Boss of the SOC v1 (2015) Website Defacement

 




Question #1

Based on the first question, the task is to identify the IP address of an individual conducting 
reconnaissance using a scanning technique. I began my investigation with the search parameter 
index=botsv1, as provided in the instructions, and incorporated imreallynotbatman.com as 
specified in question number 1.



After running the search parameters, I identified the dest_header field in the left-side panel. 
Upon expanding it, I analyzed the details within and discovered references to the Acunetix 
Web Vulnerability Scanner, indicating its use in the reconnaissance activity.


To enhance visibility and identify the IP address scanning the web server, I created a table that 
included the fields src_ip, dest_ip, and dest_header. I then filtered the results by searching 
for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip 
field to remove duplicate entries, effectively narrowing down the source IP addresses involved 
in the scanning activity.





Question #2

The answer can be derived from the steps we executed to address question #1.

Question #3

I successfully answered this question by applying a filter to narrow down the data. Specifically, 
I added the sourcetype as http:stream and browsed through the available fields. Upon identifying 
the uri_path field, I noticed references to 'joomla'. To gather more information, 
I conducted OSINT (Open Source Intelligence) research using Google to further analyze the 
findings.







Question #4

Based on the question, we are analyzing a scenario involving a file transfer, which could involve 
either a GET method (user downloading) or a POST method (user uploading a file to the web server).
 As shown in the image below, we added two IP addresses as sources: 40.80.148.42, which was 
identified as performing scanning activity, and another IP address responsible for brute force 
attempts. This step was taken after skipping this question initially and addressing question 
number 8 first.


The next step I took was to analyze both POST and GET requests. During this process, 
I identified the file in question under the GET method. Below are the detailed steps I followed.




Click the value to add it to our filter.




Then head over to the sourcetype field, where we can see suricata.







Port 1337 ("leet") is definitely an odd port number for website traffic, in the same way that 4444 is. 

This is the JPEG file name being accessed by the attacker on the web server. 

Question #5










To gather threat intelligence, I utilized the Open Threat Exchange (OTX) platform to analyze 
and investigate potential threats associated with this link. We can also see that it is a Dynamic DNS service.

Question #6

We can use Open Threat Exchange to answer this question as well. 
We need to think about the malicious IPs that we have already identified. 





If we scroll down to Passive DNS, we can identify the hostnames or domain names associated with this IP address. 

Question #7



Initially, I examined the http_method/Status field but did not observe any status code 401, which 
typically indicates failed login attempts. As a result, I determined that an alternative 
approach was necessary to proceed with the investigation.



I was able to check the src_ip field after applying the filter below, and found only two IP addresses.




I also included the form_data field, since it usually contains parameters such as a username as key-value pairs.





Question #8



Based on the question, our objective is to identify the executable file uploaded by the adversary.
To achieve this, we will search for files with the .exe extension, using the */ wildcard to 
account for any characters before .exe. Additionally, we will include the POST method in our 
search, as the file was uploaded to the server, as specified in the question.





Question #9



I successfully identified the file hash by setting the sourcetype to fgt_utm and applying a 
filter to search for 3791.exe.






Now, let’s expand and analyze the single result returned based on the search parameters we 
defined earlier.


Now let's use VirusTotal to check the MD5 hash.





Question #10


From the earlier steps we know that the IP address Po1s0n1vy tied to the domains pre-staged for the attack on Wayne Enterprises is 23.22.63.114.


We can also correlate this between the VirusTotal output and Hybrid Analysis.




Question #11


We can find this under the Community tab.



Question #12

We can use the search parameter that we made for Question number 7 above. And perform another table for better visualization.




Click the time column to reverse the sort order; the first brute force login attempt and its credentials will then appear at the top.


We can also perform the steps below for a better result, where we only see the password that was used.




Since we are looking for the administrator page and usually it is the index page, we need to go to the uri path and click it to add it to our first filter.

Recall that we previously discovered credentials within the form_data field, specifically 
identifying the use of the keyword 'passwd'. We can now incorporate this into our search 
parameters to refine our investigation.



Since the remaining questions are about the login credentials, we will extract the username field 
and the password field into their own columns and set them up in a table, so that we can filter and sort through them individually. 



To do that we can use the rex command, which stands for regular expressions, 
so we can think of this as pattern matching. 

We point it at the form_data field, and it extracts the password and puts it into a column called password.

The \w+ pattern matches one or more word characters (letters, digits and underscores), which is typically what a password is made up of.


The "Password" field will then appear in the left-side panel.




and from here, we will create a table for visualization.



Just click the time column, since we need to check the first brute force credentials used, as per the question.


Question #13

For this question we just need to do some OSINT to identify James Brodsky's favorite Coldplay song, 
and then run through the results that we got from Question #12.

Question #14


If an attacker performs a password spray attack and successfully logs in, they’re unlikely to 
continue attempts. Therefore, we can infer that the last password in the list is likely the 
correct one.

Question #15


Question #16


We know that the correct password was batman.





We will use the transaction command, and it will tell us the information about the 2 different entries. 





Question #17




Use sum to add all of this up: add the count field as a column and call it Total. 
That gives 413 attempts, 
but remember there is a duplicate from earlier, which is batman.



We can insert dedup to remove the duplicate.
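To make the rex extraction (Question #12) and the count/dedup step (Question #17) concrete, here is a small Python emulation of that pipeline. This is an added example, not the author's search or Splunk's own code; the events are constructed, and the regex, field layout and IP values are assumptions based on this post.

```python
import re
from collections import Counter

# Constructed sample events shaped like stream:http form_data values (not real BOTS data).
# Each tuple is (_time as epoch seconds, src_ip, form_data).
EVENTS = [
    (1000, "23.22.63.114", "username=admin&passwd=letmein&option=com_login&task=login"),
    (1001, "23.22.63.114", "username=admin&passwd=yellow&option=com_login&task=login"),
    (1002, "23.22.63.114", "username=admin&passwd=batman&option=com_login&task=login"),
    (1003, "23.22.63.114", "username=admin&passwd=paradise&option=com_login&task=login"),
    (1100, "40.80.148.42", "username=admin&passwd=batman&option=com_login&task=login"),
    (1101, "23.22.63.114", "option=com_login&task=login"),  # no credentials: rex yields nothing
]

# Equivalent of: | rex field=form_data "username=(?<username>\w+)&passwd=(?<password>\w+)"
# \w+ matches one or more word characters (letters, digits, underscore).
CRED_RE = re.compile(r"username=(?P<username>\w+)&passwd=(?P<password>\w+)")


def extract_credentials(events):
    """Return (time, src_ip, username, password) for every event the regex matches."""
    rows = []
    for t, src_ip, form_data in events:
        m = CRED_RE.search(form_data)
        if m:
            rows.append((t, src_ip, m.group("username"), m.group("password")))
    return rows


def first_attempt(rows):
    """Sort by _time ascending (the 'reverse' click on the time column) and return the earliest password."""
    return min(rows, key=lambda r: r[0])[3]


def total_attempts(rows, dedup=False):
    """Emulates `| stats count by password` summed into a Total column.
    With dedup=True, emulates `| dedup password` first: Splunk keeps the first event in
    search order, which is newest-first by default, so the duplicate batman is dropped."""
    if dedup:
        seen, kept = set(), []
        for r in sorted(rows, key=lambda r: r[0], reverse=True):
            if r[3] not in seen:
                seen.add(r[3])
                kept.append(r)
        rows = kept
    return sum(Counter(r[3] for r in rows).values())
```

Note that the event without a passwd= parameter contributes nothing, which is why the rex-based table only shows real login attempts.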



