HackTheBox: Marshal in the Middle

The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?

Information

Challenge: Marshal in the Middle

Category:
Forensics

Difficulty:
Easy

Files: 'Marshal in the Middle.zip' (28 MB), containing:
- bro/ (288K)
- bundle.pem (5.2 KB)
- chalcap.pcapng (29 MB)
- secrets.log (465 KB)

Environment: Remnux VM

My Recommendations

Download it from hackthebox and verify the archive before extracting it. The published checksum is a SHA-256 digest (64 hex characters), so use sha256sum, not sha1sum:

sha256sum /path/to/'Marshal in the Middle.zip'

Expected SHA256: cdf53bab266ab4b8a28b943516bc064e9f966dae0a33503648694e15cb50ae2b

Walkthrough

1. Traffic Analysis

We are provided with a bundle.pem file and a secrets.log file. Together they let Wireshark decrypt the TLS traffic in the capture, so the first step is to load them so that the decrypted streams are visible. In Wireshark, select Edit > Preferences > RSA Keys and add bundle.pem. Then, still in Preferences, go to Protocols > TLS and set (Pre)-Master-Secret log filename to secrets.log. The key log is the important one: an RSA private key only decrypts sessions that used RSA key exchange, while sessions negotiated with (EC)DHE have forward secrecy and can only be decrypted from the logged CLIENT_RANDOM secrets.

Next, we can look at the bro (Zeek) logs. The last record of ssl.log shows a connection with the server name pastebin.com, which is suspicious coming from a production web server:
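Scrolling an ssl.log by hand works for a 288K directory, but the same check scales better as a script. The following is an added example, not code from the original write-up: it parses Zeek's TSV log format using the #fields header, counts the SNI values seen, and flags connections to paste and file-drop services. The embedded log lines are constructed for the demo, and the list of suspicious domains is an illustrative assumption, not a complete one; on the challenge files you would feed it the contents of bro/ssl.log.

```python
"""Triage a Zeek/Bro ssl.log for TLS connections to paste/file-drop services."""
from collections import Counter
import re

# Constructed sample in Zeek TSV format (NOT the challenge's real ssl.log).
# Header lines start with '#'; '-' marks an unset field (no SNI on Cabc2).
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\testablished
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tbool
1600000001.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tupdates.example.com\tT
1600000002.2\tCabc2\t10.0.0.5\t51001\t93.184.216.34\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\t-\tT
1600000003.3\tCabc3\t10.0.0.5\t51002\t104.20.209.21\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tpastebin.com\tT
"""

# Illustrative watch-list (assumption): domains commonly used to drop stolen data.
PASTE_SITES = re.compile(
    r"(^|\.)(pastebin\.com|paste\.ee|hastebin\.com|transfer\.sh|file\.io)$"
)


def parse_zeek_log(text):
    """Yield one dict per record, naming columns from the '#fields' header."""
    fields = None
    unset = "-"
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            key, _, value = raw.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = raw.split("\t")
        # Unset fields become None so callers can tell "no SNI" from a real name.
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def sni_counts(records):
    """Count how often each server_name (SNI) appears; None -> '(no SNI)'."""
    return Counter(r.get("server_name") or "(no SNI)" for r in records)


def flag_sni(records, pattern=PASTE_SITES):
    """Return (ts, uid, orig_h, resp_h, sni) for connections matching the watch-list."""
    hits = []
    for r in records:
        sni = r.get("server_name")
        if sni and pattern.search(sni.lower()):
            hits.append((r["ts"], r["uid"], r["id.orig_h"], r["id.resp_h"], sni))
    return hits


def triage(text):
    """Parse an ssl.log body and return SNI counts plus watch-list hits."""
    records = list(parse_zeek_log(text))
    return {"counts": sni_counts(records), "hits": flag_sni(records)}


if __name__ == "__main__":
    # For the challenge: triage(open("bro/ssl.log").read())
    result = triage(SAMPLE_SSL_LOG)
    for name, n in result["counts"].most_common():
        print(f"{n:4d}  {name}")
    for ts, uid, src, dst, sni in result["hits"]:
        print(f"SUSPICIOUS {uid} {src} -> {dst} ({sni}) at {ts}")
```

The uid of a flagged record is what you carry back into the pcap: Zeek's conn.log ties it to the exact 4-tuple, so you can filter Wireshark down to that one TLS stream instead of paging through 29 MB of traffic.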

In the decrypted PCAP, we can see an HTTP POST to the pastebin.com API whose body contains credit card information:

Right-click that frame and use Follow > TLS Stream, and the flag is shown in plain sight in the POST body:

Flag: HTB{Th15_15_4_F3nD3r_Rh0d35_M0m3NT!!}

Discover more from forensicskween
