Blue Team Labs Online - Network Analysis (Web Shell)
This is my solution to the Blue Team Labs Online challenge Network Analysis - Web Shell.
Table of contents
- Blue Team Labs Online - Network Analysis (Web Shell)
- Table of contents
- Overview
- My process
- Acknowledgments
- Full Report Documentation
Overview
The challenge
The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.
My process
My Analysis
I used Wireshark to analyse the PCAP provided. The internal host 10.251.96.4 (active worker) was scanning another internal host, 10.251.96.5, which was running Apache/2.4.29 (Ubuntu) according to its HTTP Server header.
At 16:34:05 GMT on 07 Feb 2021, gobuster/3.0.1 (identified from the HTTP User-Agent header) was used to brute-force directories on the web server.
At 16:36:51 GMT on 07 Feb 2021, sqlmap/1.4.7 was run against the login page. sqlmap automates SQL injection testing, so this was an injection attack on the login form rather than a password brute force.
At 16:40:39 GMT on 07 Feb 2021, the attacker uploaded dbfunctions.php through the Editprofile.php upload form.
At 16:40:43 GMT on 07 Feb 2021, the attacker made an HTTP GET request to dbfunctions.php so the server would execute it; the response included the directory index of the uploaded files.
The attacker then ran the id and whoami commands through the web shell.
What I learned
I learnt that when investigating packet traffic you should:
- check which protocols are in use, to understand what kind of conversation took place
- identify the IPs with the most traffic, to work out who is suspicious and who is the victim
I also learnt that the attacker compromised the server through the Editprofile.php upload form, by uploading dbfunctions.php (a web shell). This can be prevented by restricting who is allowed to upload (least privilege), validating the type of uploaded files, and storing uploads where the web server will not execute them as PHP.
Continued development
I will continue taking on more challenges and practising until I reach a professional level.
Tools & Resources
- Wireshark
Acknowledgments
I wanted to sincerely thank you for volunteering your time to share your SOC analysis expertise with the public. Your training was exceptionally educative and provided practical skills that are immediately applicable.
I truly appreciate your generosity in providing such high-quality mentorship for free. This has added to my professional growth.
Full Report Documentation
Read the full report, or download it, from my my-soc-report GitHub account.