Tags: forensics 

# 5_persistence

It looks like the attacker has somehow found a way to set up persistence. We need to find out how.

Perhaps the most common tactic attackers use to set up persistence on a \*NIX machine is cron, the time-based job scheduler. All we need to do is check which crontabs are installed and what they run.

First, let's mount the filesystem.

```
$ sudo mkdir /mnt/5_persistence
$ sudo mount -o loop filesystem.image /mnt/5_persistence
$ cd /mnt/5_persistence
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/5_persistence-1.png)

Now, let's go ahead and check for crontabs. The crontab spool directory is only readable by root, so we need a root shell to navigate inside of it. No worries. We can run `sudo` with the `-i` switch.

```
$ sudo -i
# cd /mnt/5_persistence/var/spool/cron/crontabs
# ls
# cat root
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/5_persistence-2.png)

The first two columns (minute, then hour) tell us when this job runs: `0230`. The last field of the row tells us what's being run. Looks like it's a script in `/root`. Let's go ahead and navigate there.

```
# cd /mnt/5_persistence/root/
# ls
# cat backup.sh
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/5_persistence-3.png)

It adds a new user called `devtest2` and places that user in the group `sudoers`. The md5sum of this script is `29ff58b6607c824451349183a570cc6c`.
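As an added example (not part of the original writeup), the following POSIX shell script automates the triage done by hand above. Given the path where the image is mounted, it walks the cron locations (the user spool, `/etc/crontab` and `/etc/cron.d`), prints every active job with its schedule and command, flags jobs whose executable lives outside the usual system prefixes, and hashes a file inside the image for the report. The `make_sample_image` helper, its crontab lines and the `devtest2` script it writes are constructed for the demonstration; the prefix list in `flag_unusual_jobs` is an assumption you would tune to the system being examined.

```shell
#!/bin/sh
# Added example for triaging cron persistence on a mounted image.
# Not from the original writeup; it assumes the image is mounted at the
# path passed as $1 and that md5sum is available (Linux coreutils).

# Constructed sample tree standing in for the mounted image, so the
# script runs offline. The job line mirrors the kind found in the writeup.
make_sample_image() {
    root="$1"
    mkdir -p "$root/var/spool/cron/crontabs" "$root/etc/cron.d" "$root/root"
    printf '# m h dom mon dow command\n30 2 * * * /root/backup.sh\n' \
        > "$root/var/spool/cron/crontabs/root"
    printf 'SHELL=/bin/sh\n0 * * * * root /usr/bin/apt-get update\n' \
        > "$root/etc/cron.d/apt"
    printf '#!/bin/sh\nuseradd -m devtest2\n' > "$root/root/backup.sh"
}

# Print one "file<TAB>schedule<TAB>command" line per active job found in
# the user spool (5 schedule fields + command) and the system locations
# (/etc/crontab and /etc/cron.d: 5 schedule fields + user + command).
list_cron_jobs() {
    root="$1"
    for f in "$root"/var/spool/cron/crontabs/* "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        case "$rel" in /var/spool/*) sys=0 ;; *) sys=1 ;; esac
        awk -v file="$rel" -v sys="$sys" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
            /^[A-Za-z_][A-Za-z0-9_]*=/ { next }             # VAR=value assignments
            {
                nsched = ($1 ~ /^@/) ? 1 : 5       # @reboot-style vs 5-field schedule
                start = nsched + (sys ? 2 : 1)     # system files carry a user column
                sched = $1
                for (i = 2; i <= nsched; i++) sched = sched " " $i
                cmd = $start
                for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
                printf "%s\t%s\t%s\n", file, sched, cmd
            }' "$f"
    done
}

# Report jobs whose executable lives outside the usual system prefixes;
# /root, /tmp and home directories are where dropped scripts tend to sit.
# The prefix list is an assumption to adjust per system.
flag_unusual_jobs() {
    list_cron_jobs "$1" | while IFS="$(printf '\t')" read -r file sched cmd; do
        exe=${cmd%% *}
        case "$exe" in
            /usr/*|/bin/*|/sbin/*|/etc/*|/lib/*) ;;
            *) printf '%s\t%s\t%s\n' "$file" "$sched" "$cmd" ;;
        esac
    done
}

# md5 of a file inside the image (image root, then path within the image),
# for the report and for matching against known-bad hashes.
hash_in_image() {
    md5sum "$1$2" | cut -d' ' -f1
}

# Stand-alone usage: ./cron_triage.sh /mnt/5_persistence
if [ "${1:-}" != "" ]; then
    list_cron_jobs "$1"
    echo "--- jobs outside system prefixes ---"
    flag_unusual_jobs "$1"
fi
```

Run it against the mount point to get the full job list first and the flagged subset after; pass the flagged script's path to `hash_in_image` to record its hash alongside the finding.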

[Original writeup](https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/DriveByInc/5_persistence.md).