Avatar
An incident responder who's seeking opportunities to work in technology company!
Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags

HackTheBox - Fishy HTTP

HackTheBox Writeup Blue Team ILSpy Malware Command and Control
Published on 16 Sep 2024

Hi everyone, I have not been writing any solutions related to HackTheBox challenges and I returned it last night, choosed a challenge and solved it. It’s just for fun so… let’s go!

These are two files we will use to solve their challenge:

image

First, I checked pcapng file by using Wireshark:

image

There’re just HTTP packets, so I will watch their stream to see whether anything is interesting or not and I found a weird string in stream 1:

image

From here I could guess that all things were created by that executable file, let’s reverse it to see inside. First, I checked by using exiftool:

image

The first name of this file is MyProject.dll and in its exiftool information there’s nothing interesting. If you learnt about how an executable file is created, you must know that an exe file is created by many files; example, for Windows an exe file will be created by compiling source code, linking with other DLL files inside system and you will get an exe file and these informations you can find easily by strings the file 😂😂😂. I tried to use it and I found that it was created by using IL code:

image

From here I used ILSpy to decompile it:

image

First, they created a dictionary, I don’t know how to describe so I wrote a Python script to describe its mechanism:

image

image

And with this dictionary, they encoded each character in their payload in EncodeData function, you can understand like this: if your payload is “bruhbruhlmao”, this code will take each character inside this payload, take a random string in dictionary that its first character is the taken character before:

image

After that the payload will be passed into a KeyValuePair variable named feedback and sent through IP and port as you can see in Wireshark:

image

image

Now we know their type of encoding, let’s decode it. We just do it reversingly and we will get the first part of flag:

import base64
def decode_base64(a):
    temp = ""
    for j in a.split(" "):
        temp += j[0]
    print(base64.b64decode(temp).decode())
with open("C:\\Users\\Admin\\Documents\\Code\\Python\\download.dat", "r") as file:
    payload = file.read().split("\n")

for i in range(len(payload)):
    decode_base64(payload[i])

image

The first part: h77P_s73417hy_revSHELL}

And the final function is DecodeData which is used to decode data in HTML body tag:

image

Again, write a Python script to decode it and we will get the final part of the flag:

import base64
import random
import re
import requests
import subprocess
from collections import defaultdict
from urllib.parse import urlencode

# Main function
# Decode data
tag_hex = {
    "cite": "0",
    "h1": "1",
    "p": "2",
    "a": "3",
    "img": "4",
    "ul": "5",
    "ol": "6",
    "button": "7",
    "div": "8",
    "span": "9",
    "label": "a",
    "textarea": "b",
    "nav": "c",
    "b": "d",
    "i": "e",
    "blockquote": "f"
}

def decode_data(data):
    body = re.search(r"<body>(.*?)</body>", data, re.S)
    if not body:
        return ""
    
    body_text = body.group(1)
    lines = body_text.splitlines()
    string_builder = []
    
    for match in re.finditer(r"<(\w+)[\s>]", lines[0], re.S):
        tag = match.group(1)
        if tag != "li":
            string_builder.append(tag_hex[tag])
    
    return hex_string_to_bytes("".join(string_builder))


# Hex string to bytes
def hex_string_to_bytes(hex_str):
    bytes_data = bytes.fromhex(hex_str)
    return bytes_data.decode('ascii')

#print(decode_data("<body><button>leaf tree glasses uniform guitar tiger umbrella book</button><button>panda universe quartz laptop</button><ol><li>rabbit jewel avocado sun plane</li></ol><div>house ball elephant trumpet fence mango fire hedgehog</div><ol><li>jar garden</li></ol><blockquote>mango yucca yurt bird lion</blockquote><ol><li>ball question apple necklace penguin zone xanthan quadrilateral</li></ol><h1>ice universe car tooth castle</h1><ol><li>notebook popcorn flag helicopter ant mailbox</li></ol><b>dinosaur door octopus</b><ol><li>mouse pencil grape quill pear utensil quiver</li></ol><span>utensil elephant grape cookie apple heart yucca knight anchor</span></body>"))
with open("C:\\Users\\Admin\\Documents\\Code\\Python\\download.dat", "r") as file:
    arr = file.read().split("\n")
payload = ''.join(arr)
print(decode_data(payload))

image

Flag: HTB{Th4ts_d07n37_h77P_s73417hy_revSHELL}

That’s it, this is an easy challenge and it’s very suitable for newbies (I think so). OK thank you very much for reading my article. See you in the next post, bye 🫀🫀🫀

related posts

all tags

AES Decrypt AKASEC BITSCTF BYUCTF Blue Team CTFtime Command and Control DES3 decrypt DFIR DUCTF Email forensic Forensic Git log HackTheBox ILSpy ImaginaryCTF JavaScript KCSC Macros Malware Memory Forensic MireaCTF Network Forensic OSCTF OSINT Powershell Python Real Case Redis Reverse Engineering Stealer TheCyberCoopCTF Threat Hunting TrueCrypt UIUCTF Vidar Virustotal Volatility WaniCTF WannaGame Wireshark Word Writeup dnSpy