Slingway Inc., a leading toy company, has recently detected suspicious activity on its e-commerce web server and potential unauthorized modifications to its database. You have been brought in to investigate the incident: analyze the available logs and determine the scope and impact of the attack. To support the investigation, you have been given access to an Elastic Stack instance containing logs from the suspected compromise; the credentials required to reach the dashboard are listed under Lab Access below. Slingway's IT team noted that the suspicious activity began on July 26, 2023.
Objectives
By investigating and answering the questions in the next task, you will build a timeline of events to support the incident response process and deliver clear, evidence-based findings. In your investigation, you seek to answer the following questions.
- What reconnaissance and enumeration techniques were used?
- What vulnerabilities were exploited on the web server?
- How did the attacker gain administrative access?
- What sensitive data was accessed or exfiltrated?
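As an added example (not part of the room, its lab data or its answers), the following Python sketches the triage logic behind each of the four questions, run over a handful of constructed web-server access-log lines. In the room itself the equivalent filters would be Kibana/KQL queries against the provided indices; here the log format (Apache/nginx "combined"), the indicator lists (scanner User-Agents, 404 bursts, SQL-injection patterns in the decoded URL, unusually large responses) and all function names are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Assumed layout: Apache/nginx "combined" log format. The room's data lives in
# Elastic, where these filters would be KQL queries instead; this is an
# offline stand-in for the reasoning, not the room's own data or fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
# User-Agent fragments of common recon tools (assumed indicator list).
SCANNER_UAS = ("nmap", "nikto", "sqlmap", "gobuster", "dirbuster", "wfuzz", "hydra")
# Crude SQL-injection indicators, applied to the URL-decoded request path.
SQLI_RE = re.compile(r"'\s*(or|and|union)\b|union\s+select|\bsleep\s*\(", re.I)

# Constructed sample lines; not taken from the Slingway investigation.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Jul/2023:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Nmap Scripting Engine"
10.0.0.9 - - [26/Jul/2023:10:05:01 +0000] "GET /admin HTTP/1.1" 404 0 "-" "gobuster/3.5"
10.0.0.9 - - [26/Jul/2023:10:05:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "gobuster/3.5"
10.0.0.9 - - [26/Jul/2023:10:05:03 +0000] "GET /login.php HTTP/1.1" 200 300 "-" "gobuster/3.5"
10.0.0.9 - - [26/Jul/2023:10:06:00 +0000] "GET /products.php?id=1'%20OR%201=1-- HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["bytes"] = int(e["bytes"]) if e["bytes"].isdigit() else 0
        e["path"] = unquote(e["path"])  # decode %27, %20 etc. before matching
        events.append(e)
    return events


def scanner_ips(events):
    """Question 1: source IPs whose User-Agent names a known scanning tool."""
    return sorted({e["ip"] for e in events
                   if any(tool in e["ua"].lower() for tool in SCANNER_UAS)})


def enumeration_ips(events, min_404=3):
    """Question 1: IPs producing many 404s, typical of directory brute forcing."""
    counts = Counter(e["ip"] for e in events if e["status"] == 404)
    return sorted(ip for ip, n in counts.items() if n >= min_404)


def injection_attempts(events):
    """Question 2: requests whose decoded URL carries SQL-injection indicators."""
    return [e for e in events if SQLI_RE.search(e["path"])]


def large_responses(events, min_bytes=5000):
    """Question 4: unusually large responses, a lead for bulk data access."""
    return [e for e in events if e["bytes"] >= min_bytes]


def timeline(events):
    """Chronological (timestamp, ip, status, path) tuples for the report."""
    return [(e["ts"].isoformat(), e["ip"], e["status"], e["path"])
            for e in sorted(events, key=lambda e: e["ts"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", scanner_ips(evs))
    print("enumeration:", enumeration_ips(evs))
    print("injection:", [e["path"] for e in injection_attempts(evs)])
    print("large responses:", [(e["ip"], e["bytes"]) for e in large_responses(evs)])
    for row in timeline(evs):
        print(*row)
```

Each function answers one investigative question with a single, explainable criterion, so the result can be cited as evidence rather than as an opaque score; the thresholds are deliberately parameters, since the right 404 count or response size depends on the site's normal traffic.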
Prerequisites
Some familiarity with the Elastic architecture and query creation will be useful in this challenge room. Check out the rooms below!
- Go over Elastic Stack: The Basics for an overview of Elastic architecture and queries
- Cover Elastic: Query Languages to develop an understanding of advanced queries
Lab Access
Click the Start Machine button below. Please give Elastic 5 minutes to start, then access the dashboard using the link and the following credentials.
- https://LAB_WEB_URL.p.thmlabs.com/
- username: elastic
- password: raCK0W**BLlW66oNlKAk
Set up your virtual environment
I understand my duties and am ready to investigate!
