BAD RANSOMWARE - HackTheBox Business CTF

Captions
What's going on, everybody? Welcome back to another YouTube video showcasing more of the Hack The Box Business CTF. In this video we're gonna hop into the forensics category. I'm super excited to be hanging out in here; there are a lot of really fun challenges in this one that I felt were, I don't know, kind of pertinent to stuff that I tend to do, right? I showcase some cheeky analysis and de-obfuscation things over on my YouTube channel here. So let's dive into the Bad Ransomware challenge. It was super fun, rated easy difficulty, but still kind of neat.

You have a challenge information box here. It says: "A wave of phishing emails came in today that seems to be executing some kind of bad ransomware. The triage team said they created encrypted copies of all the files in your Downloads folder, but forgot to delete the originals. Oops. Anyway, see if you can take a closer look and find the flag." So we have a downloadable part here that I'll go ahead and download, and we will open up a terminal and start to work.

I'll move into the Hack The Box Business CTF directory that I've created, the forensics directory, and the bad ransomware directory. I'll go ahead and make a new directory for us called youtube, because that's what we're working out of, and let's move that downloadable file in there; that was that Bad Ransomware in the forensics category. So now that that is in this current directory, I can go ahead and unzip it, as soon as I type in the proper file name. There we go, and we have this bad ransomware.docm. As you can tell, the .doc suffix and that file extension indicates, okay, this is going to end up being a Microsoft Word document. The m at the trailing end there means macro-enabled, or typically we can use and we'll use macros. So this is a Microsoft Word 2007 and up Office document. That m is interesting, because that clues us in there may very well be macros present.

So I'll use a tool, olevba, which I could use to kind of examine macros present in this document without even opening it up in Microsoft Word or even detonating that malware. So I'll pass in that bad ransomware.docm file, and we can see that it already found some kind of shady, spooky stuff. We can see that there is an AutoExec call, or AutoOpen really, that will run and execute code when the document is opened and you were to click on Enable Editing and Enable Content, stuff like that. It will run the Shell command at some point, where it can run an executable file or a system command. It might even call a DLL using Excel macros, might run code from that DLL, or try to obfuscate specific strings with characters. We could de-obfuscate; let's try and de-obfuscate things. I wonder if that will even work for us; I've never tried that. Can you run --deobf? Fingers crossed. Maybe that got something. Here, above this little synopsis and debrief down at the very, very bottom, we can see the full code that is kind of churned out here for us, and they use the ChrW as present.

Let's try to grab this entire thing and work with it. I'll create a new file for us; we'll call this macro.vba, I suppose, since it will be a Visual Basic Application that's ending up running here. And this Private Declare Sub is actually going to end up loading in a function call from a specific Win32 API, like the library kernel32.dll; we're grabbing the Sleep function. Now, interestingly enough, the Sleep call is repeatedly called with Sleep 0, which does nothing and isn't really all that useful for us. And some of you might notice, hey, this parallels really, really well to the very first "malware analysis" video, quote unquote, that I showcased on my channel, where we saw WScript.Sleep and a lot of other strange, shady stuff like this, and tangent functions. I think that became a good meme, and that, man, all these tangent functions and math going on, but all of these are being set to variables that are then never used.

So first of all, let's start to kind of work with this. Let's take out the Sleep; remove all these. I'll replace any line that starts with a newline character and remove it. I'm using regular expressions to note the caret, meaning the start of a line; remove all of those. And now we have a bunch of this stuff. We can see these variables that are declared and defined with Dim here, to denote, hey, creating a variable. But these variables, random number 219, 213, 216, etc., are then used with a math operation to set something with a tangent function. If you'll notice, I'll search for this variable name, and these are the only occurrences. So again, this is just making noise and running code for the sake of having code execute, calculating tangent functions, but it's not useful or really doing anything, or used anywhere else in the code. So we can go ahead and nerf some of those out. I see a good many of them, and again this parallels pretty well to that video that I had showcased previously in the past. I'll remove all these tangent function calls; we see this over and over again. We do see a for loop start to take shape in here as we're cutting through some of this, and some other variables that are called... oh yeah, yeah, that's already defined, but maybe indexing things out of this. Removing tangent function calls, removing tangent function calls. Thankfully there's not a lot. In that malware analysis video that I showcased there were a ton, and that became a little bit of a painful mess here, but we can just kind of hand-jam, crank these out, nice and easy, not too many. Eventually we get down to that spooky Shell call where we are going to end up executing code and running commands here, but the rest of this is not necessary.

So now we have a much shorter script and thing to work with here. Obviously, on the very, very bottom, you can start to see PowerShell as a string starting to be built out, kind of in a reverse manner, where we keep appending or prepending onto a variable that's being defined here. So that's cleaned up a bit, but we can see what this does, and that it takes values from some shapes in the document.

Now, if you're on Linux and you're working in LibreOffice, you can still kind of check out what that shape might be by opening it and checking what the alternative text is. We can do that super easy; in fact, I'll go ahead and do that now. Let me open up a file browser to access this. And I'm not all that scared; I'm in a virtual machine, it's not going to execute Visual Basic script here. So yeah, I know it contains macros, that's fine, that's fine. This is a nice cheeky, classic phishing lure, right, for emails like this or Microsoft Office's "hey, please click on Enable Editing, please click on Enable Content," so you could detonate and actually execute the malicious code here. If you were to right-click on one of these images, and I'm going to assume these are the shapes because there's not a whole lot else going on in this document, I could actually right-click and select Properties, and that will bring up this big, big window in here, the image that's displayed, the options in here. The Options tab actually displays the type and the name, sorry, of this object, and you can see this matches what we are already looking at in Sublime Text; that's the second alternative text here. So if we were to grab this alternative text only, we can see this big, long payload, massive at signs. So let's grab and replace for this specific object. And we also see this ActiveShapes plx ci trdd; that might be the other image, very, very lower down on the bottom. You can see kind of the arrows and focus edges surrounding this, the shape here. Again, let's check the properties; this is of course that ple p e l x object, and we can take that alternative text and slap it in here. With that, we can kind of put these together, because we know that's going to be one long string eventually.

And what this code does, as we've seen previously, even in that other video, is that we would take this at sign, kind of triple at signs here, and that's going to end up being used as a split operation, right? We have a UBound call, and am I actually indexing or splitting that? Did I nerf that out on accident? I might have. Let's grab all of this one last time and see, or I might just be missing it and not thinking. We should realistically have made that like an original, original.vba. Perfect. Did we have a Split? We did, and I totally killed the thing that was just before our for loop and UBound call. So let's get back in here; we could do this. There, we will split on this at sign as a delimiter, and that's my bad for accidentally nerfing that out; that's the danger in doing that manual thing. But then we get UBound, which is the upper bound, or the length, of that whole list that's kind of generated as we split on this, the array that's generated with all of these. We grab that, and then we try to take an iterator value, e in this case, set to just the very, very start. Does that actually reference anywhere else? Oh yeah, they define it as zero again just before it, then I again nerfed out; I'm an idiot. e starts at zero and then goes to that length. Now this is the variable that we've just split to act as a list or array, and we index it at that iterator. We then take the character, Chr, representation of that value, and we can start to concatenate them out into a new variable that will eventually be concatenated onto this powershell -e, which really is going to run that as a base64-encoded command. That's what that -e means: short for enc, short for encoded. And we could decode that base64 if we were to carve out all of this, and then it's going to be executed as a Shell command.

So with all of that said, let's go ahead and kind of recraft this, or recreate it, in Python. I'll make again a tinker.py script, and we can start a cheesy shebang line. We'll say that the data here can be a big, long string of all that. Oh, sublack, the Sublime Text Black plugin, is going to try and format this repeatedly, and it's going to have a hard time because that's so much data, so let's toggle that off. Let's go ahead and take that data and split it on that delimiter of three at signs, so we could say, I guess, like chunks. So for chunk in chunks, realistically this is gonna end up being a list comprehension; we could go ahead and print out the character representation of the chunk, right, and that takes an integer, so we want to cast that to an int, because it is going to be a number like 74 or 65 or 69 as we work through each of these, removing that at sign delimiter. There we go, now we have a lot of data here. We can go ahead and make that a list comprehension, as we suggested, because eventually we want to join this all together as a string with newlines. We know that this is going to end up being prefixed onto, or appended, sorry, onto this PowerShell syntax, where it looks like the beginning of some base64 is present there. So let's go ahead and actually add that in when we want to print all of this out. I totally failed; we need to add that, please. And this will act as our next payload. Realistically we could save this as, I guess, like stage2.ps1 or something. You'll notice that there was an x at the very, very end of that output there; I've gone ahead and opted to remove that, because the padding there is maybe not going to be in need for that. Let's try and decode this, or base64 decode this, slapping that all into my terminal, and I can pipe that into base64 -d. We'll redirect that into like stage3 or whatever, even though it's not exactly a stage three, depending on how you consider this stuff. But ooh, we've got some really, really good stuff here. Let's turn on word wrap so that we can see the whole chunk, and it's this goodness.

This is eventually all going to be passed into an IEX, or Invoke-Expression, right? Classic PowerShell, being able to run data sort of on the fly as it retrieves new information; it's essentially eval for PowerShell, right? So the thing about IEX is that it will execute this code, but we don't want it to do that. We also kind of would like to let PowerShell de-obfuscate all of this mess on its own, because it's joining together some strings as it splits things by another delimiter and then taking the character in integer representation, just as kind of we did in Python, but now doing that in PowerShell with another random delimiter. We could just sort of let PowerShell do that for us. I'm in Linux, but I do have PowerShell installed, that PowerShell Core cross-platform one. So if I were to try and slap that all in... in fact, I'm actually gonna probably save this as stage3 and then just run that as a script, so I don't paste in that entire chunk. That dies because something is not recognized as the name of a cmdlet. That's fine; it's not supposed to be, it should be a string, please. Well, will that play nicely? Let's do a Write-Host, maybe. All right, now will you behave? No, still not. This has the right parentheses being mapped in here. Ah, but it didn't. Oh no, that join should be closed. No, the join is necessary at the very, very end there; everything else is included. I don't know why that split is being a pain. We could realistically kind of cave and just throw this into a regular Windows VM to go ahead and run that in actual PowerShell. Yeah, we could just fire one up, and I will pause the video recording as this machine gets started here.

Okay, I have the Windows machine pulled up, and as much as I didn't want to originally, go ahead and just paste this all in; I guess I'm apparently going to still end up doing that. So we'll let that crank through; it should be a relatively short chunk, though. Goodness, that is missing a closing parenthesis. I don't know if I messed with some stuff. Oh yeah, I kind of had that missing; I started to try and tinker with this to see if I could make sure that I was doing it wrong. There we go. Okay, now that looks like kind of a mess but is still relatively readable. Let's take this thing and bring it back into Sublime Text, where I have a lot of oddball spaces. I have to think that's because of, like, the UTF-16 thing, and how I maybe decoded this wasn't the best way to do it. Let's try to remove all spaces; I feel like that's a dangerous, horrible move, but I guess we'll find out. Let's set this to PowerShell. Okay, it looks like we have relatively readable code here; let's call that stage4, I suppose.

And what this does is it tries to bring us into our Downloads directory, with maybe a variable here, LoadFile, invoking a disgusting format string. But part of me wonders if that would still work A-okay; we could try and determine what that is actually churning out here. It tries to write that to null, but I don't think I want to... will that fail? We need another parenthesis. Do we... are we missing a parenthesis, or do we have too many parentheses? What the heck is going on? Replace with parentheses. Yeah, we have way too many parentheses. Unexpected still; we have an unexpected token off of the web one, so let's close those up there. Do another; do we only need one? This uses two, but we realistically don't need two, because I had copied that wrong; that the new dot web thing uses two. And now we still have an extra at the very, very end, and an extra at the very, very end. Finally, my god, I'm truly sorry. This is what it would end up loading as the DLL; we can, I guess, leave that as a comment there. And then we use some... goodness gracious, removing all the spaces, and this probably made this more hellish than it needed to be, but it looks like it's going to do a ForEach-Object as part of the Get-ChildItem, just trying to make sense of the format string here. So we're looping through each object, or file, in that current directory. We get the FullName, dot ant 0 1 2, with the format string, so we receive the object's name, and we encrypt it, or even just change the extension at the very end. We take the stuff, being the Get-Content representation of that file, the FullName, and then we do a FromBase64 encode, or invoke all of this. drt as a variable, is that ever then used? No, it's invoked with the CreateEncryptor, and then we take the MemoryStream with Cryptography, again making just a slight mess out of the format strings being used here. And we could de-obfuscate this more if we needed to, but I just kind of want to make sense of this. And then we WriteAllBytes, so it's encrypting every single file that it finds in the Downloads directory with a .enc file extension. And this key, drt, looks to be an encryptor, but that's using some base64 in here, so maybe we could just determine what that value is. Let's run that in our PowerShell again, and we have these bytes here. Can we... what is the PowerShell "convert bytes"? Just... I'm not even typing. Google, okay: PowerShell convert bytes to string, please. There's got to be a nice, convenient thing to do this. Unicode GetBytes from the string; oh, they do it with ASCII as well. Let's try both. So, to prefix this, we need this, which adds another parenthesis, so we'll have to close that parenthesis. And that's our flag: Hack The Box, ransomware, cute. Very nice. That was very slick.

So I liked that challenge a lot, because it felt like a little bit of a homage to kind of an original video that I had released. I remember I had seen 0xdf had tweeted about, hey, this is a kind of a neat video. So I don't know if this challenge was his baby; I don't know if he made this one, but I enjoyed that, and props, thank you to you guys. Or it's just a straight-up malware sample, right, and regular phishing for staging and obfuscating that code in Visual Basic script. So, cool: tangent function de-obfuscation, more PowerShell work. Sorry for not fully de-obfuscating this thing, but you could just crank this in; obviously you could do some simple ones like removing the concatenated stuff; the format strings you kind of have to parse through and work through. But that's that. I hope you enjoyed, everybody. I hope I didn't drag on too long for this sort of thing, but I enjoyed that challenge, and the forensics category for the CTF was a lot of fun. Hope to do more with it and bring stuff like that in the future. So thanks so much for watching, everybody. If you enjoyed this video, please do those YouTube algorithm things: please like the video, please leave a comment, please subscribe, etc. You know it helps grow the channel. If you'd like to support me, there's a Patreon link and a PayPal link, if you're interested in those things, in the description. I am super duper thankful, and I really appreciate all your generous donations and support. Thanks so much, everybody. I love you. I'll see you in the next video.
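The decode loop the video rebuilds in tinker.py, plus the UTF-16LE step behind the "oddball spaces", as an added Python example that is not the video's own script; the inner script, the two shape texts and the helper names are constructed for the demo, not taken from the challenge document.

```python
#!/usr/bin/env python3
"""Rebuild and decode the staged payload format described above.

Stage 1: the macro concatenates the alternative text of two shapes, splits
on the "@@@" delimiter, Chr()s each decimal value, and prepends the
"powershell -e " prefix so the result is an encoded command.
Stage 2: "-e" takes base64 of UTF-16LE text, which is why decoding it as
plain bytes shows a "space" (really a NUL byte) between every character.

All sample data below is constructed for this demo.
"""
import base64
import re

DELIM = "@@@"


def encode_stage1(command: str) -> str:
    """Produce the '@@@'-delimited decimal form the macro consumes (demo input only)."""
    return DELIM.join(str(ord(ch)) for ch in command)


def decode_stage1(alt_text: str) -> str:
    """Mirror the macro's Split/UBound/Chr loop: one character per decimal chunk."""
    chunks = [c for c in alt_text.split(DELIM) if c.strip()]
    return "".join(chr(int(c)) for c in chunks)


def decode_encoded_command(stage1: str) -> str:
    """Pull the base64 after -e/-EncodedCommand and decode it as UTF-16LE.

    Trailing junk after the base64 (like the stray 'x' seen in the video)
    is ignored because only base64 characters are captured.
    """
    m = re.search(r"-e(?:ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", stage1, re.IGNORECASE)
    if not m:
        raise ValueError("no -e <base64> argument found")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # repair padding that was stripped
    raw = base64.b64decode(b64)
    # PowerShell -e is UTF-16LE: for ASCII text every odd byte is NUL.
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


# Constructed stage-3 script and the two shape texts that would carry it.
INNER_SCRIPT = "Write-Host 'demo stage three'"
B64 = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode()
STAGE1_COMMAND = "powershell -e " + B64
_FULL = encode_stage1(STAGE1_COMMAND)
SHAPE1_ALT, SHAPE2_ALT = _FULL[: len(_FULL) // 2], _FULL[len(_FULL) // 2:]

if __name__ == "__main__":
    stage1 = decode_stage1(SHAPE1_ALT + SHAPE2_ALT)
    print(stage1)
    print(decode_encoded_command(stage1))
```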
Info
Channel: John Hammond
Views: 50,633
Id: 2wg4H9RMk3E
Length: 22min 1sec (1321 seconds)
Published: Sun Aug 01 2021