This article provides a step-by-step walkthrough of the “Origins” Sherlock challenge on HackTheBox, a virtual hacking laboratory.
The scenario for this challenge is based on a recent incident at Forela in which approximately 20 GB of data was stolen from the company's internal S3 buckets and the attackers then attempted to extort the company.
The suspected source of the attack was an FTP server, which was also compromised and served as an entry point for the attackers.
The goal of the challenge is to analyze a PCAP file to find evidence of brute force and data exfiltration, with the ultimate objective of identifying the attacker’s IP address.
The walkthrough covers Task 1, which focuses on filtering the capture down to FTP traffic only, and ultimately determines that the IP address “15.206.185.207” belongs to the attacker.
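As an added example that is not part of the original walkthrough, the script below shows how the same triage (isolate FTP, count failed logins per client, note what was downloaded after a successful login) can be scripted once the FTP control channel has been exported from the PCAP. It assumes a tab-separated export such as `tshark -r capture.pcap -Y ftp -T fields -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg -e ftp.response.code`; the sample lines embedded here are constructed, not taken from the challenge capture.

```python
from collections import defaultdict

# Constructed sample export (tab-separated): src, dst, command, argument, response code.
# Not real challenge data; the attacker address is reused from the walkthrough for illustration.
SAMPLE = "\n".join([
    "15.206.185.207\t10.10.1.5\tUSER\tftpuser\t",
    "10.10.1.5\t15.206.185.207\t\t\t331",
    "15.206.185.207\t10.10.1.5\tPASS\tpassword\t",
    "10.10.1.5\t15.206.185.207\t\t\t530",
    "15.206.185.207\t10.10.1.5\tUSER\tftpuser\t",
    "10.10.1.5\t15.206.185.207\t\t\t331",
    "15.206.185.207\t10.10.1.5\tPASS\t123456\t",
    "10.10.1.5\t15.206.185.207\t\t\t530",
    "15.206.185.207\t10.10.1.5\tUSER\tftpuser\t",
    "10.10.1.5\t15.206.185.207\t\t\t331",
    "15.206.185.207\t10.10.1.5\tPASS\tSummer2024\t",
    "10.10.1.5\t15.206.185.207\t\t\t230",
    "15.206.185.207\t10.10.1.5\tRETR\tcustomers.csv\t",
    "10.10.1.5\t15.206.185.207\t\t\t226",
    "192.168.0.12\t10.10.1.5\tUSER\tbackup\t",
    "10.10.1.5\t192.168.0.12\t\t\t331",
    "192.168.0.12\t10.10.1.5\tPASS\tb4ckup!\t",
    "10.10.1.5\t192.168.0.12\t\t\t230",
])

def parse_export(text):
    """Yield (src, dst, command, arg, code) tuples from the assumed tshark-style export."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5:
            yield tuple(fields)

def profile_clients(text):
    """Per client IP: failed logins, successful logins, and files retrieved."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "retrieved": []})
    for src, dst, cmd, arg, code in parse_export(text):
        if code == "530":          # server -> client: login incorrect
            stats[dst]["failed"] += 1
        elif code == "230":        # server -> client: login successful
            stats[dst]["success"] += 1
        elif cmd == "RETR":        # client -> server: file download request
            stats[src]["retrieved"].append(arg)
    return dict(stats)

def brute_force_suspects(text, threshold=2):
    """Return (ip, failed_count) for clients at or above the threshold, worst first."""
    stats = profile_clients(text)
    hits = [(ip, s["failed"]) for ip, s in stats.items() if s["failed"] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)
```

On a real export, raise `threshold` to suit the server's normal failure rate, and treat a client that appears in both the suspect list and the `retrieved` entries as the exfiltration lead worth pivoting on.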