Hack The Box - Sherlocks\Origins

Sherlocks are defensive investigatory scenarios within Hack The Box's Dedicated Labs, designed to enhance digital forensics and incident response (DFIR) capabilities, provide a deeper understanding of security tools and technologies, improve the ability to prioritize during real investigations and build proficiency in technical analysis. This writeup is for Origins (DFIR, very easy), aimed at familiarizing the reader with network capture analysis.

Sherlock Information

Scenario

Forela-Security had a major incident wherein 20GB of data were exfiltrated from internal s3 buckets, with the attackers extorting Forela as a consequence of the incident. During root cause analysis, an FTP server is suspected to be the source of the attack, with the attacker further utilizing the host to pivot and exfiltrate data.

Artifacts
  • Logjammer/Ftp.pcap

Initial Review and Inference

Artifact Review and Research

A PCAP (Packet Capture) file is a data capture file that contains recorded network traffic data. These files store detailed information about network communications, including full packet contents, timestamps, source and destination addresses, protocols used, and other metadata. PCAP files are created by packet capture tools like Wireshark, tcpdump, or other network monitoring software.

Common tools for analyzing PCAP files include:
  • Wireshark: GUI-based tool with extensive protocol analysis capabilities
  • tcpdump: command-line tool for capturing and analyzing network traffic
  • tshark: command-line version of Wireshark
  • NetworkMiner: tool focused on forensic analysis of PCAP files

Tasks
Task 1: What is the attacker’s IP address?

Pivoting off of the command tshark -r ftp.pcap -T fields -e frame.time -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg -e ftp.response.code -e ftp.response.arg | grep -E "USER|PASS|530|230|331" | grep -v "^$", we observe two IP addresses, 172.31.45.144 and 15.206.185.207. Further analyzing the results, we can infer that 15.206.185.207 is the attacker IP, as it makes multiple USER and PASS attempts with the server (172.31.45.144) responding with code 530 (login failed) multiple times. The rows below that carry neither a command nor a response code are packets whose timestamp happens to contain the digit sequence 331, 530 or 230; grepping the whole line matches those too, which a display filter (-Y) on the FTP fields would avoid.

Tshark ftp traffic analysis
May  3, 2024 04:12:54.323331000 UTC     15.206.185.207  172.31.45.144
May  3, 2024 04:12:54.654978000 UTC     15.206.185.207  172.31.45.144   USER    admin
May  3, 2024 04:12:54.655031000 UTC     15.206.185.207  172.31.45.144   USER    admin
May  3, 2024 04:12:54.655031000 UTC     15.206.185.207  172.31.45.144   USER    admin
May  3, 2024 04:12:54.655066000 UTC     15.206.185.207  172.31.45.144   USER    admin
May  3, 2024 04:12:54.655125000 UTC     15.206.185.207  172.31.45.144   USER    admin
May  3, 2024 04:12:54.655179000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655215000 UTC     15.206.185.207  172.31.45.144   USER    backup 
May  3, 2024 04:12:54.655233000 UTC     15.206.185.207  172.31.45.144   USER    svcaccount
May  3, 2024 04:12:54.655253000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655287000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655324000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655352000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655380000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.655413000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    ftpuser
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    backup 
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    backup 
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    svcaccount
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    backup 
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    backup 
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    svcaccount
May  3, 2024 04:12:54.660157000 UTC     15.206.185.207  172.31.45.144   USER    svcaccount
May  3, 2024 04:12:54.660227000 UTC     15.206.185.207  172.31.45.144   USER    svcaccount
May  3, 2024 04:12:54.660273000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660319000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660359000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660398000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660432000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660470000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660506000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660542000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.660581000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:54.761216000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:12:54.761217000 UTC     15.206.185.207  172.31.45.144   PASS    alonzo.spire!rocks
May  3, 2024 04:12:54.761217000 UTC     15.206.185.207  172.31.45.144   PASS    69696969
May  3, 2024 04:12:54.761254000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:12:54.761306000 UTC     15.206.185.207  172.31.45.144   PASS    password
May  3, 2024 04:12:54.761349000 UTC     15.206.185.207  172.31.45.144   PASS    password123
May  3, 2024 04:12:54.761388000 UTC     15.206.185.207  172.31.45.144   PASS    alonzo.spire!rocks
May  3, 2024 04:12:54.761469000 UTC     15.206.185.207  172.31.45.144   PASS    alonzo.spire!rocks
May  3, 2024 04:12:54.761511000 UTC     15.206.185.207  172.31.45.144   PASS    password
May  3, 2024 04:12:54.761555000 UTC     15.206.185.207  172.31.45.144   PASS    password
May  3, 2024 04:12:54.761597000 UTC     15.206.185.207  172.31.45.144   PASS    password123
May  3, 2024 04:12:54.761646000 UTC     15.206.185.207  172.31.45.144   PASS    69696969
May  3, 2024 04:12:54.761716000 UTC     15.206.185.207  172.31.45.144   PASS    password
May  3, 2024 04:12:54.761763000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:12:54.761803000 UTC     15.206.185.207  172.31.45.144   PASS    password123
May  3, 2024 04:12:54.761853000 UTC     15.206.185.207  172.31.45.144   PASS    69696969
May  3, 2024 04:12:54.804153000 UTC     172.31.45.144   15.206.185.207
May  3, 2024 04:12:55.761680000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:55.763930000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:55.764317000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:55.764439000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:55.766412000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:55.863165000 UTC     15.206.185.207  172.31.45.144   USER    ftpuser
May  3, 2024 04:12:55.863223000 UTC     172.31.45.144   15.206.185.207
May  3, 2024 04:12:55.863299000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:55.873319000 UTC     15.206.185.207  172.31.45.144   USER    ftpuser
May  3, 2024 04:12:55.873346000 UTC     15.206.185.207  172.31.45.144   USER    ftpuser
May  3, 2024 04:12:55.873353000 UTC     172.31.45.144   15.206.185.207
May  3, 2024 04:12:55.873436000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:55.873475000 UTC     15.206.185.207  172.31.45.144   USER    ftpuser
May  3, 2024 04:12:55.873487000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:55.873524000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:55.873558000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:12:55.873593000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:55.964470000 UTC     15.206.185.207  172.31.45.144   PASS    password123
May  3, 2024 04:12:55.981191000 UTC     15.206.185.207  172.31.45.144   PASS    alonzo.spire!rocks
May  3, 2024 04:12:55.981209000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:12:55.981215000 UTC     15.206.185.207  172.31.45.144   PASS    69696969
May  3, 2024 04:12:55.981271000 UTC     15.206.185.207  172.31.45.144   PASS    password
May  3, 2024 04:12:57.434927000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.435113000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.435352000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.435571000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.435812000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.436008000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.436530000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.436744000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.436995000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.437131000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.440534000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:57.536447000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:12:57.536551000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:57.546546000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:12:57.546546000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:12:57.546603000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:12:57.546643000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:57.546689000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:57.546719000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:12:57.547323000 UTC     15.206.185.207  172.31.45.144
May  3, 2024 04:12:57.548331000 UTC     15.206.185.207  172.31.45.144
May  3, 2024 04:12:57.553017000 UTC     15.206.185.207  172.31.45.144
May  3, 2024 04:12:57.637623000 UTC     15.206.185.207  172.31.45.144   PASS    password123
May  3, 2024 04:12:57.648700000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:12:57.649561000 UTC     15.206.185.207  172.31.45.144   PASS    69696969
May  3, 2024 04:12:57.650193000 UTC     15.206.185.207  172.31.45.144   PASS    alonzo.spire!rocks
May  3, 2024 04:12:57.827131000 UTC     172.31.45.144   15.206.185.207                  230     Login successful.
May  3, 2024 04:12:58.415791000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:58.443625000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:58.443836000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:58.444049000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:12:58.485224000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:13:01.198827000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:13:01.214237000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:13:01.214457000 UTC     172.31.45.144   15.206.185.207                  530     Login incorrect.
May  3, 2024 04:14:06.106253000 UTC     15.206.185.207  172.31.45.144
May  3, 2024 04:14:10.092755000 UTC     15.206.185.207  172.31.45.144   USER    forela-ftp
May  3, 2024 04:14:10.092876000 UTC     172.31.45.144   15.206.185.207                  331     Please specify the password.
May  3, 2024 04:14:15.028853000 UTC     172.31.45.144   169.254.169.123
May  3, 2024 04:14:15.554506000 UTC     15.206.185.207  172.31.45.144   PASS    ftprocks69$
May  3, 2024 04:14:15.603267000 UTC     172.31.45.144   15.206.185.207                  230     Login successful.
May  3, 2024 04:14:30.973131000 UTC     172.31.45.144   15.206.185.207                  229     Entering Extended Passive Mode (|||23530|)
May  3, 2024 04:14:31.213319000 UTC     169.254.169.123 172.31.45.144
May  3, 2024 04:14:47.123020000 UTC     206.168.34.58   172.31.45.144
May  3, 2024 04:14:47.123045000 UTC     172.31.45.144   206.168.34.58
May  3, 2024 04:14:47.345305000 UTC     169.254.169.123 172.31.45.144

Task 2: Using the geolocation data of the IP address used by the attackers, what city do they belong to?

Using OSINT (primarily IPinfo), we observe that the source IP belongs to AS16509 - Amazon.com, Inc. (India division) and is hosted in Mumbai, Maharashtra, India.

Task 3: Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)

To find the FTP application name and version, we can look at the initial banner message or the SYST command response. Reviewing response code 220 (service ready banner), SYST command requests and response code 215 (system information response) through tshark -r ftp.pcap -Y "ftp.response.code==220 || ftp.request.command==SYST || ftp.response.code==215" -T fields -e ftp.response.arg, we observe vsFTPd 3.0.5.

Task 4: The attacker has started a brute force attack on the server. When did this attack start?

To see only the FTP traffic generated by the attacker, we can pivot off of the attacker source IP and the USER request command. Executing tshark -r ftp.pcap -Y "ip.src == 15.206.185.207 and ftp.request.command==USER" -T fields -e frame.time -e ftp.request.command -e ftp.request.arg | head -n 1, we observe May 3, 2024 04:12:54.654978000 UTC USER admin, corresponding to the first brute-force attempt from the attacker source IP.

Task 5: What are the correct credentials that gave the attacker access?

To identify the successful login credentials, we can look for a successful authentication (code 230) and the preceding USER/PASS commands. Pivoting off of tshark -r ftp.pcap -Y "ftp.response.code==230 || ftp.request.command==USER || ftp.request.command==PASS" -T fields -e frame.time -e ip.src -e ftp.request.command -e ftp.request.arg -e ftp.response.code -e ftp.response.arg | grep -B2 "230", we observe forela-ftp as the argument of the USER command and ftprocks69$ as the argument of the PASS command preceding a 230 Login successful response from the server.

Tshark successful login analysis
May  3, 2024 04:12:57.546546000 UTC     15.206.185.207  USER    forela-ftp
May  3, 2024 04:12:57.546603000 UTC     15.206.185.207  USER    forela-ftp
May  3, 2024 04:12:57.637623000 UTC     15.206.185.207  PASS    password123
--
May  3, 2024 04:12:57.649561000 UTC     15.206.185.207  PASS    69696969
May  3, 2024 04:12:57.650193000 UTC     15.206.185.207  PASS    alonzo.spire!rocks
May  3, 2024 04:12:57.827131000 UTC     172.31.45.144                   230     Login successful.
May  3, 2024 04:14:10.092755000 UTC     15.206.185.207  USER    forela-ftp
May  3, 2024 04:14:15.554506000 UTC     15.206.185.207  PASS    ftprocks69$
May  3, 2024 04:14:15.603267000 UTC     172.31.45.144                   230     Login successful.
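
The three inferences made with tshark so far (attacker IP from the 530 replies, brute-force start from the first USER command, and credentials from the USER/PASS pair preceding a 230) can be drawn in one pass over tshark's field output. The Python below is an added example, not part of the original writeup: it assumes the page's command is extended with -e frame.time_epoch -e tcp.stream so that attempts can be grouped per connection, and it runs on a constructed sample (values modelled on the writeup, not copied from the pcap) in which two parallel connections interleave, showing why pairing a 230 with the nearest preceding PASS via grep -B2 can point at the wrong password while per-stream correlation does not.

```python
"""Correlate FTP USER/PASS commands with server replies per TCP stream (added example)."""
from collections import Counter, defaultdict

# Constructed sample (values modelled on the writeup, not copied from the pcap) in the layout of
#   tshark -r ftp.pcap -T fields -E separator=/t -e frame.time_epoch -e tcp.stream \
#          -e ip.src -e ftp.request.command -e ftp.request.arg -e ftp.response.code
# Adding frame.time_epoch and tcp.stream to the page's command is this example's assumption.
SAMPLE = """\
1714709577.546546\t7\t15.206.185.207\tUSER\tforela-ftp\t
1714709577.546603\t8\t15.206.185.207\tUSER\tforela-ftp\t
1714709577.546643\t7\t172.31.45.144\t\t\t331
1714709577.546689\t8\t172.31.45.144\t\t\t331
1714709577.648700\t7\t15.206.185.207\tPASS\tftprocks69$\t
1714709577.650193\t8\t15.206.185.207\tPASS\talonzo.spire!rocks\t
1714709577.827131\t7\t172.31.45.144\t\t\t230
1714709578.415791\t8\t172.31.45.144\t\t\t530
"""

def parse_rows(text):
    """Split tab-separated tshark output into dicts; missing trailing fields become ''."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        ts, stream, src, cmd, arg, code = (line.split("\t") + [""] * 6)[:6]
        rows.append({"ts": float(ts), "stream": stream, "src": src,
                     "cmd": cmd, "arg": arg, "code": code})
    return rows

def analyze(rows):
    """Replay each stream's USER/PASS/reply sequence and summarise the attacker's logins."""
    pending = defaultdict(dict)   # tcp.stream -> last USER/PASS seen on that connection
    failures = Counter()          # client ip -> number of 530 replies received
    first_user = {}               # client ip -> timestamp of its first USER command
    successes = []                # (client ip, user, password, timestamp of the 230 reply)
    for r in sorted(rows, key=lambda r: r["ts"]):
        st = pending[r["stream"]]
        if r["cmd"] == "USER":
            st.update(client=r["src"], user=r["arg"], password=None)
            first_user.setdefault(r["src"], r["ts"])
        elif r["cmd"] == "PASS":
            st["password"] = r["arg"]
        elif r["code"] == "530" and st.get("client"):
            failures[st["client"]] += 1
        elif r["code"] == "230" and st.get("client"):
            successes.append((st["client"], st["user"], st["password"], r["ts"]))
    attacker = failures.most_common(1)[0][0] if failures else None
    return {"attacker_ip": attacker,
            "brute_force_start": first_user.get(attacker),
            "failed_logins": failures[attacker],
            "successful_logins": [s for s in successes if s[0] == attacker]}

def naive_last_pass_before_230(rows):
    """What grep -B2 effectively reports: the PASS nearest before each 230, across all streams."""
    last_pass, guesses = None, []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["cmd"] == "PASS":
            last_pass = r["arg"]
        elif r["code"] == "230":
            guesses.append(last_pass)
    return guesses
```

On the sample, analyze() attributes the 230 to stream 7 (forela-ftp / ftprocks69$) while the naive reading returns alonzo.spire!rocks, the password sent last on the wire by a different connection.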

Task 6: The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?

The RETR (retrieve) command is the standard FTP command used for downloading files from an FTP server. When an attacker uses this command, they are pulling files from the compromised server to their local machine, a common action during data exfiltration. The command tshark -r ftp.pcap -Y "ftp.request.command" -T fields -e frame.time -e ip.src -e ftp.request.command -e ftp.request.arg | grep -E "RETR|STOR" can be used to look for both downloaded and uploaded files, through the RETR and STOR commands respectively.

Task 7: Attackers were able to compromise the credentials of a backup SSH server. What is the password for this SSH server?

Pivoting off of File -> Export Objects -> FTP-DATA in Wireshark, we observe the files s3_buckets.txt and Maintenance-Notice.pdf (which correspond to the files downloaded by the attacker using the RETR commands above). Downloading and reviewing the contents of Maintenance-Notice.pdf, we find the backup SSH server credentials shared in plaintext.

Task 8: What is the s3 bucket URL for the data archive from 2023?

Reviewing the contents of s3_buckets.txt, we observe https://2023-coldstorage.s3.amazonaws.com with the label "#bulk data from 2023, if required anything from here contact simon or alonzo. Retention period is 4 years". Cold storage in AWS is usually used for long-term data archival, for less frequently accessed data, and for data that needs to be retained for compliance/reference.

Task 9: The scope of the incident is huge as Forela’s s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?

Reviewing the second entry in the same s3_buckets.txt, we observe https://2022-warmstor.s3.amazonaws.com with the comment "# pending audit, email alonzo at archivebackups@forela.co.uk for any clearance", an entry that leaks an internal email address which can be hypothesized to have been targeted by the attacker for phishing.