Tag: PowerShell

Huntress CTF: Week 1 – Forensics: Backdoored Splunk, Traffic, Dumpster Fire

CTF, DFIR, PowerShell, Python

Backdoored Splunk

Hit Start.

So we’ve got a url and a specific port. Firefox web browser yields…

So we need an Authorization header. 🤔

Time to look at the provided files. It looks to be the export of a Splunk application.

Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this.

The Silver Searcher is a command line tool I picked up during the CTF and I love it. It’s like Grep on PCP.

Once installed, the base command is ag, followed by what you’re searching for, and where. So let’s do a quick search for Authorization on all the contents of this directory.

That looks interesting. A clue? One of the PowerShell scripts has Authorization and what looks to be Base64 code.

We also see a comment about the $PORT being dynamic based on the Start button. Decoding the string in CyberChef…

At this point we have all the pieces, we just need to put them together. I started to look at different ways to pass an Authorization header to a web server. There’s proxy tools galore. And then there’s the basic’s like curl. After a bit of brushing up on my syntax I had: 

curl -H "Authorization: Basic [longStringFromThePowershell]" http://site:$PORT

Yay what looks like more Base64. Once more with our Chef’s hat and…

Traffic

rita was a tool I hadn’t used before but it was very easy to use. I installed it on my REMnux box and then ran it against the dataset.

I then used the command to generate an html report.

Looking through the DNS requests there’s something sketchy indeed.

Let’s go take a look at that.

Dumpster Fire

Let’s start with the_silver_searcher again and see if we have any luck with “Password”.

There’s a number of hits including references to an encryptedUsername and encryptedPassword in the logins.json file. So we’ve got some encrypted Firefox user passwords. If only there were a utility that could decrypt those. Enter firepwd.py, an open source tool to decrypt Mozilla protected passwords.

Run the script in Python and point it to the directory for the user profile (where the logins.json file is).

That’s a pretty LEET password 😉

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 1 – WarmUps

CTF, DFIR, Malware, PowerShell

The team at Huntress pulled off an amazing CTF that ran through the month of October with new challenges released daily. In this series, I’ll be providing my solutions to the challenges. WARNING Will Robinson, spoilers ahead! Use the tag #HuntressCTF to see all related posts.

Technical Support

There wasn’t really a solve to this one, but I’m including here for consistency. If you head to the Discord server for the event and went to the support channel, the flag was provided.

String Cheese

Taking this literally – we’ll run STRINGS on cheese:

If we scroll down through the output…

Notepad

Right click on the notepad file, open with VS Code or text editor of choice.

CaesarMirror

When you examined the text file you got

I copied the text over to CyberChef and started running some recipes on it. I found an algorithm that would work on it, well, one half at a time.

I took the original file and edited it into 2 versions, caesar_left.text and caesar_right.txt. I converted each side of the file, screenshotted the output, and then aligned them next to each other to read the complete output.

Book By Its Cover

Use the FILE command to get the properties of book.rar.

Hmm. A png file. Let’s open that with an image viewer.

BaseFFFF+1

Examining the file contents yielded…

Back to CyberChef. There’s Base64 and Base85 but neither of those work. Looking closer at the title…. BaseFFFF+1… FFFF is the Hexadecimal for 65535. Add one and you have 65536. I googled Base65536, and while it’s not in CyberChef it does exist.

Read the Rules

Head over to the Rules page. While you’re there, be sure to read up on what tools are not allowed. CTFs are usually not the situation where you bring a tank to a knife fight. Once you’ve read everything, visible, three or four times if you’re me, right, click on the webpage and choose view source.

Query Code

Once again the FILE command gives us our first clue.

It’s a png image so open with an image viewer and you have a QR code. Scan that with a QR reader and…

Dialtone

The provided wav file is a recording of different telephone buttons being pushed. The first thing to do is identify what buttons/numbers are being pushed. Using the site DialABC I uploaded the wav file and then transcribed the DTMF Tone outputs.

13040004482820197714705083053746380382743933853520408575731743622366387462228661894777288573. That is on heck of a phone number!

A hint on Discord led me to the next step. It referenced that this was a BigInteger value. After several trips with Alice down various rabbit holes I found a PowerShell syntax to convert BigInt to strings.

Hmm. Looks closer to what an encoded flag might look like, but still not there yet. Back over to CyberChef and sprinkle a little Magic dust… and we see that the next and last decoding step is to From_Hex.

Layered Security

The file command indicates that it’s a GIMP image file. I recall that GIMP is an open-source application that’s comparable to Adobe Photoshop. I’d used it previously but not in a long time. I also can’t help but think of Pulp Fiction and “Bring out the Gimp.”

