Juicy Details
Introduction
Reconnaissance
Let's unzip the files we downloaded.
Let's read the access log.
So we have to find which tools the attacker used. We can identify them from the User-Agent header each tool sends with its requests: first we have nmap, next hydra, then sqlmap, and the last two are curl and feroxbuster. Keep in mind that the User-Agent is set by the client, so a more careful attacker could have changed it; this one left the defaults.
Hydra is the tool used for brute-forcing, so let's look at the requests carrying the Hydra User-Agent to see which endpoint they were attacking.
To find which endpoint was vulnerable to SQL injection, let's look at the endpoint the attacker hit with sqlmap and check where the injection was successful.
The parameter used for the SQL injection was q
The endpoint the attacker tried to use to retrieve the flags can be seen at the end of the log file.
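Here is an added example (my own code, not part of the room's files or the original writeup) that does the same three checks as above over a few constructed access.log lines in combined log format: it identifies the tools from the User-Agent strings, finds the endpoint Hydra hammered and the first non-401 response on it, and lists the query parameters that carried SQL-looking payloads in requests answered with 200. The log lines, paths such as /api/login and /search, and the User-Agent values (modelled on each tool's default) are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access.log lines (combined log format). They are NOT the
# room's real log; paths and User-Agent strings are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 1924 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [11/Apr/2021:09:05:10 +0000] "POST /api/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:05:11 +0000] "POST /api/login HTTP/1.0" 401 26 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:05:12 +0000] "POST /api/login HTTP/1.0" 200 817 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:05:13 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:20:30 +0000] "GET /search?q=apple HTTP/1.1" 200 412 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:20:31 +0000] "GET /search?q=apple%27%20AND%201%3D1-- HTTP/1.1" 200 412 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:20:32 +0000] "GET /search?q=apple%27%20UNION%20SELECT%20email%2Cpassword%20FROM%20Users-- HTTP/1.1" 200 2231 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:30:00 +0000] "GET /ftp/backup.bak HTTP/1.1" 403 0 "-" "curl/7.74.0"
10.0.0.5 - - [11/Apr/2021:09:31:00 +0000] "GET /ftp HTTP/1.1" 200 998 "-" "feroxbuster/2.2.1"
"""

# One regex for the combined log format: ip, identd, user, time, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that each tool's default User-Agent contains (the ordering is only for lookup).
TOOL_SIGNATURES = {
    "nmap": "Nmap Scripting Engine",
    "hydra": "(Hydra)",
    "sqlmap": "sqlmap/",
    "curl": "curl/",
    "feroxbuster": "feroxbuster/",
}

# Crude markers of SQL injection payloads in a decoded parameter value.
SQLI_MARKERS = ("'", '"', " union ", " select ", " or ", " and ", "--", "sleep(")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def identify_tool(ua):
    """Return the tool name whose default User-Agent signature appears in ua, else None."""
    ua_lower = ua.lower()
    for tool, signature in TOOL_SIGNATURES.items():
        if signature.lower() in ua_lower:
            return tool
    return None


def tools_used(entries):
    """Tools in order of first appearance, the way a timeline of the attack would list them."""
    seen = []
    for entry in entries:
        tool = identify_tool(entry["ua"])
        if tool and tool not in seen:
            seen.append(tool)
    return seen


def bruteforce_target(entries):
    """Path Hydra hit most often, the attempt count, and the status of the first non-401 reply."""
    hydra = [e for e in entries if identify_tool(e["ua"]) == "hydra"]
    if not hydra:
        return None
    path, hits = Counter(urlsplit(e["target"]).path for e in hydra).most_common(1)[0]
    success = next(
        (e["status"] for e in hydra if urlsplit(e["target"]).path == path and e["status"] != 401),
        None,
    )
    return path, hits, success


def sqli_parameters(entries):
    """Count (path, parameter) pairs whose decoded value looks like SQL, for 200 responses only."""
    hits = Counter()
    for entry in entries:
        if entry["status"] != 200:
            continue
        parts = urlsplit(entry["target"])
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if any(marker in value.lower() for marker in SQLI_MARKERS):
                    hits[(parts.path, name)] += 1
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("tools:", tools_used(log))
    print("brute-forced endpoint:", bruteforce_target(log))
    print("injected parameters:", dict(sqli_parameters(log)))
```

On the real access.log you would replace SAMPLE_LOG with the file contents; the User-Agent check is only as good as the attacker's laziness, so treat it as a lead, not proof.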
Stolen Data
The section of the website the attacker used to scrape user email addresses can be seen in the log file. Email addresses are not shown on every page, but they do appear where users leave product reviews, so that is the part of the site to look for in the requests.
Their brute-force attack was successful, as we can see in the logs: right after the successful login request, the attacker was sent to the admin page.
Looking at the last sqlmap request, we can see that they were able to retrieve the email and password columns.
The files they tried to download can be found at the end of the logs
To find the service and account name that were used, we need to look at the service log, which is vsftpd.log.
The service is FTP and the account name is anonymous.
To find the service and username that were used to gain shell access to the server, we need to look at the authentication log, which is auth.log.
The service is SSH and the username they logged in as is www-data.
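Added example (my own code, not from the room or the original writeup) for the last two questions: it pulls the FTP logins and downloads out of vsftpd-style lines and the accepted and failed SSH logins out of OpenSSH auth.log-style lines. The lines below are constructed to match the default formats of those two daemons; the hostname, IP, PIDs, the file name /backup.zip and the "admin" failed login are assumptions for the example, not content from the room's logs.

```python
import re
from collections import Counter

# Constructed vsftpd.log lines (default vsftpd log format). Not the room's real file.
VSFTPD_LOG = """\
Sun Apr 11 09:40:02 2021 [pid 2] CONNECT: Client "::ffff:10.0.0.5"
Sun Apr 11 09:40:03 2021 [pid 1] [anonymous] OK LOGIN: Client "::ffff:10.0.0.5", anon password "IEUser@"
Sun Apr 11 09:40:10 2021 [pid 3] [anonymous] OK DOWNLOAD: Client "::ffff:10.0.0.5", "/backup.zip", 1337 bytes, 12.10Kbyte/sec
"""

# Constructed auth.log lines (OpenSSH sshd syslog format). Not the room's real file.
AUTH_LOG = """\
Apr 11 09:40:02 juiceshop sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 50122 ssh2
Apr 11 09:41:40 juiceshop sshd[1210]: Accepted password for www-data from 10.0.0.5 port 50130 ssh2
Apr 11 09:41:40 juiceshop sshd[1210]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
"""

# vsftpd: "<timestamp> [pid N] [user] OK|FAIL ACTION: Client "addr"<rest>"; user and status are optional
# because CONNECT lines carry neither.
VSFTPD_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] (?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>OK|FAIL) )?'
    r'(?P<action>[A-Z]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)

# sshd: "Accepted|Failed <method> for [invalid user ]<user> from <ip> port <port>".
SSH_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)'
)


def vsftpd_events(text):
    """Parse vsftpd lines into dicts, skipping anything that does not match the format."""
    return [m.groupdict() for m in (VSFTPD_RE.match(l) for l in text.splitlines()) if m]


def ftp_logins(text):
    """(user, client, status) for every LOGIN event, successful or not."""
    return [(e["user"], e["client"], e["status"]) for e in vsftpd_events(text) if e["action"] == "LOGIN"]


def ftp_downloads(text):
    """Paths of files fetched over FTP; the path is the first quoted field after the client address."""
    paths = []
    for e in vsftpd_events(text):
        if e["action"] == "DOWNLOAD" and e["status"] == "OK":
            m = re.search(r'"([^"]+)"', e["rest"])
            if m:
                paths.append(m.group(1))
    return paths


def shell_logins(text):
    """(service, user, ip, auth method) for each accepted sshd login."""
    logins = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m and m.group("result") == "Accepted":
            logins.append(("ssh", m.group("user"), m.group("ip"), m.group("method")))
    return logins


def failed_logins(text):
    """Failed sshd attempts per username, useful for spotting a brute force before the success."""
    counts = Counter()
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m and m.group("result") == "Failed":
            counts[m.group("user")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("ftp logins:", ftp_logins(VSFTPD_LOG))
    print("ftp downloads:", ftp_downloads(VSFTPD_LOG))
    print("shell logins:", shell_logins(AUTH_LOG))
    print("failed ssh logins:", failed_logins(AUTH_LOG))
```

Both parsers ignore lines they do not understand rather than failing, which is what you want when feeding them a whole log; if a real line is silently dropped, loosen the regex rather than the check.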