Installing REMnux on a MacBook Pro

DFIR, Forensics, Mac, Malware

I had an older MacBook Pro (15-inch, 2.53GHz, Mid 2009) that had been unused for a while as it was no longer getting updates from Apple. It’s one of the Intel chip ones and last ran Monterey. I pulled it out of the closet and decided to give it a refresh by installing REMnux on it. The process was pretty straightforward, but there were a couple things noted along the way I thought I’d share.

Start off by downloading the Ubuntu 20.04.6 AMD64 Desktop ISO. Yes, 20.04. Later installations aren’t supported by the REMnux installer.

Next you’ll want to burn the image to a flash drive, and make it bootable, using Rufus (Windows) or Balena Etcher (Mac.) This model MacBook has USB-A ports which seems like a relic compared to the current Macs. You’ll need at least an 8GB flash drive for the Ubuntu image. The first free one I could find was 32GB so I used that.

With the bootable USB drive inserted, power-up the MacBook and hold the option key until you see the different hard drives listed.

The flash drive is the one that shows as EFI Boot. Select it and hit return/enter.

Once everything is booted up you’ll get to the Try or Install Ubuntu menu. We’ll choose install.

Specify options as needed for timezone, keyboard, etc. For the username we’ll use remnux and the password malware as that’s the default. After the installation you can set the password for the remnux user as you wish.

At the Installation type we’ll choose Erase disk and install Ubuntu.

Sorry for the wavy resolution. Tough to get good screenshots during bare-metal OS installations.

Once the installation completes, hit Restart Now.

When I first logged in I was getting an error, “Activation of network connection failed” when trying to authenticate to the wireless network. Disabling IPv6 for that network fixed. it.

Now that we’ve got connectivity, we can grab any available Ubuntu updates.

sudo apt-get update && sudo apt-get upgrade

If at any point you’re prompted to do a distribution upgrade (a version of Ubuntu later than 20.04), choose Don’t Upgrade.

Once you’ve done all the OS updates, and rebooted, we can start the REMnux installation. We’ll be following the Install from Scratch instructions at remnux.org

wget https://REMnux.org/remnux-cli
sha256sum remnux-cli

Verify the hash matches the published hash 88cd35b7807fc66ee8b51ee08d0d2518b2329c471b034ee3201e004c655be8d6

mv remnux-cli remnux
chmod +x remnux
sudo mv remnux /usr/local/bin

The first time I ran the installer it failed as curl wasn’t installed. So take care of that before starting the install.

sudo apt-get install curl

At this point we’re ready to run the installation. The one deviation I’m choosing here is that rather than the standard install, I’m choosing the ‘cloud mode.’

If you’re depoying REMnux in a remote cloud environment and will need to keep the SSH daemon enabled for remotely accessing the system, use the following command instead to avoid disabling the SSH daemon. Remember to harden the system after it installs to avoid unauthorized logins.
remnux.org

In my case I plan to be ssh’ing into the box from within my own network more often than actual hands on keyboard, hence the cloud mode.

sudo remnux install --mode=cloud

At this point grab a coffee, walk the dog, or find something to do while the wall of text streams by.

Note if the install fails the first time don’t be afraid to re-run the install command a 2nd time.

Finally when it’s done, Reboot.

There you go. A shiny, happy, malware analysis machine.

Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir

CTF, DFIR, Malware

VeeBeeEee

First examine the file contents.

Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe.

Copy the output to VS Code.

The syntax highlighting shows that all the ””””””””al37ysoeopm’al37ysoeopm entries are just comments, so let’s remove them.

There also seems to be an abundance of “&” obscuring the code. We’ll remove them too.

That’s a lot more readable. Looking at the code we see it’s going to use PowerShell to create a file C:\Users\Pubic\Documents\July.htm using as input the content from a pastebin URL.

Snake Eater

We’ll detonate snake_eater.exe in our lab environment.

