# Red Team Activity 3

- 193 Points / 96 Solves

## Background

Q3: What is the location (the full path) responsible for having run the malicious
script repeatedly?

Note: Flag format is `RS{MD5sum(<answer string>)}`

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/RITSEC-CTF-2023/images/Pasted%20image%2020230401181719.png)

## Find the flag

**In this challenge, we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:09:30(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```

As you can see, it's `auth.log`, the Linux log file that stores
**system authorization information, including user logins and the authentication
mechanisms that were used.**

In Red Team Activity 1, we found that **the malicious script is `_script2980.sh` in
`/dev/shm/`**.

Now, the challenge's question asks about the script being run "repeatedly". Which red
teaming technique is about repeatedly executing something?

You guessed it! "***Persistence***"!

How is persistence commonly implemented in Linux? With a ***cronjob***!

**With that said, let's see whether any cronjobs have been modified or added!**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:15:10(HKT)]
└> grep 'crontabs' auth.log
Mar 25 20:56:56 ctf-1 snoopy[14959]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: vim /var/spool/cron/crontabs/root
```

Found it! `/var/spool/cron/crontabs/root` is the new cronjob!
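The `grep` above works because the challenge question hints at the answer, but on a real host you would want to parse every snoopy entry in `auth.log` and flag any command that touches a cron location, not just the one containing the string `crontabs`. The following Python script is an added example written for this writeup (not part of the original post or the challenge files): it parses the snoopy line format seen above into its fields, and reports commands that invoke `crontab` or reference a cron directory or file. The log entries it runs over are constructed for illustration, apart from the one entry reproduced from the challenge's `auth.log`; the filename `auth.log` and the list of cron paths are assumptions based on standard Linux layouts.

```python
import re
from dataclasses import dataclass

# One snoopy entry as written to auth.log. The bracketed field block is
# captured whole because some fields contain spaces (e.g. "tty:/dev/pts/3 (0/root)"),
# so individual fields are picked out afterwards with their own patterns.
SNOOPY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<fields>.*?)\]: (?P<cmd>.*)$"
)
FIELD_RE = {name: re.compile(name + r":(\S+)") for name in ("login", "uid", "cwd", "tty")}

# Standard locations where a scheduled task can be planted on a Linux host
# (assumed layout: Debian/Ubuntu-style per-user crontabs plus the /etc cron tree).
CRON_PATHS = (
    "/var/spool/cron/",      # per-user crontabs, e.g. /var/spool/cron/crontabs/root
    "/etc/crontab",
    "/etc/cron.d/",
    "/etc/cron.hourly/", "/etc/cron.daily/", "/etc/cron.weekly/", "/etc/cron.monthly/",
)


@dataclass
class SnoopyEvent:
    timestamp: str
    host: str
    login: str
    uid: str
    cwd: str
    command: str


def parse_snoopy(line):
    """Return a SnoopyEvent for a snoopy auth.log line, or None for any other line."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("fields")

    def field(name):
        fm = FIELD_RE[name].search(fields)
        return fm.group(1) if fm else ""

    return SnoopyEvent(m.group("ts"), m.group("host"), field("login"),
                       field("uid"), field("cwd"), m.group("cmd"))


def touches_cron(event):
    """True if the logged command is crontab(1) or names a cron file/directory."""
    argv = event.command.split()
    if not argv:
        return False
    if argv[0].rsplit("/", 1)[-1] == "crontab":
        return True
    return any(arg.startswith(CRON_PATHS) for arg in argv[1:])


def find_cron_edits(lines):
    """Parse every line and keep the snoopy events that touch cron locations."""
    return [ev for ev in map(parse_snoopy, lines) if ev and touches_cron(ev)]


# Constructed sample log. The first entry is the one found in the challenge's
# auth.log; the rest are made up for this example.
SAMPLE_LOG = [
    "Mar 25 20:56:56 ctf-1 snoopy[14959]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: vim /var/spool/cron/crontabs/root",
    "Mar 25 20:57:03 ctf-1 snoopy[14963]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: ls -la /dev/shm",
    "Mar 25 20:57:10 ctf-1 snoopy[14970]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: crontab -l",
    "Mar 25 20:57:15 ctf-1 snoopy[14975]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: cat /etc/cron.d/backup",
    "Mar 25 20:58:00 ctf-1 sudo: ubuntu : TTY=pts/3 ; PWD=/root ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    # Real usage: find_cron_edits(open("auth.log"))
    for ev in find_cron_edits(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host} login={ev.login} uid={ev.uid} cwd={ev.cwd}: {ev.command}")
```

Run against the sample it reports three events: the `vim` edit of root's crontab from the challenge, plus the constructed `crontab -l` and `cat /etc/cron.d/backup` entries. Matching on the path prefixes rather than the literal word `crontabs` also catches drop-ins under `/etc/cron.d/` and the system-wide `/etc/crontab`, which a `grep 'crontabs'` would miss.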

**MD5 hash the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:10:48(HKT)]
└> echo -n '/var/spool/cron/crontabs/root' | md5sum
c1da8fd57f17c95c731c38ee630f6aea -
```

- **Flag: `RS{c1da8fd57f17c95c731c38ee630f6aea}`**

Original writeup (https://siunam321.github.io/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1-4/#red-team-activity-3).