Challenge 02 • Web Server Attack Detection

Understanding Web Server Logs

Web server logs are critical for detecting application-layer attacks, tracking user behavior, and investigating security incidents.

📄 /var/log/nginx/access.log (or Apache access.log)

Purpose: Records every HTTP request to the web server including client IP, timestamp, requested URL, HTTP method, status code, user agent, and referrer.

Why It's Critical: Reveals attacker reconnaissance, exploitation attempts, successful compromises, and post-exploitation activity. Essential for detecting SQL injection, XSS, file uploads, directory traversal, and other OWASP Top 10 attacks.

Format (Combined Log):
IP - - [TIMESTAMP] "METHOD URI VERSION" STATUS SIZE "REFERRER" "USER-AGENT"

Example:
192.0.2.45 - - [28/Nov/2025:10:34:22 +0000] "POST /upload.php HTTP/1.1" 200 523 "-" "curl/7.68.0"

Key Fields:
• 192.0.2.45 = Client IP address
• POST = HTTP method (GET, POST, PUT, DELETE)
• /upload.php = Requested URI/path
• 200 = HTTP status code (200=success, 404=not found, 500=error)
• User-Agent = Client software (often manipulated by attackers)

📄 /var/log/nginx/error.log

Purpose: Records server errors, PHP warnings, failed file operations, and application-level exceptions.

Why It's Critical: Shows what happened behind the scenes. If access.log shows a 200 OK response, error.log reveals whether malicious code actually executed, files were created, or errors occurred during exploitation.

Common Web Attack Indicators

🚨 File Upload Attacks (This Challenge)

POST requests to upload endpoints
Suspicious filenames (shell.php, cmd.php)
Status 200 with file write operations
Access to uploaded files immediately after
Web shell patterns in POST data

💉 SQL Injection

SQL keywords in URL parameters
UNION SELECT, OR 1=1, ' OR '1'='1
Multiple single quotes or comments (--)
Error messages revealing DB structure

📂 Directory Traversal

../ sequences in file paths
Access to /etc/passwd, /etc/shadow
Encoded traversal (%2e%2e%2f)
Null byte injection (%00)

🔍 Reconnaissance

Automated scanners (Nikto, sqlmap)
404s for admin panels, config files
Multiple requests in quick succession
Common vulnerability paths tested

Key Investigation Commands

# Show all POST requests
grep "POST" access.log

# Count requests by IP
awk '{print $1}' access.log | sort | uniq -c | sort -nr

# Find suspicious file access
grep -E "(\.php|\.sh|cmd)" access.log

# Show only successful requests (status 200)
grep " 200 " access.log

Evidence Review

📄 /var/log/nginx/access.log Click lines to tag as evidence

📄 /var/log/nginx/error.log

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run bash commands to analyze the logs. Available: cat, grep, wc, awk, sort, uniq, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 8

Task 1 — Identify the Attacker IP Address

✓ Correct Answer:

192.0.2.45

This IP appears in multiple POST requests to upload.php and subsequent access to the uploaded shell. Use grep "POST" access.log to see upload attempts.

Task 2 — Uploaded Web Shell Filename

✓ Correct Answer:

cmd.php

The attacker uploaded a file named "cmd.php" which is a common web shell name. Look for this filename in both access.log (GET request after upload) and error.log (file creation notice).

Task 3 — Upload Request Timestamp

✓ Correct Answer:

28/Nov/2025:10:34:22

The POST request to /upload.php at this timestamp successfully uploaded the malicious file. This is when the server was first compromised.

Task 4 — Upload HTTP Status Code

✓ Correct Answer:

200

Status code 200 means "OK" - the upload was successful. This confirms the application accepted the malicious file without proper validation.

Task 5 — Command Executed via Web Shell

✓ Correct Answer:

The attacker executed "id" command via the web shell (visible in the query parameter ?cmd=id). This reveals user privileges and is common first post-exploitation recon.

Task 6 — User-Agent of Attacker

✓ Correct Answer:

curl/7.68.0

The attacker used curl (command-line HTTP client) instead of a browser, indicating automated/scripted attack. Legitimate users rarely upload files via curl.

Task 7 — Directory Where Shell Was Uploaded

✓ Correct Answer:

/uploads/

The web shell was accessed at /uploads/cmd.php, meaning files are stored in the /uploads/ directory. This is a common misconfiguration allowing direct execution of uploaded files.

Task 8 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1505.003

T1505.003 = Server Software Component: Web Shell. This technique involves deploying malicious scripts on web servers for persistent access and remote command execution.

XP: 0 / 800

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Attack Chain

Complete all tasks to reveal the attack chain.

Incident Summary

Attacker IP: —
Web shell filename: —
Upload timestamp: —
Upload status: —
Post-exploitation command: —
Attacker tool: —
Attack vector: Unrestricted File Upload (OWASP A03:2021)
MITRE ATT&CK: —

Recommended Remediation

Immediate: Delete /uploads/cmd.php, block 192.0.2.45, terminate web sessions, scan for other shells
Short-term: Review all files in /uploads/, check for backdoor accounts, rotate secrets
Long-term: Implement file type validation, rename uploaded files, disable script execution in upload dirs, add WAF rules

Why This Attack Succeeded

The attacker successfully compromised the web server because:
1. No file type validation on upload.php (accepted .php files)
2. Uploaded files stored in web-accessible directory with execute permissions
3. No content inspection or malware scanning on uploads
4. Missing Web Application Firewall (WAF) or file upload restrictions

🛡️ Challenge 02 • Web Server Attack Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Web Server Logs

📄 /var/log/nginx/access.log (or Apache access.log)

📄 /var/log/nginx/error.log

Common Web Attack Indicators

🚨 File Upload Attacks (This Challenge)

💉 SQL Injection

📂 Directory Traversal

🔍 Reconnaissance

Key Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Attack Chain

Incident Summary

Recommended Remediation

Why This Attack Succeeded