{"id":1884,"date":"2025-06-10T13:40:08","date_gmt":"2025-06-10T17:40:08","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1884"},"modified":"2025-06-10T13:40:08","modified_gmt":"2025-06-10T17:40:08","slug":"hack-the-box-walkthrough-origins","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2025\/06\/10\/hack-the-box-walkthrough-origins\/","title":{"rendered":"Hack the Box Walkthrough: Origins"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/origins.png\" style=\"float:left;margin:.5rem;\" alt=\"HTB Origins Logo\" title=\"HTB Origins Logo\">We&#8217;re going to keep the pattern going and attack another free Sherlock from HackTheBox called <a href=\"https:\/\/app.hackthebox.com\/sherlocks\/Origins\">Origins<\/a>.  This is rated &#8220;Very Easy&#8221; and just consists of a .zip file download containing a .pcap file.  As is customary, the password to extract the files is <em>hacktheblue<\/em>.<\/p>\n<p>Here&#8217;s our scenario for this adventure:<br \/>\n<em>A major incident has recently occurred at Forela. Approximately 20 GB of data were stolen from internal s3 buckets and the attackers are now extorting Forela. During the root cause analysis, an FTP server was suspected to be the source of the attack. It was found that this server was also compromised and some data was stolen, leading to further compromises throughout the environment. You are provided with a minimal PCAP file. Your goal is to find evidence of brute force and data exfiltration.<\/em><\/p>\n<p>Since our only evidence is in a .pcap file, we&#8217;ll have to fire up <a href=\"https:\/\/www.wireshark.org\/\">Wireshark<\/a> (or your network traffic analyzer of choice).<\/p>\n<p><strong>Task 1: What is the attacker&#8217;s IP address?<\/strong><\/p>\n<p>Looking in the ftp.pcap file, we have multiple protocols represented.  
Since we know that the ultimate compromise came from FTP, let&#8217;s start by filtering traffic that is using the FTP protocol.  Adding this as a filter will do the trick: <em>_ws.col.protocol == &#8220;FTP&#8221;<\/em>.  That gets us down to 163 packets out of the 547 in the file.  We can see over and over again that the main source making the requests is 15.206.185.207.  If you look, the first few entries have a source of 172.31.45.144, but that is the server responding.  The one making the request for the admin user is 15.206.185.207.  Then 172.31.45.144 asks for the password.  This makes it definitive which side is which.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/origins_task1.jpg\" alt=\"Relevant section of the .pcap file showing the answer to task 1\" title=\"Relevant section of the .pcap file showing the answer to task 1\"><\/p>\n<p><strong><em>Task 1 Answer: 15.206.185.207<\/em><\/strong><\/p>\n<p><strong>Task 2: It&#8217;s critical to get more knowledge about the attackers, even if it&#8217;s low fidelity. Using the geolocation data of the IP address used by the attackers, what city do they belong to?<\/strong><\/p>\n<p>You can go to many different places for this.  I&#8217;m getting this lookup from <a href=\"https:\/\/www.iplocation.net\/\">this site<\/a>.  Just search the IP and get the city.<\/p>\n<p><strong><em>Task 2 Answer: Mumbai<\/em><\/strong><\/p>\n<p><strong>Task 3: Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)<\/strong><\/p>\n<p>Take a look back at the filtered capture from Task 1.  You can see what the server (172.31.45.144) is responding with.<\/p>\n<p><strong><em>Task 3 Answer: vsFTPd 3.0.5<\/em><\/strong><\/p>\n<p><strong>Task 4: The attacker has started a brute force attack on the server. When did this attack start?<\/strong><\/p>\n<p>Let&#8217;s do an additional filter for only traffic with this IP as the source within the FTP traffic.  
We can definitely see a brute force attempt happening.  If we click the first one (packet 100), it will show details in the bottom left pane.  If we expand the Frame 100 section, we can see Arrival Time, UTC Arrival Time, and Epoch Arrival Time.  The format for the HTB answer wanted one of the two &#8220;normal&#8221; dates (and not the epoch time).  I guessed they wanted UTC as my first shot as that is pretty standard, and that was it.  <\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/origins_task4.jpg\" alt=\"Relevant section of the .pcap file showing the answer to task 4\" title=\"Relevant section of the .pcap file showing the answer to task 4\"><\/p>\n<p><strong><em>Task 4 Answer: 2024-05-03 04:12:54<\/em><\/strong><\/p>\n<p><strong>Task 5: What are the correct credentials that gave the attacker access? (Format username:password)<\/strong><\/p>\n<p>For this one, I just scrolled down to the end of the attack.  I figured the attack would stop when he was successful.  When I got to the last row that had PASS in it (number 407), I right clicked on it and chose <em>Follow -> TCP Stream Ctrl+Alt+Shift+T<\/em>.  That brings up the entire &#8220;conversation&#8221; in a window and also adds a filter <em>tcp.stream eq 33<\/em> so that you can now see all of the individual pieces that make up what has been assembled for us.  
