Szczygielka's hacking notes
  • 🚀Welcome
  • 💻Hack The Box Writeups
    • Linux Machines
      • Busqueda
      • Zipping
      • Clicker
      • Pilgrimage
    • Windows Machines
      • Aero
      • Visual
  • 🚩CTFs Writeups
    • KnightCTF 2024
      • OS, Password, IP Addr, Note, Execution, Path of the Executable, Malicious - Forensics
      • Flag Hunt! - Steganography
      • Oceanic - Steganography
      • README - Web
    • TetCTF 2024
      • TET & 4N6 - Misc/Forensics
    • 0xL4ugh CTF 2024
      • Wordpress - 1 - Forensics
      • Wordpress - 2 - Forensics
      • Gamer - 5 - Forensics
    • 1753CTF 2024
      • Resume - Misc
    • UTCTF 2024
      • OSINT 1 - Forensics
      • OSINT 2 - Forensics
      • Contracts - Forensics
      • Survey - Forensics
      • simple signature - Crypto
      • Anti-dcode.fr - Crypto
      • bits and pieces - Crypto
    • RITSEC CTF 2024
      • Curiosity Helped the Cat - Forensics
      • Failed File Transfer - Crypto
      • Dastardly Evil Scientists - Crypto
      • Secret Door - Misc
      • Guess – Reversing
    • Cyber Apocalypse 2024: Hacker Royale
      • Russian Roulette - Blockchain
      • Recovery - Blockchain
      • Primary Knowledge - Crypto
Powered by GitBook
On this page
  • Task
  • Solution
  1. CTFs Writeups
  2. 0xL4ugh CTF 2024

Wordpress - 1 - Forensics

Previous0xL4ugh CTF 2024NextWordpress - 2 - Forensics

Last updated 1 year ago

Task

Our WordPress site has experienced a security breach, and the precise method of compromise remains undetermined at present. We need you help to investigate what actually happened.

Q1. There were two attackers attempting to compromise our environment. What is the IP address of the victim, and what is the IP address of the first attacker?

Q2. What are the versions of the Apache and PHP servers deployed in our environment?

Flag Format: 0xL4ugh{A1_A2}

Example: 0xL4ugh{IP1_IP2_apache1.2.3_php1.2.3}(no spaces)

Solution

We get Wordpress.pcapng file:

szczygielka@hacks$ file Wordpress.pcapng 
Wordpress.pcapng: pcapng capture file - version 1.0

Let's open it with Wireshark. First, we would like to identify the IP address of the WordPress website:

Based on the queries and the fact that we know that the webpage uses WordPress, we can see that that IP address 192.168.204.128 was queried many times. Based on this, we can identify the victim's IP address:

192.168.204.128

Now let's look for the attackers. Analyzing queries sent to the address 192.168.204.128, using the HTTP protocol, we can see that one of the hosts was enumerating the website:

Looking at the details of one of the packages, we can see that User-Agent is set toWPScan:

The WPScan is a WordPress security scanner that allows you to scan and test WordPress-based websites. So we have the IP address of the first attacker:

192.168.204.132

Now let's look for the IP address of the second attacker. Let's exclude the address of the first attacker from the search results to make it easier to browse through the requests. After excluding this address, there are left with only 26 packets, all sent from one IP address:

The remaining results indicate that someone tried to execute commands using the website, which is malicious behavior. So we can determine the IP address of the second attacker as:

192.168.204.1

Now we need to somehow determine the Apache server version and PHP version used by the website. By analyzing the content of the HTTP stream for the second attacker, we can determine what version of the Apache server is used on the website.

The Apache version used is:

2.4.58

By analyzing the same HTTP stream, we can also identify the PHP version used on the website:

The PHP version used is:

8.2.12

We have already collected all the information needed to obtain the flag.

Flag:

0xL4ugh{192.168.204.128_192.168.204.132_apache2.4.58_php8.2.12}
🚩