TryHackMe: Slingshot

Overview

Slingshot challenges us to investigate a compromised web server, using ELK, to discover a web-based attack. We’re tasked with determining vulnerability exploitation, account compromise, and data exfiltration.


Scenario

Slingway Inc., a leading toy company, has recently noticed suspicious activity on its e-commerce web server and potential modifications to its database. To investigate the suspicious activity, they’ve hired you as a SOC Analyst to look into the web server logs and uncover any instances of malicious activity.

To aid in your investigation, you’ve received an Elastic Stack instance containing logs from the suspected attack. Below, you’ll find credentials to access the Kibana dashboard. Slingway’s IT staff mentioned that the suspicious activity started on July 26, 2023.

By investigating and answering the questions below, we can create a timeline of events to lead the incident response activity. This will also allow us to present concise and confident findings that answer questions such as:

What vulnerabilities did the attacker exploit on the web server? What user accounts were compromised? What data was exfiltrated from the server?


Q1

What was the attacker’s IP?

We’ve been told that the suspicious activity began on July 26th, 2023, so we’ll start by filtering for any events that occurred on or after that date. We’ll also sort the events from Oldest -> Newest.

Filtering for events on/after August 26th

With our dates filtered and events sorted, we’ll look at the first event to get an idea of what fields were parsed by Elastic.

Event fields

We see that the User-Agent was parsed as “request.headers.User-Agent” and that the source IP addresses are recorded as “transaction.remote_address”.

Let’s check what User-Agents are present in the logs.

We can do this by typing user-agent into the field search and clicking the request.headers.User-Agent field that appears.

User-Agent values found in the current results

User-Agent values, viewed in a table

We can see that over 60% of User-Agents were recorded as Gobuster, 16% were Hydra, and 1% was from Nmap.

Let’s filter for events that contain any of these user-agents to confirm that they were all executed from a single IP.

Filtering for the tool user-agents

The IP address that ran nmap, gobuster, and hydra against the victim

Our results show that 100% of these events are associated with the IP address 10.0.2.15.

Answer 10.0.2.15

Q2

What was the first scanner that the attacker ran against the web server?

Our results are already filtered from Old -> New, so the oldest event is the first one we see in our results.

With that, we can see that Nmap was the first tool that was run against the endpoint.

Nmap activity

Answer Nmap Scripting Engine

Q3

What was the User Agent of the directory enumeration tool that the attacker used on the web server?

We discovered this earlier when we did our analysis in Q1.

Answer Mozilla/5.0 (Gobuster)

Q4

In total, how many requested resources on the web server did the attacker fail to find?

We’ll start by filtering for the malicious IP and checking the response code of the requests by checking the response.status field.

Response.status field

We’ll filter for only the results that contain a response code of 404.

Count of records with a response code of 404

Answer 1867

Q5

What is the flag under the interesting directory the attacker found?

We’re looking for successful enumeration, so we’ll change our filters to exclude response codes 404 and 401.

Filtering for successful response codes, malicious IP

To see the target of the requests we can use the Visualize tool on the request.request_line field.

request.request_line values

In the visualization, screen we’ll change the display to a Table and increase the number of values to any value greater than the total number of unique requests.

Visualization settings

Immediately we can see directory traversal in which the attacker attempted to access phpmyadmin/config-db.php.

Scrolling through the results we can see plenty of other malicious activity, including command execution.

Command execution in the web traffic

We also see requests to the “backups” directory and a flag parameter.

backups directory and flag parameter

Answer a76637b62ea99acda12f5859313f539a

Q6

What login page did the attacker discover using the directory enumeration tool?

Scrolling through the output we can see a login page request, but we’ll filter our results for requests from Gobuster just to be sure it is the correct one.

Results for the current filter

There doesn’t appear to be a login page within our current results, but perhaps it was a failed request.

Let’s include 401 status codes in our results to see if the requests were blocked.

Results including 401 response codes

And here we can see the login page.

Answer /admin-login.php

Q7

What was the user agent of the brute-force tool that the attacker used on the admin panel?

We know that one of the tools used by the attacker was Hydra, a brute-force tool, so we’ve already got the answer to this question.

Answer Mozilla/4.0 (Hydra)

Q8

What username:password combination did the attacker use to gain access to the admin page?

We’ll filter for Hydra requests and analyze the results.

We want to see successful results so we’ll filter for status codes that aren’t 401 or 404 again.

Successful hydra requests

Analyzing the data we can see an Authorization header with a base64 encoded string.

Base64 encoded authorization

A quick trip to cyberchef will give us the answer.

Answer admin:thx1138

Q9

What flag was included in the file that the attacker uploaded from the admin directory?

We can start by looking for POST requests.

We’ll use the visualization tool to look at a table of URLs again to see if we can spot anything interesting. Note: Though, really, we should have noted that there was a request to an upload URL when we analyzed the requests previously.

request to upload.php

We see a POST request to admin/upload.php, so we’ll apply that request as a filter and return to the Discover tool.

Looking through the event information we can see the request.body field contains the plaintext file.

We can see the filename is easy-simple-php-webshell.php.

malicious upload

Answer THM{ecb012e53a58818cbd17a924769ec447}

Q10

What was the first command the attacker ran on the web shell?

We already discovered command execution during our initial analysis, but we’ll refine the filter to make the commands more clear.

We’ll adjust our filter to include any requests to the shell script we identified previously.

Filtering for requests to the shell script

command execution on the shell script

Answer whoami

Q11

What file location on the web server did the attacker extract database credentials from using Local File Inclusion?

We discovered LFI exploitation at the start of our investigation, but we’ll filter again to make the results more easily readable and to enhance our evidence.

We’ll adjust our filter to include web requests that contain the string “../../”

filtering for LFI requests

LFI execution

Answer /etc/phpmyadmin/config-db.php

Q12

What directory did the attacker use to access the database manager?

We discovered access to a database previously, so we’ll pivot on our previous findings.

Back in Q5, we discovered GET requests to sql.php and tbl commands.

excerpt of findings in Q5

We can see that these commands' php scripts were run from the phpmyadmin directory.

Answer /phpmyadmin

Q13

What was the name of the database that the attacker exported?

Analyzing the same evidence we can see that the attacker exported a credit card database.

Answer customer_credit_cards

Q14

What flag does the attacker insert into the database?

Inserting an entry in a database would likely be a POST request, so we’ll filter for events with the http.method set as POST.

We can filter out some noise by removing results like the POST requests to ajax.php.

We’re left with only 5 requests to the export, tbl_replace, lint, and import.php files.

Filtered results

Looking through these events we can see the request to lint.php contains a SQL INSERT statement.

request.body of the POST request to lint.php

We’ll take the request body and URL decode it in CyberChef to make it easier to read.

URL Decode of the insert statement

The decoded results show us exactly what the attacker inserted into the database.

Answer c6aa3215a7d519eeb40a660f3b76e64c