How to solve MarketDump [HackTheBox]
A step-by-step walkthrough of this Forensics challenge. You can check it here.
We get a pcapng file, which we can open with Wireshark.
The clues in the problem tell us that an attacker used the webserver to pivot into the network. Reviewing the data, we see that 10.0.2.3 is the server and 10.0.2.15 is the client (you can work this out from the requests and responses exchanged between the two machines).
Reviewing some of the HTTP packets, we find the following:
If we look at the conversation in detail (Follow -> HTTP), we see the following:
And reviewing the credit card numbers in more detail, we see one that is different:
We get the following string, which looks like a hash:
NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme
To find out what kind of hash or encoding it is, we ask CyberChef for help. Using the ‘Magic’ recipe, we obtain:
The flag is HTB{DonTRuNAsRoOt!MESsEdUpMarket}
We could also have solved this with the base58 command on Linux:
> echo -n "NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme"|base58 -d
HTB{DonTRuNAsRoOt!MESsEdUpMarket}
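The same check done in Python, as an added example that is not part of the original write-up: it goes one step further than the command above by scanning rows for a "card number" that is not all digits and trying Base58 on it. The function names and the row layout in SAMPLE are assumptions made for illustration; only the encoded string comes from the capture.

```python
import re

# Bitcoin-style Base58 alphabet: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(text):
    """Decode Base58 to bytes; raise ValueError on a character outside the alphabet."""
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"not Base58: {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text stands for one leading zero byte.
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def find_odd_values(lines, min_len=16):
    """Return (value, decoded) for long tokens that are not all digits
    but decode from Base58 to printable ASCII."""
    hits = []
    for line in lines:
        for token in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, line):
            if token.isdigit():
                continue  # looks like an ordinary card number
            try:
                raw = b58decode(token)
            except ValueError:
                continue  # contains characters Base58 never uses
            if raw and all(0x20 <= b < 0x7F for b in raw):
                hits.append((token, raw.decode("ascii")))
    return hits

# Constructed sample rows (layout is an assumption); only the last value is from the write-up.
SAMPLE = [
    "American Express,370000000000002",
    "Visa,4111111111111111",
    "MasterCard,5555555555554444",
    "American Express,NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme",
]

if __name__ == "__main__":
    for value, text in find_odd_values(SAMPLE):
        print(value, "->", text)
```
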