Arson Writeup by Moustafa Ahmed


Arson

Arabic | English
Written By: Moustafa Ahmed Ismail AKA Volk
In the name of God, the Most Gracious, the Most Merciful

Introduction
The difficulty of this lab is Medium. The idea of the lab is to
analyze the Wireshark capture to extract the PowerShell script,
then analyze the PowerShell script in order to decrypt the data
that is being sent to the attacker.

How to solve the lab

First things first, download the Wireshark capture file (Arson.pcapng).


In the beginning, I started going through the packets and I
noticed several HTTP GET requests.

I assumed that the victim might have downloaded the PowerShell
script from an HTTP link, so I applied the http display filter.

And yes, he did! :)


So I followed the TCP stream to download the PowerShell script,
and I saved this TCP stream.
Now let's start analyzing this PowerShell script. The first thing I
noticed is that the script uses an encryption and decryption
mechanism, AES in CBC mode, and it encodes almost everything
(the key, the IV, and the data retrieved from the victim after
encrypting it). The rest of the PowerShell script is just a normal
shell; the new and unusual thing is that the data is transferred to
the attacker over HTTP.

This means that we should be able to see the data sent to the
attacker in Wireshark.
I followed the TCP stream of the POST request (marked in yellow
in the image) and I did see the data sent to the attacker, but it
is encrypted.

There is more than one way to decrypt this data:

1- Use websites (a URL-decode website, then an AES-decryption
website).
2- Write a script that decrypts this data, using Python or any
other language.
3- Use the attacker's own PowerShell script to decrypt the data,
since the script also contains a decryption function.

So I used the third way to decrypt the data.


First, I cleaned up the PowerShell script so that only the decrypt
function is used:

function Create-AesManagedObject($key, $IV) {
    # AES-256 in CBC mode with zero padding (matches the Trim([char]0) in Decrypt-String)
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    # The key and IV may be passed either as Base64 strings or as raw byte arrays
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }
        else {
            $aesManaged.IV = $IV
        }
    }
    if ($key) {
        if ($key.getType().Name -eq "String") {
            $aesManaged.Key = [System.Convert]::FromBase64String($key)
        }
        else {
            $aesManaged.Key = $key
        }
    }
    $aesManaged
}

function Decrypt-String($key, $encryptedStringWithIV) {
    # The Base64 payload is the 16-byte IV followed by the ciphertext
    $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
    $IV = $bytes[0..15]
    $aesManaged = Create-AesManagedObject $key $IV
    $decryptor = $aesManaged.CreateDecryptor();
    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
    $aesManaged.Dispose()
    # Strip the zero padding before returning the plaintext
    [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
}

# Settings kept from the attacker's script; only $key is needed for decryption
$key = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="
$ip = "192.168.1.11"
$port = "7788"
$implant_name = "razer"
$sleep_time = 5

# The encrypted string you provided (the URL-decoded POST body)
$encryptedString = "Your-Encrypted-Data-After-URL-Decoding-It"

# Decrypt the string
$decryptedString = Decrypt-String $key $encryptedString

# Output the decrypted string
$decryptedString
You can use the above PowerShell code if you want to decrypt
any data retrieved by the attacker: just replace
$encryptedString = "Your-Encrypted-Data-After-URL-Decoding-It"
with your encrypted data and then run the script.
Note: Remember to URL-decode the data first. You can use any
website that does URL decoding; I used urldecoder.io.
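Option 2 from the list above (a script in another language) avoids running the attacker's own code and also removes the two website steps. The following Python is an added example, not code from the writeup: it URL-decodes the POST body, Base64-decodes it, splits off the 16-byte IV, decrypts with AES-256-CBC under the writeup's key and strips the zero padding, mirroring what Decrypt-String does. The key and the POST body are the ones quoted in the writeup; the small AES implementation is included only so that the script needs nothing outside the standard library (with pycryptodome installed, AES.new(key, AES.MODE_CBC, iv).decrypt(ct) does the same job).

```python
"""Decrypt an exfiltrated POST body from the Arson capture without the attacker's script."""
import base64
from urllib.parse import unquote

# Values taken from the writeup: the implant's Base64 key and one URL-encoded POST body.
KEY_B64 = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="
POST_BODY = "IN3DZMA9y5D0q5y4Pe3Uv%2FVE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae%2Fmpy4CW"


# --- Minimal AES (FIPS-197) decryption, standard library only ------------------
def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _mul(a, b):
    """General GF(2^8) multiplication."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


# S-box = multiplicative inverse followed by the affine map; inverse S-box by lookup.
_SBOX = []
for _a in range(256):
    _inv = next((b for b in range(256) if _mul(_a, b) == 1), 0)
    _SBOX.append(_inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2) ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63)
_INV_SBOX = [_SBOX.index(i) for i in range(256)]


def _expand_key(key):
    """Key schedule: returns Nr+1 round keys of 16 bytes (Nr = 14 for a 32-byte key)."""
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:  # RotWord, SubWord, Rcon
            t = [_SBOX[t[1]] ^ rcon, _SBOX[t[2]], _SBOX[t[3]], _SBOX[t[0]]]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:  # extra SubWord step specific to AES-256
            t = [_SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]


def _inv_shift_rows(s):
    # State is column-major: byte r of column c sits at s[r + 4*c]
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_mul(a0, 14) ^ _mul(a1, 11) ^ _mul(a2, 13) ^ _mul(a3, 9),
                _mul(a0, 9) ^ _mul(a1, 14) ^ _mul(a2, 11) ^ _mul(a3, 13),
                _mul(a0, 13) ^ _mul(a1, 9) ^ _mul(a2, 14) ^ _mul(a3, 11),
                _mul(a0, 11) ^ _mul(a1, 13) ^ _mul(a2, 9) ^ _mul(a3, 14)]
    return out


def _decrypt_block(round_keys, block):
    s = [b ^ k for b, k in zip(block, round_keys[-1])]
    for rnd in range(len(round_keys) - 2, 0, -1):
        s = [_INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [_INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes_cbc_decrypt(key, iv, ciphertext):
    """CBC chaining over the raw block cipher; padding is not removed here."""
    round_keys = _expand_key(key)
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(p ^ q for p, q in zip(_decrypt_block(round_keys, block), prev))
        prev = block
    return bytes(out)


# --- The implant's payload format: URL-encoded Base64 of IV || ciphertext ------
def split_payload(post_body):
    """Return (iv, ciphertext) from one captured POST body, validating the layout."""
    # unquote, not unquote_plus: '+' is a Base64 digit here, not an encoded space
    raw = base64.b64decode(unquote(post_body))
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError("expected a 16-byte IV plus a whole number of AES blocks")
    return raw[:16], raw[16:]


def decrypt_exfil(key_b64, post_body):
    iv, ct = split_payload(post_body)
    plain = aes_cbc_decrypt(base64.b64decode(key_b64), iv, ct)
    # PaddingMode.Zeros in the implant: strip trailing NULs, like Trim([char]0)
    return plain.rstrip(b"\x00").decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(decrypt_exfil(KEY_B64, POST_BODY))
```

Two details matter when reproducing this on other POST bodies from the capture: use unquote rather than unquote_plus, because a "+" inside the Base64 is part of the ciphertext and must not become a space, and expect every body to share the same key, since the implant hard-codes it, so the same call decrypts each command result the victim sent back.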

Now, after decrypting the encrypted data that you found in the
POST request:
IN3DZMA9y5D0q5y4Pe3Uv%2FVE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae%2Fmpy4CW
you will get the flag:
flag{2C_p0w3r_Chi11}
Note: It is possible that when you run the PowerShell script, an
error occurs:
running scripts is disabled on this system

The solution is to simply go to cmd and type
Set-ExecutionPolicy RemoteSigned

The script will then work, but after you finish, if you do not
intend to run PowerShell scripts, it is better to go back to how
you were before, to be more secure, so you will type in cmd:
Set-ExecutionPolicy Restricted

Written By: Moustafa Ahmed Ismail AKA Volk


Arabic version (translated to English)
In the name of God, the Most Gracious, the Most Merciful

Introduction
The difficulty of this lab is Medium.
The idea of the lab is that you analyze the Wireshark file and
extract the PowerShell file from it, then analyze the PowerShell
file to learn how the hacker compromised the victim, how he was
stealing data from him, and how to decrypt that data.

How to solve the lab

First we download the Wireshark file (Arson.pcapng).


In the beginning, I started looking at the packets and noticed
several HTTP requests.

I assumed that the victim might have downloaded the PowerShell
script via an HTTP link, so I tried applying the HTTP filter in
Wireshark.

And indeed he downloaded the file via a link that was sent to him.

After that I did Follow TCP Stream on the packet I marked in the
image, because that packet is a GET request for a file named
host.ps1, and ps1 is the PowerShell script extension.

Then I saved the TCP stream.


Okay, now let's start analyzing the PowerShell script. The first
thing I noticed is that the script has an encryption and
decryption mechanism using AES CBC, and it encodes almost
everything (the key, the IV, and the data coming from the victim
after encrypting it).
The rest of the script is just a normal shell, but the new or
unusual thing is that the victim's data that is sent to the
attacker is sent over HTTP.

This means that the data the attacker requests, which is sent
back to him, should be visible in the Wireshark file.

Indeed, there is more than one command sent by the attacker to
the victim, and data sent by the victim to the attacker.
Now I did Follow TCP Stream on the request I marked in yellow.
Of course there is more than one piece of data the attacker
requested, meaning he sent a command and the result of the
command executed on the victim machine was sent back to him,
and the data is sent to the attacker via a POST request.
I tried decrypting more than one of them until I reached the
POST request that contains the flag.

Okay, the data sent to the attacker is encrypted, because as we
saw in the PowerShell script, the attacker wrote in the script that
the data, before being sent to him, is first encrypted using AES
CBC with this key:
$key = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="
and then encoded using base64 and then sent.
Now we need to decrypt the data.
There is more than one way to decrypt AES CBC:
1- You can use a website that decrypts AES CBC; there is more
than one website that does this.
2- If you are good at a certain programming language, you can
also write a script that decrypts the data, using Python for
example or any other language.
3- You can use the attacker's PowerShell script, because the
attacker already wrote a decryption function in it.
I chose the third option.
First I tidied up the script, meaning I deleted the functions and
code I don't need, so that I only use the decrypt function. The
code after I tidied it up is the same cleaned script listed in the
English section above.

You can use this code to decrypt the data that was sent to the
attacker. Of course, replace Your-Encrypted-Data-After-URL-Decoding-It
with the data you want to decrypt.
For example, I want to decrypt:
IN3DZMA9y5D0q5y4Pe3Uv%2FVE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae%2Fmpy4CW
The first thing, of course, is to URL-decode it. You can use any
website that does URL decoding; I used this website, urldecoder.io.
After that, put the encrypted data in $encryptedString like this:
$encryptedString = "IN3DZMA9y5D0q5y4Pe3Uv/VE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae/mpy4CW"
Then save the script with the extension ps1 and run it,
and the flag will appear:
flag{2C_p0w3r_Chi11}
Note: when you run the PowerShell script, an error may occur:
running scripts is disabled on this system

The solution is simply to go to cmd and type
Set-ExecutionPolicy RemoteSigned

The script will work, but after you finish, if you don't intend to
work with PowerShell scripts afterwards, it's better to go back to
how you were, to be more secure, so you will type in cmd:
Set-ExecutionPolicy Restricted

Written By: Moustafa Ahmed Ismail AKA Volk
