Introduction

This post is a cybersecurity investigation tutorial focusing on analyzing a security alert related to a web exploitation attempt on a Checkpoint Security Gateway. This is part of Let’s Defend SOC287 Case, aimed at guiding viewers through real-world cybersecurity incident response scenarios.

Introduction to the Case (LetsDefend SOC287)

  • The alert was triggered by a rule detecting a possible web exploitation attempt.
  • Specifically, it involved an arbitrary file read vulnerability in the Checkpoint Security Gateway, associated with CVE-2024-24918.
  • Checkpoint Security Gateway serves as a next-generation firewall for corporate networks.

Attack Analysis

  • The attacker sent a POST request aiming to exploit the vulnerability.
  • The URL in the request contained directory traversal (../) patterns, targeting the sensitive /etc/passwd file.
  • The system detected this attempt due to recognizable exploitation patterns.

Vulnerability Details

  • This vulnerability could allow attackers to read system files on the security gateway when it’s connected to the internet with Remote Access VPN or Mobile Access enabled.
  • A security patch is available, which underlines the importance of keeping the gateway firmware updated.

Proof of Concept (PoC)

  • An active proof-of-concept exploit for this vulnerability exists on GitHub, demonstrating how attackers can execute the exploit.

Log Analysis

  • Investigation into logs revealed two POST requests from the attacker:
    • The first successfully accessed the /etc/passwd file (response code 200).
    • The second attempt to access /etc/shadow was blocked (403 Forbidden response).
  • The attacker used Local File Inclusion (LFI) and Directory Traversal techniques.

Investigation Steps

  • Ownership of the case was taken, and a Playbook was initiated to guide the investigation.
  • Log management tools were used to search for the attacker’s IP and assess network traffic.
  • No evidence was found suggesting this was a planned penetration test.
  • Threat intelligence tools like VirusTotal and ANY.RUN were used to assess the attacker’s IP.

Attack Direction & Outcome

  • The traffic originated from the internet to the company network (external to internal).
  • The attack was partially successful, as the attacker accessed sensitive files.
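The checks described under Attack Analysis, Log Analysis and Attack Direction above can be scripted for triage. The following Python example is added here and is not code from the LetsDefend case or from Checkpoint; the log format, the attacker address 203.0.113.45, the endpoint path and the function names are assumptions, while the /etc/passwd and /etc/shadow targets and the 200/403 outcomes mirror the case. It URL-decodes each request path (twice, to catch double encoding), flags directory traversal and sensitive-file targets, records whether the server answered 200, classifies the source as internal or external using the RFC 1918 ranges, and gives a verdict that matches the "partially successful" outcome.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines, not taken from the case logs.
# Assumed format: "<client_ip> <method> <request_path> <status>".
SAMPLE_LOG = """\
203.0.113.45 POST /app/endpoint/../../../../etc/passwd 200
203.0.113.45 POST /app/endpoint/..%2F..%2F..%2F..%2Fetc%2Fshadow 403
10.0.0.7 GET /index.html 200
198.51.100.9 GET /static/logo.png 200
"""

# RFC 1918 ranges decide whether a source sits inside the corporate network;
# anything else is treated as coming from the internet (external to internal).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Files an arbitrary-file-read / LFI attempt typically goes after.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")

TRAVERSAL = re.compile(r"\.\.[/\\]")          # "../" or "..\" after decoding
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def normalize_path(raw):
    """URL-decode twice (catches %252e-style double encoding) and unify slashes."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def direction(ip):
    """'internal' for RFC 1918 sources, 'external' for everything else."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def analyze_line(line):
    """Parse one log line and annotate it with the traversal/LFI indicators."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ip, method, raw_path, status = m.groups()
    path = normalize_path(raw_path)
    target = next((f for f in SENSITIVE_FILES if path.endswith(f)), None)
    traversal = bool(TRAVERSAL.search(path))
    return {
        "ip": ip, "method": method, "path": path, "status": int(status),
        "traversal": traversal, "target": target,
        # A 200 on a traversal request means the file read most likely worked.
        "succeeded": traversal and int(status) == 200,
        "direction": direction(ip),
    }


def triage(log_text):
    """Return only the lines that show traversal or a sensitive-file target."""
    findings = []
    for line in log_text.splitlines():
        r = analyze_line(line)
        if r and (r["traversal"] or r["target"]):
            findings.append(r)
    return findings


def verdict(findings):
    """Summarize the outcome the way the case writeup does."""
    if not findings:
        return "no findings"
    hits = sum(1 for f in findings if f["succeeded"])
    if hits == len(findings):
        return "successful"
    if hits:
        return "partially successful"
    return "blocked"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} ({f['direction']}) {f['method']} {f['path']} "
              f"-> {f['status']} target={f['target']} succeeded={f['succeeded']}")
    print("verdict:", verdict(found))
```

Running it on the constructed lines reports the /etc/passwd read as succeeded (200), the /etc/shadow read as blocked (403), both from an external source, and a verdict of "partially successful". In a real SOC the same logic would be run over the gateway's access logs and the source address passed on to the threat-intelligence lookups mentioned in the Investigation Steps.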

Containment & Response

  • Steps were initiated to contain the incident by isolating affected endpoints and applying security patches.
  • Emphasis was placed on keeping systems updated and monitoring for similar threats.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.