Forensic
The famous company dev.corp was hacked last week.
They don't understand how, because they followed the security standards meant to prevent this kind of situation. You are mandated to help them understand the attack.
For this first step, you're given the logs of the webserver of the company.
Could you find:
- The CVE used by the attacker?
- The absolute path of the most sensitive file recovered by the attacker?
Format: Hero{CVE-XXXX-XXXX:/etc/passwd}
Author: Worty
Here is a diagram representing the company's infrastructure:
When we dig through the logs, we see that we can't sort by IP because source IPs aren't logged.
But if we look closer, we see that a path traversal has been exploited; the first one is:
/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../../etc/passwd
If we google "duplicator_download", we find that this path traversal was assigned CVE-2020-11738.
Moreover, the attacker exfiltrated various files, but the most sensitive one is ../../../../../../../../../home/webuser/.ssh/id_rsa_backup
(we can tell because the request for id_rsa itself answered with a 500 code, probably a permission denied, while the backup copy was served successfully).
Hero{CVE-2020-11738:/home/webuser/.ssh/id_rsa_backup}
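The triage done by hand above (spot the traversal requests, resolve the dotted paths, then separate the files the server actually served from the ones that failed with a 500) can be scripted so it scales to a large log. The script below is an added example written for this writeup, not part of the original challenge or its solution. The log lines are constructed in Apache common log format with "-" in the client column, mirroring the challenge's logs which recorded no source IP; the request paths follow the Duplicator pattern shown above but the timestamps, sizes and the extra /etc/shadow attempt are invented for the sample.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache common log format (not the challenge's real logs).
# The client address is "-" because the challenge logs did not record source IPs;
# nothing below depends on it.
SAMPLE_LOG = """\
- - - [01/Mar/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../../etc/passwd HTTP/1.1" 200 1432
- - - [01/Mar/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../../home/webuser/.ssh/id_rsa HTTP/1.1" 500 0
- - - [01/Mar/2021:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../../home/webuser/.ssh/id_rsa_backup HTTP/1.1" 200 2602
- - - [01/Mar/2021:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
- - - [01/Mar/2021:10:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 500 0
"""

# host ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_target(target):
    """If any query parameter of the request target carries a '..' path component
    (after percent-decoding), return the absolute path it resolves to; else None."""
    params = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes the values
    for values in params.values():
        for value in values:
            if ".." in value.split("/"):
                # Resolve against the filesystem root: with enough '..' components an
                # unsanitised join inside the web root ends up at '/', so this gives
                # the file the server would actually have opened.
                return posixpath.normpath("/" + value)
    return None


def find_traversal(log_text):
    """Return (resolved_path, http_status) for every traversal request, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = traversal_target(rec["target"])
        if path is not None:
            hits.append((path, int(rec["status"])))
    return hits


def split_by_outcome(hits):
    """Separate files the server served (2xx) from attempts that failed (4xx/5xx,
    e.g. a 500 caused by a permission error), keeping log order in each list."""
    served = [p for p, s in hits if 200 <= s < 300]
    failed = [p for p, s in hits if s >= 400]
    return served, failed


if __name__ == "__main__":
    served, failed = split_by_outcome(find_traversal(SAMPLE_LOG))
    print("served:", served)
    print("failed:", failed)
```

Run against the sample, the served list is the set of files to treat as compromised (here /etc/passwd and the id_rsa_backup key), while the failed list shows what the attacker tried and did not get. Resolving the decoded value with posixpath.normpath is what turns the long ../ chain into the absolute path the challenge asks for, and it also catches the percent-encoded variant that a plain substring search for "../" would miss.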