Challenges: Stolen Mount (TryHackMe)


In this challenge, we investigate a data breach involving a compromised NFS server. An intruder infiltrated the network and accessed backup files containing classified data. The only artifact available for analysis is a network packet capture (challenge.pcapng) recorded during the incident. Using Wireshark and basic forensic techniques, our objective is to trace the attacker’s actions, recover the stolen data, and extract the hidden flag.
Forensics Stolen Mount
Set up your virtual environment
To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
An intruder has infiltrated our network and targeted the NFS server where the backup files are stored. A classified secret was accessed and stolen. The only trace left behind is a packet capture (PCAP) file recorded during the incident. Your mission, should you accept it, is to discover the contents of the stolen data.
Note: Click the Start Machine button to spawn the Virtual Machine.
The packet capture (challenge.pcapng) is stored in the ~/Desktop directory.
Answer the questions below
What is the flag?
Start the machine, then open the pcap file using Wireshark. The description mentioned that an intruder infiltrated our network and targeted the NFS server where the backup files are stored.
So we highlight one NFS packet and click Analyze > Follow > TCP Stream:
This reveals an MD5 hash, which is the password for the secrets file, and it also shows that the files secrets.png and creds.txt are on the backup. It is also revealed that they are stored in a zip file, hidden_stash.zip, which we need to access locally, so we need to find a way to export it or save it locally.
Change the Show data as field from ASCII to Raw, then click Save as and save it locally as a .zip file.
In your terminal, unzip the archive in the Desktop folder; it will ask for the password, which is the MD5 hash we obtained earlier.
Checking the secrets.png file, it is a QR code; scanning it reveals the flag.
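As an added example (not part of the original writeup or of TryHackMe's room), assuming the stream was saved with Wireshark's Save as Raw and may therefore carry protocol bytes before and after the archive, this stdlib-only Python script carves the ZIP out of such a dump and reports which members are password-protected, so you can confirm the carved file is intact before trying the recovered password:

```python
"""Carve a ZIP archive out of a raw TCP stream dump (constructed example)."""
import io
import struct
import zipfile
from typing import Dict, Optional

LOCAL_HEADER = b"PK\x03\x04"   # local file header signature (archive start)
EOCD_SIG = b"PK\x05\x06"       # end-of-central-directory signature (archive end)


def carve_zip(stream: bytes) -> Optional[bytes]:
    """Return the bytes of the first ZIP archive embedded in `stream`, or None.

    The start is the first local-file-header signature; the end is the
    end-of-central-directory record (22 fixed bytes plus an optional comment),
    so surrounding bytes such as RPC/NFS framing are dropped.
    """
    start = stream.find(LOCAL_HEADER)
    if start == -1:
        return None
    eocd = stream.find(EOCD_SIG, start)
    if eocd == -1 or eocd + 22 > len(stream):
        return None
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]


def describe_zip(data: bytes) -> Dict[str, bool]:
    """Map each member name to whether it is encrypted (general-purpose flag bit 0)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: bool(info.flag_bits & 0x1) for info in zf.infolist()}


def build_sample_stream() -> bytes:
    """Constructed stand-in for a 'Save as Raw' dump: an (unencrypted) archive
    with the file names from the challenge, wrapped in junk that mimics framing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("creds.txt", "user:example\n")
        zf.writestr("secrets.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return b"\x80\x00\x00\x10RPC-HEADER-JUNK" + buf.getvalue() + b"\x00" * 8


if __name__ == "__main__":
    archive = carve_zip(build_sample_stream())
    print(describe_zip(archive))
```

If `describe_zip` reports True for a member, the archive needs the password recovered from the stream (`unzip -P` or `zipfile.ZipFile.extractall(pwd=...)` for ZipCrypto).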
Through careful analysis of the PCAP file, we identified unauthorized access to the NFS server and recovered a hidden ZIP archive containing sensitive files. After extracting the archive using credentials found in the captured traffic, we uncovered a QR code embedded in secrets.png. Scanning the QR code revealed the final flag, confirming the intruder’s stolen data. This challenge highlights the importance of network traffic analysis and proper monitoring of file access in preventing data exfiltration.
Written by

Jebitok