THM-Warzone2

Hello everyone! This challenge on TryHackMe has a difficulty rating of "medium"; I feel it was rated right where it needs to be. Depending on your skillset and what you've worked on, you may find this challenge a bit easy or a bit difficult.

You're currently working as a T1 Security Analyst for an MSSP. You've been assigned a case in which alerts were triggered for "Misc activity", "A Network Trojan Was Detected" and "Potential Corporate Privacy Violation".
Just a small bit of background: alerts like these would most likely come from an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS), but that is not the case here. You need to determine whether the alerts received are a True Positive or a False Positive.

To do this challenge you'll want to spawn the machine attached to the room, as it has the tools you'll need and the PCAP file needed for the analysis.
Once you've spawned the machine you'll see a directory on the desktop of your Ubuntu machine labeled "Tools" as well as a Zone2.pcap file. If you click on the "THM" logo in the top right corner of the spawned machine, you can start Wireshark by going into "All Applications" and scrolling until you see Wireshark. Once it opens, click on "File > Open" and browse to the pcap file on the desktop.
I personally just used Wireshark to see if I could find anything suspicious on my own without using Brim or Network Miner, and well, I did. I came across an IP address from which a file was downloaded that looked a bit suspect. If we right click on that particular packet (number 6) and choose Follow > HTTP stream, a new window opens where we can follow each packet that is tied to this conversation.


So let's jump into some of these questions. To find the answer to the first two questions below I used BRIM, a tool I had never used before, and quite honestly I may have to put it into use at work! You can launch BRIM from the terminal if you'd like, or you can find it under "All Applications". Once you start up BRIM you'll want to drag in or open the pcap file that is on the machine's desktop.
To get the first question in BRIM we will use the IP address we found in Wireshark from packet 6; if you search for that IP address, some alerts will populate. To analyze these alerts, double click on each one. This opens a pop-out window with information on the packet.

  • Q1. What was the alert signature for A Network Trojan was Detected?
  • Ans: ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2

  • Q2. What was the alert signature for Potential Corporate Privacy Violation?
  • Ans: ET POLICY PE EXE or DLL Windows file download HTTP

  • For the questions that follow, the answers need to be in a "defanged" format. This can be done with CyberChef: search for "defang" and you will be presented with 2 operations, one for URLs and the other for IP addresses.
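As an added example (not from the write-up and not CyberChef's code), here is the same defanging in Python, plus the ordering rules the later questions impose: domains in alphabetical order, IP addresses in numerical order. The comma-separated, no-spaces answer format is taken from the question prompts; restricting the IP check to IPv4 is my own assumption.

```python
import ipaddress
import re


def defang_ip(ip):
    """Defang an IPv4 address the way CyberChef's 'Defang IP Addresses' does."""
    ipaddress.IPv4Address(ip)   # raises ValueError on a typo, so a bad address never becomes an answer
    return ip.replace(".", "[.]")


def defang_domain(name):
    """Defang a hostname or a scheme-less URI such as the one asked for in Q4."""
    return name.replace(".", "[.]")


def defang_url(url):
    """Mirror CyberChef's 'Defang URL': http -> hxxp, :// -> [://], every dot -> [.]."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")


def refang(text):
    """Undo either defanging so an indicator can be pasted into a lookup tool again."""
    return text.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def answer_domains(domains):
    """Q7/Q9 format: unique, alphabetical, defanged, comma separated (sort before defanging)."""
    return ",".join(defang_domain(d) for d in sorted(set(domains)))


def answer_ips(ips):
    """Q8 format: numerical order means by address value, not by string, so 64.x sorts before 142.x."""
    ordered = sorted(set(ips), key=lambda ip: int(ipaddress.IPv4Address(ip)))
    return ",".join(defang_ip(ip) for ip in ordered)
```

Sorting on the raw strings before defanging matters: `[.]` sorts differently from `.`, so two domains sharing a prefix could otherwise swap places. Sorting IPs by `int(IPv4Address(...))` is what turns "numerical order" into the octet-wise order the Q8 answer expects, where a plain string sort would put 142.x first.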

  • Q3. What was the IP to trigger either alert? Enter your answer in a defanged format.
  • Ans: 185[.]118[.]164[.]8
  • You will need both parts (host and path) from one of the HTTP alerts to get the next answer.
  • Q4. Provide the full URI for the malicious downloaded file. In your answer, defang the URI.
  • Ans: awh93dhkylps5ulnq-be[.]com/czwih/fxla[.]php?l=gap1[.]cab

  • To get the following answer you'll need the hash of the downloaded file and then look it up on VirusTotal. You can accomplish this in one of two ways. The easiest is to find the file's entry (with its hash) in the log. The other is to extract the file from the pcap using Wireshark and then run sha1sum <filename> in the terminal.
  • Q5. What is the name of the payload within the cab file?
  • Ans: draw.dll
  • The answer below can be found on the same screen you used to answer question 4.
  • Q6. What is the user-agent associated with this network traffic?
  • Ans: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)
  • I won't lie on the question below: this one I kind of played around with using the VirusTotal website and counting out the asterisks while knowing that I needed to submit a defanged answer. But you can also find this information in BRIM by looking at the Unique DNS Queries. However, if you don't want to guess, you can run a search query:
    method=="GET" | cut ip, host, status_code
    This gives you an output of multiple hosts; you can take your answers from that list and check their reputations on VirusTotal.
  • Q7. What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)
  • Ans: a-zcorner[.]com,knockoutlights[.]com
  • For the IP addresses flagged as "Not Suspicious Traffic", I used the Suricata alerts by Source & Destination and then looked for source IPs corresponding to the "Not Suspicious Traffic" alert.
  • Q8. There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)
  • Ans: 64[.]225[.]65[.]166,142[.]93[.]211[.]176
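The Q4 to Q7 steps above (reading host, URI and User-Agent out of the followed HTTP stream, hashing the carved file for VirusTotal, naming the payload inside the cab, and tabulating GET requests the way the Brim query does) are worked through in the following added example. It is not code from the write-up, Wireshark or Brim. The stream contents are constructed, modelled on the values reported above; 203.0.113.5 is a documentation-range placeholder; the cabinet is a minimal uncompressed stand-in built in the same script, and the header offsets follow the Microsoft cabinet (CFHEADER/CFFOLDER/CFFILE) layout.

```python
import hashlib
import struct


def _split_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_exchange(client_ip, server_ip, request, response):
    """Turn one request/response pair (what 'Follow > HTTP stream' shows) into a record."""
    req_line, req_h, _ = _split_http(request)
    method, target, _ = req_line.split(" ", 2)
    status_line, resp_h, body = _split_http(response)
    if "content-length" in resp_h:
        body = body[: int(resp_h["content-length"])]
    return {
        "ip": server_ip, "client": client_ip, "method": method,
        "host": req_h.get("host", ""),
        "uri": req_h.get("host", "") + target,          # host + path, the form Q4 asks for
        "user_agent": req_h.get("user-agent", ""),       # Q6
        "status_code": int(status_line.split(" ")[1]),
        "body": body,
    }


def get_table(exchanges):
    """Same rows as the Brim query  method=="GET" | cut ip, host, status_code  (Q7 lead)."""
    return [(e["ip"], e["host"], e["status_code"]) for e in exchanges if e["method"] == "GET"]


def file_hashes(data):
    """What sha1sum prints for the extracted file, plus SHA-256, for the VirusTotal search box."""
    return {"sha1": hashlib.sha1(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def cab_file_names(data):
    """List (name, size) of the files a Microsoft cabinet contains by walking CFHEADER -> CFFILE.
    Only the directory is read; nothing is decompressed or written to disk."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    (coff_files,) = struct.unpack_from("<I", data, 16)   # offset of the first CFFILE entry
    (c_files,) = struct.unpack_from("<H", data, 28)      # number of CFFILE entries
    names, off = [], coff_files
    for _ in range(c_files):
        (cb_file,) = struct.unpack_from("<I", data, off)
        off += 16   # cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = data.index(b"\x00", off)                   # szName is NUL terminated
        names.append((data[off:end].decode("latin-1"), cb_file))
        off = end + 1
    return names


def build_sample_cab(name=b"draw.dll", payload=b"MZ" + b"\x00" * 14):
    """Constructed, uncompressed one-file cabinet standing in for gap1.cab (not the real file)."""
    cffile = struct.pack("<IIHHHH", len(payload), 0, 0, 0, 0, 0x20) + name + b"\x00"
    cffolder = struct.pack("<IHH", 36 + 8 + len(cffile), 1, 0)   # CFDATA starts after CFFILE
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    total = 36 + len(cffolder) + len(cffile) + len(cfdata)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, total, 0, 36 + len(cffolder), 0,
                                   3, 1, 1, 1, 0, 0x1234, 0)
    return header + cffolder + cffile + cfdata


UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
CAB = build_sample_cab()

# Constructed streams modelled on the values the write-up reports (IP, host, URI, User-Agent).
# 203.0.113.5 is a documentation-range placeholder, not an address taken from the capture.
SAMPLE_STREAMS = [
    ("10.0.0.15", "185.118.164.8",
     b"GET /czwih/fxla.php?l=gap1.cab HTTP/1.1\r\nHost: awh93dhkylps5ulnq-be.com\r\n"
     b"User-Agent: " + UA.encode() + b"\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: "
     + str(len(CAB)).encode() + b"\r\n\r\n" + CAB),
    ("10.0.0.15", "203.0.113.5",
     b"GET /index.php HTTP/1.1\r\nHost: a-zcorner.com\r\nUser-Agent: " + UA.encode() + b"\r\n\r\n",
     b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
]
EXCHANGES = [parse_exchange(*s) for s in SAMPLE_STREAMS]


def triage():
    """Collect what Q4-Q7 ask for from the parsed exchanges."""
    download = next(e for e in EXCHANGES if e["uri"].endswith(".cab"))
    return {"uri": download["uri"], "user_agent": download["user_agent"],
            "hashes": file_hashes(download["body"]),
            "cab_entries": cab_file_names(download["body"]),
            "get_table": get_table(EXCHANGES)}
```

Listing the cabinet directory locally answers Q5 without running or extracting anything from the sample, and the hashes are what you would submit to VirusTotal instead of the file itself; on the real capture you would feed `parse_exchange` the bytes Wireshark shows in the followed stream (or the file it exports) rather than the constructed ones here.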

  • We need to find the domains associated with the first IP; for this I ran a simple query in BRIM (replace the placeholder with the IP address from Q8):
    <IP address> | cut query

    You'll find that this filters down to the DNS queries related to that IP address; you can then take the domains and check their reputation on VirusTotal.
  • Q9. For the first IP address flagged as Not Suspicious Traffic. According to VirusTotal, there are several domains associated with this one IP address that was flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? Enter your answer in alphabetical order, in a defanged format. (format: domain[.]zzz,domain[.]zzz,etc)
  • Ans: safebanktest[.]top, tocsicambar[.]xyz, ulcertification[.]xyz

  • Run the same query again from Q9, only using the other IP address you found in Q8, and check the domain's reputation on VirusTotal.
  • Q10. Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. (format: domain[.]zzz)
  • Ans: 2partscow[.]top

  • I want to apologize for the length of this write-up; this challenge was a long one to work on. But it was a good one! Thank you to ujohn for creating this challenge.
    Happy Hacking everyone!