JetBrains
Scenario
Lab Link: JetBrains
During a recent security incident, an attacker successfully exploited a vulnerability in our web server, allowing them to upload webshells and gain full control over the system. The attacker utilized the compromised web server as a launch point for further malicious activities, including data manipulation.
As part of the investigation, you are provided with a packet capture (PCAP) of the network traffic during the attack to piece together the attack timeline and identify the methods used by the attacker. The goal is to determine the initial entry point, the attacker's tools and techniques, and the extent of the compromise.
Start
Q1
Identifying the attacker's IP address helps trace the source and stop further attacks. What is the attacker's IP address?
Answer Format: **.***.**.***
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "frame.number == 24701" -T fields -e ip.src
23.158.56.196
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
Answer:
23.158.56.196
Q2
To identify potential vulnerability exploitation, what version of our web server service is running?
Answer Format: ****.**.*
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "http.response and frame.number > 24700 and frame.number < 24750" -T fields -e frame.number -e http.file_data | head -5
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ echo "<hex-encoded http.file_data of the response frame, omitted here>" | xxd -r -p | grep -o 'version="[^"]*"'
version="1.0"
version="2023.11.3 (build 147512)"
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
Answer:
2023.11.3
Q3
After identifying the version of our web server service, what CVE number corresponds to the vulnerability the attacker exploited?
Answer Format: ***-****-*****
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "http.request.uri contains hax" -T fields -e http.request.uri | head -1
/hax?jsp=/app/rest/server;.jsp
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
Answer:
CVE-2024-27198
Q4
The attacker exploited the vulnerability to create a user account. What credentials did he set up?
Answer Format: ********:**********
The /hax?jsp= request pattern confirms that the TeamCity 2023.11.3 path traversal vulnerability was exploited.
Answer:
c91oyemw:CL5vzdwLuK
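The request shape recovered in Q3 and Q4 (a harmless-looking path plus a `jsp=` parameter whose value ends in `;.jsp`) is a detectable signature. The following is an added example, not part of the original writeup: a small Python filter over the kind of TSV that `tshark -T fields -e frame.number -e ip.src -e http.request.uri` prints, flagging requests that carry that `;.jsp` pattern and summarising them per source IP. The sample lines are constructed; only the `/hax?jsp=/app/rest/server;.jsp` URI and the 23.158.56.196 address come from the page.

```python
"""Flag HTTP requests that carry the ';.jsp' path-parameter pattern seen in the capture."""
from collections import defaultdict

# Constructed sample of `tshark -T fields -e frame.number -e ip.src -e http.request.uri` output.
# The second line mirrors the request the writeup recovers; the others are made up for contrast.
SAMPLE_REQUESTS = """\
24690\t10.0.0.5\t/login.html
24701\t23.158.56.196\t/hax?jsp=/app/rest/server;.jsp
24733\t23.158.56.196\t/hax?jsp=/app/rest/server;.jsp
24800\t10.0.0.5\t/app/rest/server
24810\t10.0.0.5\t/static/app.jsp?v=1
"""


def is_auth_bypass_uri(uri):
    """True when the URI carries a ';.jsp' path parameter, either on the requested
    path itself or inside a 'jsp' query value.  Query parsing is done by hand so the
    ';' inside the value is never treated as a parameter separator (parse_qs did that
    on older Python versions)."""
    path, _, query = uri.partition("?")
    if ";.jsp" in path:
        return True
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "jsp" and ";.jsp" in value:
            return True
    return False


def flag_requests(tsv):
    """Return (frame, source IP, URI) for every request matching the pattern."""
    hits = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        frame, src, uri = line.split("\t", 2)
        if is_auth_bypass_uri(uri):
            hits.append((int(frame), src, uri))
    return hits


def hits_by_source(tsv):
    """Count flagged requests per source address: the address that owns the hits is
    the one to pivot on for the rest of the timeline (Q1)."""
    counts = defaultdict(int)
    for _, src, _ in flag_requests(tsv):
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for frame, src, uri in flag_requests(SAMPLE_REQUESTS):
        print(f"frame {frame}: {src} -> {uri}")
    print(hits_by_source(SAMPLE_REQUESTS))
```

The same filter can be expressed as a display filter (`http.request.uri contains ";.jsp"`), but keeping it in code makes it easy to join the hits with response codes or timestamps from other field extractions.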
Q5
The attacker uploaded a webshell to ensure his access to the system. What is the name of the file that the attacker uploaded?
Answer Format: ********.***
Answer:
NSt8bHTg.zip
Q6
When did the attacker execute their first command via the web shell?
Answer Format: YYYY-MM-DD HH:MM
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "http.request.uri contains jsp and frame.number > 24825" -T fields -e frame.time -e http.request.uri | head -10
Jun 30, 2024 08:03:57.620161000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:03:57.620203000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:24.356908000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:24.356938000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:26.637911000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:26.637936000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:33.300166000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:33.300199000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:44.764683000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
Jun 30, 2024 08:04:44.764708000 UTC /plugins/NSt8bHTg/NSt8bHTg.jsp
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
Answer:
2024-06-30 08:03
Q7
The attacker tampered with a text file that contained the credentials of the admin user of the webserver. What new username and password did the attacker write in the file?
Answer Format: *****:*****************
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "frame.number > 25000" -T fields -e http.file_data | xxd -r -p 2>/dev/null | grep -a "echo" | head -20
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ echo "cmd=bash+-c+%27echo+%22username%3Aa1l4m%2Cpassword%3Ayouarecompromised%22+%3E+%2Ftmp%2FCreds.txt%27" | sed 's/+/ /g' | sed 's/%3A/:/g' | sed 's/%2C/,/g' | sed 's/%22/"/g' | sed 's/%27/'\''/g'
cmd=bash -c 'echo "username:a1l4m,password:youarecompromised" %3E %2Ftmp%2FCreds.txt'
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
Answer:
a1l4m:youarecompromised
Q8
What is the MITRE Technique ID for the attacker's action in the previous question (Q7) when tampering with the text file?
Answer Format: *****.***
Answer:
T1565.001
Q9
The attacker tried to escape from the container but didn't succeed. What is the command that he used for that?
Answer Format: ****** *** --** -** -* /:/**** ****** ****** /****
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ tshark -r Artifacts/Capture.pcap -Y "http.file_data" -T fields -e http.file_data | xxd -r -p 2>/dev/null | strings | grep -E "docker run|nsenter|chroot" | head -20
cmd=docker+run+--rm+-it+-v+%2F%3A%2Fhost+ubuntu+chroot+%2Fhostcmd=docker+run+--rm+-it+-v+%2F%3A%2Fhost+ubuntu+chroot+%2Fhost
ubuntu@ip-172-31-30-63:~/Desktop/Start here$
ubuntu@ip-172-31-30-63:~/Desktop/Start here$ echo "cmd=docker+run+--rm+-it+-v+%2F%3A%2Fhost+ubuntu+chroot+%2Fhost" | sed 's/+/ /g' | sed 's/%2F/\//g' | sed 's/%3A/:/g'
cmd=docker run --rm -it -v /:/host ubuntu chroot /host
Answer:
docker run --rm -it -v /:/host ubuntu chroot /host
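Q6, Q7 and Q9 all come down to the same two steps: decode the hex `http.file_data` that tshark prints, then URL-decode the `cmd=` form value, and the `sed` chains above only cover the percent-escapes they were told about (the Q7 output still shows `%3E` and `%2F`). The following is an added example, not part of the original writeup: a Python script that takes the TSV produced by `tshark -T fields -e frame.time -e http.file_data`, fully decodes each POST body with `urllib.parse.unquote_plus`, builds a time-ordered command timeline, and tags commands with simple defender-side indicators (file writes, host root mount, chroot). It assumes the field is hex-encoded as the page's `xxd -r -p` usage implies; the sample input is constructed from the two request bodies shown on the page plus a made-up `whoami` and an empty body.

```python
"""Rebuild a webshell command timeline from tshark field output (frame.time + hex http.file_data)."""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# tshark prints nanoseconds; strptime's %f accepts at most six digits.
FRACTION_RE = re.compile(r"(\.\d{6})\d+")


def parse_frame_time(text):
    """'Jun 30, 2024 08:03:57.620161000 UTC' -> datetime (fraction trimmed to microseconds)."""
    stamp = FRACTION_RE.sub(r"\1", text.strip())
    if stamp.endswith(" UTC"):
        stamp = stamp[:-4]
    return datetime.strptime(stamp, "%b %d, %Y %H:%M:%S.%f")


def decode_file_data(hex_field):
    """Decode tshark's hex http.file_data; ':' separators from older tshark builds are tolerated."""
    raw = bytes.fromhex(hex_field.replace(":", "").strip())
    return raw.decode("utf-8", errors="replace")


def parse_form(body):
    """application/x-www-form-urlencoded -> dict.  Done by hand so that a ';' inside a
    command is never mistaken for a parameter separator."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


# Indicators a defender would want surfaced when reading decoded commands.
INDICATORS = (
    ("writes-file", re.compile(r"(^|\s)>{1,2}\s*/")),          # redirection to an absolute path
    ("host-root-mount", re.compile(r"\bdocker\s+run\b.*-v\s+/:/")),  # host filesystem mounted into a container
    ("chroot", re.compile(r"\bchroot\b")),
)


def classify(command):
    return [name for name, rx in INDICATORS if rx.search(command)]


def build_timeline(tsv):
    """Return [(datetime, command, [indicators])] sorted by time, skipping bodies without cmd=."""
    events = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        when, _, data = line.partition("\t")
        if not data:            # request frame carrying no body
            continue
        form = parse_form(decode_file_data(data))
        if "cmd" not in form:
            continue
        cmd = form["cmd"]
        events.append((parse_frame_time(when), cmd, classify(cmd)))
    events.sort(key=lambda e: e[0])
    return events


def first_command_time(tsv):
    """Timestamp of the earliest decoded command in the answer format used by Q6."""
    events = build_timeline(tsv)
    return events[0][0].strftime("%Y-%m-%d %H:%M") if events else None


# Constructed sample: deliberately out of order, with one body-less frame.
_BODIES = [
    ("Jun 30, 2024 08:04:24.356908000 UTC",
     "cmd=bash+-c+%27echo+%22username%3Aa1l4m%2Cpassword%3Ayouarecompromised%22+%3E+%2Ftmp%2FCreds.txt%27"),
    ("Jun 30, 2024 08:03:57.620161000 UTC", "cmd=whoami"),
    ("Jun 30, 2024 08:04:44.764683000 UTC", "cmd=docker+run+--rm+-it+-v+%2F%3A%2Fhost+ubuntu+chroot+%2Fhost"),
    ("Jun 30, 2024 08:04:50.000000000 UTC", ""),
]
SAMPLE_TSV = "\n".join(f"{t}\t{b.encode().hex()}" for t, b in _BODIES)


if __name__ == "__main__":
    for when, cmd, tags in build_timeline(SAMPLE_TSV):
        print(when.isoformat(), tags, cmd)
    print("first command:", first_command_time(SAMPLE_TSV))
```

Because each frame is decoded on its own, the run-together `cmd=...cmd=...` output that `strings` produced in Q9 does not occur; the paired frames per request seen in Q6 would simply appear as two events with the same command a few microseconds apart.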