This challenge provides us with a .zip that only contains a single MarketDump.pcapng file. The challenge description reads:
We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public internet. He managed to bypass our small product stocks logging platform and then he got our costumer database file. We believe that only one of our costumers was targeted. Can you find out who the customer was?Challenge Description
I opened up the .pcapng file in Wireshark, it has 2868 recorded packets. It appears the 10.0.2.15 IP appears to be the attacker in this case, and 10.0.2.3 must be the server that is running MySQL.
Packet Capture Overview:
- The first 2000 or so packets just seem to be back and forth TCP calls with no real evidence of compromise. There was a server greeting from MySQL.
- After the first 2000 packets, the activity changes and we can see packets for SSH, MySQL and HTTP light up.
- By Packet 2104 a PSQL request for NT LANMAN appears.
- Packet 2172 shows a TCP segment of
- Followed closely by a malformed DNS packet on 2181 that contains
krbtgtin the payload. It appears the attacker is attempting to send malformed packets to get a golden ticket or gain access to the machine.
- Packet 2202 is a GET request for
- Packet 2242 is an OPTIONS request to port 53 of 10.0.2.3
- Packet 2296 contains segment data of NSPlayer 22.214.171.124 which is a typical User-Agent for the Windows Media Player Browser
- Packet 2305 contains
- Packet 2314 contains
- Packet 2357 shows an nmap scripting engine GET request to
- Packet 2363 is a malformed packet containing
POST /sdkwith a
- Packet 2366 is another
POST /sdkwith a similar body
- Packets 2368 & 2370 are an initial Telnet connection that seems to go nowhere.
- Packet 2372, 2375, 2380 are a 400 Bad Requests
- Packet 2401, 10.0.2.15 reaches out to 10.0.2.3 with a
GET /HNAP1with a Nmap Scripting Engine User-Agent
- Followed by several more Bad requests at 2404, 2408, 2410
- Packet 2413 returns a 404 Not found on 10.0.2.3 for
- Packet 2415 returns a 404 Not found on 10.0.2.3 for
- Packet 2419 is a 200 OK which returns a HTML oage with #DataNET in the title
- Packet 2434
GET /evox/aboutfrom 10.0.2.15 to 10.0.2.3 (Bad Request)
- Packet 2452 checks /HNAP again (a vulnerability that can allow RCE), but it returns 404
- These last few packets appear to be NMAP doing a scan to check for vulnerabilities
- Packet 2482, 2484: 10.0.2.15 tries to log in to telnet on 10.0.2.3 but fails
- Packet 2459-2514 are ICMP ping packets
- Packet 2518 a HTTP request coming from User-Agent curl/7.60.0
- Packet 2526, DNS request for
A acidwhich returns
- Packets 2531 – 2539, user tries to login to Telnet as admin:admin and fails
- Packet 2545, another DNS request for
A acidwhcih returns
- Packets 2555-2559, user tries to login to Telnet as admin:admin and SUCCEEDS.
- Packet 2563-2579: Telnet command ran to view stock/inventory
- Packet 2578, user logs back into telnet and immediately runs the stock command again
Welcome, admin Here is you're daily stock report! PRODUCT PRICE STOCK SHIRTS 20$ 50 JEANS 40$ 99 WALLETS 15$ 19 SOCKS 10$ 100 Type exit to exit the program:
- Packet 2631, Telnet command ran
nc.traditional -lvp 9999 -e /bin/bash
- Packet 2633, reverse shell started and activity begins contact 10.0.2.3:9999
- This is tcp.stream eq 1056
From here, I followed the TCP stream and the attacker:
ls -lato find two files: costumers.sql and login.sh
pwdto find they were in
whoamito find they were
wc -l costumers.qlfor the wordcount of 10302
- Copied the sql file to
/tmpand exfiltrated it via a Python web server on port 9998
cat costumers.sqlto get an output of Credit Card Numbers
- One of the customers has a card number that contains letters instead of just numbers, this is our compromised customer
- The user then removed the costumers.sql file from /tmp and ran
Through trial and error, I found the unusual string from the database was base58 encoded. Decoding it from an online web tool nets us the flag.