HTB Sherlock - Knock Knock Writeup
Sherlock Scenario
A critical Forela Dev server was targeted by a threat group. The Dev server was accidentally left open to the internet, which it was not supposed to be. The senior dev Abdullah told the IT team that the server was fully hardened, and it's still difficult to comprehend how the attack took place and how the attacker got access in the first place. Forela recently started its business expansion in Pakistan, and Abdullah was the one in charge of all infrastructure deployment and management. The Security Team needs to contain and remediate the threat as soon as possible, as any more damage can be devastating for the company, especially at the crucial stage of expanding into another region. Thankfully, a packet capture tool was running in the subnet, which was set up a few months ago. A packet capture is provided to you from around the time of the incident (with a 1-2 day margin), because we don't know exactly when the attacker gained access. As our forensics analyst, you have been provided the packet capture to assess how the attacker gained access. Warning: this Sherlock will require an element of OSINT to complete fully.
Artefacts
To solve the task, we received a file named Capture.pcap, which is a network traffic capture. The file covers one day, 2 hours, 40 minutes and 12 seconds of traffic, from 2023-03-20 15:37:35 to 2023-03-21 18:17:48, and contains 293,921 packets (Fig. 1).

To determine which hosts are involved, I first looked for the IP addresses that exchanged the most traffic, using Wireshark's Statistics -> Conversations window. Two addresses stood out: 3.109.209.43 and 172.31.39.46 exchanged 134,231 packets between them, far more than any other pair (Fig. 2).

After filtering the capture down to these two addresses, I started reviewing from the end of the file and noticed FTP traffic between them. From that exchange it follows that 3.109.209.43 is the client (i.e., the attacker) and 172.31.39.46 is the server (Fig. 3). The server address also lies in the private 172.16.0.0/12 range, which is consistent with it sitting inside the Forela subnet where the capture was taken.
Solution
Task 1
Which ports did the attacker find open during their enumeration phase?
Reviewing the traffic further, I noticed that right after the attacker's ICMP echo requests there is a scan of ports 21, 22, 80, 443, 3306, 6379 and 8086. For 21, 22, 3306, 6379 and 8086 the server answers the attacker's SYN with SYN/ACK, i.e. the port is open and the handshake can proceed, as described in a previous article on the resolution of Aptnightmare; no such reply comes back for 80 and 443 (Fig. 4). A quick way to list the open ports is to filter on packets from the server that have both the SYN and ACK flags set and read off their source ports.
Answer: 21,22,3306,6379,8086
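As an added illustration of the reasoning above (this is not code from the original writeup), the following Python turns per-packet TCP flag records into the same open/closed/filtered verdict. The packet list is constructed to mimic Fig. 4 rather than extracted from Capture.pcap; the RST reply for port 80 and the missing reply for 443 are illustrative, since the capture only tells us those two were not open. The same five fields (ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags) can be exported from tshark to feed real data in.

```python
# Added example: reconstruct SYN-scan verdicts from TCP flag records.
# Not part of the original writeup. PACKETS is constructed to mimic Fig. 4
# (attacker 3.109.209.43 probing 172.31.39.46); it is not from Capture.pcap.

SYN, RST, ACK = 0x02, 0x04, 0x10
ATTACKER, SERVER = "3.109.209.43", "172.31.39.46"

# (src, dst, sport, dport, tcp.flags) in capture order. The RST on 80 and the
# missing reply on 443 are illustrative: the capture only shows those two as
# not open, not how they answered.
PACKETS = [
    (ATTACKER, SERVER, 40001, 21,   SYN),
    (SERVER, ATTACKER, 21,   40001, SYN | ACK),
    (ATTACKER, SERVER, 40001, 21,   RST),
    (ATTACKER, SERVER, 40002, 22,   SYN),
    (SERVER, ATTACKER, 22,   40002, SYN | ACK),
    (ATTACKER, SERVER, 40002, 22,   RST),
    (ATTACKER, SERVER, 40003, 80,   SYN),
    (SERVER, ATTACKER, 80,   40003, RST | ACK),
    (ATTACKER, SERVER, 40004, 443,  SYN),            # no reply at all
    (ATTACKER, SERVER, 40005, 3306, SYN),
    (SERVER, ATTACKER, 3306, 40005, SYN | ACK),
    (ATTACKER, SERVER, 40005, 3306, RST),
    (ATTACKER, SERVER, 40006, 6379, SYN),
    (SERVER, ATTACKER, 6379, 40006, SYN | ACK),
    (ATTACKER, SERVER, 40006, 6379, RST),
    (ATTACKER, SERVER, 40007, 8086, SYN),
    (SERVER, ATTACKER, 8086, 40007, SYN | ACK),
    (ATTACKER, SERVER, 40007, 8086, RST),
]


def classify_scan(packets, scanner, target):
    """Return {"open": [...], "closed": [...], "filtered": [...]}.

    A probe is a bare SYN (SYN set, ACK clear) from scanner to target. The
    target's reply on the mirrored 4-tuple decides the verdict: SYN/ACK means
    open, RST means closed, and no reply leaves the probe as filtered (nmap's
    vocabulary). The scanner's own RST that tears down a half-open connection
    is ignored, so a SYN scan and a connect scan give the same result here.
    """
    verdict = {}  # (scanner port, target port) -> state
    for src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target and flags & SYN and not flags & ACK:
            verdict.setdefault((sport, dport), "filtered")
        elif src == target and dst == scanner:
            key = (dport, sport)  # a reply mirrors the probe's ports
            if key not in verdict:
                continue  # not a reply to a probe we saw
            if flags & SYN and flags & ACK:
                verdict[key] = "open"
            elif flags & RST:
                verdict[key] = "closed"

    # A retransmitted probe can be seen twice; keep the strongest verdict per port.
    rank = {"filtered": 0, "closed": 1, "open": 2}
    best = {}
    for (_, dport), state in verdict.items():
        best[dport] = max(best.get(dport, state), state, key=rank.__getitem__)

    result = {"open": [], "closed": [], "filtered": []}
    for dport, state in sorted(best.items()):
        result[state].append(dport)
    return result


if __name__ == "__main__":
    print(classify_scan(PACKETS, ATTACKER, SERVER))
```

Note that "filtered" only means no reply was seen in the capture window; a probe answered after the capture ended, or dropped by a firewall, looks identical from the pcap alone.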
Task 2
What's the UTC time when the attacker started their attack against the server?
I went back to the beginning of the communication between the attacker and the server and selected the first packet, which is timestamped 21/03/2023 10:42:23 (Fig. 5). Make sure Wireshark is displaying UTC (View -> Time Display Format -> UTC Date and Time of Day) rather than local time, otherwise the answer will be shifted by your timezone offset.
Answer: 21/03/2023 10:42:23
Task 3
What's the MITRE Technique ID of the technique the attacker used to get initial access?
After filtering the traffic on TCP port 21, it can be seen that the attacker works through a list of predefined usernames during the login attempts (Fig. 6), which suggests that such a list was obtained from somewhere beforehand. In addition, the same few similar password variants are tried against each of these accounts (Fig. 7). Trying a small set of passwords across many accounts, rather than many passwords against a single account, is what MITRE describes as Brute Force: Password Spraying, identifier T1110.003 (many passwords against one account would be Password Guessing, T1110.001).
Answer: T1110.003
Task 4
What is the valid set of credentials used to get the initial foothold?
Reviewing the traffic on port 21, I found two 230 Login successful responses from the server. In both cases, Follow TCP Stream on that packet reveals the credentials. In Fig. 8 I present the second one, because only that stream gives access to the attacker's entire session after logging into the FTP server (Fig. 9).
Answer: tony.shephard:Summer2023!
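The two steps above, recognising the spray pattern (Task 3) and pulling the successful login out of the control channel (Task 4), as an added Python example that is not part of the original writeup. The FTP lines are constructed to mimic Figs. 6-8 (a few password variants across several accounts, one success, including a retry on a single control connection); they are not extracted from Capture.pcap, and the dev01/dev02/dev04 usernames are placeholders. Each record is (tcp.stream, direction, line), the same three things Wireshark shows with the filter ftp.request || ftp.response.

```python
# Added example: extract USER/PASS attempts and their outcome from FTP
# control-channel lines, then decide whether the pattern is spraying or
# single-account guessing. Not part of the original writeup. FTP_LINES is
# constructed (placeholder usernames dev01/dev02/dev04); it is not from
# Capture.pcap. Direction ">" is client->server, "<" is server->client.
from collections import Counter

FTP_LINES = [
    (1, "<", "220 FTP server ready."),
    (1, ">", "USER dev01"),
    (2, "<", "220 FTP server ready."),
    (1, "<", "331 Please specify the password."),
    (1, ">", "PASS Summer2023!"),
    (2, ">", "USER dev02"),
    (1, "<", "530 Login incorrect."),
    (2, "<", "331 Please specify the password."),
    (1, ">", "USER dev01"),                 # retry on the same control connection
    (2, ">", "PASS Summer2023!"),
    (1, "<", "331 Please specify the password."),
    (2, "<", "530 Login incorrect."),
    (1, ">", "PASS Winter2023!"),
    (1, "<", "530 Login incorrect."),
    (3, ">", "USER tony.shephard"),
    (3, "<", "331 Please specify the password."),
    (3, ">", "PASS Summer2023!"),
    (3, "<", "230 Login successful."),
    (4, ">", "USER dev04"),
    (4, "<", "331 Please specify the password."),
    (4, ">", "PASS Summer2023!"),
    (4, "<", "530 Login incorrect."),
]


def parse_ftp_auth(lines):
    """Return [(stream, user, password, success)] for each completed PASS.

    Streams are tracked independently so interleaved sessions do not get
    mixed up, and several USER/PASS rounds on one control connection (the
    server allows retries after a 530) are all captured. A 230 reply to PASS
    is a success, any 5xx reply is a failure; the 220 banner and 331 prompt
    are ignored.
    """
    pending = {}  # stream -> partial attempt
    attempts = []
    for stream, direction, line in lines:
        state = pending.setdefault(stream, {})
        if direction == ">":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                state.clear()
                state["user"] = arg
            elif cmd == "PASS":
                state["pass"] = arg
            continue
        code = line[:3]
        if "pass" not in state or not code.isdigit():
            continue
        if code == "230":
            attempts.append((stream, state.get("user"), state["pass"], True))
            state.clear()
        elif code.startswith("5"):
            attempts.append((stream, state.get("user"), state["pass"], False))
            state.clear()
    return attempts


def classify_attempts(attempts, min_users=3):
    """Summarise the attempts and pick the MITRE sub-technique.

    Heuristic, not a standard: several accounts tried with fewer distinct
    passwords than accounts is password spraying (T1110.003); one account
    with many passwords is password guessing (T1110.001).
    """
    users = {u for _, u, _, _ in attempts}
    passwords = {p for _, _, p, _ in attempts}
    if len(users) >= min_users and len(passwords) < len(users):
        technique = "T1110.003"
    elif len(users) == 1 and len(passwords) > 1:
        technique = "T1110.001"
    else:
        technique = "T1110"
    return {
        "users": len(users),
        "passwords": len(passwords),
        "failures_per_user": Counter(u for _, u, _, ok in attempts if not ok),
        "valid": [f"{u}:{p}" for _, u, p, ok in attempts if ok],
        "technique": technique,
    }


if __name__ == "__main__":
    for key, value in classify_attempts(parse_ftp_auth(FTP_LINES)).items():
        print(f"{key}: {value}")
```

On a real capture the 530 and 230 replies are what to count: a burst of 530s from many distinct USER values followed by a single 230 is the spray, and the stream carrying the 230 is the one worth following end to end, as Fig. 9 shows.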
Task 5
What is the Malicious IP address utilized by the attacker for initial access?
I obtained the answer to this question during the initial analysis of the Capture.pcap file, where I identified the attacker's IP address as 3.109.209.43.
Answer: 3.109.209.43
Task 6
What is the name of the file which contained some config data and credentials?
In the communication, I found that the attacker downloaded two files from the FTP server: .backup and fetch.sh (Fig. 10). After exporting them with File -> Export Objects -> FTP-DATA and checking their contents, I concluded that both contain sensitive data. In fetch.sh a connection to the database is established and a SELECT query is executed, which looks like a regular data retrieval or a health check. The .backup file, on the other hand, is a configuration file; after a short search I identified it as a knockd configuration, which is easy to recognise by its [section] headers with sequence and command keys.
Answer: .backup
Task 7
Which port was the critical service running?
From the configuration file .backup, the iptables command in the knock section contains a redirection to port 24456 (Fig. 12), so that is where the critical service is reachable once the knock succeeds.
Answer: 24456
Task 8
What's the name of the technique used to get to that critical service?
I found the answer while identifying the configuration file .backup (Fig. 12): knockd implements port knocking, where a client must send connection attempts to a fixed sequence of closed ports, in order and within a timeout, before the daemon runs a command (here the iptables rule) that exposes the real service.
Answer: Port Knocking
Task 9
Which ports were required to interact with to reach the critical service?
From the sequence entry of the configuration file .backup (Fig. 14).
Answer: 29999,45087,50234
Task 10
What's the UTC time when interaction with the ports from the previous question ended?
Checking the timestamp of the last packet the attacker sent to each of these ports, the latest of them is 21/03/2023 10:58:50 (Fig. 15).
Answer: 21/03/2023 10:58:50
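Tasks 7 to 10 all come down to reading the knockd configuration and matching the attacker's SYNs against it, so here is one added Python example covering both steps; it is not code from the original writeup or from knockd. The config text is a reconstruction modelled on the writeup's description of .backup: the sequence 29999,45087,50234 and the port 24456 come from the tasks above, while the exact iptables command line (a NAT REDIRECT of port 21 to 24456), the seq_timeout of 5 seconds and the section name are assumptions. The SYN timestamps are constructed, not from Capture.pcap, and the matcher is a simplification of knockd's logic, not its code.

```python
# Added example: parse a knockd-style config and replay a knock sequence.
# Not part of the original writeup. KNOCKD_CONF is a reconstruction based on
# the description of .backup (sequence 29999,45087,50234, iptables rule
# redirecting to 24456); the command line, seq_timeout and section name are
# assumptions. SYN_EVENTS are constructed, not extracted from Capture.pcap.
import re
from datetime import datetime, timezone

KNOCKD_CONF = """\
[options]
    logfile = /var/log/knockd.log

[openCritical]
    sequence    = 29999,45087,50234
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -t nat -A PREROUTING -s %IP% -p tcp --dport 21 -j REDIRECT --to-port 24456
"""


def parse_knockd(text):
    """Return {section: {key: value}} for a knockd.conf-style file.

    The sequence is split into a list of ints (a "7000:udp" entry keeps only
    the port) and any --dport / --to-port(s) values are pulled out of the
    command under "ports_in_command", so the protected port is visible
    without reading iptables syntax.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or junk
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    for section in sections.values():
        if "sequence" in section:
            section["sequence"] = [int(p.split(":")[0]) for p in section["sequence"].split(",")]
        if "command" in section:
            section["ports_in_command"] = {
                opt: int(port)
                for opt, port in re.findall(r"--(dport|to-ports?)[ =](\d+)", section["command"])
            }
    return sections


def utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed SYNs from one source: (timestamp, destination port). The first
# attempt hits the wrong second port, the second one times out, the third
# completes the sequence.
SYN_EVENTS = [
    (utc("2023-03-21 10:58:30"), 29999),
    (utc("2023-03-21 10:58:31"), 50234),   # wrong port: attempt discarded
    (utc("2023-03-21 10:58:40"), 29999),
    (utc("2023-03-21 10:58:47"), 29999),   # 7 s later: previous attempt timed out, fresh start
    (utc("2023-03-21 10:58:48"), 45087),
    (utc("2023-03-21 10:58:50"), 50234),   # sequence complete: command would fire
]


def knock_completed(syn_events, sequence, seq_timeout):
    """Simplified knockd matcher for a single source address.

    Returns the timestamp of the SYN that completed the sequence, else None.
    Knocks must hit the ports in order, the whole sequence must finish within
    seq_timeout seconds of the first knock, and a knock to the wrong port
    discards the attempt. Simplification (assumption, not knockd's code): a
    wrong-port knock that is the first port of the sequence restarts it.
    """
    stage, started = 0, None
    for ts, port in syn_events:
        if started is not None and (ts - started).total_seconds() > seq_timeout:
            stage, started = 0, None  # too slow: forget the attempt
        if port == sequence[stage]:
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(sequence):
                return ts
        else:
            stage, started = 0, None
            if port == sequence[0]:
                stage, started = 1, ts
    return None


if __name__ == "__main__":
    conf = parse_knockd(KNOCKD_CONF)["openCritical"]
    print("knock sequence:", conf["sequence"])
    print("ports in command:", conf["ports_in_command"])
    print("completed at:", knock_completed(SYN_EVENTS, conf["sequence"], int(conf["seq_timeout"])))
```

The timestamp the matcher returns is exactly what Task 10 asks for: the last knock is the moment the firewall rule is installed, so the first connection to the critical service should appear in the capture shortly after it.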
Task 11
What is the set of valid credentials for the critical service?
Analysing the pcap, I found communication between the attacker and the server on port 24456. The packet contents showed FTP commands and replies (Fig. 16), so I used Wireshark's Analyze -> Decode As... to dissect TCP port 24456 as FTP, which makes the view much clearer (Fig. 17). Follow TCP Stream then gives the whole session, including the username and password used to log in successfully to the critical service (Fig. 18).
Answer: abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad
Task 12
At what UTC time did the attacker get access to the critical server?
After selecting the packet in which the server tells the client that the login succeeded, I obtained the answer to the question (Fig. 19).
Answer: 21/03/2023 11:00:01
Task 13
What's the AWS AccountID and password for the developer "Abdullah"?
Reviewing the attacker's session, several more files were downloaded over FTP (Fig. 20). In File -> Export Objects -> FTP-DATA, new files appeared alongside the earlier .backup and fetch.sh (Fig. 21). Since the list had grown only slightly, I exported all of them. The answer is in the .archived.sql file, a dump of the MySQL database (Fig. 22).
Answer: 391629733297:yiobkod0986Y[adij@IKBDS
Task 14
What's the deadline for hiring developers for Forela?
Reviewing the exported files, I found the answer in the Tasks to get Done.docx file (Fig. 23).
Answer: 30/08/2023
Task 15
When was the CEO of Forela scheduled to arrive in Pakistan?
Reviewing the exported files, I found the answer in the reminder.txt file (Fig. 24).
Answer: 08/03/2023
Task 16
The attacker was able to perform directory traversal and escape the chroot jail. This allowed the attacker to roam around the filesystem just like a normal user would. What's the username of an account other than root having /bin/bash set as default shell?
Reviewing the exported files, I found the answer in the passwd file (Fig. 25): look for a non-root line whose last (shell) field is /bin/bash.
Answer: cyberjunkie
Task 17
What's the full path of the file which led to SSH access of the server by the attacker?
Analysing the FTP communication, I noticed that the attacker navigates the filesystem with the CWD command and moves to the /opt/reminders directory, then downloads the .reminder file from there (Fig. 26).
Answer: /opt/reminders/.reminder
Task 18
What's the SSH password which the attacker used to access the server and get full access?
The contents of the .reminder file indicate that the attacker found a password in a Git repository (Fig. 27). A brief search in the pcap did not yield any results: I found no communication that could suggest the attacker interacted with a Git server from this host. The task description provided the clue that some tasks would require a bit of OSINT. The first thing that came to mind was GitHub, so I entered the query site:github.com Forela into Google, which returned a link to the Forela Finance repository (Fig. 28). As expected from the note, the latest version of the file no longer contains the password, because it had been removed (Fig. 27). Git history keeps what was removed, though: selecting the second commit, the password appears in the diff (Fig. 29).
Answer: YHUIhnollouhdnoamjndlyvbl398782bapd
Task 19
What's the full URL from where the attacker downloaded the ransomware?
The task description indicates that the attacker downloaded the ransomware as a file. I first checked whether it shows up among the exportable objects: File -> Export Objects -> HTTP, with the Content Type filter set to application/zip (Fig. 31, arrow 1). To my satisfaction, only one file appeared on the list, Ransomware2_server.zip (Fig. 31, arrow 2). Selecting it jumps to the packet in Wireshark where the ZIP transfer begins (Fig. 31, arrow 3). Follow TCP Stream then shows the request used to download the file (Fig. 32); the full URL is the Host header combined with the request path.
Answer: http://13.233.179.35/PKCampaign/Targets/Forela/Ransomware2_Server.zip
Task 20
What's the tool/utility name and version which the attacker used to download the ransomware?
From the previous task, the User-Agent header is visible in the followed stream (Fig. 32). Note that this header is client-supplied and trivially spoofable, so it is an indicator of the tool used, not proof.
Answer: Wget/1.21.2
Task 21
What's the ransomware name?
After exporting the ZIP file during task 19, I unpacked it and found the answer in the src directory. The name immediately caught my attention as it is a play on another once-popular ransomware that is still the subject of many articles, WannaCry (Fig. 33).
Answer: GonnaCry