Episode 3 of retrying challenges attempted on my dead laptop: analysing access logs


Live solving, straight from trial to blog. No middle management. No filtering. RAW!

Tried downloading goaccess. The BTLO page says to use grep, sort, uniq and an Apache log analyser, and goaccess is the log analyser I found. I decided to first use goaccess to get an overview of the log, and then go in with grep, sort, uniq etc. Could I potentially solve this using only goaccess? I don't know, I've never used goaccess, but I think I could. I could drill a hole into the moon if I wanted to, tbh.

Here's the thing though. Scrolling through cybersec twitter one day, I saw a lot of fandom elders concerned that, because so many tools are so easily available, newbies in the field are quick to get results without putting much effort or thought into how those results were achieved. Granted, that discussion was about bug bounties, but I still kinda agree with them. For example, Wireshark makes packet capture very easy and intuitive, so I never really bothered to put effort into tcpdump. There are plenty of step-by-step tutorials on pulling FTP/HTTP objects out of a stream, so all you have to do is follow the steps mindlessly and solve a lot of questions. Which meant that when I decided to try tcpdump I was completely and utterly lost, because I was so used to pointing and clicking :). So I won't repeat the same mistake this time. Now on to learning goaccess. Too much lecturing.

Right, so running goaccess access.log opens a terminal dashboard with the analysed log. Photo for reference:

/wp-login.php?itsec-hb-token=adminlogin is right there in the screenshot and is the answer to the first question. It was an HTTP POST request to the WordPress login page (wp-login.php), made with the adminlogin token (the itsec-hb-token parameter is the hidden-backend login slug used by the iThemes Security plugin, which is why the login page isn't just plain /wp-login.php).

Now I wanted to see what admin-ajax.php was, so I looked up what AJAX is. It stands for Asynchronous JavaScript and XML: JavaScript on the page sends requests in the background, so only part of the page updates instead of the whole page reloading. In WordPress, admin-ajax.php is the endpoint those background requests are sent to, and plugins and themes use it too, not just the admin area, so seeing it in the log isn't suspicious on its own.
Next, the POST request that was made uploaded the fr34k.php web shell, so I guessed that to be the answer to question 5. fr34k.php was uploaded through simple-file-list, so that would be the answer to which plugin was exploited to gain access. I couldn't find the version anywhere in the log (an access log only records request lines, status codes, sizes, referers and user agents, not plugin versions, so the version has to come from outside the log), so I looked it up on Exploit Database and it's 4.2.2.

For question 3, "What CVE was the plugin vulnerable to?", I looked up Contact Form 7 to find out what the vulnerability was. It's CVE-2020-35489, which allows the Contact Form 7 plugin to be abused to upload malicious files to a WordPress site. So that's the answer.

For the last question, I scrolled right to the end of the log, and the last request failed with status code 404. So that's the answer. Now, the question that asks which tools the attacker used is really vague to me. What tools? For what? I did a grep search for "tool" and I don't think the results would really fit here. Hmmmmmm.

Right, after a lot of brute-forcing, entering many strings I found while scrolling through the logs, I got the two: one was sqlmap, in the web browsers / crawlers panel, and the other was wpscan, in the request URL. OK, I'm done, goodnight, it's Christmas, let's go home.
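Since the point of this episode was to not just point and click, here is the grep/sort/uniq version of the whole walk-through as an added example. This is not code from the post or from the BTLO challenge, and the log it runs over is a constructed Apache combined-format sample: the IP, timestamps, plugin path, upload endpoint, shell name and scanner user agents are all made up to echo the kinds of entries described above (the tool names it searches for, sqlmap and wpscan, are an assumption taken from the write-up, and the same file could be fed to goaccess with goaccess "$LOG" --log-format=COMBINED for the dashboard view). Each question gets its own small function so the results can be checked rather than eyeballed.

```shell
#!/bin/sh
# Added example, not from the original post or the challenge.
# Answers the usual access-log questions with grep, sort, uniq and awk.
# The log below is a CONSTRUCTED Apache combined-format sample; every IP,
# timestamp, path and user agent is made up for the demo.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [20/Dec/2021:09:58:11 +0000] "GET / HTTP/1.1" 200 4102 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:09:58:40 +0000] "GET /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 2231 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:09:59:02 +0000] "POST /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:09:59:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 51233 "-" "WPScan v3.8.7 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.7 - - [20/Dec/2021:10:00:14 +0000] "GET /?id=1%20AND%201=1 HTTP/1.1" 200 4102 "-" "sqlmap/1.4.9#stable (http://sqlmap.org)"
203.0.113.7 - - [20/Dec/2021:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:10:02:19 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 23 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:10:02:44 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 200 1560 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:10:02:51 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [20/Dec/2021:10:03:30 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php?cmd=cat%20/etc/shadow HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF

# Combined format: the request line "METHOD PATH PROTO" is the second
# double-quoted field, so split on '"' and print method and path.
request_paths() { awk -F'"' '{ split($2, r, " "); print r[1], r[2] }' "$LOG"; }

# Q1: the login URI. Most-requested path containing wp-login.php.
login_uri() {
  request_paths | awk '$2 ~ /wp-login\.php/ { print $2 }' \
    | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# Where did the attacker push data? POST targets ranked by count.
post_targets() {
  request_paths | awk '$1 == "POST" { print $2 }' | sort | uniq -c | sort -rn
}

# Exploited plugin: the plugin directory that received a POST.
exploited_plugin() {
  request_paths | awk '$1 == "POST"' \
    | grep -oE '/wp-content/plugins/[^/]+' | sort | uniq -c | sort -rn \
    | awk 'NR == 1 { sub(".*/", "", $2); print $2 }'
}

# Dropped web shell: the first .php requested under /wp-content/uploads.
webshell_name() {
  request_paths | grep -oE '/wp-content/uploads/[^ ?]*\.php' \
    | head -n 1 | sed 's#.*/##'
}

# Tools: scanner names anywhere on the line (user agent or URL), lower-cased
# so "WPScan" and "wpscan" collapse to one entry. The name list is an assumption.
tool_names() { grep -oiE 'sqlmap|wpscan' "$LOG" | tr 'A-Z' 'a-z' | sort -u; }

# Status code of the very last request in the file ($9 in combined format).
last_status() { tail -n 1 "$LOG" | awk '{ print $9 }'; }

echo "login URI:        $(login_uri)"
echo "POST targets:";  post_targets
echo "exploited plugin: $(exploited_plugin)"
echo "web shell:        $(webshell_name)"
echo "tools:            $(echo $(tool_names))"
echo "last status:      $(last_status)"
```

The one thing worth noticing is what the log cannot answer: the plugin version and the CVE never appear in any request line, which is exactly why those two had to come from Exploit Database, and the "tools" answer only falls out when you search user agents and URLs rather than paths alone.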
