[Flare-On7] Chal7-re_crowd write-up (Eng)

Posted: October 24, 2020 in Flare-On7, [Flare-On7] Chal7-re_crowd write-up (Eng)
Tags: , , ,

This image has an empty alt attribute; its file name is image-18.png

1. Analyze re_crowd.pcapng

Open file into Wireshark, select Statistics -> Flow Graph, you can see the flow as the bellow picture:

Figure 1. Using the Flow Graph feature of Wireshark to view the information exchange

When apply the filter like this: (http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and! (Udp.port eq 1900), I see more http request from ip to port 80 of the server

Figure 2. Many http reqests from ip to port 80 of server

Next, filter with data.data || media.type, I obtain information exchanging between machines. My attention focus on the strange ports are 4444 and 1337:

Figure 3. Strange ports appear are 4444 and 1337

I follow any above HTTP Stream and get the following information:

Figure 4. Contents of an HTTP Stream

By using Google with “HTTP PROPFIND Exploit” keyword, I know that it is “WebDAV PROPFIND Exploiting CVE-2017-7269“, and also find Fortinet’s analysis at https://www.fortinet.com/blog/threat-research/buffer-overflow-attack -targeting-microsoft-iis-6-0-returns

Based on Fortinet’s analysis, I also known that “payload was encoded using the Metasploit encoder ‘AlphanumUnicodeMixed ”.

I use the decode script that was provided in the article to decode the shellcode (called sc1). In this shellcode, there is a plaintext string “killervulture123“.

Figure 5. 1st shellcode after decode contains the key to decode 2nd shellcode

2. Analyze sc1

This sc will retrieve the APIs that belong to ws2_32.dll, initializing socket to connect to port 4444 of ip

Figure 6. 1st shellcode initializes the socket that connecting to port 4444 of ip

If the connection is successful, will call the following code to receive data:

Figure 7. Allocate a buffer to stores the returned data (another shellcode)

With the above code, I can realize that the received data is another shellcode because the allocated memory has PAGE_EXECUTE_READWRITE protection. The received data will be decoded by RC4 with decryption key is killervulture123.

Return pcap file, using filter data.data || media.type, I retrieve the encoded shellcode.

Figure 8. Get the 2nd encrypted shellcode after filtering data

Decrypt and get the new shellcode (called sc2), view the shellcode content, I found an important string:

Figure 9. 2nd shellcode after decoding contains the key to encrypt the data

3. Analyze sc2

This sc uses CreateFileA and ReadFile functions to read data from “C:\accounts.txt“. It then uses RC4 to encrypt the readable content with the key “intrepidmango“. Finally, it sends the encrypted data to port 1337 of IP

Figure 10. 2nd shellcode sends encrypted data to port 1337 of IP

Again, return to the pcap file and use filter data.data || media.type, I retrieved the encoded data.

Figure 11. Filter in Wireshark to get the encrypted data

Decrypt data and obtain the final flag:

Figure 12. Decoding data to get the final flag



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.