Challenge By : rotarydrone
Challenge Description : The security team was alerted to suspicious network activity from a production web server.
Can you determine if any data was stolen and what it was?
Points : 40
Author : Rehman S. Beg (HTB Profile : MrReh )
________________________________________
Let's download the file and extract its contents.
Open chalcap.pcapng in Wireshark. The traffic is TLS, so to view the content in plain text we first need to load the (Pre)-Master-Secret log (secrets.log) so Wireshark can decrypt the sessions:
Edit > Preferences > Protocols > TLS (called SSL in older Wireshark versions) > (Pre)-Master-Secret log filename > select secrets.log
Decryption only works for sessions whose CLIENT_RANDOM entries are present in that log; if the packets still show up only as "Application Data" after this step, re-check the preference and the path to secrets.log.
Then add a display filter that keeps only the HTTP POST requests involving the web server 10.10.20.13 (decrypted HTTP is dissected as http, so the filter works without any tls.* fields):
http.request.method == "POST" && ip.addr == 10.10.20.13
One POST request stands out with a packet length far larger than the others.
To view that packet's data in plain text: right click on the packet > Follow > TLS Stream (SSL Stream in older versions).
The decrypted POST body contains credit card data in plain text, which answers the question (yes, data was stolen, and it was card data), and with it we get the flag.
FLAG : “HTB{Th15_15_4_F3nD3r_Rh0d35_M0m3NT!!}”
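The same workflow can be scripted instead of clicked through. The following is an added example written for this writeup, not code from the original page or from the challenge author: it builds the tshark command that mirrors the Wireshark steps (keylog preference plus the same display filter), and then ranks decrypted POST bodies by size and screens them for Luhn-valid card numbers, so "was anything stolen, and what" can be answered without reading every stream by hand. SAMPLE_POSTS is constructed sample data standing in for the decrypted bodies of the real capture, and the card number in it is a well-known public test number, not a real PAN; the frame numbers are likewise invented.

```python
# Added example for this writeup (not part of the original page or the
# challenge files): command-line equivalent of the Wireshark steps plus a
# scanner that ranks decrypted POST bodies by size and checks them for
# Luhn-valid card numbers. SAMPLE_POSTS is constructed data; the PAN in it
# is a public test number, not a real card.
import re
import shlex
from typing import Dict, List


def tshark_post_filter_cmd(pcap: str, keylog: str, host: str) -> List[str]:
    """Build the tshark argv matching the Wireshark procedure above:
    load the (Pre)-Master-Secret log and keep only HTTP POSTs to/from host."""
    display_filter = f'http.request.method == "POST" && ip.addr == {host}'
    return [
        "tshark", "-r", pcap,
        "-o", f"tls.keylog_file:{keylog}",      # same as the TLS preference
        "-Y", display_filter,                   # same display filter
        "-T", "fields",
        "-e", "frame.number", "-e", "frame.len",
        "-e", "http.request.full_uri", "-e", "http.file_data",
    ]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right,
    subtract 9 from doubled values above 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits (so a 20-digit transaction id is not sliced into a "card").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(body: str) -> List[str]:
    """Return Luhn-valid card-number candidates found in one POST body.
    Luhn only screens; a hit is a candidate to confirm, not proof on its own."""
    pans = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def rank_posts(posts: Dict[int, str]) -> List[dict]:
    """Order decrypted bodies largest-first (the writeup's cue for the
    interesting request) and attach any card numbers found in each."""
    ranked = [
        {"frame": frame, "size": len(body), "pans": find_pans(body)}
        for frame, body in posts.items()
    ]
    ranked.sort(key=lambda r: r["size"], reverse=True)
    return ranked


# Constructed sample: frame number -> decrypted HTTP POST body (urlencoded).
SAMPLE_POSTS = {
    12: "username=admin&password=Winter2021",
    58: "order_id=1234567890123&status=shipped",   # 13 digits, fails Luhn
    87: ("fname=Jane&lname=Doe&email=jane%40example.com"
         "&card=4111-1111-1111-1111&exp=12%2F25&cvv=123"
         "&addr=1+Example+St&city=Springfield&zip=12345"),
}

if __name__ == "__main__":
    print(shlex.join(tshark_post_filter_cmd("chalcap.pcapng",
                                            "secrets.log", "10.10.20.13")))
    for row in rank_posts(SAMPLE_POSTS):
        print(row)
```

Feeding real bodies in is a matter of running the printed tshark command and pairing each frame.number with its http.file_data column; the tls.keylog_file preference name applies to Wireshark 3.x and later (older releases spell it ssl.keylog_file). The Luhn check removes most random digit runs such as order or transaction ids, but a surviving hit still needs to be confirmed in the stream, and the same scanner will not see anything in sessions whose secrets are missing from the log.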