Digital Forensics Write-up — Web Server Case by Ali Hadi

A company’s web server has been breached through their website.

Questions

Tool-set

Let’s Seek Some Solutions!

NTFS formatted filesystem with Windows
C:\xampp\apache\logs
Apache Logs
Installing Apache HTTP Server 2.x with
DomainName = example.com
ServerName = www.example.com
ServerAdmin = admin@example.com
ServerPort = 80
ServerSslPort = 443
ServerRoot = c:/Apache24
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr
IP addresses communicating with the server
grep "192.168.56.102" access.log >> 192-168-56-102-access_log.log
cat 192-168-56-102-access_log.log | awk -F'"' '{print $6}' | sort | uniq -c | sort -nr
Usage of SQLMAP
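The awk/sort/uniq pipeline above answers three questions in turn: which IPs talked to the server, which user agents a given IP presented, and whether any of them belong to SQLMAP. The script below is an added example (not part of the write-up or the case files) that does the same triage over Apache combined-format lines in one pass and additionally flags requests carrying SQL injection markers or hitting a tmp*.php dropper such as the one named later in this post. The log lines are constructed to imitate the case and are not copied from the real access.log; the regexes for injection markers are conservative and will not catch every payload.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format; they imitate the
# case's traffic but are not copied from the case's access.log.
SAMPLE_ACCESS_LOG = """\
192.168.56.102 - - [02/Sep/2015:09:27:41 -0700] "GET /index.php?id=1' AND 1=1-- HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.102 - - [02/Sep/2015:09:27:42 -0700] "GET /index.php?id=1 UNION SELECT 1,2,3-- HTTP/1.1" 200 640 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.101 - - [02/Sep/2015:09:28:10 -0700] "GET /about.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.0)"
192.168.56.102 - - [02/Sep/2015:09:28:30 -0700] "POST /tmpukudk.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 6.0)"
192.168.56.103 - - [02/Sep/2015:09:29:01 -0700] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Combined format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Conservative SQL injection markers (tautology, UNION, time-based probes).
SQLI_RE = re.compile(
    r"union\s+select|'\s*(?:and|or)\s+\S+\s*=\s*\S+|sleep\s*\(|benchmark\s*\(", re.I
)
# Randomly named tmp*.php files like the dropper seen in this case.
DROPPER_RE = re.compile(r"/tmp[a-z0-9]*\.php", re.I)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def requests_per_ip(records):
    """Same result as: awk '{print $1}' | sort | uniq -c | sort -nr"""
    return Counter(r["ip"] for r in records).most_common()


def user_agents_for_ip(records, ip):
    """Same result as: grep <ip> access.log | awk -F'\"' '{print $6}' | sort | uniq -c | sort -nr"""
    return Counter(r["ua"] for r in records if r["ip"] == ip).most_common()


def flag_suspicious(records):
    """Attach a list of reasons to every request that looks like scanner or dropper activity."""
    flagged = []
    for r in records:
        reasons = []
        if "sqlmap" in r["ua"].lower():
            reasons.append("sqlmap user agent")
        if SQLI_RE.search(r["req"]):
            reasons.append("sql injection pattern")
        if DROPPER_RE.search(r["req"]):
            reasons.append("request to tmp*.php dropper")
        if reasons:
            flagged.append({"ip": r["ip"], "ts": r["ts"], "request": r["req"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for ip, n in requests_per_ip(recs):
        print(f"{n:>6} {ip}")
    for ua, n in user_agents_for_ip(recs, "192.168.56.102"):
        print(f"{n:>6} {ua}")
    for f in flag_suspicious(recs):
        print(f["ts"], f["ip"], f["request"], "->", ", ".join(f["reasons"]))
```

Point the parser at the real access.log (read the file instead of SAMPLE_ACCESS_LOG) and the flagged list gives you the same pivot the write-up makes by hand: the scanner's IP, its user agent, and the first request to the dropped PHP file, all with timestamps that can later be lined up against the memory image and the MFT timeline.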

Exploit Public-Facing Application (T1190)

SQL Injection attempts
A file uploaded by exploiting the SQL injection vulnerability — /tmpukudk.php
Four tmp files being created and then deleted via the command prompt
XSS Vulnerabilities
Unrestricted file upload vulnerability: PHP-based web shells were uploaded
Commands executed
Proof the commands were executed by the attacker
Local File Inclusion
‘exec’ endpoint — POST requests show the attacker must’ve sent some input here
“cmd” spawned using the webshell
volatility -f memdump.mem imageinfo
...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86
Number of Processors : 1
Image Type (Service Pack) : 1
Image date and time : 2015-09-03 10:04:05 UTC+0000
Image local date and time : 2015-09-03 03:04:05 -0700
...
volatility -f memdump.mem --profile=VistaSP1x86 pslist
volatility -f memdump.mem --profile=VistaSP1x86 psscan
volatility -f memdump.mem --profile=VistaSP1x86 pstree
‘cmd.exe’ processes under explorer.exe
. 0x83e7b7f8:cmd.exe 612 816 1 72 2015-08-23 10:30:44 UTC+0000
. 0x84259100:cmd.exe 1972 816 1 19 2015-09-02 09:28:30 UTC+0000
volatility -f memdump.mem --profile=VistaSP1x86 cmdline
volatility -f memdump.mem --profile=VistaSP1x86 consoles
volatility -f memdump.mem --profile=VistaSP1x86 cmdscan
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 17 LastAdded: 16 LastDisplayed: 16
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d8
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0xe91af8: cls
Cmd #2 @ 0xe91db0: ipconfig
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #4 @ 0x5a34eb8: net user user1 root@psut /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #6 @ 0x5a24800: cls
Cmd #7 @ 0x5a34c58: net /?
Cmd #8 @ 0x5a34d88: net localgroup /?
Cmd #9 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #10 @ 0x5a34c70: net /?
Cmd #11 @ 0xe911b0: netsh /?
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #13 @ 0xe91218: netsh firewall set service type = remotedesktop /?
Cmd #14 @ 0xe91288: netsh firewall set service type = remotedesktop enable
Cmd #15 @ 0xe91300: netsh firewall set service type=remotedesktop mode=enable
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
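The cmdscan history above is short enough to read by eye, but a busier console buffer is not. As an added example (not code from the write-up or from Volatility), the script below parses the `Cmd #n @ addr: ...` lines that cmdscan prints, matches each recovered command against a few rules for the behaviour seen in this case (local account creation, group membership change, host firewall opened for Remote Desktop) and pulls out the account names passed to `net user ... /add`. Only the T1136 and T1059 technique IDs named in this write-up are used; the sample input is a constructed excerpt modelled on the output above, not a new finding from the image.

```python
import re

# Constructed excerpt modelled on the Volatility 2 cmdscan output shown above;
# it is sample input for this script, not an additional finding from the case.
CMDSCAN_SAMPLE = """\
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 6 LastAdded: 5 LastDisplayed: 5
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0x5a34bd0: net user user1 user1 /add
Cmd #2 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #3 @ 0xe911b0: netsh /?
Cmd #4 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
Cmd #5 @ 0xe91af8: cls
"""

CMD_LINE_RE = re.compile(r"^Cmd #(?P<idx>\d+) @ (?P<addr>0x[0-9a-fA-F]+): (?P<cmd>.*)$")

# Triage rules: (label, ATT&CK technique named in the write-up or None, pattern).
# Help invocations such as 'net user /?' deliberately do not match.
TRIAGE_RULES = [
    ("local account created", "T1136",
     re.compile(r"net\s+user\s+\S+(?:\s+\S+)?\s+/add", re.I)),
    ("account added to local group", None,
     re.compile(r"net\s+localgroup\s+.+\s+/add", re.I)),
    ("host firewall opened for Remote Desktop", None,
     re.compile(r"netsh\s+firewall\s+set\s+service\s+type\s*=\s*remotedesktop.*enable", re.I)),
]

ACCOUNT_RE = re.compile(r"net\s+user\s+(?P<name>\S+)(?:\s+\S+)?\s+/add", re.I)


def parse_cmdscan(text):
    """Return [(index, address, command)] for every 'Cmd #n @ addr: ...' line."""
    commands = []
    for line in text.splitlines():
        m = CMD_LINE_RE.match(line.strip())
        if m:
            commands.append((int(m["idx"]), m["addr"], m["cmd"].strip()))
    return commands


def triage(commands):
    """Match each recovered command against TRIAGE_RULES; unmatched commands are skipped.

    Everything recovered this way ran through cmd.exe, i.e. T1059 in the
    write-up's terms; the per-rule technique field adds the more specific one.
    """
    findings = []
    for idx, addr, cmd in commands:
        for label, technique, pattern in TRIAGE_RULES:
            if pattern.search(cmd):
                findings.append({"index": idx, "address": addr, "command": cmd,
                                 "label": label, "technique": technique or "T1059"})
                break
    return findings


def created_accounts(commands):
    """Account names passed to 'net user <name> [password] /add'."""
    names = set()
    for _, _, cmd in commands:
        m = ACCOUNT_RE.search(cmd)
        if m:
            names.add(m["name"])
    return names


if __name__ == "__main__":
    cmds = parse_cmdscan(CMDSCAN_SAMPLE)
    print("accounts created:", sorted(created_accounts(cmds)))
    for f in triage(cmds):
        print(f"Cmd #{f['index']} {f['technique']}: {f['label']} <- {f['command']}")
```

Feed it the saved output of `volatility ... cmdscan` (and `consoles`, whose command lines use the same prefix) and the account names it returns are exactly the ones to look for next in the SAM, in the Security event log and in the second httpd.exe process dump mentioned below.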

Command and Scripting Interpreter (T1059) — Execution

Account Creation (T1136) — Persistence

Shows two users added at the same time, ‘hacker’ and ‘user1’ — we already have proof of the user ‘user1’ from the command history
httpd.exe   2796   2768     1     92 2015-08-23 10:32:21 UTC+0000
httpd.exe   2880   2796   155    483 2015-08-23 10:32:26 UTC+0000
volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2796 --dump-dir E:\
volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2880 --dump-dir E:\
Same commands being executed for the second account — hacker
Output from the second process’ dump
Command Injection
Exploitation of SQLi using SQLMAP
tmpukdk.php — the dropper

Let’s Summarize it All

Output extracted from Mft2Csv

Conclusion

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.