by ·Comments Off on Breaking bad

In this post I will breakdown a random malware found online.

By opening the file we can see that we are asked to enable the embedded macro.

When we examine the macro itself, we notice that the macro is trying to create a powershell script at “%TEMP%\Catchme\1.ps1″ – my pleasure!
The powershell script is encoded within the cells itself, not something clever.

Lets modify the script and remove the last 7 lines from the function temp() so we can get that powershell script without running it.

The script itself contains some encoded and compressed .NET managed code which will be loaded using System.Reflection.Assembly.Load(byte []).

The assembly is loaded into the application domain of the caller.

But we really want to get the executable itself – its way more fun this way!

To debug .NET assemblies we have some wonderful WinDBG extensions called SOS and SOSEX.
First load sosex.dll to WinDBG

.load “C:\\Users\\mark\\Desktop\\don’t open – dead inside\\sosex.dll”

Next step is settings breakpoints. We are interested in “System.Reflection.Assembly.Load”

!mbm *Assembly.Load*

We got our desired function call!

Because our debugger stopped exactly before “System.Reflection.Assembly.Load” is called, we can look at the stack and get the pointer to the file.

And we finally got him!

All we have left to do is dump the file and take a look at it

.writemem “C:\\Users\\mark\\Desktop\\don’t open – dead inside\\dumped.dll” 07bb1c40 L00046400

After all that work, all we get is a variant of QuasarRAT.

IOC:
sample.xls – md5,70659C4950B32B57DEA60E81DC64279B
1.ps1 – md5,D88A4430EB40F3C6731D66D6FFCB0724
loaded dll – md5,9581221589F01FE90358D31D3450E9A8

by ·Comments Off on Mossad CTF writeup

On Israel’s 69th independence day, the Mossad posted a new CTF challenge for us to break.
As always, challenge accepted.
mossad1
We notice the following URL: http://62933120s,60561450w.xyz and if we check those coordinates (-62.933120,-60.561450) in google maps, we get an island – Deception Island.
mossad2

Challenge #1

Welcome back Agent C!

Once again we require your skills for an urgent mission.
Our intelligence officers have intercepted a message between notorious terrorists discussing an imminent attack on targets world-wide.
Intel points to a popular chat website used by these terrorists to coordinate and select rendezvous locations.
Your mission is to track the team online and ascertain their physical location.

The following link leads to the web site of the online chat service.

Good luck!,
M.

Our mission is find the terrorists and their location using given chat system. sounds easy?
When we register to the chat, we have our first obstacle: there is a queue of 36 people waiting to register, and only the first one will be approved each day.
The bright side, if we give up, we can de-register and remove ourselves from the queue.
We will find a way to de-register the other users.
mossad3
While inspecting the cookies we noticed that the logged user defined by it’s cookie, to be more specific – base64 of the username.
mossad4
After de-registering all the other users, we end up being the only one in the queue.
mossad5
At this point we can simply login and start chatting.
We cannot view the entire room list because this section is closed for premium members.

Sorry, This area is reserved for our PLATINUM members only…

But we can view the active users list.
One of the users is an administrator, we will try to reset his password.
mossad6
The hint we get is a link to a file which will lead us to the password – hopefully.
The file named “password_hint” without extension, but by checking file’s magic number (50 4B 03 04) we can see its a zip (might also be jar, docx, xlsx, etc.), which contains a .dll file.
But like all good things in life, its password protected.mossad8
Luckily the password was very easy to brute force.
mossad9
We open the DLL with IDA and set a breakpoint at the relevant location (usually where the prints/validations happening).
mossad10
We dont care about asked password, simply jump to the correct section and the program will display the desired password.
mossad11
Connecting to admin’s account will let us approve users asking to join a room, I guess we need to join a room (platinum?).
mossad12
Joining the “regular” rooms did not help us.
After digging entire website’s source code the only piece of usable code was the javascript at room selection page.
mossad13
And the source code behind:
mossad14
We played with the parameters and found a combination which displayed the entire room list.
mossad15
You can be only in one room at a time, and the luck was against us – the correct room was the last one.
Thanks to chatW1z we got into the room.
mossad16
And the secret message inside the chat room:
mossad17
Found you!
mossad18

Challenge #2

Well done Agent!

