[LetsDefend Write-up] PHP-CGI (CVE-2024-4577)

Chicken0248
Jun 17, 2024


Created: 17/06/2024 23:26 Last Updated: 18/06/2024 00:51

PHP-CGI (CVE-2024-4577)

You will confront an attempted exploitation of a newly discovered and unpatched vulnerability (CVE-2024-XXXX) in a critical software component within your organization’s infrastructure. The CVE allows for remote code execution, posing a significant threat if successfully exploited. At 12:05 PM UTC, an alert is generated by the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS), indicating an attack on one of your web servers. Your task is to analyze the provided artifacts, confirm the exploitation attempt, and answer the provided questions.

File Location: C:\Users\LetsDefend\Desktop\ChallengeFile\artifacts.7z

Start Investigation

This vulnerability was discovered by DEVCORE, so it is best to read their write-up first to understand how it can be exploited. Then read the blog post by Aliz Hammond from Watchtowr Labs to understand how an attacker can exploit this vulnerability in practice.

Watchtowr Labs also published a PoC script that demonstrates it.

What version of PHP was running on the server during the incident?

I found two ways to solve this. The first is to read news.txt, which stores all the PHP update news.

Another way is to run php.exe -v, which prints the version of the PHP executable directly.

8.2.19

When PHP is configured to run as CGI, which directive in httpd.conf specifies the scripts that handle requests for PHP files?

httpd.conf is in the /Apache24/conf folder.

Search for php-cgi.exe and you will find the directive that hands PHP requests to php-cgi.exe. This configuration is what allows the vulnerability to be exploited directly: an attacker only has to send an HTTP request that is passed to php-cgi.exe.

Action

What is the IP address of the attacker who attempted to exploit our server?

Go to the \Apache24\logs folder, where you will find access.log to investigate.

Investigating this log file shows that “192.168.110.1” sent multiple HTTP POST requests matching the payload designed to exploit this vulnerability.

192.168.110.1

The attacker targeted a specific page on the server with malicious payloads. Which page did the attacker target with malicious payloads?

The main functionality of the application targets the /upload.php page. However, for testing purposes, an /index.html file may be utilized.

upload.php

What version of Apache is running on the server?

We can open error.log to obtain the answer to this question.

2.4.59

The attacker managed to execute commands on the server. What was the first process initiated by the attacker’s commands during their successful attempt?

We are given the Prefetch folder and PECmd from Eric Zimmerman's tools, so we will use them to determine which executable was run after the attacker sent the payload.

Here is the command I used: PECmd.exe -d "C:\Users\LetsDefend\Desktop\ChallengeFile\artifacts\Prefetch" --csv output

After we get the output as a CSV file, open it in Timeline Explorer.

But I didn’t find any suspicious executable that was executed during this time.

So I went back to access.log and also correlated the timestamps with error.log, and I came to the conclusion that the requests we found resulted in errors.

So I scrolled down a little more and found these HTTP requests that did not trigger any error, which means these attacks were successful.

Going back to Timeline Explorer, we can see that these 2 executable files were executed after the attacker successfully sent the payload to the Apache server.

whoami.exe
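As an added example covering both the access.log triage above and the later step of separating failed requests from successful ones (this is illustrative code, not part of the challenge files or the original write-up), the script below parses Apache combined-format log lines and flags requests whose query string carries a percent-encoded soft hyphen (%AD) directly in front of an option letter, the CVE-2024-4577 argument-injection marker. It keeps the HTTP status so that 2xx hits can be correlated with error.log and Prefetch. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined log format (not from the challenge artifacts).
SAMPLE_ACCESS_LOG = """\
192.168.110.20 - - [17/Jun/2024:12:01:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.110.1 - - [17/Jun/2024:12:05:02 +0000] "POST /upload.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.168.110.1 - - [17/Jun/2024:12:05:09 +0000] "POST /upload.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 37 "-" "python-requests/2.31"
192.168.110.20 - - [17/Jun/2024:12:06:00 +0000] "POST /upload.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that matter for triage: client IP, timestamp,
# method, request target (path + query) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_cve_2024_4577_attempt(target: str) -> bool:
    """True when the query string, after percent-decoding, contains a soft hyphen
    (0xAD) immediately followed by an option letter, e.g. %ADd, which the
    vulnerable php-cgi.exe ends up treating as the -d command-line switch."""
    if "?" not in target:
        return False
    query = unquote_to_bytes(target.split("?", 1)[1])
    return re.search(rb"\xad[A-Za-z]", query) is not None


def scan_access_log(text: str) -> list[dict]:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cve_2024_4577_attempt(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "page": m["target"].split("?", 1)[0],
            "status": status,
            # A 5xx usually means the attempt failed (check error.log); a 2xx is the
            # request to line up with Prefetch timestamps for spawned processes.
            "likely_success": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit)
```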

Before the attacker was detected and blocked, they executed another command, launching a new process. What process was launched by this command?

calc.exe

What is the CVE number of the exploit used by the attacker?

CVE-2024-4577

Summary

In this challenge, we learned about CVE-2024-4577 and how to:

  • find the PHP and Apache versions
  • find out how the given PHP installation is vulnerable
  • understand how an attacker exploits this vulnerability
  • use Prefetch to detect commands executed through this vulnerability

Badge Acquired

Chicken0248

Aspiring SOC analyst, Threat Hunter - Post CTF / Labs Write-up (active lab will be unlisted)