Juicy Details

Introduction

Reconnaissance

Let's unzip the files we downloaded.

Let's read the access log.

First we have to find out what tools the attacker used. We can identify them from the request headers, since each tool sends its own default User-Agent string.

In order of appearance the User-Agent strings identify nmap, then hydra, then sqlmap, and the last two are curl and feroxbuster.

Hydra is the tool used for brute-forcing, so let's see which endpoint they were attacking with Hydra.

To see which endpoint was vulnerable to SQL injection, let's look for the endpoint they attacked with SQLi where the attack was successful.

The parameter used for the SQL injection was q.

The endpoint the attacker tried to use to retrieve flags can be seen at the end of the log file.

Stolen Data

The section of the website the attacker used to scrape user email addresses can be seen in the log file. Email addresses do not appear on most pages, but they do appear where people leave reviews.

Their brute-force attack was successful, as we can see in the logs.

We know it was successful because, right after that request, the attacker was sent to the admin page.

Looking at the last sqlmap request we can see that they were able to retrieve the email and password.

The files they tried to download can be found at the end of the logs.
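The reconnaissance and stolen-data questions above are all answered by reading the same access log with the same eye: which User-Agent sent each request, which endpoint the brute-forcer hammered and what the client did right after its first 2xx, which query parameter sqlmap tampered with, and which section of the site curl walked through. The script below is an added example written for this write-up, not part of the original post or of the challenge files; it parses a constructed combined-format log (placeholder IP, paths and timestamps, with each tool's default User-Agent) and computes those answers instead of eyeballing them.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" format. Client IP, paths,
# timestamps and sizes are placeholders, not the challenge's real log.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2021:09:05:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [11/Apr/2021:09:07:00 +0000] "POST /api/login HTTP/1.1" 401 26 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:07:01 +0000] "POST /api/login HTTP/1.1" 401 26 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:07:02 +0000] "POST /api/login HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [11/Apr/2021:09:07:03 +0000] "GET /admin HTTP/1.1" 200 845 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
10.0.0.5 - - [11/Apr/2021:09:08:01 +0000] "GET /search?q=apple%27 HTTP/1.1" 500 90 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:08:02 +0000] "GET /search?q=apple%27%20OR%201%3D1-- HTTP/1.1" 200 700 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.0.0.5 - - [11/Apr/2021:09:09:00 +0000] "GET /api/reviews/1 HTTP/1.1" 200 300 "-" "curl/7.74.0"
10.0.0.5 - - [11/Apr/2021:09:09:01 +0000] "GET /api/reviews/2 HTTP/1.1" 200 310 "-" "curl/7.74.0"
10.0.0.5 - - [11/Apr/2021:09:10:00 +0000] "GET /backup HTTP/1.1" 404 150 "-" "feroxbuster/2.2.1"
10.0.0.5 - - [11/Apr/2021:09:10:01 +0000] "GET /files/backup.zip HTTP/1.1" 200 9000 "-" "curl/7.74.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify each tool's default User-Agent (compared lower-cased).
TOOL_SIGNATURES = {"nmap": "nmap", "hydra": "hydra", "sqlmap": "sqlmap",
                   "curl": "curl/", "feroxbuster": "feroxbuster"}

# Crude injection markers (quote, SQL comment, UNION, tautology): enough to
# flag which parameter was under test, far narrower than a real WAF rule set.
SQLI_MARKERS = re.compile(r"""['"]|--|/\*|\bunion\b|\bor\b\s+\d+\s*=\s*\d+""", re.I)


def parse(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = urlsplit(e["target"]).path
            entries.append(e)
    return entries


def tools_in_order(entries):
    """Tools seen, in order of the first appearance of their User-Agent."""
    seen = []
    for e in entries:
        ua = e["ua"].lower()
        for tool, sig in TOOL_SIGNATURES.items():
            if sig in ua and tool not in seen:
                seen.append(tool)
    return seen


def bruteforce_summary(entries, tool="hydra"):
    """Endpoint the tool POSTed to most, how many attempts, whether any got a
    2xx, and what the same client requested right after that first success."""
    hits = [(i, e) for i, e in enumerate(entries)
            if tool in e["ua"].lower() and e["method"] == "POST"]
    if not hits:
        return None
    endpoint = Counter(e["path"] for _, e in hits).most_common(1)[0][0]
    attempts = [(i, e) for i, e in hits if e["path"] == endpoint]
    success = next((i for i, e in attempts if 200 <= e["status"] < 300), None)
    follow_up = None
    if success is not None:
        ip = entries[success]["ip"]
        follow_up = next((e["path"] for e in entries[success + 1:] if e["ip"] == ip), None)
    return {"endpoint": endpoint, "attempts": len(attempts),
            "succeeded": success is not None, "next_request": follow_up}


def sqli_findings(entries, tool="sqlmap"):
    """Per path: query parameters carrying injection markers and whether any
    such request was answered 200 (the likely successful extraction)."""
    findings = defaultdict(lambda: {"params": set(), "succeeded": False})
    for e in entries:
        if tool not in e["ua"].lower():
            continue
        query = parse_qs(urlsplit(e["target"]).query, keep_blank_values=True)
        for name, values in query.items():
            if any(SQLI_MARKERS.search(v) for v in values):
                f = findings[e["path"]]
                f["params"].add(name)
                f["succeeded"] = f["succeeded"] or e["status"] == 200
    return dict(findings)


def scraped_sections(entries, tool="curl"):
    """Site sections (first two path segments) the scraping tool fetched, by count."""
    counts = Counter()
    for e in entries:
        if tool in e["ua"].lower() and e["method"] == "GET":
            segments = e["path"].strip("/").split("/")
            counts["/" + "/".join(segments[:2])] += 1
    return counts.most_common()


ENTRIES = parse(SAMPLE_LOG)
```

Running the functions over ENTRIES gives the same shape of answer the write-up reads off the screenshots: the tool order, the login endpoint with three attempts and a follow-up request to the admin page, the q parameter on the search endpoint with one 200 response, and the reviews section as the most-scraped part of the site. On a real log, swap SAMPLE_LOG for the file contents and look at the tail of ENTRIES for the final download attempts.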

To identify the service and account name that were used, we need to look at the service's own log file, which is vsftpd.log.

The service is FTP and the account name is anonymous.

To see the username and service that were used to gain shell access to the server, we need to look at the authentication log, auth.log.

The service is SSH and the username they were logged in as is www-data.
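The two service logs have fixed formats, so the account that logged in over FTP, what it downloaded, and the user that was accepted over SSH can be pulled out with a regex each rather than by scrolling. The following is an added example for this write-up, not code from the original post or from the challenge; it runs over constructed excerpts of vsftpd.log and auth.log (placeholder host name, PIDs, client address and file name).

```python
import re

# Constructed excerpts in the real sshd and vsftpd line formats. Host name,
# PIDs, client address and file name are placeholders, not the challenge's data.
AUTH_LOG = """\
Apr 11 09:12:01 server sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Apr 11 09:12:03 server sshd[1234]: Failed password for www-data from 10.0.0.5 port 51000 ssh2
Apr 11 09:12:05 server sshd[1235]: Accepted password for www-data from 10.0.0.5 port 51002 ssh2
Apr 11 09:12:05 server sshd[1235]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
"""

VSFTPD_LOG = """\
Sun Apr 11 09:11:30 2021 [pid 2100] CONNECT: Client "10.0.0.5"
Sun Apr 11 09:11:31 2021 [pid 2099] [anonymous] OK LOGIN: Client "10.0.0.5", anon password "?"
Sun Apr 11 09:11:40 2021 [pid 2101] [anonymous] OK DOWNLOAD: Client "10.0.0.5", "/pub/backup.zip", 120 bytes, 3.50Kbyte/sec
"""

# sshd writes "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n> ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)
# vsftpd writes "[pid N] [user] OK|FAIL ACTION: Client "ip"[, "path", ...]";
# the bracketed user and the status are absent on a bare CONNECT line.
VSFTPD_RE = re.compile(
    r'\[pid \d+\] (?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>OK|FAIL) )?'
    r'(?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def ssh_logins(text):
    """Every password attempt sshd recorded: who, from where, accepted or not."""
    out = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            out.append({"service": "SSH", "user": m["user"], "ip": m["ip"],
                        "accepted": m["result"] == "Accepted"})
    return out


def ftp_events(text):
    """vsftpd events with the account in brackets (None on CONNECT lines)."""
    out = []
    for line in text.splitlines():
        m = VSFTPD_RE.search(line)
        if m:
            d = m.groupdict()
            d["service"] = "FTP"
            out.append(d)
    return out


def summarize(auth_text, ftp_text):
    """Answer the write-up's two questions: which FTP accounts logged in (and
    what they fetched), and which user obtained a shell over SSH."""
    ftp = ftp_events(ftp_text)
    ftp_accounts = sorted({e["user"] for e in ftp
                           if e["action"] == "LOGIN" and e["status"] == "OK"})
    downloads = [e["path"] for e in ftp if e["action"] == "DOWNLOAD" and e["status"] == "OK"]
    shell_users = sorted({e["user"] for e in ssh_logins(auth_text) if e["accepted"]})
    return {"ftp_accounts": ftp_accounts, "ftp_downloads": downloads,
            "ssh_shell_users": shell_users}


if __name__ == "__main__":
    print(summarize(AUTH_LOG, VSFTPD_LOG))
```

The failed attempts for www-data just before the accepted one are worth keeping in the output: a single Accepted line preceded by Failed lines for the same account from the same client is the pattern that distinguishes a guessed or leaked password from a routine login.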
