Scenario

A suspicious file was identified on a company web server, raising alarms within the intranet. The Development team flagged the anomaly, suspecting potential malicious activity. To address the issue, the network team captured critical network traffic and prepared a PCAP file for review.

Your task is to analyze the provided PCAP file to uncover how the file appeared and determine the extent of any unauthorized activity.

**https://cyberdefenders.org/blueteam-ctf-challenges/webstrike/**


1- Identifying the geographical origin of the attack helps in implementing geo-blocking measures and analyzing threat intelligence. From which city did the attack originate?

Tianjin

Screenshot 2025-05-04 015415.png

Screenshot 2025-05-04 014923.png

Opening the PCAP shows only two IP addresses: the attacker and the web server. The first HTTP packet tells them apart, since the side sending the request is the attacker. Looking that address up with an IP geolocation service gives the answer: https://ipgeolocation.io/what-is-my-ip/117.11.88.124

2- Knowing the attacker's User-Agent assists in creating robust filtering rules. What's the attacker's Full User-Agent?

Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Screenshot 2025-05-04 015031.png

Follow any TCP or HTTP stream and the User-Agent header of the attacker's requests gives the answer.

3- We need to determine if any vulnerabilities were exploited. What is the name of the malicious web shell that was successfully uploaded?

image.jpg.php

Screenshot 2025-05-04 015259.png

After browsing the website, the attacker found the upload page and used a POST request to upload a PHP reverse shell.

4- Identifying the directory where uploaded files are stored is crucial for locating the vulnerable page and removing any malicious files. Which directory is used by the website to store the uploaded files?

/reviews/uploads/
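The four questions above follow one triage procedure: tell client from server by who sends the first HTTP request, pull the User-Agent from that client's requests, find the multipart POST that carries the upload and its filename, then spot the later request that fetches the file to learn the directory it was stored in. The script below, added here as a worked example and not part of the original writeup or the challenge files, runs that procedure over a constructed set of flows (placeholder RFC 5737 addresses, a constructed `/reviews/upload.php` endpoint and a placeholder file body) shaped like what Wireshark's "Follow TCP stream" shows. The geolocation step is an external lookup and is not reproduced in code.

```python
import re

# Request-line prefixes that mark an HTTP client; bytes.startswith accepts a tuple.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
# Extensions a PHP-enabled server will execute, whatever other extension precedes them.
EXEC_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def split_http(payload):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def identify_roles(flows):
    """Return (client_ip, server_ip): whoever sends the first HTTP request is the client."""
    for src, dst, payload in flows:
        if payload.startswith(HTTP_METHODS):
            return src, dst
    return None, None


def multipart_filenames(headers, body):
    """Return the filename= values from every part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return []
    boundary = b"--" + m.group(1).encode("latin-1")
    names = []
    for part in body.split(boundary)[1:]:
        part_head = part.partition(b"\r\n\r\n")[0].decode("latin-1", "replace")
        fn = re.search(r'filename="([^"]*)"', part_head)
        if fn:
            names.append(fn.group(1))
    return names


def executable_suffixes(filename):
    """List any executable extension in the name, e.g. image.jpg.php -> ['.php']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if "." + p in EXEC_EXTENSIONS]


def analyze(flows):
    """Walk the flows in capture order and build a small incident report."""
    client, server = identify_roles(flows)
    report = {"attacker": client, "server": server, "user_agents": set(), "uploads": []}
    for src, _, payload in flows:
        if src != client or not payload.startswith(HTTP_METHODS):
            continue
        start, headers, body = split_http(payload)
        method, path = start.split(" ")[:2]
        if "user-agent" in headers:
            report["user_agents"].add(headers["user-agent"])
        if method == "POST" and "multipart/form-data" in headers.get("content-type", ""):
            for name in multipart_filenames(headers, body):
                report["uploads"].append(
                    {"path": path, "filename": name, "executable": executable_suffixes(name)})
        elif method == "GET":
            # A later GET for the uploaded name reveals the directory it was stored in.
            for up in report["uploads"]:
                if path.endswith("/" + up["filename"]):
                    up["served_from"] = path.rsplit("/", 1)[0] + "/"
    return report


# Constructed sample flows: (src_ip, dst_ip, raw TCP payload). Addresses are RFC 5737
# placeholders; the upload endpoint and file content are made up for the example.
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
BOUNDARY = "----constructedboundary1234"
UPLOAD_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename="image.jpg.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\nPLACEHOLDER-FILE-CONTENT\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.20",
     f"GET /reviews/ HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: {UA}\r\n\r\n".encode()),
    ("198.51.100.20", "203.0.113.7",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>constructed</html>"),
    ("203.0.113.7", "198.51.100.20",
     (f"POST /reviews/upload.php HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: {UA}\r\n"
      f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
      f"Content-Length: {len(UPLOAD_BODY)}\r\n\r\n").encode() + UPLOAD_BODY),
    ("203.0.113.7", "198.51.100.20",
     f"GET /reviews/uploads/image.jpg.php HTTP/1.1\r\nHost: intranet.example\r\n"
     f"User-Agent: {UA}\r\n\r\n".encode()),
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On a real capture, feed the same function the payloads exported from Wireshark or `tshark -T fields`; the `executable` list on each upload is the detection signal to alert on, and `served_from` is the directory to clean up and lock down.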