Skip to content

Exfiltrated Data

alxk edited this page Jun 28, 2018 · 3 revisions

Web UI

A Web UI for dref is currently under development. In the mean time the exfiltrated data can be viewed from the MongoDB database.

Using the MongoDB

SSH into the box running dref and list the running Docker containers:

root@dref:~# docker ps 
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                                                                                  NAMES
0544c5a454c6        node:9.11.1-alpine   "sh -c 'npm install …"   28 minutes ago      Up 28 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:8000->80/tcp, 0.0.0.0:8080->80/tcp, 0.0.0.0:8888->80/tcp   deploy_api_1
b3591d487367        node:9.11.1-alpine   "sh -c 'npm install …"   28 minutes ago      Up 28 minutes       0.0.0.0:53->53/udp                                                                     deploy_dns_1
6fbb5e0f1a67        node:9.11.1-alpine   "sh -c 'npm install …"   28 minutes ago      Up 28 minutes                                                                                              deploy_scripts_1
00bd2456a9b6        mongo:3.6.5-jessie   "docker-entrypoint.s…"   28 minutes ago      Up 28 minutes       27017/tcp                                                                              deploy_mongo_1

The MongoDB database is the last container in the output above. You can get an interactive MongoDB shell directly on the dref database with the following command:

$ docker exec -it $(docker ps | grep mongo | awk '{print $1}') mongo dref

From there you can list any exfiltrated data from the logs collection:

> db.logs.find()

Please refer to the MongoDB documentation for more information.

Clone this wiki locally