This is my experience with THM room Slingshot
Room URL: https://tryhackme.com/room/slingshot
First things first:
1. Start the machine.
2. Use attackbox or OpenVPN.
After everything has booted up, navigate to http://targetip
Enter the Elastic credentials:
Username: elastic
Password : raCK0W**BLlW66oNlKAk
Now head to Discover
Set the date to July 26, 2023, as that is when the suspicious activity started (mentioned in the task).
Now add the fields mentioned below.
1. response.status
2. http.url
3. request.headers.User-Agent
4. transactions.remote_address
Now let’s get on with the questions.
Q1. What was the attacker’s IP?
When we click on transaction.remote_address, we can see an unusual amount of traffic from one particular IP.
Let’s add it to the filter.
See, that’s an unusual amount of traffic from a single IP in one day.
This has got to be the attacker’s IP.
A1. 10.0.2.15
Q2. What was the first scanner that the attacker ran against the web server?
The question asks for the first scanner, so sort the timestamp from Old to New.
You can see NMAP Scripting Engine in the request headers of the earliest requests.
A2. NMAP Scripting Engine
Q3. What was the User Agent of the directory enumeration tool that the attacker used on the web server?
As it’s a directory enumeration, there are going to be a lot of 404s in the responses.
So let’s filter on that.
(Hover your mouse over any 404 response and click + to add it to the filter.)
Now look at the request headers and http.url to find the dir enum requests.
From looking at the response and http.url fields, we can confirm that it is directory enumeration.
We’ll get the answer by checking the User-Agent field.
A3. Mozilla/5.0 (Gobuster)
Q4. In total, how many requested resources on the web server did the attacker fail to find?
Failed to find = not found, i.e. 404.
So the number of failed-to-find requests equals the number of 404 responses.
We already filtered on 404 previously, so we can read the number of hits on the same page.
A4. 1867
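Q1 to Q4 are all done by sorting, filtering and counting in Discover. The following script, an added example and not code from the original post or from TryHackMe, does the same steps offline in Python so the logic is explicit: pick the noisiest source IP, take the earliest scanner-looking User-Agent from that IP, then count that IP’s 404s and see which User-Agent produced them. The records are constructed samples using the room’s field names (transaction.remote_address, request.headers.User-Agent, http.url, response.status); the timestamps, the second IP and the browser and Nmap User-Agent strings are made up for the demo, and only the Gobuster string is the one quoted in the post.

```python
"""Offline triage of Slingshot-style web access records (Q1-Q4).

Added example; the RECORDS below are constructed, not the room's data.
"""
from collections import Counter
from datetime import datetime

# Substrings that mark a request as coming from a scanning tool (assumed list).
SCANNER_MARKERS = ("nmap", "gobuster", "hydra", "nikto", "sqlmap", "dirb", "ffuf")

NMAP_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
GOBUSTER_UA = "Mozilla/5.0 (Gobuster)"          # quoted in the post
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"  # constructed


def rec(ts, ip, ua, url, status):
    """Build one constructed record in the room's field layout."""
    return {"@timestamp": ts, "transaction.remote_address": ip,
            "request.headers.User-Agent": ua, "http.url": url,
            "response.status": status}


# Deliberately out of time order, so sorting is required just as in Discover.
RECORDS = [
    rec("2023-07-26T10:05:01Z", "10.0.2.15", GOBUSTER_UA, "/backup", 404),
    rec("2023-07-26T09:30:00Z", "192.168.1.20", BROWSER_UA, "/", 200),
    rec("2023-07-26T10:00:02Z", "10.0.2.15", NMAP_UA, "/robots.txt", 404),
    rec("2023-07-26T10:05:00Z", "10.0.2.15", GOBUSTER_UA, "/admin", 404),
    rec("2023-07-26T10:00:01Z", "10.0.2.15", NMAP_UA, "/", 200),
    rec("2023-07-26T10:05:02Z", "10.0.2.15", GOBUSTER_UA, "/uploads", 200),
    rec("2023-07-26T10:06:00Z", "192.168.1.20", BROWSER_UA, "/about", 200),
    rec("2023-07-26T10:05:03Z", "10.0.2.15", GOBUSTER_UA, "/admin-login.php", 401),
]


def ts(record):
    """Parse the ISO-8601 UTC timestamp so records can be sorted Old to New."""
    return datetime.strptime(record["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def noisiest_source(records):
    """Q1: the IP with the most requests and its request count."""
    ip, n = Counter(r["transaction.remote_address"] for r in records).most_common(1)[0]
    return ip, n


def first_scanner_ua(records, ip):
    """Q2: earliest User-Agent from `ip` that looks like a scanner, or None."""
    for r in sorted(records, key=ts):
        ua = r["request.headers.User-Agent"]
        if r["transaction.remote_address"] == ip and any(m in ua.lower() for m in SCANNER_MARKERS):
            return ua
    return None


def not_found_summary(records, ip):
    """Q3/Q4: number of 404s for `ip` and the User-Agents behind them, most first."""
    misses = [r for r in records
              if r["transaction.remote_address"] == ip and r["response.status"] == 404]
    by_ua = Counter(r["request.headers.User-Agent"] for r in misses).most_common()
    return len(misses), by_ua


if __name__ == "__main__":
    ip, n = noisiest_source(RECORDS)
    print(f"attacker IP: {ip} ({n} requests)")
    print("first scanner:", first_scanner_ua(RECORDS, ip))
    total, by_ua = not_found_summary(RECORDS, ip)
    print(f"404s from {ip}: {total}; enumeration tool: {by_ua[0][0]}")
```

The sort in first_scanner_ua matters: the browser request at 09:30 is earlier than anything from the attacker, which is why the walkthrough first pins the IP and only then sorts Old to New.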
Q5. What is the flag under the interesting directory the attacker found?
So a flag is present in one of the directories found by the attacker.
Since the directory was found, the response status would be 200.
Edit the response.status filter from 404 to 200.
Add Mozilla/5.0 (Gobuster) to the filter by clicking the + sign that appears when hovering over it.
Now check the http.url field for the interesting directory.
Voila. Got the flag.
A5. a766*************************539a
Q6. What login page did the attacker discover using the dir enumeration tool?
Now to find the login page.
The page was discovered using the dir enum tool, so we don’t have to change the User-Agent filter.
Since we have not found any login page while filtering on 200,
we can exclude that status code. Also exclude 404, obviously.
After adding these exclusions to the filter, we can go through the http.url field to find our login page.
There you go, our login page with response code 401.
A6. /admin-login.php
Q7. What was the user agent of the brute-force tool that the attacker used on the admin panel?
Now to find the brute-force tool used on the admin panel.
We can clear the User-Agent and response.status filters.
Since it is a login brute-force, there would be a lot of 401 (Unauthorized) response codes.
We can add it to the filter.
Now observe the User-Agent field.
There you go, the user agent of the brute-force tool.
A7. Mozilla/4.0 (Hydra)
Q8. What username:password combination did the attacker use to gain access to the admin page?
We know the User-Agent of the brute-force tool, so add it to the filter.
Since the attacker gained access, we know the response won’t be 401,
so add that as an exclusion to the filter.
We got one hit with a 200 status code.
Now click on the button marked in the above image to view the details of that request.
We got YWRtaW46dGh4MTEzOA==,
which is Base64 encoded. Decode it for the answer.
A8. admin:thx1138
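Q7 and Q8 together are a small detection and follow-up: a User-Agent responsible for a burst of 401s, then the single 200 from that same tool, whose HTTP Basic header carries the credentials in Base64. The script below is an added example, not code from the original post or from TryHackMe. It assumes the Authorization header is exposed as request.headers.Authorization in the form "Basic <base64>", which the post does not state explicitly (it only shows the Base64 value); the records are constructed samples, and the 401 attempts use made-up passwords encoded on the fly.

```python
"""Brute-force follow-up for Q7/Q8, offline (added example, constructed data)."""
import base64
import binascii
from collections import Counter

HYDRA_UA = "Mozilla/4.0 (Hydra)"       # quoted in the post
GOBUSTER_UA = "Mozilla/5.0 (Gobuster)"  # quoted in the post
LOGIN = "/admin-login.php"


def basic(creds):
    """Encode 'user:pass' as an HTTP Basic header value (helper for sample data)."""
    return "Basic " + base64.b64encode(creds.encode()).decode()


def rec(ts, ua, url, status, auth=None):
    """One constructed record in the room's field layout, Authorization optional."""
    r = {"@timestamp": ts, "request.headers.User-Agent": ua,
         "http.url": url, "response.status": status}
    if auth:
        r["request.headers.Authorization"] = auth  # assumed field name
    return r


RECORDS = [
    rec("2023-07-26T11:00:00Z", GOBUSTER_UA, LOGIN, 401),
    rec("2023-07-26T11:10:00Z", HYDRA_UA, LOGIN, 401, basic("admin:123456")),
    rec("2023-07-26T11:10:01Z", HYDRA_UA, LOGIN, 401, basic("admin:password")),
    rec("2023-07-26T11:10:02Z", HYDRA_UA, LOGIN, 401, basic("admin:letmein")),
    # The one hit: the Base64 value is the one the post recovered from the request.
    rec("2023-07-26T11:10:03Z", HYDRA_UA, LOGIN, 200, "Basic YWRtaW46dGh4MTEzOA=="),
]


def bruteforce_user_agents(records, min_401=3):
    """Q7: User-Agents with at least `min_401` Unauthorized responses, noisiest first."""
    counts = Counter(r["request.headers.User-Agent"]
                     for r in records if r["response.status"] == 401)
    return [ua for ua, n in counts.most_common() if n >= min_401]


def decode_basic_auth(header):
    """Turn 'Basic <b64>' into (user, password); None if not Basic or not decodable."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    token += "=" * (-len(token) % 4)  # repair padding that log pipelines sometimes strip
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def successful_logins(records, ua):
    """Q8: 200 responses to `ua`, oldest first, with decoded credentials where present."""
    hits = []
    for r in sorted(records, key=lambda r: r["@timestamp"]):
        if r["request.headers.User-Agent"] == ua and r["response.status"] == 200:
            creds = decode_basic_auth(r.get("request.headers.Authorization", ""))
            hits.append((r["@timestamp"], r["http.url"], creds))
    return hits


if __name__ == "__main__":
    for ua in bruteforce_user_agents(RECORDS):
        print("brute-force tool:", ua)
        for when, url, creds in successful_logins(RECORDS, ua):
            print(f"  {when} {url} -> {creds}")
```

The Gobuster 401 from Q6 stays below the threshold, so only Hydra is reported; the threshold is the knob to tune against your own baseline of normal failed logins.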
Q9. What flag was included in the file that the attacker uploaded from the admin directory?
So the attacker uploaded a file from the admin directory. First, we can check the admin directory.
For that, go to the search bar and type http.url : /admin/*
This means http.url equals /admin/, and because of the wildcard (*) it also matches whatever comes after /admin/.
We got upload.php and action from the admin directory; let’s see more details about those.
By enlarging the request body, we get the flag.
A9. THM{ecb****************************447}
Q10. What was the first command the attacker ran on the web shell?
While doing the last question we noticed the name of the uploaded file,
i.e. easy-simple-php-webshell.php
Now just put that filename in the search bar within single quotes ( ‘ ) to filter all requests containing that keyword.
Also add the 200 status code to the filter.
Since we need the first command, sort the timestamp from Old to New,
as we did previously.
Now observe the http.url field for our answer.
We can see the first command the attacker ran.
A10. whoami
Q11. What file location on the web server did the attacker extract database credentials from using Local File Inclusion?
While we filtered on /admin/*, we noticed some path traversal requests.
Let’s check those again.
We got a repeating file path in http.url, and since the attacker extracted database credentials, that confirms the file.
A11. /etc/phpmyadmin/config-db.php
Q12. What directory did the attacker use to access the database manager?
An easy one, right?
A12. /phpmyadmin
Q13. What was the name of the database that the attacker exported?
Since we know the attacker used the phpmyadmin directory to access the database, we can add that to the filter, with a wildcard (*) of course.
Also set the timestamp to New to Old, as the attacker would be accessing this DB more towards the end, I think.
There were a lot more requests than I expected.
But a few of them got my attention:
[export.php, import.php, tbl_replace.php]
Since our attacker exported the database, let’s check export.php first.
By enlarging the message body, we get a mostly URL-encoded message.
In it we can observe the database name.
We can also URL decode the entire message for better readability.
A13. customer_credit_cards
Q14. What flag does the attacker insert into the database?
Now to find the flag that the attacker inserted.
My first thought was to check the previously found import.php, then tbl_replace.php.
By expanding the message in import.php, we can see some SQL queries, success messages and so on (marked in the red box above).
As it is mostly URL encoded, we can decode it.
"body":["is_js_confirmed=0&db=customer_credit_cards&table=credit_cards&token=302e562342217c5d6258344222294172&pos=0&goto=tbl_sql.php
&message_to_show=Your+SQL+query+has+been+executed+successfully.&
prev_sql_query=INSERT+INTO+%60credit_cards%60+(%60card_number%60%2C+%60cardholder_name%60%2C+%60expiration_date%60%2C+%60cvv%60)
+VALUES+
('000'%2C+'c6aa3215a7d519eeb40a660f3b76e64c'%2C+'000'%2C+'000')%3B
&sql_query=INSERT+INTO+%60credit_cards%60+(%60card_number%60%2C+%60cardholder_name%60%2C+%60expiration_date%60%2C+%60cvv%60)+VALUES+
('000'%2C+'c6aa3215a7d519eeb40a660f3b76e64c'%2C+'000'%2C+'000')%3B&ur
👆 This is the URL-encoded message, cleaned up a bit 😅
Now, 👇 this is the decoded one.
"body":["is_js_confirmed=0&db=customer_credit_cards&table=credit_cards&token=302e562342217c5d6258344222294172&pos=0&goto=tbl_sql.php
&message_to_show=Your+SQL+query+has+been+executed+successfully.&
prev_sql_query=INSERT+INTO+`credit_cards`+(`card_number`,+`cardholder_name`,+`expiration_date`,+`cvv`)
+VALUES+
('000',+'c6aa3215a7d519eeb40a660f3b76e64c',+'000',+'000');
&sql_query=INSERT+INTO+`credit_cards`+(`card_number`,+`cardholder_name`,+`expiration_date`,+`cvv`)+VALUES+
('000',+'c6aa3215a7d519eeb40a660f3b76e64c',+'000',+'000');&
From this we can understand that the attacker inserted a credit card record.
But only the cardholder_name field has a real value, and it’s just a random alphanumeric string. It would be our flag.
And it indeed is our flag ☺️.
A14. c6aa**************************e64c
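The message body above is a standard application/x-www-form-urlencoded form (+ for spaces, %60 for backticks, %2C for commas, %3B for semicolons), so the URL decoding done by hand in Q13 and Q14 can be reproduced with the standard library. The script below is an added example, not code from the original post or from phpMyAdmin: it decodes the body, pulls out db, table and sql_query, splits the INSERT into column/value pairs and reports the one value that is not the 000 filler. BODY is the encoded body the post shows, joined into one string; the truncated "&ur" tail at the end of the post’s copy is left out rather than guessed.

```python
"""Decoding the phpMyAdmin import.php body from Q13/Q14 (added example)."""
import re
from urllib.parse import parse_qs

# The encoded form body as shown in the post, joined into one string.
BODY = (
    "is_js_confirmed=0&db=customer_credit_cards&table=credit_cards"
    "&token=302e562342217c5d6258344222294172&pos=0&goto=tbl_sql.php"
    "&message_to_show=Your+SQL+query+has+been+executed+successfully."
    "&prev_sql_query=INSERT+INTO+%60credit_cards%60+(%60card_number%60%2C+%60cardholder_name%60"
    "%2C+%60expiration_date%60%2C+%60cvv%60)+VALUES+('000'%2C+'c6aa3215a7d519eeb40a660f3b76e64c'"
    "%2C+'000'%2C+'000')%3B"
    "&sql_query=INSERT+INTO+%60credit_cards%60+(%60card_number%60%2C+%60cardholder_name%60"
    "%2C+%60expiration_date%60%2C+%60cvv%60)+VALUES+('000'%2C+'c6aa3215a7d519eeb40a660f3b76e64c'"
    "%2C+'000'%2C+'000')%3B"
)

# Matches the single-row INSERT shape phpMyAdmin emits: backticked columns, quoted values.
INSERT_RE = re.compile(r"INSERT INTO `(\w+)` \((.*?)\) VALUES \((.*?)\);?", re.IGNORECASE)


def decode_form(body):
    """URL-decode a form body into {field: first value}; blank fields are kept."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_insert(sql):
    """Split a simple single-row INSERT into (table, {column: value}).

    Only handles the shape seen here (no embedded commas or escaped quotes in
    values); returns None for anything it cannot read.
    """
    m = INSERT_RE.search(sql)
    if not m:
        return None
    table, cols, vals = m.groups()
    columns = [c.strip().strip("`") for c in cols.split(",")]
    values = [v.strip().strip("'") for v in vals.split(",")]
    if len(columns) != len(values):
        return None
    return table, dict(zip(columns, values))


def non_placeholder_values(row, placeholder="000"):
    """Columns whose value differs from the filler the attacker used for the rest."""
    return {c: v for c, v in row.items() if v != placeholder}


if __name__ == "__main__":
    form = decode_form(BODY)
    print("database:", form["db"])                 # Q13
    table, row = parse_insert(form["sql_query"])
    print("table:", table)
    print("inserted row:", row)
    print("flag candidate:", non_placeholder_values(row))  # Q14
```

parse_qs splits on & before percent-decoding, so the %3B inside the query does not break the field up; decoding the whole blob with unquote_plus first and then splitting on & would be the wrong order.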
And that’s the end of this room. It was quite fun doing it.
It’ll give you basic knowledge of using the Elastic Stack as a SIEM.
Thank you for following along with me.
See you again with another post.
Bye👋.