HTB: Intro to Blue Team: Chase
3 min read · Sep 27, 2021
Description
One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?
Attack Analysis
Filtering the capture for HTTP traffic makes the exchange easier to follow.
First, the HTTP GET requests and responses from the web server 22.22.22.5.
An attacker uploaded a webshell first (authKey=admin).
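The triage described above (filter the capture to HTTP, look at the request lines, spot the upload carrying authKey=admin) as an added example that is not part of the original write-up or the HTB challenge files: a dependency-free Python script that parses a classic libpcap file, pulls HTTP request lines out of TCP payloads and flags requests to 22.22.22.5 that carry the indicator. The pcap is constructed inside the block; the client address 22.22.22.9, the paths and the body are assumed sample values, and requests split across several TCP segments are not reassembled.

```python
import struct
from urllib.parse import parse_qs

WEB_SERVER = "22.22.22.5"  # web server address named in the write-up
def _frame(src, dst, payload):
    # Ethernet + minimal IPv4 + minimal TCP header around an HTTP payload (constructed; checksums left zero)
    ip4 = lambda a: bytes(map(int, a.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload
def build_pcap(flows):
    # Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET = 1), then a 16-byte header per record
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, dst, payload) in enumerate(flows):
        frame = _frame(src, dst, payload)
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out
def http_requests(pcap_bytes):
    # Walk the records; yield (src, dst, request_text) for TCP payloads that start with an HTTP method
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT"):
            src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
            yield src, dst, payload.decode("latin-1")
def suspicious_requests(pcap_bytes):
    # Flag requests to the web server carrying the webshell indicator authKey=admin in the query or body
    hits = []
    for src, dst, req in http_requests(pcap_bytes):
        head, _, body = req.partition("\r\n\r\n")
        request_line = head.split("\r\n")[0]
        parts = request_line.split(" ")
        query = parts[1].partition("?")[2] if len(parts) > 1 else ""
        params = {**parse_qs(query), **parse_qs(body)}
        if dst == WEB_SERVER and params.get("authKey") == ["admin"]:
            hits.append((src, request_line))
    return hits
# Constructed sample traffic: a benign page load, the upload request carrying the indicator, the server's reply
SAMPLE_PCAP = build_pcap([
    ("22.22.22.9", WEB_SERVER, b"GET /index.php HTTP/1.1\r\nHost: 22.22.22.5\r\n\r\n"),
    ("22.22.22.9", WEB_SERVER, b"POST /upload.php?authKey=admin HTTP/1.1\r\nHost: 22.22.22.5\r\n\r\nfile=shell.php"),
    (WEB_SERVER, "22.22.22.9", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
])
HITS = suspicious_requests(SAMPLE_PCAP)  # -> [("22.22.22.9", "POST /upload.php?authKey=admin HTTP/1.1")]
```

On a real capture, read the file with `open(path, "rb").read()` and pass it to `suspicious_requests`; responses from the server are skipped because they start with a status line rather than a method.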