Monday 14 January 2013

Digital Forensic War Game [Level 2] - Simple Backdoor

* To play, register and log in to the site http://real-forensic.com/.



After downloading and extracting the archive, you would be left with 2 files (file1 and file2) to work with.

Identifying the Files
Signature analysis of both files revealed that file1 was a pcap file (D4 C3 B2 A1 - the signature for a WinDump capture file) and file2 was an executable (4D 5A - the signature of a Windows/DOS executable file).

*I find Gary Kessler's File Signature Table one of the best online references for file signatures.

Analysis of file1:
There was nothing notable in the UDP traffic. A quick glance at the TCP traffic surfaced traces of SSH communications between 2 IP addresses (192.168.11.1 and 192.168.11.130). Further analysis surfaced that the TCP traffic could be broken down into 3 streams, interpreted as follows.
  • tcp.stream eq 0 : 
    • 192.168.11.1 sends Joy*`s-lakj to 192.168.11.130.
  • tcp.stream eq 1 : 
    • 192.168.11.1 and 192.168.11.130 exchange a series of encrypted messages.
  • tcp.stream eq 2 : 
    • 192.168.11.1 sends Joy*`s-lakj to 192.168.11.130.
    • 192.168.11.130 sends LUZkyieoiU}EyUco{O.Uoedf^ to 192.168.11.1

At this point, it would be safe to discard the UDP traffic. For the TCP traffic, decryption of the SSH traffic would be difficult due to the fact that it looks rather unusual (no proper handshake and key exchange). However, I would still keep the SSH traffic in mind, considering that it may be possible for related info to be surfaced in file2. Other notable information would be the strings Joy*`s-lakj and LUZkyieoiU}EyUco{O.Uoedf^.

Analysis of file2
The pcap is an indication of network activity, so I started the analysis from the only reference to WSAStartup.


Analysis of the function sub_401220 is as follows. It starts with a routine that establishes network connectivity.



This is followed by an XOR encoding routine, in which a string of 11 characters is XOR encoded with the characters \xD and \xA.


Finally, there is a data sending and receiving routine: a string of 11 characters is sent to a remote host, a buffer of size 26 is allocated to receive a string from the remote host, and the value of that string is written to a file called "flag.txt". This pattern of sending and receiving data matches the pattern seen in "tcp.stream eq 2" from file1, which identifies Joy*`s-lakj as the encoded string sent from 192.168.11.1 to 192.168.11.130, and LUZkyieoiU}EyUco{O.Uoedf^ as the flag sent from 192.168.11.130 to 192.168.11.1.


Now, it would make sense for the flag string to be encoded as well, so let's try our luck with the same XOR encoding routine discovered in the binary. The decoded flag: A_Watched_pOt_nevE#_boilS.

The decoded flag A_Watched_pOt_nevE#_boilS was rejected as an invalid flag. However, from reversing the binary it was clear that it was the flag, so with some guesswork and brute forcing of the character #, the flag A_Watched_pOt_nevEr_boilS was found.
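The following is an added example, not code from the original post or from the challenge binary. It applies the alternating \xD / \xA XOR to both strings seen in tcp.stream eq 2 and lists, for each '.' in the captured text, the plaintext characters it could stand for. It assumes the strings were copied from an ASCII stream view that shows non-printable bytes as '.'; the function and constant names are chosen here.

```python
from itertools import cycle

# Alternating key bytes described in the write-up (\xD first, then \xA).
KEY = b"\x0d\x0a"

# Strings as they appear in the post's description of tcp.stream eq 2.
REQUEST = b"Joy*`s-lakj"
RESPONSE = b"LUZkyieoiU}EyUco{O.Uoedf^"


def xor_decode(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte with the repeating key. Encoding and decoding are identical."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_printable(b: int) -> bool:
    """True for printable ASCII (space through tilde)."""
    return 0x20 <= b <= 0x7E


def dot_candidates(captured: bytes, key: bytes = KEY) -> dict:
    """Map the index of each '.' in the captured text to possible plaintext chars.

    Assumption: the text came from an ASCII view that replaces non-printable
    bytes with '.', so a '.' is either a real 0x2E or a placeholder for a byte
    that could not be displayed. The first candidate treats it as a literal
    '.'; the rest are printable plaintext characters whose encoded form under
    this position's key byte is non-printable.
    """
    result = {}
    for i, b in enumerate(captured):
        if b != ord("."):
            continue
        k = key[i % len(key)]
        literal = chr(b ^ k)
        hidden = [chr(p) for p in range(0x20, 0x7F) if not is_printable(p ^ k)]
        result[i] = [literal] + hidden
    return result


if __name__ == "__main__":
    print(xor_decode(REQUEST).decode())
    print(xor_decode(RESPONSE).decode())
    for index, chars in dot_candidates(RESPONSE).items():
        print(f"index {index}: candidates {chars}")
```

Under that assumption, the byte at index 18 is either a literal '.' (which decodes to '#') or 0x7F, which decodes to 'r', so the candidate list replaces a blind brute force of that position.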



