NSA Codebreaker 2022 Writeup
Tasks Completed: 4/9
Last updated
This was also a bonus challenge/extra credit opportunity for my CYBR 3800 Linux Operating Systems course!
This year's challenge was a ransomware attack: our mission was to investigate the attack, discover the tools and techniques used, unravel and expose a ransomware-as-a-service ring, and recover the critical files to save the day.
Enter the username which shows signs of a possible compromise.
Access log from the company's VPN server for the week in question (vpn.log)
I first downloaded the vpn.log file and cat'ed the contents, but the raw output is difficult to read for analysis.
So I used awk and sort to get things into a more readable format: all users in alphabetical order, with a count of how many times each one logged in.
I also wanted to know who had failed login attempts, indicated by "invalidCredentials".
After a few failed submissions, I excluded the users with failed login attempts and focused on those with only successful logins: a successful phishing campaign means the attacker already had valid credentials, so I expected minimal login attempts, probably one or two. I then grepped each remaining user and analyzed them one by one. I had two incorrect submissions before I came across the compromised account, which stood out because of two simultaneous sessions from different IP addresses, indicating that someone else had logged in at the same time from a different IP.
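As an added example (not part of the original writeup), here is the same analysis scripted in Python so it can be re-run over the whole log instead of one grep per user: it counts successful and failed logins per user (the awk/sort view), then flags any user whose sessions from two different source IPs overlap in time, which is the indicator that identified the compromised account. The challenge's real vpn.log format is not reproduced on this page; the sample lines and the assumed `<timestamp> <user> <ip> <event>` layout are constructed, so adjust `LINE_RE` to the real fields.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not the challenge's vpn.log). The assumed line format is
# "<ISO timestamp> <username> <source IP> <event>", where event is "login",
# "logout" or "invalidCredentials". Adjust LINE_RE for the real format.
SAMPLE_LOG = """\
2022-09-12T08:01:10 amy.tran 203.0.113.15 login
2022-09-12T08:02:33 bob.hill 198.51.100.7 invalidCredentials
2022-09-12T08:02:41 bob.hill 198.51.100.7 invalidCredentials
2022-09-12T08:03:00 bob.hill 198.51.100.7 login
2022-09-12T09:15:02 amy.tran 203.0.113.15 logout
2022-09-12T10:00:00 carol.ng 203.0.113.40 login
2022-09-12T10:21:44 carol.ng 192.0.2.99 login
2022-09-12T11:30:00 carol.ng 203.0.113.40 logout
2022-09-12T12:05:00 carol.ng 192.0.2.99 logout
2022-09-12T13:00:00 bob.hill 198.51.100.7 logout
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Yield (timestamp, user, ip, event) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, event = m.groups()
        yield datetime.fromisoformat(ts), user, ip, event


def login_summary(log_text):
    """Per-user counts of successful and failed logins (the awk | sort view)."""
    summary = defaultdict(lambda: {"login": 0, "invalidCredentials": 0})
    for _, user, _, event in parse(log_text):
        if event in summary[user]:
            summary[user][event] += 1
    return dict(summary)


def concurrent_sessions(log_text):
    """Users with two sessions open at the same time from different source IPs.

    A session runs from a user's 'login' on an IP to the next 'logout' on the
    same IP. Returns {user: sorted list of the IPs involved}.
    """
    open_sessions = {}             # (user, ip) -> login time
    sessions = defaultdict(list)   # user -> [(start, end, ip)]
    for ts, user, ip, event in parse(log_text):
        key = (user, ip)
        if event == "login":
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, ip))

    flagged = {}
    for user, ivals in sessions.items():
        ivals.sort()  # by start time: intervals overlap iff the later start precedes the earlier end
        for i in range(len(ivals)):
            for j in range(i + 1, len(ivals)):
                (s1, e1, ip1), (s2, e2, ip2) = ivals[i], ivals[j]
                if ip1 != ip2 and s2 < e1:
                    flagged.setdefault(user, set()).update({ip1, ip2})
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, counts in sorted(login_summary(SAMPLE_LOG).items()):
        print(f"{user:10} logins={counts['login']} failed={counts['invalidCredentials']}")
    print("concurrent sessions from different IPs:", concurrent_sessions(SAMPLE_LOG))
```

On the constructed sample, bob.hill shows two failures before a success (the noisy pattern that was excluded), while carol.ng is the only user whose sessions from two IPs overlap. Sessions without a matching logout are ignored; for a real log you would also want to treat a still-open session as running to the end of the capture window.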
What was the username of the account the attacker used when they built their tools?
Files captured from root's home directory on the staging server (root.tar.bz2)
PCAP file believed to be of the attacker downloading their tools (session.pcap)
I first downloaded root.tar.bz2 and session.pcap to my Downloads folder:
I extracted root.tar.bz2 and saved the files to my machine.
Here we find a .cert.pem file that looks interesting and potentially useful with session.pcap in Wireshark.
Opening .cert.pem with nano shows that, despite its name, it is an RSA private key; maybe this will be useful to decrypt some TLS traffic in Wireshark. Files whose names begin with a dot are hidden by default in the file manager, which is why .cert.pem was not visible on the desktop until I moved it there and renamed it to "cert.pem".
I then opened session.pcap in Wireshark. There is encrypted TLS traffic. To decrypt it with what we have, we add the private key from cert.pem under Edit > Preferences > Protocols > TLS > RSA Key List, specifying the cert.pem file, TLS as the protocol, port 443, and 172.16.01 as the IP address (the host whose TLS traffic we want to decrypt in the pcap). One caveat worth knowing: this works only when the server's RSA private key is used directly in the key exchange. If the session had used an ephemeral (EC)DHE key exchange, the private key alone could not decrypt it and we would need the session secrets (a key log file) instead.
Now we see an interesting HTTP packet with a GET /tools.tar request. Because the stream is decrypted with cert.pem, following the TLS stream should reveal the client and server request/response and how the attacker downloaded their tools.
Right-clicking on the packet and choosing Follow > TLS Stream, we see the username the attacker used when building/downloading their tools: "HuskyWisePitch".
Enter the domain name of the associated site
Demand note from the attacker (YOUR_FILES_ARE_SAFE.txt)
So for this task we have a demand/ransom note from the attacker: our files are encrypted and we must go to the page it names to find out how to recover them.
From there we can inspect the site using the dev tools in our browser. In the Network tab we see an interesting GET request whose Host header points to an external site, "https://uxlnsbzrtpoawmpd.ransommethis.net/".
We go to this site and inspect it as well; the content is forbidden (403), but this is in fact the backend of the demand/ransom site, "https://uxlnsbzrtpoawmpd.ransommethis.net/".
"It looks like the backend site you discovered has some security features to prevent you from snooping. They must have hidden the login page away somewhere hard to guess. Analyze the backend site, and find the URL to the login page."
Enter the URL for the login page. (for the external site found in Task B1)
For this task we are looking for the login page, so let's inspect this site with dev tools and see what we can find by analyzing the "backend" of the site. We see a server response header, "x-git-commit-hash", with the value "a810d8632d5578670690618f391c4ea6a6d0c14a". Maybe there is an exposed "/.git" directory?
So I tried "https://uxlnsbzrtpoawmpd.ransommethis.net/.git/": directory listing is disabled, but that does not mean the individual files under .git/ are blocked.
After some research: x-git-commit-hash is not a standard header; it is a custom header that some deployments add to expose the git commit a site was built from, and that value is the ID of a commit object in the site's repository. I learned a few basic git commands (init, add, clone, commit, push, pull) and the theory of how git works. All I needed was a working git repo and the git commands on my machine, so I used an existing private repo of mine with my pen-testing notes (note: you can also create your own test repo).
But the directory we really care about is .git, where git keeps its internals: HEAD, config, refs, and objects.
For the next part we can get pieces of information either by requesting the paths directly in the browser or by downloading the files with curl. I went with curl for content discovery, and did it in a separate directory to keep my own repo and this information apart.
As we can see below, .git/refs/heads/main is a plain-text file containing the same value as x-git-commit-hash: the ID of the latest commit on main. The commit object itself lives under .git/objects/ and is zlib-compressed, so we can't read it with cat; we need a special git command (git cat-file -p) run inside a local repository that contains the object.
This is how the process goes:
1. Create a directory for the object with "mkdir .git/objects/a8", a8 being the first two characters of our x-git-commit-hash (git stores loose objects under .git/objects/<first two hex characters>/<remaining 38 characters>).
2. Use curl to download the object from the same path on the site (.git/objects/a8/10d8632d5578670690618f391c4ea6a6d0c14a) and save it to that path locally with --output.
3. Use "git cat-file -p a810d8632d5578670690618f391c4ea6a6d0c14a" to read the contents of the object.
Here we notice another object, "tree 3db88461db61f52d71247e0e320387862b560318", along with the author and other commit information. To learn more about that object we repeat the process:
1. "mkdir .git/objects/3d", 3d being the first two characters of the object ID.
2. curl the object and save it into the directory created in step one.
3. "git cat-file -p <completehash>" to print its contents.
Following this process, I found some interesting objects; the app tree looked like it would contain the backend files of the web application.
Using the same process on "bc7c79ab860bd5b09663d08ffcc7e87c074059b5", I found server.py, which contains interesting information about how the backend of the web application works.
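To make the mechanics of the mkdir/curl/git cat-file loop concrete, here is an added example (not from the original writeup or the challenge) that does the same work in Python: it places loose objects at their .git/objects/xx/yyyy path, inflates and verifies them (what git cat-file -p does for you), parses tree entries, and walks commit -> tree -> app -> server.py. The "remote" is a constructed in-memory dict standing in for the web server, with placeholder file content, so it runs offline; swapping fetch() for a real curl or requests download is all that changes for a site that exposes .git/.

```python
import hashlib
import zlib


def git_hash_object(obj_type, content):
    """Build a loose object the way git does: sha1 over '<type> <size>\\0<content>', zlib-deflated on disk."""
    raw = f"{obj_type} {len(content)}\0".encode() + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def object_path(oid):
    """Loose objects live at .git/objects/<first 2 hex chars>/<remaining 38>; this is the path to curl."""
    return f".git/objects/{oid[:2]}/{oid[2:]}"


def read_loose_object(blob, expected_oid=None):
    """Inflate a downloaded object and split off its header (what `git cat-file -p` does for you).

    Recomputes the sha1 so a truncated download or an HTML error page saved as
    an object is rejected instead of silently yielding garbage.
    """
    raw = zlib.decompress(blob)
    header, _, content = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(content):
        raise ValueError("header size does not match content length")
    if expected_oid is not None and hashlib.sha1(raw).hexdigest() != expected_oid:
        raise ValueError("object id mismatch: corrupted or truncated download")
    return obj_type, content


def parse_tree(content):
    """A tree is a sequence of '<mode> <name>\\0<20 raw sha bytes>'; return [(mode, name, oid)]."""
    entries, i = [], 0
    while i < len(content):
        j = content.index(b"\0", i)
        mode, name = content[i:j].decode().split(" ", 1)
        entries.append((mode, name, content[j + 1:j + 21].hex()))
        i = j + 21
    return entries


def build_fake_remote():
    """Constructed stand-in for the exposed site: {url path: bytes}, exactly what curl would fetch.

    Layout mirrors the writeup: commit -> root tree -> 'app' tree -> server.py blob.
    The blob content is a placeholder, not the real server.py.
    """
    remote = {}

    def put(obj_type, content):
        oid, blob = git_hash_object(obj_type, content)
        remote[object_path(oid)] = blob
        return oid

    blob_oid = put("blob", b"# constructed placeholder for server.py\n")
    app_tree = put("tree", b"100644 server.py\0" + bytes.fromhex(blob_oid))
    root_tree = put("tree", b"40000 app\0" + bytes.fromhex(app_tree))   # git writes dir mode as 40000
    commit = put("commit", (f"tree {root_tree}\n"
                            "author dev <dev@example.invalid> 0 +0000\n"
                            "committer dev <dev@example.invalid> 0 +0000\n\ninitial\n").encode())
    remote[".git/refs/heads/main"] = (commit + "\n").encode()
    return remote


def head_commit(remote):
    """refs/heads/main is plain text holding the commit id (the same value as x-git-commit-hash)."""
    return remote[".git/refs/heads/main"].decode().strip()


def fetch(remote, oid):
    """Stands in for `curl <site>/.git/objects/xx/yyyy... --output .git/objects/xx/yyyy...`."""
    return read_loose_object(remote[object_path(oid)], expected_oid=oid)


def walk_to_file(remote, commit_oid, path):
    """Follow commit -> tree -> subtree -> blob for a path like 'app/server.py'; return the file bytes."""
    obj_type, content = fetch(remote, commit_oid)
    if obj_type != "commit":
        raise ValueError(f"{commit_oid} is a {obj_type}, not a commit")
    oid = content.split(b"\n", 1)[0].split(b" ")[1].decode()   # first line is 'tree <oid>'
    for part in path.split("/"):
        _, tree = fetch(remote, oid)
        oid = next(entry_oid for _, name, entry_oid in parse_tree(tree) if name == part)
    obj_type, content = fetch(remote, oid)
    if obj_type != "blob":
        raise ValueError(f"{path} is a {obj_type}, not a file")
    return content


if __name__ == "__main__":
    site = build_fake_remote()
    head = head_commit(site)
    print("HEAD commit:", head, "->", object_path(head))
    print(walk_to_file(site, head, "app/server.py").decode())
```

The sha1 check is the part worth keeping when you do this against a real site: a server that answers every path with a 200 error page will happily give curl something to save under .git/objects/, and the mismatch tells you immediately rather than after git cat-file fails. Objects that have been packed (under .git/objects/pack/) are not covered by this loose-object walk.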
We opened server.py, and the expected_pathkey() function looks like it exposes where the login page is located.
Let's see what happens if we go to that path on the "forbidden" site:
https://uxlnsbzrtpoawmpd.ransommethis.net/aonvykyjbhdoeruk/login
Note, this could have been much easier with this tool
This was my first ever NSA Codebreaker challenge. I am glad that I was able to complete a few tasks and to explore and learn new things: using awk, sort, and grep to analyze a log file, decrypting TLS traffic in Wireshark, web application analysis, and git!