This challenge is from the Hack The Box Forensic challenge library. Again, if you’re looking to crib the flag from this write up, you’re going to be disappointed.
The scenario is that the SOC flagged some suspicious activity on one of the production servers. They can’t determine if any data was stolen, and passed it to you for investigation. Opening the zip file we’re presented with the PCAP, a folder named bro, a .pem file, and a file called secrets.log.
Inside the bro folder we find conn, dns, files, http, packet_filter, ssl and wierd logs. Looking through them we find an interesting bit of info in the SSL and DNS logs
Now we know the IP of the intruder, how they connected, and where they connected to. Spinning up wireshark we load the .pcap and star the hunt.
From here we create a filter to isolate the IP address from the log
ip.addr == 10.10.20.13
Since we know a lot of the traffic was SSL/TLS encrypted, we need to see if we have the key. As stated earlier we have a .pem file. We can recover the SSL key from the .PEM file by following the instructions here.
Apparently that didn’t work, so we need to see if the secrets.log will.
Bingo. We now can read the encrypted traffic.
Hold on, whats up with 10.10.90.42? We’ll right-click on the packet, select follow > TCP stream.
Right. Stand up, get a drink, stretch, go to the bathroom. I’ll wait.
Ok, Back to it.
Interesting, it seems that this is the first indication that something’s afoot. Looks like the attacker cribbed etc/passwd, and was able to make an API call to 10.10.20.13.
And it looks like they may have accessed credit card data.
Since we know that there was a POST call made, lets add that to the filter.
ip.addr == 10.10.20.13 && http.request.method == POST
That narrows it down a bit, doesn’t it? Looks like the third packet has the data that was stolen. From here, right click on the third packet, select follow > http and boom….
In a real world situation this would mean someone’s getting let go, at minimum. Also the legal department now goes into overdrive to report the breach, contact customers, and remediate the issue.
Since this is a HTB challenge, you take the flag, submit it, and get the points.
This was a bit of a mind-bender for me, and I won’t lie, I scoured the HTB forum for hints. In the end, I learned a little more about wireshark, and PCAPs.