Malicious Document and Excel Analysis Examples and Walkthroughs

Hi there,

Just a quick little post, mainly to myself, but I wanted to drop some malicious office analysis walkthroughs (and tool links) here just so I can come back to them later. I got pretty involved in a Malware Analysis class in college and ended up liking it a lot, so I hope to post some walkthroughs here myself!

https://0xevilc0de.com/analyzing-malicious-office-documents-with-oledump/

https://madlabs.dsu.edu/madrid/blog/2021/05/17/analyzing-document-with-malicious-excel-4-0-macros/

https://github.com/decalage2/ViperMonkey

https://github.com/DissectMalware/XLMMacroDeobfuscator

https://blog.didierstevens.com/programs/oledump-py/

https://communitydocs.accessnow.org/394-MS_Office_Files_static_analysis.html

MicroCorruption | New Orleans

I recently found out about a cool CTF site called “MicroCorruption“. They provide CTFs revolving around assembly language, disassembly/reverse engineering, etc. And it looks like a lot of them take advantage of real-world vulnerabilities and sometimes even string multiple vulnerabilities together on different levels. So far I’ve completed the tutorial, and the first level which is named “New Orleans” (the focus of this write-up).

Opening up the level, we are greeted with a fun little story. I love the extra work these guys put in just to make these more fun! So from this little readme though, we can gather that this one actually uses a password. The only reason I say this, is because the tutorial level only looked for a password of a certain character length.

From there we see that in main there is a function being called right off the bat called “create_password”. I’m going to assume it’s pretty important, so let’s take a look at it.

The function itself points r15 towards an address in memory. At this point, make sure you’ve run your program once and haven’t reset it, because this spot in memory won’t exist until then. Now we just need to go find #0x2400 in our “Live Memory Dump” section.

And there it is! Just sitting there, waiting for us to grab it. We’ll need to test it first though.

And they’re in! I know this was a little short, but there will be more of these levels as I work through them. Thanks for reading!

OSINT | Investigating Phone Numbers Mini-Toolkit

Recently, I started reading through the “Open Source Intelligence Tools and Resources Handbook 2020” released by I-Intelligence. I don’t know if “reading through” is the right word, as it is literally just a dump of different sites that may or may not be up, may or may not work, and may or may not be behind a paywall. This is an issue for me, so as I go through the book I’m going to attempt to audit each section and pick the links relevant to me out, give brief overviews of what they do, and leave them here for your use. Today, we’ll be going over investigating phone numbers in the US. In this section of the book it has a lot of links that relate to foreign phone numbers, phone call privacy/blocking/callerID, and more. If they didn’t relate directly to looking up a US number, I didn’t look further into them.

  • Caller ID Test – You can see the phone number and the associated name.
  • Caller Smart – Gives similar info to the link above, but includes the carrier. Carrier info is sometimes wrong.
  • Carrier Lookup – Gives you the carrier. Carrier is usually correct.
  • Free Carrier Lookup – Similar info to the link above, carrier is usually correct.
  • Reveal Name – Provides the info on the person the number belongs to, and the correct carrier.
  • SpyTox – The first site to actually confirm an accurate first and last name with one of the more challenging phone numbers I was testing it with. Most of the info is blocked behind a paywall, but the free info it provides could be gold in certain situations. It has some misinformation that tries to get someone to make the purchase though (says things like this number was found on Tinder, AshleyMadison, etc.).
  • Z LookUp – Provides a relatively accurate name that is usually associated with the phone number.

The golden chalice (tools I found along the way that I like):

  • Synapsint – This had no relevant info on any of the numbers I tried, but boy, does its email search work well. It even includes cleartext passwords from different breaches, along with some extra info. Extremely useful, and I’m leaving this here for later.
  • Fast People Search – This is my go to currently in terms of looking people/numbers up. Really fantastic, gives back some strong and mostly accurate results. Of course with this kind of stuff it won’t be 100% accurate information, but dang, this one gives you a ton of info to explore.
  • Intelligence X – Honestly, fantastic. They’ve got a lot of other tools besides the third party phone number search, and can find a lot of info surrounding accounts from different database breaches. If you sign up with a school email account, you also get access to more searches and a lot of extra stuff for free.

