Category: Materials
Retired: Retired
Due date: Oct 16, 2024 02:44 AM
Status: Belong in
Attack time: 2024/05/07 17:00-19:00

Hacker: 10.101.0.0/24
DMZ:
- 192.168.0.0/24
- 10.88.0.0/24
Exchange-server
- 192.168.0.25
- 10.88.0.25
Portal
- 192.168.0.80
- 10.88.0.80
Intranet: 192.168.1.0/24
HR-1
- 192.168.1.103
IT-1
- 192.168.1.101
RD-1
- 192.168.1.102
Console
- offline
AD
- 192.168.1.10
FS
- 192.168.1.21
WordPress Bruteforce Password

WordPress Plugin Scan

Time-based SQL Injection

Database Leakage

Malicious IP Login Success

Upload Webshell

System File Leakage

Web Config File Leakage

DMZ-Intranet Network Scan

Phishing Mail

Privilege Escalation

HR-1 Credential Dump

Lateral Movement - Pass the Hash

✅Malicious IP Login Success

Attacker IP: 10.101.0.231
Login Time: 2024-05-07 18:34:47
Username: admin
Password: webadmin
✅WordPress Plugin Scan

Attacker IP: 10.101.0.231
Start Time: 2024-05-07T18:25:56.000+08:00
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Time-based SQL Injection

Attacker IP: 10.101.0.231
Table Name:
URI:
✅WordPress Bruteforce Password

Attacker IP: 10.101.0.22
Start Time: 2024-05-07T18:25:45.000+08:00
URI: /wp-login.php
Username: admin
Confirm together with the time-based SQL injection.
✅Upload Webshell

Attacker IP: 10.101.0.231
Time (the event time): 2024-05-07T18:34:47.000+08:00
URI: /wp-admin/update.php
Webshell Path: /wp-content/plugins/vOWwQPBA/vOWwQPBA.php

✅Database Leakage

Attacker IP: 10.101.0.231
Database Password:
Filename (the filename of the dumped database): db.dump
Time (the time the database was downloaded): 2024-05-07 18:34:47

✅System File Leakage

Attacker IP: 10.101.0.231
Bytes out: 968
File Path: /etc/passwd
Time: 2024-05-07 18:34:47
✅Web Config File Leakage

Attacker IP: 10.101.0.231
Bytes out: 2041
File Path: wp-config.php
Time: 2024-05-07 18:34:47
✅DMZ-Intranet Network Scan

Max Port: 3389
Min Port: 22
Source IP: 192.168.0.80
Target Subnet: 192.168.1.0/24
✅Privilege Escalation - HR-1

Executable Name: EGOweKUvrq.exe
Origin User: hruser
Privileged Execution File: egrzLMGHLi.exe
Privileged User: SYSTEM
✅HR-1 Credential Dump

Process ID: 5868
Process Name: egrzLMGHLi.exe
Time: 2024-05-07 18:39:11
User (the user name of the process): system
✅Lateral Movement

Login Host: IT-1
LogonType: 3
Source IP: 192.168.1.103
Time: 2024-05-07 18:39:15
User (the login user): Administrator
LogonType: 0, 3, 6, 9
✅Phishing Mail - HR-1

cve-2017-0262
cve-2017-0263
pid 812 → ppid 2152
Attachment Name: wcmyvtTSeL.rar
Callback FQDN: webshop.xyz.com
Callback Port: 20426
Mail To: hruser@enterprise.com
Message Id: 20240507103740.002305@Attacker
User: hruser
- Author: ji3g4gp
- Link: https://gpblog.vercel.app//article/2024-CyberArena-Writeup
- Copyright: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.