---
title: 'CyberDefenders — Web Investigation Blue Team Lab Writeup'
---

# CyberDefenders — Web Investigation Blue Team Lab Writeup

Welcome to my blog! In this writeup, I explain the approach I followed to solve this challenge.

<div class="two-column-layout">

![image](https://hackmd.io/_uploads/HJjKaYW3A.png)

Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/web-investigation/

### `Tools:`

- Wireshark
- NetworkMiner

</div>

<div class="two-column-layout">

### **Q1. By knowing the attacker’s IP, we can analyze all logs and actions related to that IP and determine the extent of the attack, the duration of the attack, and the techniques used. Can you provide the attacker’s IP?**

From the scenario, I knew that there was an unusual spike in database queries. So, I went to the Statistics tab in Wireshark and then to Conversations, where I observed that the IP address `xxx.xxx.xxx.xxx` was sending a lot of packets to `73.124.22.98`. This indicates that the IP address `xxx.xxx.xxx.xxx` is likely the attacker.

![image](https://hackmd.io/_uploads/HJkDTt-hR.png)

*Answer:*

![image](https://hackmd.io/_uploads/HJ2v6KZ30.png)

### **Q2. If the geographical origin of an IP address is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the origin city of the attacker?**

To determine the origin city of the attacker, I used Instant IP Address Lookup (whatismyipaddress.com).

*Answer:*

![image](https://hackmd.io/_uploads/ByC80tb30.png)

</div>

<div class="two-column-layout">

### **Q3. Identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the security gap and prevent future exploitation. Can you provide the vulnerable script name?**

Through manual analysis of the traffic, I found attempts to perform SQL injection on a parameter named `search` in a specific endpoint. This endpoint is the vulnerable script.

*Answer:*

![image](https://hackmd.io/_uploads/B1s3AKZ2R.png)

### **Q4. Establishing the timeline of an attack, starting from the initial exploitation attempt, what’s the complete request URI of the first SQLi attempt by the attacker?**

I used the filter `ip.src == 111.224.250.131 and http.request.method == GET` to display only the GET requests made by the attacker. I then analyzed the value of the `search` parameter in each request and found that the first SQL injection attempt occurred in packet number 357.

*Answer:*

![image](https://hackmd.io/_uploads/r1cEyqb2A.png)

### **Q5. Can you provide the complete request URI that was used to read the web server’s available databases?**

Based on Q3 and Q4, I knew that the attacker was performing SQL injection against the IP address `73.124.22.98`. So I filtered the traffic in Wireshark to show only the HTTP responses sent from `73.124.22.98` to the attacker, using the filter `ip.dst==111.224.250.131 and ip.src==73.124.22.98 and http`. However, many of the responses had status codes 404, 500 and 301, so I narrowed the results down to responses with status code 200. After that, I searched those responses for request URIs containing a parameter named `search`, and upon analyzing the results, I found the answer in packet number 1525.

*Answer:*

![image](https://hackmd.io/_uploads/H1T1lqZ2A.png)

### **Q6. Assessing the impact of the breach and data access is crucial, including the potential harm to the organization’s reputation. What’s the table name containing the website users’ data?**

Using the same steps I followed in Q5, I found that packet number 1553 contains the following: [“admin”, “books”, “customers”]. As a result, I looked at the request corresponding to this response and found that its request URI contains the following:

> /search.php?search=book%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7178766271%2CJSON_ARRAYAGG%28CONCAT_WS%280x7a76676a636b%2Ctable_name%29%29%2C0x7176706a71%29%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%20IN%20%280x626f6f6b776f726c645f6462%29--%20-

After URL-decoding the request URI, it was clear that this query lists the table names of the database, so [“admin”, “books”, “customers”] are the tables in the database. From the names, I identified which table contains the user data.

### **Q7. The website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionalities not intended for public access. Can you provide the name of the directory discovered by the attacker?**

Before solving this question, I completed Q8 and Q9. While solving them, I discovered which folder the attacker had accessed.

*Answer:*

![image](https://hackmd.io/_uploads/Hk1qgcb30.png)

### **Q8. Knowing which credentials were used allows us to determine the extent of account compromise. What are the credentials used by the attacker for logging in?**

To solve this question, I first used NetworkMiner and then Wireshark.

***NetworkMiner:*** I found many credentials in the Credentials tab.

![image](https://hackmd.io/_uploads/HJDMW5-2A.png)

***Wireshark:*** I used the filter `ip.src==111.224.250.131 and http.request.method==POST` to retrieve all the POST requests made by the attacker, and I found five packets.

![image](https://hackmd.io/_uploads/B1dL-q-3C.png)

I then searched for the credentials I had obtained from NetworkMiner and found that the credentials used in packet number 88699 were valid: the attacker was able to log in successfully.

*Answer:*

![image](https://hackmd.io/_uploads/HyRDWqbhC.png)

### **Q9. We need to determine if the attacker gained further access or control on our web server. What’s the name of the malicious script uploaded by the attacker?**

Using the same filter as in Q8, `ip.src==111.224.250.131 and http.request.method==POST`, I found that in packet number 88757 the attacker attempted to upload a malicious script and succeeded in doing so.

*Answer:*

![image](https://hackmd.io/_uploads/rkTpWcZ30.png)

</div>

# Finally 🥳

I hope my approach has been helpful to you.
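As an added example (not part of the original writeup), here is a small Python triage script for the Q4 and Q6 steps: it applies the same idea as the Wireshark GET filter to a constructed request list, flags the attacker's requests whose `search` value looks like SQL rather than a book title, and URL-decodes the Q6 payload while expanding the MySQL `0x…` hex literals so the queried schema name becomes readable. Frame numbers and the non-attacker IP `10.0.0.5` are constructed; the attacker IP and the UNION payload are the ones quoted above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request log (frame number, source IP, request URI) standing in for
# the Wireshark GET view. Frame numbers and 10.0.0.5 are made up; the attacker
# IP and the last URI are the ones quoted in the writeup.
ATTACKER_IP = "111.224.250.131"
SAMPLE_REQUESTS = [
    (1, ATTACKER_IP, "/index.php"),
    (2, "10.0.0.5", "/search.php?search=book"),      # benign customer search
    (3, ATTACKER_IP, "/search.php?search=book"),
    (4, ATTACKER_IP, "/search.php?search=book%27"),  # first quote probe
    (5, ATTACKER_IP, "/search.php?search=book%27%20UNION%20ALL%20SELECT%20NULL%2C"
        "CONCAT%280x7178766271%2CJSON_ARRAYAGG%28CONCAT_WS%280x7a76676a636b%2C"
        "table_name%29%29%2C0x7176706a71%29%20FROM%20INFORMATION_SCHEMA.TABLES"
        "%20WHERE%20table_schema%20IN%20%280x626f6f6b776f726c645f6462%29--%20-"),
]

# Heuristic indicators that a search value is SQL: a quote, UNION ... SELECT,
# a comment terminator, or a schema lookup. Tune these for the application.
SQLI_PATTERNS = [
    re.compile(r"'"),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"--|/\*"),
    re.compile(r"information_schema", re.I),
]
HEX_LITERAL = re.compile(r"0x(?:[0-9a-fA-F]{2})+")

def search_value(uri):
    """Return the URL-decoded `search` parameter of a request URI, or None."""
    query = urlsplit(uri).query
    return parse_qs(query, keep_blank_values=True).get("search", [None])[0]

def is_sqli(value):
    return value is not None and any(p.search(value) for p in SQLI_PATTERNS)

def sqli_attempts(requests, attacker_ip):
    """Frames from attacker_ip whose search parameter looks injected, in order (Q4)."""
    return [(frame, uri) for frame, src, uri in requests
            if src == attacker_ip and is_sqli(search_value(uri))]

def decode_hex_literals(sql):
    """Replace MySQL 0x... literals with quoted ASCII so the query reads naturally (Q6)."""
    def repl(m):
        return "'" + bytes.fromhex(m.group(0)[2:]).decode("ascii", "replace") + "'"
    return HEX_LITERAL.sub(repl, sql)

def decode_payload(uri):
    """Decode the search parameter of a request URI and expand its hex literals."""
    value = search_value(uri)
    return None if value is None else decode_hex_literals(value)

if __name__ == "__main__":
    attempts = sqli_attempts(SAMPLE_REQUESTS, ATTACKER_IP)
    print("first SQLi attempt: frame", attempts[0][0], unquote(attempts[0][1]))
    print("decoded Q6 payload:", decode_payload(attempts[-1][1]))
```

The decoded payload shows the query enumerating `INFORMATION_SCHEMA.TABLES` for the schema `bookworld_db`, which is the context the table list in packet 1553 came from.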