Tags: forensics, free, medium


umasscybersec

Task: inspect a packet capture of a malware download and identify the downloaded virus from VirusTotal. Solution: extract HTTP objects, recover the Python decryption logic for the launcher, hash the decrypted binary, and pivot from that SHA256 to the exact VirusTotal family string.

$ ls tags/ techniques/

  • http_object_extraction
  • payload_decryption
  • hash_based_malware_identification
  • virustotal_pivoting

Click Here For Free Bricks — UMass Cybersecurity CTF

Description

Hey! A man was caught with malware on his PC in Lego City. Luckily, we were able to get a packet capture of his device during the download. Help Lego City Police figure out the source of this malicious download.

The flag for this challenge is the name of this virus on VirusTotal under the details tab with the format UMASS{[String]_[Sha256 Hash]}. For example, if your hash is 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, there will be a virus name under the details tab with a format similar to ForensicsChallenge_2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, where "ForensicsChallenge" is an arbitrary string.

English summary: the challenge provides a packet capture from a host downloading suspected malware. The goal is to recover the malicious payload, identify the correct sample on VirusTotal, and format the answer as UMASS{family_sha256}.

Summary

The main artifact inside the downloaded archive was thedamage.pcapng. HTTP reconnaissance showed that the infected host fetched several files from 156.234.52.16, including installer.py and launcher.

The important pivot was that installer.py did not merely download malware; it also contained the decryption routine for ./launcher. The launcher on the wire is therefore an encrypted blob, and hashing it as-is gives a digest VirusTotal has never seen. After decrypting the launcher and hashing the plaintext binary, the decrypted SHA256 matched the relevant VirusTotal sample, which exposed the exact string TheZoo_e7a09064fc40dd4e5dd2e14aa8dad89b328ef1b1fdb3288e4ef04b0bd497ccae.

Reconnaissance

After downloading and extracting the ZIP, the key artifact was thedamage.pcapng.

Useful initial commands:

file thedamage.pcapng
capinfos thedamage.pcapng
tshark -r thedamage.pcapng -Y "http.request" -T fields -e frame.number -e ip.src -e http.host -e http.request.method -e http.request.uri

The HTTP request list showed a single suspicious download server at 156.234.52.16 serving these paths:

  • /fungame.jpg
  • /cooldog.jpeg
  • /installer.py
  • /literallyme.jpeg
  • /launcher

That identified 156.234.52.16 as the malware download source the challenge asks for.
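The two steps the writeup leans on, pulling HTTP objects out of the capture and then checking a recovered file's SHA256 against a VirusTotal detail name of the form family_sha256, can be reproduced offline. The following is an added example (not the writeup's own code, and not the challenge's actual capture or decryption routine): it builds a small constructed pcap with a decoy image and a "launcher" blob served from the IP named above, reassembles the TCP streams, extracts each GET's response body by Content-Length, and verifies the family_sha256 pivot. The client address, ports and file contents are assumptions; the classic libpcap format is used rather than pcapng to keep the parser short.

```python
import hashlib
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian libpcap, microsecond timestamps
CLIENT, SERVER = "10.0.0.5", "156.234.52.16"  # client IP is assumed; server IP is from the writeup


def _ipv4(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums stay zero: fine for an
    offline parsing demo, not for transmission."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture():
    """Constructed traffic: a decoy JPEG and a fake launcher, one TCP flow each."""
    files = {"/cooldog.jpeg": b"\xff\xd8\xff\xe0decoy-image-bytes",
             "/launcher": b"\x7fELF-constructed-launcher-bytes"}
    frames = []
    for i, (uri, body) in enumerate(files.items()):
        sport = 40000 + i
        req = f"GET {uri} HTTP/1.1\r\nHost: {SERVER}\r\n\r\n".encode()
        resp = f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body
        frames.append(build_frame(CLIENT, SERVER, sport, 80, 1, req))
        frames.append(build_frame(SERVER, CLIENT, 80, sport, 1, resp))
    return build_pcap(frames), files


def extract_http_objects(pcap):
    """Reassemble TCP payloads per flow and return {URI: body} for each GET
    answered with a Content-Length header (what tshark --export-objects gives you)."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    flows = defaultdict(dict)  # (src, sport, dst, dport) -> {seq: payload}
    off = 24
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        frame, off = pcap[off:off + caplen], off + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flows[(src, sport, dst, dport)][seq] = payload  # keyed by seq: retransmits collapse
    streams = {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}
    objects = {}
    for (src, sport, dst, dport), req in streams.items():
        resp = streams.get((dst, dport, src, sport))
        if resp is None:
            continue
        uris = [l.split(b" ")[1].decode() for l in req.split(b"\r\n") if l.startswith(b"GET ")]
        for uri in uris:  # responses come back in request order on one connection
            head, sep, resp = resp.partition(b"\r\n\r\n")
            if not sep:
                break
            length = next((int(h.split(b":", 1)[1]) for h in head.split(b"\r\n")
                           if h.lower().startswith(b"content-length:")), None)
            if length is None:
                break  # chunked/unknown length is out of scope for this demo
            objects[uri], resp = resp[:length], resp[length:]
    return objects


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def virustotal_name_matches(vt_name, data):
    """The challenge's detail-tab name is <family>_<sha256>. Pivot by comparing the
    suffix with the hash of the recovered (for the real launcher: decrypted) file."""
    family, _, digest = vt_name.rpartition("_")
    return digest == sha256_hex(data), family


def build_flag(family, data):
    return f"UMASS{{{family}_{sha256_hex(data)}}}"


if __name__ == "__main__":
    pcap, _ = sample_capture()
    objs = extract_http_objects(pcap)
    for uri, body in objs.items():
        print(uri, len(body), sha256_hex(body))
```

Two things the demo makes concrete: the hash you submit must be of the object you actually recovered (for the real challenge, the decrypted launcher, not the bytes on the wire), and the family string should be read from the VirusTotal name rather than guessed, since `rpartition("_")` keeps any underscores inside the family name intact.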

Extraction

Next, export the HTTP objects and inspect what was actually transferred:

...
