Origins HTB Sherlock Writeup

Nirmal S

Hello everyone, this is a new writeup on the HTB Sherlock Origins.

Sherlock Category: DFIR

Sherlock Description:

A major incident has recently occurred at Forela. Approximately 20 GB of data were stolen from internal s3 buckets and the attackers are now extorting Forela. During the root cause analysis, an FTP server was suspected to be the source of the attack. It was found that this server was also compromised and some data was stolen, leading to further compromises throughout the environment. You are provided with a minimal PCAP file. Your goal is to find evidence of brute force and data exfiltration.

Artifacts:

  1. ftp.pcap

Task 1:

What is the attacker’s IP address?

→ In the display filter bar, type ftp.

→ In the destination column, you can find the attacker's IP.

15.206.185.207

Task 2:

It’s critical to get more knowledge about the attackers, even if it’s low fidelity. Using the geolocation data of the IP address used by the attackers, what city do they belong to?

→ Go to db-ip.com and paste the above-mentioned IP address.

Mumbai

Task 3:

Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)

→ In the same capture, the FTP server's greeting banner shows the application name and version.

vsFTPd 3.0.5

Task 4:

The attacker has started a brute force attack on the server. When did this attack start?

→ Apply the filter ip.src == 15.206.185.207 and ftp; the matching packets show when the brute force attack on the server started.

→ Look at the first occurrence of the event.

2024-05-03 04:12:54

Task 5:

What are the correct credentials that gave the attacker access? (Format username:password)

→ Search for the packet info which shows “Login Successful”.

forela-ftp:ftprocks69$

Task 6:

The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?

→ Apply the ftp-data filter to find the resources transferred over FTP.

RETR
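To show the detection logic behind Tasks 4 to 6 in code, here is an added Python example (not part of the writeup) that walks a constructed FTP control-channel log, not the real ftp.pcap, pairs each PASS with the 530/230 reply that follows it, and reports the brute-force start, the credentials that worked and the files fetched with RETR.

```python
import re

# Constructed FTP control-channel log (not the real ftp.pcap). One line per
# packet: "date time direction payload", C = attacker client, S = server.
SAMPLE_STREAM = """\
2024-05-03 04:12:54 C USER forela-ftp
2024-05-03 04:12:54 C PASS 123456
2024-05-03 04:12:54 S 530 Login incorrect.
2024-05-03 04:12:55 C USER forela-ftp
2024-05-03 04:12:55 C PASS letmein
2024-05-03 04:12:55 S 530 Login incorrect.
2024-05-03 04:12:56 C USER forela-ftp
2024-05-03 04:12:56 C PASS qwerty
2024-05-03 04:12:56 S 530 Login incorrect.
2024-05-03 04:13:10 C USER forela-ftp
2024-05-03 04:13:10 C PASS ftprocks69$
2024-05-03 04:13:10 S 230 Login successful.
2024-05-03 04:13:30 C RETR Maintenance.pdf
2024-05-03 04:13:40 C RETR s3_buckets.txt
"""
LINE_RE = re.compile(r"^(\S+ \S+) ([CS]) (.*)$")


def analyze_ftp_control(log, threshold=3):
    """Pair each PASS with the 530/230 reply that follows it; report the
    brute-force window, the credentials that worked and the files RETR'd."""
    user = password = creds = login_time = None
    failures, retrieved = [], []        # 530 timestamps / RETR targets
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, direction, payload = m.groups()
        if direction == "C":
            cmd, _, arg = payload.partition(" ")
            if cmd == "USER":
                user = arg
            elif cmd == "PASS":
                password = arg
            elif cmd == "RETR" and creds is not None:
                retrieved.append(arg)   # download over the authenticated session
        elif password is not None and payload[:3] in ("530", "230"):
            if payload.startswith("230"):
                creds, login_time = f"{user}:{password}", ts
            else:
                failures.append(ts)
            password = None             # reply consumed; wait for the next PASS
    return {"brute_force_start": failures[0] if len(failures) >= threshold else None,
            "failed_attempts": len(failures), "credentials": creds,
            "login_time": login_time, "retrieved_files": retrieved}
```

On a real capture the same lines can be produced with tshark by exporting the ftp.request.command, ftp.request.arg and ftp.response.code fields per packet.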

Task 7:

Attackers were able to compromise the credentials of a backup SSH server. What is the password for this SSH server?

→ Go to File -> Export Objects -> FTP-DATA. From there, we can retrieve the files downloaded by the attacker, which may contain sensitive information.

→ Check the Maintenance.pdf file for the password of the SSH server.

B@ckup2024!

Task 8:

What is the s3 bucket URL for the data archive from 2023?

→ Check the file s3_buckets.txt to find the URL.

https://2023-coldstorage.s3.amazonaws.com

Task 9:

The scope of the incident is huge as Forela’s s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?

→ We can find the email from the s3_buckets.txt file.

archivebackups@forela.co.uk

Skills Learnt:

  1. DFIR

  2. PCAP file analysis

Thank you. Follow my socials

https://www.linkedin.com/in/nirmal-s-738a60203/
