Digital Forensics Write-up — Web Server Case by Ali Hadi

A company’s web server has been breached through their website.

Questions

Tool-set

Let’s Seek Some Solutions!

NTFS formatted filesystem with Windows
C:\xampp\apache\logs
Apache Logs
Installing Apache HTTP Server 2.x withDomainName = example.com
ServerName = www.example.com
ServerAdmin = admin@example.com
ServerPort = 80
ServerSslPort = 443
ServerRoot = c:/Apache24
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr
IP addresses communicating with the server
 grep "192.168.56.102" access.log >> 192-168-56-102-access_log.log
cat 192-168-56-102-access_log.log | awk -F\" {print $6} | sort | uniq -c | sort -nr
Usage of SQLMAP

Exploit Public-Facing Application (T1190)

SQL Injection attempts
A file being sent over exploiting SQL injection vulnerabilities — /tmpukudk.php
Four tmp files being created and then deleted via the command prompt
XSS Vulnerabilities
Unrestricted file upload vulnerabilities shows PHP based web shells
Commands executed
Proof the commands were executed by the attacker
Local File Inclusion
‘exec’ endpoint — POST requests show the attacker must’ve sent some input here
“cmd” spawned using the webshell
volatility -f memdump.mem imageinfo
...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86
Number of Processors : 1
Image Type (Service Pack) : 1
Image date and time : 2015–09–03 10:04:05 UTC+0000
Image local date and time : 2015–09–03 03:04:05 -0700
...
volatility -f memdump.mem --profile=VistaSP1x86 pslistvolatility -f memdump.mem --profile=VistaSP1x86 psscanvolatility -f memdump.mem --profile=VistaSP1x86 pstree
‘cmd.exe’ processes under explorer.exe
. 0x83e7b7f8:cmd.exe 612 816 1 72 2015–08–23 10:30:44 UTC+0000. 0x84259100:cmd.exe 1972 816 1 19 2015–09–02 09:28:30 UTC+0000
volatility -f memdump.mem --profile=VistaSP1x86 cmdlinevolatility -f memdump.mem --profile=VistaSP1x86 consolesvolatility -f memdump.mem --profile=VistaSP1x86 cmdscan
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 17 LastAdded: 16 LastDisplayed: 16
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d8
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0xe91af8: cls
Cmd #2 @ 0xe91db0: ipconfig
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #4 @ 0x5a34eb8: net user user1 root@psut /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #6 @ 0x5a24800: cls
Cmd #7 @ 0x5a34c58: net /?
Cmd #8 @ 0x5a34d88: net localgroup /?
Cmd #9 @ 0x5a34f48: net localgroup “Remote Desktop Users” user1 /add
Cmd #10 @ 0x5a34c70: net /?
Cmd #11 @ 0xe911b0: netsh /?
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #13 @ 0xe91218: netsh firewall set service type = remotedesktop /?
Cmd #14 @ 0xe91288: netsh firewall set service type = remotedesktop enable
Cmd #15 @ 0xe91300: netsh firewall set service type=remotedesktop mode=enable
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet

Command and Scripting Interpreter (T1059) — Execution

Account Creation (T1136) — Persistence

Shows two users added at the same time — ‘hacker and user1' — we have proof of the user ‘user1’
httpd.exe   2796   2768     1     92 2015-08-23 10:32:21 UTC+0000
httpd.exe 2880 2796 155 483 2015-08-23 10:32:26 UTC+0000
volatility -f mempdump.mem --profile=VistaSP1x86 memdump -p 2796 --dump-dir E:\
volatility -f mempdump.mem --profile=VistaSP1x86 memdump -p 2880 --dump-dir E:\
Same commands being executed for the second account — hacker
Output from the second process’ dump
Command Injection
Exploitation of SQLi using SQLMAP
tmpukdk.php — the dropper

Let’s Summarize it All

Output extracted from Mft2Csv

Conclusion

--

--

--

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Brad Garlinghouse to resolve the Legal Disputes with Youtube over XRP Scams

Hacking Wi-Fi with Kali Linux

Have you ever wondered how 2 trillion of dollars are secured by 12 words ? Mnemonics | Bip39

Synapsint, OSINT easily

Launching Hacken liquidity mining campaign on KuCoin

XT Will List CPH

A short summary of GDPR individual (User) rights

Freedom Protocol Airdrop

freedom protocol airdrop

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Syed Hasan

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

More from Medium

Root me: Bash — System 1

Bounty Hacker THM Writeup

Hacking the Margheriti-Server — PwntillDawn

Space Heroes CTF - OSINT Section Writeup