~/portfolio / write-ups / vantage
Hack The Box Network Forensics & Traffic Analysis Very Easy Apr '26

Vantage

Analyzed network packet captures of a compromised OpenStack cloud environment. Traced an FFUF subdomain fuzzing campaign, brute-forced cloud login, API config file theft, Swift object storage enumeration, and exfiltration of a 28-record user data file — ending with attacker persistence via a new cloud account.

Very Easy
Difficulty
100%
Completion
Hack The Box
Platform
TOOLS USED
Wireshark
01

Fuzzing & Subdomain Discovery

Q1. What tool did the attacker use to fuzz the web server?

we open the web server pcap to get a full view of the packets.

Full pcap view of web server traffic

filtering for HTTP gives us the user agent string. Fuzz Faster U Fool, FFUF for short.

HTTP filter showing FFUF user agent string
Answer: Fuzz Faster U Fool v2.1.0
Q2. Which subdomain did the attacker discover?

looking through the logs, the attacker was enumerating active domains for TechVantage. instead of reading every 404, we sort by response length. a sudden influx and a 200 to 302 redirect stands out right away.

Wireshark results sorted by response length showing subdomain redirect
Answer: cloud
02

Login Brute Force & API Config Download

Q3. How many login attempts did the attacker make before successfully logging in?

reviewing the logs, we can see the attacker eventually got redirected to the dashboard. at first glance it looks like 8 attempts but the actual count is 3. the machine acts as a reverse proxy so each attempt shows up twice.

Login attempts in Wireshark with redirect to dashboard
Answer: 3
Q4. When did the attacker download the OpenStack API remote access config file? (UTC)

looking through the logs we spot the attacker accessing the api_access folder.

Wireshark log showing attacker accessing api_access folder

following the TCP stream confirms what was downloaded. UTC and GMT are close enough that we can read the timestamp directly.

TCP stream showing the downloaded API config file
Answer: 2025-07-01 09:40:29 UTC
03

OpenStack API Enumeration

Q5. When did the attacker first interact with the API on the controller node? (UTC)

we filter for the attacker's source IP 117.200.21.26 and look at the controller traffic. the user agent has changed from FFUF to openstacksdk. that config file handed them direct API access.

Wireshark showing attacker IP hitting controller with openstacksdk user agent
Answer: 2025-07-01 09:41:44
Q6. What is the project ID of the default project accessed by the attacker?

we don't know the project name yet so let's search for it in the filter.

Wireshark filter searching for project

that gives us what we need.

Wireshark packet showing project ID value
Answer: 9fb84977ff7c4a0baf0d5dbb57e235c7
Q7. Which OpenStack service provides authentication and authorization?

going back to when we first saw the attacker hit the controller, one of the agents listed was keystoneauth. looking that up confirms it is OpenStack's authentication service.

Answer: keystone
04

Swift Storage & Data Exfiltration

Q8. What is the endpoint URL of the Swift service?

searching for frames containing "swift" hits a dead end.

Wireshark search for swift returning no useful results

after some research, Swift endpoint URLs follow a pattern like http://host:8080/v1/AUTH_projectid. we plug that pattern into the logs and find a match.

Wireshark packet showing the Swift endpoint URL
Answer: hxxp://134.209.71.220:8080/v1/AUTH_9fb84977ff7c4a0baf0d5dbb57e235c7
Q9. How many containers were discovered by the attacker?

looking for packets containing the Swift endpoint, we can count what the attacker enumerated.

Wireshark results showing Swift container enumeration
Answer: 3
Q10. When did the attacker download the sensitive user data file? (UTC)

going back to the HTTP requests, we filter for user-details.csv.

Wireshark HTTP filter for user-details.csv Wireshark packet showing download timestamp for user-details.csv
Answer: 2025-07-01 09:45:23
Q11. How many user records are in the sensitive user data file?

following the HTTP stream gives us the full file contents.

HTTP stream showing full contents of user-details.csv
Answer: 28
05

Persistence via Account Creation

Q12. What is the username of the new user created by the attacker?

looking at the HTTP requests we spot a POST to /identity/v3/users. filtering on that path gives us the new account details.

Wireshark showing POST to identity/v3/users with new account details
Answer: jellibean
Q13. What is the password of the new user?

visible in the same packet from the previous question.

Answer: P@$$word
Q14. What is the MITRE tactic ID of the technique used in Q12?

the attacker created a new account in a cloud environment. that maps to Create Cloud Account in MITRE ATT&CK.

MITRE ATT&CK page for Create Account technique T1136.003 Create Cloud Account technique confirmed
Answer: T1136.003
Key Takeaways
  • sort by response length when analyzing fuzzing traffic. successful responses break the noise pattern and stand out from the 404s
  • when traffic is proxied, login counts can appear doubled in the logs. know the network architecture before taking raw numbers at face value
  • an API config file is basically a full set of keys. once it's downloaded, the attacker can authenticate directly to the controller as a legitimate client
  • if a keyword search hits a dead end, research the expected URL format first and match that against the traffic instead of searching for the name
  • cloud persistence through account creation doesn't touch the OS at all. T1136.003 is worth knowing specifically for cloud IR work

i was unfamiliar with the Swift endpoint and it became a real blocker. searching for "swift" directly got me nowhere and i had to stop and look up how OpenStack structures its URLs before anything made sense. the reverse proxy thing with the login count also caught me off guard. overall a good lab though, especially for cloud exposure since i hadn't really worked with OpenStack before.

← Prev Invite Only Next → ItsyBitsy