Category: Forensic
Points: 257
Description: Our SOC detected that a confidential document was exfiltrated! The method used does not look advanced and, fortunately, a network capture could be taken at the right moment... Recover this document.
Files: Exfiltration.pcap
A document has been exfiltrated via POST requests. XORing the recovered file lets us read the flag in a Word document.
When we open the file with Wireshark we see that there are 27242 packets to look at!
So... Let's go!
Skimming through the packets, we notice that there is a lot of TCP traffic.
By going through all the TCP flows we obtain several interesting exchanges of the same type:
What we are interested in is this message:
<h1>Welcome to my panel!</h1>
<p>If you see this page, the malware is successfully installed and
working. No further configuration is required.</p>
And the fact that the requests are made with the POST method, with the data passed as form fields:
data=35287067716378686d6389c7f82d736365637363656373636563786365632c11000f004c481116&uuid=80cx6rf7w55phwl87z3q
With each request the data parameter changes but the uuid does not. The uuid must be a unique identifier that lets the remote server reassemble the exfiltrated file from the data field.
A little Python script to collect all these packets and reassemble them.
>_ cat extract.py
#!/usr/bin/env python3
# Collect the hex payloads POSTed by the infected host (192.168.1.26) to the
# panel (198.18.0.10) and reassemble them into the exfiltrated file.
from scapy.all import IP, Raw, rdpcap
import binascii

packets = rdpcap('exfiltration.pcap')
data = ''
for packet in packets:
    # Only client -> server traffic carries the exfiltrated chunks
    if IP in packet and packet[IP].dst == '198.18.0.10' and packet[IP].src == '192.168.1.26':
        # Packets without a payload (pure ACKs, ICMP, ...) have no Raw layer
        if Raw in packet:
            p = packet[Raw].load.decode("UTF-8")
            # Keep only the hex string between "data=" and "&uuid"
            p = p.split("&uuid")[0]
            p = p.split('data=')[1:]
            if p:
                data += p[0]

print(data)
with open("out.txt", 'wb') as file:
    file.write(binascii.unhexlify(data))
>_ ./extract.py
>_ file out.txt
out.txt: data
Unfortunately the extracted file is unreadable.
Fortunately, when writing the script I initially forgot to filter only on packets that contained raw data (the Raw layer). When testing it, it crashed as soon as a packet did not contain the Raw layer. I noticed that the packet in question was an ICMP packet with interesting data: config : exfiltered_file_size=4193bytes
To learn more about it, we filter on ICMP packets in Wireshark:
And we get four interesting facts:
config : exfiltered_file_size=4193bytes
config : file_type=DOCX
config : data_len_for_each_packet=random
config : encryption=XOR
The file is 4193 bytes long, so all the data has been extracted from the packets.
>_ ls -l out.txt
-rw-r--r-- 1 lambdhack users 4193 May 22 20:06 out.txt
Now we know that the exfiltrated file is a Word document and that the encryption used is a XOR. To recover the key, we XOR the first bytes of the file with the magic number of Word documents. A quick look at the File signature table gives the magic number of a DOCX.
After doing the XOR, we find the key, which is ecsc
Of course!
Now we XOR the whole file with this key to recover the original DOCX.
>_ cat xor.py
#!/usr/bin/env python3
# Decrypt the reassembled file with the repeating 4-byte XOR key recovered
# from the DOCX magic number.

def xor(file1_b, key):
    """XOR every byte of file1_b with the key, repeated as often as needed."""
    key_size = len(key)
    xord_byte_array = bytearray(len(file1_b))
    # XOR between the file and the repeating key
    for i in range(len(file1_b)):
        xord_byte_array[i] = file1_b[i] ^ key[i % key_size]
    with open('data.docx', 'wb') as out:
        out.write(xord_byte_array)

if __name__ == '__main__':
    key = 'ecsc'.encode()
    data = open('out.txt', 'rb').read()
    xor(data, key)
>_ file data.docx
data.docx: Microsoft Word 2007+
The file has been correctly decrypted.
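As an added example (not the author's scripts), the whole recovery chain in one place: reassemble the hex chunks from the POST bodies, derive the XOR key by XORing the first ciphertext bytes with the DOCX magic number, and decrypt. The POST bodies, the uuid and the document bytes are constructed here; the key ecsc and the data/uuid field names come from the write-up, and the hex strings are joined before decoding so that chunks of random, possibly odd, length do not break the reassembly.

```python
#!/usr/bin/env python3
"""Recover an XOR-encrypted DOCX exfiltrated as hex chunks in POST bodies.
The POST bodies and the document bytes below are constructed for this example."""
import binascii
from urllib.parse import parse_qs

DOCX_MAGIC = b"PK\x03\x04"  # ZIP local file header: every .docx starts with it

def extract_hex(body: str) -> str:
    """Return the raw hex string carried in the 'data' field of one POST body."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["data"][0]

def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext step: cipher XOR expected magic gives the repeating key,
    provided the key is no longer than the known prefix (4 bytes here)."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (encryption and decryption are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_document(bodies, known_prefix=DOCX_MAGIC):
    """Reassemble the chunks in capture order, then derive the key and decrypt.
    The hex strings are joined before decoding because each packet carries a
    random number of characters, so a single chunk may have odd length."""
    cipher = binascii.unhexlify("".join(extract_hex(b) for b in bodies))
    key = recover_key(cipher, known_prefix)
    return key, xor_bytes(cipher, key)

# Constructed sample: a fake document encrypted with the key found in the
# write-up, split across two POST bodies (17 and 37 hex chars) sharing one uuid.
SAMPLE_DOC = DOCX_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml"
SAMPLE_KEY = b"ecsc"
_cipher_hex = binascii.hexlify(xor_bytes(SAMPLE_DOC, SAMPLE_KEY)).decode()
SAMPLE_BODIES = [
    f"data={_cipher_hex[:17]}&uuid=constructed-session-id",
    f"data={_cipher_hex[17:]}&uuid=constructed-session-id",
]

if __name__ == "__main__":
    key, doc = recover_document(SAMPLE_BODIES)
    print("key:", key.decode(), "starts with PK:", doc[:4] == DOCX_MAGIC)
```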
ECSC{v3ry_n015y_3xf1l7r4710n}