If you have any suggestions/changes/questions, feel free to fill out the “Contact Me” form.

OzSec2020 CTF | 1<3W!r35h4rk Challenge

Recently (it’s still going as I write this post), I’ve been able to participate in the OzSec2020 Capture-The-Flag competition. There were a couple challenges that were pretty interesting, and the Wireshark one was something I didn’t know existed/hadn’t touched before, so I just wanted to post a short write-up covering it. As of right now, it’s 20 minutes until the CTF ends and my team is sitting at 2nd place, so we ended up doing pretty decently!

But let’s go ahead and jump into it. If you want to follow along, feel free to download the .pcap file from here. Here is the challenge itself:

So, opening up the .pcap file we see a bunch of packets falling under the label 802.11, and this challenge mentions that we need to decipher the .pcap, and investigate it using a tool (or tools) on Kali (we’ll be using Wireshark).

First, to decipher the .pcap, we can go ahead and throw it at aircrack-ng. To read more on cracking 802.11 WEP using aircrack, click here. In short though, aircrack-ng is able to recover the WEP key once enough encrypted packets have been captured, and this .pcap has loads of them.

A key has been successfully found! Sweet! Now we just have to go over into Wireshark to decipher the packets, and find the correct request. For more in-depth step-by-step guide on the ins and outs of decrypting 802.11 in Wireshark, click here.

Now we actually have to find the password itself. All of our packets are decrypted, and the entirety of the .pcap file is looking a lot more readable. But it’s a large file, and we don’t want to go chasing down random rabbit-holes attempting to find the password. The question we have to ask ourselves is:

  • What type of request would a web-based admin panel have for completing a password change?

And our answer to that is: an http POST request. This isn’t a sure fire way to find it, and if we hadn’t found it this way there is another thing we could try, but for now let’s focus on the POST request. It’s just a very common way to handle passwords, and along with that, this is an admin panel in a browser we’re talking about, so we need to remember to include http in our filter.

Nice! Only one packet, let’s open it up:

And there you can see the password. It is besides the “PassPhrase=” section. This is the quick and easy way to solve it. If we hadn’t been able to find it using that filter, we probably would have ended up dumping the http.data through tshark and grep’ing for stuff like “pass”, “flag”, “phrase”, etc. It can definitely vary between CTFs, but a good addition would be to grep for their designated layout for flags as well. So if I was doing a MetaCTF challenge, and had a dump of data, I might look for “MetaCTF{” because that’s how most of their flags start.

Looks like we ended up officially taking second place as well!

Thanks for giving this a read, and if you have any recommendations, criticisms, or questions, feel free to reach out.

TryHackMe | Simple CTF Box

Ready for another one? Let’s do it! As per usual, let’s do an nmap scan and see what’s going on.

Time to break it down:

  • Port 80: We can check for a site of some kind here in the web browser, and also look up the version of Apache to see if their are any vulnerabilities/exploits for it.
  • Same tactics can be applied to port 21 and port 2222, check the versions for vulnerabilities.

Personally, I like to start with the website in these instances, as you are usually guaranteed to have something there. The main page for this site is the default Apache page though, so let’s see if Dirbuster will give us any directories.

Let’s see what’s hiding in that /simple/ directory.

Pulling the site up shows us that the framework being used is “CMS Made Simple” version 2.2.8. Let’s see if there are any vulnerabilities for that.

Time to download and run the exploit:

The command I ran to get the output is the command below the output

Let’s break this command up a little bit:

  • “python” runs the exploit we downloaded as it is a .py file.
  • “46635.py” is the exploit file.
  • “-u” is referring to the target (basically). It is referring to the URL.
  • “–crack” says that you want to crack the passwords found and
  • “-w” is referring to the wordlist you want to use to crack the password

We found two usernames, here’s one of them:

Now that we cracked the password and have a username to attempt to use, let’s try out ssh’ing on port 2222.

