# Analyzing Logs of a Breach

## JUICY DETAILS WRITEUP

#### *By Jacvbtaylor* <a href="#by_jacvbtaylor__1" id="by_jacvbtaylor__1"></a>

```
Used Kali Linux
https://tryhackme.com/room/juicydetails
completed June 5, 2023
```

## <mark style="color:red;">Introduction:</mark> <a href="#step_1_12" id="step_1_12"></a>

One of the biggest Juice Shops in the world has been compromised by a bad actor and the attacker has made their way into the network.

As the SOC Analyst on duty:

* Figure out what techniques and tools the attacker used
* What endpoints were vulnerable
* What sensitive data was accessed and stolen from the environment

## <mark style="color:red;">Reconnaissance:</mark> <a href="#step_1_12" id="step_1_12"></a>

<figure><img src="/files/EzWWFyVlQ4QgmFmmuN4T" alt=""><figcaption><p>Logs</p></figcaption></figure>

Using the provided logs, adding up to almost 1000 lines of data, there are a few questions that can be answered:

*<mark style="color:green;">**What tools did the attacker use?**</mark>*

Using the access logs, five tools can be noted or traced:

* nmap, Hydra, sqlmap, curl, feroxbuster

<figure><img src="/files/lsP76wydrxNY3KY5ch9l" alt=""><figcaption><p>nmap</p></figcaption></figure>

<figure><img src="/files/X9Rhlm2Zk5nL1wuaV6Z8" alt=""><figcaption><p>Hydra</p></figcaption></figure>

<figure><img src="/files/QBW09fFyN6cvh5IMggaP" alt=""><figcaption><p>sqlmap</p></figcaption></figure>

<figure><img src="/files/uAVoTgiVsPGhVobfgNK2" alt=""><figcaption><p>curl</p></figcaption></figure>

<figure><img src="/files/CgcgKuGHpynTfEKTbECF" alt=""><figcaption><p>feroxbuster</p></figcaption></figure>

*<mark style="color:green;">**What endpoint was vulnerable to a brute-force attack?**</mark>*

For the brute force, Hydra is the tool to track. Following Hydra's requests through the logs points to the following endpoint:

* "GET <mark style="color:orange;">/rest/user/login</mark> HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"

<figure><img src="/files/xPBte4LlZeUBOm0FVzFE" alt=""><figcaption><p>/rest/user/login</p></figcaption></figure>

*<mark style="color:green;">**What endpoint was vulnerable to SQL injection?**</mark>*

* "GET <mark style="color:orange;">/rest/products/search</mark>?q=1 HTTP/1.1"

<figure><img src="/files/6Vl421DOwmN4X7unsGRX" alt=""><figcaption><p>/rest/products/search</p></figcaption></figure>

*<mark style="color:green;">**What parameter was used for the SQL injection?**</mark>*

* "GET /rest/products/search?<mark style="color:orange;">q</mark>=1 HTTP/1.1"

<figure><img src="/files/FAaUiAiZz3ittI36H9L4" alt=""><figcaption><p>q</p></figcaption></figure>

*<mark style="color:green;">**What endpoint did the attacker try to use to retrieve files?**</mark>*

<figure><img src="/files/pUfbw0uj7M1eilZWxL9Q" alt=""><figcaption><p>/ftp</p></figcaption></figure>

## <mark style="color:red;">Stolen data:</mark>

Now that the tactics and points of failure are determined, the next step is to determine the scope and impact. To do this, the following questions were asked:

*<mark style="color:green;">**What section of the website did the attacker use to scrape user email addresses?**</mark>*

<figure><img src="/files/3mfUQJTww3v2CrFi2EbR" alt=""><figcaption><p>Product Review</p></figcaption></figure>

*<mark style="color:green;">**Was their brute-force attack successful? If so, what is the timestamp of the successful login?**</mark>*

The attack was successful and it ended at *<mark style="color:purple;">11/Apr/2021:09:16:32 +0000</mark>* which is when the user was granted access.

<figure><img src="/files/sMVBMRh0G5heV3XhMBzl" alt=""><figcaption><p>11/Apr/2021:09:16:32 +0000</p></figcaption></figure>
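The same three questions answered above by reading the screenshots (which tools appear in the logs, which endpoint Hydra hammered, and when the first successful login arrived, plus which parameter sqlmap targeted) can be answered mechanically. The script below is an added example and not part of the original writeup or the TryHackMe room: it parses Apache combined-format access log lines, tags each request with a tool name from its user-agent string, and derives the brute-force endpoint, the timestamp of the first 200 response inside that brute force, and the query parameters probed by sqlmap. The log lines embedded in it are constructed for the example and are not the room's real log; the IP address, sizes and most timestamps are made up, while the 11/Apr/2021:09:16:32 +0000 success time mirrors the answer above.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-format access log lines (not the room's real log).
SAMPLE_LOG = """\
192.168.10.5 - - [11/Apr/2021:09:11:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.168.10.5 - - [11/Apr/2021:09:12:14 +0000] "GET /ftp HTTP/1.1" 200 567 "-" "feroxbuster/2.2.1"
192.168.10.5 - - [11/Apr/2021:09:16:30 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
192.168.10.5 - - [11/Apr/2021:09:16:32 +0000] "POST /rest/user/login HTTP/1.0" 200 - "-" "Mozilla/5.0 (Hydra)"
192.168.10.5 - - [11/Apr/2021:09:20:03 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 89 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
192.168.10.5 - - [11/Apr/2021:09:20:04 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 89 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
192.168.10.5 - - [11/Apr/2021:09:25:40 +0000] "GET /ftp/coupons_2013.md.bak HTTP/1.1" 403 0 "-" "curl/7.74.0"
"""

# Apache "combined" log format: client, identd, user, [time], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Case-insensitive substrings that identify the five tools seen in this writeup.
TOOL_SIGNATURES = {
    "nmap": "nmap",
    "Hydra": "hydra",
    "sqlmap": "sqlmap",
    "curl": "curl",
    "feroxbuster": "feroxbuster",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["tool"] = identify_tool(rec["ua"])
    return rec


def parse_log(text):
    """Parse every line of a log; lines that do not match the format are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def identify_tool(user_agent):
    """Map a user-agent string to a known tool name, or None for ordinary browsers."""
    ua = user_agent.lower()
    for name, needle in TOOL_SIGNATURES.items():
        if needle in ua:
            return name
    return None


def tools_seen(records):
    """Set of tool names that appear anywhere in the log."""
    return {r["tool"] for r in records if r["tool"]}


def brute_force_endpoint(records):
    """The path Hydra requested most often; None if Hydra never appears."""
    paths = Counter(urlsplit(r["path"]).path for r in records if r["tool"] == "Hydra")
    return paths.most_common(1)[0][0] if paths else None


def first_successful_login(records, endpoint):
    """Timestamp of the first Hydra request to `endpoint` answered with HTTP 200."""
    for r in records:  # access logs are already in time order
        if r["tool"] == "Hydra" and urlsplit(r["path"]).path == endpoint and r["status"] == 200:
            return r["ts"]
    return None


def sqli_targets(records):
    """Map each path sqlmap requested to the set of query parameters it sent."""
    targets = {}
    for r in records:
        if r["tool"] != "sqlmap":
            continue
        parts = urlsplit(r["path"])
        for param in parse_qs(parts.query, keep_blank_values=True):
            targets.setdefault(parts.path, set()).add(param)
    return targets


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    endpoint = brute_force_endpoint(recs)
    print("tools:", sorted(tools_seen(recs), key=str.lower))
    print("brute-forced endpoint:", endpoint)
    print("first successful login:", first_successful_login(recs, endpoint))
    print("sqlmap targets:", sqli_targets(recs))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. The user-agent match is deliberately the weakest link: all five tools here announced themselves, but an attacker can set any user-agent, so in practice the rate of 500/401 responses per source on a login endpoint, and the burst of requests to one path with varying query values, are the signals to alert on regardless of what the client claims to be.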

*<mark style="color:green;">**What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?**</mark>*

The attacker was able to use SQL injection to dump the email and password of select users:

<figure><img src="/files/Ftl44x5Fdd1ditZJPm3M" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VMLw9fG8EeZTCmw7C5yK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ySTYptqivzzgXBgr2wtl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ortErA36jmUf5jLETkNT" alt=""><figcaption><p>email, password</p></figcaption></figure>

*<mark style="color:green;">**What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)**</mark>*

<figure><img src="/files/GRT5Jgmp2q5KVlVqh231" alt=""><figcaption><p>/coupons_2013.md.bak,/www-data.bak</p></figcaption></figure>

*<mark style="color:green;">**What service and account name were used to retrieve files from the previous question? (service, username)**</mark>*

<figure><img src="/files/dIFrzXmc9xb7UEpRRarC" alt=""><figcaption><p>ftp, anonymous</p></figcaption></figure>

*<mark style="color:green;">**What service and username were used to gain shell access to the server? (service, username)**</mark>*

<figure><img src="/files/dlFbYnQDru0c9BmzuzWH" alt=""><figcaption><p>ssh, www-data</p></figcaption></figure>

