# Write-Up CyberDefender : Web Investigation

This is a write-up of the CyberDefenders lab "Web Investigation".

You are a cybersecurity analyst working in the Security Operations Center (SOC) of BookWorld, an expansive online bookstore renowned for its vast selection of literature. BookWorld prides itself on providing a seamless and secure shopping experience for book enthusiasts around the globe. Recently, you've been tasked with reinforcing the company's cybersecurity posture, monitoring network traffic, and ensuring that the digital environment remains safe from threats.

Late one evening, an automated alert is triggered by an unusual spike in database queries and server resource usage, indicating potential malicious activity. This anomaly raises concerns about the integrity of BookWorld's customer data and internal systems, prompting an immediate and thorough investigation.

As the lead analyst in this case, you are required to analyze the network traffic to uncover the nature of the suspicious activity. Your objectives include identifying the attack vector, assessing the scope of any potential data breach, and determining if the attacker gained further access to BookWorld's internal systems.

First, we need a tool to analyze the captured packets (.pcap), which is [**Wireshark**](https://www.wireshark.org/download.html).

In Wireshark, since this is an attack against a website, we apply the display filter `http` to show only HTTP requests and responses. This works here because the capture is plain HTTP; traffic wrapped in TLS would only appear under `tls`, with no readable URIs. `http.request` narrows the view to requests alone, which is the most useful starting point for an investigation like this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749641925173/cdac3405-ec1d-45f0-b623-e45a7ec8c1dc.png align="center")

### **Question 1 : By knowing the attacker's IP, we can analyze all logs and actions related to that IP and determine the extent of the attack, the duration of the attack, and the techniques used. Can you provide the attacker's IP?**

To identify the attacker's IP, we first need to determine **when and where the attack occurred**. That means reconstructing the attacker's steps in order: the reconnaissance and **vulnerability scanning** that comes first, then the exploitation attempts, then whatever access was gained. One common attack against websites is **SQL Injection**, where a value supplied by the user (for example a URL parameter) is concatenated into a database query, so the attacker can alter the query and read or modify data on the server.

In Wireshark, the **Source** IP is the sender of the packet and the **Destination** IP is the receiver. The web operates on a **request and response** model: every time a client makes a request, the server responds. **Unusual requests** (for example, URIs containing SQL keywords like `AND`, `OR`, `UNION` or `SELECT`, or a stray single quote `'`, encoded as `%27`) usually indicate an attack attempt, and the source IP of those requests is the attacker. **Statistics > Conversations** (or **Endpoints**) is a quick way to see which client sent by far the most requests to the web server, which in an automated attack is the same address.

### **Question 2: If the geographical origin of an IP address is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the origin city of the attacker?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749642662538/945277a0-ca44-48bd-9bc9-ccd690c5b59a.png align="center")

Once the attacker's IP address (typically a **public IP**) is identified, we can use public services like **IP Address Lookup**, [**WhatIsMyIP**](https://whatismyipaddress.com/), or similar tools to look up its registered location. These services provide the **country, region, city** and other registration details associated with that IP address. Keep in mind that geolocation databases are approximate: city-level results differ between providers and reflect the address allocation, not necessarily where the person sits, so treat the result as an indicator rather than proof.

### **Question 3: Identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the security gap and prevent future exploitation. Can you provide the vulnerable PHP script name?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749643199225/2b0e7411-9868-4562-b29c-7c780c8d5966.png align="center")

When an attacker attempts to breach a website, their requests are directed at a specific URL, and that URL is where the vulnerability lies. In an **SQL Injection** case, particularly when a tool like **sqlmap** is used, you'll see a burst of requests to the same script with SQL fragments embedded in one of its parameters. The vulnerable PHP script is the path component of that URI (everything before the `?`).

Here are some examples of SQL Injection payloads as they commonly appear in a request URL.

Let's assume the legitimate URL for a product page is: `https://example.com/products.php?id=123`

The attacker manipulates the `id` parameter to inject SQL into the query:

- `https://example.com/products.php?id=123%20AND%201=1` (a boolean probe: the page renders the same as the original if the condition is evaluated)
- `https://example.com/products.php?id=123%20UNION%20SELECT%201,2,database(),4--` (a UNION-based read, here pulling the current database name into column 3)
- `https://example.com/products.php?id=123%20%27%20AND%20(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT(0x71716b6b71,(SELECT%20(ELT(2836=2836,1))),0x7170707871,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20--%20`

The last one is a typical sqlmap error-based payload: the `FLOOR(RAND(0)*2) ... GROUP BY` construction forces a duplicate-key error whose message carries the result, and the hex constants (`0x71716b6b71`, `0x7170707871`) are sqlmap's marker strings used to find that result in the response. Seeing this shape in a capture is a strong sign that the traffic was generated by sqlmap rather than typed by hand.

### **Question 4: Establishing the timeline of an attack, starting from the initial exploitation attempt, what is the complete request URI of the first SQLi attempt by the attacker?**

In Wireshark, packets are listed **in capture order** with clear source and destination information. When an attacker probes a website for SQL Injection, there is a **first suspicious request** that marks the beginning of the attempt, usually a parameter with a single quote appended to see whether the application returns an error. Walking the filtered list from the top (or sorting by time) and stopping at the first request from the attacker's IP that contains SQL syntax gives the start of the attack timeline; the complete request URI is shown in the packet details as **Request URI** (field `http.request.uri`).

When analyzing URLs in captured packets, you'll notice that their format isn't always straightforward. They often contain **special symbols that have been URL-encoded**, meaning they are represented by specific codes. For instance, a space character is commonly encoded as `%20`, and a single quote (`'`) becomes `%27`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749644823483/35d418c2-d084-40ef-bdde-40a02b545342.png align="center")

Manually decoding these characters can be incredibly tedious and time-consuming, especially when dealing with numerous or complex requests, such as those found during SQL Injection attempts. To streamline this process and make the URLs readable, we can use a tool like [CyberChef](https://cyberchef.io/). Specifically, the **"URL Decode" operation within CyberChef** can automatically detect and convert these encoded formats back into their normal, human-readable form, significantly simplifying the analysis.
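The triage described above for Question 1 and Question 4 (find the IP sending SQL-like requests, then the earliest such request, decoded) can be scripted once the HTTP requests have been exported from the capture. The following is an added example, not part of the original write-up or of the lab; it assumes the export was produced with `tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch -e ip.src -e ip.dst -e http.request.method -e http.request.uri`, and the sample lines, IPs, host and paths in it are constructed placeholders, not values from the lab capture.

```python
"""SQLi triage over a tshark export of HTTP requests (added example, not from the lab).

Assumed input: one request per line, tab-separated, as produced by
    tshark -r capture.pcap -Y http.request -T fields \
        -e frame.time_epoch -e ip.src -e ip.dst -e http.request.method -e http.request.uri
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample export: documentation-range IPs and invented paths, not lab data.
SAMPLE_EXPORT = """\
1700000000.10\t198.51.100.7\t10.0.0.5\tGET\t/index.php
1700000001.20\t198.51.100.7\t10.0.0.5\tGET\t/books.php?id=4
1700000002.30\t203.0.113.9\t10.0.0.5\tGET\t/books.php?id=4
1700000003.40\t203.0.113.9\t10.0.0.5\tGET\t/books.php?id=4%27
1700000004.50\t203.0.113.9\t10.0.0.5\tGET\t/books.php?id=4%20AND%201%3D1
1700000005.60\t203.0.113.9\t10.0.0.5\tGET\t/books.php?id=4%20UNION%20SELECT%201%2C2%2Cdatabase%28%29%2C4--%20
1700000006.70\t198.51.100.7\t10.0.0.5\tGET\t/contact.php
"""

# Patterns matched against the URL-decoded URI. Legitimate parameter values rarely
# contain these; a search box that accepts apostrophes is the usual false positive.
SQLI_PATTERNS = [
    re.compile(r"'"),                                   # quote that breaks out of a string literal
    re.compile(r"\bUNION\b.*\bSELECT\b", re.I),         # union-based extraction
    re.compile(r"\b(AND|OR)\b\s+\d+\s*=\s*\d+", re.I),  # boolean probes such as AND 1=1
    re.compile(r"\bSLEEP\s*\(", re.I),                  # time-based probes
    re.compile(r"information_schema", re.I),            # schema enumeration
    re.compile(r"--\s|#|/\*"),                          # comment terminators ending the query
]


def parse_export(text):
    """Turn the export into dicts, keeping the raw URI next to a URL-decoded copy."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst, "method": method,
                     "uri": uri, "decoded": unquote_plus(uri)})
    return rows


def is_sqli(decoded_uri):
    """True when the decoded URI carries any of the SQL injection indicators."""
    return any(p.search(decoded_uri) for p in SQLI_PATTERNS)


def triage(text):
    """Return (attacker_ip, first_sqli_request, all_sqli_requests) for the export.

    The attacker is the source that sent the most SQL-like requests; the first attempt
    is that source's earliest such request in capture order.
    """
    rows = parse_export(text)
    hits = sorted((r for r in rows if is_sqli(r["decoded"])), key=lambda r: r["ts"])
    if not hits:
        return None, None, []
    attacker = Counter(r["src"] for r in hits).most_common(1)[0][0]
    first = next(r for r in hits if r["src"] == attacker)
    return attacker, first, hits


if __name__ == "__main__":
    ip, first, hits = triage(SAMPLE_EXPORT)
    print("attacker IP:", ip)
    print("first SQLi attempt (raw):", first["uri"])
    print("first SQLi attempt (decoded):", first["decoded"])
    print("SQL-like requests from that IP:", sum(1 for h in hits if h["src"] == ip))
```

Decoding with `unquote_plus` does the same job as CyberChef's "URL Decode" for each URI; `+` is treated as a space, which matches how form data in a query string is encoded. On a real capture, review the flagged rows by hand before concluding anything, since a single apostrophe in a legitimate search term will also match.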

### **Question 5: Can you provide the complete request URI that was used to read the web server's available databases?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749643944557/8031fe11-2547-46e8-8052-72bee1f0c740.png align="center")

When an SQL Injection attempt succeeds, the server usually still answers with **HTTP status code 200 (OK)**, but the response body now carries the leaked data. In Wireshark this is visible in the **response packet**, under the body section the dissector labels **Line-based text data** (or by right-clicking the request and choosing **Follow > HTTP Stream**). The leaked values typically appear inline in the HTML the page was supposed to render, or, when the application echoes its query result for debugging, in a PHP `var_dump` or a **JSON** response. Note that the status code alone is not a reliable signal: failed injections also return 200 on many applications, so the body has to be read. For listing the server's databases on MySQL, look for the request whose decoded SQL reads from `INFORMATION_SCHEMA.SCHEMATA`; that is the query sqlmap issues for this step.

### **Question 6: Assessing the impact of the breach and data access is crucial, including the potential harm to the organization's reputation. What's the table name containing the website users data?**

Similarly, upon a successful SQL Injection, not only the database name but also its **contents can be leaked**. The server's response will contain the extracted data embedded in the **HTML of the page** that was supposed to appear, so the attacker reads it straight out of the application's normal output. To find the table holding the website's users, locate the request that enumerates table names (on MySQL, a query against `INFORMATION_SCHEMA.TABLES` selecting `table_name` for the target database) and read the names returned in the corresponding response; the one holding user accounts is usually obvious from its name.

### **Question 7: The website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionalities not intended for public access. Can you provide the name of the directory discovered by the attacker?**

A **directory** on a website functions much like a folder in a file system, containing files grouped together based on shared characteristics, features, or access permissions. Often, sensitive parts of a website, such as **administration panels** or configuration files, are intentionally hidden within specific directories. Within these directories, various URL endpoints are used to manage the website comprehensively.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749645302905/ae92bacb-708e-4673-9370-8cd01a93c537.png align="center")

These hidden directories are prime targets for attackers who aim to gain unauthorized access. During automated directory discovery (often called "directory brute-forcing" or "enumeration"), the attacker requests hundreds of candidate paths from a wordlist in quick succession, and the server responds with **404 (Not Found)** for each path that does not exist. When a candidate hits a real directory or endpoint, the server responds with **200 (OK)** instead, confirming its presence and giving the attacker a new place to dig. In Wireshark, `http.response.code == 404` shows the volume of misses, and `http.response.code != 404` (combined with the attacker's IP) isolates the hits.

Furthermore, if the web server has directory listing enabled and the directory lacks an index page (e.g., `index.html` or `index.php`), it will serve a **directory listing** of the folder's contents with a 200 response, handing the attacker the file names directly. Two other status codes also reveal that a directory exists: a **301 or 302 redirect** when `/admin` is requested without a trailing slash and the server redirects to `/admin/`, and a **403 (Forbidden)** when the directory exists but access is denied. Only 404 means nothing is there, and even that is not absolute, since some applications serve a custom "not found" page with a 200 code, which is why scanners also compare response sizes.
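The status-code reasoning above can be applied programmatically to the responses in the capture. The following is an added example and not part of the original write-up or the lab; it assumes an export made with `tshark -r capture.pcap -Y http.response -T fields -e frame.time_epoch -e ip.dst -e http.response_for.uri -e http.response.code` (for a response, `ip.dst` is the client that sent the request, and `http.response_for.uri` is Wireshark's field carrying the URI the response belongs to). The sample lines, IPs and paths are constructed placeholders.

```python
"""Directory-enumeration triage over a tshark export of HTTP responses (added example, not from the lab).

Assumed input: tab-separated lines, one per response, as produced by
    tshark -r capture.pcap -Y http.response -T fields \
        -e frame.time_epoch -e ip.dst -e http.response_for.uri -e http.response.code
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export: documentation-range IPs and invented paths, not lab data.
SAMPLE_RESPONSES = """\
1700000100.0\t203.0.113.9\thttp://10.0.0.5/.git/\t404
1700000100.1\t203.0.113.9\thttp://10.0.0.5/backup/\t404
1700000100.2\t203.0.113.9\thttp://10.0.0.5/old/\t404
1700000100.3\t203.0.113.9\thttp://10.0.0.5/admin\t301
1700000100.4\t203.0.113.9\thttp://10.0.0.5/admin/\t200
1700000100.5\t203.0.113.9\thttp://10.0.0.5/config/\t403
1700000100.6\t203.0.113.9\thttp://10.0.0.5/test/\t404
1700000100.7\t203.0.113.9\thttp://10.0.0.5/tmp/\t404
1700000101.0\t198.51.100.7\thttp://10.0.0.5/books.php?id=4\t200
1700000101.5\t198.51.100.7\thttp://10.0.0.5/favicon.ico\t404
"""

# How each status reads during enumeration: 404 is a miss, everything else means
# something is there even when the content itself is not served.
EXISTS = {
    200: "served",
    301: "redirect (typically /dir -> /dir/)",
    302: "redirect",
    401: "exists, authentication required",
    403: "exists, access forbidden",
}


def parse_responses(text):
    """Turn the export into dicts with the client IP, the request path and the status code."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, uri, code = line.split("\t")
        rows.append({"ts": float(ts), "client": client,
                     "path": urlsplit(uri).path, "code": int(code)})
    return rows


def enumeration_report(rows, min_misses=5):
    """Per client: how many 404s it collected, over what time span, and which paths answered
    with something other than 404. A client is flagged once its 404 count reaches
    min_misses; a browsing user produces a handful at most, a wordlist scanner hundreds."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    report = {}
    for client, rs in by_client.items():
        misses = [r["ts"] for r in rs if r["code"] == 404]
        found = [(r["path"], r["code"], EXISTS.get(r["code"], "other"))
                 for r in rs if r["code"] != 404]
        span = (max(misses) - min(misses)) if misses else 0.0
        report[client] = {"misses": len(misses), "span_s": round(span, 3),
                          "flagged": len(misses) >= min_misses, "found": found}
    return report


def discovered_directories(report):
    """Directories a flagged client found: paths ending in '/' or answered with a redirect."""
    dirs = set()
    for info in report.values():
        if not info["flagged"]:
            continue
        for path, code, _ in info["found"]:
            if path.endswith("/") or code in (301, 302):
                dirs.add(path.rstrip("/") or "/")
    return sorted(dirs)


if __name__ == "__main__":
    report = enumeration_report(parse_responses(SAMPLE_RESPONSES))
    for client, info in report.items():
        print(client, "misses:", info["misses"], "over", info["span_s"], "s",
              "flagged" if info["flagged"] else "")
        for path, code, meaning in info["found"]:
            print("   ", code, path, "->", meaning)
    print("directories discovered by scanners:", discovered_directories(report))
```

The threshold of five misses is deliberately low for the constructed sample; on a real capture the scanner's 404 count will be in the hundreds and the `span_s` value will show them arriving within seconds. If the application returns a custom error page with status 200, add a check on response length (`http.content_length` in the export) so that uniform-size "hits" are discounted.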

### **Question 8: Knowing which credentials were used allows us to determine the extent of account compromise. What are the credentials used by the attacker for logging in?**

Once sqlmap has dumped the users table, the attacker can try the recovered credentials against the website's administrative login. In Wireshark these login attempts are visible as **POST** requests to the login URL (filter `http.request.method == "POST"`); because the form is submitted as `application/x-www-form-urlencoded`, the dissector shows the **username and password fields** in clear under **HTML Form URL Encoded** in the packet details. Comparing the attempts with the server's responses (a redirect to the admin area or a session cookie being set, rather than the login form again) shows which pair actually worked.

### **Question 9: We need to determine if the attacker gained further access or control of our web server. What's the name of the malicious script uploaded by the attacker?**

After gaining administrative access, an attacker typically looks for functionality they can abuse to run code on the server, most commonly a **file upload feature** that accepts a PHP file, which becomes a **backdoor** (web shell). These actions leave the same kind of trace in the capture as everything before them.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749645985721/03f8f921-9919-442e-9803-3e2dc7bf12b9.png align="center")

In the packet capture, we can see the attacker successfully entering the admin system. **Uploading a backdoor** appears as an HTTP **POST** with a `multipart/form-data` body to the upload endpoint; the uploaded file's name is in the `Content-Disposition: form-data; name="..."; filename="..."` header of the file part, and Wireshark lists it in the packet details as **MIME Multipart Media Encapsulation** (or use **Follow > HTTP Stream** to read the whole submission). Following the upload, the attacker triggers the backdoor with a **GET** request to the path where the file was stored, recognisable by the odd file name, a server-side extension such as `.php`, and often a query parameter carrying a command. Observing this POST-then-GET pattern pins down when the backdoor was deployed and when it was first activated.
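The two steps described for Question 8 and Question 9 (read the submitted credentials out of a login POST, then spot the multipart upload and the later GET that triggers the uploaded file) can be checked against raw requests copied from "Follow HTTP Stream". The following is an added example, not code from the original write-up or the lab; the three requests, the paths (`/admin/login.php`, `/admin/upload.php`, `/uploads/`), the credentials and the file name are constructed placeholders, and the PHP body is a harmless comment rather than a real web shell.

```python
"""Extract login credentials and uploaded file names from raw HTTP requests (added example, not from the lab).

Input is the text of each request as copied from Wireshark's "Follow HTTP Stream".
All requests below are constructed for this example.
"""
import email
import os
from email import policy
from urllib.parse import parse_qs, urlsplit

LOGIN_REQUEST = (
    "POST /admin/login.php HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "username=admin&password=Example%21"
)

UPLOAD_REQUEST = (
    "POST /admin/upload.php HTTP/1.1\r\n"
    "Host: 10.0.0.5\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabc123\r\n"
    "\r\n"
    "------WebKitFormBoundaryabc123\r\n"
    'Content-Disposition: form-data; name="file"; filename="cover.php"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "<?php /* constructed placeholder body, not a real web shell */ ?>\r\n"
    "------WebKitFormBoundaryabc123--\r\n"
)

EXEC_REQUEST = "GET /uploads/cover.php HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"

SAMPLE_REQUESTS = [
    "GET /admin/ HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    LOGIN_REQUEST,
    UPLOAD_REQUEST,
    EXEC_REQUEST,
]

# Form field names that usually carry a credential, and extensions the server would execute.
CRED_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd", "pwd"}
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".jsp", ".aspx", ".asp", ".cgi"}


def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path, "headers": headers, "body": body}


def extract_credentials(req):
    """Credential-looking fields from a URL-encoded form POST, values percent-decoded."""
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    creds = {k: v for k, v in fields.items() if k.lower() in CRED_FIELDS}
    return creds or None


def extract_uploads(req):
    """File parts of a multipart/form-data POST: form field, file name, and whether the
    extension is one the web server would execute. The body is handed to the stdlib
    MIME parser by prepending its Content-Type header."""
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("multipart/form-data"):
        return []
    msg = email.message_from_string("Content-Type: " + ctype + "\r\n\r\n" + req["body"],
                                    policy=policy.default)
    uploads = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            uploads.append({"field": part.get_param("name", header="content-disposition"),
                            "filename": filename, "executable": ext in EXECUTABLE_EXT})
    return uploads


def uploaded_then_requested(raw_requests):
    """Walk the requests in capture order and record credentials, uploads, and every later
    GET whose last path component matches an uploaded file name (the backdoor being used)."""
    timeline = {"credentials": [], "uploads": [], "executions": []}
    uploaded_names = set()
    for raw in raw_requests:
        req = parse_request(raw)
        creds = extract_credentials(req)
        if creds:
            timeline["credentials"].append((req["path"], creds))
        for up in extract_uploads(req):
            timeline["uploads"].append((req["path"], up))
            uploaded_names.add(up["filename"])
        if req["method"] == "GET" and os.path.basename(req["path"]) in uploaded_names:
            timeline["executions"].append(req["path"])
    return timeline


if __name__ == "__main__":
    for key, entries in uploaded_then_requested(SAMPLE_REQUESTS).items():
        print(key + ":", entries)
```

The match on file name is deliberately loose: the upload handler may store the file under a different directory than the one the form posted to, so only the final path component is compared. When the server renames uploads, correlate on the response to the upload POST instead, which often echoes the stored path.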

[CyberDefenders : Web Investigation](https://cyberdefenders.org/blueteam-ctf-challenges/web-investigation/)