Sweet! We made it in! Now we can take a look around.

There’s the user flag. Time to escalate privileges. The first step (especially in these beginner boxes) that I take is to perform the command “sudo -l”.

From there we are able to observe that vim can be run without the root password, so let’s check out GTFO Bins to see what we can do with vim.

Trying out the first option, it is a complete success! Let’s deconstruct why this works.

  • “sudo” runs program as superuser.
  • “NOPASSWD” in “sudo -l” means this user has the privilege level to run this program as the superuser without needing to authenticate.
  • “vim” the program we are running as the superuser.
  • “-c” designates a command to be read after the first file.
  • “‘:!/bin/sh'” is the command executed by the “-c” bit. It will run the shell as the elevated user, making you root.

That’s the end of it! Thanks for reading!

TryHackMe | RootMe Box

So, as per usual, let’s kick it off with an nmap scan:

We notice that two ports are open; 22-ssh, and 80-http. Web sites are always fun in CTFs and leave lots of different places to stuff clues and challenges, so let’s check out the site first, and run Dirbuster on it at the same time to see if it has any hidden directories.

Two important directories that are needed for us. /panel, and /uploads. Panel brings us to this page:

Which WILL NOT take a standard .php file (my poor reverse shell). And we can assume once we get past this roadblock, that the shell we will be executing is going to be located in the /uploads directory.

So I have a simple little minimalist reverse shell I like to use for php (nothing fancy, I should probably upgrade). I just need to run this command:

And switch it over to a php5 extension instead of php. This is called a “file name bypass” and hoodwinks the file name validation the upload functionality has in place. You can read further up on this here, but essentially, this is a type of blacklisting bypass. We found out that a php file is blacklisted from being uploaded, but to bypass this, we just have to try an unpopular php extension such as: php3, phpt, php5, php6, etc.

And wouldn’t ya know, it works! Let’s go verify that our reverse shell is now inside of the uploads directory.

Before clicking on it, make sure to get a netcat listener running.

You might have to do some things to stabilize this shell. As I said, it is extremely minimalist. Now we just need to search for a file with SUID permissions, and find the one that sticks out. We can do this by running the following command:

One major one that sticks out that I’ve used before can be seen here:

Python is great if you have access to it. Check out GTFO Bins for some more information. Keep in mind that this is SUID related, and we already have access to python.

That means we just need to run the second command there.

And boom, you’re root.

Great Threat Hunting Resources for Beginners

Recently, I attended Wild West Hackin’ Fest 2020 virtually, and one of the presentations was on threat hunting. I hadn’t really been exposed to threat hunting too much, so I shot some questions into Discord and got some phenomenal resources sent back to me regarding training and courses on the subject. Here are a few of those sources:

Hope you enjoy!

TryHackMe | Anthem Box

This box will be a little different, due to it being a Windows box. Now, given that like 98% of business infrastructure runs on Windows, I’m starting to think it’s due time for me to start branching out. I’ve got a couple more write ups coming soon, they are just very very long, so I haven’t gotten around to creating them yet.

But for this box, let’s start off with a little nmap scan.

So, we’ve got a lot of ports open. I’m going to look into the importance of each of these ports real quick, just for review:

  • Port 80 – HTTP: The port that the server expects to receive data from a web client. It can be configured differently, but this is the default.
  • Port 135 – MSRPC: This is a modified version of DCE/RPC. Stands for “Microsoft Remote Procedure Call”. It is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer’s network.
  • Port 139 – NetBIOS-SSN: Stands for “NETBIOS Session Service”. TCP NetBIOS connections are made over this port, usually by Windows machines, but can also be any other system running Samba (SMB). These sessions support “connection oriented file sharing activities”.
  • Port 445 – Microsoft-DS: This port is usually used for file sharing, with something like Samba. It stands for “Microsoft Directory Services”. It is the preferred port for carrying Windows file sharing and “numerous other services”.
  • Port 3389 – MS-WBT-Server: So, from the port number, we can already guess that this is an RDP instance. Also known as “msrdp” or “Microsoft Remote Display Protocol”, it sets up a terminal server that can be remoted into.