After a morbid chuckle and a quick installation, I launch GIMP and open the file. In the bottom right we see there are a number of faces that are part of this picture.

As we peel down the layers we find the flag in one of the images.

Comprezz

We’ve been pretty successful starting with the file command, so let’s start there.

As the challenge suggests, no I have not heard of this file type. A quick google for compress’d data 16 bits takes me to several posts on how to uncompress theses files. After a brief trial and error (it may have taken me 2 times), I cat’d the file and then piped it to uncompress.

That’s it for the challenges in the Warm Up category. There were also challenges in Forensics, Malware and Miscellaneous.

Use the tag #HuntressCTF to see all related posts. Now that October is over, I’ll be releasing as many of these as I can.

Magnet RESPONSE PowerShell

DFIR, Forensic Imaging, PowerShell, Presentations, RAM

I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.

Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to collect triage collections quickly and consistently.

Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.

So what do I do when there’s a command line interface available, I PowerShell the hell out of it.

If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.

MagnetRESPONSEPowerShell.ps1

Functions:
  • 💻 Capture specified triage artifacts using profiles with Magnet RESPONSE,
  • 🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture,
  • 💾 Save all artifacts, output, and audit logs to network drive.
  • 🪟 Supports x86, x64 and ARM64 versions of Windows
Prerequisites:
  • Magnet RESPONSE
  • Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints.
  • File server repository to save the file collections to.

Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions – please do so here or on GitHub via discussion or pull request.

There are two areas of the script for you to customize.

  • The Variable Setup contains the case identification, file server and web server locations.
  • The second section, Collection Profiles, define which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.

VARIABLE SETUP

$caseID = "demo-161" # no spaces

$outputpath = "\\Server\Share" # Update to reflect output destination.

$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

COLLECTION PROFILES

Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles, which are simply un-commented to mark the profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options, just follow the format below.

#### Extended Process Capture

$profileName = "EXTENDED PROCESS CAPTURE"

$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"

Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or products like Magnet AXIOM Cyber.

If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.

You can download the script at https://github.com/MagnetForensics/Magnet-RESPONSE-PowerShell

Capturing malware evidence with detonaRE

DFIR, Malware, PowerShell, RAM

Lately I’ve been experimenting with a lot of varieties of different malware strains. Each time the malware executes, I have a process where I’ll initiate a packet capture, give the malware some time to spin up, and then execute an evidence capture while the malware is running. Then I’ll revert to a snapshot, make some modifications to the environment, and run the process again.

To make things easier on myself (and to help with late afternoon brain fog) I decided to script out the process with PowerShell.

detonaRE – from Latin, to detonate

  • initiates packet capture
  • launches malware sample
  • terminates packet capture after specified interval
  • initiates evidence collection with Magnet RESPONSE (memory, process, and triage capture)
  • converts collected .etl file (network capture) to .pcap with etl2pcapng.

## variable configuration:
$malwspath = “E:” ## malware source path
$malwdpath = “C:\Users\REM\Desktop\Malware\” ## malware destination path
$malware = “redline-76ca4a.exe” ## malware executable
$pcaptime = 180 ## duration in seconds for pcap capture
$toolsdir = “E:\Tools” ## MagnetRESPONSE.exe and etl2pcapng.exe

In my case I’ve got my malware file on the root of a USB device (E:) that will be attached to the VM. I want to copy the malware to the ‘Malware’ folder on the VM desktop. For this example the malware file is redline-76ca4a.exe. Any tools needed will be stored in E:\Tools.

I’m using the netsh command to capture any network traffic in .etl format. Later on, we’ll convert the .ett to .pcap. This is the same process I utilized in the QuickPcap PowerShell script.

Once the packet capture is running, the malware file gets detonated. The packet capture will continue running for the set duration, the default being 180 seconds or 3 minutes. It’s important not to terminate the packet capture too early. As you can see in the demonstration video below, once this particular malware sample is detonated, it sleeps for a bit and doesn’t show as active on the system until about 45 seconds into the capture.

Once the packet capture is completed, I’m running the command line version of Magnet RESPONSE. If you’re a fan of CyberPipe this is definitely one you’ll want to check out. Using Magnet RESPONSE I collect the memory (Comae DumpIt), pagefile, running processes (full process dumps) and triage system collection. Note, these artifacts can be scaled down by adjusting the Magnet RESPONSE CLI parameters.

Finally, when that’s all done, the .etl file gets converted to .pcap via etl2pcapng.exe. Then I transfer the collected files to my analysis machine and then the real fun begins.

update: (a day later) version 1.1 now also initiates Process Monitor with a filter applied for the malware to be detonated.

Github link for detonaRE

detonaRE v1.0
detonaRE.ps1 v1.1 now includes Process Monitor
detonaRE version 1.2 demo