Category Archives: technique

Analyzing Phishing Email – Word XML File Analysis

Recently I’ve observed a phishing mail as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file seems to be clean per VT. Interestingly, in the Details section, I found 2 URLs under OpenXML Doc Info.

To search for these URLs, first you’ll need to rename the Word doc file to a compressed zip file, e.g. sample.doc to sample.zip.

Then, extract the zip file. The URLs can be found inside the file document.xml.rels (~/sample_folder/word/_rels/):

It may look simple if you know which file to look at and where to find it.

I’m thinking: what if we could search for all the URLs/hyperlinks in the XML content of the Word document, without actually having to open the files one by one?

To do that, we’ll use the zipdump and re-search (together with reextra) Python script tools by Didier Stevens:

  • zipdump
  • re-search
  • reextra

Download the Python scripts mentioned above into one place. Then, execute the command below:

The command above searches the content of the zip file and applies a regex search to extract the URLs.
As you can see below, these are all the URLs contained in the Word doc:
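The same idea in a single Python script, added here as an example and not part of the original post or of Didier Stevens’ tools: it walks every XML/rels part of the OpenXML zip, matches URLs, unescapes the XML encoding, and drops the schema namespace URLs that every Word file contains so only real indicators remain. The sample document is constructed in memory with example.test addresses.

```python
import io
import re
import zipfile
from html import unescape
from urllib.parse import urlsplit

# URLs inside OpenXML parts are XML-escaped ('&' appears as '&amp;'), so match
# first and unescape afterwards; quotes and angle brackets end the match.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Schema/namespace URLs present in every Word file; they are not indicators.
NOISE_HOSTS = {'schemas.openxmlformats.org', 'schemas.microsoft.com',
               'www.w3.org', 'purl.org'}

def extract_urls(docx):
    """Map each URL found in any .xml/.rels part of an OpenXML zip to the
    parts it occurs in. `docx` is a path or file object; Word is never run."""
    found = {}
    with zipfile.ZipFile(docx) as z:
        for name in z.namelist():
            if not name.endswith(('.xml', '.rels')):
                continue                     # media/OLE blobs: no hyperlinks
            text = z.read(name).decode('utf-8', errors='replace')
            for m in URL_RE.finditer(text):
                url = unescape(m.group(0)).rstrip('.,;)')
                if urlsplit(url).hostname in NOISE_HOSTS:
                    continue
                found.setdefault(url, []).append(name)
    return found

def build_sample():
    """Constructed stand-in for the phishing .docx: a hyperlink relationship
    (the document.xml.rels case) plus a URL typed into the body text."""
    rels = ('<?xml version="1.0"?><Relationships><Relationship Id="rId5" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/hyperlink" TargetMode="External" '
            'Target="http://example.test/login?u=1&amp;v=2"/></Relationships>')
    doc = ('<w:document><w:body><w:p><w:t>See https://example.test/doc.php '
           'for details</w:t></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('word/_rels/document.xml.rels', rels)
        z.writestr('word/document.xml', doc)
    buf.seek(0)
    return buf

if __name__ == '__main__':
    for url, parts in extract_urls(build_sample()).items():
        print(url, '<-', ', '.join(parts))
```

Pass a real path instead of build_sample() to scan a suspicious document; the archive is only read, so the file never needs to be opened in Word.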

Check bulk IP for reverse DNS (rDNS)

Recently I’ve encountered a list of IPs that are related to CoinHive, so I wanted to check the DNS for these IPs. We can do that by using the dig command to perform reverse DNS (rDNS).

Reverse DNS (rDNS) is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses.

I found this script at this site:

Just save the code above on your Linux/*nix machine, and run the command below:

The result should be like this:
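A Python version of the bulk rDNS check, added here as an example (it is not the script the post refers to): it cleans a pasted IP list, builds the same PTR owner names that dig -x queries, and resolves the addresses in parallel through the system resolver. The IP list is constructed from documentation ranges.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

def parse_ip_list(text):
    """Clean a pasted IP list: skip blanks and '#' comments, drop anything
    that is not a valid IPv4/IPv6 address, and de-duplicate keeping order."""
    seen, ips = set(), []
    for line in text.splitlines():
        token = line.split('#', 1)[0].strip()
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue                      # junk line, not sent to the resolver
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips

def reverse_name(ip):
    """PTR owner name as dig -x builds it (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def lookup_ptr(ip):
    """One rDNS query via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                       # herror/gaierror are OSError subclasses
        return None

def bulk_rdns(ips, workers=16):
    """Resolve many IPs in parallel; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(zip(ips, pool.map(lookup_ptr, ips)))

SAMPLE = """# constructed list: documentation ranges, a duplicate and a junk line
192.0.2.10
198.51.100.7   # seen twice
198.51.100.7
2001:db8::1
not-an-ip
"""

if __name__ == '__main__':
    for ip, ptr in bulk_rdns(parse_ip_list(SAMPLE)):
        print(f'{ip:40} {ptr or "no PTR record"}')
```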

Import & export installed Cygwin packages

Recently I’ve changed my workstation to a new one. Previously I had installed a bunch of Cygwin packages on my old workstation.

So I thought: can I somehow migrate my installed Cygwin packages from my old workstation to the new workstation?

The answer is yes. Follow me along on this wonderful journey XD

First you’ll need to save a list of what you have installed in Cygwin on the old workstation.
To do this, open the Cygwin terminal/console and run the command below:

It basically dumps a list of the installed Cygwin packages on your workstation and saves it to a comma-separated text file.

Next, go to your Cygwin home folder (commonly located at “C:\cygwin64\home\“), open the “cygwin_packages.txt” file that we saved before and copy all the content inside the text file.

Next, on your new workstation, ensure you have downloaded the latest Cygwin installer “setup-x86.exe” (32-bit) or “setup-x86_64.exe” (64-bit).

Then, open Windows cmd and change your directory to where you saved the Cygwin installer. E.g. in my case, I saved it in my Downloads folder “C:\Users\Zam\Downloads>”.

Then, run the command below in your Windows cmd, replacing/inserting the content of cygwin_packages.txt inside the double quotes as below:

You should see the Cygwin GUI open and a UAC permission pop-up:

Click “Yes”, go through the “Next” buttons and wait until the installation has finished.

Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF related to an attack towards our environment.
Further review of the alert found that the attacker is using the Oracle WebLogic RCE Deserialization Vulnerability (CVE-2018-2628).

We observed that the attacker included some sort of PowerShell command in their request:

It seems the PowerShell command is using Base64 encoding for obfuscation.
I used https://gchq.github.io/CyberChef/ to decode the Base64:

It seems it tried to fetch the DL.php file at http://111.230.229.226/images/test/DL.php.
Let’s try to grab that file:

Hmm.. Error 404..? Is it a real error?
Or are we missing something here?

Let’s analyze the command carefully:

We can see the attacker is assigning/using a specific User-Agent when fetching the file.
That’s why when we try to wget/curl the file directly, it fails.

So what we have to do is set exactly the same User-Agent when fetching the file.
In this case, I’m using curl to fetch the file:

Now see? Previously, if we fetched the file without the User-Agent, it failed with error 404.
Again, we see another set of Base64 encoding here.

But what is it?
I’m not an expert to explain this, but TL;DR, it converts the Base64 encoded string to a memory stream and executes it. I guess ¯\_(ツ)_/¯

So, to see what happens if this command executes, we can use the Python script below to decode it.
With this script, we can basically see what those Base64 strings are doing.

Take the Base64 from above and paste it into the encoded parameter as in the example below:

Save the script and run the Python script with the command below:

This will save all the output from your CMD to a text file for easier reading.
P/S: You can rename output_DL_php.txt to any filename you want.

Let’s see what’s inside the text file:

As you can see, the command is doing a bunch of stuff that I’m lazy to explain 😉
Hope you enjoy reading this.
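As an added example (not the decrypt.py the post uses, and not the attacker’s command), this Python script peels the two layers described above without executing anything: the outer -EncodedCommand layer, which is Base64 of UTF-16LE text, and the inner “memory stream” layer, which is Base64 of compressed bytes. The post does not say which compression was used, so the script tries gzip and raw DEFLATE and falls back to the raw bytes; the sample command is constructed, with a harmless Write-Output as the innermost layer.

```python
import base64
import gzip
import re
import zlib

# A Base64 run long enough to be a payload rather than an ordinary token.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

def looks_utf16le(raw):
    """-EncodedCommand text is UTF-16LE: for ASCII, every odd byte is NUL."""
    odd = raw[1::2]
    return len(odd) >= 4 and odd.count(0) > 0.6 * len(odd)

def decompress_any(raw):
    """The 'memory stream' layer runs decoded bytes through a decompression
    stream; the post does not show which, so try gzip, then raw DEFLATE
    (DeflateStream), and otherwise return the bytes untouched."""
    if raw[:2] == b'\x1f\x8b':
        return gzip.decompress(raw)
    try:
        return zlib.decompress(raw, -zlib.MAX_WBITS)
    except zlib.error:
        return raw

def decode_layer(raw):
    if looks_utf16le(raw):
        return raw.decode('utf-16-le', errors='replace')
    return decompress_any(raw).decode('utf-8', errors='replace')

def peel_layers(text, max_depth=5):
    """Find Base64 blobs in `text`, decode them, repeat on the result. Returns
    every layer outermost-first so each stage can be read, not executed."""
    layers = [text]
    for _ in range(max_depth):
        inner = []
        for blob in B64_RE.findall(layers[-1]):
            try:
                inner.append(decode_layer(base64.b64decode(blob)))
            except ValueError:
                continue                 # not really Base64 after all
        if not inner:
            break
        layers.append('\n'.join(inner))
    return layers

def build_sample():
    """Constructed two-layer sample shaped like the post's command: an
    -EncodedCommand wrapper whose script holds a gzip+Base64 blob."""
    innermost = b"Write-Output 'constructed innermost layer'"
    gz_b64 = base64.b64encode(gzip.compress(innermost)).decode()
    script = f"$data = [Convert]::FromBase64String('{gz_b64}')  # stand-in"
    enc = base64.b64encode(script.encode('utf-16-le')).decode()
    return f'powershell -enc {enc}'
```

Run peel_layers() on the captured command string and write the returned list to a text file, which gives the same kind of layer-by-layer dump the post saves to output_DL_php.txt.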

IOCs:

References:
https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Wargames 2017 – Challenge 12 : ezfile sharing

Challenge 12 : ezfile sharing

question for challenge 12

and the hint for this challenge:

hint for challenge 12

one of our teammates was fuzzing around the website and found a “.git” folder.
seems related to the hint.
we try to browse the folder/path:

.git folder/path

as a “layman” person (please guys, don’t try this at home. or any other place. wkwkwkwk), I’ve gone too far by downloading the whole git folder (recursively):

download all git folder content

let’s see what info git -help can provide us with:

git help menu

hmm.. let’s see if “git show” can provide any clue…

and.. profit! XD

so the flag is: “wgmy:{AdminGitGudPlease}”

Wargames 2017 – Challenge 9 : unreachable

the question is:

question for challenge 2

and the hint given to us:

hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark and view only the ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs: 192.168.1.8 & 192.168.1.10
after digging around, I found out there are some “unique differences” in the ping identification number at offset 0010. this involves IP 192.168.1.8.

let’s use tshark to see it clearly:

use tshark & grep offset 0010

as noted in the hint above:
“he is tracing backwardly.”

the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~
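To show the technique behind the writeup in code, here is an added Python example (not part of the challenge or the writeup): a minimal Ethernet/IPv4/ICMP parser that pulls the 16-bit identification field from each echo request sent by 192.168.1.8 and reads the collected bytes backwards. It assumes the hidden data sits in the IPv4 Identification field (the “offset 0010” row in tshark’s hex view) with one character per packet; the capture is constructed inline rather than read from the challenge pcap.

```python
import socket
import struct

ETH_IPV4 = 0x0800

def make_echo(src, dst, ip_id, icmp_type=8, seq=0):
    """Constructed Ethernet+IPv4+ICMP echo frame. Checksums are left as zero
    because the parser below never validates them."""
    icmp = struct.pack('!BBHHH', icmp_type, 0, 0, 0x1234, seq) + b'constructed'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), ip_id, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b'\xaa' * 6 + b'\xbb' * 6 + struct.pack('!H', ETH_IPV4) + ip + icmp

def parse_frame(frame):
    """Fields behind the 'offset 0010' row of a hex dump (IP identification)
    plus the ICMP type/identifier; None for anything that is not ICMP."""
    if struct.unpack('!H', frame[12:14])[0] != ETH_IPV4:
        return None
    fields = struct.unpack('!BBHHHBBH4s4s', frame[14:34])
    if fields[6] != 1:                                   # protocol 1 = ICMP
        return None
    off = 14 + (fields[0] & 0x0f) * 4                    # skip IP options
    itype, _, _, icmp_id, seq = struct.unpack('!BBHHH', frame[off:off + 8])
    return {'src': socket.inet_ntoa(fields[8]), 'dst': socket.inet_ntoa(fields[9]),
            'ip_id': fields[3], 'icmp_type': itype, 'icmp_id': icmp_id, 'seq': seq}

def recover(frames, src, field='ip_id'):
    """Collect the 16-bit `field` of each echo request sent by `src` as text,
    then read it backwards ("he is tracing backwardly")."""
    chars = []
    for info in map(parse_frame, frames):
        if info and info['src'] == src and info['icmp_type'] == 8:
            chars.append(struct.pack('!H', info[field]).decode('latin-1').strip('\x00'))
    return ''.join(chars)[::-1]

def build_sample():
    """Constructed capture: one character of the reversed flag per echo request
    from 192.168.1.8, each followed by an ordinary reply from 192.168.1.10."""
    frames = []
    for i, ch in enumerate(reversed('flag_is_p!ngp0ng~')):
        frames.append(make_echo('192.168.1.8', '192.168.1.10', ord(ch), seq=i))
        frames.append(make_echo('192.168.1.10', '192.168.1.8', 0x4000 + i, icmp_type=0, seq=i))
    return frames
```

Passing field='icmp_id' instead checks the ICMP echo identifier, the other field a “ping identification number” could refer to.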

Configuring proxy for APT in Ubuntu

Recently, I had a problem where, when I tried to update Ubuntu packages via apt-get, it showed an HTTP 401 proxy-related error.
Just a note: I’m running the VM on my office network, which has proxy servers.

From this site;

References :
http://askubuntu.com/questions/257290/configure-proxy-for-apt
http://askubuntu.com/questions/543616/why-does-add-apt-repository-now-fail-to-retrieve-keys-behind-my-proxy-server-bu

Configure Cisco switch from Mac OS X through console port

Recently, I was searching for a rollover cable, which is used to connect your PC/laptop to your switch via the console port. It took me a while to search for this kind of cable in Low Yat Plaza, KL. There, you can find a variety of electronics, from PC hardware to server equipment.

But it was hard for me to find this cable. After several visits to Low Yat, I managed to find the cable together with a DB9 to USB converter. As you know, the rollover cable is a serial to Ethernet cable. So, this post will guide you on how to install the driver and connect your rollover cable to your switch from Mac OS X.

So, for the first step, you should have a rollover cable that looks like this:

Rollover to DB9/serial cable

And the DB9 to USB 2.0 converter. The one that I’m using is like this:
http://www.vztec.com.my/?sec=product&type=connect&sub=5&id=13776589936053

For my Mac OS X version, I’m using Mac OS X Yosemite 10.10.5 on a MacBook Pro (13-inch, Early 2011). You’ll need the driver for the cable, which you can download here:
http://www.prolific.com.tw/UserFiles/files/PL2303_MacOSX_1_6_1_20160309.zip

After you’ve finished downloading and extracting the driver, just click on the .pkg file and proceed to install the driver. Reminder: make sure you restart your machine after installing the driver in order for it to take effect:

DB9 to USB Converter driver

Then, connect/plug the rollover cable into the DB9 to USB converter. Then connect the converter’s USB to your Mac. After everything has been connected, click on the Apple logo in the top left menu bar, click About This Mac, and on the Overview tab, click System Report. Ensure that your DB9 converter is connected:

Mac OS X System Info

After the restart, you can verify that the driver has been successfully installed and loaded into the system by using this command:

or

Now finally, you need an application which will talk to the serial port. We’ll use the Terminal app on Mac OS X. On Mac, the file which maps to the port is /dev/cu.usbserial. Once all the cables have been connected, run this command to start connecting to your switch:

Flatten a Nested Directory & File Hierarchy from Command Line of OS X

Let’s say you have this kind of file/folder structure:

You can take all the *.jpg files, or any file type, and move them into one folder.
Here is the command to use:
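An added Python version of the same operation (not the command from the post): it moves every file matching a glob pattern from a nested tree into one folder and, unlike a plain find/mv one-liner, resolves same-name files by prefixing their relative parent path instead of silently overwriting one with the other. demo() builds a constructed sample tree in a temporary directory and flattens it.

```python
import shutil
import tempfile
from pathlib import Path

def flatten(root, dest, pattern='*.jpg'):
    """Move every file under `root` matching `pattern` into `dest`. A name
    clash is resolved by prefixing the file's relative parent path
    (b/photo.jpg -> b_photo.jpg) instead of silently overwriting."""
    root, dest = Path(root).resolve(), Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    moves = []
    for src in sorted(p for p in root.rglob(pattern) if p.is_file()):
        if dest in src.resolve().parents:
            continue                               # already flattened
        target = dest / src.name
        if target.exists():
            prefix = '_'.join(src.relative_to(root).parent.parts) or 'root'
            target = dest / f'{prefix}_{src.name}'
        n = 1
        while target.exists():                     # still clashing: number it
            target = dest / f'{n}_{src.name}'
            n += 1
        shutil.move(str(src), str(target))
        moves.append((src, target))
    return moves

def demo():
    """Constructed tree: photos/a/photo.jpg, photos/b/photo.jpg,
    photos/b/deep/other.jpg and photos/b/notes.txt (which must stay put)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / 'photos'
        for rel in ('a/photo.jpg', 'b/photo.jpg', 'b/deep/other.jpg', 'b/notes.txt'):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(rel)
        flatten(root, Path(tmp) / 'flat')
        return (sorted(p.name for p in (Path(tmp) / 'flat').iterdir()),
                (root / 'b' / 'notes.txt').exists())
```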