Digital Forensic — Ashemery Challenge#1 Web Server Case

Ondi Ongge
5 min read · Sep 16, 2021

For this challenge, here are the tasks to be completed for the first case; we will cover digital forensics of a web server log and a memory image. In Figure 1, I've already downloaded and extracted the two files, so let's start!

Figure 1

1. What type of attacks has been performed on the box?

I started by opening the s4a-challenge4 image with FTK Imager and getting access to the access.log file located in the /root/xampp/apache/logs/ directory. This is the Apache web server log, which records every request from every client. By analyzing this file, we hope to learn something about the attacker and what type of attack took place.

Figure 2

After extracting the access.log content into a new file named apache-access-log, here is what I get from the following string-filtering command:

cat apache-access-log | awk '{print $1}' | sort | uniq -c | sort -nr

Explanation: awk prints the first column (the client IP), sort orders the values, uniq -c collapses duplicates and prefixes each with its count, and the final sort -nr orders numerically in reverse so the list runs from the largest count to the smallest.

Figure 3

Here we see the IP address 192.168.56.102 accessing the Apache web server 4398 times. Save this IP's requests separately for further analysis (note that the unescaped dots also match any character; grep -F would be a stricter fixed-string match):
grep "192.168.56.102" apache-access-log > rec2/ip-192-168-56-102-log

Filtering on the user-agent column in position 6, we get the agent most used by this IP when accessing the web server, which indicates an SQL injection attack, as shown in Figure 4: sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org), seen 3621 times.

Figure 4
Figure 5

We also found several temporary files being created. Listing them with grep gives the file name tmpbrjvl.php, but the last string looks like an injected command to delete the file itself.
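As an added example (not part of the original write-up), the following Python script reproduces the log triage above against a few constructed combined-format log lines: the top client by request count, the user-agent histogram for that client, and the sqlmap and temporary-file indicators. The sample lines, the tmpbrjvl.php request and the indicator patterns are assumptions for illustration, not the challenge data. Unlike the awk column trick, it parses the quoted user-agent field properly, since that field contains spaces.

```python
"""Triage an Apache access.log written in the "combined" log format.

Added example for this write-up, not code from the original post. The
sample lines below are constructed to mirror the pattern the post
describes (one noisy client, a sqlmap user agent, a staged tmp*.php file)
and are not the challenge's real log.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, not the challenge's access.log.
SAMPLE_LOG = """\
192.168.56.102 - - [16/Sep/2021:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)"
192.168.56.102 - - [16/Sep/2021:10:01:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20SELECT%201%2C2--%20&Submit=Submit HTTP/1.1" 200 4500 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)"
192.168.56.102 - - [16/Sep/2021:10:01:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)"
192.168.56.102 - - [16/Sep/2021:10:02:10 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
192.168.56.102 - - [16/Sep/2021:10:02:15 +0000] "GET /dvwa/hackable/uploads/tmpbrjvl.php?cmd=del%20tmpbrjvl.php HTTP/1.1" 200 50 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
192.168.56.1 - - [16/Sep/2021:10:03:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 6.0) Chrome/92.0"
"""

# One regex per line of the combined format. awk '{print $1}' works for
# the IP, but the user agent is a quoted field containing spaces, so it
# has to be parsed as a quoted string rather than a whitespace column.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Coarse indicators for this example; tune them for your own logs.
SQLI_HINT = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|\d+\s*=\s*\d+")
TMP_PHP = re.compile(r"/tmp[a-z0-9]{5,}\.php(?:$|\?)", re.I)


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # Decode the query string once so %27 / %20 payloads become readable.
        e["query"] = unquote(e["path"].partition("?")[2])
        entries.append(e)
    return entries


def top_clients(entries, n=5):
    """Equivalent of: awk '{print $1}' | sort | uniq -c | sort -nr | head -n N."""
    return Counter(e["ip"] for e in entries).most_common(n)


def agents_for(entries, ip):
    """User-agent histogram for one client, the post's 'column 6' step."""
    return Counter(e["agent"] for e in entries if e["ip"] == ip)


def suspicious_requests(entries):
    """Flag the three indicators the write-up relies on."""
    findings = []
    for e in entries:
        reasons = []
        if e["agent"].lower().startswith("sqlmap/"):
            reasons.append("sqlmap user agent")
        if SQLI_HINT.search(e["query"]):
            reasons.append("SQL syntax in query string")
        if TMP_PHP.search(e["path"]):
            reasons.append("request for a temporary PHP file")
        if reasons:
            findings.append((e["ip"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, count in top_clients(entries):
        print(f"{count:>6} {ip}")
    top_ip = top_clients(entries, 1)[0][0]
    for agent, count in agents_for(entries, top_ip).most_common():
        print(f"{count:>6} {agent}")
    for ip, path, reasons in suspicious_requests(entries):
        print(ip, path, "|", "; ".join(reasons))
```

To run it on the real extracted file, replace SAMPLE_LOG with the contents of apache-access-log; the three functions keep the same interface.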

Figure 6

Summary for the first answer: SQL injection, command injection, brute force, unrestricted file upload/web shell.

2. How many users has the attacker(s) added to the box, and how were they added?

According to our evidence, we are given a file named memdump.mem of about 1 GB. We analyze it with the Volatility tool, which runs on Python 2:
python2 /opt/volatility/vol.py -f memdump.mem imageinfo

Figure 7

Referring to the Suggested Profile(s) in Figure 7, we use the VistaSP1x86 profile to run the process plugins and extract strings.

python2 /opt/volatility/vol.py -f memdump.mem --profile=VistaSP1x86 pslist

Figure 8

python2 /opt/volatility/vol.py -f memdump.mem --profile=VistaSP1x86 psscan

Figure 9

python2 /opt/volatility/vol.py -f memdump.mem --profile=VistaSP1x86 pstree

Figure 10

Using the cmdscan plugin, we recovered the list of commands entered by the attacker:

python2 /opt/volatility/vol.py -f memdump.mem --profile=VistaSP1x86 cmdscan

Figure 11

It shows that the attacker successfully got into the system, created a new user named user1, added it to the Remote Desktop Users group, and configured the machine's firewall to allow remote access.

Figure 12

Filtering the process list for the Apache web service (httpd.exe), we found two process IDs, 2796 and 2880. So let's dump their memory with Volatility.

Figure 13

Extract the strings from each dump file with the strings command and analyze the content.

Figure 14

Analyzing the strings, we found an interesting hit using the keyword hacker. Digging deeper, we discovered a command injected by the attacker to add another user named hacker; after parsing (decoding) the value we get the clear result.
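An added example, not code from the post: a Python script that does the 'parse the value' step over strings output from a dumped httpd.exe process. It URL-decodes parameter-looking lines and reports the user, group and firewall commands that question 2 is about, which also covers what cmdscan showed for user1. The strings input is constructed, and the parameter name cmd is an assumption.

```python
"""Recover account-manipulation commands from process-memory strings.

Added example for this write-up, not code from the original post. It
walks the output of `strings` over an httpd.exe dump, URL-decodes the
request parameters it finds (the post's 'parse the value' step), and
reports Windows account, group and firewall changes. The input below is
constructed; it is not the challenge's memory image.
"""
import re
from urllib.parse import unquote_plus

# Constructed stand-in for `strings` output of a dumped httpd.exe process.
SAMPLE_STRINGS = """\
GET /dvwa/vulnerabilities/exec/ HTTP/1.1
Host: 192.168.56.101
Accept-Encoding: gzip, deflate
cmd=whoami
cmd=net+user+hacker+Passw0rd_x+%2Fadd
cmd=net+localgroup+%22Remote+Desktop+Users%22+hacker+%2Fadd
cmd=netsh+firewall+set+service+remotedesktop+enable
ip=127.0.0.1%3Bdir
Content-Type: text/html
"""

# A line that is a single URL-encoded form parameter, e.g. cmd=net+user+...
PARAM_RE = re.compile(r"^(?P<name>[A-Za-z_][\w\-]*)=(?P<value>\S+)$")

# What to look for once decoded; each rule may expose an 'account' group.
RULES = [
    ("account-created",
     re.compile(r"\bnet\s+user\s+(?P<account>[^\s/]+)\s+\S+\s+/add\b", re.I)),
    ("group-modified",
     re.compile(r'\bnet\s+localgroup\s+"?(?P<group>[^"]+?)"?\s+(?P<account>[^\s/]+)\s+/add\b', re.I)),
    ("firewall-changed",
     re.compile(r"\bnetsh\b.*\bfirewall\b", re.I)),
]


def decoded_parameters(text):
    """Yield (name, decoded value) for every parameter-looking line."""
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            yield m.group("name"), unquote_plus(m.group("value"))


def classify(command):
    """Return (category, account-or-None) for a decoded command, else None."""
    for category, rule in RULES:
        m = rule.search(command)
        if m:
            return category, m.groupdict().get("account")
    return None


def persistence_findings(text):
    """List (category, account, decoded command) for each matching parameter."""
    findings = []
    for _name, value in decoded_parameters(text):
        hit = classify(value)
        if hit:
            category, account = hit
            findings.append((category, account, value))
    return findings


def accounts_added(text):
    """Set of account names that appear in a `net user ... /add` command."""
    return {acct for cat, acct, _ in persistence_findings(text)
            if cat == "account-created"}


if __name__ == "__main__":
    for category, account, command in persistence_findings(SAMPLE_STRINGS):
        print(f"{category:<17} {account or '-':<8} {command}")
    print("accounts added:", sorted(accounts_added(SAMPLE_STRINGS)))
```

Feeding it the real strings output (for example the text produced by strings over the 2796 and 2880 dumps) gives the decoded command list directly instead of a manual grep for a keyword you have to already know.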

Figure 15

Summary for the second answer: the attacker created two users on the system, user1 and hacker.

3. What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean and cover their tracks)

Summary for the third answer: from FTK Imager we can recover an archive file named webshell.zip located in /root/xampp/htdocs/DVWA. It contains two files, c99.php and webshell.php, extracted into the same directory. webshell.php was used for command injection, and c99.php is another popular web shell.

Figure 16

4. What software has been installed on the box, and were they installed by the attacker(s) or not?

In Setup.evtx we found no information about additional software being installed. The file is located in /root/c/system32/winevt/logs/.

Figure 17
Figure 18

5. Using memory forensics, can you identify the type of shell-code used?

It is c99-shell, a PHP-based web shell. Details can be found on the following web page: http://www.topshellv.com/shell/c99-shell

Figure 19

6. What is your hypothesis for the case, and what is your approach in solving it?

DVWA is a deliberately vulnerable web platform built for penetration-testing practice; consider not deploying it on a public production server, because it gives an attacker an easy way to gain access to the machine. In the worst case, to prevent an attacker from gaining access, tighten the .htaccess configuration to limit access and manage users so that the public cannot write or modify files on the web server.
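One concrete form of the access limitation suggested above, as an added example and not from the original post: an .htaccess for the upload directory (the DVWA hackable/uploads location is an assumption) that keeps anything uploaded there from being executed, so a staged tmp*.php or c99.php is served as inert text rather than run. It assumes Apache 2.4 authorization syntax and that AllowOverride permits these directives; on Apache 2.2 the equivalent is Order deny,allow / Deny from all.

```apacheconf
# Added example (not from the original post). Placed in the upload
# directory, assumed to be DVWA's hackable/uploads/.

# Weak setting (what the post's scenario amounts to): no restriction,
# so any uploaded .php is executed by the server.
#   Options +ExecCGI
#   AddHandler php-script .php

# Hardened setting: no directory listing, no CGI, no PHP handler or
# MIME type, and script-looking files are refused outright.
Options -Indexes -ExecCGI
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml
<FilesMatch "\.(ph(p[0-9]?|tml|ar)|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>
# Only takes effect under mod_php; adjust the module name to the PHP
# version in use (mod_php5.c, mod_php7.c or mod_php.c).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

Blocking execution in the upload directory does not fix the upload vulnerability itself; it removes the web-shell step that the attacker in this case relied on, and the SQL and command injection findings still need their own input validation fixes.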
