Analyzing Logs of a Breach

https://tryhackme.com/room/juicydetails

JUICY DETAILS WRITEUP

By Jacvbtaylor

           Used Kali Linux 
                     https://tryhackme.com/room/juicydetails
             completed June 5, 2023

Introduction:

One of the biggest Juice Shops in the world has been compromised by a bad actor and the attacker has made their way into the network.

As the SOC Analyst on duty:

• Figure out what techniques and tools the attacker used

• What endpoints were vulnerable

• What sensitive data was accessed and stolen from the environment

Reconnaissance:

Logs

Using the provided logs adding up to almost 1000 lines of data, there are a few questions that can be answered: What tools did the attacker use?

Using the access logs, there are 5 tools that can noted, or traced

• nmap, Hydra, sqlmap, curl, feroxbuster

nmap

Hydra

sqlmap

curl

feroxbuster

What endpoint was vulnerable to a brute-force attack?

For the Brute Force, Hydra would be the best tool for this. Tracking Hydra in the logs indicates the following as the endpoint

• "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"

/rest/user/login

What endpoint was vulnerable to SQL injection?

• "GET /rest/products/search?q=1 HTTP/1.1"

/rest/products/search

What parameter was used for the SQL injection?

• "GET /rest/products/search?q=1 HTTP/1.1"

q

What endpoint did the attacker try to use to retrieve files?

/ftp

Stolen data:

Now that the tactics and point of failures are determined, the next step is to determine the scope and impact. To do this, the following questions were asked:

What section of the website did the attacker use to scrape user email addresses?

Product Review

Was their brute-force attack successful? If so, what is the timestamp of the successful login?

The attack was successful and it ended at 11/Apr/2021:09:16:32 +0000 which is when the user was granted access.

11/Apr/2021:09:16:32 +0000

What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

The attacker was able to user SQL injection to dump the email and password of select users:

email, password

What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

/coupons_2013.md.bak,/www-data.bak

What service and account name were used to retrieve files from the previous question? (service, username)

ftp, anonymous

What service and username were used to gain shell access to the server? (service, username)

ssh, www-data