obj-9-1
Jan 8th, 2019
<!DOCTYPE html><head><link rel="stylesheet" href="style.css" type="text/css" media="all"/><style type="text/css">.code-black-background{color:#e0e0e0;background-color:#1f1f1f;}</style></head><body><div class="entry-title entry-title-no-feat-img">
<a href="https://www.jollyfrogs.com/objective-9-1-catch-the-malware/" title="Permalink to Objective 9.1: Catch the malware" rel="bookmark">
<h1>Objective 9.1: Catch the malware</h1>
</a>
</div><div class="entry-content">
<figure class="wp-block-image">
<img src="objective9-1.gif" alt="" class="wp-image-876">
</figure>
<p>Difficulty: 3/5
<br>
<br>Alabaster Snowball is in dire need of your help. Santa&apos;s file server
has been hit with malware. Help Alabaster Snowball deal with the malware
on Santa&apos;s server by completing several tasks.
<br>For hints on achieving this objective, please visit Shinny Upatree and
help him with the&#xA0;Sleigh Bell Lottery&#xA0;Cranberry Pi terminal challenge.
<br>
<br>Objective 9.1: <strong>Assist Alabaster by building a Snort filter to identify the malware plaguing Santa&apos;s Castle. </strong>
<br>
<br>Note: Shinny Upatree can be found on Floor 1, on the South Eastern side
of the lobby area.
<br>
<br>Hints given:
<br>Shinny Upatree:
<br>Have you heard that Kringle Castle was hit by a new ransomware called
Wannacookie? Several elves reported receiving a cookie recipe Word doc.
When opened, a PowerShell screen flashed by and their files were encrypted.
Many elves were affected, so Alabaster went to go see if he could help
out. I hope Alabaster watched the PowerShell Malware talk at KringleCon
before he tried analyzing Wannacookie on his computer. An elf I follow
online said he analyzed Wannacookie and that it communicates over DNS.
He also said that Wannacookie transfers files over DNS and that it looks
like it grabs a public key this way. Another recent ransomware made it
possible to retrieve crypto keys from memory. Hopefully the same is true
for Wannacookie! Of course, this all depends how the key was encrypted
and managed in memory. Proper public key encryption requires a private
key to decrypt. Perhaps there is a flaw in the wannacookie author&apos;s
DNS server that we can manipulate to retrieve what we need. If so, we can
retrieve our keys from memory, decrypt the key, and then decrypt our ransomed
files.</p>
<p>The objective can be accessed directly via this link:
<br>https://docker.kringlecon.com/?challenge=snort&amp;id=7cd0c47e-7c7f-4983-95fe-d3ea9f752877
<br>
</p>
<hr class="wp-block-separator">
<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>
<p>Connect to the Snort Challenge console or navigate to:
<br>https://docker.kringlecon.com/?challenge=snort&amp;id=7cd0c47e-7c7f-4983-95fe-d3ea9f752877</p>
<pre
class="wp-block-code"><code> _ __ _ _ _____ _ _
| |/ / (_) | | / ____| | | | |
| &apos; / _ __ _ _ __ __ _| | ___| | __ _ ___| |_| | ___
| &lt; | &apos;__| | &apos;_ \ / _` | |/ _ \ | / _` / __| __| |/ _ \
| . \| | | | | | | (_| | | __/ |___| (_| \__ \ |_| | __/
|_|\_\_| |_|_|_|_|\__, |_|\___|\_____\__,_|___/\__|_|\___|
/ ____| __/ | | |
| (___ |___/ ___ _ __| |_
\___ \| &apos;_ \ / _ \| &apos;__| __|
____) | | | | (_) | | | |_
|_____/|_|_|_|\___/|_|_ \__|
|_ _| __ \ / ____|
| | | | | | (___
_____ | | | | | |\___ \ __
/ ____| _| |_| |__| |____) | /_ |
| (___ |_____|_____/|_____/ _ __ | |
\___ \ / _ \ &apos;_ \/ __|/ _ \| &apos;__| | |
____) | __/ | | \__ \ (_) | | | |
|_____/ \___|_| |_|___/\___/|_| |_|

============================================================
INTRO:
Kringle Castle is currently under attacked by new piece of
ransomware that is encrypting all the elves files. Your
job is to configure snort to alert on ONLY the bad
ransomware traffic.

GOAL:
Create a snort rule that will alert ONLY on bad ransomware
traffic by adding it to snorts /etc/snort/rules/local.rules
file. DNS traffic is constantly updated to snort.log.pcap

COMPLETION:
Successfully create a snort rule that matches ONLY
bad DNS traffic and NOT legitimate user traffic and the
system will notify you of your success.

Check out ~/more_info.txt for additional information.</code>
</pre>
<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>
<p>Check the contents of the file ~/more_info.txt</p>
<pre class="wp-block-code"><code>elf@59f9a5f70ada:~$ cat more_info.txt
MORE INFO:
A full capture of DNS traffic for the last 30 seconds is
constantly updated to:

/home/elf/snort.log.pcap

You can also test your snort rule by running:

snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf

This will create an alert file at ~/snort_logs/alert

This sensor also hosts an nginx web server to access the
last 5 minutes worth of pcaps for offline analysis. These
can be viewed by logging into:

http://snortsensor1.kringlecastle.com/

Using the credentials:
----------------------
Username | elf
Password | onashelf

tshark and tcpdump have also been provided on this sensor.

HINT:
Malware authors often user dynamic domain names and
IP addresses that change frequently within minutes or even
seconds to make detecting and block malware more difficult.
As such, its a good idea to analyze traffic to find patterns
and match upon these patterns instead of just IP/domains.
elf@59f9a5f70ada:~$</code></pre>

<div style="height:20px" aria-hidden="true"
class="wp-block-spacer"></div>
<p>Log in to http://snortsensor1.kringlecastle.com/
<br>username: elf
<br>password: onashelf
<br>
<br>Download one or more of the .pcap files</p>
<div class="wp-block-file"><a href="https://www.jollyfrogs.com/wp-content/uploads/2019/01/snort.log_.1545449212.6848407.pcap_.zip">snort.log.1545449212.6848407.pcap (zipped)</a>
<a
href="https://www.jollyfrogs.com/wp-content/uploads/2019/01/snort.log_.1545449212.6848407.pcap_.zip"
class="wp-block-file__button" download=""></a>
</div>
<p>Open the .pcap file in Wireshark. Notice that some DNS requests are sent
to non-standard DNS ports. Exclude the good traffic (queries to port 53) with this Wireshark display filter:</p>
<pre
class="wp-block-code"><code>!(udp.dstport == 53)</code>
</pre>
<p>The packets to non-standard DNS ports all contain the string &quot;77616E6E61636F6F6B69652E6D696E2E707331&quot;
<br>
</p>
<pre class="wp-block-code code-black-background"><code>356 3.606484 212.43.18.229 10.126.0.26 Standard query response 0xedf0 TXT 58.77616E6E61636F6F6B69652E6D696E2E707331.rehrugnbsa.org TXT 57608 DNS 425
2 0.010593 233.12.59.19 10.126.0.19 Standard query response 0xa4b6 TXT 77616E6E61636F6F6B69652E6D696E2E707331.nsaehrgrub.org TXT 38663 DNS 167</code></pre>

<div
style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>
<p>The string &quot;77616E6E61636F6F6B69652E6D696E2E707331&quot; is a unique
identifier that can be used to create the Snort rule. Because the rule matches on
this content rather than on a port, IP address or domain, it also catches the
queries sent to non-standard DNS ports, as the hint in more_info.txt suggests.
Add a Snort rule as follows:
<br>
</p>
<pre class="wp-block-code code-black-background"><code>elf@524792a816b4:~$ echo &apos;alert udp any any -&gt; any any (msg:&quot;Bad DNS&quot;; sid:10000001; rev:001; content:&quot;77616E6E61636F6F6B69652E6D696E2E707331&quot;;)&apos; &gt; /etc/snort/rules/local.rules</code></pre>
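<p>Added example, not part of the original writeup: a Python script that builds constructed DNS queries for the two names quoted from the pcap above plus one legitimate lookup, decodes the hex label to show what the identifier actually says, and applies the same raw byte match that the rule's content option performs. The legitimate query name and the transaction id are assumptions.</p>

```python
import binascii
import struct

# Hex-encoded label the writeup found in every malicious query/response.
MARKER = b"77616E6E61636F6F6B69652E6D696E2E707331"

def decode_marker(marker: bytes = MARKER) -> str:
    """Decode the hex label to ASCII so the 'unique identifier' is readable."""
    return binascii.unhexlify(marker).decode("ascii")

def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Constructed sample: minimal DNS query (RD=1) for qname; qtype 16 is TXT, as in the pcap."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_qname(payload: bytes) -> str:
    """Walk the length-prefixed labels of the first question name (no compression in questions)."""
    labels, pos = [], 12  # the fixed 12-byte DNS header comes first
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def matches_rule(udp_payload: bytes) -> bool:
    """Same test the Snort content option performs: a raw, case-sensitive substring search over
    the UDP payload, independent of ports, so queries to non-standard DNS ports are caught too."""
    return MARKER in udp_payload

# Constructed samples: two names taken from the writeup's pcap excerpt, one assumed legitimate lookup.
SAMPLES = {
    "58.77616E6E61636F6F6B69652E6D696E2E707331.rehrugnbsa.org": True,
    "77616E6E61636F6F6B69652E6D696E2E707331.nsaehrgrub.org": True,
    "snortsensor1.kringlecastle.com": False,
}

def classify_samples() -> dict:
    """Return {qname: matched} for each constructed packet."""
    return {name: matches_rule(build_dns_query(name)) for name in SAMPLES}

if __name__ == "__main__":
    print("marker decodes to:", decode_marker())
    for name, hit in classify_samples().items():
        print("ALERT" if hit else "ok   ", parse_qname(build_dns_query(name)))
```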

<div
style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>
<p>Shortly after the line is added, the congratulations message appears</p>
<pre
class="wp-block-code code-black-background"><code>elf@524792a816b4:~$ echo &apos;alert udp any any -&gt; any any (msg:&quot;Bad DNS&quot;; sid:10000001; rev:001; content:&quot;77616E6E61636F6F6B69652E6D696E2E707331&quot;;)&apos; &gt; /etc/snort/rules/local.rules
elf@524792a816b4:~$
[+] Congratulation! Snort is alerting on all ransomware and only the ransomware! </code>
</pre>
<div style="height:20px" aria-hidden="true" class="wp-block-spacer"></div>
<div class="link-pages"></div>
</div></body></html>