Analyzing Log Files — Juicy Details

Published on 2022-01-22

Category: Incident Response

This is a write-up for GEEZET1's TryHackMe Juicy Details room. The main purpose of this room is to get familiar with analyzing log files, which is crucial when identifying cyber threats and vulnerabilities.

We are given a scenario where we are a SOC Analyst for one of the biggest juice shops in the world, and an attacker has infiltrated our network. We are provided with three log files and must identify the techniques used to breach our environment.

Juicy Details Banner

Reconnaissance

The three log files are briefly shown below:

Access Log
Figure: access.log

Auth Log
Figure: auth.log

vsftpd Log
Figure: vsftpd.log

After a brief glance at each log, it looks like access.log is a good starting point to find the information we need to determine the techniques used to penetrate our environment. Access logs are typically found on web servers and show all requests for files someone has requested from a website. auth.log holds information about authentication attempts, such as someone trying to log into an account using a password. vsftpd.log is an FTP server log for Unix systems (indicating we’re analyzing logs from a Unix system), containing events that occur on FTP.

Now, we can start scanning the access.log file for events that may indicate techniques used by the attacker.

Nmap Scan in Logs

From the beginning of the log file, as shown above, we can already tell that Nmap is being used. Nmap is a popular network scanner that can identify devices connected to a network. It can also provide deeper information on the services running on a network and more. It appears they have used it to scan our network, so we can include it as a tool used against us.

Hydra Attempts in Logs

After some scrolling and scanning for services, I found Hydra entries. Hydra is a tool used to brute-force usernames and passwords for different services. From the logs, there are a lot of occurrences of Hydra, indicating they were likely brute-forcing us.

SQLMap Usage in Logs

Continuing through the logs, I found entries related to sqlmap. SQL itself is a programming language used to create and manage databases. Sqlmap is a tool created to exploit SQL injection vulnerabilities. Since we are analyzing a server, it's common to have some sort of database located here.

Curl and Feroxbuster in Logs

In the log screenshot above, we identify two more techniques. The first one is curl, which is used to transfer data to and from a server. Since we are on a server, it's very likely they used it to transfer some data. The second technique is Feroxbuster, which is used to perform forced browsing on a web application.

We are now at the end of the log file and have discovered all of the techniques that have been used. We need to figure out which endpoint was vulnerable to a brute-force attack. We have already noted that Hydra was our brute-forcing tool, especially after scrolling through all those log events.

Hydra Brute-force Endpoint

As you can see above, Hydra was targeting /rest/user/login. We know that we have been exploited, and this was the only target that was brute-forced, so we can conclude that this was the vulnerable endpoint.

Next, we need to identify which endpoint was vulnerable to SQL injection. We know that sqlmap was the tool used for SQL injection, so let's look at it again.

SQLMap Target Endpoint

From the logs, /rest/products/search was the only intended target for sqlmap, so we can say that it is vulnerable to SQL injection. The parameter used for the SQL injection is indicated by the q parameter in the query string.

Now, we want to find the endpoint that the attacker exploited to retrieve files. The only tool used that can directly retrieve files is Feroxbuster.

Feroxbuster Discovery

Feroxbuster targeted several directories, but under /ftp, it seems two .bak files were located.

Stolen Data

After conducting reconnaissance on the log files, we now want to find what data was stolen. We need to look out for the attacker’s movement on the website, response codes, and abnormal query strings.

Product Reviews in Logs

We aim to find where a hacker could scrape user email addresses from our website. By scanning the logs, we find that product reviews are a common place where users would comment, as shown above.

We know that a brute-force attack was launched against us, but was it successful?

Successful Brute-force Entry

From the above log entries, there are many 400, 500, and 501 status codes, which are error messages indicating unsuccessful attempts. However, there is one 200 status code hiding in there, which means the attack was successful at that point. The time and date for the successful attack are 11/Apr/2021:09:16:31 +0000 (In TryHackMe, you may have to enter 32 seconds).

Since we know that we were hit by a SQL injection attack, we need to determine what information may have been stolen through it.

SQLMap Data Dump

At the very end of the SQL injection attack by sqlmap, we can see a section containing "email" and "password". This was also accessed using curl immediately afterward.

Previously, we found out that two .bak files (coupons_2013.md.bak and www-data.bak) were attempted to be downloaded using Feroxbuster. We also know that the FTP service was used to gain access to those files because they were in the /ftp directory. If you need a refresher, refer to the screenshot below.

FTP Access Log

We have all of this information, but now we want to know what account or username was used to access these files. Since FTP was the service used, let's check out our vsftpd.log file to look for login attempts.

vsftpd Log Access

In the vsftpd.log file, it appears that an anonymous user accessed those two .bak files.

For our final step in analyzing these log files to complete the room, we have to figure out what service and username were used to gain shell access to the server.

SSH Access Log

In the above screenshot, you can see that the SSH service (used for shell access) was accessed, and a password was accepted for a user named www-data.

Conclusion

This marks the end of the lab. Analyzing log files is a critical skill in cybersecurity, allowing us to uncover and understand malicious activities within a network. I want to thank GEEZET1 for creating an excellent log analysis room!