Malicious Web Traffic Analysis
Level: Medium
Challenge: Malicious Web Traffic Analysis
Q1: What is the IP address of the web server?
In the "Conversation" section of Wireshark's Analyst view, we observe a significant number of requests and responses exchanged between two IP addresses. This activity suggests that one IP might belong to an attacker while the other corresponds to a compromised web server.

Q2: What is the IP address of the attacker?
As noted in Q1, the other IP address in that same conversation is the attacker's.
Q3: The attacker first tried to sign up on the website; however, he found a vulnerability that allowed him to read the source code. What is the name of the vulnerability?
Initially this was hard to identify, but after completing the lab I found a way to simplify the process. I built a filter on the two identified IPs and, following the hint, looked for the traffic produced by signing up for an account. That is most likely a POST request sent by the attacker, which let me refine the filter further and reduce the volume of data to analyze.


Q4: There was a note in the source code, what is it?
By following the stream, I found the response to that request. Answering this question only requires reviewing the content of the response.


Q5: After exploiting the previous vulnerability, the attacker got a hint about a possible username. What is the username that the attacker found?
After the successful exploit, numerous login requests appear. Analyzing the submitted form data reveals brute-force behavior targeting a single username.

Q6: The attacker tried to brute-force the password of the possible username that he found. What is the password of that user?
When a login succeeds, this application answers with status code 302 (Found). Filtering on that status code removes most of the unnecessary data.

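The Q5 and Q6 steps (spot the username being brute-forced, then isolate the submission the server answered with a 302) as an added Python example over constructed request/response records; this is not code from the challenge, and the IPs, usernames, passwords and the `/login` path are made up for the example:

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample records, one per HTTP request/response pair, as you would
# assemble them by following each TCP stream in Wireshark. Every host, URI and
# credential below is invented for this example; none comes from the challenge PCAP.
# Tuple layout: (src_ip, dst_ip, method, uri, request_body, response_status)
SAMPLE = [
    ("192.0.2.10", "198.51.100.20", "GET",  "/login", "", 200),
    ("192.0.2.10", "198.51.100.20", "POST", "/login", "username=dave&password=123456", 200),
    ("192.0.2.10", "198.51.100.20", "POST", "/login", "username=dave&password=password", 200),
    ("192.0.2.10", "198.51.100.20", "POST", "/login", "username=dave&password=letmein", 200),
    ("192.0.2.10", "198.51.100.20", "POST", "/login", "username=dave&password=qwerty", 200),
    ("192.0.2.10", "198.51.100.20", "POST", "/login", "username=dave&password=s3cretpw", 302),
    ("192.0.2.10", "198.51.100.20", "GET",  "/admin", "", 200),
    ("203.0.113.7", "198.51.100.20", "POST", "/login", "username=alice&password=correct", 302),
]

def login_attempts(records, src_ip, login_uri="/login"):
    """Keep only credential submissions from one client to the login endpoint."""
    return [r for r in records
            if r[0] == src_ip and r[2] == "POST" and r[3] == login_uri]

def targeted_usernames(records, src_ip, threshold=3):
    """Usernames src_ip submitted at least `threshold` times (the Q5 pattern)."""
    counts = Counter()
    for r in login_attempts(records, src_ip):
        user = parse_qs(r[4]).get("username", [""])[0]
        if user:
            counts[user] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

def successful_logins(records, src_ip, success_code=302):
    """Credentials whose submission got the app's success status (the Q6 filter).
    302 is what this application returns on success; other apps may differ, so
    confirm the convention from a known-good login before relying on it."""
    found = []
    for r in login_attempts(records, src_ip):
        if r[5] == success_code:
            form = parse_qs(r[4])
            found.append((form.get("username", [""])[0],
                          form.get("password", [""])[0]))
    return found

if __name__ == "__main__":
    print(targeted_usernames(SAMPLE, "192.0.2.10"))   # {'dave': 5}
    print(successful_logins(SAMPLE, "192.0.2.10"))    # [('dave', 's3cretpw')]
```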

Q9: Once the attacker gained admin access, they exploited another vulnerability that led the attacker to read internal files that were located on the server. What payload did the attacker use?
After filtering out the unrelated URLs, the malicious payload sent to the server becomes much easier to spot.


Q10: The attacker was able to view all the users on the server. What is the last user that was created on the server?
Examining the returned content, I can see a list of the users on the web server. Since these are user accounts rather than service accounts, they likely have shell access; here the login shell is Bash.

Q11: The attacker also found an open redirect vulnerability. What is the URL the attacker tested the exploit with?
At the end of the filtered results, we can observe another payload being sent.

