HTB: Intro to Blue Team: Chase

Hack The Box

Description

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Attack Analysis

22.22.22.7 is an attacker and 22.22.22.5 is the webserver

Filtering for HTTP traffic to make it clear.

HTTP Traffic

First GET HTTP Requests and Responses from webserver 22.22.22.5

An attacker uploaded a webshell first (authKey=admin).