Original Post: LetsDefend Challenge: Malicious Web Traffic Analysis | by Praj Shete | Sep, 2024
The document is an analysis of a malicious web traffic incident, detailing the steps and techniques used to identify key information about the attack. Here’s a summary of the contents:
- Identifying the Web Server’s IP Address: By filtering the Wireshark packet capture for HTTP traffic, the web server’s public IP address is found to be 10.1.0.4.
- Identifying the Attacker’s IP Address: By analyzing which client interacts with the server and how, the attacker’s IP address is distinguished from the other IPs contacting the server.
- Discovering the Vulnerability: The attacker identified an XML External Entity (XXE) vulnerability by attempting to sign up and then reading the application’s source code.
- Recovering the Note in the Source Code: The attacker viewed the source code, which was returned in Base64-encoded form, and decoded it to extract a note.
- Finding a Possible Username: After decoding the source code response, the attacker found a possible username, “admin”, through the exploited vulnerability.
- Brute-forcing the Password: The attacker brute-forced the password; comparing the lengths of the HTTP responses to the login attempts shows the successful attempt, which stands out by having a different response length from the failed ones.
- Further Exploitation: The attacker used a directory traversal vulnerability to read internal files on the server, evident from log entries with unusual URL patterns.
- Identifying the Most Recent User: The attacker identified the last user created on the server by examining the content of those internal files.
- Exploiting an Open Redirect Vulnerability: An open redirect vulnerability was tested, where the attacker used controlled input to redirect to a URL of their choosing.
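Two of the findings above (the brute-force attempt whose success is betrayed by a different response length, and the directory traversal visible as unusual URL patterns) are things a defender can detect directly from web server logs. The following is an added example, not code from the original post or from the challenge; it parses a handful of constructed common-log-format lines (the IP addresses, paths and sizes are assumptions, not values from the challenge capture) and flags both patterns. It goes slightly beyond the summary by also decoding URL-encoded and double-encoded traversal sequences.

```python
"""Detection helpers for two log-based findings: a password brute-force whose
successful attempt has an outlier response length, and directory-traversal
requests visible as unusual URL patterns.

Added example, not the original post's code. The log lines below are
constructed for illustration; IPs, paths and sizes are assumptions."""

import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed access-log lines (common log format): client IP, timestamp,
# request line, status code and response size in bytes.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Sep/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1432
192.168.1.50 - - [10/Sep/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1432
192.168.1.50 - - [10/Sep/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1432
192.168.1.50 - - [10/Sep/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1432
192.168.1.50 - - [10/Sep/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 219
192.168.1.77 - - [10/Sep/2024:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120
192.168.1.50 - - [10/Sep/2024:10:02:15 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 2044
192.168.1.50 - - [10/Sep/2024:10:02:20 +0000] "GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 162
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# A '..' segment followed by a path separator, after URL decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def parse_log(text):
    """Parse common-log-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d['status'] = int(d['status'])
            d['size'] = int(d['size'])
            entries.append(d)
    return entries


def find_bruteforce_success(entries, login_path='/login', min_attempts=4):
    """Return (ip, entry) pairs for IPs that POST to login_path at least
    min_attempts times where all responses but one share the same length
    (the 'wrong password' page) and exactly one response differs."""
    by_ip = defaultdict(list)
    for e in entries:
        if e['method'] == 'POST' and e['path'] == login_path:
            by_ip[e['ip']].append(e)
    hits = []
    for ip, attempts in by_ip.items():
        if len(attempts) < min_attempts:
            continue
        common_size, _ = Counter(a['size'] for a in attempts).most_common(1)[0]
        outliers = [a for a in attempts if a['size'] != common_size]
        # One outlier in a run of identical failures is the signature
        # described in the summary.
        if len(outliers) == 1:
            hits.append((ip, outliers[0]))
    return hits


def find_traversal_requests(entries):
    """Return entries whose decoded request path contains a '../' or '..\\' sequence."""
    flagged = []
    for e in entries:
        # Decode twice so single- and double-encoded sequences are both caught.
        decoded = unquote(unquote(e['path']))
        if TRAVERSAL_RE.search(decoded):
            flagged.append(e)
    return flagged


if __name__ == '__main__':
    ents = parse_log(SAMPLE_LOG)
    for ip, e in find_bruteforce_success(ents):
        print(f"possible successful brute-force from {ip} at {e['ts']}: "
              f"status {e['status']}, size {e['size']}")
    for e in find_traversal_requests(ents):
        print(f"traversal attempt from {e['ip']}: {e['path']} -> {e['status']}")
```

On the constructed sample, the login check reports the single 302/219-byte response from 192.168.1.50 as the likely successful attempt, and the traversal check reports both download requests, including the one whose dots and slashes were URL-encoded.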
The analysis links to the challenge on Let’s Defend and provides references to the vulnerabilities and techniques used.