This is a writeup for the HackThebox Litter challenge.
Task 1: At a glance, what protocol seems to be suspect in this attack?
Using a SQL lite viewer (such as sqlitebrowser) you’ll see an exported database from a phpbb forum. The phpbb_users table contains an overview of all the available users, including a user called apoole1 (id 52) with [email protected] as the email address.
Task 2: What IP address did the contractor use to create their account?
The same table contains the IP address of the logged in user; this should be 10.10.0.78.
Task 3: What is the post_id of the malicious post that the contractor made?
Opening the phpbb_posts table shows that poster_id 52 (apoole1) created a post with post_id 9.
Task 4: What is the full URI that the credential stealer sends its data to?
The phpbb_posts also contains a field post_text which includes the full HTML content of the post. Upon searching for a form action, you’ll notice a form sending data to http://10.10.0.78/update.php.
Task 5: When did the contractor log into the forum as the administrator? (UTC)
Opening the phbpbb_log table contains the logs/events of the forum. Filtering on the contractor’s IP (10.10.0.78) we’ll see 1 LOG_ADMIN_AUTH_SUCCESS event.
Since the listed timestamp is saved as unix, we can use a simple python oneliner to convert it to the required format:
python -c 'from datetime import datetime; print(datetime.fromtimestamp(1682506392).strftime("%d/%m/%Y %H:%M:%S"))
...
26/04/2023 12:53:12
Now substract two hours for UTC :)
Task 6: In the forum there are plaintext credentials for the LDAP connection, what is the password?
The phpbb_config table contains the forum configuration details. This also includes the ldap_password config name, which contains the value ‘Passw0rd1’.
Task 7: What is the user agent of the Administrator user?
The access.log file contains the web/proxy logs of the forum. Using grep to find any path containing ‘/admin’ (assuming any directory containing /admin is limited to admin users). This should show two unique IP addressess with matching requests. Since we know that 10.10.0.78 belongs to the contractor, 10.255.254.2 should be the original admin with “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36” as the user agent
Task 8: What time did the contractor add themselves to the Administrator group? (UTC)
Going back to the phpbb_log table, we’ll see the LOG_USERS_ADDED event from the contractor’s IP (10.10.0.78) to add a user to the “Administrator” group.
Now use the same Python oneliner to convert the timestamp:
python -c 'from datetime import datetime; print(datetime.fromtimestamp(1682506431).strftime("%d/%m/%Y %H:%M:%S"))
...
26/04/2023 12:53:51
Now substract two hours for UTC again.
Task 10. What time did the contractor download the database backup? (UTC)
My initial guess was that the LOG_DB_BACKUP activity contained in the phpbb_logs table contained the answer but this seemed to be incorrect. Using grep "backup" access.log we find several requests related to backup activity in the access logs. One of the requests clearly shows an archived sql dump being downloaded (ie. store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz). The timestamp of this request is 26/Apr/2023:12:01:38 +0100 (in GMT+1, so you should substract an hour).
Task 11. What was the size in bytes of the database backup as stated by access.log?
The same request in the previously mentioned access log contains the response in bytes (34707) just before the user agent.
