We covered investigating a cyber incident scenario ,where PhpMyAdmin database was hacked along with its e-commerce website, using the elastic stack (logstash, Kibana and elastic search) and KQL queries. We uncovered the scanner the attacker used to fingerprint the database, the directory enumeration tool and the credential brute-force tool used to gain access to the admin panel of the website. This was part of TryHackMe Slingshot room.
TryHackMe Slingshot Challenge Description
Slingway Inc., a leading toy company, has recently noticed suspicious activity on its e-commerce web server and potential modifications to its database. To investigate the suspicious activity, they’ve hired you as a SOC Analyst to look into the web server logs and uncover any instances of malicious activity.
To aid in your investigation, you’ve received an Elastic Stack instance containing logs from the suspected attack. Below, you’ll find credentials to access the Kibana dashboard. Slingway’s IT staff mentioned that the suspicious activity started on July 26, 2023.
By investigating and answering the questions below, we can create a timeline of events to lead the incident response activity. This will also allow us to present concise and confident findings that answer questions such as:
- What vulnerabilities did the attacker exploit on the web server?
- What user accounts were compromised?
- What data was exfiltrated from the server?
Höhepunkte
Was ist Elastic Stack?
Elastic Stack ist eine Sammlung verschiedener, miteinander verknüpfter Open-Source-Komponenten, die es Benutzern ermöglichen, Daten aus beliebigen Quellen und in beliebigen Formaten zu erfassen und in Echtzeit zu suchen, zu analysieren und zu visualisieren.
Elastische Suche
Elasticsearch ist eine Volltextsuch- und Analyse-Engine zum Speichern von Dokumenten im JSON-Format. Elasticsearch ist eine wichtige Komponente zum Speichern, Analysieren, Korrelieren von Daten usw.
Es basiert auf Apache Lucene und bietet eine skalierbare Lösung für Volltextsuche, strukturierte Abfragen und Datenanalyse.
Elasticsearch unterstützt RESTFul API zur Interaktion mit den Daten.
Protokoll-Vorrat
Logstash ist eine Datenverarbeitungs-Engine, mit der Daten aus verschiedenen Quellen abgerufen, gefiltert oder normalisiert und dann an das Ziel gesendet werden. Dies kann Kibana oder ein Abhörport sein.
Kibana
Kibana ist eine webbasierte Datenvisualisierung, die mit Elasticsearch arbeitet, um den Datenstrom in Echtzeit zu analysieren, zu untersuchen und zu visualisieren. Es ermöglicht den Benutzern, mehrere Visualisierungen und Dashboards für eine bessere Sichtbarkeit zu erstellen.
Raumantworten
What was the attacker’s IP?
10.0.2.15
WWhat was the first scanner that the attacker ran against the web server?
NMAP Scripting Engine
What was the User Agent of the directory enumeration tool that the attacker used on the web server?
Mozilla/5.0 (Gobuster)
In total, how many requested resources on the web server did the attacker fail to find?
1867
What is the flag under the interesting directory the attacker found?
a76637b62ea99acda12f5859313f539a
WhWhat login page did the attacker discover using the directory enumeration tool?
/admin-login.php
What was the user agent of the brute-force tool that the attacker used on the admin panel?
Mozilla/4.0 (Hydra)
HWhat username:password combination did the attacker use to gain access to the admin page?
admin:thx1138
WWhat flag was included in the file that the attacker uploaded from the admin directory?
THM{ecb012e53a58818cbd17a924769ec447}
What was the first command the attacker ran on the web shell?
Wer bin ich
WhicWhat file location on the web server did the attacker extract database credentials from using Local File Inclusion?
/etc/phpmyadmin/config-db.php
Was directory did the attacker use to access the database manager?
/phpmyadmin
Look at the file input plugin documentationWhat was the name of the database that the attacker exported?
customer_credit_cards
LoWhat flag does the attacker insert into the database?
c6aa3215a7d519eeb40a660f3b76e64c
Video-Komplettlösung
