Slingshot

Slingway Inc., a leading toy company, has recently noticed suspicious activity on its e-commerce web server and potential modifications to its database. To investigate the suspicious activity, they've hired you as a SOC Analyst to look into the web server logs and uncover any instances of malicious activity.

To aid in your investigation, you've received an Elastic Stack instance containing logs from the suspected attack. Below, you'll find credentials to access the Kibana dashboard. Slingway's IT staff mentioned that the suspicious activity started on July 26, 2023.

By investigating and answering the questions below, we can create a timeline of events to lead the incident response activity. This will also allow us to present concise and confident findings that answer questions such as:

  • What vulnerabilities did the attacker exploit on the web server?

  • What user accounts were compromised?

  • What data was exfiltrated from the server?

1) What was the attacker's IP?

Answer: 10.0.2.15

2) What was the first scanner that the attacker ran against the web server?

I filtered by the attacker's IP address and added request.headers.User-Agent as a column, then sorted by timestamp from oldest to newest so the earliest tool shows up first.

Answer: Nmap Scripting Engine

3) What was the User Agent of the directory enumeration tool that the attacker used on the web server?

Let’s filter by the attacker’s IP address and status code 404. Since it’s an enumeration tool, there will likely be a high number of 404 status codes.

Answer: Mozilla/5.0 (Gobuster)

4) In total, how many requested resources on the web server did the attacker fail to find?

Answer: 1867

5) What is the flag under the interesting directory the attacker found?

I filtered by the attacker’s IP address, status code 200, and the user agent of the enumeration tool.

Answer: a76637b62ea99acda12f5859313f539a

6) What login page did the attacker discover using the directory enumeration tool?

I filtered by the attacker's IP address and the user agent of the enumeration tool, excluding status code 404 so only resources that actually exist remain.

Answer: /admin-login.php

7) What was the user agent of the brute-force tool that the attacker used on the admin panel?

Answer: Mozilla/4.0 (Hydra)
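The filters used for questions 2 to 7 above (attacker IP, user agent, status code, sort by timestamp, count 404s, most frequent POSTer to the login page) as plain code over Elastic-style documents. This is an added example, not part of the original write-up or the room's data: the log documents are constructed, and every field name except request.headers.User-Agent is an assumption about how the room indexes its logs.

```python
"""Triage of the scanner, enumeration and brute-force phases over
Elastic-style documents (added example, constructed data)."""
from collections import Counter

# Constructed sample documents. Field names (@timestamp, source.ip,
# request.method, request.path, response.status) are assumptions; only
# request.headers.User-Agent is named in the write-up.
NMAP = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
GOBUSTER = "Mozilla/5.0 (Gobuster)"
HYDRA = "Mozilla/4.0 (Hydra)"
BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Firefox/115.0"
ATTACKER_IP = "10.0.2.15"


def doc(ts, ip, method, path, status, agent):
    return {"@timestamp": ts, "source.ip": ip, "request.method": method,
            "request.path": path, "response.status": status,
            "request.headers.User-Agent": agent}


# Deliberately newest-first, as Kibana Discover shows them by default.
LOGS = [
    doc("2023-07-26T10:20:01Z", ATTACKER_IP, "POST", "/admin-login.php", 302, HYDRA),
    doc("2023-07-26T10:20:00Z", ATTACKER_IP, "POST", "/admin-login.php", 401, HYDRA),
    doc("2023-07-26T10:20:00Z", ATTACKER_IP, "POST", "/admin-login.php", 401, HYDRA),
    doc("2023-07-26T10:05:12Z", ATTACKER_IP, "GET", "/admin-login.php", 200, GOBUSTER),
    doc("2023-07-26T10:05:11Z", ATTACKER_IP, "GET", "/uploads", 404, GOBUSTER),
    doc("2023-07-26T10:05:10Z", ATTACKER_IP, "GET", "/backups/", 200, GOBUSTER),
    doc("2023-07-26T10:05:10Z", ATTACKER_IP, "GET", "/images", 404, GOBUSTER),
    doc("2023-07-26T10:01:03Z", ATTACKER_IP, "GET", "/robots.txt", 404, NMAP),
    doc("2023-07-26T10:01:02Z", ATTACKER_IP, "GET", "/", 200, NMAP),
    doc("2023-07-26T10:00:05Z", "10.0.2.4", "GET", "/", 200, BROWSER),  # unrelated customer
]


def by_ip(records, ip):
    # KQL equivalent (assumed field): source.ip:"10.0.2.15"
    return [r for r in records if r["source.ip"] == ip]


def first_user_agent(records, ip):
    """Q2: User-Agent of the earliest attacker request (sort oldest first)."""
    hits = sorted(by_ip(records, ip), key=lambda r: r["@timestamp"])
    return hits[0]["request.headers.User-Agent"] if hits else None


def top_agent_by_status(records, ip, status):
    """Q3: User-Agent responsible for the most responses with this status."""
    # KQL equivalent (assumed fields): source.ip:"10.0.2.15" and response.status:404
    counts = Counter(r["request.headers.User-Agent"]
                     for r in by_ip(records, ip) if r["response.status"] == status)
    return counts.most_common(1)[0][0] if counts else None


def count_not_found(records, ip):
    """Q4: number of attacker requests that returned 404."""
    return sum(1 for r in by_ip(records, ip) if r["response.status"] == 404)


def enumeration_hits(records, ip, agent):
    """Q5/Q6: paths the enumeration tool found, i.e. anything other than 404."""
    return sorted({r["request.path"] for r in by_ip(records, ip)
                   if r["request.headers.User-Agent"] == agent
                   and r["response.status"] != 404})


def brute_force_agent(records, ip, login_path):
    """Q7: User-Agent that POSTed most often to the login page."""
    counts = Counter(r["request.headers.User-Agent"] for r in by_ip(records, ip)
                     if r["request.path"] == login_path and r["request.method"] == "POST")
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    print("first scanner:", first_user_agent(LOGS, ATTACKER_IP))
    print("enumeration UA:", top_agent_by_status(LOGS, ATTACKER_IP, 404))
    print("404 count:", count_not_found(LOGS, ATTACKER_IP))
    print("found:", enumeration_hits(LOGS, ATTACKER_IP, GOBUSTER))
    print("brute-force UA:", brute_force_agent(LOGS, ATTACKER_IP, "/admin-login.php"))
```

Note that the 404 count from question 4 only means something once the IP filter is applied; counting 404s across all clients would also pick up ordinary broken links from customers, which is why by_ip runs before every other filter here.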

8) What flag was included in the file that the attacker uploaded from the admin directory?

I filtered by the admin directory, which returned several endpoints, then followed the upload endpoint's response and read its message field.

Answer: THM{ecb012e53a58818cbd17a924769ec447}

9) What was the first command the attacker ran on the web shell?

The previous result shows the name of the uploaded file, so the next filter is on that filename; the commands passed to it then appear in the request parameters, oldest first.

Answer: whoami

10) What file location on the web server did the attacker extract database credentials from using Local File Inclusion?

Answer: /etc/phpmyadmin/config-db.php

11) What directory did the attacker use to access the database manager?

Answer: /phpmyadmin

12) What was the name of the database that the attacker exported?

I narrowed the results by filtering for files within the phpmyadmin directory and excluding anything with a .png extension, which left a request to export.php carrying the database name.

Answer: customer_credit_cards

13) What flag does the attacker insert into the database?

Answer: c6aa3215a7d519eeb40a660f3b76e64c
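Questions 9 to 13 all come down to pulling parameters out of the attacker's requests: the command sent to the web shell, the path included through LFI, and the database name and SQL statement submitted to phpMyAdmin. The following is an added example, not part of the original write-up: the documents are constructed, the shell filename /uploads/shell.php, the LFI parameter name page, the url.original and request.body fields and the phpMyAdmin form fields db and sql_query are all assumptions for this illustration, and the flag in the SQL statement is a placeholder.

```python
"""Follow-on triage: web shell commands, LFI targets and phpMyAdmin
activity parsed out of request parameters (added example, constructed data)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed documents from the attacker IP only. Field names, the shell
# path, the LFI parameter and the phpMyAdmin form fields are assumptions.
def doc(ts, method, url, status, body=""):
    return {"@timestamp": ts, "request.method": method, "url.original": url,
            "response.status": status, "request.body": body}


LOGS = [
    doc("2023-07-26T11:02:00Z", "GET", "/uploads/shell.php?cmd=id", 200),
    doc("2023-07-26T11:01:30Z", "GET", "/uploads/shell.php?cmd=whoami", 200),
    doc("2023-07-26T11:03:00Z", "GET", "/uploads/shell.php?cmd=cat+/etc/passwd", 200),
    doc("2023-07-26T11:10:00Z", "GET",
        "/index.php?page=../../../../etc/phpmyadmin/config-db.php", 200),
    doc("2023-07-26T11:15:00Z", "GET", "/phpmyadmin/", 200),
    doc("2023-07-26T11:16:00Z", "POST", "/phpmyadmin/export.php", 200,
        body="db=customer_credit_cards&export_type=database&what=sql"),
    doc("2023-07-26T11:18:00Z", "POST", "/phpmyadmin/import.php", 200,
        body="db=customer_credit_cards&sql_query=INSERT+INTO+flags+VALUES+%28%27THM%7Bexample%7D%27%29"),
]


def params(rec):
    """Return (path, merged query-string and form-body parameters) for one document.
    parse_qs handles both + and %xx decoding, so 'cat+/etc/passwd' comes back as a command."""
    parts = urlsplit(rec["url.original"])
    merged = parse_qs(parts.query)
    merged.update(parse_qs(rec.get("request.body", "")))
    return parts.path, merged


def webshell_commands(records, shell_path, param="cmd"):
    """Q9: commands sent to the uploaded shell, oldest first."""
    out = []
    for rec in sorted(records, key=lambda r: r["@timestamp"]):
        path, p = params(rec)
        if path == shell_path and param in p:
            out.extend(p[param])
    return out


TRAVERSAL = re.compile(r"^(?:\.\./)+")
SENSITIVE = ("/etc/", "/proc/", "/var/")


def lfi_targets(records):
    """Q10: files the attacker tried to include, with the ../ prefix collapsed.
    Any parameter value is checked, so the vulnerable parameter need not be known."""
    found = []
    for rec in records:
        _, p = params(rec)
        for values in p.values():
            for v in values:
                if TRAVERSAL.match(v) or v.startswith(SENSITIVE):
                    found.append(TRAVERSAL.sub("/", v))
    return found


def phpmyadmin_exports(records, base="/phpmyadmin"):
    """Q11/Q12: database names submitted to the export endpoint."""
    names = []
    for rec in records:
        path, p = params(rec)
        if path == base + "/export.php":
            names.extend(p.get("db", []))
    return names


def sql_statements(records, base="/phpmyadmin"):
    """Q13: raw SQL submitted through the phpMyAdmin SQL tab."""
    stmts = []
    for rec in records:
        path, p = params(rec)
        if path == base + "/import.php":
            stmts.extend(p.get("sql_query", []))
    return stmts


if __name__ == "__main__":
    print("shell commands:", webshell_commands(LOGS, "/uploads/shell.php"))
    print("LFI targets:", lfi_targets(LOGS))
    print("exported DBs:", phpmyadmin_exports(LOGS))
    print("SQL:", sql_statements(LOGS))
```

Two caveats a real investigation hits: the exported database name and the INSERT only appear in the logs if the server records POST bodies (most default access-log formats do not, so the room's dataset is unusually generous), and lfi_targets only collapses plain ../ sequences; double-encoded or ....// style traversal would need the value decoded again before the regex runs.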
