Introduction

In this lab, we delve into the forensic investigation of a suspicious activity detected on a company web server, captured and provided in the form of a PCAP file for analysis. The scenario highlights a critical security incident involving the unauthorized upload of a malicious web shell, subsequent command execution, and an attempt to exfiltrate sensitive data. Through this analysis, we will uncover the methods employed by the attacker, the vulnerabilities exploited, and the techniques used to maintain unauthorized access to the server.

Using Wireshark, a powerful network analysis tool, we systematically examine the captured traffic to answer key questions about the attack. We begin by identifying the attacker’s geographical origin and their initial interactions with the server. Following this, we analyze the malicious payload and uncover how the attacker successfully bypassed upload validation mechanisms to deploy a web shell. We then investigate the attacker’s reverse shell communications, including the port used for outbound traffic and their commands executed on the compromised server. Finally, we identify the sensitive file targeted for exfiltration, revealing the full scope of the incident.

This walkthrough serves to illustrate not only the attacker’s methodology but also the forensic techniques used to trace their actions and mitigate the damage. By understanding these steps, we can better prepare for and respond to similar incidents in the future, reinforcing the importance of network forensics in incident response and cybersecurity defense.