Scenario
Slingway Inc., a leading toy company, has recently noticed suspicious activity on its e-commerce web server and potential modifications to its database. To investigate the suspicious activity, they’ve hired you as a SOC Analyst to look into the web server logs and uncover any instances of malicious activity.
To aid in your investigation, you’ve received an Elastic Stack instance containing logs from the suspected attack. Below, you’ll find credentials to access the Kibana dashboard. Slingway's IT staff mentioned that the suspicious activity started on July 26, 2023.
By investigating and answering the questions below, we can create a timeline of events to lead the incident response activity. This will also allow us to present concise and confident findings that answer questions such as:
1
2
3
1. What vulnerabilities did the attacker exploit on the web server?
2. What user accounts were compromised?
3. What data was exfiltrated from the server?
Question and Answers section:
Set the time range first:
![]()
What was the attacker’s IP?
![]()
Answer:
1
10.0.2.15
- What was the first scanner that the attacker ran against the web server?
![]()
Answer:
1
NMAP Scripting Engine
- What was the
User Agentof the directory enumeration tool that the attacker used on the web server?![]()
Answer:
1
Gobuster is the only directory enumeration tool that seems to be used extensively.
In total, how many
requested resourceson the web server did the attacker fail to find?![]()
- Since we want to know the failed requests, we want the
404HTTP status code.
- Since we want to know the failed requests, we want the
Here's an example of an event entry:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
{
"_index": ".ds-filebeat-8.8.2-2023.07.26-000001",
"_id": "fh6YkokBFYsRLQlCtprK",
"_version": 1,
"_score": 0,
"_source": {
"@timestamp": "2023-07-26T14:27:08.138Z",
"input": {
"type": "log"
},
"agent": {
"name": "slingwayweb",
"type": "filebeat",
"version": "8.8.2",
"ephemeral_id": "ceecb9b4-2c4b-472b-96ca-e27ca9358fcb",
"id": "2e8f766e-fd18-4a7e-b709-f730de06b7b4"
},
"transaction": {
"remote_address": "10.0.2.15",
"remote_port": 43442,
"local_address": "10.0.2.4",
"local_port": 80,
"time": "26/Jul/2023:14:27:07 +0000",
"transaction_id": "ZMEtOztcHeWClKRTMN1f3AAAAAA"
},
"request": {
"request_line": "GET /.git/HEAD HTTP/1.1",
"headers": {
"User-Agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
"Connection": "close",
"Host": "slingway.thm"
}
},
"response": {
"protocol": "HTTP/1.1",
"status": 404, <-- Important Part
"headers": {
"Content-Length": "274",
"Connection": "close",
"Content-Type": "text/html; charset=iso-8859-1"
}
},
"audit_data": {},
"http": {
"version": "HTTP/1.1",
"method": "GET",
"url": "/.git/HEAD"
},
"message": "{\"transaction\":{\"time\":\"26/Jul/2023:14:27:07 +0000\",\"transaction_id\":\"ZMEtOztcHeWClKRTMN1f3AAAAAA\",\"remote_address\":\"10.0.2.15\",\"remote_port\":43442,\"local_address\":\"10.0.2.4\",\"local_port\":80},\"request\":{\"request_line\":\"GET /.git/HEAD HTTP/1.1\",\"headers\":{\"User-Agent\":\"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\",\"Connection\":\"close\",\"Host\":\"slingway.thm\"}},\"response\":{\"protocol\":\"HTTP/1.1\",\"status\":404,\"headers\":{\"Content-Length\":\"274\",\"Connection\":\"close\",\"Content-Type\":\"text/html; charset=iso-8859-1\"}},\"audit_data\":{}}",
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "slingwayweb"
},
"log": {
"offset": 16947,
"file": {
"path": "/var/log/apache2/modsec_audit.log"
}
}
},
"fields": {
"request.request_line": [
"GET /.git/HEAD HTTP/1.1"
],
"request.headers.User-Agent": [
"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
],
"transaction.local_port": [
80
],
"response.headers.Content-Type": [
"text/html; charset=iso-8859-1"
],
"response.headers.Connection": [
"close"
],
"http.url": [
"/.git/HEAD"
],
"request.headers.Connection": [
"close"
],
"transaction.local_address": [
"10.0.2.4"
],
"agent.type": [
"filebeat"
],
"response.headers.Content-Length": [
"274"
],
"agent.name": [
"slingwayweb"
],
"host.name": [
"slingwayweb"
],
"request.headers.Host": [
"slingway.thm"
],
"http.version": [
"HTTP/1.1"
],
"http.method": [
"GET"
],
"response.protocol": [
"HTTP/1.1"
],
"transaction.transaction_id": [
"ZMEtOztcHeWClKRTMN1f3AAAAAA"
],
"input.type": [
"log"
],
"log.offset": [
16947
],
"message": [
