Introduction
Riding off of the high of recently passing my SC-200 I decided to find some free, self-paced training resources while I decide what exam I’ll go for next. Having a quick look around on LinkedIn I stumbled across Deloitte’s Cyber Job Simulator. From the overview of the course:
A risk-free way to experience work on the job with us at Deloitte Australia. Practise your skills with example tasks and build your confidence to ace your applications.
We designed this Job Simulation to help you build the skills and confidence to pursue a career in STEM. It’s a great chance to uncover the exciting opportunities we have for you at Deloitte. It’s your time to explore and advance in the areas you find inspirational.
I’m not looking for a job at Deloitte (especially in Australia, having just moved away from that hemisphere), but any experience is nice to have!
Overview
So, what is this thing?
As detailed in the overview for this simulator:
Complete tasks guided by pre-recorded videos and example answers from our team at Deloitte Australia. No live sessions, all self-paced. Earn a certificate and add it to your resume and LinkedIn as an extracurricular activity. Stand out in applications. Confidently answer interview questions and explain why you’re a good fit for our team.
Those last two points are a bit too HR-y for my liking, but the first point is a definite plus. I love a self-paced learning environment. We’re given one task with the objective of ‘Identify[ing] the security issue that led to a leak of private company information’.
Sounds like fun!
The task
Here’s the background we’re given after completing the sign-up process and watching a quick overview video from the team at Deloitte:
A major news publication has revealed sensitive private information about Daikibo Industrials, our client. A production problem has caused its assembly lines to stop, threatening the smooth operation of supply chains relying on Daikibo’s products. The client suspects the security of their new status board may have been breached.
It gives me a similar vibe to the introductory text seen in some of the CTFs that I’ve written write-ups for previously. They usually have some flavour text with background information and possible hints at what is coming next. It’s a nice way to build a story and keep people (me) entertained.
We get a direct task given in the next page:
In this task you will be joining our cyber security team. Your job is to:
Determine if the alleged breach could have happened from an attacker on the internet directly (i.e. no access to Daikibo's VPN).
Inspect a web_requests.log file (listing only data from a period when the alleged attack has to have happened):
Try to spot suspicious requests
Hint: In the Resources section, you can find a diagram example of how to read the logs file
Hint: Look for longer sequences of user requests
Hint: Notice the order of requests from Login → to requests for the dashboard page's resources (styles, scripts, images, etc.) → to API requests for the actual statuses of the machines
Hint: How would you recognise if an automated request to the API happens at an exact interval of time (assume no such functionality is available in the dashboard)?
If you've identified such requests make sure to write down the ID of the user (it's part of the requests)
Here is how the web_requests.log file is structured:
There is a sequence of blocks of text divided by empty lines
Each block represents the activity of a unique IP address (no 2 blocks have the same IP)
The block starts with the IP address followed by a table of the requests made to Daikibo's telemetry dashboard (the dashboard lives in Daikibo's intranet) by the device with this IP address, sorted by time
The IP addresses are from the internal Daikibo network and are static
1 block can represent 1 or multiple browsing sessions
Sessions made on different dates require new logins
There is no continuous polling/pushing of data between client and server - the users need to refresh the page to get the latest data
Hint: For an easier visual inspection, open up the file in a code editor like Sublime Text or Visual Studio Code, expand the window to the full width of your screen and decrease font size until no text breaks on a new line
Alright. Usually I’d be comfortable with a .pcap file, but it seems we get a .log file instead. Oh well, let’s look into web_requests.log! Here’s a quick sample from the file. Bear in mind there are 2151 lines, so these are just the logs for two of the IPs:
192.168.0.50:
TIME METHOD REQUEST STATUS
2021-06-25T07:23:00.000Z GET "/" 401 (UNAUTHORIZED)
2021-06-25T07:23:00.000Z GET "/login" 200 (SUCCESS)
2021-06-25T07:23:00.000Z GET "/login.css" 200 (SUCCESS)
2021-06-25T07:23:00.000Z GET "/login.js" 200 (SUCCESS)
2021-06-25T07:23:44.000Z POST "/login" 200 (SUCCESS)
2021-06-25T07:23:45.000Z GET "/" {authorizedUserId: "5Eckr4DTaLLDaDMGqmMJ3g"} 200 (SUCCESS)
2021-06-25T07:23:45.000Z GET "/index.css" {authorizedUserId: "5Eckr4DTaLLDaDMGqmMJ3g"} 200 (SUCCESS)
2021-06-25T07:23:45.000Z GET "/index.js" {authorizedUserId: "5Eckr4DTaLLDaDMGqmMJ3g"} 200 (SUCCESS)
2021-06-25T07:23:46.000Z GET "/api/factory/status?factory=*" {authorizedUserId: "5Eckr4DTaLLDaDMGqmMJ3g"} 200 (SUCCESS)
2021-06-25T07:24:01.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "5Eckr4DTaLLDaDMGqmMJ3g"} 200 (SUCCESS)
192.168.0.73:
TIME METHOD REQUEST STATUS
2021-06-25T07:47:00.000Z GET "/" 401 (UNAUTHORIZED)
2021-06-25T07:47:01.000Z GET "/login" 200 (SUCCESS)
2021-06-25T07:47:02.000Z GET "/login.css" 200 (SUCCESS)
2021-06-25T07:47:03.000Z GET "/login.js" 200 (SUCCESS)
2021-06-25T07:48:01.000Z POST "/login" 200 (SUCCESS)
2021-06-25T07:48:02.000Z GET "/" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:48:03.000Z GET "/index.css" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:48:04.000Z GET "/index.js" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:48:04.000Z GET "/api/factory/status?factory=*" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:48:14.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:48:17.000Z GET "/api/factory/machine/status?factory=meiyo&machine=LaserWelder" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:49:12.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:49:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=LaserCutter" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:51:20.000Z GET "/api/factory/machine/status?factory=berlin&machine=MetalPress" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:52:15.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
2021-06-25T07:52:53.000Z GET "/api/factory/machine/status?factory=meiyo&machine=HeavyDutyDrill" {authorizedUserId: "1FtyZHWX9c8JJTZiYqq4Bs"} 200 (SUCCESS)
