arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
CyberDefenders - CTF01 Writeup
6 min read

CyberDefenders - CTF01 Writeup

CyberDefenders - CTF01 Writeup


Sometime around August 2021, I started my journey to study the side of Blue Teaming by enrolling myself in my teammates' company, GuideM. GuideM offers Red and Blue Team training, Ethical Hacking VAPT for Red and Cyber Defense & Threat Hunting for Blue.

Fast Forward to September 2021 and after reading bunch of reviews, I decided to take the eLearnSecurity Certified Digital Forensics Professionals (eCDFP). I passed the exam and now preparing for eCTHPv2 examination.

Days after passing the exam, I noticed that there was an ongoing live CTF in CyberDefenders.


I found the CTF challenging and interesting, so I decided to make a writeup.

Challenge Description
You have been called to analyze a compromised Linux server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).

Challenge File

Inside the challenge file, we found a file named 02.E01.

Commands I used for mounting:

sudo mkdir rawimage
sudo ewfmouunt 02.E01 rawimage
sudo mkdir mountpoint
sudo mount ./rawimage/ewf1 ./mountpoint


  1. What is the RHEL version of the operating system?

    Command to get the solution: cat etc/redhat-release

    It will return the version of redhat.
  2. How many users had a login shell?

    Command: cat etc/passwd | grep "/bin/bash"

    It will return the users with shell.
  3. How many users were allowed to run the SUDO command on the system?

    1. To get the sudoers: cat etc/sudoers
    2. To get the users: cat etc/group

    First, need to read the sudoers and find the group name then search that group in etc/group to get the number of users.
  4. What was the password of rossatron account?

    1. To get the hashed password: cat etc/shadow
    2. Save the hashed password into a text file
    3. To crack the hashed password: john --wordlist=/usr/share/wordlists/rockyou.txt rossatron.txt
  5. What was the victim's IP address?

    Command: cat var/log/messages | grep "Registering new address" | grep "192.168"

    I used the message "Registering new address" to identify the IP address.
  6. What service did the attacker use to gain access to the system?

    Command: cat var/log/secure | grep "Accepted password"

    This command will help us identify the service used by the attacker to access the system.
  7. What was the attacker's IP address?

    Command: cat var/log/secure | grep "Accepted password"

    You will get here the most used IP used by the attacker.
  8. What authentication attack did the attacker use to gain access to the system?

    Command: cat var/log/secure | grep "exceeded"

    It will validate our theory that the attacker performed beep attack to compromise accounts.
  9. How many accounts was the attacker able to get their password?

    Command: cat var/log/secure | grep "Accepted password" | awk '{print $9}' | sort | uniq

    It will return the number of accounts with 'Accepted password' log.
  10. When did the attack start?

    Command: cat var/log/secure | grep "" | head

    It will return the date.
  11. What is the compromised user account used to gain initial access to the system?

    Command: cat var/log/secure | grep "Accepted password" | awk '{print $9}' | sort | uniq

    The first user in the result is the answer
  12. What is the MITRE ID of the technique used to achieve persistence after the initial access?

    Command: cat home/chandler/.bash_history

    You will get the technique used by the attacker and search for that technique on Google.
  13. What is the CVE number used by the attacker to escalate privileges?

    Command: cat home/chandler/.bash_history

    You will find dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply then search that on Google and you will get the privilege escalation attack used by the attacker.
  14. The attacker dropped a backdoor to achieve persistence. The backdoor received commands from a Gmail account. What is the email used to send commands?

    Command: cat var/spool/cron/root

    This will give you the cron for root and you will see the backdoor used by the attacker to achieve persistence.

    Command: cat usr/bin/

    Read the backdoor to identify the email of the attacker.
  15. The attacker downloaded a keylogger to capture users' keystrokes. What is the secret word the attacker was able to exfiltrate?

    1. cat home/rachel/.bash_history - Checking rachel's history, we noticed that the attacker used wget to download a malicious shell script.
    2. cat etc/ - Found a file name that contains the keylogger by the attacker to exfiltrate data.
    3. ls -la home/rachel - There was a file named xfil.txt in rachel's folder and based on the file, the attacker is using to upload the keystrokes then the attacker's script stripped the path part of the generated link.
    4. cat home/rachel/xfil.txt - You will see 4 letters inside the file.
    5. Visit the link: but the link is no longer working.
    6. Used the wayback machine to check for possible mirror and we found 1 capture in August 25, 2021.

7. We reviewed the attacker's python script once again and he is reading the /dev/input/event1 which is for keyboard. So we saved the exfiltrated data from termbin and saved it in xfil file.
8. We then converted it into hex using this command: cat xfil | xxd -r -p > decoded-xfil
9. Searching for a script to decode the decoded-xfil file via Google gave us this

10. We used the script and modified it by changing the value of DEVICE
parameter in the script.

Script used:

# Read keyboard presses / release / holds on Linux
# Released under the MIT License

# Use binary_struct to process blobs

# Device to READ
DEVICE = '/home/kali/Downloads/ctf/decoded-xfil'

# Keymappings, more can be found at
KEYS = {
  1  => "ESC",
  2  => "1",
  3  => "2",
  4  => "3",
  5  => "4",
  6  => "5",
  7  => "6",
  8  => "7",
  9  => "8",
  10 => "9",
  11 => "0",
  16 => "Q",
  17 => "W",
  18 => "E",
  19 => "R",
  20 => "T",
  21 => "Y",
  22 => "U",
  23 => "I",
  24 => "O",
  25 => "P",
  30 => "A",
  31 => "S",
  32 => "D",
  33 => "F",
  34 => "G",
  35 => "H",
  36 => "J",
  37 => "K",
  38 => "L",
  44 => "Z",
  45 => "X",
  46 => "C",
  47 => "V",
  48 => "B",
  49 => "N",
  50 => "M"

# Define struct input_event
# Note!!!: make sure the byte lengths here are aligned with your system architecture:
InputEvent =['Q', :sec,
                               'Q', :usec,
                               'S', :type,
                               'S', :code,
                               'l', :value])

dev =, 'rb')

# Read input events from stream, decode, and output to stdout
while bin =
  evnt = InputEvent.decode(bin)
  if evnt[:type] == 1
       key = evnt[:code]
       if KEYS.key?(key)
            key = KEYS[key]
         action = case evnt[:value]
                  when 0 then
                  when 1 then
                  when 2 then
         puts "Key: #{key} #{action}"

# fin!

Final Words

Overall, I had fun solving the challenges and I did this live in our InfoSec Philippines server with many people watching me solving this CTF.

I also talked to one of the admin of CyberDefenders and they asked me not to include the answers in the writeup as they will publish it to the public via

That's all. Thanks for reading.