Log Analysis | Compromised wordpress | Privilege Escalation | Blue team labs online

Published at
12/3/2024
Categories
splunk
loganalysis
labs
btlo
Author
mihika
We are going to solve two labs in this post. Go to the Blue Team Labs Online website, open the first lab and download its file: Log Analysis - Compromised Wordpress.
Note that I am using Splunk here.

1. Identify the URI of the admin login panel that the attacker gained access to (include the token)
Use filter: source="access.log" | stats count by uri
Screenshot: admin login URI
answer: /wp-login.php/?itsec-hb-token=adminlogin

2. Can you find two tools the attacker used?
Use filter: source="access.log" | stats count by useragent
Screenshot: tools used by the attacker to scan for vulnerabilities
answer: sqlmap WPScan

3. The attacker tried to exploit a vulnerability in 'Contact Form 7'. What CVE was the plugin vulnerable to? (Do some research!)
You can search for this online.
Screenshot: Contact Form 7 vulnerability
answer: CVE-2020-35489

4. What plugin was exploited to get access?
If you see requests to plugin directories that seem out of place, they could indicate an attempt to exploit a vulnerability in that plugin.
Plugin paths follow the pattern: /wp-content/plugins/plugin_name/...
You can check Exploit-DB and search for a specific plugin to find out whether it is associated with any known vulnerability.
Exploit-DB: www.exploit-db.com/

filter: source="access.log" method=POST | stats count by uri

Screenshot: POST requests
The POST requests go to ee-file-engine.php and ee-upload-engine.php; these files are part of the Simple File List plugin. Upload functionality within plugins is a typical target for attackers who want to upload malicious files.

The fr34k.php file located in the /uploads directory is highly suspicious: files in the uploads directory should be user-generated media (images, PDFs, etc.), not PHP scripts.

answer: simple file list 4.2.2

5. What is the name of the PHP web shell file?
answer: fr34k.php

6. What was the HTTP response code provided when the web shell was accessed for the final time?
filter: source="access.log" "fr34k.php" | stats count by _time method uri status
Screenshot: status code when the web shell was last accessed
answer: 404
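The Splunk searches used for questions 1 to 6 can be reproduced offline. The following Python script is an added example, not part of the lab or the original post: it parses combined-format access log lines, counts requests by URI and by user agent like "stats count by", flags known scanner user agents, lists POST targets under the plugins directory, finds PHP scripts requested from the uploads directory, and returns the status code of the final request for a given file. The log lines are constructed for the example in the lab's format, not taken from its data, and the plugin directory name "simple-file-list" is an assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format; the lab's access.log has this shape.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"'
)

# Constructed sample lines for this example (not the lab's data). The plugin
# directory name "simple-file-list" is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2024:10:01:00 +0000] "GET /wp-login.php/?itsec-hb-token=adminlogin HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2024:10:01:05 +0000] "POST /wp-login.php/?itsec-hb-token=adminlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2024:10:02:00 +0000] "GET /?p=1 HTTP/1.1" 200 512 "-" "sqlmap/1.4.7#stable (http://sqlmap.org)"
10.0.0.5 - - [04/Jan/2024:10:03:00 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 100 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.0.0.5 - - [04/Jan/2024:10:04:00 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2024:10:04:10 +0000] "POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2024:10:05:00 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2024:10:06:00 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = e["uri"].split("?", 1)[0]   # URI without the query string
            events.append(e)
    return events


def count_by(events, field):
    """Equivalent of Splunk's '| stats count by <field>'."""
    return Counter(e[field] for e in events)


# Substrings that identify common scanners in the User-Agent header.
TOOL_SIGNATURES = ("sqlmap", "wpscan", "nikto", "nmap")


def scanner_tools(events):
    """Names of known scanning tools seen in user agents (question 2)."""
    found = set()
    for ua in count_by(events, "useragent"):
        found.update(t for t in TOOL_SIGNATURES if t in ua.lower())
    return sorted(found)


def plugin_posts(events):
    """Distinct POST targets under /wp-content/plugins/ (question 4)."""
    return sorted({e["path"] for e in events
                   if e["method"] == "POST" and e["path"].startswith("/wp-content/plugins/")})


def php_in_uploads(events):
    """PHP scripts requested from the uploads directory, where only media belongs (question 5)."""
    return sorted({e["path"] for e in events
                   if "/wp-content/uploads/" in e["path"]
                   and e["path"].lower().endswith((".php", ".phtml"))})


def last_status(events, filename):
    """Status code of the final request for a file; assumes lines are in time order (question 6)."""
    hits = [e for e in events if filename in e["path"]]
    return hits[-1]["status"] if hits else None


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for uri, n in count_by(ev, "uri").most_common():
        print(n, uri)
    print("tools:", scanner_tools(ev))
    print("plugin POSTs:", plugin_posts(ev))
    print("php in uploads:", php_in_uploads(ev))
    print("last status for fr34k.php:", last_status(ev, "fr34k.php"))
```

The user-agent match is deliberately a substring check: tools such as sqlmap and WPScan announce themselves by default, and an attacker who changes the header will not show up here, which is why the plugin-path and uploads-directory checks matter as a second signal.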


2nd lab: open and download the file Log Analysis - Privilege Escalation. You can open the file in any text editor.

1. What user (other than 'root') is present on the server?
You can see the command "cd /home/daniel/" in the given file.
answer: daniel

2. What script did the attacker try to download to the server?
Everything is stated plainly in the file.
answer: linux-exploit-suggester.sh

3. What packet analyzer tool did the attacker try to use?
answer: tcpdump

4. What file extension did the attacker use to bypass the file upload filter implemented by the developer?
There is a mention of the removal of a file with the .phtml extension. .phtml files are often treated as PHP scripts by web servers configured to recognize them as executable.
If the file upload filter blocked common PHP extensions such as .php, .php3, .php5 or .phps, the attacker could have used .phtml as an alternative extension to evade it. After uploading the .phtml file, the attacker could request it through the server, and the server would execute it as PHP code; this allows the attacker to run arbitrary commands or use it as a web shell. The attacker deleted the uploaded .phtml file at the end to clean up traces of their activity and reduce the risk of detection.
answer: .phtml
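As an added illustration of why an extension blocklist is bypassable (this is example code, not the lab's or the original post's), here is a minimal Python blocklist check that lets .phtml through, beside an allowlist check that accepts only expected media types and rejects double extensions. The extension sets are assumptions for the example; the lab does not show the developer's actual filter.

```python
import os

# Weak filter of the kind the lab describes: rejects a few known PHP extensions.
# Any PHP-executable extension not on the list (.phtml, .phar, ...) passes.
PHP_BLOCKLIST = {".php", ".php3", ".php5", ".phps"}


def blocklist_allows(filename):
    """Blocklist check: True unless the extension is one of the listed ones."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in PHP_BLOCKLIST


# Hardened filter: only the types the application actually expects are accepted.
ALLOWED_UPLOADS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def allowlist_allows(filename):
    """Allowlist check: exactly one extension, and it must be an expected media type."""
    name = os.path.basename(filename)          # ignore any directory part
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:        # rejects "shell.php.jpg" and ".htaccess"
        return False
    return "." + parts[1] in ALLOWED_UPLOADS


if __name__ == "__main__":
    for f in ("photo.jpg", "shell.php", "shell.phtml", "shell.php.jpg"):
        print(f, "blocklist:", blocklist_allows(f), "allowlist:", allowlist_allows(f))
```

An allowlist on its own is still not sufficient: the uploads directory should also be configured so the web server never executes scripts stored there, and uploaded files are best stored under server-generated names rather than the name the client supplied.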

5. Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the 'python' binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load

Commands like sudo -l and using Python to spawn a shell (./usr/bin/python -c ...) point toward attempts to elevate privileges. A binary with the SUID bit set runs with its owner's privileges (here root) regardless of who invokes it, so a setuid python binary hands the attacker a root shell.
answer: 4
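The defender's counterpart to this finding is to check for the misconfiguration itself. The following Python audit is an added example, not part of the lab or the original post: it flags setuid-root regular files whose name matches a shell-capable interpreter such as python, using a classification function that can be tested on raw mode and owner values. The interpreter list and the default search roots are assumptions for the example.

```python
import os
import stat

# Interpreters and shells that execute arbitrary code when run; setuid root on
# any of these is a privilege escalation path. The list is an assumption.
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "bash", "sh",
                 "dash", "zsh", "node", "php"}


def classify_suid(path, st_mode, st_uid):
    """Return a finding string if the file is setuid root and shell-capable, else None."""
    if not stat.S_ISREG(st_mode):           # skip symlinks, directories, devices
        return None
    if not (st_mode & stat.S_ISUID) or st_uid != 0:
        return None                         # not setuid, or not owned by root
    base = os.path.basename(path)
    stem = base.rstrip("0123456789.")       # python3.11 -> python, php8 -> php
    if base in SHELL_CAPABLE or stem in SHELL_CAPABLE:
        return f"setuid-root interpreter: {path} (mode {oct(st_mode & 0o7777)})"
    return None


def audit_suid(roots=("/usr/bin", "/usr/local/bin", "/bin", "/usr/sbin")):
    """Walk the given directories and collect findings; unreadable entries are skipped."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)     # lstat so a symlink is not followed
                except OSError:
                    continue
                finding = classify_suid(full, st.st_mode, st.st_uid)
                if finding:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_suid():
        print(line)
```

In the classification, 0o104755 is a regular file (0o100000) with the setuid bit (0o4000) and mode 755; the same file without the setuid bit, or owned by a non-root user, is not reported. A clean system should produce no output from audit_suid(), and any hit is something to compare against the sudo -l output the attacker was also interested in.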
