```
Hello hackers, I am back again. Let me share something: I was a little bored with school stuff, so I decided to do something to keep my brain at least a little active. I took a forensics challenge from HTB and worked through it for fun, to see what I could get out of it 😂😂😂
```

We will be doing a forensics challenge from Hack The Box.

![Screenshot 2024-01-30 at 14-06-47 Hack The Box Hack The Box](https://hackmd.io/_uploads/rJtiqpLcT.png)

Before we start our investigation we first need to understand the challenge description:

```
CHALLENGE DESCRIPTION
We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public internet. He managed to bypass our small product stocks logging platform and then he got our customer database file. We believe that only one of our customers was targeted. Can you find out who the customer was?
```

# objective

```
Get the flag. The flag format is HTB{something_here}.
```

Let's begin the investigation.

```
STEP 1: download the challenge, unzip it with the password, and open the capture (MarketDump.pcapng) in Wireshark.
```

![Screenshot from 2024-01-30 14-22-34](https://hackmd.io/_uploads/Syron6Iqa.png)

Now we can try a few things here, such as `http` as a display filter, to see whether anything interesting is going over HTTP.

![Screenshot from 2024-01-30 14-27-14](https://hackmd.io/_uploads/S1pgRTI5p.png)

Here I didn't get any useful information, so I moved on with my investigation and came across this:

![Screenshot from 2024-01-30 14-30-29](https://hackmd.io/_uploads/rJQOCpU5T.png)

If you take a close look you will see `telnet`, so I decided to inspect it further and see what it carries, because we all know what the telnet protocol is like: everything, credentials included, goes over the wire in cleartext, which is exactly why Follow TCP Stream shows the whole session.

![Screenshot from 2024-01-30 14-33-37](https://hackmd.io/_uploads/By8VkAI9p.png)

Here the attacker tried to log in with default credentials over the telnet session and found himself in. Man, that one was very simple, although telnet is rarely used nowadays.
Let's proceed and see what his next move was after he gained access via the telnet session.

![Screenshot from 2024-01-30 14-40-10](https://hackmd.io/_uploads/HkdoeCLqT.png)

```
whereis nc
```

Explanation: here the attacker was looking up the location of netcat (`nc.traditional`) so he could use it for a remote connection. The next two streams show that he managed to get a netcat listener on port 9999 working and, through it, gained access to the remote server he was listening on.

He got a shell as the `www-data` user, which means the backdoor he set up was either on the web side or via telnet; my guess is that it came through the web application that was running the market shop.

![Screenshot from 2024-01-30 14-47-12](https://hackmd.io/_uploads/B1xhzAIcT.png)

```
I can't explain everything, but in simple terms the hacker was trying to move the customer details to his machine: he first copied the customer database file (custumers.sql) over to his machine using a Python HTTP server.
```

# FLAG PART

The attacker then also `cat`ed the contents of `custumers.sql`. If you scroll much further down the stream you will find a weird, interesting encoded string. There is a bunch of dumped customer details, so you need to scroll fast here.

![Screenshot from 2024-01-30 14-55-15](https://hackmd.io/_uploads/SyYUEA8ca.png)

```
American Express,NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme
```

Where the other rows carry plain data, this one carries what is clearly an encoded value, which is what points at the targeted customer.

Once I saw this I knew it was encoded, but I didn't know which method he used, so I decided to try it manually in my terminal.

```
┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ open MarketDump.pcapng

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base64 -d
5P^-٬e !base64: invalid input

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base32 -d
mbase32: invalid input

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/CURLING]
└─$ echo "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme" | base58 -d
HTB{DonT...<SNIPED>.}
```

A quick sanity check on why the first two fail and the third works: base64 wants a length that is a multiple of 4 (this string is 45 characters, hence a few garbage bytes and then "invalid input"), base32 only uses uppercase letters and the digits 2-7, and base58 (the Bitcoin alphabet) uses no padding and leaves out the easily confused characters 0, O, I and l, which fits a 45-character mixed-case string that contains none of them.

And finally we have solved the challenge.
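The two manual steps above, scrolling the dump for the one row that does not look like the others and then guessing the encoding by trial and error, can be scripted. The following is an added example written for this write-up, not code from the original post or from Hack The Box. It assumes a column layout of (id, name, card_type, card_number), which the post does not show in full, runs over a constructed dump rather than the real `custumers.sql`, and uses its own base58 decoder with the same Bitcoin alphabet the `base58` CLI uses:

```python
"""Added example (not from the original write-up): pick out the odd row in a
customers.sql-style dump and work out which base-N encoding hides the flag.
The dump below is constructed for this example; the column order is an
assumption. b58decode implements the Bitcoin base58 alphabet by hand."""
import base64
import csv
import re

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(token: str) -> bytes:
    """Decode base58 (Bitcoin alphabet); each leading '1' becomes a NUL byte."""
    num = 0
    for ch in token.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {chr(ch)!r}")
        num = num * 58 + idx
    pad = len(token) - len(token.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here only to build the constructed sample."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    digits = bytearray()
    while num:
        num, rem = divmod(num, 58)
        digits.append(B58_ALPHABET[rem])
    return "1" * pad + digits[::-1].decode("ascii")


def luhn_ok(pan: str) -> bool:
    """Luhn check: a real card number in the dump passes, an encoded blob does not."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


ROW_RE = re.compile(r"VALUES\s*\((.*)\)\s*;?\s*$")


def find_suspicious_cards(dump: str) -> list[tuple[str, str]]:
    """Return (card_type, card_field) for INSERT rows whose card field is not a valid PAN.
    Assumes columns (id, name, card_type, card_number); adjust the indexes for a real dump."""
    odd = []
    for line in dump.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        fields = next(csv.reader([m.group(1)], quotechar="'"))
        card_type, card = fields[2], fields[3]
        if not luhn_ok(card):
            odd.append((card_type, card))
    return odd


def is_printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


DECODERS = {
    "base64": lambda t: base64.b64decode(t, validate=True),
    "base32": base64.b32decode,
    "base58": b58decode,
}


def try_decodings(token: str) -> list[tuple[str, bytes]]:
    """Try the encodings the write-up tried by hand; keep those that give printable text."""
    hits = []
    for name, decode in DECODERS.items():
        try:
            out = decode(token)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if is_printable(out):
            hits.append((name, out))
    return hits


# Constructed sample dump (not the challenge's custumers.sql); the third row
# carries a base58-encoded value where a card number belongs.
SAMPLE_TOKEN = b58encode(b"HTB{constructed_example}")
SAMPLE_DUMP = f"""\
INSERT INTO customers VALUES (1,'Alice Example','Visa','4111111111111111');
INSERT INTO customers VALUES (2,'Bob Example','MasterCard','5555555555554444');
INSERT INTO customers VALUES (3,'Carol Example','American Express','{SAMPLE_TOKEN}');
"""

if __name__ == "__main__":
    for card_type, value in find_suspicious_cards(SAMPLE_DUMP):
        print(f"odd card field for {card_type}: {value}")
        for scheme, plaintext in try_decodings(value):
            print(f"  {scheme}: {plaintext.decode('ascii')}")
```

To run it against the real stream, save the Follow TCP Stream output to a file, pass its text to `find_suspicious_cards` with the column indexes matching that dump, and feed each flagged value to `try_decodings`. The Luhn filter is what replaces scrolling: a card-number column should only contain values that pass it, so anything else is the row worth looking at.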