BSides Nairobi 2023 Cyber Challenge Walkthrough

Hey there and welcome back to another blog post. I will be discussing the challenges I set for the BSides Nairobi 2023 Cyber Challenge, which took place on 04/11/2023 at USIU. The challenge was tackled by 45 registered teams.

After 8 hours of competing, p3rf3ctr00t, led by k4p3re, emerged in 🥇 place.

image

The audacity to rub it on @fr334aks face

gif

This year, the event was special as the first team bagged home a trophy.

Misc

CroffFit

Crossword

This challenge brings together an all-rounded quiz that encompasses questions on Kenyan current affairs, global news, and mastery of both Windows and Linux. Can you solve this crossword and prove your expertise?

Instructions.

  • This is an online-based activity and individual activity is not tracked.
  • Sharing solutions with other teams is PROHIBITED.
  • Access the challenge here
  • Once your team completes the challenge, come get a physical, printed flag.

image

Solution

image

Jigsaw

A scrambled image awaits your expertise. Piece it together to reveal a message or picture. But there’s a twist! This isn’t just a virtual game. Once you believe the image is whole and the message clear, the team captain must approach the challenge master (05t3) to claim a physical flag. But be wary: precision matters, and only a perfectly assembled image will lead to victory.

Instructions.

  • This is an online-based activity and individual activity is not tracked.
  • Sharing solutions with other teams is PROHIBITED.
  • Access the challenge here
  • Once your team completes the challenge, come get a physical, printed flag.

image

Solution

image

Forensics

Mystique

I recently encountered a potentially malicious email and thought it would be interesting to turn it into a CTF challenge. The email has an attachment that seems suspicious. Can you help analyze and decipher its purpose?

Guidelines:

  • The provided files are genuine malware samples, so treat them with caution.
  • Always examine them in a sandboxed environment to ensure safety.
  • For your convenience, the zip files containing these samples are password-protected. Use the password “infected” to access them.
  • If needed, feel free to use online resources for assistance. One recommended online sandbox tool is AnyRun.

Module: Email Forensics

Questions

Start by analyzing this email.

  • Who is the sender of this email? (25pts)

BSidesNBI{2export@ekofood.com.tr}

  • What is the JARM fingerprint of the Originating IP rDNS address? (25pts)

BSidesNBI{15d3fd16d29d29d00042d43d00000071784fa9f8305ba9220d0a7894b6ff2c}

  • What is the md5sum of the email attachment? (25pts)

BSidesNBI{2dae57b509d72eb69166e9d48995e530}

  • Without opening the attachment on your host machine, use an online sandbox like AnyRun to observe what happens when the document is opened. From your analysis, what CVE is associated with the attachment? (25pts)

BSidesNBI{CVE-2017-11882}

  • What malware family is likely associated with the attachment? (25pts)

BSidesNBI{agenttesla}

  • Take a look at the malware configuration. What is the c2 Domain address? (25pts)

BSidesNBI{cp5ua.hyperhost.ua}

  • In your opinion, what protocol do you suspect could have been leveraged for potential exfiltration? (25pts)

BSidesNBI{smtp}

  • What was the username and password used in the protocol mentioned above? (25pts)

BSidesNBI{arinzelog@saonline.xyz_7213575aceACE@#$}


Solution

Let me walk you through my thought process of how I analyzed the email upon receiving it. First, I was at work and didn't have my malware environment at my disposal to dissect the mail. So I downloaded the .eml file and used my favourite online sandbox, PhishTool, for some quick analysis.

Upon loading the file, it rendered as so:

image

Straight up, I knew this was a phishing email:

  • I don't own any products that I'm selling 😂
  • The attached list was a .doc (Items list.doc), potentially containing malware 🚩
  • Inconsistent display-name. The 'From' email address local-part 2export is inconsistent with the display-name Fatih ALTINDAŞ provided in the email.
  • I looked up the display-name online (Fatih ALTINDAŞ) and got a hit on LinkedIn.

image

From his profile, there is no record of him working at megaendustri. He's also from Turkey. Impersonation? 🤔

  • Doing a quick WHOIS lookup, I learnt that the domain could be legit, as its creation date is fairly old (1999). The company also seems to be in Turkey.

image

  • Checking whether the domain is flagged as malicious on VT, I didn't get any hits.

image

With that in mind, I proceeded to inspect the attached document. On VT, it had a detection score of 35/60.

image

image

Red 🚩🚩🚩.

Let's look at the Originating IP rDNS.

image

The term "Originating IP rDNS" refers to the domain name associated with the originating IP address of a network activity, obtained through a reverse DNS lookup.

Looking at its WHOIS records, we realise its origin is also in Turkey.

image

Doing a quick lookup on VT, I realised the IP is also linked to other uploaded .eml and .msg files. 🚩🚩🚩

image

Its JARM fingerprint (an active fingerprint of the server's TLS configuration) is 15d3fd16d29d29d00042d43d00000071784fa9f8305ba9220d0a7894b6ff2c

~ Source
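As an added example (my own code, not the author's or PhishTool's) of automating the header and attachment checks above, the script below parses a constructed .eml with Python's standard email library, flags a display-name/local-part mismatch, pulls the originating IP from the headers, and hashes each attachment the way the md5sum question asks. The sample message, its X-Originating-IP header and the risky-extension list are assumptions.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr
# Constructed sample .eml (not the challenge file): display name unrelated to the
# sender local-part, a .doc attachment, and an originating-IP header.
SAMPLE_EML = b"""\
From: "Example Display Name" <2export@example.com>
Subject: Items list
X-Originating-IP: [203.0.113.10]
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached items list.
--b1
Content-Type: application/msword; name="Items list.doc"
Content-Disposition: attachment; filename="Items list.doc"
Content-Transfer-Encoding: base64

U2FtcGxlIGNvbnRlbnQ=
--b1--
"""
# Extensions that commonly carry Office exploits or droppers (assumed list).
RISKY_EXT = (".doc", ".docm", ".xls", ".rtf", ".exe", ".js", ".lnk", ".iso")

def originating_ip(msg):
    """X-Originating-IP if present, else the first bracketed IPv4 in Received."""
    hdr = msg.get("X-Originating-IP")
    if hdr:
        return hdr.strip("[]")
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return m.group(1) if m else None

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"])
    local = addr.split("@")[0].lower()
    # Red flag: no word of the display name appears in the sender's local-part.
    words = [w for w in re.split(r"\W+", display.lower()) if len(w) > 2]
    mismatch = bool(words) and not any(w in local for w in words)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # decoded bytes, never executed
        attachments.append({"name": name, "md5": hashlib.md5(payload).hexdigest(),
                            "risky": name.lower().endswith(RISKY_EXT)})
    return {"from": addr, "display_name_mismatch": mismatch,
            "originating_ip": originating_ip(msg), "attachments": attachments}
```

The md5 of the real attachment can then be checked against VT or MalwareBazaar without ever opening the file.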

I was a bit curious what would happen when the document is opened. As I waited to head home to conduct an in-depth analysis in my lab, I turned to AnyRun, an online malware sandbox environment.

I uploaded the original .eml file and manually interacted with the document. A playback can be found here.

Let's start with the process graph.

image

The task involved the execution of several processes, starting with Microsoft Outlook and Microsoft Word. These processes were launched with specific command lines and had parent-child relationships. After the execution of these processes, another executable file named “arinze963004.exe” was run twice. In addition to the process tree, there were modifications made to various files and registry keys.

The most interesting event in this task is the execution of the “arinze963004.exe” file. This file was run twice, with the second instance being a child process of the first instance. This behavior could indicate the presence of malware, as the file is located in the user’s AppData\Roaming directory, which is a common location for malicious files. Another interesting point is the modification of registry keys related to Microsoft Office and Internet settings. These modifications could be an attempt to persist the malware or change the behavior of the system.

Let's take a look at the DNS requests.

image

Taking a look at the suricata rules fired, we see:

image

One notable rule is "Successful Credential Theft Detected", fired on an attempt to exfiltrate data via SMTP. The process image involved is "C:\Users\admin\AppData\Roaming\arinze963004.exe". This event is triggered by a malicious program.

Let's dissect it.

image

The process observed is a file named “arinze963004.exe” running in the user’s AppData\Roaming folder. It appears to be both the parent and child process. The process is associated with the AgentTesla malware, as indicated by the presence of the “AGENTTESLA” tag and the detection of AgentTesla using YARA rules.

Legitimate programs may read the computer name, environment values, and machine GUID from the registry for various purposes such as system configuration or user identification. They may also access Microsoft Outlook profiles for legitimate email operations. Additionally, legitimate programs may connect to SMTP ports for sending emails.

Malicious programs, like AgentTesla, can abuse these actions for malicious purposes. For example, they may steal personal data by accessing and exfiltrating files or by stealing credentials from web browsers. They may also read browser cookies to gather sensitive information. Additionally, they may read the settings of system certificates to bypass security measures or perform man-in-the-middle attacks. The presence of AgentTesla in this analysis suggests that the observed process is likely malicious.

Dissecting the process, we get the malware configuration:

```json
{
  "Protocol": "smtp",
  "Host": "cp5ua.hyperhost.ua",
  "Port": "587",
  "Username": "arinzelog@saonline.xyz",
  "Password": "  7213575aceACE@#$   "
}
```

A malware configuration refers to the set of instructions or parameters that dictate how the malware operates. These configurations can determine various aspects of the malware's behavior, including its communication methods, target information, exfiltration pathways, and more. The configuration is often stored in a structured format, such as JSON, XML, or a custom data structure, depending on the malware's design.

I also observed that the document could be linked to CVE-2017-11882 (the memory-corruption vulnerability in the Microsoft Office Equation Editor).

image

I was a bit curious whether there are other public submissions of the same exploit in the wild linked to AgentTesla, and indeed it's still being actively exploited.

image

I tracked the CVE on MalwareBazaar and found recent submissions.

image

In summary:

This is a phishing email spreading the AgentTesla malware. This malware primarily spreads through phishing emails. It has been observed in spear-phishing campaigns against multiple industries, including energy, logistics, finance, and government. It was first seen in the wild around 1 January 2014 and likely originates from Turkey. This confirms our earlier findings.

You can read more about it or track it here.

Module: Network Analysis

Linking the analysis above with the network traffic around that period, can you identify what really transpired?

The file can be downloaded here.

  • How long did it take to capture these packets? (25pts)

BSidesNBI{00:01:36}

  • What is the victim’s IP address? (25pts)

BSidesNBI{192.168.100.56}

  • An executable was downloaded from a remote server. What is its md5sum? (25pts)

BSidesNBI{d85ad0ba989beb96da04aae8d44add7f}

  • Can you provide the full URI used to download the executable? (25pts)

BSidesNBI{http://zang1.almashreaq.top/_errorpages/arinzezx.exe}

  • A DNS query was made to the domain above. Can you identify the IPv4 addresses included in the response? (25pts)

BSidesNBI{104.21.70.74_172.67.221.26}


Solution

To answer the first question, simply load the pcap in Wireshark, click on the Statistics tab and select Capture File Properties (Ctrl+Alt+Shift+C).

image

image

Moving on, we can also investigate the IPv4 addresses captured in this traffic. This way, we might identify the victim's address. Simply head to Statistics > Endpoints and click on the IPv4 tab.

image

image

Here we see most packets between 192.168.100.56 (a private IP) and 104.21.70.74 (a public IP). Going a step further, we can also get a glimpse of the protocols captured in this traffic. To do so, click on Statistics > Protocol Hierarchy.

image

HTTP …

gif

Filtering for HTTP traffic, we see the local IP identified earlier downloading an executable from the remote server (hxxp:[//]zang1.almashreaq.top/_errorpages/arinzezx.exe).

image

We can export the executable for further analysis by simply:

image

image

This is the same executable we saw in our analysis earlier.

image

Inspecting DNS queries to the said malicious domain, we see it resolving to two addresses.

image

We can go a step further and inspect the SMTP exfiltration attempt we found earlier. Network traffic consistent with SMTP communication was observed, matching the host cp5ua.hyperhost.ua on port 587. Given the context of the discovered malware configuration, it is highly probable that this SMTP communication represents data exfiltration from the compromised system.

image

image

After the server's "220 TLS go ahead" reply to STARTTLS, the subsequent lines (with seemingly random characters and periods) represent the beginning of the TLS handshake. This is a binary process where the client and server exchange information to securely encrypt their communication. The text you're seeing is a mix of ASCII representation and raw bytes of this binary data.

Within that garbled text, you can find some readable information about a certificate, such as mentions of “Greater Manchester”, “Salford”, “Sectigo Limited”, and “hyperhost.ua”. This suggests that the certificate was issued by “Sectigo Limited” for “hyperhost.ua”, and the organization is likely based in Salford, Greater Manchester.
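As an added example (not part of the original walkthrough), the first two Wireshark steps above, capture duration and IPv4 endpoints, done offline with a small pcap reader in plain Python over a constructed capture. The frames, timestamps and the "busiest private address" heuristic for picking the victim are assumptions; the addresses are the ones from the challenge.

```python
import struct
from collections import Counter
from ipaddress import ip_address

def ipv4_frame(src, dst, payload_len):
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + b"\x00" * payload_len  # zero payload: sample only

def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic pcap, Ethernet
    for ts, frame in records:
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def iter_records(data):
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def capture_duration(data):
    times = [t for t, _ in iter_records(data)]
    return round(max(times) - min(times), 6)  # Capture File Properties "Elapsed"

def ipv4_endpoints(data):
    counts = Counter()  # bytes per address, as in Statistics > Endpoints > IPv4
    for _, frame in iter_records(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        counts[str(ip_address(frame[26:30]))] += len(frame)  # source address
        counts[str(ip_address(frame[30:34]))] += len(frame)  # destination address
    return counts

def likely_victim(data):
    private = {ip: n for ip, n in ipv4_endpoints(data).items() if ip_address(ip).is_private}
    return max(private, key=private.get) if private else None  # busiest RFC 1918 host

# Constructed sample (not the challenge pcap): LAN host <-> public server over 96 s,
# plus one packet to the gateway.
SAMPLE_PCAP = build_pcap([
    (1000.0, ipv4_frame("192.168.100.56", "104.21.70.74", 40)),
    (1000.5, ipv4_frame("104.21.70.74", "192.168.100.56", 1400)),
    (1050.0, ipv4_frame("192.168.100.56", "192.168.100.1", 30)),
    (1096.0, ipv4_frame("104.21.70.74", "192.168.100.56", 200)),
])
```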

Generally, this was a very easy and fun challenge. I hope you got to learn a thing or two.

gif

Watch out for PART 2 of this blog post, where I'll be digging into the intricacies of the iOS Forensics challenge.

This post is licensed under CC BY 4.0 by the author.