At a glance, what protocol seems to be suspect in this attack?
At first glance, I see a lot of DNS packets.
There seems to be a lot of traffic between our host and another. What is the IP address of the suspect host?
I filtered it to only see DNS.
When I scrolled down a bit, I could observe 192.168.157.145 doing DNS enumeration.
What is the first command the attacker sends to the client?
We know the suspicious IP address, and we know the protocol is DNS.
So, let's follow the UDP stream to find out what was happening.
I copied and pasted it into CyberChef and decoded it.
I could see the command that the attacker used.
What is the version of the DNS tunneling tool the attacker is using?
If you continue reading the decoded commands, you will see the tool called dnscat2 and its version.
The attackers attempt to rename the tool they accidentally left on the client’s host. What do they name it?
It is in the decoded content. However, for some reason I couldn't see it in the CyberChef result.
Instead, I found a very useful tool.
https://github.com/josemlwdf/DNScat-Decoder
You can use this tool to decode all the messages.
python3 dnscat_decoder.py ../suspicious_traffic.pcap "microsofto365.com"
Then, I found the renamed file.
ren ren dnscat2-v0.07-client-win32.exe
ren ren 'dnscat2-v0.07-client-win32.exe' 'win_install.exe
ren dnscat2-v0.07-client-win32.exe win_installer.exe
ren 'client data optimisation' client_data_optimisation
The attacker attempts to enumerate the user’s cloud storage. How many files do they locate in their cloud storage directory?
C:\Users\test\OneDrive>
ers\test\OneDrive
04/06/2021 08:52 <DIR> .
04/06/2021 08:52 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 24,470,171,648 byt
There is the OneDrive directory.
What is the full location of the PII file that was stolen?
C:\Users\test\Documents\client data optimisation>
type "C:\Users\test\Documents\client data optimisation\user details.csv"
,job,company,ssn,residence,current_location,blood_group,website,username,name,sex,address,mail,birthdate
0,Chief Technology Officer,Bennett Group,725-79-1073,"5021 Mary Glens
Timothyville, TN 14945","(Decimal('57.8730225'), Decimal('51.378019'))",A-,['https://www.lamb.org/'],michellelynch,David Davis,M,"582 Hernandez Heights Apt. 177
Hillhaven, SC 87188",belljennifer@hotmail.com,1980-02-21
Exactly how many customer PII records were stolen?
If we can count the number of victims, then that's the answer.
However, there are so many, so I did it like this:
cat decoded.txt | grep -i @ | wc -l
I grepped for the @ symbol in the decoded text to count the email addresses, relying on the fact that every record has exactly one email address.
Then I counted the resulting lines, and that was the answer.
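As an added example (my own code, not the write-up's and not the DNScat-Decoder tool), here is the same decoding done by hand in Python for the dnscat2 traffic described above, plus the record count from the last step: it strips the tunnel domain from each query name, joins the hex labels, parses the dnscat2 packet header according to the dnscat2 protocol documentation (SYN/MSG/FIN layouts), and counts records by email address. The sample query and session id are constructed for the demo, not taken from the capture.

```python
import re
import struct
# dnscat2 message types, as documented in the dnscat2 protocol description
MSG_TYPES = {0x00: "SYN", 0x01: "MSG", 0x02: "FIN", 0x03: "PING"}

def extract_hex_payload(qname, tunnel_domain):
    """Return the hex string carried in the labels left of tunnel_domain, or None."""
    qname = qname.rstrip(".").lower()
    suffix = "." + tunnel_domain.lower()
    if not qname.endswith(suffix):
        return None
    # dnscat2 splits the hex-encoded packet into labels of at most 63 chars
    hexstr = "".join(qname[: -len(suffix)].split("."))
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) % 2:
        return None
    return hexstr

def parse_dnscat2_packet(raw):
    """Parse the common header (packet_id, type) and the per-type fields of a packet."""
    if len(raw) < 3:
        return None
    packet_id, mtype = struct.unpack(">HB", raw[:3])
    pkt, body = {"packet_id": packet_id, "type": MSG_TYPES.get(mtype, "UNKNOWN")}, raw[3:]
    if pkt["type"] == "MSG" and len(body) >= 6:      # session_id, seq, ack, data
        pkt["session_id"], pkt["seq"], pkt["ack"] = struct.unpack(">HHH", body[:6])
        pkt["data"] = body[6:]
    elif pkt["type"] == "SYN" and len(body) >= 6:    # session_id, seq, options, [name]
        pkt["session_id"], pkt["seq"], pkt["options"] = struct.unpack(">HHH", body[:6])
        pkt["data"] = body[6:].split(b"\x00", 1)[0]
    elif pkt["type"] == "FIN" and len(body) >= 2:    # session_id, reason string
        pkt["session_id"] = struct.unpack(">H", body[:2])[0]
        pkt["data"] = body[2:].split(b"\x00", 1)[0]
    else:
        pkt["data"] = body
    return pkt

def decode_queries(qnames, tunnel_domain):
    """Decode every query name carrying a dnscat2 packet; unrelated names are skipped."""
    hexes = (extract_hex_payload(q, tunnel_domain) for q in qnames)
    pkts = [parse_dnscat2_packet(bytes.fromhex(h)) for h in hexes if h]
    return [p for p in pkts if p]

def count_records(decoded_text):
    """Count exfiltrated CSV rows: each record carries exactly one e-mail address."""
    email = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
    return sum(1 for line in decoded_text.splitlines() if email.search(line))

# Constructed sample (not from the capture): one MSG packet carrying a command quoted in
# the write-up, hex-encoded and split into 63-char labels under the tunnel domain.
_hex = (struct.pack(">HBHHH", 1, 0x01, 0x1234, 1, 0) + b"ren dnscat2-v0.07-client-win32.exe win_installer.exe").hex()
SAMPLE_QUERIES = [".".join(_hex[i:i + 63] for i in range(0, len(_hex), 63)) + ".microsofto365.com",
                  "www.example.com"]
```

Running decode_queries(SAMPLE_QUERIES, "microsofto365.com") yields one MSG packet whose data is the ren command; benign names such as www.example.com are ignored.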