Jacob Taylor Portfolio
Analyzing Logs of a Breach
https://tryhackme.com/room/juicydetails

JUICY DETAILS WRITEUP

By Jacvbtaylor

Used Kali Linux
Completed June 5, 2023

Introduction:

One of the biggest Juice Shops in the world has been compromised by a bad actor and the attacker has made their way into the network.

As the SOC Analyst on duty:

  • Figure out what techniques and tools the attacker used

  • What endpoints were vulnerable

  • What sensitive data was accessed and stolen from the environment

Reconnaissance:

The provided logs, which add up to almost 1000 lines of data, are enough to answer a few questions. What tools did the attacker use?

Five tools can be identified, or traced, in the access logs:

  • nmap, Hydra, sqlmap, curl, feroxbuster

What endpoint was vulnerable to a brute-force attack?

Of those tools, Hydra is the one built for brute forcing. Tracking the Hydra requests through the logs points to the following endpoint:

  • "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"

What endpoint was vulnerable to SQL injection?

  • "GET /rest/products/search?q=1 HTTP/1.1"

What parameter was used for the SQL injection?

  • "GET /rest/products/search?q=1 HTTP/1.1"

What endpoint did the attacker try to use to retrieve files?

Stolen data:

Now that the tactics and points of failure are determined, the next step is to determine the scope and impact. To do this, the following questions were asked:

What section of the website did the attacker use to scrape user email addresses?

Was their brute-force attack successful? If so, what is the timestamp of the successful login?

The brute force was successful. It ended at 11/Apr/2021:09:16:32 +0000, which is the timestamp of the request that was granted access.
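The reconnaissance checks above (which tools appear in the log, which endpoint Hydra hammered) and the successful-login timestamp can be pulled out of a combined-format access log with a short script. This is an added example, not part of the original writeup; the sample log lines and the User-Agent markers are constructed for illustration and are not the room's data.

```python
import re
from collections import Counter

# Combined log format: client ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings the five tools named in the writeup typically leave in the User-Agent header (assumed markers).
TOOL_MARKERS = {"nmap": "nmap", "hydra": "hydra", "sqlmap": "sqlmap",
                "curl": "curl", "feroxbuster": "feroxbuster"}

# Constructed sample lines in the same format as the log line quoted above (not the room's log).
SAMPLE_LOG = """\
192.168.10.5 - - [11/Apr/2021:09:10:01 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 1522 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
192.168.10.5 - - [11/Apr/2021:09:12:40 +0000] "GET /ftp HTTP/1.1" 200 2133 "-" "feroxbuster/2.2.1"
192.168.10.5 - - [11/Apr/2021:09:16:30 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
192.168.10.5 - - [11/Apr/2021:09:16:32 +0000] "GET /rest/user/login HTTP/1.0" 200 846 "-" "Mozilla/5.0 (Hydra)"
"""

def parse(lines):
    """Parse combined-format lines into dicts, skipping anything that does not match."""
    return [m.groupdict() for m in (LOG_RE.match(line.strip()) for line in lines) if m]

def tools_seen(entries):
    """Names of the tools whose User-Agent marker appears anywhere in the log."""
    uas = " ".join(e["ua"].lower() for e in entries)
    return {name for name, marker in TOOL_MARKERS.items() if marker in uas}

def brute_force_target(entries, tool_marker="hydra"):
    """The path the tool hit most often, i.e. the brute-forced endpoint (query string stripped)."""
    hits = Counter(e["path"].split("?")[0] for e in entries if tool_marker in e["ua"].lower())
    return hits.most_common(1)[0][0] if hits else None

def first_success(entries, path, tool_marker="hydra"):
    """Timestamp of the first 2xx response to the tool on the brute-forced path, or None."""
    for e in entries:  # entries keep log order, so the first match is the earliest success
        if (tool_marker in e["ua"].lower() and e["path"].split("?")[0] == path
                and e["status"].startswith("2")):
            return e["time"]
    return None

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG.splitlines())
    target = brute_force_target(entries)
    print("tools:", sorted(tools_seen(entries)))
    print("brute-forced endpoint:", target)
    print("first successful login:", first_success(entries, target))
```

Against the real room log the same functions run over the file's lines instead of SAMPLE_LOG; a tool that spoofs its User-Agent will not show up in tools_seen, so request volume and status patterns remain the stronger signal.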

What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

The attacker was able to use SQL injection to dump the email and password of selected users.

What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

What service and account name were used to retrieve files from the previous question? (service, username)

What service and username were used to gain shell access to the server? (service, username)

Logs

Answer summary:

  • Tools used: nmap, Hydra, sqlmap, curl, feroxbuster

  • Brute-force endpoint: /rest/user/login

  • SQL injection endpoint: /rest/products/search

  • SQL injection parameter: q

  • File-retrieval endpoint: /ftp

  • Section used to scrape email addresses: Product Review

  • Successful login timestamp: 11/Apr/2021:09:16:32 +0000

  • User information retrieved via SQL injection: email, password

  • Files downloaded: /coupons_2013.md.bak,/www-data.bak

  • Service and account used to retrieve files: ftp, anonymous

  • Service and username used for shell access: ssh, www-data