Can you do this assignment?
Part A: Preparing the lab

Import the VM provided in blog.mysportclub.ex.ova into VirtualBox. This is a webserver for which you do not have the credentials, so you will need to boot it from a Kali Linux ISO file. You can download the Kali installer from https://www.kali.org/get-kali/#kali-bare-metal.

1. In the VM settings, configure the optical drive to use the Kali Linux ISO file. Capture a screenshot.
2. Make sure the VM boots first from the DVD. Capture a screenshot of the proper setting.
3. Boot the VM. In Kali's boot menu, choose Advanced options → Rescue mode. When asked about the root filesystem, choose "Do not use a root file system", then "Execute a shell in the installer environment". You will need to mount the webserver's disk partitions somewhere in the filesystem. Execute "fdisk -l /dev/sda" to see all partitions on the webserver's disk. Capture a screenshot. IMPORTANT NOTE: if you restart at some point, this step and the next ones must be repeated.
4. Execute "vgdisplay" to show all volume groups, then "lvdisplay" to show all logical volumes and the group each belongs to. As you have probably noticed, you cannot scroll the output, so it is more convenient to paginate it with "lvdisplay | more". (If a volume shows no device node under /dev, activate the volume group first with "vgchange -ay".) Enumerate the 5 volumes you found (just write down the names, no screenshot).
5. Create a directory /mnt/blog and mount the root volume there using the device file shown in "LV Path". Then show the content of the mount point, which should be the standard root directory. Capture a screenshot of the successful commands. Tip: the mount command should be based on "mount -o ro DEVICE MOUNT_POINT".
6. The webserver's logs were originally stored in the standard directory /var/log. Therefore, to access them you need to mount the corresponding logical volume on /mnt/blog/var and read the logs at the new path /mnt/blog/var/log. Capture a screenshot of the corresponding mount and ls commands.
7. Execute "mount" without parameters and double check that both filesystems are mounted read-only. Why do we need to make sure? What would happen if forensic evidence were altered somehow? Note that "-o ro" alone does not stop ext3/ext4 from replaying a dirty journal at mount time, which writes to the evidence; "-o ro,noload" skips that replay.

Part B: Logs analysis

Based on the information in ENISA_Webserver_Analysis.pdf, provided with the lab, you need to analyze the webserver logs as part of your forensic investigation. The server with IP 195.251.97.97, which runs WordPress and hosts http://blog[.]mycompany[.]ex, was compromised on August 19th, 2016. Use section 3.4.1 as a guideline, but you do not need to perform all of its tasks.

8. Move to /mnt/blog/var/log/apache2 to find Apache's logs. Execute "tail -5 access.log" to familiarize yourself with the fields found in every entry. What browser was used in the last log entry?
9. The first field is the IP address of the system that accessed the webserver. As you can see, the last entries show the server itself. To exclude them, use grep's -v parameter. Show the last 3 lines that do not originate from the server itself (195.251.97.97 or ::1).
10. You can observe that the IP address in these lines is 10.0.0.15, but there could be other IP addresses. Obtain them all using the command-line example in the PDF that combines cat, awk, sort and uniq.
11. Nonetheless, most connections originate from this local IP address. Execute "grep ^10.0.0.15 access.log | tail -5". It seems the attacker uploaded a file c99.php somewhere in the WordPress document root. Usually WP's document root is under /var/www/html; however, everything is mounted under /mnt/blog, so the full path is /mnt/blog/var/www/html. Move there, then into the wordpress directory. From this point on, move to wherever c99.php is, as per the information you observed in the log. What is the full path of this file?
12. Move to that folder (you can press TAB to complete directory names). Execute "head -20 c99.php". What is suspicious?
13. What kind of file is it (other than a PHP script), used by attackers to gain persistence?
14. What are 3 ways of mitigating vulnerabilities in jQuery-File-Upload?

Part C: Computer hacking

Read the article, then answer the questions. Feel free to research the topic further.
https://nationalpost.com/news/politics/a-nova-scotia-teen-found-a-big-security-hole-on-a-government-server-should-he-be-jailed-or-rewarded

1. The police charged the teen with "unauthorized use of a computer". What is the exact offense as per the Canadian Criminal Code?
2. What was the vulnerability the teen exploited? Name it, then explain.
3. What should the teen have done after discovering the vulnerability instead of automating the exploit?
4. What kind of program offers a reward for a reported vulnerability? What company is named in the article regarding such a program?
5. Pretend you own an iPhone and discover a vulnerability. How would you report it to Apple?

Part D: Identity theft

Read the article, then answer the questions. Feel free to research the topic further.
https://www.justice.gov/usao-nv/pr/reno-man-pleads-guilty-creating-over-8000-fraudulent-online-accounts-stolen-identities

6. If Gibson's company had caught him early in his crime and had decided to fire him, what kind of document would have helped Gibson's company in case he had decided to sue them?
7. What can people do to verify whether a criminal has opened a credit card in their name?
8. What would be the next steps if someone in Canada confirms they are a victim of identity theft?
9. What service is usually offered by financial institutions and/or credit bureaus to identity theft victims? How can it help the victims?

Part E: Supply chain attacks

Read the article, then answer the questions. Feel free to research the topic further.
https://www.techrepublic.com/article/kaseya-supply-chain-attack-impacts-more-than-1000-companies/

10. Why did the attack against Kaseya impact more than 1000 companies?
11. Did the attack impact Kaseya users who kept the application updated? Why?
12. What was Kaseya's recommendation to contain the incidents?
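For Part A step 7 and Part B steps 9 to 11, the following shell script is an added example, not part of the assignment or of the ENISA lab material. It runs the same checks over constructed input: the "mount" lines and the access.log entries are made up, the volume group name blog-vg and the plugin path under wp-content are hypothetical, and only 195.251.97.97, ::1 and 10.0.0.15 come from the assignment. It goes slightly beyond the steps: the server's own hits are excluded with exact (fixed-string) matching rather than an unescaped regex, and query strings are stripped before the .php paths a client requested are listed, so an uploaded webshell stands out. In the lab, the real location of c99.php must be read from the lab's own log.

```shell
#!/bin/sh
# Added example for Part A step 7 and Part B steps 9-11 (not the lab's code).
# All sample data below is CONSTRUCTED; paths and the VG name are hypothetical.

SERVER_IP='195.251.97.97'

# Constructed "mount" output: evidence volumes mounted read-only (good case).
MOUNT_OK=$(cat <<'EOF'
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/blog--vg-root on /mnt/blog type ext4 (ro,relatime)
/dev/mapper/blog--vg-var on /mnt/blog/var type ext4 (ro,relatime)
EOF
)

# Constructed "mount" output: /var was mounted read-write by mistake (bad case).
MOUNT_BAD=$(cat <<'EOF'
/dev/mapper/blog--vg-root on /mnt/blog type ext4 (ro,relatime)
/dev/mapper/blog--vg-var on /mnt/blog/var type ext4 (rw,relatime)
EOF
)

# Constructed Apache combined-format entries; the plugin path is hypothetical.
SAMPLE_LOG=$(cat <<'EOF'
::1 - - [19/Aug/2016:10:01:02 +0300] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.10 (internal dummy connection)"
10.0.0.15 - - [19/Aug/2016:10:02:11 +0300] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.15 - - [19/Aug/2016:10:03:20 +0300] "GET /wordpress/wp-login.php HTTP/1.1" 200 2744 "-" "Mozilla/5.0"
10.0.0.15 - - [19/Aug/2016:10:05:40 +0300] "POST /wordpress/wp-content/plugins/some-plugin/server/php/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.15 - - [19/Aug/2016:10:05:41 +0300] "GET /wordpress/wp-content/plugins/some-plugin/server/php/files/c99.php?act=ls HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
195.251.97.97 - - [19/Aug/2016:10:06:00 +0300] "GET /wordpress/wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/4.5"
10.0.0.20 - - [19/Aug/2016:10:07:30 +0300] "GET /wordpress/readme.html HTTP/1.1" 200 7244 "-" "curl/7.47.0"
EOF
)

# Part A step 7: read "mount" output on stdin; exit 0 only if every filesystem
# mounted under /mnt/blog carries the "ro" option, otherwise list the offenders.
check_ro_mounts() {
    awk -v root='/mnt/blog' '
        $2 == "on" && index($3, root) == 1 {
            opts = $6; gsub(/[()]/, "", opts)
            if (opts !~ /(^|,)ro(,|$)/) { print "RW mount: " $3; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Part B steps 9-10: unique client IPs with hit counts, most active first,
# excluding the server talking to itself over IPv4 or the IPv6 loopback.
# -F -x makes the exclusion an exact whole-line match, so the dots in the
# server IP are not treated as regex wildcards.
external_ips() {
    awk '{ print $1 }' \
      | grep -Fxv -e "$SERVER_IP" -e '::1' \
      | sort | uniq -c | sort -rn
}

# Part B step 11: distinct .php paths requested by one client, with the query
# string removed. Field 7 is the request path in combined-format logs.
php_paths_from() {
    awk -v ip="$1" '$1 == ip && $7 ~ /\.php([?]|$)/ { sub(/[?].*/, "", $7); print $7 }' \
      | sort -u
}

# Demonstration on the constructed data.
printf '%s\n' "$MOUNT_OK" | check_ro_mounts && echo "evidence mounts are read-only"
printf '%s\n' "$MOUNT_BAD" | check_ro_mounts || echo "evidence mounted read-write: stop and remount with -o ro"
printf '%s\n' "$SAMPLE_LOG" | external_ips
printf '%s\n' "$SAMPLE_LOG" | php_paths_from 10.0.0.15
```

In the lab, replace the constructed variables with the real commands: `mount | check_ro_mounts` after step 6, and `external_ips < /mnt/blog/var/log/apache2/access.log` or `php_paths_from 10.0.0.15 < access.log` for steps 10 and 11; the directory printed for c99.php is then appended to /mnt/blog/var/www/html to answer step 11.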