Origins

CHALLENGE DESCRIPTION

A major incident has recently occurred at Forela. Approximately 20 GB of data were stolen from internal s3 buckets and the attackers are now extorting Forela. During the root cause analysis, an FTP server was suspected to be the source of the attack. It was found that this server was also compromised and some data was stolen, leading to further compromises throughout the environment. You are provided with a minimal PCAP file. Your goal is to find evidence of brute force and data exfiltration.

SOLUTION

What is the attacker’s IP address?

Apply the ftp display filter; one unusual external IP address stands out, repeatedly sending password attempts to the server.

Answer 15.206.185.207

It’s critical to get more knowledge about the attackers, even if it’s low fidelity. Using the geolocation data of the IP address used by the attackers, what city do they belong to?

Search Google for an IP lookup service and paste the IP address into it; the geolocation result gives the city.

Answer Mumbai

Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)

Follow the attacker's TCP stream (right-click the packet and choose Follow); the server's 220 banner shows the FTP daemon and its version.

Answer vsFTPd 3.0.5

The attacker has started a brute force attack on the server. When did this attack start?

Filter for FTP again and the attacker's password-guessing attempts are visible. To read the timestamp of the first attempt in UTC, go to View > Time Display Format > UTC Date and Time of Day.

Answer 2024-05-03 04:12:54

What are the correct credentials that gave the attacker access? (Format username:password)

Look in the Info column for the "Login successful" response and follow that stream; the USER and PASS commands just before it hold the working credentials.

Answer forela-ftp:ftprocks69$

The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?

Answer RETR
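The last three questions (start of the brute force, the accepted credentials, and the RETR downloads) can all be answered from the FTP control channel in one pass. The following is an added example, not part of the original writeup: it runs the same checks over constructed sample records in the shape a tshark export of the ftp filter gives (the server, attacker and client addresses, passwords and filenames are all made up for illustration).

```python
from collections import defaultdict
# Constructed FTP control-channel records (timestamp, src, dst, payload), the
# shape a tshark "ftp" export gives; sample data, not the challenge PCAP.
SERVER = "10.10.10.5"                       # constructed backup-server address
ATTACKER = "203.0.113.9"                    # constructed, RFC 5737 test range
SAMPLE = [
    ("2024-05-03 04:12:54", ATTACKER, SERVER, "USER forela-ftp"),
    ("2024-05-03 04:12:54", ATTACKER, SERVER, "PASS 123456"),
    ("2024-05-03 04:12:54", SERVER, ATTACKER, "530 Login incorrect."),
    ("2024-05-03 04:12:55", ATTACKER, SERVER, "USER forela-ftp"),
    ("2024-05-03 04:12:55", ATTACKER, SERVER, "PASS password"),
    ("2024-05-03 04:12:55", SERVER, ATTACKER, "530 Login incorrect."),
    ("2024-05-03 04:12:56", ATTACKER, SERVER, "USER forela-ftp"),
    ("2024-05-03 04:12:56", ATTACKER, SERVER, "PASS letmein"),
    ("2024-05-03 04:12:56", SERVER, ATTACKER, "530 Login incorrect."),
    ("2024-05-03 04:13:01", ATTACKER, SERVER, "USER forela-ftp"),
    ("2024-05-03 04:13:01", ATTACKER, SERVER, "PASS s3cret!"),
    ("2024-05-03 04:13:01", SERVER, ATTACKER, "230 Login successful."),
    ("2024-05-03 04:13:20", ATTACKER, SERVER, "RETR backup.pdf"),
    ("2024-05-03 04:13:25", ATTACKER, SERVER, "RETR s3-buckets.txt"),
    ("2024-05-03 04:15:00", "192.168.1.20", SERVER, "USER alice"),
    ("2024-05-03 04:15:00", "192.168.1.20", SERVER, "PASS alicepw"),
    ("2024-05-03 04:15:01", SERVER, "192.168.1.20", "230 Login successful."),
]

def analyse_ftp(records, server, threshold=3):
    """Return (brute, accepted, retrieved): brute-force sources as
    {client: (failed logins, first attempt time)}, credentials the server
    accepted as (client, user, password), and files pulled with RETR."""
    pending = {}                   # client -> (user, password, time of PASS)
    failures = defaultdict(list)   # client -> times of attempts answered 530
    accepted, retrieved = [], []
    for ts, src, dst, payload in records:
        verb, _, arg = payload.partition(" ")
        if dst == server:          # command from a client to the server
            if verb == "USER":
                pending[src] = (arg, None, ts)
            elif verb == "PASS":
                user = pending.get(src, (None, None, ts))[0]
                pending[src] = (user, arg, ts)
            elif verb == "RETR":   # file download = possible exfiltration
                retrieved.append((src, arg))
        elif dst in pending:       # numeric reply to that client's last attempt
            if verb == "530":      # vsFTPd: "530 Login incorrect."
                failures[dst].append(pending[dst][2])
            elif verb == "230":    # vsFTPd: "230 Login successful."
                accepted.append((dst,) + pending[dst][:2])
    brute = {c: (len(t), min(t)) for c, t in failures.items() if len(t) >= threshold}
    return brute, accepted, retrieved
```

On a real capture, export the same four fields with tshark's -T fields output for the ftp filter and feed the rows to analyse_ftp; the first failed attempt time is the brute-force start, and the accepted tuple for the brute-forcing client is the working username:password.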

Attackers were able to compromise the credentials of a backup SSH server. What is the password for this SSH server?

Hint: go to File > Export Objects > FTP-DATA to recover the files transferred over the data channel.

Open the exported PDF file; it contains the SSH password.

Answer B@ckup2024!

What is the s3 bucket URL for the data archive from 2023?

Look at the content of the exported .txt file.

Answer https://2023-coldstorage.s3.amazonaws.com

The scope of the incident is huge as Forela’s s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?

Answer archivebackups@forela.co.uk