Which security scanning tool was utilized by the attacker to fingerprint the blog website?
Check the access log file in /Logs/var/log/apache2; the User-Agent column of each request identifies the tool.
cat access.log | head -n 30
…
23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "GET /index.php/register/ HTTP/1.1" 200 11312 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 680 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "HEAD /wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip HTTP/1.1" 404 140 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:34 +0000] "HEAD /wp-content/uploads/dump.sql HTTP/1.1" 404 140 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:34 +0000] "HEAD /emergency.php HTTP/1.1" 404 140 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:34 +0000] "GET /wp-cron.php HTTP/1.1" 200 240 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:34 +0000] "HEAD /wp-includes/version.php HTTP/1.1" 200 128 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
…
Which CVE was exploited by the attacker?
CVE-2023-3460
What was the IP Address utilized by the attacker to exploit the CVE?
23.106.60.163
What is the name of the backdoor user added to the blog as part of the exploitation process?
Also from the access log file, filtered to the attacker's IP:
cat access.log | grep "23.106.60.163" | tail -n 10
secragon
After the exploit, the SOC team observed that the attacker's IP address changed, and from the logs it seems that the attacker manually explored the website after logging in. The SOC team believes that the previous IP seen during exploitation was a public cloud IP. What is the IP Address the attacker used after logging in to the site?
According to this post, a theme file is used for the backdoor. The request that saves it through the theme editor comes from the new IP:
198.16.74.45 - - [08/Aug/2023:09:01:53 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 576 "http://3.110.136.25/wp-admin/theme-editor.php?file=patterns%2Fhidden-comments.php&theme=twentytwentythree" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
198.16.74.45
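The three access-log questions above (scanner fingerprinting, the pivot to a second client IP, and the theme-editor edit that planted the backdoor) can be answered with one small log parser. This is an added example, not part of the original write-up; it uses the page's own log lines (re-typed with straight quotes) as a constructed sample, and the scanner marker list is an assumption of the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# User-Agent substrings of common scanners (assumed list); WPScan is the one in this case.
SCANNER_MARKERS = ("wpscan", "nikto", "sqlmap", "nmap scripting engine")
# Constructed sample: two lines from the write-up's access.log excerpt (straight
# quotes restored) plus the post-login theme-editor request from the second IP.
SAMPLE_LOG = """\
23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "GET /index.php/register/ HTTP/1.1" 200 11312 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:21:34 +0000] "HEAD /wp-content/uploads/dump.sql HTTP/1.1" 404 140 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
198.16.74.45 - - [08/Aug/2023:09:01:53 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 576 "http://3.110.136.25/wp-admin/theme-editor.php?file=patterns%2Fhidden-comments.php&theme=twentytwentythree" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scanner_hits(lines):
    """Map each client IP to the scanner names found in its User-Agent strings."""
    hits = {}
    for rec in filter(None, map(parse_line, lines)):
        for marker in SCANNER_MARKERS:
            if marker in rec["agent"].lower():
                hits.setdefault(rec["ip"], set()).add(marker)
    return hits


def ip_timeline(lines):
    """Per client IP, in order of first appearance: first/last timestamp and request count."""
    timeline = {}  # dicts keep insertion order, so keys come out in first-seen order
    for rec in filter(None, map(parse_line, lines)):
        e = timeline.setdefault(rec["ip"], {"first": rec["time"], "last": None, "count": 0})
        e["last"], e["count"] = rec["time"], e["count"] + 1
    return timeline


def theme_editor_edits(lines):
    """(ip, theme, file) for theme files saved via theme-editor.php, read from the admin-ajax POST's Referer."""
    edits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and "admin-ajax.php" in rec["path"] and "theme-editor.php?" in rec["referer"]:
            qs = parse_qs(urlparse(rec["referer"]).query)  # parse_qs also decodes %2F -> /
            edits.append((rec["ip"], qs.get("theme", [""])[0], qs.get("file", [""])[0]))
    return edits
```

Run it against the real access.log by replacing SAMPLE_LOG with open("access.log").read().splitlines(); the theme and file values recovered from the Referer match the webshell path confirmed later in the write-up.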
The SOC team has suspicions that the attacker added a web shell for persistent access. Confirm the full path of the web shell on the server.
The clue is in the ip-172-31-11-131-20230808-0937-pot-webshell-first-1000.txt file.
/var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php
What was the value of the $shell variable in the web shell?
The variable is defined in the same log file.
What is the size of the webshell in bytes?
Copy the webshell part out to its own file and check the file size in bytes.
2592
The SOC team believes that the attacker utilized the webshell to get RCE on the server. Can you confirm the C2 IP and Port?
43.204.24.76:6969
What is the process ID of the process which enabled the Threat Actor (TA) to gain hands-on access to the server?
In the ip-172-31-11-131-20230808-0937-processes-axwwSo.txt file, you can see the command executed by the reverse shell.
234521
What is the name of the script/tool utilized as part of internal enumeration and finding privilege escalation paths on the server?
Check the ip-172-31-11-131-20230808-0937-dev-dir-files.txt file.