Post

Meerkat

Posted
Preview Image
By Heland
views 2 min read
Meerkat

CHALLENGE DESCRIPTION

As a fast-growing startup, Forela has been utilising a business management platform. Unfortunately, our documentation is scarce, and our administrators aren’t the most security aware. As our new security provider we’d like you to have a look at some PCAP and log data we have exported to confirm if we have (or have not) been compromised.

SOLUTION

We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

We can upload our JSON file on CyberChef and use JSON beautify. Search for CVE

We can answer both task 1 and task 3

Answer Bonitasoft

We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?

Luckily, I read through all tasks and found the answer at task 5.

Answer credential stuffing

Does the vulnerability exploited have a CVE assigned - and if so, which one?

Search for CVE

Answer CVE-2022-25237

Which string was appended to the API URL path to bypass the authorization filter by the attacker’s exploit?

Search CVE we have found on Google, read the description and we can find the API URL.

Answer i18ntranslation

How many combinations of usernames and passwords were used in the credential stuffing attack?

http.request.method == "POST" && frame.len != 105 && frame.len < 200 && !json

  • When attackers login, they will use method POST, so we need to filter http.request.method == "POST"

  • We just need to see combinations of username and password, so the length of info is around 100 - 200; While analyze, we will see that some of the packets have the same username and password (install:install), so we need to filter out frame length 105, and no json.

Answer 56

Which username and password combination was successful?

Filter http.request.method == "GET", scroll down and we will see packet’s info execute command whoami, right click on packet and follow.

Answer seb.broom@forela.co.uk:g0vernm3nt

If any, which text sharing site did the attacker utilise?

Filter http.request.method == "GET", we will see packet with command wget

Answer pastes.io

Please provide the filename of the public key used by the attacker to gain persistence on our host.

Copy the link and paste into URL, we will get the filename.

Answer hffgra4unv

Can you confirm the file modified by the attacker to gain persistence?

Get the answer from above.

Answer /home/ubuntu/.ssh/authorized_keys

Can you confirm the MITRE technique ID of this type of persistence mechanism?

Search the path above on Google with keyword MITRE ATTK and we will get the answer.

Answer T1098.004
HTB-sherlock, SOC, easy
CTF writeup wireshark json