Skip to main content
HashnodeSOC Analyst LabsSOC Analyst Labs

Command Palette

Search for a command to run...

Juicy Details – Log Analysis & Full Attack Reconstruction (TryHackMe Walkthrough)

Log Analysis and correlation

Updated
5 min read
Juicy Details – Log Analysis & Full Attack Reconstruction (TryHackMe Walkthrough)
U
Umamaheswari B
👋Hi, I’m Umamaheswari Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more happy to help.

Introduction

You were hired as a SOC Analyst for one of the biggest Juice Shops in the world and an attacker has made their way into your network.

Your tasks are:

  • Figure out what techniques and tools the attacker used

  • What endpoints were vulnerable

  • What sensitive data was accessed and stolen from the environment

An IT team has sent you a zip file containing logs from the server. Download the attached file.

  • access.log – Web server access logs

  • auth.log – Linux authentication (SSH) logs

  • vsftpd.log – FTP server logs

The objective was to analyze these logs to determine:

  • Tools used by the attacker

  • Endpoints targeted and exploited

  • Vulnerable application functionality

  • Attacker movement within the web application

  • HTTP response patterns

  • Abnormal or malicious query strings

Web Server Log Analysis (access.log)

The first request made by the attacker was: GET /nice%20ports%2C/Tri%6Eity.txt%2ebak

When URL-decoded (using CyberChef), this resolves to:/nice ports,/Trinity.txt.bak

This request is a well-known Nmap NSE probe used to test for exposed or backup files, indicating the attacker was attempting to identify misconfigurations or sensitive files on the server.

Following this, the attacker began using Nmap NSE scripts for vulnerability checking and active reconnaissance against the web server.

Next, the attacker transitioned to manual interaction and started exploring multiple application paths

Brute-Forcing Using Hydra

Logs indicate a Hydra-based brute-force attack against the /rest/user/login endpoint. The attacker generated a high volume of automated authentication attempts, resulting in multiple 401 Unauthorized responses and intermittent 500 Internal Server Errors using both GET and POST methods.

One request returned HTTP 200, confirming successful authentication and credential compromise. This represents a critical security incident involving valid account compromise.

A total of 287 failed login attempts were observed followed by one successful authentication

After a successful brute-force attack, the attacker switched to manual browsing, as indicated by a real browser User-Agent.

The attacker then validated the session using:

  • GET /rest/user/whoami

confirming which user account was logged in.

Subsequent requests to:

  • /rest/admin/application-configuration

  • /rest/basket/1

  • /rest/products/search?q=

  • /api/Quantitys/

indicate application mapping, object enumeration, and potential IDOR testing.

The POST /rest/user/data-export request represents a high-risk action, likely triggering sensitive data export and possible exfiltration.

The attacker repeatedly targeted authentication-related endpoints (/rest/user/login and /rest/user/whoami) to obtain, validate, and potentially manipulate authenticated sessions.

SQLMap

The logs show automated SQL injection exploitation using sqlmap against the /rest/products/search endpoint through the q parameter.

Many different SQL injection techniques appear in the requests, including boolean-based, error-based, UNION-based, and time-based payloads. The repeated HTTP 200 responses to crafted SQL injection payloads confirm successful exploitation of the q parameter.

I used the following filter to isolate only q= parameter payloads and correlated them with returned HTTP status codes to identify which inputs produced successful responses.

I extracted all SQL injection payloads generated by sqlmap and decoded them using CyberChef.

The results confirm successful SQL injection exploitation, including column enumeration and data extraction from the Users table. The attacker was able to retrieve sensitive information such as user IDs, email addresses, and password fields

Feroxbuster

The logs also show activity from feroxbuster, which is a directory brute-forcing tool used to discover hidden files and folders on websites.

This tells us that the attacker was performing web content discovery, looking for admin panels, backup locations, and other sensitive directories. This type of activity usually happens after an attacker has already gained some access and is trying to expand their foothold.

FTP on web

The attacker also tried to access the FTP directory through the web interface and attempted to open two files: www-data.bak and coupons_2013.md.bak. Both requests returned 403 Forbidden, meaning the web server blocked access. However, the fact that these paths exist suggests that backup files are present on the system.

Authentication Log Analysis (auth.log)

Looking at auth.log, we can see that the attacker also brute-forced SSH credentials for the user www-data from the same IP address.

To identify failed SSH attempts: cat auth.log | grep "Failed password"

and cat auth.log | grep "Accepted password" | grep "IP" to check if the attacker succeeded in getting access

there is log showing “Accepted password”, which confirms that the attacker successfully logged into the system via SSH twice.

FTP Server Log Analysis (vsftpd.log)

Analyzing ftp server logs, OK LOGIN indicates successful login, attacker first tried to log in using common usernames like anonymous and ftp, which are often used to test whether anonymous FTP access is enabled with the password IEUser@

Later, the FTP logs show that the attacker successfully downloaded two files using FTP: www-data.bak and coupons_2013.md.bak. Earlier in access.log, we saw that the attacker tried to access these same files through the web application but received 403 Forbidden, meaning the attempt failed. However, even though the files were blocked on the website, they were still accessible through the FTP service.

Reconnaissance

Answer the questions below

What tools did the attacker use? (Order by the occurrence in the log)

Ans: nmap, hydra, sqlmap, curl, feroxbuster

What endpoint was vulnerable to a brute-force attack?

Ans: /rest/user/login

What endpoint was vulnerable to SQL injection?

Ans: /rest/products/search

What parameter was used for the SQL injection?

Ans: q

What endpoint did the attacker try to use to retrieve files? (Include the /)

Ans: /ftp

Stolen data

Answer the questions below

What section of the website did the attacker use to scrape user email addresses?

Ans: product reviews

Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)

Ans: Yay, 11/Apr/2021:09:16:31 +0000

What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

Ans: email, password

What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, question #5)

Ans: coupons_2013.md.bak, www-data.bak

What service and account name were used to retrieve files from the previous question? (service, username)

Ans: ftp, anonymous

What service and username were used to gain shell access to the server? (service, username)

Ans: ssh, www-data

Thank you for Reading. I hope you enjoyed this walkthrough

Keep HUNTING!

#loganalysis#manual

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

S

SOC Analyst Labs

39 posts

Hands-on blue team journey covering phishing analysis, threat detection, threat intelligence, network and endpoint log analysis, web traffic analysis, and SIEM monitoring on TryHackMe and Let’s Defend