Hacking a website used to deliver Malware

 Introduction

While analyzing a sample from this morning, I found out it uses a URL to download the second stage. While messing around with the url, I found a file upload vulnerability ( more precisely blunder). I used it to upload a php file to fetch the hashes of all the second stages there.

I- The File Upload vulnerability:

I always enumerate. When I found the URL from where the second stage is downloaded. I tried to find every path and see what happens there. I found this directory with a ZIP file

(1) Zip file in website

When you open the zip file, you see an upload.php file

(2) 

It uploads files and only checks if the User-Agent is "LOADER".

Wrote a basic python script to upload files.

(3) Python script to upload a file to the website

II- Fetching the hashes of all the samples

I tried uploading small php file containing only phpinfo() to check if the upload works.

(4) Phpinfo() works

So, I wrote a PHP file to fetch all the hashes of all the sample on the website.

(5) PHP script to get the hashes of the files on the website

And it worked. We got the hashes of all the samples there.

(6) hashes of all the files on the websites

Hashes:

056df27e8ab520ada6f91d8734334f57327521d8f3890980a8b26f3f25ad161c  
0a921ec694bdd5d95d9643efa72a73acb2fe4ebcd230a03de9f52c96c5991efe  
13652ca118b98ee7f713215094db92ebc74ed256534377342414d3648ae650f1  
1aecc3979eb3eee1e779e4eb652bcd82492fda1573009f48af273c4bc7c01653  
1b88197613f1c501120d3452c20a264bc4f2596d9781975f9054b444dffccb46  
1b88197613f1c501120d3452c20a264bc4f2596d9781975f9054b444dffccb46  
27b36145ae0389079a292b1189ff3c6e65c20b2269ce22b02b3feca3e5711da5  
304b156f8fce7e7aee41011fd7661dc3ce42941c3ff1e01ddf2f58e458e221d6  
444baa5f0e9d684d296e679e4ee7dd53ad5f716cc482c1ad5a6bbb73093bf9e4  
4fe2a64ead98de53de5e7457b888241fe01f1eb9399eda7cfa70aa5ee4ef6329  
53798111605041fa783c119fedf35b7ec32647b5eca41f1127a0625318ad6e8d  
590289bc95fc1253677f1b2c6e5333a4ebdd5d453b57f0c70d8accaec891c5b5  
5c62ac8e232df44816dc1cfff18ae90933c68f0e3aee4ee1b917ca5ae9edec60  
61769cac0deb5d3a9c98e310152d9818fd4499e7f7331d9acfe09ba7483919e2  
650d95cc15334a3a0c8c06c4f80c2a6b24aa5ba2a910a2521a61530c48bd81ba  
6c4a40ba44fe744debf7d3b37cb857941ac243b20e7860e224fb8bd8a0328ae6  
6fa55c058ce07658fd39dae990b27075065bd738f47e365bc7e27d2d51e99936  
71e02e244dc4e8ee6feaf8d2ea3cf966472fc23d348e80cd1eeda06b2a660a04  
741634e5b520fbc3fe99c4734618c6ba4c81303e8946d17557be40535a286c67  
783990d11819c473ccf153a73ac1edc2bebb366b9d432bf9bb0df07570466998  
7d0923848648282a0804f1dffedddb16d9f2ada1c26c20f15724dbea09d40334  
8a540451d8922eec3e75869b730468a1413a7dfac9db965ef2290e29d3694283  
8cba9355b5c5f36c22dd26170d46d4c2428ab4a42be218c4969867422e2e2ab5  
8dd4c9cb7fe66bf2e7e5512d317c5ff66ef1e14229b2a6cf0e1dd960a58c9197  
8ed6f363fd129c095829065c2f3dc81a6a0e82b0e8d58587470d913c68dbfe8e  
88025c2c5a48a9616e9662383483fe39418b8c73a4c95c7c08d73adf0cee41f2  
b20ab05350ae824ec38d1da543ec8b1d80b914a3292592c29f4dc41cd953976d  
b2f558d08fecb7804d2699f7a0723aefa9026d424297912993bc997e6e29f6d6  
b870c488a4946f65b8e0afad3307b2e99f09a182baf61d643806f1904e17d9a8  
b882d72547fbcbfc63e68faaf170cafb71f5bb2c0e5b6cd88eb8bde2737c52b9  
bf2e57d5710b78e19d1a43d72b9caf1463e7209814592afa3b7ea344cc8260fe  
bfebb7b8f30119d6d2081f299d2c12605a4b74495c129155cb248afc2cae56e0  
c37060ac5111af141178e93bc84c8e29106132762689fa4b09f990bcf19f0b9b  
d14b7c95892867005647daae1a238af9e30b5cde30ddafc77d40ed3e4c38506b  
d2f0924ef9051769f282edec31cad555abe40f1704132197b2515e68cca0578b  
da45f4505a0b386489d1308b14474b0795432ca895c7ea414de6f0f82177ce4b  
e500ec6e2d97a59e28feb5648c6da9bcb81213e687418167873d142f0f77063d  
f8add5919847d7d9cffc255df0ec9aea9c5afeb0be232fcfba7e380e8cb2e08d  
f9ef24ea4de2798eb7591fdc0d63278a2f72166b0a99c215f442a06ea8cc6dd9  
fd6fd560374f61b47a9a6184d3dbbe4126b644e3b70ec08b6380d5ae2fe0ed63  









Comments

Post a Comment

Popular posts from this blog

Issue with dotnetfile's get_user_stream_strings() and finding an alternative solution (ft. Redline Stealer) !

Image
 Introduction While working on a config extractor for a Redline Stealer variant, I encountered an issue which that when I open the executable in dnSpy I can see the encrypted strings (IP,Key,...) but when I try to automate the extraction using dotnetfile module in python, they don't show up somehow in dotnetfile's  get_user_stream_strings() 1- .NET Streams .NET files contain a "Metadata" section, which contains chunks of bytes called Streams . We're interested in the #US Stream: #US : It's called User Strings. It contains Unicode strings that are referenced by the code instuction (i.e. ldstr , which loads a string). You can see these stram in CFF Explorer: (1) .NET Stream in CFF Explorer There are other streams, you can check ntcore's article  to learn about the full format of a .NET executable. I might write about it in the future. 2- dotnetfile's get_user_stream_strings() didn't work When I deobfuscated the executable and managed to get the strin...
Read more

Writeup of a PHP Web CTF challenge I built for an event (ft. three vulnerabilities)

Image
 Introduction One of my professors asked me to build 3 CTF challenges for an event he wanted to organize. He wanted the challenges to be a little bit beginner friendly since some of the participants are quite new to it. I decided to make Web challenges since I guess anyone in computer science can read and google source codes to understand what they do also to make them understand that security is research. I'll present a walkthrough of one of the challenges which was very interesting since it featured 3 vulnerabilies. Link to the challenge's source code if you want to practice before reading : https://github.com/lowlevel01/coding-rooms-ctf-challenges/tree/main/challenge2  1- The challenge: The challenge's source code was fairly short and easy to understand.   (1) The challenge's source code     It's basically a custom authentication mechanism that reads a serialized object encoded in hex from the cookies. The catch is that to be authenticated you have ...
Read more