Marshall in the middle.

This challenge is from the Hack The Box Forensic challenge library. Again, if you’re looking to crib the flag from this write up, you’re going to be disappointed.

 

The scenario is that the SOC flagged some suspicious activity on one of the production servers. They can’t determine if any data was stolen, and passed it to you for investigation. Opening the zip file we’re presented with the PCAP, a folder named bro, a .pem file, and a file called secrets.log.

Inside the bro folder we find conn, dns, files, http, packet_filter, ssl and weird logs. Looking through them we find an interesting bit of info in the SSL and DNS logs.

DNS

pcap2

SSL

pcap3
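The Zeek (Bro) logs in the bro folder are tab-separated text with a #fields header naming the columns, which makes them easy to query without a GUI. The following is an added example, not code from the write-up or from the challenge: it parses that TSV layout and pulls together, for one host, the TLS server names (SNI) it connected to and the DNS lookups it made, which is the same correlation the SSL and DNS screenshots above give by eye. The log excerpts are constructed; 10.10.20.13 and 10.10.90.42 are the addresses named in the write-up, the hostnames and the 203.0.113.x addresses are invented.

```python
"""Summarise what one host did, from Zeek (Bro) ssl.log and dns.log.

Added example, not code from the write-up. The log excerpts below are
constructed to follow Zeek's TSV layout; 10.10.20.13 and 10.10.90.42 are
the addresses the write-up mentions, the hostnames are invented.
"""
from collections import defaultdict

# Constructed ssl.log excerpt, trimmed to the columns used below.
SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool
1530000001.100\tCAbc1\t10.10.20.13\t44321\t10.10.90.42\t443\tTLSv12\tpayroll.example.test\tT
1530000002.200\tCAbc2\t10.10.20.13\t44322\t10.10.90.42\t443\tTLSv12\t-\tT
1530000003.300\tCAbc3\t10.10.1.5\t50000\t203.0.113.10\t443\tTLSv12\tupdates.example.test\tT
#close\t2018-07-01-00-00-10
"""

# Constructed dns.log excerpt (the answers column is a comma-separated Zeek vector).
DNS_LOG = """#separator \\x09
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tqtype_name\tanswers
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tvector[string]
1530000000.500\tCDns1\t10.10.20.13\t5353\t10.10.1.1\t53\tpayroll.example.test\tA\t10.10.90.42
1530000000.900\tCDns2\t10.10.1.5\t5354\t10.10.1.1\t53\tupdates.example.test\tA\t203.0.113.10,203.0.113.11
1530000001.000\tCDns3\t10.10.20.13\t5355\t10.10.1.1\t53\t-\t-\t-
"""


def parse_zeek_tsv(text):
    """Yield one dict per record.

    Column names come from the #fields header; every other line starting
    with '#' is metadata and is skipped. Zeek writes '-' for an unset field
    and '(empty)' for an empty set; both are mapped to None here.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data record seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {k: (None if v in ("-", "(empty)") else v) for k, v in zip(fields, values)}


def host_activity(ssl_log, dns_log, host):
    """Return (tls, dns) for `host`:
    tls maps "resp_ip:port" -> set of SNI names seen ("<no SNI>" if absent),
    dns maps queried name -> set of answers returned."""
    tls = defaultdict(set)
    dns = defaultdict(set)
    for rec in parse_zeek_tsv(ssl_log):
        if rec["id.orig_h"] == host:
            dest = f'{rec["id.resp_h"]}:{rec["id.resp_p"]}'
            tls[dest].add(rec["server_name"] or "<no SNI>")
    for rec in parse_zeek_tsv(dns_log):
        if rec["id.orig_h"] == host and rec["query"]:
            answers = (rec["answers"] or "").split(",")
            dns[rec["query"]].update(a for a in answers if a)
    return dict(tls), dict(dns)


if __name__ == "__main__":
    tls, dns = host_activity(SSL_LOG, DNS_LOG, "10.10.20.13")
    for dest, names in tls.items():
        print(f"TLS to {dest}: {sorted(names)}")
    for name, answers in dns.items():
        print(f"DNS {name} -> {sorted(answers)}")
```

On a real bro folder, read each file and pass the text in; the #separator line of a real log spells the tab as the characters \x09, which the parser ignores along with the other metadata lines. Lookups with no SNI are kept as "<no SNI>" rather than dropped, since a TLS connection that sends no server name is itself worth a second look.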

Now we know the IP of the intruder, how they connected, and where they connected to. Spinning up Wireshark, we load the .pcap and start the hunt.

pcap1

 

From here we create a filter to isolate the IP address from the log:

ip.addr == 10.10.20.13

pcap7

Since we know a lot of the traffic was SSL/TLS encrypted, we need to see if we have the key. As stated earlier, we have a .pem file. We can recover the SSL key from the .pem file by following the instructions here.

pcap5

Apparently that didn’t work, so we need to see if the secrets.log will.

pcap8

Bingo. We can now read the encrypted traffic.

pcap9
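Why did secrets.log work where the .pem did not? A server's private key only lets Wireshark decrypt sessions that used RSA key exchange; when the session keys are agreed with (EC)DHE they never cross the wire and the private key is useless for decryption. A TLS key log (the NSS/SSLKEYLOGFILE format, which is what a secrets.log normally holds) instead records the per-session secrets, one line per session, keyed by the 32-byte Random from the ClientHello, and Wireshark matches lines to sessions on that value. The following added example, not code from the write-up, validates a key log and checks which ClientHellos in a capture it covers, so you know before clicking through the stream whether decryption can succeed. The key log lines, the ClientHello bytes and every hex value in it are constructed.

```python
"""Check a TLS key log (NSS / SSLKEYLOGFILE format) against ClientHellos.

Added example, not the challenge's secrets.log or code from the write-up.
All randoms and secrets below are constructed.
"""
import re

# <LABEL> <64 hex chars of ClientHello Random> <hex secret>
KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z_0-9]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)

RANDOM_A = bytes(range(32))        # constructed ClientHello Random
RANDOM_B = bytes(range(32, 64))    # constructed, for a TLS 1.3 style entry

SECRETS_LOG = f"""# constructed key log, not the challenge's secrets.log
CLIENT_RANDOM {RANDOM_A.hex()} {'ab' * 48}
CLIENT_RANDOM {'11' * 32} 22
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'cd' * 32}
this line is not a key log entry
"""

# Constructed TLS record carrying a minimal ClientHello with RANDOM_A.
CLIENT_HELLO = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2F])          # record header: handshake, 47 bytes
    + bytes([0x01, 0x00, 0x00, 0x2B])              # handshake header: ClientHello, 43 bytes
    + bytes([0x03, 0x03]) + RANDOM_A               # client_version TLS 1.2, then Random
    + bytes([0x00, 0x00, 0x02, 0xC0, 0x2F,         # empty session id, one cipher suite
             0x01, 0x00, 0x00, 0x00])              # null compression, no extensions
)


def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [(line_no, reason)]).

    TLS 1.2 and earlier log CLIENT_RANDOM with a 48-byte master secret;
    TLS 1.3 logs several per-direction traffic secrets, all keyed by the same
    client random. Comment lines start with '#'.
    """
    sessions, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            rejected.append((line_no, "malformed"))
            continue
        label, rnd, secret = m["label"], m["client_random"].lower(), m["secret"].lower()
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            rejected.append((line_no, "master secret must be 48 bytes"))
            continue
        sessions.setdefault(rnd, {})[label] = secret
    return sessions, rejected


def client_hello_random(record):
    """Extract the 32-byte Random from a raw TLS record holding a ClientHello.
    Layout: 5-byte record header, 4-byte handshake header, 2-byte version, Random."""
    if len(record) < 43 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43].hex()


def coverage(keylog_text, client_hellos):
    """Split ClientHello randoms into those the key log covers and those it does not."""
    sessions, rejected = parse_keylog(keylog_text)
    covered, missing = [], []
    for record in client_hellos:
        rnd = client_hello_random(record)
        (covered if rnd in sessions else missing).append(rnd)
    return covered, missing, rejected


if __name__ == "__main__":
    covered, missing, rejected = coverage(SECRETS_LOG, [CLIENT_HELLO])
    print("covered:", covered)
    print("missing:", missing)
    print("rejected lines:", rejected)
```

To use a key log from the command line rather than the GUI, tshark takes it as a preference: `-o tls.keylog_file:secrets.log` on Wireshark 3.x and later (`ssl.keylog_file` on the 2.x releases in use when this write-up was made). A session whose ClientHello random is not in the log stays encrypted no matter what else you do, which is what the "missing" list tells you.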

Hold on, what’s up with 10.10.90.42? We’ll right-click on the packet and select Follow > TCP Stream.

pcap11

INTERMISSION


 

Right. Stand up, get a drink, stretch, go to the bathroom. I’ll wait.

 

 

Ok, Back to it.

 

Interesting, it seems that this is the first indication that something’s afoot. Looks like the attacker cribbed /etc/passwd, and was able to make an API call to 10.10.20.13.

pcap6a

And it looks like they may have accessed credit card data.

pcap13

Since we know that there was a POST call made, let’s add that to the filter:

ip.addr == 10.10.20.13 && http.request.method == POST

pcap12

That narrows it down a bit, doesn’t it? Looks like the third packet has the data that was stolen. From here, right-click on the third packet, select Follow > HTTP Stream, and boom….

pcap14

pcap15
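Following the HTTP stream shows the request in the clear, but eyeballing a body for card numbers does not scale past one challenge. The following is an added example, not code from the write-up: it takes a raw HTTP request in the form Follow > HTTP Stream displays it, splits request line, headers and form body, and flags fields whose digit runs pass the Luhn check, masking each hit so the report itself does not carry the number. The request is constructed; the host and path are invented and the card numbers are the widely published test values (4111..., 3782...), not real accounts.

```python
"""Triage a captured HTTP POST for payment-card data.

Added example, not from the write-up. The request below is constructed:
host, path and form fields are invented, and the card numbers are
published test numbers that pass Luhn but belong to no real account.
"""
import re
from urllib.parse import parse_qs

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

BODY = ("order=20180701123456&name=J+Doe&card=4111+1111+1111+1111"
        "&backup=378282246310005&note=ref+1234567890123456")
POST_REQUEST = (
    "POST /api/v1/export HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "User-Agent: curl/7.58.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any product over 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, the usual PCI-style display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_card_numbers(text):
    """Return the digit strings in `text` that look like a PAN and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def triage_post(raw):
    """Report where a POST went and which form fields carried Luhn-valid numbers."""
    method, target, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    # Decode form bodies field by field; anything else is scanned as one blob.
    fields = parse_qs(body) if "x-www-form-urlencoded" in ctype else {"_raw": [body]}
    hits = {}
    for name, values in fields.items():
        for value in values:
            for pan in find_card_numbers(value):
                hits.setdefault(name, []).append(mask(pan))
    return {"method": method, "host": headers.get("host"), "target": target,
            "content_type": ctype, "card_fields": hits}


if __name__ == "__main__":
    for key, value in triage_post(POST_REQUEST).items():
        print(f"{key}: {value}")
```

The order number and the 16-digit reference in the note field are long digit runs too, but they fail Luhn and are left out, which is what keeps a check like this from drowning in timestamps and invoice ids. Luhn is a format test, not proof that a number is live, so a hit means "escalate and confirm", not "breach confirmed".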

In a real-world situation this would mean someone’s getting let go, at minimum. Also, the legal department now goes into overdrive to report the breach, contact customers, and remediate the issue.

Since this is an HTB challenge, you take the flag, submit it, and get the points.

 

This was a bit of a mind-bender for me, and I won’t lie, I scoured the HTB forum for hints. In the end, I learned a little more about Wireshark and PCAPs.

As Always,

ppsr44ur
