The PhishStrike lab presents a compelling scenario that simulates a real-world network breach, where an attacker exploits a vulnerability in a web server. By successfully uploading a malicious webshell, the attacker gains unauthorized control of the server, utilizing it as a platform for launching further malicious activities, including data manipulation. This hands-on investigation challenges participants to analyze the provided network capture (PCAP) to unravel the attack timeline, identify the initial entry point, understand the tools and techniques used, and assess the scope of the compromise. Using tools like Wireshark, NetworkMiner, and Brim, participants explore tactics including initial access, command and control, and execution while honing their skills in network forensics and incident response.
Q1 Identifying the attacker's IP address helps trace the source and stop further attacks. What is the attacker's IP address?
To identify the attacker's IP address, we examine the network traffic captured in the PCAP file, focusing on HTTP communications. In web-based attacks such as this one, a vulnerability in the web server is often the initial access vector: exploiting it lets the attacker bypass security controls and execute a malicious payload. In Wireshark, we can begin the analysis by applying an `http` display filter to isolate web traffic and then opening Statistics ➝ Endpoints (with "Limit to display filter" enabled) to list the IP addresses involved in the HTTP communication.
The endpoint with IP address 23.158.56.196
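The same "endpoints restricted to HTTP" view can be reproduced without Wireshark. The script below is an added example, not part of the original writeup or the PhishStrike lab: it parses a libpcap file with only the standard library, keeps frames whose TCP payload begins with an HTTP request method, and tallies requests per client IP. The capture it runs on is constructed in memory (little-endian libpcap, Ethernet framing, a handful of sample packets with made-up internal addresses and a made-up `/upload` path); point `http_endpoints` at real PCAP bytes to run it on a lab capture.

```python
"""Tally which client IPs issued HTTP requests in a libpcap capture (stdlib only)."""
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (sample data, not from the lab)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return header + body


def iter_frames(pcap_bytes):
    """Yield raw link-layer frames from a little-endian libpcap buffer."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian libpcap with microsecond timestamps is handled here")
    offset = 24  # global header size
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_http_request(frame):
    """Return (src_ip, dst_ip, request_line) if the frame carries an HTTP request, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    payload = tcp[data_offset:]
    if not payload.startswith(HTTP_METHODS):  # responses start with "HTTP/1.x", so they are skipped
        return None
    return src, dst, payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def http_endpoints(pcap_bytes):
    """Counter of client IP -> number of HTTP requests sent (Wireshark Endpoints limited to http)."""
    counts = Counter()
    for frame in iter_frames(pcap_bytes):
        request = parse_http_request(frame)
        if request:
            counts[request[0]] += 1
    return counts


# Constructed sample capture: one internal browser, one external client hitting an upload path.
SAMPLE_PCAP = build_pcap([
    build_packet("10.10.20.7", "10.10.20.5", 51000, 80, b"GET /index.html HTTP/1.1\r\nHost: shop.local\r\n\r\n"),
    build_packet("10.10.20.5", "10.10.20.7", 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_packet("23.158.56.196", "10.10.20.5", 40312, 80, b"POST /upload HTTP/1.1\r\nHost: shop.local\r\n\r\n"),
    build_packet("23.158.56.196", "10.10.20.5", 40313, 80, b"GET /uploads/ HTTP/1.1\r\nHost: shop.local\r\n\r\n"),
])

if __name__ == "__main__":
    for client, n in http_endpoints(SAMPLE_PCAP).most_common():
        print(f"{client:<16} {n} HTTP request(s)")
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `http_endpoints`; the external address with the most requests against the web server is the first candidate to pivot on, and `parse_http_request` gives you the request lines to confirm what that client actually asked for.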