But from here, we can see what worked.<\/p>\n<pre>\r\n220 (vsFTPd 3.0.5)\r\n\r\nUSER forela-ftp\r\n\r\n331 Please specify the password.\r\n\r\nPASS ftprocks69$\r\n\r\n230 Login successful.\r\n\r\nSYST\r\n\r\n215 UNIX Type: L8\r\n\r\nFEAT\r\n\r\n211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n\r\nEPSV\r\n\r\n229 Entering Extended Passive Mode (|||63192|)\r\n\r\nLIST\r\n\r\n150 Here comes the directory listing.\r\n226 Directory send OK.\r\n\r\nEPSV\r\n\r\n229 Entering Extended Passive Mode (|||40790|)\r\n\r\nNLST\r\n\r\n150 Here comes the directory listing.\r\n226 Directory send OK.\r\n\r\nTYPE I\r\n\r\n200 Switching to Binary mode.\r\n\r\nSIZE Maintenance-Notice.pdf\r\n\r\n213 27855\r\n\r\nEPSV\r\n\r\n229 Entering Extended Passive Mode (|||9759|)\r\n\r\nRETR Maintenance-Notice.pdf\r\n\r\n150 Opening BINARY mode data connection for Maintenance-Notice.pdf (27855 bytes).\r\n226 Transfer complete.\r\n\r\nMDTM Maintenance-Notice.pdf\r\n\r\n213 20240503034329\r\n\r\nSIZE s3_buckets.txt\r\n\r\n213 268\r\n\r\nEPSV\r\n\r\n229 Entering Extended Passive Mode (|||23530|)\r\n\r\nRETR s3_buckets.txt\r\n\r\n150 Opening BINARY mode data connection for s3_buckets.txt (268 bytes).\r\n226 Transfer complete.\r\n\r\nMDTM s3_buckets.txt\r\n\r\n213 20240503034852\r\n\r\nEPSV\r\n\r\n229 Entering Extended Passive Mode (|||15028|)\r\n\r\nSTOR \/home\/cyberjunkieX0X\/HACKED.txt\r\n\r\n550 Permission denied.\r\n\r\nQUIT\r\n\r\n221 Goodbye.\r\n<\/pre>\n<p><strong><em>Task 5 Answer: forela-ftp:ftprocks69$<\/em><\/strong><\/p>\n<p><strong>Task 6: The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?<\/strong><\/p>\n<p>Look at the command listing from Task 5.  You can see it there.<\/p>\n<p><strong><em>Task 6 Answer: RETR<\/em><\/strong><\/p>\n<p><strong>Task 7: Attackers were able to compromise the credentials of a backup SSH server. 
What is the password for this SSH server?<\/strong><\/p>\n<p>Looking at the conversation in Task 5, I don&#8217;t see any passwords directly compromised during that interaction.  My guess is that they were in some of the files.  Let&#8217;s take a look at the files that were downloaded.  We can see that it looks like the attacker got a file called <em>Maintenance-Notice.pdf<\/em> and one called <em>s3_buckets.txt<\/em>.  Let&#8217;s just go up to the <em>File<\/em> menu and select <em>Export Objects -> FTP-DATA<\/em>.  We can then choose <em>Save All<\/em> and put those files in the directory of our choosing.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/origins_task7_1.jpg\" alt=\"The Wireshark Menu options to export the files\" title=\"The Wireshark Menu options to export the files\"><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/origins_task7_2.jpg\" alt=\"The dialog box to save the files\" title=\"The dialog box to save the files\"><\/p>\n<p>s3_buckets.txt just contains this:<\/p>\n<pre>\r\nhttps:\/\/2023-coldstorage.s3.amazonaws.com # bulk data from 2023, if required anything from here contact simon or alonzo. 
Retention period is 4 years\r\nhttps:\/\/2022-warmstor.s3.amazonaws.com # pending audit, email alonzo at archivebackups@forela.co.uk for any clearance\r\n<\/pre>\n<p>Maintenance-Notice.pdf has a lot of information, but contains this juicy paragraph:<\/p>\n<pre>\r\nFor team members requiring urgent access to the backup SSH servers during the maintenance\r\nperiod, you can use the temporary password \"**B@ckup2024!**\" - kindly ensure this information is\r\nhandled securely and do not share it outside of our team.\r\n<\/pre>\n<p><strong><em>Task 7 Answer: **B@ckup2024!**<\/em><\/strong><\/p>\n<p><strong>Task 8: What is the s3 bucket URL for the data archive from 2023?<\/strong><\/p>\n<p>Just look back at the contents of s3_buckets.txt.<\/p>\n<p><strong><em>Task 8 Answer: https:\/\/2023-coldstorage.s3.amazonaws.com<\/em><\/strong><\/p>\n<p><strong>Task 9: The scope of the incident is huge as Forela&#8217;s s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?<\/strong><\/p>\n<p>This is also in the s3_buckets.txt file.<\/p>\n<p><strong><em>Task 9 Answer: archivebackups@forela.co.uk<\/em><\/strong><\/p>\n<p>And there we go.  That was a fun little exploration of some of the things that Wireshark can do for us.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;re going to keep the pattern going and attack another free Sherlock from HackTheBox called Origins. This is rated &#8220;Very Easy&#8221; and just consists of a .zip file download containing a .pcap file. 
As is &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[141,142],"class_list":["post-1884","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-information-security","tag-infosec"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1884"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1884\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}