Let’s take a crack at the website first.

So, there wasn’t anything important on the main page, and robots.txt is always a great place to check when crawling directories. So if you’re feeling lazy and don’t want to start up and configure dirbuster, just add that “/robots.txt” to the end of the URL and see if it pulls up anything important. In our case it did, multiple directories to check out, and a potential password.

This just shows what the site’s URL is supposed to be. It answers one of the questions for the box.

Another question was to find out the name of the SysAdmin, which I considered this one a bit dumb, just because the whole concept of this question is flawed. You need to Google this poem that this employee wrote about the sysadmin, and it gives you the author of the original poem, which is what the sysadmin’s name is. Why this bears any relevance, how anyone was actually supposed to connect those dots, I’ll never know. I’m just glad I didn’t do the foot work on this bit of the box (haha).

^Name of the sysadmin^

This was to identify how the company creates its emails. So we have a first and last name, and we have an example email. Now we can create the sysadmin’s email, and it looks like we have his password from the robots.txt file too.

The challenge here was to just find three (maybe four? I don’t remember exactly) flags that were hidden in/on the site. Most of them were in the source code, so I just went to each page, opened the source code, and ctrl+f’d for “THM{“, which is the standard format for TryHackMe flags.

I didn’t spend too much time looking, but I feel like there should be a tool to crawl a specific website and all the links/pages it has on it and be able to look for certain parameters with the source code. I couldn’t find a tool like that, but maybe I should make one as a challenge. Could use Python + Beautiful Soup or something.

Final flag for this section was on a profile page.

I also broke into the website manager using the email and password for the sysadmin. Didn’t find anything, but it was fun to try.

So RDPing into the box works using the sysadmin and the password that we found. So now we just have to root around a bit (hehe…get it?), and then escalate our privilege to full admin to find the final text file.

First text file found just sitting on the desktop.

Interesting folders that were hidden. If going back through this box, you’ll want to check on those.

So, all we really had to do was add ourselves as owners to a hidden file, so that we now have full control.

Opening the file provides us with the administrator’s password.

Now, let’s log out, and attempt to login as admin.

And we’re in! The final flag was sitting on the desktop as well. Great box to get your feet wet with Windows and RDP, but I’m definitely looking forward to more!

TryHackMe | Bounty Hunter Box

TryHackMe has a box called “Bounty Hunter” which was a ton of fun, and definitely an experience. Let’s dive right into it.

I started off with a regular old nmap scan of the IP. It showed that there were three ports open, and so that means three potential points of entry. Now, before we start testing everything, we’d usually try to grab the versions of the software running on this ports, to make sure there is no blatantly obvious vulnerability. SSH ended up being up to date, so we’ll follow my normal approach for this type of situation. Which is immediately looking into FTP.

The most common thing that occurs for these beginner level boxes is that the FTP login is left to be anonymous. You don’t even usually NEED to use metasploit to scan it, you can just attempt to FTP in and if user: anonymous and password: anonymous doesn’t work, then it’s not anonymous login haha. Let’s go ahead and login to the FTP server.

Annnnd, success! Just like I thought. Time to poke around a bit.

So there are two files in here, locks.txt and task.txt. Let’s download and open them up.

Cool, so this looks like a password list. It’ll come in handy later, so store it somewhere safe. No, there’s one bit I missed documenting here, but I’ll do my best to explain it.

On our scan, port 80 was open, which is http. This means they are most likely running a website. Which also means there could be extra directories, code to audit, etc. Through exploring that site, I found the name “lin”. This appeared to be a username of some sorts. So we had a username, and now we have a list of passwords. There’s one service that has yet to be useful to us; SSH. So, it’s gotta be the login to that. Power up Hydra and let’s get to brute forcing.

