The Forensics CTF Challenge is from Hackthebox.eu. Please see the details of the challenge and download the file from this link:
They have provided a pcap file for the analysis. For the analysis, follow the TCP streams.
Once you start following TCP streams, you'll find the exfiltration information in stream 1056.
Scroll down and review the content; it's fairly easy to notice the encoded flag in the data.
Use the CyberChef Magic recipe to decode the flag.
Websites and apps occasionally need to run commands on the underlying database or operating system to add or delete data, execute a script, or start other apps. If unverified input is added to a command string or a database query, attackers can launch commands at will to take control of a server, device or data.
How does it work?
If a website, app or device incorporates user input within a command, an attacker can insert a "payload" command directly into that input. If the input is not verified, the attacker thereby "injects" and runs their own commands.
Why is it bad?
Once an attacker can run commands, they can control your website, apps and data.
SQL injection was used in the SONY hack in 2014. The attackers used a Server Message Block (SMB) worm tool to install several malicious components, including a backdoor and other tools. The SMB worm tool was equipped with five components: a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. The worm moves through an infected network via brute-force authentication attacks on Windows SMB shares and connects to command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore, and the United States.
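An added example (not from the original page) of the bug described above, using Python's sqlite3 on a constructed users table: the string-built query lets the classic `' OR '1'='1` input turn a one-row lookup into a dump of every row, while the parameterized version hands the same input to the driver as data and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a web app's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-1"), ("bob", "b-2"), ("carol", "c-3")])
    return db


def lookup_vulnerable(db, name):
    """Unverified input is spliced into the command string: the injection bug."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    # With name = "x' OR '1'='1" the WHERE clause is true for every row.
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameterized query: the driver binds name as a value, never as SQL text."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    db = make_db()
    return lookup_vulnerable(db, name), lookup_safe(db, name)


if __name__ == "__main__":
    print(compare("alice"))          # both return alice's row
    print(compare("x' OR '1'='1"))   # vulnerable dumps all rows, safe returns []
```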
usermod -g wheel tstark          # set tstark's primary group to wheel
Adding user to a group
usermod -aG superhero tstark     # -a appends to supplementary groups; -G alone would replace them
usermod -aG superhero dprince
usermod -aG superhero cdanvers
usermod -L dprince               # lock the account (password login disabled until -U)
Hack The Box Forensic Challenge Library:
The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?
Solution: Hack The Box provides the following data: a pcapng file and a lot of Bro logs.
While reviewing the log files, I noticed pastebin.com access from IP 10.10.20.13.
Decrypt the data with the secrets.log file provided by Hack The Box to view the content in plain text.
Follow the TCP stream for ip.addr == 10.10.20.13.
There was a POST request (as seen in the above screenshot). Filter packets by HTTP POST.
Credit card data in plain text.
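As an added example (not the author's solution and not the challenge capture), the "follow the TCP stream" and "filter by HTTP POST" steps used in both challenge write-ups above, done in plain Python: a minimal pcap parser reassembles payload per flow, keeps POST requests, and base64-decodes long tokens in their bodies, which is the narrow case of what the CyberChef Magic recipe guesses for you. It assumes Ethernet/IPv4/TCP frames captured in order; the capture, the 203.0.113.5 host and the flag value are constructed.

```python
import base64, re, struct

def frame(src, dst, sport, dport, payload):  # constructed Ethernet/IPv4/TCP frame, no checksums
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def pcap(frames):  # classic pcap container, little-endian, linktype 1 = Ethernet
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def tcp_streams(data):
    """Reassemble TCP payload per (src, sport, dst, dport), like 'Follow TCP Stream'.
    Assumes Ethernet/IPv4/TCP and an in-order capture (no seq-number reordering)."""
    streams, off = {}, 24
    while off < len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 6:      # IPv4 carrying TCP only
            continue
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack_from("!H", f, 16)[0]
        t = 14 + ihl                                     # start of TCP header
        sport, dport = struct.unpack_from("!HH", f, t)
        doff = (f[t + 12] >> 4) * 4                      # TCP header length
        key = (".".join(map(str, f[26:30])), sport, ".".join(map(str, f[30:34])), dport)
        streams[key] = streams.get(key, b"") + f[t + doff:14 + total]
    return streams

def posted_secrets(streams):
    """Keep HTTP POST flows only and base64-decode long tokens found in their bodies."""
    hits = []
    for key, s in streams.items():
        if not s.startswith(b"POST ") or b"\r\n\r\n" not in s:
            continue
        body = s.split(b"\r\n\r\n", 1)[1]
        for tok in re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", body):
            try:
                hits.append((key, base64.b64decode(tok, validate=True).decode()))
            except (ValueError, UnicodeDecodeError):
                pass
    return hits

# Constructed capture: the web server posts a base64 blob to an outside host.
SAMPLE = pcap([
    frame("10.10.20.13", "203.0.113.5", 40000, 80, b"GET / HTTP/1.1\r\n\r\n"),
    frame("10.10.20.13", "203.0.113.5", 40001, 80, b"POST /p HTTP/1.1\r\nHost: x\r\n\r\n"),
    frame("10.10.20.13", "203.0.113.5", 40001, 80, b"data=" + base64.b64encode(b"FLAG{constructed_sample}")),
])
```

tcp_streams() accepts the bytes of a real classic pcap file as well, but not pcapng, so export the challenge capture as pcap first; posted_secrets() sees only plain HTTP, so TLS traffic must be decrypted with the key log before this step, as in the second write-up.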
Hack the box key below:
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile   # timestamp every bash history entry (date and time)
HFS+ (Hierarchical File System Plus) (1998 - 2018)
APFS (Apple File System)
HFS+ Volume Header & Special Files
Catalog File (Forensics Gold) - B-Tree
Extents Overflow File - B-Tree
Attributes File (Forensics Gold) - B-Tree
Volume Header & Example
B-Trees: think of it as a FLAT file
General
World's Biggest Data Breaches, Information is Beautiful
11 Steps Attackers Took to Crack Target, CIO.com
Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid, Wired
2017 Cyber Risks to Intensify as Hackers Become More Cunning: Report, Energi
Defining Cybersecurity
The Security Mindset, Schneier on Security
Cybersecurity unemployment rate at zero, SC Media
Vulnerabilities
Network live IP video cameras directory, Insecam.org
This website lets you view video from unsecured cameras around the world
For each story I mentioned in the video:
Hackers Remotely Kill a Jeep on the Highway, With Me in It, Andy Greenberg, Wired
With 'recall,' Fiat Chrysler makes its car hack worse, Colin Neagle, Network World
Florida man wins over 1 million miles for hacking United Airlines, Jack Corrigan, WGN TV
Computer hackers can now hijack toilets, Sarah Griffiths, Daily Mail
Baby monitor hacker delivers creepy message to child, CBS News
It's Insanely Easy to Hack Hospital Equipment, Kim Zetter, Wired
It's Way Too Easy to Hack the Hospital, Monte Reel and Jordan Robertson, Bloomberg
Personal Security
Here's What We Know About the Massive Cyber Attack That Took Down the Internet on Friday, Peter Dockrill, Science Alert
How the Dyn DDoS attack unfolded, Tim Greene, Network World
Who are the Hackers?
MEECES to pieces, Deborah Radcliff, Network World
A compensating control may be considered when an entity cannot meet a PCI DSS requirement due to legitimate technical or documented business constraints.
A compensating control must satisfy the following:
1) Meet the intent and rigor of the original requirement.
2) Provide a similar level of defense as the original.
3) Be "above and beyond" other PCI DSS requirements.
What is "above and beyond"?
- Existing PCI DSS requirements CANNOT be considered compensating controls if they are already required for the item under review.
- Existing PCI DSS requirements MAY be considered compensating controls if they are required for another area but not for the item under review.
- Existing PCI DSS requirements may be combined with new controls to become a compensating control.
Compensating Control Worksheet:
3) Identified Risk
4) Definition of Compensating Controls
5) Validation of Compensating Controls
A. Be "above and beyond" other PCI DSS requirements (i.e., not simply in compliance with other requirements)
B. Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
C. Meet the intent and rigor of the original PCI DSS requirement
D. Be commensurate with the additional risk imposed by not adhering to the original requirement
A - Card-not-present merchants, all cardholder data functions fully outsourced
A-EP - E-commerce merchants, partially outsourced
B - Imprint machine only, no electronic card storage, or standalone dial-out terminal; data not transmitted over IP
B-IP - Merchants using only PTS-approved standalone payment terminals (Point of Interaction devices) with an IP connection to a payment processor; data transmitted via IP
C-VT - Merchants who manually enter a single transaction at a time via keyboard into an Internet-based virtual terminal
C - Merchants with payment application systems connected to the Internet, no electronic card data storage
D - Merchants and service providers not included in the above descriptions
- Password reset: user passwords/passphrases should be changed every 3 months (minimum)
- Check for wireless access points: must implement a process to test for the presence of wireless access points and to detect and identify all authorized and unauthorized wireless access points
- An audit trail history should be available immediately for analysis
Methods for stealing payment card data include:
- Weak passwords
Sensitive authentication data exists in the magnetic stripe or chip, and is also printed on the payment card. On a credit card there are two tracks, with 79 and 40 characters.
Payment Card Flow
Authorization, Clearing, Settlement, Undo (If Needed)
Cyber Threat - Real Time Map
echo "export PS1='$ '" >> ~/.bash_profile   # set a minimal shell prompt
In this article, I am going to talk about basic forensic time analysis procedure: