NET FORENSICS CHALLENGE WRITEUP:

# **HTB NETWORK FORENSICS CHALLENGE WRITEUP:** **Challenge description:** Investigate the provided network traffic capture file to identify important information concealed within the malicious payload. Your objective is to isolate the key details, including a callback endpoint used in various missions to spread UrchinVirus, to assist the resistance in neutralizing the corporation's control over the world. **Solution:** Download the file and open it with wireshark: ![Screenshot From 2025-02-11 20-35-54](https://hackmd.io/_uploads/rJ85q-tY1g.png) On checking the content of the pcap file it contains alot of MySQL traffics and some TCP, ![Screenshot From 2025-02-11 20-53-18](https://hackmd.io/_uploads/H1MoR-FFyx.png) I then checked on streams and trying to export objects but there was nothing available for extraction, on observing the streams there are strings inside the INSERT statements: ![Screenshot From 2025-02-11 21-16-04](https://hackmd.io/_uploads/BJSg4fttJg.png) Moving on with tshark (cli-wireshark) with command `tshark -r capture.pcap -q -z io,phs` we can see there is `nested MySQL layers` : ![image](https://hackmd.io/_uploads/S1gulftYyg.png) Since we expect malicious MySQL queries i extract all the MySQL queries using this command `tshark -r capture.pcap -Y "mysql.query" -T fields -e mysql.query` from the pcap file: ![Screenshot From 2025-02-11 21-05-54](https://hackmd.io/_uploads/Sk-6GMYt1l.png) I then attempted to decode some of the strings they were actually Base64 encode :accept: ![Screenshot From 2025-02-11 21-21-30](https://hackmd.io/_uploads/SkyBBGKt1l.png) Since the INSERT statements contain a Base64 strings, we can extract it by using this command: ``` tshark -r capture.pcap -Y "mysql.query contains \"INSERT INTO\"" -T fields -e mysql.query | grep -oP "'\K[^']+(?=')" ``` ![Screenshot From 2025-02-11 21-27-32](https://hackmd.io/_uploads/rkn38GYtyg.png) Then, I tried to decode the Base64-decoded content and it reveals an ELF binary (Linux executable), suggesting a malicious binary was inserted into a MySQL database.Here is the command for decoding it: ``` tshark -r capture.pcap -Y "mysql.query contains \"INSERT INTO\"" -T fields -e mysql.query | grep -oP "'\K[^']+(?=')" | base64 -d ``` I also found a Callback URL from the output `https://files.pypi-install.com/packages/callback/SFRCe2NodW5rNV80bmRfdWRmX2Ywcl9icjM0a2Y0NTd9 ` which suggests after the execution of the binary it downloads additional payloads from the site. ![image](https://hackmd.io/_uploads/HkFL9ftKJl.png) But at the end of the URL we can notice there is a Base64 string. Now lets decode it: ![Screenshot From 2025-02-11 21-54-47](https://hackmd.io/_uploads/Sk5b6GKYJg.png) ```Voila!!!``` i was then able to get the flag `Flag:HTB{chunk5_4nd_udf_f0r_br34kf457}` Thank you!!