Web Ring - Boria PCAP Mining Walkthrough
As we progress through the web ring tunnel within 2022 Kringlecon CTF, we come across Alabaster Snowball who provides us the Victim.pcap file and weberror.log file. After which we are being asked a series of question to be analysed from the pcap and the log file to answer those questions. In the below answers for all of them have used the pcap to answer the questions and I have shown commands+output of log file analysis too
Naughty IP - Difficulty Level 1/5
Use the artifacts from Alabaster Snowball to analyse this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.
To answer this question based on the hints provided on looking for top talkers, we can open up the pcap file within Wireshark and choose Statistics from menu bar and choose conversation options and choose IPv4 tab within the open window. Which presents to us that the IP that talks more the server is 18.222.86.32.
inspecting further in the traffic by applying the following display filter “http && ip.src==18.222.86.32 && ip.dst==10.12.42.16” in Wireshark we are able to see bruteforce attempt towards the server. To ease the analysis within Wireshark, expand the HTTP layer within which the HTML form URL encoded holds the value for username and password used towards the server request. Right click and apply as column which can make it easy for quick visual grep.
We can also find the naughty IP by grepping the “webserver.log” file with the keyword “login”, which will show address 18.222.232.221 has been behaving naughty based on the /etc/passwd output being queried
>> cat webserver.log | grep login
Credential Mining - Difficulty Level 1/5
The first attack is a brute force login. What's the first username tried?
Using the same Wireshark analysis for previous question, we can identify that “alice” is the first username used in this bruteforce login attempt
Can use the following Wireshark display filter http.request.method=”POST” && ip.src==18.222.86.32
404 FTW - Difficulty Level 1/5
The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?
Forced browsing tend to generate more 404 traffic and being asked for the first successful URL we can apply a display filter that lists all http.response.code==200 && ip.addr=18.222.232.221
Which we can verify by using display filter for 404 status code and note down the packet numbers, Where we can see /Proc has an HTTP response code 200 after several attempts that landed in a 404.
IMDS, XXE, and Other Abbreviations - Difficulty Level 2/5
The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?
Now to look for a secret key hidden within the Wireshark capture, clear all the display filters, press (Crtl or Command ) +F. Then in the search toolbar that has appeared select packet details, choose String and input the value secret and hit find. Which highlights packet that has the keyword secret and to be further inspected
Now if we rightclick on this packet and select follow TCP stream, the URL packet details reveals the attacker force browing the url http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
That display the AWS access keys used.
Comments
Post a Comment