Start her up!

Nice! Glad to know that worked out in our favor. Let’s see what we can get to through SSH.

So our goals for this challenge were to get user.txt and root.txt. We’ve got user.txt, so now we need to get root on the box, and that means a little bit of privilege escalation.

This shows that the user we are logged in as (lin) can run the following commands as root: /bin/tar. This means we need to head over our favorite site (https://gtfobins.github.io/) to see how we can escape to root using this command.

Looks like it worked, and the box is now fully completed!

Thanks for reading!

Analysis of Commands Used in TryHackMe’s “Kenobi” box

This is more just notes for me than anything, but here we go:

So this is an nmap scan being used to enumerate for SMB shares. Let’s dissect it.

  • “-p 445” means it is only scanning the specified port, AKA port 445
  • “–script=” there are a bunch of different scripts, directories, script-categories, and more in here
  • “smb-enum-shares.nse” and “smb-enum-users.nse” are scripts developed for nmap to do what their names describe; they enumerate smb shares and users of the smb shares. More info on at least one of these scripts can be found here.

The rest of this (nmap, machine_ip) is pretty self-explanatory.

Here are some of the SMB commands. Luckily, “smbclient” is a pretty simple one. It is similar to how an ftp connection works through the command line, and just connects to an SMB instance on a certain machine’s IP.

“smbget -r” downloads files from a share. The “r” is for resume, which means it automatically resumes aborted files.

So, here’s another nmap scan:

  • “nfs-ls,nfs-statfs,nfs-showmount” these can be looked at online @ nmap’s official site, the main one we are concerned with is here.

This shows NFS exports, and is what we are mainly after. The others gather the extra info that we rely on as well, but this question on the box’s page surrounds the mount that we can see.

The next question I need to answer for myself is: what is netcat?

Well, netcat is a utility that lets you read and write from connections using TCP or UDP. It has been described as a “networking swiss army knife” and can do a ton of different things. It would definitely be out of my depth to currently attempt to put into words all the things it can do, but it does look very useful.

Searchsploit is a command line search tool that checks Exploit-Db. This is useful because it lets you take an offline version of their database with you wherever you go, and is easily accessed from the command line. It can show exploits and shellcode useful for all manner of things.

Here “proftpd” is the service we are looking for exploits for, and “version” is where we will put the version number, like “1.3.5”.

Now we’ll take a look at two more commands. “SITE CPFR” specifies the file you want to copy, while “SITE CPTO” specifies where you want to copy it to.

“Mkdir” creates a directory. “mount” mounts a drive/directory. This can be used to mount an smb share. “mount machine_ip:/var /mnt/kenobiNFS” mounts this machines /var to our newly created directory. “ls -la” then displays the contents of a directory with a lot of extra info for each file, like the size in bytes, last time of modification, etc. The “a” of “la” lists all entries in the directory, including the entries that begin with a period.

  • “find” takes a path to find things, searches for the parameters you feed it.
  • “/” means find will look through every file on the system.
  • “-perm” means you are looking for a file based on permissions. Which is where this next bit comes in.
  • “-u=s” u stands for user, and the s means “set user or group ID on execution”.
  • “-type f” means that it will only look for files. So type is specifying what type of things it is looking for, and f is specifying files.
  • “2>/dev/null” is apparently a fancy way of redirecting stderr to a black hole. This means it discards the output of the command.

Now, I’m going to attempt to walk myself through this. It might be right, it might be wrong.

So since we cannot run usr/bin/sh the way we want to, we copied its contents, and created a new file named curl with the same content. Now, just running curl wouldn’t work because we still need the correct permissions inside and out. We moved it into the way of /usr/bin/menu, a file that we CAN run, and so that when menu gets run, it hits our curl, which in turn gives us the access we need. This is because it has now fully run our shell (curl) as root.

Hopefully that was a semi-correct explanation. Cool stuff though, I’m looking forwards to doing more of these!