1337 S4cu3 Writeup — Cyber Defenders

a1l4m
7 min read · Jun 17, 2023


Category: Threat Hunting

Wireshark-PCAP-Memory

Background

Scenario

Everyone has heard of targeted attacks. Detecting these can be challenging, and responding to them can be even more challenging. This scenario will test your network and host-based analysis skills as a SOC analyst to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels, and the only thing you need to solve the challenge is some l337 S4uc3!

PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver?

Search for the most obvious thing first: the display filter frame contains “wse.local” returns around 55 packets.

Filter of Wireshark

You will find communication between 172.16.0.1 and 172.16.0.108, and also between 172.16.0.108 and 172.16.0.109. Follow the TCP stream of the first conversation.

Following TCP stream

You will find the Referer header pointing to a URL that contains the public IP address of the web server.

PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the “GrrCON.pcapng” evidence file.

Just change the time display format to UTC from here (View > Time Display Format), then read the arrival time of the first packet.

Changing the time zone to UTC

PCAP: What version number of PHP is the development.wse.local server running?

PCAP: What version number of Apache is the development.wse.local web server using?

Check any HTTP response from the server; the PHP and Apache versions appear in plain text in the response headers.

Version of PHP and Apache on the server

IR: What is the common name of the malware reported by the IDS alert provided?

Checking the image that contains the alert.

The name of the malware

PCAP: Please identify the Gateway IP address of the LAN, because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP.

As part of the hunt, you need an idea of what this malware, "Zeus," does: its normal behavior and its purpose.

Quick search

Behavior of the malware

It steals data. Once you know the behavior, it’s easier to continue your investigation.

Now the gateway has to be the IP that sent a large amount of data to the attacker's server. Look at the Conversations window under the Statistics menu in Wireshark.

Statistics menu in Wireshark

Now you know the answer.

IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged?

Looking again at the alert, you will notice what you are looking for.

Alert details

PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address?

We already know from the alert we received (the image) that the malware is controlling the machine 172.16.0.109, so look at the connections of this machine.

Zeus CNC server

You may wonder why this one exactly. Because I like it :”

Nah, just joking. It is because the compromised machine sends data to this server at the highest rate of all its connections.

PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name?

Filter for the connection between the malware server and the compromised machine, then for the keyword “.bin”.

name of the downloaded file

PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident, and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST?

Filtering for POST requests

POST request filter

You will get three packets; follow the TCP stream.

Follow TCP stream.

You will notice the username and the password of the account that logged in.

PCAP: After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design’s page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please provide the time of the accessed Designs page?

Filtering for this password

Password filtering

You will see the time that someone logged in to the design page.

Note: change the time display to UTC; if you don’t know how, look at the top of the writeup.

PCAP: What is the source port number in the shellcode exploit? Dest port was 31708; IDS signature: GPL SHELLCODE x86 inc ebx NOOP.

I tried filtering for a lot of things, like:

frame contains “cf.bin” (the malicious file that got downloaded from the attacker's server)

frame contains “.sh” (the extension of the shell code)

frame contains “NewDesign.jpg.exe” (a file that got downloaded from the attacker's server)

frame contains “31708” (the port number)

No results.

I tried to search for the port directly.

udp.dstport == 31708, and the answer was pretty clear :)
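To show what Wireshark is doing behind the Conversations window (used above for the gateway and the CNC server) and behind a filter like udp.dstport == 31708, here is an added example of my own, not part of the original challenge or the GrrCON capture. It builds a small classic-pcap capture in memory (the challenge file is pcapng, which needs a different reader), parses Ethernet/IPv4/TCP/UDP with only the standard library, and then ranks who sent the most bytes to whom and picks out the source port of the UDP frame aimed at port 31708. All addresses and ports in the sample (203.0.113.10, 198.51.100.7, source port 40123) are constructed placeholders, not values from the challenge.

```python
import struct
from collections import defaultdict

# ---- constructed sample capture (classic pcap, NOT the challenge's GrrCON.pcapng) ----
def _eth(payload, ethertype=0x0800):
    # Ethernet II header with made-up MAC addresses
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header (IHL 5, no options); checksum left as 0 because nothing here validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + payload

def _tcp(sport, dport, payload):
    # 20-byte TCP header, PSH+ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap():
    """Five constructed frames: one web request, three big uploads to a stand-in C2, one UDP frame to 31708."""
    frames = [
        _eth(_ipv4("172.16.0.108", "172.16.0.109", 6, _tcp(51000, 80,
             b"GET /wp-login.php HTTP/1.1\r\nHost: development.wse.local\r\n\r\n"))),
        _eth(_ipv4("172.16.0.109", "203.0.113.10", 6, _tcp(49152, 80, b"A" * 800))),  # 203.0.113.10 = placeholder C2
        _eth(_ipv4("172.16.0.109", "203.0.113.10", 6, _tcp(49152, 80, b"B" * 600))),
        _eth(_ipv4("172.16.0.1", "203.0.113.10", 6, _tcp(49200, 80, b"C" * 300))),
        _eth(_ipv4("198.51.100.7", "172.16.0.109", 17, _udp(40123, 31708, b"constructed udp payload"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

# ---- a tiny reader for classic pcap: one dict per frame, like a row in the packet list ----
def parse_pcap(data):
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    if struct.unpack(end + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    frames, off, num = [], 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        raw = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        num += 1
        frame = {"number": num, "time": ts_sec + ts_usec / 1e6, "length": orig_len, "raw": raw, "proto": None}
        if len(raw) >= 34 and raw[12:14] == b"\x08\x00":          # IPv4 ethertype
            ihl = (raw[14] & 0x0F) * 4
            proto = raw[23]
            frame["src"] = ".".join(map(str, raw[26:30]))
            frame["dst"] = ".".join(map(str, raw[30:34]))
            l4 = raw[14 + ihl:]
            if proto == 6 and len(l4) >= 20:
                sport, dport = struct.unpack("!HH", l4[:4])
                frame.update(proto="tcp", sport=sport, dport=dport, payload=l4[(l4[12] >> 4) * 4:])
            elif proto == 17 and len(l4) >= 8:
                sport, dport = struct.unpack("!HH", l4[:4])
                frame.update(proto="udp", sport=sport, dport=dport, payload=l4[8:])
        frames.append(frame)
    return frames

# ---- the analysis steps from the writeup, done by hand ----
def bytes_by_direction(frames):
    """Like Statistics > Conversations, but directional: bytes each src sent to each dst, biggest first."""
    totals = defaultdict(int)
    for f in frames:
        if "src" in f:
            totals[(f["src"], f["dst"])] += f["length"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def top_sender_to(frames, dst):
    """Which address pushed the most bytes to dst (the writeup's test for the gateway)."""
    ranked = [pair for pair, _ in bytes_by_direction(frames) if pair[1] == dst]
    return ranked[0][0] if ranked else None

def top_destination_from(frames, src):
    """Where src sent the most bytes (the writeup's test for the CNC server of 172.16.0.109)."""
    ranked = [pair for pair, _ in bytes_by_direction(frames) if pair[0] == src]
    return ranked[0][1] if ranked else None

def frame_contains(frames, needle):
    """Equivalent of the display filter frame contains "..." : frame numbers whose raw bytes hold needle."""
    return [f["number"] for f in frames if needle in f["raw"]]

def udp_dstport(frames, port):
    """Equivalent of udp.dstport == port; the source port is then just f["sport"]."""
    return [f for f in frames if f.get("proto") == "udp" and f["dport"] == port]

if __name__ == "__main__":
    fr = parse_pcap(build_sample_pcap())
    print("frames containing wse.local:", frame_contains(fr, b"wse.local"))
    print("top sender to 203.0.113.10:", top_sender_to(fr, "203.0.113.10"))
    print("source port of UDP to 31708:", [f["sport"] for f in udp_dstport(fr, 31708)])
```

The byte ranking uses the frame length in each direction separately, which is the same number you see in the "Bytes A → B" column of the Conversations window; ranking by total bytes in both directions can point at a different host, so decide which column you mean before you call something the top talker.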

PCAP: What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

Filter for frame contains “sysinfo”, then follow the TCP stream.

Follow TCP Stream

If you search the stream for the “linux” keyword, you will find what you are looking for.

Filter for the “linux” keyword

PCAP: What is the value of the token passed in frame 3897?

Just jump to the frame number, and you will find the token.

PCAP: What was the tool that was used to download a compressed file from the webserver?

Just search for the most common compressed-file extensions with frame contains “.zip” || frame contains “.tar” || frame contains “.gz”, and you will get these packets.

Results of the filter

Following the stream

Follow TCP stream

Notice that the User-Agent is wget, which is the name of the tool used to grab the file.
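Several answers in this writeup come from reading a followed TCP stream by eye: the Referer URL with the web server's public IP, the Apache and PHP versions in the response headers, the username and password in the POST to wp-login.php, and the wget User-Agent on the archive download. The following is an added example of mine (not the challenge's data and not code from the author) that parses one direction of a reassembled HTTP stream at a time, the way Follow TCP Stream presents it, and pulls those fields out programmatically. The client and server streams are constructed; the IP 203.0.113.25, the versions "Apache/0.0.0 (constructed)" and "PHP/0.0.0-constructed", the account "sampleuser" and its password are placeholders.

```python
from email.parser import Parser
import re
from urllib.parse import parse_qs, urlparse

# ---- constructed streams, shaped like the output of Follow TCP Stream (not the challenge capture) ----
FORM = "log=sampleuser&pwd=S4mpl3-P4ss&wp-submit=Log+In"          # WordPress login field names: log / pwd
CLIENT_STREAM = (
    "POST /wp-login.php HTTP/1.1\r\nHost: development.wse.local\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\nReferer: http://203.0.113.25/wp-login.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(FORM)}\r\n\r\n{FORM}"
    "GET /backups/site.tar.gz HTTP/1.1\r\nHost: development.wse.local\r\n"
    "User-Agent: Wget/1.0 (constructed)\r\n\r\n"
)
SERVER_STREAM = (
    "HTTP/1.1 302 Found\r\nServer: Apache/0.0.0 (constructed)\r\nX-Powered-By: PHP/0.0.0-constructed\r\n"
    "Location: /wp-admin/\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nServer: Apache/0.0.0 (constructed)\r\nContent-Type: application/gzip\r\n"
    "Content-Length: 4\r\n\r\nGZIP"
)

def iter_messages(raw):
    """Split one direction of an HTTP/1.x stream into (start_line, headers, body); bodies sized by Content-Length."""
    pos = 0
    while pos < len(raw):
        end = raw.find("\r\n\r\n", pos)
        if end == -1:
            break
        start_line, _, header_text = raw[pos:end].partition("\r\n")
        headers = Parser().parsestr(header_text, headersonly=True)   # case-insensitive header lookup
        length = int(headers.get("Content-Length", "0") or 0)
        body = raw[end + 4:end + 4 + length]
        yield start_line, headers, body
        pos = end + 4 + length

def summarize_stream(client_raw, server_raw):
    """What an analyst reads off a followed stream: requests with their origin and form data, server banners."""
    out = {"requests": [], "status": [], "server": None, "x_powered_by": None}
    for start, h, body in iter_messages(client_raw):
        method, path, _ = start.split(" ", 2)
        req = {"method": method, "path": path, "host": h.get("Host"),
               "user_agent": h.get("User-Agent"), "referer": h.get("Referer")}
        if method == "POST" and h.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            req["form"] = {k: v[0] for k, v in parse_qs(body).items()}
        out["requests"].append(req)
    for start, h, _ in iter_messages(server_raw):
        out["status"].append(start)
        out["server"] = out["server"] or h.get("Server")              # Apache version lives here
        out["x_powered_by"] = out["x_powered_by"] or h.get("X-Powered-By")  # PHP version lives here
    return out

def referer_host(summary):
    """Host part of the first Referer URL: where the public IP of the web server came from above."""
    for r in summary["requests"]:
        if r["referer"]:
            return urlparse(r["referer"]).hostname
    return None

def wordpress_logins(summary):
    """(username, password) pairs posted to wp-login.php; cleartext because the site is plain HTTP."""
    return [(r["form"].get("log"), r["form"].get("pwd")) for r in summary["requests"]
            if r["path"].startswith("/wp-login.php") and "form" in r]

def archive_downloaders(summary):
    """User-Agents that fetched .zip/.tar/.gz/.tgz files (the 'which tool' question)."""
    return {r["user_agent"] for r in summary["requests"]
            if r["method"] == "GET" and re.search(r"\.(zip|tar|gz|tgz)$", r["path"])}

if __name__ == "__main__":
    s = summarize_stream(CLIENT_STREAM, SERVER_STREAM)
    print("referer host:", referer_host(s))
    print("server banners:", s["server"], "/", s["x_powered_by"])
    print("logins:", wordpress_logins(s))
    print("download tools:", archive_downloaders(s))
```

Because the parser only trusts Content-Length, chunked responses and pipelined bodies without a length would be mis-split; for a quick triage of a followed stream that is fine, but for anything beyond that, let Wireshark's HTTP dissector or an HTTP library do the framing.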

PCAP: What is the download file name the user launched the Zeus bot?

Search for the extensions of the executables that got downloaded:

frame contains “.exe” || frame contains “.dll”

You will notice the answer in the packets.

Memory: What is the full file path of the system shell spawned through the attacker’s meterpreter session?

Okay, after running this command: vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_netstat

Port 4444 crying

You will notice that the famous port 4444 of Meterpreter is open with a process ID equal to 1274.

We just need to check this process ID with the linux_psaux plugin: vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux | grep -i "1274"

result of the command above

Notice the command used to start the shell, including its full path.

Memory: What is the Parent Process ID of the two ‘sh’ sessions?

Using the linux_pstree plugin, vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pstree, you will see the parent process with its ID right next to it.

The process tree

Memory: What is the latency_record_count for PID 1274?

Using the linux_volshell plugin with the command vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_volshell,

result of the command above

then specify the process ID and use the dt() function on its task_struct.

Specifying pid, and the task struct.

You will see here what you are looking for.

latency_record_count

Memory: For the PID 1274, what is the first mapped file path?

The linux_proc_maps plugin shows the files mapped by the process you specify, e.g. vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_proc_maps -p 1274

result of the command above

Memory: What is the MD5 hash of the receive.1105.3 file out of the per-process packet queue?

With a quick Google search for “per-process packet queue”

volatility plugin

you will find that there is a Volatility plugin that enumerates the queues and recovers them to disk.

Using the plugin in our command.

With the command vol2 -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pkt_queues -D ../../dump you will be able to extract the files

receive.1105.3 and receive.930.10; running md5sum receive.1105.3 gives you the answer.
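The memory part of this writeup is really three small pivots: find the PID behind the port 4444 connection in linux_netstat, look that PID up in linux_psaux to get the shell's full path, and hash whatever linux_pkt_queues dumped. Here is an added example of mine that automates those pivots over plugin output captured as text; it is not part of the challenge and not Volatility code. The netstat and psaux blocks below are constructed samples laid out in the shape of the Volatility 2 plugins' output (column spacing may differ on a real run, so the regex is deliberately tolerant), the addresses and the /bin/sh command line are placeholders, and the two "queue" files contain the constructed bytes "abc" and "a" rather than anything from the webserver.vmss image.

```python
import hashlib
import os
import re
import tempfile

# ---- constructed plugin output, shaped like vol2 linux_netstat / linux_psaux (not from webserver.vmss) ----
NETSTAT_OUT = """\
TCP      0.0.0.0         :   80 0.0.0.0         :    0 LISTEN                 apache2/1021
TCP      172.16.0.109    : 4444 198.51.100.7    :33211 ESTABLISHED                 sh/1274
UDP      0.0.0.0         :   68 0.0.0.0         :    0                       dhclient/899
"""
PSAUX_OUT = """\
Pid    Uid    Gid    Arguments
1021   0      0      /usr/sbin/apache2 -k start
1274   33     33     /bin/sh -i
"""

# proto, laddr, lport, raddr, rport, optional state, name/pid; spacing around ':' and '/' is not assumed
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s*:\s*(\d+)\s+(\S+)\s*:\s*(\d+)\s*(\S*)\s+(\S+?)/\s*(\d+)\s*$")

def parse_netstat(text):
    """One dict per socket row; header or otherwise unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, name, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": int(rport), "state": state, "name": name, "pid": int(pid)})
    return rows

def pids_on_port(rows, port):
    """PIDs owning a socket whose local or remote port matches (4444 is Meterpreter's default)."""
    return sorted({r["pid"] for r in rows if port in (r["lport"], r["rport"])})

def parse_psaux(text):
    """Map PID -> full argument string; the first line of the plugin output is the column header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs[int(parts[0])] = parts[3]
    return procs

def shell_path_for_pid(procs, pid):
    """The executable path is argv[0] of the psaux command line for that PID."""
    args = procs.get(pid, "")
    return args.split()[0] if args else None

def md5_of_dumped_files(dump_dir):
    """Same result as running md5sum on each file the -D directory received from linux_pkt_queues."""
    hashes = {}
    for name in sorted(os.listdir(dump_dir)):
        with open(os.path.join(dump_dir, name), "rb") as fh:
            hashes[name] = hashlib.md5(fh.read()).hexdigest()
    return hashes

def demo_queue_hashes():
    """Write two constructed queue files into a temp dir and hash them (stand-in for the -D dump dir)."""
    dump_dir = tempfile.mkdtemp(prefix="pkt_queues_")
    for name, content in (("receive.1105.3", b"abc"), ("receive.930.10", b"a")):
        with open(os.path.join(dump_dir, name), "wb") as fh:
            fh.write(content)
    return md5_of_dumped_files(dump_dir)

if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_OUT)
    for pid in pids_on_port(sockets, 4444):
        print("pid", pid, "shell path:", shell_path_for_pid(parse_psaux(PSAUX_OUT), pid))
    for name, digest in demo_queue_hashes().items():
        print(digest, name)
```

Hashing in Python instead of shelling out to md5sum also means the same script works on an analyst workstation without coreutils; the value is identical because MD5 is computed over the raw file bytes either way.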

Thanks :”

