Investigate Web Attacks - busbeetech.com

Challenge Link: https://app.letsdefend.io/challenge/investigate-web-attack Challenge File: /root/Desktop/ChallengeFile/access.log

Question 1

Which automated scan tool did attacker use for web reconnaissance?

The file for this challenge was an access.log file full of network events. I scanned through this file in the text editor, paying attention to the user-agent section of the logs. Here I found several references to Nikto which can be used to scan networks.

Answer:

Nikto

Question 2

After web reconnaissance activity, which technique did attacker use for directory listing discovery?

I had to scroll down a long ways to stop seeing references to Nikto. Then I started noticing it brute-forcing common files and directories in this /bwapp/ directory.

Answer:

directory brute force

Question 3

What is the third attack type after directory listing discovery?

After running through possible directories, it seemed the attacker found a login page at /bWAPP/login.php. I could see them attempting the login several different times in rapid succession indicating a brute force attack.

Answer:

brute force

Question 4

Is the third attack successful?

It appears the third attack was successful because eventually the logs go from accessing /bWAPP/login.php to seeing /bWAPP/portal.php, indicating a successful login.

Answer:

Yes

Question 5

What is the name of fourth attack?

Further down in the logs I saw that the attacker discovered the /bWAPP/phpi.php page had a variable called message that accepted input through the GET request: /bWAPP/phpi.php?message=