Magnet Weekly CTF — Week 8

Part 1

The first part of the question was asking what package was installed by the attacker. Considering some of the previous questions, I immediately went to a previous file /var/log/apt/history.log and found the following:

Part 2

The question only said “Why?” with a multiple choice question. So at this point I thought I was supposed to try and map the whole attack which I was a little worried about, but based on the multiple choice question, I knew I only had to narrow my search to what they did with the PHP install. I tried a few things until I thought about doing some timeline analysis. Since the gap between what appeared to be the latest update and the PHP install was 2 years, it felt safe to find any files modified after that log file was modified. Using my trusty find command:

find ./ -type f -newercm ./var/log/apt/history.log
This command finds the files newer than the history.log’s last modified time

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store