Web Investigation Lab

CyberDefenders Network Forensics Lab

Scenario

You are a cybersecurity analyst working in the Security Operations Center (SOC) of BookWorld, an expansive online bookstore renowned for its vast selection of literature. BookWorld prides itself on providing a seamless and secure shopping experience for book enthusiasts around the globe. Recently, you’ve been tasked with reinforcing the company’s cybersecurity posture, monitoring network traffic, and ensuring that the digital environment remains safe from threats. Late one evening, an automated alert is triggered by an unusual spike in database queries and server resource usage, indicating potential malicious activity. This anomaly raises concerns about the integrity of BookWorld’s customer data and internal systems, prompting an immediate and thorough investigation. As the lead analyst in this case, you are required to analyze the network traffic to uncover the nature of the suspicious activity. Your objectives include identifying the attack vector, assessing the scope of any potential data breach, and determining if the attacker gained further access to BookWorld’s internal systems.

Question 1

By knowing the attacker’s IP, we can analyze all logs and actions related to that IP and determine the extent of the attack, the duration of the attack, and the techniques used. Can you provide the attacker’s IP?

Answer 1

Looking through the various IP addresses that show up in the log file, it was clear that 111.224.250.131 was the attacker's IP address. A series of rather suspicious directory traversal attempts via the search bar was the first, but not the last, indicator.


Question 2

If the geographical origin of an IP address is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the origin city of the attacker?

Answer 2

A quick search using their IP address showed the city Shijiazhuang.


Question 3

Identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the security gap and prevent future exploitation. Can you provide the vulnerable PHP script name?

Answer 3

As noted in the answer to question 1, they were trying to exploit the search function of the website, specifically the search.php script.

Question 4

Establishing the timeline of an attack, starting from the initial exploitation attempt, what is the complete request URI of the first SQLi attempt by the attacker?

Answer 4

Looking through the requests sent to search.php, the first attempt appeared to use the following:

/search.php?search=book and 1=1; -- -

The attacker was trying to elicit a response from the database to see whether the input was being sanitized.

Question 5

Can you provide the complete request URI that was used to read the web server’s available databases?

Answer 5

For this, I needed to narrow down the large number of requests the attacker was making to the server, using the filter:

ip.dst == 111.224.250.131 && http.response.code == 200

Then, after trawling through the responses, I was able to find a response from the web server that included the SQL database names.


A quick decode later:

/search.php?search=book' UNION ALL SELECT NULL,CONCAT(0x7178766271,JSON_ARRAYAGG(CONCAT_WS(0x7a76676a636b,schema_name)),0x7176706a71) FROM INFORMATION_SCHEMA.SCHEMATA-- -
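The attribution and decoding steps in answers 1, 4 and 5 can be scripted. The following Python is an added example, not part of the lab or this writeup: it URL-decodes a constructed set of request lines, flags traversal and SQL-injection patterns per source IP, and turns the MySQL 0x hex literals in the UNION query back into the marker strings the tool wraps around extracted values.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (source IP, method, raw request URI); the 111.224.250.131
# entries mirror the probes described above, the other two are benign look-alikes.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "/search.php?search=tolkien"),
    ("111.224.250.131", "GET", "/search.php?search=../../../../etc/passwd"),
    ("111.224.250.131", "GET", "/search.php?search=book%20and%201%3D1%3B%20--%20-"),
    ("111.224.250.131", "GET", "/search.php?search=book%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7178766271%2CJSON_ARRAYAGG%28CONCAT_WS%280x7a76676a636b%2Cschema_name%29%29%2C0x7176706a71%29%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"),
    ("10.0.0.9", "GET", "/search.php?search=union%20square%20guide"),
]

SQLI_PATTERNS = [
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),   # tautology probe such as "and 1=1"
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION-based data extraction
    re.compile(r"information_schema", re.I),           # catalogue enumeration
    re.compile(r"--\s", re.I),                         # trailing SQL comment
]
TRAVERSAL = re.compile(r"\.\./")

def classify(uri):
    """Decode a request URI once and return (decoded_uri, tags)."""
    decoded = unquote_plus(uri)  # single pass only: double-encoded payloads need a second decode
    tags = []
    if TRAVERSAL.search(decoded):
        tags.append("traversal")
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        tags.append("sqli")
    return decoded, tags

def suspicious_ips(requests):
    """Source IPs with at least one flagged request (the attribution step of answer 1)."""
    return {ip for ip, _, uri in requests if classify(uri)[1]}

def first_sqli_by_ip(requests):
    """Earliest decoded SQLi request per source IP, in log order (the timeline step of answer 4)."""
    first = {}
    for ip, _, uri in requests:
        decoded, tags = classify(uri)
        if "sqli" in tags and ip not in first:
            first[ip] = decoded
    return first

def decode_hex_literals(sql):
    """Replace MySQL 0x... literals with quoted text, e.g. 0x7178766271 -> 'qxvbq'."""
    return re.sub(r"0x((?:[0-9a-fA-F]{2})+)\b",
                  lambda m: repr(bytes.fromhex(m.group(1)).decode("latin-1")), sql)
```

The decoded marker strings are what to search for in the HTTP responses when confirming which injected query actually returned data.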

Question 6

Assessing the impact of the breach and data access is crucial, including the potential harm to the organization’s reputation. What’s the table name containing the website users data?

Answer 6

Using the same filter as in the previous question, I was able to find more requests made by the attacker, one of which queried the database attached to the website for its table names. This gave me the answer: customers.


Question 7

The website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionalities not intended for public access. Can you provide the name of the directory discovered by the attacker?

Answer 7

The attacker logged into the admin panel via login.php. Prior to this, the attacker had managed to find the /admin/ directory, which contained a login page titled login.php.

Question 8

Knowing which credentials were used allows us to determine the extent of account compromise. What are the credentials used by the attacker for logging in?

Answer 8

Filtering for the attacker's POST requests, I was able to determine that the username and password used were the following:

Form item: "username" = "admin"
Form item: "password" = "admin123!"


Question 9

We need to determine if the attacker gained further access or control of our web server. What’s the name of the malicious script uploaded by the attacker?

Answer 9

Using the upload function within the admin panel, the attacker uploaded a script called NVri2vhp.php to gain further and potentially persistent access.

Lab complete!
