HackTheBox Forensics Challenge (Chase) Write-Up
- contactalex871
- Feb 25
- 1 min read
Open the PCAP file in Wireshark and start with the statistics menus before touching individual packets.
Statistics -> Capture File Properties (general overview of the file: capture length, packet count, timestamps).
Statistics -> Protocol Hierarchy (general overview of which protocols carry the packets and how much traffic each one accounts for).
Takeaways:
Three protocols stood out in the Protocol Hierarchy: TCP, HTTP and Data (Data is Wireshark's label for payload it has no dissector for, which is typically where a raw file transfer on a non-standard port ends up).
Set a display filter for each (e.g. http, then tcp.port == 4444) and inspect the matching packets.
Follow the streams (right-click a packet -> Follow -> HTTP Stream or TCP Stream) so that request, response and payload are read in order rather than packet by packet.

In the HTTP traffic, two strings stand out: they are URL encoded and, once read through the %xx escapes, reference an executable file. Suspicious.
URL-decode both strings in CyberChef (URL Decode recipe).
Decoded, they download the executable from the server on port 4444 to the victim machine and then execute the file locally.

Inspect the traffic on port 4444, since that is where the malicious file is served from.
Filter for traffic on that port only: tcp.port == 4444

Follow the TCP stream (right-click a packet in the filtered view -> Follow -> TCP Stream):
scroll all the way to the bottom of the stream, where the transferred file and its name sit.

The file name is base32 encoded (the giveaway is an uppercase string drawn only from A-Z and 2-7, often padded with =). Decode it with CyberChef's From Base32 or base32 -d:
JBKEE62NIFXF6ODMOUZV6NZTMFGV6URQMNMH2IBA -> HTB{MAn_8lu3_73aM_R0cX}
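The decoding steps above (URL-decode the strings found in the HTTP traffic, then base32-decode the file name pulled from the port 4444 stream) as a scripted version, added here as an example and not part of the original write-up or the challenge files. The URL-encoded sample string (host 192.0.2.10, port 4444, .exe name) is constructed for this example; only the base32 token is the one from the capture. The helper tolerates lowercased input and missing = padding, and strips the trailing whitespace that padded the original file name.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample input: a URL-encoded download path of the kind seen in the
# HTTP stream. The host and port path are an assumption for this example; the
# base32 token is the real file name from the port 4444 stream.
SAMPLE_URL_ENCODED = (
    "http%3A%2F%2F192.0.2.10%3A4444%2F"
    "JBKEE62NIFXF6ODMOUZV6NZTMFGV6URQMNMH2IBA.exe"
)

# A run of at least 16 characters from the RFC 4648 base32 alphabet, with
# optional '=' padding. Short runs are skipped to avoid matching ordinary words.
B32_TOKEN = re.compile(r"\b[A-Z2-7]{16,}=*")


def url_decode(s: str) -> str:
    """Undo %xx escaping, repeating while the text still changes
    (download cradles are sometimes double-encoded)."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s


def b32_decode_lenient(token: str) -> str:
    """Decode base32 even if the case was changed or padding was dropped,
    then strip trailing spaces/NULs that padded the original file name."""
    token = re.sub(r"\s+", "", token).upper().rstrip("=")
    token += "=" * (-len(token) % 8)          # restore padding to a multiple of 8
    raw = base64.b32decode(token)
    return raw.decode("utf-8", errors="replace").rstrip(" \x00\r\n")


def find_flags(url_encoded: str) -> list[str]:
    """URL-decode the string, then decode every base32-looking token in it.
    Tokens that are not valid base32 are skipped rather than aborting."""
    decoded = url_decode(url_encoded)
    results = []
    for token in B32_TOKEN.findall(decoded):
        try:
            results.append(b32_decode_lenient(token))
        except binascii.Error:
            continue
    return results


if __name__ == "__main__":
    print(url_decode(SAMPLE_URL_ENCODED))
    for flag in find_flags(SAMPLE_URL_ENCODED):
        print(flag)
```

The 40-character token decodes to 25 bytes: the flag followed by two space characters, which is why the helper strips trailing whitespace instead of returning the raw bytes. The same tolerant decoder works on the file name copied straight out of Wireshark's Follow TCP Stream window, whether or not the = padding survived the copy.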