This is my write-up of a couple of KringleCon 22 challenges.
As an experiment, I wanted to use ChatGPT as much as possible for some of them.
It's a pretty cool tool to add to your arsenal, but it's far from perfect. If you don't know what you're doing, it will probably point you in the wrong direction. If you do know what you're doing, it will speed up your workflow by providing code and commands you can then fix (Suricata rule generation was nice; cracking shadow passwords was cool, but it didn't mention you have to run unshadow first, etc.).
Tolkien ring
PCAP Analysis
1. What type of objects can we export from the pcap?
> HTTP
2. What is the filename of the largest file we can export?
> app.php
3. What packet number starts the app.php file?
> 687
4. What is the IP of the Apache server?
> 192.185.57.242
5. What file is saved to the infected host?
> Ref_Sept24-2020.zip
6.Attackers used bad TLS certificates in this traffic. Which countries were they registered to?
To find that:
Use: tls.handshake.type == 11
On packet 808:
1) Make sure the setting "Allow subdissector to reassemble TCP streams" is enabled in the TCP protocol preferences.
2) Go to the packet that contains the TLS handshake message "Certificate".
3) In the packet detail pane, expand the TLS protocol.
4) Expand the "Certificate" TLS record.
5) Expand the "Certificate" handshake protocol.
6) Expand the list of certificates. There is now a list of certificate lengths and certificates (the list may contain only one certificate). The first certificate is the server certificate, the second is its signing CA, the third is the CA that signed that CA, and so on.
7) Right-click the certificate you want to export.
8) Choose "Export Selected Packet Bytes...".
9) Choose a filename and click Save.
Then convert the DER to PEM using openssl and decode it with openssl or an online tool; the C= field of the subject and issuer is the country. We then get the following info:
There are two bad certificates (the other ones are legitimate Microsoft certificates). We rinse and repeat and get the answers below:
> Israel, South Sudan
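The same check done programmatically, as an added example that is not part of the original write-up: instead of exporting every certificate by hand and pasting it into a decoder, a small DER walker pulls the countryName (C=, OID 2.5.4.6) values out of each exported certificate, issuer first and then subject. Standard library only. The file it expects is what Wireshark's "Export Selected Packet Bytes" produces (DER; PEM is accepted too). sample_cert() builds a constructed, minimal certificate-shaped blob (issuer C=US, subject C=IL), not a real certificate from the pcap, so the script runs offline.

```python
"""Read the countryName (C=) fields out of DER certificates exported from Wireshark."""
import base64
import sys

COUNTRY_OID = bytes.fromhex("550406")  # id-at-countryName, 2.5.4.6, DER-encoded
CN_OID = bytes.fromhex("550403")       # id-at-commonName, 2.5.4.3 (used only by the sample)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _walk(buf, found):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == 0x30 and value[:1] == b"\x06":
            # SEQUENCE { OID, ... }: an AttributeTypeAndValue (or an AlgorithmIdentifier / Extension)
            _, oid, after = read_tlv(value, 0)
            if oid == COUNTRY_OID and after < len(value):
                _, country, _ = read_tlv(value, after)
                found.append(country.decode("ascii", "replace"))
        elif tag in (0x30, 0x31, 0xA0, 0xA3):  # SEQUENCE, SET, [0] version, [3] extensions
            _walk(value, found)


def extract_countries(der):
    """Countries in encounter order: for an X.509 cert that is issuer first, then subject."""
    found = []
    _walk(der, found)
    return found


def load_der(path):
    """Wireshark's export is DER; a PEM file is base64-decoded first."""
    data = open(path, "rb").read()
    if data.startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


def tlv(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample input."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_cert():
    """Constructed stand-in (not a real certificate) with the parts the walker cares about."""
    def attr(oid, tag, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text)))  # SET { SEQUENCE { OID, value } }
    issuer = tlv(0x30, attr(COUNTRY_OID, 0x13, b"US") + attr(CN_OID, 0x0C, b"Example CA"))
    subject = tlv(0x30, attr(COUNTRY_OID, 0x13, b"IL") + attr(CN_OID, 0x0C, b"bad.example"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + issuer + subject)
    return tlv(0x30, tbs)


if __name__ == "__main__":
    der = load_der(sys.argv[1]) if len(sys.argv) > 1 else sample_cert()
    print("countries (issuer, subject):", extract_countries(der))
```

Run it once per exported certificate (python3 certcountry.py cert.der); the walker does not descend into extension OCTET STRINGs, so only the issuer and subject names are reported, which is what the question asks for.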
7. Is the host infected?
Yes; See below for details
File extraction:
We open the suspicious pcap, spot some HTTP traffic, and copy the gzip-decompressed response body as text:
Then we paste the following snippet (the one with the big atob string) together with the saveAs function below into the dev console in Chrome/Firefox. Do this in an isolated analysis VM, since you are executing the attacker's script:
function saveAs(blob, fileName) {
let url = window.URL.createObjectURL(blob);
let anchorElem = document.createElement('a');
anchorElem.style = 'display: none';
anchorElem.href = url;
anchorElem.download = fileName;
document.body.appendChild(anchorElem);
anchorElem.click();
document.body.removeChild(anchorElem);
// On Edge, revokeObjectURL should be called only after
// a.click() has completed, atleast on EdgeHTML 15.15048
setTimeout(function() {
window.URL.revokeObjectURL(url);
}, 1000);
}
This downloads Ref_Sept24-2020.zip to our computer; it contains a .scr file that gets flagged by Windows Defender.
DIE (Detect It Easy) tells us the .scr is a RAR archive (probably a self-extracting RAR).
We extract the .scr using 7-Zip and get a couple of interesting files:
Selector.vbs just runs dsep.bat, which renames SLP.txt to hl.rar and extracts it, so we do that manually. The bat file tells us the password is "Version":
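The same decoding done statically, as an added example that is not part of the original write-up: rather than pasting the attacker's JavaScript into a browser console, pull the base64 out of the atob() call, decode it, sniff the magic bytes and hash the result. Standard library only. SAMPLE_JS and SAMPLE_PAYLOAD are constructed (a fake zip local-file header, not the real Ref_Sept24-2020.zip) so it runs without the pcap; point it at the saved response body to carve the real dropper.

```python
"""Carve the dropped file out of a "let byteCharacters = atob('...')" script without running it."""
import base64
import gzip
import hashlib
import re
import sys

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
SAVEAS_RE = re.compile(r"saveAs\([^,]+,\s*['\"]([^'\"]+)['\"]\s*\)")
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MZ", "pe (exe/dll/scr)"),
    (b"\x1f\x8b", "gzip"),
]

# Constructed sample: a zip local-file-header signature plus padding, not the real payload.
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 26
SAMPLE_JS = (
    "let byteCharacters = atob('" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "');\n"
    "let byteNumbers = new Array(byteCharacters.length);\n"
    "for (let i = 0; i < byteCharacters.length; i++) byteNumbers[i] = byteCharacters.charCodeAt(i);\n"
    "let blob = new Blob([new Uint8Array(byteNumbers)], {type: 'application/octet-stream'});\n"
    "saveAs(blob, 'Ref_Sept24-2020.zip');\n"
)


def maybe_gunzip(body):
    """Wireshark's 'decompressed body' is already plain; a raw HTTP body may still be gzip."""
    return gzip.decompress(body) if body[:2] == b"\x1f\x8b" else body


def sniff(data):
    """Best-effort file type from the leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def carve(js_text):
    """One record per atob() blob: bytes, type guess, sha256, and the saveAs() filename if present."""
    names = SAVEAS_RE.findall(js_text)
    records = []
    for i, b64 in enumerate(ATOB_RE.findall(js_text)):
        data = base64.b64decode(re.sub(r"\s+", "", b64))
        records.append({
            "filename": names[i] if i < len(names) else None,
            "kind": sniff(data),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return records


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = maybe_gunzip(open(sys.argv[1], "rb").read()).decode("utf-8", "replace")
    else:
        text = SAMPLE_JS
    for rec in carve(text):
        print(rec["filename"], rec["kind"], rec["size"], rec["sha256"])
        if len(sys.argv) > 1 and rec["filename"]:
            # Write under a neutral extension so nothing opens it by accident.
            open(rec["filename"] + ".carved", "wb").write(rec["data"])
```

The sha256 is the IOC worth keeping; the .carved suffix keeps the dropper from being double-clicked or auto-extracted on the analysis box.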
rename SLP.txt hl.rar
"PLS.exe" e -pVersion hl.rar
timeout 5
start fatless.vbs
timeout 4
del /f /q "hl.rar"
del /f /q "dsep.bat"
del /f /q "C:\Users\mycomp\Desktop\inst.exe"
@exit
Part 2: PowerShell logs
We filter by task category and notice the following:
From that, we understand that recipe.txt is what the attacker is after. Searching for recipe.txt shows events on 12/24/2022 where recipe.txt is deleted.
Knowing this, we can now filter for events after 12/23/2022 to remove the noise.
For question 3 I couldn't find the right command using Windows Event Viewer, because the GUI hides some of the event data. Using grep on the raw events I managed to find the answer:
When did the attack occur?
>12/24/2022
What is the filename from which the attacker read secrets?
> Recipe.txt
8. What is the eventId of the logs that show the attacker's commands being run?
>4104
9. Is the secret ingredient compromised?
> Yes
10.What is the secret ingredient?
>honey
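The grep step done as a script, as an added example that is not part of the original write-up: keep only script block events (event ID 4104, the ones that carry the commands actually run), drop everything before the cutoff date, and pull out the commands that touch the target file and any -replace calls. Standard library only. The input format is an assumption made so the script runs offline: one event per line, TimeCreated, EventID and Message separated by tabs, the kind of export you would produce yourself from the evtx. SAMPLE_EVENTS are constructed, not the challenge's real events.

```python
"""Filter PowerShell script block logs (event ID 4104) around a target file."""
from datetime import datetime
import re

SCRIPT_BLOCK = 4104  # "Creating Scriptblock text" events hold the command text

# Constructed sample (TimeCreated, EventID, Message); the 12/20 event and the 4103 event are noise.
SAMPLE_EVENTS = [
    ("2022-12-20T09:12:03+00:00", 4104, r"Get-Process | Sort-Object CPU"),
    ("2022-12-24T05:01:11+00:00", 4103, r'CommandInvocation(Get-Content): "Get-Content"'),
    ("2022-12-24T05:01:12+00:00", 4104, r"$foo = Get-Content .\Recipe.txt"),
    ("2022-12-24T05:01:15+00:00", 4104, r"$foo = $foo -replace 'honey', 'something else'"),
    ("2022-12-24T05:02:30+00:00", 4104, r"Remove-Item .\Recipe.txt"),
]
SAMPLE_LOG = "".join(f"{t}\t{i}\t{m}\n" for t, i, m in SAMPLE_EVENTS)

REPLACE_RE = re.compile(r"-replace\s+'([^']*)'\s*,\s*'([^']*)'")


def parse_log(text):
    """One event per line: TimeCreated<TAB>EventID<TAB>Message (assumed export format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, message = line.split("\t", 2)
        events.append({"time": datetime.fromisoformat(when), "id": int(event_id), "message": message})
    return events


def script_blocks(events, after=None):
    """4104 events only, optionally restricted to those after an ISO-8601 cutoff (noise removal)."""
    if isinstance(after, str):
        after = datetime.fromisoformat(after)
    return [e for e in events if e["id"] == SCRIPT_BLOCK and (after is None or e["time"] > after)]


def touching(events, filename):
    """Events whose command mentions filename, case-insensitively (Windows paths are)."""
    needle = filename.lower()
    return [e for e in events if needle in e["message"].lower()]


def replaced_strings(events):
    """(old, new) pairs from -replace calls in script blocks: what the attacker swapped."""
    return [m for e in script_blocks(events) for m in REPLACE_RE.findall(e["message"])]


def attack_day(events, filename):
    """Date of the first script block that touches filename, as YYYY-MM-DD."""
    hits = touching(script_blocks(events), filename)
    return hits[0]["time"].date().isoformat() if hits else None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("attack day:", attack_day(events, "recipe.txt"))
    for e in touching(script_blocks(events, after="2022-12-23T00:00:00+00:00"), "recipe.txt"):
        print(e["time"].isoformat(), e["message"])
    print("replaced:", replaced_strings(events))
```

Filtering on 4104 first matters: 4103 (module logging) and 4100 events mention the same cmdlets but not the literal command line, which is why Event Viewer's summary view was misleading.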
Suricata rules
My first rule, to match adv[.]epostoday[.]uk, was:
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns_query; content:"adv.epostoday.uk"; nocase; metadata:created_at 2019_05_15, updated_at 2019_05_15; classtype:trojan-activity; sid:1234; rev:1;)
This still didn't work; I tried using http instead of the ip keyword and removed both flow and content. That matched 454 packets out of 681:
alert http 192.185.57.242 any -> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)
For the second indicator, we flagged 454 packet(s), but we expected 681. Please try again!
Not sure what was missing there; I thought I might be matching traffic in one direction only. I asked ChatGPT:
That obviously didn't work, but the error gave me the answer:
Bidirectional is <> instead of ->
So we change our rule to:
alert http 192.185.57.242 any <> $HOME_NET any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:12345; rev:1;)
Third rule being asked is:
We heard that some naughty actors are using TLS certificates with a specific CN.
Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya.
When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:12346; rev:1;)
Which worked nicely. Every rule needs its own sid (Suricata refuses to load a rule without one), hence the sid above.
OK, one more to rule them all and in the darkness find them.
Let's watch for one line from the JavaScript: let byteCharacters = atob
Oh, and that string might be GZip compressed - I hope that's OK!
Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection
ChatGPT returns the following with this prompt:
"Write a rule to watch for one line from the JavaScript: "let byteCharacters = atob" This string might be gzip compressed. Please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection"
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious JavaScript function, possible Dridex infection"; content:"let byteCharacters = atob"; flow:established,to_server; http_content_type; content: "text/javascript"; http_accept_encoding; content: "gzip";)
Nice start, but I had to change it to:
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; file_data; content:"let byteCharacters = atob"; sid:12347; rev:1;)
According to the docs, file_data inspects the HTTP response body after Suricata has decompressed it, so the string is matched even when the server sent it gzip-compressed.
Elven ring
Git
I tried the below and got a permission denied error:
Trying orc_admin came from browsing the repo at https://haugfactory.com/orcadmin and finding this user.
Again, I tried using ChatGPT.
That didn't work; So I went to the gitlab website and pressed the clone button to get the http command:
I tried all of the above but they were all pretty useless.
Let's keep going with recon:
Connecting to that second IP on port 2222 asks us for samways's password. We can use hashcat or john to try to recover it. The entry in the /etc/shadow file is:
Oh... well, OK then! As you can see, ChatGPT wasn't great there.
CI/CD pipeline
The prompt gives us the following:
Greetings Noble Player,
Many thanks for answering our desperate cry for help!
You may have heard that some evil Sporcs have opened up a web-store selling
counterfeit banners and flags of the many noble houses found in the land of
the North! They have leveraged some dastardly technology to power their
storefront, and this technology is known as PHP!
***gasp***
This storefront utilizes a truly despicable amount of resources to keep the
website up. And there is only a certain type of Christmas Magic capable of
powering such a thing… an Elfen Ring!
Along with PHP there is something new we've not yet seen in our land.
A technology called Continuous Integration and Continuous Deployment!
Be wary!
Many fair elves have suffered greatly but in doing so, they've managed to
secure you a persistent connection on an internal network.
BTW take excellent notes!
Should you lose your connection or be discovered and evicted the
elves can work to re-establish persistence. In fact, the sound of fans
and the sag in lighting tells me all the systems are booting up again right now.
Please, for the sake of our Holiday help us recover the Ring and save Christmas!
Running git clone on this, we can't resolve the domain.
We run ifconfig to get our network range and notice nmap is installed on the host. Asking ChatGPT for the host-discovery command:
grinchum-land:/home/samways# nmap -sn 172.18.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:26 GMT
Nmap scan report for 172.18.0.1
Host is up (0.00013s latency).
MAC Address: 02:42:0A:F2:58:85 (Unknown)
Nmap scan report for wordpress-db.local_docker_network (172.18.0.87)
Host is up (0.000055s latency).
MAC Address: 02:42:AC:12:00:57 (Unknown)
Nmap scan report for wordpress.local_docker_network (172.18.0.88)
Host is up (0.000037s latency).
MAC Address: 02:42:AC:12:00:58 (Unknown)
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.000039s latency).
MAC Address: 02:42:AC:12:00:96 (Unknown)
Nmap scan report for grinchum-land.flag.net.internal (172.18.0.99)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.86 seconds
Nmap scan on one of these ips:
grinchum-land:~$ nmap 172.18.0.150
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 00:37 GMT
Nmap scan report for gitlab.local_docker_network (172.18.0.150)
Host is up (0.00037s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8181/tcp open intermapper
Nice; we now know the GitLab host. Let's clone it:
No interesting creds, as they're pulled from variables.
Then I remembered this was about CI/CD deployments; let's try committing to the repo:
grinchum-land:/home/samways/wordpress.flag.net.internal# git status
On branch main
Your branch is up to date with 'origin/main'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: readme.html
no changes added to commit (use "git add" and/or "git commit -a")
grinchum-land:/home/samways/wordpress.flag.net.internal# git add *
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit test
error: pathspec 'test' did not match any file(s) known to git
grinchum-land:/home/samways/wordpress.flag.net.internal# git commit -m test
[main e042b3a] test
Committer: root <root@grinchum-land.flag.net.internal>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:
git config --global --edit
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
1 file changed, 1 insertion(+)
grinchum-land:/home/samways/wordpress.flag.net.internal#
OK; I think I need to commit as sporx@kringlecon.com using that PEM key; let's try that.
We look at / and find flag.txt; cat-ing it returns the Elven Ring!
Web Ring
Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.
Pretty obvious: mass hits on /login.html with POST requests, the signature of a brute-force attack.
Bad ip is 18.222.86.32
The first attack is a brute force login. What's the first username tried?
We use the following filter in Wireshark:
The next attack is forced browsing where the naughty one is guessing URLs. What's the first successful URL path in this attack?
In the txt file, we look for a long run of 404s from the bad IP and take the first 200 success right after them:
The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?
There are a couple of XXE payloads (and technically file:///etc/passwd is a URI too), but the first URI the attacker successfully had the server fetch through that XXE/SSRF is:
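The three steps above (noisiest login poster, first forced-browsing hit after the 404 run, external entity URIs in the XXE bodies) as one triage script, added here as an example that is not part of the original write-up. Standard library only. The log format is an assumption made so it runs offline: one request per line, ip, method, path, status and request body separated by tabs, with an empty body for GETs. SAMPLE_LOG is constructed, not the Boria mines traffic, but follows the same pattern; the 169.254.169.254 address is the standard IMDS endpoint.

```python
"""Triage a web log for brute force, forced browsing and XXE/SSRF from one source IP."""
from collections import Counter
import re
from urllib.parse import parse_qs

# Constructed sample: ip<TAB>method<TAB>path<TAB>status<TAB>body (assumed format, not real traffic).
SAMPLE_LOG = "\n".join([
    "10.0.0.5\tGET\t/index.html\t200\t",
    "203.0.113.9\tPOST\t/login.html\t401\tusername=alice&password=Password1",
    "203.0.113.9\tPOST\t/login.html\t401\tusername=admin&password=123456",
    "10.0.0.7\tPOST\t/login.html\t200\tusername=elf&password=correct-horse",
    "203.0.113.9\tPOST\t/login.html\t401\tusername=root&password=toor",
    "203.0.113.9\tGET\t/backup\t404\t",
    "203.0.113.9\tGET\t/admin\t404\t",
    "203.0.113.9\tGET\t/status\t200\t",
    "203.0.113.9\tPOST\t/api/upload\t200\t<?xml version=\"1.0\"?>"
    "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/passwd\">]><r>&x;</r>",
    "203.0.113.9\tPOST\t/api/upload\t200\t<?xml version=\"1.0\"?>"
    "<!DOCTYPE r [<!ENTITY x SYSTEM \"http://169.254.169.254/latest/meta-data/\">]><r>&x;</r>",
]) + "\n"

ENTITY_RE = re.compile(r'<!ENTITY\s+\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.I)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, status, body = line.split("\t", 4)
        rows.append({"ip": ip, "method": method, "path": path, "status": int(status), "body": body})
    return rows


def noisiest_poster(rows, path="/login.html"):
    """IP with the most POSTs to the login page: the brute-force source."""
    counts = Counter(r["ip"] for r in rows if r["method"] == "POST" and r["path"] == path)
    return counts.most_common(1)[0][0] if counts else None


def first_username(rows, ip, path="/login.html"):
    """Username in the first login POST from ip (form-encoded body assumed)."""
    for r in rows:
        if r["ip"] == ip and r["method"] == "POST" and r["path"] == path:
            return parse_qs(r["body"]).get("username", [None])[0]
    return None


def first_forced_browsing_hit(rows, ip, min_misses=2):
    """First path that answered 2xx right after a run of at least min_misses 404s from ip."""
    misses = 0
    for r in rows:
        if r["ip"] != ip:
            continue
        if r["status"] == 404:
            misses += 1
        elif 200 <= r["status"] < 300 and misses >= min_misses:
            return r["path"]
        else:
            misses = 0
    return None


def xxe_fetch_targets(rows, ip=None):
    """URIs declared in external entities, in order: file:// reads and SSRF targets alike."""
    urls = []
    for r in rows:
        if ip is None or r["ip"] == ip:
            urls.extend(ENTITY_RE.findall(r["body"]))
    return urls


def imds_targets(urls):
    """Only the entity URIs aimed at the cloud metadata service."""
    return [u for u in urls if u.startswith("http://169.254.169.254")]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    bad = noisiest_poster(rows)
    print("bad ip:", bad, "first username:", first_username(rows, bad))
    print("forced browsing hit:", first_forced_browsing_hit(rows, bad))
    print("entity URIs:", xxe_fetch_targets(rows, bad), "IMDS:", imds_targets(xxe_fetch_targets(rows, bad)))
```

Keeping the file:// entities in the output (and filtering IMDS separately) is deliberate: the question asks for the metadata fetch, but the /etc/passwd read is the earlier proof that the XXE worked at all.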