Scenario

In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.

https://app.hackthebox.com/sherlocks/Brutus


We are provided with two files: auth.log and wtmp.

auth.log records every authentication event, whether a user attempts to log in or performs any task that requires authentication.

The wtmp file records all successful login and logout events.

(screenshot: Screenshot 2025-08-05 030426.png)

1- Analyze the auth.log. What is the IP address used by the attacker to carry out a brute force attack?

65.2.161.68

(screenshot: Screenshot 2025-08-05 033312.png)

To spot a brute force, look for repeated failed logins ("Invalid user" / "Failed password" entries) within a short period, so we grep the log for "Failed".

2- The brute force attempts were successful and the attacker gained access to an account on the server. What is the username of the account?

root

(screenshot: Screenshot 2025-08-05 033534.png)

We can see that the attacker was able to authenticate as the root account, the most privileged user on the system.
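The grep approach above works for a single log, but the two questions (which IP is brute forcing, and which account it eventually got into) are really one detection: a burst of "Failed password" lines from one source, followed by an "Accepted password" from the same source. The script below is an added example (not part of the Sherlock or the original write-up) that parses sshd lines from auth.log, flags any source IP with a threshold of failures inside a short window, and then lists the accounts that source successfully authenticated to. The log lines, the hostname `server01`, and the IPs 203.0.113.10 and 198.51.100.5 are constructed for the example and are not values from the real Brutus auth.log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for this example (not the Sherlock's real
# file). 203.0.113.10 plays the brute-forcing host and 198.51.100.5 a legitimate
# admin who mistypes a password once; "server01" is a placeholder hostname.
SAMPLE_AUTH_LOG = """\
Mar  6 06:31:31 server01 sshd[2325]: Invalid user admin from 203.0.113.10 port 46392
Mar  6 06:31:31 server01 sshd[2325]: Failed password for invalid user admin from 203.0.113.10 port 46392 ssh2
Mar  6 06:31:32 server01 sshd[2327]: Failed password for root from 203.0.113.10 port 46410 ssh2
Mar  6 06:31:33 server01 sshd[2329]: Failed password for invalid user backup from 203.0.113.10 port 46422 ssh2
Mar  6 06:31:33 server01 sshd[2331]: Failed password for root from 203.0.113.10 port 46428 ssh2
Mar  6 06:31:34 server01 sshd[2333]: Failed password for invalid user server_adm from 203.0.113.10 port 46436 ssh2
Mar  6 06:31:35 server01 sshd[2335]: Failed password for root from 203.0.113.10 port 46444 ssh2
Mar  6 06:32:44 server01 sshd[2411]: Accepted password for root from 203.0.113.10 port 53184 ssh2
Mar  6 06:32:44 server01 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  6 07:10:02 server01 sshd[2502]: Failed password for sysadmin from 198.51.100.5 port 50122 ssh2
Mar  6 07:10:09 server01 sshd[2502]: Accepted password for sysadmin from 198.51.100.5 port 50122 ssh2
"""

# Syslog timestamp prefix ("Mar  6 06:31:31") and the two sshd outcomes we care about.
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")


def parse_event(line):
    """Return (timestamp, outcome, user, ip) for an sshd password event, else None."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    # auth.log carries no year; strptime defaults to 1900, which is fine for
    # the relative time differences used below.
    ts = datetime.strptime(f"{m_ts['mon']} {int(m_ts['day']):02d} {m_ts['time']}", "%b %d %H:%M:%S")
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.search(line)
        if m:
            return ts, outcome, m["user"], m["ip"]
    return None  # "Invalid user ..." and pam_unix session lines are skipped


def parse_log(text):
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def failed_counts(events):
    """Total failed logins per source IP (the grep -c 'Failed' view)."""
    counts = defaultdict(int)
    for _, outcome, _, ip in events:
        if outcome == "failed":
            counts[ip] += 1
    return dict(counts)


def brute_force_sources(events, threshold=5, window_seconds=60):
    """IPs that produced at least `threshold` failures inside any window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, outcome, _, ip in events:
        if outcome == "failed":
            by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def successful_logins(events, ip=None):
    """(user, ip, time) for every Accepted login, optionally limited to one source IP."""
    return [(user, src, ts.strftime("%b %d %H:%M:%S"))
            for ts, outcome, user, src in events
            if outcome == "accepted" and (ip is None or src == ip)]


def investigate(text, threshold=5, window_seconds=60):
    """Answer both questions at once: who brute forced, and which accounts they got into."""
    events = parse_log(text)
    sources = brute_force_sources(events, threshold, window_seconds)
    return {
        "brute_force_sources": sources,
        "failed_counts": failed_counts(events),
        "compromised_accounts": sorted({user for ip in sources
                                        for user, _, _ in successful_logins(events, ip)}),
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_AUTH_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note that the single failure from 198.51.100.5 is not flagged: the sliding window and threshold separate a password typo from a credential-guessing burst, which a plain count of "Failed" lines does not. On a real auth.log, read the file instead of the constructed string and tune `threshold` and `window_seconds` to the host's normal traffic.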