Hack the box Forensic Challenge Library:
The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?
Solution: Hack The Box provides the following data: a pcapng capture and a set of Bro (Zeek) logs:
While reviewing the log files, I noticed pastebin.com access from IP 10.10.20.13.
Decrypt the TLS traffic by pointing Wireshark at the secrets.log key file provided by Hack The Box (Preferences > Protocols > TLS > (Pre)-Master-Secret log filename) so the content is visible in plain text.
Followed the TCP stream after filtering on ip.addr == 10.10.20.13.
There was a POST request (as seen in the screenshot above). Filter packets with http.request.method == "POST" to isolate it.
Result: credit card data in plain text in the POST body, so yes, data was stolen.
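The two checks above (spot the pastebin.com access in the Zeek logs, then confirm the decrypted POST body carries card numbers) as a script. This is an added example, not part of the original write-up: the ssl.log excerpt, the 203.0.113.x addresses (TEST-NET-3) and the form-encoded POST body are constructed for illustration and are not data from the challenge; the Luhn check is the standard card-number checksum, used here to separate real card numbers from other long digit runs.

```python
"""Hunt for the exfiltration: list TLS sessions from the suspect host whose
SNI is pastebin.com, then Luhn-check digit runs in the decrypted POST body.
Added example; log lines, IPs and body below are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed Zeek ssl.log excerpt: tab-separated, with the '#fields' header
# Zeek writes (a subset of the default columns, in Zeek's order).
SAMPLE_SSL_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\testablished
1543221600.000000\tCa1b2c3\t10.10.20.13\t49152\t203.0.113.5\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tpastebin.com\tT
1543221602.000000\tCg7h8i9\t10.10.20.14\t49154\t203.0.113.9\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\texample.com\tT
1543221603.000000\tCj0k1l2\t10.10.20.13\t49155\t203.0.113.9\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tupdates.example.com\tT
"""

# Constructed decrypted POST body (application/x-www-form-urlencoded), the
# way Wireshark shows it once the key log file is loaded. 4111 1111 1111 1111
# is a well-known test number; 1234567890123 is a 13-digit run that is NOT
# Luhn-valid and must be rejected.
SAMPLE_POST_BODY = ("api_option=paste&api_paste_code=name%3DJane+Doe%26card%3D4111+1111+1111+1111"
                    "%26exp%3D12%2F24%26order%3D1234567890123%26phone%3D5551234567")


def parse_zeek_log(text):
    """Parse a Zeek TSV log using its own '#fields' header; returns dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def pastebin_sessions(records, src_ip, sni="pastebin.com"):
    """TLS sessions from src_ip whose SNI is pastebin.com or a subdomain of it."""
    return [r for r in records
            if r["id.orig_h"] == src_ip
            and (r["server_name"] == sni or r["server_name"].endswith("." + sni))]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_body(body):
    """URL-decode a form body and return every digit run that passes Luhn."""
    text = unquote_plus(body)
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for r in pastebin_sessions(parse_zeek_log(SAMPLE_SSL_LOG), "10.10.20.13"):
        print(f"{r['ts']} {r['id.orig_h']}:{r['id.orig_p']} -> {r['server_name']} ({r['version']})")
    for card in scan_body(SAMPLE_POST_BODY):
        print("Luhn-valid card number in POST body: ****" + card[-4:])  # mask in output
```

The parser keys on the `#fields` header instead of fixed column positions, so it works on any Zeek log (conn.log, dns.log, http.log) and survives columns added by local scripts. Only the last four digits are printed; the full numbers stay in the return value for the evidence record.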
Hack the box key below:
A cluster is the smallest allocation unit of a file system on a volume. A cluster is a group of one or more contiguous sectors; its size is fixed when the volume is formatted (4 KiB is the NTFS default for most volume sizes). The file system divides the storage on a disk volume into discrete chunks of data for efficient disk usage and performance. These chunks are called clusters.
To put it in simple terms: you get a sector by dividing the disk up, and you get a cluster by grouping sectors together.
A sector is the smallest physical storage unit on a disk platter. It normally holds 512 bytes of data (4096 bytes on Advanced Format drives) plus a few additional bytes for drive control and error correction.
The file system allocates space to a file in whole clusters, ideally as one contiguous run (clusters sharing a common border); when no free run is long enough, the file is fragmented across several runs.
For example, if the file size is 700 bytes and the cluster is a single 512-byte sector, two sectors are allocated to the file. The unused 324 bytes at the end of the second sector are slack space, which can still hold remnants of whatever was stored there before.
A block or cluster is either allocated or unallocated in the file system. Unallocated does not mean the block or cluster is blank: deleting a file normally only removes its directory entry and clears its allocation bits, so the cluster may still contain the deleted data.
For example, suppose a Word file was stored in multiple blocks and you deleted it. Later the file system reused some of those blocks to store another file.
Question: Is it possible to recover the whole Word file?
No: the reused blocks have been overwritten. But you can carve the blocks that are still unallocated and recover fragments of the file (perhaps half of it, or a single page).
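The allocation and recovery behaviour described above, as an added example that is not from the original page: a toy in-memory volume rounds files up to whole clusters, exposes the slack space at the tail of the last cluster, and shows why a deleted file's pages survive in clusters that are only marked unallocated until a new file reuses them. The sizes are assumptions (512-byte sectors, 8 sectors per cluster), and the "document" and "notes" contents are constructed.

```python
"""Toy cluster-allocated volume: cluster rounding, file slack, and carving
deleted fragments from unallocated clusters. Added example, not from the
original page; 512-byte sectors and 4 KiB clusters are assumptions."""

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    """Allocation units for a file: round up, so 700 bytes on 512-byte clusters is 2."""
    return -(-size // cluster_size)


def slack_bytes(size, cluster_size=CLUSTER_SIZE):
    """Bytes at the end of the last cluster that belong to no file (file slack)."""
    return clusters_needed(size, cluster_size) * cluster_size - size


class ToyVolume:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER_SIZE)   # the raw "disk"
        self.allocated = [False] * n_clusters              # allocation bitmap
        self.files = {}                                    # name -> (clusters, size)

    def write(self, name, content):
        need = clusters_needed(len(content))
        free = [i for i, used in enumerate(self.allocated) if not used][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = content[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes are written; the rest of the cluster keeps
            # whatever was there before (this toy never zeroes slack; real
            # filesystems vary in how much of the tail they clear).
            self.data[start:start + len(chunk)] = chunk
            self.allocated[c] = True
        self.files[name] = (free, len(content))
        return free

    def delete(self, name):
        """Delete like most filesystems: drop the record, clear the bitmap bits,
        leave every byte of content in place."""
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def file_slack(self, name):
        """Bytes after the file's end in its last cluster."""
        clusters, size = self.files[name]
        last = clusters[-1] * CLUSTER_SIZE
        used = size - (len(clusters) - 1) * CLUSTER_SIZE
        return bytes(self.data[last + used:last + CLUSTER_SIZE])

    def carve_unallocated(self, marker):
        """(cluster index, content) for unallocated clusters still holding marker:
        the fragments a carver can get back."""
        found = []
        for c, used in enumerate(self.allocated):
            if used:
                continue
            chunk = bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
            if marker in chunk:
                found.append((c, chunk))
        return found


def demo():
    """Store a three-cluster document, delete it, let a new file reuse one
    cluster, then carve. Returns (recoverable page numbers, slack of new file)."""
    vol = ToyVolume(8)
    marker = b"DOC page "
    # Constructed document: one "page" per cluster, padded to a full cluster.
    pages = [(marker + f"{p}: ".encode()).ljust(CLUSTER_SIZE, b"x") for p in (1, 2, 3)]
    vol.write("report.docx", b"".join(pages))          # clusters 0, 1, 2
    vol.delete("report.docx")                           # bitmap cleared, bytes intact
    vol.write("notes.txt", b"new file " * 300)         # 2700 bytes -> reuses cluster 0
    recovered = [int(chunk[len(marker):len(marker) + 1])
                 for _, chunk in vol.carve_unallocated(marker)]
    return recovered, vol.file_slack("notes.txt")      # slack still holds page 1's tail


if __name__ == "__main__":
    print("700 bytes on 512-byte clusters ->", clusters_needed(700, 512), "clusters,",
          slack_bytes(700, 512), "bytes of slack")
    pages_left, slack = demo()
    print("recoverable pages after reuse of cluster 0:", pages_left)
    print("slack bytes behind notes.txt:", len(slack), "(old data from the deleted file)")
```

Page 1 is gone because its cluster was reused, pages 2 and 3 come back from unallocated space, and the 1396 bytes of slack behind the new file are still the deleted document's padding: the same three places a forensic examiner looks (allocated, unallocated, slack).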