Hacking a Vulnerable VM: Unmasking Vulnerabilities and Analyzing Incidents in Kibana
Tools
Firefox, Hydra, Nmap, John the Ripper, Metasploit, curl, MSFVenom
Network Topology
![](https://cdn-images-1.medium.com/max/800/1*xk13THmFxfgd69muy0-QSA.png)
Red Team Security Assessment
Recon
Nmap identified the following hosts on the network:
![](https://cdn-images-1.medium.com/max/800/1*oW85RtFLMYwSrcjNcG0a2A.png)
Vulnerability Assessment
The assessment uncovered the following critical vulnerabilities in the target:
![](https://cdn-images-1.medium.com/max/800/1*diSq9LMTQKaCqcmBzVmw8Q.png)
Exploitation: Sensitive Data Exposure
![](https://cdn-images-1.medium.com/max/800/1*xPzR61QwZEy4Y6OlcG-r-g.png)
The Nmap scan found host 192.168.1.105 with port 80 open.
![](https://cdn-images-1.medium.com/max/800/1*3yWCgoLcKXXxScd4PCGCGg.png)
Checked and verified in the Firefox web browser that a web server was up and running at http://192.168.1.105.
![](https://cdn-images-1.medium.com/max/800/1*CzDjFO0OSjhahtOyx8rzyw.png)
Discovered a reference to a /secret_folder/ as well as information about the team, which made it possible to determine usernames and roles: specifically the user Ashton and the company_folders/secret_folder directory.
![](https://cdn-images-1.medium.com/max/800/1*XT9Osu6sWD_kuDKs19ZfdQ.png)
![](https://cdn-images-1.medium.com/max/800/1*gDXu8KLD7FxLvvr2kyibyg.png)
Exploitation: Brute Force
Hydra was used to successfully perform a dictionary attack against the login portal for the secret_folder directory:
hydra -l ashton -P /usr/share/wordlists/rockyou.txt.gz -s 80 -f -vV 192.168.1.105 http-get /company_folders/secret_folder
![](https://cdn-images-1.medium.com/max/800/1*v19zfmEsuJU9IpYMdyV3LA.png)
![](https://cdn-images-1.medium.com/max/800/1*hmp1ZUz7DnlVy-cPqTFUvg.png)
![](https://cdn-images-1.medium.com/max/800/1*szU8cgogvf--XJ5tplz2cA.png)
Hash of Ryan’s password
Exploitation: Unauthorized File Upload
![](https://cdn-images-1.medium.com/max/800/1*DPuE-ASRF-0ezZKEY5o3XQ.png)
Exploitation: Brute Force
Used CrackStation to crack the password hash and access Ryan's account.
![](https://cdn-images-1.medium.com/max/800/1*7MHV1zRo5xfW5Cn9LUdzgg.png)
![](https://cdn-images-1.medium.com/max/800/1*z7Lm2yItuQqQHsk63x1sSw.png)
![](https://cdn-images-1.medium.com/max/800/1*SoHHXKmjvIyeUqeiiRjjhA.png)
Exploitation: Unauthorized File Upload
Used MSFVenom to create a malicious payload designed to give a reverse shell.
![](https://cdn-images-1.medium.com/max/800/1*ocXVQ4ldP0yyQrwL66mxKw.png)
![](https://cdn-images-1.medium.com/max/800/1*GwL3MjxxxMGBbBlklyr4Tg.png)
![](https://cdn-images-1.medium.com/max/800/1*wCOGQPdj8WeyfvI6aLA-Fw.png)
![](https://cdn-images-1.medium.com/max/800/1*kqxK3xVUfk_HqRZq7BFPQA.png)
![](https://cdn-images-1.medium.com/max/800/1*bqafg2vTbNMoLBW-gNGsXw.png)
Exploitation: Remote Code Execution
![](https://cdn-images-1.medium.com/max/800/1*BGGocFQDYs0mOIu6n8z_Kg.png)
Reverse Shell Backdoor
Activated shell.php on the web server.
![](https://cdn-images-1.medium.com/max/800/1*8HYVHMOpQFZp1IfhoyYhsQ.png)
Obtained a Meterpreter shell and found the flag.
![](https://cdn-images-1.medium.com/max/800/1*Av0c2jE8Wtq6bnF094nj4w.png)
![](https://cdn-images-1.medium.com/max/800/1*iAojGOtNUozJSMkX70G_ww.png)
Blue Team Log Analysis and Attack Characterization
Kibana Panels are as follows:
- HTTP status codes for the top queries [Packetbeat] ECS
- Top 10 HTTP requests [Packetbeat] ECS
- Network Traffic Between Hosts [Packetbeat Flows] ECS
- Top Hosts Creating Traffic [Packetbeat Flows] ECS
- Connections over time [Packetbeat Flows] ECS
- HTTP error codes [Packetbeat] ECS
- Errors vs successful transactions [Packetbeat] ECS
- HTTP Transactions [Packetbeat] ECS
![](https://cdn-images-1.medium.com/max/800/1*wyBqadknWPj1rOduhmXw4A.png)
Analysis: Identifying the Port Scan
What time did the port scan occur?
● 23:05
![](https://cdn-images-1.medium.com/max/800/1*qgzHHCH4cwCMWoK5yjjOkg.png)
How many packets were sent, and from which IP?
● 1,379 packets, from IP address 192.168.1.90.
![](https://cdn-images-1.medium.com/max/800/1*UZ2yQhmer3XqI3kdBrm8qA.png)
We can observe that the victim responded with 401 (Unauthorized), 207 (Multi-Status), 200 (OK), and 404 (Not Found) responses.
What responses did the victim send back?
● We can see 401, 301, 207, 404 and 200 as the top responses.
![](https://cdn-images-1.medium.com/max/800/1*ED_D5rPm4bMruqZbie_v1A.png)
What data is concerning from the Blue Team perspective?
● We can see a connection spike in the Connections over time [Packetbeat Flows] ECS
● We can also see a spike in errors in the Errors vs successful transactions [Packetbeat] ECS
![](https://cdn-images-1.medium.com/max/800/1*emUF08i-R5izShTjelOK_w.png)
Analysis: Finding the Request for the Hidden Directory
What time did the request occur? How many requests were made?
● 16,619 requests.
Which files were requested? What did they contain?
● The top three directories and files requested were:
- http://192.168.1.105/company_folder/secret_folder
- http://192.168.1.105/company_folder/webdav
- http://192.168.1.105/webdav/shell.php
![](https://cdn-images-1.medium.com/max/800/1*7N0S54n97YQKK0iWi3pkHA.png)
Analysis: Finding the WebDAV Connection
The secret_folder directory was requested 16,619 times.
The shell.php file was requested 22 times.
![](https://cdn-images-1.medium.com/max/800/1*W0WCSlVe-uk0lwlttCxqgQ.png)
Analysis: Uncovering the Brute Force Attack
The logs contain evidence of a large number of requests for the sensitive data, of which only one was successful. This is a telltale signature of a brute-force attack.
![](https://cdn-images-1.medium.com/max/800/1*7N0S54n97YQKK0iWi3pkHA.png)
![](https://cdn-images-1.medium.com/max/800/1*RDhwuRrdOGMY7Jd4MHcsDQ.png)
Chart of Successful vs. Unsuccessful Requests
401 = Unsuccessful, 301 = Successful
![](https://cdn-images-1.medium.com/max/800/1*b9wtiXtxtnIiW_x58JL6PA.png)
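To turn the 401-then-301 pattern in the chart (and the shell.php hits from the WebDAV analysis) into something an alarm can act on, here is an added Python example that is not part of the original post. It scans Packetbeat-style HTTP events using ECS field names; the sample events, the threshold of five failures and the timestamps are constructed for illustration.

```python
from collections import defaultdict

# Packetbeat HTTP events use ECS field names; these are constructed samples
# shaped like the 401/301 burst and the shell.php request seen in the analysis.
def ev(ts, ip, path, code):
    return {"@timestamp": ts, "source.ip": ip, "url.path": path,
            "http.response.status_code": code}

SECRET = "/company_folders/secret_folder"
SAMPLE_EVENTS = (
    [ev(f"2020-01-01T23:05:{i:02d}Z", "192.168.1.90", SECRET, 401) for i in range(6)]
    + [ev("2020-01-01T23:05:06Z", "192.168.1.90", SECRET, 301)]   # a guess lands
    + [ev("2020-01-01T23:07:00Z", "192.168.1.90", "/webdav/shell.php", 200)]
    + [ev("2020-01-01T23:01:00Z", "192.168.1.50", SECRET, 401)]   # one stray 401
)

def brute_force_sources(events, threshold=5):
    """Flag (source IP, path) pairs that collected at least `threshold` 401s
    and were then answered with a non-401 status on the same path.
    Returns {(ip, path): {"failed": n, "succeeded": m}}."""
    failed, succeeded = defaultdict(int), defaultdict(int)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        key = (e["source.ip"], e["url.path"])
        if e["http.response.status_code"] == 401:
            failed[key] += 1
        elif failed[key] >= threshold:
            # a success only counts once the failure burst is already present
            succeeded[key] += 1
    return {k: {"failed": failed[k], "succeeded": succeeded[k]}
            for k in failed if failed[k] >= threshold and succeeded[k] > 0}

def webshell_requests(events, suffixes=(".php",)):
    """Requests for server-side scripts under /webdav/: the sign of an uploaded
    web shell being invoked, which has no legitimate reason to appear."""
    return [e for e in events
            if e["url.path"].startswith("/webdav/") and e["url.path"].endswith(suffixes)]

if __name__ == "__main__":
    for key, counts in brute_force_sources(SAMPLE_EVENTS).items():
        print("brute force:", key, counts)
    for e in webshell_requests(SAMPLE_EVENTS):
        print("web shell hit:", e["@timestamp"], e["source.ip"], e["url.path"])
```

The same two conditions map directly onto Kibana alerts: a per-source count of 401s on one path followed by any 2xx/3xx, and any request for a script under the WebDAV share.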
Blue Team Proposed Alarms and Mitigation Strategies
![](https://cdn-images-1.medium.com/max/800/1*9m3n49cLvL2E27fQbohT3g.png)
![](https://cdn-images-1.medium.com/max/800/1*-Z8gBIz8l7pX9H4lQwnjcQ.png)
![](https://cdn-images-1.medium.com/max/800/1*kmG663iufxh8p5TCaTx1_Q.png)
![](https://cdn-images-1.medium.com/max/800/1*5VXwtJrX2bzmpISYNO3Nbw.png)
![](https://cdn-images-1.medium.com/max/800/1*A4YOm2yWgE4A825-GWGq1w.png)