APIWizards Breach

Investigate a security breach at APIWizards Inc.

medium

90 min

Task 1 Preparation

You were hired as a dedicated external DFIR specialist to help the APIWizards Inc. company with a security incident in their production environment. APIWizards develops REST APIs on demand and hosts them on separate Ubuntu servers. The company suspects that one of its servers is compromised.

APIWizards CISO:
“This is our third breach for this year: we see strange web requests in Nginx logs, then some unexpected changes in system files, and after a few days, we see our data in Telegram! We tried cleaning infected files, but hackers are always one step forward.”

“Yesterday, we observed a similar web scan on our newly deployed API server, and suspect it might be the same threat actors. We quickly isolated the server from the network and desperately hope for your help!”


SSH credentials:

  • IP Address: MACHINE_IP
  • Username: dev
  • Password: d3v-p455w0rd
Answer the questions below
Start the Incident Response!
“We host our applications in home user directories and serve them via Nginx. This time, we deployed a simple API to get the date and time by specifying a timezone. Is there anything strange going on?”
Answer the questions below
Which programming language is the web application written in?

What is the IP address that attacked the web server?

Which vulnerability was found and exploited in the API service?

Which file contained the credentials used to privesc to root?

What file did the hacker drop and execute to persist on the server?

Which service was used to host the “rooter2” malware?

“No way it was so easy to exploit! While we are calling the developer, please check if there are any backdoors left by the hackers. They were extremely clever the previous two times, so be vigilant!”
Answer the questions below
Which two system files were infected to achieve cron persistence?

What is the C2 server IP address of the malicious actor?

What port is the backdoored bind bash shell listening on?

How does the bind shell persist across reboots?

What is the absolute path of the malicious service?

“We finally reached the developer and he said he would need two weeks to fix the vulnerability! Meanwhile, can you please proceed with the DFIR? We need every malicious indicator you can find to hunt for them on other APIWizards servers.”
Answer the questions below
Which port is blocked on the victim's firewall?

How do the firewall rules persist across reboots?

What is the name of the backdoored local Linux user?

Which privileged group was assigned to the user?

What is the strange word on one of the backdoored SSH keys?

Can you spot and name one more popular persistence method? Not a MITRE technique name.

What are the original and the backdoored binaries from question 6?

What technique was used to hide the backdoor creation date?

“That’s a lot of persistence! But why would the hackers reveal all their techniques? Maybe to use the server as an entry point to our cardholder data environment? Please check for any traces of lateral movement or data exfiltration; perhaps dumps are still there.”
Answer the questions below
What file was dropped which contained gathered victim information?

According to the dropped dump, what is the server’s kernel version?

Which active internal IPs were found by the “rooter2” network scan?

How did the hacker find an exposed HTTP index on another internal IP?

What command was used to exfiltrate the CDE database from the internal IP?

What is the most secret and precious string stored in the exfiltrated database?

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room: 3,228

Created: 379 days ago
