TryHackMe - Juicy Details - Writeup
A popular juice shop has been breached! Analyze the logs to see what had happened…
Introduction
You were hired as a SOC Analyst for one of the biggest Juice Shops in the world and an attacker has made their way into your network.
Your tasks are:
- Figure out what techniques and tools the attacker used
- What endpoints were vulnerable
- What sensitive data was accessed and stolen from the environment
An IT team has sent you a zip file containing logs from the server. Download the attached file, type in “I am ready!” and get to work! There’s no time to lose!
Are you ready?
Answer: I am ready!
Reconnaissance
Analyze the provided log files.
Look carefully at:
- What tools the attacker used
- What endpoints the attacker tried to exploit
- What endpoints were vulnerable
Answer the questions below
root@ip-10-10-206-227:~# cat access.log | cut -d '"' -f 6 | uniq
-
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Mozilla/5.0 (Hydra)
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
sqlmap/1.5.2#stable (http://sqlmap.org)
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
curl/7.74.0
feroxbuster/2.2.1
What tools did the attacker use? (Order by the occurrence in the log)
Answer: nmap, hydra, sqlmap, curl, feroxbuster
root@ip-10-10-206-227:~# cat access.log | grep -i hydra | sort -u
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:27 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:28 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:28 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:29 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:29 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:30 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:30 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "GET /rest/user/login HTTP/1.0" 500 - "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:32 +0000] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)"
What endpoint was vulnerable to a brute-force attack?
Answer: /rest/user/login
root@ip-10-10-206-227:~# cat access.log | grep -i sqlmap | sort -u | head
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%20AND%206384%3D1910 HTTP/1.1" 200 30 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%20AND%206826%3D9654--%20qXOs HTTP/1.1" 200 30 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%20AND%209700%3D9700--%20jEIr HTTP/1.1" 200 30 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%20AND%209700%3D9700 HTTP/1.1" 200 30 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/
What endpoint was vulnerable to SQL injection?
Answer: /rest/products/search
In the search endpoint q parameter is vulnerable SQL injection.
What parameter was used for the SQL injection?
Answer: q
root@ip-10-10-206-227:~# cat access.log | cut -d '"' -f 2 | uniq
GET /3e72ead66df04ca5bff7c9b741883cfbd3044c03e5114f7589804da12c36e5bafa6807b272cf4288ae1316f157b1fab2 HTTP/1.1
GET /api HTTP/1.1
GET /administartion HTTP/1.1
GET /login HTTP/1.1
GET /admin HTTP/1.1
GET /backup HTTP/1.1
GET /promotion HTTP/1.1
GET /ftp HTTP/1.1
GET /ftp/www-data.bak HTTP/1.1
GET /ftp/coupons_2013.md.bak HTTP/1.1
GET /favicon.ico HTTP/1.1
In this output we see that from /ftp retrive .bak file.
What endpoint did the attacker try to use to retrieve files? (Include the /)
Answer: /ftp
Stolen data
Analyze the provided log files.
Look carefully at:
- The attacker’s movement on the website
- Response codes
- Abnormal query strings
root@ip-10-10-206-227:~# cat access.log | cut -d '"' -f 2 | cut -d "?" -f 1 | sort | uniq
GET /rest/products/4/reviews HTTP/1.1
GET /rest/products/5/reviews HTTP/1.1
GET /rest/products/6/reviews HTTP/1.1
GET /rest/products/7/reviews HTTP/1.1
GET /rest/products/8/reviews HTTP/1.1
GET /rest/products/9/reviews HTTP/1.1
What section of the website did the attacker use to scrape user email addresses?
Answer: product reviews
root@ip-10-10-206-227:~# cat access.log | grep -i hydra | grep 200
::ffff:192.168.10.5 - - [11/Apr/2021:09:16:31 +0000] "POST /rest/user/login HTTP/1.0" 200 831 "-" "Mozilla/5.0 (Hydra)"
Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
Answer: Yay, 11/Apr/2021:09:16:31 +0000
root@ip-10-10-206-227:~# cat access.log | grep "email"
::ffff:192.168.10.5 - - [11/Apr/2021:09:31:04 +0000] "GET /rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,%20email,%20password,%20%274%27,%20%275%27,%20%276%27,%20%277%27,%20%278%27,%20%279%27%20FROM%20Users-- HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
::ffff:192.168.10.5 - - [11/Apr/2021:09:32:51 +0000] "GET /rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,%20email,%20password,%20%274%27,%20%275%27,%20%276%27,%20%277%27,%20%278%27,%20%279%27%20FROM%20Users-- HTTP/1.1" 200 3742 "-" "curl/7.74.0"
What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Answer: email, password
root@ip-10-10-206-227:~# cat access.log | cut -d '"' -f 2 | uniq
GET /3e72ead66df04ca5bff7c9b741883cfbd3044c03e5114f7589804da12c36e5bafa6807b272cf4288ae1316f157b1fab2 HTTP/1.1
GET /api HTTP/1.1
GET /administartion HTTP/1.1
GET /login HTTP/1.1
GET /admin HTTP/1.1
GET /backup HTTP/1.1
GET /promotion HTTP/1.1
GET /ftp HTTP/1.1
GET /ftp/www-data.bak HTTP/1.1
GET /ftp/coupons_2013.md.bak HTTP/1.1
GET /favicon.ico HTTP/1.1
From the out put as we see that from the FTP directory they attacker downloaded two .bak file
What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)
Answer: coupons_2013.md.bak, www-data.bak
From the vsftpd.log attacker tried to login with username anonymous
What service and account name were used to retrieve files from the previous question? (service, username)
Answer: ftp, anonymous
root@ip-10-10-206-227:~# cat auth.log| grep -i accepted -A 2
Apr 11 09:41:19 thunt sshd[8260]: Accepted password for www-data from 192.168.10.5 port 40112 ssh2
Apr 11 09:41:19 thunt sshd[8260]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
Apr 11 09:41:19 thunt systemd-logind[737]: New session 12 of user www-data.
--
Apr 11 09:41:32 thunt sshd[8494]: Accepted password for www-data from 192.168.10.5 port 40114 ssh2
Apr 11 09:41:32 thunt sshd[8494]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
Apr 11 09:41:32 thunt systemd-logind[737]: New session 14 of user www-data.
What service and username were used to gain shell access to the server? (service, username)
Answer: ssh, www-data
Room link: Juicy Details