Log analysis — Wordpress (IncidentResponse)BlueTeamLabsOnline
Hello geeks. Today we will do log analysis of a compromised wordpress website challenge from BTLO. This is incidence response challenge with medium level of difficulty.We will try to solve all the questions direct from command line using utilities like grep,cut,sort ,pipe etc. We will need to add some analytical context to the logs to find correct answers.This challenge will try to explain how much important contextual analysis is important because one thing can mean any useless thing until its enriched with context from the usecase.
Scenario : One of our WordPress sites has been compromised but we’re currently unsure how. The primary hypothesis is that an installed plugin was vulnerable to a remote code execution vulnerability which gave an attacker access to the underlying operating system of the server.
We start by downloading the challenge file
Q1 Identify the URI of the admin login panel that the attacker gained access to (include the token)
since wordpress logins using the php file wp-login.php
i grepped all the logs of url wp-login.php to filter down the logs only related to logins to further analyse it
The POST request looks like it is for logging in an admin because of the token
Answer : /wp-login.php?itsec-hb-token=adminlogin
Q2 Can you find two tools the attacker used?
Since the website under attack is an wordpress , wpscan is a famous tool used to enumerate wordpress plugins and website
so i tried searching for it and got its user agent . Automated tools by default have their own custom user agent
We also find the sqlmap user agent
Its a good practice to specify a user agent yourself when using automated tools and most of them has this capability. If we craft user agent like what we would expect from a normal user’s user agent header , then we can try to blend in with legitimate requests.
Answer: wpscan sqlmap
Q3 The attacker tried to exploit a vulnerability in ‘Contact Form 7’. What CVE was the plugin vulnerable to? (Do some research!)
We need only the contact forms urls so we filter down the logs
I researched the cve related to this specific plugin
Q4 What plugin was exploited to get access?
In previous question we created a log file containing only contact-form 7 urls , so it is possible that contact form 7 was exploited since a vulneribility exists for that
When looking thorugh forms.log
we can see that this plugin is not working properly on this webserver , hence it wasnt exploited
To filter out the plugins in use and excluding contact-form 7 since we know its no working and makes lots of noise in our logs
Now we analyze plugins.log
The only working plugin is simple-file-list plugin
We research if theres any vulneribility regarding this plugin and there sure is
This blog explains the vulnerability.
Answer:simple file list 4.2.2
Q5 What is the name of the PHP web shell file?
I researched about the vulneribility from following blog. The vulneribility allows unrestricted file upload under /wp-content/uploads/plugin-name path
So i again filtered the logs by first filtering only the uploads urls and then again looking for the string under “/*/*php” which means any directory followed by /uploads and then that directory followed by *php meaning the file name ending with php extension.
Q6 What was the HTTP response code provided when the web shell was accessed for the final time?
We know the webshell file name so we will now filter by file name. Then that output was piped to tail with parameter of -n 1 which means tail only 1 line . Since tail stdout from bottom of file or stdin this will give us only the last log containing the webshell name
The http code is 404 as we can see