The location you recovered was correct and we dispatched our tactical team.
However, the terrorist group was already gone by the time they arrived. We gathered enough intel to determine that the terrorists have planted a bomb on an airplane somewhere in the world, but we do not know the flight number and/or its destination.

We did however recover a picture of the bomb from the terrorist meeting.

Our steganography expert insists that the picture contains a hidden message, but she was unsuccessful in uncovering it before she left on her honeymoon.
We require your assistance in locating and defusing the bomb before it detonates.
There isn’t much time…

Good luck!,
M.

The next challenge begins with an image:mossad_stego
Lucky for us, the stenography wasn’t too hard and zsteg detected it without problems.
mossad19
And we got our next target.
mossad20
Our mission is to defuse the bomb. we have to find that password quickly.
mossad21
Browsing the site, we found a link to bomb’s firmware, lets hope the password is there.
mossad22
The downloaded file is a zip, and inside there was the firmware.
Firmware itself was some kind of linux file system (might be bootable?), we dont care, just mount it.
mossad23
We found the source code of the defuse mechanism, next step is finding the password using ‘Pmgmt.pyc’ file.
We can either brute force our way using the ‘CheckPassword’ function, or reverse the .pyc file and see what is in there.
By de-compiling Pmgmt.pyc we notice the ‘GetPassword’ function, which is a simple ‘password_array[index]’ implementation.
The index stored in a different file: ‘/etc/iexprun’, so we copy that file from the mounted folder to our file system, and run the function.
mossad26
Easy-Peasy!
mossad27

Challenge #3

You did it again!

The bomb you defused was discovered soon after the airplane landed (seems that someone posted an anonymous tip to local authorities…).
Additionally, we have been able to recruit an agent within the terrorist cell.
We are unable to maintain constant contact with him as the agent is deep undercover.
However, he did manage to post a message to our secure servers. We require your skills once again in order to follow the communication trail and reveal the message.

Thanks, and good luck!,
M.

We get a link to a message that we need to get info from.
This message is a PCAP file, so lets open with Wireshark.
Again, life is hard, and the traffic is is encrypted over SSL.
Fortunately we got some clues from ICMP requests.mossad28
(‘/challenge3/pkey’, ‘/challenge3/abcd’, ‘secret’)
The first file, ‘abcd’, is a copy-paste from Mossad’s page on Wikipedia.mossad29
The second file, ‘pkey’, is literately the pkey.mossad30
Lets try adding that key to Wireshark and hope the packets will be decrypted.
* The key is not in the supported format, so we have to fix it.
mossad31
Add the key:
mossad32
Now we can see the traffic, we can see a successful login and a file transfer.
We really want to see that is that file.
mossad33
And again we see that magic number (50 4B 03 04) but this time it is xlsx and not zip.
mossad34
The xlsx contains random numbers, lets try using that ‘abcd’ file we got earlier and extract characters by given value as index.
mossad36
And we are done!
mossad37

by ·Comments Off on Shabak CTF writeup Part 2

This is the second part of recent challenge posted by the Shabak.

Hey there fellow researcher! In every challenge in the ‘Airplane’ flow you’ll have to get to a point where a password is shown, feel free to use Dissasemblers, Debuggers or what ever you want.

Airplane 1

The intergalactic prison is in a secret location and we don’t know where it is…
We pulled some strings and found an intergalactic prison guard program which is willing to tell us the prison’s coordinates.
Sadly, we don’t know how to talk to it…
Show us what you got and get the prison’s location.

At this stage we have an executable file which should display the flag.
We can see an interesting path at the strings:
shabak13
We created the file but Shabak will not make this challenge that easy, it is time to get our hands dirty and dive into assembly.
By searching for the folder, we can see that the program is reading folder’s attributes and compares them to hardcoded values.
There are two checks that will lead us to failure and will not let us reach the protected area which should reveal the flag.
shabak14
Simply, fill these checks with NOPs and hope for the best.
shabak15
And as expected we have the flag!
shabak15

Airplane 2

HOMEBASE team is working on deciphering the prison messaging system, luckily for us our operatives found a program that knows the encryption key, but unfortunately the program is refusing to talk (maybe a technological approach is better suited for this job since Spanish didn’t work).
We need you to*Make It Talk*

