# An Unusual Sighting

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299128997/a22cfa7e-f518-4c92-9b0d-917d5b751946.png align="center")

Start the instance and download the given files. We were given two files: **sshd** and **bash\_history**.

First, let’s see what is in the instance.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299324958/0f8bc445-6543-47be-b656-865917f8e89d.png align="center")

So we were asked a question:  
Ques 1) What is the IP Address and Port of the SSH Server (IP:PORT) ?

Let’s search for it in the **sshd** file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299420637/fdf009e8-58b5-4a4e-b93c-ff788ef9a853.png align="center")

There we go: the IP and port are given in the logs, which is **100.107.36.130:2221**

Now the second question is asked:

Ques 2) What time is the first successful Login ?

Again, let’s look at the **sshd** logs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299657414/9e27c180-0587-4350-bca2-b39773856f91.png align="center")

And we found it: **2024-02-13 11:29:50**

The next question is:

Ques 3) What is the time of the unusual Login ?

Remember that we were given a specific operational time in the description of the challenge:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299747283/8e802243-91ad-4a79-92d6-00203376f0d4.png align="center")

So let’s search for logins that fall before or after this operational time.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299781812/aa39c688-66c4-4de7-8ffb-365a972a9548.png align="center")

Yep, we found it: **2024-02-19 04:00:14**

Now the next question:

Ques 4) What is the Fingerprint of the attacker's public key ?

Now let’s search for it in the attacker's time slot in the sshd logs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299859742/09517c3a-bd14-4c0f-9b09-95b7b157a23d.png align="center")

And here we go, we got the fingerprint, which is **OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4**
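The manual search for the off-hours login and its key fingerprint can also be scripted. The following is an added example, not part of the original write-up: the sample log lines are constructed, and the bracketed timestamp layout and the 09:00-19:00 working window are assumptions to adjust to the actual log and challenge description.

```python
import re
from datetime import datetime, time

# Constructed sample lines (not the challenge's log). The bracketed
# timestamp layout and all addresses/users here are assumptions.
SAMPLE_LOG = """\
[2024-03-04 09:12:01] Connection from 192.0.2.10 port 50122 on 198.51.100.5 port 2222 rdomain ""
[2024-03-04 09:12:03] Accepted password for alice from 192.0.2.10 port 50122 ssh2
[2024-03-05 03:41:27] Connection from 203.0.113.77 port 41880 on 198.51.100.5 port 2222 rdomain ""
[2024-03-05 03:41:29] Failed password for alice from 203.0.113.77 port 41880 ssh2
[2024-03-05 03:41:40] Accepted publickey for alice from 203.0.113.77 port 41880 ssh2: ECDSA SHA256:CONSTRUCTEDFINGERPRINTEXAMPLE
[2024-03-05 18:59:59] Accepted password for bob from 192.0.2.11 port 50300 ssh2
"""

# Matches sshd "Accepted <method> for <user> from <ip> port <n>" lines;
# the key fingerprint is only present for publickey authentication.
ACCEPTED = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
    r"(?: ssh2: \S+ SHA256:(?P<fp>\S+))?"
)

def accepted_logins(log_text):
    """Yield one dict per successful login, in log order."""
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
            yield entry

def off_hours_logins(log_text, start=time(9, 0), end=time(19, 0)):
    """Return successful logins outside the assumed working window."""
    return [e for e in accepted_logins(log_text)
            if not (start <= e["ts"].time() < end)]

if __name__ == "__main__":
    logins = list(accepted_logins(SAMPLE_LOG))
    print("first successful login:", logins[0]["ts"])
    for e in off_hours_logins(SAMPLE_LOG):
        print("off-hours:", e["ts"], e["user"], e["ip"], e["method"], e["fp"])
```

The timestamp of each off-hours entry is the starting point for the matching time slot in the **bash\_history** file.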

Moving on to the next question:

Ques 5) What is the first command the attacker executed after logging in ?

To see it, we will now search the attacker's time slot in the **bash\_history** file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759299948970/cf127857-b204-4884-85c8-82fa0a0d5ccd.png align="center")

And we found the command, which is **whoami**

Now the next question:

Ques 6) What is the final command the attacker executed before logging out ?

As with the previous question, let’s search the bash history file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759300040801/cc8fbb2f-2881-41d1-941a-7d51a8632767.png align="center")

And it is **./setup**

**Now submitting all these answers one by one in the shell will give you the flag.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759300116352/e285dd30-ceec-4f2d-934d-b5129227ea51.png align="center")

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759300158104/fe2898e7-d67e-470b-905f-37570893e164.png align="center")

For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/)

**THANKS FOR READING !!!**
