HackTheBox: MarketDump

We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs on the public internet. He managed to bypass our small product stocks logging platform and then he got our customer database file. We believe that only one of our customers was targeted. Can you find out who the customer was?

Information

Challenge: MarketDump

Category:
Forensics

Difficulty:
Easy

Files:
– MarketDump.zip 231 KB
– MarketDump.pcapng 944 KB

Environment: Remnux VM

My Recommendations

Download it from HackTheBox and verify the archive with:

sha256sum /path/to/MarketDump.zip

SHA256SUM: d0ed5b6cc06bcb191fc0d83195542f7c1276835b1d8e2c5508e907ba740b64f6

Walkthrough

1. Traffic Analysis

First, we can check out the Protocol Hierarchy to get an overall idea of the traffic:

Besides HTTP, an SQL protocol was also recorded. Under File > Export Objects > HTTP we can see that a ‘customer.sql’ database file was transferred:

We can save it to our working directory for now and quickly check it with strings:

				
					strings costumers.sql 
				
			

The data is in the format IssuingNetwork,CardNumber:

All the card numbers start with 3, so we can look for outliers by dropping every line whose number starts with 3:

				
					strings costumers.sql | sed '/American Express,3/d'
				
			

and here’s the outlier!

The value looks like base64, but decoding it as base64 yields nothing meaningful. Since it contains none of the base64 special characters (‘+’, ‘/’ or ‘=’), it could also be a base58 string. Decoding it as base58 gives the flag!
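The two steps above, filtering the outlier row and then trying base64 before base58, as an added Python example (not part of the original write-up): it carries a small base58 codec, generalises the filter to any row whose card-number field is not purely numeric, and runs over constructed sample rows rather than the challenge's real file.

```python
import base64
import binascii

# Base58 alphabet (Bitcoin variant): no 0, O, I, l and no '+', '/' or '='.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    """Decode base58; raises ValueError if a character is outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def find_outliers(lines):
    """Return (network, value) rows whose card-number field is not purely digits."""
    rows = [ln.rsplit(",", 1) for ln in lines if "," in ln]
    return [(net, val.strip()) for net, val in rows if not val.strip().isdigit()]


def guess_decode(token: str):
    """Try base64, then base58; return (scheme, text) for the first printable result."""
    for scheme, decoder in (("base64", lambda t: base64.b64decode(t, validate=True)),
                            ("base58", b58decode)):
        try:
            raw = decoder(token)
        except (ValueError, binascii.Error):
            continue  # token is not valid in this encoding
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return scheme, raw.decode("ascii")
    return None


# Constructed sample rows in the IssuingNetwork,CardNumber layout; the last
# row's "number" is a base58-encoded placeholder, not the challenge's value.
SAMPLE_ROWS = [
    "American Express,371449635398431",
    "American Express,378282246310005",
    "American Express," + b58encode(b"HTB{constructed_sample_flag}"),
]

if __name__ == "__main__":
    for network, value in find_outliers(SAMPLE_ROWS):
        print(network, value, "->", guess_decode(value))
```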

Flag: HTB{DonTRuNAsRoOt!MESsEdUpMarket}