I really enjoyed this challenge as I used my detonaRE PowerShell script to control the detonation and solve the challenge. Besides firing the malware itself, the script will initiate a pcap capture and monitor the malware process using Process Monitor. The script the converts the ProcMon output to csv for easy analysis.

Scrolling through the csv we find that the application was writing a file to:

~\AppData\Roaming\Mael Horns\flag{hashforflag}

Opendir

Let’s get Started

The link brings us to an Open Directory (duh) with lots of scripts and executables, not to mention a number of subdirectories.

The first thing to do is grab everything.

Site Sucker works well for this.

Once we’ve captured all the files and subdirectories locally we can search through them en masse. Once again in this CTF, the_silver_searcher (ag) comes into play.

Tucked away in /sir/64_bit_new/oui.txt is the flag.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 1 – Malware: Hot Off The Press, HumanTwo, PHP Stager & Zerion

CTF, DFIR, Malware, PowerShell

Hot Off The Press

To start with let’s see what kind of file this is.

“UHARC is a compression/archiving system for PC platforms, which appears to be neglected since around 2005. It achieves better compression than most other archivers, at the expense of being much slower.”
http://fileformats.archiveteam.org/wiki/UHARC

I scoured the internet looking for a copy of UHARC to download. I’m not going to link any here as many if not all may contain malware. Since this is a Windows only tool, (or Wine under Linux), we’ll open this one in a sandboxed Windows system.

When the file extracts we are presented with hot_off_the_press.ps1.

OMG that’s a lot of obfuscation! Let’s see if we can clean this up and make it more readable. First let’s remove all the ”+”

That’s a little bit better. There’s another obfuscation method going on where specific numbers are used to represent different letters. Originally, I tried to determine the substitution by completing terms I knew. Early ahead I saw (”Sc{2}i’pt{1}loc{0}Logging”) which to me reads like ScriptBlockLogging. So all 2’s are i’s, 1’s are B’s, and 0’s are k. I do a find/replace through the script with replacements on {0},{1}, and {2}. Now it looks like a block of Base64 in the middle block. I copy it over to CyberChef and … NADA. Something’s not right.

If you look closer at the code, you’ll see that each one of the strings that had a {#} substitution in it ends with “-f” followed by other letters in quotations. The first character after -f is substituted for {0}, the next for {1}, etc. So I run the same substitution pattern on the script using the correct letters for this string this time.

Replace the {0} with L.

Replace the {1} with E.

Now we’ve got a nice clean block of Base64.

Bring that over to CyberChef for decoding and:

We’ve got a script within the script.

If you scroll down in the output, you’ll see that there’s something else encoded as well.

We’ll run that through CyberChef.

Interesting we have an encoded_flag. Let’s add URL decode to the recipe.

HumanTwo

There were 1,000 files in the zip container. Easy comparison options like file size, modification date etc. don’t help as they are the same for all the files. It’s something in the content that has to be different. How the ‘f’ am I going to find the outlier in 1,000 files?! Meld and diff are two options coming up in the Discord. I install Meld, which is really a gui for diff, and start getting a feel for it. You can compare files or directories. If doing files you could do a 3 way comparison between 3 files. But not 1000. As I was looking through the files with Meld it struck me that all of the file contents we also the same with the exception of one line.

Let’s run through all the files with the_silver_searcher and isolate on String.Equals

Scrolling down through the output we see that one is a definite outlier, or as we like to say around here, an Irregular.

Once more to CyberChef, this time from Hex.

PHP Stager

Heavily obfuscated PHP. This is going to be fun.

Let’s see if ChatGPT can give some insight into what’s going on here.

After several hours of back and forth from PHP to Python to PowerShell, online IDE’s, more ChatGPT, googling, and back again I was able to roughly reproduce the PHP in a Python and get it to execute.

Looks like we’re not done yet. In the middle of the output we can see another block of Base64. What happens if we toss that into CyberChef.

Great! Now we have a Perl script. How far down does this challenge go? It’s like those Matryoshka dolls from Russia. One inside another inside another. But wait… there’s something interesting in the Perl script.