We can see the usual flow of expected activity in the sample above: an unauthenticated GET to / that is answered with a 401, then the login page along with its css and js resources (exactly what you’d expect when loading a web page), a POST to /login, the dashboard page with its own css and js, and finally the API endpoints, which query a factory by its name (usually a location) and optionally a specific machine, with * as a wildcard.
I scoured through and looked for any UNAUTHORIZED requests. One IP jumped out at me immediately: 192.168.0.101. Here’s the log for that IP:
192.168.0.101:
TIME METHOD REQUEST STATUS
2021-06-25T16:14:00.000Z GET "/" 401 (UNAUTHORIZED)
2021-06-25T16:14:01.000Z GET "/login" 200 (SUCCESS)
2021-06-25T16:14:01.000Z GET "/login.css" 200 (SUCCESS)
2021-06-25T16:14:02.000Z GET "/login.js" 200 (SUCCESS)
2021-06-25T16:14:54.000Z POST "/login" 200 (SUCCESS)
2021-06-25T16:14:54.000Z GET "/" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:14:55.000Z GET "/index.css" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:14:56.000Z GET "/index.js" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:14:57.000Z GET "/api/factory/status?factory=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:15:18.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:16:09.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=Furnace" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:16:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:17:30.000Z GET "/api/factory/machine/status?factory=meiyo&machine=AirWrench" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T16:18:39.000Z GET "/api/factory/machine/status?factory=meiyo&machine=HeavyDutyDrill" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T17:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T17:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T17:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T17:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T18:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T18:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T18:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T18:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T19:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T19:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T19:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T19:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T20:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T20:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T20:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T20:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T21:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T21:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T21:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T21:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T22:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T22:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T22:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T22:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T23:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T23:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T23:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-25T23:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T00:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T00:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T00:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T00:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T01:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T01:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T01:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T01:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T02:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T02:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T02:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T02:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T03:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T03:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T03:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T03:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T04:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T04:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T04:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T04:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T05:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T05:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T05:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T05:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T06:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T06:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T06:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T06:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T07:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T07:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T07:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T07:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T08:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T08:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T08:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T08:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T09:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T09:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T09:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T09:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T10:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T10:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T10:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T10:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T11:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T11:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T11:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T11:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T12:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T12:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T12:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T12:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T13:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T13:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T13:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T13:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T14:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T14:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T14:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T14:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T15:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T15:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T15:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T15:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T16:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T16:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T16:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T16:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 401 (UNAUTHORIZED)
