POOF

Target Information

  • IP: 206.189.117.93:30093

Exploitation

First we are presented with the following:

$ telnet 206.189.117.93 30093
Trying 206.189.117.93...
Connected to 206.189.117.93.
Escape character is '^]'.

+-----------+---------------------------------------------------------+
|   Title   |                       Description                       |
+-----------+---------------------------------------------------------+
| Downgrade |          During recent auditing, we noticed that        |
|           |     network authentication is not forced upon remote    |
|           |       connections to our Windows 2012 server. That      |
|           |           led us to investigate our system for          |
|           |  suspicious logins further. Provided the server's event |
|           |       logs, can you find any suspicious successful      |
|           |                          login?                         |
+-----------+---------------------------------------------------------+

Which is the malicious URL that the ransomware was downloaded from? (for example: http://maliciousdomain/example/file.extension)
>

Upon inspecting the packets, near the end of the stream (#6243) I noticed a stray HTTP packet amongst a lot of TCP packets. The request size was massive, and it was to the URL http://files.pypi-install.com/packages/a5/61/caf3af6d893b5cb8eae9a90a3054f370a92130863450e3299d742c7a65329d94/pygaming-dev-13.37.tar.gz. That was the answer to the first question.

What is the name of the malicious process? (for example: malicious)
>

To determine this, I needed to go through the mem.dmp file. I used volatility to do this. It can be installed and set up with the following:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip install -r requirements.txt
python3 vol.py -h

Thankfully the ZIP file came with the matching symbol file (System.map) for the particular kernel version the memory dump was taken from. We can use dwarf2json to convert it into the JSON symbol table that volatility3 can load:

git clone https://github.com/volatilityfoundation/dwarf2json
cd dwarf2json
go build
./dwarf2json linux --system-map ./System.map-4.15.0-184-generic > System.map-4.15.0-184-generic.json
# Then move the JSON file to the volatility3/symbols/linux directory

I used the following command to determine the process name:

python3 vol.py -f /yourPath/mem.dmp linux.pslist.PsList
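Once the pslist output is in hand, the actual triage step is checking each process's lineage: what spawned it, and whether its parent is still around. As an added example (my own code, not from the challenge files or the volatility project), a small parser for volatility3's linux.pslist text, run here on a constructed listing rather than the real mem.dmp, that renders a pstree-style view and lists processes whose parent is missing from the listing. It assumes volatility3's tab-separated columns OFFSET (V), PID, TID, PPID, COMM.

```python
# Constructed sample in the shape of `vol.py -f mem.dmp linux.pslist.PsList`
# output (not from the challenge's mem.dmp). The parser assumes volatility3's
# tab-separated columns: OFFSET (V), PID, TID, PPID, COMM.
SAMPLE = (
    "Volatility 3 Framework 2.4.1\n"
    "Progress:  100.00\t\tStacking attempts finished\n"
    "OFFSET (V)\tPID\tTID\tPPID\tCOMM\n\n"
    "0x9c2f3a1c0000\t1\t1\t0\tsystemd\n"
    "0x9c2f3a1c2800\t1042\t1042\t1\tsshd\n"
    "0x9c2f3a1d1000\t1337\t1337\t1042\tbash\n"
    "0x9c2f3a1d4800\t1402\t1402\t1337\tpip3\n"
    "0x9c2f3a1e0000\t1410\t1410\t1402\tpython3\n"
    "0x9c2f3a1e2800\t1411\t1411\t1410\tsh\n"
    "0x9c2f3a1e5000\t1450\t1450\t1399\thelper\n"  # parent 1399 is absent from the listing
)

def parse_pslist(text):
    """Return {pid: (ppid, comm)} from pslist text; skips banner, header and thread rows."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 5 or not cols[1].isdigit():
            continue  # banner, progress, header or blank line
        pid, tid, ppid = int(cols[1]), int(cols[2]), int(cols[3])
        if tid == pid:  # with --threads, extra rows carry the group's PID and a thread TID
            procs[pid] = (ppid, cols[4].strip())
    return procs

def missing_parents(procs):
    """PIDs whose parent is not in the listing: a dropper that already exited, or a hidden parent."""
    return [pid for pid, (ppid, _) in procs.items() if ppid != 0 and ppid not in procs]

def render_tree(procs, parent=None, depth=0):
    """pstree-style lines; orphans (parent absent) are shown as extra roots."""
    lines = []
    for pid in sorted(procs):
        ppid, comm = procs[pid]
        if ppid == parent or (parent is None and ppid not in procs):
            lines.append("  " * depth + f"{comm} ({pid})")
            lines.extend(render_tree(procs, pid, depth + 1))
    return lines

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE)
    print("\n".join(render_tree(procs)))
    print("parent missing from listing:", missing_parents(procs))
```

Feed it the real output with `python3 vol.py -f mem.dmp linux.pslist.PsList > pslist.txt` and read that file in place of SAMPLE; a shell hanging off pip3/python3, as in the constructed chain, is the kind of lineage worth a second look.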

Tags

  1. hackthebox
  2. forensics