Knock Knock: Hack The Box Sherlock

CyberJunnkie
15 min read · Dec 2, 2023


Sherlock Info


Creator : Cyberjunkie (Wait!!! That's meeeeee)

Release date : 13 November 2023

Retire Date : 30 November 2023

Difficulty : Medium

Scenario

A critical Forela dev server was targeted by ransomware. The dev server was accidentally left exposed to the internet, which it was not supposed to be. The senior dev, Abdullah, told the IT team that the server was fully hardened, and it is still difficult to comprehend how the attack took place and how the attacker got access in the first place. Forela recently started its business expansion in Pakistan, and Abdullah was the one in charge of all infrastructure deployment and management. The security team needs to contain and remediate the threat as soon as possible, as any more damage could be devastating for the company, especially at the crucial stage of expanding into another region.

Thankfully, a packet capture tool set up a few months ago was running in the subnet. A packet capture covering roughly the time of the incident (with a margin of 1-2 days, because we do not know exactly when the attacker got access) is provided to you. As our forensics analyst, you have been given the packet capture to analyze how the attacker got access.

Analysis

Q1 Which ports were open on the compromised server? Format [80,443….]

To answer this question we need to understand how a TCP SYN port scan works. The attacker sends a SYN packet to the target port. If the port is open, the server answers with SYN/ACK; if it is closed, the server answers with RST (a RST/ACK) instead. Filtered ports that silently drop the probe produce no reply at all, so they will not show up with this approach.

So we want to see every packet from the server to the attacker that has both the SYN and ACK flags set. Since we are only after the scan responses for this question, we also require a TCP payload length of 0: a handshake reply never carries data, so this excludes anything that is not a bare SYN/ACK. Here is the filter, which lists the server's open-port replies to the attacker's IP:

ip.addr == 3.109.209.43 && tcp.flags.syn == 1 && tcp.flags.ack == 1 && tcp.len == 0

There is still room for false positives, because every completed handshake with the attacker, not just the scan, starts with a SYN/ACK from the server. Noting the timestamps of these packets reduces them considerably.

Looking at the timestamps, all of these ports were reached within a second of each other. That is not possible without an automated tool and is a clear sign of a port scan.

The packets before and after this burst are separated from it by a large time gap, so we can deduce that a port scan did occur and that these ports were open at that time.

Answer : 21,22,3306,6379,8086
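The same check as a script, added here as an example (it is not part of the original write-up): it applies the filter's conditions to packet metadata and then keeps only the SYN/ACK replies that arrive in a burst of several distinct ports within one second, dropping isolated handshakes. The sample records are constructed to look like a tshark -T fields export; they are not from the challenge pcap, and the two non-scan entries (another host in the subnet, the attacker's later FTP login) are invented to show what the timing step removes.

```python
"""Added example, not code from the original write-up: recover the ports that
answered a SYN scan from packet metadata, using the same condition as the
Wireshark filter above plus the timing argument used to weed out false positives.

SAMPLE is CONSTRUCTED to look like a `tshark -T fields` export
(frame.time_epoch, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags, tcp.len);
it is not taken from the challenge pcap.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst sport dport flags length")

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits, as in tcp.flags

ATTACKER = "3.109.209.43"
SERVER = "172.31.39.46"
BASE = 1679395343.0  # 2023-03-21 10:42:23 UTC, the scan start found in Q2

SAMPLE = [
    # server's replies to the scan: a sub-second burst of SYN/ACKs ...
    Pkt(BASE + 0.100, SERVER, ATTACKER, 22, 40001, SYN | ACK, 0),
    Pkt(BASE + 0.120, SERVER, ATTACKER, 21, 40002, SYN | ACK, 0),
    Pkt(BASE + 0.121, SERVER, ATTACKER, 23, 40003, RST | ACK, 0),  # closed port
    Pkt(BASE + 0.300, SERVER, ATTACKER, 3306, 40004, SYN | ACK, 0),
    Pkt(BASE + 0.450, SERVER, ATTACKER, 6379, 40005, SYN | ACK, 0),
    Pkt(BASE + 0.700, SERVER, ATTACKER, 8086, 40006, SYN | ACK, 0),
    # ... a different host in the subnet answering the attacker (wrong server)
    Pkt(BASE + 0.200, "172.31.39.99", ATTACKER, 80, 40007, SYN | ACK, 0),
    # ... and the attacker's real FTP login 15 minutes later: matches the filter,
    # but it is an isolated handshake, not a scan
    Pkt(BASE + 900.0, SERVER, ATTACKER, 21, 40100, SYN | ACK, 0),
    Pkt(BASE + 900.1, SERVER, ATTACKER, 21, 40100, ACK, 20),  # banner, has payload
]


def synack_replies(pkts, server, attacker):
    """The Wireshark filter in code: server -> attacker, SYN and ACK set, no payload."""
    return [
        p for p in pkts
        if p.src == server and p.dst == attacker
        and (p.flags & (SYN | ACK)) == (SYN | ACK)
        and p.length == 0
    ]


def scan_bursts(pkts, window=1.0):
    """Split replies into groups in which consecutive packets are at most `window`
    seconds apart. Many distinct ports inside one group means automation; a lone
    handshake minutes away from anything else is ordinary traffic."""
    bursts, current = [], []
    for p in sorted(pkts, key=lambda q: q.ts):
        if current and p.ts - current[-1].ts > window:
            bursts.append(current)
            current = []
        current.append(p)
    if current:
        bursts.append(current)
    return bursts


def open_ports_from_scan(pkts, server, attacker, window=1.0, min_ports=3):
    """Ports that replied SYN/ACK inside a burst of at least `min_ports` distinct ports."""
    ports = set()
    for burst in scan_bursts(synack_replies(pkts, server, attacker), window):
        if len({p.sport for p in burst}) >= min_ports:
            ports.update(p.sport for p in burst)
    return sorted(ports)


if __name__ == "__main__":
    print("open ports seen by the scan:", open_ports_from_scan(SAMPLE, SERVER, ATTACKER))
```

To run it against the real capture, replace SAMPLE with the rows of tshark -r knock.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e tcp.len (tcp.flags comes out as a hex string such as 0x0012, so convert it with int(x, 16)). The min_ports threshold is this example's own knob: lower it if the scanner was slow enough to spread the burst over several seconds.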

Q2 What's the UTC time when the attacker started their attack against the server?

Let's first filter the packets down to the attacker IP we identified previously (ip.addr == 3.109.209.43 is enough).

Here we can see the attacker's first interaction with the server, and its time column. By default Wireshark does not show time in UTC; change that via View -> Time Display Format -> UTC Date and Time of Day. The earliest packet from the attacker is the start of the port scan, and that is our answer.

Answer : 21/03/2023 10:42:23

Q3 What's the MITRE technique ID of the technique the attacker used to get initial access?

Let's look at the activity after the port scan.

We see the ftpd version in the server's banner response, meaning the attacker moved on to targeting FTP.

We also see a list of usernames and passwords being tried.

It looks like password spraying rather than a plain brute force: a handful of commonly used passwords is tried across several usernames, instead of many passwords being hammered against one account. Within the MITRE ATT&CK Brute Force technique (T1110), that pattern is the Password Spraying sub-technique.

Answer : T1110.003

Q4 What is the valid set of credentials used to get the initial foothold? Format [username:password]

Now we can again make use of Wireshark's display filters. Let's apply a filter that lists every FTP packet involved in the actual login process:

ip.addr == 3.109.209.43  && (ftp.request.command == USER || ftp.request.command == PASS)

The brackets matter because of operator precedence: && binds tighter than ||, so without them the filter would match the attacker's USER commands plus every PASS command from any host in the capture.

We see that the filtered packets end at user tony.shephard with the password Summer2023!

Let's drop the command filter and look at the packets right after this one to confirm whether the attacker actually got in. A filter that only shows FTP packets for the attacker's IP is enough:

ip.addr == 3.109.209.43 && ftp

Here we can see that we were right: the server accepts the login (a 230 "Login successful" reply), so the attacker got access to the FTP server with these credentials.

Answer : tony.shephard:Summer2023!
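The reasoning from Q3 and Q4 in code, added here as an example (not part of the original write-up): it pairs each USER/PASS with the server's reply, classifies the attempt pattern as spraying or single-account guessing, and returns the first pair the server accepted. The transcript is constructed; the banner, the other usernames and the ordering are invented and only the final pair is the Q4 answer. The classification thresholds are this example's heuristic, not something defined by ATT&CK.

```python
"""Added example, not code from the original write-up: reconstruct the FTP login
attempts from a control-channel transcript, decide whether the pattern is
password spraying (T1110.003: few passwords tried across many accounts) or
single-account password guessing (T1110.001), and return the first credential
pair the server accepted (a 230 reply).

TRANSCRIPT is CONSTRUCTED: banner, usernames and ordering are illustrative and
not the challenge's traffic; only the final pair is the Q4 answer. The
classification thresholds are a heuristic of this example, not part of ATT&CK.
"""
import re

# ("C", line) = attacker -> server command, ("S", line) = server reply
TRANSCRIPT = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"), ("C", "PASS Password123"), ("S", "530 Login incorrect."),
    ("C", "USER bob"), ("C", "PASS Password123"), ("S", "530 Login incorrect."),
    ("C", "USER carol"), ("C", "PASS Password123"), ("S", "530 Login incorrect."),
    ("C", "USER alice"), ("C", "PASS Summer2023!"), ("S", "530 Login incorrect."),
    ("C", "USER bob"), ("C", "PASS Summer2023!"), ("S", "530 Login incorrect."),
    ("C", "USER tony.shephard"), ("C", "PASS Summer2023!"), ("S", "230 Login successful."),
    ("C", "PWD"), ("S", '257 "/" is the current directory'),
]

USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I)
PASS_RE = re.compile(r"^PASS\s+(.*?)\s*$", re.I)
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def login_attempts(transcript):
    """Pair each USER/PASS with the first 3-digit reply that follows the PASS.
    Returns [(user, password, reply_code), ...]. The Wireshark filter on
    ftp.request.command shows the same commands; this adds the server's verdict."""
    attempts, user, password = [], None, None
    for direction, line in transcript:
        if direction == "C":
            if m := USER_RE.match(line):
                user = m.group(1)
            elif m := PASS_RE.match(line):
                password = m.group(1)
        elif password is not None and (m := REPLY_RE.match(line)):
            attempts.append((user, password, int(m.group(1))))
            password = None  # a multi-line "230-" reply must not be counted twice
    return attempts


def classify(attempts):
    """Heuristic: spraying reuses few passwords over many users; password
    guessing hammers one user with many passwords."""
    users = {u for u, _, _ in attempts}
    passwords = {p for _, p, _ in attempts}
    if len(attempts) < 3:
        return "too few attempts to classify"
    if len(users) > 1 and len(passwords) < len(users):
        return "password spraying (T1110.003)"
    if len(users) == 1 and len(passwords) > 1:
        return "password guessing against one account (T1110.001)"
    return "mixed credential attempts (review manually)"


def first_success(attempts):
    """First user:password the server accepted with a 230 reply, or None."""
    return next((f"{u}:{p}" for u, p, code in attempts if code == 230), None)


if __name__ == "__main__":
    found = login_attempts(TRANSCRIPT)
    print(len(found), "attempts:", classify(found), "->", first_success(found))
```

With a real capture, the transcript comes straight from Follow TCP Stream on the port 21 conversation (or from tshark -z follow,tcp,ascii,STREAM), one line per command or reply.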

Q5 What is the IP address belonging to the attacker?

We have already identified the IP address while answering the previous questions. For analysis' sake, let's assume we have not identified it yet. Here's how we would approach it.

We see many addresses in the pcap, because the server was exposed to the internet. We have identified the server's internal IP as 172.31.39.46. Scrolling a bit, we see a large number of requests from 3.109.209.43. Looking closer, it is a port scan: the destination ports increase sequentially, which is not normal client behaviour.

The scan runs from port 1 up to 65535.

Answer : 3.109.209.43

Q6 What is the name of the file which contained some config data and credentials?

Now we can see that the attacker used ls -la to list all content under the user's FTP directory. We can use the ftp-data filter to see whether any transfer took place:

ip.addr == 3.109.209.43 && ftp-data

We can see that 2 files were transferred by the attacker from the server. Clicking a packet shows the contents of the file, but not very clearly. For example, we can see the contents of the interesting file ".backup".

It is readable but not convenient. Here we can use Wireshark's Export Objects feature for FTP-DATA (File -> Export Objects -> FTP-DATA).

Here we can see both files. We can save them locally, which is why this feature is handy.

Now that we have them locally, let's open the fetch.sh script first.

This is a shell script, probably written by the dev to automate some tasks, and it leaks some database credentials. Let's look at the other file too.

This one looks like a config file, and it also leaks credentials for a backup server. From the config we can see it is named FTP-INTERNAL, so this must be a critical FTP server holding important data. The format also looks like a knockd config. knockd is a port-knocking daemon for Linux: it sniffs for a specific sequence of connection attempts to ports that are otherwise closed and runs a command (typically a firewall rule) once it has seen the complete sequence from one source.

We have a knock sequence leaking here, which means that if the attacker knocks on these ports in the right order, the critical backup service becomes reachable on port 24456. Since the credentials are leaked too, the attacker can simply log in to the critical server. Port knocking is obscurity, not authentication: once the sequence sits in a readable backup file next to the password, it offers no protection at all.

Answer : .backup

Q7 What's the port on which the critical service was running?

As discussed above, the service becomes reachable on port 24456.

Answer : 24456

Q8 What's the name of the technique used to get to that critical service?

As discussed above, the technique is port knocking.

Answer : Port Knocking

Q9 Which ports were required to interact with to reach the critical service?

As already identified from the backup config file

Answer : 29999,45087,50234

Q10 What's the UTC time when the interaction with the ports from the previous question ended?

So we need the exact time at which the attacker's port knocking completed. Let's filter on one of the ports in the knock sequence:

ip.addr == 3.109.209.43 && tcp.port == 29999

We also see packets from the port scan, because this port was probed along with everything else.

The first and third packets are the ones of interest; the other two belong to the port scan, which the timestamps make clear. Let's note the packet numbers of the highlighted packets, go back to the unfiltered view, and check whether ports 45087 and 50234 are hit right after them. If so, that is when the port knocking occurred.

Indeed we were right. The answer is the UTC time of the packet to the last knocked port.

Answer : 21/03/2023 10:58:50
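The Q9/Q10 reasoning as a script, added here as an example (not part of the original write-up): it reads the door definition out of a knockd-style config and replays the attacker's SYNs the way knockd itself tracks a sequence, so scan probes that hit the knock ports too slowly or out of order are rejected and only the real knock produces a completion time. The config and the packet list are constructed: the ports and the door name FTP-INTERNAL follow the write-up, but the seq_timeout, the iptables command and every timestamp are assumptions for illustration, not values recovered from the challenge.

```python
"""Added example, not code from the original write-up: read the door definition
out of a knockd-style config and replay the attacker's SYNs to find when the
knock sequence completed, modelled on how knockd decides to run its command.
Scan probes that hit the same ports too slowly or out of order are rejected,
which is the false-positive problem discussed for Q10.

KNOCKD_CONF and KNOCKS are CONSTRUCTED. The ports (29999, 45087, 50234 opening
24456) and the door name FTP-INTERNAL follow the write-up; the timeout, the
iptables command and every timestamp are assumptions for illustration.
"""
import configparser
from datetime import datetime, timezone

KNOCKD_CONF = """
[options]
    logfile = /var/log/knockd.log

[FTP-INTERNAL]
    sequence    = 29999,45087,50234
    seq_timeout = 15
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 24456 -j ACCEPT
"""

# (UTC timestamp, destination port) of SYN packets from the attacker
KNOCKS = [
    ("2023-03-21 10:42:27", 29999),  # slow sequential scan reaches 29999 ...
    ("2023-03-21 10:43:10", 45087),  # ... then 45087, long after the 15 s window
    ("2023-03-21 10:43:25", 50234),  # ... then 50234: no knock, just a scan
    ("2023-03-21 10:58:44", 29999),  # the real knock, in order and within 15 s
    ("2023-03-21 10:58:47", 45087),
    ("2023-03-21 10:58:50", 50234),
]


def load_door(conf_text, name):
    """Parse one [door] section. knockd's config is INI-like, so configparser
    works; interpolation is off because %IP% is knockd syntax, not Python's."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[name]
    return {
        "sequence": [int(p) for p in sec["sequence"].split(",")],
        "seq_timeout": int(sec["seq_timeout"]),
        "command": sec["command"],
    }


def parse_knocks(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc), port)
            for ts, port in rows]


def knock_completions(door, knocks):
    """Replay SYNs against one door. A SYN to the next expected port advances the
    stage; a sequence port out of order discards the attempt; the whole sequence
    must finish within seq_timeout seconds of its first knock. Ports outside the
    sequence are ignored, as knockd's capture filter never sees them.
    Returns the timestamps at which the full sequence was completed."""
    seq, timeout = door["sequence"], door["seq_timeout"]
    stage, started, completed = 0, None, []
    for ts, port in knocks:
        if port not in seq:
            continue
        if started is not None and (ts - started).total_seconds() > timeout:
            stage, started = 0, None  # too slow: the attempt expired
        if port == seq[stage]:
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(seq):
                completed.append(ts)
                stage, started = 0, None
        elif port == seq[0]:
            stage, started = 1, ts  # out of order, but may begin a fresh attempt (assumption)
        else:
            stage, started = 0, None  # out of order: discard the attempt
    return completed


def knock_completion_times(conf_text, door_name, rows):
    door = load_door(conf_text, door_name)
    return [ts.strftime("%Y-%m-%d %H:%M:%S")
            for ts in knock_completions(door, parse_knocks(rows))]


if __name__ == "__main__":
    print("knock completed at:", knock_completion_times(KNOCKD_CONF, "FTP-INTERNAL", KNOCKS))
```

One thing the replay makes obvious: a fast sequential scan that happens to hit the three ports in ascending order inside seq_timeout would open the door all by itself, which is another reason an ordered knock sequence stored next to the credentials is not a security control.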

Q11 What is the set of valid credentials for the critical service?

From the config file we can assume that this service is also FTP, but that is still an assumption on our part, based only on the FTP-INTERNAL string in the config. We need to confirm that this is indeed an FTP service, because Wireshark only dissects traffic as FTP when it runs on the default port 21, as it did in the previous questions.

Here we can see that this is indeed an FTP service running on port 24456 (the server's three-digit replies and the USER/PASS commands give it away). One difference we notice is that for the previous FTP streams Wireshark gave us a nicely dissected FTP view, which made the analysis easier.

If FTP runs on a non-standard port, tools like Wireshark and NetworkMiner treat the packets as plain TCP instead of FTP. That makes parsing and exporting the transferred data much harder, so first we need to tell Wireshark to treat this whole session as FTP.

For this we need to find the first packet of the FTP session to the backup server on port 24456.

We identify packet number 210734.

Right-click it and go to Decode As.

Make sure the Field is the TCP port, the Value holds the port FTP is running on (24456), and the Current column is set to FTP, then click Save. The tshark equivalent is the -d option, e.g. tshark -r capture.pcap -d tcp.port==24456,ftp

This makes Wireshark dissect every packet involving port 24456 as FTP.

Now we can see it in FTP format, and we can see that the attacker logged on using the valid credentials leaked from the config file.

Answer : abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad

Q12 At what UTC time did the attacker get access to the critical server?

Now that the TCP packets are decoded as FTP, we can find the login successful message; its timestamp is the answer.

Answer : 21/03/2023 11:00:01

Q13 What's the AWS AccountID and password for the developer "Abdullah"?

We need to look at the exfiltrated data to answer this question. Let's see which files were exfiltrated.

The first one we spot is this one.

We can find the FTP-DATA transfer too, but we still cannot export it directly from Export Objects, because we are decoding this TCP traffic as FTP manually. Let's inspect the packet further by double-clicking it.

It looks like a dump of an SQL database. The database name is AWS_SECRETS and the table name is AWS_EC2_DEV.

The table has 3 columns, as in the picture above.

So the second and third values are our accountID:password pair.

Answer : 391629733297 : yiobkod0986Y[adij@IKBDS

Q14 What's the deadline for hiring developers for Forela?

We need another exfiltrated file to answer this question.

Here we spot a document being exfiltrated. The transfer is spread over 3-4 packets. We cannot export the file directly, and if we look at each packet's contents we see that each one holds only part of the payload.

We can see that the data payload starts with the PK magic header (50 4B 03 04), the ZIP signature: a .docx is a ZIP container. Copying the hex dump out of each packet by hand and concatenating the pieces breaks things; the resulting file is corrupt and Word cannot recover it either, since it is easy to get the segment order wrong or to include retransmitted bytes. Instead, we follow the TCP stream from the packet where the transfer begins; Wireshark reassembles the stream and gives us the whole document in one place.

First select the direction from the server to the attacker IP, as we only want the document contents being transferred.

Here we can see the document's bytes in one unified place.

Next, in the "Show data as" dropdown, select Raw instead of ASCII.

Then click Save as and save the file as filename.docx.

Now we can open the document like any normal document.

Answer : 30/08/2023
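What Follow TCP Stream does for us, added here as an example (not part of the original write-up): one direction of a TCP stream is rebuilt from its segments by sequence number, retransmitted bytes are dropped, a gap is reported instead of silently producing a corrupt file, and the PK magic is verified before the result is written out as a .docx. The segments are constructed: a tiny ZIP with docx-like member names is split into out-of-order and duplicated segments with a client ACK interleaved; the IPs are the write-up's and the document text is invented.

```python
"""Added example, not code from the original write-up: rebuild one direction of a
TCP stream from its segments, as Follow TCP Stream does, then verify the file
magic before saving. It shows why pasting per-packet hex dumps together can
yield a corrupt .docx: segments may be captured out of order or retransmitted,
and only the server -> client direction carries the file.

SEGMENTS are CONSTRUCTED: a tiny ZIP (a .docx is a ZIP container) split into
out-of-order and duplicated segments with the client's ACK interleaved. The
IPs are the write-up's; the document text is invented.
"""
import io
import zipfile

SERVER, ATTACKER = "172.31.39.46", "3.109.209.43"


def build_sample_docx():
    """Minimal ZIP with docx-like member names (constructed stand-in for the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Hiring deadline: 30/08/2023</w:document>")
    return buf.getvalue()


PAYLOAD = build_sample_docx()
ISN = 1000  # server's initial sequence number on the data connection (arbitrary)

# (src, dst, tcp.seq, payload) in the order the sniffer saw them
SEGMENTS = [
    (SERVER, ATTACKER, ISN + 64, PAYLOAD[64:128]),   # second chunk arrives first
    (SERVER, ATTACKER, ISN, PAYLOAD[:64]),
    (ATTACKER, SERVER, 5000, b""),                   # client ACK, opposite direction
    (SERVER, ATTACKER, ISN, PAYLOAD[:64]),           # retransmission of the first chunk
    (SERVER, ATTACKER, ISN + 128, PAYLOAD[128:]),
]


def reassemble(segments, src, dst):
    """Return the contiguous byte stream from src to dst: sort by sequence number,
    drop bytes already seen (retransmissions, overlaps), fail loudly on a gap."""
    chunks = sorted(
        (seq, data) for s, d, seq, data in segments if s == src and d == dst and data
    )
    stream, expect = bytearray(), None
    for seq, data in chunks:
        if expect is None:
            expect = seq
        if seq + len(data) <= expect:
            continue                        # wholly retransmitted, nothing new
        if seq < expect:
            data = data[expect - seq:]      # partial overlap: keep only the new tail
        elif seq > expect:
            raise ValueError(f"gap at seq {expect}: {seq - expect} bytes missing from capture")
        stream += data
        expect += len(data)
    return bytes(stream)


MAGIC = {
    b"PK\x03\x04": "zip (docx/xlsx/pptx/jar)",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}


def identify(data):
    return next((name for sig, name in MAGIC.items() if data.startswith(sig)), "unknown")


def carve_zip_stream(segments, src, dst):
    """Reassemble src -> dst, check the ZIP magic and that the archive parses.
    Returns (bytes, member names); write the bytes to a .docx to open it in Word."""
    data = reassemble(segments, src, dst)
    if not identify(data).startswith("zip"):
        raise ValueError(f"stream starts with {data[:4]!r}, not the PK magic header")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        bad = z.testzip()
        if bad:
            raise ValueError(f"corrupt member {bad}")
        return data, z.namelist()


if __name__ == "__main__":
    data, names = carve_zip_stream(SEGMENTS, SERVER, ATTACKER)
    with open("recovered.docx", "wb") as fh:
        fh.write(data)
    print(identify(data), names)
```

The direction filter in reassemble is the scripted version of picking "server -> attacker" in the Follow TCP Stream dialog; feeding it the other direction yields an empty stream, which is the right answer rather than a half-mixed file.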

Q15 When was the CEO of Forela scheduled to arrive in Pakistan?

The next file of interest is reminder.txt. Let's see its contents.

Open the relevant packet.

Now we can read the contents of the text file easily.

Answer : 08/03/2023

Q16 The attacker was able to perform directory traversal and escape the chroot jail. This let the attacker roam around the filesystem just like a normal user would. What's the username of an account, other than root, that has /bin/bash set as its default shell?

After the reminder.txt file we see the attacker interacting with various system files, listing the contents of directories, and so on. One interesting thing we see is that the attacker successfully exfiltrated the /etc/passwd file. Let's take a look at it to answer the question: each line is user:x:uid:gid:comment:home:shell, so we want the entries whose last field is /bin/bash.

Answer : cyberjunkie

Q17 What's the full path of the file which led to SSH access of the server by the attacker?

After /etc/passwd we see the attacker doing some other things. The attacker exfiltrates an interestingly named file called .reminder, which was hidden (indicated by the '.' at the start of the filename).

Let's read its contents.

We simply see a secret reminder to clean up a GitHub repo, as some sensitive data could have been leaked there. Interesting, hmm.

We do not see any other interesting file transferred after this one, nor have we found any reference to a GitHub repository in the files recovered so far. A few minutes after exfiltrating the .reminder file, we see the attacker successfully SSH into the machine.

We need to do some OSINT to find the repo and mine any sensitive data leaked there, as mentioned in the reminder. So the file that led to SSH access is:

Answer : reminder

Q18 What's the SSH password which the attacker used to access the server and get full access?

OK, so after going through all the exfiltrated and cleartext data we could not find anything useful except the note in the .reminder file. Let's go and try to find any repositories run by Forela.

We find a repository named forela-dev.

There is a YAML file that seems interesting.

Looking at its contents, it is an automated task, like an Ansible playbook, related to SSH.

We cannot find an SSH password in the current version, but the file has several commits in its history.

Let's look at an older one. Opening the second-to-last commit, we can see that the script was updated to use an SSH key instead of an SSH password; the earlier revision still carries the password in clear text. Removing a secret in a later commit does not remove it from the repository: anyone with read access can recover it from the history.

It looks like the attacker found the SSH credentials this way and was then able to log in to the server.

Answer : YHUIhnollouhdnoamjndlyvbl398782bapd
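The check that turns the "cleanup" reminder into a finding, added here as an example (not part of the original write-up): every revision of a file is scanned for credential-bearing keys, so a password removed in a later commit still shows up from the earlier one. The two revisions below are constructed stand-ins for a before and after commit of an Ansible playbook; the real repository contents are not shown in the write-up, the user, service and key path are invented, and only the password is the Q18 answer.

```python
"""Added example, not code from the original write-up: scan every revision of a
file for credential-bearing keys, the check that surfaces a password removed in
a later commit, as in the playbook history found for Q18.

REVISIONS are CONSTRUCTED stand-ins for two commits of an Ansible playbook;
the real repository contents are not shown in the write-up. The user, service
name and key path are invented; only the password is the Q18 answer.
"""
import re

REVISIONS = {
    "older (password inline)": """\
- hosts: dev
  vars:
    ansible_user: deploy
    ansible_ssh_pass: YHUIhnollouhdnoamjndlyvbl398782bapd
  tasks:
    - name: restart dev service
      service: { name: forela-dev, state: restarted }
""",
    "newer (key file)": """\
- hosts: dev
  vars:
    ansible_user: deploy
    ansible_ssh_private_key_file: ~/.ssh/forela_dev
    db_password: "{{ lookup('env', 'FORELA_DB_PASSWORD') }}"
  tasks:
    - name: restart dev service
      service: { name: forela-dev, state: restarted }
""",
}

# YAML `key: value` lines whose key smells like a credential
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:pass(?:word|wd)?|secret|token|api_?key|private_key)[\w.-]*)"
    r"\s*:\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def find_secrets(text):
    """Return (key, value) pairs that look like literal secrets. Paths to key
    material and templated/env lookups are pointers, not the secret itself."""
    hits = []
    for m in SECRET_KEY.finditer(text):
        key, value = m.group("key"), m.group("value").strip().strip("'\"")
        if key.lower().endswith(("_file", "_path")) or value.startswith(("{{", "$")):
            continue
        hits.append((key, value))
    return hits


def secrets_across_history(revisions):
    """Map each revision label to the literal secrets it contains. With a real
    repository, feed it each commit's version of the file, e.g. from
    `git log -p --follow -- <file>` or `git show <commit>:<file>`."""
    return {label: find_secrets(text) for label, text in revisions.items()}


if __name__ == "__main__":
    for label, hits in secrets_across_history(REVISIONS).items():
        print(f"{label}: {hits or 'no literal secrets'}")
```

The key-name list is deliberately broad (pass, secret, token, api_key, private_key); in practice you would pair it with entropy or known-format checks, but for a small repository history it is enough to point at the commit worth reading.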

Q19 What's the full URL from where the attacker downloaded the ransomware?

We need to identify any new IPs the attacker used to download the ransomware. Let's first filter the packets down to HTTP traffic involving the server:

http && ip.addr == 172.31.39.46

Now let's dig in and look for malicious traces. We identify a URL that looks suspicious from its naming convention.

Let's follow the HTTP stream to read the whole exchange.

We can see that the attacker used wget to download a zip file that looks like ransomware.

Answer : http[:]//13.233.179.35/PKCampaign/Targets/Forela/Ransomware2_Server.zip

Q20 What's the tool/utility name and version which the attacker used to download the ransomware?

As discussed in the previous question, the client identifies itself in the User-Agent header of the GET request. A User-Agent is trivially spoofable, so it is an indicator of the tool used rather than proof, but there is no sign of tampering here.

Answer : Wget:1.21.2

Q21 What's the ransomware's name?

We need to get the zip file in order to find the name of the ransomware. Let's follow the TCP stream of the packet that sent the GET request to the URL.

This is what we get. From the dropdown at the bottom, select the direction from the attacker's web server to our compromised server, because the file was downloaded to our machine and we only want that data, nothing else.

Also set the "Show data as" option to Raw instead of the default ASCII.

We also need to remove everything before the zip magic header bytes (50 4B 03 04), i.e. the HTTP response headers. Then click Save as and save the file with a .zip extension.

You can either recover and rebuild the zip file, which needs some playing with the file's hex bytes (I have discussed how to get the hex contents), or take an easier shortcut.

We do not need to save the file to get the answer: scrolling a bit, we can simply find the name of the ransomware. ZIP stores each member's filename uncompressed in its local file header and again in the central directory, which is why the name shows up several times in the raw content. It is up to you whether to recover the zip file or answer directly.

You can also use NetworkMiner to directly extract the ransomware file and the 2 files exfiltrated from the FTP server on port 21. Unfortunately NetworkMiner also does not recognise the traffic on port 24456 as FTP, so it does not recover those files for us.

We open the pcap file in NetworkMiner.

Here we can see the zip file and the FTP files. Wireshark should also list the ransomware zip under Export Objects -> HTTP, but for some reason it doesn't (in my case at least), so we can use NetworkMiner to carve the file out easily, or fix up the raw bytes ourselves.

We can confirm that the ransomware used was indeed GonnaCry.

Answer : GonnaCry
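The Q19 to Q21 steps as a script, added here as an example (not part of the original write-up): it reads the User-Agent from the request, splits the response at the blank line, trims the body to Content-Length, checks the PK magic and lists the archive members, whose names ZIP stores uncompressed, which is why the ransomware's name can be read straight out of the raw stream. The exchange is constructed in memory: the URL, host and wget version are the ones from the write-up, while the archive contents are invented placeholders, not the real ransomware.

```python
"""Added example, not code from the original write-up: carve the downloaded ZIP
out of a reassembled HTTP exchange. It reads the User-Agent from the request
(Q20), splits the response at the blank line, honours Content-Length, checks
the PK magic (Q21) and lists the archive members, whose names ZIP stores
uncompressed, which is why the ransomware's name is readable in the raw stream.

The exchange is CONSTRUCTED in memory: the URL, host and wget version are the
ones in the write-up; the archive contents are invented placeholders, not the
real ransomware.
"""
import io
import zipfile


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("GonnaCry/README.md", "# GonnaCry\nconstructed stand-in, no payload\n")
        z.writestr("GonnaCry/main.py", "print('placeholder')\n")
    return buf.getvalue()


ZIP_BYTES = build_sample_zip()

REQUEST = (
    b"GET /PKCampaign/Targets/Forela/Ransomware2_Server.zip HTTP/1.1\r\n"
    b"User-Agent: Wget/1.21.2\r\n"
    b"Accept: */*\r\n"
    b"Host: 13.233.179.35\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: " + str(len(ZIP_BYTES)).encode() + b"\r\n"
    b"\r\n"
    + ZIP_BYTES
)


def parse_message(raw):
    """Split an HTTP/1.x message into (start line, lowercase header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found; is the stream complete?")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def user_agent(request):
    """Tool and version the client claimed, e.g. 'Wget/1.21.2'. A User-Agent is
    trivially spoofable, so treat it as an indicator, not proof."""
    _, headers, _ = parse_message(request)
    return headers.get("user-agent")


def carve_body(response):
    """Entity body of a 200 response, trimmed to Content-Length so that bytes of
    a following keep-alive exchange do not end up inside the saved file."""
    status, headers, body = parse_message(response)
    if status.split(" ")[1:2] != ["200"]:
        raise ValueError(f"not a 200 response: {status}")
    if "content-length" in headers:
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError(f"truncated download: {len(body)} of {n} bytes captured")
        body = body[:n]
    return body


def zip_members(data):
    """Member names of a ZIP; fails if the data does not begin with 50 4B 03 04."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError(f"expected ZIP magic, got {data[:4].hex()}")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


if __name__ == "__main__":
    body = carve_body(RESPONSE)
    print(user_agent(REQUEST), zip_members(body))
    with open("recovered.zip", "wb") as fh:
        fh.write(body)
```

With the real capture, the two byte strings come from Follow TCP Stream on the port 80 conversation, saved as Raw once per direction (client to server for REQUEST, server to client for RESPONSE). Trimming to Content-Length is the scripted version of "remove everything that is not the file": the header is cut off at the front, and anything after the declared length is cut off at the back.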

CyberJunnkie

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