RomHack 2022: You Got Mail

Information

Challenge: You Got Mail

Category:
Forensics

Files: forensics_you_got_mail.zip (1.4 GB)
case_1.ad1 (1.4 GB)

Environment: Remnux VM

My Recommendations

If you are on Linux, you can view my guide to install and use FTK Imager with Wine. To run FTK Imager, go to your home directory and run:

wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'

Extract the AD1 image:

  1. From File select Image File.
  2. Click Browse and navigate to case_1.ad1.
  3. Click Finish.

Once it is attached, select File and ‘Extract Files’. Browse to your working directory and click OK.

Once that’s done you can remove the case_1.ad1 file.

Two directories were extracted: info_C__Users_info and System32_C__Windows_System32. The first one is the profile directory of a user named (I assume) info, and the other is a System32 directory.

I like to rename stuff to make CLI easier:

mv info_C__Users_info info
mv System32_C__Windows_System32/ System32

Walkthrough

Although I don’t have the exact challenge description anymore, the challenge name (You got mail) obviously refers to some mail stuff. The description also included something about finding out how the attacker gained/maintained access and what files were dropped.

1. User filesystem Analysis

Considering the challenge description and name, we first need to find any potential mail databases in the user’s directory. With Microsoft Outlook, these are usually .ost or .pst files:

				
					find info -name "*.ost" 
find info -name "*.pst" 
#returns nothing
				
			

No .ost or .pst. We can check the AppData directories to see which apps were installed/used:

				
					ls -1 info/AppData/*
				
			

Two Thunderbird directories! Thunderbird stores each mail folder as a plain mbox file, and the inbox is simply named ‘INBOX’, so we can find the file and copy it to our working directory:

				
					find info/AppData/ -name 'INBOX'
#returns info/AppData/Roaming/Thunderbird/Profiles/g19c6r8i.default-beta/ImapMail/mail.windowsliveupdater.com/INBOX
cp info/AppData/Roaming/Thunderbird/Profiles/g19c6r8i.default-beta/ImapMail/mail.windowsliveupdater.com/INBOX .
				
			

This ‘database’ is in plaintext. We can print its contents to find potential attachments that could have infected the machine:

And here we can see that HR sent a zip attachment named ‘policy_draft.zip’, the provided password being Passw0rd!23. We should also note the email’s date, Wed, 21 Sep 2022 16:02:26 +0300, since it anchors the timeline for the rest of the investigation.

To save the attachment, we use this one liner:

strings INBOX | grep -F 'Content-Transfer-Encoding: base64' -A 10000 | tail -n +2 | head -n -1 | base64 -d > policy_draft.zip
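The strings/grep one-liner works here because the mailbox holds a single base64 part. As an added example (not part of the original writeup), the script below parses an mbox with Python’s standard email package instead, so it decodes every attachment of every message, records the sender, date and hashes for the timeline, and optionally writes the files out. The sample mailbox embedded in it is constructed for the demo and is not the challenge’s INBOX file; the attachment bytes are a stand-in, not the real policy_draft.zip.

```python
import base64
import email
import email.policy
import hashlib
from pathlib import Path

# Constructed sample mbox (NOT the challenge's INBOX): one message from "HR"
# carrying a base64-encoded zip attachment. The attachment bytes are a stand-in.
SAMPLE_ATTACHMENT = b"PK\x03\x04 constructed stand-in for policy_draft.zip"
SAMPLE_MBOX = (
    b"From hr@example.invalid Wed Sep 21 16:02:26 2022\n"
    b"From: HR <hr@example.invalid>\n"
    b"To: info <info@example.invalid>\n"
    b"Date: Wed, 21 Sep 2022 16:02:26 +0300\n"
    b"Subject: Policy draft\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Please review the attached draft. Password: Passw0rd!23\n"
    b"--b1\n"
    b'Content-Type: application/zip; name="policy_draft.zip"\n'
    b'Content-Disposition: attachment; filename="policy_draft.zip"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.encodebytes(SAMPLE_ATTACHMENT)
    + b"--b1--\n"
)


def iter_mbox_messages(data: bytes):
    """Yield each raw RFC 822 message contained in an mbox blob.

    mbox separates messages with an envelope line starting with 'From '
    (body lines that would look like one are escaped as '>From '), so we
    split on that marker and drop the envelope line itself.
    """
    current = []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From "):
            if current:
                yield b"".join(current)
            current = []
            continue
        current.append(line)
    if current:
        yield b"".join(current)


def extract_attachments(mbox_bytes: bytes, outdir=None):
    """Parse every message, decode its attachments and return triage metadata.

    Decoding is delegated to the email package, which handles base64 and
    quoted-printable alike, so this does not rely on exactly one base64
    block being present the way the strings/grep one-liner does.
    """
    found = []
    for raw in iter_mbox_messages(mbox_bytes):
        msg = email.message_from_bytes(raw, policy=email.policy.default)
        for part in msg.iter_attachments():
            # Path(...).name strips any directory component a hostile filename carries
            name = Path(part.get_filename() or "unnamed.bin").name
            data = part.get_payload(decode=True)
            record = {
                "filename": name,
                "from": str(msg["From"]),
                "date": str(msg["Date"]),
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            }
            if outdir is not None:
                out = Path(outdir)
                out.mkdir(parents=True, exist_ok=True)
                (out / name).write_bytes(data)
            found.append(record)
    return found


if __name__ == "__main__":
    # Against the real file: extract_attachments(Path("INBOX").read_bytes(), outdir="attachments")
    for rec in extract_attachments(SAMPLE_MBOX):
        print(f'{rec["date"]}  {rec["from"]}  {rec["filename"]}  '
              f'{rec["size"]} bytes  sha256={rec["sha256"]}')
```

Keeping the hashes next to the sender and Date header gives you the two things you want from the mailbox at once: the artifact to analyse and the timestamp to correlate against filesystem and registry timelines later.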

Then we can extract it with the provided password using 7z:

				
					7z x policy_draft.zip
#Enter password (will not be echoed) : Passw0rd!23
				
			

The resulting file is a policy.xlsm (hello Maldoc!!).

2. Document Analysis

Going straight into it with Olevba:

				
					olevba --deobf --decode policy.xlsm
				
			

In Olevba’s report, the identified IOCs are two executable filenames and a URL:

Further down, an array is XORed with the key 151:

We can quickly decrypt this in Python:

				
					array = [223, 195, 213, 236, 246, 226, 227, 167, 231, 228, 238, 200, 167, 241, 200, 163, 249, 200, 166, 249, 245, 167, 239, 200, 229, 164, 225]
unxored ''.join([chr(i ^ 151) for i in array])
print(unxored)
# HTB{aut0psy_0f_4n_1nb0x_r3v
				
			

Amazing! We got the first part of the flag! The challenge description mentioned dropped files, which I very much assume to be the ‘update.exe’ mentioned in the VBA script.

3. Executable Analysis

Now, we need to find where the file was dropped. An easy way is to look for “exe” extensions in the User directory:

				
					find info -name "*.exe"
				
			

These three files are SUSSSS. I re-ran the same command to make sure the hashes match:

				
					 find info -name "*.exe" -exec md5sum "{}" \;
 #the three files have hash 4d8f8be4789ac26d08e7ecc676f65821
				
			

Since the three files have the same hash, we can analyze any of them:

				
					pedump info/AppData/Local/Microsoft/Windows/Explorer/2ole0wNnHOJXbsIKVhbA/hQxNctXsbg.exe
				
			

Which reveals it’s a .NET executable:

Luckily for us, we can analyze it in a Linux VM using ilspycmd. I like to decompile the project to check the code:

				
					mkdir update
ilspycmd -o update -p info/AppData/Local/Microsoft/Windows/Explorer/2ole0wNnHOJXbsIKVhbA/hQxNctXsbg.exe
				
			

In update/PSEmpire_Stage1 there is one file, ‘Program.cs’:

				
					cat update/PSEmpire_Stage1/Program.cs
				
			

Which contains another XOR routine, this time applied to a base64-encoded string:

Again, we can decrypt it in Python:

				
					import base64
array = [i for i in base64.b64decode("Ki11akYtd0YqdGkoa3xGLW1Gbilrcjg4ZA==")]
unxored = ''.join([chr(i ^ 25) for i in array])
print(unxored)
#34ls_4n_3mp1re_4t_w0rk!!}
				
			
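Both stages (the VBA array XORed with 151 and the C# base64 string XORed with 25) use the same single-byte XOR, so one helper covers both. The block below is an added example, not code from the writeup: it wraps the two decodes in functions and adds a crib-based key recovery, which shows why single-byte XOR gives no protection even when the key is not sitting in the source: one known plaintext byte (here the ‘HTB{’ prefix or the ‘!!}’ suffix of the flag format) reveals the key, and a few more bytes confirm it. The arrays, strings and keys are the ones from the writeup; the function names are mine.

```python
import base64

# Values taken from the writeup: the XORed array in the VBA and the base64
# string in the decompiled C# stage, with the keys each piece of source used.
VBA_ARRAY = [223, 195, 213, 236, 246, 226, 227, 167, 231, 228, 238, 200, 167,
             241, 200, 163, 249, 200, 166, 249, 245, 167, 239, 200, 229, 164, 225]
VBA_KEY = 151
CS_B64 = "Ki11akYtd0YqdGkoa3xGLW1Gbilrcjg4ZA=="
CS_KEY = 25


def xor_decode(data, key: int) -> str:
    """XOR every byte with one key byte and return the result as text."""
    return "".join(chr(b ^ key) for b in data)


def xor_decode_b64(encoded: str, key: int) -> str:
    """Base64-decode first, then XOR (the order the C# stage uses)."""
    return xor_decode(base64.b64decode(encoded), key)


def recover_key_from_crib(ciphertext, crib: bytes):
    """Return every (offset, key) for which a single-byte XOR yields the crib there.

    With a one-byte key, one known plaintext byte leaks it outright:
    key = ciphertext[i] ^ crib[0]. The candidate is then checked against the
    remaining crib bytes, so a crib of a few bytes pins the key down uniquely.
    """
    ct = bytes(ciphertext)
    hits = []
    for off in range(len(ct) - len(crib) + 1):
        key = ct[off] ^ crib[0]
        if all(ct[off + i] ^ key == crib[i] for i in range(len(crib))):
            hits.append((off, key))
    return hits


if __name__ == "__main__":
    print(xor_decode(VBA_ARRAY, VBA_KEY))
    print(xor_decode_b64(CS_B64, CS_KEY))
    # Same keys recovered without reading them from the source, using the flag format
    print(recover_key_from_crib(VBA_ARRAY, b"HTB{"))
    print(recover_key_from_crib(base64.b64decode(CS_B64), b"!!}"))
```

The crib search returns every offset that fits, so on real samples inspect all hits rather than assuming the first; with a crib of three or four bytes a false hit is already unlikely, as the single result for each stage here shows.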

And it’s the second part of the flag! These two together make the flag:

HTB{aut0psy_0f_4n_1nb0x_r3v34ls_4n_3mp1re_4t_w0rk!!}


Flag: HTB{aut0psy_0f_4n_1nb0x_r3v34ls_4n_3mp1re_4t_w0rk!!}

TLDR

– Find the Thunderbird database, extract and decrypt the .zip attachment.

– Use Olevba to retrieve part 1 of flag.

– Use ilspycmd to retrieve part 2 of flag.
