Data integrity

Before running any of the commands below, check that the checksums of the evidence files agree with the reference sums, i.e.:

  • greenforestbank-router.pcap
$ diff <(openssl dgst -sha256 greenforestbank-router.pcap | cut -d' ' -f2) <(echo "4f341625b1538cb346c4802ce02c75dd55c4430c64cebfbed4a70216fff5bf95")
$ diff <(openssl dgst -ripemd160 greenforestbank-router.pcap | cut -d' ' -f2) <(echo "24b85f7e0be6b1abcd66fa7f2a883752a58c1c70")
  • greenforestbank-serwer.pcap
$ diff <(openssl dgst -sha256 greenforestbank-serwer.pcap | cut -d' ' -f2) <(echo "e8fd832714507166dd558c9e6bbd300cee8a66a32f48e2db191488000402e5c0")
$ diff <(openssl dgst -ripemd160 greenforestbank-serwer.pcap | cut -d' ' -f2) <(echo "f77dabe77ff0390ff598ec96d706132b19537776")
  • access.log
$ diff <(openssl dgst -sha256 access.log | cut -d' ' -f2) <(echo "30e325f69de2e37b96263fb59a9b8169cd6ea1a160ee9022f7d0a0c782616c75")
$ diff <(openssl dgst -ripemd160 access.log | cut -d' ' -f2) <(echo "4b3389fce7565727469c8c5f7715da3c023356be")
  • auth.log
$ diff <(openssl dgst -sha256 auth.log | cut -d' ' -f2) <(echo "fc9195a33f274ac57ed236f5ff1abd462abb2ad3e290c91f799987291fa187d4")
$ diff <(openssl dgst -ripemd160 auth.log | cut -d' ' -f2) <(echo "1dfd36235e561815dd22cbdffad56cfa2a5f7d55")

and only then make working copies. diff prints nothing when the two sums agree; any output means the file does not match its reference sum.

Dual checksums, i.e., SHA-256 and RIPEMD-160, are used as insurance against an attack on any single hash function: a tampered file would have to collide under both.
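The same dual-hash check as a script, added here as an example and not part of the original write-up. It carries the reference digests from the list above, streams each file so large pcaps need not fit in memory, and reports an explicit status per file instead of relying on an empty diff; a build whose OpenSSL lacks RIPEMD-160 is reported as "unsupported" rather than silently passing.

```python
import hashlib
from pathlib import Path

# Reference digests for the evidence set, copied from the write-up above:
# filename -> {algorithm: hex digest}.
MANIFEST = {
    "greenforestbank-router.pcap": {
        "sha256": "4f341625b1538cb346c4802ce02c75dd55c4430c64cebfbed4a70216fff5bf95",
        "ripemd160": "24b85f7e0be6b1abcd66fa7f2a883752a58c1c70",
    },
    "greenforestbank-serwer.pcap": {
        "sha256": "e8fd832714507166dd558c9e6bbd300cee8a66a32f48e2db191488000402e5c0",
        "ripemd160": "f77dabe77ff0390ff598ec96d706132b19537776",
    },
    "access.log": {
        "sha256": "30e325f69de2e37b96263fb59a9b8169cd6ea1a160ee9022f7d0a0c782616c75",
        "ripemd160": "4b3389fce7565727469c8c5f7715da3c023356be",
    },
    "auth.log": {
        "sha256": "fc9195a33f274ac57ed236f5ff1abd462abb2ad3e290c91f799987291fa187d4",
        "ripemd160": "1dfd36235e561815dd22cbdffad56cfa2a5f7d55",
    },
}

def digest(path, algo, chunk=1 << 20):
    """Hex digest of a file, streamed in 1 MiB chunks.
    Returns None when this Python/OpenSSL build lacks the algorithm."""
    try:
        h = hashlib.new(algo)
    except ValueError:
        return None
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest, base_dir="."):
    """Check every file in manifest against every listed digest.
    Returns {filename: "ok" | "missing" | "mismatch:<algo>" | "unsupported:<algo>"}.
    A file is "ok" only if all of its digests match: one mismatch on either
    hash is enough to reject the copy, which is the point of two hashes."""
    results = {}
    for name, expected in manifest.items():
        path = Path(base_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        status = "ok"
        for algo, want in expected.items():
            got = digest(path, algo)
            if got is None:
                status = f"unsupported:{algo}"
                break
            if got.lower() != want.lower():
                status = f"mismatch:{algo}"
                break
        results[name] = status
    return results

if __name__ == "__main__":
    for name, status in verify(MANIFEST).items():
        print(f"{status:<22} {name}")
    # Make working copies only once every line reads "ok".
```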

Timeline

1) Scanning internal network

At 15:15:18 (here and below UTC+1) the attacker runs nmap on the machine with IP address 172.16.0.2 and discovers an Apache2 and phpMyAdmin server with IP address 192.168.1.2. This can be shown by running the following command on the packet capture from the router:

$ tcpdump -i any -r greenforestbank-router.pcap src host 172.16.0.2 | sed -n "1,100p"

which gives:

reading from file greenforestbank-router.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
15:15:18.264158 wlp2s0 In  IP 172.16.0.2 > 192.168.0.1: ICMP echo request, id 19245, seq 0, length 8
15:15:18.264159 wlp2s0 In  IP 172.16.0.2 > 192.168.0.2: ICMP echo request, id 543, seq 0, length 8
15:15:18.264160 wlp2s0 In  IP 172.16.0.2 > 192.168.0.3: ICMP echo request, id 29538, seq 0, length 8
15:15:18.264160 wlp2s0 In  IP 172.16.0.2 > 192.168.0.4: ICMP echo request, id 34308, seq 0, length 8
15:15:18.264160 wlp2s0 In  IP 172.16.0.2 > 192.168.0.5: ICMP echo request, id 35468, seq 0, length 8
15:15:18.264160 wlp2s0 In  IP 172.16.0.2 > 192.168.0.6: ICMP echo request, id 11810, seq 0, length 8
15:15:18.264161 wlp2s0 In  IP 172.16.0.2 > 192.168.0.7: ICMP echo request, id 30859, seq 0, length 8
15:15:18.264161 wlp2s0 In  IP 172.16.0.2 > 192.168.0.8: ICMP echo request, id 16715, seq 0, length 8
...

From the above output we can see that ICMP echo requests (ping) are used to locate hosts on the internal network.

2) Connecting to phpMyAdmin

At 15:24:16 nmap has discovered 192.168.1.2, the host where the Apache2 server is running. The attacker connects to it and tries to find the right URL for phpMyAdmin, requesting /webadmin, /admin and /phpMyAdmin in that order:

$ tcpdump -i any -r greenforestbank-serwer.pcap src host 172.16.0.2 and dst host 192.168.1.2 and tcp port 80 | grep 'Flags \[P.\]' | sed -n "1,4p"

The command keeps only the TCP segments with the PSH flag set (those carrying HTTP data) sent from the attacker to the server, and gives the following output:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
15:24:16.812035 enp0s25 In  IP 172.16.0.2.36014 > 192.168.1.2.http: Flags [P.], seq 0:414, ack 1, win 502, options [nop,nop,TS val 4079352240 ecr 1050478194], length 414: HTTP: GET / HTTP/1.1
15:24:29.976437 enp0s25 In  IP 172.16.0.2.36016 > 192.168.1.2.http: Flags [P.], seq 0:330, ack 1, win 502, options [nop,nop,TS val 4079365404 ecr 1050491358], length 330: HTTP: GET /webadmin HTTP/1.1
15:24:35.055238 enp0s25 In  IP 172.16.0.2.36018 > 192.168.1.2.http: Flags [P.], seq 0:327, ack 1, win 502, options [nop,nop,TS val 4079370483 ecr 1050496437], length 327: HTTP: GET /admin HTTP/1.1
15:24:42.634713 enp0s25 In  IP 172.16.0.2.36020 > 192.168.1.2.http: Flags [P.], seq 0:575, ack 1, win 502, options [nop,nop,TS val 4079378062 ecr 1050504017], length 575: HTTP: GET /phpMyAdmin/ HTTP/1.1

3) Logging into phpMyAdmin

Between 15:25:04 and 15:26:30 the attacker tries different username/password pairs to gain access to the bank's database and finally logs into the phpMyAdmin panel with the szef/szef pair.

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep username

which gives:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
set_session=gnunb0qcljqgb6atakglfj5ei7&pma_username=root&pma_password=root&server=1&route=%2F&token=7126656a573c7b38547828784f256f3c
set_session=6fkh05uvoemqs74cloabsahsc6&pma_username=admin&pma_password=admin&server=1&route=%2F&token=6045232e5f266c372452324459426f53
set_session=910dj2c5moabbu5cnoauc1cad6&pma_username=guest&pma_password=guest&server=1&route=%2F&token=3977452f612f426a2a6a267e5e493579
set_session=4bpu022mhmbfvom4ledfocmolo&pma_username=administrator&pma_password=administrator&server=1&route=%2F&token=7e63335d2d55514d3c5f232a6a6d4d39
set_session=mvl2q5vs5kfdhefb41gc06jh61&pma_username=root&pma_password=&server=1&route=%2F&token=5b752e6070305546285722494b76757b
set_session=i060g1rk3aq2mqts175ee16aum&pma_username=root&pma_password=1234567890&server=1&route=%2F&token=49565a3843626f7a6f56445d4562497b
set_session=n0dcv72rmjaakd6k649frjbbgr&pma_username=root&pma_password=0123456789&server=1&route=%2F&token=4c2237276c6e3822564d6e4958612555
set_session=ru5m7363u1cggrq450tnhnb7o9&pma_username=root&pma_password=1234&server=1&route=%2F&token=2277435677245334786e2d2a2e25344c
set_session=5nojjhbi0jb75evnb2p9fr02ep&pma_username=root&pma_password=12345678&server=1&route=%2F&token=5f6f7e2269253b65476c2f2b3e316135
set_session=ht79vgjo9vc6v9cm6a5ap65nf7&pma_username=root&pma_password=abcdefghijk&server=1&route=%2F&token=7d25606053685159577c4f2e345a4938
set_session=embhs92a8s1m4cc6odshu92gd3&pma_username=root&pma_password=abcd&server=1&route=%2F&token=526343643a306c53377050736c5b6261
set_session=abuv2cbk4bcs6jtnoo222mh4sc&pma_username=szef&pma_password=szef&server=1&route=%2F&token=543b216d7d6b6d7f526f7956285b7c6b

In the first line above we can also spot that one of the bank's employees, who knew the correct pair, was using phpMyAdmin at the same time. We can use the editcap CLI tool from the Wireshark suite to keep only the packets between 15:25:04 and 15:26:30; this prints exactly the same lines except the first one, since that one does not belong to the attacker:

$ editcap -A 2021-12-08T15:25:04 -B 2021-12-08T15:26:30 -F pcap greenforestbank-serwer.pcap - | tcpdump -A -s 0 -i any -r - host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep username

We can further confirm this assumption by looking at auth.log:

$ cat auth.log | grep 'user denied'
Dec  8 15:25:04 serwer phpMyAdmin[3933]: user denied: admin (mysql-denied) from 172.16.0.2
Dec  8 15:25:20 serwer phpMyAdmin[3929]: user denied: guest (mysql-denied) from 172.16.0.2
Dec  8 15:25:34 serwer phpMyAdmin[3936]: user denied: administrator (mysql-denied) from 172.16.0.2
Dec  8 15:25:41 serwer phpMyAdmin[3931]: user denied: root (empty-denied) from 172.16.0.2
Dec  8 15:25:52 serwer phpMyAdmin[4137]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:01 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:05 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:10 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:17 serwer phpMyAdmin[3930]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:21 serwer phpMyAdmin[3930]: user denied: root (mysql-denied) from 172.16.0.2
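The auth.log evidence above is exactly what a brute-force detection would trigger on. The following is an added example (not part of the original write-up) that parses phpMyAdmin "user denied" lines and flags any source address with a burst of denials; the sample input is the ten lines quoted above plus one constructed single failure from another address, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the ten "user denied" lines quoted from auth.log above, plus
# one constructed single failure from another address that must not be flagged.
AUTH_LOG = """\
Dec  8 15:25:04 serwer phpMyAdmin[3933]: user denied: admin (mysql-denied) from 172.16.0.2
Dec  8 15:25:20 serwer phpMyAdmin[3929]: user denied: guest (mysql-denied) from 172.16.0.2
Dec  8 15:25:34 serwer phpMyAdmin[3936]: user denied: administrator (mysql-denied) from 172.16.0.2
Dec  8 15:25:41 serwer phpMyAdmin[3931]: user denied: root (empty-denied) from 172.16.0.2
Dec  8 15:25:52 serwer phpMyAdmin[4137]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:01 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:05 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:10 serwer phpMyAdmin[3932]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:17 serwer phpMyAdmin[3930]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 15:26:21 serwer phpMyAdmin[3930]: user denied: root (mysql-denied) from 172.16.0.2
Dec  8 16:02:45 serwer phpMyAdmin[4410]: user denied: szef (mysql-denied) from 192.168.1.50
"""

DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ phpMyAdmin\[\d+\]: "
    r"user denied: (?P<user>\S+) \((?P<reason>[^)]+)\) from (?P<ip>\S+)$"
)

def parse_denials(text, year):
    """Yield (timestamp, user, reason, ip) per denial line. syslog stamps
    carry no year, so the caller supplies it (2021 for this case)."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["reason"], m["ip"]

def find_bursts(text, threshold=5, window=timedelta(minutes=2), year=2021):
    """Return {ip: summary} for every source with at least `threshold`
    denials inside any `window`-long span. Threshold and window are assumed
    tuning values, not figures from the write-up."""
    by_ip = defaultdict(list)
    for ts, user, _reason, ip in parse_denials(text, year):
        by_ip[ip].append((ts, user))
    bursts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            # widen j while events[i..j] still fit inside the window
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[ip] = {
                    "first": events[0][0], "last": events[-1][0],
                    "attempts": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return bursts
```

Ten denials in 77 seconds from 172.16.0.2 are flagged while the lone failure from 192.168.1.50 is not; the summary's user list also shows the attacker cycling through default account names before settling on root.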

4) Exporting the database

By looking at the HTTP packets that actually carry data (not bare SYN, FIN or ACK segments) between the attacker and the server, we can confirm that the attacker downloads GreenForestBank.sql at 15:26:57:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 and '(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'export_type=database' -B 15 -A 20

Output:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
15:26:57.507278 enp0s25 In  IP 172.16.0.2.36054 > 192.168.1.2.http: Flags [P.], seq 1746:5137, ack 20610, win 501, options [nop,nop,TS val 4079512929 ecr 1050636743], length 3391: HTTP: POST /phpMyAdmin/index.php?route=/export HTTP/1.1
E..sf.@.?.ZE...........PV.k..-.P....{".....
.(ma>.q.POST /phpMyAdmin/index.php?route=/export HTTP/1.1

(... headers omitted)

db=GreenForestBank&table=&export_type=database&export_method=quick&template_id=&token=7027675c37772f5c662a3e6e75375f25&quick_or_custom=quick&what=sql&structure_or_data_forced=0&table_select%5B%5D=Klienci&table_structure%5B%5D=Klienci&table_data%5B%5D=Klienci&table_select%5B%5D=Lokaty&table_structure%5B%5D=Lokaty&table_data%5B%5D=Lokaty&table_select%5B%5D=Pracownicy&table_structure%5B%5D=Pracownicy&table_data%5B%5D=Pracownicy&aliases_new=&output_format=sendit&filename_template=%40DATABASE%40&remember_template=on&charset=utf-8&compression=none&maxsize=&codegen_structure_or_data=data&codegen_format=0&csv_separator=%2C&csv_enclosed=%22&csv_escaped=%22&csv_terminated=AUTO&csv_null=NULL&csv_structure_or_data=data&excel_null=NULL&excel_columns=something&excel_edition=win&excel_structure_or_data=data&json_structure_or_data=data&json_unicode=something&latex_caption=something&latex_structure_or_data=structure_and_data&latex_structure_caption=Structure+of+table+%40TABLE%40&latex_structure_continued_caption=Structure+of+table+%40TABLE%40+%28continued%29&latex_structure_label=tab%3A%40TABLE%40-structure&latex_comments=something&latex_columns=something&latex_data_caption=Content+of+table+%40TABLE%40&latex_data_continued_caption=Content+of+table+%40TABLE%40+%28continued%29&latex_data_label=tab%3A%40TABLE%40-data&latex_null=%5Ctextit%7BNULL%7D&mediawiki_structure_or_data=structure_and_data&mediawiki_caption=something&mediawiki_headers=something&htmlword_structure_or_data=structure_and_data&htmlword_null=NULL&ods_null=NULL&ods_structure_or_data=data&odt_structure_or_data=structure_and_data&odt_comments=something&odt_columns=something&odt_null=NULL&pdf_report_title=&pdf_structure_or_data=structure_and_data&phparray_structure_or_data=data&sql_include_comments=something&sql_header_comment=&sql_use_transaction=something&sql_compatibility=NONE&sql_structure_or_data=structure_and_data&sql_create_table=something&sql_auto_increment=something&sql_create_view=something&sql_procedure_function=
something&sql_create_trigger=something&sql_backquotes=something&sql_type=INSERT&sql_insert_syntax=both&sql_max_query_size=50000&sql_hex_for_binary=something&sql_utc_time=something&texytext_structure_or_data=structure_and_data&texytext_null=NULL&xml_structure_or_data=data&xml_export_events=something&xml_export_functions=something&xml_export_procedures=something&xml_export_tables=something&xml_export_triggers=something&xml_export_views=something&xml_export_contents=something&yaml_structure_or_data=data
15:26:57.547201 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36054: Flags [P.], seq 20610:24444, ack 5137, win 501, options [nop,nop,TS val 1050638930 ecr 4079512929], length 3834: HTTP: HTTP/1.1 200 OK
E....%@.@............P...-.PV.y	....|......
>.zR.(maHTTP/1.1 200 OK
Date: Wed, 08 Dec 2021 14:26:57 GMT
Server: Apache/2.4.51 (Debian)
Set-Cookie: phpMyAdmin=dtselt7ctgufg3b3207ue23sii; path=/phpMyAdmin/; HttpOnly
Expires: Wed, 08 Dec 2021 14:26:57 +0000
Cache-Control: no-store, no-cache, must-revalidate,  pre-check=0, post-check=0, max-age=0
Last-Modified: Wed, 08 Dec 2021 14:26:57 +0000
Set-Cookie: pmaUser-1=%7B%22iv%22%3A%22woqhfIzmadv%5C%2FZuYnoOpfdg%3D%3D%22%2C%22mac%22%3A%22810ce1aa82049bb45d7080e675aa7d6ea31be6d6%22%2C%22payload%22%3A%22wYpeY8yxVXub7FCKGPFDoA%3D%3D%22%7D; expires=Fri, 07-Jan-2022 14:26:57 GMT; Max-Age=2592000; path=/phpMyAdmin/; HttpOnly; SameSite=Strict
Set-Cookie: pmaAuth-1=%7B%22iv%22%3A%22URblkUBEpYxk5llT%2BRY0uw%3D%3D%22%2C%22mac%22%3A%223d4f0f3c7d7e7929e6149cca049e0f273266afb3%22%2C%22payload%22%3A%223NDKv4zytuUuRWuYhTWZgxeOVaoB9ndGjnlXCXdY5Ok%3D%22%7D; path=/phpMyAdmin/; HttpOnly; SameSite=Strict
X-ob_mode: 1
Pragma: no-cache
Content-Description: File Transfer
Content-Disposition: attachment; filename="GreenForestBank.sql"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/x-sql;charset=utf-8

By increasing the -A value of the grep command above we can also see the contents of GreenForestBank.sql.
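The BPF expression used above, `(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)`, is the TCP payload length computed from three header fields. The following added example (not from the original write-up) performs the same arithmetic on constructed IPv4/TCP packets so the filter's effect on a bare ACK versus a data segment can be checked by hand; the addresses and ports mirror the capture, checksums are left at zero.

```python
import struct

def tcp_payload_len(pkt: bytes) -> int:
    """TCP payload length computed exactly as the tcpdump filter does:
    ip[2:2]             IP total length in bytes
    (ip[0]&0xf)<<2      IP header length (IHL words * 4)
    (tcp[12]&0xf0)>>2   TCP header length (data offset words * 4)
    `pkt` starts at the IP header, as tcpdump's ip[] offsets do."""
    total_len = struct.unpack("!H", pkt[2:4])[0]      # ip[2:2]
    ihl_bytes = (pkt[0] & 0x0F) << 2                  # (ip[0]&0xf)<<2
    tcp = pkt[ihl_bytes:]                             # tcp[] is relative to the TCP header
    data_off_bytes = (tcp[12] & 0xF0) >> 2            # (tcp[12]&0xf0)>>2
    return total_len - ihl_bytes - data_off_bytes

def carries_data(pkt: bytes) -> bool:
    """True when the '... != 0' filter above would keep the packet."""
    return tcp_payload_len(pkt) != 0

def build_tcp_packet(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums zero; only the fields
    the filter reads are meaningful). `options` pads the TCP header the way
    the nop,nop,timestamp options in the captures above do (12 bytes)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte multiple")
    tcp_hdr_len = 20 + len(options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([172, 16, 0, 2]), bytes([192, 168, 1, 2]))
    data_offset = (tcp_hdr_len // 4) << 4             # upper nibble of tcp[12]
    tcp_hdr = struct.pack("!HHIIBBHHH", 36054, 80, 0, 0, data_offset, 0x18, 501, 0, 0)
    return ip_hdr + tcp_hdr + options + payload

# nop, nop, timestamp(kind 8, len 10) with zeroed values: 12 bytes of options
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
```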

This activity can also be observed in the Apache2 server logs:

$ cat access.log | grep export
172.16.0.2 - - [08/Dec/2021:15:26:47 +0100] "GET /phpMyAdmin/index.php?route=/database/export&db=GreenForestBank&ajax_request=true&ajax_page_request=true&_nocache=1638973607439234626&token=7027675c37772f5c662a3e6e75375f25 HTTP/1.1" 200 14070 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:26:47 +0100] "GET /phpMyAdmin/js/dist/export.js?v=5.1.1 HTTP/1.1" 200 7049 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:26:55 +0100] "GET /phpMyAdmin/index.php?route=/database/export&db=GreenForestBank&ajax_request=true&ajax_page_request=true&_nocache=1638973615289283779&token=7027675c37772f5c662a3e6e75375f25 HTTP/1.1" 200 14070 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:26:57 +0100] "POST /phpMyAdmin/index.php?route=/export HTTP/1.1" 200 3839 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

5) Deleting database

At 15:27:53 the attacker makes the first attempt to delete the bank's database, using the SQL query panel in phpMyAdmin, whose auto-complete requests are visible in the capture:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep 'autocomplete'

which gives:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
15:27:49.504059 enp0s25 In  IP 172.16.0.2.36060 > 192.168.1.2.http: Flags [P.], seq 1751:2758, ack 12306, win 501, options [nop,nop,TS val 4079564921 ecr 1050688424], length 1007: HTTP: POST /phpMyAdmin/index.php?route=/database/sql/autocomplete HTTP/1.1
.)8y>.;.POST /phpMyAdmin/index.php?route=/database/sql/autocomplete HTTP/1.1

The first query tried by the attacker:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep "sql_query" -B 15 | sed -n "1,16p"

Output:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
15:27:53.585682 enp0s25 In  IP 172.16.0.2.36060 > 192.168.1.2.http: Flags [P.], seq 2758:3757, ack 15265, win 501, options [nop,nop,TS val 4079569002 ecr 1050690916], length 999: HTTP: POST /phpMyAdmin/index.php?route=/lint HTTP/1.1
E.....@.?..B...........P@..pF..............
.)Hj>.EdPOST /phpMyAdmin/index.php?route=/lint HTTP/1.1

(... headers omitted)

sql_query=drop+data&server=1&no_history=true&_nocache=1638973673564353845&token=7027675c37772f5c662a3e6e75375f25

SQL syntax checking is enabled on the system, so the attacker's incomplete attempts before arriving at the right statement can also be recovered from the capture:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep 'sql_query' -A 3

Output:

reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
sql_query=drop+data&server=1&no_history=true&_nocache=1638973673564353845&token=7027675c37772f5c662a3e6e75375f25
15:27:53.585736 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36060: Flags [.], ack 3757, win 501, options [nop,nop,TS val 1050694969 ecr 4079569002], length 0
E..4.^@.@............P..F...@..W....m......
>.U9.)Hj
--
sql_query=drop+DATABASE&server=1&no_history=true&_nocache=1638973674809851646&token=7027675c37772f5c662a3e6e75375f25
15:27:54.844615 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36060: Flags [P.], seq 16429:17694, ack 4758, win 501, options [nop,nop,TS val 1050696228 ecr 4079570245], length 1265: HTTP: HTTP/1.1 200 OK
E..%.`@.@............P..F...@..@....r......
>.Z$.)MEHTTP/1.1 200 OK
--
sql_query=drop+DATABASE+&server=1&no_history=true&_nocache=1638973676642789704&token=7027675c37772f5c662a3e6e75375f25
15:27:56.679999 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36060: Flags [P.], seq 17694:18978, ack 5758, win 501, options [nop,nop,TS val 1050698063 ecr 4079572080], length 1284: HTTP: HTTP/1.1 200 OK
E..8.a@.@............P..F..y@..(....r......
>.aO.)TpHTTP/1.1 200 OK
--
sql_query=drop+DATABASE+GreenForest&server=1&no_history=true&_nocache=1638973679706390668&token=7027675c37772f5c662a3e6e75375f25
15:27:59.744154 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36060: Flags [P.], seq 18978:20142, ack 6788, win 501, options [nop,nop,TS val 1050701127 ecr 4079575144], length 1164: HTTP: HTTP/1.1 200 OK
E....b@.@............P..F..}@.......ro.....
>.mG.)`hHTTP/1.1 200 OK
--
sql_query=drop+DATABASE+GreenForestBank&server=1&no_history=true&_nocache=1638973680923280497&token=7027675c37772f5c662a3e6e75375f25
15:28:00.962132 enp0s25 Out IP 192.168.1.2.http > 172.16.0.2.36060: Flags [P.], seq 20142:21309, ack 7805, win 501, options [nop,nop,TS val 1050702345 ecr 4079576361], length 1167: HTTP: HTTP/1.1 200 OK
E....c@.@............P..F..	@..'....rr.....
>.r	.)e)HTTP/1.1 200 OK
--
...

Similar entries can also be found in access.log (lint is phpMyAdmin's syntax-checker endpoint):

$ cat access.log | grep lint
172.16.0.2 - - [08/Dec/2021:15:27:53 +0100] "POST /phpMyAdmin/index.php?route=/lint HTTP/1.1" 200 1164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:27:54 +0100] "POST /phpMyAdmin/index.php?route=/lint HTTP/1.1" 200 1265 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:27:56 +0100] "POST /phpMyAdmin/index.php?route=/lint HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:27:59 +0100] "POST /phpMyAdmin/index.php?route=/lint HTTP/1.1" 200 1164 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
172.16.0.2 - - [08/Dec/2021:15:28:00 +0100] "POST /phpMyAdmin/index.php?route=/lint HTTP/1.1" 200 1167 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

Therefore the attacker's last query, made at 15:28:00, erases the database; the server's confirmation is in the capture:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep 'executed+successfully'
reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
db=GreenForestBank&token=7027675c37772f5c662a3e6e75375f25&is_js_confirmed=0&pos=0&goto=index.php%3Froute%3D%2Fdatabase%2Fsql&message_to_show=Your+SQL+query+has+been+executed+successfully.&prev_sql_query=&sql_query=drop+DATABASE+GreenForestBank&sql_delimiter=%3B&fk_checks=0&fk_checks=1&SQL=Go&ajax_request=true&ajax_page_request=true&_nocache=1638973683600735280&token=7027675c37772f5c662a3e6e75375f25

System time

Looking at GreenForestBank.sql as exported by the attacker:

$ tcpdump -A -s 0 -i any -r greenforestbank-serwer.pcap host 192.168.1.2 and host 172.16.0.2 and tcp port 80 | grep 'time_zone' -B 5

Output:

...
-- Server version: 10.5.12-MariaDB-0+deb11u1
-- PHP Version: 7.4.25

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
START TRANSACTION;
SET time_zone = "+00:00";

we can see that phpMyAdmin writes its export with time zone "+00:00". Similarly, the Date headers of the HTTP responses sent by the server are in GMT, i.e. +00:00:

$ tcpdump -A -i any -c 10 -r greenforestbank-serwer.pcap src host 192.168.1.2 | grep Date
reading from file greenforestbank-serwer.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
Date: Wed, 08 Dec 2021 14:24:16 GMT
Date: Wed, 08 Dec 2021 14:24:29 GMT

However, the host's time zone is +01:00, which we can observe from any log entry in access.log. The two clocks agree and only the zone differs: the export response's Date header (14:26:57 GMT) and the matching access.log entry (15:26:57 +0100) describe the same instant.

$ cat access.log | head -n 1
172.16.0.2 - - [08/Dec/2021:15:07:57 +0100] "GET / HTTP/1.1" 200 3380 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
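Because auth.log, access.log, tcpdump and the HTTP Date headers each stamp time differently, a single timeline needs every source normalised to UTC first. The following added example (not from the original write-up) does that for the four formats seen above and merges events into one ordered list; the host offset of +01:00 and the year 2021 are assumptions taken from the analysis above, since auth.log and tcpdump stamps carry neither.

```python
from datetime import datetime, timezone, timedelta

# Assumed from the analysis above: host runs at UTC+1, captures are from 2021.
HOST_TZ = timezone(timedelta(hours=1))
LOG_YEAR = 2021

def syslog_to_utc(stamp, year=LOG_YEAR, tz=HOST_TZ):
    """auth.log: 'Dec  8 15:25:04' is host-local with no year and no offset."""
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def apache_to_utc(stamp):
    """access.log: '08/Dec/2021:15:26:57 +0100' carries its own offset."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

def httpdate_to_utc(stamp):
    """HTTP Date header: 'Wed, 08 Dec 2021 14:26:57 GMT' is always GMT."""
    naive = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S GMT")
    return naive.replace(tzinfo=timezone.utc)

def pcap_to_utc(stamp, date, tz=HOST_TZ):
    """tcpdump: '15:26:57.507278' is the capturing host's local time with no
    date; the date comes from the pcap itself or the surrounding log context."""
    naive = datetime.strptime(f"{date} {stamp}", "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

PARSERS = {"auth.log": syslog_to_utc, "access.log": apache_to_utc,
           "http-date": httpdate_to_utc}

def merge_timeline(entries):
    """entries: (source, stamp, note) with source a key of PARSERS, or
    ('pcap', (stamp, date), note). Returns events ordered by UTC time as
    (iso8601 utc, source, note); microseconds are kept so pcap events keep
    their sub-second order relative to whole-second log entries."""
    out = []
    for source, stamp, note in entries:
        utc = pcap_to_utc(*stamp) if source == "pcap" else PARSERS[source](stamp)
        out.append((utc, source, note))
    out.sort(key=lambda e: e[0])
    return [(utc.isoformat(), source, note) for utc, source, note in out]
```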

Privilege level

$ cat auth.log | grep useradd
Dec  8 13:56:17 serwer useradd[1334]: new user: name=mysql, UID=109, GID=116, home=/nonexistent, shell=/bin/false, from=none

Since the attacker successfully breaks into phpMyAdmin, he obtains all the privileges of the user with UID=109 and GID=116 (mysql).