Hello hackers, I'm back again. Let me share something: I was a little bored with school stuff, so I decided to check something out to keep my brain a little active. I took some forensics challenges from HTB and decided to have some fun and see what I could get here 😂😂😂

We will be doing a forensics challenge from Hack The Box.


Before we start our investigation we first need to understand the challenge description.

 CHALLENGE DESCRIPTION

We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public internet. He managed to bypass our small product stocks logging platform and then he got our customer database file. We believe that only one of our customers was targeted. Can you find out who the customer was?

OBJECTIVE

Get the flag; the flag format is HTB{something_here}.

Let's begin the investigation.

STEP 1: Download the challenge, unzip it with the password and finally open it with Wireshark.


Now we can try a few things here, such as 'http' as a display filter, to see if there is anything fun going over HTTP.


Actually, here I didn't get any useful information, so I decided to move on with my investigation, and I came across this:


If you take a close look you will see 'telnet', so I decided to inspect it more and see what it has, because we all know about the telnet protocol: everything, credentials included, goes over the wire in cleartext.


Here the attacker tried to log in with default creds over the telnet session and found himself in, man. That one was very simple actually, although telnet is not used much nowadays.

Let's proceed and see what his next move was after he gained access via the telnet session.


whereis nc 

Explanation:
Here the attacker was searching for the location of netcat (nc.traditional) so that he could connect remotely, and the next two streams show that he managed to open a netcat listener on port 9999 and gain access to the remote server he was listening for.

And he managed to get a shell as the www-data user, which means the backdoor he set up was on the web side or via telnet, but my guess is that it was via the web application that was running the market shop.


I can't explain everything, but in simple terms the hacker was trying to move the customer details to his machine: he first copied custumers.sql over to his machine using a Python HTTP server.

FLAG PART

The attacker then also tried to cat the contents of custumer.sql, and if you scroll much further you will find a weird, interesting encoded text. There is a bunch of dumped details, so you need to scroll fast here.


American Express,NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme

Once I saw this I knew it was encoded, but I didn't know which method he had used, so I decided to try decoding it manually in my terminal.

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ open MarketDump.pcapng

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base64 -d
5P^-٬e
     !base64: invalid input

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base32 -d
mbase32: invalid input

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base58 -d
HTB{DonT...<SNIPED>.}
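Here is an added Python example (my own, not from the original write-up) that automates the same guess-and-check: it tries base64, base32 and base58 in that order on a token and reports the first scheme whose output is printable text, treating "invalid input" errors the same way the CLI tools did. The base58 decoder is implemented inline with the Bitcoin alphabet that the `base58` CLI uses; the short test inputs are constructed.

```python
import base64
import binascii
import string

# Bitcoin-style base58 alphabet (no 0, O, I, l): the one the `base58` CLI uses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PRINTABLE = set(string.printable.encode())


def b58decode(text: str) -> bytes:
    """Decode base58; raises ValueError on characters outside the alphabet."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not base58: {ch!r}")
        value = value * 58 + idx
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + raw


def b58encode(data: bytes) -> str:
    # Inverse of b58decode, handy for building known-good inputs.
    value, out = int.from_bytes(data, "big"), ""
    while value:
        value, rem = divmod(value, 58)
        out = B58_ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


# Same order as the terminal session above: base64, then base32, then base58.
DECODERS = (("base64", lambda s: base64.b64decode(s, validate=True)),
            ("base32", base64.b32decode), ("base58", b58decode))


def identify_encoding(token: str):
    """Return (scheme, text) for the first decoder yielding printable text, else None."""
    for name, decoder in DECODERS:
        try:
            raw = decoder(token)
        except (binascii.Error, ValueError):
            continue  # wrong alphabet or padding: what `invalid input` meant above
        if raw and all(b in PRINTABLE for b in raw):
            return name, raw.decode("ascii")
    return None


if __name__ == "__main__":
    # The value lifted from the capture in the write-up; its plaintext is the flag.
    print(identify_encoding("NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme"))
```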

And finally, we have solved the challenge.