{"id":194,"date":"2023-06-11T09:00:00","date_gmt":"2023-06-11T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/06\/11\/rogue-htb-forensics-easy\/"},"modified":"2026-05-13T12:59:35","modified_gmt":"2026-05-13T12:59:35","slug":"rogue-htb-forensics-easy","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2023\/06\/11\/rogue-htb-forensics-easy\/","title":{"rendered":"Rogue | HTB Forensics (Easy)"},"content":{"rendered":"<p>Rogue is an Easy-rated HackTheBox Forensics challenge. You receive a single packet capture file. Three flags are hidden across three different protocol-level credential theft and data exfiltration scenarios. The Easy rating reflects that the techniques are well-documented \u2014 but encountering DNS tunnelling for the first time makes Flag 3 anything but easy.<\/p>\n<h3>Initial pcap triage<\/h3>\n<pre># capinfos summarises the capture without loading it into Wireshark\ncapinfos rogue.pcap\n# File name:           rogue.pcap\n# File type:           Wireshark\/tcpdump\/... - pcap\n# File encapsulation:  Ethernet\n# Packet size limit:   65535 bytes\n# Number of packets:   8472\n# File size:           2456 kB\n# Data size:           2432 kB\n# Duration:            312.543 secs\n# Start time:          2023-06-10 14:22:10\n# End time:            2023-06-10 14:27:22\n\n# Protocol hierarchy breakdown\ntshark -r rogue.pcap -q -z io,phs\n# eth\n#   ip\n#     tcp\n#       ftp         &lt;-- cleartext credentials\n#       ftp-data    &lt;-- file transfer\n#       http        &lt;-- cleartext form submission\n#     udp\n#       dns         &lt;-- tunnelling<\/pre>\n<h3>Flag 1 \u2014 FTP credentials<\/h3>\n<p>FTP sends credentials in plaintext in the USER and PASS commands. 
Extract them directly:<\/p>\n<pre># Pull the USER and PASS arguments straight out of the FTP control channel\ntshark -r rogue.pcap -Y \"ftp.request.command == USER || ftp.request.command == PASS\" \\\n  -T fields -e frame.number -e ftp.request.command -e ftp.request.arg\n\n# Output:\n# 23    USER    ftpuser\n# 25    PASS    s3cur3_ftp_p4ssw0rd\n\n# Follow the full FTP session to see what was transferred:\ntshark -r rogue.pcap -Y \"ftp or ftp-data\" -T fields \\\n  -e frame.time -e ftp.request.command -e ftp.request.arg -e ftp.response.code \\\n  | head -30\n\n# Shows: LIST, RETR credentials.txt, QUIT<\/pre>\n<p>The downloaded file <code>credentials.txt<\/code> contained Flag 1: <code>HTB{ftp_cr3d5_1n_pl41nt3xt}<\/code><\/p>\n<h3>Flag 2 \u2014 HTTP form POST<\/h3>\n<pre># Find all HTTP POST requests and dump their bodies\ntshark -r rogue.pcap -Y \"http.request.method == POST\" \\\n  -T fields -e frame.number -e http.request.uri -e http.file_data\n\n# Output:\n# 1204  \/login  username=admin&amp;password=HTB%7Bhttp_f0rm_p0st_l0g1n%7D&amp;submit=Login<\/pre>\n<p>URL-decode the password field: <code>HTB{http_f0rm_p0st_l0g1n}<\/code> \u2014 that is Flag 2. The credentials were transmitted in the HTTP POST body without TLS, fully visible to any network observer.<\/p>\n<h3>Flag 3 \u2014 DNS tunnelling<\/h3>\n<p>DNS tunnelling encodes data in DNS query names. The receiving server decodes the subdomain labels and reassembles the data stream. It is commonly used for both C2 and data exfiltration because DNS traffic is rarely blocked outbound.<\/p>\n<pre># Find A-record queries with unusually long names\n# (single quotes keep the shell from expanding $0 before awk sees it)\ntshark -r rogue.pcap -Y \"dns.qry.type == 1\" \\\n  -T fields -e dns.qry.name \\\n  | awk 'length($0) &gt; 30' | head -20\n\n# Output:\n# 5a6d566b4c6d703062484d.tunnel.justruss.htb\n# 7550356c5a585139644739.tunnel.justruss.htb\n# 774b564852684c6d5a3159.tunnel.justruss.htb\n# 57585a7a6332387a.tunnel.justruss.htb<\/pre>\n<p>The subdomains before <code>.tunnel.justruss.htb<\/code> are hex-encoded data. 
Extract and reassemble them in order:<\/p>\n<pre># Order the queries by capture time, strip the tunnel suffix, join the hex and decode it\ntshark -r rogue.pcap -Y \"dns.qry.type == 1 and dns.qry.name contains tunnel.justruss.htb\" \\\n  -T fields -e dns.qry.name -e frame.time_relative \\\n  | sort -k2 -n \\\n  | awk '{print $1}' \\\n  | sed \"s\/.tunnel.justruss.htb\/\/\" \\\n  | tr -d \"\\n\" \\\n  | xxd -r -p\n\n# Output: HTB{dns_tunn3l_d4t4_3xf1l}<\/pre>\n<h3>Detection perspective<\/h3>\n<p>From a defender's standpoint, all three techniques are straightforward to detect with the right logging:<\/p>\n<ul>\n<li>FTP authentication events in firewall\/proxy logs; any FTP session to a non-approved server is suspicious<\/li>\n<li>HTTP POST to login endpoints without TLS \u2014 enforce HTTPS, log all plain HTTP outbound<\/li>\n<li>DNS: query length threshold alerts (names over 50 characters), high query rate to a single domain, queries containing hex-like subdomains<\/li>\n<\/ul>\n<pre># Zeek dns.log query for tunnelling indicators (longest query names first)\n# single quotes around the awk program so $1 and $2 reach awk intact\ncat dns.log | zeek-cut ts query answers \\\n  | awk -F\"\\t\" 'length($2) &gt; 50 {print $1, length($2), $2}' \\\n  | sort -k2 -rn | head -20<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A pcap analysis challenge where credentials get stolen over an unencrypted 
protocol.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-194","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=194"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/194\/revisions"}],"predecessor-version":[{"id":236,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/194\/revisions\/236"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}