Log analysis — Wordpress (IncidentResponse)BlueTeamLabsOnline

CyberJunnkie
4 min readApr 26, 2022

--

Hello geeks. Today we will do log analysis of a compromised wordpress website challenge from BTLO. This is incidence response challenge with medium level of difficulty.We will try to solve all the questions direct from command line using utilities like grep,cut,sort ,pipe etc. We will need to add some analytical context to the logs to find correct answers.This challenge will try to explain how much important contextual analysis is important because one thing can mean any useless thing until its enriched with context from the usecase.

Scenario : One of our WordPress sites has been compromised but we’re currently unsure how. The primary hypothesis is that an installed plugin was vulnerable to a remote code execution vulnerability which gave an attacker access to the underlying operating system of the server.

We start by downloading the challenge file

Q1 Identify the URI of the admin login panel that the attacker gained access to (include the token)

since wordpress logins using the php file wp-login.php

i grepped all the logs of url wp-login.php to filter down the logs only related to logins to further analyse it

The POST request looks like it is for logging in an admin because of the token

Login Post Request

Answer : /wp-login.php?itsec-hb-token=adminlogin

Q2 Can you find two tools the attacker used?

Since the website under attack is an wordpress , wpscan is a famous tool used to enumerate wordpress plugins and website

so i tried searching for it and got its user agent . Automated tools by default have their own custom user agent

WPscan left its traces in logs

We also find the sqlmap user agent

SQLmap left its traces in logs

Its a good practice to specify a user agent yourself when using automated tools and most of them has this capability. If we craft user agent like what we would expect from a normal user’s user agent header , then we can try to blend in with legitimate requests.

Answer: wpscan sqlmap

Q3 The attacker tried to exploit a vulnerability in ‘Contact Form 7’. What CVE was the plugin vulnerable to? (Do some research!)

We need only the contact forms urls so we filter down the logs

I researched the cve related to this specific plugin

Answer: CVE-2020–35489

Q4 What plugin was exploited to get access?

In previous question we created a log file containing only contact-form 7 urls , so it is possible that contact form 7 was exploited since a vulneribility exists for that
When looking thorugh forms.log

we can see that this plugin is not working properly on this webserver , hence it wasnt exploited

contact-form-7 exploit unable to be served on webserver

To filter out the plugins in use and excluding contact-form 7 since we know its no working and makes lots of noise in our logs

Now we analyze plugins.log
The only working plugin is simple-file-list plugin

We research if theres any vulneribility regarding this plugin and there sure is
This blog explains the vulnerability.

Answer:simple file list 4.2.2

Q5 What is the name of the PHP web shell file?

I researched about the vulneribility from following blog. The vulneribility allows unrestricted file upload under /wp-content/uploads/plugin-name path

So i again filtered the logs by first filtering only the uploads urls and then again looking for the string under “/*/*php” which means any directory followed by /uploads and then that directory followed by *php meaning the file name ending with php extension.

Finding webshell-backdoor direct from terminal

Answer: fr34k.php

Q6 What was the HTTP response code provided when the web shell was accessed for the final time?

We know the webshell file name so we will now filter by file name. Then that output was piped to tail with parameter of -n 1 which means tail only 1 line . Since tail stdout from bottom of file or stdin this will give us only the last log containing the webshell name

The http code is 404 as we can see

Answer: 404

--

--

CyberJunnkie
CyberJunnkie

Written by CyberJunnkie

Senior Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻 DFIR Analyst @ ProvenData

No responses yet