HTB Lame

Recently I have been spending a lot of time in training and decided to give PMA a break for a few weeks, but I wanted to get some hands-on time on the computer. I went back through some of the boxes I have exploited in the past and tried to do them again. I decided to work on Lame this week; it was a fun box that was a little frustrating, as it had a rabbit hole or two.

The first step was to scan and enumerate the system. I used nmap to scan the box and get the open ports and versions.

This box was running FTP using vsftpd 2.3.4, so I made a note of that to research vulnerabilities in that version. Anonymous login is also allowed; that should not be allowed and is a misconfiguration. Since there is no web server on this host, I don’t think I will go the route of trying to upload a PHP shell. I tested the anonymous login and it was successful.

Next, I also notice that the SMB ports are active on this machine, which is worth noting as I could possibly use them to attack the machine. I also notice that on port 3632 a service called distccd is open, so that is another avenue of attack. distccd is a distributed computing compiler that is written in the C++ language.
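The enumeration above boils down to reading service versions out of the scan and deciding which ones deserve follow-up. As an added example (not code from the original post), the script below parses a constructed nmap greppable (-oG) line carrying the services noted above and flags the ones an auditor would want reviewed or patched. The host address 192.0.2.5 and the OpenSSH version placeholder are constructed, and the watchlist notes are my own wording.

```python
import re

# Constructed nmap -oG (greppable) output line; it is not a scan from the post.
# The services and versions mirror the ones noted above; the address is a
# documentation placeholder from RFC 5737 and the SSH version is a stand-in.
SAMPLE_GNMAP = (
    "Host: 192.0.2.5 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH X.Y/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/, "
    "3632/open/tcp//distccd//distccd v1/\tIgnored State: closed (995)"
)

# Version strings that warrant follow-up: the end-of-life versions found on
# this box, plus an exposed compile daemon. Each value is the note to report.
WATCHLIST = {
    "vsftpd 2.3.4": "vsftpd 2.3.4 is end-of-life; verify it is patched or removed",
    "Samba smbd 3.0.20": "Samba 3.0.20 is end-of-life (username map script issue)",
    "distccd": "distccd reachable over the network; restrict or disable it",
}


def parse_gnmap(line):
    """Parse one -oG 'Host:' line into (host, [port records]).

    Each entry in the Ports field is port/state/proto/owner/service/rpcinfo/version.
    """
    host = re.match(r"Host:\s+(\S+)", line).group(1)
    ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
    records = []
    for item in ports_field.split(", "):
        fields = (item.rstrip("/").split("/") + [""] * 7)[:7]
        port, state, proto, _owner, service, _rpc, version = fields
        records.append({"port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version})
    return host, records


def flag_services(records):
    """Return {port: note} for every open service matching the watchlist."""
    flagged = {}
    for rec in records:
        if rec["state"] != "open":
            continue
        for needle, note in WATCHLIST.items():
            if needle in rec["version"] or needle == rec["service"]:
                flagged[rec["port"]] = note
    return flagged


if __name__ == "__main__":
    host, records = parse_gnmap(SAMPLE_GNMAP)
    for port, note in sorted(flag_services(records).items()):
        print(f"{host}:{port}/tcp  {note}")
```

Run against a real -oG file you would loop over every line starting with "Host:" and feed each to parse_gnmap; the watchlist is the place to keep the versions your environment has already decided are unacceptable.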

Through research I was able to find a remote code execution vulnerability for distccd. There was a Metasploit module for it and I tried that, but the module did not work.

Next I tried to exploit the machine using smbclient, which became just another rabbit hole, as I was not able to access the tmp file.

This left me to continue picking at the SMB protocol a little more. Going back to Google, I searched for vulnerabilities in the Samba version reported, Samba smbd 3.0.20-Debian. Again I was able to find a vulnerability and a Metasploit module that exploits the machine through the username map script option. The username map script can execute arbitrary commands when a username containing shell metacharacters is supplied.

This gave me a shell with root access. 

From here I found the user flag by going to /home/makis.

Then, by going to the root directory, I was able to find the root flag.

Practical Malware Analysis Lab03-01.exe

Introduction

Chapter 3 of Practical Malware Analysis covers basic dynamic analysis. Dynamic analysis should be performed after static analysis, so that you have an idea of what you are dealing with before running anything in the malware lab. Dynamic analysis involves running the malware in a protected environment, and it is important to make sure that environment does not have access to your home network. I will be using various tools to monitor the malware and determine what it does while it is running on the computer.

Preparing the Environment

There are numerous blogs online about setting up your environment. I did a lot of research and picked the one I thought was best for my setup. There seem to be differing opinions on this matter, and my setup may change over time.

First, I have two FlareVM instances running in my lab. FlareVM is a VM tool created by FireEye for malware analysis and reverse engineering on Microsoft Windows. One is a Windows 7 box, the other Windows 10. I learned the hard way, as I will explain later, that the PMA labs for Chapter 3 do not run in Windows 10. Keeping older systems around is good practice anyway, since a lot of malware is built for vulnerable, out-of-date systems and will not run on updated ones. Once these servers were set up, I took a baseline snapshot of each so that I can revert the operating system to baseline after each analysis.

Second, I created a virtual machine running INetSim. The INetSim server acts as a web server, DNS server, and gateway: it takes all the network calls from my victim machine and returns images, HTML pages, or other content, so that the malware receives an HTTP 200 OK status and does not realize it is in a sandboxed environment without network access.

Lastly, in preparing the environment I created a new virtual network, ensuring that it did not have access to the outside world. I want to ensure that the malware cannot scan beyond my virtual lab and find devices that could be vulnerable. This is a protection mechanism that should be taken seriously when analyzing malware. I found a lot of differing opinions on how to set up the environment; as a noob, and currently without the amount of equipment I would like, I thought this was the best configuration for me.

Analyzing Malware Lab03-01.exe

Static Analysis

The first step in dynamic analysis is to run static analysis on the file. I began by uploading the file to VirusTotal, where 67 of the 71 detection engines flagged it. This is initially a good sign that we are working with malware. By uploading the sample to VirusTotal I know that it has already been analyzed and detected; if my antivirus tool did not find it, that indicates either that the AV tool needs updated signatures or that the malware was able to kill my AV tool.

Next I run strings against the malware to pick up any network-based or host-based indicators.

In the file I was able to find a couple of host-based and network-based indicators. The malware uses kernel32.dll, and installs itself into the Run registry key for persistence. I also see that it will call out to the Internet, to practicalmalwareanalysis.com. A few things I want to keep note of: it looks like it is downloading a file, vmx32to64.exe, from the site, and it may be using the video driver for exploitation.

Next, I used a tool called PEiD to determine if the malware was packed. Upon inspection, it is clear that the malware is packed with PEncrypt 3.1.

Next I used PEView to get the timestamp of the malware, which was Sunday, January 6, 2008, at 14:51:31 UTC.

I also ran the file through Dependency Walker to determine what DLLs the malware depends on. The only relevant thing that shows up in Dependency Walker is Kernel32.DLL.

So far from static analysis I know I have a couple of indicators, network-based and host-based, and that I am working with known malware. This is very helpful before beginning dynamic analysis, because now I have a few indicators to look for and am ready to move on.

Dynamic Analysis

Before I run the malware, the book suggests running it through an automated tool. The tool the book suggests is no longer active, but I was able to find a Cuckoo Sandbox instance on the web, so I uploaded the sample there and was able to gather more information for my investigation.

This provided more insight into the malware I was investigating. I now know the family it belongs to: it is a Remote Access Trojan called PoisonIvy. Furthering my investigation, I found an F-Secure article at https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml that gave me more information on the PoisonIvy RAT. The backdoor should copy itself into the Windows folder or the windows\System32 folder. I also learned that a registry entry is created to run the malware every time the computer boots. This confirms my suspicions from the initial static analysis.

Furthering my investigation, I found a page on MITRE ATT&CK that gives more information: https://attack.mitre.org/software/S0012/. The RAT has command-line access, creates new system processes, has a keylogger, and can transfer data. It is also used by many threat actors, many of which are associated with China.

I attempted to run the malware in my Windows 10 virtual machine, but it would not work; it looked like the process was killed every time I ran it. So I set up a Windows 7 virtual machine to run the malware in, and the process died there as well. As you can imagine, I was kicking myself because I knew I should have used a Windows XP VM all along.

This process has a lot of moving parts. First I configured ApateDNS, a tool by FireEye that sets the DNS reply IP; I set that to my INetSim box. I start Process Explorer, a tool from the Sysinternals suite created by Mark Russinovich, which lets me view processes as they run. I also run Procmon, another Sysinternals tool. Before using Procmon I want to make sure I filter down to only what I want; otherwise the tool will capture every running process and possibly crash my virtual machine. The other reason to filter is that it makes it much easier to find the process I am looking at. I also run Regshot, which will show me the registry changes made while the malware is running. Below is a screenshot of everything running.

The first thing I notice is that the malware creates a new file called vmx32to64.exe, then a key is created in the registry to run this file at startup and to set the value VideoDriver. Earlier, during static analysis, I thought it would exploit a video driver; instead it is writing itself to a video driver directory to look like it belongs.

I confirm that the malware sample and the vmx32to64.exe file are the same by hashing both files. The hash values of the Lab03-01.exe binary and the vmx32to64.exe binary match, so they are the same binary.

Viewing Process Explorer, I notice that the process creates a mutex. This ensures that the malware does not attempt to install itself again if someone clicks the executable a second time. The malware is attempting to prevent itself from being discovered.

ApateDNS also shows a bunch of indicators of compromise. During the initial static analysis, practicalmalwareanalysis.com showed up as a network beacon; ApateDNS was able to capture the domain request when that occurred.

Lastly, using the compare button in Regshot I was able to see the registry values that changed when the binary was executed.
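The Regshot compare step is a diff of two registry snapshots, and the interesting part is not the diff itself but knowing which changed keys matter. As an added example (not code from the post or from Regshot), the script below diffs two constructed snapshots and surfaces only the changes under autostart locations, which is how a persistence entry like the VideoDriver value stands out from ordinary registry churn. The key paths, values and the ExampleApp keys are constructed for the example, not taken from the lab.

```python
# Constructed "before" and "after" registry snapshots standing in for two
# Regshot captures. Key paths and values are illustrative, not from the lab.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

BEFORE = {
    RUN_KEY + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"HKLM\SOFTWARE\Classes\.txt\(Default)": "txtfile",
    r"HKCU\Software\ExampleApp\LastRun": "2020-01-01",
    r"HKCU\Software\ExampleApp\TempFlag": "1",
}

AFTER = dict(BEFORE)
AFTER[RUN_KEY + r"\VideoDriver"] = r"C:\WINDOWS\system32\vmx32to64.exe"  # persistence entry
AFTER[r"HKCU\Software\ExampleApp\LastRun"] = "2020-01-02"               # ordinary noise
del AFTER[r"HKCU\Software\ExampleApp\TempFlag"]                         # ordinary noise

# Registry locations commonly used for persistence. A new value under any of
# these is the change an analyst wants surfaced first; everything else is
# noise until proven otherwise.
AUTOSTART_MARKERS = (
    "\\CurrentVersion\\Run\\",
    "\\CurrentVersion\\RunOnce\\",
    "\\CurrentControlSet\\Services\\",
    "\\CurrentVersion\\Winlogon\\",
)


def diff_snapshots(before, after):
    """Regshot-style compare: values added, removed and changed between snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


def is_autostart(key):
    """True when the key path sits under one of the autostart locations."""
    lowered = key.lower()
    return any(marker.lower() in lowered for marker in AUTOSTART_MARKERS)


def persistence_changes(diff):
    """Filter a diff down to added or changed values under an autostart location."""
    hits = {}
    for key, value in diff["added"].items():
        if is_autostart(key):
            hits[key] = value
    for key, (_old, new) in diff["changed"].items():
        if is_autostart(key):
            hits[key] = new
    return hits


if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    for section, entries in diff.items():
        print(f"{section}: {len(entries)} value(s)")
    for key, value in persistence_changes(diff).items():
        print("PERSISTENCE:", key, "=", value)
```

The full diff is still worth reading (a removed key can be the malware cleaning up after itself), but triaging the autostart hits first is what turns a long Regshot report into a short list of host-based indicators.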

Upon completion of the dynamic analysis I am seeing some other IoCs from viewing the strings: the vmx32to64.exe file was present in the strings output, as well as the VideoDriver information.

Questions

Q1: What are the malware’s imports and strings?

The malware was packed, which made static analysis difficult. The only import that showed up during static analysis was Kernel32.dll. The strings did show that the binary vmx32to64.exe would show up in the run folder in the kernel, and that a video driver registry entry would be created. While it was not apparent during static analysis, the mutex WinVMX32 was also created.

Q2: What are the malware’s host-based indicators?

The malware’s host-based indicators were the presence of the mutex, the registry key entries, and the fact that the malware copied itself into the System32 folder.

Q3: Are there any useful network-based signatures for this malware? If so, what are they? 

ApateDNS was able to capture the practicalmalwareanalysis.com beacon from the malware.

Obligatory 2020 Year in Review

As I write this post there are 2 days 10 hours and 43 minutes left in 2020, a year that I think we could all agree has been a year like any other. I can’t help but think of how much has happened since the beginning of the year, and how much we all probably hoped to accomplish at the beginning of the year, that was not possible after 3 months into the year. I spent some time the other day reviewing my 2020 goals and noticed that there were a lot of goals I had, that I was, unfortunately, unable to accomplish.

For many people, I know 2020 has not had many ups and has probably had more downs. It has been a very difficult year, I must say. I saw a lot of huge changes in my life that I did not expect, and things did not go ideally. However, I often try to reflect on the positives; it has always been a good trait of mine. I always tell my wife that I tend to forget all the negative things that have happened and only remember the good things. For example, we hated our old house; while we lived there I know I complained a lot about certain things, but since moving I have forgotten what most of those things were, and I tell my wife and daughter how much I loved that house.

For me, 2020 saw a lot of great things.

  1. I have always wanted to work from home; it has always been a career goal of mine to get a job that allowed that, and this year I worked all but 3 months from home. While working from home I got a lot more accomplished professionally and personally. I also got to enjoy daily walks with my wife at lunch, which is something I don’t want to give up yet.
  2. My wife and I welcomed another beautiful little girl into our lives. Our second daughter was born in the middle of a pandemic, as healthy as she could be.
  3. I have always wanted to slow things down, and the pandemic did that for me. I got to spend more time at home with my girls, and we started new family traditions like S’mores Sunday and French toast for breakfast on Sundays before church. Being home every weekend provided this opportunity.
  4. I lost 35 pounds this year. I set a goal of 20 at the beginning of the year and crushed it. Since moving to Maryland it has been difficult to keep it up, but I am working toward it.
  5. I started a new job doing something I am passionate about. It was something I didn’t expect during the pandemic.
  6. I passed two professional certifications: the Certified Ethical Hacker and the CompTIA Security+. These were huge accomplishments for me this year. **Pro tip: wear contacts at the testing facility; wearing a mask with glasses gets old after an hour.**

There are others, but these were my main highlights. This year saw some downs: I had to move from the city I have loved and lived in for over 17 years, I moved in with my in-laws, and generally, isolation has been somewhat harder than I thought it would be, especially moving to a new area where you know very few people. But again, I try focusing on the positive. 2020 has taught me some great things though, and I wanted to share 6 things I learned this year with anyone who reads my blog.

  1. I need a schedule, and structure. I think most people have had to figure out how to do things differently this year, and the built-in structure was destroyed for most of us. I struggled a lot with this and found myself having to build in structure and marking everything on a calendar this year. I learned some new ways to combat that.
  2. I’m not an expert at everything and that is okay. In February I went to Shmoocon and Bruce Potter gave his yearly “Potter Challenge” which was essentially to stop trying to be a GOAT at everything and work to be better at what you are currently doing. That is something that I struggle with a lot, but I followed that advice and wrote more code, I think I got better at writing code this year. I did more research on things I didn’t understand, but also asked more questions, even if I thought they were dumb.
  3. I need to ask more questions. Often I don’t ask questions or ask for help because I think everyone assumes I have to know the answer, and if I don’t know the answer then they will surely think I am dumb. Working remotely and starting a new job taught me, that I don’t know nearly as much as I think I do, and instead of working twice as hard to try figuring out something, maybe I should just ask questions, no matter how dumb I think they are, or say I don’t know. If someone thinks I am stupid for not knowing it then, that is fine. Because now I have a starting point to learn something new.
  4. Sleep is great and helps with everything. This year my dietician put me on a sleep schedule. Every day I have to cut off all electronics at 9:30 pm, except for my Kindle. Then I must begin my wind-down ritual. On occasion, I have stayed up to play a game with family, or to finish watching a sporting event, but for the most part, I consistently go to bed on time and get 8 hours of sleep. This has helped my focus, my mood, and helped me in so many other ways. I suggest you all try doing the same.
  5. My family needs me for more than just an income. Bruce Potter also challenged us to focus on our personal lives as well, he says that businesses essentially need to get out of the mindset that we must constantly “hustle” and work on training in our free time or we aren’t truly “dedicated”. We need to have hobbies outside of work, and we need to spend more time with our families. Well we got that this year by proxy, but I have set up a cut-off time for work, and I dedicate time with my family every night. Sometimes I may play Barbies for an hour, or just sit in front of the TV watching another episode of Paw Patrol, but it is the time I will never get back. I may not be the best Incident Responder this time next year, or the most knowledgeable, but hopefully, my wife and daughters will say I am the best husband and daddy ever.
  6. Lastly, the thing I think most of us learned the most was that our relationships mean a lot more to us than we usually want to admit. Moving away from all of my friends, and not seeing anyone, has been a lot more difficult than I ever thought it would be. Even as a self-proclaimed introvert, I had a hard time not having friends nearby after about 6 months of isolation. I don’t think I am alone in that.

I’m looking forward to a new year. I am very excited to see what I will learn, to start working on new goals, and to build new routines. Maybe I will be less lazy and write more blog posts in 2021.

MetaCTF Walkthrough 0

Recently MetaCTF held their CyberGames 2020 competition online. This was a great event, and I really enjoyed participating this year. Below is my walkthrough of some of the challenges I was able to complete in this year’s competition. I hope to complete more challenges over the next few weeks and have more writeups.

Crypto Stands for Cryptography

This challenge was pretty simple: given the string TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ== we were to crack it. On first inspection this is an obvious base64 string, so I threw it into bash and decoded it.

Forensics 101

The next challenge asks for the ASCII representation of a RAR file header. This is useful for forensics because sometimes we have to use strings to do static analysis on a file, and you can get an idea of the file type from the ASCII representation of its header. For instance, a zip file shows up as PK at the start of the header. This lets us know what type of file we are working with before doing further analysis. For a RAR file the ASCII representation is “Rar!….” so the flag would be

MetaCTF{Rar!....}
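The trick behind this challenge is that a file's leading bytes identify its format regardless of its extension, and only the printable part of those bytes shows up in strings output. As an added example (not code from the post), the script below identifies a handful of formats from constructed sample headers and renders each header the way the strings output above shows it, dots for non-printable bytes included. The signatures are the standard published magic numbers; the sample headers and file names are constructed for the example.

```python
# Leading-byte signatures (magic numbers) for a few common formats. The list
# is illustrative, not exhaustive; longer signatures are checked first so that
# the two RAR variants are told apart.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)"),
    (b"Rar!\x1a\x07\x00", "RAR archive (v1.5-4.x)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/JAR/APK)"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/Windows PE executable"),
    (b"\x1f\x8b", "gzip stream"),
]


def identify(data):
    """Return the format name whose magic bytes prefix `data`, or 'unknown'."""
    for magic, name in sorted(SIGNATURES, key=lambda sig: -len(sig[0])):
        if data.startswith(magic):
            return name
    return "unknown"


def printable_header(data, length=8):
    """Show the first `length` bytes the way a strings/hex-dump side panel does:
    printable ASCII is kept, every other byte becomes a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


# Constructed sample headers; these are not real files, only their first bytes.
SAMPLES = {
    "archive.rar": b"Rar!\x1a\x07\x00\xcf\x90\x73\x00\x00",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "tool.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"just some text\n",
}


def triage(samples):
    """Map each file name to (format, printable header) for quick review."""
    return {name: (identify(data), printable_header(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, header) in triage(SAMPLES).items():
        print(f"{name:12s} {header!r:14s} {kind}")
```

On a real file you would read the first 16 bytes or so with open(path, "rb") and pass them to identify; the printable_header output for the RAR sample is exactly the “Rar!....” the challenge was after.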

High Security Fan Page

The next challenge gives a fan page website; from here you are supposed to find the password by reviewing the source code of the site. The first thing I did was visit the website via the link provided and inspect it. From here I see that the page calls a JavaScript function, authenticate().

Now that I know the site runs the authenticate function, I look for the JavaScript file that defines it. In Firefox I navigate to the debugger, which lists the JavaScript files, and I am then able to find the flag.

Baffling Buffer 0

This challenge gives a binary file and its source code. The first thing I do is wget the files into my directory for the challenge, then take a look at them. The source code is written in C, which immediately makes me think I am working with a buffer overflow. I also like to test the binary by feeding it a random string, to make sure it is not a simple challenge that returns the code no matter what the input is. So I give the binary executable permissions and run it with the string test, which gives me an error that access code checking has not been set up, coming from a TODO comment in the code.

The next step is to review the source code and determine if I can find any bugs. I know I am likely looking for a buffer overflow vulnerability.

By reviewing the source code I can see that the main function calls a vuln() function. The vuln() function declares a variable buf of 48 characters, meaning buf can only store 48 characters. So if I give more than 48 characters it will overflow the available space, and I should be able to set the isAuthenticated variable to 1. I am still a noob at buffer overflows, and it is something I have been working on learning to exploit, so I used trial and error, incrementing my input by one character each time. After inputting an A 61 times I finally break the code and get an error that says flag.txt does not exist.

Now I know that inputting 61 characters will overflow the buffer and give the result I am looking for. So I use Python to print 61 characters and pipe that to the server using netcat, and am given the result.

In the future I hope to go into better detail about how this is done, as well as have better examples of how this works.

Barry’s Web Application

This challenge gave a website that is not finished: “Barry” has just recently started working on it, and the flag must be somewhere on the site. I begin by going to the developer tools and looking for a flag that could just be placed in the source code somewhere. I do not find the flag there, so I look for a robots.txt file, which I also do not find. I notice in the site’s URL that it has multiple directories, “/dev/webapp”, so the next step is to enumerate the directories.

I go back one directory to see the listings in the dev directory and am given an index of the directory. From here I can view the files in the directory.

I navigate to the docs/ directory and there I find the flag.txt file.

Big Breaches

One of the things I appreciated most about this CTF is that they made you go to the web and look up information about CVEs or past breaches; it is great to be a well-rounded security professional. This challenge required you to find the number of unique emails exposed in the biggest single collection of breached usernames and passwords. I remembered Troy Hunt reporting on this a year or two ago, so I knew it was likely “Collection #1” that the challenge was talking about. I found the blog post from Troy Hunt here. The number of unique email addresses was 772,904,991, so the flag would be MetaCTF{772,904,991}

Staging 1…2…3…

In this challenge we are given a tmp file containing evidence that a suspicious file was created during some threat actor activity. You have to look through the tmp file to find the file that was created. So first I wget the file into my directory, then use strings to analyze the tmp file for anything I can find. I find the flag in the file, luckily on the last line, along with the name of the file that was created.

ROT 26

This challenge gives a string g!0{]n`7*+0y~+1|(!y.+0yKM9 that needs to be decoded. It is said to be in ROT26, which is a farce: if you rotate a normal alphabet 26 times you end up back where you started. Usually a ROT cipher only involves alphabetic characters, but this string contains more than the standard alphabet, so it must be rotating over all 94 printable ASCII characters. I used dcode.fr/rot-cipher for this challenge.
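Both the “Crypto Stands for Cryptography” challenge and this one come down to the same lesson: base64 and ROT are reversible encodings with no key, so a script can undo them without any guessing. As an added example (not code from the post, which used bash and dcode.fr), the script below decodes the base64 string from the earlier challenge and implements ROT over the 94 printable ASCII characters, brute-forcing all 94 shifts of this challenge's string until one produces the flag prefix. Only the two challenge strings are taken from the post; the function names are my own.

```python
import base64

# The two encoded strings from the challenges above, copied from the post.
BASE64_CHALLENGE = "TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ=="
ROT_CHALLENGE = "g!0{]n`7*+0y~+1|(!y.+0yKM9"

# The 94 printable ASCII characters, '!' (0x21) through '~' (0x7e).
ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))


def decode_base64(text):
    """Base64 is an encoding, not encryption: no key, so anyone can reverse it."""
    return base64.b64decode(text).decode("ascii")


def rot94(text, shift):
    """Rotate each printable ASCII character by `shift` positions modulo 94.
    Characters outside the alphabet (e.g. space) pass through unchanged."""
    out = []
    for ch in text:
        idx = ALPHABET.find(ch)
        out.append(ch if idx < 0 else ALPHABET[(idx + shift) % len(ALPHABET)])
    return "".join(out)


def brute_force_rot94(ciphertext, marker="MetaCTF{"):
    """Try every shift and return (shift, plaintext) for the first one that
    produces the flag prefix, or None if no shift does."""
    for shift in range(len(ALPHABET)):
        candidate = rot94(ciphertext, shift)
        if candidate.startswith(marker):
            return shift, candidate
    return None


if __name__ == "__main__":
    print(decode_base64(BASE64_CHALLENGE))
    # Over a 26-letter alphabet ROT26 is the identity; over 94 characters it is not.
    print("ROT26 is identity over 94 chars:", rot94("MetaCTF{", 26) == "MetaCTF{")
    print(brute_force_rot94(ROT_CHALLENGE))
```

The brute force reports the shift that decodes the text; since that shift plus the one used to encode add up to 94, you can verify the answer by re-encoding the plaintext with the complementary shift and comparing against the original string.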

Not So Itsy Bitsy Spider

This is another challenge that requires some Google-fu. The challenge wanted the CVE number of a recently exploited vulnerability used by the ransomware operator known as WIZARD SPIDER, who was able to deploy the Ryuk ransomware in an environment within 5 hours of compromise. I had heard about this story days before the CTF, so I knew it was Zerologon the challenge was referencing. Zerologon was assigned CVE-2020-1472, so the flag was MetaCTF{CVE-2020-1472}.

[REDACTED]

This challenge took me a long time to complete. It required me to remove a redacted section of a document to get the flag.

Since I do not have access to Adobe tools, I was not able to remove the redaction image as easily as I would have liked. I tried converting to Word, tried copy and paste, and a bunch of other tools to convert the PDF. I ended up finding the PDFCandy site, which has an option to upload the file and extract its images. Once I did this I was given the flag.

Diving into the announcement

This challenge gave the clue that CVE-2020-1472 (Netlogon) was important to know, and required me to find the function that is vulnerable and exploited in Zerologon. I found a white paper by Secura that explained how Zerologon worked, as well as a POC on GitHub found here: https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py. I read through the code in the GitHub POC to find the flag.

Zerologon exploits a vulnerability in the NetrServerPasswordSet2 function. The flag is MetaCTF(NetrServerPasswordSet2)

Finding Mr. Casyn

This OSINT challenge was fun. OSINT is something I am always trying to get better at; I used to think I was really good at it, but sometimes these challenges make me second-guess that. In this challenge we are told that Mr. Casyn is missing; he lives in the Chicagoland area, but not Illinois proper. The flag is the first name of Mr. Casyn.

So the first clue is that Mr. Casyn lives in the Chicagoland area, but not Illinois. At first I had no idea what that meant, so I went to my trusted friend Wikipedia.

Wikipedia shows me that there are parts of the Chicago metro area that are not in Illinois, so I went to Twitter and LinkedIn to see if I could find anyone with the last name Casyn in those areas. I found a Casyn who lived in Hammond, Indiana, on LinkedIn. Hammond is part of Lake County, Indiana. His first name was Vedder.

MetaCTF{Vedder}

Ring Ring

This was the second OSINT challenge in the Vedder Casyn saga; this time we were to look for his phone number. It took a lot longer than I expected. First I thought I would be able to find Vedder’s phone number in the contact info on his LinkedIn. That did not pan out, but it did give me his website.

I then looked at his website and its source code to see if I could find the number there, and could not. I then looked at the Twitter account that was linked, and it was not there either. I thought the WHOIS data might have it, but that also did not pan out. I realized he has a GitHub account for his website and looked around it. After hours of thinking this through I realized he could have edited the site at some point, and if he had, the history could show his phone number. Earlier I had tried the Wayback Machine without results, but if he had made commits to the site I might find the number if he had once left it in a contact section of his website. After a lot of searching I found a commit that had his phone number.

So the flag is MetaCTF{929-249-4018}

Hang out Spots (Unfinished)

This is the last challenge in the Vedder Casyn saga. I was not able to figure out the location’s address, but I was able to find a lot of information. The challenge wants me to find the location of the place Vedder loves spending time at. At first I thought it was Theos, because that was on his website, and I looked up the address; however, that was not the correct answer.

I remembered seeing a link to a picture in the commits during the last challenge, so I found that and followed the link to see if I could figure it out. It took me to an imgur link: https://i.imgur.com/uTHNQT2.png

This is where I got stuck. I tried finding the building in Hammond by looking up communication towers. I also tried a reverse image search on the image, but could not figure it out that way either. I am still trying to determine this one, and hope to figure it out soon.

Practical Malware Analysis Chapter 1 Labs

Lab 1-1 Questions

Q:1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

It is possible to upload the files directly to VirusTotal, but I decided to go a different route: hash the files and submit the hashes to VirusTotal. First, I used md5deep to get an MD5 hash of each file.

Next, I search for those hashes in VirusTotal and am given the following results.

Lab01-01.dll

Lab01-01.exe

Analyzing the results from VirusTotal, I can safely assume that this is indeed malware. The DLL was detected by 43 AV engines, and 50 detected the EXE as malware. Our next step is to continue with static analysis of the files.

Q:2. When were these files compiled?

I opened the files in PEView to view the PE headers, which give me more information about the files. In the IMAGE_NT_HEADERS section I can find IMAGE_FILE_HEADER, where the compile date is stored.

Lab01-01.dll

Lab01-01.exe

Both files were compiled on 2010/12/19, at 16:16:19 and 16:16:38 UTC. The two were compiled within seconds of each other, which indicates they were likely compiled by the same person and are related.

Q:3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

These are not packed or obfuscated. I ran the files through PEiD, and it does not report any packer. PEiD confirms that they were compiled with Microsoft Visual C++; if they were packed, the PEiD label would indicate a packer program.

Lab01-01.dll

Lab01-01.exe

Q:4. Do any imports hint at what this malware does? If so, which imports are they?

Viewing the EXE file’s imports from Kernel32.dll, I notice a couple that raise red flags for me:

CopyFileA - This function copies a file from one location to another.

CreateFileA - This function creates a new file.

FindFirstFileA and FindNextFileA - These functions enumerate through the file system.

In the DLL file, the Sleep function and CreateProcessA throw a red flag. CreateProcess creates and launches a new process, and Sleep simply suspends execution of a thread, either to stop during working hours to evade detection or to enumerate a system slowly so that it does not raise a bunch of flags.

Q:5. Are there any other files or host-based indicators that you could look for on infected systems?

To answer this, I simply run the strings command to find any strings available in the binary. At first, I must admit, I did not notice anything out of the ordinary; then I found a DLL name that was meant to be overlooked. It was Kerne132.dll, with the l replaced by a 1 (one). This could be searched for to identify systems infected with this malware sample.

Q:6. What network-based indicators could be used to find this malware on infected machines?

In the DLL there was an IP address that I found when running strings; my guess is that this is a call to a remote C2 server. This could be watched for on the network to determine whether a system has been infected.
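The strings and hashing steps recur throughout these write-ups: hashing the sample for VirusTotal (and comparing Lab03-01.exe with its vmx32to64.exe copy in the Chapter 3 post), running strings over a binary or the Staging tmp file, and then picking the indicators out of the output, including the Kerne132.dll lookalike from Q5 and the C2 address from Q6. As an added example (not code from the post or from the book), the script below implements a minimal strings extractor, hashes the data, buckets the recovered strings into indicator categories, and flags DLL names that imitate a legitimate one by digit substitution. The byte blob, the ExampleApp-style strings in it, and the 192.0.2.10 address (an RFC 5737 documentation address, not the one in the lab file) are constructed for the example.

```python
import hashlib
import re

# Constructed byte blob standing in for a sample. The embedded strings echo
# the kinds of indicators the labs surfaced; the IP is a documentation
# placeholder (RFC 5737), not the address from the lab file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"Kernel32.dll\x00\x01\x02\x03"
    + b"CreateProcessA\x00Sleep\x00"
    + b"Kerne132.dll\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"http://www.practicalmalwareanalysis.com\x00"
    + b"vmx32to64.exe\x00"
    + b"192.0.2.10\x00"
    + b"ab\x00"  # too short to count as a string
)

KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "msvcrt.dll", "wininet.dll",
              "user32.dll", "ntdll.dll"}
# Digits that commonly stand in for letters in lookalike file names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?:/\S*)?", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "registry": re.compile(r"(?:HKEY_|HKLM|HKCU|SOFTWARE\\Microsoft\\Windows)", re.I),
    "binary": re.compile(r"^[\w-]+\.(?:exe|dll|sys)$", re.I),
}


def file_hashes(data):
    """Hashes to submit to VirusTotal or to compare two dropped copies."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def same_binary(a, b):
    """Two files are the same binary when a strong hash of each agrees."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def lookalike_dll(name):
    """Return the legitimate DLL a name imitates (Kerne132.dll -> kernel32.dll), else None."""
    lowered = name.lower()
    if lowered in KNOWN_DLLS:
        return None
    normalised = lowered.translate(HOMOGLYPHS)
    return normalised if normalised in KNOWN_DLLS else None


def classify(strings):
    """Bucket strings by indicator type; lookalike DLL names get their own bucket."""
    found = {name: [] for name in PATTERNS}
    found["lookalike_dll"] = []
    for s in strings:
        for name, pattern in PATTERNS.items():
            if pattern.search(s):
                found[name].append(s)
        if lookalike_dll(s):
            found["lookalike_dll"].append(s)
    return found


if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    for bucket, items in classify(extract_strings(SAMPLE)).items():
        print(f"{bucket:14s} {items}")
```

On a real sample you would read the file with open(path, "rb") and pass the bytes in; the regexes are deliberately loose, since the goal is a short list of candidates for an analyst to confirm, not a verdict.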

Q:7. What would you guess is the purpose of these files?

At this point in my investigation I am not sure what the malware is, but I assume the executable is downloading the DLL to the infected computer. It is some sort of trojan that installs a backdoor through which data is exfiltrated.

Lab 1-2

Questions

Q:1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Again, I used the MD5 hash to search VirusTotal and found that 55 of the antivirus engines detect this malware.

Q:2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

This file was packed. I could initially tell because when I ran it through PEiD I could not find any information about the file, which made me think it was likely packed so that no information about it could be recovered.

I unpacked the executable using upx -d <filename>; the -d switch decompresses the file.

Once the file is unpacked, PEiD shows that it was compiled with Microsoft Visual C++.

Q:3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

This file imports from KERNEL32.DLL, ADVAPI32.DLL, MSVCRT.DLL and WININET.DLL. WININET.DLL and ADVAPI32.DLL give the best guess as to what this malware is specifically doing. From ADVAPI32.DLL it imports CreateServiceA, which creates a service that can be set to start at boot, giving the malware persistence, and from WININET.DLL it imports InternetOpenUrlA and InternetOpenA. These functions open an Internet session and fetch a URL.

Q:4. What host- or network-based indicators could be used to identify this malware on infected machines?

After reviewing the imports, I figured that since it opens a URL it must be sending information to, or querying, a specific website, so I used strings to see what I could find. I found that it opens the website Http://malwareanalysisbook.com. If we were to watch the network for connections to that site, we could find other computers that are infected.

Lab 1-3

Questions

Q:1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Again, I used md5deep to get the MD5 hash of the executable and searched for it in VirusTotal. This time, 50 AV engines detected the file as malicious.

Q:2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

After opening the file in PEiD, the PEiD label shows that the file is packed with FSG 1.0.

I attempted to find more information on that packer, but was unable to. I did attempt to unpack the file using the UPX command, but that was not possible since it was not packed with UPX. I will have to attempt to unpack it at a later time.

Q:3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

After opening the file in Dependency Walker, I only get two imported functions: LoadLibraryA and GetProcAddress. (An import table this small is itself typical of a packed binary, since the unpacking stub uses exactly these two functions to resolve the real imports at run time.) This does not give me much of an indication as to what the malware is attempting to accomplish. I attempted to run the strings command and was not able to get much farther either.

Q:4. What host- or network-based indicators could be used to identify this malware on infected machines?

I could not find any indication of network-based functionality with the small amount of information I have gleaned from this file.

Lab 1-4

Q:1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

57 of the antivirus engines detected this malware.

Q:2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

This file is not packed. First I ran the strings command and it returned a lot of data; next I loaded the executable into PEiD, and the label shows that it was compiled by Microsoft Visual C++ 6.0, which indicates that this file was not packed.

Q:3. When was this program compiled?

I opened the executable in PEview and it gives me a compile date of August 30, 2019. Since I am doing this lab in 2020, that alone would not raise a red flag; however, knowing that this book was written in 2011 and the other samples are from that time frame, it does raise a red flag for me. The compile time was likely faked.

Q:4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Using Dependency Walker, I see that functions are imported from KERNEL32.DLL, ADVAPI32.DLL and MSVCRT.DLL.

From KERNEL32.DLL it imports GetModuleHandleA, which could be used to locate and modify code or look for a good location to inject code. FindResourceA and LoadResource show that the program pulls something out of its own resource section. WinExec can be used to execute another program. CreateFile and WriteFile can be used to create and write files.

From ADVAPI32.DLL it imports LookupPrivilegeValue, which retrieves the locally unique identifier (LUID) for a named privilege, as well as AdjustTokenPrivileges and OpenProcessToken. Together these are used to enable additional privileges in the process's token, in order to access files, directories or processes that require special privileges.

Q:5. What host- or network-based indicators could be used to identify this malware on infected machines?

Running strings on this program shows a couple of signs. First there is an executable that seems fishy, \system32\wupdmgrd.exe. The file tries to disguise itself as the Windows update manager. Strings also shows a URL pointing to http://www.practicalmalwareanalysis.com/updater.exe. This program is likely reaching out to the website to download more code. These two could be used as indicators that a system has been infected.

I also notice in the strings output that this program uses the URLDownloadToFileA function. This means that it is using a network function to download a file from a website, which leads me to think that this executable just calls a website and downloads more malware to the computer.

Q:6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Using Resource Hacker, only one resource is viewable, and that resource is a raw binary blob. In Resource Hacker it is difficult to read, but one thing that stands out is that the binary contains the string “This program cannot be run in DOS mode.”. That string lives in the DOS stub of every PE file, so the resource is itself an embedded executable. The next step is to save the BIN to disk and analyze its headers in PEView.

Using PEView I can confirm that the embedded executable uses URLDownloadToFileA as well as the GetWindowsDirectoryA and WinExec functions. This confirms that it downloads more malware from the website and executes it.

Lastly, it came to my realization that this embedded file has its own compile time: viewing its IMAGE_FILE_HEADER shows a compile date of 02/27/2011.

Hack The Box Devel

Featured

In this walkthrough I am demonstrating how I was able to exploit the Devel box on Hack The Box. Usually the names of the boxes give away what exploit to use, so I decided to look up what devel means. According to dictionary.com, devel means development, so I am assuming this is a development server. As always, I first ran an nmap scan.

In the nmap scan I see that FTP is open as well as a web server running IIS 7.5. One thing that jumps out at me is that anonymous FTP login is allowed on this server. Anonymous FTP means that anyone can log in to FTP as anonymous, without a password. I am pretty sure at this point that this is going to be my attack path: I will be exploiting a misconfiguration in the server. Anonymous FTP should never be left enabled on a server.

The first step in exploiting this is to try to get a shell on the server. Listing the directory after the anonymous login I can see an IISStart.htm page, so I am fairly sure that FTP uploads land in the web directory. I also know this is IIS, so it will likely run an ASPX shell, so I head over to msfvenom and create one.

Now I have a shell.aspx script in my working directory, so the next step is to upload this reverse shell to the FTP server and try running it. So I log in to FTP as the anonymous user and upload my reverse shell.

Next I fire up Metasploit and set up a listener on port 4444 on my local machine. When the shell script runs, it connects back to the listener and I get a meterpreter session.

To run the reverse shell code I have to go to the browser and navigate to my uploaded shell.

I get a meterpreter session, but unfortunately it is not going to give me SYSTEM access (the Windows equivalent of root), so I have to find another exploit that will get me to SYSTEM. I use the Metasploit local exploit suggester, which suggests kitrap0d, so I use that exploit to gain SYSTEM access.

Using this exploit gives me System privileges.

So I just have to go and get the flags.

This box shows how dangerous it can be if you leave default configurations on a server and do not harden it. I hope you enjoyed this walkthrough, and thanks for reading.

Hack The Box Legacy

Featured

Legacy was one of the first boxes that I attempted when I first started using Hack The Box. To start, as always I ran an Nmap scan against the box to find out what ports were open, and what applications were running on the machine.

After running the nmap scan I immediately notice that the server is running SMB again, and that it is most likely Windows 2000 or XP. So I know the vulnerability will be in the SMB protocol, and since the system is most likely running XP I immediately start thinking this box will be vulnerable either to EternalBlue (the leaked NSA exploit that led to WannaCry) or to MS08-067. The next step in my methodology is to scan for vulnerabilities; I used nmap to do that as well.

After running the vulnerability scan I realize it is actually vulnerable to both. So I decide to use MS08-067 to exploit this server. I decided to use this exploit primarily because I had already used EternalBlue on another box, and because this one is called Legacy, I think it is going to be a legacy exploit. This vulnerability, which was exploited by the Conficker worm in 2008, allows remote code execution if the system receives a specially crafted RPC request. Conficker was able to exploit this weakness and create a botnet that infected millions of government, business and home computers.

I used the windows/smb/ms08_067_netapi Metasploit module to exploit this machine. I had to input my IP address for LHOST and the IP address of the machine for RHOST, and then was able to run the exploit and get SYSTEM.

The Metasploit module gives NT AUTHORITY\SYSTEM directly, so I do not have to escalate privileges and am able to find the flags pretty easily.

First I like to drop into a shell, which is the command prompt that I am used to using on the command line. This is not necessary, but I find it easier to navigate using the shell.

Next I navigate to the user john's Desktop directory and get the flag.

Lastly, I go to the Administrator directory and get the root flag to complete the box.

Hope you enjoyed this demonstration. I am looking forward to uploading more of my walkthroughs that I have been working on over the last month.

HTB Blue

Featured

Recently, I decided to finally bite the bullet and start messing around on Hack The Box. As soon as I signed up I saw there was a machine named Blue that was vulnerable to EternalBlue. Truthfully, I was not sure if this box was actually vulnerable to EternalBlue when I started, but from the name it looked very likely.

EternalBlue was one of the leaked NSA exploits that led to many of the ransomware attacks that have plagued the world. WannaCry is the most notable ransomware that used this exploit.

Before you can exploit a machine it is necessary to do some reconnaissance. Even though I am 99% sure from context clues that this box is vulnerable to EternalBlue, I need to determine if it really is.

After running my nmap scan I notice that SMB is running on the target, and that it is a Windows 7 box with Service Pack 1. This immediately suggests that the target machine is likely exploitable through EternalBlue, since that exploit takes advantage of a flaw in the SMB protocol. I can also see that the computer’s name is harris-PC, so I would assume that one user will be harris.

SMB, or Server Message Block, is a communication protocol that provides shared access to resources on a network, such as printers or shared drives and folders. EternalBlue takes advantage of a vulnerability in the Windows SMBv1 server, which mishandles specially crafted packets and allows remote attackers to execute code on the victim machine. Windows 7 Service Pack 1 without the MS17-010 patch is known to be vulnerable to EternalBlue.

The next step is to verify the vulnerability by running a vulnerability scan. Nmap has a built-in script to determine if the target is vulnerable, but I decided to use the Metasploit auxiliary scanner instead, primarily because I know it is likely vulnerable to EternalBlue (MS17-010), and I want to use Metasploit for exploitation as well.

I have determined that the machine is most likely vulnerable to EternalBlue. The next step is to exploit the system. To do so I am going to use Metasploit again; first I search for the exploit for ms17_010.

Metasploit shows the exploits for EternalBlue. I have highlighted the exploit that I will use. Looking at the rank I can see that the exploit is rated average; while not great, it should work fine, so I choose the exploit and set all of my options.

When I choose this exploit it sets up a payload that is delivered during exploitation to create a reverse_tcp shell, giving me a meterpreter session, which allows me to navigate the system and pull out files or upload other malicious files, such as ransomware. In order to set up the reverse shell I have to set the listener on an open port. By default the handler listens on port 4444. I need the listener to call back to my computer: at first LHOST is set to my computer's LAN IP address, but I want to change it to the IP address of tun0 since I am connected to the HTB server through a VPN tunnel. Next I set RHOST, which is the target host IP address.

I easily exploit the machine and get SYSTEM (the equivalent of root) access to the computer. The only thing that is left is post exploitation.

For the purpose of this I just simply find the flags. Here I could do a number of things though. I could upload malware that I can use to get back onto the machine, set up a keylogger, or even set up ransomware to infect the entire network.

Hacking Metasploitable Enumeration & vsFTPd vulnerability

Featured

In this series, I plan to show how I owned Rapid7’s vulnerable virtual machine, Metasploitable2.

When hacking computer systems, it is essential to know which systems are on your network, and also which IP or IPs you are attempting to penetrate. In Metasploitable that can be done in two ways: you can quickly run the ifconfig command in the Metasploitable terminal and find the IP address of the machine, or you can run an Nmap scan from Kali. I will attempt to find the Metasploitable machine by running the following stealth scan.

The SYN scan is the default scan in Nmap when run with root privileges. It is also quick and relatively stealthy because it never completes the TCP handshake. This scan specifically searched all 256 possible IP addresses in the 10.0.2.0-10.0.2.255 range, therefore giving me the live machines. In my test lab, I had four computers running, one being my Kali box, and I was able to find the Metasploitable2 box and all of its open ports.

The next thing I want to do is find each of the services and the version of each service running on the open ports. Again I will use Nmap for this by issuing the following command.

This scan is again doing the stealth SYN scan, but the -sV flag also probes for the versions of the services, and the -O flag fingerprints the operating system running on the machine.

So, what type of information can I find from this scan?

Now I know the operating system is Linux version 2.6.9-2.6.33, and the host is running Telnet, which is vulnerable (it sends credentials in cleartext). There is also an older version of the Apache web server, which I should be able to find a vulnerability for, and I see that port 445 is open: this is the SMB, or Server Message Block, port. I know these are typically vulnerable and let you enumerate the system reasonably easily using Nmap. These are the ones that jump out at me first. I know these will likely give me some vulnerabilities when searching CVE lists.
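Once the version scan is saved as XML (nmap -oX), the product and version strings above can be pulled out programmatically to feed a CVE or Exploit-DB search, and cleartext services like Telnet can be called out before any lookup. The following is an added example, not code from the original post: the XML is constructed to resemble the Metasploitable2 results described here (one live host, vsftpd, Telnet, Apache, Samba, a Linux 2.6.9-2.6.33 OS match), and the exact version strings and the cleartext-service list are the example's own assumptions, not copied from the author's scan.

```python
"""Turn nmap -oX output into version-search terms and cleartext findings (added example)."""
import xml.etree.ElementTree as ET

# Protocols that carry credentials in the clear; worth reporting regardless of CVEs.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "rlogin", "rsh"}


def parse_nmap_xml(xml_text):
    """One record per live host: ip, OS guess, and open ports with product/version."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # skip hosts that did not answer
        ip = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        osmatch = host.find("os/osmatch")  # first (best) OS guess, if -O was used
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # ignore filtered/closed ports
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({"ip": ip,
                      "os": osmatch.get("name", "") if osmatch is not None else "",
                      "ports": ports})
    return hosts


def version_search_terms(hosts):
    """'ip:port product version' for every open port that reported a product."""
    terms = []
    for h in hosts:
        for p in h["ports"]:
            if p["product"]:
                terms.append(f"{h['ip']}:{p['port']} {p['product']} {p['version']}".strip())
    return terms


def cleartext_findings(hosts):
    """(ip, port, service) for services that move credentials in the clear."""
    return [(h["ip"], p["port"], p["service"])
            for h in hosts for p in h["ports"] if p["service"] in CLEARTEXT_SERVICES]


# Constructed sample resembling a Metasploitable2 scan; not the author's real output.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.2.0/24">
  <host><status state="down"/><address addr="10.0.2.3" addrtype="ipv4"/></host>
  <host>
    <status state="up"/>
    <address addr="10.0.2.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_nmap_xml(text)
    for h in found:
        print(f"{h['ip']}  os={h['os'] or '?'}")
    print("search terms:", *version_search_terms(found), sep="\n  ")
    print("cleartext:", cleartext_findings(found))
```

Run it against a real scan.xml to get the same lists for your own lab. The search terms are only as good as nmap's service fingerprint, so confirm a banner by hand before spending time on a CVE it suggests.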

Next, since I saw port 445 open, I will use a Nmap script to enumerate users on the system.

I decided it would be best to save the results to a file to review later as well. I receive a list of user accounts. Here is where I should stop and say something: you should never name your administrator accounts anything like admin. It is easy for an attacker to determine which username is the administrator and then brute force that password and gain administrator access to that computer.

We found a username, msfadmin, which we can assume is the administrator.

Next, I am going to run another Nmap script that will list vulnerabilities in the system.

Using this script we can gain a lot of information. I saved the results to a text document to review later, and I’m delighted I did. I knew the system was vulnerable, but I was not expecting the amount of information I got back from the script. The script gives a lot of great information; below I am showing the first line I was able to retrieve.

As you can see, the script gives me a lot of information. It tells me that the service running on port 21 is vulnerable; it also gives me the OSVDB id and the CVE id, as well as the type of exploit. This is very useful when finding vulnerabilities because I can plan an attack, but also, I can see the exact issue that was not patched and how to exploit it.

I decided to go with the first vulnerable port. As the Nmap vulnerability scan tells us, by exploiting the vulnerability we can gain access to the server through a backdoor. I decided to find details on the vulnerability before exploiting it. I followed the blog link in the Nmap results for scarybeastsecurity and was able to find some information about the vulnerability. From reading the documentation, I learned that the vsFTPd server is written in the C programming language, and that the server can be exploited by entering a :) smiley face in the username, after which a TCP callback shell is attempted.

I used Metasploit to exploit the system. The first step was to find the exploit for the vulnerability. I did this by searching vsFTPd in Metasploit.

Searching for the exploit returned the above module for the service, so the next steps were pretty simple. In Metasploit, I typed the use command and chose the exploit. Next, I ran show options, which told me I needed to provide the remote host (RHOSTS) IP address; this is the target machine’s IP address. After that, I just had to set RHOSTS to 10.0.2.4 and type exploit at the prompt.

From there, a remote shell was created and I was able to run commands.

Next, I wanted to set up proof that I had access. So I decided to write a file to the root directory called pwnd.txt.

I went to the Metasploitable server and changed my directory to the root directory; from there, I was able to see the pwnd.txt file and read the data.

I was left with one more thing. I wanted to learn how to exploit this vulnerability manually. So I tried it, and I sort of failed. First, I decided to use telnet to connect to the service, which worked fine, but then I ran into some issues. I assumed that the username could be just a smiley face; however, after searching on the web, I found out I needed to append the smiley face to the username in the USER command.

I did an Nmap scan before trying the manual exploit and found that port 6200, which was supposed to open, was closed; after running the manual exploit the port is open.

The next step was to telnet to port 6200, where the backdoor shell was listening, and run commands.

In conclusion, I was able to exploit one of the vulnerabilities in Metasploitable2. Next, I will look at some of the websites offered by Metasploitable, and look at other vulnerabilities in the server.

Post Shmoocon 2020

Featured

Over the last weekend, I was able to go to Shmoocon for the third year in a row. This year, however, I decided not to work on CTF challenges the whole time while “listening” to talks. Instead, I was present at the talks, and it turns out Shmoocon has some great discussions. While most people at Shmoocon typically try to take in a lot of technical advice and come back in full force ready to tackle new exploits or something of that nature, this year I left more inquisitive than fired up and ready to “pwn.” In this post, I hope to explain four topics that have made me think a lot since the weekend, things that maybe we don’t think about enough in the security community or the dev community.

The user isn’t stupid

Every year at Shmoo, one of the founders of Shmoocon, Bruce Potter, gives a rant about the industry and the changes he wishes to see. Every year, I think I have heard Bruce talk about the same thing: the users aren’t stupid. We need to start building better tools to protect the user. This got me thinking a lot about what we do in the security industry. I see this done in many areas of business, but we often call those who use bad passwords dumb, or we think someone is stupid because they can’t figure out things in the programs that we wrote. Often the user is not actually at fault. It is our fault for not educating the masses.

This includes any area of business really. I have seen people call clients stupid for not being able to do the work the company does, although if they did know how to do it, we wouldn’t have jobs. I remember a talk with a friend of mine recently who is in user experience, and he said: “Developers and IT people are not great at designing tools; they work great usually, but internal tools are always a pain to work in.” And if we are honest, it is true. While some tools that we design function great for our needs, 80% of the staff is going to be confused by the buttons or the naming convention or something else. We think differently than most. That is why your CEO doesn’t have 2FA and uses the same password for Facebook as they use for their corporate email. They haven’t been trained to think like a hacker, but they have been trained to make deals and sell an organization.

This talk made me think more about why I want to be in this industry. I think most people want to be in the industry for one of two reasons: they want to break stuff and not get arrested, or they want to break things and protect users. I hold firm that my purpose is to protect others. Breaking stuff is fun, and I find trying to figure out solutions to challenges exciting, but at the end of the day, I work in this industry to help others know how to protect themselves from people like me, who want to harm them.

Bruce ended by encouraging us to get better at what we are currently doing, instead of trying to learn everything, which leads to the next takeaway.

I need to stop working more and start working smarter

Bruce also noted that the security industry has a hard time selling itself because we also tell everyone they must consistently work off the clock to learn. This leads to a massive amount of burnout and fatigue and makes us irritable with future generations. The security community prides itself on people who work 60 hours a week, with at least 20 of that being off the clock on their own time. As a leader, it made me think more about learning opportunities for the employees around me. What can I do as a leader to provide more learning opportunities for the staff at my organization without forcing them to learn on their own dime?

I must admit this is a challenging endeavor, first because I must practice what I preach. I am the master of always working on something or some goal. Secondly, because I work for a small organization and it feels like there is always too much work to do. Four years ago, when I started in IT, I learned a lot of things by doing; I was pushed to learn new things because if I didn’t learn it, it would not get done. Luckily, my bosses gave me the time I needed. Maybe that is where it starts: giving others small projects that they can learn on and that push them to do better. Training sessions and mentoring from the leadership will also help mold employees. The security community is small, and sometimes it seems that it is difficult to learn. Leaders need to start mentoring those under us (and I am still very new to the field also; I need mentoring myself) and give them the chance to learn when they are on the clock, not off the clock.

What was a great feature, could turn into a bug

During the opening day, I got to see a talk by Jonathan Leitschuh, who is mostly known for finding the Zoom zero-day in 2019. What I found most interesting about Jonathan’s talk was his interaction with Zoom developers. They insisted that the vulnerabilities Jonathan found were features that made Zoom attractive to their clients. While the local web server was a feature in the Zoom product that made it easier and more efficient to use, it was creating a backdoor that put customers at risk.

This could be true about just about any application. Most developers did not learn security, and honestly don’t think like hackers most of the time. Their job, in most cases, is to get a product out as fast as possible that meets the needs of the organization. Many of these developers are being pushed to do things much quicker. I have been pushed to get products out the door in my organization very quickly, and it has prevented me from doing the job that I would have liked. I’m sure most penetration testers could tell you that they wish they had longer to poke around for holes in a network as well. The point is, in the security community, as well as in all industries, we need to learn to adapt and understand that many of the “features” people are looking for can create opportunities for holes that we weren’t expecting. As a security person, I need to understand that not everyone will think the way I think, and I need to be understanding of that and use it as a learning experience and not as a whipping stick. As a developer, I need to understand the scope of a program I am writing and think about the holes that could be opened because of a feature that makes things convenient.

Security isn’t just CVEs it’s also misconfigurations

Lastly, I enjoyed a talk by Mark Manning on Kubernetes security for pentesters. This was an excellent talk primarily because Mark noted that his talk was not on zero-days in Kubernetes but on misconfigurations. This is something I struggle with myself; I think we often focus on zero-day attacks or CVEs, but we don’t focus enough on proper configuration. Every conference seems to be focused on zero-days or new vulnerabilities. I rarely ever see a talk where a person shows how they pwned a system because it was not correctly configured, yet that seems to be the nature of a large number of attacks. The Capital One data breach did not happen because of a vulnerability that was disclosed and unpatched, or some new zero-day that was dropped. It happened because one of Capital One’s databases was left exposed to the internet. It has shifted my train of thought. There are likely three times as many systems that are vulnerable to attack over the internet because of misconfigurations as there are that are vulnerable because of a zero-day.

Bandit Walk Through 4

Featured

Bandit Level 9

This challenge wanted us to read the file data.txt and find the human-readable string beginning with several equal signs. Since there was non-printable data in there, I knew that I could use the strings command to get the readable text. I also used grep to find only the lines that matched the === pattern.

Password = truKLdjsbJ5g7yyJ2X2Ro3a5HQJFuLK

Bandit Level 10

This time the flag is again stored in a data.txt file, but the data is encoded using base64. For this challenge I need to read the data and pipe it through the base64 decoder.

Password = IFukwKGsFW8M0q3IRFqrxE1hxTNEbUPR

Bandit Level 11

This time the flag is again stored in a data.txt file, but this time the encoding method is ROT13. I looked up how to decode ROT13 in Linux and found a command using tr (the translate command). I echoed the data from the file and piped it through tr.

Password = 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12

This one was very tedious. I am sure there was a much simpler way than the way I did it, but I will have to find that out later. Essentially, this time the data.txt file has been compressed several times. The objective is to decompress the file each time by determining the type of the file, renaming it with the right extension, then decompressing it. This was done in several steps, so I will not explain each one but will show it all below.

Password = 8ZjyCRiBWFYkneahHwxCv3wb2a10RpYL
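A way to avoid the rename-and-guess loop in Level 12 is to identify each layer from its magic bytes (what the file command does) and peel it off in one pass. The following is an added example, not the author's solution: it recognises gzip, bzip2 and tar by their signatures and also reverses an xxd-style hexdump, which goes beyond what the level description above mentions. The nested sample it unwraps is built inside the script from a constructed placeholder string, not the real data.txt, and the 32-layer cap is an assumed safety limit.

```python
"""Peel nested gzip/bzip2/tar (and hexdump) layers by signature (added example)."""
import bz2
import gzip
import io
import re
import tarfile

# One xxd-style line: offset, colon, hex pairs (optionally space-grouped), then
# the ASCII column after two spaces, which the greedy group never reaches.
_HEXDUMP_LINE = re.compile(r"^[0-9a-fA-F]{7,8}:\s*((?:[0-9a-fA-F]{2}\s?)+)")


def identify(data):
    """Name the outermost container from its magic bytes, or 'plain'."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX/GNU tar magic
        return "tar"
    if _HEXDUMP_LINE.match(data[:80].decode("ascii", "replace")):
        return "hexdump"
    return "plain"


def unwrap_once(data):
    """Remove one layer; returns (layer name, inner bytes)."""
    kind = identify(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            members = [m for m in tf.getmembers() if m.isfile()]
            if len(members) != 1:
                raise ValueError(f"expected one file in tar, found {len(members)}")
            return kind, tf.extractfile(members[0]).read()
    if kind == "hexdump":
        out = bytearray()
        for line in data.decode("ascii").splitlines():
            m = _HEXDUMP_LINE.match(line)
            if m:
                out += bytes.fromhex(m.group(1).replace(" ", ""))
        return kind, bytes(out)
    return kind, data


def unwrap_all(data, max_layers=32):
    """Peel every recognised layer; returns (list of layer names, payload)."""
    layers = []
    for _ in range(max_layers):
        kind, inner = unwrap_once(data)
        if kind == "plain":
            return layers, data
        layers.append(kind)
        data = inner
    raise ValueError("too many layers, giving up")   # guard against endless nesting


def make_tar(name, payload):
    """Single-member tar archive (used only to build the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def make_hexdump(data):
    """xxd-style dump: 8-digit offset, 16 bytes as 2-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return ("\n".join(lines) + "\n").encode("ascii")


# Constructed sample: a placeholder string wrapped as gzip -> bzip2 -> tar ->
# gzip -> hexdump.  Not the real data.txt from the level.
SECRET = b"constructed-placeholder-not-a-real-bandit-password\n"
SAMPLE = make_hexdump(gzip.compress(make_tar("data4.bin",
                      bz2.compress(gzip.compress(SECRET)))))

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    layers, payload = unwrap_all(blob)
    print(" -> ".join(layers + ["plain"]))
    print(payload.decode("utf-8", "replace"), end="")
```

Point it at the level's data.txt to print the layer order and the final payload. Unknown container types simply stop the loop and come back as "plain", so a format the script does not know (for example a zip) shows up as an undecoded blob rather than an error.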

Bandit Level 13

This time the challenge required us to use ssh from the level 13 server to log on as the level 14 user using a private key. I had to look up how to use private keys with ssh and was able to find ample information. I’m becoming a Google Fu black belt! I used the below command to do so.

Then it was as simple as reading the /etc/bandit_pass/bandit14 file to get the flag.

Password = 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit Level 14

For level 14 the requirement was to send the password for level 14 to port 30000 to retrieve the next flag. I used netcat and then pasted in the current password. That gave me the next flag.

Password = BfMYroe26WYalil77FoDi9qh59ek5xNr