[Day 19] Memory forensics CrypTOYminers Sing Volala-lala-latility

What is the exposed password that we find from the bash history output?

NEhX4VSrN7sV

What is the PID of the miner process that we find?

10280

What is the MD5 hash of the miner process?

153a5c8efe4aa3be240e5dc645480dee

What is the MD5 hash of the mysqlserver process?

c586e774bb2aa17819d7faae18dad7d1

Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://. What is the suspicious URL? (Fully defang the URL using CyberChef)

hxxp[://]mcgreedysecretc2[.]thm

After reading the elfie file, what location is the mysqlserver process dropped in on the file system?

/var/tmp/.system-python3.8-Updates/mysqlserver