Tags: forensics 

## Alpine 1:
### Description:
```
In this challenge you need to find the file and its path that is giving access to the attacker. The system administrator (root:strongpassword) created a user for a local user, Matt Johnson (mjohnson:hardpassword). An attacker was able to brute force Matt’s password and login. The system administrator changed Matt’s password (mjohnson:secretpassword), however the attacker is still able to SSH into the machine.

Provide the path and file name that is allowing the attacker to still have access (persistence): byuctf{/full/path/to/file}.
```

Alpine is a three-challenge Linux forensics series, though I only solved two of them. The whole idea is that an attacker has hacked the system, and we have to investigate the VirtualBox machine (.ova) and find more information about what the attacker did on the system.
### Solution:

Alpine 1 is an easy forensics challenge: we need to log in to the VM and find the file that gives the attacker access. We are given two accounts; I went ahead and logged in using the root account. Clearly, by the challenge description, the attacker now has persistent access to the machine, so the first thing I did was head to `/home/mjohnson` and run `ls -la` to list all the files, and I found some stuff that can lead us the right way or even solve the whole challenge.

![img1](https://user-images.githubusercontent.com/33517160/171494408-07e69b90-73d7-478f-beee-ea5959071219.png)

So I decided to check `.ash_history` for commands run by the attacker.

![img1](https://user-images.githubusercontent.com/33517160/171494551-5c23b5ef-b6a8-485e-9cda-4962790d754a.png)

Great, that's the file giving the attacker access: `/home/mjohnson/.ssh/authorized_keys`
## Flag: `byuctf{/home/mjohnson/.ssh/authorized_keys}`
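
The same check scripted, as an added example that is not part of the original writeup: it lists every `authorized_keys` file under a filesystem root and the shell-history lines that mention `.ssh`. The function names are hypothetical, and the sample tree, key and history lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): list SSH-key persistence
# artefacts under a filesystem root, e.g. "/" or a mounted copy of the disk.

# Print each authorized_keys file, then the type and comment of every key in it.
list_authorized_keys() {
    root=${1:-/}; root=${root%/}
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        echo "FILE $f"
        # Key line layout: [options] keytype base64-blob [comment]
        awk '!/^[ \t]*(#|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print "  KEY " $i " " $(i + 2); break }
        }' "$f"
    done
}

# Print shell-history lines that mention .ssh or authorized_keys (file:line:text).
find_key_history() {
    root=${1:-/}; root=${root%/}
    for h in "$root"/root/.*_history "$root"/home/*/.*_history; do
        [ -f "$h" ] || continue
        # /dev/null as a second operand makes grep print the file name
        grep -nE '\.ssh|authorized_keys' "$h" /dev/null
    done
}

# Constructed sample tree standing in for the image; all contents are made up.
build_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/mjohnson/.ssh"
    printf '%s\n' '# constructed sample' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED constructed-key@example' \
        > "$d/home/mjohnson/.ssh/authorized_keys"
    printf '%s\n' 'ls -la' 'mkdir .ssh' 'vi .ssh/authorized_keys' \
        > "$d/home/mjohnson/.ash_history"
    echo "$d"
}

SAMPLE=$(build_sample_root)
list_authorized_keys "$SAMPLE"
find_key_history "$SAMPLE"
rm -rf "$SAMPLE"
```

A password change does not touch these files, which is why key-based access survives it. `AuthorizedKeysFile` in `sshd_config` can point somewhere other than `~/.ssh/authorized_keys`, so check that setting as well.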

Original writeup (http://0xrar.net/blog/BYUCTF_2022).