This forensics CTF challenge is from Hackthebox.eu. See the challenge details and download the capture file from this link:
They provide a pcap file for analysis; the approach is to follow the TCP streams in Wireshark.
Once you start following TCP streams, you will find the exfiltrated data in stream 1056 (display filter tcp.stream eq 1056).
Scroll down and review the content; the encoded flag in the data is fairly easy to spot.
Use the CyberChef Magic operation to identify the encoding and decode the flag.
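One way to automate what the CyberChef Magic step does, as an added example that is not part of the original write-up and not a Hack The Box or CyberChef tool: pull the long base64- or hex-looking tokens out of the reassembled stream text, decode each one, and keep the results that come out as printable text. The stream below is constructed for illustration, including the made-up flag it hides; the flag pattern HTB{...} is an assumption about the flag format.

```python
"""Added example (not from the original write-up): a small "magic"-style
decoder that scans reassembled TCP stream text for base64 or hex tokens,
the way the CyberChef Magic operation does, and reports the ones that
decode to printable text. The sample stream and the flag it hides are
constructed for illustration."""
import base64
import binascii
import re

# Constructed stand-in for the text Wireshark shows under "Follow TCP Stream".
# The data= value is base64 of a made-up flag; the sig= value is plain hex.
SAMPLE_STREAM = (
    "POST /upload HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=42&sig=4e6f74206120666c6167"
    "&data=SFRCe2NvbnN0cnVjdGVkX2V4YW1wbGVfZmxhZ30=&done=1\r\n"
)

# Runs of at least 16 base64 characters (with optional padding), or at least
# 8 hex bytes. Shorter runs give too many false positives on ordinary HTTP.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")


def is_printable(data: bytes) -> bool:
    """True if the bytes decode as ASCII and contain only printable text."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


def magic_decode(token: str):
    """Try hex first (its alphabet is a subset of base64's), then base64.
    Returns (encoding, plaintext) for the first decoder that yields
    printable text, or None if neither does."""
    attempts = []
    if HEX_RE.fullmatch(token):
        attempts.append(("hex", binascii.unhexlify))
    if TOKEN_RE.fullmatch(token):
        attempts.append(("base64", lambda t: base64.b64decode(t, validate=True)))
    for name, decoder in attempts:
        try:
            raw = decoder(token)
        except (binascii.Error, ValueError):
            continue
        if raw and is_printable(raw):
            return name, raw.decode("ascii")
    return None


def decode_stream(stream: str):
    """Return [(token, encoding, plaintext)] for every decodable token."""
    found = []
    for match in TOKEN_RE.finditer(stream):
        result = magic_decode(match.group(0))
        if result:
            found.append((match.group(0), result[0], result[1]))
    return found


def find_flag(stream: str, pattern: str = r"HTB\{[^}]*\}"):
    """Return the first decoded string matching the flag format, else None."""
    for _, _, text in decode_stream(stream):
        hit = re.search(pattern, text)
        if hit:
            return hit.group(0)
    return None


if __name__ == "__main__":
    for token, enc, text in decode_stream(SAMPLE_STREAM):
        print(f"{enc:6} {token} -> {text!r}")
    print("flag:", find_flag(SAMPLE_STREAM))
```

Feed it the text saved from Wireshark's "Follow TCP Stream" dialog (Show data as ASCII, then Save as) and it reports every token that decodes cleanly; the printable-text check is what keeps hex-looking session IDs and random base64 blobs from being reported as hits.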
Hack the box Forensic Challenge Library:
The security team was alerted to suspicious network activity from a production web server. Can you determine if any data was stolen and what it was?
Solution: Hack The Box provides the following data: a pcapng file and a set of Bro (now Zeek) logs:
While reviewing the log files, I noticed pastebin.com access from IP 10.10.20.13.
Decrypt the TLS traffic with the secrets.log file provided by Hack The Box (in Wireshark, set it as the (Pre)-Master-Secret log filename in the TLS protocol preferences; older versions list the protocol as SSL) to view the content in plain text.
Followed the TCP stream for ip.addr == 10.10.20.13.
There was a POST request (as seen in the above screenshot). Filter the packets by HTTP POST (http.request.method == "POST").
Credit Card Data in Plain Text
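The two checks above, finding which internal host talked to pastebin.com in the Zeek logs and confirming that the decrypted POST body really carries card data, as an added example that is not part of the original write-up and not a Hack The Box or Zeek tool. The ssl.log rows and the POST body are constructed; the only detail taken from the write-up is the client address 10.10.20.13, and the responder addresses are TEST-NET placeholders.

```python
"""Added example (not from the original write-up): parse Zeek (Bro) TSV logs
to find which internal host contacted pastebin.com, then scan a decrypted
POST body for card numbers, using the Luhn check to drop look-alike digit
runs such as order IDs. The log lines and POST body are constructed; the
only detail taken from the write-up is the client address 10.10.20.13."""
import re

# Constructed ssl.log in Zeek's TSV layout. Only the #fields header matters
# to the parser; the responder addresses are TEST-NET placeholders.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring",
    "\t".join(["1551000000.000000", "CAbc1", "10.10.20.13", "49152",
               "203.0.113.5", "443", "pastebin.com"]),
    "\t".join(["1551000001.000000", "CAbc2", "10.10.20.7", "49153",
               "198.51.100.9", "443", "example.com"]),
    "\t".join(["1551000002.000000", "CAbc3", "10.10.20.13", "49154",
               "198.51.100.9", "443", "-"]),
    "#close\t2019-02-24-10-00-00",
])

# Constructed stand-in for a POST body seen after TLS decryption. The card
# value is the well-known Visa test number; the order number is 16 digits
# that do not pass Luhn, so it must not be reported.
SAMPLE_POST_BODY = (
    "name=J+Doe&card=4111111111111111&exp=12%2F26&cvv=123"
    "&order=1234567890123456"
)


def parse_zeek_log(text: str):
    """Turn a Zeek TSV log into a list of dicts keyed by the #fields names.
    Unset fields ('-') are returned as None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            values = line.split("\t")
            records.append({k: (None if v == "-" else v)
                            for k, v in zip(fields, values)})
    return records


def clients_contacting(records, name: str, field: str = "server_name"):
    """Set of client (id.orig_h) addresses whose records name the server."""
    return {r["id.orig_h"] for r in records if r.get(field) and name in r[field]}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a
# longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text: str):
    """Digit runs of 13-19 digits that pass the Luhn check, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    records = parse_zeek_log(SAMPLE_SSL_LOG)
    print("clients contacting pastebin.com:",
          clients_contacting(records, "pastebin.com"))
    print("Luhn-valid card numbers:", find_card_numbers(SAMPLE_POST_BODY))
```

The same parser works on the other Zeek logs in the bundle: point clients_contacting at http.log with field="host" or at dns.log with field="query" to catch the pastebin lookup even if the TLS handshake did not carry an SNI.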
Hack the box key below: