Fragility - Sherlock labs

Hello, I'm currently working on the HTB Sherlock lab called Fragility and I'm stuck on the question about the secret message from the exfiltrated file.

I need help decoding the line that starts with 3 followed by special characters, as it relates to and closely follows the syntax of the hint about the secret content. search.xsl was the exfiltrated file.

Where did you find the file? I'm stuck trying to find search.xsl.

I'm still working on it. The file is in ~/.cache/ but I don't think that's it anymore. I followed the HTTP stream of the pcap file and found out that the file info had been minified. I tried to deobfuscate it using beautify but still no luck. Do you have any other ideas?

Oh, I got it man, yes I found some in that dir but it's not there anymore. Did you find the log which contains something related to encryption? Check the logs, maybe they can help you.

You found the flag?

Not yet. I'm stuck with this file and with question 3 related to the timezone hahaha

Is this UTC+00/UTC+07 correct?

For question number 3 check NTP. UTC+07 is correct, but the default timezone is what didn't make sense to me. I got the correct answer but I still can't make sense of how I got it using the provided NTP packets.

Edit: I figured out why. The default is PDT and after John's adjustment it would be UTC. I can DM you if you are still stuck.

Oh thanks man, I got the answer analysing the logs and then I realized that the question is in UTC format, so just convert the PDT to UTC and it makes sense to me. Thanks mate.

Hello guys, I'm stuck on the last question. I guess the way is to recover the file from the pcap, but I don't know how to get some information about the system that will be needed to 'decrypt' the exfiltrated file. BTW that question about timezones is really tricky.

I was able to finish :smiley:

Any hints on how you got it?

Here are my steps:
1 - extract the right data from the PCAP (look at the nginx user's bash_history)
2 - understand the pattern the attacker uses to encrypt the data (he uses a bunch of commands)
3 - since we don't have information in the OS files (resolv.conf, hostname, passwd, etc.) you need to check the logs to get the information needed to finish the decryption

I guess this will be helpful.

I found the aes-256-cbc keys that I need to decrypt the file from auth.log, but I'm having trouble finding the right data from the PCAP. I know that it's in the spl-file section of the TCP stream packet, but I have no idea how to move on from here. I have no clue how to revert the file to the original spl-file from the xsl format.

Yes. This is the command used by the attacker.

To find the correct data, you need to check how the data was exfiltrated, like IP and port. Finding these 2 values, you can filter in Wireshark or TShark to extract the data. And, or SSH?

Follow the traffic from the server IP to the other IP, specific to the port that was observed in the bash_history.

Use this filter:

ip.src_host == && tcp.port == 8080

Using this filter I mentioned, you will get an output like this:

You can check that this conversation only contains data from one side (103 KB).

This is our guy.
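Once the source IP and port are known, the same one-sided extraction can be scripted instead of clicking through Follow TCP Stream. This is an added example, not from the thread or the lab: the capture is constructed inline, the addresses are placeholders, and the parser assumes a classic pcap with Ethernet framing (no pcapng, no VLAN tags).

```python
import socket
import struct

def tcp_segment(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame (constructed data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed capture: client pushes 'ENCRYPTED' to port 8080 out of order, with a retransmit."""
    c, s = "10.0.0.5", "203.0.113.9"  # placeholder addresses
    return build_pcap([
        tcp_segment(c, s, 40000, 8080, 1000, b"ENC"),
        tcp_segment(s, c, 8080, 40000, 1, b"server side"),  # other direction, must be excluded
        tcp_segment(c, s, 40000, 8080, 1006, b"TED"),  # arrives before its predecessor
        tcp_segment(c, s, 40000, 8080, 1000, b"ENC"),  # retransmission, must not duplicate
        tcp_segment(c, s, 40000, 8080, 1003, b"RYP"),
    ])

def extract_stream(pcap, src_ip, dst_port):
    """One side of a TCP conversation (src_ip -> dst_port), reassembled by sequence number."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos, segments = 24, {}
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or socket.inet_ntoa(ip[12:16]) != src_ip:
            continue  # not TCP, or not the exfiltrating host
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        dport, seq = struct.unpack("!HHI", tcp[:8])[1:]
        data = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header and any options
        if dport == dst_port and data and seq not in segments:
            segments[seq] = data  # keep first copy; sorted() reorders below
    return b"".join(segments[s] for s in sorted(segments))
```

The returned bytes are the raw exfiltrated payload in wire order, which is what you then feed to the decryption step once the key material from the logs is in hand.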

Got it, the decryption keys that I thought were right were wrong. I used openssl and I'm still looking for the right one. Thank you for your help. I'm not familiar with this type of encryption.
