TrueSecrets | Hack The Box | Forensics

Challenge Description

Our cybercrime unit has been investigating a well-known APT group for several months. The group has been responsible for several high-profile attacks on corporate organizations. However, what is interesting about that case, is that they have developed a custom command & control server of their own. Fortunately, our unit was able to raid the home of the leader of the APT group and take a memory capture of his computer while it was still powered on. Analyze the capture to try to find the source code of the server.

Volllllatility!!

imageinfo

┌──(root㉿kali)-[/home/kali/Desktop/challenge-files]
└─# volatility -f TrueSecrets.raw imageinfo             
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Desktop/challenge-files/TrueSecrets.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82732c78L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82733d00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2022-12-14 21:33:30 UTC+0000
     Image local date and time : 2022-12-14 13:33:30 -0800


pslist

┌──(root㉿kali)-[/home/kali/Desktop/challenge-files]
└─# volatility -f TrueSecrets.raw --profile=Win7SP1x86_23418 pslist    
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8378ed28 System                    4      0     87      475 ------      0 2022-12-15 06:08:19 UTC+0000                                 
0x83e7e020 smss.exe                252      4      2       29 ------      0 2022-12-15 06:08:19 UTC+0000                                 
0x843cf980 csrss.exe               320    312      9      375      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x837f6280 wininit.exe             356    312      3       79      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x84402d28 csrss.exe               368    348      7      203      1      0 2022-12-15 06:08:19 UTC+0000                                 
0x84409030 winlogon.exe            396    348      3      110      1      0 2022-12-15 06:08:19 UTC+0000                                 
0x844577a0 services.exe            452    356      9      213      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x8445e030 lsass.exe               468    356      7      591      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x8445f030 lsm.exe                 476    356     10      142      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x84488030 svchost.exe             584    452     10      347      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x844a2030 VBoxService.ex          644    452     11      116      0      0 2022-12-15 06:08:19 UTC+0000                                 
0x844ab478 svchost.exe             696    452      7      243      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x844c3030 svchost.exe             752    452     18      457      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x845f5030 svchost.exe             864    452     16      399      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x845fcd28 svchost.exe             904    452     15      311      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x84484d28 svchost.exe             928    452     23      956      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x8e013488 svchost.exe             992    452      5      114      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x8e030a38 svchost.exe            1116    452     18      398      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x8e0525b0 spoolsv.exe            1228    452     13      275      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x84477d28 svchost.exe            1268    452     19      337      0      0 2022-12-14 21:08:21 UTC+0000                                 
0x8e0a2658 taskhost.exe           1352    452      9      223      1      0 2022-12-14 21:08:22 UTC+0000                                 
0x844d2d28 dwm.exe                1448    864      3       69      1      0 2022-12-14 21:08:22 UTC+0000                                 
0x8e0d3a40 explorer.exe           1464   1436     32     1069      1      0 2022-12-14 21:08:22 UTC+0000                                 
0x8e1023a0 svchost.exe            1636    452     10      183      0      0 2022-12-14 21:08:22 UTC+0000                                 
0x8e10d998 svchost.exe            1680    452     14      224      0      0 2022-12-14 21:08:22 UTC+0000                                 
0x8e07d900 wlms.exe               1776    452      4       45      0      0 2022-12-14 21:08:22 UTC+0000                                 
0x83825540 VBoxTray.exe           1832   1464     12      140      1      0 2022-12-14 21:08:22 UTC+0000                                 
0x8e1cd8d0 sppsvc.exe              352    452      4      144      0      0 2022-12-14 21:08:23 UTC+0000                                 
0x8e1f6a40 svchost.exe            1632    452      5       91      0      0 2022-12-14 21:08:23 UTC+0000                                 
0x8e06f2d0 SearchIndexer.          856    452     13      626      0      0 2022-12-14 21:08:28 UTC+0000                                 
0x91892030 TrueCrypt.exe          2128   1464      4      262      1      0 2022-12-14 21:08:31 UTC+0000                                 
0x91865790 svchost.exe            2760    452     13      362      0      0 2022-12-14 21:10:23 UTC+0000                                 
0x83911848 WmiPrvSE.exe           2332    584      5      112      0      0 2022-12-14 21:12:23 UTC+0000                                 
0x8e1ef208 taskhost.exe           2580    452      5       86      1      0 2022-12-14 21:13:01 UTC+0000                                 
0x8382f198 7zFM.exe               2176   1464      3      135      1      0 2022-12-14 21:22:44 UTC+0000                                 
0x83c1d030 DumpIt.exe             3212   1464      2       38      1      0 2022-12-14 21:33:28 UTC+0000                                 
0x83c0a030 conhost.exe             272    368      2       34      1      0 2022-12-14 21:33:28 UTC+0000                                 


In the process list, TrueCrypt.exe and 7zFM.exe stand out. Let's investigate them!

cmdline

┌──(root㉿kali)-[/home/kali/Desktop/challenge-files]
└─# volatility -f TrueSecrets.raw --profile=Win7SP1x86_23418 cmdline           
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    252
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    320
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
wininit.exe pid:    356
Command line : 
************************************************************************
csrss.exe pid:    368
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    396
************************************************************************
services.exe pid:    452
Command line : C:\Windows\system32\services.exe
************************************************************************
lsass.exe pid:    468
Command line : C:\Windows\system32\lsass.exe
************************************************************************
lsm.exe pid:    476
Command line : C:\Windows\system32\lsm.exe
************************************************************************
svchost.exe pid:    584
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
VBoxService.ex pid:    644
Command line : C:\Windows\System32\VBoxService.exe
************************************************************************
svchost.exe pid:    696
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
svchost.exe pid:    752
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
svchost.exe pid:    864
Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
svchost.exe pid:    904
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
svchost.exe pid:    928
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid:    992
************************************************************************
svchost.exe pid:   1116
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
spoolsv.exe pid:   1228
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
svchost.exe pid:   1268
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
taskhost.exe pid:   1352
Command line : "taskhost.exe"
************************************************************************
dwm.exe pid:   1448
Command line : 
************************************************************************
explorer.exe pid:   1464
Command line : C:\Windows\Explorer.EXE
************************************************************************
svchost.exe pid:   1636
Command line : C:\Windows\System32\svchost.exe -k utcsvc
************************************************************************
svchost.exe pid:   1680
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
wlms.exe pid:   1776
************************************************************************
VBoxTray.exe pid:   1832
Command line : "C:\Windows\System32\VBoxTray.exe" 
************************************************************************
sppsvc.exe pid:    352
************************************************************************
svchost.exe pid:   1632
************************************************************************
SearchIndexer. pid:    856
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
************************************************************************
TrueCrypt.exe pid:   2128
Command line : "C:\Program Files\TrueCrypt\TrueCrypt.exe" 
************************************************************************
svchost.exe pid:   2760
Command line : C:\Windows\System32\svchost.exe -k secsvcs
************************************************************************
WmiPrvSE.exe pid:   2332
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
taskhost.exe pid:   2580
Command line : 
************************************************************************
7zFM.exe pid:   2176
Command line : "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\IEUser\Documents\backup_development.zip"
************************************************************************
DumpIt.exe pid:   3212
Command line : "C:\Users\IEUser\Downloads\DumpIt.exe" 
************************************************************************
conhost.exe pid:    272
Command line : \??\C:\Windows\system32\conhost.exe "-180402527637560752-8319479621992226886-774806053592412399-20651748-1013740728

Under PID 2176 we can see one interesting ZIP file called backup_development.zip. Let's get that onto our system for further analysis.

Memory Dump


  • As the memory dump is a ZIP file, rename it to .zip and unzip it!
  • Now the file extension has turned to .tc, which means TrueCrypt!

Download TrueCrypt.

After doing some research on TrueCrypt, I found a Volatility argument to fetch the password! Here you go:

password

TrueCrypt Mounted Successfully

mount

There are 4 files in total: one is AgentServer.c and the other 3 are encrypted files.

using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Security.Cryptography;

class AgentServer {
    static void Main(String[] args)
    {
        var localPort = 40001;
        IPAddress localAddress = IPAddress.Any;
        TcpListener listener = new TcpListener(localAddress, localPort);
        listener.Start();
        Console.WriteLine("Waiting for remote connection from remote agents (infected machines)...");
        TcpClient client = listener.AcceptTcpClient();
        Console.WriteLine("Received remote connection");
        NetworkStream cStream = client.GetStream();
        string sessionID = Guid.NewGuid().ToString();

        while (true)
        {
            string cmd = Console.ReadLine();
            byte[] cmdBytes = Encoding.UTF8.GetBytes(cmd);
            cStream.Write(cmdBytes, 0, cmdBytes.Length);

            byte[] buffer = new byte[client.ReceiveBufferSize];
            int bytesRead = cStream.Read(buffer, 0, client.ReceiveBufferSize);
            string cmdOut = Encoding.ASCII.GetString(buffer, 0, bytesRead);

            string sessionFile = sessionID + ".log.enc";
            File.AppendAllText(@"sessions\" + sessionFile,
                Encrypt(
                    "Cmd: " + cmd + Environment.NewLine + cmdOut
                ) + Environment.NewLine
            );
        }
    }

    private static string Encrypt(string pt)
    {
        string key = "AKaPdSgV";
        string iv = "QeThWmYq";
        byte[] keyBytes = Encoding.UTF8.GetBytes(key);
        byte[] ivBytes = Encoding.UTF8.GetBytes(iv);
        byte[] inputBytes = System.Text.Encoding.UTF8.GetBytes(pt);

        using (DESCryptoServiceProvider dsp = new DESCryptoServiceProvider())
        {
            var mstr = new MemoryStream();
            var crystr = new CryptoStream(mstr, dsp.CreateEncryptor(keyBytes, ivBytes), CryptoStreamMode.Write);
            crystr.Write(inputBytes, 0, inputBytes.Length);
            crystr.FlushFinalBlock();
            return Convert.ToBase64String(mstr.ToArray());
        }
    }
}

The file above contains the key and the IV (initialization vector).

keys

Let's decrypt the other 3 files with an online DES decryptor: https://devtoolcafe.com/tools/des

I tried to decrypt all three files and found the flag in the third file.
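The same decryption can be done offline, which keeps evidence out of third-party web tools. The following is an added example, not part of the original post or the challenge files: it reverses the recovered Encrypt() routine (DES in CBC mode with PKCS7 padding, the .NET defaults) and treats each line of a .log.enc file as one Base64 record. The class name SessionLogDecryptor and the sample record are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class SessionLogDecryptor
{
    // Key and IV as hard-coded in the recovered Encrypt() method.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("AKaPdSgV");
    static readonly byte[] IV = Encoding.UTF8.GetBytes("QeThWmYq");

    // Same primitive the server uses: DES with the .NET defaults (CBC, PKCS7).
    static DES NewDes()
    {
        DES des = DES.Create();
        des.Mode = CipherMode.CBC;
        des.Padding = PaddingMode.PKCS7;
        return des;
    }

    // Reverses Encrypt(): Base64 -> DES-CBC decrypt -> UTF-8 text.
    static string Decrypt(string base64Record)
    {
        byte[] ct = Convert.FromBase64String(base64Record);
        using (DES des = NewDes())
        using (ICryptoTransform dec = des.CreateDecryptor(Key, IV))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));
    }

    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            // Constructed sample record (not from the challenge) to verify the round trip.
            string sample = "Cmd: whoami" + Environment.NewLine + "constructed-output";
            byte[] pt = Encoding.UTF8.GetBytes(sample);
            using (DES des = NewDes())
            using (ICryptoTransform enc = des.CreateEncryptor(Key, IV))
                Console.WriteLine(Decrypt(Convert.ToBase64String(enc.TransformFinalBlock(pt, 0, pt.Length))));
            return;
        }
        foreach (string path in args)             // paths of the *.log.enc files
            foreach (string line in File.ReadLines(path))
            {
                if (line.Trim().Length == 0) continue;
                try { Console.WriteLine(Decrypt(line.Trim())); }
                catch (Exception e) when (e is FormatException || e is CryptographicException)
                { Console.WriteLine("[skipped undecryptable record: " + e.Message + "]"); }
            }
    }
}
```

Pass the paths of the encrypted session logs as arguments; with no arguments it round-trips the constructed sample. Because the key and IV are static, every record in every session file decrypts with the same two values.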

flag

Flag

HTB{570g_53***********}

This post is licensed under CC BY 4.0 by the author.
