WebStrike
Category: Network Forensics
Tactics: Initial Access, Execution, Persistence, Command and Control, Exfiltration
Tool: Wireshark
Scenario
A suspicious file was identified on a company web server, raising alarms within the intranet. The Development team flagged the anomaly, suspecting potential malicious activity. To address the issue, the network team captured critical network traffic and prepared a PCAP file for review. Your task is to analyze the provided PCAP file to uncover how the file appeared and determine the extent of any unauthorized activity.
Questions
Q1: Identifying the geographical origin of the attack helps in implementing geo-blocking measures and analyzing threat intelligence. From which city did the attack originate?
After starting the lab machine and opening the .pcap file, the Statistics view shows only two source IPs in the capture, and 117.11.88.124 apparently has more requests.

So, let's look it up using https://whatismyipaddress.com/ or any IP lookup tool.

Q2: Knowing the attacker's User-Agent assists in creating robust filtering rules. What's the attacker's Full User-Agent?
Follow the TCP or HTTP stream from any packet of the HTTP traffic for more details, including the attacker's User-Agent.

Q3: We need to determine if any vulnerabilities were exploited. What is the name of the malicious web shell that was successfully uploaded?
Filter for: ip.src == 117.11.88.124 && http.request.method == "POST"
to get all the POST requests from the attacker's IP.

Follow the HTTP stream for these two packets.

So, the answer is image.jpg.php, since we were looking for the web shell that was successfully uploaded.
Q4: Identifying the directory where uploaded files are stored is crucial for locating the vulnerable page and removing any malicious files. Which directory is used by the website to store the uploaded files?
Since we already know the name of the malicious file uploaded, we can filter by: http.request.uri contains "image.jpg.php"

We don't even need to open the packet itself: the directory is shown in the Info column.
Q5: Which port, opened on the attacker's machine, was targeted by the malicious web shell for establishing unauthorized outbound communication?
Using the same filter as in Q3, the HTTP stream of either of the two POST packets shows the port number targeted by the malicious shell.

Q6: Recognizing the significance of compromised data helps prioritize incident response actions. Which file was the attacker attempting to exfiltrate?
Filter with the compromised machine's IP as the source IP and the POST method.

Follow HTTP stream
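The same triage steps (Q3 to Q6) scripted over parsed HTTP requests, as an added example that is not part of the original writeup. Only the attacker IP and the web-shell name image.jpg.php come from the lab; the server address, paths, port value and request bodies below are constructed sample data, not the lab's answers.

```python
import re
from collections import namedtuple

# Constructed stand-ins for the HTTP requests that "Follow HTTP stream" shows in
# Wireshark. Only the attacker IP and the web-shell name image.jpg.php come from
# the writeup; the server IP, paths, port and bodies are sample data, not lab answers.
Req = namedtuple("Req", "src dst method uri body")
ATTACKER = "117.11.88.124"
SERVER = "10.0.0.5"  # constructed web server address

REQS = [
    Req(ATTACKER, SERVER, "GET", "/", ""),
    Req(ATTACKER, SERVER, "POST", "/upload.php",
        '--xx\r\nContent-Disposition: form-data; name="file"; filename="image.jpg.php"\r\n'
        'Content-Type: image/jpeg\r\n\r\n<?php $ip = "117.11.88.124"; $port = 4444; ?>\r\n--xx--'),
    Req(ATTACKER, SERVER, "GET", "/files/image.jpg.php", ""),
    Req(SERVER, ATTACKER, "POST", "/", "root:x:0:0:root:/root:/bin/bash (constructed sample)"),
]

def attacker_posts(reqs, attacker=ATTACKER):
    """Q3 filter: ip.src == attacker && http.request.method == "POST"."""
    return [r for r in reqs if r.src == attacker and r.method == "POST"]

def uploaded_filenames(reqs):
    """Filenames from multipart uploads, flagged when a .php extension hides behind another."""
    found = []
    for r in attacker_posts(reqs):
        for name in re.findall(r'filename="([^"]+)"', r.body):
            found.append((name, name.lower().endswith(".php") and name.count(".") > 1))
    return found

def upload_directory(reqs, shell_name):
    """Q4: the directory is the path of the first request whose URI contains the shell name."""
    for r in reqs:
        if shell_name in r.uri:
            return r.uri.rsplit("/", 1)[0] + "/"
    return None

def callback_port(reqs):
    """Q5: the outbound port hard-coded in the uploaded shell body ($port = N), for blocking."""
    for r in attacker_posts(reqs):
        m = re.search(r"\$port\s*=\s*(\d+)", r.body)
        if m:
            return int(m.group(1))
    return None

def server_outbound_posts(reqs, server=SERVER, attacker=ATTACKER):
    """Q6: POSTs from the web server to the attacker are the exfiltration channel."""
    return [r for r in reqs if r.src == server and r.dst == attacker and r.method == "POST"]
```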
