Web Investigation Lab
FULL TRANSCRIPT
I hope everyone is doing great. So today we have a quick lab by CyberDefenders which is called the Web Investigation lab, and this lab is really good to test your network forensics skills and the usage of tools like Wireshark and NetworkMiner. So let's start by reading the scenario and answering the questions.

So the scenario says: you're a cybersecurity analyst working in the security operations center of BookWorld, an expansive online bookstore renowned for its vast selection of literature. BookWorld prides itself on providing a seamless and secure shopping experience for book enthusiasts around the globe. So recently you have been tasked with reinforcing the company's cybersecurity posture, monitoring network traffic and ensuring their digital environment remains safe from threats. So late one evening an automated alert is triggered, maybe from the SIEM tool, by an unusual spike in database queries and server resource usage, indicating potential malicious activity. This anomaly raises concerns about the integrity of BookWorld's customer data and internal systems, prompting an immediate and thorough investigation. As the lead analyst in this case, you are required to analyze the network traffic to uncover the nature of the suspicious activity. The objectives include identifying the attack vector, assessing the scope of any potential data breach and determining if the attacker gained further access to the BookWorld systems.

All right. So you can download the pcap file from here, and you'll be provided with the password here on cyberdefenders.org. I already downloaded it. You need to unzip it.
As you can see, this is the pcap file. So, okay, we'll close this one and start by answering the questions. So, question number one says: by knowing the attacker's IP, we can analyze all the logs and actions related to the IP and determine the extent of the attack, the duration of the attack, and the technique used. Can you provide the attacker's IP?

All right. So, normally what we do when we analyze pcap files, we look at the conversations, right? So we have here around 88,000 packets. So we can go to Statistics, Conversations, IPv4, and to find the attacker normally we can look for the most sent packets, right? So here we can see 88,000 packets exchanged between this IP and this IP; one of them of course will be our server, the bookstore server. So it says from this IP, A to B, there are around 44,000 packets and 7 megabytes of data, and B to A we have around 21 megabytes of data. So let's just filter by selecting A to B, and as you can see here, this is the communication. You can see here, for example, it sends a SYN packet and then this IP responded with SYN-ACK. Okay, SYN, SYN... well, there are a lot of SYN packets.

Okay. So, what we can also do, we can filter by SYN flags, right? So, tcp.flags. Okay. Yeah, this is the filter. So, we're filtering for SYN of one and an acknowledgement of zero to filter for any suspicious reconnaissance activity or scanning activity related to SYN scanning. So if we filter by that, as you can see, this IP 111.224.250.131 is sending a lot of SYN packets consecutively to this IP. So let's just follow the TCP stream, and as you can see here... okay, nothing provided. Wait. Okay, let's just... yep, again. So you can see this is the flags, 111 273. Okay, what you can do is just follow the TCP stream. All right. So, as you can see here, here's a suspicious user agent which is used for SQL injection. Let's see, trying to get search.php.

All right. So, just to confirm our thoughts, what we can do is just come to a random packet and follow the TCP stream. Okay. As you can see here, the user agent of this IP, 111, is sqlmap. So for those who don't know, sqlmap is a tool used in SQL injection attacks, which is a really famous attack. Okay. And you can see here the host is bookworld store. All right. So this host is our company server and this is the attacker's IP. So the answer will be indeed this IP. Let's just copy it. Yeah. So it will be 111.224.250.131.
All right. Perfect. So question number two says: if the geographical origin of an IP is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the region/city of the attacker?

All right, we can just use some threat intel platforms like AbuseIPDB, maybe a geolocation IP or IP lookup site. These are all good sites. We can just paste the IP here. Okay, it's just loading. Okay. So as you can see, it says the IP belongs to China, from a region called Hebei and the city called Shijiazhuang. Okay. So this must be the answer. Okay. So here, just copy, close this one. And indeed it's the answer. All right. Let's close this one.
Question number three says: identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the vulnerability and prevent future exploits. Can you provide the vulnerable PHP script name?

All right. So as you may have noticed, we found some suspicious PHP scripts. So what can we do here? We can filter for frame contains "php" and look for some PHP. As you can see, we have about, style, contact: nothing suspicious. You can see contact, search. Okay, as you can see here, this search.php, you can see some suspicious encoded commands or injection. As you can see here, select. So this is like it's trying to select from a table in the database, which is famously used in SQL injection attacks. You can see here, wait for delay: this is time-based SQL injection. Yeah. So all this is related to SQL injection. So the vulnerable PHP file is actually this one, search.php. So if you follow the TCP stream, as you can see, the request was accepted; as you can see, the host accepted it, it's not like a server error. So this is the parameter that has been abused and this is the PHP script, search.php. So you can see here, search.php.
Correct, right. Question number five says: can you provide the complete request URL that was used to read the web server's available databases?

All right, so we have already found the first abused SQL injection, the search.php. So for this question we can use the same approach, which is to filter the frames that contain "php" and look for anything related to databases, right? So, okay, we have started here; the first PHP script, this is the first SQL injection attempt in the search.php. So we want something related to database here, table name. Okay, you can see select where book. Okay, so we want something that's related, because usually in SQL injection the attacker is trying to dump the database from the website or the web application. So this could include something related to information schema. So if you're not familiar, maybe if you do an SQL injection attempt you'll have a better understanding. So here, for example, you can see select, go, calculate, union. Okay. Union. So, okay, union. Okay. You can see here something from select, from union. All right. So there are actually a lot of options, but we want something related to databases, like schema name, information schema data. Okay, concatenate, search name, array, concat. So, all right, so you can see that this user is trying to look for something related to, you can see here, table name. So here he accessed the table, here the column, here the password and username, here the table fields, here the column, here the table name. So this is the information schema, which might be related to the database. We can just follow the TCP stream and then copy this one from here to here and decode it. All right. CyberChef. Sorry. Chef. All right. Okay. CyberChef, URL decode. All right. So we have already decoded it. So this is the decoded version. Copy and go to CyberDefenders. Paste it.
All right. Luckily, it's the answer. So, question number six says: assessing the impact of the breach and the data accessed is crucial, including the potential harm to the organization's reputation. What's the table name containing the website's users' data?

Right. So as you may have seen, we found some interesting table columns. Let's return to the frame contains "php" filter; we found something related to users, if you have noticed, columns. Yeah. So as you can see here, this is the information schema, the schema and here the table name. Okay. So they're looking for a table related to user information. So here, column type. Okay. We have something here called password, username. All right. Admin. We have also here a table name. Table name. All right. We have table schema, table name. We have also here something interesting. You can see email, first name. Okay. Phone. So this might be related to user information, right? So follow TCP stream. So yes. So this is trying to look for the email column, the first name, last name and the phone number from the bookworld database, customer. So as you can see, even from the highlighted part we can guess it is most probably the customers table. So yeah,
so it's the answer indeed. Question number seven says: website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionality not intended for public access. Can you provide the name of the directory discovered by the attacker?

Yeah. So what attackers normally do is they try to find hidden pages, let's say, that admins or website owners use to log in, right? So what we can look for, we can look for HTTP request, no, yeah, HTTP request method related to POST. So, and we filter. So, it's not working. All right. So, as you can see here, this is the attacker's IP, this is the server. He accessed a portal or a page called admin/login.php. So we can just follow the TCP stream, and as you can see, yeah, he indeed accessed this admin/login.php. Yeah. So this is the answer. And here you can see he supplied the username admin and the password admin. So yeah. So since they're asking for the directory, this is the answer. We'll just... okay. So, all right.
Coming to question number eight, it says: knowing which credentials were used allows us to determine the extent of the account compromise. What are the credentials used by the attacker after logging in?

All right. So after he logged in, we have one of the packets; we already saw the TCP stream of it. As you can see, this is the directory he accessed, admin. All right, and you can see here he submitted admin and the password admin. However, if you look at here, we cannot supply admin admin, so this means that after he logged in he supplied another password. So what we can do is just look for the same POST requests to the admin directory, which is HTTP request method POST. All right. Okay. We analyzed the first one. Let's look at the second packet. Okay. Follow TCP stream. And as you can see here, it says also the same admin login. We know that the first username was admin admin, but here we have admin and the password called changeme accepted. So let's look at it. Admin, changeme. All right. So it says admin changeme. All right. So c-h-a-n-g-e. All right. So this is also not the password. Just let me copy it, just in case. All right. So this is not the answer. Let's look for other packets related to the credentials. All right. We analyzed the first two. Let's look at this one. Follow TCP stream. Okay. The same thing, admin, password changeme. Okay. So again, we analyzed the fourth packet. Analyze this one and let's look at this one. Follow TCP stream. Okay. Here we have another username and password here. Admin and password admin123. So let's try this one here. Admin and the password admin123. Oh, still... okay. All right. So still it's not the answer. All right. Let's look at the last packet, the last packet provided. Okay. Here, follow TCP stream. Okay. In this one, as you can see here, there's no credential submitted, but we can see a file name called nv.php. So he uploaded a file name. However, we're looking for credentials, right? So just let me try, might be admin and then admin123. All right. So changeme, the first one. Changeme. All right. Maybe, see, change. All right. So for some reason I cannot find the password here even though it's the one submitted. Let me analyze it again. Admin. Okay. So let's look at this one for instance. Sorry. Okay. Let's look at admin. Admin. Admin, admin. Okay, for this one we have admin and changeme, c-h-a-n-g-e-m-e. So I tried it but still... all right, that's the credential. All right. So changeme. All right. So in this packet the password is... username default. Here is changeme. Admin. Okay. Here is admin. Yeah. Okay. We have here admin. Okay. admin123 with this hash. Okay. That's why. So admin and admin123 with this exclamation mark. So my bad, my bad, my bad, my bad. admin123 and an exclamation mark. All right, this is the correct answer. So
the last question says: we need to determine if the attacker gained further access to or control of our website. What's the name of the malicious script uploaded by the attacker?

So we already found this one actually, and the malicious script uploaded by the attacker can be traced by looking here at the last packet related to the POST request; just follow the TCP stream. We can see here a file name called NVR.php. Yeah. So this is uploaded; as you can see, the host, the server, accepted the request. So yeah. So hopefully this is the answer.

All right. So nice. We solved the lab. Hope you enjoyed this video, just for the sake of practice. And yeah, see you in the next
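Added example (not part of the video or of the CyberDefenders lab): a small Python script that runs the same triage the walkthrough performs by hand in Wireshark, over a constructed set of HTTP requests: busiest source IP, sqlmap User-Agent, SQL injection patterns in search.php queries after URL decoding, POSTs into the hidden /admin/ directory, and multipart uploads of .php files. The request records, the non-attacker IPs and the uploaded file name are constructed placeholders, not values from the lab pcap.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of HTTP requests (src IP, method, URL, User-Agent, body) that
# mirrors the indicators discussed in the walkthrough; it is not data from the lab pcap.
# The non-attacker IPs and the uploaded file name are placeholders.
REQUESTS = [
    ("10.0.0.5", "GET", "/search.php?search=harry+potter", "Mozilla/5.0", ""),
    ("111.224.250.131", "GET",
     "/search.php?search=a%27%20UNION%20SELECT%20schema_name%20FROM%20information_schema.schemata--",
     "sqlmap/1.7", ""),
    ("111.224.250.131", "GET",
     "/search.php?search=a%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--", "sqlmap/1.7", ""),
    ("111.224.250.131", "POST", "/admin/login.php", "Mozilla/5.0",
     "username=admin&password=admin"),
    ("111.224.250.131", "POST", "/admin/upload.php", "Mozilla/5.0",
     'Content-Disposition: form-data; name="file"; filename="PLACEHOLDER_webshell.php"'),
    ("10.0.0.7", "GET", "/contact.php", "Mozilla/5.0", ""),
]

# Signatures of the SQL injection techniques the walkthrough points at: UNION-based
# enumeration of information_schema and time-based WAITFOR DELAY / SLEEP probes.
SQLI_PATTERNS = re.compile(
    r"(union\s+select|information_schema|waitfor\s+delay|\bsleep\s*\()", re.I)


def triage(requests):
    """Return the same findings the walkthrough derives by hand in Wireshark."""
    per_ip = Counter(src for src, *_ in requests)
    findings = {
        "top_talker": per_ip.most_common(1)[0][0],  # busiest source, first suspect
        "sqlmap_ips": set(),        # sources whose User-Agent advertises sqlmap
        "sqli_scripts": set(),      # PHP scripts that received injection payloads
        "admin_posts": [],          # POSTs into the hidden /admin/ directory
        "php_uploads": [],          # multipart uploads of .php files (web shells)
    }
    for src, method, url, user_agent, body in requests:
        parts = urlsplit(url)
        query = unquote_plus(parts.query)  # decode like CyberChef's URL Decode
        if "sqlmap" in user_agent.lower():
            findings["sqlmap_ips"].add(src)
        if SQLI_PATTERNS.search(query):
            findings["sqli_scripts"].add(parts.path)
        if method == "POST" and parts.path.startswith("/admin/"):
            findings["admin_posts"].append((src, parts.path))
        upload = re.search(r'filename="([^"]+\.php)"', body, re.I)
        if upload:
            findings["php_uploads"].append((src, upload.group(1)))
    return findings
```

On a real capture the same records can be exported from Wireshark or tshark (source address, method, URI, User-Agent, body) and fed to triage() unchanged.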