THM AOC2024 Day 3: Logging the Intrusion – Decoding Events and Exploiting Gaps

Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!

Learning Objectives

  • Understand log analysis using ELK (Elasticsearch, Logstash, and Kibana).
  • Learn to query effectively with Kibana Query Language (KQL) to investigate logs.
  • Gain insights into Remote Code Execution (RCE) and its exploitation via insecure file uploads.

Tools of the Day

  • ELK Stack: A platform for centralized log aggregation and visualization.
  • KQL (Kibana Query Language): A query syntax for filtering and analyzing logs.
  • Web Shells: Tools attackers use to gain remote control over vulnerable servers.

Deep Dive Into the Tools

1. ELK Stack
The ELK stack combines Elasticsearch, Logstash, and Kibana to centralize logs and make analysis efficient. By aggregating logs into a single location, ELK empowers teams to quickly identify patterns, trace incidents, and investigate anomalies.

2. KQL (Kibana Query Language)
KQL is a user-friendly query syntax that simplifies the search and analysis of logs. Whether filtering for specific IPs, error codes, or suspicious activity, KQL allows analysts to pinpoint critical data with ease.

3. Web Shells
Web shells are scripts that provide attackers with remote control of a compromised server. Once uploaded, they allow command execution, data exfiltration, and lateral movement. Understanding how web shells work is essential for recognizing their use in attacks and mitigating their impact.


Operation Blue: Investigating an Intrusion

The first task focused on using ELK to investigate a potential breach of Frosty Pines Resort's hotel management system. Logs revealed an attack that occurred on October 3, 2024, between 11:30 and 12:00.

  1. Access ELK
    Opened the Discover interface in Kibana and selected the "frostypines-resorts" index to narrow the investigation.
  2. Set the Time Range
    Filtered the logs to display events between 11:30 and 12:00 on October 3, 2024.
  3. Filter by Activity
    Focused on the IP address 10.11.83.34 to isolate the attacker's actions.
  4. Identify Malicious Behavior
    Discovered that a malicious file named shell.php was uploaded to /media/images/rooms/. Logs confirmed that the attacker accessed the shell and executed commands.
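As an added example (not part of the TryHackMe room or this writeup), the same hunt done outside Kibana in Python: it parses a few constructed combined-format access-log lines and flags successful requests that execute a server-side script from a directory that should only ever hold images, then ranks the client IPs behind them. The sample lines and the `command=` query parameter are constructed assumptions, not values taken from the room's ELK data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (not the room's ELK data).
# The "?command=" parameter is an assumed shell parameter, not one from the page.
SAMPLE_LOG = """\
10.11.83.34 - - [03/Oct/2024:11:36:12 +0000] "POST /admin/profile/upload HTTP/1.1" 200 512
10.11.83.34 - - [03/Oct/2024:11:36:40 +0000] "GET /media/images/rooms/shell.php?command=whoami HTTP/1.1" 200 33
10.11.83.34 - - [03/Oct/2024:11:37:05 +0000] "GET /media/images/rooms/shell.php?command=ls%20-la HTTP/1.1" 200 920
10.9.1.22 - - [03/Oct/2024:11:38:00 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 4096
10.9.1.22 - - [03/Oct/2024:11:39:10 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Directories that should only ever serve static images.
IMAGE_DIRS = ("/media/images/", "/admin/assets/img/")
# Extensions the web server would execute instead of serving as a file.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".jsp", ".aspx")

def find_webshell_hits(log_text):
    """Return (ip, timestamp, path, query) for every successful request that
    executed a server-side script inside an image-only directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        url = urlsplit(m["target"])
        path = url.path.lower()
        if (path.startswith(IMAGE_DIRS) and path.endswith(SCRIPT_EXTS)
                and m["status"].startswith("2")):
            hits.append((m["ip"], m["ts"], url.path, url.query))
    return hits

def rank_sources(hits):
    """Client IPs ordered by number of web-shell executions, busiest first."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    hits = find_webshell_hits(SAMPLE_LOG)
    for ip, ts, path, query in hits:
        print(f"{ts} {ip} {path}?{query}")
    print("sources:", rank_sources(hits))
```

The failed probe from 10.9.1.22 (status 404) is deliberately excluded, so only requests the server actually executed are reported; the same condition translates directly into a KQL filter on the path, extension and status fields.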

Operation Red: Exploiting the Vulnerability

The second part of the task explored how the attack was executed to better understand the exploited vulnerability.

  1. Unrestricted File Upload
    The application's file upload feature failed to validate file types, allowing the upload of a malicious shell.php file.
  2. Deploy the Web Shell
    The shell was uploaded through the profile image feature and stored in /admin/assets/img/profile/shell.php.
  3. Command Execution
    Accessed the web shell and ran commands directly on the server, demonstrating the potential impact of the vulnerability.
  4. Capture the Flag
    Extracted the flag THM{Gl1tch_Was_H3r3} from the compromised system.

Recap of Learning Objectives

1. Log Analysis with ELK
Log analysis is a cornerstone of cybersecurity operations. Tools like ELK streamline the process by centralizing data from multiple sources and providing robust visualization options. Beyond security, ELK is invaluable in IT and business analytics for monitoring performance and resolving issues.

2. Querying Logs with KQL
KQL makes it easy to search and filter vast datasets without needing advanced scripting knowledge. It is a critical skill for SOC analysts and anyone involved in threat hunting or incident response.

3. Remote Code Execution (RCE)
RCE vulnerabilities pose a significant risk to organizations by granting attackers full control of compromised systems. Understanding how RCE attacks work is vital for both offensive and defensive security practices. Proper input validation and secure file handling are essential to prevent these exploits.
