Summary
An anomaly was discovered within our company’s intranet as our Development team found an unusual file on one of our web servers. Suspecting potential malicious activity, the network team has prepared a pcap file with critical network traffic for analysis for the security team, and you have been tasked with analyzing the pcap.
Q1 - Understanding the geographical origin of the attack aids in geo-blocking measures and threat intelligence analysis. What city did the attack originate from?
IPinfo on the attacker’s IP reveals that the attack is from Tianjin, China.
Q2 - Knowing the attacker’s user-agent assists in creating robust filtering rules. What’s the attacker’s user agent?
Getting that information on a HTTP request and looking at the User-Agent field, I retrieve the one below :
|
|
Q3 - We need to identify if there were potential vulnerabilities exploited. What’s the name of the malicious web shell uploaded?
On packet 63, I can see some uploading on the server as below :
|
|
This is a simple reverse shell to the attacker IP
Q4 - Knowing the directory where files uploaded are stored is important for reinforcing defenses against unauthorized access. Which directory is used by the website to store the uploaded files?
Looking on the TCP stream n*9, I got some information where the webshell is uploaded :
|
|
Q5 - Identifying the port utilized by the web shell helps improve firewall configurations for blocking unauthorized outbound traffic. What port was used by the malicious web shell?
Looking at the reverse shell found in Q3, the reverse shell is communicating on the port 8080.
|
|
Q6 - Understanding the value of compromised data assists in prioritizing incident response actions. What file was the attacker trying to exfiltrate?
Looking through the TCP streams, I found the moment the attacker is accessing the system and trying to get the passwd
file via POST request.
|
|