ShellShock Attack: Let’s Defend Challenge

Shellshock attack evidence analysis

Hello, blue teamers. Today I am going to try my hand on another short and easy blue team exercise from Let’s Defend, titled Shellshock Attack

Let's go for it!

NOTE: Always remember to investigate challenges from Let's Defend, on a VM.

Gist of the challenge

You must to find details of shellshock attacks

Log file: https://app.letsdefend.io/download/downloadfile/shellshock.zip Pass: 321

Note: pcap file found public resources.

What is the Shellshock Vulnerability?

Quoting Wikipedia, Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

In fact, Vulnhub has a boot2root VM called Troll2, which is based upon the same vulnerability

Challenge Questions

Q) What is the server operating system?

Analyzing HTTP Packets give this answer (remember to expand them)

A) Ubuntu

Q) What is the application server and version running on the target system?

Analyzing the HTTP packet with the Internal Server error gives us our answer

A) Apache/2.2.22

Q) What is the exact command that the attacker wants to run on the target server?

A) /bin/ping -c1 10.246.50.2

Conclusion

This challenge was a breeze!

Thank you for reading this entry. Stay tuned, as I try to close down some more SOC alerts....

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by selecting any one of the emojis below!.