"{\"transaction\":{\"time\":\"26/Jul/2023:14:27:07 +0000\",\"transaction_id\":\"ZMEtOztcHeWClKRTMN1f3AAAAAA\",\"remote_address\":\"10.0.2.15\",\"remote_port\":43442,\"local_address\":\"10.0.2.4\",\"local_port\":80},\"request\":{\"request_line\":\"GET /.git/HEAD HTTP/1.1\",\"headers\":{\"User-Agent\":\"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\",\"Connection\":\"close\",\"Host\":\"slingway.thm\"}},\"response\":{\"protocol\":\"HTTP/1.1\",\"status\":404,\"headers\":{\"Content-Length\":\"274\",\"Connection\":\"close\",\"Content-Type\":\"text/html; charset=iso-8859-1\"}},\"audit_data\":{}}"
],
"agent.hostname": [
"slingwayweb"
],
"@timestamp": [
"2023-07-26T14:27:08.138Z"
],
"agent.id": [
"2e8f766e-fd18-4a7e-b709-f730de06b7b4"
],
"ecs.version": [
"8.0.0"
],
"transaction.remote_address": [
"10.0.2.15"
],
"log.file.path": [
"/var/log/apache2/modsec_audit.log"
],
"agent.ephemeral_id": [
"ceecb9b4-2c4b-472b-96ca-e27ca9358fcb"
],
"transaction.time": [
"26/Jul/2023:14:27:07 +0000"
],
"transaction.remote_port": [
43442
],
"agent.version": [
"8.8.2"
],
"response.status": [
404 <-- Important Part!
]
}
}
Answer:
1
1867
- What is the
flagunder the interesting directory the attacker found?
Filter:
1
2
3
transaction.remote_address: 10.0.2.15
response.status: 200
request.headers.User-Agent: Mozilla/5.0 (Gobuster)
Entries:
1
2
3
4
5
6
7
8
9
- /cart.php
- /about.php
- /
- /careers.php
- /contact.php
- /checkout.php
- /index.php
- /register.php
- /backups/?flag=a76637b62ea99acda12f5859313f539a
Answer;
1
a76637b62ea99acda12f5859313f539a
- What login page did the attacker discover using the
directory enumeration tool?Discover -> doesnt always mean attackers have access?
Directory attackers didn’t have access because it has been relocated: 
Webpage attacker didn’t have access completely but was discovered: 
Answer:
1
/admin-login.php
What was the user agent of the brute-force tool that the attacker used on the admin panel?
![]()
- Attacker used hydra to bruteforce the php site
Answer:
1
Mozilla/4.0 (Hydra)
- What
username:passwordcombination did the attacker use to gain access to the admin page?![]()
There are TWO event hits one for Hydra to check if the username:password combination is possible and one from Mozilla on Linux for actually logging in: 
Note: It says admin page: 
Full filter: 
Answer:
1
admin:thx1138
What flag was included in the file that the attacker
uploadedfrom theadmindirectory?![]()
- This is the file uploaded
-> How can I see the contents of the file uploaded by the attacker?
- From the
POSTrequest that the attacker made, you can see the contents but NOT the actual file uploaded. - Made a mistake of targeting the GET request shooting for the name of the file uploaded instead of the attacker’s action of uploading it to the web server with the POST request.
![]()
As you can see, there are THREE filters:
1
2
3
1) transaction.remote_address: 10.0.2.15
2) http.method : POST
3) message : "*THM{*"
Answer:
1
THM{ecb012e53a58818cbd17a924769ec447}
- What was the
first commandthe attacker ran on the web shell?1
whoami - What file location on the web server did the attacker extract database credentials from using Local File Inclusion?
![]()
Answer:
1
/etc/phpmyadmin/config-db.php
- What
directorydid the attacker use to access thedatabase manager?![]()
Answer:
1
/phpmyadmin
- What was the name of the database that the attacker exported?
![]()
Answer:
1
customer_credit_cards
- What flag does the attacker insert into the database?
Get the URIs for all possible mysql insert command: 
Use a URL Decoder: 
Find something that sticks out that doesn’t seem to be related to credit cards:
1
c6aa3215a7d519eeb40a660f3b76e64c
Further Actions
After completing the log investigation, you can present confident findings that an attacker compromised the web server and database. You managed to follow the timeline of events, allowing for a clearer understanding of the incident and actions performed.
In response to this incident, Slingway Inc. should address the identified vulnerabilities promptly to enhance the security of its web server. Furthermore, the company should take appropriate steps to notify affected customers about the data breach and implement proactive security measures to mitigate future attacks.
Your investigation’s comprehensive findings and actionable insights will enable Slingway Inc. to mitigate the damage caused by the compromised server, bolster its cyber security posture, and safeguard its customers’ trust. Well done!