vol.py -f honeypot.raw imageinfo
After finding out what kind of image we are dealing with, I usually first check to see what processes were running.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 pslist
We can see some iexplore.exe processes. To be expected, considering a URL was used to download the malware. I also see powershell and whoami being run. Will make a note of that.
Let's see what ports and connections we have listening or established, especially in this case since the description asks us to find a process PID.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 netscan
Made a note of a strange quad 4 port.
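As an added example (not part of the original writeup), here is a small triage script for netscan output: it parses the table rows and flags the kind of entry the "quad 4 port" note is about, namely a scripting host holding an established connection, or any connection to a public address on a port other than 80/443. The rows are constructed to look like Volatility 2 netscan output; offsets, local addresses, timestamps and the 4444 port are assumed, while the PIDs and remote IP are those reported in the writeup.

```python
# Added example, not part of the original writeup: triage the rows of a
# Volatility 2 netscan table for connections that deserve a closer look.
# The rows below are constructed to resemble netscan's layout; the offsets,
# local addresses, timestamps and the 4444 port are assumed values, while
# the PIDs and the remote IP are the ones the writeup reports.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSCAN_SAMPLE = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e5e8010 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe    2021-12-20 09:55:01 UTC+0000
0x1e6a2c80 TCPv4    192.168.56.101:49342           93.184.216.34:443    CLOSED           3344     iexplore.exe   2021-12-20 10:01:45 UTC+0000
0x1e7f1a70 TCPv4    192.168.56.101:49361           147.182.172.189:4444 ESTABLISHED      2700     powershell.exe 2021-12-20 10:02:13 UTC+0000
0x1e5f0b20 UDPv4    0.0.0.0:5355                   *:*                                   1204     svchost.exe    2021-12-20 09:55:10 UTC+0000
"""

# Interpreters that normally have no business owning an outbound connection
# on a workstation (assumed watch-list, extend to taste).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# One netscan row: offset, proto, local, foreign, optional state (blank for
# UDP), pid, optional owner (must not start with a digit, so the Created
# timestamp is never mistaken for an owner).
ROW_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+|-)(?:\s+(?P<owner>[^\s\d]\S*))?"
)


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: Optional[int]
    owner: str


def parse_netscan(text: str) -> List[Conn]:
    """Turn netscan output into Conn records; header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid = m.group("pid")
        conns.append(Conn(
            proto=m.group("proto"),
            local=m.group("local"),
            foreign=m.group("foreign"),
            state=m.group("state") or "",
            pid=int(pid) if pid.isdigit() else None,
            owner=(m.group("owner") or "").lower(),
        ))
    return conns


def split_endpoint(endpoint: str):
    """'147.182.172.189:4444' -> (IPv4Address, 4444); wildcards like '*:*' give (None, None)."""
    host, _, port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None, None


def triage(text: str) -> List[Tuple[Optional[int], str, str, List[str]]]:
    """Return (pid, owner, foreign endpoint, reasons) for every row that trips a rule."""
    findings = []
    for c in parse_netscan(text):
        reasons = []
        ip, port = split_endpoint(c.foreign)
        if c.owner in SCRIPT_HOSTS and c.state == "ESTABLISHED":
            reasons.append("script host owns an established connection")
        # Outbound to a public address on something other than plain web
        # ports: the general form of the "quad 4 port" the writeup noticed.
        if ip is not None and ip.is_global and port not in (80, 443):
            reasons.append(f"public peer on non-web port {port}")
        if reasons:
            findings.append((c.pid, c.owner, c.foreign, reasons))
    return findings


if __name__ == "__main__":
    for pid, owner, foreign, reasons in triage(NETSCAN_SAMPLE):
        print(f"PID {pid} ({owner}) -> {foreign}: {'; '.join(reasons)}")
```

Pipe real output through it with `vol.py ... netscan | python3 triage.py` after swapping the sample for `sys.stdin.read()`; the owner column is lower-cased before comparison because Volatility prints it as the process recorded it.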
Since Santa downloaded malware and the challenge asks us to find a URL, let's check the Internet Exploder history as well.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 iehistory
I'm always wary of .hta files so this jumped out at me.
So we know iexplore.exe was used with PID 3344 to download an hta file.
Let's try to find the file.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 filescan|grep -i .hta
We find it, so let's dump its contents.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x3f4d4348 -n "christmas_update[1].hta"
Would you look at that. That looks like a powershell reverse shell. We are on the right track.
Base64 decoding the string, we find it is downloading and executing a file called update.ps1.
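The decoding step above is routine enough to script. The following is an added example (not code from the writeup) that extracts the argument of PowerShell's -EncodedCommand, or any of the prefixes powershell.exe accepts for it (-e, -en, -enc, ...), from a command line and decodes it the way PowerShell does: base64 over UTF-16LE text, with a UTF-8 fallback for blobs that were base64-encoded by hand. The command line in it is constructed and carries a harmless payload; the real .hta fetched update.ps1.

```python
# Added example, not part of the original writeup: pull the base64 argument
# of PowerShell's -EncodedCommand (or any prefix of it, -e / -enc / ...) out
# of a command line and decode it the way PowerShell does (UTF-16LE).
# The command line below is constructed and carries a harmless payload.
import base64
import re
from typing import Optional

# Any "-e..." flag followed by a base64-looking token; whether the flag really
# is (a prefix of) -EncodedCommand is checked separately so that -ep / -exec
# and their "bypass" arguments are not decoded by mistake.
FLAG_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _is_encoded_flag(flag: str) -> bool:
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def encode_command(script: str) -> str:
    """Produce the argument PowerShell expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand argument; tolerates missing padding and falls
    back to UTF-8 for blobs that were not produced by PowerShell itself."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    # Genuine -EncodedCommand data is UTF-16LE, so ASCII text shows up as
    # char,0x00 pairs: if most odd bytes are NUL, treat it as UTF-16LE.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_and_decode(cmdline: str) -> Optional[str]:
    """Return the decoded script hidden in a command line, or None if it has none."""
    for m in FLAG_RE.finditer(cmdline):
        if _is_encoded_flag(m.group(1)):
            return decode_encoded_command(m.group(2))
    return None


# Constructed sample: the flag soup is typical of what cmdline output shows;
# the payload is deliberately harmless.
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_command("Write-Output 'constructed sample'")
)

if __name__ == "__main__":
    print(extract_and_decode(SAMPLE_CMDLINE))
```

The UTF-16LE check matters in practice: feeding a PowerShell-produced blob to a plain `base64 -d` prints every other character as a NUL, which is why such output often looks like "W.r.i.t.e.-.O.u.t.p.u.t" in a terminal.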
We can't find the file in memory.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 filescan|grep -i update.ps1
Back in netscan we notice a lot of powershell.exe entries with PID 2700. Because a ps1 reverse shell was downloaded, it would be running under powershell, which has PID 2700. So I dumped the memory of that PID.
vol.py -f honeypot.raw --profile=Win7SP1x86_23418 memdump -p 2700 -D .
And we can see the actual content of the script that was run by powershell.
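Reading the script out of the memdump usually means running strings over it, and PowerShell keeps its script text as UTF-16LE, which a plain ASCII `strings` pass misses. As an added example (not part of the original writeup), the script below recovers both ASCII and UTF-16LE runs from a dump and pulls out URLs and IPv4 addresses. The dump bytes are constructed; the URL and IP embedded in them are the ones the writeup reports.

```python
# Added example, not part of the original writeup: recover ASCII and UTF-16LE
# strings from a process memory dump (such as the memdump of PID 2700) and
# pull out URLs and IPv4 addresses. The dump bytes below are constructed; the
# URL and IP embedded in them are the indicators the writeup reports.
import re
from typing import Dict, List

MIN_LEN = 8  # assumed minimum run length, the same default as `strings -n 8`

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./%-]*)?")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)

# Constructed stand-in for a memdump: binary noise, a UTF-16LE script
# fragment, more noise, an ASCII run, and trailing filler.
SAMPLE_DUMP = (
    bytes([0x00, 0xFF, 0x13, 0x8A, 0x00, 0x7C, 0x01, 0xE9]) * 4
    + "$u = 'https://windowsliveupdater.com/christmas_update.hta'".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
    + b"update.ps1 staged from 147.182.172.189"
    + bytes([0x00, 0x00, 0xCC]) * 4
)


def extract_strings(blob: bytes) -> List[str]:
    """Printable runs of at least MIN_LEN chars, ASCII and UTF-16LE, in offset order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return [s for _, s in sorted(hits)]


def extract_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Unique URLs and IPv4 addresses found in the recovered strings, first-seen order."""
    urls, ips = [], []
    for s in extract_strings(blob):
        urls += URL_RE.findall(s)
        ips += IPV4_RE.findall(s)
    return {"urls": list(dict.fromkeys(urls)), "ipv4": list(dict.fromkeys(ips))}


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_DUMP):
        print(s)
    print(extract_indicators(SAMPLE_DUMP))
```

On a real dump, replace SAMPLE_DUMP with `open("2700.dmp", "rb").read()` (or scan the file in chunks with a small overlap so runs spanning a chunk boundary are not cut). The UTF-16LE scanner is byte-aligned on purpose: it finds strings sitting at odd offsets, which a decode of the whole buffer as UTF-16 would garble.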
We have our IP: 147.182.172.189
Putting all this information together as the challenge requires us to:
The URL used to download the malware: https://windowsliveupdater.com/christmas_update.hta
The malicious process PID: 2700
The attacker's IP: 147.182.172.189
Putting it all together it looks like this: https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189
However the flag is supposed to be the md5sum of that.
echo "https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189"|md5sum
HTB{432fd3de8e42875dee4cef3dc6b1a766}