PersistencelsFutile

Technical Walkthrough

Writeup

Challenge

• Name: PersistencelsFutile
• Category: Forensics
• Difficulty: Medium
• Mode: remote

Summary

PersistencelsFutile was a remote Linux incident-response challenge. The goal was to identify and remove eight persistence/backdoor issues on a production-like server, then run /root/solveme as root.

The solve was evidence-driven: collect a sudo-backed persistence inventory, group related artifacts into checker issues, remove only validated malicious files/config lines, and use /root/solveme as the final source of truth. The last partial issue was caused by a leftover MOTD launcher after the reverse-shell payload itself had already been deleted.

Artifact Inventory

This was a remote-only challenge with no provided local archive. The initial artifact inventory in analysis/artifact-inventory.json records the empty files/ set and the live SSH target.

Analysis

The read-only inventory in analysis/remote/read-only-inventory-1.txt and deeper triage in analysis/remote/suspect-deep-dive-1.txt / analysis/remote/suspect-deep-dive-2.txt exposed the persistence set:

• Root SSH persistence: extra root authorized key, a Python helper that restored it, a cron runner for that helper, and permissive PermitRootLogin.
• User crontab command execution through a DNS TXT lookup.
• Cron-based SUID shell dropper.
• Existing SUID shell copies in user and system paths.
• Fake SUID ppppd binary.
• Modified gnats account with root-group/login access and an active password hash.
• Root shell startup bind shell through a fake alertd binary.
• User shell startup reverse shell hidden behind a cat alias.
• Private reverse-shell loop under /var/lib/private/connectivity-check.

The cleanup plan in analysis/cleanup/backdoor-plan.md grouped those artifacts into the checker-facing issues. analysis/cleanup/cleanup-run-1.txt remediated most items but failed to remove the private reverse-shell loop because of a shell expansion bug in the process-kill loop. analysis/cleanup/cleanup-run-2.txt removed the payload file and killed matching processes, leaving Issue 5 only partially remediated.

The decisive follow-up was analysis/cleanup/issue5-deep-dive-1.txt, which found /etc/update-motd.d/30-connectivity-check still launching /var/lib/private/connectivity-check on login. Removing that launcher in analysis/cleanup/cleanup-run-3.txt made /root/solveme report Issues 1-8 fully remediated.

Solve

The reproducible cleanup script is solve/solve.py. It accepts host, port, and user arguments and reads the SSH/sudo password from <secret redacted> or an interactive prompt. It removes only the validated malicious artifacts and then runs /root/solveme.

Example:

cd <local workspace>
<secret redacted>='<challenge password>' python3 solve/solve.py --host <TARGET> --port 31754 --user user

The final successful verifier output is preserved in analysis/cleanup/cleanup-run-3.txt, with the raw flag redacted from analysis.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• When a checker says an issue is partially remediated, search for both payload and launcher. Here, the reverse-shell script was gone, but the MOTD startup trigger remained.
• Group related artifacts by persistence mechanism rather than counting files one by one.
• Redact raw flags and private material from analysis outputs after capture; keep raw values in loot/ only.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: PersistencelsFutile
• Category: Forensics
• Difficulty: Medium
• Mode: remote
• Remote instance: <TARGET>:31754
• Start time: 2026-06-13T10:43:55Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The challenge required removing eight checker issues, but several issues contained multiple related artifacts.
• Issue 1 grouped root SSH persistence: an extra authorized key, a key-restoring Python helper, a cron runner, and permissive root SSH login.
• Issue 5 grouped a reverse-shell payload under /var/lib/private plus the login-triggered MOTD launcher under /etc/update-motd.d/.
• The final blocker was not a running process; it was the stale MOTD launcher that survived after the payload file was removed.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Forensics
• Challenge: PersistencelsFutile
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Treat the remote Linux host as an incident-response cleanup target.
2. Run read-only persistence triage across SSH configuration, cron, shell startup files, SUID/capability surfaces, users/groups, and running processes.
3. Group related artifacts into checker-facing issues instead of counting every file separately.
4. Remove validated root SSH persistence, user crontab command execution, cron SUID droppers, SUID shell copies, fake SUID service binaries, account tampering, shell startup bind/reverse shells, and private reverse-shell loop artifacts.
5. When /root/solveme reports a partial remediation, search for launchers/triggers as well as payload files.
6. Final missing trigger was a MOTD script that launched a now-removed private reverse-shell payload.

Reusable Lessons

• Linux persistence cleanup challenges often combine payloads, launchers, and configuration weakening into one checker issue.
• update-motd.d is a valid login-triggered persistence location and should be included in shell/login persistence triage.
• A removed payload can still leave a challenge issue partially remediated if a startup trigger remains.
• Keep raw checker flags in loot/ only and redact analysis copies after capture.

Dead Ends

• Killing/removing /var/lib/private/connectivity-check alone did not fully close Issue 5 because /etc/update-motd.d/30-connectivity-check still referenced it.
• Process-table checks alone were insufficient after the payload disappeared; filesystem reference search found the remaining trigger.

Tool Quirks

• strace was unavailable on the remote target, so /root/solveme behavior had to be inferred from status output and validated live cleanup.
• A shell expansion mistake in the first process-kill loop left the private reverse-shell payload in place; later cleanup used narrower process and file checks.

Evidence Paths

• analysis/remote/read-only-inventory-1.txt
• analysis/remote/suspect-deep-dive-1.txt
• analysis/remote/suspect-deep-dive-2.txt
• analysis/cleanup/backdoor-plan.md
• analysis/cleanup/cleanup-run-1.txt
• analysis/cleanup/cleanup-run-2.txt
• analysis/cleanup/issue5-deep-dive-1.txt
• analysis/cleanup/cleanup-run-3.txt
• solve/solve.py

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches