Post

Brains

Brains

Brains

image.png

🔍 Initial Reconnaissance

💻 First, I navigated to the web interface:

image 1.png

image 2.png

image 3.png

image 4.png

image 5.png

image 6.png

image 7.png

image 8.png

image 9.png

image 10.png

1
source="/var/log/auth.log" useradd "new user”

🕵️ Analyzing the Logs

📌 For this step, I had to dig a bit deeper:

Screenshot_From_2026-05-22_12-26-33.png

Screenshot_From_2026-05-22_12-26-39.png

💡 I filtered using the same time the attack occurred:

image 11.png

⚡ It looks like datacollector is the one:

7/4/24
10:32:37.000 PM

image 12.png

image 13.png

1
source="/opt/teamcity/TeamCity/logs/teamcity-activities.log" "plugin”

🏁 Finding the Plugin Activity

🔌 I used the same method. I think the next string is also a search query, although I have never used Splunk before:

  
7/4/2410:08:31.921 PM[2024-07-04 22:08:31,921] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin “AyzzbuXY” was updated by “user with id=11” with comment “Plugin was uploaded to /home/ubuntu/.BuildServer/plugins/AyzzbuXY.zip”
This post is licensed under CC BY 4.0 by the author.