Hack The Box – Sherlock – Litter (Revisited)

So I am revisiting Litter because I was not happy with how I solved it the first time.

I felt like I was doing way too much manual effort looking in Wireshark, and I wanted to try it using zeek instead.

Step 0: install docker and zeek

https://www.kali.org/docs/containers/installing-docker-on-kali/

sudo apt update

sudo apt upgrade

sudo apt install docker.io

https://www.manpagez.com/man/8/zeek/

docker pull zeek/zeek:latest

I had to change my VM settings because zeek was taking an ungodly amount of time to finish running in the next step.

docker run -it -v $(pwd):/mnt zeek/zeek sh

This runs the container interactively (-it), mounts my current directory ($(pwd)) as a volume (-v) that appears inside the container as /mnt (:/mnt), uses the zeek/zeek image, and starts a shell (sh) in it.

Afterwards I opened a bash shell (bash)

I have no idea why I need to use sh first and then bash, I tried just bash and the container kept locking up on me. 

This still takes a bit to run, even with more resources but eventually she made it.

Breakdown of zeek command:

Task 1

At a glance, what protocol seems to be suspect in this attack?

Ref: https://docs.zeek.org/en/current/quickstart.html#reading-packet-capture-pcap-files 

zeek -C -r suspicious_traffic.pcap local

Run zeek, ignore checksums (-C), read (-r) suspicious_traffic.pcap, and load the local script set for more detection capabilities. Zeek writes one log per protocol or analyzer (conn.log, dns.log, http.log, ...) into the current directory.

So now we can easily see all the different logs broken up by type.

If we look at the file sizes we can get a pretty good idea which log has the most traffic.

We can also run wc on each log to compare line and word counts.

Both of these line up and suggest DNS is likely the culprit.

We can look at conn.log using zeek-cut, sort, and uniq to easily see which hosts may be involved with this traffic.

https://github.com/zeek/zeek-aux?tab=readme-ov-file#zeek-cut

https://man7.org/linux/man-pages/man1/uniq.1.html

Here we see a lot of DNS traffic from 192.168.157.144.

Task 2

There seems to be a lot of traffic between our host and another, what is the IP address of the suspect host?

We will do something very similar to above to see what is going on in the dns.log file with our IP.

Let's look at the basic layout and the columns available in the dns.log file using head.

Many of the fields are the same as in conn.log. What we want to pull out is the source IP, the destination IP, and possibly the query, but we will start with just the IPs.

So to build our zeek-cut query:

Source IP: id.orig_h

Destination IP: id.resp_h

cat dns.log | zeek-cut id.orig_h id.resp_h | sort | uniq -c | sort -rn

Now we can see a lot of traffic coming from 192.168.157.145 to us.
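The two pivots used for Task 1 and Task 2 (count the service column of conn.log, then count source/destination pairs in dns.log) are just "parse the tab-separated Zeek log, then zeek-cut | sort | uniq -c". The following is an added example, not part of the original write-up and not Zeek's own code: it parses Zeek's ASCII log layout (the #fields header names the columns, other # lines are metadata) and reproduces both counts. The log excerpts are constructed for the demo; the two internal hosts match the write-up, everything else (timestamps, uids, the external and resolver addresses, the query names) is invented.

```python
from collections import Counter


def parse_zeek_log(text):
    """Parse a Zeek ASCII log.

    '#fields' names the tab-separated columns; every other line starting with '#'
    ('#separator', '#types', '#close', ...) is metadata and is skipped.
    Returns one dict per record, keyed by the field names from the header.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def count_by(rows, *columns):
    """Count records per distinct value of the given column(s), most frequent first.

    Python equivalent of `zeek-cut <columns> | sort | uniq -c | sort -rn`.
    Zeek writes '-' for unset fields; that is kept as a value so gaps stay visible.
    """
    counts = Counter(tuple(row.get(col, "-") for col in columns) for row in rows)
    return counts.most_common()


# Constructed excerpts in Zeek's ASCII log layout (not data from the Sherlock).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1700000000.100\tCa1\t192.168.157.144\t51000\t192.168.157.145\t53\tudp\tdns",
    "1700000000.200\tCa2\t192.168.157.144\t51001\t192.168.157.145\t53\tudp\tdns",
    "1700000000.300\tCa3\t192.168.157.144\t51002\t192.168.157.145\t53\tudp\tdns",
    "1700000001.000\tCa4\t192.168.157.144\t49200\t203.0.113.10\t443\ttcp\tssl",
    "1700000002.000\tCa5\t192.168.157.150\t49300\t203.0.113.10\t80\ttcp\thttp",
    "#close\t2024-01-01-00-00-00",
])

SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring",
    "1700000000.100\tCa1\t192.168.157.144\t51000\t192.168.157.145\t53\tudp\t1\tdnscat.48656c6c6f.example.test",
    "1700000000.200\tCa2\t192.168.157.144\t51001\t192.168.157.145\t53\tudp\t2\tdnscat.7768.6f616d69.example.test",
    "1700000000.300\tCa3\t192.168.157.144\t51002\t192.168.157.145\t53\tudp\t3\tdnscat.0d0a.example.test",
    "1700000003.000\tCa6\t192.168.157.150\t52000\t192.168.157.1\t53\tudp\t4\twww.example.test",
    "#close\t2024-01-01-00-00-00",
])


def summarize(conn_text, dns_text):
    """Reproduce the write-up's two pivots: services in conn.log, talker pairs in dns.log."""
    conn = parse_zeek_log(conn_text)
    dns = parse_zeek_log(dns_text)
    return {
        "services": count_by(conn, "service"),
        "dns_talkers": count_by(dns, "id.orig_h", "id.resp_h"),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CONN_LOG, SAMPLE_DNS_LOG)
    print("conn.log by service:")
    for (service,), n in report["services"]:
        print(f"{n:>6}  {service}")
    print("dns.log by originator -> responder:")
    for (orig, resp), n in report["dns_talkers"]:
        print(f"{n:>6}  {orig} -> {resp}")
```

Run it against a real conn.log and dns.log by reading the files into parse_zeek_log; the -C / local options from the zeek invocation above do not change the log layout, so the same parser works on any of the logs zeek produced.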

Task 3

What is the first command the attacker sends to the client?

We will now look at the queries for traffic to/from our attacker ip.

cat dns.log | zeek-cut id.orig_h id.resp_h query | grep 192.168.157.145 | awk '{print $3}'

A lot of these queries seem to be hex-encoded, so we will use xxd to decode them.

Unfortunately this docker image does not have xxd, so I need to install it.

apt-get update

For some reason installing vim seemed to install xxd?

Just to make sure, I tried installing it anyway

Okay, now we can rerun our command

I made the mistake of not piping this to less and it froze.

Restart docker container

NOW we can finally see this data
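Piping the query column through xxd works, but it treats every label (including the tool's tag and the domain suffix) as hex and chokes on the non-hex parts. As an added example, not code from the write-up or from any tunneling tool, the script below takes the lines the `zeek-cut ... | awk '{print $3}'` stage above emits, keeps only the labels that look like hex, joins them, and decodes them to bytes, escaping anything non-printable so the terminal does not freeze on control characters. The query names are constructed for the demo, and the minimum-label-length threshold is my own choice, not a property of any tool.

```python
import binascii

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")
# Constructed threshold: labels shorter than this are almost always real words
# ("www", "com") rather than payload. A genuine word made only of hex letters
# (e.g. "cafe") would still slip through, so eyeball the output.
MIN_HEX_LABEL = 4


def hex_labels(qname):
    """Return the labels of a DNS name that look like hex-encoded payload."""
    return [lbl for lbl in qname.rstrip(".").split(".")
            if len(lbl) >= MIN_HEX_LABEL and set(lbl) <= HEX_DIGITS]


def decode_query(qname):
    """Join the hex labels of one query and decode them to bytes.

    Returns None when the name carries no hex payload. Labels can be split at any
    point, so the joined string may have an odd length; the dangling nibble is dropped.
    """
    payload = "".join(hex_labels(qname))
    if not payload:
        return None
    if len(payload) % 2:
        payload = payload[:-1]
    return binascii.unhexlify(payload)


def printable(data):
    """Render bytes for a terminal: keep printable ASCII, escape the rest as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)


def decode_all(lines):
    """Decode every query line in order; names without a hex payload are skipped."""
    out = []
    for qname in lines:
        qname = qname.strip()
        if not qname:
            continue
        data = decode_query(qname)
        if data is not None:
            out.append((qname, printable(data)))
    return out


# Constructed sample: what the awk stage would print, one query name per line.
SAMPLE_QUERIES = [
    "dnscat.48656c6c6f.example.test",
    "dnscat.7768.6f616d69.example.test",
    "dnscat.0d0a.example.test",
    "www.example.test",
]

if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_QUERIES
    for qname, text in decode_all(source):
        print(f"{qname}\n    {text}")
```

Used as the last stage of the pipeline (`... | awk '{print $3}' | python3 decode_queries.py | less -N`), it prints each query name above its decoded text, so the tool banner, the ren line and the directory listings read as text instead of a wall of hex.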

Task 4

What is the version of the DNS tunneling tool the attacker is using?

To make this easier to follow along with, I enabled line numbers in less using -N.

https://linux.die.net/man/1/less

0.07

Task 5

The attacker attempts to rename the tool they accidentally left on the client's host. What do they name it to?

This was really cool to see. I did not get the full ren dnscat2 … .win_installer.exe line when I did this last time and made an educated guess; now I can see it 100%.

Task 6

The attacker attempts to enumerate the user's cloud storage. How many files do they locate in their cloud storage directory?

0 files in the OneDrive folder

Task 7

What is the full location of the PII file that was stolen?

Task 8

Exactly how many customer PII records were stolen?

Same as last time, we see the list starts at 1 and goes to 720, so 721 total.
