Forensics: MarketDump

Hello,

I've been on this challenge for hours. I discovered the source and destination IP addresses and the database (c*********.sql). I don't think I'm far from the solution; any hints to get the flag?

m4nu

Valiant, nothing is impossible.
Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.


Comments

  • PM me, I just completed it.

  • I've also spent some hours on this challenge and got all the information. I analyzed all the TCP streams... I am not sure I understand the question. We have the attacker's connection; we see him steal the customer database file. It is possible to see the content of the file, and it stops there. Some other info, like the owner of the database file and the user used to connect, can be seen. There is a customer line that is different from all the others; I tried this and made some manipulations, but without success..
    I don't know which customer might have been affected, since the capture stops right after the database is stolen. How can we know what happened after?

    It seems that some people solved this, so there is something I am not seeing clearly...

  • @f4d0 said:

    I've also spent some hours on this challenge and got all the information. I analyzed all the TCP streams... I am not sure I understand the question. We have the attacker's connection; we see him steal the customer database file. It is possible to see the content of the file, and it stops there. Some other info, like the owner of the database file and the user used to connect, can be seen. There is a customer line that is different from all the others; I tried this and made some manipulations, but without success..
    I don't know which customer might have been affected, since the capture stops right after the database is stolen. How can we know what happened after?

    It seems that some people solved this, so there is something I am not seeing clearly...

    Exactly, I got stuck there... after several attempts to submit the flag.

    m4nu

    Valiant, nothing is impossible.
    Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.

  • Solved, feel free to PM me... thanks @GibParadox

    m4nu

    Valiant, nothing is impossible.
    Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.

  • Gonna leave this here because I think the challenge is not really clear.
    There is something in the capture that will stand out. Once you find it, stop and try to decode it using a variation of a well known encoding.

  • @Peyphour said:

    Gonna leave this here because I think the challenge is not really clear.
    There is something in the capture that will stand out. Once you find it, stop and try to decode it using a variation of a well known encoding.

    Ha ha :anguished: the challenge hint is not really clear, I think so too.

    m4nu

    Valiant, nothing is impossible.
    Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.

  • edited May 2019

    Since I am getting quite a few PMs regarding this challenge: you can solve it in less than 2 minutes by using some very basic tools or command pipe combinations and taking a quick skim through the output -- you don't even need Wireshark.

    artikrh

  • I'm looking at some N...e - am I at least looking at the correct thing, or am I going down a completely wrong path?

    fleitner
    I tried harder...

  • @fleitner said:

    I'm looking at some N...e - am I at least looking at the correct thing, or am I going down a completely wrong path?

    See my comment above

  • Still can't get it. I tried about 100 different decoding algorithms. Please hint :(

    xeto

  • edited May 2019

    Never mind.. I got it. Just check what kinds of decoding variations really exist.

    xeto

  • Pretty easy I guess, once you understand what type of decoder to use.

  • The Magic operation in CyberChef is very useful for finding which decoder to use.

  • CyberChef is your friend ;)

  • I didn't know about CyberChef, such a great tool! Thanks @Anvillian @avetamine

  • Ditto, I did not know that page. Great tool. Thanks

    fleitner
    I tried harder...

  • I knew about the "friend" tool because IppSec talked about it in one of the boxes.
    But without the reminder I would not have remembered it.

    tabacci

  • Hint: You don't need Wireshark at all for this challenge. Just look for some long strings in the file that stand out, and decode them.

  • Finally found the flag (my first challenge "owned"), thanks to the hints here. I spent too much time in Wireshark analyzing and not enough trying to actually find the flag. It feels silly now how easy it was.

    Side note: Is this challenge worth 30 pts or 3 pts? My profile only says +3, which is disappointing because I was psyched to finally be a script kiddie lol.

  • @Kiewicz said:

    Pretty easy I guess, once you understand what type of decoder to use.

    Great tip.

  • @TsukiCTF said:

    Hint: You don't need Wireshark at all for this challenge. Just look for some long strings in the file that stand out, and decode them.

    Yeah, that helped me complete it, thanks, but... Why is that the flag? How do we know that was the goal of the criminal?

    Bless ~⠠⠵

  • Yeah, I'm lost with this. The tips that just say you don't need to open it with Wireshark and just look in the file aren't helpful lol. I can see the whole process of the "criminal" logging into the site as admin and extracting everything, but I can't see which user it is. I have no idea what I am supposed to be decoding here.

    Any tips?

  • @TurinGiants said:

    Yeah, I'm lost with this. The tips that just say you don't need to open it with Wireshark and just look in the file aren't helpful lol. I can see the whole process of the "criminal" logging into the site as admin and extracting everything, but I can't see which user it is. I have no idea what I am supposed to be decoding here.

    Any tips?

    Try filtering by bytes sent/received.

  • Guys, I've been working on this for over a day now and I can't find what everyone is getting. It's driving me insane. I have viewed the pcap, I've seen the "hacker's" actions, but I cannot find the damn name of the customer involved. Can someone please PM me and tell me where to look for the string to decode? I have looked up and down the file and can't find this flag.

    I would really appreciate it!

  • @TurinGiants said:

    Guys, I've been working on this for over a day now and I can't find what everyone is getting. It's driving me insane. I have viewed the pcap, I've seen the "hacker's" actions, but I cannot find the damn name of the customer involved. Can someone please PM me and tell me where to look for the string to decode? I have looked up and down the file and can't find this flag.

    I would really appreciate it!

    I like numbers.

    cyberus17l

  • @cyberus said:

    @TurinGiants said:

    Guys, I've been working on this for over a day now and I can't find what everyone is getting. It's driving me insane. I have viewed the pcap, I've seen the "hacker's" actions, but I cannot find the damn name of the customer involved. Can someone please PM me and tell me where to look for the string to decode? I have looked up and down the file and can't find this flag.

    I would really appreciate it!

    I like numbers.

    As do I. I see a lot of them, especially after American, but am I looking directly at it?

  • edited May 2019

    I can stare at numbers all day long...until enlightenment.

    cyberus17l

  • edited May 2019

    I'm a fucking idiot. I just got it....

  • Really cool challenge. I'll share a nice online tool for forensics => https://packettotal.com
    Don't hesitate to use CyberChef too :)

  • edited June 2019

    This challenge, if addressed from the forensics point of view, takes a lot of time, but if you examine each piece of evidence it can be very rewarding. You can learn about the attack and draw interesting conclusions from the big picture.

    If you see it from a CTF point of view, all the hints are given. Go for the long strings and use @avetamine's CyberChef to check all the encodings very quickly.
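The workflow that artikrh's and TsukiCTF's hints and the closing comment above describe (dump the long printable strings from the capture, then throw decoding variants at whatever stands out) is easy to script. The Python below is an added example and is not code from the challenge or from anyone in this thread. It runs a `strings -n 20`-style extraction over a constructed byte blob standing in for a capture file, tries several decoders (base64, base64url, base32, base58, base85, ascii85, hex) on each long token, and reports only the results that come out as readable text, which is roughly what CyberChef's Magic operation does. The sample blob, the hidden text, the helper names, and the choice of base58 as the variant hidden in the sample are all assumptions of this example; the thread does not say which encoding the challenge actually uses.

```python
import base64
import binascii
import re

# Hypothetical helper (not from the challenge or the forum thread): mimic
# `strings -n 20 capture.pcap`, then try a handful of encoding variants on
# every long token and keep only the ones that decode to readable text.

MIN_LEN = 20  # shorter runs are rarely an encoded blob worth decoding
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def long_tokens(blob, min_len=MIN_LEN):
    """Runs of printable, non-space ASCII at least min_len long (what `strings` prints)."""
    return re.findall(rb"[!-~]{%d,}" % min_len, blob)


def b58encode(data):
    """Plain Base58 (Bitcoin alphabet); only used here to build the sample blob."""
    num = int.from_bytes(data, "big")
    out = b""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem:rem + 1] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return b"1" * leading_zeros + out


def b58decode(token):
    """Plain Base58 decoder; raises ValueError on a character outside the alphabet."""
    num = 0
    for ch in token:
        num = num * 58 + B58_ALPHABET.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    leading_ones = len(token) - len(token.lstrip(b"1"))
    return b"\x00" * leading_ones + body


# Each decoder raises ValueError (binascii.Error is a subclass) on bad input.
DECODERS = {
    "base64": lambda t: base64.b64decode(t, validate=True),
    "base64url": base64.urlsafe_b64decode,
    "base32": base64.b32decode,
    "base58": b58decode,
    "base85": base64.b85decode,
    "ascii85": base64.a85decode,
    "hex": binascii.unhexlify,
}


def is_readable(data):
    """True if every byte is printable ASCII (or tab/CR/LF) and the data is non-empty."""
    return bool(data) and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)


def try_decode(token):
    """Return [(scheme, text), ...] for every decoder that yields readable text."""
    hits = []
    for name, decode in DECODERS.items():
        try:
            out = decode(token)
        except ValueError:
            continue  # not valid under this scheme, or wrong padding/alphabet
        if is_readable(out):
            hits.append((name, out.decode("ascii")))
    return hits


def scan(blob):
    """Map each long token that decodes to something readable -> its decoder hits."""
    results = {}
    for tok in long_tokens(blob):
        hits = try_decode(tok)
        if hits:
            results[tok.decode("ascii")] = hits
    return results


# Constructed stand-in for a capture file (NOT the challenge's pcap): some
# pcap-like header bytes, an HTTP request, a SQL dump line, and one long
# base58 token wedged between non-printable bytes so it shows up as a string.
SAMPLE_SECRET = b"constructed sample: the odd-looking token hides this text"
SAMPLE_CAPTURE = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"
    + b"GET /admin/export.php HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    + b"INSERT INTO customers VALUES (1,'Alice','alice@example.test');\n"
    + b"\x00\x13\x07" + b58encode(SAMPLE_SECRET) + b"\r\n"
)

if __name__ == "__main__":
    # For a real file: scan(open("capture.pcap", "rb").read())
    for token, hits in scan(SAMPLE_CAPTURE).items():
        for scheme, text in hits:
            print(f"{scheme:9s} {token[:24]}...  ->  {text}")
```

The readability filter is what keeps the noise down: a 30-character SQL fragment or URL will often be accepted by one of the permissive decoders, but the garbage it yields is rejected, so only tokens that were genuinely encoded survive. Raise `MIN_LEN` if a real capture produces too many candidates.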
