huntress2023

Writeups for Huntress CTF 2023


✅ MALWARE - HumanTwo

Writeup by: @goproslowyo

Tags

Files:

Description

Author: @JohnHammond

During the MOVEit Transfer exploitation, there were tons of “indicators of compromise” hashes available for the human2.aspx webshell! We collected a lot of them, but they all look very similar… except for very minor differences. Can you find an oddity? NOTE, this challenge is based off of a real malware sample. We have done our best to “defang” the code, but out of abundance of caution it is strongly encouraged you only analyze this inside of a virtual environment separate from any production devices. Download the file(s) below.

Writeup

HumanTwo was a bit tricky. To start, we quickly looked for any differences between the files: file size, modification date, and so on. Nothing obvious stood out at that level.

While looking over one of the files we found an interesting string, the hard-coded password that the webshell compares the request's `pass` value against, and decided to compare that line across every file.

We used ripgrep with a regular expression matching a run of twelve hex characters (the last segment of a GUID) to pull the matching line out of all the files. This made one file in particular stand out to us.

$ rg '[a-fA-F0-9]{12}'
d14000dac846909aefb1522ab5227429783b409dfdebe1dff3f723c27ff1ea33
36:    if (!String.Equals(pass, "0ffdaf9e-df3e-4de2-997f-f9a6b55c2ce8")) {

92376e8fd99a330262a9c3a44c26ad2f3d48b08685fa6a81768080ee5ed125ee
36:    if (!String.Equals(pass, "d51bf96b-54bd-4877-a5c3-1638bea0a218")) {

cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19
36:    if (!String.Equals(pass, "666c6167-7b36-6365-3666-366131356464"+"64623065-6262-3333-3262-666166326230"+"62383564-317d-0000-0000-000000000000")) {

b901a8865098d667090aa4469001d1a8ded3156317ff0baa3259ec395d9931e0
36:    if (!String.Equals(pass, "800d58be-4e1c-45fb-854a-9fcc8d1ab2c4")) {

559cb72f981be4df371fc501db246318ce3fe9950e1102bbd97630d8858e8e93
36:    if (!String.Equals(pass, "cad737a7-896f-4d11-8c59-d6ae7453f784")) {
[...]

Let’s take a deeper look at that string in the cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19 file.

We've got three GUID-shaped strings that are concatenated with `+` at runtime, while every other sample uses a single literal GUID:

"666c6167-7b36-6365-3666-366131356464"+"64623065-6262-3333-3262-666131356464"+"62383564-317d-0000-0000-000000000000"

The segments also don't look like real version-4 GUIDs (the third group should start with `4` and the fourth with `8`, `9`, `a` or `b`). If we join them and strip the dashes, the result reads like a hex-encoded byte string:

666c61677b36636536663661313564646462306562623333326266616632623062383564317d00000000000000000000

Decoding the hex to ASCII and dropping the trailing null padding gives the flag:

flag{6ce6f6a15dddb0ebb332bfaf2b0b85d1}

CyberChef Recipe
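The whole procedure above (pull the password-check line from each sample, flag the one whose password is not a single well-formed GUID, then join the segments, strip the dashes, hex-decode and trim the null padding) as a single script. This is an added example, not code from the original writeup or from the malware sample; the `SAMPLES` table is constructed from the rg output shown on this page, keyed by the file hashes it lists, and the version-4 GUID check is an extra heuristic that goes slightly beyond the writeup (it would also catch a single forged GUID, not only a concatenated one).

```python
import re

# Constructed sample input: the password-check line (line 36 of each file)
# from the human2.aspx variants, keyed by each file's SHA-256 as printed by rg.
SAMPLES = {
    "d14000dac846909aefb1522ab5227429783b409dfdebe1dff3f723c27ff1ea33":
        '    if (!String.Equals(pass, "0ffdaf9e-df3e-4de2-997f-f9a6b55c2ce8")) {',
    "92376e8fd99a330262a9c3a44c26ad2f3d48b08685fa6a81768080ee5ed125ee":
        '    if (!String.Equals(pass, "d51bf96b-54bd-4877-a5c3-1638bea0a218")) {',
    "cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19":
        '    if (!String.Equals(pass, "666c6167-7b36-6365-3666-366131356464"'
        '+"64623065-6262-3333-3262-666166326230"'
        '+"62383564-317d-0000-0000-000000000000")) {',
    "b901a8865098d667090aa4469001d1a8ded3156317ff0baa3259ec395d9931e0":
        '    if (!String.Equals(pass, "800d58be-4e1c-45fb-854a-9fcc8d1ab2c4")) {',
    "559cb72f981be4df371fc501db246318ce3fe9950e1102bbd97630d8858e8e93":
        '    if (!String.Equals(pass, "cad737a7-896f-4d11-8c59-d6ae7453f784")) {',
}

# The expression the webshell compares the request password against.
PASS_RE = re.compile(r'String\.Equals\(pass,\s*(.+?)\)\)')
# Any quoted 36-character GUID-shaped token inside that expression.
GUID_RE = re.compile(r'"([0-9a-fA-F-]{36})"')
# A well-formed RFC 4122 version-4 GUID: version nibble 4, variant nibble 8/9/a/b.
V4_GUID_RE = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$', re.I)


def extract_password_expr(line):
    """Return the raw C# expression passed as the second String.Equals argument."""
    m = PASS_RE.search(line)
    return m.group(1) if m else None


def guid_segments(expr):
    """All quoted GUID-shaped literals in the expression, in source order."""
    return GUID_RE.findall(expr)


def is_odd(expr):
    """A normal sample is exactly one literal, well-formed v4 GUID; anything else is suspect."""
    segs = guid_segments(expr)
    return len(segs) != 1 or not V4_GUID_RE.match(segs[0])


def decode_hidden(expr):
    """Join the segments, drop the dashes, hex-decode, strip the 0x00 padding."""
    joined = "".join(seg.replace("-", "") for seg in guid_segments(expr))
    return bytes.fromhex(joined).rstrip(b"\x00").decode("ascii")


def find_oddities(samples):
    """Map file hash -> decoded hidden string for every sample that fails is_odd()."""
    found = {}
    for sha256, line in samples.items():
        expr = extract_password_expr(line)
        if expr is not None and is_odd(expr):
            found[sha256] = decode_hidden(expr)
    return found


if __name__ == "__main__":
    for sha256, hidden in find_oddities(SAMPLES).items():
        print(f"{sha256}: {hidden}")
```

Running it prints the one odd hash followed by `flag{6ce6f6a15dddb0ebb332bfaf2b0b85d1}`. To apply the same idea to a directory of real samples, replace `SAMPLES` with the line-36 text read from each file; the regexes only depend on the `String.Equals(pass, ...)` shape of the check.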