Thanks to drome for sharing his knowledge and skills! He completed all 10 challenges, and this series of writeups is by him :)
| Details | Links |
|---|---|
| Official Challenge Site | https://flare-on.com/ |
| Official Challenge Announcement | https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html |
| Official Solutions | https://www.mandiant.com/resources/flare-on-8-challenge-solutions |
| Official Challenge Binaries | http://flare-on.com/files/Flare-On8_Challenges.zip |
06_PetTheKitty
Hello,
Recently we experienced an attack against our super secure MEOW-5000 network. Forensic analysis discovered evidence of the files PurrMachine.exe and PetTheKitty.jpg; however, these files were ultimately unrecoverable. We suspect PurrMachine.exe to be a downloader and do not know what role PetTheKitty.jpg plays (likely a second-stage payload). Our incident responders were able to recover malicious traffic from the infected machine. Please analyze the PCAP file and extract additional artifacts.
Looking forward to your analysis, ~Meow
7zip password: flare
We are given a PCAP file in this challenge. If we follow the first TCP stream, we can see clear signs of a structured protocol, with ME0W present at the start of every message.
From observation, each message has the following format:
(DWORD) 'ME0W'
(DWORD) Length of message
(DWORD) Length of message (duplicate)
(Variable length) message
In stream 0, we have 2 messages, one being a PNG file and the other being a file with the signature PA30.
The PNG file isn't very useful, just a picture of a cat, so we take a look at the other file. Searching for PA30, we learn that it is the magic of Microsoft's Intra-Package Delta (MSDelta) format, which Windows Update also uses for patches.
This post (which we found from this GitHub issue leading to another GitHub issue) was particularly useful; its author wrote a challenge for another CTF based on this format, so we could use the challenge solution on GitHub. We tried to run it as it was initially, but it gave us some error, so we had to rewrite it.
This write-up was for the same challenge and similar, but it didn't use ctypes and we ultimately didn't use it.
Applying the PA30 delta to the PNG file (as the source buffer), we get a PE file.
Analysis
The PE file is a 32-bit DLL with a single exported function, Le_Meow.
Le_Meow connects to xn--zn8hrcq4eeadihijjk.flare-on.com:1337, then creates a thread at sub_10001CA3 which does some irrelevant UI stuff, and then continues on to call sub_100015D4.
sub_100015D4 creates a cmd.exe process, then enters a command loop: it reads the output of cmd.exe and passes it to a helper which XORs it with meoow, then diffs the result against Src (probably a buffer of null bytes) using sub_10001000, a wrapper around CreateDeltaB, and sends the resulting delta to the server in the following format:
(DWORD) 'ME0W'
(DWORD) Length of original message
(DWORD) Length of the PA30 delta
(Variable length) PA30 Delta
Afterwards, sub_100015D4 calls sub_1000128A, which does the reverse: it receives a delta from the server in the same format and parses it the same way. So we can write a script to parse all the messages and see what commands were sent back and forth.
These are the messages we see in stream 1, where PA30 files go back and forth between the client and the server.
Script
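The original script did not survive on this page. What follows is an added example, not drome's script: it splits a reassembled TCP stream into ME0W frames (the stream 0 layout, where both DWORDs are the message length, and the stream 1 layout, where the second DWORD is the original length and the third is the PA30 delta length), applies the meoow XOR, and, on Windows only, applies a PA30 delta with msdelta!ApplyDeltaB through ctypes. The sample stream is constructed and its "PA30" payload is not a real delta; the DLL name, the DELTA_INPUT/DELTA_OUTPUT layouts (taken from Microsoft's MSDelta documentation) and the assumption that the client's Src buffer is original_len null bytes are assumptions, and the delta path is not exercised outside Windows.

```python
import ctypes
import struct
import sys
from typing import NamedTuple

MAGIC = b"ME0W"
XOR_KEY = b"meoow"               # repeating XOR key observed in the DLL
HEADER = struct.Struct("<4sII")  # 'ME0W', DWORD, DWORD (little-endian)


class Frame(NamedTuple):
    original_len: int   # 2nd DWORD: plain length (stream 0) / pre-delta length (stream 1)
    payload_len: int    # 3rd DWORD: number of payload bytes that follow
    payload: bytes


def parse_frames(data: bytes) -> list[Frame]:
    """Split a reassembled TCP stream into ME0W frames; truncation raises ValueError."""
    frames = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, a, b = HEADER.unpack_from(data, off)
        if magic != MAGIC:
            raise ValueError(f"bad magic {magic!r} at offset {off:#x}")
        body = data[off + HEADER.size:off + HEADER.size + b]
        if len(body) != b:
            raise ValueError(f"truncated payload at offset {off:#x}: want {b}, have {len(body)}")
        frames.append(Frame(a, b, body))
        off += HEADER.size + b
    return frames


def parses_cleanly(data: bytes) -> bool:
    """True when the stream is a whole number of well-formed frames."""
    try:
        parse_frames(data)
        return True
    except ValueError:
        return False


def build_frame(original_len: int, payload: bytes) -> bytes:
    """Encode one frame; used here only to construct sample traffic."""
    return HEADER.pack(MAGIC, original_len, len(payload)) + payload


def is_pa30(buf: bytes) -> bool:
    return buf.startswith(b"PA30")


def xor_meoow(buf: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR as in the DLL; symmetric, so it both encodes and decodes."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(buf))


# Struct layouts per Microsoft's MSDelta docs (assumption: not verified on this page).
class DeltaInput(ctypes.Structure):
    _fields_ = [("lpStart", ctypes.c_void_p), ("uSize", ctypes.c_size_t), ("Editable", ctypes.c_int)]


class DeltaOutput(ctypes.Structure):
    _fields_ = [("lpStart", ctypes.c_void_p), ("uSize", ctypes.c_size_t)]


def apply_delta(delta: bytes, source: bytes) -> bytes:
    """Rebuild the target from a PA30 delta via ApplyDeltaB. Windows only (msdelta.dll)."""
    if sys.platform != "win32":
        raise RuntimeError("ApplyDeltaB needs msdelta.dll, which only exists on Windows")
    msdelta = ctypes.WinDLL("msdelta")
    msdelta.ApplyDeltaB.argtypes = [ctypes.c_int64, DeltaInput, DeltaInput, ctypes.POINTER(DeltaOutput)]
    msdelta.ApplyDeltaB.restype = ctypes.c_int
    msdelta.DeltaFree.argtypes = [ctypes.c_void_p]
    src_buf = ctypes.create_string_buffer(source)   # keep both buffers alive across the call
    dlt_buf = ctypes.create_string_buffer(delta)
    src = DeltaInput(ctypes.addressof(src_buf), len(source), 0)
    dlt = DeltaInput(ctypes.addressof(dlt_buf), len(delta), 0)
    out = DeltaOutput()
    if not msdelta.ApplyDeltaB(0, src, dlt, ctypes.byref(out)):   # 0 == DELTA_FLAG_NONE
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.lpStart, out.uSize)
    finally:
        msdelta.DeltaFree(out.lpStart)


def decode_stream1_frame(frame: Frame) -> bytes:
    """Stream 1: apply the delta to a null Src buffer, then undo the meoow XOR (Windows only).
    Assumption: Src is original_len null bytes."""
    return xor_meoow(apply_delta(frame.payload, b"\x00" * frame.original_len))


def sample_stream() -> bytes:
    """Constructed sample: one stream 0 style frame, one stream 1 style frame with a fake PA30 body."""
    return build_frame(5, b"hello") + build_frame(7, b"PA30\x01\x02")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_stream()
    for i, f in enumerate(parse_frames(data)):
        kind = "PA30 delta" if is_pa30(f.payload) else "raw"
        print(f"frame {i}: original_len={f.original_len} payload_len={f.payload_len} {kind}")
```

Feed it the raw bytes of a followed TCP stream (exported from Wireshark as raw) to list the frames; on Windows, decode_stream1_frame recovers the XORed command output from each client frame.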
The output of the script lists all the commands sent by the server and the responses from the client, and scrolling through we find this important response from the client:
Flag
1m_H3rE_Liv3_1m_n0t_a_C4t@flare-on.com