HackYourLife

Slingshot

Introduction

Slingway Inc., a leading toy company, suspected malicious activity on its e-commerce web server and enlisted the help of a SOC Analyst to investigate. This writeup documents the steps taken to uncover the attack timeline, identify vulnerabilities exploited, and reveal the attacker's actions.

Challenge Overview

  • Scenario: Investigation of suspicious activity on Slingway Inc.'s web server.

  • Date of Activity: July 26, 2023.

  • Objective: Determine vulnerabilities exploited, compromised user accounts, and exfiltrated data.

Getting Started

  • Navigate to the URL of the Elastic Stack instance and log in using the provided credentials.

  • Once logged in, go to the "Discover" tab in Kibana.

  • Adjust the timestamp range to cover the period from July 26, 2023, to the present.

  • Notice the total hits, which represent the log entries within the specified timeframe.

Question 1: What was the attacker's IP?

  • Filter the logs by selecting response.status: 404. Scanners and directory brute-forcers request large numbers of paths that do not exist, so the bulk of the 404 responses points straight back at the attacker.

  • Look at the top values of the source IP field for those hits to identify the attacker's IP address.

Answer 1

10.0.2.15

Question 2: What was the first scanner that the attacker ran against the web server?

  • Analyze the requests from that IP in time order to separate scanning and enumeration activity from normal browsing; the earliest burst of failures is the first scanner.

  • Identify the tool from the request.headers.User-Agent field. The Nmap Scripting Engine announces itself in its default User-Agent string, so an unmodified NSE scan is trivial to attribute.

Answer 2

nmap scripting engine

Question 3: What was the User Agent of the directory enumeration tool that the attacker used on the web server?

Question 4: In total, how many requested resources on the web server did the attacker fail to find?

  • Identify the next tool by filtering on request.headers.User-Agent: "Mozilla/5.0 (Gobuster)". Like Nmap, Gobuster sends its own name in its default User-Agent unless the operator overrides it.

  • Keep that User-Agent filter and add response.status: 404; the hit count for the combined filter is the number of requested resources the attacker failed to find.

Answer 3

Mozilla/5.0 (Gobuster)

Answer 4

1867

Question 5: What is the flag under the interesting directory the attacker found?

  • Keep the Gobuster User-Agent filter and switch the status filter to response.status: 200 to see the directories the tool actually found.

  • Only a handful of requests succeed compared with the 1867 misses, so the list is short enough to review by hand.

  • Identify the suspicious directory and look at the requests made to it; the flag is there.

Answer 5

a76637b62ea99acda12f5859313f539a
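The triage in Questions 1 to 5 (attacker IP from 404 volume, scanners in order of first appearance, misses per tool, hits per tool) can be scripted once the documents are exported from Kibana. The following is an added example, not the writeup's own code and not the room's data: the log documents are constructed to resemble the Elastic records, using the response.status, request.headers.User-Agent and request.uri fields from the page; the source-IP field name transaction.remote_address and the @timestamp field are assumptions.

```python
"""Scanner triage over web-server access logs (added example, constructed data)."""
from collections import Counter

SRC_IP = "transaction.remote_address"   # assumed field name
UA = "request.headers.User-Agent"
STATUS = "response.status"
URI = "request.uri"
TS = "@timestamp"                        # assumed field name

# Default User-Agent strings of the two tools seen in the room.
NMAP_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
GOBUSTER_UA = "Mozilla/5.0 (Gobuster)"


def rec(ts, ip, ua, uri, status):
    """Build one constructed log document in the nested shape Kibana shows."""
    return {
        TS: ts,
        "transaction": {"remote_address": ip},
        "request": {"uri": uri, "headers": {"User-Agent": ua}},
        "response": {"status": status},
    }


# Constructed sample traffic: a normal shopper, then an Nmap NSE probe,
# then a Gobuster directory brute-force from the same attacker address.
LOGS = [
    rec("2023-07-26T13:58:10Z", "192.168.56.20", "Mozilla/5.0 (Windows NT 10.0)", "/", 200),
    rec("2023-07-26T13:58:12Z", "192.168.56.20", "Mozilla/5.0 (Windows NT 10.0)", "/favicon.ico", 404),
    rec("2023-07-26T14:00:01Z", "10.0.2.15", NMAP_UA, "/", 200),
    rec("2023-07-26T14:00:02Z", "10.0.2.15", NMAP_UA, "/robots.txt", 404),
    rec("2023-07-26T14:05:00Z", "10.0.2.15", GOBUSTER_UA, "/images", 404),
    rec("2023-07-26T14:05:00Z", "10.0.2.15", GOBUSTER_UA, "/backup", 404),
    rec("2023-07-26T14:05:01Z", "10.0.2.15", GOBUSTER_UA, "/admin", 404),
    rec("2023-07-26T14:05:01Z", "10.0.2.15", GOBUSTER_UA, "/uploads", 200),
]


def get(doc, dotted):
    """Read a dotted Kibana-style field path from a nested dict (None if absent)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def top_404_sources(logs):
    """Question 1: the address producing the most 404s is the likely scanner."""
    return Counter(get(d, SRC_IP) for d in logs if get(d, STATUS) == 404)


def user_agents_in_order(logs, ip):
    """Questions 2/3: every User-Agent the address used, ordered by first sighting."""
    first_seen = {}
    for d in sorted(logs, key=lambda d: get(d, TS)):
        if get(d, SRC_IP) == ip:
            first_seen.setdefault(get(d, UA), get(d, TS))
    return sorted(first_seen.items(), key=lambda kv: kv[1])


def not_found_count(logs, ip, ua):
    """Question 4: number of resources the tool requested and did not find."""
    return sum(1 for d in logs
               if get(d, SRC_IP) == ip and get(d, UA) == ua and get(d, STATUS) == 404)


def found_resources(logs, ip, ua):
    """Question 5: resources the tool did find (status 200); review these by hand."""
    return sorted({get(d, URI) for d in logs
                   if get(d, SRC_IP) == ip and get(d, UA) == ua and get(d, STATUS) == 200})


if __name__ == "__main__":
    attacker, hits = top_404_sources(LOGS).most_common(1)[0]
    print(f"attacker {attacker} ({hits} x 404)")
    for ua, ts in user_agents_in_order(LOGS, attacker):
        print(f"{ts}  {ua}")
    print("gobuster 404s:", not_found_count(LOGS, attacker, GOBUSTER_UA))
    print("gobuster found:", found_resources(LOGS, attacker, GOBUSTER_UA))
```

The ordering step matters more than it looks: the question asks for the first scanner, and a Counter of User-Agents would rank Gobuster first simply because it makes far more requests. Sorting by timestamp and keeping the first sighting of each User-Agent gives the answer the room expects.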

Question 6: What login page did the attacker discover using the directory enumeration tool?

  • Search for the keyword 'login' to identify the login page accessed by the attacker. 

Answer 6

/admin-login.php

Question 7: What was the user agent of the brute-force tool that the attacker used on the admin panel?

Question 8: What username:password combination did the attacker use to gain access to the admin page?

  • Use the filter request.headers.User-Agent: "Mozilla/4.0 (Hydra)". As with the earlier tools, Hydra's default User-Agent names the tool.

  • Further filter the logs with response.status: 200 to see which login attempts were successful; failed Basic-auth attempts come back as 401.

  • If the credentials are not in clear text (an HTTP Basic Authorization header carries base64 of username:password), decode them with a tool such as CyberChef.

Answer 7

Mozilla/4.0 (Hydra)

Answer 8

admin:thx1138
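Decoding the credentials from Questions 7 and 8, as an added example that is not part of the original writeup: a Python script that picks out the Hydra requests from constructed log documents, decodes the Basic Authorization header on each, and reports which attempts the server accepted. The request.headers.User-Agent and response.status fields come from the page; the assumption that the panel used HTTP Basic authentication, the Authorization header field and the sample values are mine.

```python
"""Brute-force attempt review and Basic-auth decoding (added example, constructed data)."""
import base64
import binascii

HYDRA_UA = "Mozilla/4.0 (Hydra)"   # THC Hydra's default http User-Agent


def attempt(ts, auth, status):
    """One constructed login attempt against /admin-login.php."""
    return {
        "@timestamp": ts,
        "request": {"uri": "/admin-login.php",
                    "headers": {"User-Agent": HYDRA_UA, "Authorization": auth}},
        "response": {"status": status},
    }


# Constructed sample: a short Hydra run, including two records that a naive
# decoder would choke on (bad base64, non-Basic scheme).
LOGS = [
    attempt("2023-07-26T14:20:00Z", "Basic YWRtaW46YWRtaW4=", 401),      # admin:admin
    attempt("2023-07-26T14:20:00Z", "Basic YWRtaW46cGFzc3dvcmQ=", 401),  # admin:password
    attempt("2023-07-26T14:20:01Z", "Basic !!notbase64!!", 401),        # malformed
    attempt("2023-07-26T14:20:01Z", "Bearer abc.def.ghi", 401),          # not Basic
    attempt("2023-07-26T14:20:02Z", "Basic YWRtaW46dGh4MTEzOA==", 200),  # admin:thx1138
]


def get(doc, dotted):
    """Read a dotted Kibana-style field path from a nested dict (None if absent)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def decode_basic(header):
    """Return 'user:password' from a Basic Authorization header, else None.

    None covers a missing header, another scheme, invalid base64, and a
    payload with no ':' separator, so the caller never has to catch anything.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True)
    except (binascii.Error, ValueError):
        return None
    creds = raw.decode("utf-8", errors="replace")
    return creds if ":" in creds else None


def brute_force_attempts(logs, ua=HYDRA_UA):
    """Question 7: every request from the brute-force tool as (time, status, creds)."""
    out = []
    for d in logs:
        if get(d, "request.headers.User-Agent") != ua:
            continue
        out.append((get(d, "@timestamp"), get(d, "response.status"),
                    decode_basic(get(d, "request.headers.Authorization"))))
    return out


def successful_logins(logs, ua=HYDRA_UA, success_codes=(200,)):
    """Question 8: credentials the server accepted.

    200 is right for this panel; check what the application returns on a
    real success before trusting the status code alone (some redirect with 302).
    """
    return [creds for _, status, creds in brute_force_attempts(logs, ua)
            if status in success_codes and creds]


if __name__ == "__main__":
    for ts, status, creds in brute_force_attempts(LOGS):
        print(ts, status, creds)
    print("accepted:", successful_logins(LOGS))
```

Filtering on the User-Agent before decoding keeps the legitimate administrator's own logins out of the result set; in a real incident you would also diff the accepted credentials against the password policy, since a seven-character lowercase-plus-digits password falling to an online brute force is itself a finding.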

Question 9: What flag was included in the file that the attacker uploaded from the admin directory?

  • Filter logs with http.method: POST to focus on HTTP POST requests; a file upload through the admin panel arrives as a POST with the file contents in the request body.

  • Search those requests for the keyword "THM" to find the flag in the uploaded file.

  • Examine the request body of the matching POST to read the uploaded file's contents.

Answer 9

THM{ecb012e53a58818cbd17a924769ec447}

Question 10: What was the first command the attacker ran on the web shell?

  • Search for the web shell filename, in this case easy-simple-php-webshell.php, to find every request made to it.

  • Examine the commands in those requests. They are passed as a request parameter and URL-encoded (for example %20 for a space), so decode them and read them in timestamp order; the earliest is the first command.

Answer 10

whoami

Question 11: What file location on the web server did the attacker extract database credentials from using Local File Inclusion?

Question 12: What directory did the attacker use to access the database manager?

  • Narrow the timestamp range to start at July 26, 2023, 14:30, after the web shell was in place, so that only post-compromise activity remains.

  • Search for the keyword 'admin'. For the LFI, look for request parameters carrying path traversal sequences (../) or absolute paths under /etc/; for the database manager, note which directory under the web root the 'admin' hits are going to.

Answer 11

/etc/phpmyadmin/config-db.php

Answer 12

/phpmyadmin

Question 13: What was the name of the database that the attacker exported?

  • Search for the keyword 'db' to identify logs related to database interactions; phpMyAdmin passes the selected database as a db parameter.

  • Analyze the export request among those hits: it names the database the attacker dumped.

Answer 13

customer_credit_cards

Question 14: What flag does the attacker insert into the database?

  • Search for the keyword 'insert' to find SQL INSERT statements submitted through phpMyAdmin.

  • The statement is URL-encoded in the request, so decode it to read the inserted value, which is the flag.

Answer 14

c6aa3215a7d519eeb40a660f3b76e64c
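Questions 10 to 14 all come down to decoding request parameters after the compromise. The script below is an added example, not the writeup's code and not the room's data: it walks a handful of constructed requests, URL-decodes them, and pulls out the web-shell commands in order, the file reached through LFI, and the phpMyAdmin export and INSERT activity. The web shell filename, the /phpmyadmin directory and the config-db.php location come from the page; the parameter names (cmd for the shell, page/file/include for the LFI), the request.body field, the http.method field and the phpMyAdmin form parameters (db, sql_query) are assumptions about how those requests look.

```python
"""Post-exploitation timeline from request parameters (added example, constructed data)."""
import re
from urllib.parse import parse_qs, urlsplit

WEBSHELL = "easy-simple-php-webshell.php"
SHELL_PARAM = "cmd"                         # assumed parameter name
LFI_PARAMS = ("page", "file", "include")    # assumed candidate parameter names


def req(ts, method, uri, body=""):
    """One constructed request document; request.body holds POST form data."""
    return {"@timestamp": ts, "http": {"method": method},
            "request": {"uri": uri, "body": body}}


LOGS = [
    req("2023-07-26T14:31:00Z", "GET", f"/uploads/{WEBSHELL}?cmd=whoami"),
    req("2023-07-26T14:31:05Z", "GET", f"/uploads/{WEBSHELL}?cmd=ls%20-la%20%2Fvar%2Fwww"),
    req("2023-07-26T14:32:00Z", "GET", "/index.php?page=../../../../etc/phpmyadmin/config-db.php"),
    req("2023-07-26T14:35:00Z", "GET", "/phpmyadmin/"),
    req("2023-07-26T14:36:00Z", "POST", "/phpmyadmin/export.php",
        "db=customer_credit_cards&export_type=database&what=sql"),
    req("2023-07-26T14:37:00Z", "POST", "/phpmyadmin/import.php",
        "db=customer_credit_cards&sql_query=INSERT+INTO+notes+VALUES+%28%27THM%7Bconstructed%7D%27%29"),
]


def params(doc):
    """Return (path, parameters) with query-string and form-body values merged and decoded."""
    parts = urlsplit(doc["request"]["uri"])
    merged = parse_qs(parts.query)
    for k, v in parse_qs(doc["request"].get("body") or "").items():
        merged.setdefault(k, []).extend(v)
    return parts.path, merged


def webshell_commands(logs):
    """Question 10: commands sent to the web shell, decoded, in time order."""
    out = []
    for d in sorted(logs, key=lambda d: d["@timestamp"]):
        path, p = params(d)
        if path.endswith("/" + WEBSHELL) and SHELL_PARAM in p:
            out.extend(p[SHELL_PARAM])
    return out


def lfi_targets(logs):
    """Question 11: parameter values that traverse out of the web root.

    Leading ../ runs are collapsed to a single / so the target file reads as
    the absolute path the question asks for.
    """
    found = []
    for d in logs:
        _, p = params(d)
        for name in LFI_PARAMS:
            for v in p.get(name, []):
                if "../" in v or v.startswith("/"):
                    found.append(re.sub(r"^(\.\./)+", "/", v))
    return found


def database_activity(logs):
    """Questions 12-14: (database manager directories, exported databases, INSERTs)."""
    dirs, exports, inserts = set(), [], []
    for d in logs:
        path, p = params(d)
        if not path.startswith("/phpmyadmin"):
            continue
        dirs.add("/phpmyadmin")
        if path.endswith("/export.php"):
            exports.extend(p.get("db", []))
        for sql in p.get("sql_query", []):
            m = re.search(r"INSERT\s+INTO\s+(\w+).*?VALUES\s*\((.*)\)", sql, re.I | re.S)
            if m:
                inserts.append((m.group(1), m.group(2)))
    return sorted(dirs), exports, inserts


if __name__ == "__main__":
    print("shell commands:", webshell_commands(LOGS))
    print("LFI targets:", lfi_targets(LOGS))
    dirs, exports, inserts = database_activity(LOGS)
    print("db manager:", dirs, "exported:", exports, "inserted:", inserts)
```

Merging query-string and body parameters before matching is deliberate: the same phpMyAdmin request can carry db in the URL and sql_query in the form body, and a web shell may accept its command either way. The traversal normalisation is only cosmetic for reporting; for detection purposes the presence of ../ in any parameter value is the signal.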

Congratulations on successfully completing the challenge! Remember, each challenge is an opportunity to enhance your expertise and contribute to a safer digital environment. Keep up the great work, and may you continue to excel in your cybersecurity journey! 


Email: hacky0urlife@proton.me

PGP Key for Email Communication
