cat access.log| awk -F " " '{print $12,$13,$14}'
Ans: nmap, hydra, sqlmap, curl, feroxbuster
2. What endpoint was vulnerable to a brute-force attack?
Ans: /rest/user/login
3. What endpoint was vulnerable to SQL injection?
Ans: /rest/products/search
4. What parameter was used for the SQL injection?
Ans: q
5. What endpoint did the attacker try to use to retrieve files? (Include the /)
cat access.log | grep “feroxbuster” | awk -F “/” ‘{print $4}’
Ans: ftp
Hint: Where can customers usually comment on a shopping website?
Ans: product review
2. Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)
cat access.log | grep “Hydra”
Ans: Yay, 11/Apr/2021:09:16:31 +0000
3. What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?
Using the information gathered from the previous task we get to know that the attacker’s endpoint was /rest/products/search. So Analyze the log file, we found that the attacker gathered information on the users email and password.
Ans: email,password
4. What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)
Using the information gathered from the previous question the attacker successfully downloaded backup files (.bk) form the server.
The files are coupons_2013.md.bak and www-data.bak
Ans: coupons_2013.md.bak,www-data.bak
5. What service and account name were used to retrieve files from the previous question? (service, username)
Using data obtained from vsftpd.log the attacker used FTP and anonymous to retrieve the backup files.
Ans: ftp,anonymous
6. What service and username were used to gain shell access to the server? (service, username)
After multiple attempts, the attacker gained access to the server using ssh and www-data for the username
Ams: ssh,www-data