In this challenges, i would experience how Security Event been analysis by Security Analyst.
Our first task to download the pcap file into your machine and analysis it. For this activity, you will need to install and use wireshark to analysis.
Once it have completed, you will need to open the file via wireshark and the interface will look exactly such as follows:
The first thing that the Security Analyst need to look into will anything that suspicious.
What was the URL of the page they used to upload a reverse shell?
To answer the question above, you should be able to see the packet such as follows:
Got it. Security Analyst will need to follow HTTP Stream in order to see in HTTP mode like below:
The answer is /development
Let work on the next question for the first task.
What payload did the attacker use to gain access?
Let’s check again the packet and i found something suspicious such as POST /development/upload.php
For those are not familiar, POST is a method that normally used whenever you want to upload something to the server or web application. As a result, let’s start analysis that packet for confirmation
While analysis of the packet stream, I have found the payload that been used by the attackers.
It also show that the file payload.php has been uploaded to /development/uploads.
The packets below show the TCP communication which the result mention that can’t access and we need to analysis the packet just in case any details provided.
As i suspected, we can see everything that the attackers have try to compromise the server. We also found the password that the attacker use to privsec into the system.
Let’s analysis further this packet. Who knows we might stumble into other interesting details. Wow, we found the username and password hashes and we also found the tools that have been used by the attacker to gains access to the system.
Let try to download the tools that been used to the machine. Don’t worry, the tools link are valid.
I would like to say thanks and all the credit to James for the wonderful tools
When the tools have completed, you will need to open main.go by using any editor (for me, it’s atom)
Wow! We have found the hash for the default backdoor that resides within the ssh backdoor tools. If you analysis to the end, you also found the hardcoded salt for the backdoor
The screenshot above shown on the hashes that attacker been used for this attack.
Another question will require us to crack the password of Username=James
To obtain the answer on that, you will need to run the command
hashcat -m 1710 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed:1c362db832f3f864c8c2fe05f2002a05
If not mistaken, you will be provided november16 as the result of password cracking
For the last task, we are required to hack back the system (just hacking mock, not a real hacking!)
Let go check the website first before process further
What! The website have been hacked. So, how to analysis the website? Let’s start deploying the machine.
Firstly, we need to scanning the IP address to see what open port available on the system. I notice that ssh is open with 2222 and let run the command like ssh -p 2222 email@example.com. We have obtained the password for James previously via hashcat
*IP address is not the same for a different player. As a result, you need to ssh the system using the IP address provided to you
We successfully login into the system. Once you are inside the server/system, you need to go James home directory where the files are stored over there.
For us to gain the flag, we need to open the user.txt
While opening the user.txt file, I have noticed that there is a bash file that highlighted red and park under root privileged access.
Let try running the bash and see what happen later.
I have successful login as root and there is root.txt which might contain root flag inside.
Happy Learning guys!