Tag Archives: analysis

Wargames 2017 – Challenge 12 : ezfile sharing

Challenge 12 : ezfile sharing

question for challenge 12

and the hint for this challenge:

hint for challenge 12

one of our teammate was fuzzing around the website and found “.git” folder.
seems related to the hint.
we try to browse the folder/path:

.git folder/path

as a “layman” person (please guys, don’t try this at home. or any other place. wkwkwkwk), I’ve gone too far by downloading all the git folder (recursively):

download all git folder content

lets see what git -help can provide us with info:

git help menu

hmm.. lets see if “git show” can provide any clue…

and.. profit! XD

so the flag is: “wgmy:{AdminGitGudPlease}”

Wargames 2017 – Challenge 9 : unreachable

the question is:
“The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly.”
http://files.wargames.my/2/p100.7z

question for challenge 2

question for challenge 2

and the hint given to us:

hint for challenge 2

hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark, view only ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs; 192.168.1.8 & 192.168.1.10
after digging around, I find out there is some “unique differences” at ping identification number; offset 0010. this involving IP 192.168.1.8.

lets use tshark to see it clearly:

use tshark & grep offset 0010

as noted in the hint above;
“he is tracing backwardly.”

the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~

Shell hiding in image files

One day, we noticed strange GET request towards our JBoss server:

From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute command below:

“-O” : writes the documents to file.
“-” : if is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch image (jpeg file) from 91.230.47.41. Seems normal right?
We fetch the file & take a look at the jpg file:

ASCII?? Not JPEG?? hmm..
Here’s whats inside the “logo.jpg” file:

We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

Not sure it is. Maybe bin file to run a process:
http://91.230.47.41/pics/kworker

Lets see if the file is packed:

Yup. So lets unpacked the file using UPX:

http://91.230.47.41/pics/kworker_na

Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. 🙂

Here the MD5 for file above:

Dionaea simple analysis

Dionaea exploit analysis

We’ll using python bundled with Dionaea:

It will open a python console. Enter the code below line by line:


It will produce test.bin file in /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL is hxxp://188.245.32.210:8147/kcfl

https://sourceforge.net/p/nepenthes/mailman/message/26862416/

Maltrieve on Mac OS X

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including:

  • Malc0de
  • Malware Black List
  • Malware Domain List
  • VX Vault
  • URLqery
  • CleanMX
  • .

    If you want to install maltrieve on your Mac OS X, below is the steps to install it.

    • First, install beautifulsoup4 via pip

    • Install required dependencies via apt-get

    • Download maltrieve from github

    Done. Now you can use the maltrieve on you Mac OS X.