I haven’t logged into Hack the Box in a while, but when I did today I noticed they had a new section called “Sherlocks”.
“Engage in thrilling investigative challenges that test your defensive security skills. With Sherlocks you will be asked to dive into the aftermath of a targeted cyber attack and unravel the dynamics behind them, based on the knowledge provided. Ready to start the investigation?”
I started with the first easy one, Meerkat.
EDIT: I did this back in November of 2023 when Meerkat was still active. It is now retired, and you can only access retired challenges with a HTB subscription.
“Sherlock Scenario: As a fast growing startup, Forela have been utilising a business management platform. Unfortunately our documentation is scarce and our administrators aren’t the most security aware. As our new security provider we’d like you to take a look at some PCAP and log data we have exported to confirm if we have (or have not) been compromised.”
Question 1: We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?
You get two files to explore:
I looked through the pcap for a bit and found a reference to “Bonita”, a business process management (BPM) platform:
It’s actually referred to as Bonitasoft in one of the alerts:
Bonitasoft
Question 2: We believe the attacker may have used a subset of the brute forcing attack category — what is the name of the attack carried out?
It seems like the attacker already had a list of usernames and passwords to try out, so I went with Credential Stuffing.
Credential stuffing is simply taking a list of username/password pairs leaked from one breach and trying them against another service to see whether anyone on that list reused the same credentials. This recently happened with 23andMe.
Credential Stuffing
Question 3: Does the vulnerability exploited have a CVE assigned — and if so, which one?
Yes, in the logs we can see that CVE-2022-25237 has been identified:
CVE-2022-25237
Question 4: Which string was appended to the API URL path to bypass the authorization filter by the attacker’s exploit?
If you read the CVE details from the NVD, you can see the exploit uses the string “i18ntranslation”.
Here you can see where the attacker first used the appended URL:
i18ntranslation
Question 5: How many combinations of usernames and passwords were used in the credential stuffing attack?
For this one I filtered by POST request in Wireshark (http.request.method == "POST") and just tabbed through and counted them.
56
Question 6: Which username and password combination was successful?
Seb Broom was the one that eventually worked. That was the last one on the list when I filtered by POST request. When you right-click and follow the stream you can see additional actions performed under this user’s profile, such as reading the entire /etc/passwd file.
seb.broom@forela.co.uk:g0vernm3nt
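An added example (my own, not from the challenge files or the HTB author) that applies the checks behind questions 4 to 6 to constructed request-log lines instead of to the PCAP: it counts login POSTs and distinct username/password pairs, picks out the pair that received a success response, and flags API paths carrying the authorization-bypass string. The login endpoint, the log line format and the "2xx means success" rule are assumptions.

```python
import re

# Assumed Bonita login endpoint, and the bypass string named in the CVE details.
LOGIN_PATH = "/bonita/loginservice"
BYPASS_MARKER = "i18ntranslation"

# Constructed sample lines, not traffic from the challenge PCAP. One request per line:
#   <src_ip> <method> <path> <status> [user=<u> pass=<p>]
SAMPLE_LOG = """\
10.10.1.9 POST /bonita/loginservice 401 user=alice@forela.co.uk pass=Password1
10.10.1.9 POST /bonita/loginservice 401 user=bob@forela.co.uk pass=Summer2023
10.10.1.9 POST /bonita/loginservice 401 user=alice@forela.co.uk pass=Password1
10.10.1.9 POST /bonita/loginservice 204 user=seb.broom@forela.co.uk pass=g0vernm3nt
10.10.1.9 GET /bonita/API/system/session;i18ntranslation 200
10.10.1.9 POST /bonita/API/pageUpload;i18ntranslation 200
10.10.1.9 GET /bonita/API/system/session 401
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+) pass=(?P<pw>\S+))?$"
)


def parse_line(line):
    """Return the fields of one request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Summarise login attempts and authorization-bypass requests in the log."""
    attempts = []      # every credentialed POST to the login endpoint, in order
    successes = []     # (user, password) pairs answered with a 2xx status
    bypass_hits = []   # request paths carrying the bypass marker
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["user"]:
            pair = (rec["user"], rec["pw"])
            attempts.append(pair)
            if rec["status"].startswith("2"):
                successes.append(pair)
        if BYPASS_MARKER in rec["path"]:
            bypass_hits.append(rec["path"])
    # Total attempts counts repeats; unique_pairs is the size of the credential list tried.
    return {"total_attempts": len(attempts), "unique_pairs": len(set(attempts)),
            "successes": successes, "bypass_hits": bypass_hits}
```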
Question 7: If any, which text sharing site did the attacker utilise?
A few of the seb.broom packets show that they used pastes.io. I found this in packet 3618.
pastes.io
Question 8: Please provide the file hash of the script used by the attacker to gain persistent access to our host.
I saved this to my computer and then calculated the hash:
0dc54416c346584539aa985e9d69a98e
Question 9: Please provide the file hash of the public key used by the attacker to gain persistence on our host.
When I viewed the first pastes.io link, I followed the other link in the script and found some SSH keys:
I copied and pasted it into CyberChef and used the MD5 recipe:
dbb906628855a433d70025b6692c05e7
Question 10: Can you confirm the file modified by the attacker to gain persistence?
That was the file referenced in the pastes.io link.
/home/ubuntu/.ssh/authorized_keys
Question 11: Can you confirm the MITRE technique ID of this type of persistence mechanism?
For this last question I just looked through the MITRE website and found the account manipulation sub-technique for SSH keys:
T1098.004