2021-06-26T16:04:00.000Z GET "/" 401 (UNAUTHORIZED)
2021-06-26T16:04:01.000Z GET "/login" 200 (SUCCESS)
2021-06-26T16:04:01.000Z GET "/login.css" 200 (SUCCESS)
2021-06-26T16:04:02.000Z GET "/login.js" 200 (SUCCESS)
2021-06-26T16:04:54.000Z POST "/login" 200 (SUCCESS)
2021-06-26T16:04:54.000Z GET "/" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T16:04:55.000Z GET "/index.css" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T16:04:56.000Z GET "/index.js" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T17:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T17:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T17:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T17:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T18:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T18:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T18:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T18:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T19:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T19:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T19:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T19:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T20:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T20:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T20:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T20:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T21:00:48.000Z GET "/api/factory/machine/status?factory=meiyo&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T21:00:48.000Z GET "/api/factory/machine/status?factory=seiko&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T21:00:48.000Z GET "/api/factory/machine/status?factory=shenzhen&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
2021-06-26T21:00:48.000Z GET "/api/factory/machine/status?factory=berlin&machine=*" {authorizedUserId: "mdB7yD2dp1BFZPontHBQ1Z"} 200 (SUCCESS)
Quite a lengthy log for that one IP. The block starts like every other one: login, dashboard resources, then a handful of hand-paced API calls (16:14:57 to 16:18:39, with irregular gaps of tens of seconds between them). From 17:00:48 the pattern changes: four requests logged in the same second, one per factory with machine=*, then nothing until exactly one hour later at the next :00:48, and so on every hour. From 00:00:48 on the 26th every one of those requests comes back 401 (UNAUTHORIZED), which lines up with the task note that sessions on different dates need a new login; the polling carries on blindly for sixteen hours regardless, a fresh login happens at 16:04:54, and the hourly polls resume with 200s at 17:00:48, still on the same :00:48 cadence. That is not a person clicking through the factories and machines, and it is not the dashboard either (the task notes say it does no polling of its own). Hitting the API on the hour to the second, through the night, and never noticing a wall of 401s is the behaviour of an automated tool or script, not legitimate user activity. If we had user agents available we might even be able to tell which tool was used!
This block was only about halfway through the log, so I searched through the rest of it for any other IPs showing similar signs of automated polling.
After looking through the rest of the log, the above IP was the only one with a large number of UNAUTHORIZED requests against the API. The authorizedUserId for these requests was mdB7yD2dp1BFZPontHBQ1Z.
Answering Questions
Looks like we found the suspicious user and IP! Let’s remind ourselves what the objectives are before we answer the questions:
Determine if the alleged breach could have happened from an attacker on the internet directly (i.e. no access to Daikibo’s VPN).
Well, given that the IP is an internal one (192.168.0.101, and the task tells us the addresses in the log are static intranet addresses), the requests came from inside Daikibo’s network, either from a device on the LAN or from someone connected over the VPN. That’s not good.
Inspect a web_requests.log file (listing only data from a period when the alleged attack has to have happened). Try to spot suspicious requests.
We’ve done that. Let’s answer the questions.
1/2: Is there a way for a hacker to access Daikibo’s manufacturing status dashboard directly from the internet?
We’re given four options. We know there aren’t any brute-force attempts, as there are no failed logins in the log (every POST to /login comes back 200). The dashboard lives on the intranet and every IP in the log is internal, so it isn’t reachable directly from the internet; an attacker would need VPN (or on-site) access first.
2/2: Looking at the web_requests.log, what is the user ID with the most suspicious activity?
We have that from the log above. So we can just choose that option.
When I select the correct user ID we get some more info (and something I should’ve spotted):
Nailed it! It starts off with a regular login -> browsing of the dashboard. But then it turns into a regular, once-per-hour (see the time stamps) automated check of the statuses in all 4 factories with no page resources being loaded and with an obviously non-human punctuality.
Conclusion
That was fun. Like I mentioned, I expected a .pcap file, as that’s usually what you get from tools like tcpdump or Wireshark. I understand this is just a free, entry-level certificate, but it’s something I would’ve liked to see.
Oh well! It’s done and dusted, and I got a free certificate to show off on my LinkedIn because of it.
InfoSec is a pretty fun field. Unlike fields like law or medicine, you can just go and try out new techniques and methods without worrying about breaking anything. Platforms like TryHackMe and HackTheBox offer a safe place to try out exploits and red-teaming methods without worrying about the law coming down on you for bricking a corporate network.
Brain surgeons can’t hear about a fun new method for cutting open a skull and try it out in their bedroom, but in InfoSec you can read about EternalBlue and quickly find a resource to test it out (like here!)
It’s not just red-teaming either. There are plenty of blue-team focused challenges and scenarios that you can find online - Like this whole Deloitte simulator.
Thanks for reading!