Tags: forensics 

Rating:

[Return of the Sith - Part 3]
---
Question:
---
Ok, great. They had full root access, did they leave anything else behind? Any other backdoor?

Answer
---
1. After some research in the bash_history, i was able to spot something weird.

![alt text](https://i.imgur.com/ILWmCs6.png)

2. Looks like the user mysql has been turned to root
3. SSH has been enabled, and mysql user is allowed with sh-shell.

Flag:
---
mysql

Original writeup (https://github.com/str0nkus/NeverlanCTF-2019-Writeups/tree/master/Forensic/Return%20of%20the%20Sith%20-%20Part%203).