Webstrike Lab
CyberDefenders Network Forensics Lab
Scenario
A suspicious file was identified on a company web server, raising alarms within the intranet. The Development team flagged the anomaly, suspecting potential malicious activity. To address the issue, the network team captured critical network traffic and prepared a PCAP file for review. Your task is to analyze the provided PCAP file to uncover how the file appeared and determine the extent of any unauthorized activity.
Question 1
Identifying the geographical origin of the attack facilitates the implementation of geo-blocking measures and the analysis of threat intelligence. From which city did the attack originate?
Answer 1
Looking at the source and destinations IP addresses gives you the answer here. There are only 2 IP addresses in the PCAP log file, looking at the both of them and looking them up using a Geo Location website gives the answer, Tianjin.
Question 2
Knowing the attacker’s User-Agent assists in creating robust filtering rules. What’s the attacker’s Full User-Agent?
Answer 2
Looking at a GET request packet from the attackers IP address give a you a User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Question 3
We need to determine if any vulnerabilities were exploited. What is the name of the malicious web shell that was successfully uploaded?
Answer 3
Looking for suspicious file names was key here to finding, the target uploaded a file named: image.jpg.php. Which gave me the answer.
Question 4
Identifying the directory where uploaded files are stored is crucial for locating the vulnerable page and removing any malicious files. Which directory is used by the website to store the uploaded files?
Answer 4
Digging deeper into the previous packet that uploaded the malcious file, you can find the location inside the HTTP header. /reviews/uploads/
Question 5
Which port, opened on the attacker’s machine, was targeted by the malicious web shell for establishing unauthorized outbound communication?
Answer 5
After the file was uploaded it almost immediately started to communicate back via port 8080.
Question 6
Recognizing the significance of compromised data helps prioritize incident response actions. Which file was the attacker attempting to exfiltrate?
Answer 6
Using a simple filter in WireShark: http.request.method == “POST”, I can look for files that might be being exfiltrated.
Last updated