The Perfect Survey lab presents a multi-stage cyberattack investigation targeting the Wowza Sport organization, a company whose online presence was recently disrupted by a suspected competitor. On the day of the incident, monitoring systems flagged a sudden, abnormal surge in incoming web requests that overwhelmed the company’s online services. What initially appeared to be aggressive reconnaissance quickly escalated into a full-scale compromise, chaining together web application exploitation, credential theft, Active Directory abuse, and domain-wide privilege escalation.
In this lab you are tasked with analyzing logs from the compromised web server, which also functions as the domain controller for the Wowza Sport environment. The investigation spans two primary data sources: Apache access.log entries ingested into Splunk for web traffic analysis, and Windows Security.json event logs for tracking authentication events, Kerberos activity, and Active Directory modifications. From these artifacts you will reconstruct the full attack chain: the initial Nmap service enumeration and WPScan plugin discovery, the exploitation of a known SQL injection vulnerability in a WordPress plugin, and the Active Directory attacks that ultimately led to domain compromise.
The attack chain demonstrates a realistic escalation path commonly observed in modern intrusions: leveraging a web application vulnerability to extract credentials, using those credentials to authenticate to the domain, performing Kerberoasting to compromise a service account, abusing Resource-Based Constrained Delegation (RBCD) for lateral movement, and finally exploiting a misconfigured Active Directory Certificate Services (AD CS) template to impersonate the Domain Administrator.
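The web-traffic side of this investigation, as an added example that is not part of the lab's materials: a Python triage over constructed Apache access.log lines (the IPs, plugin path, query string and timestamps are invented) that flags the per-source request surge, the WPScan user agent from the plugin-discovery stage, and URL-encoded SQL injection aimed at plugin or admin-ajax endpoints.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines; not taken from the lab's access.log.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 311 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 220 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 220 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.9 - - [12/Mar/2024:10:00:41 +0000] "GET /wp-admin/admin-ajax.php?action=example_stats&id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 845 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"wpscan|nmap|nikto|sqlmap", re.I)
SQLI = re.compile(r"union\s+select|information_schema|\bor\s+\d+\s*=\s*\d+", re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, per_minute=5):
    """Bucket requests per (source IP, minute) and flag surge, scanner UAs and SQLi attempts.
    per_minute is deliberately low to suit the six-line constructed sample."""
    surge = Counter()
    scanners, sqli = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                      # skip lines that are not valid access-log records
        minute = rec["ts"][:17]           # "12/Mar/2024:10:00" -> one-minute bucket
        surge[(rec["ip"], minute)] += 1
        if SCANNER_UA.search(rec["ua"]):
            scanners.add((rec["ip"], rec["ua"].split()[0]))
        path = unquote(rec["path"])       # decode %20 etc. before pattern matching
        if ("/wp-content/plugins/" in path or "admin-ajax.php" in path) and SQLI.search(path):
            sqli.append((rec["ip"], path))
    surge_ips = sorted({ip for (ip, _), n in surge.items() if n >= per_minute})
    return {"surge_ips": surge_ips, "scanners": sorted(scanners), "sqli": sqli}
```

The same three checks translate directly into Splunk searches over the ingested access.log (a `stats count by clientip, _time` span=1m for the surge, and `useragent`/`uri` field matches for the other two).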