Hack the Box - MarketDump Challenge - Walkthrough

Introduction

Today we're going to do a CTF challenge walkthrough of the MarketDump challenge hosted at https://app.hackthebox.eu/challenges/66. For this walkthrough, we'll be using a Kali Linux virtual machine as our attacking system. The challenge's description is as follows:

CHALLENGE DESCRIPTION

We have been informed that a hacker managed to get into our internal network after pivoting through the web platform that runs on the public internet. He managed to bypass our small product stocks logging platform and then he got our costumer database file. We believe that only one of our costumers was targeted. Can you find out who the customer was?

Initial Information and Clues

The downloaded file that accompanies this challenge is a file named MarketDump.zip, which is password protected (password = hackthebox). After unzipping the file, we find that the file in question is called MarketDump.pcapng, which we can analyze using Wireshark.

But before we open the file in Wireshark, we should review our information and figure out what kind of information we're looking for:

The challenge description states that the hacker got in through the web platform that faces the public internet, so HTTP traffic is where we should look first. The description also references a "costumer" (sp?) database file, so we're on the lookout for filenames in the traffic that contain the string "costumer", or file extensions like ".db" or ".sql".

With that in mind, we start up Wireshark:

start Wireshark
File -> Open -> MarketDump.pcapng



From here, we'll filter to HTTP packets by typing http into the display filter bar:


And then we'll attempt to find any string that contains “costumer”:

Ctrl+F to open the search bar
search string “costumer”


This looks like a pretty good place to start. We'll follow this packet's TCP stream:

Right-click on the packet -> Follow -> TCP Stream



It looks like we're on the right track. We should note the number of this stream, in case we need to reference it later.
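The three Wireshark steps above (display filter, Ctrl+F string search, Follow TCP Stream) can also be reproduced without the GUI. The Python below is an added example, not code from the original write-up: it reads a legacy .pcap (Wireshark can save a pcapng as .pcap via File -> Save As), groups TCP segments into conversations numbered the way Wireshark's tcp.stream column numbers them, and reports which HTTP conversations contain a given string. The capture it reads is constructed inline (the hosts, ports and the costumers.sql request are made up for the demo); it is not the challenge's MarketDump.pcapng.

```python
"""Added example: reassemble TCP conversations from a legacy pcap and search them for a string."""
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian legacy pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero because nothing below verifies them."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a legacy libpcap container (what Wireshark writes when saving as .pcap)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_frames(pcap):
    """Yield the captured bytes of every record; only the little-endian legacy format is handled."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian legacy pcap (convert pcapng first)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport, payload


def follow_streams(pcap):
    """Group segments into conversations numbered like Wireshark's tcp.stream (order of first sighting).
    Payloads are joined in capture order, which equals Follow TCP Stream for an in-order capture;
    a real reassembler would also honour sequence numbers and retransmissions."""
    streams = OrderedDict()
    for frame in iter_frames(pcap):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, sport, dst, dport, payload = seg
        key = frozenset([(src, sport), (dst, dport)])         # same key for both directions
        streams.setdefault(key, bytearray()).extend(payload)
    return [bytes(data) for data in streams.values()]


def is_http(stream):
    """Crude stand-in for the 'http' display filter: conversation opens with a request or status line."""
    return stream.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/"))


def search_streams(pcap, needle, http_only=True):
    """Stream numbers whose reassembled data contains needle (the display filter plus Ctrl+F string search)."""
    return [i for i, s in enumerate(follow_streams(pcap))
            if (not http_only or is_http(s)) and needle in s]


# Constructed sample capture: one ordinary page fetch, one non-HTTP conversation,
# and one fetch of a file whose name contains the string we are hunting for.
CLIENT, SHOP = "10.0.0.5", "10.0.0.20"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SHOP, 40001, 80, b"GET / HTTP/1.1\r\nHost: shop\r\n\r\n"),
    build_frame(SHOP, CLIENT, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n<html>stock</html>"),
    build_frame(CLIENT, SHOP, 40002, 22, b"SSH-2.0-example\r\n"),
    build_frame(CLIENT, SHOP, 40003, 80, b"GET /costumers.sql HTTP/1.1\r\nHost: shop\r\n\r\n"),
    build_frame(SHOP, CLIENT, 80, 40003, b"HTTP/1.1 200 OK\r\n\r\nid,name\r\n1,example\r\n"),
])

if __name__ == "__main__":
    for n in search_streams(SAMPLE_PCAP, b"costumer"):
        print(f"tcp.stream eq {n}:\n{follow_streams(SAMPLE_PCAP)[n].decode(errors='replace')}")
```

Joining payloads in capture order is enough for a small, in-order capture, but a real conversation with retransmissions or out-of-order segments needs sequence-number reassembly; on the actual MarketDump.pcapng the equivalent command-line step is tshark's follow statistic (-z follow,tcp,ascii,N, where N is the stream number noted above).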

If we scroll through the data in this window, eventually we find this:


This looks like it could be encoded or encrypted. We paste it into CyberChef and run its Magic operation, which tries common encodings and reports which one produces readable output:

https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=TlZDaWpGN242cGVNN2E3eUxZUFpyUGdIbVdVSGk5N0xDQXpYeFNFVXJhS21l


It turns out the string was encoded with Base58 (an encoding rather than encryption, so no key is needed to reverse it), and our flag is this:

HTB{DonTRuNAsRoOt!MESsEdUpMarket}
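The CyberChef step above, written out in Python as an added example (not code from the write-up and not CyberChef's own implementation): the token is checked against the hex, Base58 and Base64 alphabets, which is how Magic first narrows its candidates, each plausible decoder is tried in turn, and the first output that has the HTB{...} flag shape wins. The token is the one pre-filled in the CyberChef link above; the alphabet checks and the flag-shape test are this example's own heuristics.

```python
"""Added example: identify the token's encoding the way CyberChef's Magic narrows candidates, then decode it."""
import base64
import string

BASE58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"   # no 0, O, I, l
BASE64_ALPHABET = (string.ascii_letters + string.digits + "+/=").encode()
HEX_ALPHABET = b"0123456789abcdefABCDEF"

# The token pre-filled in the CyberChef link from the write-up.
CAPTURED_TOKEN = "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme"


def candidate_encodings(token):
    """Which alphabets can accept the token at all; length rules cut the list further."""
    data = token.encode()
    checks = {
        "hex": all(c in HEX_ALPHABET for c in data) and len(data) % 2 == 0,
        "base58": all(c in BASE58_ALPHABET for c in data),
        "base64": all(c in BASE64_ALPHABET for c in data) and len(data) % 4 == 0,
    }
    return [name for name, ok in checks.items() if ok]


def b58decode(token):
    """Treat the token as a base-58 number and emit it big-endian; each leading '1' is a leading zero byte."""
    data = token.encode()
    n = 0
    for c in data:
        n = n * 58 + BASE58_ALPHABET.index(c)        # ValueError on a character outside the alphabet
    leading_zeros = len(data) - len(data.lstrip(b"1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def b58encode(raw):
    """Inverse of b58decode, used to confirm that a decoding round-trips."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return (b"1" * leading_zeros + bytes(reversed(digits))).decode()


def looks_like_flag(raw):
    """Hack The Box flag shape: printable ASCII wrapped in HTB{...}."""
    return (raw.startswith(b"HTB{") and raw.endswith(b"}")
            and all(0x20 <= b < 0x7F for b in raw))


DECODERS = {"hex": bytes.fromhex, "base58": b58decode, "base64": base64.b64decode}


def recover_flag(token):
    """Try every plausible decoder in turn; return (encoding, flag) for the first output shaped like a flag."""
    for name in candidate_encodings(token):
        try:
            raw = DECODERS[name](token)
        except ValueError:                           # binascii.Error is a ValueError subclass
            continue
        if looks_like_flag(raw):
            return name, raw.decode("ascii")
    return None


if __name__ == "__main__":
    print(candidate_encodings(CAPTURED_TOKEN), recover_flag(CAPTURED_TOKEN))
```

The alphabet test alone is what rules Base64 out for this token (its length is not a multiple of four) and leaves Base58 as the only candidate; Magic goes further and scores each candidate's output for readability, and the flag-shape check plays that role here. Because Base58 is only an encoding, anyone holding the captured bytes can reverse it, which is why the data was never actually protected in transit.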

Extra Credit

If we want to find out the full extent of the commands the hacker ran while inside the system, we can go back to our original TCP stream (1059) and then back up a few entries to stream 1056, where the hacker gains initial access to the web host:


Summary

The challenge requires us to search through a pcap file in order to identify which customer's data was stolen. Within Wireshark, we filtered out non-HTTP traffic, then searched for packets containing the "costumer" string, leading us to a TCP stream which included an encoded string. Using a web service (CyberChef), we decoded the string and received our flag.
