# Analyzing Logs of a Breach
## JUICY DETAILS WRITEUP
#### *By Jacvbtaylor*
```
Used Kali Linux
https://tryhackme.com/room/juicydetails
completed June 5, 2023
```
## Introduction:
One of the biggest Juice Shops in the world has been compromised by a bad actor and the attacker has made their way into the network.
As the SOC Analyst on duty:
* Figure out what techniques and tools the attacker used
* What endpoints were vulnerable
* What sensitive data was accessed and stolen from the environment
## Reconnaissance:
Logs
Using the provided logs adding up to almost 1000 lines of data, there are a few questions that can be answered:\
\
\&#xNAN;***What tools did the attacker use?***
Using the access logs, there are 5 tools that can noted, or traced
* nmap, Hydra, sqlmap, curl, feroxbuster
nmap
Hydra
sqlmap
curl
feroxbuster
***What endpoint was vulnerable to a brute-force attack?***
For the Brute Force, Hydra would be the best tool for this. Tracking Hydra in the logs indicates the following as the endpoint
* "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
/rest/user/login
***What endpoint was vulnerable to SQL injection?***
* "GET /rest/products/search?q=1 HTTP/1.1"
/rest/products/search
***What parameter was used for the SQL injection?***
* "GET /rest/products/search?q=1 HTTP/1.1"
q
***What endpoint did the attacker try to use to retrieve files?***
/ftp
## Stolen data:
Now that the tactics and point of failures are determined, the next step is to determine the scope and impact. To do this, the following questions were asked:
***What section of the website did the attacker use to scrape user email addresses?***
Product Review
***Was their brute-force attack successful? If so, what is the timestamp of the successful login?***
The attack was successful and it ended at *11/Apr/2021:09:16:32 +0000* which is when the user was granted access.
11/Apr/2021:09:16:32 +0000
***What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?***
The attacker was able to user SQL injection to dump the email and password of select users:
email, password
***What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)***
/coupons_2013.md.bak,/www-data.bak
***What service and account name were used to retrieve files from the previous question? (service, username)***
ftp, anonymous
***What service and username were used to gain shell access to the server? (service, username)***
