---
title: 'Blue Team Labs - MiddleMayhem Investigation Lab Writeup'
---

# Blue Team Labs - MiddleMayhem Investigation Lab Writeup

**Scenario:**

> The security team at MiddleMayhem Inc. has detected unusual network traffic to their **admin portal**, but no security breaches have been confirmed. Your SOC team has been provided with SIEM logs from the incident. Analyze the attack pattern to determine how attackers bypassed authentication, gained remote code execution, and moved laterally through the network.

The scenario indicates that a web application admin endpoint is being targeted by an attacker. Let's open the lab and analyze the SIEM logs.

When we open the lab, we find the web application and the Splunk logs.

![Annotation 2025-11-04 121213](https://hackmd.io/_uploads/ryFAW8vkbe.png)

First, let's explore the web application to understand its functionality.

![Annotation 2025-11-04 121213](https://hackmd.io/_uploads/B1o1E8Dybx.png)

*<center>Figure 1</center>*

We found some interesting information and endpoints that may be relevant for further analysis. Our next step is to move to Splunk for log analysis. Let's go ☺️

We opened Data Summary in Splunk to identify the sources of these logs and found two: **`webapp`** and **`dbserver`**. Since our earlier analysis indicated that the primary target was the web application, we chose **`webapp`**.

![2](https://hackmd.io/_uploads/SkZyiuPyZg.png)

Great. What should we do next? 🤔 Do you remember what we found on the web application and the scenario we are investigating?

1) We discovered a lot of information, including what the application is built on and its version: **`Next.js 15.0.0.0`**.
2) We also know from the scenario that the attacker was attempting to exploit the **`admin portal`**.

Let's search Google for any CVEs that would allow an attacker to do this.
![Annotation 2025-11-04 160559](https://hackmd.io/_uploads/rJ_0uYP1Ze.png)

*<center>Figure 2</center>*

Great, we actually found one! 👀 **`CVE‑2025‑29927`**

This vulnerability allows attackers to bypass middleware protections (including authorization checks) by sending a crafted **`x-middleware-subrequest`** header. By exploiting it, attackers can reach protected endpoints. (**Reference:** [Next.js and the corrupt middleware](https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware?ref=traefik.io))

Let's go back to Splunk and search for any event that includes the **`x-middleware-subrequest`** header.

![2.2](https://hackmd.io/_uploads/r1j1gqDkWx.png)

![2.1](https://hackmd.io/_uploads/Sy-sJcwkWl.png)

*<center>Figure 3: Two crafted requests from 218.92.0.204 targeting admin endpoints</center>*

We found that **`218.92.0.204`** sent two HTTP requests with a crafted **`x-middleware-subrequest`** header:

1. A GET request to **`/admin`**
2. A POST request containing a reverse shell to **`/api/upload`**

After that, we adjusted the **`Date & Time Range`** to see what happened after those requests:

![2.3](https://hackmd.io/_uploads/SJ6BLcwk-e.png)

We found brute-force attempts against SSH, which eventually succeeded.

![2.6](https://hackmd.io/_uploads/SkE4p5P1bx.png)

![2.5](https://hackmd.io/_uploads/S1sATqPyZx.png)

# **Lab Questions:**

**Q1: Access the website in the browser, present it in the bookmark, and identify the JavaScript framework and version used.**

`Next.js, 15.0.0`

**Q2: Using Splunk, find the attacker's IP address.**

`218.92.0.204`

**Q3: Analyze the SIEM logs to determine how many unique URIs were accessed by the attacker.**

![3](https://hackmd.io/_uploads/r1mELswJWg.png)

**Q4: Explore the site and identify two specific locations that could reveal internal structures or potential access points not meant for public eyes. Provide the two relative URLs.**

As shown in **Figure 1**, we found them listed in the robots.txt file: `/admin, /admin/file-upload`

**Q5: Based on the framework and version, what recent CVE could be used to bypass authorization?**

See Figure 2: **`CVE‑2025‑29927`**.

**Q6: Find the relevant HTTP header in the SIEM logs that indicates CVE exploitation. Provide the header name.**

The relevant HTTP header is `x-middleware-subrequest`.

**Q7: What interesting URI did the attacker access after exploiting the CVE?**

See Figure 3: the attacker accessed the endpoint **`/api/upload`** after exploiting the CVE.

**Q8: The attacker tried uploading a reverse shell. Find out the IP and port to which the target would connect once the connection is established.**

See Figure 3: the target would connect to **`133.89.232.157:31337`**.

**Q9: After compromising the WebApp server, the attacker attempted lateral movement. Identify the technique used, as recorded in the SIEM logs.**

Our analysis shows the attacker carried out SSH brute-force attempts.

**Q10: Identify the user account that achieved successful lateral movement to another server.**

Our analysis shows a successful SSH session for the user **`dbserv`**, indicating lateral movement to another server.
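The Splunk search above (events carrying the `x-middleware-subrequest` header, then the attacker's unique URIs for Q3) can be reproduced outside the SIEM. The script below is an added example for this write-up, not code from the lab or a Splunk query: it takes constructed JSON-lines web events, matches the header name case-insensitively (HTTP header names are not case-sensitive, so an exact-match search can miss a differently cased copy), and summarises what each flagged source IP touched. The event layout, the internal client addresses and the `PLACEHOLDER` header value are all constructed; only the attacker IP, header name and endpoints come from the write-up.

```python
"""Flag requests carrying the x-middleware-subrequest header and summarise what
each flagged source IP requested. Added example (not from the lab or Splunk);
the JSON-lines event layout below is constructed."""
import json
from collections import defaultdict

# Constructed sample events. Only the attacker IP, the header name and the
# /admin and /api/upload endpoints are taken from the write-up; the header
# value is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    '{"src_ip": "10.0.0.5", "method": "GET", "uri": "/", "headers": {"user-agent": "Mozilla/5.0"}}',
    '{"src_ip": "218.92.0.204", "method": "GET", "uri": "/robots.txt", "headers": {"user-agent": "curl/8.0"}}',
    '{"src_ip": "218.92.0.204", "method": "GET", "uri": "/admin", "headers": {"x-middleware-subrequest": "PLACEHOLDER"}}',
    '{"src_ip": "218.92.0.204", "method": "POST", "uri": "/api/upload", "headers": {"X-Middleware-Subrequest": "PLACEHOLDER"}}',
    '{"src_ip": "10.0.0.9", "method": "GET", "uri": "/admin", "headers": {"cookie": "session=abc"}}',
]

SUSPICIOUS_HEADER = "x-middleware-subrequest"


def parse_events(lines):
    """Parse JSON-lines events and lower-case every header name."""
    events = []
    for line in lines:
        event = json.loads(line)
        # Header names are case-insensitive on the wire; normalising here means a
        # client that sends "X-Middleware-Subrequest" cannot slip past the search.
        event["headers"] = {k.lower(): v for k, v in event.get("headers", {}).items()}
        events.append(event)
    return events


def find_middleware_bypass(events):
    """Return (src_ip, method, uri) for every request that carried the header.
    The header is meant for Next.js-internal subrequests, so any occurrence from
    a client is worth alerting on whatever its value is."""
    return [(e["src_ip"], e["method"], e["uri"])
            for e in events if SUSPICIOUS_HEADER in e["headers"]]


def unique_uris_by_ip(events):
    """Distinct URIs requested per source IP (the Q3 question), sorted."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src_ip"]].add(e["uri"])
    return {ip: sorted(uris) for ip, uris in seen.items()}


def triage(lines):
    """For each IP that sent the header: its flagged requests and every URI it touched."""
    events = parse_events(lines)
    hits = find_middleware_bypass(events)
    uris = unique_uris_by_ip(events)
    return {
        ip: {
            "bypass_requests": [(m, u) for i, m, u in hits if i == ip],
            "unique_uris": uris[ip],
        }
        for ip in sorted({ip for ip, _, _ in hits})
    }


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_EVENTS).items():
        print(ip, "bypass requests:", info["bypass_requests"])
        print(ip, "unique URIs:", len(info["unique_uris"]), info["unique_uris"])
```

On the constructed sample the only flagged source is `218.92.0.204`, with two flagged requests (GET `/admin`, POST `/api/upload`) and three unique URIs; against real exports the same functions work once `parse_events` is adapted to the SIEM's field names.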
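The lateral-movement finding (Q9 and Q10: a burst of failed SSH logins from the compromised web server, then an accepted login as `dbserv`) is the classic brute-force-then-success pattern, and the same logic can be run over raw `sshd` auth-log lines. The following is an added example for this write-up, not lab code: it parses constructed lines in the standard syslog `sshd` layout, counts failed password attempts per source IP inside a sliding time window, and reports which user was accepted after the burst. The internal address `10.0.0.20` is assumed for the web server (the write-up does not give it); only the `dbserv` user name comes from the page.

```python
"""Detect SSH password brute-forcing followed by a successful login in sshd
auth-log lines. Added example, not from the lab; the log lines are constructed
and the source address 10.0.0.20 is an assumed address for the web server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the usual syslog/auth.log layout.
SAMPLE_AUTH_LOG = """\
Nov  4 12:30:01 dbserver sshd[2101]: Failed password for invalid user admin from 10.0.0.20 port 40110 ssh2
Nov  4 12:30:02 dbserver sshd[2103]: Failed password for invalid user root from 10.0.0.20 port 40112 ssh2
Nov  4 12:30:02 dbserver sshd[2105]: Failed password for dbserv from 10.0.0.20 port 40114 ssh2
Nov  4 12:30:03 dbserver sshd[2107]: Failed password for dbserv from 10.0.0.20 port 40116 ssh2
Nov  4 12:30:04 dbserver sshd[2109]: Failed password for dbserv from 10.0.0.20 port 40118 ssh2
Nov  4 12:30:05 dbserver sshd[2111]: Accepted password for dbserv from 10.0.0.20 port 40120 ssh2
Nov  4 12:31:10 dbserver sshd[2120]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Nov  4 12:31:40 dbserver sshd[2122]: Accepted publickey for alice from 10.0.0.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Turn matching sshd lines into dicts; unrelated sshd messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults it, which is fine for
        # computing gaps between events on the same day.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"), "method": m.group("method"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "success_user": user or None}} for each source IP
    with at least `threshold` failed password logins inside `window`, noting which
    account (if any) was accepted after the burst."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        # Sliding window over failure timestamps: advance `start` until the
        # window fits, then check whether enough failures sit inside it.
        start, burst_end = 0, None
        for i, f in enumerate(failures):
            while f["ts"] - failures[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = f["ts"]
                break
        if burst_end is None:
            continue
        success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end), None)
        findings[ip] = {"failures": len(failures),
                        "success_user": success["user"] if success else None}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failed password logins; accepted as {info['success_user']}")
```

On the sample, `10.0.0.20` trips the threshold with five failures in four seconds and is then accepted as `dbserv`, while the single failure from `10.0.0.7` followed by a public-key login stays below it. The threshold and window are the knobs to tune against normal mistyped-password noise on a real host.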