At this level we get a Portable Executable file – ‘Second.exe’.
We run it and he is asking for a password, after some random password is given he is trying to execute ‘GettingSchwifty.bat’ batch file.
shabak16
The file does not have any known magic number, and the content looks encrypted. I guess my password was wrong.
shabak17
By looking at ‘Second.exe’ source code, we can see that ‘GettingSchwifty.bat’ is actually a DLL.
shabak18
We also found out that XOR used to decrypt ‘GettingSchwifty.bat’ data.
At this point we have two options, we can reverse ‘Second.exe’ to find what should be the password, or we can XOR ‘GettingSchwifty.bat’ with a key to get the correct data.
The second method is easier (at this case), we can do it because we know that the used algorithm was XOR on each 4 bytes, and we know what the output should be – a DLL.
DLLs have the same struct (same as PE) and by knowing this we can find what should be the key for ‘GettingSchwifty.bat’ and get our desired DLL.
PE_header
(Image from adlice.com)
We will take the 32 bit starting from offset 0x20 (00 00 00 00 on ‘regular’ PE file), and compare them to the bits on ‘GettingSchwifty.bat’ (BA DB A5 96).
Because we know that XOR was used, [00000000 XOR 5ADBA596 = 5ADBA596] – and this is our key.
The following script did the trick:
shabak19
The next part is breaking that DLL, lets get to it.
We noticed the following code:
shabak20
The DLL will open a pipe called ‘flumbus_channel’, ask us a question by writing it to the pipe, read our answer from the pipe.
The question is ‘What is cooler than being cool?‘.
I have never worked with pipes and I am too lazy to start coding, so I will just replace pipe’s path with my .txt file with the answer, so the DLL will read the answer straight from my file (also don’t forget to skip the WriteFile part so our answer will not get corrupted).shabak23
So after skipping the WriteFile part and reading the answer, the rest was clear and we have our password.
shabak22

by ·Comments Off on Shabak CTF writeup Part 1

This is a write-up of the CTF Shabak posted at April 2017.

Step 0

We begin with the following image:
shabak1
And after we decode as base64 we get:
shabak2
Browsing to the given address will lead us to the actual challenge, I honestly don’t know why all those challenges starting with base64.
We will choose the development team and will return back to research team once we are done.
shabak3

Homebase 1

“Staff Sergeant Foxy” Managed to get his hands on secret source code from the intergalactic prison!
unfortunately the code does not compile, Prove yourself worthy by compiling & executing the project.

We have unfinished project that we have to compile and run.
shabak4
The mission isn’t that hard, we have some undeclared variables, useless code, incorrect function signatures.
shabak5
After fixing all above and changing from debug to release, we get the flag!
shabak6

Homebase 2

Success! Well.. Kinda…
Team Airplane managed to identify the encryption algorithm that the server uses to encrypt the content from the response.
Sadly, they only know how to write pseudo code, so as a programmer you need to buckle up buckaroo and implement the algorithm and decipher the response.

Now we to implement an algorithm and decipher the flag.
shabak7
The algorithm is very straightforward and we also get an example to test our implementation.
Crafted python script:
shabak8
The final result:
shabak9

Homebase 3

Ok so our operative M. Smith managed to get to R. Sanchez’ cell in the prison, now he needs to transmit a message to him! Sadly the prison’s systems filter all messages that get through, so we need to figure out a way to fit its scheme.
You ‘member the decryption algorithm from the last mission? Yes you ‘member! now with a given encrypted message, you will need to find the correct key

Looks like we have to decrypt our way out through brute force:
shabak10
We know that there are only 3 steps, and we know our alphabet.
By knowing the alphabet we can aim for a very specific range of values which will make brute force faster.
A-Z: 65-90 (decimal)
a-z: 97-122
Space, ‘.’, ‘?’: 32, 46, 63
First run of add,sub and xor yielded only one useful output:
shabak11
Because add/sub will keep our values at the same range difference, we have to mix it up with xor in a way that all characters will be within a range of 26 (except for first capital letter and the last letter which reserved for space, ‘.’ and ‘?’).
At this point, after a quick google search, we found the desired quote (also the flag), which perfectly aligned with given encrypted message.
I consider this cheating because the key was never found, but hey – it works 🙂

The end

shabak12