[Flare-On7] Chal7-re_crowd write-up (Eng)

Posted: October 24, 2020 in Flare-On7


1. Analyze re_crowd.pcapng

Open the file in Wireshark and select Statistics -> Flow Graph; you can see the flow as in the picture below:

Figure 1. Using the Flow Graph feature of Wireshark to view the information exchange

When applying a filter like this: (http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900), I see many HTTP requests from IP 192.168.68.21 to port 80 of the server 192.168.68.1:

Figure 2. Many HTTP requests from IP 192.168.68.21 to port 80 of server 192.168.68.1

Next, filtering with data.data || media.type, I obtain the data exchanged between the machines. My attention is drawn to two unusual ports, 4444 and 1337:

Figure 3. Unusual ports 4444 and 1337 appear

Following one of the HTTP streams above, I get the following information:

Figure 4. Contents of an HTTP Stream

By searching Google for the keyword “HTTP PROPFIND Exploit”, I learn that this is the “WebDAV PROPFIND Exploit, CVE-2017-7269”, and I also find Fortinet’s analysis at https://www.fortinet.com/blog/threat-research/buffer-overflow-attack-targeting-microsoft-iis-6-0-returns

Based on Fortinet’s analysis, I also learn that the “payload was encoded using the Metasploit encoder ‘AlphanumUnicodeMixed’”.

I use the decode script provided in the article to decode the shellcode (called sc1). In this shellcode, there is a plaintext string “killervulture123”.

Figure 5. 1st shellcode after decode contains the key to decode 2nd shellcode

2. Analyze sc1

This shellcode resolves the APIs it needs from ws2_32.dll and initializes a socket that connects to port 4444 of IP 192.168.68.21:

Figure 6. 1st shellcode initializes the socket connecting to port 4444 of IP 192.168.68.21

If the connection is successful, it calls the following code to receive data:

Figure 7. Allocate a buffer to store the returned data (another shellcode)

From the above code, I can tell that the received data is another shellcode, because the allocated memory has PAGE_EXECUTE_READWRITE protection. The received data is decrypted with RC4 using the key killervulture123.

Returning to the pcap file and using the filter data.data || media.type, I retrieve the encrypted shellcode.

Figure 8. Get the 2nd encrypted shellcode after filtering data

After decrypting, I obtain the new shellcode (called sc2); viewing its content, I find an important string:

Figure 9. 2nd shellcode after decoding contains the key to encrypt the data

3. Analyze sc2

This shellcode uses the CreateFileA and ReadFile functions to read data from “C:\accounts.txt”. It then uses RC4 to encrypt the file content with the key “intrepidmango”. Finally, it sends the encrypted data to port 1337 of IP 192.168.68.21:

Figure 10. 2nd shellcode sends encrypted data to port 1337 of IP 192.168.68.21

Again, returning to the pcap file and using the filter data.data || media.type, I retrieve the encrypted data.

Figure 11. Filter in Wireshark to get the encrypted data

Decrypting the data gives the final flag:

Figure 12. Decoding data to get the final flag
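Both decryption steps above (sc2 from the port 4444 stream, accounts.txt from the port 1337 stream) are plain RC4 with the keys recovered from the shellcodes. The following is an added example, not code from the original write-up: a self-contained RC4 routine plus two helpers for the two streams. The payload bytes are constructed for the demonstration, since the real ones have to be carved from re_crowd.pcapng (for instance with tshark -z follow,tcp,raw,<stream>).

```python
# Added example (not from the original write-up): RC4 recovery of the two
# encrypted TCP payloads seen in re_crowd.pcapng. The keys are the ones the
# write-up pulls out of sc1 and sc2; the payload bytes used below are
# constructed, because the real ones come from the capture.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute S with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR data with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Keys named in the write-up: sc1 decrypts what it receives on port 4444 with
# killervulture123; sc2 encrypts accounts.txt with intrepidmango before
# sending it to port 1337.
SC2_KEY = b"killervulture123"
EXFIL_KEY = b"intrepidmango"


def decrypt_stage2(port4444_payload: bytes) -> bytes:
    """Recover sc2 from the bytes the victim received on TCP port 4444."""
    return rc4(SC2_KEY, port4444_payload)


def decrypt_exfil(port1337_payload: bytes) -> str:
    """Recover the accounts.txt content sent to TCP port 1337."""
    return rc4(EXFIL_KEY, port1337_payload).decode("latin-1")


if __name__ == "__main__":
    # Constructed stand-in for the exfiltrated file (not the challenge data).
    sample_accounts = b"user:CONSTRUCTED_PLACEHOLDER\n"
    captured_1337 = rc4(EXFIL_KEY, sample_accounts)  # what the pcap would hold
    print(decrypt_exfil(captured_1337), end="")
```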

End.

m4n0w4r
