
OpenWire Blue Team Lab
Network Forensics Lab
1- To identify the IP I usually use the Statistics tab in Wireshark, and here we go


2- To identify the port of the infection, I look in the traffic for OpenWire from the malicious IP, so I can easily get it



3- Following the previous question, to find the name of the service I searched for the CVE, and here is the full name


4- Returning again to Statistics, and here is the second C2 server


5- In the packets I traced the Docker traffic, which is on the IP 128.199.52.72, and in the XML script I can see it is also Docker, BTW


6- Here we will look a little deeper into the script to find the Java class name, and here it is. Being flexible and focused will save you a lot of time, Homie


7- The CVE I found in the previous question helps us now in this question (:


8- To answer this question I read these articles about the CVE and identified the relevant arbitrary code
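Questions 5 and 6 come down to reading the bean class name out of the XML that the infected host fetched. As an added example that is not part of the original lab write-up, the Python below parses a constructed Spring-style bean file (the class names, ids and command placeholder are made up for illustration and are not taken from the capture) and reports any bean whose class is on a small watch list, which is the same check you would do by eye in Wireshark's packet bytes.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Spring bean definition file. Nothing in it
# comes from the lab capture; the command value is a deliberate placeholder.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>sh</value>
        <value>-c</value>
        <value>PLACEHOLDER_COMMAND</value>
      </list>
    </constructor-arg>
  </bean>
  <bean id="svc" class="com.example.app.ConfigLoader"/>
</beans>"""

# Default namespace declared on <beans>; ElementTree prefixes every tag with it.
NS = "{http://www.springframework.org/schema/beans}"

# Classes that have no business in a bean file pulled from an external host.
SUSPICIOUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}


def extract_beans(xml_text):
    """Return (bean id, class name, list of <value> strings) for every bean."""
    root = ET.fromstring(xml_text)
    beans = []
    for bean in root.iter(NS + "bean"):
        values = [v.text or "" for v in bean.iter(NS + "value")]
        beans.append((bean.get("id"), bean.get("class"), values))
    return beans


def flag_suspicious(xml_text):
    """Return the class names from the file that appear on the watch list."""
    return [cls for _, cls, _ in extract_beans(xml_text) if cls in SUSPICIOUS_CLASSES]


if __name__ == "__main__":
    for bean_id, cls, values in extract_beans(SAMPLE_XML):
        marker = "SUSPICIOUS" if cls in SUSPICIOUS_CLASSES else "ok"
        print(f"[{marker}] id={bean_id} class={cls} args={values}")
```

To run it against the real file, save the XML body from the HTTP response in Wireshark (File > Export Objects > HTTP) and pass its contents to extract_beans instead of SAMPLE_XML.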

