Original Post: LetsDefend Challenge: Malicious Web Traffic Analysis | by Praj Shete | Sep, 2024
The article provides a step-by-step analysis of a malicious web traffic challenge using Wireshark:
- Identifying the Web Server's IP: By filtering for HTTP packets in Wireshark, it is determined that the server's public IP is 10.1.0.4.
- Identifying the Attacker's IP: Analyzing the packet capture, the attacker's IP address is identified from its interaction pattern with the web server.
- Exploit Identification: The attacker used XML external entity (XXE) injection to read the web application's source code.
- Note in the Source Code: The attacker read the note in the source code by sending a specific request, which returned the source code in Base64-encoded form.
- Username Discovery: The attacker identified a username ("admin") in the returned source code.
- Password Discovery: By filtering for the relevant HTTP responses, the password for the discovered username is revealed by an abnormal packet length among otherwise uniform responses.
- Directory Traversal: The attacker exploited a directory traversal vulnerability to read server files, such as the password file, by manipulating URL paths.
- Last User Created: The captured information revealed the most recently created user on the server.
- Open Redirect Vulnerability: The attacker found an open redirect vulnerability by testing URLs containing specific keywords in user inputs.
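The write-up works through each indicator by hand in Wireshark. As an added example (not from the original post or the challenge pcap), the script below shows the same detection logic over constructed HTTP exchanges: it tags XXE, directory traversal and open-redirect probes with regular expressions, picks the source with the most flagged requests as the attacker, and finds the successful login as the one response whose length differs from the uniform error pages. The IPs, paths and payloads are assumed sample values.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Exchange:          # one HTTP request/response pair reassembled from a capture
    src: str             # client IP
    path: str            # request URI including query string
    body: str            # request body ("" for GET)
    resp_len: int        # size of the server's response in bytes

# Defender-side indicators for the three techniques described in the write-up.
XXE_RE = re.compile(r"<!DOCTYPE.*?<!ENTITY\s+\w+\s+SYSTEM", re.I | re.S)
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|\.\.\\)", re.I)
REDIRECT_RE = re.compile(r"[?&](url|redirect|next|return)=(https?:)?//", re.I)

def classify(ex: Exchange) -> List[str]:
    """Tag one exchange with the attack patterns it matches (empty list if benign)."""
    tags = []
    if XXE_RE.search(ex.body):
        tags.append("xxe")
    if TRAVERSAL_RE.search(ex.path):
        tags.append("traversal")
    if REDIRECT_RE.search(ex.path):
        tags.append("open-redirect")
    return tags

def attacker_ip(exchanges: List[Exchange]) -> str:
    """The source address that produced the most flagged requests."""
    hits = Counter(e.src for e in exchanges if classify(e))
    return hits.most_common(1)[0][0]

def login_outlier(exchanges: List[Exchange]) -> Optional[Exchange]:
    """Among /login responses, return the single one whose length differs from the
    common value: repeated failed guesses return identical error pages, so the odd
    one out is the likely successful login. None if there is no clear outlier."""
    logins = [e for e in exchanges if e.path.startswith("/login")]
    if len(logins) < 3:
        return None
    common = statistics.mode([e.resp_len for e in logins])
    odd = [e for e in logins if e.resp_len != common]
    return odd[0] if len(odd) == 1 else None

# Constructed sample traffic (assumed values, not the challenge capture).
SAMPLE = [
    Exchange("10.1.0.25", "/index.php", "", 2048),
    Exchange("10.1.0.99", "/upload.php", '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY x SYSTEM "file:///app/index.php">]><a>&x;</a>', 3120),
    Exchange("10.1.0.99", "/download.php?file=../../../../etc/passwd", "", 1802),
    Exchange("10.1.0.99", "/redirect.php?url=//example.com/", "", 302),
    Exchange("10.1.0.99", "/login", "username=admin&password=letmein", 1120),
    Exchange("10.1.0.99", "/login", "username=admin&password=123456", 1120),
    Exchange("10.1.0.99", "/login", "username=admin&password=summer2024", 325),
    Exchange("10.1.0.99", "/login", "username=admin&password=qwerty", 1120),
]
```

Running `attacker_ip(SAMPLE)` and `login_outlier(SAMPLE)` on the sample returns the flagged source and the single short-length login response, mirroring the manual Wireshark steps above.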
The challenge link provided helps users practice analyzing malicious web traffic.
Go here to read the Original Post