There’s a reference to UU encoding and a string. We’ll copy the string and bring it over to another of my favorite decoding sites, dcode.fr.

Sure enough it handles the decoding and we have our flag.

Zerion

Yay (said no one), another crazy PHP file.

Looks to be using Base64 encoding, Rot13, and some other options to obfuscate the code. Back to school (ChatGPT) to see what’s going on.

Let’s copy the large encoded text block to CyberChef. We’ll apply Rot13, then Reverse the text by Character, and finally – decrypt using Base64.

And that’s our flag!

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 1 – WarmUps

CTF, DFIR, Malware, PowerShell

The team at Huntress pulled off an amazing CTF that ran through the month of October with new challenges released daily. In this series, I’ll be providing my solutions to the challenges. WARNING Will Robinson, spoilers ahead! Use the tag #HuntressCTF to see all related posts.

Technical Support

There wasn’t really a solve to this one, but I’m including here for consistency. If you head to the Discord server for the event and went to the support channel, the flag was provided.

String Cheese

Taking this literally – we’ll run STRINGS on cheese:

If we scroll down through the output…

Notepad

Right click on the notepad file, open with VS Code or text editor of choice.

CaesarMirror

When you examined the text file you got

I copied the text over to CyberChef and started running some recipes on it. I found an algorithm that would work on it, well, one half at a time.

I took the original file and edited it into 2 versions, caesar_left.text and caesar_right.txt. I converted each side of the file, screenshotted the output, and then aligned them next to each other to read the complete output.

Book By Its Cover

Use the FILE command to get the properties of book.rar.

Hmm. A png file. Let’s open that with an image viewer.

BaseFFFF+1

Examining the file contents yielded…

Back to CyberChef. There’s Base64 and Base85 but neither of those work. Looking closer at the title…. BaseFFFF+1… FFFF is the Hexadecimal for 65535. Add one and you have 65536. I googled Base65536, and while it’s not in CyberChef it does exist.

Read the Rules

Head over to the Rules page. While you’re there, be sure to read up on what tools are not allowed. CTFs are usually not the situation where you bring a tank to a knife fight. Once you’ve read everything, visible, three or four times if you’re me, right, click on the webpage and choose view source.

Query Code

Once again the FILE command gives us our first clue.

It’s a png image so open with an image viewer and you have a QR code. Scan that with a QR reader and…

Dialtone

The provided wav file is a recording of different telephone buttons being pushed. The first thing to do is identify what buttons/numbers are being pushed. Using the site DialABC I uploaded the wav file and then transcribed the DTMF Tone outputs.

13040004482820197714705083053746380382743933853520408575731743622366387462228661894777288573. That is on heck of a phone number!

A hint on Discord led me to the next step. It referenced that this was a BigInteger value. After several trips with Alice down various rabbit holes I found a PowerShell syntax to convert BigInt to strings.

Hmm. Looks closer to what an encoded flag might look like, but still not there yet. Back over to CyberChef and sprinkle a little Magic dust… and we see that the next and last decoding step is to From_Hex.

Layered Security

The file command indicates that it’s a GIMP image file. I recall that GIMP is an open-source application that’s comparable to Adobe Photoshop. I’d used it previously but not in a long time. I also can’t help but think of Pulp Fiction and “Bring out the Gimp.”

After a morbid chuckle and a quick installation, I launch GIMP and open the file. In the bottom right we see there are a number of faces that are part of this picture.

As we peel down the layers we find the flag in one of the images.

Comprezz

We’ve been pretty successful starting with the file command, so let’s start there.

As the challenge suggests, no I have not heard of this file type. A quick google for compress’d data 16 bits takes me to several posts on how to uncompress theses files. After a brief trial and error (it may have taken me 2 times), I cat’d the file and then piped it to uncompress.

That’s it for the challenges in the Warm Up category. There were also challenges in Forensics, Malware and Miscellaneous.

Use the tag #HuntressCTF to see all related posts. Now that October is over, I’ll be releasing as many of these as I can.