Origins
Scenario
A major incident has recently occurred at Forela. Approximately 20 GB of data were stolen from internal s3 buckets and the attackers are now extorting Forela. During the root cause analysis, an FTP server was suspected to be the source of the attack. It was found that this server was also compromised and some data was stolen, leading to further compromises throughout the environment. You are provided with a minimal PCAP file. Your goal is to find evidence of brute force and data exfiltration.
The Sherlock archive contains a single file, `ftp.pcap`.
Tasks
What is the attacker's IP address?
The Conversations view in Wireshark (Statistics → Conversations, IPv4 tab) lists one IP address (172.31.45.144) participating in almost every conversation. This address almost certainly belongs to the target host, which is serving requests to the various client IP addresses.
There is little traffic recorded between the host and most of the client addresses, with the exception of one: 15.206.185.207. Filtering the capture for `ftp` reveals a long run of failed login attempts (530 responses) from this address, suggesting a brute force attack was attempted from it.
It's critical to get more knowledge about the attackers, even if it's low fidelity. Using the geolocation data of the IP address used by the attackers, what city do they belong to?
Using any online IP lookup service, the address can be traced to Mumbai, India. Geolocation of a hosted address points at the datacenter region rather than at the operator, so this is low-fidelity attribution, as the question itself notes.
Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)
The FTP server presents a banner with the application name and version in its 220 greeting whenever a connection is established. Following any FTP conversation from the capture (Analyze → Follow → TCP Stream) reveals the banner: vsFTPd 3.0.5.
The attacker has started a brute force attack on the server. When did this attack start?
Applying the filter `ip.addr == 15.206.185.207 and ftp` shows the first attempt was made on 2024-05-03 04:12:54 UTC. Wireshark displays timestamps in local time by default; switch to View → Time Display Format → UTC Date and Time of Day before reading the value off the packet list.
What are the correct credentials that gave the attacker access? (Format: username:password)
This can be approached in a few ways. One method is to filter for `ftp`, then use Find Packet (magnifying glass on the toolbar, or Ctrl+F) with the String option to search for "Login successful". This returns two results; in both cases the credentials used were forela-ftp:ftprocks69$. Equivalently, filter on `ftp.response.code == 230` and read the USER and PASS commands that precede each hit in the same TCP stream.
The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?
The FTP command for downloading a file is RETR. The filter `ftp.request.command == "RETR"` lists every file the attacker pulled from the server, one packet per download.
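The three previous answers (when the brute force started, which credentials succeeded, and which files were retrieved) can be obtained in one pass over the control channel rather than by clicking through Wireshark. The script below is an added example, not part of the original writeup: it assumes the capture was first flattened with a tshark field export (the command is shown in the docstring) and parses constructed sample records shaped like that output, using the server and attacker addresses from this writeup but invented file names and timing. It also handles a caveat the GUI search hides: a 530 reply can answer a USER command as well as a PASS command, so only a 530 that follows a pending PASS is counted as a failed password guess.

```python
"""Triage an FTP control channel exported from a pcap with tshark.

Assumed export command (run against the real capture, not here):
  tshark -r ftp.pcap -Y "ftp" -T fields -E separator=/t \
         -e frame.time_epoch -e ip.src -e ip.dst \
         -e ftp.request.command -e ftp.request.arg -e ftp.response.code
SAMPLE_EXPORT below is constructed to look like that output; it is not
taken from the Sherlock capture, and the RETR file names are placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

SAMPLE_EXPORT = """\
1714709500.000\t10.0.0.5\t172.31.45.144\tUSER\tbob\t
1714709500.010\t172.31.45.144\t10.0.0.5\t\t\t331
1714709500.020\t10.0.0.5\t172.31.45.144\tPASS\tbobpw\t
1714709500.030\t172.31.45.144\t10.0.0.5\t\t\t230
1714709574.000\t15.206.185.207\t172.31.45.144\tUSER\tforela-ftp\t
1714709574.010\t172.31.45.144\t15.206.185.207\t\t\t331
1714709574.020\t15.206.185.207\t172.31.45.144\tPASS\t123456\t
1714709574.030\t172.31.45.144\t15.206.185.207\t\t\t530
1714709574.100\t15.206.185.207\t172.31.45.144\tUSER\tforela-ftp\t
1714709574.110\t172.31.45.144\t15.206.185.207\t\t\t331
1714709574.120\t15.206.185.207\t172.31.45.144\tPASS\tpassword\t
1714709574.130\t172.31.45.144\t15.206.185.207\t\t\t530
1714709574.200\t15.206.185.207\t172.31.45.144\tUSER\tforela-ftp\t
1714709574.210\t172.31.45.144\t15.206.185.207\t\t\t331
1714709574.220\t15.206.185.207\t172.31.45.144\tPASS\tadmin\t
1714709574.230\t172.31.45.144\t15.206.185.207\t\t\t530
1714709574.300\t15.206.185.207\t172.31.45.144\tUSER\tforela-ftp\t
1714709574.310\t172.31.45.144\t15.206.185.207\t\t\t331
1714709574.320\t15.206.185.207\t172.31.45.144\tPASS\tftprocks69$\t
1714709574.330\t172.31.45.144\t15.206.185.207\t\t\t230
1714709600.000\t15.206.185.207\t172.31.45.144\tRETR\tmaintenance-notice.pdf\t
1714709601.000\t15.206.185.207\t172.31.45.144\tRETR\ts3-buckets.txt\t
"""


def parse_export(text):
    """One dict per tshark record; empty fields stay as empty strings."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, cmd, arg, code = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "cmd": cmd, "arg": arg, "code": code})
    return records


def identify_server(records):
    """The FTP server is the host that receives the USER commands."""
    return Counter(r["dst"] for r in records if r["cmd"] == "USER").most_common(1)[0][0]


def fmt_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def login_attempts(records):
    """Pair every PASS with the 230/530 reply that answers it.

    Returns {client: [(ts_of_PASS, user, password, succeeded), ...]}.
    A 530 with no pending PASS (e.g. a rejected USER) is not an attempt.
    """
    server = identify_server(records)
    pending_user, pending_pass = {}, {}
    attempts = defaultdict(list)
    for r in records:
        if r["dst"] == server and r["cmd"] == "USER":
            pending_user[r["src"]] = r["arg"]
        elif r["dst"] == server and r["cmd"] == "PASS":
            pending_pass[r["src"]] = (r["ts"], pending_user.get(r["src"], "?"), r["arg"])
        elif r["src"] == server and r["code"] in ("230", "530"):
            client = r["dst"]
            if client in pending_pass:
                ts, user, pw = pending_pass.pop(client)
                attempts[client].append((ts, user, pw, r["code"] == "230"))
    return attempts


def brute_force_report(attempts, min_failures=10):
    """Clients with at least min_failures bad passwords, with start time and any hits."""
    report = {}
    for client, tries in attempts.items():
        failures = sum(1 for t in tries if not t[3])
        if failures < min_failures:
            continue
        report[client] = {
            "start": fmt_utc(tries[0][0]),
            "failures": failures,
            "valid_credentials": sorted({f"{u}:{p}" for _, u, p, ok in tries if ok}),
        }
    return report


def downloads(records, client):
    """Files a client pulled with RETR, in capture order."""
    return [r["arg"] for r in records if r["src"] == client and r["cmd"] == "RETR"]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("server:", identify_server(recs))
    # threshold lowered to 3 because the constructed sample is short
    for client, info in brute_force_report(login_attempts(recs), min_failures=3).items():
        print(client, info)
        print("  downloaded:", downloads(recs, client))
```

Run against a real export, leave `min_failures` at its default (or higher) so that a user who mistypes a password once is not flagged, and compare the `start` value with the Wireshark timestamp after switching the display to UTC.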
Attackers were able to compromise the credentials of a backup SSH server. What is the password for this SSH server?
Wireshark can reassemble the files carried by plaintext transfer protocols under File → Export Objects. Looking under FTP-DATA, there are two files, one of which is a PDF outlining planned maintenance.
The PDF mentions a temporary access password: **B@ckup2024!**.
What is the s3 bucket URL for the data archive from 2023?
The second file in the listing above is a plain text file containing the URLs for two S3 buckets. The URL for the 2023 bucket is https://2023-coldstorage.s3.amazonaws.com.
The scope of the incident is huge as Forela's s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?
The text file listing the S3 bucket URLs contains the following notice:
https://2022-warmstor.s3.amazonaws.com # pending audit, email alonzo at archivebackups@forela.co.uk for any clearance
Given the scenario, this is the internal address the attacker impersonated in the phishing email to obtain clearance for the bucket data: archivebackups@forela.co.uk.