Response - HTB [Discussion]
having a hard time configuring DNS through openvpn with update-systemd-resolved... worked before but doesn't anymore. ah well...
Reply
Finally escalated to Scryh. Oh wow, I know why this box is called Response now!

Was fun though :P 

root part now. I think I got the logic already
Reply
(July 8, 2022, 09:16 PM)Unbolted5053 Wrote: Any tips for scryh->root? I'm trying to analyze `core.auto_update` with volatility3. I've tried creating symbols for Ubuntu 20.04 5.4.0-109-generic, but the dump is not recognized.


your private msgs are disabled
Reply
(July 9, 2022, 12:37 PM)yournamehere Wrote: having a hard time configuring DNS through openvpn with update-systemd-resolved... worked before but doesn't anymore. ah well...


you could've used unbound instead of something like the ISC BIND server, which is pretty terrible..
https://github.com/NLnetLabs/unbound

something similar we've done on the CrossFit2 box with unbound -> https://app.hackthebox.com/machines/CrossFitTwo
Reply
(July 10, 2022, 09:24 PM)undeadly Wrote:
(July 9, 2022, 12:37 PM)yournamehere Wrote: having a hard time configuring DNS through openvpn with update-systemd-resolved... worked before but doesn't anymore. ah well...


you could've used unbound instead of something like the ISC BIND server, which is pretty terrible..
https://github.com/NLnetLabs/unbound

something similar we've done on the CrossFit2 box with unbound -> https://app.hackthebox.com/machines/CrossFitTwo


Interesting! Gonna give it a try.
I ended up using dnsmasq after killing resolved. Needed to enable MX too.
Reply
Head banging time again!

the pcap file gives good info about the attack chronology
we have 2 SSH sessions, but can't find a way to decrypt them
I tried volatility against the memory dump as mentioned by @Unbolted5053, but can't get it to work either
Gonna try to decrypt the meterpreter session stream

A little nudge would be appreciated ;)
Reply
(July 14, 2022, 03:16 PM)yournamehere Wrote: Head banging time again!

the pcap file gives good info about the attack chronology
we have 2 SSH sessions, but can't find a way to decrypt them
I tried volatility against the memory dump as mentioned by @Unbolted5053, but can't get it to work either
Gonna try to decrypt the meterpreter session stream

A little nudge would be appreciated ;)


This part is why the box is insane imo.
The goal of this part is to reconstruct the .zip archive that's been exfiltrated through meterpreter. There is some doc for this:
https://github.com/OJ/clr-meterpreter/blob/master/streams/2019-04-25-Part-2/tlv.md
https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Packet
https://github.com/rapid7/metasploit-framework/pull/8625

The core_dump is only useful for the AES key.
Reply
(July 15, 2022, 08:41 AM)toatoat Wrote:
(July 14, 2022, 03:16 PM)yournamehere Wrote: Head banging time again!

the pcap file gives good info about the attack chronology
we have 2 SSH sessions, but can't find a way to decrypt them
I tried volatility against the memory dump as mentioned by @Unbolted5053, but can't get it to work either
Gonna try to decrypt the meterpreter session stream

A little nudge would be appreciated ;)


This part is why the box is insane imo.
The goal of this part is to reconstruct the .zip archive that's been exfiltrated through meterpreter. There is some doc for this:
https://github.com/OJ/clr-meterpreter/blob/master/streams/2019-04-25-Part-2/tlv.md
https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Packet
https://github.com/rapid7/metasploit-framework/pull/8625

The core_dump is only useful for the AES key.


Thanks a lot! That's exactly what I'm at right now. I should get it very soon.
Reply
(July 15, 2022, 10:50 AM)yournamehere Wrote:
(July 15, 2022, 08:41 AM)toatoat Wrote:
(July 14, 2022, 03:16 PM)yournamehere Wrote: Head banging time again!

the pcap file gives good info about the attack chronology
we have 2 SSH sessions, but can't find a way to decrypt them
I tried volatility against the memory dump as mentioned by @Unbolted5053, but can't get it to work either
Gonna try to decrypt the meterpreter session stream

A little nudge would be appreciated ;)


This part is why the box is insane imo.
The goal of this part is to reconstruct the .zip archive that's been exfiltrated through meterpreter. There is some doc for this:
https://github.com/OJ/clr-meterpreter/blob/master/streams/2019-04-25-Part-2/tlv.md
https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Packet
https://github.com/rapid7/metasploit-framework/pull/8625

The core_dump is only useful for the AES key.


Thanks a lot! That's exactly what I'm at right now. I should get it very soon.


so... I got the zip file reconstructed and extracted. The zip file is corrupt and so is the PNG. The key is useless. Nothing obvious here :s
stegano maybe? oh wow what a brainfuck!
Reply
(July 17, 2022, 05:44 PM)yournamehere Wrote:
(July 15, 2022, 10:50 AM)yournamehere Wrote:
(July 15, 2022, 08:41 AM)toatoat Wrote:
(July 14, 2022, 03:16 PM)yournamehere Wrote: Head banging time again!

the pcap file gives good info about the attack chronology
we have 2 SSH sessions, but can't find a way to decrypt them
I tried volatility against the memory dump as mentioned by @Unbolted5053, but can't get it to work either
Gonna try to decrypt the meterpreter session stream

A little nudge would be appreciated ;)


This part is why the box is insane imo.
The goal of this part is to reconstruct the .zip archive that's been exfiltrated through meterpreter. There is some doc for this:
https://github.com/OJ/clr-meterpreter/blob/master/streams/2019-04-25-Part-2/tlv.md
https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Packet
https://github.com/rapid7/metasploit-framework/pull/8625

The core_dump is only useful for the AES key.


Thanks a lot! That's exactly what I'm at right now. I should get it very soon.


so... I got the zip file reconstructed and extracted. The zip file is corrupt and so is the PNG. The key is useless. Nothing obvious here :s
stegano maybe? oh wow what a brainfuck!


The key is mandatory in order to reconstruct the zip correctly.
If your PNG/archive is corrupted after a binwalk, it means that you didn't extract the whole zip. Meterpreter packets are TLV packets (actually LTV packets) following one another. In order to extract the zip file, you have to parse the TLV packets by packet type too and append the payloads.
When your zip file is correctly extracted from the conv, you should have 5 files, 2 of them are important for the rest (yes it's not over yet and the rest is also tricky).
Reply
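As an added example illustrating the reconstruction described in the two toatoat posts above (it is not code from the thread or from Metasploit): this Python walks the length-type-value packets of the layout sketched in the linked tlv.md, strips the 4-byte XOR mask, keeps only one packet type, and appends the payloads of one TLV type in capture order. The exact header layout, the TLV/packet type constants and the sample traffic are assumptions; encrypted packets are rejected rather than decrypted, since that step needs the session AES key recovered from the core dump.

```python
import struct

# Constructed example, not the thread's or Metasploit's own code. Packet layout
# assumed from the TLV write-ups linked above:
#   xor_key(4) | session_guid(16) | enc_flags(4) | length(4) | type(4) | TLV...
# Every byte after the XOR key is masked by that 4-byte key, repeated. A TLV is
# length(4) | type(4) | value, big-endian; length includes the 8-byte header.
HDR = 32
TLV_CHUNK = 0x10001    # constructed TLV type that carries file data
TLV_REQ_ID = 0x10002   # constructed TLV type that carries a request id
PKT_RESPONSE = 2       # constructed packet type we want chunks from
def xor_mask(data):
    """Apply or strip the repeating 4-byte XOR key (XOR is its own inverse)."""
    key = data[:4]
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data[4:]))
def parse_tlvs(body):
    """Walk consecutive TLVs; refuse lengths that overrun or underrun the buffer."""
    out, off = [], 0
    while off < len(body):
        if off + 8 > len(body):
            raise ValueError(f"truncated TLV header at offset {off}")
        length, tlv_type = struct.unpack(">II", body[off:off + 8])
        if length < 8 or off + length > len(body):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        out.append((tlv_type, body[off + 8:off + length]))
        off += length
    return out
def parse_packet(raw):
    plain = xor_mask(raw)
    enc_flags, length, ptype = struct.unpack(">III", plain[20:HDR])
    if enc_flags:  # body would be IV + AES ciphertext; needs the session key first
        raise ValueError("encrypted packet: decrypt with the session AES key")
    return ptype, parse_tlvs(plain[HDR:HDR + length - 8])
def reassemble(packets, ptype=PKT_RESPONSE, tlv_type=TLV_CHUNK):
    """Concatenate, in capture order, one TLV type from packets of one type."""
    chunks = []
    for raw in packets:
        seen, tlvs = parse_packet(raw)
        if seen == ptype:
            chunks.extend(v for t, v in tlvs if t == tlv_type)
    return b"".join(chunks)
def build_packet(ptype, tlvs, xor_key=b"\x11\x22\x33\x44", guid=bytes(16)):
    """Build and mask a packet; used here only to construct sample traffic."""
    body = b"".join(struct.pack(">II", len(v) + 8, t) + v for t, v in tlvs)
    return xor_mask(xor_key + guid + struct.pack(">III", 0, len(body) + 8, ptype) + body)
# Constructed capture: a tiny "zip" split over two response packets plus noise.
FILE = b"PK\x03\x04" + bytes(range(40)) + b"PK\x05\x06" + bytes(18)
SAMPLE = [
    build_packet(1, [(TLV_REQ_ID, b"req-1")]),
    build_packet(PKT_RESPONSE, [(TLV_REQ_ID, b"req-1"), (TLV_CHUNK, FILE[:30])]),
    build_packet(PKT_RESPONSE, [(TLV_CHUNK, FILE[30:]), (TLV_REQ_ID, b"req-1")]),
]
```

A practitioner check is that `reassemble(SAMPLE)` starts with the local-file-header magic `PK\x03\x04` and ends with an end-of-central-directory record; if it does not, some chunk was filtered out or a TLV length was misread.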