The Tolkein Ring
As we walk into the Talkain Ring area we found our old friend Sparkle Redberry, and like always, he needs our help.
We download the PCAP through the link he provides and we enter the terminal to find more instructions
First question
We open the PCAP with Wireshark and go to the menu File --> Export Objects and choose HTTP... (that's the answer, HTTP)
We immediately see the files downloaded, this also give us the answer to the next question
 |
| HTTP Objects Downloaded |
Now for question 4 we have to go a bit deeper and choose one of the HTTP streams to see that the responding HTTP headers says Server: Apache
Now for question file, we can save the app.php file to our computer from the Wireshark File menu using the same Export Object option as above.
To look at the last few lines of the file we use the tail command and we can see there's a blob being saved as Ref_Sept21-2020.zip, this is the answer.
For question 6, things get a little bit more complicated, we needed to find TLS certificates exchanged in the traffic, to do that we use binwalk on the pcap
There are a lot of certificates in the file so we need to extract them to examine them
To examine the extracted files we can use find with exec to use openssl to make sure they are certs in DER format
find . -type f -exec openssl x509 -inform der -in {} -noout -text \; 2>/dev/null| grep Issuer
This gives us all the Issuers of the certificates found including the Country (C), State (ST), City/Location (L).
We can see 3 main countries:
C = IL for Israel
C = SS for South Sudan
C = US for United States
And we enter those as our answer, completing our first objective to find the Tolkein Ring.
As we walk to the right on the same room we find Fitzy Shortstack and, of course, he has a problem to solve
We enter the terminal and find that we've been tasks with creating suricata rules to alert further communication with the Command and Control we discovered before
following the syntax we come up with arule for the first alert:
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:20221211;rev:1;)
always changing the sid to avoid conflicts
We check our rule and get our next task
This one is bit trickier, we need 2 rules to catch of ways of communication, or at least with the little knowledge I have on suricata this is the way I found that worked find
alert http any any -> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121122;rev:1;)
alert http 192.185.57.242 any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121123;rev:1;)
To accomplish this, we need suricata to examine the certificate that is used in the TLS handshake by verifying the CommonName (CN) in it:
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya";sid:202212114;rev:1;)
Once again, we verify our new rule and get one more task
We can find the malicous JavaScript by checking the body of the HTTP response to match the string we're looking for
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; flow:to_client;http.response_body;content:"let byteCharacters = atob";sid:5;)
And that's it!
Now we can walk to tend of the hall and find Snowrog (any similarities with a Balrog is just coincidence)
