Overview
This writeup covers a comprehensive digital forensics and incident response (DFIR) investigation from the OffSec Gauntlet challenge. The scenario involves analyzing a phishing attack that led to credential harvesting, Azure compromise, and database exfiltration at NGO-Hub, a humanitarian organization.
Attack Summary
The adversary executed a sophisticated multi-stage attack:
- Initial Access: Phishing email with QR code attachment
- Credential Harvesting: Typosquatted Microsoft login page
- Cloud Access: Azure authentication bypass
- Persistence: Azure Cloud Shell access
- Lateral Movement: SSH to database server
- Data Exfiltration: MySQL database dump
Available Artifacts
The investigation provided the following evidence:
- Network packet captures
- Email messages (.eml files)
- Azure/Entra ID sign-in logs
- Chrome browser cache
- Windows Event Logs (EVTX)
- Cloud Shell session logs
Question-by-Question Analysis
Question 1: Which file was attached to the phishing email that started the compromise?
Methodology: Email Analysis
- Examine all .eml files for attachments
- Look for MIME headers indicating attachments
- Check for Content-Disposition: attachment headers
Solution:
# Examine email files for attachment headers
grep -n "Content-Disposition: attachment" *.eml
In the "Urgent Updated Access Required" email (timestamp 00:48:29), we find:
Content-Type: image/png;
name="ngo_update.png"
Content-Disposition: attachment; filename="ngo_update.png"
Answer: ngo_update.png
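The grep above finds the header; the following added example (written for this writeup, not part of the original challenge files) does the same triage with Python's standard email parser, which also handles nested multiparts and base64 decoding. The .eml text it parses is a constructed sample modelled on the phishing message (sender, recipient and date are made up); the filename and MIME type mirror the finding above. It also cross-checks the declared image/png type against the PNG file signature, since a phishing kit can label any payload as an image.

```python
"""List attachments in an .eml and cross-check their declared type (added example)."""
from email import message_from_string
from email.policy import default

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample .eml modelled on the "Urgent Updated Access Required" message.
# Addresses, date and body text are invented; the attachment is a 1x1 PNG.
SAMPLE_EML = """\
From: it-support@ngo-hub.example
To: staff@ngo-hub.example
Subject: Urgent Updated Access Required
Date: Mon, 01 Jan 2024 00:48:29 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please scan the attached QR code to update your access.

--BOUNDARY
Content-Type: image/png; name="ngo_update.png"
Content-Disposition: attachment; filename="ngo_update.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==

--BOUNDARY--
"""


def magic_matches(payload, content_type):
    """True/False when a signature check exists for the declared type, else None."""
    if content_type == "image/png":
        return payload.startswith(PNG_MAGIC)
    return None


def list_attachments(raw_eml):
    """Return one record per MIME part delivered with Content-Disposition: attachment."""
    msg = message_from_string(raw_eml, policy=default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded
        ctype = part.get_content_type()
        found.append({
            "filename": part.get_filename(),
            "content_type": ctype,
            "size": len(payload),
            "magic_ok": magic_matches(payload, ctype),
        })
    return found


def triage_email(raw_eml):
    """The fields an analyst checks first: subject, date and the attachment list."""
    msg = message_from_string(raw_eml, policy=default)
    return {
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "attachments": list_attachments(raw_eml),
    }


if __name__ == "__main__":
    summary = triage_email(SAMPLE_EML)
    print(summary["subject"], "|", summary["date"])
    for att in summary["attachments"]:
        print(f"  {att['filename']}  {att['content_type']}  {att['size']} bytes  "
              f"magic_ok={att['magic_ok']}")
```

Run it against a real evidence set by reading each .eml from disk and passing its text to triage_email; a magic_ok of False on an "image" attachment is a strong hint the part is not what its headers claim.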
Question 2: What was the entire URL associated with the phishing page?
Methodology: Network Traffic Analysis
- Analyze packet capture for HTTP requests
- Look for suspicious domains and URLs
- Examine browser Referer headers
Solution:
# Extract HTTP traffic from packet capture
strings network_capture.pcapng | grep -i "http\|GET\|POST\|Host:"
# Look for suspicious domains
strings network_capture.pcapng | grep -E "login|microsoft|azure"
Key findings in the packet capture:
Referer: http://login.mcrosoft.com/login.html
Host: login.mcrosoft.com
Notice the typosquatting: "mcrosoft.com" (missing 'i') instead of "microsoft.com"
Answer: http://login.mcrosoft.com/login.html
Question 3: What is likely the PHP attacker file name responsible for intercepting the credentials?
Methodology: Network Traffic Analysis
- Search for PHP file requests in packet capture
- Analyze POST requests to identify credential handlers
Solution:
# Look for PHP files in network traffic
strings network_capture.pcapng | grep -i "\.php"
Found POST requests to:
- /login.php - handles username submission
- /password.php - handles password submission
The credential interception flow:
- User submits username → POST to /login.php
- User submits password → POST to /password.php
Since login.php is the first point where credentials are intercepted and the attack flow is initiated:
Answer: login.php
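Questions 2 and 3 both come down to reading HTTP requests out of the capture: rebuilding the full URL from Host and path, spotting the typosquatted domain, and ordering the POST handlers. The added example below (written for this writeup, not part of the challenge material) does all three on a small set of constructed request strings shaped like what strings recovers from the pcap; the hosts and paths mirror the findings above, while the User-Agent, form field names and the LEGIT_DOMAINS allow-list are assumptions. The plain http:// scheme is taken from the capture. It goes slightly beyond the single case in the text by scoring any host against the allow-list with edit distance, so a one-letter typo like mcrosoft.com is flagged automatically rather than by eye.

```python
"""Triage HTTP requests recovered from a packet capture (added example)."""

# Constructed raw HTTP requests, roughly what `strings` recovers from the pcap.
# Not the real capture: hosts and paths follow the writeup, the rest is invented.
SAMPLE_REQUESTS = [
    "GET /login.html HTTP/1.1\r\nHost: login.mcrosoft.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "POST /login.php HTTP/1.1\r\nHost: login.mcrosoft.com\r\n"
    "Referer: http://login.mcrosoft.com/login.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "loginfmt=user%40ngo-hub.example",
    "POST /password.php HTTP/1.1\r\nHost: login.mcrosoft.com\r\n"
    "Referer: http://login.mcrosoft.com/login.html\r\n\r\n"
    "passwd=REDACTED",
    "GET /favicon.ico HTTP/1.1\r\nHost: login.microsoftonline.com\r\n\r\n",
]

# Assumed allow-list of brand domains a credential-phishing kit might imitate.
LEGIT_DOMAINS = ["microsoft.com", "microsoftonline.com", "office.com", "live.com"]


def parse_request(raw):
    """Split one raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def full_url(req, scheme="http"):
    """Rebuild the URL the browser requested; the capture shows plain HTTP."""
    return f"{scheme}://{req['headers'].get('host', '')}{req['path']}"


def levenshtein(a, b):
    """Edit distance; one missing letter (mcrosoft vs microsoft) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host (adequate for .com-style domains)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_brand(host, legit=LEGIT_DOMAINS, max_distance=2):
    """Legitimate domain the host imitates, or None if it is genuine or not a near miss."""
    reg = registered_domain(host)
    if reg in legit:
        return None
    best = min(legit, key=lambda d: levenshtein(reg, d))
    return best if levenshtein(reg, best) <= max_distance else None


def credential_handlers(reqs):
    """POST targets in order of first appearance; the first is where capture begins."""
    order = []
    for r in reqs:
        if r["method"] == "POST" and r["path"] not in order:
            order.append(r["path"])
    return order


def triage(raw_requests):
    """Suspicious hosts with the URLs requested on them, plus the POST handler chain."""
    reqs = [parse_request(r) for r in raw_requests]
    hosts = {}
    for r in reqs:
        host = r["headers"].get("host", "")
        brand = lookalike_brand(host)
        if brand:
            entry = hosts.setdefault(host, {"mimics": brand, "urls": []})
            entry["urls"].append(full_url(r))
    return {"suspicious_hosts": hosts, "post_handlers": credential_handlers(reqs)}


if __name__ == "__main__":
    result = triage(SAMPLE_REQUESTS)
    for host, info in result["suspicious_hosts"].items():
        print(f"{host} imitates {info['mimics']}: {', '.join(info['urls'])}")
    print("POST handlers in order:", " -> ".join(result["post_handlers"]))
```

The distance threshold is deliberately small: a real allow-list would also include the organisation's own domains, and anything within one or two edits of a brand but not on the list deserves a look, while exact matches are skipped so genuine Microsoft sign-in traffic is not flagged.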