Hack The Box challenges
Here are my writeups for retired Hack The Box challenges (this link requires logging in).
Hack The Box Marshal In The Middle Writeup
This is a writeup for the retired Hack The Box Marshal In The Middle challenge.
- Challenge URL: https://app.hackthebox.com/challenges/27
- Time required: 30 min
These are the challenge instructions:
The security team was alerted to suspicous network activity from a production web server.<br>Can you determine if any data was stolen and what it was?
ZIP archive
First, we check if we have the correct archive:
sha256sum "challenges/marshal_in_the_middle/Marshal in the Middle.zip"
Comparing the checksum to the one given by Hack The Box, it seems like we have the correct archive:
cdf53bab266ab4b8a28b943516bc064e9f966dae0a33503648694e15cb50ae2b challenges/marshal_in_the_middle/Marshal in the Middle.zip
We proceed by unpacking the archive:
unzip -P hackthebox \
"challenges/marshal_in_the_middle/Marshal in the Middle.zip" \
-d challenges/marshal_in_the_middle/ar/
We immediately see that this archive contains a packet capture.
Archive: challenges/marshal_in_the_middle/Marshal in the Middle.zip
inflating: challenges/marshal_in_the_middle/ar/bro/conn.log
[...]
inflating: challenges/marshal_in_the_middle/ar/secrets.log
Deciphering the TLS conversations
We open chalcap.pcapng
in Wireshark:
We try to decipher the individual TLS connections using bundle.pem
. We also
need to tell Wireshark where the key log secrets.log
is.
Here’s some more information on deciphering TLS in Wireshark.
Analyze individual conversations
Now that all TLS conversations are deciphered, we can proceed two different ways:
- Keep analyzing all connections by stripping away L1-L6 protocol headers and work directly with L7 HTTP conversations
- Export all objects as retrieved through HTTP conversations
Stripping protocol headers
In order to strip away all L1-L6 information, we can use the “Export PDUs to File…” dialog and filter by HTTP, HTTP 2, and HTTP 3:
In a new Wireshark window, we see all HTTP conversations stripped of their lower-layer protocol data:
Filtering by http.file_data contains "HTB"
will show the packet containing
the flag and inspecting the packet contents manually reveals the flag.
Exporting HTTP objects
We can also export all HTTP bodies directly using the “Export Objects” dialog in Wireshark instead:
We click “Save All” and store the HTTP objects in a new folder.
Grepping for the flag
Now that we have dumped all HTTP objects in a new folder, we search for the
flag by grepping for HTB
:
grep -e "HTB" -r challenges/marshal_in_the_middle/http_objects/
Immediately, we find the flag:
challenges/marshal_in_the_middle/http_objects/api_post(4).php:HTB{...}
The above file contains a long array of American Express credit card numbers being uploaded. Better call the bank!
AAAAAAAAND, that’s exactly why need forward secrecy: It helps prevent exposure of confidential communications over HTTPS in case key material is leaked.