Advent of Cyber 2024: Day 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it.
Learning Objectives
- Learn about log analysis and tools like ELK.
- Learn about KQL and how it can be used to investigate logs using ELK.
- Learn about RCE (Remote Code Execution), and how this can be done via insecure file upload.
Log Analysis & Introducing ELK
Log analysis is crucial to blue-teaming work, as you have likely discovered through this year’s Advent of Cyber.
Analysing logs can quickly become overwhelming, especially if you have multiple devices and services. ELK, or Elasticsearch, Logstash, and Kibana, combines data analytics and processing tools to make analysing logs much more manageable. ELK forms a dedicated stack that can aggregate logs from multiple sources into one central place.
Explaining how ELK collates and processes these logs is out of the scope of today’s task. However, if you wish to learn more, you can check out the Investigating with ELK 101 room. For now, it’s important to note that multiple processes behind the scenes achieve this.
The first part of today’s task is to investigate the attack on Frosty Pines Resort’s Hotel Management System to see what it looks like to a blue teamer. You will then test your web app skills by recreating the attack.
Using ELK
Upon loading the URL http://10.10.123.180:5601/ within your AttackBox’s browser, you will be greeted with the ELK Home page.
For today’s task, we will use Kibana’s Discover interface to review Apache2 logs. To access this, simply click on the three lines located at the top left of the page to open the slide-out tray. Under the Analytics heading, click on Discover.
Now that we can see some entries, let’s go over the basics of the Kibana Discover UI.
- Search Bar: Here, we can place our search queries using KQL.
- Index Pattern: An index pattern is a collection of logs. This can be from a specific host or, for example, multiple hosts with a similar purpose (such as multiple web servers). In this case, the index pattern is all logs relating to “wareville-rails”.
- Fields: This pane shows us the fields that Elasticsearch has parsed from the logs, for example, timestamp, response type, and IP address.
- Timeline: This visualisation displays the event count over a period of time.
- Documents (Logs): These are the individual entries in the log file.
- Time Filter: We can use this to narrow down a specific time frame (absolute). Alternatively, we can search for logs relative to now, e.g. “Last 7 days”.
Practical
Your task today is two-fold. First, you must access Kibana on 10.10.123.180:5601 to investigate the attack and answer the blue questions below. Then, you will proceed to Frosty Pines Resort’s website at http://frostypines.thm and recreate the attack to answer the red questions and inform the developers what element of the website was vulnerable.
Please note, to access http://frostypines.thm, you will need to reference it within your hosts file. On the AttackBox, this can be done by executing the following command in a terminal: echo "10.10.123.180 frostypines.thm" >> /etc/hosts
If you do not see an IP address (i.e. 10.10.x.x) and only MACHINE IP, ensure that you have started the target machine by pressing the green “Start Machine” button further up the task, under the heading “Connecting to the Machine”.
To review the logs of the attack on Frosty Pines Resorts, make sure you select the “frostypines-resorts” index pattern within ELK (the Index Pattern drop-down described above).
The date and time that you will need to use when reviewing logs will be between 11:30 and 12:00 on October 3rd 2024.
Remember, the Frosty Pines Resorts website (http://frostypines.thm) will only resolve once the hosts-file entry above has been added on the AttackBox.
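As an added example (not part of the original room or its ELK data), here is the same hunt the blue questions ask for, run outside Kibana over a few constructed Apache2 combined-log lines: parse each line, keep only the 11:30–12:00 window, and flag any request for a server-side script under the image upload directory, reporting which client IPs hit it. The upload directory, the script extensions and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Apache2 combined log format (the format Kibana parsed into the fields shown in Discover).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: directories that should only ever serve static uploads, and extensions the
# web server would execute if a file with them were written there.
UPLOAD_DIRS = ("/media/images/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")

# The time window the task points at (3 October 2024, 11:30 to 12:00).
INCIDENT_WINDOW = (datetime(2024, 10, 3, 11, 30, tzinfo=timezone.utc),
                   datetime(2024, 10, 3, 12, 0, tzinfo=timezone.utc))

# Constructed sample lines for this example; they are not the room's real ELK data.
SAMPLE_LOG = """\
10.10.5.7 - - [03/Oct/2024:11:31:02 +0000] "GET /media/images/rooms/room101.jpg HTTP/1.1" 200 40211
10.11.83.34 - - [03/Oct/2024:11:41:05 +0000] "POST /admin/upload.php HTTP/1.1" 302 221
10.11.83.34 - - [03/Oct/2024:11:41:09 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 84
10.10.5.7 - - [02/Oct/2024:09:00:00 +0000] "GET /media/images/rooms/old.php HTTP/1.1" 404 196
"""

def parse_line(line):
    """Return a dict of parsed fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string before matching
    return rec

def find_script_hits(log_text, start, end):
    """Return {path: sorted client IPs} for script files requested from an upload-only
    directory inside [start, end]. A 200 on such a path means the server executed an
    uploaded file, which is the web-shell symptom to chase in Kibana."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        path = rec["path"]
        if not path.startswith(UPLOAD_DIRS) or not path.lower().endswith(SCRIPT_EXTS):
            continue
        hits.setdefault(path, set()).add(rec["ip"])
    return {p: sorted(ips) for p, ips in hits.items()}

if __name__ == "__main__":
    for path, ips in find_script_hits(SAMPLE_LOG, *INCIDENT_WINDOW).items():
        print(f"{path} requested by {', '.join(ips)}")
```

The same filter expressed in Kibana would be a KQL search on the request path for `.php` under the upload directory, narrowed with the Time Filter to the incident window.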
Questions:
#1. BLUE: Where was the web shell uploaded to?
Answer format: /directory/directory/directory/filename.php
Answer: /media/images/rooms/shell.php
#2. BLUE: What IP address accessed the web shell?
Answer: 10.11.83.34
#3. RED: What are the contents of flag.txt?
Answer: THM{Gl1tch_Was_H3r3}
#4. If you liked today’s task, you can learn how to harness the power of advanced ELK queries.
No answer needed.
Wrapping Up
This blog explored defensive log analysis and offensive RCE techniques. Understanding both perspectives strengthens cybersecurity skills, enabling better defense strategies and awareness of attack vectors.
For hands-on practice, TryHackMe offers an excellent platform to hone these skills ethically and safely.
Thank you!