# Red Team Activity 3
- 193 Points / 96 Solves
## Background
Q3: What is the location (the full path) responsible for having run the malicious script repeatedly?
Note: Flag format is `RS{MD5sum(<answer string>)}`
## Find the flag
**In this challenge, we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:09:30(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```
As you can see, it's `auth.log`, the Linux log file that stores **system authorization information, including user logins and the authentication mechanisms that were used.**
In Red Team Activity 1, we found **the malicious script is `_script2980.sh` in `/dev/shm/`**.
Now, the challenge's question is asking about "repeatedly". Which red-teaming technique is about executing something repeatedly?
You guessed it! "***Persistence***"!
How do you implement persistence in Linux? A ***cronjob***!
**With that said, let's check whether any cronjobs have been modified or added!**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:15:10(HKT)]
└> grep 'crontabs' auth.log
Mar 25 20:56:56 ctf-1 snoopy[14959]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: vim /var/spool/cron/crontabs/root
```
Found it! `/var/spool/cron/crontabs/root` is the new cronjob!
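The same search, generalized into a small scanner, as an added example that is not part of the original write-up: it parses snoopy-format `auth.log` lines and flags any command that edits a cron location or invokes `crontab`. The `vim` line is the one from the log above; the other sample lines are constructed.

```python
import re

# Constructed sample: the vim line is the real one from the write-up, the rest are made up.
SAMPLE_LOG = """\
Mar 25 20:55:01 ctf-1 snoopy[14901]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: ls -la /dev/shm
Mar 25 20:56:56 ctf-1 snoopy[14959]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: vim /var/spool/cron/crontabs/root
Mar 25 20:57:10 ctf-1 snoopy[14970]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: cat /etc/passwd
Mar 25 20:58:02 ctf-1 snoopy[14985]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: crontab -e
"""

# One snoopy line: syslog timestamp, host, bracketed context, then the executed command.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[\d+\]: "
    r"\[login:(?P<login>\S+) .*?uid:(?P<uid>\S+) cwd:(?P<cwd>[^\]]+)\]: (?P<cmd>.*)$"
)

# Locations where scheduled tasks live; touching any of them is worth a second look.
CRON_PATHS = (
    "/var/spool/cron", "/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
    "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly",
)


def find_cron_changes(log_text):
    """Return one record per command that edits a cron file or runs crontab."""
    hits = []
    for line in log_text.splitlines():
        m = SNOOPY_RE.match(line)
        if not m:
            continue  # not a snoopy line (sshd, sudo, ...)
        cmd = m.group("cmd").strip()
        args = cmd.split()
        # First argument that points into a cron location, if any.
        path = next((a for a in args[1:] if a.startswith(CRON_PATHS)), None)
        uses_crontab = bool(args) and args[0] == "crontab"
        if path or uses_crontab:
            hits.append({"ts": m.group("ts"), "uid": m.group("uid"),
                         "cwd": m.group("cwd"), "cmd": cmd, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_cron_changes(SAMPLE_LOG):
        print(f"{hit['ts']} uid={hit['uid']} path={hit['path']} cmd={hit['cmd']}")
```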
**MD5 hash the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-3)-[2023.04.01|18:10:48(HKT)]
└> echo -n '/var/spool/cron/crontabs/root' | md5sum
c1da8fd57f17c95c731c38ee630f6aea -
```
- **Flag: `RS{c1da8fd57f17c95c731c38ee630f6aea}`**