Log Analysis — Compromised Wordpress

Univeth
2 min read · Aug 11, 2024


BlueTeamLabs Online Writeup

1. Identify the URI of the admin login panel that the attacker gained access to (include the token)

If we search the access.log file for the token parameter:

grep -i "token=" access.log

we see a long run of POST requests to the URI /wp-login.php?itsec-hb-token=adminlogin. That query parameter is the "hide backend" access token used by the iThemes Security plugin to expose the otherwise hidden login page, and dozens of POSTs to it in quick succession are a strong indicator of a brute-force attack on the admin login. A quick way to see where the guessing stopped is to count the POSTs (grep -c) and look for the first 302 redirect after the run of 200 responses: WordPress re-renders the form with a 200 on a failed login and redirects with a 302 on success.

Answer: /wp-login.php?itsec-hb-token=adminlogin

2. Can you find two tools the attacker used?

One way to get this answer is to grep the User-Agent strings for the names of the most common web and WordPress vulnerability scanners:

grep -iE "curl|wget|python|go-http|sqlmap|nikto|nmap|hydra|wpscan|openvas" access.log

Both WPScan and Nikto announce themselves in their default User-Agent, so they stand out immediately. Keep in mind that the User-Agent is attacker-controlled and trivially spoofed, so a match like this is a lead to confirm against the request pattern, not proof on its own.

Answer: wpscan, nikto

3. The attacker tried to exploit a vulnerability in ‘Contact Form 7’. What CVE was the plugin vulnerable to? (Do some research!)

A quick search leads to the MITRE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489

"The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters."

Answer: CVE-2020-35489

4. What plugin was exploited to get access?

The Contact Form 7 attempt from the previous question did not get the attacker in; the plugin that did is found by following the upload traffic. Search for either "uploads" or POST, as we know we are dealing with a file upload vulnerability:

grep -i "uploads" access.log

The requests show files being written under wp-content/uploads/ by the Simple File List plugin, and the version string appears in the same log entries.

Answer: simple-file-list 4.2.2

5. What is the name of the PHP web shell file?

Search for ".php" together with "upload" (the shell's path has "uploads" before the ".php", so match both orders), or simply for POST:

grep -Ei "\.php.*upload|upload.*\.php" access.log

The answer also already appeared in the output of the previous question.

Answer: fr34k.php

6. What was the HTTP response code provided when the web shell was accessed for the final time?

Search for fr34k.php and take the last hit; the status code is the field right after the quoted request line:

grep "fr34k.php" access.log | tail -n 1

A 404 on the final access means the file was no longer there at that point, which is worth correlating with the rest of the timeline (for example, whether the shell was removed during cleanup or by the attacker).

Answer: 404
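As an added example (my own code, not part of the original writeup or of the BTLO challenge files), here is a small POSIX shell script that turns the one-off greps from questions 1, 2, 5 and 6 into reusable functions over a combined-format access log. The log lines inside it are constructed for this example: the IP address, timestamps, User-Agent strings and the plugin upload endpoint name are assumptions that only resemble the challenge data, and the scanner name list is a hint list, not a signature database.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from BTLO.
# Triage helpers over an Apache/nginx "combined" format access log.
# Field layout: 1=ip 4=[time 5=tz] 6="METHOD 7=URI 8=HTTP/x" 9=status 10=bytes 11="referer" 12+="user-agent"

LOG="${LOG:-$(mktemp)}"

# CONSTRUCTED sample log: hosts, times, UAs and the plugin endpoint name
# (upload-endpoint.php is a placeholder) are assumptions, not real data.
make_sample_log() {
  cat > "$LOG" <<'EOF'
203.0.113.5 - - [11/Aug/2024:10:00:01 +0000] "GET /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2024:10:00:02 +0000] "POST /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2024:10:00:03 +0000] "POST /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2024:10:00:04 +0000] "POST /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2024:10:05:00 +0000] "GET /wp-content/plugins/simple-file-list/readme.txt HTTP/1.1" 200 512 "-" "WPScan v3.8.7 (https://wpscan.org/)"
203.0.113.5 - - [11/Aug/2024:10:06:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
203.0.113.5 - - [11/Aug/2024:10:10:00 +0000] "POST /wp-content/plugins/simple-file-list/upload-endpoint.php HTTP/1.1" 200 15 "-" "python-requests/2.25.1"
203.0.113.5 - - [11/Aug/2024:10:10:05 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
203.0.113.5 - - [11/Aug/2024:10:11:00 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php?cmd=whoami HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
EOF
}

# Q1: the login URI (query string included) that received the most POSTs.
login_brute_force_uri() {
  grep -i 'token=' "$LOG" | awk '$6 == "\"POST" {print $7}' \
    | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# How many POSTs hit that exact URI (the size of the brute-force run).
login_post_count() {
  awk -v u="$1" '$6 == "\"POST" && $7 == u {n++} END {print n+0}' "$LOG"
}

# Timestamp of the first 302 after a POST to the URI: WordPress answers a
# failed login with 200 and a successful one with a 302 redirect.
login_first_success() {
  awk -v u="$1" '$6 == "\"POST" && $7 == u && $9 == 302 {sub(/^\[/, "", $4); print $4; exit}' "$LOG"
}

# Q2: scanner names found in the User-Agent (last quoted field). A hint only:
# the UA is attacker-controlled and can be set to anything.
scanner_tools() {
  sed -E 's/.*"([^"]*)"$/\1/' "$LOG" \
    | grep -ioE 'curl|wget|python|go-http|sqlmap|nikto|nmap|hydra|wpscan|openvas' \
    | tr 'A-Z' 'a-z' | sort -u | paste -s -d ' ' -
}

# Q5: PHP files under wp-content/uploads that were actually requested.
webshell_name() {
  grep -oE '/wp-content/uploads/[^ ?"]*\.php' "$LOG" | sed 's#.*/##' | sort -u
}

# Q6: status code of the final request that touched the given file name.
webshell_last_status() {
  grep -F "$1" "$LOG" | tail -n 1 | awk '{print $9}'
}

# Stand-alone run over the constructed sample.
make_sample_log
uri=$(login_brute_force_uri)
printf 'Q1 login URI  : %s (%s POSTs, first 302 at %s)\n' \
  "$uri" "$(login_post_count "$uri")" "$(login_first_success "$uri")"
printf 'Q2 tool hints : %s\n' "$(scanner_tools)"
shell_file=$(webshell_name)
printf 'Q5 web shell  : %s\n' "$shell_file"
printf 'Q6 last status: %s\n' "$(webshell_last_status "$shell_file")"
```

Point LOG at the real access.log (LOG=/path/to/access.log sh triage.sh, and drop the make_sample_log call) to reuse the functions on the challenge file. Note that on the sample data the tool hint list also fires on "python", because the shell was driven with python-requests; that is exactly why the User-Agent match is a lead to confirm, not an answer by itself.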
