Identify any suspicious activity and extract flag

The first step was to identify the types of network traffic present using the Protocol Hierarchy feature:

[Screenshot: Protocol Hierarchy statistics]

The hierarchy showed HTTP traffic to the web server, which suggested that the server might have been accessed maliciously.

Filtering on HTTP (display filter: http)

[Screenshot: HTTP display filter applied]

The HTTP request logs showed:

  1. A GET request for welcome.png (benign)
  2. A POST request to /upload.aspx, indicating a potential file upload
  3. A GET request for cmd.aspx, suggesting that the uploaded file (an ASPX web shell) was then accessed

The attacker then used cmd.aspx to execute netcat on the web server, which can be seen in packet 141:

[Screenshot: packet 141, netcat launched via cmd.aspx]

From here, I followed the netcat TCP stream (Follow > TCP Stream) to get a better look at what was going on.

Once the attacker got a callback, they ran whoami to check which user they were running as and ipconfig to see the IP configuration (i.e. to check the IP of the host they were executing remote commands on). Scrolling down, a couple of interesting commands were run: