service?

Note: Flag format is `RS{MD5sum(<answer string>)}`

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/RITSEC-CTF-2023/images/Pasted%20image%2020230401175855.png)

## Find the flag

**In this challenge we can download a file:**

```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|17:59:09(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```

As you can see, it's `auth.log`, the Linux log file that stores **system authorization information, including user logins and the authentication mechanisms that were used.**

**Since the challenge's question asks for a "service", we can `grep` the log for `.service` unit names and then narrow the hits to lines where a unit was enabled with `systemctl enable`:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|18:03:05(HKT)]
└> grep '\.service' auth.log | grep 'systemctl enable'
Mar 25 20:10:40 ctf-1 sudo: root : (command continued) launchd (after installing config)#012start_teleport_launchd() {#012 log "Starting Teleport via launchctl. It will automatically be started whenever the system reboots."#012 launchctl load ${LAUNCHD_CONFIG_PATH}/com.goteleport.teleport.plist#012 sleep ${ALIVE_CHECK_DELAY}#012}#012# start teleport via systemd (after installing unit)#012start_teleport_systemd() {#012 log "Starting Teleport via systemd. It will automatically be started whenever the system reboots."#012 systemctl enable teleport.service#012 systemctl start teleport.service#012 sleep ${ALIVE_CHECK_DELAY}#012}#012# checks whether teleport binaries exist on the host#012teleport_binaries_exist() {#012 for BINARY_NAME in teleport tctl tsh; do#012 if [ -f ${TELEPORT_BINARY_DIR}/${BINARY_NAME} ]; then return 0; else return 1; fi#012 done#012}#012# checks whether a teleport config exists on the host#012teleport_config_exists() { if [ -f ${TELEPORT_CONFIG_PATH} ]; then return 0; else return
Mar 25 20:51:39 ctf-1 snoopy[2530]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: systemctl enable bluetoothd.service
```

Found it! The `bluetoothd.service` looks sussy: it was enabled by `root` from an interactive SSH session with `cwd:/root/.ssh`, and the legitimate BlueZ unit on Ubuntu is named `bluetooth.service`, not `bluetoothd.service`. The first hit is just the Teleport install script logged by `sudo`, which is expected.

**MD5 hash the answer:**

```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-2)-[2023.04.01|17:59:10(HKT)]
└> echo -n 'bluetoothd.service' | md5sum
a9f8f8a0abe37193f5b136a0d9c3d869 -
```

> Note: The `-n` flag tells `echo` not to append a trailing newline character. Without it the newline is hashed too and you get a different MD5 hash.

- Flag: `RS{a9f8f8a0abe37193f5b136a0d9c3d869}`
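The two steps above (pull every `systemctl enable <unit>.service` out of `auth.log`, then hash the answer into the flag format) can be turned into a small, repeatable triage script. The following is an added example written for this page, not code from the original writeup: it parses snoopy-style and `sudo` lines, unescapes the `#012` newline encoding syslog uses for multi-line commands, records who enabled each unit and from which directory, flags any unit that is not on a per-host allowlist, and builds the `RS{MD5sum(...)}` flag. The sample log lines are constructed to mirror the excerpt above and the allowlist is an assumption.

```python
import hashlib
import re

# Constructed sample modelled on the auth.log excerpt in the writeup (not the real file).
SAMPLE_AUTH_LOG = """\
Mar 25 20:10:40 ctf-1 sudo: root : (command continued) launchd (after installing config)#012start_teleport_systemd() {#012 systemctl enable teleport.service#012 systemctl start teleport.service#012}
Mar 25 20:30:01 ctf-1 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 25 20:51:39 ctf-1 snoopy[2530]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: systemctl enable bluetoothd.service
Mar 25 20:52:10 ctf-1 snoopy[2531]: [login:ubuntu ssh:((undefined)) sid:2393 tty:/dev/pts/2 (0/root) uid:root(0)/root(0) cwd:/root/.ssh]: systemctl start bluetoothd.service
"""

# snoopy logs: "<ts> <host> snoopy[<pid>]: [<key:value context>]: <command line>"
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[\d+\]: "
    r"\[(?P<ctx>[^\]]*)\]: (?P<cmd>.*)$"
)
# context fields such as login:ubuntu, tty:/dev/pts/2, cwd:/root/.ssh
CTX_RE = re.compile(r"(\w+):(\S+)")
ENABLE_RE = re.compile(r"systemctl\s+enable\s+(?P<unit>\S+\.service)")


def find_enabled_units(log_text):
    """Return one record per 'systemctl enable <unit>.service' found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = SNOOPY_RE.match(line)
        if m:
            source, cmd = "snoopy", m.group("cmd")
            ctx = dict(CTX_RE.findall(m.group("ctx")))
        elif " sudo: " in line:
            # sudo logs the whole script; syslog escapes embedded newlines as #012 (octal 012)
            source, cmd = "sudo", line.split(" sudo: ", 1)[1]
            ctx = {}
        else:
            continue
        for fragment in cmd.split("#012"):
            for em in ENABLE_RE.finditer(fragment):
                findings.append({
                    "ts": line[:15],
                    "source": source,
                    "unit": em.group("unit"),
                    "login": ctx.get("login"),
                    "tty": ctx.get("tty"),
                    "cwd": ctx.get("cwd"),
                })
    return findings


def suspicious_enables(findings, expected_units):
    """Flag every enabled unit that is not in the host's expected (allowlisted) set."""
    return [f for f in findings if f["unit"] not in expected_units]


def make_flag(answer):
    """Build the challenge flag: RS{MD5sum(<answer string>)} with no trailing newline hashed."""
    digest = hashlib.md5(answer.encode()).hexdigest()
    return "RS{" + digest + "}"


if __name__ == "__main__":
    # Assumed allowlist: Teleport is the only unit this host is expected to install.
    expected = {"teleport.service"}
    found = find_enabled_units(SAMPLE_AUTH_LOG)
    for f in suspicious_enables(found, expected):
        print(f"{f['ts']} {f['source']}: {f['unit']} enabled by login={f['login']} "
              f"tty={f['tty']} cwd={f['cwd']}")
        print("flag:", make_flag(f["unit"]))
```

Run it as-is to see the single suspicious enable and its flag; point `find_enabled_units` at the contents of the real `auth.log` to run the same triage there. The allowlist is the part you would tune per host: anything enabled outside it, especially from an interactive SSH session in `/root/.ssh`, deserves a second look.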

Original writeup (https://siunam321.github.io/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1-4/#red-team-activity-2).