l337 S4uc3 Walkthrough — Cyberdefenders

responderj
10 min read · Feb 20, 2022

Challenge Link: l337 S4uc3

Scenario:
Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3!

Tools:

1. PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver?

From the HTTP traffic, I’ve noticed that the website is made using WordPress.

HTTP traffic

One way to access the WordPress dashboard is to add wp-login.php at the end of your site URL.

I opened the HTTP object list and typed wp-login.php into the Text Filter field. The image below shows the public IP address of the web server in the Hostname column.

Navigate to File > Export Objects > HTTP to view the HTTP Object list.

Captured from Wireshark

2. PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the “GrrCON.pcapng” evidence file.

I used the query below to sort the records by timestamp in ascending order.

sort ts

In Wireshark, select the first packet and set the time display format to UTC.

3. PCAP: What version number of PHP is the development.wse.local server running?

The filter below displays the HTTP GET request to the host development.wse.local with URI /wp-login.php. I then used the Follow HTTP Stream option to view the response headers.

http.host == "development.wse.local" && http.request.uri == "/wp-login.php" && http.request.method == "GET"

Follow HTTP Stream

Right-click on the packet, then select Follow > HTTP Stream.

HTTP Stream dialog box

X-Powered-By is the response header that advertises the technology (here PHP) and its version behind the web application.

4. PCAP: What version number of Apache is the development.wse.local web server using?

Same process as in Q3.

HTTP Stream dialog box

The Server response header specifies the web server software and its version.

5. IR: What is the common name of the malware reported by the IDS alert provided?

I identified the malware name from the URL provided under References.

IR-Alert.png

6. PCAP: Please identify the Gateway IP address of the LAN because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP.

I listed all the IPv4 addresses by navigating to Statistics > Endpoints > IPv4 in Wireshark. An address ending in .1 is commonly used as the gateway.

You can also find the gateway IP address by analyzing the ARP traffic.

7. IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged?

The payload shows www.google.com as the external website, and 74.125.225.112 as the IP address it resolved to.

IR-Alert.png

You can also check Suricata alerts in Brim by navigating to Suricata Alerts by Category > Malware Command and Control Activity Detected > Pivot to logs.

8. PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address?

The Suricata signature "ET MALWARE Zbot POST Request to C2" reveals the Zeus CNC server IP address.

Suricata Alerts by Category > Malware Command and Control Activity Detected > Pivot to logs.

9. PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name?

I found the filename by navigating to File > Export Objects > HTTP, filtering the list down to .bin files, and looking for the entry whose Content Type is application/octet-stream.

HTTP object list
Captured from Common MIME types

Or use the filter below.

ip.addr == 88.198.6.20 && http.request.method == "GET" && frame contains ".bin" && !(http.host == "www.bing.com")

Or check the alert category "A Network Trojan was detected" in Brim. Select "ET MALWARE Generic .bin download from Dotted Quad" and click the Packets button to open Wireshark.

10. PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST?

I first converted GrrCON.pcapng into .pcap, since I'm using the free version of NetworkMiner; no conversion is needed with NetworkMiner Professional.

To convert to .pcap, open the file in Wireshark, go to File > Save As, choose "Wireshark/tcpdump … - pcap" as the file type, and click Save.

Open the .pcap file in NetworkMiner, click the Credentials tab, then uncheck Show Cookies.

NetworkMiner displays timestamps in UTC. The image below shows the conversion from UTC to EDT/EST.

https://savvytime.com/converter/utc-to-est/sep-10-2013/11pm

11. PCAP: After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design’s page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please provide the time of the accessed Designs page?

The filter below displays the HTTP POST request containing 1qBeJ2Az. I filtered on POST because that is the method normally used to submit a password form.

frame contains "1qBeJ2Az" && http.request.method == "POST"

12. PCAP: What is the source port number in the shellcode exploit? Dest Port was 31708 IDS Signature GPL SHELLCODE x86 inc ebx NOOP

Looking up the IDS signature, I found that GPL SHELLCODE x86 inc ebx NOOP matches a long run of the character "C" (0x43, which is also the x86 opcode for inc ebx, so a sled of it behaves like a NOP sled).

Then I used the filter below to display all the packets with destination port number 31708.

tcp.dstport == 31708 || udp.dstport == 31708

The packet bytes pane shows the run of "C" bytes that the IDS signature matches. The source port number is in the TCP header details or the Source Port column.
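As an added example (not code from the original write-up), the following Python reproduces what the packet bytes pane and the port columns reveal for this signature: it decodes a raw Ethernet/IPv4/TCP frame, measures the longest run of 0x43 bytes, and reports the source port when such a run is bound for port 31708. The sample frame, its ports and addresses, and the MIN_RUN threshold are constructed assumptions, not values from the capture.

```python
"""Detect the byte pattern behind the IDS signature "GPL SHELLCODE x86 inc ebx
NOOP" in a raw Ethernet/IPv4/TCP frame and report the ports involved.
Added example, not from the original write-up. 0x43 is both ASCII "C" and the
x86 opcode for inc ebx, so a sled of it shows as a run of "C" in Wireshark's
bytes pane. MIN_RUN and the sample frame are constructed assumptions."""
import struct
MIN_RUN = 24  # assumed threshold of consecutive 0x43 bytes needed to flag

def longest_run(payload: bytes, byte: int = 0x43) -> int:
    """Length of the longest run of `byte` in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

def parse_tcp_frame(frame: bytes):
    """Decode Ethernet II / IPv4 / TCP headers; return (src_port, dst_port, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    src, dst = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, tcp[data_off:]

def check_frame(frame: bytes, dst_port: int = 31708):
    """Return the alert details when a sled is sent to dst_port, else None."""
    parsed = parse_tcp_frame(frame)
    if parsed is None:
        return None
    src, dst, payload = parsed
    run = longest_run(payload)
    if dst == dst_port and run >= MIN_RUN:
        return {"src_port": src, "dst_port": dst, "sled_len": run}
    return None

def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal constructed frame (zero checksums, placeholder MACs and RFC 5737 IPs)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

SAMPLE_FRAME = build_frame(40123, 31708, b"C" * 40 + b"\r\n")  # constructed sample
```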

13. PCAP: What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

I used the filter below to display all the packets that contain “sysinfo”.

frame contains "sysinfo"

Then I used the Follow TCP Stream option by right-clicking the first packet and navigating to Follow > TCP Stream. The Find feature will quickly find the string “linux” from the results.

14. PCAP: What is the value of the token passed in frame 3897?

The filter below will display frame 3897. Expand the HTML Form URL Encoded section for the token value.

frame.number == 3897

15. PCAP: What was the tool that was used to download a compressed file from the webserver?

I used the Brim query below and found the compressed file (unimportant.tar.gz) in the uri field. The user_agent field shows the tool used to download it.

_path=="http"

16. PCAP: What is the download file name the user launched the Zeus bot?

Since I already know the CNC server IP address, I used it to filter and view all the HTTP GET requests sent to that server.

ip.addr == 88.198.6.20 && http.request.method == "GET"

The image above shows the host 172.16.0.109 trying to retrieve three files from the CNC server.

Following the TCP stream for the first file, NewDesign.jpg.exe, shows the request got a 404 Not Found response, meaning the CNC server could not serve NewDesign.jpg.exe.

Analyzing the TCP Stream of the second file bt.exe shows the GET request has a 200 OK response indicating the request has succeeded.

The third file cf.bin is the configuration file that the Zeus bot downloaded after the infection.
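As an added example (not code from the original write-up) covering both Q9 and Q16, this Python pairs GET requests with their responses the way Follow TCP Stream shows them, and reports which files were actually served as application/octet-stream. The two byte strings are constructed to mirror the three requests to the C2 server; the response bodies are short placeholders.

```python
"""Pair HTTP requests with responses from a reassembled TCP stream.
Added example, not from the original write-up: the two constructed byte
strings mirror the Q9/Q16 exchanges with the C2 server (bodies are
shortened placeholders, hence the tiny Content-Length values)."""
CLIENT_TO_SERVER = (  # constructed client half of the stream
    b"GET /NewDesign.jpg.exe HTTP/1.1\r\nHost: 88.198.6.20\r\n\r\n"
    b"GET /bt.exe HTTP/1.1\r\nHost: 88.198.6.20\r\n\r\n"
    b"GET /cf.bin HTTP/1.1\r\nHost: 88.198.6.20\r\n\r\n"
)
SERVER_TO_CLIENT = (  # constructed server half: 404, 200, 200
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 9\r\n\r\nNot Found"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nMZ\x90\x00"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 6\r\n\r\n\x01\x02\x03\x04\x05\x06"
)

def parse_messages(data: bytes) -> list:
    """Split one direction of an HTTP/1.x stream into (start_line, headers, body)."""
    messages = []
    while data:
        head, sep, rest = data.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete trailing message: stop rather than guess
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, data = rest[:length], rest[length:]
        messages.append((lines[0], headers, body))
    return messages

def pair_exchanges(c2s: bytes, s2c: bytes) -> list:
    """Zip requests with responses in order and summarise each exchange."""
    exchanges = []
    for (req_line, _, _), (status_line, hdrs, body) in zip(parse_messages(c2s), parse_messages(s2c)):
        method, uri, _ = req_line.split(" ", 2)
        exchanges.append({"method": method, "uri": uri, "bytes": len(body),
                          "status": int(status_line.split(" ")[1]),
                          "content_type": hdrs.get("content-type", "")})
    return exchanges

def successful_downloads(exchanges: list, suffix: str = ".bin",
                         ctype: str = "application/octet-stream") -> list:
    """URIs actually served (200 OK) with the given suffix and MIME type."""
    return [e["uri"] for e in exchanges
            if e["status"] == 200 and e["uri"].endswith(suffix) and e["content_type"] == ctype]
```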

17. Memory: What is the full file path of the system shell spawned through the attacker’s meterpreter session?

For background, there is an article demonstrating how to generate a Linux profile for Volatility 2 (read it here).

The author of this challenge already provided the zip file containing module.dwarf and System.map.

The next step is to move the zip file into Volatility's Linux overlays plugin directory. If you don't know where it is, use the command below.

locate volatility/plugins/overlays/linux

In my case, this is the path of my volatility plugin.

/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux

To move the zip file, use the command below.

sudo mv DFIRwebsvr.zip /usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux

The command below lists the profile name that Volatility builds from the zip file.

vol.py --info | grep DFIRwebsvr

Now that I know the profile of the memory sample, I used the linux_pslist plugin to list all the running processes.

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pslist

The image below shows the two sh processes and their process IDs.

Now that I know the process IDs, I used the linux_psaux plugin to gather more information such as the command line arguments, piping the output through grep 127 to show only the lines containing 127.

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux | grep 127

The output shows the command line and file path of the two sh processes.

18. Memory: What is the Parent Process ID of the two ‘sh’ sessions?

The linux_pstree plugin displays the parent/child relationship between processes, and grep sh -C 3 shows three lines of context before and after each match of "sh".

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pstree | grep sh -C 3

The image above shows the parent and process IDs of the two sh sessions.

19. Memory: What is the latency_record_count for PID 1274?

First, I need to get the Offset of the PID 1274.

The command below will display the information of Process ID 1274, including its Offset.

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pslist | grep 1274

Then I used the plugin linux_volshell to open the interactive shell in the memory image.

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_volshell

To inspect a kernel structure, use the dt command.

The command below displays the task_struct at offset 0xffff880006dd8000; latency_record_count is one of its fields.

dt("task_struct", 0xffff880006dd8000)

20. Memory: For the PID 1274, what is the first mapped file path?

The linux_proc_maps plugin prints the process map information.

The image above shows the first mapped file path of Process ID 1274.

21. Memory: What is the md5hash of the receive.1105.3 file out of the per-process packet queue?

The linux_pkt_queues plugin enumerates the per-process packet queues and writes them to the directory given with -D.

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pkt_queues -D /home/remnux/Documents/

The md5sum command then prints the MD5 hash of receive.1105.3.
